Defining Cybersecurity Law

Author: Jeff Kosseff
Position: Assistant Professor of Cybersecurity Law, United States Naval Academy. J.D., Georgetown University Law Center; M.P.P., B.A., University of Michigan
Pages: 985-1031
Defining Cybersecurity Law
Jeff Kosseff *
ABSTRACT: As data breaches, denial-of-service attacks, and other cybersecurity incidents lead to extraordinary economic and national security consequences, commentators increasingly look to the legal system for solutions. Unfortunately, U.S. laws do not have a unified and coherent vision for the regulation and promotion of cybersecurity. For that matter, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.”

This Article aims to fill that gap by defining “cybersecurity law.” Although many articles have addressed various aspects of cybersecurity, none has stepped back to define exactly what “cybersecurity” is and the goals of statutes and regulations that aim to promote cybersecurity. By defining the scope and goals of this new legal field, policymakers can then examine how lawmakers could improve existing laws. Part II of this Article briefly describes the cybersecurity challenges that the United States faces by examining the cyberattack on Sony Pictures Entertainment. Part III defines “cybersecurity law” as a legal framework that “promotes the confidentiality, integrity, and availability of public and private information, systems, and networks, through the use of forward-looking regulations and incentives, with the goal of protecting individual rights and privacy, economic interests, and national security.” Part IV explains the current legal regime for cybersecurity and concludes that many of the most prominent cybersecurity laws only address a small portion of the broader legal framework. Part V examines the gaps in current U.S. cybersecurity law and suggests starting points for improvements.
I. INTRODUCTION .................................................................. 986
II. THE SONY HACK: A CASE STUDY IN U.S. CYBERSECURITY CHALLENGES ................ 989
III. DEFINING “CYBERSECURITY LAW” ................................................ 994
   A. WHAT ARE WE SECURING? ..................................................... 995
   B. WHERE AND WHOM ARE WE SECURING? ........................................... 999
   C. HOW ARE WE SECURING? ...................................................... 1001
   D. WHEN ARE WE SECURING? ..................................................... 1006
   E. WHY ARE WE SECURING? ...................................................... 1007
   F. A PROPOSED DEFINITION OF “CYBERSECURITY LAW” .............................. 1010
IV. ASSESSING CURRENT CYBERSECURITY LAWS ......................................... 1010
   A. DATA SECURITY STATUTES .................................................... 1011
   B. DATA BREACH-NOTIFICATION STATUTES ......................................... 1014
   C. DATA SECURITY LITIGATION .................................................. 1016
   D. COMPUTER HACKING LAWS ..................................................... 1017
   E. ELECTRONIC COMMUNICATIONS PRIVACY ACT ..................................... 1020
   F. THE CYBERSECURITY ACT OF 2015 ............................................. 1021
V. KEY GAPS IN CYBERSECURITY LAW ................................................. 1024
   A. INTEGRITY AND AVAILABILITY ................................................ 1024
   B. NATIONAL SECURITY AND ECONOMIC INTERESTS .................................. 1025
   C. COOPERATIVE LAWS .......................................................... 1028
   D. FORWARD-LOOKING LAWS ...................................................... 1030
VI. CONCLUSION ................................................................... 1030

* Assistant Professor of Cybersecurity Law, United States Naval Academy. J.D., Georgetown University Law Center; M.P.P., B.A., University of Michigan. The views expressed in this Article are only those of the Author and do not represent the views of the United States Naval Academy, Department of Navy, or Department of Defense. Thanks to LCDR Joseph Hatfield, Chris Inglis, Martin Libicki, and other colleagues at the Naval Academy’s Cyber Science Department for frequent discussions on the issues covered in the article, and to the staff of the Iowa Law Review for their excellent editorial work.

986 IOWA LAW REVIEW [Vol. 103:985
I. INTRODUCTION

In late 2015, after years of attempts, Congress passed legislation to enable companies to voluntarily share information about cybersecurity threats—such as attempted hacks—with the federal government and other companies. The bill, entitled the Cybersecurity Act of 2015, was tucked into a massive omnibus appropriations bill as Division N.1 The Cybersecurity Act occupies 136 of the 2,009 pages in the omnibus bill, and it establishes detailed rules for operators of private networks to defend their networks, monitor possible threats, and collaborate with the federal government.2 The new law also bolsters the Department of Homeland Security’s (“DHS”) cybersecurity efforts. The focus of the legislation, not surprisingly, is cybersecurity; indeed, “cybersecurity” appears in the bill nearly 200 times.3

1. Cybersecurity Act of 2015, Pub. L. No. 114-113, Div. N, § 1(a), 129 Stat. 2935 (codified at 6 U.S.C.A. §§ 1501–10 (West 2016)).
2. Id.
3. Id.

2018] DEFINING CYBERSECURITY LAW 987

There is just one problem: The Cybersecurity Act does not define “cybersecurity.” The statute allows companies to take certain actions for a “cybersecurity purpose,” which it defines as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.”4 The statute defines “security vulnerability” as “any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.”5 The statute defines “cybersecurity threat” as

    an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.6

The statute also defines “security control,”7 “malicious cyber command and control,”8 and “cyber threat indicator.”9 Although these definitions help to illuminate the purpose of the legislation, the Cybersecurity Act does not directly explain what lawmakers meant by “cybersecurity.”

The statute fails to provide a concrete definition that sets forth the scope and goals of cybersecurity law. Although the new statute can function without the definition—and as described in Part III of this Article, is a significant improvement over existing law—its omission of this key definition is illustrative of a larger problem: When policymakers talk about cybersecurity, they are not always talking about the same concept.

A day rarely passes without another report of a major cybersecurity incident. Hackers routinely breach the systems of retailers, stealing consumer credit card data, social security numbers, and other valuable personal information.10 Attackers launch distributed denial-of-service attacks, knocking some of the most popular websites offline for hours or days.11 Home security
4. 6 U.S.C.A. § 1501(4).
5. Id. § 1501(17).
6. Id. § 1501(5)(A).
7. Id. § 1501(16) (“The term ‘security control’ means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.”).
8. Id. § 1501(11) (“The term ‘malicious cyber command and control’ means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.”).
9. Id. § 1501(6) (listing eight types of threat indicators).
10. See, e.g., David Meyer, Eddie Bauer is Latest Retailer Infected with Data Breach Malware, FORTUNE (Aug. 19, 2016), http://fortune.com/2016/08/19/eddie-bauer-data-breach (describing how a malware attack compromised credit card information of Eddie Bauer customers).
11. See, e.g., Lily Hay Newman, What We Know About Friday’s Massive East Coast Internet Outage, WIRED (Oct. 21, 2016, 1:04 PM), https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn (describing attack on Dyn, a Domain Name Service, which caused websites around the world to be unavailable for much of a day).