2018] DEFINING CYBERSECURITY LAW 987
“cybersecurity purpose,” which it defines as “the purpose of protecting an
information system or information that is stored on, processed by, or
transiting an information system from a cybersecurity threat or security
vulnerability.”4 The statute defines “security vulnerability” as “any attribute of
hardware, software, process, or procedure that could enable or facilitate the
defeat of a security control.”5 The statute defines “cybersecurity threat” as
an action, not protected by the First Amendment to the Constitution
of the United States, on or through an information system that may
result in an unauthorized effort to adversely impact the security,
availability, confidentiality, or integrity of an information system or
information that is stored on, processed by, or transiting an
The statute also defines “security control,”7 “malicious cyber command and
control,”8 and “cyber threat indicator.”9 Although these definitions help to
illuminate the purpose of the legislation, the Cybersecurity Act does not
directly explain what lawmakers meant by “cybersecurity.”
The statute fails to provide a concrete definition that sets forth the scope
and goals of cybersecurity law. Although the new statute can function without
the definition—and as described in Part III of this Article, is a significant
improvement over existing law—its omission of this key definition is
illustrative of a larger problem: When policymakers talk about cybersecurity,
they are not always talking about the same concept.
A day rarely passes without another report of a major cybersecurity
incident. Hackers routinely breach the systems of retailers, stealing consumer
credit card data, social security numbers, and other valuable personal
information.10 Attackers launch distributed denial-of-service attacks, knocking
some of the most popular websites offline for hours or days.11 Home security
4. 6 U.S.C.A. § 1501(4).
5. Id. § 1501(17).
6. Id. § 1501(5)(A).
7. Id. § 1501(16) (“The term ‘security control’ means the management, operational, and
technical controls used to protect against an unauthorized effort to adversely affect the
confidentiality, integrity, and availability of an information system or its information.”).
8. Id. § 1501(11) (“The term ‘malicious cyber command and control’ means a method for
unauthorized remote identification of, access to, or use of, an information system or information
that is stored on, processed by, or transiting an information system.”).
9. Id. § 1501(6) (listing eight types of threat indicators).
10. See, e.g., David Meyer, Eddie Bauer is Latest Retailer Infected with Data Breach Malware, FORTUNE
(Aug. 19, 2016), http://fortune.com/2016/08/19/eddie-bauer-data-breach (describing how a
malware attack compromised credit card information of Eddie Bauer customers).
11. See, e.g., Lily Hay Newman, What We Know About Friday’s Massive East Coast Internet Outage,
WIRED (Oct. 21, 2016, 1:04 PM), https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn
(describing attack on Dyn, a Domain Name Service, which caused websites around the world
to be unavailable for much of a day).