Cybersecurity in Context: Technology, Policy, and Law

“A masterful guide to the interplay between cybersecurity and its societal, economic, and political impacts, equipping students with the critical thinking needed to navigate and influence security for our digital world.” —JOSIAH DYKSTRA, Trail of Bits “A comprehensive, multidisciplinary introduction to the technology and policy of cybersecurity. Start here if you are looking for an entry point to cyber.” —BRUCE SCHNEIER, author of A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend Them Back The first-ever introduction to the full range of cybersecurity challenges Cybersecurity is crucial for preserving freedom in a connected world. Securing customer and business data, preventing election interference and the spread of disinformation, and understanding the vulnerabilities of key infrastructural systems are just a few of the areas in which cybersecurity professionals are indispensable. This textbook provides a comprehensive, student-oriented introduction to this capacious, interdisciplinary subject. Cybersecurity in Context covers both the policy and practical dimensions of the field. Beginning with an introduction to cybersecurity and its major challenges, it proceeds to discuss the key technologies which have brought cybersecurity to the fore, its theoretical and methodological frameworks and the legal and enforcement dimensions of the subject. The result is a cutting-edge guide to all key aspects of one of this century’s most important fields. Cybersecurity in Context is ideal for students in introductory cybersecurity classes, and for IT professionals looking to ground themselves in this essential field.

Table of Contents:
About the Authors xiii Preface xv Acknowledgments xix About the Companion Website xxi Introduction xxiii I What is Cybersecurity? 1 What Is Cybersecurity? 3 1.1 What Is the Cyber in Cybersecurity? 5 1.1.1 Cyberspace’s Places and the Problem of Internet Sovereignty 8 1.2 What Is the Security in Cybersecurity? The “CIA” Triad 12 1.2.1 The Internet’s Threat Model 15 1.2.2 Computer Security Versus “Cybersecurity” 19 1.2.3 Security, Innovation, “Hacking” 23 1.2.4 Security from a Private Sector Perspective 24 1.2.5 Building on the CIA Triad 26 1.2.6 Cybersecurity Definitions 27 1.3 Encryption Is Critical in Cybersecurity 28 1.3.1 Modern Cryptosystems 29 1.3.2 Hashing 33 1.4 Cyberpower: How Insecurity Empowers and Undermines Nations 37 1.5 Is Disinformation a Cybersecurity Concern? 40 1.5.1 From Information Scarcity to Glut 41 1.5.2 The Power of Influence Campaigns on the Internet 43 1.5.3 Libicki’s Disinformation Framework 46 1.5.4 The US Approach: Free Speech First 48 1.5.5 Election Interference 50 1.5.6 Is There Really Reason to Be Concerned? 53 1.6 International Views 55 1.7 Conclusion: A Broad Approach 57 2 Technology Basics and Attribution 59 2.1 Technology Basics 60 2.1.1 Fundamentals 60 2.1.2 Reliance Is a Fundamental Element of Computing and the Internet 66 2.1.3 Internet Layers 68 2.1.4 Cybersecurity Depends on Generations of Legacy Technologies 77 2.1.5 “Controlling” the Internet 84 2.1.6 Why Not Start Over? 85 2.2 Attribution 86 2.2.1 Types of Attribution 91 2.2.2 Attribution Process 92 2.2.3 Don’t Be Surprised: Common Dynamics in Attribution 103 2.2.4 The Future of Attribution 106 2.3 Conclusion: An End to Anonymity? 108 II Cybersecurity’s Contours 3 Economics and the Human Factor 111 3.1 Economics of Cybersecurity 112 3.1.1 Asymmetry and the Attack/Defense Balance 116 3.1.2 Incentive “Tussles” 118 3.2 The People Shaping Internet Technology and Policy 120 3.2.1 Tragedies of the Un- managed Commons 124 3.3 The Human Factor— The Psychology of Security 127 3.3.1 Attackers as Behavioral Economists 127 3.3.2 Institutions as Rational Choice Economists 130 3.3.3 User Sophistication 134 3.3.4 The Role of Emotion and the Body 136 3.3.5 Security as Afterthought 138 3.3.6 RCT: The User View 138 3.4 Conclusion 140 4 The Military and Intelligence Communities 141 4.1 Why Cybersecurity Is Center Stage 144 4.2 Are Cyberattacks War? 148 4.2.1 Cyber War Will Not Take Place 148 4.2.2 Cyber War Is Coming 153 4.2.3 The Law of War 155 4.2.4 Cyber Realpolitik 162 4.3 Computers and the Future of Conflict 165 4.3.1 The Changing Nature of Conflict 166 4.4 Cybersecurity and the Intelligence Community 176 4.4.1 The Intelligence Community 178 4.4.2 The Power of the Platform 187 4.4.3 The Vulnerabilities Equities Process 189 4.4.4 Cyber Soldiers and/or Cyber Spies? 193 4.5 Conclusion 195 5 Cybersecurity Theory 197 5.1 Deterrence Theory 198 5.1.1 Deterrence Theory Contours 199 5.1.2 Deterring with Entanglement and Norms 207 5.1.3 Cyber “Power” 209 5.1.4 The Deterrence Theory Critique 213 5.2 Security Studies: Anarchy, Security Dilemma, and Escalation 215 5.2.1 Anarchy 215 5.2.2 The Security Dilemma 216 5.2.3 Escalation and the Security Dilemma 218 5.2.4 Securitization: Nissenbaum Revisited 222 5.2.5 The Problem of Referent Object 223 5.2.6 Nissenbaum’s Alternative Vision: Cyberattacks Are Just Crimes 224 5.2.7 A Response to Nissenbaum: Strategic Risks Do Exist 225 5.3 Economic Theory: The Tragedy of the Cybersecurity Commons 226 5.3.1 The Free Problem 227 5.4 The Public Health Approach 230 5.5 Gerasimov and “Hybrid War:” Information Domain Revisited 233 5.5.1 The US Reaction 235 5.6 Barlowism as Theory 237 5.6.1 Technology Utopianism: The Internet as Democratizing 237 5.6.2 Utopia as No Place, But as Organic 242 5.6.3 High Modernism and Authoritarian High Modernism 243 5.7 Conclusion 246 III Cybersecurity Law and Policy 6 Consumer Protection Law 249 6.1 Federal Trade Commission Cybersecurity 250 6.1.1 FTC’s Legal Authority 252 6.1.2 Unfairness 254 6.1.3 Deception 257 6.1.4 The Zoom Case— Complaint 258 6.1.5 The Zoom Case— Settlement 262 6.2 FTC Adjacent Cybersecurity 267 6.2.1 The Attorneys General 267 6.2.2 Self- regulation 268 6.2.3 Product Recalls 270 6.3 The Limits of the Consumer Protection Approach 271 6.3.1 Two Litigation Moats: Standing and Economic Loss 272 6.3.2 The Devil in the Beltway 275 6.4 Conclusion 279 7 Criminal Law 281 7.1 Computer Crime Basics 282 7.2 Computer Crime Incentive Contours 283 7.3 The Political/Economic Cyber Enforcement Strategy 287 7.4 Cybercrime’s Technical Dependencies 291 7.5 The Major Substantive Computer Crime Laws 293 7.5.1 Identity Theft 294 7.5.2 The Computer Fraud and Abuse Act (CFAA) 297 7.5.3 Other Computer Crime Relevant Statutes 309 7.5.4 Digital Abuse 311 7.6 High- Level Investigative Procedure 312 7.6.1 Investigative Dynamics 312 7.6.2 Investigative Process 317 7.6.3 Obtaining the Data 317 7.6.4 Stored Communications, Metadata, Identity, and “Other” 318 7.7 Live Monitoring 324 7.7.1 International Requests and the CLOUD Act 326 7.7.2 National Security Access Options 329 7.8 Conclusion 332 8 Critical Infrastructure 333 8.1 What Is “Critical Infrastructure” 336 8.2 Political Challenges in Securing Critical Infrastructure 341 8.3 Cyber Incident Reporting for Critical Infrastructure Act of 2022 343 8.4 Technical Dynamics 345 8.4.1 What Does CI Designation Mean 345 8.5 NIST Cybersecurity Framework 346 8.5.1 NIST Broken Down 346 8.5.2 Electricity and Cybersecurity 348 8.6 Alternative Approaches to the NIST Cybersecurity Framework 351 8.6.1 Assessments and Audits— They’re Different 352 8.6.2 Requirements- based Standards 352 8.6.3 Process- Based and Controls- Based Standards 354 8.6.4 Privacy != Security 356 8.6.5 Standards Critiques 357 8.7 The Other CISA— Cybersecurity Information Sharing Act of 2015 358 8.7.1 Information- sharing Theory 358 8.7.2 Information- Sharing Practice 360 8.7.3 Provisions of CISA (the Act) 362 8.8 Conclusion 365 9 Intellectual Property Rights 367 9.1 IPR Problems: Context 368 9.1.1 IP Threats 369 9.1.2 Apt1 371 9 2 Protection of Trade Secrets 373 9.2.1 Reasonable Measures for Protecting Trade Secrets 374 9.2.2 Rights Under the DTSA 375 9.2.3 The Electronic Espionage Act (EEA) 378 9.3 Copyright and Cybersecurity 379 9.3.1 The DMCA and Critical Lessons for Software Testing 385 9.4 Online Abuse and IP Remedies 385 9.4.1 Public Law Remedies for Abuse 387 9.4.2 Private Law Remedies for Abuse 392 9 5 Conclusion 392 10 The Private Sector 393 10.1 There Will Be Blood: Risk and Business Operations 394 10.2 The Politics of Sovereignty 397 10.2.1 Homo Economicus Meets North Korea 400 10.2.2 Technological Sovereignty 402 10.2.3 Committee on Foreign Investment in the United States 404 10.2.4 Data Localization 405 10.2.5 Export Control 406 10.3 The APT Problem 407 10.4 The Security Breach Problem 411 10.4.1 Trigger Information 413 10.4.2 What Is an Incident? What Is a Breach? 414 10.4.3 Notification Regimes 415 10.4.4 Does Security Breach Notification Work? 420 10.5 Hacking Back: CISA (The Statute) Revisited 421 10.6 The Special Case of Financial Services 425 10.6.1 Gramm Leach Bliley Act (GLBA) 425 10.7 Publicly Traded Companies and Cybersecurity 430 10.7.1 Material Risks and Incidents 431 10.7.2 SEC Enforcement 432 10.7.3 The Board of Directors 434 10.8 Cybersecurity Insurance 437 10.8.1 Insurer Challenges 438 10.8.2 Buying Insurance 439 10.9 Conclusion 440 IV Cybersecurity and the Future 11 Cybersecurity Tussles 443 11.1 A Public Policy Analysis Method 444 11.2 Software Liability: Should Developers Be Legally Liable for Security Mistakes? 446 11.3 Technical Computer Security Versus Cybersecurity Revisited 449 11.3.1 The Criminal Law Alternative 450 11.3.2 The Consumer Law Approach 451 11.3.3 The Industrial Policy Approach 451 11.4 Encryption and Exceptional Access 453 11.5 Disinformation Revisited 457 11.5.1 Racist Speech and Cybersecurity 460 11.5.2 What Expectations About Disinformation Are Reasonable? 461 11.6 Conclusion 461 12 Cybersecurity Futures 463 12.1 Scenarios Methods 464 12.2 Even More Sophisticated Cyberattacks 465 12.3 Quantum Computing 466 12.4 Automaticity and Autonomy: Artificial Intelligence and Machine Learning 467 12.5 The Data Trade and Security 470 12.6 The Sovereign Internet 471 12.7 Outer Space Cyber 473 12.8 Classification Declassed 475 12.9 Attribution Perfected or Not 476 12.10 Conclusion 476 V Further Reading and Index Further Reading 481 Index 495

About the Author :
Chris Jay Hoofnagle is Professor of Law in Residence at the University of California, Berkeley, where he has taught since 2006. He has published extensively on cybersecurity law and related subjects, and is a practicing attorney with venture law firm Gunderson Dettmer, as well as an advisor to multiple defense and intelligence technology companies. Golden G. Richard III is Professor of Computer Science and Director of the Cyber Center at Louisiana State University. He is a Fellow of the American Academy of Forensic Sciences with over thirty years of experience in teaching cybersecurity and related topics in computer science. His primary areas of expertise are in memory forensics, digital forensics, malware analysis, reverse engineering, and systems programming.