Law Commons^™

Improving Ethics Surrounding Collegiate-Level Hacking Education: Recommended Implementation Plan & Affiliation With Peer-Led Initiatives, Shannon Morgan, Dr. Sanjay Goel

Military Cyber Affairs

Cybersecurity has become a pertinent concern, as novel technological innovations create opportunities for threat actors to exfiltrate sensitive data. To meet the demand for professionals in the workforce, universities have ramped up their academic offerings to provide a broad range of cyber-related programs (e.g., cybersecurity, informatics, information technology, digital forensics, computer science, & engineering). As the tactics, techniques, and procedures (TTPs) of hackers evolve, the knowledge and skillset required to be an effective cybersecurity professional have escalated accordingly. Therefore, it is critical to train cyber students both technically and theoretically to actively combat cyber criminals and protect the confidentiality, integrity, …

Securing The Void: Assessing The Dynamic Threat Landscape Of Space, Brianna Bace, Dr. Unal Tatar

Military Cyber Affairs

Outer space is a strategic and multifaceted domain that is a crossroads for political, military, and economic interests. From a defense perspective, the U.S. military and intelligence community rely heavily on satellite networks to meet national security objectives and execute military operations and intelligence gathering. This paper examines the evolving threat landscape of the space sector, encompassing natural and man-made perils, emphasizing the rise of cyber threats and the complexity introduced by dual-use technology and commercialization. It also explores the implications for security and resilience, advocating for collaborative efforts among international organizations, governments, and industry to safeguard the space sector.

Integrating Nist And Iso Cybersecurity Audit And Risk Assessment Frameworks Into Cameroonian Law, Bernard Ngalim

Journal of Cybersecurity Education, Research and Practice

This paper reviews cybersecurity laws and regulations in Cameroon, focusing on cybersecurity and information security audits and risk assessments. The importance of cybersecurity risk assessment and the implementation of security controls to cure deficiencies noted during risk assessments or audits is a critical step in developing cybersecurity resilience. Cameroon's cybersecurity legal framework provides for audits but does not explicitly enumerate controls. Consequently, integrating relevant controls from the NIST frameworks and ISO Standards can improve the cybersecurity posture in Cameroon while waiting for a comprehensive revision of the legal framework. NIST and ISO are internationally recognized as best practices in information …

Security-Enhanced Serial Communications, John White, Alexander Beall, Joseph Maurio, Dane Fichter, Dr. Matthew Davis, Dr. Zachary Birnbaum

Military Cyber Affairs

Industrial Control Systems (ICS) are widely used by critical infrastructure and are ubiquitous in numerous industries including telecommunications, petrochemical, and manufacturing. ICS are at a high risk of cyber attack given their internet accessibility, inherent lack of security, deployment timelines, and criticality. A unique challenge in ICS security is the prevalence of serial communication buses and other non-TCP/IP communications protocols. The communication protocols used within serial buses often lack authentication and integrity protections, leaving them vulnerable to spoofing and replay attacks. The bandwidth constraints and prevalence of legacy hardware in these systems prevent the use of modern message authentication and …

What Senior U.S. Leaders Say We Should Know About Cyber, Dr. Joseph H. Schafer

Military Cyber Affairs

On April 6, 2023, the Atlantic Council’s Cyber Statecraft Initiative hosted a panel discussion on the new National Cybersecurity Strategy. The panel featured four senior officials from the Office of the National Cyber Director (ONCD), the Department of State (DoS), the Department of Justice (DoJ), and the Department of Homeland Security (DHS). The author attended and asked each official to identify the most important elements that policymakers and strategists must understand about cyber. This article highlights historical and recent struggles to express cyber policy, the responses from these officials, and the author’s ongoing research to improve national security cyber policy.

The Security And Cyber Defence Realities And Difficulties In Algeria, Kada Aicha

Journal of Police and Legal Sciences

This research paper aims to shed light on the digital challenge faced by Algeria as it enters the world of the knowledge society, which qualifies it to achieve cybersecurity and cyber defense against various forms and types of security threats, including cyber threats. The researcher used an analytical approach to understand the phenomenon under study and trace its causes, in addition to a case study method to study all aspects of the studied phenomenon and identify the characteristics of the case study - Algeria was chosen as the analysis unit. The study concluded several important results, including:

The deficiency of …

Ransomware Groups On Notice: U.S. Cyber Operation Against Revil Is Permissible Under International Law, Justin Singh

American University International Law Review

The continued increase in the use of ransomware by cyber criminals has had a costly impact on businesses and organizations around the world. Ransomware groups continue to initiate attacks on businesses and organizations, and states have become increasingly concerned over the potential impact it may have on their critical infrastructure and economies. The United States’ recent acknowledgement of cyber operations against ransomware groups highlights the seriousness of the issue and exposes areas of international law that are complicated when applied to cyber operations against these groups. This Comment explores the relevant international law as it applies to the United States …

Strengthening Our Intuitions About Hacking, Jeffrey L. Vagle

Indiana Law Journal

The computer trespass analogy has served us reasonably well as a basis for cybersecurity policies and related anti-hacking laws, but computers, and our uses of them, have changed significantly in ways that stretch the computer trespass metaphor beyond usefulness. This Essay proposes an approach to expanding and strengthening our intuitions about computer security that accounts for new computing paradigms, giving courts and lawmakers additional tools for interpreting and drafting effective anti-hacking laws.

This Essay argues that many new and existing computer use scenarios leave courts unsure how existing anti-hacking laws might apply, increasing the possibility of under- or over-inclusive policies …

The Law And Politics Of Ransomware, Asaf Lubin

Vanderbilt Journal of Transnational Law

What do Lady Gaga, the Royal Zoological Society of Scotland, the city of Valdez in Alaska, and the court system of the Brazilian state of Rio Grande do Sul all have in common? They have all been victims of ransomware attacks, which are growing both in number and severity. In 2016, hackers perpetrated roughly four thousand ransomware attacks a day worldwide, a figure which was already alarming. By 2020, however, ransomware attacks reached a staggering number, between twenty thousand and thirty thousand per day in the United States alone. That is a ransomware attack every eleven seconds, each of which …

Small Business Cybersecurity: A Loophole To Consumer Data, Matthew R. Espinosa

The Scholar: St. Mary's Law Review on Race and Social Justice

Small businesses and small minority owned businesses are vital to our nation’s economy; therefore legislation, regulation, and policy has been created in order to assist them in overcoming their economic stability issues and ensure they continue to serve the communities that rely on them. However, there is not a focus on regulating nor assisting small businesses to ensure their cybersecurity standards are up to par despite them increasingly becoming a victim of cyberattacks that yield high consequences. The external oversight and assistance is necessary for small businesses due to their lack of knowledge in implementing effective cybersecurity policies, the fiscal …

Defensive Industrial Policy: Cybersecurity Interventions To Reduce Intellectual Property Theft, Dr. Chad Dacus, Dr. Carl (Cj) Horn

Military Cyber Affairs

Through cyber-enabled industrial espionage, China has appropriated what Keith Alexander, the former Director of the National Security Agency, dubbed “the largest transfer of wealth in history.” Although China disavows intellectual property (IP) theft by its citizens and has set self-sustained research and development as an important goal, it is unrealistic to believe IP theft will slow down meaningfully without changing China’s decision calculus. China and the United States have twice agreed, in principle, to respect one another’s IP rights. However, these agreements have lacked any real enforcement mechanism, so the United States must do more to ensure its IP is …

Book Review: This Is How They Tell Me The World Ends: The Cyberweapons Arms Race (2020) By Nicole Perlroth, Amy C. Gaudion

Dickinson Law Review (2017-Present)

No abstract provided.

What's The Harm? Federalism, The Separation Of Powers, And Standing In Data Breach Litigation, Grayson Wells

Indiana Law Journal

This Comment will argue that the Supreme Court should analyze standing in data breach litigation under a standard that is deferential to state statutory and common law. Specifically, federal standing analysis should look to state law when determining whether an injury is concrete such that the injury-in-fact requirement is met. Some argue that allowing more data breach cases to proceed to the merits could lead to an explosion of successful litigation and settlements, burdening the federal courts and causing economic losses for the breached businesses. These concerns may be valid. But if state law provides a remedy to the harm …

The Evolution Of Legal Risks Pertaining To Patch Management And Vulnerability Management, James T. Kitchen, David R. Coogan, Keeton H. Christian

Duquesne Law Review

This article begins with an overview, in non-technical terms, of the tools generally available and processes implemented for vulnerability management and patch management. Section II identifies some of the evolving security standards that regulators and plaintiffs may rely on to show that companies are legally required to have vulnerability management and patch management. Section III identifies U.S. legal implications of vulnerability management and patch management and factors that a court and regulators may consider.

Show Me The (Data About The) Money!, Nizan Geslevich Packin

Utah Law Review

Information about consumers, their money, and what they do with it is the lifeblood of the flourishing financial technology (“FinTech”) sector. Historically, highly regulated banks jealously protected this data. However, consumers themselves now share their data with businesses more than ever before. These businesses monetize and use the data for countless prospects, often without the consumers’ actual consent. Understanding the dimensions of this recent phenomenon, more and more consumer groups, scholars, and lawmakers have started advocating for consumers to have the ability to control their data as a modern imperative. This ability is tightly linked to the concept of open …

Trimming The Fat: The Gdpr As A Model For Cleaning Up Our Data Usage, Kassandra Polanco

Touro Law Review

No abstract provided.

The Survival Of Critical Infrastructure: How Do We Stop Ransomware Attacks On Hospitals?, Helena Roland

Catholic University Journal of Law and Technology

Our nation’s infrastructure is under an emerging new threat: ransomware attacks. These attacks can cause anything from individual laptops, to entire cities to shut down for a period of time until the victim pays a ransom to the attacker. Unfortunately, these attacks are on the rise and the attackers have a new target: hospitals. Ransomware attacks on hospitals can temporarily shut down operating room technology and limit physician access to patient files, ultimately threatening the safety of hospital patients and the surrounding community. This paper examines how the threat of ransomware attacks on hospitals is on the rise and what …

Cybersecurity Oversight Liability, Benjamin P. Edwards

Georgia State University Law Review

A changing cybersecurity environment now poses a significant corporate-governance challenge. Although some cybersecurity data breaches may be inevitable, courts now increasingly consider when a corporation’s officers and directors may be held liable on theories that they acted in bad faith and failed to adequately oversee the corporation’s affairs. This short essay reviews recent derivative decisions and encourages corporate boards to recognize that in an environment filled with increasing threats, a reasonable response will require devoting real resources and attention to cybersecurity issues.

Creating A National Data Privacy Law For The United States, Shaun G. Jamison

Cybaris®

No abstract provided.

Cybersecurity And The Rights Of The Internet User In France, Jennifer Cross

Georgia Journal of International & Comparative Law

No abstract provided.

“Private” Cybersecurity Standards? Cyberspace Governance, Multistakeholderism, And The (Ir)Relevance Of The Tbt Regime, Shin-Yi Peng

Cornell International Law Journal

We are now living in a hyper-connected world, with a myriad of devices continuously linked to the Internet. Our growing dependence on such devices exposes us to a variety of cybersecurity threats. This ever-increasing connectivity means that vulnerabilities can be introduced at any phase of the software development cycle. Cybersecurity risk management, therefore, is more important than ever to governments at all developmental stages as well as to companies of all sizes and across all sectors. The awareness of cybersecurity threats affects the importance placed on the use of standards and certification as an approach.

Corporate Cybersecurity: The International Threat To Private Networks And How Regulations Can Mitigate It, Eric J. Hyla

Vanderbilt Journal of Entertainment & Technology Law

Cyberattacks are occurring at an accelerating pace. Foreign nations are increasingly utilizing hacking as a tool for economic gain, acts of aggression, or international political expression. At risk are US consumers'personal data, private firms' bottom line, and the economies'integrity. In response, federal and state lawmakers have issued a series of disparate, uncoordinated policies seeking to strengthen cybersecurity practices. However, recent events indicate that these policies are less than ideal. This Note suggests that a unified response to cybersecurity is required and calls for the establishment of a single, central federal agency with authority over all cybersecurity regulations. Such an agency …

Global Cybersecurity, Surveillance, And Privacy: The Obama Administration's Conflicted Legacy, Peter Margulies

Indiana Journal of Global Legal Studies

To analyze the Obama administration's cyber efforts, this Article proposes a paradigm of stewardship with both discursive and structural dimensions. Discursive stewardship refers to the Executive's openness to dialogue with other stakeholders. Structural stewardship refers to the domestic and transnational distribution of decisional authority, including checks and balances that guard against the excesses of unilateral action. The Article concludes that the Obama administration made substantial progress in each of these realms. However, the outsized role of law enforcement agendas and dearth of clearly articulated checks on transnational surveillance drove headwinds that limited forward movement.

Sony, Cyber Security, And Free Speech: Preserving The First Amendment In The Modern World, Conrad Wilton

Pace Intellectual Property, Sports & Entertainment Law Forum

Reprinted from 16 U.C. Davis Bus. L.J. 309 (2016). This paper explores the Sony hack in 2014 allegedly launched by the North Korean government in retaliation over Sony’s production of The Interview and considers the hack’s chilling impact on speech in technology. One of the most devastating cyber attacks in history, the hack exposed approximately thirty- eight million files of sensitive data, including over 170,000 employee emails, thousands of employee social security numbers and unreleased footage of upcoming movies. The hack caused Sony to censor the film and prompted members of the entertainment industry at large to tailor their communication …

Enhancing Cybersecurity In The Private Sector By Means Of Civil Liability Lawsuits - The Connie Francis Effect, Jeffrey F. Addicott

University of Richmond Law Review

The purpose of this article is to explore the threats posed by

cybersecurity breaches, outline the steps taken by the government

to address those threats in the private sector economy, and

call attention to the ultimate solution, which will most certainly

spur private businesses to create a more secure cyber environment

for the American people-a Connie Francis-styled cyber civil

action lawsuit.

Making Democracy Harder To Hack, Scott Shackelford, Bruce Schneier, Michael Sulmeyer, Anne Boustead, Ben Buchanan, Amanda N. Craig Deckard, Trey Herr, Jessica Malekos Smith

University of Michigan Journal of Law Reform

With the Russian government hack of the Democratic National Convention email servers and related leaks, the drama of the 2016 U.S. presidential race highlights an important point: nefarious hackers do not just pose a risk to vulnerable companies; cyber attacks can potentially impact the trajectory of democracies. Yet a consensus has been slow to emerge as to the desirability and feasibility of reclassifying elections—in particular, voting machines—as critical infrastructure, due in part to the long history of local and state control of voting procedures. This Article takes on the debate—focusing on policy options beyond former Department of Homeland Security Secretary …

Authorized Investigation: A Temperate Alternative To Cyber Insecurity, Casey M. Bruner

Seattle University Law Review

This Note aims to show that legal structures created to protect the Internet in its original form are completely insufficient to protect what the Internet has become. This antiquated legal framework is exacerbating the problem. The breadth of activity that the current law restricts severely limits the remedies that cyberattack victims can pursue, and it must be updated. While full hack-back may prove necessary in the long run, I argue for a more temperate initial response to the problem—I call this response “authorized investigation.” Specifically, the Computer Fraud and Abuse Act should be amended to allow victims access to their …

Silencing The Call To Arms: A Shift Away From Cyber Attacks As Warfare, Ryan Patterson

Loyola of Los Angeles Law Review

Cyberspace has developed into an indispensable aspect of modern society, but not without risk. Cyber attacks have increased in frequency, with many states declaring cyber operations a priority in what has been called the newest domain of warfare. But what rules govern? The Tallinn Manual on the International Law Applicable to Cyber Warfare suggests existent laws of war are sufficient to govern cyber activities; however, the Tallinn Manual ignores fundamental problems and unique differences between cyber attacks and kinetic attacks. This Article argues that several crucial impediments frustrate placing cyber attacks within the current umbra of warfare, chiefly the problems …

Global Cyber Intermediary Liability: A Legal & Cultural Strategy, Jason H. Peterson, Lydia Segal, Anthony Eonas

Pace Law Review

This Article fills the gap in the debate on fighting cybercrime. It considers the role of intermediaries and the legal and cultural strategies that countries may adopt. Part II.A of this Article examines the critical role of intermediaries in cybercrime. It shows that the intermediaries’ active participation by facilitating the transmission of cybercrime traffic removes a significant barrier for individual perpetrators. Part II.B offers a brief overview of legal efforts to combat cybercrime, and examines the legal liability of intermediaries in both the civil and criminal context and in varying legal regimes with an emphasis on ISPs. Aside from some …

The Looming Threat Of Cyberterrorism

Maryland Carey Law

Technology has the ability to make gray what was once the black letter of the law.