Law Commons^™

Cyber Plungers: Colonial Pipeline And The Case For An Omnibus Cybersecurity Legislation, Asaf Lubin

Articles by Maurer Faculty

The May 2021 ransomware attack on Colonial Pipeline was a wake-up call for a federal administration slow to realize the dangers that cybersecurity threats pose to our critical national infrastructure. The attack forced hundreds of thousands of Americans along the east coast to stand in endless lines for gas, spiking both prices and public fears. These stressors on our economy and supply chains triggered emergency proclamations in four states, including Georgia. That a single cyberattack could lead to a national emergency of this magnitude was seen by many as proof of even more crippling threats to come. Executive Director of …

Securing Patent Law, Charles Duan

Articles in Law Reviews & Other Academic Journals

A vigorous conversation about intellectual property rights and national security has largely focused on the defense role of those rights, as tools for responding to acts of foreign infringement. But intellectual property, and patents in particular, also play an arguably more important offense role. Foreign competitor nations can obtain and assert U.S. patents against U.S. firms and creators. Use of patents as an offense strategy can be strategically coordinated to stymie domestic innovation and technological progress. This Essay considers current and possible future practices of patent exploitation in this offense setting, with a particular focus on China given the nature …

Platforms, Encryption, And The Cfaa: The Case Of Whatsapp V Nso Group, Jonathon Penney, Bruce Schneier

Articles, Book Chapters, & Popular Press

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or workaround these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. Now, after the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now …

It's Time To Reform The U.S. Vulnerabilities Equities Process, Amy Gaudion

Faculty Scholarly Works

No abstract provided.

Persuasion About/Without International Law: The Case Of Cybersecurity Norms, Steven R. Ratner

Book Chapters

International law on cybersecurity is characterized by at best a thin consensus on the existence of rules, their meaning, and the desirability and content of new rules. This legal landscape results in a unique pattern of argumentation and persuasion by states and non-state actors both in advocating for a regulatory scheme for cyber activity and in reacting to malicious cyber acts. By examining argumentation in the absence of a generally agreed legal framework, this chapter seeks to provide new insights into the motivations for and effects of international legal argumentation in shaping debates and behavior. After describing the legal landscape …

Recognizing The Role Of Inspectors General In The U.S. Government's Cybersecurity Restructuring Task, Amy Gaudion

Faculty Scholarly Works

Months prior to the 2015 public disclosure of a data breach at the U.S. government’s Office of Personnel and Management (OPM), the Office of the Inspector General for OPM issued a report that identified significant deficiencies and material weaknesses in a number of the agency’s information systems and IT security programs. In response to the 2020 SolarWinds supply chain hack, attributed to Russia, calls are underway for inspectors general to conduct audits and inspections and to review prior inspector general assessments of information systems and vulnerabilities at federal agencies. The use of inspectors general to assess information system vulnerabilities and …

National Cybersecurity Innovation, Tabrez Y. Ebrahim

Faculty Scholarship

National cybersecurity plays a crucial role in protecting our critical infrastructure, such as telecommunication networks, the electricity grid, and even financial transactions. Most discussions about promoting national cybersecurity focus on governance structures, international relations, and political science. In contrast, this Article proposes a different agenda and one that promotes the use of innovation mechanisms for technological advancement. By promoting inducements for technological developments, such innovation mechanisms encourage the advancement of national cybersecurity solutions. In exploring possible solutions, this Article asks whether the government or markets can provide national cybersecurity innovation. This inquiry is a fragment of a much larger literature …

Linn Foster Freedman Room Dedication At Rwu School Of Law 11-01-2019, Roger Williams University School Of Law, Michael M. Bowden

School of Law Conferences, Lectures & Events

No abstract provided.

Dean's Desk: Iu Maurer Programs Supporting Careers In Cybersecurity, Austen L. Parrish

Austen Parrish (2014-2022)

A recent Bureau of Labor Statistics report estimated a near 30 percent growth in coming years for information security professionals, far outpacing most other job types. While Indiana University has long recognized the importance of data security and privacy, multiple new initiatives are ensuring that the next generation of chief information security officers, systems analysts, privacy professionals and others will come from our law school.

One of the ways the law school is leading the way is through the university’s new master of science in cybersecurity risk management. That degree program combines the resources of three of IU’s top-ranked schools …

Promoting International Cybersecurity Cooperation: Lessons From The Proliferation Security Initiative, Duncan B. Hollis, Matthew C. Waxman

Faculty Scholarship

Global efforts by states to cooperate through international rules in combating cyber threats have generated mixed results, at best. In this paper, we examine the architecture of the Proliferation Security Initiative (PSI) as a possible model for future cybersecurity cooperation among interested states. We identify several features of PSI’s architecture (rather than its substantive focus on non-proliferation) for further analysis, including PSI’s low entry costs, tiered structure, and flexibility, as well as its leveraging of both territorial jurisdiction and state consent. We conclude that, despite several hurdles visible in the scope of its membership and its legal framework, PSI still …

Ispy: Threats To Individual And Institutional Privacy In The Digital World, Lori Andrews

All Faculty Scholarship

What type of information is collected, who is viewing it, and what law librarians can do to protect their patrons and institutions.

Transforming Election Cybersecurity, David P. Fidler

Articles by Maurer Faculty

No abstract provided.

Cybersecurity Stovepiping, David Thaw

Articles

Most readers of this Article probably have encountered – and been frustrated by – password complexity requirements. Such requirements have become a mainstream part of contemporary culture: "the more complex your password is, the more secure you are, right?" So the cybersecurity experts tell us… and policymakers have accepted this "expertise" and even adopted such requirements into law and regulation.

This Article asks two questions. First, do complex passwords actually achieve the goals many experts claim? Does using the password "Tr0ub4dor&3" or the passphrase "correcthorsebatterystaple" actually protect your account? Second, if not, then why did such requirements become so widespread? …

Comment With The Copyright Office Regarding A Proposed Exemption Under 17 U.S.C. Section 1201 For Software Security Research (Class 25), Candice Hoke

Law Faculty Reports and Comments

Professor Candice Hoke, Cleveland State University, and others (Douglas W. Jones, University of Iowa; Professor Deirdre Mulligan, University of California, Berkeley; Professor Vern Paxson, University of California, Berkeley;Professor Pamela Samuelson, University of California, Berkeley; Bruce Schneier Erik Stallman, Center for Democracy & Technology (CDT); comment addressing Proposed Class 25: Software Security Research and an exemption for software security research in order to promote the active research and testing efforts necessary to keep pace with evolving cybersecurity risks. Software and related access controls are increasingly embedded in a wide range of systems, from consumer goods to medical devices to infrastructure to …

Framing The Question, "Who Governs The Internet?", Robert J. Domanski

Publications and Research

There remains a widespread perception among both the public and elements of academia that the Internet is “ungovernable”. However, this idea, as well as the notion that the Internet has become some type of cyber-libertarian utopia, is wholly inaccurate. Governments may certainly encounter tremendous difficulty in attempting to regulate the Internet, but numerous types of authority have nevertheless become pervasive. So who, then, governs the Internet? This book will contend that the Internet is, in fact, being governed, that it is being governed by specific and identifiable networks of policy actors, and that an argument can be made as to …

Whither The Web?: International Law, Cybersecurity, And Critical Infrastructure Protection, David P. Fidler

Articles by Maurer Faculty

No abstract provided.

Cyber Espionage Or Cyber War?: International Law, Domestic Law, And Self-Protective Measures, Christopher S. Yoo

All Faculty Scholarship

Scholars have spent considerable effort determining how the law of war (particularly jus ad bellum and jus in bello) applies to cyber conflicts, epitomized by the Tallinn Manual on the International Law Applicable to Cyber Warfare. Many prominent cyber operations fall outside the law of war, including the surveillance programs that Edward Snowden has alleged were conducted by the National Security Agency, the distributed denial of service attacks launched against Estonia and Georgia in 2007 and 2008, the 2008 Stuxnet virus designed to hinder the Iranian nuclear program, and the unrestricted cyber warfare described in the 1999 book by …

Data Breach (Regulatory) Effects, David Thaw

Articles

No abstract provided.

Hacking The Wealth Of Nations: Managing Markets Amid Malware, David P. Fidler

Articles by Maurer Faculty

No abstract provided.

Cybersecurity And The Administrative National Security State: Framing The Issues For Federal Legislation, David G. Delaney

Articles by Maurer Faculty

In the digital age, every part of federal government has critical cybersecurity interests. Many of those issues are brought into sharp focus by Edward Snowden's disclosure of sensitive government cyber intelligence programs conducted by the National Security Agency, the Federal Bureau of Investigation, and the Central Intelligence Agency. Courts are reviewing various constitutional and statutory challenges to those programs, two government review groups have reported on related legal and policy issues, and Congress is considering cyber intelligence reform proposals. All of this action comes on the heels of significant efforts by successive administrations to restructure government and pass comprehensive cybersecurity …

The Efficacy Of Cybersecurity Regulation, David Thaw

Articles

Cybersecurity regulation presents an interesting quandary where, because private entities possess the best information about threats and defenses, legislatures do – and should – deliberately encode regulatory capture into the rulemaking process. This relatively uncommon approach to administrative law, which I describe as Management-Based Regulatory Delegation, involves the combination of two legislative approaches to engaging private entities' expertise. This Article explores the wisdom of those choices by comparing the efficacy of such private sector engaged regulation with that of a more traditional, directive mode of regulating cybersecurity adopted by the state legislatures. My analysis suggests that a blend of these …

Enlightened Regulatory Capture, David Thaw

Articles

Regulatory capture generally evokes negative images of private interests exerting excessive influence on government action to advance their own agendas at the expense of the public interest. There are some cases, however, where this conventional wisdom is exactly backwards. This Article explores the first verifiable case, taken from healthcare cybersecurity, where regulatory capture enabled regulators to harness private expertise to advance exclusively public goals. Comparing this example to other attempts at harnessing industry expertise reveals a set of characteristics under which regulatory capture can be used in the public interest. These include: 1) legislatively-mandated adoption of recommendations by an advisory …

Mind The Gap: Explaining Problems With International Law Where Cybersecurity And Critical Infrastructure Protection Meet, David P. Fidler

Articles by Maurer Faculty

No abstract provided.

Nato, Cyber Defense, And International Law, David P. Fidler, Richard Pregent, Alex Vandurme

Articles by Maurer Faculty

Cybersecurity threats pose challenges to individuals, corporations, states, and intergovernmental organizations. The emergence of these threats also presents international cooperation on security with difficult tasks. This essay analyzes how cybersecurity threats affect the North Atlantic Treaty Organization (NATO), which is arguably the most important collective defense alliance in the world.1 NATO has responded to the cyber threat in policy and operational terms (Part I), but approaches and shifts in cybersecurity policies create problems for NATO— problems that NATO principles, practices, and politics exacerbate in ways that will force NATO to address cyber threats more aggressively than it has done so …

Leap-Ahead Privacy As A Government Responsibility In The Digital Age, David G. Delaney, Ivan K. Fong

Articles by Maurer Faculty

No abstract provided.

The Business Of Privacy, Fred H. Cate, Christopher Kuner, Christopher Millard, Dan Jerker B. Svantesson

Articles by Maurer Faculty

No abstract provided.

Cybertrespass And Trespass To Documents, Kevin Emerson Collins

Articles by Maurer Faculty

No abstract provided.

Law In Cyberspace, Fred H. Cate

Articles by Maurer Faculty

No abstract provided.