994 research outputs found

    Regulating Cyber-security

    The conventional wisdom is that this country’s privately owned critical infrastructure—banks, telecommunications networks, the power grid, and so on—is vulnerable to catastrophic cyber-attacks. The existing academic literature does not adequately grapple with this problem, however, because it conceives of cyber-security in unduly narrow terms: most scholars understand cyber-attacks as a problem of either the criminal law or the law of armed conflict. Cyber-security scholarship need not run in such established channels. This Article argues that, rather than thinking of private companies merely as potential victims of cyber-crimes or as possible targets in cyber-conflicts, we should think of them in administrative law terms. Many firms that operate critical infrastructure tend to underinvest in cyber-defense because of problems associated with negative externalities, positive externalities, free riding, and public goods— the same sorts of challenges the modern administrative state faces in fields like environmental law, antitrust law, products liability law, and public health law. These disciplines do not just yield a richer analytical framework for thinking about cyber-security; they also expand the range of possible responses. Understanding the problem in regulatory terms allows us to adapt various regulatory solutions—such as monitoring and surveillance to detect malicious code, hardening vulnerable targets, and building resilient and recoverable systems—for the cyber-security context. In short, an entirely new conceptual approach to cyber-security is needed

    Punitive Damages in Cyberspace: Where in the World is the Consumer?


    Service-Oriented Foreign Direct Investment: Legal and Policy Frameworks Protecting Digital Assets in Offshoring Information Technology (IT) - Enabled Services

    This thesis examines challenges caused by global cyberspace, which continues to undermine the ability of regulatory instruments aimed at cyber security and deterring cybercrime so that digital assets including those associated with Foreign Direct Investment (FDI) are protected. Progress in information and communication technology (ICT) has brought about both challenges and opportunities for mankind. While ICT has enabled seamless communication on cyberspace, it has also made every phenomenon, positive or negative on cyberspace possible. The good side of ICT is the endless opportunities provided to harness multiple features and capabilities of associated technologies while its side effect being the enormous security challenge on cyberspace. Legal and policy frameworks are needed to help mitigate cyber security threats and safeguard digital assets against such threats while promoting the benefits of ICT. To this end nations attempt to regulate cyberspace within their territories, but may quickly find out that issues on cyberspace are both global and national at the same time, and as such not fully controllable at national levels only. If nations cannot fully regulate ICT and cyberspace, this will have negative implications for digital investor’s assets in their territories as well. That is investor’s information assets may not be adequately safeguarded by means of national legal instruments. This dissertation seeks to analyze the question as to whether it is entirely possible for nation-states to address the multifaceted challenges introduced by cyberspace with appropriate national legal and policy frameworks alone to protect digital investments. 
This dissertation argues that, on the one hand, nations are behind in providing proper regulatory coverage for cyberspace, while, on the other hand, existing regulations have largely been unsuccessful in containing cyber security threats primarily due to complications caused by the ubiquitous global presence of cyberspace per se. Consequently, investor’s digital assets are more susceptible to unauthorized access and use, or destruction, all of which cannot be fully accounted for with currently available legal or technical means. There is a strong indication that digital investor assets demand more protection efforts from both investors and forum nations alike compared to what is needed to protect and promote traditional FDI

    False Comfort from Nuclear Analogies : How International Trade Restrictions Apply to Cyberspace

    This thesis evaluates the international legal framework of trade restrictions in the context of cyberspace. Certain cyber goods are recognized as dual-use goods based on their potential military applications. Thereby, the existing legal framework for governing the trade of sensitive goods is extended analogically to apply to cyber goods. The first research question presented in this paper is whether international law includes a legal basis for using trade policy as a measure for security governance in cyberspace. To answer this research question, the paper evaluates how security interests are regarded in trade policy. This evaluation is conducted by analysing the nature of security interests with the constructivist method and reviewing the General Agreement on Tariffs and Trade with the de lege lata approach. The second research question evaluates whether trade policy is a suitable model for governing threats in the cyberspace. This research question covers the evaluation of existing non-proliferation focused trade policies, mainly the Wassenaar Arrangement, and grounds for applying the same approach to cyber goods. This evaluation also includes observing the nature of cyber goods and the cyber goods industry with a socio-legal method. Dual-use nuclear goods are used as a reference point in a comparison between cyber goods and conventional dual-use goods. The purpose of the thesis is to examine the implications of applying trade policy as a security measure in cyberspace. The choice of extending an existing legal framework instead of establishing a separate framework specifically for cyberspace may have a broader impact on the legal status of cyberspace. The paper evaluates whether the current legal approach to governing dual-use cyber goods takes into account the nature of cyberspace in an adequate manner. This paper concludes that international trade law provides a legal basis for imposing trade restrictions for cyber goods based on security interests. 
However, the analogical extension of the non-proliferation focused trade policy framework does not fully adapt to the nature of cyber goods and the cyber goods industry. Thereby, the current model for the governance of dual-use cyber goods may result in negative effects in the industry by restricting trade without providing equivalent benefit in the form of decreasing cyber risks. The possible solutions proposed based on the research conducted in this paper include incorporating views and practices of private sector stakeholders as an essential input in any regulation related to cyberspace, establishing a separate cyber convention for properly defining the legal status of cyberspace, and promoting global initiatives for cyber resilience

    Cyber Law and Espionage Law as Communicating Vessels

    Professor Lubin's contribution is Cyber Law and Espionage Law as Communicating Vessels, pp. 203-225. Existing legal literature would have us assume that espionage operations and “below-the-threshold” cyber operations are doctrinally distinct. Whereas one is subject to the scant, amorphous, and under-developed legal framework of espionage law, the other is subject to an emerging, ever-evolving body of legal rules, known cumulatively as cyber law. This dichotomy, however, is erroneous and misleading. In practice, espionage and cyber law function as communicating vessels, and so are better conceived as two elements of a complex system, Information Warfare (IW). This paper therefore first draws attention to the similarities between the practices – the fact that the actors, technologies, and targets are interchangeable, as are the knee-jerk legal reactions of the international community. In light of the convergence between peacetime Low-Intensity Cyber Operations (LICOs) and peacetime Espionage Operations (EOs) the two should be subjected to a single regulatory framework, one which recognizes the role intelligence plays in our public world order and which adopts a contextual and consequential method of inquiry. The paper proceeds in the following order: Part 2 provides a descriptive account of the unique symbiotic relationship between espionage and cyber law, and further explains the reasons for this dynamic. Part 3 places the discussion surrounding this relationship within the broader discourse on IW, making the claim that the convergence between EOs and LICOs, as described in Part 2, could further be explained by an even larger convergence across all the various elements of the informational environment. Parts 2 and 3 then serve as the backdrop for Part 4, which details the attempt of the drafters of the Tallinn Manual 2.0 to compartmentalize espionage law and cyber law, and the deficits of their approach.
The paper concludes by proposing an alternative holistic understanding of espionage law, grounded in general principles of law, which is more practically transferable to the cyber realm.

    Cyber Analogies

    This anthology of cyber analogies will resonate with readers whose duties call for them to set strategies to protect the virtual domain and determine the policies that govern it. Our belief is that learning is most effective when concepts under consideration can be aligned with already-existing understanding or knowledge. Cyber issues are inherently tough to explain in layman's terms. The future is always open and undetermined, and the numbers of actors and the complexity of their relations are too great to give definitive guidance about future developments. In this respect, historical analogies, carefully developed and properly applied, help indicate a direction for action by reducing complexity and making the future at least cognately manageable.
    US Cyber Command
    Introduction: Emily O. Goldman & John Arquilla; The Cyber Pearl Harbor: James J. Wirtz; Applying the Historical Lessons of Surprise Attack to the Cyber Domain: The Example of the United Kingdom: Dr Michael S. Goodman; The Cyber Pearl Harbor Analogy: An Attacker’s Perspective: Emily O. Goldman, John Surdu, & Michael Warner; “When the Urgency of Time and Circumstances Clearly Does Not Permit...”: Redelegation in Nuclear and Cyber Scenarios: Peter Feaver & Kenneth Geers; Comparing Airpower and Cyberpower: Dr. Gregory Rattray; Active Cyber Defense: Applying Air Defense to the Cyber Domain: Dorothy E. Denning & Bradley J. Strawser; The Strategy of Economic Warfare: A Historical Case Study and Possible Analogy to Contemporary Cyber Warfare: Nicholas A. Lambert; Silicon Valley: Metaphor for Cybersecurity, Key to Understanding Innovation War: John Kao; The Offense-Defense Balance and Cyber Warfare: Keir Lieber; A Repertory of Cyber Analogies: Robert Axelro

    Cybersecurity for Infrastructure: A Critical Analysis

    Nations and their citizens rely on infrastructures. Their incapacitation or destruction could prevent nations from protecting themselves from threats, cause substantial economic harm, and even result in the loss of life. Therefore, safeguarding these infrastructures is an obvious strategic task for any sovereign state. While the need to protect critical infrastructures (CIs) is far from novel, digitization brings new challenges as well as increased cyber-risks. This need is self-evident; yet, the optimal policy regime is debatable. The United States and other nations have thus far opted for very light regulation, merely encouraging voluntary steps while choosing to intervene only in a handful of sectors. Over the past few years, several novel laws and regulations addressing this emerging issue have been legislated. Yet, the overall trajectory of limited regulatory intervention has not changed. With that, the wisdom of such a limited regulatory framework must be revisited and possibly reconsidered. This Article fills an important gap in the legal literature by contributing to and promoting this debate on cyber-risk regulation of CIs, while mapping out the relevant rights, options, and interests this ‘critical’ debate entails and setting forth a regulatory blueprint that balances the relevant factors and considerations. The Article begins in Part II by defining CIs and cyber risks and explaining why cyber risk requires a reassessment of CI protection strategies. Part III describes the means used by the United States and several other nations to address cyber risks of CIs. Part IV examines a market-based approach with minimal governmental intervention to critical infrastructure cyber-regulation, along with the various market failures, highlighting assorted minimal measures to correct these problems. 
It further examines these limited forms of regulation, which merely strive to bridge information and expertise barriers, assign ex post liability for security-related harms, or provide other specific incentives—and finds them all insufficient. Part V continues the normative evaluation of CI cyber-protection models, focusing on ex ante approaches, which require more intrusive government involvement in terms of setting and enforcing standards. It discusses several concerns with this regulatory strategy, including the lack of governmental expertise, regulatory capture, compromised rights, lack of transparency, and the centralization of authority. Finally, in Part VI, the Article proposes a blueprint for CI cyber protection that goes beyond the mere voluntary regulatory strategy applied today