Class Organization. Class participation is required and will be taken into account in final grading.

Transcription

1 Cybersecurity: The Challenges of Securing Cyberspace Leonard Bailey and Kimberley Raleigh, Adjunct Professors Georgetown University Law Center Spring 2015 (Edited 3/21/15) Class meets for two hours on Wednesdays at 5:45 p.m. Overview. The course will explore why securing the Nation s computer systems, which has been a goal of multiple successive administrations and has broad bipartisan and public support has proven to be so difficult to realize. The topics presented will include the legal and policy framework for cybersecurity, roles and responsibilities of government agencies, private sector cybersecurity risk management, information sharing, and international issues including internet governance, law enforcement cooperation, and nation state activity in cyberspace. Office Hours and Availability. Professors Bailey and Raleigh are available for telephone conferences or meetings by appointment. To schedule, please contact Professor Bailey or Professor Raleigh at Class Organization. Class participation is required and will be taken into account in final grading. Laptops will be allowed in the classroom, but use of the Internet for any activity other than accessing course materials is not allowed. No audio or visual recording devices are permitted in the classroom. Readings. There is no assigned textbook for this class. The reading will consist of academic and general media articles, judicial decisions, statutes, regulations, and executive branch documents listed below. Documents listed below without a link will be posted on Courseware. Additional readings on topical issues will be added to Courseware after the start of the semester. The professors will endeavor to inform the class when materials are added, but students are responsible for checking the website before class each week. The class password is. Writing Assignment. There will be a short, pass/fail writing assignment to prepare students for participation in the exercise that we will be conducting in class 9. The assignment will be due at the beginning of that class and counts toward the class participation grade. To receive credit for its completion, students must turn it in on time. Class Presentation. Students will select a topic and a partner and prepare a ten minute class presentation. An additional five minutes will be reserved for each pair to engage the class in a question and answer session. Active class participation is expected. Exam. There will be a four- hour take- home exam that will cover concepts from class and the readings. The exam questions will be available from the beginning of the exam period; answers must be turned in by Monday, May 4, 2015 at 9 a.m. Grading. Class Participation: 20%

2 Class Presentation: 30% Exam: 50% Course Syllabus and Reading Assignments. 1. January 14, 2015: Course Overview and Cyber Threats (Prof. Bailey and Prof. Raleigh) Steven G. Bradbury, The Developing Legal Framework for Defensive and Offensive Cyber Operations, 2 Harv. Nat'l Sec. J. 591 (2011), available at developing- legal- framework- for- defensive- and- offensive- cyber- operations/ Gregory T. Nojeim, Cybersecurity: An Idea Whose Time Has Not Come And Shouldn t, 8 I/S: J. L. & Pol'y for Info. Soc'y 413 (Fall 2012), available at Amanda Vicinanzo, U.S. Cybersecurity Practices Fail to Keep Pace with Cyber Adversaries, available at news/single- article/us- cybersecurity- practices- fail- to- keep- pace- with- cyber- adversaries/170a083812f4f52eb d8739a0.html a. What is cybersecurity? b. Who are the stakeholders? c. Who conducts cybersecurity activities and uses cybersecurity authorities? d. What are the cyber threats that pose the greatest risk to information systems? 2. January 21, 2015: Internet Technology and Its Impact on Legal Frameworks (Prof. Bailey) Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Lawrence G. Roberts, Stephen S. Wolff, The Past and Future of the Internet, available at ttp://groups.csail.mit.edu/ana/publications/pubpdfs/the%20past%20and%20future%20history%20of% 20the%20internet.pdf [Available on Courseware] Kyllo v. United States, 533 U.S. 27 (2001) [Excerpt on Courseware] United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2007) [Excerpt On Courseware] United States v. Knotts, 460 U.S.276 (1983) [Excerpt On Courseware] a. Why was the Internet created and what purposes was it intended to serve? b. How did this vision of the Internet influence its subsequent development and use? c. How have courts approached interpreting the law in cases in which technology is central to the disposition of the case? 3. January 28, 2015: Corporate Cybersecurity Risk Management Part 1 (Prof. Raleigh) Michael Riley, Ben Elgin, Duen Lawrence, and Carol Matlack, Missed Alarms and 40 Million Stolen Credit Cards: How Target Blew It, in Bloomberg Businessweek, available at 13/target- missed- alarms- in- epic- hack- of- credit- card- data

3 In re Target Corporation Customer Data Security Breach Litigation - Consumer Cases, available at McDonald Hopkins, Data Privacy Class Action Puts Bulls Eye On Target s Directors and Officers, available at privacy- class- action- puts- bulls- eye- on- targets- directors- and- officers Division of Corporation Finance, SEC, CF Disclosure Guidance: Topic No.2, Cybersecurity, October 13, 2011, available at topic2.htm Community Health Systems, Inc., SEC Form 8- K, available at a. Who manages cyber risk in an organization? b. How do we incentivize adoption of good cyber hygiene? c. Who should bear the cost of a breach? 4. February 4, 2015: Corporate Cybersecurity Risk Management Part 2 (Prof. Raleigh) Julie Brill, Comm r, FTC, On the Front Lines: the FTC s Role in Data Security (Sept. 17, 2014), available at FTC v. Wyndham Worldwide Corporation et al., Opinion Denying Motion to Dismiss, available at Federal Trade Commission, In the Matter of TRENDnet, Inc., complaint, available at and consent decree, available at Dissenting Statement of Comm r Michael O Rielly, FCC, TerraCom, Inc. and YourTel America, Inc., Apparent Liability for Forfeiture, File No.: EB- TCD , available at a5. a. What is FTC s authority to regulate data security? b. Are regulatory agencies required to provide notice through rule- making? 5. February 11, 2015: Legal Framework for Monitoring Electronic Communications (Prof. Bailey) Smith v. Maryland, 442 U.S. 735 (1979) [Excerpt on Courseware] California v. Riley, 134 S.Ct (2014) [Excerpt on Courseware] United States v. Cotterman, 709 F.3d 952 (9 th Cir. 2013) [Excerpt on Courseware] United States v. New York Telephone, 434 U.S. 159 (1977) 18 U.S.C and 2511 [Excerpt on Courseware] 18 U.S.C [Excerpt on Courseware] 18 U.S.C [Excerpt on Courseware] a. How does cybersecurity monitoring implicate the Fourth Amendment and electronic surveillance statutes? b. What different types of electronic communications do the Wiretap Act, Pen Register/Trap and Trace Statute, and Stored Communications Act regulate?

4 c. How are cybersecurity activities conducted without violating these constitutional and statutory provisions? 6. February 25, 2013: Computer Crimes (Prof. Bailey) 18 U.S.C [Excerpt on Courseware] Ciphertrust White Paper, What Hackers Know that You Don t, available at %20What%20 %20Hackers%20Know%20That%20You%20Do%20Not.pdf [Available on Courseware] United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) [Excerpt on Courseware] Orin Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. Law Rev (2010) available at content/uploads/2012/03/kerr MLR.pdf [Available on Courseware] Criminal Complaint in United States v. Auernheimer, available at Govt%20Criminal%20Complaint.pdf [Available on Courseware] a. How should a computer intrusion be defined by law? b. What should determine whether unauthorized access has occurred and how do they potentially affect cybersecurity activities conducted for non- malicious purposes (e.g., computer security research)? c. What challenges are raised in pursuing these offenses? 7. March 4, 2015: Cybersecurity Standards, Threat Information Sharing, and Law Enforcement Cooperation (Prof. Raleigh) Rosenzweig, Paul, Cybersecurity, the Public/Private 'Partnership,' and Public Goods (September 7, 2011), Hoover National Security and Law Task Force, 2011, pp 8-29, available at SSRN: Executive Order 13636, Improving Critical Infrastructure Cybersecurity, available at press- office/2013/02/12/executive- order- improving- critical- infrastructure- cybersecurity Executive Order [], Promoting Private Sector Cybersecurity Information Sharing, available at press- office/2015/02/13/executive- order- promoting- private- sector- cybersecurity- information- shari Department of Justice Response to CyberPoint International Request for Business Review Letter, available at w/ htm Skim: NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014, available at framework pdf Council of Europe Convention on Cybercrime, Chapter III- - International Co- operation, available at

5 a. What are the goals of information sharing? b. What legal and policy issues may impede information sharing? c. Should the government have a role in mandating that critical infrastructure entities maintain a certain standard of network defense? d. Should the government be expected to defend the private sector from network attacks perpetrated by nation states? e. How does the US share information with international partners, and what mechanism is there for cross- border investigative assistance? 8. March 18, 2015: Cybersecurity Incident Response (Prof. Bailey) Solar Sunrise Video [Available at Lysa Myers, Active Defense: Good Protection Doesn t Need to be Offensive, [Available at defense- good- protection- doesnt- need- to- be- offensive/] Stewart Baker, Steptoe and Johnson Blog, available at hackback- debate/ [Available on Courseware] Mark Young, U.S. Government Cybersecurity Relationships, 8 I/S: J. L. & Pol'y for Info. Soc'y 281 (Fall 2012) [Excerpt online available at a. Who in the government is in charge of cybersecurity? b. How are cyber incidents handled by the private sector and the government? What factors determine how a cyber incident is handled? c. Can a victim hack back to secure its stolen data? 9. March 25, 2015: Table Top Exercise (Prof. Bailey and Prof. Raleigh) Exercise Scenario to be provided to students. 10. April 1, 2015: International Law and Nation State Conduct in Cyberspace (Prof. Raleigh) Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 HARV. INT L L.J. ONLINE 13 (2012), available at articles- online 54 schmitt/ Eichensehr, Kristen, The Cyber- Law of Nations (January 8, 2014). 103 Geo. L.J. 317 (2015), available at SSRN: Review: Section III, Offensive Cyber Operations in Steven G. Bradbury, The Developing Legal Framework for Defensive and Offensive Cyber Operations, 2 Harv. Nat'l Sec. J. 591 (2011), available at developing- legal- framework- for- defensive- and- offensive- cyber- operations/ a. Do the laws of war provide an adequate framework for nation state activity on the Internet? b. What constitutes a use of force in cyberspace? c. When does a cyber attack amount to an armed attack?

6 d. How does uncertain attribution impact a state s response to a cyber attack? e. What non- military action might the US Government take in response to a network attack by a nation state? f. How is the Internet governed? 11. April 8, 2015: The Future of Cybersecurity and STUDENT PRESENTATIONS (Prof. Bailey and Prof. Raleigh) Paul Rosensweig, The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence, available at sites.nationalacademies.org/cs/groups/cstbsite/documents/webpage/cstb_ pdf [Available on Courseware]. Vivek Wadhwa, Laws and Ethics Can't Keep Pace with Technology, MIT Technology Review (2014) available at and- ethics- cant- keep- pace- with- technology/ 12. April 15, 2015: STUDENT PRESENTATIONS (Prof. Bailey and Prof. Raleigh) 13. April 22, 2013: Course Wrap- Up (review, Q&A, exam overview, class evaluations) (Prof. Bailey and Prof. Raleigh)