Category Archives: Cybersecurity

“I have found Vol. 4:1 of the Journal of National Security Law & Policy, the Cybersecurity Symposium, to be an invaluable resource. I use many of these articles in my research and clinic preparation, and am glad to have a bound, hard copy that I can grab from my shelf and mark up as I like.” -Eric J. Lobsinger, Teaching Fellow, Georgetown University Law Center

Full Count?: Crime Rate Swings, Cybercrime Misses and Why We Don’t Really Know the Score

The exponential growth of cybercrime continues to wreak havoc on governments, businesses, and individuals, although there has been progress in combating these crimes, which has even led to near-ubiquitous recognition of the cybercrime problem.

Eileen Decker directs the reader's attention to the lack of understanding of these disastrous crimes, which she traces to a lack of collection and analysis of accurate and comprehensive data on the subject.

This article analyzes the current cybercrime data collection programs, calling attention to their successes while highlighting their critical weaknesses, gaps, and downfalls. The author then turns to the importance of cybercrime data collection, contrasting the impact of large-scale data collection with the detrimental effects of insufficient data collection.

In an imperative call to action, Decker recommends an expansive modernization of cybercrime data collection that focuses on efficiency and accuracy.

Advancing Accurate & Objective Cybercrime Metrics

Cybercrime has increased dramatically in this century. Although there is broad academic consensus that a dearth of official data on crimes committed in cyberspace hampers cybercrime enforcement efforts, even the most affluent nations have not yet managed to systematically catalogue cybercrime statistics.

Through a detailed analysis of efforts to keep track of this ever-evolving area of the law, Stephen Cobb outlines a future strategy that builds on the existing machinery of crime measurement and applies it at the national, regional, and international level.

At a time when cyberthreats are escalating, Cobb sheds light on historical and contemporary examples of successful monitoring efforts to show that committing to closing the cybercrime metrics gap is critical to crime deterrence efforts everywhere.

Defining the Scope of “Possession, Custody, or Control” for Privacy Issues and the CLOUD Act

With a growing number of US companies storing their electronic data across country lines, US law enforcement agencies are left with the difficult task of trying to access electronic evidence stored outside of their physical jurisdictions.

In response, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in 2018 to provide the US government with the power to order the production of electronic evidence that is stored outside of the US if it is within a US company’s “possession, custody, or control.”

However, the CLOUD Act does not define what constitutes the “possession, custody, or control” of electronic evidence, raising concerns about the scope of US authority under the Act. Through their examination of existing domestic and international jurisprudence interpreting these terms in other legal contexts, Hemmings, Srinivasan, and Swire outline the key factors courts should balance in analyzing this pivotal phrase.

Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity

Malicious cyber activities by foreign states present major challenges to the US government. Foreign governments steal intellectual property, attack election systems, wage influence campaigns, and cripple American companies. One tool brought to bear most recently against these state actors is the criminal indictment.

This article reviews the use of criminal charges as a response to nation-state hacking and proposes a conceptual framework for understanding the utility of those charges as a tool to effectively combat malicious cyber activity.

Finally, the article applies this framework to case studies involving China, Russia, Iran, Syria, and North Korea and evaluates the use of criminal charges as a component of broader U.S. cyber policy.

Personal Information as an Attack Vector: Why Privacy Should Be an Operational Dimension of US National Security

The US government has always been keen to protect sensitive and classified information from its enemies, yet the majority of resources have focused on military and national security information, which has left other categories of information exposed.

Capt. Christopher Dearing focuses the reader on the national security implications of personal information and the detrimental impact it can have. This article provides an analysis of current privacy law and the information landscape, while highlighting areas where the US government has failed to keep pace in protecting personal information, leaving a valuable target for adversaries.

In an expansive call for action, Capt. Dearing recommends eight concrete steps that the government can take to better protect and manage personal information while developing stronger procedures to identify threats and respond to them.