Category Archives: Cybersecurity

“I have found Vol. 4:1 of the Journal of National Security Law & Policy, the Cybersecurity Symposium, to be an invaluable resource. I use many of these articles in my research and clinic preparation, and am glad to have a bound, hard copy that I can grab from my shelf and mark up as I like.” -Eric J. Lobsinger, Teaching Fellow, Georgetown University Law Center

History Repeats Itself: The 60-Day Cyberspace Policy Review in Context

On February 9, 2009, President Obama gave his National Security and Homeland Security Advisors 60 days to conduct a Cyberspace Policy Review.1 The stated purpose of this “60-Day Review” was to provide a comprehensive assessment of U.S. policies for cybersecurity.2 According to a White House press release, the review would “develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.”3

The 60-Day Review was an ambitious project and, in the end, took more than 60 days to complete.4 When the final report was issued on May 29, 2009, it offered a careful assessment of the current situation and a broad vision of what the United States must accomplish to secure our digital future. This vision, however, was not fundamentally different from previous iterations of cybersecurity strategy that the U.S. government has issued over the past 12 years.

The 60-Day Review undoubtedly represents a critical step toward addressing the many challenges the United States faces in working to secure its public and private information systems. However, it is important to place this document in proper context and understand what it accomplishes and what business it leaves unfinished. Before much progress can be made in improving cybersecurity, there are some tough policy decisions that have to be made.

The 60-Day Review does not take on many of those decisions. Rather, it provides an accurate and troubling picture of what the country is up against. It offers a glimpse of the daunting but important tasks of trying to harmonize the cybersecurity programs within government, establishing an effective partnership with the private sector, and developing strong relationships with other nations to combat cyber crime. It recommends…


Offensive Cyber Operations and the Use of Force

Hostile actions against a computer system or network can take two forms.1 One form – a cyber attack – is destructive in nature. An example of such a hostile action is erasure by a computer virus resident on the hard disk of any infected computer. In this article, “cyber attack” refers to the use of deliberate actions and operations – perhaps over an extended period of time – to alter, disrupt, deceive, degrade, or destroy adversary computer systems or networks or the information and (or) programs resident in or transiting these systems or networks.2 Such effects on adversary systems and networks may also have indirect effects on entities coupled to or reliant on them. A cyber attack seeks to cause the adversary’s computer systems and networks to be unavailable or untrustworthy and therefore less useful to the adversary.

The second form – cyberexploitation – is nondestructive. An example is a computer virus that searches the hard disk of any infected computer and emails to the hostile party all files containing a credit card number. “Cyberexploitation” refers to the use of actions and operations – perhaps over an extended period of time – to obtain information that would otherwise be kept confidential and is resident on or transiting through an adversary’s computer systems or networks. Cyberexploitations are usually clandestine and conducted with the smallest possible intervention that still allows extraction of the information sought.3 They do not seek to disturb…

Cyber Threats and the Law of War

When I was invited to participate in a forum dealing with “National Security Threats in Cyberspace,” sponsored by the American Bar Association Standing Committee on Law and National Security and the National Strategy Forum, my assigned role was to provide a “succinct and brief” explanation of how the existing Law of War (LOW) might be applied to cyber threats. The Journal of National Security Law & Policy later requested that I reduce my comments to writing. No doubt this generous request was made due to the brevity of my analysis, rather than to my intellectual prowess. Others have dealt with this subject in a far more detailed and sophisticated fashion …


Will There Be Cybersecurity Legislation?

In the course of just a few decades, information technology has become an essential component of American life, playing a critical role in nearly every sector of the economy. Consequently, government policy affecting information technology currently emanates from multiple agencies under multiple authorities – often with little or no coordination. The White House’s Cyberspace Policy Review (the Review) wisely recognized that the first priority in improving cybersecurity is to establish a single point of leadership within the federal government and called for the support of Congress in pursuit of this agenda.

Congressional involvement in some form is inevitable, but there is considerable uncertainty as to what Congress needs to do and whether it is capable of taking action once it decides to do so. With an agenda already strained to near the breaking point by legislation to address health care reform, climate change, energy, and financial regulatory reform – as well as the annual appropriations bills – the capacity of Congress to act will depend, in some part, on the necessity of action. For the last eight years, homeland security has dominated the congressional agenda. With the memory of the terrorist attacks of September 11 becoming ever more distant, there may be little appetite for taking on yet another major piece of complex and costly homeland security legislation.

Part I of this article considers the question of necessity. The Homeland Security Act,2 the Federal Information Security Management Act,3 the Communications Act,4 and any number of other statutes provide substantial authorities over federal and nonfederal information infrastructure.5

Cybersecurity and Freedom on the Internet

Cybersecurity has become a national imperative and a government priority. Increased cybersecurity will help protect consumers and businesses, ensure the availability of critical infrastructures on which our economy depends, and strengthen national security. However, cybersecurity efforts must be carefully tailored in order to preserve privacy, liberty, innovation, and the open nature of the Internet.2 To design an effective and balanced cybersecurity strategy, each part of the country’s critical infrastructure3 must be considered separately. Solutions that may be appropriate for the power grid or financial networks may not be suitable for securing the public portions of the Internet that constitute the very architecture for free speech essential to our democracy. Policy toward government systems can be much more prescriptive than policy toward private systems. The characteristics that have made the Internet such a success – its openness, its decentralized and user-controlled nature, and its support for innovation and free expression – may be put at risk if heavy-handed policies are enacted…