
CYBERSECURITY OUTLINE

PROFESSOR EICHENSEHR
SPRING 2015
Print: CFAA, Budapest Convention, EEA, Geneva Convention, Cal. Data Breach Law, SEC
Disclosure Guidelines
1. INTRO
a. Sony Hack
i. Timeline
1. June
a. North Korea makes negative comments about the Interview
2. November
a. Discovery of Sony hack (Nov. 24, 2014)
i. Sony realized that its systems had experienced a
breach
ii. A message regarding Sony's CEO was displayed on
every internal computer
b. Contacted law enforcement within a few days of the
discovery of the initial breach
c. First data dump (Nov. 27, 2014)
i. Stolen movies (Annie, James Bond, etc)
3. December
a. Threatening email sent to all of Sony's employees (Dec. 05,
2014)
b. The Interview is referred to in the hackers' communications
(Dec. 08, 2014)
c. Warnings sent out to media outlets by Sony in regards to
the information dumps (Dec. 14, 2014)
i. Hired lawyer David Boies to handle the media
outlets
d. Threats are communicated to theaters against showing the
Interview (Dec. 16, 2014)
e. Major cinemas begin dropping the Interview (Dec. 17,
2014)
i. CEO Michael Lynton states that Sony has no
further release plans for the movie
f. Identification of North Korea as the perpetrator by the FBI,
statement issued (Dec. 19, 2014)
i. Obama reprimands Sony for pulling the movie
1. Restriction on American freedom of speech
2. Promises proportional response on the part of
the US
ii. Secretary of State Kerry condemns North Korea for
the cyberattack and states that it violated
international norms
iii. First time the US has called out a foreign country for
a cyberattack
g. Obama makes statements on CNN, calling it an act of
cybervandalism (Dec. 21, 2014)
i. Contrast with John McCain calling it cyberwarfare

h. North Koreas internet goes down (Dec. 22, 2014)
i. The Interview is released (Dec. 24, 2014)
j. Email releases and other data releases occur throughout
December
i. Current and former employees' personal information
1. Social security numbers, etc.
ii. Passwords and other company information
iii. Contracts with third parties and vendors
1. Internal contracts
2. Fee arrangements
4. January
a. Obama issues executive order against North Korea (Jan. 02,
2015)
i. Economic sanctions against North Korea
1. Specific entities and individuals
2. Authorizes the US Treasury department to do
so
ii. Makes statement that this is the US's first response
to the Sony attack
1. Denies any connection with the earlier North Korean
internet outage
ii. Issues
1. Sony
a. Labor issues
i. Current and former employees' information being
released
1. Stolen personally identifiable information (PII)
a. Social security numbers
b. Medical records
b. Security issues
i. Past incidents of hacking
ii. Known weaknesses in their security systems
iii. Negligence in protecting their systems
c. Notice
i. Did the attackers' earlier warning email constitute
sufficient notice?
d. Intellectual property
i. Stolen intellectual property and its distribution
1. Movies
2. Contracts
3. Business plans
4. Scripts
5. Production plans and drafts
e. Notification
i. Failure to notify employees of the breach in a timely
manner
1. Federal: SEC disclosure guidance for publicly-traded
companies
a. Duty to shareholders
2. State: Data breach notification laws
f. Contractual issues
i. Whether theaters pulling the film constitutes a breach of
contract
g. Injunctive issues
i. Whether Sony can legally enjoin media outlets from
publishing the stolen information
2. Government
a. Whether any international laws have been broken
b. Proportionality of response
c. Whether criminal laws have been violated and, if so, what
laws?
d. Sony's counterattack measures
i. DDoS attacks against websites hosting the stolen IP
ii. Recovery and preparation for any future attacks
e. Do the government sanctions comply with international law
f. Freedom of expression
i. Chilling effect on freedom of speech, future movies,
actions of media outlets
2. WHAT IS CYBERSECURITY?
a. Cybersecurity threats
i. Framework
1. CIA triad
a. Confidentiality
i. Keeping information secure and secret
b. Integrity
i. System and data not being improperly altered
ii. Issue of accuracy
c. Availability
i. Being able to use the system as anticipated
ii. Having data being accessible when needed
2. Resilience
a. The ability to withstand and endure security threats instead
of allowing systems to critically fail
i. Keeping systems running even when they are
compromised
ii. Speed of system restoration
b. Considered a backstop for the 3 CIA factors
c. Elements that aid in increases of resilience:
i. Back-ups
ii. Extra network capacity (to absorb DDoS attacks)
iii. Stronger data encryption
ii. Difference between threats and vulnerabilities
1. Vulnerability
a. A vulnerability becomes a threat once a bad actor is
positioned to exploit it
b. Vulnerabilities have no consequences as of yet, but have
the potential to leave the system open to future harms
c. Examples:
i. Weak authentication
1. Poor training
2. Poor password use
ii. New technologies with undiscovered loopholes
1. BMW issue

iii. Bad code with loopholes
iv. Out-of-date antivirus software
v. Careless insiders
2. Threats
a. Threats occur where a bad actor takes action to endanger
the system
i. Cybersecurity threats definitional issues:
1. Inexactness
2. Newness of the issue
3. Dependent on the approaches of each
government and country
a. Different tools and different concerns
b. Variety of state concerns:
i. US: Defense and offense
ii. EU: Civilian and military
iii. Austria: Protection of key legal
assets; natural dangers included
iv. Israel: Flexibility
v. Estonia: Personal responsibility
vi. Hungary: Education and awareness-raising,
inclusion of policy and techniques
vii. Proactive and reactive
viii. New Zealand: Element of detection,
acknowledging the fallibility of the
internet, points out resilience issues
ix. Turkey: Putting systems back into
the state prior to the cybersecurity
incident, mentions countermeasures
x. Public responsibility and
governmental responsibility
4. Difference between macro and micro
cybersecurity
5. No authoritative document on the subject
a. No negotiated definition between
governments
b. Examples:
i. Malicious insiders
1. Looking to steal information, trade secrets, etc,
from employers
2. Have access to passwords and privileged
information
ii. Malware
1. Ransomware
a. Data is encrypted to lock out users and
money must be paid in order to regain
access
i. Implicates confidentiality, integrity
and availability
b. EX: CryptoLocker
iii. Phishing
iv. Viruses
v. DDoS attacks
vi. Hackers and other cybercriminals
vii. Advanced persistent threats
1. Label for well-resourced, typically state-sponsored
actors that maintain long-term access to targets
for hacking or spying
2. EX: China
c. Why threats exist
i. Why is the internet so vulnerable?
1. The architecture of the internet
a. Lack of transparency
b. Anonymity
c. Decentralization
i. Difficult, expensive and maybe impossible to
change the fundamental structure of the
internet
ii. Anonymity is important to protect
freedom of expression
ii. Exponential innovation
1. More points of access; new configurations may
result in unprecedented access
2. Pressure for innovation results in a push for
quick-release products that are less thoroughly
researched and secured
a. Change might slow innovation, disadvantage
small start-ups and negatively affect the
economy
iii. Widespread integration into economy and society
1. More devices with access
2. Critical infrastructure is operated through the
internet
iii. General issues
1. Cyber as an offensive-dominated environment
a. Easier and cheaper to attack (find a weakness in the
system) than to defend
i. Fueled by the anonymity structure
1. You don't know where the attack is coming
from or when, leaving less time and less
knowledge with which to formulate a defense
2. Low barrier to entry
a. Tools and information for cyberattacks are widely available
on the internet
i. Black market for cybercrime tools allows experts to
pass on tools and information to those with intent
iv. Perpetrators of cyberthreats

1. Criminal hackers
a. Financially-motivated criminal gangs
2. Hacktivism
3. Espionage attacks
a. Trade secret theft
b. Spying
v. Cases
1. Wall Street spear-phishing incident
a. Facts
i. Use of Wall Street lingo to conduct hack
ii. Malware was contained in emails that were sent to
executives, which contained sophisticated Wall Street
language
b. Combination of hacking and social engineering
c. Getting confidential information about particular industries
i. Focus on pharmaceuticals and healthcare
d. Tailored to the recipient
i. Looks like something you would receive from
someone that you are actively in contact with
ii. Requires more work on the part of the hackers
2. Zeus BotNet takedown
a. Facts
i. Mass takeover of users' computers, which were then
used collectively to swarm other websites
1. Malware allowed the bot-herders to direct the
networks of compromised computers to do
certain tasks
a. Some were aimed at DDoS attacks
b. Some aimed at stealing credentials
ii. Stole banking credentials and initiated wire transfers
overseas of over $100 million
iii. The botnet was also used to distribute CryptoLocker
3. Estonia cyber-riot
a. Facts
i. Relocation of a Soviet-era war memorial statue resulted
in DDoS attacks from Russia directed at Estonia's
government websites, with some sites defaced with
Russian propaganda
ii. Suspected to be orchestrated by the Russian
government
1. Attack instructions were posted on Russian-language
websites, which allowed private citizens to
participate as well
4. Iranian hack of US banks
a. Facts
i. Banks were bombarded with DDoS attacks that knocked
their websites offline
b. Thought to be too sophisticated to be the work of amateur
hackers; attributed to Iran
i. Takes a lot of bandwidth to direct that much traffic at
the banks

5. Associated Press (AP) Twitter hack
a. Facts
i. Briefly wiped about $136 billion off the stock market
ii. One in a series of compromises of media
organizations' accounts and websites
1. Tweet from AP's account said that there had been
explosions at the White House and Obama was injured
a. Caused the market to dive for about 3 minutes
iii. Used a phishing email directed at AP staff members
that asked them to click a particular link
6. Flame virus
a. Facts
i. US and Israel reportedly developed the Flame virus in
order to spy on Iranian oil companies
1. The virus collected information and sent a
steady stream of it back to its operators to
allow them to prepare more targeted
attacks
a. Activation of microphones and cameras
to allow for remote spying
b. Could receive commands through
Bluetooth
2. Spread by impersonating Windows Update, using a
forged Microsoft code-signing certificate
ii. Claims that the virus's DNA was similar to Stuxnet: it
shared programming techniques and overlapping code
iii. Flame was the precursor to Stuxnet
iv. The level of malware sophistication indicates state
involvement
7. Stuxnet
a. Facts
i. The worm gained control of the centrifuges at an Iranian
nuclear enrichment facility (Natanz) and altered their
rotor speeds, thereby destroying them, while
simultaneously feeding the operators' monitoring
systems readings that everything was fine
ii. Iranians attributed the failures to human error for a period
8. Cyberattack on a Saudi Arabian firm
a. Facts
i. Perpetrator launched the attack on a day when
55,000 of the employees were away for a
religious holiday
ii. Erased data on three-quarters of the corporate PCs and
replaced it with a picture of a burning American flag
b. US sees it as Iran firing back for Stuxnet
9. NSA infiltration of Yahoo and Google clouds
a. Facts
i. Tapped the links between the companies' data centers,
targeting their internal clouds to gather private
information
1. Data travelling between data centers was
unencrypted
a. Has led to the companies encrypting
everything, including inter-data-center links
ii. Came out as part of the Snowden leaks
10. Protestors in Hong Kong
a. Facts
i. A WhatsApp message invited people to join a protest
group; the link installed spyware that gave the Chinese
government access to their phones and locations
b. Attributed to the Chinese government as this is a tactic
that has been used before
vi. Documents detailing cybersecurity threats
1. IP Commission Report
a. Puts the majority of the blame for IP theft on China
(50%-80%), followed by India and Russia
b. Annual losses are comparable to current US exports to
Asia, around $300 billion
c. Considers IP theft as the greatest transfer of wealth in
human history
d. Recommendations
i. Increasing the granting of visas, green cards and
related immigration documents to IP and tech
workers
ii. Increase the Department of Justice and the FBIs
ability to combat the theft
iii. Create a private right of action under the Economic
Espionage Act
1. So that DOJ prosecution is no longer the sole
enforcement route
iv. Confiscation of goods that use stolen IP
v. Deny foreign companies who have stolen American
IP use of American banking system
vi. General change of the cost-benefit calculus for
entities benefiting from stolen IP
vii. Would not allow US companies to be bought by
companies that did not have strong IP protection
1. However, range of diplomatic and investment
consequences
viii. Companies that experience cybertheft should be
allowed to retrieve their information, if doing so does not
damage the intruder's network
1. Endorses a limited form of hacking back
2. Mandiant report, APT1
a. Mandiant is a forensic security firm
i. Made their name doing investigations of
compromised companies
b. Report named the Chinese group APT1 (Advanced Persistent
Threat 1) and attributed it to the Chinese government
i. Triggered a chain of organizations naming China in
cybersecurity issues
ii. Attribution of the acts to government-sponsored actors in
China: PLA Unit 61398
1. Tracing of attack IP addresses to Shanghai
2. Evidence of a particular building with the
network resources to support the activity
3. The unit recruits personnel with the necessary IT
backgrounds
a. Required that they be able to speak
English
4. Attackers' systems were configured with a Simplified
Chinese keyboard layout and language setting
iii. Targeted industries matched those in China's 5-year plan
1. Satellites and telecom
2. Mining
3. Engineering
4. Aerospace
5. Government
iv. Average length of time the attackers remained in a
victim's network was about a year, the longest being
4 years and 10 months
1. Lack of detection is a big issue
2. Computers compromised through spearphishing
3. CONCEPTUAL CYBERSPACE ARTICLES
a. A Declaration of the Independence of Cyberspace; Barlow
i. In response to the Communications Decency Act, which applied
indecency regulations of the kind used for radio and television
to the internet
1. Struck down by the Supreme Court a year later (Reno v. ACLU)
a. Impermissibly vague, did not define indecency, violated
the First Amendment
ii. Views the internet as a new space, requiring a new layer of consent
iii. No physical coercion is applicable in the cyber world
b. Law and Borders the Rise of Law in Cyberspace; Johnson, Post
i. Asserts that governments should not and cannot regulate the internet
1. Arguments:
a. Absence of territorial borders in cyberspace
b. Difficulty in tracking users locations
c. Effects of online activities are not necessarily tied to one
location, easily crosses borders
d. Enforcement almost impossible
e. Enforcement may be illegitimate
i. Power of the government is derived from the will of
the people
1. View that users need to consent to be
governed (again)
2. View that governments cannot effectively
regulate because they do not understand the
cyber community
f. If all governments regulated, there would be conflicting
regulations and overlapping jurisdictions
i. No notice of what the law is
ii. Conflict of laws might result in users complying with
the strictest regulations resulting in a race to the
bottom

c. The Internet and the Abiding Significance of Territorial Sovereignty;
Goldsmith
i. Argument
1. Internet governance is not inherently different
a. Extraterritorial effects are common in the real world
2. Separate internet sovereignty would overlap with state
regulatory measures
3. Many nations have common regulatory interests
4. Problem of not being on notice as to what law applies is
exaggerated
a. Content providers can give notice
5. Does not believe that consent is as big an issue as Johnson and
Post.
a. You have consented to your territorial government, you do
not need to consent again
i. Part and parcel to existing governments
6. The more integrated we are with the internet, the more territorial
laws will have hold over the internet, in turn
7. Enforcement
a. Physical coercion can still occur in cyberspace because
actors exist outside of the internet and the government
can still act on the assets and persons of that actor
8. Regulatory leakage issue exaggerated
a. EX: Companies incorporate in other states to get around
enforcement
i. Not a purely cyber issue
ii. Does not need to be perfect in order to be effective
9. International harmonization would be difficult
a. States views represent a spectrum
b. Influenced by businesses as trade agreements and
business interests may create a trend towards
harmonization
10. Governments do not own the underlying infrastructure of
the internet, so it is difficult for states to directly regulate it
d. Code 2.0; Lessig
i. Idea that code is law
1. Code as a regulator, as how it functions and is designed is the
ultimate restrictor of behavior
a. The people who created the internet are the regulators and
these people are non-governmental actors
b. Sets the terms in which the internet functions
ii. Argument
1. Liberty in cyberspace will not come from the absence of the state
a. Rejects Johnson and Posts anarchist views
b. Governments are acting to benefit the public good and are
held accountable to such
i. Whereas coders are motivated by the economy and
could quietly change things without anyone noticing
4. STRUCTURE OF CYBERSPACE
a. Net neutrality
i. All internet traffic is treated the same (no blocking, throttling
or paid prioritization)
ii. FCC has voted to adopt rules (Feb. 2015 Open Internet Order)
that prohibit throttling
1. Reclassified broadband as a telecommunications service
under Title II, i.e. as a public utility
b. Structure
i. Internet Corporation for Assigned Names and Numbers (ICANN)
1. US is relinquishing control of ICANN to other multi-stakeholder
processes
a. Due to increasing criticism about the USs dominant role in
internet infrastructure
b. Congress prohibited the Department of Commerce from
appropriating funds for the transfer, but did not prohibit
the transfer itself
i. Does not need funds to transition ICANN, transfer of
authority will automatically occur when the contract
runs out in Sept., 2015
ii. Internet Engineering Taskforce (IETF)
1. Multi-stakeholder group
2. Develops the technical protocols that run the internet
a. Developed IPv4: 32-bit addresses, about 4.3 billion in total,
which are running out
b. Developed IPv6: 128-bit addresses, about 3.4 x 10^38 in total
iii. Internet Society
1. Open-forum that anyone can join, including individuals and
organizations for a fee
2. Advocates for an open internet
3. Operates on a multi-stakeholder, rough-consensus model (the
IETF, which it houses, famously gauges consensus by humming)
iv. International Telecommunications Union (ITU)
1. Started in order to regulate telegraphic exchanges between
countries
2. Debate at World Conference on International Telecommunications
(WCIT) 2012 on whether to include the internet as one of the
forms of communication that they can regulate
a. Pushed by Russia, adopted by some, but not others
i. Normally operates by consensus rule, but this
conference broke tradition and had a formal majority
vote
ii. Big player countries walked out
b. Internet issue was talked about in a side resolution, not in
the binding part of the treaty itself
c. Language of the resolution stated that all governments
play an equal role
i. Imposition of a multi-lateral instead of the original
multi-stakeholder model
ii. Equal role language is a slam on the US
3. Is a UN body, and giving the ITU the ability to regulate the
internet would mean that each UN state gets one vote, and
would cement the multi-lateral model transition
c. Multi-stakeholder model
i. PROS
1. Run by private industry and not by state governments or
organizations
2. Current stakeholders are more competent and well-versed in
the subject than governments
3. More legitimate than one state government acting for
everyone
4. Takes into account the views of more states
5. Chance of one particular government's interest being overly
represented is smaller
6. So far has been effective in governing the internet
7. No real feasible alternatives
ii. CONS
1. Too many people are involved; easy to make backdoors
2. Not enough order
3. Ineffective enforcement
4. Driven by technology companies which are largely
headquartered in the US
5. Common citizens do not have the resources or technical
know-how to voice an opinion
6. Western-dominated
7. Skews everything in a profit-driven, self-interested way;
private industry agenda needs to be taken into account

d. Views
i. International Strategy for Cyberspace (US AND EU VIEW)
1. Promotes:
a. Multi-stakeholder governance
i. US can promote this because it decreases worldwide
governmental control, while at the same time the US
has other levers of control through which it can exert
its power and therefore does not need to make it
explicit
b. Freedom of expression
c. Privacy
d. Establishing international norms
i. Safety, stability
e. Interoperability
i. One internet for the whole world, not multiple
national internets
ii. Anti-fragmentation
ii. International Code of Conduct (CHINESE AND RUSSIAN VIEW)
1. Promotes:
a. Multi-lateral governance
b. Pro-fragmentation of the internet
c. State sovereignty in the internet sphere
d. Content control
e. State acts as primary figure in information selection
f. Prohibition on proliferation of hostile activities
g. Establishing alternative norms
i. Respecting cultural differences
ii. Freedom of expression, etc, are not international
norms
5. DISCLOSURE AND TRANSPARENCY IN THE CYBER SPHERE
a. SEC disclosures
i. For public companies, SEC staff guidance (2011 CF Disclosure
Guidance: Topic No. 2) calls for disclosure of cybersecurity risks
and incidents; the guidance is interpretive, not a binding rule
1. Requires disclosure where triggered by a material risk
a. Information is material if there is a substantial
likelihood that a reasonable investor would consider it
important in making an investment decision
ii. Attacks covered by the disclosure guidance
1. Not just data breaches that expose data
a. DDoS attacks
b. Insider attacks
c. Third-party attacks
d. IP theft
2. Any kind of cybersecurity risk as long as it meets the materiality
threshold
iii. Level of detail
1. Vague standard: not so generic that it fails to provide useful
information, but not so specific that it discloses or creates
future risks (too much specificity might give other hackers a
road map)
iv. Benefits of public disclosure requirements (Singer, Friedman)
1. Puts similar companies on notice as to how they might be
attacked or that they might be attacked
2. Holds companies more accountable
a. Companies have the choice of upping their security or
waiting for an attack to occur and subsequently disclosing
it
3. Transparency helps shareholders make decisions
4. Creates competition and a market for security
5. Increases board attention on the issue
6. Helps in risk assessment
a. Ability to value the breach in a monetary manner
b. Company considerations
i. Associated costs upon breach
1. Remediation costs
a. Cost of notification in the case of a data breach
2. Litigation costs
3. Increased security costs, post-attack
a. Trainings
b. Upgrading of systems
c. Employment of third-party protections
4. Reputational costs
a. Loss of confidence by the public
b. Company security
c. Loss of customers
d. Content disclosure
e. Damaged relationships
5. Incentive payments to retain customers after they have been
damaged by a cyber attack
6. Trademarks and trade secrets
a. Lost revenue from stolen IP
7. Cost of countermeasures
8. Costs of preventative measures
ii. Risks
1. Are you a target?
2. Frequency of attacks in your industry?
3. Threatened attacks?
4. Prior attacks?
5. Financial stability after breach?

6. Litigation due to breach?
c. Examples of data breaches
i. RSA (Enter the Cyber Dragon)
1. Facts
a. Company makes security tokens and prides itself on one-time
passwords
i. Created the SecurID two-factor authentication tokens
b. Chinese hackers stole information related to the SecurID
system (reportedly the token seed records)
i. Defense contractors were the ones using the
products, so very alarming
c. Unclear how long the hackers were in the system
d. Replacement of the SecurID tokens in June; the attack
occurred in March (2011)
i. RSA's parent, EMC, filed an 8-K making the disclosure
public the day RSA announced the attack
1. Did not state what information was taken, did
not tell customers what they should do or what
remedies they could pursue
d. Data breach notifications
i. Data breach laws designed to protect individuals and customers
1. Goal of disclosure is to tell customers to take protective steps,
not to warn other companies
2. Provides different protections than SEC, including credit
protection, customer awareness
3. Very expensive to send notices
a. Creates litigation costs
b. Large costs, however, increase board awareness of the
issue
ii. Complicated data breach notification compliance
1. data breach laws of each state
a. Method of notification
i. Email
ii. Phone
iii. Mail
iv. Substitute notice
1. Printing something in the media
2. Posting on the companys website
v. Or however the customer has previously consented to
being contacted by the company
b. Trigger for substitute notice
c. What constitutes personal information
i. Name
ii. Social security number
iii. Drivers license
iv. Medical information
v. Health insurance information
vi. DNA
vii. Fingerprinting
d. What amount of time in which to send out notice
i. All states allow some delay for working with law
enforcement, incentivizes companies to do so
e. Notification triggers
i. CA: Strict liability if breach, no requirement of
subsequent risk of harm
ii. Other states take into account risk of harm
1. Whether the unauthorized access will result in
misuse
iii. Companies may seek an initial waiver from customers at the beginning
of the consumer relationship
1. However, some states have found this to be against public policy
iv. Some states allow a private right of action for consumers (class actions)
v. Compliance more difficult for small companies
vi. Data breach notification laws
1. Cal. Civ. Code 1798.82
a. General
i. First data breach law passed in the country
ii. Applies to businesses that own or license computerized
personal information of California residents
b. Trigger: what causes a requirement to notify?
i. That the information was, or is reasonably believed
to be, acquired by an unauthorized person
1. Strict liability, no requirement of harm
c. Timing
i. Most expedient time possible without unreasonable
delay
1. Reasonableness as a standard, not a rule
2. Acceptable delay:
a. Involvement of law enforcement
b. If disclosure would impede a case
c. Measures necessary to restore the
system
d. No notice exemptions are allowed
i. No waiver provision
1. Customers cannot sign anything that will waive
their right to notification
e. Private right of action
f. Specific permissible methods of notification
i. Written notice
ii. Electronic notice
1. If the breach involves the credentials for the email
account itself, cannot notify through that email
iii. Substitute notice
1. Can be used where the number of people is
enormous, you cannot contact them or the cost
is prohibitively expensive
g. Content
i. Has to be in plain language
ii. If they are going to provide identity theft services,
cannot charge for it
h. Parties to notify
i. The people whose information has been compromised
ii. The State Attorney General
1. Triggered by number: more than 500 California residents
2. 3 purposes of data breach notification law
a. Politeness
i. You should know when something of yours is stolen
b. Provide statistics for security experts
c. Increase the costs to companies
i. Force them to take security seriously and increase
spending on it
3. Potential future movement to one unified federal data-breach law
4. Current, federal data breach statutes
a. HIPAA
i. Applies to healthcare covered entities and their business
associates (breach notification rule added by HITECH)
b. GLBA
i. Financial institutions must disclose breaches of
financial and banking information
vii. Examples of data breach notifications
1. Sony letter
2. Target letter
3. People of the State of California v. Kaiser Health Plan
a. Facts
i. A hard drive was sold at a thrift shop containing a
large amount of peoples personal information
ii. Kaiser learned of the drives whereabouts in Sept.,
2011, retrieved it in Dec., 2011 and did not begin
notifying people until Mar., 2012.
b. First suit brought for unreasonable delay
6. EXISTING CYBERSPACE LAWS
a. The CFAA was originally intended to cover only hacking and has been
stretched to cover things it was never meant to cover
i. Did not predict the expansion of the internet and its effects on the CFAA
ii. Consequently, a very harsh statute to use in relation to certain internet
cases
iii. Violation of terms and conditions (contract-based restrictions) is a
clashing point between circuits as to whether it is a viable theory
b. Has both civil and criminal sides, with civil definitions getting leaked into
criminal cases
c. Government is exempted from the CFAA in 1030(f)
d. CFAA 18 USC 1030(a)
i. Initially passed in 1984
1. Established crimes relating to the misuse of a computer to obtain
national security secrets or personal financial records or hacking
of US governmental computers
ii. Seven substantive offenses in (a)(1)-(a)(7), plus attempt and
conspiracy in (b):
1. (a)(1) Accessing a computer without authorization or exceeding
authorized access to obtain classified information with reason
to believe that such information is to be used to the injury of the
US.
a. "Without authorization" is not defined
b. "Exceeds authorized access" is defined as accessing a
computer with authorization and using such access to
obtain or alter information that the user is not entitled
to obtain or alter
2. (a)(2) Accessing a computer without authorization or exceeding
authorized access to obtain:
a. Governmental information
b. Financial information
c. Information from a protected computer
i. Most frequently charged category of CFAA crimes
3. (a)(3) Accessing any nonpublic computer of a department or
agency of the US intentionally and without authorization or
exceeding authorized access
a. Applies specifically to US government computers
b. Rarely used
4. (a)(4) Knowingly, with intent to defraud, accessing a protected
computer without authorization or exceeding authorized
access, and by means of such conduct furthers the intended
fraud and obtains anything of value, unless the object of the
fraud and the thing obtained consists only of the use of the
computer or the value of such use is not more than $5,000
5. (a)(5) Computer damage provisions:
a. (A) Knowingly causing the transmission of a program,
information, code or command, and thereby intentionally
causing damage without authorization (e.g. a virus or
malware that damages the receiving computer)
b. (B) Intentionally accessing a protected computer without
authorization and recklessly causing damage
c. (C) Intentionally accessing a protected computer without
authorization and causing damage and loss
i. Covers both unauthorized damage (A) and unauthorized
access that causes damage (B and C)
6. (a)(6) Knowingly, and with intent to defraud, traffic in any
password or similar information through which a computer may
be accessed without authorization if:
a. (A) Such trafficking affects interstate or foreign commerce,
or
b. (B) Such computer is used by or for the government
i. Prohibits trafficking in passwords
1. Misuse of passwords is not trafficking of
passwords
7. (a)(7) With intent to extort from any person any money or other
thing of value:
a. (A) Threatening to cause damage to a protected computer
b. (B) Threatening to obtain information from a protected
computer or impair the confidentiality of information
c. (C) Demanding or requesting money or other thing of value
in relation to damage to a protected computer where such
damage was caused to facilitate the extortion
8. (b) Whosoever conspires to commit such crimes or attempts to
commit such crimes
iii. Enforcement of CFAA

1. Action can be brought by:
a. Federal prosecutor
b. Private right of action (1030(g))
2. Definitions
a. Protected computer
i. Computer used in or affecting interstate commerce,
including computers located outside of the US
ii. Computer used exclusively by a financial institution
or by the US government
b. Exceeds authorized access
i. To access a computer without authorization and to
use such access to obtain or alter information in the
computer that the accessor is not entitled to so
obtain or alter
c. Authorization
i. Code-based
1. Password
a. Clearer showing of circumventing authorization
b. Usually conducted by outsiders
c. Violations more similar to traditional
hacking
ii. Contract-based
1. Terms of service
a. Based on a promise, not on incapacity
b. Usually conducted by insiders
c. More closely tracks exceeding authorized use
iv. Cases
1. UNITED STATES V. MORRIS
a. Facts
i. Defendant dared to test the limits of the internet
1. At this time, the university, government and
military institutions were linked together
ii. Released a worm to see how big the internet was,
but wound up causing a lot of damage
1. Booted worm into a MIT computer
2. Worm was programmed to guess passwords
b. Analysis
i. Charged with CFAA 1030 precursor: intentionally
accessing a federal computer without authorization
1. Defendant argues that he just exceeded
authorized use
ii. Court found that his conduct constituted unauthorized access, as he did not
use his access in a way related to the intended function of that access
2. INTERNATIONAL AIRPORT CENTERS V. CITRIN
a. 7th Circuit; Posner
b. Employee decided to quit and before he turned in his computer, he erased all
of the data on the computer
c. Taking actions adverse to your employer may mean that you no longer have
authorization
i. Employee authorization depends on your role as an
agent of the company
ii. When you breach the duty of loyalty, you lose all
authorization
d. Held that he had accessed the computer without
authorization
3. DEPARTMENT OF JUSTICE INDICTMENT OF CHINESE OFFICIALS
a. Facts
i. Chinese military officials charged with using spearphishing tactics to gain information about design
specifications for nuclear power, business plans and
as a general entry-point into various American
companies
b. Analysis
i. Charged with:
1. Unauthorized access
2. Conspiracy
3. Transmission that intentionally causes damage
4. Accessing a protected computer and taking
information
5. Economic espionage
6. Wire fraud (separate from CFAA violations)
4. UNITED STATES V. NOSAL
a. En banc, 9th Circuit; Kozinski
i. Criminal cybersecurity case
b. Facts
i. Convinced his ex-coworkers to take proprietary
information from his old firm and to help him use that
information to start a new firm
1. Recruited ex-coworkers to download company
contacts from a company-restricted database
c. Analysis
i. Charged with CFAA 1030(a)(4) aiding and abetting
ii. Court limited violations of restrictions on information
as code-based access, and not contract-based access
1. Exceeding authorized access is limited to
violations on access to information and not on
its use
2. Court favors narrow interpretation
a. Notice many individuals violating terms
of service may not realize that they are
committing a federal crime
b. Criminalizes a wide swathe of behavior
i. Makes everyone a criminal
c. Canons of interpretation
i. Should be up to Congress to make things illegal, not the courts
ii. Courts should construe criminal statutes narrowly based on the
Rule of Lenity
d. Terms of service often go unread
e. Possibility of discrimination
i. Prosecutorial discretion insufficient
ii. May be used as a pretext for firing
employees
f. Wants consistent interpretation and one
definition across the whole statute
g. Vagueness
h. Affects not just employee contracts, but
also internet consumers
i. Reaches conduct that is not inherently
wrongful
iii. Other remedies for trade secret infringement, apart
from CFAA
d. Holding
i. Finds for Nosal; the phrase exceeds authorized
access within the meaning of the CFAA is limited to
access-based restrictions, not use-based restrictions
1. Violations of contract-based restrictions not
covered
5. WEC CAROLINA ENERGY SOLUTIONS V. MILLER
a. 4th Circuit
b. Facts
i. Employee took proprietary information from the company, went to work for a
competitor and used that proprietary information to steal clients from his
old employer
c. Analysis
i. Alleged violation of the CFAA 1030(a)(2)(C) (broadest), (a)(4) fraud, (a)(3) damage
ii. CITRIN case
1. 7th Circuit; Posner
2. Facts
a. Airport employee erases all company information on a laptop before
subsequently leaving the company
3. Cessation of agency theory
a. Breach of a duty of loyalty means that
the employee loses all authorization
beyond that point
iii. Rejection of cessation of agency theory
iv. Finds that if you had code-based access, there is no
violation under the CFAA
6. UNITED STATES V. DREW
a. Facts
i. Mother uses fake Myspace account to terrorize
another little girl who subsequently killed herself
b. Analysis
i. Government argued that violation of terms of service renders access to a
computer unconstitutional, charged defendant with violation of Myspace's terms
of service
1. Cannot include a photo of another person
without their consent
2. Cannot solicit information from someone under
18
ii. Was convicted and judge struck down the conviction
for void-for-vagueness reasons
1. Encourages discriminatory enforcement
a. Difficult to tell what is actually prohibited
under a statute
7. U.S. V. MARIO AZAR
a. Facts
i. IT worker unhappy when he did not get a full-time
position and wiped everything off of the master
server
1. Has the effect of disrupting communications
between Pacific Gas and Electric and their
offshore oil platforms
8. U.S. V. MIJANGOS; U.S. V. KAZARYAN
a. Facts
i. Defendants were sex-extortionists
1. Would hack through victims' accounts and
computers to search for intimate pictures
2. Would turn on computer cameras without the
victims' knowledge
ii. Mijangos would monitor victims and would pretend to
be their significant others in order to access private
information and photos
iii. Would threaten the victims with posting the videos
online
9. U.S. V. CHANEY
a. Hacked celebrity accounts
10. U.S. V. MOORE
a. Revenge porn king
11. U.S. V. VOGELAAR
a. Hacked into post-production company and stole pre-release movies
12. AARON SWARTZ CASE
a. Facts
i. Tried to download a significant portion of the JSTOR database
ii. Charged under wire fraud statute and CFAA
iii. Circumvented a significant amount of code-based
restrictions
1. Both unauthorized access and exceeding
authorized access
iv. Killed himself after being threatened with 35 years of jail time
b. Aaron's Law
i. Potentially could change the CFAA to cover only code-based access
ii. Would eliminate liability in the CFAA for contract-based access
iii. Would reform the penalties
7. ACTIVE DEFENSE (HACKING BACK)
a. General
i. The Department of Justice has held that there is no exception in the
CFAA for companies hacking back
b. Kinds of active defense
i. Planting of false information (OK)
ii. Stolen information that self-destructs (OK)
1. Issue of whether this will damage the perpetrator's systems
iii. Beaconing (OK)
1. Shows where the data is, allowing you to trace it
2. Alerts the company that the data has left its system
iv. Patrolling cybercrime forums (OK)
1. Accounting information, offers to sell intellectual property, etc
v. Honeypots (OK)
1. A weakened server seeded with information
2. Traps set to entice hackers to a particularly weakly defended
server in order to see what they are looking for, what techniques
they are using and in an effort to look for clues of their identity
vi. Accessing the server of the hacker and deleting the stolen files (NO)
vii. Stewart Baker's Poisoned RATs (NO)
1. Remote Access Tool
a. A way in for hackers to get into a company's server; sends malware or a
beacon back to identify them
viii. Disabling hackers servers (NO)
ix. Virtual labyrinths (OK)
1. Continuous misdirection of hackers
2. Increases the hackers costs
c. Arguments
i. For hacking back
1. Your computer, my data: Because it is your data, you're
allowed to follow it and take it back or control how it is used
a. Argument hurt by the fact that the CFAA talks about
accessing computers, not data
2. Compromised machines owned by innocent third parties
a. You are doing them a favor by letting them know what is
happening to them
b. However, this is tempered by the fact that you cannot
harm their computer in your counterattack
c. Limit: cannot cause damage, but surveillance is likely okay
i. Must be very confident when launching your
counterattack that the third-party will not be
damaged, or else you will get no protection
3. More resources for private defense
4. Less political controversy
a. Private parties' actions cannot be attributed to the state
ii. Against hacking back
1. CFAA prohibits the transfer overloading of a computer with data,
even if it is used to stop an ongoing attack
a. CFAA(a)(5)(A) computer damage statute
i. Knowingly causing the transfer of code, command,
etc causing damage to a protected computer.
1. CFAA 1030(e)(8)
a. Damage is defined as any impairment
on the availability of data
i. Definition covers DDOS attack
2. Attribution is very difficult
3. Potential interference with US government
4. Escalation
a. Wrongful attribution may result in someone lashing out
5. Resource allocation
a. Well-resourced companies would be able to protect
themselves, but not others
d. Governmental blind eye
i. Delegitimization of the CFAA where prosecutorial discretion is used to
allow companies to hack back
1. How should the CFAA be revised to allow hacking back?
a. Allow an affirmative defense
b. Pose conditions for retribution
i. Accurate attribution
c. Limit on damages that you can do to another server
d. Manipulation of own data to protect itself is okay
ii. Other potential options
1. An armed non-governmental cybersecurity enforcement entity
2. Letters of marque
a. Companies getting permission from the DOJ to hack back if
they fulfill certain criteria allowing private action under
specific circumstances
8. Cyberespionage
a. Economic Espionage Act
i. General
1. Passed in 1996, signed into law by Clinton
2. Addresses economic security and relates it to national security
a. Extends federal protection to trade secrets
3. Is not a cyber-specific statute
a. Often charged with other statutes, including CFAA
i. EX: UNITED STATES V. NOSAL
ii. EEA covers 2 types of trade secret misappropriation
1. 18 USC 1831 economic espionage
a. What is a foreign instrumentality? 18 USC 1839(1)
i. Means any agency, bureau, ministry, component, institution, association, or
any legal, commercial, or business organization, firm, or entity that is
substantially owned, controlled, sponsored, commanded, managed, or dominated by
a foreign government.
b. What is a foreign agent? 18 USC 1839(2)
i. Means any officer, employee, proxy, servant, delegate, or representative of
a foreign government.
c. Important commonality is foreign state ownership and
control
d. 1831 charged much less frequently than 1832
i. 1831 economic espionage penalty is much higher
1. Economic espionage
a. Individuals: $5 million or up to 15 years
imprisonment, or both
b. Organization: Fine up to $10 million or
three times the value of the stolen item
(18 USC 1831(b))
2. Trade secret
a. Individuals: Fine and imprisonment up to
10 years
b. Organization: Fine of not more than $5
million
e. Elements
i. Theft of a trade secret
ii. Knowledge that the theft would benefit a foreign
government, agent, instrumentality, etc
2. 18 USC 1832 trade secret theft
a. What is a trade secret? 18 USC 1839(3)
i. Means all forms and types of financial, business, scientific, technical,
economic, or engineering information, including patterns, plans, compilations,
program devices, formulas, designs, prototypes, methods, techniques, processes,
procedures, programs, or codes, whether tangible or intangible, and whether or
how stored, compiled, or memorialized physically, electronically, graphically,
photographically, or in writing if:
1. (A) The owner thereof has taken reasonable
measures to keep such information secret, and
a. Expanded on in UNITED STATES V.
CHUNG
i. Advised employees of the existence of trade secrets
ii. Marking information as secret
iii. Restrictions on access
iv. Password protection
v. Physical protection
2. (B) The information derives independent
economic value, actual or potential, from not
being generally known to, and not being
readily ascertainable through proper means by,
the public
a. For economic value courts consider:
i. Value to owner
ii. Value to competitor
iii. Whether the information would yield an economic advantage
iv. Whether someone had to pay for it
v. Cost of development
b. Circuit disagreement as to readily
ascertainable by whom?
i. EEA: the public v. Uniform Trade
Secrets Act (UTSA): Other persons
who can obtain economic value
from its disclosure and use the
economically relevant portion of
the public
b. Elements
i. Intention to convert the trade secret to benefit
someone other than the owner
1. Does not need to show specific attribution like
1831
ii. Knowledge or intention that the offense will injure
the owner of the trade secret
iii. Has to affect interstate commerce
c. Trade secret v. economic espionage
i. Trade secret definition requires more than economic
espionage, substantial overlap
ii. Economic espionage differs in that it requires
benefit to any foreign government, foreign
instrumentality, or foreign agent
iii. Attempt and conspiracy are causes of action under both trade secret
theft and economic espionage
d. Trade secret theft
i. Must be used in or intended to be used in interstate
or foreign commerce
ii. Must have the intent or knowledge that the use of it
will injure the owner of the trade secret
iii. Does not need to benefit a foreign government
1. Just needs to show that someone other than
the owner benefited from the use of the trade
secret
a. Does not require attribution
iii. General presumption against extra-territorial application (18 USC 1837)
1. EEA only applies to conduct that occurs abroad if:
a. (1) The offender is a natural person who is a citizen or
permanent resident alien of the United States, or an
organization organized under the laws of the United States
or a state or political subdivision thereof
b. (2) An act in furtherance of the offense was committed in
the United States
iv. Procedural restrictions
1. Requires the approval of senior DOJ officials to charge EEA crimes
a. After 2001, approval no longer required for 1832, but still
required for 1831
v. What is covered by the EEA?
1. IP theft
2. Data breaches
a. Customer data may not be a trade secret, but a client list
would be
vi. What is not covered by the EEA?
1. DDOS attacks
a. No actual act of misappropriation
2. Data wiping
b. Cases
i. US V. GENOVESE
1. Facts
a. Pieces of Microsoft source code were leaked for free on a website
b. Defendant took the source code and tried to sell it
i. Was not the source of the leak, did not do the actual
hacking
2. Analysis
a. Constitutional challenges to the indictment
i. Freedom of speech
1. Since it was public information, he is allowed to
repeat it
ii. Was not a trade secret, since it was made publicly
available
iii. Void for vagueness argument
b. 1832 trade theft case
i. Court found that it was not protected speech
1. Illegal activity does not constitute protected
speech
3. Holding
a. Against the defendant
ii. US V. CHUNG
1. Facts
a. Chung secreted information under his house over the
course of decades
i. Was a Boeing contractor/engineer
ii. Gave information to the Chinese government
b. Largest archive of NASA information outside of NASA
2. Analysis
a. 1831 economic espionage case
i. Indicted for 6 counts of economic espionage and 1
count of conspiracy to commit economic espionage
b. Analytical process
i. Was the information a trade secret?
1. Was it a secret?
a. Were there reasonable secrecy measures?
2. Did the information have independent economic value?
a. Tasked by the Chinese government to steal this information with the
intent to benefit the Chinese government
b. Boeing's information may provide a roadmap for competitors in the future
c. Inferred economic value based on value
to the competitor
c. Criminal liability under the EEA can be established by the
defendants attempt alone
i. Attempt is penalized the same as completion
c. Articles
i. CYBERESPIONAGE, SURVEILLANCE AND INTERNATIONAL LAW: FINDING
COMMON GROUND (BANKS)
1. Cyberespionage has low barriers of entry
2. Relationship between international law and espionage
a. 3 answers:
i. International law does not prohibit espionage,
therefore it is permitted
1. LOTUS CASE
a. Court found that if there is nothing in
international law that says a state cant
do something, then states can do it
i. Focus on state sovereignty
ii. Unless specifically consented to an
international law, they are not
bound.
2. Old view
ii. International law affirmatively permits espionage
1. It is a widespread practice
2. States are required to engage in espionage to
protect their citizens
a. A necessary incident to self-defense
iii. International law prohibits espionage
1. Non-intervention
2. Human rights reasons
3. Right to privacy
a. Some countries do not interpret the
ICCPR's right to privacy to include digital
surveillance
i. Germany redrafted legislation to
extend to electronic information;
therefore can argue that the treaty
did not already include it
4. State sponsored espionage can constitute force
and intervention, which is prohibited by the UN
Charter
5. Vienna Convention on Diplomatic Relations
(VCDR)
a. Prohibits diplomats from spying
i. Diplomats are required to respect the laws of the receiving state, and
espionage is prohibited domestically in most countries
3. Proposals to regulate espionage
a. Limit espionage to allow for only national security reasons
i. Differentiation between national security espionage
and all other types?
ii. What constitutes national security?
b. States could agree that international law prohibits
economic espionage
i. Prescribes a limited category and does not run into
issues of defining national security
c. Internationalizing domestic laws such as the CFAA and the
EEA
d. Prohibiting attacks on particular targets, creating a no-spy
zone
e. No-spy agreements
ii. UN GENERAL ASSEMBLY'S RIGHT TO DIGITAL PRIVACY
1. Not specific about what is covered by the right to privacy
2. Recognizes the necessity of some surveillance
a. Reasons to curtail right to privacy:
i. Countering terrorism
ii. Security
9. INTERNATIONAL LAW
a. Types
i. Treaties
1. A contract between countries
2. BUDAPEST CONVENTION
a. First international treaty that deals directly with cybercrime
b. Negotiated in late 1990s, opened for signature in 2001,
came into force in 2004
i. Has 45 member states
1. Russia has not signed
2. US ratified the treaty in 2006
c. Additional protocol
i. A separate treaty ratified by a number of member
states
ii. Makes it a criminal offense to use computer systems
to distribute crimes against humanity and racist,
xenophobic threats
1. Only 24 ratifications, none outside the Council of Europe
d. Articles
i. Article 2 Illegal Access
1. Differs from the CFAA, in that in requires
obtaining computer data, not just accessing
ii. Article 5 System Interference
1. CFAA defines damage in relation to integrity
and availability of data, while BC articulates it
as a serious hindering without right of the
functioning of a computer system
iii. Article 7 Computer-Related Forgery
1. No similar CFAA provision
a. CFAA gets at it through computer damage and computer fraud provisions
iv. Article 13 Punishment
1. Does not mandate a specific punishment, but
indicates that punishment should be effective,
proportionate and dissuasive sanction, which
includes deprivation of liberty.
e. Broadly lines up with the CFAA, does not mandate specific
legislative language, but asks for criminalization of specific
activities
i. Allows for state-by-state variation
ii. Uses access without right language
f. Obligates information sharing and facilitates signing of
MLATs
i. Attempts to harmonize cyberlaws and allow for
cooperation in investigation
g. Critiques
i. Vague definitions
ii. Lack of enforcement
iii. Weak cooperation provision
iv. Western focus
v. Not broadly ratified
vi. Countries filing reservations
h. JACK GOLDSMITH ARTICLE
i. BUDAPEST CONVENTION is a cautionary tale
1. Lax enforcement mechanisms
a. Not truly enforceable
b. Carve-outs by states
2. Vague definitions
3. Western-oriented
4. Has limited international adherence
3. AFRICAN UNION CONVENTION ON CYBERSECURITY AND
PERSONAL DATA PROTECTION
a. Brand new treaty, no ratifications
b. Covers cybercrime, personal data protection, electronic
protection
c. Borrows language from both CFAA and the BC
i. Uses CFAA's "unauthorized access or exceeding authorized access" versus
BC's "access without right" language
ii. Uses BC's system interference language of "to hinder and distort" the
function of a computer system
d. Explicitly lists privacy as a right under Art. 25(3): Rights of
Citizens
e. Critiques
i. No ratifications
ii. Freedom of speech concerns
iii. Lack of capacity for enforcement or implementation
iv. Too broad in scope
ii. Customary international law
1. State practice
a. Custom must be the general and consistent practice of states
b. Must be widespread
2. Customs of countries on the international stage
a. However, not all customs obtain the status of customary
international law
3. Opinio juris sive necessitatis
a. An opinion of law or necessity
i. Done out of a sense of legal obligation
ii. States are not just engaging in the practice out of
convenience or policy
1. Does it because they think they are legally
required as a matter of international law to do
it
4. States may not have signed onto a treaty, but may still be bound
by customary international law
a. Generally enforce through actions taken by other states
5. Usually not an affirmative practice, but a defensive one, asking
states to refrain from doing something
b. International procedural issues
i. Extradition
1. Taking a criminal defendant from one country and sending them to another
country for prosecution
2. Custody of persons, moving people across borders for the
charging of crimes
a. US-Estonia
3. Requirements
a. Dual criminality
i. Must be a crime in both jurisdictions/overlapping
cores of criminality
b. Minimum severity requirement
ii. Mutual legal assistance (evidence collecting function)
1. Perpetrators may be abroad and so evidence may also be abroad
2. MLATs
a. Mutual legal assistance treaties
b. Usually bilateral
c. Binding legal obligations for the receiving state to respond,
subject to some exceptions
i. Processed through the central authority of each
state, government-to-government
1. Cannot be used by individual litigants
3. Letters of Rogatory
a. Processed between court-to-court
10. POLICY QUESTIONS
a. (1) Congress should pass a federal data breach notification law that would
preempt all state data breach notification laws currently in effect
i. FOR
1. Current patchwork structure makes compliance for companies
difficult and time-consuming
a. May result in customers in different states being notified of
the same incident at different times with different
information
2. Would unify requirements
3. Be cheaper to comply with
ii. AGAINST
1. Could lessen consumer protection if the federal threshold is
higher
2. If aiming for stricter laws, could impose huge costs on small
businesses
b. (2) International treaties are an effective means to address threats posed by
cybercrime
i. FOR
1. Cybercrime is an international issue
ii. AGAINST
1. Treaties, ultimately, must be enforced by countries against other
countries
a. Cybercrime may not be high up on other countries priority
list
b. Imposing sanctions requires a lot of other considerations
c. No other outside enforcement mechanism
d. States can just not sign on to a treaty
2. Extradition issues
3. Definitional issues
a. Different parameters as to what constitutes a cybercrime,
lack of consensus for punishment
c. (3) The current multi-stakeholder model of internet governance is less
protective of individual rights than governance by government would be
i. FOR
1. They could provide better more consistent protection
ii. AGAINST
1. Governments would want to limit individual rights more due to
national security reasons
2. Different countries governments may be more restrictive as to
internet governance
a. EX: China
d. (4) Congress should increase the penalties for violating the CFAA and the EEA
because current penalties are not deterring hackers
i. FOR
1. Could work for the EEA as it involves more deliberate criminal
behavior
ii. AGAINST
1. Under the current CFAA definitions, people could accidentally be
engaged in certain actions that could constitute hacking
a. If they are unknowingly committing a crime, deterrence is
a moot issue
e. (5) The standard for what qualifies as an armed attack should be the same in
the cyber-context as in a traditional, conventional armed attack
i. FOR
1. Can cause harm that is similar to a conventional armed attack,
just through different channels
a. EX: Stuxnet; if the US had physically gone in to mess with
the reactors, would likely have been considered an armed
attack
ii. AGAINST
1. Fundamentally different sort of attacks
2. Difficulty in identifying whether an attack has occurred, who
conducted it, what is the scope of the harm, whether civilians
were harmed in the process and what would constitute excessive
harm of a civilian in violation of Art. 55(1)(b)
3. Huge disagreements between states as to what would constitute
an armed attack in the cyber-context
f. (6) Announcements, like NATO's Wales Summit Declaration, that cyberattacks
can trigger collective-self-defense obligations make cyberattacks less likely
i. FOR
1. Allowing for self-defensive measures that are backed up by other
states will result in more careful state consideration of using the
attack, similar to the level of deliberation for conventional
attacks
ii. AGAINST
1. Attribution is difficult, so, as a deterrence measure, most likely
limited
2. May only be a consideration where it is a state actor perpetrating
the cyberattack
a. Large portion of cyberattacks may not be conducted by the
state
b. Collective self-defense measures would have to go through
the state before it can reach the private actor
g. (7) The US is entitled to exercise forceful self-defense measures in response
to the attack on Sony
i. FOR
1. Was an economic attack and the US has the right to protect itself
2. Attributed to a state actor, therefore the US could call upon NATO
member states for collective self-defense
ii. AGAINST
1. Unclear whether the Sony hack would constitute an armed attack
that would justify the use of retaliatory force
2. Unclear who the actors were
3. Does the release of civilian information constitute civilian harm?
a. Difficulty in ascertaining magnitude of harm
11. CYBERWARFARE
a. Jus cogens
i. Super strong customary international law
1. Cannot be overturned by treaty or other customary international
law
2. Can only be overcome by another jus cogens
3. No current jus cogens or treaties for cyberwarfare
a. Must use existing treaties on war, and apply it by analogy
to cyberspace
ii. Example
1. UN Charter Rules on the Use of Force
2. Rules against genocide
iii. Articles
1. MURPHY'S PRINCIPLES OF INTERNATIONAL LAW
a. A state can suffer a use of force, but not have the right to
retaliate as it does not rise to the level of an armed attack
i. States are only allowed to respond to uses of force
when it amounts to an attack, whereas the US states
that uses of force are armed attacks
b. If we said that cyberattacks were not armed attacks, then
states would never be allowed to use force in retaliation
2. WHETHER A CYBERATTACK CAN BE AN ARMED ATTACK; SELF-DEFENSIVE FORCE AGAINST
CYBERATTACKS: LEGAL, STRATEGIC AND POLITICAL DIMENSIONS (WAXMAN)
a. 3 possible answers
i. NO
1. Strict reading; cannot be an armed attack as
must constitute kinetic violence
ii. SOMETIMES
1. Must result in violent consequences (effects-based)
a. Such as the consequences resulting from
a conventional strike
b. EX: opening a dam on a village,
activating nuclear weapons, disabling air
traffic communications resulting in a
crash
c. US takes this approach
i. Has no firm position as to
cyberactions with no clear kinetic
parallels
2. Depends on the magnitude of the consequences
a. Difficult to apply
b. EX: attack on the stock market
3. TALLINN MANUAL
a. Armed attack and use of force are not equated; does not take the US
position
b. Exceptions to prohibition on the use of force
i. Self defense
c. Jus ad bellum
i. Recognized by the US
ii. Limitations on the right to self defense
1. Necessary
a. LETTER FROM US SECRETARY in relation to the
CAROLINE INCIDENT
i. Leaving no choice of means
1. No peaceful alternatives
a. Diplomatic negotiations
b. Asking for cease and desist
ii. Admonition or remonstrance impracticable,
or would have been unavailing
iii. Daylight could not wait
iv. Means necessary to remove the threat, and whether non-forcible means were
adequate
2. Proportionate
a. Proportional in relation to what the attack was
supposed to achieve
b. Not limited to repelling the initial attack, but ending
the conflict
i. Whatever is necessary to eliminate the threat
1. Not limited by geographic location
2. Does not have to a be a mirror image of
the attack
a. Do not need to resort to same
tactics, type of weapon or type of
attack
c. Could it have been done with less violence with the
same objective of neutralizing the threat?
d. The response must not be excessive, must be
proportionate to the threat
e. LETTER FROM US SECRETARY in relation to the
CAROLINE INCIDENT
i. Nothing unreasonable or excessive
f. Proportionality: responding to a conventional attack
with cyber means?
i. Limit damage, lost lives
ii. Should not be required, but an option
1. Requiring a specific kind of response
would take away from a states ability
to defend itself
iii. If you could accomplish the same goal
through cyber means, would show you took
proportional, less violent action?
iii. TALLINN MANUAL, RULE 14 Jus Ad Bellum
1. Use of force of cyberoperations taken by a state must be
necessary and proportionate; no exemption for cyber
context
2. Peaceful cyber alternatives
a. Firewall
b. Detection and prevention systems
c. Requests to desist
d. Expanding server capacity to withstand DDOS
attacks
3. Cyber attacks do not necessarily require a cyber response
iv. How much of a constraint is necessity and proportionality on
self-defense?
1. Easy to work around the requirements
2. Only limits against ridiculously overbearing responses
a. Does not limit more nuanced differences in
response
v. Temporal requirements
1. Imminence
a. When you know an attack is going to happen, how
soon can you respond?
b. 4 possible answers
i. An attack must have already occurred
ii. Temporally-focused anticipatory self-defense
1. The attack is about to be launched;
focused on the traditional meaning of
imminence
2. Minority position
iii. Anticipatory self-defense
1. When an armed attack is imminent
2. US's announced position, TALLINN MANUAL's majority position
iv. Last window of opportunity
1. Doctrine of last chance
a. Focus on when the attack
becomes non-preventable
b. Can be temporally remote from
the time of attack itself
2. Majority position
v. Preemptive self-defense, probable future
attack
1. Could lead to paranoia, too much
armed defense
2. Immediacy
a. How long after a state suffers an armed attack can
that state respond forcibly?
vi. UN Security Council authorized
1. Issues of political deadlock
2. Authorized the Korean War, Bosnian War
3. Cyber issues
a. Would require near perfect attribution
i. Required evidentiary showing may be higher than is
possible in cyber context
b. Takes too long to go through Security Council
c. Debate on whether you can authorize force against non-state actors
d. Collective self-defense
i. When one country is attacked, the victim-state can request assistance
from other states
1. Request must be contemporaneous
a. Limits other states from acting aggressively and jumping to
help
b. The victim state can limit the kinds of assistance that can
be provided
i. Does not need to allow the assisting-state to help
however the assisting-state sees fit
2. Assisting-state stands in the shoes of the victim-state once the
request has been made
3. All normal jus ad bellum limitations on self-defense still apply
ii. Authorized by UN Art. 51
iii. NATO
1. Committed ex ante that an attack on any one of the member
states will be considered an attack on all of them
a. 9/11 was the only time this was invoked
b. Still requires a request for assistance, but is pre-committed
should there be a request
i. Victim-state not obligated to receive the assistance,
but assisting-states obligated to provide it
2. WALES SUMMIT DECLARATION
a. Members obligated to establish their own defenses
b. Enhanced information-sharing between NATO member
states
c. International law, jus cogens, jus ad bellum, jus in bello, UN
Charter applies to cyber
d. Thought to be an empty gesture
i. Declaration of already existing NATO policy
1. NATO would have treated a cyber attack as an
armed attack
ii. However, explicit statement helps advise states in
their course of action
iii. States signing on acknowledge that jus in bello
applies in cybersecurity context
e. Jus in bello
i. How states can use force during a conflict
ii. Treaties
1. Hague Convention
a. Restrictions on the method used in warfare
b. Martens Clause (included in the preamble)
i. Intended to be a gap-filler in international law
ii. In cases not included in the specific language of the
treaty, parties are still to proceed in conjunction with
customary international law
1. Residual clause; anticipates that technology
will outpace treaties
2. Geneva Convention
a. Protection for victims (wounded, sick, POW, etc)
b. Ratified by every country
c. 4 conventions, 2 additional protocols
i. The US has not ratified the additional protocols,
which dignify insurgent groups and give them
protections similar to states
d. Articles
i. Article 48
1. Must distinguish between civilians and
combatants and only attack the latter
a. Based on civilians maintaining their own
civilian status, however
b. Civilians are not protected once they
enter the fray
ii. Article 4(a)
1. Defining combatants
iii. Article 51
1. Protection of the civilian population
2. Indiscriminate attacks prohibited
a. Attacks that do not attempt to distinguish
between civilians and combatants
b. Objective of spreading terror prohibited
c. Prohibits use of methods that cannot be
limited to either a civilian or military
objective
3. Cannot use civilian population as a shield
4. Art. 55(1)(b)
a. Collateral damage okay, allowed to cause
civilian casualties, but proportionality
important
b. Threshold: Must not be excessive in
relation to the concrete and direct
military advantage anticipated
iv. Article 52
1. General protection of civilian objects
a. Civilian objects shall not be the object of
attack or reprisal
b. Presumption is that objects are not
military objects
iii. Principles
1. States are prohibited from causing unnecessary suffering
a. States do not have unlimited freedom of choice as to the
weapons that they are allowed to use
iv. Neutral state involvement
1. TALLINN MANUAL: RULE 94
a. Aggrieved party can take steps if a neutral state fails to
terminate exercise of belligerent rights in its territory
i. Still subject to jus in bello rules
2. Criteria/proposals for showing that a neutral state is unwilling or
unable to deal with belligerents in its territory; GEOGRAPHY OF
CYBER-CONFLICT (DEEKS)
a. Prioritize cooperation and consent with the state rather
than a unilateral use of force
i. Neutral states can consent to use of force in their
territories
b. Ask the neutral state to address the threat and give it an
adequate amount of time to respond
c. Reasonably assess the neutral state's capacity and control
within the relevant region
d. Reasonably assess the neutral state's proposed means to
suppress the threat
e. Evaluate its past interactions with the offending state
i. Where the neutral state has failed to take action
after promises to do so in the past, can factor this in
3. Neutral states seem to get a higher level of protection than
civilians
a. Cannot engage neutral states, but cannot realistically refrain
from harming any civilians during a war
v. Requirements
1. Distinction
a. Distinction in terms of whether the choice of methods would
distinguish between military and civilian
b. Distinction in choice of target
c. States must never make civilians the object of attack; must
always differentiate between civilian and military targets
d. HAROLD KOH
i. Principle of distinction should apply in cyber-context
ii. Takes the position that the US will abide by the
principles of distinction whether it is international
customary law or not
2. Proportionality
a. Whether civilian damage is excessive in relation to the
military advantage anticipated
i. Difficult application to cyber context
1. Uncertainty as to effects on civilians,
everything is interconnected
2. Difficult to determine what is excessive
3. Hard to know how much advantage is gained
4. What constitutes a weapon
5. Prevalence of dual-use networks
6. Attribution
7. When does a hacker constitute a combatant
a. Direct participation in a hostility is
complicated as a cyber standard
8. Difficulty of human shield analogy
a. Countries may not even know that they
are doing it
3. Precaution
a. Should always choose the option that causes the least
amount of damage to civilians, even where all options are
considered proportionate
i. Differentiation between precaution and proportionality
1. Proportionality
a. Whether the harm caused was excessive
2. Precaution
a. Whether the country took feasible
measures to protect civilians
b. Military must choose the most protective
option while still achieving their military
objective
ii. Might be proportionate to harm 100 people, but
precaution means that if there are 2 options, choose
the more protective one, and harm only 10
b. Geneva Convention Article 57
i. Constant care shall be taken to spare civilian
populations, civilians and civilian objects
1. Constant care is undefined in international
law, but it means you cannot completely
disregard civilians
ii. Should take all feasible precautions in the choice of
means and method of attack, workable or
practicable given all of the circumstances ruling at
the time
f. Is a cyberattack an armed attack?
i. TALLINN MANUAL: RULE 30 Definition of Cyberattack
1. Does not mean an armed attack
2. An attack that can be expected to cause harm to persons or
objects
3. Almost verbatim tracks the Geneva Convention definitions
4. Data
a. Does not find that data is an object, so it cannot be
classified as civilian or combatant
i. Arguments against:
1. Data may be more important than the objects themselves
2. Linked to numerous objects
3. Data has been found to be a form of property
via trade secret laws and intellectual property
ii. While data is not an object, can constitute an attack
if it affects systems and functions
ii. Requirements for being a military object
1. Is it a military object based on nature, location or use?
a. Use
i. Percentage of military use/civilian use
1. EX: Tech company that makes off-the-shelf
software as well as military encryption
software, Boeing as a military target, but
strong civilian application
ii. TALLINN MANUAL: RULE 39 Objects used for civilian
and military purposes
1. Cyber functions are targets when they are
involved in military operations
iii. However, dual use likely not known by civilian parties
2. Does it make an effective contribution to military action?
3. Will the total or partial destruction or neutralization, or capture of
data, offer a definite military advantage?
iii. Jus in bello
1. TALLINN MANUAL: RULE 43 Indiscriminate means or methods
a. Prohibits use of cyberweapons that are inherently
indiscriminate by nature
i. Differentiates from choice of indiscriminate use by
user
2. Jus ad bellum proportionality
a. TALLINN MANUAL: RULE 51
i. A cyber attack that may be expected to cause
incidental loss of civilian life, which would be
excessive compared to the military advantage to be
gained, is prohibited
1. Principle of distinction applies; cannot target
civilians
b. Definitions of damage:
i. Kinetic damage
ii. Serious functionality disruptions
iii. Any unauthorized access
1. Not an appropriate standard for a law of war
iv. TALLINN MANUAL: RULE 5
1. General duty for one state to not knowingly allow the unlawful
use of its cyberinfrastructure to harm another state
2. Cyber issues
a. Attribution
i. Difficult for states to know where an attack is coming
from
b. Borders are hard to police
i. Borders are very porous/non-existent in cyberspace
c. Speed of cyberattacks
v. What does a state have to know before taking action?
1. Certain attribution
2. Actual knowledge
a. Duty to act
b. May give states plausible deniability
3. Constructive knowledge
a. Imposes knowledge on a person where they should have
known
b. Duty to monitor
i. FOR
1. State itself is in the best position to know
2. Would not want to permit other states to look
into your cyberinfrastructure
ii. AGAINST
1. Enforcement difficult
2. States have different capabilities
3. Privacy concerns for citizens
a. Could be sanctioning a lot of government
monitoring, intrusive
4. Not a good use of resources
iii. Does this duty apply to states through which cyber
attacks are routed?
1. Applies to the state where the attack originates
2. However, where routing is fairly instantaneous,
impracticable for routing states to react
a. Data travels in a fragmentary way
b. May not have the ability to prevent it
3. LAW OF CYBERWARFARE (SCHMITT)
a. Predicts that there will be a movement
towards accountability of routing states
g. Cyberwar: law by analogy
i. International wrongful act
1. Breach on an international legal obligation
a. Very broad; when an act of a state does not comply with a
legal obligation
b. Exemptions
i. Consent
ii. Countermeasure
iii. Force majeure
iv. Self-defense
2. Attributable to the state
a. DRAFT ILC ARTICLES
i. Article 4: Conduct of organs of a state
1. Regardless of position, regardless of whatever
power it holds, its actions will be attributed to
the state
2. Whether it is an organ of the state is
determined by how it is organized based on
internal law
ii. Article 5: Conduct of persons or entities who are not
organs of the state
1. Attributed to the state where it is empowered
by the state, provided that the person or entity
was acting in that capacity
a. De facto organs of the state
i. Non-governmental organs exercising governmental authority
b. TALLINN MANUAL: RULE 6
i. Broader definition of state organ
ii. Individuals acting under the instruction of a state and
directly under the state's direction or control
iii. ICJ standard: effective control (dominant standard)
1. U.S. V. NICARAGUA
a. Must prove that the US has effective
control of the military operations,
weapons funded by the US not sufficient
2. Operation-by-operation control difficult to show;
high evidentiary standard
3. Greenlights the idea of war by proxy, so long as
they are doing it through a third-party and are
not giving instructions
a. EX: Estonia cyber-riot, Sony hack
iv. International Criminal Tribunal for the former Yugoslavia: overall
control
1. Looser definition, does not require operation-by-operation control
c. How to determine state responsibility?
i. Conventional
1. What is the relationship between the forces
and the state military
2. Where are the weapons coming from
ii. Cyber
1. Amount of control the state has over its own
network
2. Where the international wrongful act is
coming from (location)
3. Transfers of money to these groups by the
government
4. How much the state knew about these
operations
5. Governmental training programs
a. Are these people being trained by the
government?
6. Any communications between the government
and the attackers
7. Source of the code
8. How they are locating their targets
a. Are they being directed to particular
targets or being matched up with
vulnerabilities?
9. If the government authorizes hacking back,
might make the government responsible for all
of the companies' subsequent actions
a. If the government issues a statement
that it won't punish hacking back, then
they might be permitting cyberwarfare
by proxy
iii. Even if the state is not responsible for the conduct, if
they adopt it as its own afterwards, would be
responsible
1. Cannot protect hackers or prevent them from
being prosecuted
iv. TALLINN MANUAL: RULE 8
1. Routing through a state is not sufficient to
attribute it to the state
v. TALLINN MANUAL: RULE 7
1. Launch of a cyberattack from a governmental
building is not dispositive as to whether it is an
act of the state, but it does indicate that the
state may be associated with the operation in
question
a. Flipped from conventional context
3. Sony incident as an internationally wrongful act?
a. Yes, violation of sovereignty
i. Placement of malware within another states territory
ii. Or, if the North Korean government is not
responsible, failure to prevent the use of its territory
to cause harm to other states
iii. Manipulation of cyberinfrastructure of another state
b. An act of retorsion would be permissible
i. Retorsion v. countermeasures
1. Retorsion
a. An act that is lawful at all times; lawful,
but unfriendly
b. EX: Suspending foreign aid, suspending
trade, banning immigration
2. Countermeasures
a. An internationally wrongful act but for a
preceding violation; a response to an
unlawful act
i. Must be taken in response to a
previous international wrongful act
of another state, and must be
directed at that state
ii. Victim state must call upon the
state committing the wrongful act
to discontinue the wrongful act or
make reparations
iii. Proportionality requirement
iv. Effects of the countermeasure must
be commensurate with the injury
suffered
b. EX: Violation of sovereignty
c. Was the US taking down the North Korean internet a
permissible countermeasure?
i. Did the US suffer an international wrongful act?
ii. Were the actions taken against the state responsible?
iii. Did taking down the North Korean internet induce
compliance with international law?
iv. Did they call upon North Korea to cease the
internationally wrongful act? Or did they take urgent
countermeasures?
v. Was their act proportionate?
vi. Was the act taken in a way to permit resumption of
obligations?
CYBERSECURITY REGULATION
a. Actors
i. Companies
1. May not properly value cybersecurity
a. May not think they will be targeted
ii. Individuals
1. Failure to see individual incentives
iii. Government
1. Lacks authority
b. Bad cybersecurity due to market failure (SINGER; FRIEDMAN)
i. Negative externality; a bad user does not individually bear all of the cost
1. Poor personal security may result in your computer becoming part
of a botnet that can, in turn, go out and commit other acts
2. Cost is borne by the system
c. Levels of government regulation
i. Government directly regulate
1. FOR
a. Can provide a minimum level of cybersecurity for
companies that are unable to provide it for themselves
2. AGAINST
a. Implementing a blanket regime may be detrimental to a lot
of big tech companies and the economy
b. Government may not be properly equipped to regulate in
this field
3. Could issue
ii. Government issuing regulations requiring companies to provide
cybersecurity
1. EU position
2. Can spur compliance
3. Not really any other entity to do this regulation, but better than
direct governmental regulation
4. Mitigate externalities issue
5. Can provide a floor for cybersecurity
6. Can begin a trend towards greater cybersecurity
iii. Voluntary standards
1. Optional governmental regulations
2. Government can develop these standards in conjunction with the
industries
a. Really expensive for companies to figure out what
voluntary regulations they would wish to impose
3. Might make companies immune to lawsuits however, if they
comply with a bare minimum voluntary standard
4. Obsolescence due to speed to technological development
iv. Do nothing
1. A market for security will develop eventually
ZERO-DAY VULNERABILITIES
a. Market for vulnerabilities
i. Responsibilities
1. Product creators
2. Buyers
a. Driving up demand
b. Disclosure
i. When disclosed, the software company patches up the hole and the
government can no longer exploit it and use it to gain information
1. EX: If zero-day vulnerability had been disclosed and fixed,
Stuxnet could not have occurred
ii. Risks of non-disclosure
1. Does not get fixed
2. Someone else has also discovered and is accessing the
vulnerability
iii. Government disclosure process
1. High-level interagency discussions within the intelligence branch
about whether to disclose; the government claims the process is biased towards
responsible disclosure
2. HEARTBLEED
a. A vulnerability in OpenSSL which contained a backdoor
through which attackers can extract information;
government accused of knowing about it for a long time
and not disclosing, also exploiting it
iv. Disclosure continuum
1. Use
2. Stockpile
3. Disclose
c. Government participation in zero-day vulnerability market
i. Government has no choice, must stay ahead of these vulnerabilities
i. Government has no choice, must stay ahead of these vulnerabilities
ii. However, US tax dollars going to illegitimate sources
iii. Creation of further demand
iv. Allows some hackers to act under the color of law
d. Important questions
i. Whose software is the vulnerability in?
1. Less of a duty to protect foreign citizens, less duty to disclose
ii. Do bug bounties pre-authorize activities that hackers/security
researchers conduct upon the software?
1. Possible solutions
a. Contract
b. Create parameters in which authorized hackers are
authorized to act
c. Oversight
i. Registering with the company and logging in through
the company
d. Handing over the bug and code without actually exploiting it
e. Sandbox-style play area
2. May be used as a way to get out of CFAA liability
e. CURBING THE MARKET OF CYBERWEAPONS (STOCKTON)
i. 3 proposals
1. Incentivize companies to make better products
2. Export controls
a. What products and information can leave the US
b. Potential multi-country export restriction
c. However, if the conduct is outside of US jurisdiction to
begin with, no effect
3. Amend CFAA with due diligence requirements for sellers
a. Imposition of a duty on sellers of vulnerability information
to sell to only good buyers
DETERRENCE
a. Making perpetrators of an attack decide not to go through with the attack
i. Due to retaliation or fear of consequences (FOCUS)
1. Partially a function of perception; it works by convincing a
potential adversary that it will suffer unacceptable costs if it
conducts an attack
ii. Not worthwhile for them to attack because it wont succeed
b. Issues with cyber deterrence
i. Attribution
ii. Inability to properly signal
1. Letting other states know your capabilities may lead to issues
iii. Timing
iv. DEPARTMENT OF DEFENSE deterrence strategies
1. Military retaliation
a. Hacking back
2. Improving the defenses of systems and networks
a. Invulnerability
3. Improving resilience to attack
4. Interdependence of networks
5. Attribution
6. Criminal law
a. Extradition issues
b. Different national definitions of cybercrime
7. Invisibility
a. Labyrinth
8. Economic sanctions
a. Targeting both perpetrators and the people who benefit
from the cybercrime
b. Slow-moving
c. Interdependence may result in economic sanctions having
a blowback effect on own nation's economy
9. Diplomatic responses
10. Declaratory policies
a. Statements of how the US will respond in the event of an
attack
i. Can be a statement indicating that there will be a
response without specifying what it will be
11. Collective defense
a. Helping other countries bridge the digital divide