Cybersecurity


What is the result of the Van Buren case?

After Van Buren there is a two-step set of questions for "exceeds authorized access":
1) Threshold question (the only part SCOTUS decided): was the person entitled to access the particular computer, file or database at all? Someone who is allowed into an area of the computer but uses what they find there for an improper purpose does not "exceed authorized access"; the statute reaches people who enter areas of the computer that are off-limits to them.
2) Open question (footnote 8): when a person enters an area they were not allowed to access at all, must they have circumvented a technical constraint (a code-based gate), or is it enough that the employer or a written policy told them not to go there? This question matters only when the person is accessing a place they were not allowed to access at all, which is why it was not relevant to Van Buren, who was permitted to use the database he searched.

Vuln aka Vulnerability/Bug

An error in the code or IT system, unintended by the person who wrote it, that opens the door to making the software do something the engineer did not intend.

Why is it hard to sue attacker(hackers) and why is it hard to sue software vendors? Who does that leave to sue?

Attackers - impossible to track down most of the time; often they cannot even be identified. Vendors - their lobbyists have worked hard to avoid liability, sometimes explicitly in statutes. Additionally:
- courts have consistently construed software license agreements to disclaim liability for software defects
- consumers tolerate defective software because it works most of the time
- holding software producers liable would stifle innovation
- it is hard to prove that a given defect caused the harm suffered
This leaves the victim company as the remaining option for a defendant in a lawsuit.

Describe FTC's enforcement action against LabMD

LabMD was the victim of extortionists who took advantage of one employee's use of outdated software; the attacker turned out to be in China. The FTC brought an enforcement action (which LabMD appealed to the 11th Circuit) alleging the company "failed to reasonably protect the security of consumers' personal data, including medical information." The 11th Circuit found the FTC's cease-and-desist order, founded on LabMD's general negligent failure to act, unenforceable because it did not specifically list the data security protections LabMD needed to implement to comply with the order; the court said the FTC was holding LabMD to an "indeterminate standard of reasonableness." The court sidestepped the question of the FTC's power to use Section 5 "unfairness" to enforce privacy and security violations, avoiding a circuit split with the 3rd Circuit. The case is an example of a wild goose chase the FTC should have dropped long before the 11th Circuit opinion was reached. The practical outcome is that the FTC now has to list specific measures in its cease-and-desist orders. That ruling is a double-edged sword for companies, though, because it invites the FTC to micromanage what companies should do instead of giving them broad latitude to decide which measures will satisfy the order.

Why did Rear Admiral Gene Price say the U.S.'s approach to cybersecurity defense needs to be "defending forward"?

Because the U.S.'s reverence for civil liberties makes it virtually impossible to provide adequate cybersecurity within the U.S. without an external effort to know what is coming at us. The U.S. is the safest place for cyber attackers to live and operate from because of our privacy rules and dedication to a free and open society.

Which groups split federal prosecutorial authority for cyber crimes at the headquarters (Main DOJ) level?

CCIPS (Computer Crime & Intellectual Property Section) and NSD (National Security Division). Which of the two takes the lead on a particular case depends on the nature of the attacker and the nature of the victim(s) and impact.

Categorize this hacking activity: On behalf of a foreign government an adversary penetrates the computers of a major contracted defense company's systems and steals classified information about helicopter plans and engine designs.

Classic military espionage.

What is the insecurity industry

Companies in the business of discovering vulns and developing exploit chains for them, which they sell to governments. Good if you are the government they disclose the vulnerability to, potentially bad otherwise. Government agencies also do this work themselves.

CIA Triad

Confidentiality, Integrity, and Availability: the core properties cybersecurity aims to protect. Confidentiality - privacy of information; the ability to keep people from seeing what they are not supposed to see. Integrity - the idea that no one can change information in ways it should not be changed (e.g., no one can move a decimal point in your bank balance or otherwise alter records). Availability - systems and data remain usable when needed; attackers undermine it by making systems stop working or become inaccessible (e.g., denial of service).

Categorize this hacking activity: On behalf of a foreign government, a hacker obtains control of the navigational system of a U.S. Navy vessel, and causes the ship to run aground. Assume first: no one is hurt, and second: dozens die.

Covert action (assuming no one knows who did it). Since a military vessel is involved, you need to know whether there is already an armed conflict going on. Then there are gradations of armed conflict: if no one is hurt it may be easier to say this is not armed conflict, whereas if people are killed it might instigate war.

Categorize this hacking activity: On behalf of a foreign government, a hacker obtains control of weapons systems for a U.S. Navy vessel, and develops redundant capacities to access those systems but takes no further action.

Covert action. Potentially preparation of the battlefield? Do we know who it is, and do we know that they did it and have that capacity?

Proofs of Concept

Demonstration documents or code circulated by researchers and technical people who discover a vulnerability, explaining step by step how it might be exploited. A double-edged sword: a PoC puts pressure on vendors and users to fix the problem, but it also accelerates the spread of the knowledge bad actors need to take advantage of the vuln.

DOJ - CCIPS

Department of Justice, Computer Crime and Intellectual Property Section. The go-to office for computer crimes without a national-security dimension. If national security is involved, the DOJ National Security Division may also get involved.

Discuss the ways the Texas analogue to the CFAA is similar and different from the federal statute.

Different - primarily in the definition of what constitutes "effective consent" to access a computer. The Texas statute lists five situations in which consent is not effective. One of those says consent is not effective if the access is "used for a purpose other than that for which the consent was given." That seems to address the Van Buren footnote 8 question directly: Van Buren would have been convicted under Texas law.

CFAA - 18 U.S.C. §1030(a)(2)

Obtaining-information section: intentionally accessing a computer without authorization or in excess of authorization and thereby obtaining financial records of a financial institution or card issuer, information from a U.S. department or agency, or information from any protected computer.

U.S. Secret Service

Founded initially as part of the Treasury Department to protect the U.S. financial system from counterfeiting. Now under DHS, and involved in protecting electronic transactions in cyberspace. 18 U.S.C. §§1029(d) and 1030(d) give the Secret Service authority, alongside other agencies, to investigate offenses under those sections.

CFAA - 18 U.S.C. §1030(a)(5)

Damage section: knowingly transmitting a program, code or command that intentionally causes damage to a protected computer, or intentionally accessing a protected computer without authorization and recklessly or otherwise causing damage.

CFAA - 18 U.S.C. §1030(a)(3)

Government computer trespass section: intentionally accessing a nonpublic computer of a U.S. department or agency without authorization.

Relate LinkedIn v. HiQ to Van Buren. Now that HiQ must be decided on remand in light of Van Buren, will there be a different outcome?

HiQ has a stronger case than Power Ventures because the data it scraped was entirely publicly available. The situation is even closer to the Van Buren footnote 8 question: is a non-technical policy constraint in the terms of use enough to make access a CFAA violation?

Are vulns valuable? What about 0 day vulns?

Maybe or maybe not. A vuln may not be the best way into a system. There also must be an exploit, or a chain of exploits, that can be developed to take advantage of the vulnerability before it becomes valuable. A 0-day (a vuln unknown to the vendor, with no patch available) is valuable only on the same terms: it is worth something when it is reliably exploitable in a system the buyer wants to get into.

Categorize this hacking activity: On behalf of a foreign government a hacker accesses a server in the US to identify persons using it to engage in criticism of that foreign government that is illegal under their law.

Multiplicity scenario - espionage if the foreign government is not prosecuting, but also law enforcement. It does not become covert action until something is actually done with the information.

OFAC (Office of Foreign Assets Control)

Office within the Treasury Department tasked with administering and enforcing economic sanctions.

Technical debt

The sedimentary, accumulated effect of shortcuts, old code and unaddressed errors in a system, including security weaknesses you do not know are there.

FBI - CAT

Strictly speaking the FBI is part of the DOJ, but think of them as separate entities for our purposes. The Cyber Action Team (CAT) is the FBI's rapid-response team for cyber incidents.

What are the arguments for being more Generic vs. more Prescriptive in creating statutes/rules that set requirements for companies in protecting cybersecurity/protecting consumer information (for example FTC safeguard's rule language)

You cannot just have a list saying every single company has to use resource "X" made by company "Y." Every company is different, does different things, holds different types of protected information and is of a different size; a list like that would need subcategories within each category and size level, which is very difficult. So there is a spectrum from prescriptive to generic instruction. Being prescriptive makes it clearer what is required of companies and avoids hiding the ball. However, a prescriptive rule does not always make sense for everyone, and the more precise it is the harder it is to adapt to changing technology year to year. The downside of flexibility (generic rules) is that some companies way over-invest and some way under-invest.

Identity Fraud/Theft Statute - 18 USC §1028

A complex statute that lists a variety of fraud scenarios and allows the government to prosecute such activity when certain conditions are met. "Knowingly" mens rea. Covers using someone else's identifying data and pretending to be them. Useful in the cyber context because hacking is a way to obtain people's Social Security numbers and similar identifiers.

What are the steps on the sanctions spectrum

no action --> rumors --> official "talk" --> serious talk --> declaration of national emergency --> sanctions framework published --> sanctions imposed

Exploit/Exploit Chain

An exploit is a technique developed to take advantage of a vulnerability. An exploit chain strings several exploits together so that each one gets the attacker to the point where the next can be used (for example, one for initial access and another to escalate privileges).

Who are the 3 potential parties to sue in a cybersecurity defense failure situation?

1) The hacker/attackers 2) The vendors who created the software that had a vuln 3) The companies/entities that suffered the breach

What are the other relevant criminal statutes available for charging perpetrators of cyber crime?

1) 18 USC §1343 - Wire Fraud 2) 18 USC §1028 Identity Fraud/Theft 3) - 18 USC §1029 Access Device Fraud

What must a plaintiff prove (elements of negligence) to successfully sue a company for a cybersecurity breach?

1) Defendant owed a duty of care 2) Defendant breached that duty 3) Plaintiff suffered a legally recognizable harm 4) The breach was the proximate (reasonably foreseeable) cause of the harm

What is in the United State's "Cost Imposition Toolbox" for responding to a cyber attack

1) Diplomatic complaint - strongly worded letters and threats. Conveys a threat of cost. Efficacy depends on the states' relationship with each other.
2) Going public: name-and-shame - much more impactful against some countries than others. Might actually help Russia or North Korea (rule-of-law vs. authoritarian trend).
3) Prosecution - name-and-shame with extra accountability. The issue is that you often cannot actually get to the perpetrators. However, an indictment against a foreign individual is nevertheless beneficial because it can limit their travel.
4) Civil suit
5) Economic sanctions - the U.S. has a disproportionate advantage in imposing these.
6) Withholding benefits - withholding diplomatic support, loans, etc.
7) Providing the perpetrating country's adversary with benefits - e.g., selling them the next generation of weapons.
8) Covert action
9) Overt action
10) Armed threat
11) Armed attack

What are the 3 common (though not exclusive) threat reduction strategies? Hint: the 3 D's

1) Disruption 2) Deterrence 3) Defense

What are the issues with categorizing hacking behavior when trying to figure out what's going on and for what purpose? Explain what each is.

1) INDETERMINACY - the purpose of the hacking can be indeterminable to the victim, not only because the victim lacks omniscience but because it can be indeterminable in fact. Even the hackers themselves may not yet know their purpose for being there, or may change their minds about it.
2) MULTIPLICITY - there can be many different reasons for the hackers to hack at once.
3) TIMING - both the reason for the hacking and the understanding of the hacking change over time.
4) ATTRIBUTION ISSUES - hackers can cloud their identity and lay false trails to make it difficult to determine who actually carried out the malicious activity.

Why is it so difficult for consumers to prove negligence claims against companies who themselves have been victims of cybersecurity data breaches?

1) It is difficult to prove that the security practices of the company that suffered the breach were so substandard that they actually breached the duty of care (the question is what counts as "reasonable" cybersecurity practices). 2) It is very difficult to prove the actual amount of harm caused. 3) It is difficult to prove beyond argument that the harm was proximately caused by the breach alone.

What are the 5 "Gateways to Civil Liability" for the CFAA?

1) Loss to one or more persons during any one-year period aggregating at least $5,000 in value - the most general one; basically anyone can sue so long as they meet it, but the loss must be actual economic damage (a suit resting on this gateway alone is limited to economic damages; no pain and suffering). 2) Modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals. 3) Physical injury to any person. 4) A threat to public health or safety. 5) Damage affecting a computer used by or for a U.S. government entity in furtherance of the administration of justice, national defense, or national security.

What two things can regulatory agencies do to help expand and enforce cybersecurity defense?

1) Make rules 2) Enforce those rules they make

What is the power in bringing class action lawsuits? When are these suits usually settled?

1) Makes the economics work for plaintiffs' lawyers. 2) More efficient for courts when massive data breaches occur, because all claims can be litigated at once instead of one at a time. 3) Makes the dollar amount far higher and raises the stakes for the company, which gives the plaintiffs more power. The suits are usually settled right before the court rules on whether the plaintiffs are permitted to form a class.

What are the 6 reasons Goldsmith & Russell list in their article (with which Chesney agrees) for why the U.S.'s strength and vastness in the cyber sphere bring it asymmetric vulnerability? (Roman roads analogy, or big glass house analogy.)

1) Private-sector global dominance --> means U.S. IP, trade secrets and proprietary information are worth stealing in the eyes of foreign governments like China, which has state-run companies that can absorb and distribute this information in ways the U.S. cannot.
2) Digital connectedness --> everyone in the U.S. uses digital networks, so we have more targets than our adversaries do. This gives countries with relatively limited capabilities, like North Korea, a way in (low cost of entry, largely asymmetric, some degree of anonymity). The U.S. cannot control the subsequent attacks if it retaliates and causes escalation.
3) Free and open society --> more risk compared to closed authoritarian adversaries, who can control the spread of digital information and regulate or manipulate public information. The U.S.'s free, unregulated media and freedom of speech make it easier for adversaries to achieve their desired effects through social media, doxing operations, fake news, online propaganda, etc.
4) Government transparency --> the U.S. government is more transparent about its cyber-operation losses. Without equal transparency about retaliation, this emboldens adversaries and weakens deterrence.
5) Rule of law --> the U.S. has a much greater commitment to the rule of law and legal constraints than its authoritarian adversaries. Also relevant internationally.
6) Regulatory skepticism --> the U.S. is relatively hands-off compared to basically every other country with regard to internet policy.

What audiences, from a policy perspective, should the government consider when calibrating a response to a cyber attack (for example the Sony / North Korea attack)?

1) The victim and other similarly situated companies and entities 2) The attackers themselves and other similarly situated potential attackers 3) Others?

What are the elements of civil liability under the CFAA?

1) Show a violation of one of the criminal provisions. 2) The violation has to have caused damage or loss. 3) Prove one of the 5 "gateways to civil liability."

What does the Federal Trade Commission Act prohibit?

1) unfair methods of competition in or affecting commerce 2) unfair or deceptive acts or practices in or affecting commerce

Why do some companies settle even though they may not think they are liable?

1. It allows more control over the negotiation process. A settlement lets the company shape how much it pays out and what remedial measures it adopts, instead of a jury deciding it is at fault because it is the big bad company and awarding astronomical damages. 2. Some defendants (like the credit industry) are simply unpopular and therefore more likely to get bad outcomes at trial.

What are some reasons a foreign government might hack the United States or other targets? (And why might the U.S. do the same?)

1. Law enforcement 2. Crime - regimes desperate for money stealing from banks 3. Espionage - stealing military secrets, intelligence activity 4. Covert action - secretly accessing systems in order to alter, destroy or otherwise cause harm (propaganda, disinformation, sabotage, etc.) 5. Armed conflict - is there already a relevant state of armed conflict, or could this action on its own engender one? 6. Preparation of the battlefield - term of art for notional capabilities put in place so that, should we ever reach an actual battlefield situation, we have maximum efficacy later on 7. Hold at risk - action to demonstrate to a rival or direct opponent, in a credible way, that you have the capacity to damage something they value. The analogy is holding a gun to an opponent's valuable item and saying "I'll blow this up unless you give me what I want over here."

What are the various tools that are options for the government to regulate cybersecurity defenses/safety (and all other public safety/defense, for that matter)?

1. Leave it to Market Forces 2. Leave it to Industry Self-Regulation 3. Provide voluntary help solutions (information/best practices sharing, etc.) 4. Direct mandates (statutory or regulatory) 5. Enforcement Actions (brought by regulators or private litigants) 6. Insurance 7. Pruning of legal disincentives 8. Leveraging government contract/procurement power

Besides the FTC, what other entities impose regimes/mandates for consumer protection information and cybersecurity practices?

1. Other regulatory agencies (SEC, FDA) 2. States (examples of California and NY law) 3. Foreign law/regulators

Why might the U.S. decide to make public, or not to make public, that it knows who committed a cyber attack and what it plans to do in response? In other words, explain the attribution problem in cybersecurity.

1. Sometimes attribution is simply impossible. Other times we can know how the attack occurred but not who did it. 2. Sometimes we can know both how and who, but disclosure could allow that person or country to improve their tradecraft and make future attacks better. 3. There is also the issue of escalation dominance, since the U.S.'s vastness makes it harder to defend. 4. Disclosure can make the U.S. appear weak and lessen the deterrent effect, especially if no response is disclosed or planned, as in basic espionage scenarios where responding would be hypocritical. 5. Sony-type situation: the U.S. knew about the attacks beforehand but did not want to reveal that it knew, because it was monitoring the North Korean and Chinese channels NK was using for bigger, more pressing national security concerns. 6. The U.S. also does not want to attribute before it has decided on a response, because that warns the attacker and lets them change course before the response is implemented.

Under which two Acts does the FTC bring enforcement actions relevant to cybersecurity defense?

1. The Federal Trade Commission Act (FTCA) 2. The Gramm-Leach-Bliley Act (GLB)

Why did people think Sony incident might not have been the North Koreans?

1. The extent of the attackers' knowledge of Sony's internal architecture and key passwords suggested an insider (though it could also have been built up through patient, quiet watching). 2. The evidence could have been planted via proxy machines and false IP addresses.

Why do you see country refusal to sign up to the Budapest Convention on Cybercrime? Specifically Russia, China, and Iran?

The Convention's articles require parties to commit to cooperating with investigations, preserving evidence, and (Article 24) extradition: parties must either incorporate cybercrime offenses into their existing extradition treaties or treat the Convention itself as an extradition treaty if they have none. Russia, China, etc. do not care to comply with this. The interesting thing is that they have not signed on and then simply failed to comply; they have not joined the Convention at all. It would be fairly costless to sign on and then do nothing, but when the Convention was open for signature Moscow felt less able to be so obvious about it. There are difficulties even among parties to the Convention itself, e.g., would the U.S. actually extradite one of its citizens to Beijing if China were a party?

What happened with the OPM attack, and why didn't the U.S. impose sanctions on China in that instance?

China hacked the Office of Personnel Management, which handles security clearances for the federal government. That basically gave them a master outline of all the important government people except the CIA, and even them by process of elimination. This was not a red line where sanctions would be imposed, because it was the fundamental essence of traditional espionage, which the U.S. engages in every day. It was not normatively wrongful, just unwanted. If we had imposed sanctions it would have invited the same treatment right back on us for the same behavior.

Why has China pursued a policy of using espionage to acquire intellectual property (IP) and transfer it to domestic companies? Why would any country do it?

China sees it as vital to its national interests, just like any other traditional espionage, because its commercial and state interests are the same. Depending on the rest of the world for innovation keeps China perpetually in second-tier manufacturing, but it is working on moving from "made in China" to "invented in China." Chinese leaders view technological autonomy as critical to economic and national security.

Categorize this hacking activity: On behalf of a foreign government, a hacker steals the credentials of a U.S. person and drains her cryptocurrency wallet of $6m.

Crime - governments can and do commit crimes. Compare the two sides: police can use force (in some circumstances) in arresting someone, and that is not battery and kidnapping because the state has a monopoly on the legitimate use of force, but that is not what is happening here. When a government like North Korea robs a bank because it is in its central national interest, it is still a crime.

Direct vs. Delegated Sanctions Authority

Direct - under the Constitution, Congress in the first instance holds the power to impose economic sanctions. Delegated - for efficiency's sake, Congress has delegated the power to impose sanctions to the executive branch via the IEEPA framework (the executive branch office in charge is the Office of Foreign Assets Control).

CFAA - 18 U.S.C. §1030

Enumerates seven categories (really nine counting subparts) of computer-crime offenses. A criminal statute; pay special attention to the mens rea and actus reus of each.

Categorize this hacking activity: On behalf of a foreign government, a hacker accesses the emails of a presidential campaign and learns information about the candidates views about that foreign government.

Espionage, but if they plan to do something about it or with that information, that is more. Then it becomes covert action, and you have to ask whether there is some additional category we have not discussed: does election meddling fit anywhere already, or does it need its own category?

Define Within-Domain Deterrence

Example: offensive and defensive cyber operations playing out entirely within cyberspace. If there is a cyber attack, you respond with a cyber attack. The thing to be aware of with WDD is that there is a pull toward responding within the same domain, though that is not at all necessary. You have other tools with more punching power and more asymmetric advantage in other domains. That is why the U.S. goes to sanctions so often; the question is whether there are other domains the U.S. government should be quicker to use.

What policy arguments might favor allowing at least some darknet type services to exist? Which favor suppressing them?

Exist - undercover-type operations that can lead you from lower-level people executing orders to the main criminals or perpetrators. Also, consider users who are citizens of countries like China that do not have free and open access to the internet, using anonymity to reach sites they otherwise would not be allowed to access. Suppress - it allows a large amount of illegal activity to occur at a scale that otherwise would not be possible. Child sexual abuse material accounts for the largest portion of Dark Web traffic. Dread Pirate Roberts / Silk Road example: sold drugs, stolen credit card info, literally anything illegal vendors wanted to sell.

CFAA - 18 U.S.C. §1030(a)(7)

Extortion section: with intent to extort money or anything of value, transmitting a threat to damage a protected computer, a threat to obtain or disclose information from it, or a demand for money in relation to damage to it.

Facebook v. Power Ventures

Facebook sought to stop Power Ventures from accessing data on the accounts of FB users who willingly shared their login credentials with PV. FB sent a cease-and-desist letter and blocked PV's IP address. PV simply changed its IP address and continued operating. FB brought a CFAA claim under 1030(a)(2) (unauthorized access to a protected computer). FB had to argue that PV was accessing the computers without authorization or in excess of authorization; FB said that it (FB) had not provided authorization and in fact had made clear that it did not authorize the access. The 9th Circuit ruled that PV violated the CFAA when it continued to access FB's computers with users' permission after receiving the cease-and-desist letter. The court focused mainly on the "intentionally" element of accessing the computer without authorization rather than explaining what counts as "without authorization." Analogy to a bank: you might have a key to a safe-deposit box, but that does not mean you can barge into the bank and access it whenever you want.

Explain what "first attribution" and "second attribution" are

First attribution - the President and internal officials determining, privately and in a classified setting, who is responsible. Second attribution - identifying the perpetrator to the general public. This can be done to different extents: identify who did it, or just identify what they did and how they did it (playing the deterrence/defense game).

Patching

Fixing a vulnerability in the code and rolling out that change to correct every instance of the vulnerability. In reality patches are imperfect: everyone running the affected code has to apply the fix for it to be successful, which rarely happens. The vuln may also not be considered valuable enough to patch in the first place. And you have to know the vuln exists and know how to fix it.

CFAA - 18 U.S.C. §1030(a)(4)

Fraud section: knowingly and with intent to defraud, accessing a protected computer without authorization or in excess of authorization, and by means of that access furthering the fraud and obtaining anything of value.

The Safeguards Rule

A rule promulgated by the FTC under the GLB Act. It requires covered companies to develop a written information security plan, appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles, that describes their program to protect customer information. It lists many recommended best practices for limiting risk to customer information and for what to do if a breach does occur. Note: other agencies also have "safeguards rules." See the TaxSlayer example.

Describe FTC's enforcement action against Wyndham Hotels

Hackers accessed Wyndham's systems three times between 2008 and 2009, obtaining unencrypted payment card information and causing roughly $10.6m in fraudulent losses. The FTC sued Wyndham, claiming the hacks resulted from unfair and deceptive practices in violation of 15 U.S.C. §45(a). Wyndham argued it lacked fair notice of possible liability under the FTCA for these practices, saying the FTC violated fair-notice principles by bringing an unfairness claim without first promulgating formal regulations. The 3rd Circuit held that the FTC has authority to regulate data security under the unfairness prong of §45(a), and that Wyndham had fair notice of potential liability under the provision. Importance of the case: it was the first time a court addressed whether the FTC could regulate data security under the unfairness prong of §45(a), and in the way it was doing so.

LinkedIn v. HiQ

HiQ, a competitor of LinkedIn, was collecting and using information that LinkedIn users had publicly shared on their profiles.
- LinkedIn's terms of use, to which HiQ agreed, say you cannot scrape data or copy files and information of other users through any means, and cannot copy or use the information, content or data on LinkedIn in connection with a competitive service.
- HiQ used automated bots to scrape the information LinkedIn users put on their profiles, then generated "people analytics" from it to sell to clients.
- The court determined that the CFAA is focused on prosecuting the digital equivalent of breaking and entering into otherwise inaccessible computers, not on policing misappropriation of data from computers.
- Citing Facebook v. Power Ventures, Inc.: "A violation of the terms of use of a website - without more - cannot establish liability under the CFAA."
- The court determined that only private information is protected by the CFAA; information is delineated as private through a permission requirement, such as a password gate, which creates the necessary barrier dividing open spaces from closed spaces on the Web.
- The court distinguished the Facebook case: the information PV was accessing was password-protected, whereas the information on LinkedIn is freely available to the public.
- The court said: "it is likely that when a computer network generally permits public access to its data, a user's accessing that publicly available data will not constitute access without authorization under the CFAA. The data HiQ seeks to access is not owned by LinkedIn and has not been demarcated by LinkedIn as private using such an authorization system..."
Additionally, LinkedIn had historically used HiQ's services and attended conferences where HiQ spoke.

Categorize this hacking activity: The U.S. government and a foreign government are engaging in unfriendly actions towards one another, though as yet no force has been used. On behalf of the foreign government, a hacker obtains control of an industrial control system that manages the valves for a dangerous process at a chemical plant in the US. The foreign government ensures that the penetration is detected, and attributed to it.

Hold at risk. If the foreign government had not made sure the penetration was detected and attributed to it, it would be less clear what the hacker intended, and the activity could fall into a number of categories: espionage, preparation of the battlefield, or preparing to hold at risk (leverage - sorry Prof. Chesney, I know you don't like that word) if the U.S. does something they want to counteract.

Why is protecting the availability of information (the "A" of the C.I.A. triad) a double edged sword?

Security mechanisms that make it harder for attackers to get into systems (e.g., two-factor authentication such as Duo) become a problem if they make the system too difficult for legitimate users to use, because that also reduces availability. Metaphor: putting square wheels on a car to reduce accidents. It protects perfectly, but defeats the intended use.

CFAA - 18 U.S.C. §1030(a)(6)

Interstate Commerce & Computer Fraud Section

What are the takeaways of the Equifax case study?

It is an example of how much money can be paid out in a class action lawsuit where a less than sympathetic company was clearly breached in a very major way with a lot of plaintiffs. It also shows how federal regulators and all 50 U.S. states get in on it. It raises questions about the incentives created by this extensive liability, especially because it later became clear Equifax had been the victim of a highly sophisticated Chinese espionage attack.

Categorize this hacking activity: On behalf of a foreign government, a hacker accesses a server in the United States to identify persons partaking in drug trafficking.

Law enforcement. It breaches the U.S. CFAA, but does so for law enforcement purposes.

Categorize this hacking activity: On behalf of a foreign government, a hacker penetrates a computer belonging to a major U.S. airplane manufacturer and thereby obtains information about the engine design for a new type of plane. The foreign government gives that information to a state-owned company to use it to develop a competing commercial product.

Multiplicity scenario, but primarily crime, then espionage. There is no military component here, which makes it less clearly espionage. This is also an example of U.S. bias, because the U.S. draws a stark line between national security/government interest and public company/market actions. From the U.S. perspective, where commercial activity is not a national interest, it just looks like crime, but either way it's espionage. The question is: does adding the crime label add something in a meaningful way? It's not covert action yet because, even though it's trying to be kept secret, it's not an action yet; it's still just information gathering.

CFAA - 18 U.S.C. §1030(a)(1)

National security section: obtaining classified information

Relate FB v. Power Ventures to Van Buren - Did the ruling in FB's favor change Van Buren in any way?

No, the FB scenario was different from VB because it addresses the Footnote 8 Van Buren scenario --> the question of what happens when the accessor in question has access legitimately, but there is a policy statement indicating they can't use it in the way they're using it. One could also argue it isn't even that situation, because FB blocked their IP address and they changed it, and that is a technical, not a policy, hurdle. SCOTUS denied review of this case before the VB issue arose.

Describe what happened in the Sony Pictures, North Korea situation

North Korean hackers were spearphishing Sony executives as Sony was set to release "The Dictator," a movie about the NK head getting assassinated. The U.S. knew NK was spearphishing Sony execs but didn't say anything. This raised the question of which private actors are important enough to protect that they rise to the level of "critical infrastructure" vital to protect as a national security concern. This was obviously a national security issue, but not one where it was reasonable to say the U.S. should have been monitoring the cybersecurity of every entertainment company in the U.S.

FBI National Security Division

Purpose is counterterrorism, counterintelligence (expelling foreign spies), prosecuting treasonous individuals, foreign intelligence surveillance, etc.

What is the Gramm-Leach-Bliley Act?

Requires companies that meet the definition of "financial institutions" to ensure, among other things, the security and confidentiality of customer data

Define Escalation/Escalation Risk

Responding to something with an increased intensity. For example, if we respond to a cyber-attack by blowing something up. The concern is that there is then an equally escalatory response, and then the whole world is blown up. Escalation risk is the idea that decision makers (good ones, at least) are pondering: "if we do 'X' action, what will happen in step 2? What will the retaliatory measure be?"

What happened in the Track2 case, and why is it a helpful example of many of the available criminal statutes to charge cyber activity?

A Russian man stole millions of credit card numbers, defrauding victims of more than $169 million. He hacked retail point-of-sale systems and installed malware that allowed him to steal the card numbers from more than 500 U.S. businesses, and sent the data to servers he controlled in Russia, the U.S., and McLean, Virginia. He bundled the CC information into groups and sold them on various criminal "carding" websites to buyers who used them for fraudulent purchases. He was arrested when the U.S. basically kidnapped him in the Maldives. He was convicted of 10 counts of wire fraud, 8 counts of intentional damage to a protected computer (CFAA (a)(5)), 9 counts of obtaining information from a protected computer (CFAA (a)(2)), 9 counts of possession of 15 or more unauthorized access devices (18 USC 1029), and 2 counts of aggravated identity theft.

Define Escalation Dominance

Side "X" has escalation dominance when side "Y" knows that side "X" can go further than side "Y" can handle. Example: the U.S. deciding not to take further action in response to provocation in the Iranian bank example, because the U.S. has so much more IP to lose and so many more channels to attack. The U.S.'s problem with retaliating against cyber-attacks is that the country's digital infrastructure is too vast, and therefore has too many potential weaknesses, so we can't handle escalation.

Why has the FTC's approach to regulating companies' cybersecurity been controversial?

The FTC has not engaged in any formal rule-making relating to cybersecurity under the FTCA. It has instead focused on enforcement actions. This is super controversial: the FTC has not been promulgating new rules to create bright lines for behavior; it has just been going after people doing things it thinks are actionable (claiming some situations involving poor cybersecurity violated a rule set forth in the FTCA itself). The pattern of these enforcement actions ends up functioning like a more formal rule itself. This approach leads companies to be on edge and to feel the rules are always changing around them at the FTC's whim. It is much less transparent, and it avoids the criticism that comes with rule-making. The FTC eventually began going after companies not because their public advertising was false, but because of their sheer lack of investment in cybersecurity protections. The FTC said that put them in a bad position compared to their peers in the market, and that it made the whole business model unfair; that was a big deal, taking the FTC's regulatory power to the next level.

Which federal admin agency has most stepped in to fill the cybersecurity "regulatory vacuum"?

The Federal Trade Commission (FTC)

What's the UN's relevance in the U.S.'s sanction imposition scheme?

The U.N. can impose sanctions as a group, which is much more powerful than a single country imposing sanctions. It's very difficult to get the P5 to agree to sanctions together, so you just try to get them to collar, then get other countries to agree outside of that.

United States v. Morris

The first big CFAA prosecution, where malware and computer security really began. In 1988, Robert Morris released a malevolent computer program (a worm) that spread from computer to computer like a biological infection. He was motivated by intellectual curiosity rather than malice. He wanted to create a "botnet," which is when a virus infects a computer, opens a channel to the worm's creator, and awaits further instruction, effectively creating a team of zombie computers. He was also trying to prove there were errors/holes in the security of the internet system. He effectively wanted to teach everyone a hard lesson. Holding/Ruling: convicted under the old §1030(a)(5)(A); the court said the government did not have to demonstrate intent as to the prevention of authorized use or the loss caused. Impact: changed the internet forever; security flaws were taken very seriously thereafter and the field of internet security took off.

What is and what are the steps in the "Cyber Kill Chain"

The sequence of steps needed for a successful hack/exploit. Steps: initial access --> discover a vuln --> use the system to move laterally from user to admin --> etc.

What is one of the most important things you need to know about a cyber attack to be able to develop an effective policy response?

The motive of the attacker (accidentally there? causing damage? espionage? ransomware attack?)

What are 0 Days and are they useful?

The period of time during which no one knows the vulnerability exists. Once you find it, it's still a 0 day until it goes public. 0 days are not necessarily useful: someone has to figure out how to exploit the vuln, and it has to be a valuable vuln, for it to be useful.

Define Cross-Domain Deterrence

The use of threats of one type to discourage behavior of another type. Example: promising economic sanctions or a military strike in response to a cyber attack. It's not so much a different type of deterrence as a better explanation of how deterrence works in real life.

Budapest Convention on Cybercrime - International Cybercrime Enforcement

There is no customary international law that speaks to cybersecurity, but there is the Budapest Convention on Cybercrime (a treaty). It is not jus cogens level; it is wishy-washy. It does NOT create crimes. It's a treaty agreement that signatories will adopt (under their domestic law) certain substantive criminal laws to prosecute offenses against the confidentiality, integrity, and availability (CIA Triad) of computer data and systems, including fraud, forgery, and misuse.
- Calls out specifically child pornography offenses, copyright infringement offences, corporate liability, etc.

What's the importance of recognizing the Monday Morning Quarterback perspective at play in analyzing what policy positions "should" have been taken in varying cyber attacks that have occurred against the U.S. government?

There's a fog of uncertainty in real time. Don't judge decision makers by things they didn't know and we now know; look at it from the perspective they had. It's easy to say with 20/20 hindsight what should have happened.

Describe FTC's enforcement action against Uber

Uber was marketing that it was using the most protective possible safety features to protect customer information from hackers, but was actually not providing even reasonable protection for information stored in its database. Hackers accessed highly personal information of thousands of drivers. The FTC brought charges under 15 USC §45(a) that Uber's safety representations constituted unfair or deceptive acts or practices in or affecting commerce, in violation of Section 5(a) of the FTCA.
- The FTC was accompanied by a bunch of state AGs teaming up to sue Uber under various state data-breach liability laws, all just for failing to invest in cybersecurity protections!
- Takeaway for companies: skimping on cybersecurity can seem more efficient and less costly, but in real terms and reputational harms, if something goes wrong, it's a huge deal.

United States v. Van Buren

Van Buren was a sergeant in a Georgia PD who used an FBI/Georgia BI database with his legitimate credentials, but did so in a way that violated department policy (at the request of a criminal he was involved with, he searched to see whether a woman was an undercover cop). He was charged with a felony violation of CFAA §1030(a)(2). The question was: does a person who is authorized to access information on a computer for certain purposes violate the CFAA provision prohibiting "intentionally accessing a computer without authorization or exceeding authorized access," where "exceeds authorized access" is defined as "accessing a computer with authorization and using such access to obtain or alter information in the computer that the accessor isn't entitled so to obtain or alter"? The Court held that an individual "exceeds authorized access" under the CFAA when he accesses a computer with authorization but then obtains information located in particular areas that are off-limits to him. The Court did a "gates up or down" inquiry: one either can or cannot access a computer system, and either can or cannot access certain areas within the system.

United States v. Swartz

A very controversial case that created a lot of backlash over the amount of discretion the CFAA allowed prosecutors in punishment. Aaron Swartz connected to an MIT network and downloaded 2.7 million academic papers that were freely available to any campus visitor via JSTOR. He had some authorization to the system, but what he did went beyond the terms of his access. It was something anyone could have done. He was prosecuted under §1030(a)(2)(C). The big question was: is this really the type of thing the CFAA is meant to do, and prosecute to the extent that he was? JSTOR didn't even pursue a complaint, but the Justice Department pursued him anyway, it seems, to make an example out of him. Some people say this is a direct example of how the FBI is overzealous in prosecution, and others say it's really Congress's fault for creating a statute that would allow something like this to be a federal crime.

What questions about authorized access remain following the case?

What constitutes a "gate" prohibiting an otherwise qualified person's access to a space? A technical limit like a firewall? Or just a manager telling the employee they are not allowed to access some particular folder? It hasn't been decided yet what counts as a technical barrier.

What is wire fraud

When someone devises a scheme intended to trick someone out of something of value, and does so using any type of transmitting technology as literally any part of furthering the scheme, they've committed wire fraud. It is the prosecutor's best friend because it is easy to run afoul of and easy to use to pull in federal jurisdiction (though it can also be prosecuted at the state level).

What do the "Darknet" and "Tor" do?

They obfuscate the source and destination of a web request so users can conceal information about their activities on the web. They conceal users' identities and online activities from analysis by separating identification from routing.

What does it mean for the prescriptive vs. generic analysis that the FTC's proposed changes to the Safeguards Rule (proposed in 2016) still have not passed? Where was the proposal language on the scale of prescriptive to generic?

The changes listed specific things the newly amended Safeguards Rule would require financial institutions to do, like encrypt all customer data, use multi-factor authentication, etc. These proposals are very prescriptive. One can see how economic incentives might give rise to industry pushback against these types of things, because it will be expensive for every entity in scope to comply. Maybe too prescriptive? The current Safeguards Rule is pretty generic. It's the point on that spectrum the market has accepted. There's been a statutory convergence around the GLB version of the Safeguards Rule (in other agencies' safeguards rules), because the tension between "too generic versus too prescriptive" drives regulators toward the same relatively non-specific set of compliance requirements.

Define Deterrence

The prevention of action by the existence of a credible threat of unacceptable counteraction and/or the belief that the cost of action outweighs the perceived benefit. It involves changing the balance of power and communicating interests. It depends on what each side knows and perceives, and what each side is able to convey.

What is the federal regulatory agency designated to address the nation's cybersecurity?

Trick question! There is none!
