Cybersecurity Law II

B738 is taught by Z. Heck, A. Lubin, S. Shackelford

Cyber insecurities affect the whole of society, from consumers who suffer cybercrimes on their internet-connected devices, to media outlets whose websites are hacked or taken offline, to businesses whose intellectual property is plundered, all the way to states that undertake to defend against espionage and uses of force in cyberspace. Enhancing cybersecurity is thus a policy issue of critical importance. Policymakers are fashioning regulatory schemes around the world that promise to shape not only the day-to-day realities of operating information systems, but also cyberspace itself.

This course will explore the national and international legal frameworks that govern malicious and defensive actions in cyberspace, including laws related to data breaches, cybercrime, cyberespionage, and cyberwar. The course will consider legal questions within the context of broader debates about issues such as governance of cyberspace and the Internet, the roles of governmental and non-governmental actors, evolving understandings of privacy, and the role of law in governing a constantly changing domain where many actors operate in secret. Among other topics, we will discuss the anatomy of data breaches and their regulation, the role of private ordering and the limits of the cyber insurance industry, the Computer Fraud and Abuse Act and criticism thereof, the hoarding of zero-day vulnerabilities for law enforcement purposes, the international law rules that control cyber armed attacks, and data protection in an age of surveillance capitalism.

The objective of the course is to contextualize cybersecurity threats and responses to them within a national security and international law framework, while also recognizing the limits of current law, the need for further policy evolution, and the real-world impacts of different legal and policy solutions.

Grades will be based on three response papers to be completed during the term and on an open-book, scheduled final examination. No technical knowledge is required. Background or familiarity with public international law, national security law, privacy law, cybersecurity law, computer science, and/or international relations is helpful, but not necessary.