Cyber Security Law and Policy Online Course

For information on the online (distance education) course, please click here.

Below is information about the on-campus course on which the distance learning course is based.

 

Fall 2011 Syllabus

Course Description:

This is a three-credit, one-semester course conducted through a series of seminars.  The subject matter is interdisciplinary.  No computer science background or expertise is necessary.  The final grade will be a paper that meets the criteria for the College of Law writing requirement, the National Security and Counterterrorism Certificate, and the Graduate Certificate of Advanced Study in Security Studies.

This course is designed to exist at the cutting edge of the dynamic development of networked computers and their potential to impact national security.  As a 2009 report of the American Bar Association concluded:

What will be the enduring image of this cyber era?  Will it be one of a darkened city, whose electric grid has failed?  Will it be a picture from Second Life or the image of a computing cloud?  Or will it be a picture of cybercriminals led off to jail for their attempted offenses, having been caught in the act?  Only time will tell.  We are, however, convinced that we stand at the crossroads – the decisions we make today will help determine the defining images of tomorrow.

The 2009 White House Cyberspace Policy Review states:

The United States needs to conduct a national dialogue on cybersecurity to develop more public awareness of the threat and risks and to ensure an integrated approach toward the Nation’s need for security and the national commitment to privacy rights and civil liberties guaranteed by the Constitution and law.

Some cyber law already exists, such as the federal Computer Fraud and Abuse Act, 18 U.S.C. §1030, and the Economic Espionage Act, 18 U.S.C. §§1831-39.  Other laws of long standing present issues of applicability or adaptability to the cyber realm.  Examples of this sort include the law of armed conflict.  Many proposals remain in Congressional committees, bills that would mandate security measures for all entities receiving federal money, establish a federal certification for technicians serving computer networks of entities receiving federal money, and provide the President with authority to “pull the plug” on national Internet connectivity in times of emergency.

This course is premised on the belief that much policy and law to implement it will be made in the next few years to institute a national policy to protect U.S. interests in cyberspace.  If an interdisciplinary approach is not used to develop this law, then either security will not be obtained or the cost to civil rights will be very high.

Texts:

Due to the dynamic nature of our subject matter, no textbook exists that meets our requirements.  Thus, readings for each week will be from a variety of sources and largely will be distributed electronically through a website and a blog.  Some published texts are required, but only one costs money.

Required:

  • Goldsmith, Who Controls the Internet? Illusions of a Borderless World ISBN 9780195340648 Oxford University. (This is the only book that you are required to buy for the course -- not because it is the most important, but because it is the only required text that is not available as a free download in Adobe Acrobat® format under a Creative Commons or similar license.)
  • Goodman and Lynn, Toward A Safer And More Secure Cyberspace, ISBN 978-0-309-10395-4 (pbk.) -- ISBN 978-0-309-66741-8 (pdf) from National Academies Press (2007) (available as a free download here; this book also is available in bound format).
  • Libicki, CyberDeterrence and CyberWar ISBN 9780833047342 from Rand Corp. -- (available as a free download here; this book also is available in bound format).
  • Owens, Technology, Policy, Law and Ethics Regarding US Acquisition and Use of Cyberattack ISBN 9780309138505 from National Academies Press (available as a free download here; this book is currently available in bound format with a retail price of $49.00).
  • Baker, Skating on Stilts, ISBN 978-0-8179-1154-6 (cloth) or ISBN-13: 978-0-8179-1156-0 (e-book) from Hoover Institution Press (2010) (available as a free download here; also available in Kindle format and traditional bound volume).
  • Zittrain, The Future of the Internet -- And How to Stop It, ISBN 9780300151244 Yale University Press (available as a free download here; also available in Kindle format and traditional bound volume).

Recommended:

  • Clarke, Cyber War: The Next Threat to National Security and What To Do About It ISBN 9780061962233 (2010) (this book is currently available with a retail price of $25.99).
  • Morozov, The Net Delusion: The Dark Side of Internet Freedom, ISBN 9781586488741 (2011).
  • Mueller, Networks and States: The Global Politics of Internet Governance, ISBN 9780262014595 (2010).
  • Solove, Nothing to Hide: The False Tradeoff Between Privacy and Security, ISBN 9780300172317 (2011).

 

I. Introduction and Terminology

A. The Nature of Cyberspace

Cyberspace is ubiquitous.  Cyberspace is decentralized, complex, adaptive and resilient. What does all that mean, and what else is cyberspace?  Is it so large and so complex that it constitutes a new challenge for humanity: how to affect something whose individual parts are all man-made but whose whole constitutes more than the sum of its parts and is beyond the control of any single person or organization?

1. History of development was for use by already trusted identities

2. Packets

3. TCP/IP

4. Network of networks

5. Control points

6. Lack of central authority (including ownership and governance)

7. Generative

8. Outsourced

9. Mostly all 3rd party

That is, most information in cyber is either transferred or stored by entities other than the sender and intended receiver (the “conversants”).  That makes an enormous difference in the applicable Constitutional analysis.

10. Cloud

11. More than the Internet

B. The Nature of the Threats to National Security in Cyberspace

Cyberspace connects us to each other and to all manner of information. Yet, it also connects us to cheats, frauds, spies, thieves, terrorists and child pornographers – and they to each other.  Given our society’s increasing dependence upon cyber technology, some of these threats rise to the severity of endangering our national security.  What are these threats and the vulnerabilities that they could exploit? Do we really know?

1. Vulnerabilities

a) Computer Network Attack (malicious code)

b) Distributed Denial of Service (DDOS)

c) Espionage / exploitation

d) Integrity degradation of data in transit

e) Integrity degradation of stored data

f) Destruction

g) Warfare complement

h) Recruiting/fund raising (cyber-facilitated terrorism distinguished from attacks on information infrastructure)

i) Enemy operational communications

j) Supply chain

2. Threats:

a) Nation states and their militaries and agents

b) Non-state actors:

(1) “patriotic hackers”

(2) Criminals (some organized)

(3) Terrorists (some working with criminals)

(4) Insiders

3. WCS categories

Networking computers blurred the boundaries between cyberwarfare, cybercrime, cyberterrorism, cyberattack, and more.

Assignment: For Monday, August 22, please read:

  • Hayden, The Future of Things “Cyber”;

  • Zittrain, The Future of the Internet and How to Stop It, pages 1-61;

  • Lewis, The Cyberwar Has Not Begun, (just four pages long) available at this link.

Class files:

  • Audio file of class on August 22, 2011
  • The few PowerPoint slides used in class.
  • The article distributed in class (not assigned).

II. The Role of International Law in Securing and Regulating Cyber Space

If not the borderless realm for which its early pioneers once hoped, the Internet is at least transnational.  So, if it must be governed, shouldn’t it be governed by international law? In July, 2011, Department of Homeland Security Secretary Napolitano called for an “international legal framework” to “govern[] cyber.”  What international law does or could prevent cyber crime, limit cyber arms and warfare, and protect the free flow of ideas and of commerce?  Can treaties do that?

A. Existing Law

1. Law of armed conflict

a) Proportionality

b) Discrimination

c) Necessity

d) Humanity

2. Council of Europe Convention on Cyber Crime

3. Is access a human right?

Assignment: For Monday, September 12, 2011, please read:

Class files:

  • Audio file of seminar on 9/12/11.

B. Case study: What Actions in Cyberspace are “armed attacks”?

The United Nations Charter generally prohibits the “threat or use of force,” but permits self defense in the event of an “armed attack.” No consensus has emerged on what actions in cyberspace constitute a use of force or an armed attack.

1. Position in American Bar Association (ABA) report

2. Position in National Academy of Sciences (NAS) report

3. Position of 7/14/11 DoD Strategy for Cyberspace

4. Apply to real world scenarios

a) Stuxnet

b) Georgia

c) Estonia

d) dissidents

5. Elements of the definition of “armed attack” and of “use of force” in cyberspace

a) Effects? What kind?

b) Intent?

6. What constitutes the right of self defense? (Hack-backs)

Assignment: For Monday, September 19, please read:

 

III. The Role of Sovereign Government in Securing Cyber Space

Can a territorially based government affect a realm that knows no borders? Given that most of the infrastructure and technology of the Internet is privately owned, what tools do governments have to affect conduct in Cyberspace?

A. Methods (or “implementation mechanisms”)

1.  Regulation

2.  Criminal law

3.  Civil law

4.  Monetary incentives

5.  Education

6.  Leadership / best practices

7.  Military force

Assignment: For Monday, September 26, please read:

  Class files:

  • Audio file of Seminar #4 on 9/26/11.

 

 

B. Case study: U.S. Attempts to use criminal law to affect conduct in cyberspace

With only five percent of the world’s population and an ever-decreasing percentage of Internet traffic, can criminal prosecution by United States courts regulate what happens in cyberspace? Given the transnational nature of the Internet, what right does one country have to impose its law on Internet traffic?  What is the legal basis for jurisdiction?  How can domestic law enforcement operate outside of the physical territory of the United States? Do traditional crimes such as trespassing and theft still have meaning in cyber, or do we need entirely new definitions of crimes?  Historically, a thing is not stolen if the owner still has it, so how does theft apply to data?  Is hacking into a computer the same as breaking into a building or a safe?

1.  United States v. Morris

2.  Computer Fraud & Abuse Act

3.  Electronic Communications Privacy Act

4.  Trade Secrets / espionage act

5.  Material Support

6.  Proposed warrants for foreign searches (hacking warrants)

7.  Effective preemption of state crimes

8.  Current state of Commerce Clause as basis for jurisdiction

9.  Hacker arrests in summer of 2011

Assignment: For Monday, October 3, please read:

  Class files:

  • Audio file of class on October 3, 2011.
  • Chart distributed in class (not assigned).

C. Case study: U.S. Attempts to use civil law to affect conduct in cyberspace

Professor Lisa Dolak has offered to join us for this session.

1. Tort law

a) Data theft

b) Failure to protect

2. Data Theft Disclosure Laws

3. Standards set by administrative regulations

4. Intellectual Property Law

Assignment: For Monday, October 10, please read:

 

 

D. Use of the Military to Secure Cyberspace

“Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges we face as a nation,” according to the 2010 United States National Security Strategy.  When national security is at stake, surely it is appropriate to employ the military for protection.  And, in fact, “Operations in cyberspace are a critical aspect of our military operations around the globe,” according to then Chairman of the Joint Chiefs of Staff General Peter Pace.  Aside from what the military must do to protect its own networks from attack, when is it appropriate to use the military to protect our nation’s and its citizens’ interests in cyberspace?  Can the threat of Mutual Assured Disruption of computer networks deter cyber attacks and cyber war the way that Mutual Assured Destruction deters the use of nuclear weapons?

1. Current Military Cyber Organizations

a) U.S. Cyber Command

b) NATO Cooperative Cyber Defence Centre

c) People’s Army

2. Deterrence Theory

a) Conventional?

(1) Retaliation

(2) Denial

(3) Resilience

b) Cross-domain

3. Threats v. vulnerabilities

Assignment: For Monday, October 17, please read:

 

IV. The Role Of Private Sector In Securing Cyber Space

“[M]ost of the real-world governance of the Internet is decentralized and emergent; it comes from the interactions of tens of thousands of network operators and service providers – and sometimes users themselves – who are connected through the Internet protocols.”[1] Generally, those service providers are not owned by nation states.  Can the service providers and users govern themselves?  Should they? Syracuse University Professor Milton Mueller argues that “the problem of Internet governance has produced and will continue to produce institutional innovations in the global regulation of information and communications.”[2]  To what extent should the private sector comprise or at least be involved in those institutions?  Can the private sector provide its own security in cyberspace? Often, the private sector has technical expertise rivaling or exceeding that of nation states.  Do banks and corporations, for example, have a private right of self-defense in cyber?

A. Individual actors – “cyber hygiene”

B. Self-Governance

1. Internet Corporation for Assigned Names and Numbers (ICANN)

2. Internet Engineering Task Force (IETF)

3. United Nations World Summit on the Information Society (WSIS)

4. Working Group on Internet Governance (WGIG)

5. Internet Governance Forum (IGF)

C. Intermediaries

1. Internet service providers

2. Financial institutions

3. The domain name system (control of root files)

4. Information intermediaries (search engines, directories, data aggregators (e.g., ChoicePoint))

Assignment: For Monday, October 24, please read:

 

V. Attribution: The Key to Security, Trade, and Governance in Cyberspace?

“Attribution” in this context refers to determining the person responsible for a nefarious attempt to disrupt or alter a computer network or data.  An American Bar Association report calls it “[a]rguably the most salient technical issue in Cyberconflict,” and it is an obvious necessity for enforcement of laws against cyber crime. Of course, an action in cyber space that is truly anonymous is by definition incapable of attribution. Security requires a high capacity for attribution, while anonymity requires the opposite. Thus, the spectrum of attributability may be considered by some people to be a tradeoff between security and civil rights. This tradeoff is seen in the Secretary of State’s call to develop "new tools that enable citizens to exercise their rights of free expression" while at the same time pledging that "[t]hose who use the internet [sic] to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities." Clearly, the Secretary wants persons engaging in political speech to be able to conceal their real-world identities from tyrants, but terrorists and criminals to be identifiable to law enforcement. If persons use the same authentication instrument for banking, medical records and “anonymous” blog posts, their speech can be attributed to their physical world identity. Who will make this necessary balance between trusted identification and civil liberties?  Is requiring the authentication of all cyber actors the sine qua non of cyber security?

A. Technically possible?

B. Crime

C. Deterrence

D. National Strategy for Trusted Identities in Cyberspace (NSTIC)

E. Proposals for new or other Internet

A new military protocol could replace TCP/IP, allowing for authentication of the sender of every packet, as well as prioritization and encryption.  A secure network with the protocol, applications and operating system incompatible with the public Internet could be established for the use of government and critical infrastructure.

Assignment: For Monday, October 31, please read:

 

VI. Speech, Privacy and Anonymity in Cyberspace

Is there a tradeoff between privacy and security? Is the relevant Constitutional standard to be found in the 1st Amendment or in the Commerce Clause?  Under the theory that radio signals travel in a limited spectrum and are commercial activity, the FCC enforces all kinds of content restrictions (including transmitter identification) that would never be permitted for printed material.  Yet, radio waves can be used for speech, and books can be sold in commerce.  If 1st Amendment analysis controls, then the anonymity of speech is protected because of the chilling effect identification would have on content.  If the Commerce Clause is the relevant analysis, then the presence of protected speech does not limit regulation any more than putting a political bumper sticker on a tractor-trailer truck exempts it from displaying a registration plate or a safety inspection sticker.  In the physical world, those principles are clear.  The Supreme Court hasn’t really reached such issues pertaining to cyber. The Circuits have held both that the Internet is an instrumentality of commerce, which would permit your plan to require authors of websites to identify themselves, and that the content of packets is protected speech, which would suggest that anonymity is protected.

A. 1st Amendment Primer

B. 4th Amendment Primer

C. Electronic Communications Privacy Act

1. Stored Communications Act

2. Wiretap Act (Title III electronic surveillance)

3. Pen Register Act

D. Foreign Intelligence Surveillance Act

E. What constitutes a reasonable expectation of privacy in cyberspace?

F. What additional protections are desirable?

G. Does free speech require anonymity?

H. Privacy and Anonymity Are Not the Same

Assignment: For Monday, November 7, please read:

  • Handout on Freedom and Privacy in Cyberspace.

 

VII. Is Cyber Really a Domain?

A Rand report states: “The establishment of the 24th Air Force and U.S. Cyber Command marks the ascent of cyberspace as a military domain. As such, it joins the historic domains of land, sea, air, and space.” General Michael Hayden, however, asks:

Is cyber really a domain? Like everyone else who is or has been in a US military uniform, I think of cyber as a domain. It is now enshrined in doctrine: land, sea, air, space, cyber. … There are those in the US government who think treating cyber as an independent domain is just a device to cleverly mask serious unanswered questions of sovereignty when conducting cyber operations. They want to be heard and satisfied before they support the full range of our cyber potential.

What difference does it make?

Assignment: For Monday, November 7, please read:

  • TBD

 

VIII. Current U.S. Cyber Strategies

“[T]here has been no clear or single articulation of a cybersecurity policy. Nor has there been an agreed-upon framework for leadership and implementation of any policy that may be developed….In sum, if one thing is clear about the state of cybersecurity in the United States, it is that there is not now an agreed-upon way forward.” [3]  In 2011, the U.S. Government has released three strategy documents that could be subparts of an over-all national cybersecurity strategy.  What are their assumptions and goals?  Are they consistent?  What gaps do they leave? What agency of government should take the lead in cybersecurity?

A. Cyber Policy Review

B. White House International Cyber Strategy

C. DoD Strategy for Operating in Cyberspace

D. Review NSTIC

E. Walls, stovepipes, partnerships, and “multi-stakeholderism”

Note relationships in the strategies between government and private sector and between parts of government (LE v. Intel, military v. civilian).

Assignment: For Monday, November 14, please read:

 

IX. Current Legislative Proposals:

A. White House Draft Cyber Security Legislation

B. Lieberman, Collins, Carper Bill

C. Private Sector proposals

Assignment: For Monday, November 21, please read:

 

X. What Strategy, Regulations, and Statutes Would We Write?

 

Assignment: For Monday, November 28, please read:

  • Chapter 10, Managing the Mess, in Brenner, America The Vulnerable.
  • Plus, Handout.

 


[1] Milton L. Mueller, Networks and States: The Global Politics of Internet Governance 9 (MIT Press) (2010). [Mueller]

[2] Mueller, supra note 1, at 2.

[3] William C. Banks and Elizabeth R. Parker, Introduction, 4 J. Nat’l Security L. & Pol’y 7, 9-11 (Aug. 13, 2010).