Defining Cybersecurity Law
Jeff Kosseff *

* Assistant Professor of Cybersecurity Law, United States Naval Academy. J.D., Georgetown University Law Center; M.P.P., B.A., University of Michigan. The views expressed in this Article are only those of the Author and do not represent the views of the United States Naval Academy, Department of Navy, or Department of Defense. Thanks to LCDR Joseph Hatfield, Chris Inglis, Martin Libicki, and other colleagues at the Naval Academy’s Cyber Science Department for frequent discussions on the issues covered in the article, and to the staff of the Iowa Law Review for their excellent editorial work.

986 IOWA LAW REVIEW [Vol. 103:985
2018] DEFINING CYBERSECURITY LAW 987

ABSTRACT: As data breaches, denial-of-service attacks, and other cybersecurity incidents lead to extraordinary economic and national security consequences, commentators increasingly look to the legal system for solutions. Unfortunately, U.S. laws do not have a unified and coherent vision for the regulation and promotion of cybersecurity. For that matter, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.” This Article aims to fill that gap by defining “cybersecurity law.” Although many articles have addressed various aspects of cybersecurity, none has stepped back to define exactly what “cybersecurity” is and the goals of statutes and regulations that aim to promote cybersecurity. By defining the scope and goals of this new legal field, policymakers can then examine how lawmakers could improve existing laws. Part II of this Article briefly describes the cybersecurity challenges that the United States faces by examining the cyberattack on Sony Pictures Entertainment. Part III defines “cybersecurity law” as a legal framework that “promotes the confidentiality, integrity, and availability of public and private information, systems, and networks, through the use of forward-looking regulations and incentives, with the goal of protecting individual rights and privacy, economic interests, and national security.” Part IV explains the current legal regime for cybersecurity and concludes that many of the most prominent cybersecurity laws only address a small portion of the broader legal framework. Part V examines the gaps in current U.S. cybersecurity law and suggests starting points for improvements.

I. INTRODUCTION
II. THE SONY HACK: A CASE STUDY IN U.S. CYBERSECURITY CHALLENGES
III. DEFINING “CYBERSECURITY LAW”
A. What Are We Securing?
B. Where and Whom Are We Securing?
C. How Are We Securing?
D. When Are We Securing?
E. Why Are We Securing?
F. A Proposed Definition of “Cybersecurity Law”
IV. ASSESSING CURRENT CYBERSECURITY LAWS
A. Data Security Statutes
B. Data Breach-Notification Statutes
C. Data Security Litigation
D. Computer Hacking Laws
E. Electronic Communications Privacy Act
F. The Cybersecurity Act of 2015
V. KEY GAPS IN CYBERSECURITY LAW
A. Integrity and Availability
B. National Security and Economic Interests
C. Cooperative Laws
D. Forward-Looking Laws
VI. CONCLUSION

I. INTRODUCTION

In late 2015, after years of attempts, Congress passed legislation to enable companies to voluntarily share information about cybersecurity threats—such as attempted hacks—with the federal government and other companies. The bill, entitled the Cybersecurity Act of 2015, was tucked into a massive omnibus appropriations bill as Division N. [1] The Cybersecurity Act occupies 136 of the 2,009 pages in the omnibus bill, and it in detail establishes rules for operators of private networks to defend their networks, monitor possible threats, and collaborate with the federal government. [2] The new law also bolsters the Department of Homeland Security’s (“DHS”) cybersecurity efforts. The focus of the legislation, not surprisingly, is cybersecurity; indeed, “cybersecurity” appears in the bill nearly 200 times. [3]

There is just one problem: The Cybersecurity Act does not define “cybersecurity.” The statute allows companies to take certain actions for a “cybersecurity purpose,” which it defines as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” [4] The statute defines “security vulnerability” as “any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.” [5] The statute defines “cybersecurity threat” as an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system. [6] The statute also defines “security control,” [7] “malicious cyber command and control,” [8] and “cyber threat indicator.” [9]

Although these definitions help to illuminate the purpose of the legislation, the Cybersecurity Act does not directly explain what lawmakers meant by “cybersecurity.” The statute fails to provide a concrete definition that sets forth the scope and goals of cybersecurity law. Although the new statute can function without the definition—and as described in Part III of this Article, is a significant improvement over existing law—its omission of this key definition is illustrative of a larger problem: When policymakers talk about cybersecurity, they are not always talking about the same concept.

A day rarely passes without another report of a major cybersecurity incident. Hackers routinely breach the systems of retailers, stealing consumer credit card data, social security numbers, and other valuable personal information. [10] Attackers launch distributed denial-of-service attacks, knocking some of the most popular websites offline for hours or days. [11] Home security webcams become remote spying devices. [12] Even the U.S. electoral system is compromised by hacks of the email accounts of political officials and attacks on state elections systems. [13] In the increasingly frequent news coverage of these attacks, commentators, and lawmakers demand immediate and swift legal solutions to prevent further damage. [14]

The constant media coverage begs the question: How well do our existing laws address cybersecurity threats? The short answer: Not well at all. The slightly longer answer: The patchwork of U.S. statutes and regulations that constitute cybersecurity law is an uncoordinated mishmash of requirements that mostly were conceived long before modern cyber-threats. Modern U.S. cybersecurity law stems from century-old privacy norms, torts, and criminal laws that bear little relation to the protection of the confidentiality, integrity, or availability of systems, networks, and data.

In short, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.” This Article aims to fill that gap by defining “cybersecurity law.” Although “cybersecurity” is a commonly used term in legal circles, no scholarship has stepped back to define exactly what “cybersecurity law” is and the goals of statutes and regulations that aim to promote “cybersecurity.” By defining the scope and goals of this new legal field, policymakers can then...

1. Cybersecurity Act of 2015, Pub. L. No. 114-113, Div. N, § 1(a), 129 Stat. 2935 (codified at 6 U.S.C.A. §§ 1501–10 (West 2016)).
3. Id.
4. 6 U.S.C.A. § 1501(4).
5. Id. § 1501(17).
6. Id. § 1501(5)(A).
7. Id. § 1501(16) (“The term ‘security control’ means the management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.”).
8. Id. § 1501(11) (“The term ‘malicious cyber command and control’ means a method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.”).
9. Id. § 1501(6) (listing eight types of threat indicators).
10. See, e.g., David Meyer, Eddie Bauer is Latest Retailer Infected with Data Breach Malware, FORTUNE (Aug. 19, 2016), http://fortune.com/2016/08/19/eddie-bauer-data-breach (describing how a malware attack compromised credit card information of Eddie Bauer customers).
11. See, e.g., Lily Hay Newman, What We Know About Friday’s Massive East Coast Internet Outage, WIRED (Oct. 21, 2016, 1:04 PM), https://www.wired.com/2016/10/internet-outage-ddos-dnsdyn (describing attack on Dyn, a Domain Name Service, which caused websites around the world to be unavailable for much of a day).