Professors Jennifer M. Urban & Chris Jay Hoofnagle
Law 276.11 (for law students, CCN32294)
Info 290.001 (for graduate students, CCN17573; undergraduates by permission)
MW 11:20–12:35*
*Please note, we start at 11:20 (not Berkeley time)
Boalt Hall Room 132

Office Hours: Tuesdays, 11 am, 342 North Addition (Prof. Urban's office)

Cybersecurity has become instrumental to economic activity and human rights alike. But as digital technologies penetrate deeply into almost every aspect of human experience, a broad range of social-political-economic-legal-ethical-military and other considerations have come to envelop the cybersecurity landscape. Cybersecurity in Context will explore the most important elements that shape the playing field on which cybersecurity problems emerge and are managed. The course will emphasize how ethical, legal, and economic frameworks enable and constrain security technologies and policies. It will introduce some of the most important macro-elements (such as national security considerations and the interests of nation-states) and micro-elements (such as behavioral economic insights into how people understand and interact with security features). Specific topics include policymaking (on the national, international, and organizational level), business models, legal frameworks (including duties of security, privacy issues, law enforcement access issues, computer hacking, and economic/military espionage), standards making, and the roles of users, government, and industry.

Readings

We will use a course reader. All readings are freely accessible if you use the UC-Berkeley VPN or the library proxy.

Several of the readings come from Chris Jay Hoofnagle, Federal Trade Commission privacy law and policy (Cambridge University Press, 2016). You can get this book free by using the VPN and visiting this link: http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292

Questions about Cybersecurity in Context

Q. Do I need technical knowledge to take Cybersecurity in Context?

A. No. This course is about the wrapping elements of cybersecurity.

We do ask you to learn the basics: the difference between circuit-switched phone networks, and packet-switched internet ones, about the different layers of the internet, and how attacks on the confidentiality and integrity of data, and attacks on access to computers can occur on those different layers. We will have in-class content and readings to explain these topics. Look at the optional readings in the first week to get an idea of how technically sophisticated the reading will be.

Q. How does Cybersecurity in Context differ from the Cybersecurity Reading Group?

A. The reading group is a discussion seminar focusing on academic writings in cybersecurity, typically organized around a specific theme, such as cyber conflict. Cybersecurity in Context is a podium-lecture course covering the main themes in cybersecurity.

Q. I am a undergraduate. May I enroll?

A. The course is likely to be full, but if we have space we will enroll undergraduates in Info 290. We will enroll undergraduates after the graduate registration period, in August. We ask undergraduate students to email us the following information by August 1st:

1. I am an upper-division student [Yes/No]
2. What year?
3. I understand and accept that this is a graduate-level class, with graduate-level materials and pacing. [Yes/No]
4. I understand and accept that participation in class discussion is expected, even if the class is larger than most undergraduate courses that expect this (in grad and law school classes, for example, students participate in discussion in 50-100-person classes). [Yes/No]
5. I would like to take this class because: [Please tell us why you would like to take the class.]
6. I would contribute to this class because: [Please tell us why you would contribute to the class. For example, your major is relevant to topics in the class; you are doing an undergrad thesis on a relevant topic; you worked on relevant issues prior to coming to Berkeley; etc.]

Class Participation

We will be using Poll Everywhere, along with "on call" groups in order to have inclusive participation in this large course. You can participate in Poll Everywhere voting by visiting this website: https://pollev.com/CYBEAR 

You can also download the Poll Everywhere app: https://www.polleverywhere.com/mobile 

Assessment

Readings will be posted on the course webpage at least one week in advance Students will be evaluated on the following:

• Students are expected to read, watch, or listen to all assigned materials and be prepared to participate actively in class activities and discussion. We will have “on call” students. We won't always discuss the readings in detail, but they are necessary for understanding the higher-level class themes.
• Students are expected to complete occasional exercises, such as the “ping” and “traceroute” exercises.
• Students are expected to participate in group exercises.
• Students are expected to prepare questions for our guest speakers during the course of the semester.
• Students are expected to regularly attend class according to the policy described below.
• The final exam for the class.

The class will be graded on the basis of the final exam (70%) and attendance at and participation in the class sessions (30%). In grading, we will consider the final exam, whether students complete all of the home and in-class exercises and material for guest speakers, the quantity and quality of class participation (including session leadership and participation during other sessions). Please note that the quality of class participation—and, indeed, whether it is of appropriate quantity—may be enhanced in some cases by speaking up, and in some cases by giving others room to speak.

Note for non-law students. Law classes commonly use the “on call” method for class participation that we will employ in this class. Students will be assigned classes for which they are “on call.” While everyone is expected to participate regularly in class discussion, “on-call” students can expect to be called on and to be responsible for anchoring class discussion. This is straightforward in practice, but please don’t hesitate to check with us if you have questions.

Technical and legal aspects of the class. Cybersecurity requires cooperation among many different kinds of experts, and this interdisciplinary class provides an opportunity to consider the different types of expertise you may encounter and how to communicate across types of expertise.

You do not need a technical background for this class. You do need to learn the basics: the difference between circuit-switched phone networks, and packet-switched internet ones, about the different layers of the internet, and how attacks on the confidentiality and integrity of data, and attacks on access to computers can occur on those different layers. We will have in-class content and readings to explain these topics. Look at the optional readings for the first week to get an idea of how technically sophisticated the reading will be. While you will not be expected to become expert in non-legal subject matter, you will be expected develop the ability to understand non-legal subject matter sufficiently to comment on it intelligently and apply it to law and policy. Lawyers are generalists—they are expected to learn and apply many kinds of information throughout our careers. Being a competent lawyer requires the ability to understand the facts and theories that underlie or touch upon a legal problem.

Similarly, you do not need a legal background for this class, but you will be expected to learn the legal information we cover and the basics of how law operates in the cybersecurity field.

Course Policies

Attendance. Attendance is required.

Laptops & Other Electronic Devices. Class is, in part, discussion-based and interactive. Research shows that electronic devices can inhibit participation and learning in classroom settings. To allow everyone to participate fully in the discussion and avoid distractions, we ask that you keep your laptop generally closed and other electronic devices turned off and put away during class. You may open your laptop to access and refer to reading assignments when needed; otherwise, please leave it closed.

Credit Hours, Exams, Accommodation. A “credit hour” at Berkeley Law is an amount of work that reasonably approximates four hours of work per week for 15 weeks, including a) classroom time, b) time spent preparing for class, c) time spent studying for, and taking, final exams, d) time spent researching, writing, and revising papers and other written work, and e) time spent preparing for and completing any other final project, presentation, or performance. For the purposes of these calculations, 50 minutes of classroom instruction counts as one hour, and the 15 weeks includes the exam period. You can expect to spend this amount of time per unit per week on out-of class, course-related work as described above.

Student Services schedules all exams, including accommodated exams, as the law school is committed to anonymous grading.   Any student who seeks an accommodated or rescheduled exam for documented medical reasons or for religious observance should contact Student Services in 280 Simon Hall, 510-643-2744, imayer@law.berkeley.edu.

Learning Outcomes

Berkeley Law Learning Outcomes. Berkeley Law has identified several school-wide learning outcomes that you will recognize in Cybersecurity in Context:

(a) Knowledge and understanding of substantive and procedural law (as covered by the class);

(b) Legal analysis and reasoning, legal research, problem-solving, and written and oral communication in the legal context (including class exercises and discussion);

(c) Exercise of proper professional and ethical responsibilities to clients and the legal system (with regard to ethical responses to cybersecurity challenges);

(d) Other professional skills needed for competent and ethical participation as a member of the legal profession (with regard to competent and ethical responses to cybersecurity challenges); and

(e) Using the law to solve real-world problems and to create a more just society (including using the law appropriately to solve cybersecurity problems and address cyber threats, and analyzing tools other than law are appropriate).

Course-Specific Learning Outcomes. In addition to the general learning outcomes listed above, students in this class will be expected to:

• Understand the elements that define “cybersecurity;”
• Understand the legal, social, and political frameworks that affect cybersecurity;
• Identify and define challenges to achieving cybersecurity;
• Identify and explain social, legal, political, and economic impediments to cybersecurity;
• Suggest approaches to maintain a reasonable state of cybersecurity and to address breaches effectively, ethically, and according to law; and
• Identify main tradeoffs between different cybersecurity-related interests (e.g., between economics and security levels; between law enforcement and civil liberties; between private interests and public interests).

Course Schedule

#	Date	Topics	Learning Goals	Reading
1a	20-Aug	Introduction to the course: Why Cybersecurity in Context	Course Intro: why cybersecurity "in context?"	At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues (David Clark, Thomas Berson, and Herbert S. Lin, Editors)(National Academies Press 2014) pp. 1–52. You can get this excellent little book free from NAS here: https://www.nap.edu/catalog/18749/at-the-nexus-of-cybersecurity-and-public-policy-some-basic
			Why Cybersecurity is Important	Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff. 2009. A brief history of the internet. SIGCOMM Comput. Commun. Rev. 39, 5 (October 2009), 22-31, https://dl.acm.org/citation.cfm?id=1629613
			The different "law of cybersecurity"--public law, private law, international law	Commotion, Learn Networking Basics (n.d.), https://commotionwireless.net/docs/cck/networking/learn-networking-basics/
				Rus Shuler, How Does the Internet Work? (2002), https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm
				Optional: NICCS, A Glossary of Common Cybersecurity Terminology (2017), https://niccs.us-cert.gov/glossary
				Do the how the internet works module on bCourses
1b	22-Aug	Cybersecurity in Context Continued	What is encompassed by narrow and broad definitions of cybersecurity?	Graduate students: please view the video of Monday's class (the law students started on Monday) and do all of Monday's readings
			By focusing on cybersecurity, are structuring the debate such that it empowers certain actors and interests?	Helen Nissenbaum, Where Computer Security Meets National Security, 7 Ethics and Information Technology 7:61–73 (2005), https://www.nyu.edu/projects/nissenbaum/papers/ETINsecurity.pdf
			The evolution of cyber attacks: actors, motives, techniques, surfaces	Jason Faulkner, Online security: Breaking down the anatomy of a phishing email, How-to Geek, April 13 2011, https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/
				Raphael Satter, Jeff Donn, and Chad Day, Inside Story: How Russians Hacked the Democrats' Emails, AP, Nov. 4, 2017, https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a/Inside-story:-How-Russians-hacked-the-Democrats%27-emails
				Do the Internet of Insecure Things module on bCourses
2a	27-Aug	Defining Challenges: Anonymity and Attribution	Introduction to Traceability Online	Herbert Lin, Attribution Soup to Nuts, Hoover Institute Aegis Paper Series No. 1607 (2016), https://www.hoover.org/sites/default/files/research/docs/lin_webready.pdf
		Discussion Group 1 on call	Attribution: electrons do not wear uniforms, yet the demands of more specific attribution are growing	Mandiant, APT1: Exposing One of China’s Cyber Espionage Units (2014) pp 1–60, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
			Structural, legal, and economic factors influence the amount of “anonymity” on the Internet
			Anonymity stages new conflicts surrounding the power of nation-states in control of the internet, leading to empowerment of non-state actors
			How networks work: firewalls, encryption, routers, and switches	Optional/Background: What's a backdoor? https://www.wired.com/2014/12/hacker-lexicon-backdoor/
			How actors penetrate networks
2b	29-Aug	Defining Challenges: The Economics of Cybersecurity	Incentives and Disincentives	Ross Anderson, Why information security is hard - an economic perspective, Computer Security Applications Conference, 2001, http://ieeexplore.ieee.org/document/991552/
		Discussion Group 2 on call	The Ross Anderson Critique	Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Options (a single chapter) in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010), download the chapter here, or the full book: https://www.nap.edu/catalog/12997/proceedings-of-a-workshop-on-deterring-cyberattacks-informing-strategies-and
			The Cybersecurity Industry	Watch interview with Professor Steven Bellovin on the fundamental cyber problems (in Files>Videos).
			The Economics of Cyber Crime
3a	5-Sep	Defining Challenges: Cybersecutity Key Actors & Conflicts	Who are the key stakeholders in cybersecurity and why are they important?	Paul Rosenzweig, The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010), https://www.nap.edu/read/12997/chapter/18
		Discussion Group 3 on call	How do stakeholder interests align and misalign?	Deirdre K. Mulligan & Fred B. Schneider, Doctrine for Cybersecurity, 140(4) Daedalus 70–92 (2011), http://www.mitpressjournals.org/doi/abs/10.1162/DAED_a_00116
			The American approach of "public-private cybersecurity"	Watch interview with Professor Kirsten Eichensehr (in Files>Videos)
			Security as a contested value; considering the non-economic barriers to security, such as free speech	Watch interview with Professor Laura DeNardis (in Files>Videos)
3b	10-Sep	Defining Challenges: The Human Factor	Psychology and Security	Shari Lawrence Pfleeger & Deanna D. Caputo, Leveraging behavioral science to mitigate cyber security risk, 31(4) Computers & Security 597–611 (2012), http://www.sciencedirect.com/science/article/pii/S0167404811001659
		Discussion Group 4 on call	How will cybersecurity professionals react to individual-level decision making by users?	Skim: Verizon, Verizon 2018 Data Breach Investigations Report (DBIR) (2017), pp. 1–47, 60–62, https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
4a	12-Sep	Does the FTC Own Cybersecurity?	What is the law of cybersecurity emerging from the FTC?	Chris Jay Hoofnagle, Federal Trade Commisison Privacy Law and Policy, Chapter 5, You can get this book free by using the VPN and visiting this link: http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292
		Discussion Group 1 on call	Whence does this "law" come?	FTC v. Wyndham et al., No. 14-3514 (3rd Cir. 2014), http://www2.ca3.uscourts.gov/opinarch/143514p.pdf
				GDPR Article 32, and Recitals 39, 49, 81, 83. The recitals are the text at the beginning of the document following "Whereas" https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
4b	17-Sep	FTC Cybersecurity Continued	Understanding the evolution of cybersecurtity duties of care	Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy, Chapter 8
		Discussion Group 2 on call		LabMD v. FTC, No. 16-16270 (11th Cir. 2018), http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf
				Watch interview with Professor Steve Bellovin on the FTC and reasonable security (see files > Videos).
5a	19-Sep	Security Breach Notification	Security breach notification (SBN) laws proliferated across the country and now almost any business can have a security incident that causes a notification requirement	California Department of Justice, 2016 Data Breach Report (2016), pp. iii-38, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
		Discussion Group 3 on call	What duty to monitor is imposed by SBN?	Perkins Coie LLP, Security Breach Notification Chart (skim), https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
			How are SBN laws evolving? How should they evolve? Do we want notice of security breaches, or something else?	Kim Zetter, Hackers Finally Post Stolen Ashley Madison Data, Wired Aug. 18, 2015. https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
			What are the expanding notions of people who should give notice of breaches	GDPR Recitals 85–88 (these are the numbered clauses following "Whereas") and Articles 33, 34. Under Article 4, a "personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." "Personal data" means "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
5b	24-Sep	Jonathan Jaffe, Views from Practice: The Cybersecurity Consultant (confirmed)	How to institutions prepare for, respond to, and avoid security breaches?	Electronic Frontier Foundation, Assessing Your Risks (2017).
		Discussion Group 4 on call	How to do threat modeling	EFF Threat Modeling Worksheet.
				Do the Have I Been Pwned module.
6a	26-Sep	Defining Challenges: The Role of Standards in a Connected Economy	Introduction to two cybersecurity approaches: NIST Cybersecurity and PCI-DSS	NIST Cybersecurity Framework (draft version 1.1), pp 1–13, then skim 14–46, https://www.nist.gov/file/344206
		Discussion Group 1 on call		PWC, Why you should adopt the NIST Cybersecurity Framework (2014), https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf
				TechTarget.com, The history of the PCI DSS standard: A visual timeline (2014), http://searchsecurity.techtarget.com/feature/The-history-of-the-PCI-DSS-standard-A-visual-timeline
				SANS, Compliant but not Secure: Why PCI-Certified Companies Are Being Breached, pp 1–12 (2015) https://www.sans.org/reading-room/whitepapers/compliance/compliant-secure-pci-certified-companies-breached-36497
6b	1-Oct	ECPA & SCA: Law Enforcement Acess to User Data	What is it that law enforcement agencies (LEAs) want and why?	Orin S. Kerr, A User's Guide to the Stored Communications Act, and I Legislator's Guide to Amending It, 72(6) George Washington Law Review 1208, pp 1208–1224 (2004). Please be sure to study the chart on page 1223, https://heinonline.org/HOL/P?h=hein.journals/gwlr72&i=1222
		Discussion Group 2 on call	Should systems be built to accommodate law enforcement access?	Best Practices for Working with Companies, Appendix C in U.S. DOJ Prosecuting Computer Crimes (2010), https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
			When is there a legal duty to report?	The Cloud Act
			How communications privacy laws shape cybersecurity
7a	3 Oct	Cybersecurity and Intellectual Property 1	Kinship between IP (valuable information) protection and cybersecurity DTSA, EEA, Trade Secrets and high level security through obscurity	Charles Doyle, Stealing Trade Secrets and Economic Espionage: An Overview of the Economic Espionage Act. Please be sure to consider the definition of a trade secret and how it is protected according to the EEA and the DTSA, https://fas.org/sgp/crs/secrecy/R42681.pdf
		Discussion Group 3 on call	Effects of IP laws on cybersecurity development:	Emily Mossburg, J. Donald Fancher, and John Gelinne, The Hidden Costs of an IP Breach  (Deloitte) (2016), https://www2.deloitte.com/content/dam/insights/us/articles/loss-of-intellectual-property-ip-breach/DR19_TheHiddenCostsOfAnIPBreach.pdf
			a) incentives to create tools	Optional overview on IPRs:  James M. Singer, Esq. (Fox Rothschild LLP), IP Stategies for Next-Generation Cybersecurity Technologies (2018), https://www.foxrothschild.com/content/uploads/2018/02/Ebook-Intellectual-Property-Strategies-for-Next-Generation-Cybersecurity-Technologies-James-M.-Singer-April-2018.pdf
			b) effect on standards and interoperability: open source, IP-encumbered standards
7b	8-Oct	Jim Dempsey, Views from Practice: Surveillance Policy (confirmed)	To what extent can network operators monitor their users?	18 USC 2511(2)(a)(i)
		Discussion Group 1 on call	EINSTEIN 3: Intrusion prevention system for the federal executive branch.	18 USC 2511(2)(i)
			Foreign Intelligence Surveillance Act § 702 and Cybersecurity	18  USC 3121(b)
				6 USC 1503
8a	10-Oct	Cybersecurity and IP 2: DMCA Anticircumvention	What are the substantive provisions of the DMCA that may affect cybersecurity?	17 USC 1201
		Discussion Group 4 on call	How do the sharp contours of "anti-circumvention" under the DMCA affect cyberscurity?  What code circumventions exceed the "security researcher" exemptions in the DMCA? Do they have a practical effect?	Cybersecurity Research: Addressing the Legal Barriers and Disincentives: Report of a Workshop Convened by the Berkeley Center for Law & Technology, the UC Berkeley School of Information and the International Computer Science Institute under a grant from the National Science Foundation (2015), https://www.ischool.berkeley.edu/sites/default/files/cybersec-research-nsf-workshop.pdf
8b	15-Oct	Computer Fraud and Abuse Act (CFAA) Part 1	What are the substantive provisions of the Computer Fraud and Abuse Act? How do the contours of hacking affect cybersecurity at the macro and micro levels?	Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service, Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf
		Discussion Group 1 on call	We conceive of hacking through the lens of trespass. Illegal hacking follows some of the same contours of trespass law.	18 USC 1030
9a	17-Oct	CFAA Part 2	Authorization's three lenses: code, contract, and social norms	Review Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service, Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf
		Discussion Group 2 on call	What violations of agreements are serious enough to be criminal?	Matthew Bunn and Scott D. Sagan, A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes, American Academy of Arts and Sciences (2014), https://www.amacad.org/content/publications/publication.aspx?d=1425
			What misuses of computers are so serious that we as a society consider it criminal?
9b	22-Oct	Becky Richards,Views from Practice: The IC View (confirmed)	Cyber and the Intelligence Community	NSC, Vulnerabilities Equities Policy and Process for the United States Government, November 15, 2017 (pay particular attention to §5 and annex B)
		All discussion groups on call	Understanding the Vulnerabilities Equities Policy and Process	Executive Order 12333,United States intelligence activities, 46 FR 59941, Dec. 4, 1981.
				National Security Directive 42, July 5, 1990.
				Vulnerabilities Equity Policy hypothetical.
10a	24-Oct	Critical Infrastructure and Information-Sharing	What is critical infrastructure (CI)? What definition of "cybersecurity" is appropriate to use in securing CI? Who are the actors involved in attacking and securing CI? What are the economic interests relevant to securing CI? What are the legal and behavioral dynamics? How is the task of securing CI changing with increasing networked systems (e.g., the "smart" electricity grid)?	Kelly Jackson Higgins. Lessons from the Ukraine electric grid hack. Information Week, March 18, 2016, https://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743  Jennifer M. Urban, Chapter 22: Privacy issues in smart grid deployment, in Research Handbook on Intellectual Property and Climate Change (2016), pages 1-5 (up to "Privacy issues presented by the smart grid system") and pages 16-17 ("Note on on cyber-security issues") only. NIST, NISTIR 7628, Guidelines for Smart Grid Security, Sept. 2014, http://dx.doi.org/10.6028/NIST.IR.7628r1 - page 1-5 only - this is a 668-page document; don't worry when you open it! We want you to read only the introductory pages (Chapter 1 up to 1.2) focusing on: how NIST is defining cybersecurity, who the actors are, and identifying the NISTIR's general approach to securing the smart grid. You can skim over the discussion of what has been added since the last version.
		Discussion Group 4 on call	How might information sharing affect cybersecurity risk?	Mark Bowden, The Enemy Within, Vanity Fair (2010), https://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/308098/  Cybersecurity Information Sharing Act of 2015
				Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS)(Please note, this is a TLP: Amber document and it is not allowed to be circulated. Please do not circulate it outside the class. We are including it here because its full text was uploaded into a regulatory petition, and as a result, it is formally part of the public record. We are including it so that you can see an example of the kinds of "indicators of compromise" information sharing that exists.
				Optional/Further background reading: 2003 Congressional Research Report on "What Makes an Infrastructure Critical?" https://fas.org/irp/crs/RL31556.pdf E-ISAC Ukraine report Handy corporate primer on CISA:https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/ Homeland Security/DOJ Guidance Document on CISA: https://www.us-cert.gov/sites/default/files/ais_files/Non-Federal_Entity_Sharing_Guidance_%28Sec%20105%28a%29%29.pdf US-CERT How-To on Automated Indicator Sharing (AIS): https://www.us-cert.gov/ais (note that they say "We Need You!" ) DHS/DOJ "Privacy and Civil Liberties Final Guidelines": https://www.us-cert.gov/sites/default/files/ais_files/Privacy_and_Civil_Liberties_Guidelines_%28Sec%20105%28b%29%29.pdf
10b	29-Oct	Michael Nacht, Views from Practice: Global Strategy (confirmed)	The Stuxnet Attack	David Sanger, Confront and Conceal, Obama's Secret Wars and Surprising Use of American Power, chapter 8 (2012)
		Discussion Group 2 on call
11a	31-Oct	Cyber in Financial Services	Financial services companies have vast privacy and security requirements	FTC, Financial Institutions and Customer Information: Complying with the Safeguards Rule (2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
		Discussion Group 3 on call	In practice, cyber responsibilities of financial services companies reach far because service providers and contractors are held to the same standards. Regulators are elevating responsibility to the board room.
			In financial services, CIA is an animating value, but so is safety and soundness of the banking system
			Consider the political economy of the battle between state-level developments and desire for federal preemption of states.
	5-Nov	No Class Today: Rescheduled	The class make-up will be on Friday, November 16, from 1 pm to 2:15 pm in Room 132 (our usual room)
11b	7-Nov	Two Key Tussles: 1) Harassment and Extortion Online 2) Apple v. FBI & Key Escrow Encryption	Is freedom from harrassment a cybersecurity issue?	Benjamin Wittes, Cody Poplin, Quinta Jurecic & Clara Spera, Sextortion: Cybersecurity, teenagers, and remote sexual assault, pp. 1–9 (May 2016), https://www.brookings.edu/wp-content/uploads/2016/05/sextortion1-1.pdf
		Discussion Group 4 on call	How have aggressors used the internet to attack individuals?	Nellie Bowles, Thermostats, Locks and Lights: Digital Tools of Domestic Abuse, NY Times, Jun. 23, 2018, https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html  Danielle Keats Citron, Cyber Civil Rights, 89 Boston Univ. Law Rev. 61, pp. 61–84 (2009), http://www.bu.edu/law/journals-archive/bulr/volume89n1/documents/CITRON.pdf
			Should companies adopt key escrow or other methods for allowing LEA access?	Harold Abelson et al., Keys under doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1), September 2015, https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8  Optional/Further reading: Marlisse Silver Sweeney, "What the Law Can (and Can't" Do About Online Harassment?"The Altantic, Nov. 12, 2014: https://www.theatlantic.com/technology/archive/2014/11/what-the-law-can-and-cant-do-about-online-harassment/382638/ (includes interview with Danielle Citron).
	12-Nov	No Class Today: Veterans Day Observed No classes meet
12a	14-Nov	1) Online Harassment 2 2) Decryption Mandates 3) Cyber War	Please see questions above (for 7 Nov) as a reminder on the first two topics. Cyber War (we will continue this on Friday 16 Nov), but begin it during this class if there is time. All readings and questions are listed here. Questions to consider: What are the legal and policy contours of cyber conflict so serious that it constitutes ”war?”	Thomas Rid, Cyber War Will Not Take Place, 35(1) Journal of Strategic Studies 5-32 (2011), https://www.tandfonline.com/doi/pdf/10.1080/01402390.2011.608939
		Discussion Group 1 on call	Has the focus on “war” turned our attention away from the dominance of cyber espionage?	John Arquilla, Cyberwar is Already Upon Us, Foreign Policy (2012), http://foreignpolicy.com/2012/02/27/cyberwar-is-already-upon-us/
			What is the future of cyber conflict likely to look like?	Jason Healey. Learn cyber conflict history, or doom yourself to repeat it. Armed Forces Journal, December 17, 2013, http://armedforcesjournal.com/learn-cyber-conflict-history-or-doom-yourself-to-repeat-it/
			Deterrence, Compellence, and Understanding the history of cyber conflict	Richard B. Gasparre. The Israeli 'E-tack' on Syria--Part I. Air Force Technology.com, March 10, 2008, http://www.airforce-technology.com/features/feature1625/
12b	16-Nov at 1 pm.	Cyber War	This is a make-up class. Please note that the day of the week (Friday) and time (1 pm). We were going to be in our usual room, but classes were cancelled. We met via Zoom and recorded. The Zoom video can be found in Files>Videos	Charles K. Bartles, Getting Gerasimov Right, Military Review, Jan/Feb 2016, https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20160228_art009.pdf
		Discussion Group 2 on call		Optional: Government Accountability Office, "Weapons System Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities," (Oct. 2018), https://www.gao.gov/assets/700/694913.pdf
13a	19-Nov	Note: classes cancelled by university due to air quality concerns. Rescheduled to 11/27.
13a	26-Nov	John Yoo, Views from Practice: The Policy Lawyer (confirmed, okay to record)		John Yoo, Embracing the Machines: Rationalist War and New Weapons Technologies, 105 California Law Review 443 (2017), https://scholarship.law.berkeley.edu/californialawreview/vol105/iss2/4/
		Discussion Group 4 on call
13b	27-Nov	Jonathan Reiber, Views from Practice: DoD Strategy (confirmed) (rescheduled from 11/19) Discussion Group 3 on call		Department of Defense, Cyber Strategy Summary 2018 Jonathan Reiber, "What Happens When the US Starts to 'Defend Forward' in Cyberspace?" https://www.defenseone.com/ideas/2018/11/what-happens-when-us-starts-defend-forward-cyberspace/152580/ Jonathan Reiber, "China Is the Top Long-Term Threat in Cyberspace," https://www.nextgov.com/ideas/2018/11/china-top-long-term-threat-cyberspace/152588/
14a	28-Nov	1) Hacking and Integrity of Democracy 2) Control,  Civility, or Chaos?	Topic 1: Should elections or election infrastructure be considered "critical infrastructure"? What would be the implications of this? What constitutes a "cybersecurity" problem for election integrity? What is the right balance between election security and voting rights? Topic 2: How much, and what type, of control will be imposed upon the internet?	Statement of Ryan Goodman on Election Interference before the U.S. Senate Committee on the Judiciary (pages 1-8), Jun. 12, 2018 Verified Voting, Statement in Response to NIST Request for Information regarding the Cybersecurity Framework, April 8, 2018. John Perry Barlow, A Declaration of the Independence of Cyberspace, Feb. 1996, https://www.eff.org/cyberspace-independence  James Grimmelmann, Death of a data haven: cypherpunks, WikiLeaks, and the world’s smallest nation, ArsTechnica, Mar. 28, 2012.
		Discussion Group 1 on call		Optional: If you're interested in the topic of election hacking (of the machines and systems), poke around www.verifiedvoting.org - they have tons and tons of information. Verified Voting is mainly made up of computer scientists who are deeply skeptical of electronic voting. For one (long and nerdy) view of what it would take to create secure internet voting, check out U.S. Vote Foundation/Galois, The Future of Voting (July 2015). https://www.usvotefoundation.org/sites/default/files/E2EVIV_full_report.pdf
14b	3-De, c Note new date	Future of Cybersecurity	What do contests for control over internet governance mean for cybersecurity?	See 11/28 readings (Barlow and Grimmelman) Optional: CLTC, Cybersecurity Futures 2020 (2016)
		Discussion Group 3 on call	What will be the competitive dynamics among individuals, nation-states, and non-state actors
			How might we redesign the internet for security?
			What power should professionals and institutions have with regard to choosing what is exogenous to the cybersecurity system?
			What are the most consequential decisions you will make as a cybersecurity professional?
Final Exam Review Session	5-Dec Note new date	This is at our usual time, in our usual room.
Final Exam	11-Dec	Exam is at 1:30 pm in Berkeley Law Room 105 Schedule is here.