Professors Jennifer M. Urban & Chris Jay Hoofnagle
Law 276.11 (for law students, CCN32294)
Info 290.001 (for graduate students, CCN17573; undergraduates by permission)
*Please note, we start at 11:20 (not Berkeley time)
Boalt Hall Room 132
Office Hours: Tuesdays, 11 am, 342 North Addition (Prof. Urban's office)
Cybersecurity has become instrumental to economic activity and human rights alike. But as digital technologies penetrate deeply into almost every aspect of human experience, a broad range of social-political-economic-legal-ethical-military and other considerations have come to envelop the cybersecurity landscape. Cybersecurity in Context will explore the most important elements that shape the playing field on which cybersecurity problems emerge and are managed. The course will emphasize how ethical, legal, and economic frameworks enable and constrain security technologies and policies. It will introduce some of the most important macro-elements (such as national security considerations and the interests of nation-states) and micro-elements (such as behavioral economic insights into how people understand and interact with security features). Specific topics include policymaking (on the national, international, and organizational level), business models, legal frameworks (including duties of security, privacy issues, law enforcement access issues, computer hacking, and economic/military espionage), standards making, and the roles of users, government, and industry.
Several of the readings come from Chris Jay Hoofnagle, Federal Trade Commission privacy law and policy (Cambridge University Press, 2016). You can get this book free by using the VPN and visiting this link: http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292
Questions about Cybersecurity in Context
Q. Do I need technical knowledge to take Cybersecurity in Context?
A. No. This course is about the wrapping elements of cybersecurity.
We do ask you to learn the basics: the difference between circuit-switched phone networks, and packet-switched internet ones, about the different layers of the internet, and how attacks on the confidentiality and integrity of data, and attacks on access to computers can occur on those different layers. We will have in-class content and readings to explain these topics. Look at the optional readings in the first week to get an idea of how technically sophisticated the reading will be.
Q. How does Cybersecurity in Context differ from the Cybersecurity Reading Group?
A. The reading group is a discussion seminar focusing on academic writings in cybersecurity, typically organized around a specific theme, such as cyber conflict. Cybersecurity in Context is a podium-lecture course covering the main themes in cybersecurity.
Q. I am an undergraduate. May I enroll?
A. The course is likely to be full, but if we have space we will enroll undergraduates in Info 290. We will enroll undergraduates after the graduate registration period, in August. We ask undergraduate students to email us the following information by August 1st:
1. I am an upper-division student [Yes/No]
2. What year?
3. I understand and accept that this is a graduate-level class, with graduate-level materials and pacing. [Yes/No]
4. I understand and accept that participation in class discussion is expected, even if the class is larger than most undergraduate courses that expect this (in grad and law school classes, for example, students participate in discussion in 50-100-person classes). [Yes/No]
5. I would like to take this class because: [Please tell us why you would like to take the class.]
6. I would contribute to this class because: [Please tell us why you would contribute to the class. For example, your major is relevant to topics in the class; you are doing an undergrad thesis on a relevant topic; you worked on relevant issues prior to coming to Berkeley; etc.]
We will be using Poll Everywhere, along with "on call" groups in order to have inclusive participation in this large course. You can participate in Poll Everywhere voting by visiting this website: https://pollev.com/CYBEAR
You can also download the Poll Everywhere app: https://www.polleverywhere.com/mobile
Readings will be posted on the course webpage at least one week in advance. Students will be evaluated on the following:
- Students are expected to read, watch, or listen to all assigned materials and be prepared to participate actively in class activities and discussion. We will have “on call” students. We won't always discuss the readings in detail, but they are necessary for understanding the higher-level class themes.
- Students are expected to complete occasional exercises, such as the “ping” and “traceroute” exercises.
- Students are expected to participate in group exercises.
- Students are expected to prepare questions for our guest speakers during the course of the semester.
- Students are expected to regularly attend class according to the policy described below.
- The final exam for the class.
The class will be graded on the basis of the final exam (70%) and attendance at and participation in the class sessions (30%). In grading, we will consider the final exam, whether students complete all of the home and in-class exercises and material for guest speakers, the quantity and quality of class participation (including session leadership and participation during other sessions). Please note that the quality of class participation—and, indeed, whether it is of appropriate quantity—may be enhanced in some cases by speaking up, and in some cases by giving others room to speak.
Note for non-law students. Law classes commonly use the “on call” method for class participation that we will employ in this class. Students will be assigned classes for which they are “on call.” While everyone is expected to participate regularly in class discussion, “on-call” students can expect to be called on and to be responsible for anchoring class discussion. This is straightforward in practice, but please don’t hesitate to check with us if you have questions.
Technical and legal aspects of the class. Cybersecurity requires cooperation among many different kinds of experts, and this interdisciplinary class provides an opportunity to consider the different types of expertise you may encounter and how to communicate across types of expertise.
You do not need a technical background for this class. You do need to learn the basics: the difference between circuit-switched phone networks, and packet-switched internet ones, about the different layers of the internet, and how attacks on the confidentiality and integrity of data, and attacks on access to computers can occur on those different layers. We will have in-class content and readings to explain these topics. Look at the optional readings for the first week to get an idea of how technically sophisticated the reading will be. While you will not be expected to become expert in non-legal subject matter, you will be expected to develop the ability to understand non-legal subject matter sufficiently to comment on it intelligently and apply it to law and policy. Lawyers are generalists—they are expected to learn and apply many kinds of information throughout their careers. Being a competent lawyer requires the ability to understand the facts and theories that underlie or touch upon a legal problem.
Similarly, you do not need a legal background for this class, but you will be expected to learn the legal information we cover and the basics of how law operates in the cybersecurity field.
Attendance. Attendance is required.
Laptops & Other Electronic Devices. Class is, in part, discussion-based and interactive. Research shows that electronic devices can inhibit participation and learning in classroom settings. To allow everyone to participate fully in the discussion and avoid distractions, we ask that you keep your laptop generally closed and other electronic devices turned off and put away during class. You may open your laptop to access and refer to reading assignments when needed; otherwise, please leave it closed.
Credit Hours, Exams, Accommodation. A “credit hour” at Berkeley Law is an amount of work that reasonably approximates four hours of work per week for 15 weeks, including a) classroom time, b) time spent preparing for class, c) time spent studying for, and taking, final exams, d) time spent researching, writing, and revising papers and other written work, and e) time spent preparing for and completing any other final project, presentation, or performance. For the purposes of these calculations, 50 minutes of classroom instruction counts as one hour, and the 15 weeks includes the exam period. You can expect to spend this amount of time per unit per week on out-of-class, course-related work as described above.
Student Services schedules all exams, including accommodated exams, as the law school is committed to anonymous grading. Any student who seeks an accommodated or rescheduled exam for documented medical reasons or for religious observance should contact Student Services in 280 Simon Hall, 510-643-2744, firstname.lastname@example.org.
Berkeley Law Learning Outcomes. Berkeley Law has identified several school-wide learning outcomes that you will recognize in Cybersecurity in Context:
(a) Knowledge and understanding of substantive and procedural law (as covered by the class);
(b) Legal analysis and reasoning, legal research, problem-solving, and written and oral communication in the legal context (including class exercises and discussion);
(c) Exercise of proper professional and ethical responsibilities to clients and the legal system (with regard to ethical responses to cybersecurity challenges);
(d) Other professional skills needed for competent and ethical participation as a member of the legal profession (with regard to competent and ethical responses to cybersecurity challenges); and
(e) Using the law to solve real-world problems and to create a more just society (including using the law appropriately to solve cybersecurity problems and address cyber threats, and analyzing whether tools other than law are appropriate).
Course-Specific Learning Outcomes. In addition to the general learning outcomes listed above, students in this class will be expected to:
- Understand the elements that define “cybersecurity;”
- Understand the legal, social, and political frameworks that affect cybersecurity;
- Identify and define challenges to achieving cybersecurity;
- Identify and explain social, legal, political, and economic impediments to cybersecurity;
- Suggest approaches to maintain a reasonable state of cybersecurity and to address breaches effectively, ethically, and according to law; and
- Identify main tradeoffs between different cybersecurity-related interests (e.g., between economics and security levels; between law enforcement and civil liberties; between private interests and public interests).
|1a||20-Aug||Introduction to the course: Why Cybersecurity in Context||Course Intro: why cybersecurity "in context?"||At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues (David Clark, Thomas Berson, and Herbert S. Lin, Editors)(National Academies Press 2014) pp. 1–52. You can get this excellent little book free from NAS here: https://www.nap.edu/catalog/18749/at-the-nexus-of-cybersecurity-and-public-policy-some-basic|
|Why Cybersecurity is Important||Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff. 2009. A brief history of the internet. SIGCOMM Comput. Commun. Rev. 39, 5 (October 2009), 22-31, https://dl.acm.org/citation.cfm?id=1629613|
|The different "law of cybersecurity"--public law, private law, international law||Commotion, Learn Networking Basics (n.d.), https://commotionwireless.net/docs/cck/networking/learn-networking-basics/|
|Rus Shuler, How Does the Internet Work? (2002), https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm|
|Optional: NICCS, A Glossary of Common Cybersecurity Terminology (2017), https://niccs.us-cert.gov/glossary|
|Do the how the internet works module on bCourses|
|1b||22-Aug||Cybersecurity in Context Continued||What is encompassed by narrow and broad definitions of cybersecurity?||Graduate students: please view the video of Monday's class (the law students started on Monday) and do all of Monday's readings|
|By focusing on cybersecurity, are we structuring the debate such that it empowers certain actors and interests?||Helen Nissenbaum, Where Computer Security Meets National Security, 7 Ethics and Information Technology 7:61–73 (2005), https://www.nyu.edu/projects/nissenbaum/papers/ETINsecurity.pdf|
|The evolution of cyber attacks: actors, motives, techniques, surfaces||Jason Faulkner, Online security: Breaking down the anatomy of a phishing email, How-to Geek, April 13 2011, https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/|
|Raphael Satter, Jeff Donn, and Chad Day, Inside Story: How Russians Hacked the Democrats' Emails, AP, Nov. 4, 2017, https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a/Inside-story:-How-Russians-hacked-the-Democrats%27-emails|
|Do the Internet of Insecure Things module on bCourses|
|2a||27-Aug||Defining Challenges: Anonymity and Attribution||Introduction to Traceability Online||Herbert Lin, Attribution Soup to Nuts, Hoover Institute Aegis Paper Series No. 1607 (2016), https://www.hoover.org/sites/default/files/research/docs/lin_webready.pdf|
|Discussion Group 1 on call||Attribution: electrons do not wear uniforms, yet the demands of more specific attribution are growing||Mandiant, APT1: Exposing One of China’s Cyber Espionage Units (2014) pp 1–60, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf|
|Structural, legal, and economic factors influence the amount of “anonymity” on the Internet|
|Anonymity stages new conflicts surrounding the power of nation-states in control of the internet, leading to empowerment of non-state actors|
|How networks work: firewalls, encryption, routers, and switches||
What's a backdoor? https://www.wired.com/2014/12/hacker-lexicon-backdoor/
|How actors penetrate networks|
|2b||29-Aug||Defining Challenges: The Economics of Cybersecurity||Incentives and Disincentives||Ross Anderson, Why information security is hard - an economic perspective, Computer Security Applications Conference, 2001, http://ieeexplore.ieee.org/document/991552/|
|Discussion Group 2 on call||The Ross Anderson Critique||Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Options (a single chapter) in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010), download the chapter here, or the full book: https://www.nap.edu/catalog/12997/proceedings-of-a-workshop-on-deterring-cyberattacks-informing-strategies-and|
|The Cybersecurity Industry||Watch interview with Professor Steven Bellovin on the fundamental cyber problems (in Files>Videos).|
|The Economics of Cyber Crime|
|3a||5-Sep||Defining Challenges: Cybersecurity Key Actors & Conflicts||Who are the key stakeholders in cybersecurity and why are they important?||Paul Rosenzweig, The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010), https://www.nap.edu/read/12997/chapter/18|
|Discussion Group 3 on call||How do stakeholder interests align and misalign?||Deirdre K. Mulligan & Fred B. Schneider, Doctrine for Cybersecurity, 140(4) Daedalus 70–92 (2011), http://www.mitpressjournals.org/doi/abs/10.1162/DAED_a_00116|
|The American approach of "public-private cybersecurity"||Watch interview with Professor Kirsten Eichensehr (in Files>Videos)|
|Security as a contested value; considering the non-economic barriers to security, such as free speech||Watch interview with Professor Laura DeNardis (in Files>Videos)|
|3b||10-Sep||Defining Challenges: The Human Factor||Psychology and Security||Shari Lawrence Pfleeger & Deanna D. Caputo, Leveraging behavioral science to mitigate cyber security risk, 31(4) Computers & Security 597–611 (2012), http://www.sciencedirect.com/science/article/pii/S0167404811001659|
|Discussion Group 4 on call||How will cybersecurity professionals react to individual-level decision making by users?||Skim: Verizon, Verizon 2018 Data Breach Investigations Report (DBIR) (2017), pp. 1–47, 60–62, https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf|
|4a||12-Sep||Does the FTC Own Cybersecurity?||What is the law of cybersecurity emerging from the FTC?||Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy, Chapter 5. You can get this book free by using the VPN and visiting this link: http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292|
|Discussion Group 1 on call||Whence does this "law" come?||FTC v. Wyndham et al., No. 14-3514 (3rd Cir. 2014), http://www2.ca3.uscourts.gov/opinarch/143514p.pdf|
|GDPR Article 32, and Recitals 39, 49, 81, 83. The recitals are the text at the beginning of the document following "Whereas" https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN|
|4b||17-Sep||FTC Cybersecurity Continued||Understanding the evolution of cybersecurity duties of care||Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy, Chapter 8|
|Discussion Group 2 on call||LabMD v. FTC, No. 16-16270 (11th Cir. 2018), http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf|
|Watch interview with Professor Steve Bellovin on the FTC and reasonable security (see files > Videos).|
|5a||19-Sep||Security Breach Notification||Security breach notification (SBN) laws proliferated across the country and now almost any business can have a security incident that causes a notification requirement||California Department of Justice, 2016 Data Breach Report (2016), pp. iii-38, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf|
|Discussion Group 3 on call||What duty to monitor is imposed by SBN?||Perkins Coie LLP, Security Breach Notification Chart (skim), https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html|
|How are SBN laws evolving? How should they evolve? Do we want notice of security breaches, or something else?||Kim Zetter, Hackers Finally Post Stolen Ashley Madison Data, Wired Aug. 18, 2015. https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/|
|What are the expanding notions of people who should give notice of breaches||GDPR Recitals 85–88 (these are the numbered clauses following "Whereas") and Articles 33, 34. Under Article 4, a "personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." "Personal data" means "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN|
|5b||24-Sep||Jonathan Jaffe, Views from Practice: The Cybersecurity Consultant (confirmed)||How do institutions prepare for, respond to, and avoid security breaches?||Electronic Frontier Foundation, Assessing Your Risks (2017).|
|Discussion Group 4 on call||How to do threat modeling||EFF Threat Modeling Worksheet.|
|Do the Have I Been Pwned module.|
|6a||26-Sep||Defining Challenges: The Role of Standards in a Connected Economy||Introduction to two cybersecurity approaches: NIST Cybersecurity and PCI-DSS||NIST Cybersecurity Framework (draft version 1.1), pp 1–13, then skim 14–46, https://www.nist.gov/file/344206|
|Discussion Group 1 on call||PWC, Why you should adopt the NIST Cybersecurity Framework (2014), https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf|
|TechTarget.com, The history of the PCI DSS standard: A visual timeline (2014), http://searchsecurity.techtarget.com/feature/The-history-of-the-PCI-DSS-standard-A-visual-timeline|
|SANS, Compliant but not Secure: Why PCI-Certified Companies Are Being Breached, pp 1–12 (2015) https://www.sans.org/reading-room/whitepapers/compliance/compliant-secure-pci-certified-companies-breached-36497|
|6b||1-Oct||ECPA & SCA: Law Enforcement Access to User Data||What is it that law enforcement agencies (LEAs) want and why?||Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72(6) George Washington Law Review 1208, pp 1208–1224 (2004). Please be sure to study the chart on page 1223, https://heinonline.org/HOL/P?h=hein.journals/gwlr72&i=1222|
|Discussion Group 2 on call||Should systems be built to accommodate law enforcement access?||Best Practices for Working with Companies, Appendix C in U.S. DOJ Prosecuting Computer Crimes (2010), https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf|
|When is there a legal duty to report?||The Cloud Act|
|How communications privacy laws shape cybersecurity|
|7a||3 Oct||Cybersecurity and Intellectual Property 1||Kinship between IP (valuable information) protection and cybersecurity DTSA, EEA, Trade Secrets and high level security through obscurity||Charles Doyle, Stealing Trade Secrets and Economic Espionage: An Overview of the Economic Espionage Act. Please be sure to consider the definition of a trade secret and how it is protected according to the EEA and the DTSA, https://fas.org/sgp/crs/secrecy/R42681.pdf|
|Discussion Group 3 on call||Effects of IP laws on cybersecurity development:||Emily Mossburg, J. Donald Fancher, and John Gelinne, The Hidden Costs of an IP Breach (Deloitte) (2016), https://www2.deloitte.com/content/dam/insights/us/articles/loss-of-intellectual-property-ip-breach/DR19_TheHiddenCostsOfAnIPBreach.pdf|
|a) incentives to create tools||Optional overview on IPRs: James M. Singer, Esq. (Fox Rothschild LLP), IP Strategies for Next-Generation Cybersecurity Technologies (2018), https://www.foxrothschild.com/content/uploads/2018/02/Ebook-Intellectual-Property-Strategies-for-Next-Generation-Cybersecurity-Technologies-James-M.-Singer-April-2018.pdf|
|b) effect on standards and interoperability: open source, IP-encumbered standards|
|7b||8-Oct||Jim Dempsey, Views from Practice: Surveillance Policy (confirmed)||To what extent can network operators monitor their users?||18 USC 2511(2)(a)(i)|
|Discussion Group 1 on call||EINSTEIN 3: Intrusion prevention system for the federal executive branch.||18 USC 2511(2)(i)|
|Foreign Intelligence Surveillance Act § 702 and Cybersecurity||18 USC 3121(b)|
|6 USC 1503|
|8a||10-Oct||Cybersecurity and IP 2: DMCA Anticircumvention||What are the substantive provisions of the DMCA that may affect cybersecurity?||17 USC 1201|
|Discussion Group 4 on call||
How do the sharp contours of "anti-circumvention" under the DMCA affect cybersecurity?
What code circumventions exceed the "security researcher" exemptions in the DMCA? Do they have a practical effect?
Cybersecurity Research: Addressing the Legal Barriers and Disincentives: Report of a Workshop Convened by the Berkeley Center for Law & Technology, the UC Berkeley School of Information and the International Computer Science Institute under a grant from the National Science Foundation (2015), https://www.ischool.berkeley.edu/sites/default/files/cybersec-research-nsf-workshop.pdf
|8b||15-Oct||Computer Fraud and Abuse Act (CFAA) Part 1||
What are the substantive provisions of the Computer Fraud and Abuse Act?
How do the contours of hacking affect cybersecurity at the macro and micro levels?
|Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service, Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf|
|Discussion Group 1 on call||We conceive of hacking through the lens of trespass. Illegal hacking follows some of the same contours of trespass law.||
|9a||17-Oct||CFAA Part 2||Authorization's three lenses: code, contract, and social norms||Review Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service, Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf|
|Discussion Group 2 on call||What violations of agreements are serious enough to be criminal?||Matthew Bunn and Scott D. Sagan, A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes, American Academy of Arts and Sciences (2014), https://www.amacad.org/content/publications/publication.aspx?d=1425|
|What misuses of computers are so serious that we as a society consider it criminal?|
|9b||22-Oct||Becky Richards, Views from Practice: The IC View (confirmed)||Cyber and the Intelligence Community||NSC, Vulnerabilities Equities Policy and Process for the United States Government, November 15, 2017 (pay particular attention to §5 and annex B)|
|All discussion groups on call||Understanding the Vulnerabilities Equities Policy and Process||Executive Order 12333, United States intelligence activities, 46 FR 59941, Dec. 4, 1981.|
|National Security Directive 42, July 5, 1990.|
|Vulnerabilities Equity Policy hypothetical.|
What is critical infrastructure (CI)?
What definition of "cybersecurity" is appropriate to use in securing CI?
Who are the actors involved in attacking and securing CI?
What are the economic interests relevant to securing CI? What are the legal and behavioral dynamics?
How is the task of securing CI changing with increasing networked systems (e.g., the "smart" electricity grid)?
Kelly Jackson Higgins. Lessons from the Ukraine electric grid hack. Information Week, March 18, 2016, https://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743
Jennifer M. Urban, Chapter 22: Privacy issues in smart grid deployment, in Research Handbook on Intellectual Property and Climate Change (2016), pages 1-5 (up to "Privacy issues presented by the smart grid system") and pages 16-17 ("Note on cyber-security issues") only.
NIST, NISTIR 7628, Guidelines for Smart Grid Security, Sept. 2014, http://dx.doi.org/10.6028/NIST.IR.7628r1 - page 1-5 only - this is a 668-page document; don't worry when you open it! We want you to read only the introductory pages (Chapter 1 up to 1.2) focusing on: how NIST is defining cybersecurity, who the actors are, and identifying the NISTIR's general approach to securing the smart grid. You can skim over the discussion of what has been added since the last version.
|Discussion Group 4 on call||How might information sharing affect cybersecurity risk?||
Mark Bowden, The Enemy Within, Vanity Fair (2010), https://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/308098/
|Alert (ICS-ALERT-14-281-01E), Ongoing Sophisticated Malware Campaign Compromising ICS. (Please note, this is a TLP: Amber document and it is not allowed to be circulated. Please do not circulate it outside the class. We are including it here because its full text was uploaded into a regulatory petition, and as a result, it is formally part of the public record. We are including it so that you can see an example of the kinds of "indicators of compromise" information sharing that exists.)|
Optional/Further background reading:
|10b||29-Oct||Michael Nacht, Views from Practice: Global Strategy (confirmed)||The Stuxnet Attack||David Sanger, Confront and Conceal, Obama's Secret Wars and Surprising Use of American Power, chapter 8 (2012)|
|Discussion Group 2 on call|
Cyber in Financial Services
|Financial services companies have vast privacy and security requirements||FTC, Financial Institutions and Customer Information: Complying with the Safeguards Rule (2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying|
|Discussion Group 3 on call||In practice, cyber responsibilities of financial services companies reach far because service providers and contractors are held to the same standards. Regulators are elevating responsibility to the board room.|
|In financial services, CIA is an animating value, but so is safety and soundness of the banking system|
|Consider the political economy of the battle between state-level developments and desire for federal preemption of states.|
No Class Today: Rescheduled
The class make-up will be on Friday, November 16, from 1 pm to 2:15 pm in Room 132 (our usual room)
Two Key Tussles: 1) Harassment and Extortion Online
2) Apple v. FBI & Key Escrow Encryption
Is freedom from harassment a cybersecurity issue?
Benjamin Wittes, Cody Poplin, Quinta Jurecic & Clara Spera, Sextortion: Cybersecurity, teenagers, and remote sexual assault, pp. 1–9 (May 2016), https://www.brookings.edu/wp-content/uploads/2016/05/sextortion1-1.pdf
Discussion Group 4 on call
How have aggressors used the internet to attack individuals?
Nellie Bowles, Thermostats, Locks and Lights: Digital Tools of Domestic Abuse, NY Times, Jun. 23, 2018, https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html
Danielle Keats Citron, Cyber Civil Rights, 89 Boston Univ. Law Rev. 61, pp. 61–84 (2009), http://www.bu.edu/law/journals-archive/bulr/volume89n1/documents/CITRON.pdf
Should companies adopt key escrow or other methods for allowing LEA access?
Harold Abelson et al., Keys under doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1), September 2015, https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8
Optional/Further reading: Marlisse Silver Sweeney, "What the Law Can (and Can't) Do About Online Harassment?" The Atlantic, Nov. 12, 2014: https://www.theatlantic.com/technology/archive/2014/11/what-the-law-can-and-cant-do-about-online-harassment/382638/ (includes interview with Danielle Citron).
No Class Today:
Veterans Day Observed
No classes meet
1) Online Harassment 2
2) Decryption Mandates
3) Cyber War
Please see questions above (for 7 Nov) as a reminder on the first two topics.
Cyber War: we will continue this on Friday 16 Nov, but will begin it during this class if there is time. All readings and questions are listed here. Questions to consider:
What are the legal and policy contours of cyber conflict so serious that it constitutes “war”?
|Thomas Rid, Cyber War Will Not Take Place, 35(1) Journal of Strategic Studies 5-32 (2011), https://www.tandfonline.com/doi/pdf/10.1080/01402390.2011.608939|
|Discussion Group 1 on call||Has the focus on “war” turned our attention away from the dominance of cyber espionage?||John Arquilla, Cyberwar is Already Upon Us, Foreign Policy (2012), http://foreignpolicy.com/2012/02/27/cyberwar-is-already-upon-us/|
|What is the future of cyber conflict likely to look like?||Jason Healey. Learn cyber conflict history, or doom yourself to repeat it. Armed Forces Journal, December 17, 2013, http://armedforcesjournal.com/learn-cyber-conflict-history-or-doom-yourself-to-repeat-it/|
|Deterrence, Compellence, and Understanding the history of cyber conflict||Richard B. Gasparre. The Israeli 'E-tack' on Syria--Part I. Air Force Technology.com, March 10, 2008, http://www.airforce-technology.com/features/feature1625/|
|12b||16-Nov at 1 pm.
This is a make-up class. Please note the day of the week (Friday) and time (1 pm). We were going to be in our usual room, but classes were cancelled. We met via Zoom and recorded.
The Zoom video can be found in Files>Videos
|Charles K. Bartles, Getting Gerasimov Right, Military Review, Jan/Feb 2016, https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20160228_art009.pdf|
|Discussion Group 2 on call||Optional: Government Accountability Office, "Weapons System Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities," (Oct. 2018), https://www.gao.gov/assets/700/694913.pdf|
|13a||19-Nov||Note: classes cancelled by university due to air quality concerns. Rescheduled to 11/27.||
|13a||26-Nov||John Yoo, Views from Practice: The Policy Lawyer (confirmed, okay to record)||John Yoo, Embracing the Machines: Rationalist War and New Weapons Technologies, 105 California Law Review 443 (2017), https://scholarship.law.berkeley.edu/californialawreview/vol105/iss2/4/|
|Discussion Group 4 on call|
Jonathan Reiber, Views from Practice: DoD Strategy (confirmed)
(rescheduled from 11/19)
Discussion Group 3 on call
Department of Defense, Cyber Strategy Summary 2018
Jonathan Reiber, "What Happens When the US Starts to 'Defend Forward' in Cyberspace?" https://www.defenseone.com/ideas/2018/11/what-happens-when-us-starts-defend-forward-cyberspace/152580/
Jonathan Reiber, "China Is the Top Long-Term Threat in Cyberspace," https://www.nextgov.com/ideas/2018/11/china-top-long-term-threat-cyberspace/152588/
1) Hacking and Integrity of Democracy
2) Control, Civility, or Chaos?
Should elections or election infrastructure be considered "critical infrastructure"? What would be the implications of this?
What constitutes a "cybersecurity" problem for election integrity?
What is the right balance between election security and voting rights?
How much, and what type, of control will be imposed upon the internet?
Statement of Ryan Goodman on Election Interference before the U.S. Senate Committee on the Judiciary (pages 1-8), Jun. 12, 2018
Verified Voting, Statement in Response to NIST Request for Information regarding the Cybersecurity Framework, April 8, 2018.
John Perry Barlow, A Declaration of the Independence of Cyberspace, Feb. 1996, https://www.eff.org/cyberspace-independence
James Grimmelmann, Death of a data haven: cypherpunks, WikiLeaks, and the world’s smallest nation, ArsTechnica, Mar. 28, 2012.
|Discussion Group 1 on call||
If you're interested in the topic of election hacking (of the machines and systems), poke around www.verifiedvoting.org - they have tons and tons of information. Verified Voting is mainly made up of computer scientists who are deeply skeptical of electronic voting.
For one (long and nerdy) view of what it would take to create secure internet voting, check out U.S. Vote Foundation/Galois, The Future of Voting (July 2015). https://www.usvotefoundation.org/sites/default/files/E2EVIV_full_report.pdf
Note new date
|Future of Cybersecurity||
What do contests for control over internet governance mean for cybersecurity?
See 11/28 readings (Barlow and Grimmelmann)
CLTC, Cybersecurity Futures 2020 (2016)
|Discussion Group 3 on call||What will be the competitive dynamics among individuals, nation-states, and non-state actors?|
|How might we redesign the internet for security?|
|What power should professionals and institutions have with regard to choosing what is exogenous to the cybersecurity system?|
|What are the most consequential decisions you will make as a cybersecurity professional?|
|Final Exam Review Session||
Note new date
This is at our usual time, in our usual room.
Exam is at 1:30 pm in Berkeley Law Room 105
Schedule is here.