Course Syllabus

Professors Jennifer M. Urban & Chris Jay Hoofnagle
Law 276.11 (for law students, CCN32294)
Info 290.001 (for graduate students, CCN17573; undergraduates by permission)
MW 11:20–12:35*
*Please note, we start at 11:20 (not Berkeley time)
Boalt Hall Room 132

Office Hours: Tuesdays, 11 am, 342 North Addition (Prof. Urban's office)

Cybersecurity has become instrumental to economic activity and human rights alike. But as digital technologies penetrate deeply into almost every aspect of human experience, a broad range of social-political-economic-legal-ethical-military and other considerations have come to envelop the cybersecurity landscape. Cybersecurity in Context will explore the most important elements that shape the playing field on which cybersecurity problems emerge and are managed. The course will emphasize how ethical, legal, and economic frameworks enable and constrain security technologies and policies. It will introduce some of the most important macro-elements (such as national security considerations and the interests of nation-states) and micro-elements (such as behavioral economic insights into how people understand and interact with security features). Specific topics include policymaking (on the national, international, and organizational level), business models, legal frameworks (including duties of security, privacy issues, law enforcement access issues, computer hacking, and economic/military espionage), standards making, and the roles of users, government, and industry.

Readings

We will use a course reader. All readings are freely accessible if you use the UC-Berkeley VPN or the library proxy.

Several of the readings come from Chris Jay Hoofnagle, Federal Trade Commission privacy law and policy (Cambridge University Press, 2016). You can get this book free by using the VPN and visiting this link: http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292

Questions about Cybersecurity in Context

Q. Do I need technical knowledge to take Cybersecurity in Context?

A. No. This course is about the wrapping elements of cybersecurity.

We do ask you to learn the basics: the difference between circuit-switched phone networks, and packet-switched internet ones, about the different layers of the internet, and how attacks on the confidentiality and integrity of data, and attacks on access to computers can occur on those different layers. We will have in-class content and readings to explain these topics. Look at the optional readings in the first week to get an idea of how technically sophisticated the reading will be.

Q. How does Cybersecurity in Context differ from the Cybersecurity Reading Group?

A. The reading group is a discussion seminar focusing on academic writings in cybersecurity, typically organized around a specific theme, such as cyber conflict. Cybersecurity in Context is a podium-lecture course covering the main themes in cybersecurity.

Q. I am a undergraduate. May I enroll?

A. The course is likely to be full, but if we have space we will enroll undergraduates in Info 290. We will enroll undergraduates after the graduate registration period, in August. We ask undergraduate students to email us the following information by August 1st:

1. I am an upper-division student [Yes/No]
2. What year?
3. I understand and accept that this is a graduate-level class, with graduate-level materials and pacing. [Yes/No]
4. I understand and accept that participation in class discussion is expected, even if the class is larger than most undergraduate courses that expect this (in grad and law school classes, for example, students participate in discussion in 50-100-person classes). [Yes/No]
5. I would like to take this class because: [Please tell us why you would like to take the class.]
6. I would contribute to this class because: [Please tell us why you would contribute to the class. For example, your major is relevant to topics in the class; you are doing an undergrad thesis on a relevant topic; you worked on relevant issues prior to coming to Berkeley; etc.]

Class Participation

We will be using Poll Everywhere, along with "on call" groups in order to have inclusive participation in this large course. You can participate in Poll Everywhere voting by visiting this website: https://pollev.com/CYBEAR 

You can also download the Poll Everywhere app: https://www.polleverywhere.com/mobile 

Assessment

Readings will be posted on the course webpage at least one week in advance Students will be evaluated on the following:

  • Students are expected to read, watch, or listen to all assigned materials and be prepared to participate actively in class activities and discussion. We will have “on call” students. We won't always discuss the readings in detail, but they are necessary for understanding the higher-level class themes.
  • Students are expected to complete occasional exercises, such as the “ping” and “traceroute” exercises.
  • Students are expected to participate in group exercises.
  • Students are expected to prepare questions for our guest speakers during the course of the semester.
  • Students are expected to regularly attend class according to the policy described below.
  • The final exam for the class.

The class will be graded on the basis of the final exam (70%) and attendance at and participation in the class sessions (30%). In grading, we will consider the final exam, whether students complete all of the home and in-class exercises and material for guest speakers, the quantity and quality of class participation (including session leadership and participation during other sessions). Please note that the quality of class participation—and, indeed, whether it is of appropriate quantity—may be enhanced in some cases by speaking up, and in some cases by giving others room to speak.

Note for non-law students. Law classes commonly use the “on call” method for class participation that we will employ in this class. Students will be assigned classes for which they are “on call.” While everyone is expected to participate regularly in class discussion, “on-call” students can expect to be called on and to be responsible for anchoring class discussion. This is straightforward in practice, but please don’t hesitate to check with us if you have questions.

Technical and legal aspects of the class. Cybersecurity requires cooperation among many different kinds of experts, and this interdisciplinary class provides an opportunity to consider the different types of expertise you may encounter and how to communicate across types of expertise.

You do not need a technical background for this class. You do need to learn the basics: the difference between circuit-switched phone networks, and packet-switched internet ones, about the different layers of the internet, and how attacks on the confidentiality and integrity of data, and attacks on access to computers can occur on those different layers. We will have in-class content and readings to explain these topics. Look at the optional readings for the first week to get an idea of how technically sophisticated the reading will be. While you will not be expected to become expert in non-legal subject matter, you will be expected develop the ability to understand non-legal subject matter sufficiently to comment on it intelligently and apply it to law and policy. Lawyers are generalists—they are expected to learn and apply many kinds of information throughout our careers. Being a competent lawyer requires the ability to understand the facts and theories that underlie or touch upon a legal problem.

Similarly, you do not need a legal background for this class, but you will be expected to learn the legal information we cover and the basics of how law operates in the cybersecurity field.

Course Policies

Attendance. Attendance is required.

Laptops & Other Electronic Devices. Class is, in part, discussion-based and interactive. Research shows that electronic devices can inhibit participation and learning in classroom settings. To allow everyone to participate fully in the discussion and avoid distractions, we ask that you keep your laptop generally closed and other electronic devices turned off and put away during class. You may open your laptop to access and refer to reading assignments when needed; otherwise, please leave it closed.

Credit Hours, Exams, Accommodation. A “credit hour” at Berkeley Law is an amount of work that reasonably approximates four hours of work per week for 15 weeks, including a) classroom time, b) time spent preparing for class, c) time spent studying for, and taking, final exams, d) time spent researching, writing, and revising papers and other written work, and e) time spent preparing for and completing any other final project, presentation, or performance. For the purposes of these calculations, 50 minutes of classroom instruction counts as one hour, and the 15 weeks includes the exam period. You can expect to spend this amount of time per unit per week on out-of class, course-related work as described above.

Student Services schedules all exams, including accommodated exams, as the law school is committed to anonymous grading.   Any student who seeks an accommodated or rescheduled exam for documented medical reasons or for religious observance should contact Student Services in 280 Simon Hall, 510-643-2744, imayer@law.berkeley.edu.

Learning Outcomes

Berkeley Law Learning Outcomes. Berkeley Law has identified several school-wide learning outcomes that you will recognize in Cybersecurity in Context:

(a) Knowledge and understanding of substantive and procedural law (as covered by the class);

(b) Legal analysis and reasoning, legal research, problem-solving, and written and oral communication in the legal context (including class exercises and discussion);

(c) Exercise of proper professional and ethical responsibilities to clients and the legal system (with regard to ethical responses to cybersecurity challenges);

(d) Other professional skills needed for competent and ethical participation as a member of the legal profession (with regard to competent and ethical responses to cybersecurity challenges); and

(e) Using the law to solve real-world problems and to create a more just society (including using the law appropriately to solve cybersecurity problems and address cyber threats, and analyzing tools other than law are appropriate).

Course-Specific Learning Outcomes. In addition to the general learning outcomes listed above, students in this class will be expected to:

  • Understand the elements that define “cybersecurity;”
  • Understand the legal, social, and political frameworks that affect cybersecurity;
  • Identify and define challenges to achieving cybersecurity;
  • Identify and explain social, legal, political, and economic impediments to cybersecurity;
  • Suggest approaches to maintain a reasonable state of cybersecurity and to address breaches effectively, ethically, and according to law; and
  • Identify main tradeoffs between different cybersecurity-related interests (e.g., between economics and security levels; between law enforcement and civil liberties; between private interests and public interests).

Course Schedule

# Date Topics Learning Goals Reading
1a 20-Aug Introduction to the course: Why Cybersecurity in Context Course Intro: why cybersecurity "in context?" At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues (David Clark, Thomas Berson, and Herbert S. Lin, Editors)(National Academies Press 2014) pp. 1–52. You can get this excellent little book free from NAS here: https://www.nap.edu/catalog/18749/at-the-nexus-of-cybersecurity-and-public-policy-some-basic 
Why Cybersecurity is Important Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff. 2009. A brief history of the internet. SIGCOMM Comput. Commun. Rev. 39, 5 (October 2009), 22-31, https://dl.acm.org/citation.cfm?id=1629613 
The different "law of cybersecurity"--public law, private law, international law Commotion, Learn Networking Basics (n.d.), https://commotionwireless.net/docs/cck/networking/learn-networking-basics/ 
Rus Shuler, How Does the Internet Work? (2002), https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm 
Optional: NICCS, A Glossary of Common Cybersecurity Terminology (2017), https://niccs.us-cert.gov/glossary 
Do the how the internet works module on bCourses
1b 22-Aug Cybersecurity in Context Continued What is encompassed by narrow and broad definitions of cybersecurity? Graduate students: please view the video of Monday's class (the law students started on Monday) and do all of Monday's readings
By focusing on cybersecurity, are structuring the debate such that it empowers certain actors and interests? Helen Nissenbaum, Where Computer Security Meets National Security, 7 Ethics and Information Technology 7:61–73 (2005), https://www.nyu.edu/projects/nissenbaum/papers/ETINsecurity.pdf 
The evolution of cyber attacks: actors, motives, techniques, surfaces Jason Faulkner, Online security: Breaking down the anatomy of a phishing email, How-to Geek, April 13 2011, https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/ 
Raphael Satter, Jeff Donn, and Chad Day, Inside Story: How Russians Hacked the Democrats' Emails, AP, Nov. 4, 2017, https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a/Inside-story:-How-Russians-hacked-the-Democrats%27-emails 
Do the Internet of Insecure Things module on bCourses
2a 27-Aug Defining Challenges: Anonymity and Attribution Introduction to Traceability Online Herbert Lin, Attribution Soup to Nuts, Hoover Institute Aegis Paper Series No. 1607 (2016), https://www.hoover.org/sites/default/files/research/docs/lin_webready.pdf 
Discussion Group 1 on call Attribution: electrons do not wear uniforms, yet the demands of more specific attribution are growing Mandiant, APT1: Exposing One of China’s Cyber Espionage Units (2014) pp 1–60, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf 
Structural, legal, and economic factors influence the amount of “anonymity” on the Internet
Anonymity stages new conflicts surrounding the power of nation-states in control of the internet, leading to empowerment of non-state actors
How networks work: firewalls, encryption, routers, and switches

Optional/Background:

What's a backdoor? https://www.wired.com/2014/12/hacker-lexicon-backdoor/

How actors penetrate networks
2b 29-Aug Defining Challenges: The Economics of Cybersecurity Incentives and Disincentives Ross Anderson, Why information security is hard - an economic perspective, Computer Security Applications Conference, 2001, http://ieeexplore.ieee.org/document/991552/ 
Discussion Group 2 on call The Ross Anderson Critique Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Options (a single chapter) in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010), download the chapter here, or the full book: https://www.nap.edu/catalog/12997/proceedings-of-a-workshop-on-deterring-cyberattacks-informing-strategies-and 
The Cybersecurity Industry  Watch interview with Professor Steven Bellovin on the fundamental cyber problems (in Files>Videos).
The Economics of Cyber Crime
3a 5-Sep Defining Challenges: Cybersecutity Key Actors & Conflicts Who are the key stakeholders in cybersecurity and why are they important? Paul Rosenzweig, The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence, Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010), https://www.nap.edu/read/12997/chapter/18 
Discussion Group 3 on call How do stakeholder interests align and misalign? Deirdre K. Mulligan & Fred B. Schneider, Doctrine for Cybersecurity, 140(4) Daedalus 70–92 (2011), http://www.mitpressjournals.org/doi/abs/10.1162/DAED_a_00116 
The American approach of "public-private cybersecurity" Watch interview with Professor Kirsten Eichensehr (in Files>Videos)
Security as a contested value; considering the non-economic barriers to security, such as free speech Watch interview with Professor Laura DeNardis (in Files>Videos)
3b 10-Sep Defining Challenges: The Human Factor Psychology and Security Shari Lawrence Pfleeger & Deanna D. Caputo, Leveraging behavioral science to mitigate cyber security risk, 31(4) Computers & Security 597–611 (2012), http://www.sciencedirect.com/science/article/pii/S0167404811001659 
Discussion Group 4 on call How will cybersecurity professionals react to individual-level decision making by users? Skim: Verizon, Verizon 2018 Data Breach Investigations Report (DBIR) (2017), pp. 1–47, 60–62, https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf
4a 12-Sep Does the FTC Own Cybersecurity? What is the law of cybersecurity emerging from the FTC? Chris Jay Hoofnagle, Federal Trade Commisison Privacy Law and Policy, Chapter 5, You can get this book free by using the VPN and visiting this link: http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292
Discussion Group 1 on call Whence does this "law" come? FTC v. Wyndham et al., No. 14-3514 (3rd Cir. 2014), http://www2.ca3.uscourts.gov/opinarch/143514p.pdf 
GDPR Article 32, and Recitals 39, 49, 81, 83. The recitals are the text at the beginning of the document following "Whereas" https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN 
4b 17-Sep FTC Cybersecurity Continued Understanding the evolution of cybersecurtity duties of care Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy, Chapter 8
Discussion Group 2 on call LabMD v. FTC, No. 16-16270 (11th Cir. 2018), http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf 
Watch interview with Professor Steve Bellovin on the FTC and reasonable security (see files > Videos).
5a 19-Sep Security Breach Notification Security breach notification (SBN) laws proliferated across the country and now almost any business can have a security incident that causes a notification requirement California Department of Justice, 2016 Data Breach Report (2016), pp. iii-38, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf 
Discussion Group 3 on call What duty to monitor is imposed by SBN? Perkins Coie LLP, Security Breach Notification Chart (skim), https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html 
How are SBN laws evolving? How should they evolve? Do we want notice of security breaches, or something else? Kim Zetter, Hackers Finally Post Stolen Ashley Madison Data, Wired Aug. 18, 2015. https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/ 
What are the expanding notions of people who should give notice of breaches GDPR Recitals 85–88 (these are the numbered clauses following "Whereas") and Articles 33, 34. Under Article 4, a "personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." "Personal data" means "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN 
5b 24-Sep Jonathan Jaffe, Views from Practice: The Cybersecurity Consultant (confirmed) How to institutions prepare for, respond to, and avoid security breaches? Electronic Frontier Foundation, Assessing Your Risks (2017).
Discussion Group 4 on call How to do threat modeling EFF Threat Modeling Worksheet.
Do the Have I Been Pwned module.
6a 26-Sep Defining Challenges: The Role of Standards in a Connected Economy Introduction to two cybersecurity approaches: NIST Cybersecurity and PCI-DSS NIST Cybersecurity Framework (draft version 1.1), pp 1–13, then skim 14–46, https://www.nist.gov/file/344206 
Discussion Group 1 on call PWC, Why you should adopt the NIST Cybersecurity Framework (2014), https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf 
TechTarget.com, The history of the PCI DSS standard: A visual timeline (2014), http://searchsecurity.techtarget.com/feature/The-history-of-the-PCI-DSS-standard-A-visual-timeline 
SANS, Compliant but not Secure: Why PCI-Certified Companies Are Being Breached, pp 1–12 (2015) https://www.sans.org/reading-room/whitepapers/compliance/compliant-secure-pci-certified-companies-breached-36497 
6b 1-Oct ECPA & SCA: Law Enforcement Acess to User Data What is it that law enforcement agencies (LEAs) want and why?  Orin S. Kerr, A User's Guide to the Stored Communications Act, and I Legislator's Guide to Amending It, 72(6) George Washington Law Review 1208, pp 1208–1224 (2004). Please be sure to study the chart on page 1223, https://heinonline.org/HOL/P?h=hein.journals/gwlr72&i=1222 
Discussion Group 2 on call Should systems be built to accommodate law enforcement access? Best Practices for Working with Companies, Appendix C in U.S. DOJ Prosecuting Computer Crimes (2010), https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf 
When is there a legal duty to report? The Cloud Act
How communications privacy laws shape cybersecurity  
7a 3 Oct Cybersecurity and Intellectual Property 1 Kinship between IP (valuable information) protection and cybersecurity DTSA, EEA, Trade Secrets and high level security through obscurity Charles Doyle, Stealing Trade Secrets and Economic Espionage: An Overview of the Economic Espionage Act. Please be sure to consider the definition of a trade secret and how it is protected according to the EEA and the DTSA, https://fas.org/sgp/crs/secrecy/R42681.pdf 
Discussion Group 3 on call Effects of IP laws on cybersecurity development: Emily Mossburg, J. Donald Fancher, and John Gelinne, The Hidden Costs of an IP Breach  (Deloitte) (2016), https://www2.deloitte.com/content/dam/insights/us/articles/loss-of-intellectual-property-ip-breach/DR19_TheHiddenCostsOfAnIPBreach.pdf 
a) incentives to create tools Optional overview on IPRs:  James M. Singer, Esq. (Fox Rothschild LLP), IP Stategies for Next-Generation Cybersecurity Technologies (2018), https://www.foxrothschild.com/content/uploads/2018/02/Ebook-Intellectual-Property-Strategies-for-Next-Generation-Cybersecurity-Technologies-James-M.-Singer-April-2018.pdf 
b) effect on standards and interoperability: open source, IP-encumbered standards
7b 8-Oct Jim Dempsey, Views from Practice: Surveillance Policy (confirmed) To what extent can network operators monitor their users? 18 USC 2511(2)(a)(i)
Discussion Group 1 on call EINSTEIN 3: Intrusion prevention system for the federal executive branch. 18 USC 2511(2)(i)
Foreign Intelligence Surveillance Act § 702 and Cybersecurity 18  USC 3121(b)
6 USC 1503
8a 10-Oct Cybersecurity and IP 2: DMCA Anticircumvention What are the substantive provisions of the DMCA that may affect cybersecurity? 17 USC 1201
Discussion Group 4 on call

How do the sharp contours of "anti-circumvention" under the DMCA affect cyberscurity? 

What code circumventions exceed the "security researcher" exemptions in the DMCA? Do they have a practical effect?

Cybersecurity Research: Addressing the Legal Barriers and Disincentives: Report of a Workshop Convened by the Berkeley Center for Law & Technology, the UC Berkeley School of Information and the International Computer Science Institute under a grant from the National Science Foundation (2015), https://www.ischool.berkeley.edu/sites/default/files/cybersec-research-nsf-workshop.pdf 

 

8b 15-Oct Computer Fraud and Abuse Act (CFAA) Part 1

What are the substantive provisions of the Computer Fraud and Abuse Act?

How do the contours of hacking affect cybersecurity at the macro and micro levels?

 

Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service, Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf 
Discussion Group 1 on call We conceive of hacking through the lens of trespass. Illegal hacking follows some of the same contours of trespass law.

18 USC 1030

 

9a 17-Oct CFAA Part 2 Authorization's three lenses: code, contract, and social norms Review Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service, Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf 
Discussion Group 2 on call What violations of agreements are serious enough to be criminal? Matthew Bunn and Scott D. Sagan, A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes, American Academy of Arts and Sciences (2014), https://www.amacad.org/content/publications/publication.aspx?d=1425 
What misuses of computers are so serious that we as a society consider it criminal?
9b 22-Oct Becky Richards,Views from Practice: The IC View (confirmed) Cyber and the Intelligence Community  NSC, Vulnerabilities Equities Policy and Process for the United States Government, November 15, 2017 (pay particular attention to §5 and annex B)
All discussion groups on call Understanding the Vulnerabilities Equities Policy and Process Executive Order 12333,United States intelligence activities, 46 FR 59941, Dec. 4, 1981.
National Security Directive 42, July 5, 1990.
Vulnerabilities Equity Policy hypothetical

 

10a 24-Oct

Critical Infrastructure

and Information-Sharing

 

What is critical infrastructure (CI)?

What definition of "cybersecurity" is appropriate to use in securing CI?

Who are the actors involved in attacking and securing CI?

What are the economic interests relevant to securing CI? What are the legal and behavioral dynamics?

How is the task of securing CI changing with increasing networked systems (e.g., the "smart" electricity grid)?

Kelly Jackson Higgins. Lessons from the Ukraine electric grid hack. Information Week, March 18, 2016, https://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743 

Jennifer M. Urban, Chapter 22: Privacy issues in smart grid deployment, in Research Handbook on Intellectual Property and Climate Change (2016), pages 1-5 (up to "Privacy issues presented by the smart grid system") and pages 16-17 ("Note on on cyber-security issues") only.

NIST, NISTIR 7628, Guidelines for Smart Grid Security, Sept. 2014, http://dx.doi.org/10.6028/NIST.IR.7628r1 - page 1-5 only - this is a 668-page document; don't worry when you open it! We want you to read only the introductory pages (Chapter 1 up to 1.2) focusing on: how NIST is defining cybersecurity, who the actors are, and identifying the NISTIR's general approach to securing the smart grid. You can skim over the discussion of what has been added since the last version.

 

Discussion Group 4 on call How might information sharing affect cybersecurity risk?

Mark Bowden, The Enemy Within, Vanity Fair (2010), https://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/308098/ 

Cybersecurity Information Sharing Act of 2015

Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS)(Please note, this is a TLP: Amber document and it is not allowed to be circulated. Please do not circulate it outside the class. We are including it here because its full text was uploaded into a regulatory petition, and as a result, it is formally part of the public record. We are including it so that you can see an example of the kinds of "indicators of compromise" information sharing that exists.
 

Optional/Further background reading:

10b 29-Oct Michael Nacht, Views from Practice: Global Strategy (confirmed) The Stuxnet Attack David Sanger, Confront and Conceal, Obama's Secret Wars and Surprising Use of American Power, chapter 8 (2012)
Discussion Group 2 on call
11a 31-Oct

 

Cyber in Financial Services

Financial services companies have vast privacy and security requirements FTC, Financial Institutions and Customer Information: Complying with the Safeguards Rule (2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying 
Discussion Group 3 on call In practice, cyber responsibilities of financial services companies reach far because service providers and contractors are held to the same standards. Regulators are elevating responsibility to the board room.
In financial services, CIA is an animating value, but so is safety and soundness of the banking system
Consider the political economy of the battle between state-level developments and desire for federal preemption of states.
5-Nov

No Class Today: Rescheduled

The class make-up will be on Friday, November 16, from 1 pm to 2:15 pm in Room 132 (our usual room)

 

 

11b 7-Nov

Two Key Tussles: 1) Harassment and Extortion Online

2) Apple v. FBI & Key Escrow Encryption

Is freedom from harrassment a cybersecurity issue?

 

Benjamin Wittes, Cody Poplin, Quinta Jurecic & Clara Spera, Sextortion: Cybersecurity, teenagers, and remote sexual assault, pp. 1–9 (May 2016), https://www.brookings.edu/wp-content/uploads/2016/05/sextortion1-1.pdf 

 

 

Discussion Group 4 on call

 

How have aggressors used the internet to attack individuals?

Nellie Bowles, Thermostats, Locks and Lights: Digital Tools of Domestic Abuse, NY Times, Jun. 23, 2018, https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html 

Danielle Keats Citron, Cyber Civil Rights, 89 Boston Univ. Law Rev. 61, pp. 61–84 (2009), http://www.bu.edu/law/journals-archive/bulr/volume89n1/documents/CITRON.pdf 

 

 

Should companies adopt key escrow or other methods for allowing LEA access?

Harold Abelson et al., Keys under doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1), September 2015, https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8 

Optional/Further reading: Marlisse Silver Sweeney, "What the Law Can (and Can't" Do About Online Harassment?"The Altantic, Nov. 12, 2014: https://www.theatlantic.com/technology/archive/2014/11/what-the-law-can-and-cant-do-about-online-harassment/382638/ (includes interview with Danielle Citron).

 

12-Nov

 

No Class Today:

Veterans Day Observed

No classes meet

12a 14-Nov

1) Online Harassment 2

2) Decryption Mandates

3) Cyber War

Please see questions above (for 7 Nov) as a reminder on the first two topics.

Cyber War (we will continue this on Friday 16 Nov), but begin it during this class if there is time. All readings and questions are listed here. Questions to consider:

What are the legal and policy contours of cyber conflict so serious that it constitutes ”war?”

Thomas Rid, Cyber War Will Not Take Place, 35(1) Journal of Strategic Studies 5-32 (2011), https://www.tandfonline.com/doi/pdf/10.1080/01402390.2011.608939 
Discussion Group 1 on call Has the focus on “war” turned our attention away from the dominance of cyber espionage? John Arquilla, Cyberwar is Already Upon Us, Foreign Policy (2012), http://foreignpolicy.com/2012/02/27/cyberwar-is-already-upon-us/ 
What is the future of cyber conflict likely to look like? Jason Healey. Learn cyber conflict history, or doom yourself to repeat it. Armed Forces Journal, December 17, 2013, http://armedforcesjournal.com/learn-cyber-conflict-history-or-doom-yourself-to-repeat-it/ 
Deterrence, Compellence, and Understanding the history of cyber conflict Richard B. Gasparre. The Israeli 'E-tack' on Syria--Part I. Air Force Technology.com, March 10, 2008, http://www.airforce-technology.com/features/feature1625/ 
12b 16-Nov at 1 pm. 
Cyber War

This is a make-up class. Please note that the day of the week (Friday) and time (1 pm). We were going to be in our usual room, but classes were cancelled. We met via Zoom and recorded.

The Zoom video can be found in Files>Videos

Charles K. Bartles, Getting Gerasimov Right, Military Review, Jan/Feb 2016, https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20160228_art009.pdf   
Discussion Group 2 on call Optional: Government Accountability Office, "Weapons System Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities," (Oct. 2018), https://www.gao.gov/assets/700/694913.pdf
13a 19-Nov Note: classes cancelled by university due to air quality concerns. Rescheduled to 11/27.  

 

13a 26-Nov John Yoo, Views from Practice: The Policy Lawyer (confirmed, okay to record)   John Yoo, Embracing the Machines: Rationalist War and New Weapons Technologies, 105 California Law Review 443 (2017), https://scholarship.law.berkeley.edu/californialawreview/vol105/iss2/4/ 
Discussion Group 4 on call
13b 27-Nov

Jonathan Reiber, Views from Practice: DoD Strategy (confirmed)

(rescheduled from 11/19)

Discussion Group 3 on call

 

Department of Defense, Cyber Strategy Summary 2018

Jonathan Reiber, "What Happens When the US Starts to 'Defend Forward' in Cyberspace?" https://www.defenseone.com/ideas/2018/11/what-happens-when-us-starts-defend-forward-cyberspace/152580/

Jonathan Reiber, "China Is the Top Long-Term Threat in Cyberspace," https://www.nextgov.com/ideas/2018/11/china-top-long-term-threat-cyberspace/152588/

 

14a 28-Nov

1) Hacking and Integrity of Democracy

2) Control,  Civility, or Chaos?

Topic 1:

Should elections or election infrastructure be considered "critical infrastructure"? What would be the implications of this?

What constitutes a "cybersecurity" problem for election integrity?

What is the right balance between election security and voting rights?

Topic 2:

How much, and what type, of control will be imposed upon the internet?

Statement of Ryan Goodman on Election Interference before the U.S. Senate Committee on the Judiciary (pages 1-8), Jun. 12, 2018

Verified Voting, Statement in Response to NIST Request for Information regarding the Cybersecurity Framework, April 8, 2018.

John Perry Barlow, A Declaration of the Independence of Cyberspace, Feb. 1996, https://www.eff.org/cyberspace-independence 

James Grimmelmann, Death of a data haven: cypherpunks, WikiLeaks, and the world’s smallest nation, ArsTechnica, Mar. 28, 2012.

Discussion Group 1 on call

Optional:

If you're interested in the topic of election hacking (of the machines and systems), poke around www.verifiedvoting.org - they have tons and tons of information. Verified Voting is mainly made up of computer scientists who are deeply skeptical of electronic voting.

For one (long and nerdy) view of what it would take to create secure internet voting, check out U.S. Vote Foundation/Galois, The Future of Voting (July 2015). https://www.usvotefoundation.org/sites/default/files/E2EVIV_full_report.pdf

14b

3-De, c

Note new date

Future of Cybersecurity

 

What do contests for control over internet governance mean for cybersecurity?

See 11/28 readings (Barlow and Grimmelman)

Optional:

CLTC, Cybersecurity Futures 2020 (2016)

Discussion Group 3 on call What will be the competitive dynamics among individuals, nation-states, and non-state actors
How might we redesign the internet for security?
What power should professionals and institutions have with regard to choosing what is exogenous to the cybersecurity system?
What are the most consequential decisions you will make as a cybersecurity professional?
Final Exam Review Session

5-Dec

Note new date

This is at our usual time, in our usual room.

 

Final Exam 11-Dec

Exam is at 1:30 pm in Berkeley Law Room 105

Schedule is here.

 

Course Summary:

Date Details Due