Course Syllabus

Cybersecurity in Context (Fall 2020)

MW 11:20 AM - 12:45 PM
Location: Internet/Online
From August 26, 2020
To November 24, 2020

Law Class Number: 32620 / 276.11 sec. 001
Info: 290 sec 005

Instructor: Chris Hoofnagle, Berkeley Law North Addition 341
My Zoom room: Zoom Links

Office Hours: Wednesdays, 2:00–3:00 by zoom

Cybersecurity has become instrumental to economic activity and human rights alike. But as digital technologies penetrate deeply into almost every aspect of human experience, a broad range of social-political-economic-legal-ethical-military and other considerations have come to envelop the cybersecurity landscape. Cybersecurity in Context will explore the most important elements that shape the playing field on which cybersecurity problems emerge and are managed. The course will emphasize how ethical, legal, and economic frameworks enable and constrain security technologies and policies. It will introduce some of the most important macro-elements (such as national security considerations and the interests of nation-states) and micro-elements (such as behavioral economic insights into how people understand and interact with security features). Specific topics include policymaking (on the national, international, and organizational level), business models, legal frameworks (including duties of security, privacy issues, law enforcement access issues, computer hacking, and economic/military espionage), standards making, and the roles of users, government, and industry.

Cybears

Are you interested in a career in cybersecurity? See our FAQ on cybersecurity resources at Cal.

Readings

We will use a course reader. All readings are freely accessible if you use the UC-Berkeley VPN or the library proxy.

Several of the readings come from Chris Jay Hoofnagle, Federal Trade Commission privacy law and policy (Cambridge University Press, 2016). You can get this book free by using the VPN and visiting this link: http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292


Class Schedule

Each session below lists, in order: session number, date, topic, learning goals, readings and assignments, and the "on call" group for that day.

Module 1: Foundations
1a | 26-Aug | Introduction to the course | On call: 1
Learning goals:
  - Introduction to the contested definition(s) of "cybersecurity"
  - What is cybersecurity? What is encompassed by narrow and broad definitions of cybersecurity?
  - Why cybersecurity in context?
Readings:
  - Syllabus: please read the class description, learning goals, policies, and class information.
  - Please watch the recorded lecture (1a).
  - David Clark, Thomas Berson, and Herbert S. Lin (eds.), At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues (National Academies Press 2014), chapters 1–2, pp. 1–28. You can get this excellent little book free from NAS here: https://www.nap.edu/catalog/18749/at-the-nexus-of-cybersecurity-and-public-policy-some-basic
  - Helen Nissenbaum, Where Computer Security Meets National Security, 7 Ethics and Information Technology 61–73 (2005), https://nissenbaum.tech.cornell.edu/papers/ETINsecurity.pdf
Assignment: Please 1) fill out the brief class survey at https://berkeley.qualtrics.com/jfe/form/SV_8epWqhTYYguoIBL and 2) introduce yourself on bCourses in the discussion area.
1b | 31-Aug | Defining Cybersecurity II; Technology Basics I | On call: 2
Learning goals:
  - What do we mean by "cyber" attacks and "cyber" security?
  - How does the architecture of the Internet support or undermine security?
  - The evolution of cyber attacks: actors, motives, techniques, surfaces
Readings:
  - Please watch the recorded lecture (1b).
  - Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff, A brief history of the internet, SIGCOMM Comput. Commun. Rev. 39(5):22–31 (October 2009), https://dl.acm.org/citation.cfm?id=1629613
  - Rus Shuler, How Does the Internet Work? (2002), https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm
  - Lin Clark, "A cartoon intro to DNS over HTTPS," Mozilla Hacks (May 31, 2018), https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
Assignment: Do the How the Internet Works module on bCourses:
  1) Traceroute
  2) Email headers
  3) Cyber has place
Optional/Recommended Background:
  - Commotion, Learn Networking Basics (n.d.), https://commotionwireless.net/docs/cck/networking/learn-networking-basics/
  - NICCS, A Glossary of Common Cybersecurity Terminology (2017), https://niccs.us-cert.gov/glossary
2a | 2-Sep | Technology Basics II | On call: 3
Learning goals:
  - The evolution of cyber attacks: actors, motives, techniques, surfaces, cont.
  - How networks work: firewalls, encryption, routers, and switches
  - How actors penetrate networks
  - Why are networks becoming harder to secure?
Readings:
  - AFCEA International Cyber Committee, "The Security Implications of the Internet of Things" (2015), https://www.afcea.org/committees/cyber/documents/internetofthingsfinal.pdf
  - Raphael Satter, Jeff Donn, and Chad Day, Inside Story: How Russians Hacked the Democrats' Emails, AP, Nov. 4, 2017, https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a/Inside-story:-How-Russians-hacked-the-Democrats%27-emails
  - Jason Faulkner, Online security: Breaking down the anatomy of a phishing email, How-To Geek, April 13, 2011, https://www.howtogeek.com/58642/online-security-breaking-down-the-anatomy-of-a-phishing-email/
Assignment: Do the Internet of Insecure Things module on bCourses.
Optional/Background:
  - What's a backdoor? https://www.wired.com/2014/12/hacker-lexicon-backdoor/
7-Sep | Holiday (Labor Day); no class
2b | 9-Sep | The Human Factor I: Cybersecurity Key Actors and Conflicts | On call: 4
Learning goals:
  - Who are the key stakeholders in cybersecurity and why are they important?
  - By focusing on cybersecurity, are we structuring the debate so that it empowers certain actors and interests?
  - How do human organizations affect and address cybersecurity?
  - Security as a contested value; considering the non-economic barriers to security, such as free speech
Readings:
  - Paul Rosenzweig, The Organization of the United States Government and Private Sector for Achieving Cyber Deterrence, in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010), https://www.nap.edu/read/12997/chapter/18
  - Deirdre K. Mulligan & Fred B. Schneider, Doctrine for Cybersecurity, 140(4) Daedalus 70–92 (2011), http://www.mitpressjournals.org/doi/abs/10.1162/DAED_a_00116
  - Watch the interview with Professor Kirsten Eichensehr (in Files > Videos).
  - Watch the interview with Professor Laura DeNardis (in Files > Videos).
Module 2: Basic Cybersecurity Challenges

3a | 14-Sep | Defining Challenges: Anonymity and Attribution | On call: not listed
Learning goals:
  - Introduction to traceability online
  - Attribution: electrons do not wear uniforms, yet the demands for more specific attribution are growing
  - Structural, legal, and economic factors influence the amount of "anonymity" on the Internet
  - Anonymity stages new conflicts surrounding the power of nation-states in control of the internet, leading to the empowerment of non-state actors
Readings:
  - Herbert Lin, Attribution of Malicious Cyber Incidents: From Soup to Nuts, Hoover Institution Aegis Paper Series No. 1607 (2016), https://www.hoover.org/sites/default/files/research/docs/lin_webready.pdf
Optional/Background:
  - Milton Mueller, Karl Grindal, Brenden Kuerbis, and Farzaneh Badiei, Cyber Attribution: Can a New Institution Achieve Transactional Credibility?, The Cyber Defense Review 4(1):107–121 (Spring 2019), https://cyberdefensereview.army.mil/Portals/6/9_MUELLER_CDR_V4N1.pdf?ver=2019-04-30-105159-563
  - Mandiant, APT1: Exposing One of China's Cyber Espionage Units (2013), pp. 1–60, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
  - Office of the Director of National Intelligence, "Assessing Russian Activities and Intentions in Recent US Elections," Jan. 2017, https://www.dni.gov/files/documents/ICA_2017_01.pdf
3b | 16-Sep | Defining Challenges: The Human Factor II; The Economics of Cybersecurity | On call: 2
Learning goals:
  - Incentives and disincentives
  - The economics of cyber crime
  - The Ross Anderson critique
Readings:
  - Ross Anderson, Why information security is hard - an economic perspective, Proceedings of the 17th Annual Computer Security Applications Conference (2001), http://ieeexplore.ieee.org/document/991552/
  - Tyler Moore, Introducing the Economics of Cybersecurity: Principles and Policy Options (a single chapter), in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy (2010). Download the chapter here: https://www.nap.edu/read/12997/chapter/3 , or the full book: https://www.nap.edu/catalog/12997/proceedings-of-a-workshop-on-deterring-cyberattacks-informing-strategies-and
  - Watch the interview with Professor Steven Bellovin on the fundamental cyber problems (in Files > Videos).
4a | 21-Sep | Defining Challenges: The Human Factor III: The Psychology and Behavioral Economics of Cybersecurity | On call: 3
Learning goals:
  - What challenges does human psychology pose for cybersecurity?
  - How will cybersecurity professionals react to individual decision-making by users?
Readings:
  - Alma Whitten and J.D. Tygar, "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0," Proceedings of the 8th USENIX Security Symposium (1999), reprinted as Chapter 34 in Security and Usability: Designing Secure Systems that People Can Use, eds. L. Cranor and S. Garfinkel, O'Reilly, 2005, https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten_html/index.html
  - Skim: Verizon, 2020 Data Breach Investigations Report (DBIR) (2020), https://enterprise.verizon.com/resources/reports/dbir/
Assignment: The "Threat Assessment" exercise is due before our next class. Please do this privately; don't actually submit your answers, because they would reveal security issues. For instance, you could fill in the exercise and just save it as a PDF. I'll take your word for it that you completed the assignment. You can find the threat assessment under "Quizzes" in the left-hand navigation bar if the link doesn't work. Please complete it by Tuesday the 22nd so we can discuss it in class on Wednesday.
Optional/Background: This is too long to assign, but it is an excellent resource on usable security if you would like more background on practical security measures, how they work, and their limitations:
  - Simson Garfinkel and Heather Richter Lipford, "Usable Security: History, Themes, and Challenges," 2014, http://www.worldcat.org/oclc/893101704
4b | 23-Sep | Human Factor IV and Consolidation of Module 2 | On call: 4
Review the learning goals from Modules 1 and 2. Be prepared to discuss the threat assessment exercise with reference to what you've learned thus far.
Module 3: Key Cybersecurity Problems and Legal/Policy Responses

5a | 28-Sep | Cyberdefense and Cyberwar | On call: 1
Learning goals:
  - Consider the cybersecurity interests of nation-state actors. Consider and identify "human factors" that undermine or support cyberdefense.
  - What are the legal and policy contours of cyber conflict so serious that it constitutes "war"? How does this relate to cyber espionage?
  - Understand deterrence, compellence, and the basic history of cyber conflict.
Readings:
  - Thomas Rid, Cyber War Will Not Take Place, 35(1) Journal of Strategic Studies 5–32 (2011), https://www.tandfonline.com/doi/pdf/10.1080/01402390.2011.608939
  - John Arquilla, Cyberwar Is Already Upon Us, Foreign Policy (Feb. 27, 2012), http://foreignpolicy.com/2012/02/27/cyberwar-is-already-upon-us/
  - Jason Healey, Learn cyber conflict history, or doom yourself to repeat it, Armed Forces Journal, December 17, 2013, http://armedforcesjournal.com/learn-cyber-conflict-history-or-doom-yourself-to-repeat-it/
  - Richard B. Gasparre, The Israeli 'E-tack' on Syria, Part I, Air Force Technology, March 10, 2008, http://www.airforce-technology.com/features/feature1625/
Optional/Background:
  - Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, https://berkeley.on.worldcat.org/oclc/959552394
5b | 30-Sep | Cyberdefense and Cyberwar, continued | On call: 2
Learning goals:
  - Consider other (non-U.S.) theories of cyberwar.
  - Understand the concept of "defending forward."
  - How does "defending forward" relate to traditional theories of compellence and deterrence?
  - Does "cyber" make defending forward a necessity? Advisable? Inadvisable?
  - How should the Stuxnet attack be categorized? The incursions into the electricity grid?
Readings:
  - Charles K. Bartles, Getting Gerasimov Right, Military Review, Jan/Feb 2016, https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20160228_art009.pdf
  - Michael P. Fischerkeller and Richard J. Harknett, "Deterrence is not a Credible Strategy for Cyberspace," Foreign Policy Research Institute (2017); see Files > Fischerkeller_harknet.pdf
  - Department of Defense, Cyber Strategy Summary (2018), https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
Optional/Background:
  - David Sanger, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, chapter 8 (2012), https://archive.org/details/0307718026COnfrontConceal
  - Government Accountability Office, "Weapons System Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities" (Oct. 2018), https://www.gao.gov/assets/700/694913.pdf
6a | 5-Oct | Securing Critical Infrastructure | On call: 3
Learning goals:
  - What is critical infrastructure (CI)?
  - Who are the actors involved in attacking and securing CI?
  - What definition of "cybersecurity" is appropriate to use in securing CI?
  - What are the economic interests relevant to securing CI? What are the legal and behavioral dynamics?
  - How is the task of securing CI changing with increasingly networked systems (e.g., the "smart" electricity grid)?
Readings:
  - Congressional Research Service, "What Makes an Infrastructure Critical?" (RL31556, 2003), https://fas.org/irp/crs/RL31556.pdf
  - Kelly Jackson Higgins, Lessons from the Ukraine electric grid hack, Dark Reading (InformationWeek), March 18, 2016, https://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743
  - Jennifer M. Urban, Chapter 22: Privacy issues in smart grid deployment, in Research Handbook on Intellectual Property and Climate Change (2016), pages 1–5 (up to "Privacy issues presented by the smart grid system") and pages 16–17 ("Note on cyber-security issues") only. The version in Files is the final, published version, so the pagination is different; if you are using that one, read pages 437–440 and 448–449.
  - NIST, NISTIR 7628 Rev. 1, Guidelines for Smart Grid Cybersecurity, Sept. 2014, http://dx.doi.org/10.6028/NIST.IR.7628r1 , pages 1–5 only. This is a 668-page document; don't worry when you open it! We want you to read only the introductory pages (Chapter 1 up to 1.2), focusing on how NIST defines cybersecurity, who the actors are, and the NISTIR's general approach to securing the smart grid. You can skim the discussion of what has been added since the last version.
  - David E. Sanger and Nicole Perlroth, "U.S. Escalates Online Attacks on Russia's Power Grid," New York Times, June 15, 2019, https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html
6b | 7-Oct | Securing Critical Infrastructure, cont. | On call: 4
Learning goals:
  - Should elections or election infrastructure be considered "critical infrastructure"? What would be the implications of this?
  - What constitutes a "cybersecurity" problem for election integrity?
  - What is the right balance between election security and voting rights? Is it ever OK to connect election machines or systems to the Internet?
  - Circling back to Cyberdefense and Cyberwar, consider the stakes of election hacking. Should we treat it as an act of war? Why or why not? In what circumstances?
Readings:
  - Statement of Ryan Goodman on Election Interference before the U.S. Senate Committee on the Judiciary (pages 1–8), Jun. 12, 2018.
  - Verified Voting, Statement in Response to NIST Request for Information regarding the Cybersecurity Framework, April 8, 2018 (in Files: NIST-RFI-Response-April-8-2013.pdf).
  - Kim Zetter, "Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials," Vice Motherboard, April 8, 2019, https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials
  - Benjamin Dynkin, Barry Dynkin, and Daniel Garrie, "Hacking Elections? An Act of War?", https://www.zeklaw.com/news/hacking-elections-an-act-of-war
  - Max Boot, "Was Russia election hack an act of war?", USA Today, April 6, 2017, https://www.usatoday.com/story/opinion/2017/04/06/russia-election-hack-act-of-war-max-boot-column/100030944/
Optional/Background:
  - If you're interested in the topic of election hacking (of the machines and systems), poke around www.verifiedvoting.org; they have tons of information. Verified Voting is mainly made up of computer scientists who are deeply skeptical of electronic voting.
  - For one (long and nerdy) view of what it would take to create secure internet voting, see U.S. Vote Foundation/Galois, The Future of Voting (July 2015), https://usvotefoundation-drupal.s3.amazonaws.com/prod/E2EVIV_full_report.pdf
7a | 12-Oct | Securing Critical Infrastructure: Responses: The Role of Standards | On call: 1
Learning goals:
  - What role can technical standards play in securing CI?
  - What other sectors might use standards? Why? What are the incentives and disincentives to using standards?
  - Should we consider PCI DSS a "critical infrastructure" standard? Why or why not?
  - What are the limits of standards for cybersecurity? Consider what characteristics of a standard would make it more or less useful for cybersecurity purposes.
Readings:
  - NIST Cybersecurity Framework (version 1.1), pp. v–13; then skim pp. 13–22.
  - Department of Defense, Joint Enterprise Defense Infrastructure (JEDI) Cloud Program: Cyber Security Plan, 11 April 2018 (Draft). This is available in Files. It should give you an idea of a high-level requirements document that implements certain technical standards. Note the list of standards at the back; look them up if you want to see what these look like (recommended but entirely optional).
  - A bit of background on JEDI: Scott Shane, Kate Conger, and Karen Weise, "In Pentagon Contract Fight, Amazon Has Foes in High Places," New York Times, Aug. 2, 2019, https://www.nytimes.com/2019/08/02/us/politics/amazon-pentagon-contract-trump.html ; also available in Files.
  - PwC, Why you should adopt the NIST Cybersecurity Framework (2014), https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf
  - TechTarget, The history of the PCI DSS standard: A visual timeline (2014), http://searchsecurity.techtarget.com/feature/The-history-of-the-PCI-DSS-standard-A-visual-timeline
  - SANS, Compliant but not Secure: Why PCI-Certified Companies Are Being Breached, pp. 1–12 (2015), https://www.sans.org/reading-room/whitepapers/compliance/compliant-secure-pci-certified-companies-breached-36497
7b | 14-Oct | Securing Critical Infrastructure: Responses: The Role of Information-Sharing | On call: 2
Learning goals:
  - How might information sharing affect cybersecurity risk?
  - Understand that we are introducing CISA in the context of CI attacks, but it is not limited to the CI sector. Note, for example, that the Karp piece is written as a primer for corporate actors.
Readings:
  - Cybersecurity Information Sharing Act of 2015 (CISA).
  - ICS-CERT, Alert (ICS-ALERT-14-281-01E): Ongoing Sophisticated Malware Campaign Compromising ICS. (Please note: this is a TLP:AMBER document and it is not allowed to be circulated. Please do not circulate it outside the class. We are including it here because its full text was uploaded into a regulatory petition and, as a result, it is formally part of the public record, and because it shows you an example of the kind of "indicators of compromise" information sharing that exists.)
  - Brad S. Karp, Federal Guidance on the Cybersecurity Information Sharing Act of 2015, Harvard Law School Forum on Corporate Governance, March 3, 2016, https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/
  - Homeland Security/DOJ Guidance Document on CISA (non-federal entity sharing guidance, Sec. 105(a)): https://www.us-cert.gov/sites/default/files/ais_files/Non-Federal_Entity_Sharing_Guidance_%28Sec%20105%28a%29%29.pdf
Optional/Further Background:
  - E-ISAC/SANS report on the Ukraine grid attack: https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
  - US-CERT How-To on Automated Indicator Sharing (AIS): https://www.us-cert.gov/ais (note that they say "We Need You!")
  - DHS/DOJ "Privacy and Civil Liberties Final Guidelines" (Sec. 105(b)): https://www.us-cert.gov/sites/default/files/ais_files/Privacy_and_Civil_Liberties_Guidelines_%28Sec%20105%28b%29%29.pdf
8a | 19-Oct | Cybercrime: Computer Fraud and Abuse Act (CFAA), Part 1 | On call: 3
Learning goals:
  - What problem(s) is the CFAA trying to solve? How does it approach the problem through civil and criminal law?
  - How do the contours of hacking affect cybersecurity at the macro and micro levels?
  - We conceive of hacking through the lens of trespass. Illegal hacking follows some of the same contours as trespass law.
Readings:
  - Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service (97-1025), Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf . Note that this is a long document, and plan accordingly. This reading is for this class and the CFAA Part 2 class.
  - 18 U.S.C. § 1030.
8b | 21-Oct | Cybercrime: Computer Fraud and Abuse Act, cont. | On call: 4
Learning goals:
  - What is the importance of "authorization" under the CFAA? What are the pros and cons of this approach?
  - Is it ever OK to "hack back"?
  - Authorization's three lenses: code, contract, and social norms
  - What violations of agreements are serious enough to be criminal?
Readings:
  - Review Charles Doyle, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, Congressional Research Service (97-1025), Oct. 2014, pp. 1–69, https://fas.org/sgp/crs/misc/97-1025.pdf
  - Matthew Bunn and Scott D. Sagan, A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes, American Academy of Arts and Sciences (2014), https://www.amacad.org/content/publications/publication.aspx?d=1425
  - Joseph Cox, American Cyber Security Firm FireEye Denies Hacking Chinese Military, Vice Motherboard, June 25, 2018, https://motherboard.vice.com/en_us/article/pav5yz/fireeye-denies-hacking-chinese-military-david-sanger-perfect-weapon
9a | 26-Oct | Cybercrime: Law Enforcement Access to User Data: Decryption Mandates and International Data Sharing | On call: 1
Learning goals:
  - Understand the "going dark" problem.
  - Should systems be built to accommodate law enforcement access?
  - Under what circumstances can LEAs and the IC access data held outside the United States? When can foreign LEAs access data held within the United States?
Readings:
  - Harold Abelson et al., Keys under doormats: Mandating insecurity by requiring government access to all data and communications, Journal of Cybersecurity 1(1) (September 2015); also published as MIT-CSAIL-TR-2015-026, https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8
  - Stephen P. Mulligan, Cross-Border Data Sharing Under the CLOUD Act, Congressional Research Service (R45173), April 23, 2018, https://fas.org/sgp/crs/misc/R45173.pdf
  - U.S. Department of Justice, "Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act," White Paper (April 2019), https://www.justice.gov/dag/page/file/1153436/download
Optional/Background: We read the CFAA for the last class. Because there's a fair amount of other reading, reading the CLOUD Act itself is optional. It's recommended, however, because gaining familiarity with statutes and learning how to parse them is an important skill: https://www.justice.gov/dag/page/file/1152896/download
9b | 28-Oct | Cybercrime: Law Enforcement Access to User Data: ECPA, SCA, and the Cybersecurity Act of 2015 | On call: 2
Learning goals:
  - What are the requirements for law enforcement access under ECPA and the SCA? Have they changed under the Cybersecurity Act of 2015, and if so, how?
  - What is it that law enforcement agencies (LEAs) want, and why?
  - Who is the "threat actor" as contemplated by ECPA and the SCA?
  - When is there a legal duty to report?
  - How communications privacy laws shape cybersecurity
Readings:
  - Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72(6) George Washington Law Review 1208, pp. 1208–1224 (2004). Please be sure to study the chart on page 1223. https://heinonline.org/HOL/P?h=hein.journals/gwlr72&i=1222
  - Orin Kerr, "How Does the Cybersecurity Act of 2015 Change the Internet Surveillance Laws?", Washington Post (Volokh Conspiracy), Dec. 24, 2015, https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws/?noredirect=on
  - Jennifer Stisa Granick, "OmniCISA Pits DHS Against the FCC and FTC on User Privacy," Just Security, Dec. 16, 2015, https://www.justsecurity.org/28386/omnicisa-pits-government-against-self-privacy/
  - Best Practices for Working with Companies, Appendix C in U.S. DOJ, Prosecuting Computer Crimes (2010), https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
10a | 2-Nov | Attacking Consumers: The Role of the Federal Trade Commission | On call: 3
Learning goals:
  - What is the law of cybersecurity emerging from the FTC?
  - Whence does this "law" come?
  - How does the FTC's approach differ from the European approach under the General Data Protection Regulation?
Readings:
  - Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy, Chapter 5. You can get this book free by using the VPN and visiting this link (you may have to cut and paste it): http://ebooks.cambridge.org/ebook.jsf?bid=CBO9781316411292
  - FTC v. Wyndham Worldwide Corp. et al., No. 14-3514 (3d Cir. 2015) (you may have to cut and paste the link): http://www2.ca3.uscourts.gov/opinarch/143514p.pdf
  - GDPR Article 32, and Recitals 39, 49, 81, and 83. The recitals are the text at the beginning of the document following "Whereas": https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
10b | 4-Nov | Attacking Consumers: The Role of the Federal Trade Commission, cont. | On call: 4
Learning goals:
  - Understanding the evolution of cybersecurity duties of care
Readings:
  - Chris Jay Hoofnagle, Federal Trade Commission Privacy Law and Policy, Chapter 8.
  - LabMD, Inc. v. FTC, No. 16-16270 (11th Cir. 2018), http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf
  - Watch the interview with Professor Steve Bellovin on the FTC and reasonable security (see Files > Videos).

9-Nov | Note: We will continue our FTC material on Monday the 9th. Please review the FTC material; you are not responsible for the security breach material.
11-Nov | Veterans Day Holiday; no class

11a | 16-Nov | Attacking Consumers: Security Breach Notification | On call: 1
Learning goals:
  - Understand the basic parameters of security breach notification (SBN) laws.
  - What duty to monitor is imposed by SBN laws?
  - How are SBN laws evolving? How should they evolve? Do we want notification of security breaches, something more, something else?
  - Compare US SBN laws with Europe's approach in the GDPR.
Readings:
  - California Department of Justice, 2016 Data Breach Report (2016), pp. iii–38, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
  - Perkins Coie LLP, Security Breach Notification Chart (skim only), https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
  - Kim Zetter, Hackers Finally Post Stolen Ashley Madison Data, Wired, Aug. 18, 2015, https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
  - GDPR Recitals 85–88 (these are the numbered clauses following "Whereas") and Articles 33 and 34. Under Article 4, a "personal data breach" means "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." "Personal data" means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
Assignment: Do the How Many Breaches / Have I Been Pwned module.
11b | 23-Nov | Attacking Consumers: Harassment and Extortion Online | On call: 2
Learning goals:
  - How have aggressors used the Internet to attack individuals?
  - How does Section 230 of the Communications Decency Act help or hinder attempts to address harassment and harm?
  - How does law help address cyber harassment? How is it limited? How should it evolve?
Readings:
  - Benjamin Wittes, Cody Poplin, Quinta Jurecic & Clara Spera, Sextortion: Cybersecurity, teenagers, and remote sexual assault, Brookings, pp. 1–9 (May 2016), https://www.brookings.edu/wp-content/uploads/2016/05/sextortion1-1.pdf
  - Nellie Bowles, Thermostats, Locks and Lights: Digital Tools of Domestic Abuse, NY Times, Jun. 23, 2018, https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html
  - 47 U.S.C. § 230, Communications Decency Act, https://www.law.cornell.edu/uscode/text/47/230
  - Danielle Keats Citron, The Problem Isn't Just Backpage: Revising Section 230 Immunity, 2 Georgetown Tech. L.R. (2018), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3218521
Optional/Further reading:
  - Marlisse Silver Sweeney, "What the Law Can (and Can't) Do About Online Harassment," The Atlantic, Nov. 12, 2014, https://www.theatlantic.com/technology/archive/2014/11/what-the-law-can-and-cant-do-about-online-harassment/382638/ (includes an interview with Danielle Citron).

11c | Attacking Consumers: Harassment and Extortion Online II | On call: 3 | WE WILL SKIP THIS MODULE
Continued from Thursday, 7 November (see above); same readings as last time.
12a | 23-Nov | Corporate Cybersecurity: Financial Services | WE WILL SKIP THIS MODULE
Learning goals:
  - Financial services companies have vast privacy and security requirements.
  - In practice, the cyber responsibilities of financial services companies reach far, because service providers and contractors are held to the same standards. Regulators are elevating responsibility to the board room.
  - In financial services, CIA (confidentiality, integrity, availability) is an animating value, but so is the safety and soundness of the banking system.
Readings:
  - FTC, Financial Institutions and Customer Information: Complying with the Safeguards Rule (2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying
12b | 24-Nov | Futures of Cybersecurity | On call: 4
Readings:
  - CLTC, Cybersecurity Futures 2025: Insights and Findings (2019), https://cltc.berkeley.edu/wp-content/uploads/2019/02/Cybersecurity-Futures-2025-Insights-and-Findings.pdf

7-Dec | Final Exam Review Session, 11:20 AM – 12:45 PM, on Zoom.

Take-home exam: the take-home window will run from Dec. 8 to Dec. 17 (Tuesday through Thursday).

Questions about Cybersecurity in Context

Q. Do I need technical knowledge to take Cybersecurity in Context?

A. No. This course is about the context that surrounds cybersecurity, not its technical internals.

We do ask you to learn the basics: the difference between circuit-switched phone networks and packet-switched internet ones, the different layers of the internet, and how attacks on the confidentiality and integrity of data, and on access to computers, can occur at those different layers. We will have in-class content and readings to explain these topics. Look at the readings in the first week or two to get an idea of how technically sophisticated the reading will be. There will be class discussion to help you pull out what you need.

Q. How does Cybersecurity in Context differ from the Cybersecurity Reading Group? How does it differ from Cybersecurity Law and Policy in the Spring semester?

A. The reading group is a discussion seminar focusing on academic writings in cybersecurity, typically organized around a specific theme, such as cyber conflict. Cybersecurity in Context is a podium-lecture course covering the main themes in cybersecurity. Cybersecurity Law and Policy is a doctrinal course. While we cover law in Cybersecurity in Context, we place the law in context and thus spend substantial time on economic, political, ethical, and other considerations.  The courses are complementary, and you can take both.

Q. I am an undergraduate. May I enroll?

A. The course is likely to be full, but if we have space we will enroll undergraduates in Info 290. We will enroll undergraduates after the graduate registration period, in August. We ask undergraduate students to email us the following information by August 1st:

1. I am an upper-division student [Yes/No]
2. What year?
3. I understand and accept that this is a graduate-level class, with graduate-level materials and pacing. [Yes/No]
4. I understand and accept that participation in class discussion is expected, even if the class is larger than most undergraduate courses that expect this (in grad and law school classes, for example, students participate in discussion in 50-100-person classes). [Yes/No]
5. I would like to take this class because: [Please tell us why you would like to take the class.]
6. I would contribute to this class because: [Please tell us why you would contribute to the class. For example, your major is relevant to topics in the class; you are doing an undergrad thesis on a relevant topic; you worked on relevant issues prior to coming to Berkeley; etc.]

Assessment

Readings will be posted on the course webpage at least one week in advance. Students will be evaluated on the following:

  • Students are expected to read, watch, or listen to all assigned materials and be prepared to participate actively in class activities and discussion. We will have “on call” students. We won't always discuss the readings in detail, but they are necessary for understanding the higher-level class themes.
  • Students are expected to complete occasional exercises.
  • Students are expected to participate in group exercises.
  • Students are expected to prepare questions for any guest speakers during the course of the semester.
  • Students are expected to regularly attend class according to the policy described below.
  • The final exam for the class. This will be a take-home exam.

The class will be graded on the basis of the final exam (70%) and attendance at and participation in the class sessions (30%). The final exam will be a take-home exam. In grading, we will consider the final exam, whether students complete all of the home and in-class exercises, the quantity and quality of class participation (including session leadership and participation during other sessions). Please note that the quality of class participation—and, indeed, whether it is of appropriate quantity—may be enhanced in some cases by speaking up, and in some cases by giving others room to speak.

Note for non-law students. Law classes commonly use the “on call” method for class participation that we will employ in this class. Students will be assigned classes for which they are “on call.” While everyone is expected to participate regularly in class discussion, “on-call” students can expect to be called on and to be responsible for anchoring class discussion. This is straightforward in practice, but please don’t hesitate to check with us if you have questions.

Technical and legal aspects of the class. Cybersecurity requires cooperation among many different kinds of experts, and this interdisciplinary class provides an opportunity to consider the different types of expertise you may encounter and how to communicate across types of expertise.

You do not need a technical background for this class. You do need to learn the basics: the difference between circuit-switched phone networks, and packet-switched internet ones, about the different layers of the internet, and how attacks on the confidentiality and integrity of data, and attacks on access to computers can occur on those different layers. We will have in-class content and readings to explain these topics. Look at the readings for the first week of class to get an idea of how technically sophisticated the reading will be.  (Note that the technical reading is concentrated in the first classes.) While you will not be expected to become expert in non-legal subject matter, you will be expected to develop the ability to understand non-legal subject matter sufficiently to comment on it intelligently and apply it to law and policy. Lawyers are generalists—they are expected to learn and apply many kinds of information throughout our careers. Being a competent lawyer requires the ability to understand the facts and theories that underlie or touch upon a legal problem.

Similarly, you do not need a legal background for this class, but you will be expected to learn the legal information we cover and the basics of how law operates in the cybersecurity field.

Learning Outcomes

Berkeley Law Learning Outcomes. Berkeley Law has identified several school-wide learning outcomes that you will recognize in Cybersecurity in Context:

(a) Knowledge and understanding of substantive and procedural law (as covered by the class);

(b) Legal analysis and reasoning, legal research, problem-solving, and written and oral communication in the legal context (including class exercises and discussion);

(c) Exercise of proper professional and ethical responsibilities to clients and the legal system (with regard to ethical responses to cybersecurity challenges);

(d) Other professional skills needed for competent and ethical participation as a member of the legal profession (with regard to competent and ethical responses to cybersecurity challenges); and

(e) Using the law to solve real-world problems and to create a more just society (including using the law appropriately to solve cybersecurity problems and address cyber threats, and analyzing when tools other than law are appropriate).

Course-Specific Learning Outcomes. In addition to the general learning outcomes listed above, students in this class will be expected to:

  • Understand the elements that define “cybersecurity”;
  • Understand the legal, social, and political frameworks that affect cybersecurity;
  • Identify and define challenges to achieving cybersecurity;
  • Identify and explain social, legal, political, and economic impediments to cybersecurity;
  • Suggest approaches to maintain a reasonable state of cybersecurity and to address breaches effectively, ethically, and according to law; and
  • Identify main tradeoffs between different cybersecurity-related interests (e.g., between economics and security levels; between law enforcement and civil liberties; between private interests and public interests).

Course and School-Wide Policies

Attendance. Attendance is required.

Laptops & Other Electronic Devices. Class is, in part, discussion-based and interactive. Research shows that electronic devices can inhibit participation and learning in classroom settings. To allow everyone to participate fully in the discussion and avoid distractions, we ask that you keep your laptop generally closed and other electronic devices turned off and put away during class. You may open your laptop to access and refer to reading assignments when needed; otherwise, please leave it closed.

Credit Hours, Exams, Accommodation. A “credit hour” at Berkeley Law is an amount of work that reasonably approximates four hours of work per week for 15 weeks, including a) classroom time, b) time spent preparing for class, c) time spent studying for, and taking, final exams, d) time spent researching, writing, and revising papers and other written work, and e) time spent preparing for and completing any other final project, presentation, or performance. For the purposes of these calculations, 50 minutes of classroom instruction counts as one hour, and the 15 weeks includes the exam period. You can expect to spend this amount of time per unit per week on out-of class, course-related work as described above.

Student Services schedules all exams, including accommodated exams, as the law school is committed to anonymous grading. Any student who seeks an accommodated or rescheduled exam for documented medical reasons or for religious observance should contact Student Services in 280 Simon Hall, 510-643-2744, imayer@law.berkeley.edu.

Academic Honor Code. The Academic Honor Code governs the conduct of all students during examinations and in all other academic and pre-professional activities at Berkeley Law.

Support Services. If you are in need of economic, food, or housing support, you can find help at basicneeds.berkeley.edu. You may be eligible for money to buy groceries via calfresh.berkeley.edu or our Food Assistance Program. If you are in need of food immediately, please visit our UC Berkeley Food Pantry at pantry.berkeley.edu.

Anti-Harassment Policies and Support Services. The University of California is committed to creating and maintaining a community dedicated to the advancement, application and transmission of knowledge and creative endeavors through academic excellence, where all individuals who participate in University programs and activities can work and learn together in an atmosphere free of harassment, exploitation, or intimidation. Every member of the community should be aware that the University prohibits sexual violence and sexual harassment, retaliation, and other prohibited behavior (“Prohibited Conduct”) that violates law and/or University policy. The University will respond promptly and effectively to reports of Prohibited Conduct and will take appropriate action to prevent, to correct, and when necessary, to discipline behavior that violates this policy. For the complete UC Policy, definitions, compliance and procedures, please access the full text: http://policy.ucop.edu/doc/4000385/SVSH.

Resources: If you have further questions or concerns about reporting behavior related to sexual harassment, sexual violence, and/or protected category discrimination, please contact the Office for the Prevention of Harassment and Discrimination (OPHD) by phone 510-643-7985 or email ask_ophd@berkeley.edu.

Path to Care Center Confidential Advocates provide affirming, empowering, and confidential support for those that have experienced gendered violence, including: sexual harassment, emotional abuse, dating and intimate partner violence, sexual assault, stalking, and sexual exploitation. Advocates bring a non-judgmental, caring approach to exploring all options, rights, and resources. They can be reached by phone (510) 642-1988 or via http://sa.berkeley.edu/dean/confidential-care-advocate.
