Cybersecurity and Privacy Law in a Nutshell
Authors: Kesan, Jay P. / Hayes, Carol M.
Edition: 1st
Copyright Date: 2019
13 chapters have results for “cybersecurity”
Chapter 1. Introduction (p. 1)
- Cybersecurity policy issues implicate both private and public international law in addition to domestic law. The cybersecurity climate has created an environment where general practitioners should be aware of the international implications of certain actions. The overlap of civilian and military information infrastructure means that civilians could be directly affected by cyberwar between sovereign nations. In this nutshell, we will provide an overview of many of the major legal issues relating to cybersecurity. We decided to briefly introduce major international cybersecurity issues first in this chapter in part because there is no easy line between domestic and international in cybersecurity. The Internet provides a forum that is at once the world’s largest conference room and the world’s largest battlefield.
- Cybersecurity is a serious concern in the modern age. Our real lives and digital lives are often inextricably linked. Attorneys and their clients are significantly affected by the implications of cybersecurity events. Data security is also becoming an ethical issue for attorneys. To protect client information, attorneys increasingly have to take active steps to protect data, not just refrain from making disclosures.
- There is a broad range of potential consequences for a cybersecurity incident. The danger that a thief could make purchases with a stolen credit card is very real, but the threat also goes beyond dollars and cents. Virtually every industry is reliant on effective cybersecurity. Ransomware attacks on hospitals can even put patients’ lives in jeopardy by blocking medical professionals from obtaining accurate and up to date patient information. In the legal field, safeguarding client information has become an ethical matter, not just a technological or financial matter.
- International Cybersecurity
- Domestic Cybersecurity
Chapter 9. Recent Changes to Federal Cybersecurity Law (p. 143)
- The discovery of Stuxnet in 2010 provided a wake-up call for the computer security industry, critical infrastructure providers, the general public, and basically anyone who was not already involved in the creation and dissemination of the Stuxnet worm. Eventually, discussions resulted in a variety of largely incremental changes in national cybersecurity policy. , which is titled Improving Critical Infrastructure Cybersecurity. The Order’s most significant contribution to cybersecurity policy was arguably its direction to develop the Cybersecurity Framework. In the years since the order was signed, the Cybersecurity Framework has become a resource for security professionals outside of critical infrastructure as well. Multiple cybersecurity-related bills were enacted in December 2014, and the federal Cybersecurity Information Sharing Act was enacted as part of an omnibus budget bill in December 2015. We start with an explanation of ...in the areas of cybersecurity standards...
- NCPA codifies the functions of the National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security. The NCPA approaches cybersecurity from an information-sharing perspective, though the NCPA only allows the government to share information and does not address cybersecurity information held by the private sector. The NCCIC is authorized to facilitate information-sharing agreements for cybersecurity purposes.
- Section 8 provides the outline for agency support of the critical infrastructure cybersecurity program. Agencies that are designated Sector-Specific Agencies are important contact points for private sector businesses in various industries. Finally, Section 9 of EO 13,636 requires the identification of critical infrastructure providers that are at the greatest risk of a cybersecurity incident causing catastrophic consequences.
- In December 2014, Congress passed three cybersecurity-related bills, which were all signed by President Obama on December 18, 2014: 1) the Federal Information Security Modernization Act of 2014 (FISMA), 2) the National Cybersecurity Protection Act of 2014 (NCPA), and 3) the Cybersecurity Enhancement Act of 2014 (CEA). FISMA is an update to the older Federal Information Security Management Act, and focuses on the cybersecurity practices of federal agencies.
- The CEA addresses a variety of topics like cybersecurity research and education, but for current purposes, its most significant contribution is Title I, which sets forth detailed guidance for the National Institute for Standards and Technology’s activities relating to cybersecurity standards. Through this Title, the CEA provides legislative oversight of the CSF.
Chapter 2. Cybersecurity Technology and Actors (p. 9)
- Because a cybersecurity story wouldn’t be complete without a hacker, we have three: Wilma, George, and Brian. Wilma works for Securesoft and solves cybersecurity problems as part of her job. George is a systems administrator who does freelance security work and sometimes sells information to companies about vulnerabilities in their products, often in the form of a “bug bounty.” Brian is a coder who supplements his income by hacking into other systems, stealing information, and selling that information on the black market. These three represent, respectively, the white hat, grey hat, and black hat hacker categories often referenced in cybersecurity commentary.
- This chapter will provide an introduction to technology relevant to cybersecurity. While being technologically savvy is increasingly common among lawyers, most lawyers do not have a technical background. Some lawyers can build and fix their own computers, but such expertise is not necessary to understand and appreciate legal issues relating to cybersecurity. However, some knowledge of concepts and terminology is important, which is why we have prepared this chapter as a technology primer for lawyers.
- Because lawyers are accustomed to detailed hypotheticals, we decided to introduce common elements of cybersecurity events in that familiar format. What follows is a story that will provide characters and examples to which we will refer throughout this chapter. Any resemblance to real individuals or companies is completely coincidental.
- There are a lot of buzzwords about cybersecurity and technology that some readers may not be familiar with. In this section, we provide some background about these terms and the underlying hacking-related activities.
- Another common term in cybersecurity is “advanced persistent threat.” APTs are typically directed at specific targets. APTs generally involve malware and external command and control capabilities to allow the outsider attackers continued access to the compromised systems. Attractive targets for APTs include government systems, universities, and critical infrastructure.
- As we have previously noted, the law of cybersecurity is in flux, and discussions often draw from other areas of law. This challenge is especially pressing in the laws of war. In the context of cyberwar, what rules apply to these new weapons? The laws of war were shaped by physical interactions and threats. Whether it was arrows, swords, a trebuchet, an AK-47, biological weaponry, napalm, or a nuclear bomb, the threats of conventional weapons affected the physical environment, and it was generally easy to see when a weapon had been used. With cyber weapons, the points of ambiguity are seemingly endless. There is also currently some overlap between civilian and military information infrastructure, so even lawyers in the private sector can benefit from some awareness of the developing international law issues relating to cybersecurity.
- In addition to the 46 member signatories, 13 non-member States also signed, ratified, or acceded to the ECC: Australia, Canada, Chile, Dominican Republic, Israel, Japan, Mauritius, Panama, Senegal, South Africa, Sri Lanka, Tonga, and the United States. The existence of the ECC, even though it has not been broadly adopted, shows leaders’ awareness that cybersecurity concerns transcend national boundaries.
- Malicious cybersecurity activities in the following years can be placed in three broad categories: surveillance and leaks, disruption of computer services or data, and disruption of physical infrastructure. Stuxnet was significant because it was among the first confirmed successful cyberattacks where the injury was physical, not just
- Many other nations are also taking steps to prepare for future cyber threats. China publicly acknowledged in 2011 the existence of a unit of the Chinese military focused on cybersecurity matters, but emphasized that this unit’s focus was on defensive measures, not offensive measures. In May 2014, five Chinese military officials were indicted by the FBI for cyber espionage against the United States. In 2015, President Xi Jinping of China and President Barack Obama reached an agreement where the nations jointly pledged to not conduct or support the cyber-enabled theft of intellectual property from each other.
- Much of the emphasis on cyber operations is on the defensive use of such capabilities. United States leaders have publicly emphasized the importance of cybersecurity to national security. Analyzing and responding to cyber threats has long been an area of interest for the United States government. Operation Eligible Receiver was a 90-day cyber warfare exercise in 1997, in which 35 people acted as a rogue state. Reports from the operation indicated that both government and commercial sites were susceptible to attacks using “off-the-shelf” technology. In 2002, the U.S. Naval War College simulated a “digital Pearl Harbor” attack against critical infrastructure to gain insight into how such an attack would be carried out and what its effects would be. According to analysts, at that time an attack of sufficient strength to disable
Index (p. 291)
- The Federal Information Security Management Act was enacted in 2002 and required government agencies and contractors to adopt cybersecurity measures. It was replaced in 2014 by the Federal Information Security Modernization Act. Under Section 11331 of Title 40, the Director of the Office of Management and Budget is authorized to create binding information security standards based on standards proposed by the National Institute of Standards and Technology (NIST). NIST is empowered and required by law to develop such standards for use by government agencies under . These standards are separate from the Cybersecurity Framework, which NIST developed as a voluntary information security standard for use by the private sector, especially private operators of critical infrastructure.
- Deescalation is about getting back to normal. Deescalation strategies focusing on improving resilience can include drills to prepare staff for cybersecurity incidents. Audits can improve resilience by identifying organizational issues and quantifying available resources.
- Some have called for public private partnerships to improve cybersecurity, believing that cooperation between the government and private sector can keep all parties informed of emerging trends. An attorney interested in learning more about such collaborations in a particular industry could look for a relevant information sharing and analysis center (ISAC). There are ISACs for the financial services sector, the communications sector, and the automotive sector, among others.
Outline
- We turn now from more general discussions of cybersecurity and the law to specific statutes proscribing cyber misconduct. In the United States, the most prominent statute is the federal Computer Fraud and Abuse Act (CFAA). Congress enacted a version of the CFAA in 1984 and substantially amended it in 1986. Between 1986 and 2018, the CFAA has been amended nine times, with the most recent amendments having been made in 2008. The CFAA broadly prohibits unauthorized activity on a protected computer, as well as a few other offenses. For some provisions, the prohibition on unauthorized activity extends both to activity without authorization and activity that exceeds authorized access.
- In the previous chapter’s dramatic tale of cybersecurity intrigue, Brian the Black Hat tricked a Retailco employee into clicking a phishing link. Brian then used the compromised computer to obtain information from the company’s customer databases. His actions clearly violate
- Publication Date: May 20th, 2019
- ISBN: 9781634602723
- Subject: Internet Law
- Series: Nutshells
- Type: Overviews
- Description: Cybersecurity and Privacy Law in a Nutshell by Jay P. Kesan and Carol M. Hayes provides a comprehensive and up-to-date overview of cybersecurity law and policy. Cybersecurity is a serious concern in our lives. It affects individuals, governments, the military, big businesses, small businesses, and law firms themselves. Cybersecurity policy issues implicate both private and public international law, in addition to domestic law. In this Nutshell, we present case law, federal, state and international legislation, administrative actions and regulations, and relevant policy considerations that attorneys and their clients should keep in mind, whether they are working on a case about cybersecurity or just wanting to know more about cybersecurity and privacy in the Internet age.