
Cybersecurity Law II

B738 is taught by Z. Heck, A. Lubin, S. Shackelford

Cyber insecurities affect the whole of society: from consumers who suffer cybercrimes on their internet-connected devices, to media outlets whose websites are hacked or taken offline, to businesses whose intellectual property is plundered, all the way to states that undertake to defend against espionage and uses of force in cyberspace. Enhancing cybersecurity is thus a policy issue of critical importance. Policymakers are fashioning regulatory schemes around the world that promise to shape not only the day-to-day realities of operating information systems, but also cyberspace itself.

This course explores the national and international legal frameworks that govern malicious and defensive actions in cyberspace, including laws related to data breaches, cybercrime, cyberespionage, and cyberwar. The course will consider legal questions and broader debates concerning such topics as:

(1) Governance of cyberspace and the Internet and conflicts of laws in the information society.

(2) The roles of governmental and non-governmental actors such as multinational corporations and cybersecurity firms.

(3) Evolving understandings of privacy and data protection from both domestic and regional perspectives.

(4) The place for FTC and SEC enforcement in enhancing cybersecurity hygiene within society.

(5) The anatomy of data breaches and their regulation under both state and federal law (including both statutory and common law frameworks).

(6) The role of private ordering and the limits of such tools as industry self-regulation and cyber insurance.

(7) The Computer Fraud and Abuse Act (CFAA) and other state and federal laws prohibiting and addressing hacking.

(8) The ethical dimensions of hoarding of zero-day vulnerabilities by law enforcement and the permissibility of lawful hacking, includiware.

(9) The international law rules that control cyber armed attacks, election interference, cyber attribution, and cyber espionage.

(10) Corporate risk assessment and incident response, the NIST framework, and other compliance mechanisms for cybersecurity enhancement.

(11) New frontiers of cyber defenses, including in the context of malicious cyber-attacks on artificial intelligence and machine learning, botnet takedowns, and corporate hack backs.

The objective of the course is to contextualize cybersecurity threats and responses within corporate, national security, and international law frameworks, while also recognizing the limits of current laws and debates. Students will thus be called to consider the need for further evolution of policy and the real-world impacts of different regulatory solutions. Students will also explore critical race, gender, LGBTQ+, and Third World Approaches to International Law (TWAIL) theories in cyber regulation.

For in-person students: grades will be based on three short experiential assignments (FTC lab, cyber insurance lab, and cyber diplomacy lab), and one 3-hour open-book proctored exam.