2015 -- cyber

Dealing with the Cyberthreat: A Political & Legal Quandary

Ethan S. Burger, Esq.
Adjunct Professor – Washington College of Law, American University
Washington, D.C. 20016
e-mail: [email protected]


Post on 14-Feb-2017


The Cost of Cyberattacks

One can only speculate as to the size of U.S. losses (in all forms) due to potential cyberattacks and the costs incurred by the public and private sectors to defend against the attacks.

According to the Center for Strategic and International Studies Report: Cybercrime and espionage cost $375-500 billion annually.

What is included in this figure? What is the worldwide amount? Who bears the cost? Will individuals fall victim to the theft of their financial assets as a result of a cyberattack?

What is the human cost? Lost jobs? Lost time? Use of funds that could have been used for other purposes?


The Standard of Care: Negligence or Should Contract Principles be Applied in Certain Cases?

What is required of the private sector? Is adopting or adapting NIST or some other Government body's standards adequate? Should each sector have different standards?

Should foreign standards and other requirements be considered?

Can improvements in system architecture or design over time reduce the threat?

How frequently must systems be updated?


Obama’s 5 Priorities

Protecting the country's critical infrastructure — our most important information systems — from cyber threats.

Improving our ability to identify and report cyber incidents so that we can respond in a timely manner.

Engaging with international partners to promote internet freedom and build support for an open, interoperable, secure, and reliable cyberspace.

Securing federal networks by setting clear security targets and holding agencies accountable for meeting those targets.

Shaping a cyber-savvy workforce and moving beyond passwords in partnership with the private sector.


Government Actors

The Department of Homeland Security, http://www.dhs.gov/topic/cybersecurity 

The Department of Justice, http://www.justice.gov/criminal-ccips/cybersecurity-unit and http://www.justice.gov/usao/priority-areas/cyber-crime

The Federal Bureau of Investigation, https://www.fbi.gov/about-us/investigate/cyber/cyber.

The Federal Trade Commission, https://www.ftc.gov/.

National Conference of State Legislatures, http://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf/

National Institute of Standards and Technology (NIST), http://www.nist.gov/cyberframework/cybersecurity-framework-faqs.cfm.

The White House -- https://www.whitehouse.gov/issues/foreign-policy/cybersecurity.


Some Federal Legislation

The Economic Espionage Act (EEA) (1917).

The Racketeer Influenced and Corrupt Organizations Act (1970).

Counterfeit Access Device and Computer Fraud and Abuse Act (CFAA 1984) as amended.

The Electronic Communications Privacy Act (ECPA) (1986).

The Identity Theft and Assumption Deterrence Act (ITADA) (1998).

Cybersecurity Information Sharing Act of 2015.


Can Cyberthreats be Managed?

Is the cyberthreat merely another risk that needs to be addressed through best operational practices?

Are the legal and insurance industries capable of dealing with matters where major liability issues are unresolved?

Is the initial victim of a cyberattack liable for all subsequent victims of cyberattacks harmed by the initial victim? When does liability end? What about statute of limitations issues?

Will the insurance industry need to police its insureds to follow best practices?

Will businesses purchase more software, hardware and operational support than needed because corporate officers and directors fear their own personal liability?


Some Issues to Ponder

How can law enforcement respond to cyber criminals if they cannot even be located?

As organized criminal groups and non-state actors become more sophisticated, how much confidence can we have in our financial systems (stock and commodities markets)?

Will States use proxies (including organized criminal groups) to inflict harm on other States?

Is the Federal Government relying too much on the private sector to find solutions through information sharing?

Can we protect the country's critical infrastructure from cyber threats?


Some Additional Questions to Ponder

As we become more dependent on systems that are potentially vulnerable to attack, are we carelessly creating future problems (the Internet of Things)?

Must businesses and individuals only deal with familiar parties in the commercial realm?

Is the “Cloud” as safe as some people think it is?

Must we get used to new concepts of privacy?

How much hardware, software, and procedural safeguards will be enough as the threat becomes more sophisticated? While there are “laws” of armed conflict, cyberattacks are entirely unprecedented in international law.

Remember, the human is always the weakest link in security.