It’s Time to Hack Cybersecurity Law

Inadequate security of computers, networks, systems, and data can devastate the economy, upend the lives of individuals, weaken national security, and even undercut the foundations of our democratic system.  The United States continues to face persistent threats to public and private infrastructure from increasingly sophisticated and determined adversaries, making it more urgent than ever to develop a whole-of-nation response.

The United States has made great strides on some aspects of its cyber strategy to better address these threats.  For instance, the U.S. Defense Department in 2018 announced a “persistent engagement” strategy, which recognizes that cyber threats are continuous rather than episodic events, as they have often been treated.  The new military strategy includes an operational concept known as “defend forward,” in which the United States will conduct operations outside of military operations with the goal of positioning itself to degrade cyber operations, gather information about threats, and influence adversaries to cease their malign cyber activities directed toward the United States.

While the United States has made some progress in developing a more aggressive military cyber strategy, that is only part of the equation.  Equally important to combatting the persistent threats is improving domestic cybersecurity.  This task is particularly challenging, as much of the infrastructure and data that adversaries target is controlled by the private sector, not the government.  Attacks targeting Sony, Yahoo, the Democratic National Committee, and so many other non-governmental organizations have had severe consequences for the U.S. economy and national security.  Accordingly, any comprehensive and effective national cybersecurity strategy must account for – and, ideally, influence – the cybersecurity of the private sector. 

The government’s most powerful lever for influencing the private sector is its lawmaking.  Whether through carrots such as technological assistance, education, or tax credits, or through sticks such as regulations and the enabling of private causes of action, U.S. laws can help to shape the private sector’s approach to cybersecurity.

Unfortunately, the cluster of state and federal laws that broadly make up U.S. “cybersecurity law” is outdated – often decades-old – and lack a common purpose to address today’s cybersecurity threats.  I have broadly described these laws in a 2018 Iowa Law Review article, Defining Cybersecurity Law.  In that Article, I explained how laws related to data security, computer hacking, consumer protection, and privacy can broadly be considered part of “cybersecurity law,” and I highlight areas where they are lacking and uncoordinated.

Now, in a forthcoming article in Illinois Law Review entitled “Hacking Cybersecurity Law,” I build on this research by setting forth guiding principles for policymakers to hack cybersecurity law.  By “hacking,” I do not mean the type of unauthorized access to computers that is covered under the Computer Fraud and Abuse Act (one of the many statutes that I include in my definition of cybersecurity law).  Instead, I refer to another definition of hacking: taking a bold move intended to improve something; or, as Merriam-Webster defines the term, “to cut or shape by or as if by crude or ruthless strokes.” 

Cybersecurity laws are so misaligned with current threats and challenges that policymakers cannot fix them through modest refinements or amendments. A radical rethinking and overhaul is necessary: in other words, a hacking. 

This dramatic new approach can include new statutes, new regulations, and even new exercises of authorities under existing statutes and regulations.  The ultimate goal is to better align the legal rules – particularly those that govern private sector cybersecurity – with methods that effectively combat existing and future cybersecurity challenges. 

I propose seven principles to guide U.S. policymakers as they work to hack cybersecurity laws.  I developed these principles by drawing on literature that documents areas of success in cybersecurity law and other areas of the law in which the government has attempted to influence private sector behavior. Those principles are to ensure that U.S. cybersecurity law relating to private sector activity is informed, clear, adaptive, comprehensive, cohesive, global, and collaborative:

1. Informed: Congress, regulatory agencies, executive branch officials, and courts must have a clear and current understanding of the technology and cybersecurity threats before they develop or modify legal rules. Reviving the Office of Technology Assessment, a nonpartisan congressional office staffed by scientists and engineers, would be a good first step.
2. Clear: To the greatest extent possible, the private sector must have a clear understanding of what cybersecurity law requires of it. Directing companies to comply with particular cybersecurity standards such as NIST Special Publication 800-171 or ISO 27001, for instance, is far clearer than imposing general “reasonableness” requirements.
3. Adaptive: While some cybersecurity laws can include generalizable standards that are easily adaptable to new challenges, others simply fail to anticipate future technology and its cybersecurity impacts. In such cases, Congress should empower a regulatory agency such as the Federal Trade Commission to promulgate regulations that adapt to the new technological reality.
4. Comprehensive: Cybersecurity laws often are conflated with privacy laws, as there is significant overlap. However, cybersecurity laws must address more than just the confidentiality of personal information by protecting data from unauthorized alteration and from attacks such as ransomware that cause data or systems to become unavailable. Cybersecurity laws also must focus not just on financial harms but also any threats to national security or individual privacy or safety, such as information that is used by stalkers and harassers. (I explain the need for laws that protect sensitive information such as geolocation data in Cybersecurity of the Person, forthcoming in First Amendment Law Review).
5. Cohesive: Companies currently face a complicated web of requirements at the state level, and many of these requirements conflict. Governments should attempt, to the greatest extent possible, to align the requirements nationally in an effort to provide a clear regulatory framework. (I outline my practical and constitutional concerns with state-centric cybersecurity laws in Hamiltonian Cybersecurity, forthcoming later this year in Wake Forest Law Review).
6. Global: Just as it is necessary for the United States to overcome conflicting state requirements in favor of a unified national policy, global coordination of cybersecurity regulations and incentives will help to improve the overall efficacy of fighting threats that do not adhere to traditional geographic borders.
7. Collaborative: A number of federal agencies specialize in cybersecurity. The experts in these agencies should work together, rather than in separate silos.  These collaborative efforts should stress not only punitive measures, such as criminal enforcement and regulation, but also partnerships and assistance, such as threat information sharing. Unlike some other commentators, I do not propose a single Department of Cybersecurity; however, I suggest ways to better coordinate efforts to improve U.S. cybersecurity among existing departments and agencies.

This hack requires radical change to better align the many different areas of the law with a common goal: protecting the confidentiality, integrity, and availability of information, systems, and networks in the public and private sector.  The hack must position U.S. laws not only to address the imminent cybersecurity threats that we face but also to provide sufficient flexibility to effectively fight future threats. 

That’s all easier said than done.  Because U.S. cybersecurity law spans so many different areas of federal and state law, executing this hack is not an easy task.  It would be foolhardy and presumptuous to list a narrow set of discrete proposals to “fix” the broken cybersecurity legal system.  Such work may come in the future, but the first task is to better understand what we want our cybersecurity laws to look like.  The hack requires a set of common values and principles to guide policymaking at the state, federal, and global level. 

• This piece is a shortened version of Hacking Cybersecurity Law, which will appear in Illinois Law Review in 2020. The opinions expressed in this piece are only those of the author, and do not represent the U.S. Naval Academy, Department of Navy, or Department of Defense.