Cybersecurity and Information Law

Today, I moderated a panel at the Cybersecurity Workshop at Central European University on the role that information law will play in cybersecurity. (Thanks to Kate Coyer, Stefaan Verhulst, Monroe Price, and Roxana Radu for inviting me!) Here’s basically what I said:

Cybersecurity may be the issue that leads states to re-fight the old battle of cyber-exceptionalism versus cyber-realism. It is the threat that will lead nation-states to seek greater control over the Internet (or, more accurately, Internets). Territorial sovereigns will exert their power not only to regulate the Net, but to increase its regulability (as Larry Lessig posited).

Cybersecurity poses inherent challenges for law, and for policy makers. It is a public concern that involves primarily private infrastructure. Insecurity creates strong negative externalities that, while a classic justification for public law regulation, mean no single actor will have adequate incentives to take action. Moreover, a “bordered” approach to cybersecurity – securing the systems within one’s territory – is plainly inadequate. True security will require the cooperation of many other stakeholders.

We already see the emergence of legal regimes that seek to impose greater control on the Net, in at least two forms. The first form is not, strictly speaking, related to security. Instead, it tries to establish monitoring, surveillance, or access controls for other purposes, such as preventing IP infringement, distribution of child abuse material, hate speech, or extremism. Examples include the French HADOPI regime, the United Kingdom’s recent Digital Economy Bill, and Australia’s nascent filtering system.

The second form is explicitly oriented towards security. Examples include Senator Joseph Lieberman’s proposed legislation to confer control over Internet infrastructure upon the American government in cases of national emergency, German efforts to limit open wireless networks, and ongoing moves to limit circumvention and encryption technologies. These are likely to increase.

There are three particular targets for these forms of legal regulation:

First, laws limit Internet access, creating a tension between conceptions of access as a human right and access as a privilege conditioned upon lawful use or adequate precautions. These schemes often disconnect “risky” users (with risk broadly defined), based upon quasi-judicial or administrative processes. I believe we are likely to see a continued evolution from access limits that are predicated upon reasonable use (such as refraining from IP infringement or spamming) to those mandating adequate security precautions (such as running a firewall or anti-virus software, which many U.S. universities require).

Second, laws target content. I think we will see a move from legal regimes based on criminal definitions of prohibited content (such as hacking, spamming, and identity theft / fraud) towards those oriented towards security, particularly national security. The recent Wikileaks arrest may be an exemplar. Overall, there is greater consensus among states on banned activities (no one likes hacking) than content (countries differ on their tolerance for pornography, hate speech, and intellectual property violations). Moreover, there is a divergence in responses to banned content, from strict liability (Italy, for privacy violations) through notice-notice (Canada, for copyright infringement) to notice-and-takedown (the U.S., for copyright) to effective immunity (China, for copyright, and the U.S., for defamation). The problem of dual-use technologies is particularly acute in this zone – examples include circumvention techniques (TOR) and indeed Wikileaks.

Third, laws target intermediaries, who are a flash point for information law. They constitute highly attractive targets for regulators, and are under unrelenting pressure. We see this with Google’s challenges in China and Italy, with Facebook’s ongoing privacy woes, and with EU requirements for ISP data retention. Regulatory efforts range from command-and-control schemes through public-private partnerships to self-regulation.

There are a number of areas where data, and useful scholarship, are lacking. First, lawyers tend to be parochial: we focus on our countries of expertise. There is a crying need for comparative and multi-state analysis, particularly that stratified by issue or topic of interest. In addition, we badly need work that creates typologies of approaches, so we can see commonalities and divergences in legal methods.

Second, we need to examine the use of unrelated legal tools – such as systems for surveillance, content blocking, and reporting – for cybersecurity purposes. Governments are creative and will use the methods at their disposal. It is critical that we report upon, and anticipate if possible, such moves.

Finally, we need to consider the risks from reverse evolution: to what ends will new cybersecurity policies and rules be employed? I think it is very likely that cybersecurity-directed methods will be used to effectuate unrelated (though potentially worthy) goals.

Cybersecurity raises problems that are new, real, and hard. Existing laws, conceptual models, and justifications will rapidly prove inadequate. We must move rapidly to map the current situation, to measure gaps, and to propose new approaches that meet policy needs while respecting countervailing concerns.
