Cyberwar and Cyberespionage

My paper “Ghost in the Network” is available from SSRN. It’s forthcoming in the University of Pennsylvania Law Review. I’m appending the abstract and (weirdly, but I hope it will become apparent why) the conclusion below. Comments welcomed.


Cyberattacks are inevitable and widespread. Existing scholarship on cyberespionage and cyberwar is undermined by its futile obsession with preventing attacks. This Article draws on research in normal accident theory and complex system design to argue that successful attacks are unavoidable. Cybersecurity must focus on mitigating breaches rather than preventing them. First, the Article analyzes cybersecurity’s market failures and information asymmetries. It argues that these economic and structural factors necessitate greater regulation, particularly given the abject failures of alternative approaches. Second, the Article divides cyber-threats into two categories: known and unknown. To reduce the impact of known threats with identified fixes, the federal government should combine funding and legal mandates to push firms to redesign their computer systems. Redesign should follow two principles: disaggregation, dispersing data across many locations; and heterogeneity, running those disaggregated components on variegated software and hardware. For unknown threats – “zero-day” attacks – regulation should seek to increase the government’s access to markets for these exploits. Regulation cannot exorcise the ghost in the network, but it can contain the damage it causes.


Something terrible is going to happen in cyberspace. That may help.

The U.S. suffers serious but less visible cyberattacks daily. Complex technology, mixed with victims’ reluctance to disclose the scale of harms, leads to underappreciation of cyber-risks. This disjunction generates the ongoing puzzle of cybersecurity: the gap between dramatic assessments of risks the U.S. faces and minimalist measures the country has taken to address them. America’s predictions do not match its bets. One of those positions is wrong. But the economic and structural factors that impede regulation suggest reform will not occur without a dramatic focusing event.[1] The U.S. did not address its educational deficiencies in math and science until the Soviets launched Sputnik into orbit.[2] Until the near-meltdown at Three Mile Island, America was complacent about nuclear energy safety.[3] And it required the attacks of 9/11 for the country to address the rise in international terrorism, the gaps in its intelligence systems, and the weaknesses in aviation security.[4] This Article’s role is to sit on the shelf, awaiting with dread that focusing event. When it occurs, regulators will need a model for a response. This Article offers one.

Cybersecurity offers copious challenges for future research. Two are particularly relevant for this Article. First, data integrity is a difficult puzzle. Restoring data after attacks is unhelpful if one cannot tell good information from bad – we must be able to distinguish authorized updates from unauthorized ones. This seemingly technical puzzle has important implications for provenance in other areas, from rules of evidence to intellectual property, which struggle with similar authentication problems. Second, nation-states are now engaged in the long twilight struggle of espionage and hacking in cyberspace. At present, there are neither formal rules nor tacit norms that govern conduct. Eventually, though, countries must arrive at accommodations. Spying[5], assassination[6], and armed combat[7] all benefited from shared rules, even during the Cold War. Lawyers can raise awareness of these benefits and help shape the system that emerges. Future research can contribute to both these inquiries.

For now, ghosts roam the network. They cannot be driven out. We must lessen the effects of their touch.

[1] John W. Kingdon, Agendas, Alternatives, and Public Policies 165 (2003).

[2] Cornelia Dean, When Science Suddenly Mattered, in Space and in Class, N.Y. Times (Sept. 25, 2007),….

[3] Perrow, supra note 80, at 29-30.

[4] Thomas H. Kean et al., Final Report of the National Commission on Terrorist Attacks in the United States 254-65 (2004).

[5] Geoffrey B. Demarest, Espionage in International Law, 24 Denv. J. Int’l L. & Pol’y 321 (1996).

[6] Nathan A. Sales, Self-Restraint and National Security, 6 J. Nat’l Security L. & Pol’y 227, 249-50 (2012).

[7] Geoffrey S. Corn, Back to the Future: De Facto Hostilities, Transnational Terrorism, and the Purpose of the Law of Armed Conflict, 30 U. Pa. J. Int’l L. 1345, 1346-47 (2009).

Comments are closed.