Updates and Supplemental Material for Chapter 1
Introduction
Has there ever been any area of the law that changes so rapidly, on so many different fronts, as cybersecurity? Even between the time the second edition of Cybersecurity Law Fundamentals went into copyediting and page layout and the time it was ready for purchase, there were remarkable developments:
• A Department of Justice rulemaking on export of sensitive personal data of Americans.
• A Commerce Department inquiry into the cybersecurity implications of connected vehicles.
• Settlements in FTC enforcement actions against Blackbaud and Global Tel*Link that gave new insights into the Commission’s views of its authority under Section 5 of the FTC Act.
• In the Justice Department’s takedown of the Volt Typhoon botnet, further creative use of the warrant procedures of Rule 41 of the Federal Rules of Criminal Procedure.
Updates will be posted chapter by chapter in coming days and on an ongoing basis. Pointers to items missed are welcome.
_____________________________________________________________
UPDATES TO THE SECOND EDITION
1.4.2 Military Operations and the Law of War
In July 2023, the Department of Defense issued an updated edition of its Law of War Manual.
___________________________________________________________
SUPPLEMENTAL MATERIAL TO THE SECOND EDITION
1.2 Definitions of Cybersecurity
As noted in the book, there is no single, agreed-upon legal definition of cybersecurity. In addition to the definitions provided in the book, here are some definitions of related terms in federal law, definitions in some state laws, and definitions used by international bodies.
1.2.1 Definitions of Cybersecurity-Related Terms in Federal Legislation
“cybersecurity purpose” - 6 U.S.C. § 1501(4) (the definitions section of the Cybersecurity Information Sharing Act (CISA), 6 U.S.C. §§ 1501-1510):
(4) The term “cybersecurity purpose” means the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.
“cybersecurity threat” - 6 U.S.C. § 1501(5):
(5) (A) In general
Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.
(B) Exclusion
The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.
“cybersecurity mission” - 15 U.S.C. § 7421(1) (enacted as part of the Cybersecurity Enhancement Act of 2014, 15 U.S.C. §§ 7421-7464, which, among other things, directed the Secretary of Commerce, the Director of the National Science Foundation, and the Secretary of Homeland Security to support various measures to enhance cybersecurity education and the training and recruitment of cybersecurity professionals):
The term “cybersecurity mission” means activities that encompass the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as such activities relate to the security and stability of cyberspace.
“cybersecurity risk” - 6 U.S.C. § 659(a)(1) (Section 659 charters the National Cybersecurity and Communications Integration Center in the Department of Homeland Security):
(1) the term “cybersecurity risk”—
(A) means threats to and vulnerabilities of information or information systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information or information systems, including such related consequences caused by an act of terrorism; and
(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.
Other provisions in Title 6 incorporate this definition of cybersecurity risk by reference, including § 660, which directs the Department of Homeland Security to develop and implement an intrusion assessment plan to detect, identify, and remove intruders in federal agency information systems and a cyber incident response plan, and § 663, which legislatively mandates the deployment of a federal intrusion detection and prevention system. See 6 U.S.C. § 651.
Section 2279 of Title 10, which prohibits the Secretary of Defense from entering into a contract for satellite services with a foreign entity if the Secretary reasonably believes that “entering into such contract would create an unacceptable cybersecurity risk for the Department of Defense,” has an identical definition of cybersecurity risk, without the exception of Subsection (B). 10 U.S.C. § 2279.
“cybersecurity incident” - 16 U.S.C. § 824o(8) (from the section in the Energy Act of 2005 addressing the reliability of the bulk electric power system):
The term “cybersecurity incident” means a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system.
“significant activities undermining cybersecurity” - 22 U.S.C. § 9202(14) (from Chapter 99 of Title 22, on North Korea Sanctions, enacted in 2016):
The term “significant activities undermining cybersecurity” includes—
(A) significant efforts to—
(i) deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or
(ii) exfiltrate information from such a system or network without authorization;
(B) significant destructive malware attacks;
(C) significant denial of service activities; and
(D) such other significant activities described in regulations promulgated to implement section 9214 of this title.
There is a similar definition in 22 U.S.C. § 9524, adopted in 2017, which requires the president to impose sanctions on any person that the president determines knowingly engages in “significant activities undermining cybersecurity” on behalf of the government of the Russian Federation.
See also “national cybersecurity asset response activities,” 6 U.S.C. § 651(4).
1.2.2 State Law Definitions of Cybersecurity
Colorado
Colorado Revised Statutes § 2-3-1701 (in a part establishing the joint technology committee in the state Legislature and giving it oversight authority regarding data privacy and cybersecurity within state agencies):
(1.3) “Cybersecurity” means a broad range of technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.
Hawaii
Hawaii Revised Statutes § 128B-1 (establishing a full-time Hawaii cybersecurity, economic, education, and infrastructure security coordinator to oversee cybersecurity and cyber resiliency matters, including cybersecurity, economic, education, and infrastructure security for the state):
“Cyber resiliency” shall mean the ability to complete vulnerability assessments, identify potential cyber-attacks, mitigate losses from cyber-attacks, and recover quickly and efficiently from cyber-attacks.
Maryland
MD Code, Econ Dev § 10-463 (in a section of the code creating a Cybersecurity Investment Fund to provide seed and early-stage funding for emerging technology companies located in the state focused on cybersecurity and cybersecurity technology product development):
(1) “Cybersecurity” means information technology security.
(2) “Cybersecurity” includes the protection of networked devices, networks, programs, and data from unintended or unauthorized access, change, or destruction.
MD Code, Tax—General § 10-733.1 (creating a tax credit for the purchase of cybersecurity technology or a cybersecurity service):
(3) “Cybersecurity service” means an activity that is associated with a category or subcategory identified under the Framework Core established by the National Institute of Standards and Technology’s Cybersecurity Framework.
(4) “Cybersecurity technology” means products or goods intended to detect or prevent activity intended to result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system.
Michigan
Michigan Compiled Laws § 15.232 (part of the state Freedom of Information Act, which permits exemptions for cybersecurity plans, assessments, or vulnerabilities and for information that would identify or provide a means of identifying a person that may, as a result of disclosure of the information, become a victim of a cybersecurity incident or that would disclose a person’s cybersecurity plans or cybersecurity-related practices, procedures, methods, results, organizational information system infrastructure, hardware, or software):
(b) “Cybersecurity incident” includes, but is not limited to, a computer network intrusion or attempted intrusion; a breach of primary computer network controls; unauthorized access to programs, data, or information contained in a computer system; or actions by a third party that materially affect component performance or, because of impact to component systems, prevent normal computer system activities.
(c) “Cybersecurity plan” includes, but is not limited to, information about a person’s information systems, network security, encryption, network mapping, access control, passwords, authentication practices, computer hardware or software, or response to cybersecurity incidents.
(d) “Cybersecurity vulnerability” means a deficiency within computer hardware or software, or within a computer network or information system, that could be exploited by unauthorized parties for use against an individual computer user or a computer network or information system.
Michigan Compiled Laws § 18.222 (in an act creating a cyber civilian corps):
(d) “Cybersecurity incident” means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on any of these. Cybersecurity incident includes, but is not limited to, the existence of a vulnerability in an information system, system security procedures, internal controls, or implementation that is subject to exploitation.
Ohio
Ohio Revised Code, Chapter 3965 (establishing cybersecurity requirements for insurance companies):
“Cybersecurity event” means an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system that has a reasonable likelihood of materially harming any consumer residing in this state or any material part of the normal operations of the licensee. “Cybersecurity event” does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. “Cybersecurity event” does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed. § 3965.01(E).
1.2.3 Definitions Used by International Bodies
The International Telecommunication Union defines cybersecurity:
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.
The ITU goes on to note that “general security objectives comprise the following: availability, integrity, which may include authenticity and non-repudiation, and confidentiality.”
In a 2015 companion document to its Recommendation on Digital Security Risk Management for Economic and Social Prosperity, the Organisation for Economic Cooperation and Development stated:
Digital security can be approached from at least four different perspectives each stemming from a different culture and background, recognised practices, and objectives:
• technology, i.e. focusing on the functioning of the digital environment (often called “information security”, “computer security”, or “network security” by experts)
• law enforcement and, more generally, legal aspects (e.g. cybercrime)
• national and international security, including aspects such as the role of ICTs with respect to intelligence, conflicts prevention, warfare, etc.
• economic and social prosperity, encompassing wealth creation, innovation, growth, competitiveness and employment across all economic sectors, as well as aspects such as individual liberties, health, education, culture, democratic participation, science, leisure, and other dimensions of wellbeing in which the digital environment is driving progress.
Last updated: April 9, 2024.
Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.