Cyber Security

Making the Case for Public-Private Collaboration in the Fight Against Cybercrime

by Ryan Connell, UMN Law Student, MJLST Lead Articles Editor

In Cyber-Threats and the Limits of Bureaucratic Control, Volume 14, Issue 1 of the Minnesota Journal of Law, Science & Technology, Professor Susan Brenner delivered a thoughtful and compelling analysis of the current state of the United States Government’s approach to cybercrime. Professor Brenner advocates for a new threat-control strategy. Specifically, Professor Brenner urges us to abandon the rigid hierarchical structures that currently define our strategy. Professor Brenner instead would support a system that correlates with the lateral networked structures that are found in cyberspace itself.

Almost certainly, cybercrime must be at the forefront of our concerns. Hackers across the globe constantly threaten government secrets. In the private sector, corporations’ data also provide lucrative targets for hackers.

As Professor Brenner points out, we, as a country, have given the government complete responsibility for addressing the cybercrime threat. The problem however, is that the government has distributed its response among the many agencies that comprise the government. This has created a fragmented response where agencies either needlessly repeat each other’s work or operate in the dark due to a lack of information sharing between the agencies. Overall, this response has left many, particularly in the corporate world, feeling dissatisfied with the government.

Unfortunately, this dissatisfaction in the corporate world has damaged the government’s ability to address cybercrime in the private sector. For instance, although private industry has spent in upwards of 300 billion dollars to fight hackers, only one third of companies report cybercrimes to the government. This may suggest that the companies think they can solve the problem better than the government can. It bears mentioning that this problem is not unique the United States. The United Kingdom, for instance, has suffered similar problems. Indeed, in the UK, banks are more likely to simply reimburse most victims of cybercrime than they are to report it to the government.

Professor Brenner has presented an interesting and plausible solution. She has recognized that the Internet itself is community-based and is laterally networked. Accordingly, it is difficult to address the problems raised by cybercrime using a vertically networked system. The government should encourage and facilitate civilian participation in the fight against cybercrime. The government should recognize that it alone cannot solve this problem. Cybercrime is a solution that takes more than government to solve; it takes a government and its citizens.


Cyber Security Investigation and Online Tracking

by Ude Lu, UMN Law Student, MJLST Staff.

Ude-Lue.jpgOn April 18th, 2013, Cyber Intelligence Sharing and Protection Act (CISPA) was passed with wide spread controversies. CISPA aims to help national security agencies to investigate cyber threats by allowing private companies, such as Google and Facebook, to search users’ personal data to identify possible threats. Commentators argue that CISPA compromises the Fourth Amendment, because, under CISPA, agencies can get privacy data of suspects identified by the privacy companies without a judicial order. CISPA bridges the gap between crime investigations and the privacy data stored and analyzed by social media companies.

Google and Facebook regularly track their user’s online behaviors, such as websites they visited or products they purchased, to figure out their personal preferences to perform targeted advertisements. These personal behavior analyses raise serious privacy concerns. Omer Tene and Jules Polonetsky in their article published in Volume 13 Issue 1 of the Minnesota Journal of Law Science and Technology, To Track or “Do Not Track: Advancing Transparency and Individual Control in Online Behavioral Advertising discussed these privacy concerns.

Tene and Polonetsky described that while targeted advertisement provides many advantages, one particular criticism is that users are deprived from meaningful control of their data. This led to various administrative proposals in the US and EU. In the US, FTC proposed “Do Not Track”, a signal sent by users’ browser to internet content providers requesting them not to track cookies. In the EU, the e-Privacy Directive required an opt-in consent for cookie tracking. The authors argue that whether cookie tracking should be “opt-in” or “opt-out” depends on how tracking is valued by the society. If the society in general values tracking as a positive measure to provide valuable services, then opt-out should be applied. On the contrary, if tracking is viewed by the society as an invasion to privacy, then opt-in should be applied.


Cybersecurity: Serious threat or “technopanic”?

by Bryan Dooley, UMN Law Student, MJLST Staff

Thumbnail-Bryan-Dooley.jpgWhile most would likely agree that threats to cybersecurity pose sufficient risk to warrant some level of new regulation, opinions vary widely on the scope and nature of an appropriate response. FBIwebsite-sm-border.jpgThe Cyber Intelligence Sharing and Protection Act, one of several proposed legislative measures intended to address the problem, has drawn widespread criticism. Concerns voiced by opponents have centered on privacy and the potential for misuse of shared information. Some fear the legislation creates the potential for additional harm by allowing or encouraging private parties to launch counterattacks against perceived security threats, with no guarantee they will always hit their intended targets.

In Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle</strong>, published in Issue 14.1 of the Minnesota Journal of Law, Science & Technology, Adam Thierer discusses the danger of misguided regulation in response to new and potentially misunderstood technological developments. The discussion centers on what Thierer terms “technopanics”–hasty and often irrational pushes to address a problem in the face of uncertainty and misinformation, sometimes intentionally disseminated by parties who hope to benefit financially or advance a social agenda.

In the context of cyber security, Thierer argues that advocates of an aggressive regulatory response have exaggerated the potential for harm by using language such as “digital Pearl Harbor” and “cyber 9/11.” He argues technopanics have influenced public discourse about a number of other issues, including online pornography, privacy concerns associated with targeted advertising, and the effects of violent video games on young people. While these panics often pass with little or no real lasting effect, Thierer expresses concern that an underlying suspicion toward new technological developments could mature into a precautionary principal for information technology. This would entail a rush to regulate in response to any new development with a perceived potential for harm, which Thierer argues would slow social development and prevent or delay introduction of beneficial technologies.

It’s an interesting discussion. Whether or not cyber attacks pose the potential for widespread death and destruction, there is significant potential for economic damage and disruption, as well as theft or misuse of private or sensitive information. As in any case of regulation in the face of uncertainty, there is also clear potential that an overly hasty or inadequately informed response will go too far or carry unintended consequences.


Threats From North Korea: Switching Our Focus From Nuclear Weapons To Websites

by Bryan Morben, UMN Law Student, MJLST Staff

Thumbnail-Bryan-Morben.jpgThere has been a lot of attention on North Korea and the possibility of a nuclear war lately. In fact, as recently as April 4, 2013, news broke that the increasingly hostile country moved medium-range missiles to its east coastline. It is reported that the missiles do not have enough range to hit the U.S. mainland, but is well within range of the South Korean capital. Tensions have been running high for several months, especially when the North took the liberty to shred the sixty year old armistice that ended the Korean War, and warned the world that “the next step was an act of ‘merciless’ military retaliation against its enemies.”

But perhaps the use of physical force by leader Kim Jong Un is not the only, or even the most important threat, from North Korea that the United States and its allies should be worried about. Despite the popular impression that North Korea is technologically inept, the regime boasts a significant cyber arsenal. The country has jammed GPS signals and also reportedly conducted cyber terrorism operations against media and financial institutions in the South. North Korea employs a host of sophisticated computer hackers capable of producing anonymous attacks against a variety of targets including military, governmental, educational, and commercial institutions. This ability to vitiate identity is one of the most powerful and dangerous parts about cyber warfare that isn’t possible in the physical world.

Susan Brenner is an expert in the field cyberwar, cybercrime, and cyber terrorism. She has been writing about how and why the institutions modern nation-states rely on to fend off the threats of war, crime, and terrorism have become ineffective as threats have migrated into cyberspace for over half a decade. Her article, Cyber-threats and the Limits of Bureaucratic Control, in Issue 14.1 of the Minnesota Journal of Law, Science & Technology outlines why we need a new threat-control strategy and how such a strategy could be structured and implemented. A strategy like the one Brenner recommends could help protect us from losing a cyberbattle with North Korea that most people aren’t even aware could happen.


Time for a New Approach to Cyber Security?

by Kenzie Johnson, UMN Law Student, MJLST Managing Editor

Kenzie Johnson The recent announcements by several large news outlets including the New York Times, Washington Post, Bloomberg News, and the Wall Street Journal reporting that they have been the victims of cyber-attacks have yet again brought cyber security into the news. These attacks reportedly all originated in China and were aimed at monitoring news reporting of Chinese issues. In particular, the New York Times announced that Chinese hackers persistently attacked their servers for a period of four months and obtained passwords for reporters and other Times employees. The Times reported that the commencement of the attack coincided with a story it published regarding mass amounts of wealth accumulated by the family of Chinese Prime Minister Wen Jiabao.

It is not only western news outlets that are the targets of recent cyber-attacks. Within the past weeks, the United States Department of Energy and Federal Reserve both announced that hackers had recently penetrated their servers and acquired sensitive information.

This string of high-profile cyber-attacks raises the need for an improved legal and response structure to deal with the growing threat of cyber-attacks. In the forthcoming Winter 2013 issue of Minnesota Journal of Law, Science, and Technology, Susan W. Brenner discusses these issues in an article entitled “Cyber-Threats and the Limits of Bureaucratic Control.” Brenner discusses the nature, causes, and consequences of cyber-threats if left unchecked. Brenner also analyzes alternative approaches to the United States’ current cyber-threat control regime, criticizes current proposals for improvements to the current regime, and proposes alternative approaches. As illustrated by these recent cyber-attacks, analysis of these issues is becoming more important to protect sensitive government data as well as private entities from cyber-threats.