- JOSIAH DYKSTRA, Trail of Bits
“A comprehensive, multidisciplinary introduction to the technology and policy of cybersecurity. Start here if you are looking for an entry point to cyber.”
- BRUCE SCHNEIER, author of A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend Them Back
The first-ever introduction to the full range of cybersecurity challenges
Cybersecurity is crucial for preserving freedom in a connected world. Securing customer and business data, preventing election interference and the spread of disinformation, and understanding the vulnerabilities of key infrastructural systems are just a few of the areas in which cybersecurity professionals are indispensable. This textbook provides a comprehensive, student-oriented introduction to this capacious, interdisciplinary subject.
Cybersecurity in Context covers both the policy and practical dimensions of the field. Beginning with an introduction to cybersecurity and its major challenges, it proceeds to discuss the key technologies that have brought cybersecurity to the fore, its theoretical and methodological frameworks, and the legal and enforcement dimensions of the subject. The result is a cutting-edge guide to all key aspects of one of this century’s most important fields.
Cybersecurity in Context is ideal for students in introductory cybersecurity classes, and for IT professionals looking to ground themselves in this essential field.
Table of Contents
About the Authors xiii
Preface xv
Acknowledgments xix
About the Companion Website xxi
Introduction xxiii
I What Is Cybersecurity?
1 What Is Cybersecurity? 3
1.1 What Is the Cyber in Cybersecurity? 5
1.1.1 Cyberspace’s Places and the Problem of Internet Sovereignty 8
1.2 What Is the Security in Cybersecurity? The “CIA” Triad 12
1.2.1 The Internet’s Threat Model 15
1.2.2 Computer Security Versus “Cybersecurity” 19
1.2.3 Security, Innovation, “Hacking” 23
1.2.4 Security from a Private Sector Perspective 24
1.2.5 Building on the CIA Triad 26
1.2.6 Cybersecurity Definitions 27
1.3 Encryption Is Critical in Cybersecurity 28
1.3.1 Modern Cryptosystems 29
1.3.2 Hashing 33
1.4 Cyberpower: How Insecurity Empowers and Undermines Nations 37
1.5 Is Disinformation a Cybersecurity Concern? 40
1.5.1 From Information Scarcity to Glut 41
1.5.2 The Power of Influence Campaigns on the Internet 43
1.5.3 Libicki’s Disinformation Framework 46
1.5.4 The US Approach: Free Speech First 48
1.5.5 Election Interference 50
1.5.6 Is There Really Reason to Be Concerned? 53
1.6 International Views 55
1.7 Conclusion: A Broad Approach 57
2 Technology Basics and Attribution 59
2.1 Technology Basics 60
2.1.1 Fundamentals 60
2.1.2 Reliance Is a Fundamental Element of Computing and the Internet 66
2.1.3 Internet Layers 68
2.1.4 Cybersecurity Depends on Generations of Legacy Technologies 77
2.1.5 “Controlling” the Internet 84
2.1.6 Why Not Start Over? 85
2.2 Attribution 86
2.2.1 Types of Attribution 91
2.2.2 Attribution Process 92
2.2.3 Don’t Be Surprised: Common Dynamics in Attribution 103
2.2.4 The Future of Attribution 106
2.3 Conclusion: An End to Anonymity? 108
II Cybersecurity’s Contours
3 Economics and the Human Factor 111
3.1 Economics of Cybersecurity 112
3.1.1 Asymmetry and the Attack/Defense Balance 116
3.1.2 Incentive “Tussles” 118
3.2 The People Shaping Internet Technology and Policy 120
3.2.1 Tragedies of the Un-managed Commons 124
3.3 The Human Factor - The Psychology of Security 127
3.3.1 Attackers as Behavioral Economists 127
3.3.2 Institutions as Rational Choice Economists 130
3.3.3 User Sophistication 134
3.3.4 The Role of Emotion and the Body 136
3.3.5 Security as Afterthought 138
3.3.6 RCT: The User View 138
3.4 Conclusion 140
4 The Military and Intelligence Communities 141
4.1 Why Cybersecurity Is Center Stage 144
4.2 Are Cyberattacks War? 148
4.2.1 Cyber War Will Not Take Place 148
4.2.2 Cyber War Is Coming 153
4.2.3 The Law of War 155
4.2.4 Cyber Realpolitik 162
4.3 Computers and the Future of Conflict 165
4.3.1 The Changing Nature of Conflict 166
4.4 Cybersecurity and the Intelligence Community 176
4.4.1 The Intelligence Community 178
4.4.2 The Power of the Platform 187
4.4.3 The Vulnerabilities Equities Process 189
4.4.4 Cyber Soldiers and/or Cyber Spies? 193
4.5 Conclusion 195
5 Cybersecurity Theory 197
5.1 Deterrence Theory 198
5.1.1 Deterrence Theory Contours 199
5.1.2 Deterring with Entanglement and Norms 207
5.1.3 Cyber “Power” 209
5.1.4 The Deterrence Theory Critique 213
5.2 Security Studies: Anarchy, Security Dilemma, and Escalation 215
5.2.1 Anarchy 215
5.2.2 The Security Dilemma 216
5.2.3 Escalation and the Security Dilemma 218
5.2.4 Securitization: Nissenbaum Revisited 222
5.2.5 The Problem of Referent Object 223
5.2.6 Nissenbaum’s Alternative Vision: Cyberattacks Are Just Crimes 224
5.2.7 A Response to Nissenbaum: Strategic Risks Do Exist 225
5.3 Economic Theory: The Tragedy of the Cybersecurity Commons 226
5.3.1 The Free Problem 227
5.4 The Public Health Approach 230
5.5 Gerasimov and “Hybrid War:” Information Domain Revisited 233
5.5.1 The US Reaction 235
5.6 Barlowism as Theory 237
5.6.1 Technology Utopianism: The Internet as Democratizing 237
5.6.2 Utopia as No Place, But as Organic 242
5.6.3 High Modernism and Authoritarian High Modernism 243
5.7 Conclusion 246
III Cybersecurity Law and Policy
6 Consumer Protection Law 249
6.1 Federal Trade Commission Cybersecurity 250
6.1.1 FTC’s Legal Authority 252
6.1.2 Unfairness 254
6.1.3 Deception 257
6.1.4 The Zoom Case - Complaint 258
6.1.5 The Zoom Case - Settlement 262
6.2 FTC Adjacent Cybersecurity 267
6.2.1 The Attorneys General 267
6.2.2 Self-regulation 268
6.2.3 Product Recalls 270
6.3 The Limits of the Consumer Protection Approach 271
6.3.1 Two Litigation Moats: Standing and Economic Loss 272
6.3.2 The Devil in the Beltway 275
6.4 Conclusion 279
7 Criminal Law 281
7.1 Computer Crime Basics 282
7.2 Computer Crime Incentive Contours 283
7.3 The Political/Economic Cyber Enforcement Strategy 287
7.4 Cybercrime’s Technical Dependencies 291
7.5 The Major Substantive Computer Crime Laws 293
7.5.1 Identity Theft 294
7.5.2 The Computer Fraud and Abuse Act (CFAA) 297
7.5.3 Other Computer Crime Relevant Statutes 309
7.5.4 Digital Abuse 311
7.6 High-Level Investigative Procedure 312
7.6.1 Investigative Dynamics 312
7.6.2 Investigative Process 317
7.6.3 Obtaining the Data 317
7.6.4 Stored Communications, Metadata, Identity, and “Other” 318
7.7 Live Monitoring 324
7.7.1 International Requests and the CLOUD Act 326
7.7.2 National Security Access Options 329
7.8 Conclusion 332
8 Critical Infrastructure 333
8.1 What Is “Critical Infrastructure” 336
8.2 Political Challenges in Securing Critical Infrastructure 341
8.3 Cyber Incident Reporting for Critical Infrastructure Act of 2022 343
8.4 Technical Dynamics 345
8.4.1 What Does CI Designation Mean 345
8.5 NIST Cybersecurity Framework 346
8.5.1 NIST Broken Down 346
8.5.2 Electricity and Cybersecurity 348
8.6 Alternative Approaches to the NIST Cybersecurity Framework 351
8.6.1 Assessments and Audits - They’re Different 352
8.6.2 Requirements-based Standards 352
8.6.3 Process-Based and Controls-Based Standards 354
8.6.4 Privacy != Security 356
8.6.5 Standards Critiques 357
8.7 The Other CISA - Cybersecurity Information Sharing Act of 2015 358
8.7.1 Information-sharing Theory 358
8.7.2 Information-Sharing Practice 360
8.7.3 Provisions of CISA (the Act) 362
8.8 Conclusion 365
9 Intellectual Property Rights 367
9.1 IPR Problems: Context 368
9.1.1 IP Threats 369
9.1.2 APT1 371
9.2 Protection of Trade Secrets 373
9.2.1 Reasonable Measures for Protecting Trade Secrets 374
9.2.2 Rights Under the DTSA 375
9.2.3 The Economic Espionage Act (EEA) 378
9.3 Copyright and Cybersecurity 379
9.3.1 The DMCA and Critical Lessons for Software Testing 385
9.4 Online Abuse and IP Remedies 385
9.4.1 Public Law Remedies for Abuse 387
9.4.2 Private Law Remedies for Abuse 392
9.5 Conclusion 392
10 The Private Sector 393
10.1 There Will Be Blood: Risk and Business Operations 394
10.2 The Politics of Sovereignty 397
10.2.1 Homo Economicus Meets North Korea 400
10.2.2 Technological Sovereignty 402
10.2.3 Committee on Foreign Investment in the United States 404
10.2.4 Data Localization 405
10.2.5 Export Control 406
10.3 The APT Problem 407
10.4 The Security Breach Problem 411
10.4.1 Trigger Information 413
10.4.2 What Is an Incident? What Is a Breach? 414
10.4.3 Notification Regimes 415
10.4.4 Does Security Breach Notification Work? 420
10.5 Hacking Back: CISA (The Statute) Revisited 421
10.6 The Special Case of Financial Services 425
10.6.1 Gramm Leach Bliley Act (GLBA) 425
10.7 Publicly Traded Companies and Cybersecurity 430
10.7.1 Material Risks and Incidents 431
10.7.2 SEC Enforcement 432
10.7.3 The Board of Directors 434
10.8 Cybersecurity Insurance 437
10.8.1 Insurer Challenges 438
10.8.2 Buying Insurance 439
10.9 Conclusion 440
IV Cybersecurity and the Future
11 Cybersecurity Tussles 443
11.1 A Public Policy Analysis Method 444
11.2 Software Liability: Should Developers Be Legally Liable for Security Mistakes? 446
11.3 Technical Computer Security Versus Cybersecurity Revisited 449
11.3.1 The Criminal Law Alternative 450
11.3.2 The Consumer Law Approach 451
11.3.3 The Industrial Policy Approach 451
11.4 Encryption and Exceptional Access 453
11.5 Disinformation Revisited 457
11.5.1 Racist Speech and Cybersecurity 460
11.5.2 What Expectations About Disinformation Are Reasonable? 461
11.6 Conclusion 461
12 Cybersecurity Futures 463
12.1 Scenarios Methods 464
12.2 Even More Sophisticated Cyberattacks 465
12.3 Quantum Computing 466
12.4 Automaticity and Autonomy: Artificial Intelligence and Machine Learning 467
12.5 The Data Trade and Security 470
12.6 The Sovereign Internet 471
12.7 Outer Space Cyber 473
12.8 Classification Declassed 475
12.9 Attribution Perfected or Not 476
12.10 Conclusion 476
V Further Reading and Index
Further Reading 481
Index 495