Washington College of Law
Home Archive Volume 62 Volume 62, Issue 5
Volume 62, Issue 5
FOREWARD: Mapping Today's Cybersecurity Landscape

By Jorge L. Contreras, Laura DeNards, & Melanie Teplinsky | 62 Am. U. L. Rev. 1113 (2013)

Cyberthreats recently overtook terrorism as the number one global threat to America, according to the 2013 global threat assessment performed by the U.S. intelligence community. This special issue of the American University Law Review represents the culmination of a concerted effort to bring together scholars, legal practitioners, industry representatives, and government officials to discuss and debate the pressing issues surrounding cybersecurity in today’s increasingly interconnected environment. This effort began in October 2012 with a public symposium entitled America the Virtual: Security, Privacy, and Interoperability in an Interconnected World. One of the principal themes of the symposium was the growing threat that online security breaches present to business, government, and individual citizens. This Law Review issue offers reflections on the symposium, original scholarship, and commentary that we hope will further advance the debate.

TRANSCRIPT: "America the Virtual: Security, Privacy, and Interoperability in an Interconnected World

By Ivan K. Fong & David G. Delaney | 62 Am. U. L. Rev. 1131 (2013)

It is no exaggeration to state that our nation faces significant and increasing cyberthreats from a range of individual, organized, and state actors. Recent headlines remind us, for example, that malicious actors can easily render tens of thousands of computers inoperable, as was done to Saudi Aramco in August of this year; that distributed denial of service attacks can significantly degrade web services, as was done to several major U.S. banks last month; and that hackers can penetrate the networks of companies operating natural-gas pipelines. 

The statistics on cybercrime, data breaches, and loss of personal information are sobering. This year the global cost of cybercrime has been estimated at $110 billion. Between ninety-five and ninety-eight percent of records lost through data breaches contain personal information—that is, data such as names, addresses, e-mails, or social security numbers. In fiscal year 2011, the Secret Service prevented $1.6 billion in potential losses through its cybercrime investigations. And just last year, the United States Computer Emergency Readiness Team, which is DHS’s 24-hour cyber-watch and warning center, responded to more than 106,000 incident reports and released more than 5000 actionable cybersecurity alerts and information products to our public and private sector partners. In short, the threats to our cybersecurity are real, they are serious, and they are urgent.

Toward Cyberpeace: Managing Cyberattacks Through Polycentric Governance

By Scott J. Shackelford | 62 Am. U. L. Rev. 1273 (2013)

Views range widely about the seriousness of cyberattacks and the likelihood of cyberwar. But even framing cyberattacks within the context of a loaded category like war can be an oversimplification that shifts focus away from enhancing cybersecurity against the full range of threats now facing companies, countries, and the international community. Current methods are proving ineffective at managing cyberattacks, and, as cybersecurity legislation is being debated in the U.S. Congress and around the world, the time is ripe for a fresh look at this critical topic. This Article searches for alternative avenues to foster cyberpeace by applying a novel conceptual framework termed polycentric governance.

When Cyberweapons End Up on Private Networks: Third Amendment Implications for Cybersecurity Polity

By Alan Butler | 62 Am. U. L. Rev. 1203 (2013)

In the summer of 2010, Microsoft reported a new “zero-day” vulnerability in Windows XP that allowed malicious software to be executed from USB drives. Two months later, it was discovered that a sophisticated computer worm called “Stuxnet” had taken advantage of this vulnerability to infect industrial control systems within Iran’s nuclear facilities. Security researchers posited that Stuxnet was “created by a government and [wa]s a prime example of clandestine digital warfare.”

Although Stuxnet initially targeted specific Iranian nuclear facilities, its widespread infection left it “splattered on thousands of computer systems around the world,” including Chevron’s network. Nearly two years after Stuxnet was discovered, a New York Times exposé revealed that the United States and Israel had developed the worm as part of a project codenamed “Olympic Games.” This news clearly signaled the shift in cyberoperations from rogue groups to the nation-state level. Representatives from the United States and other nations have begun discussing frameworks for analyzing cyberoperations under international law. However, discussions of the constitutional limitations and the civil liberties implications of military cyberoperations have been limited. Many recent articles have attempted to provide answers to how traditional legal principles governing military action will apply in cyberspace; this
Article is another along that vein. 

NOTE: FTC v. LabMD: FTC Jurisdiction over Information Privacy is "Plausible," But How Far Can it Go?

By Peter S. Frecehette | 62 Am. U. L. Rev. 1401 (2013) 

Companies in nearly every industry collect, store, and use personal information from consumers. Recently, company databases have become the target of increasingly sophisticated attacks aimed atstealing this information. Data breaches occur with such regularity that the Federal Bureau of Investigation (FBI) has separated companies into two categories: “those that have been hacked, and those that will be.” The Federal Trade Commission (FTC) plays a large role in the cybersecurity world by enforcing specific statutes and, more generally, utilizing its authority under the Federal Trade Commission Act (FTC Act) to penalize companies that allow data breaches. Recently, however, businesses have begun to push back, contesting the FTC’s authority to police information security.

Regulating Information Security in the Government Contracting Industry: Will the Rising Tide Lift all the Boats?

By Keir X. Bancroft  | 62 Am. U. L. Rev. 1145 (2013) 

The government is strengthening cyber and information security regulations to address increasing cybersecurity risks. These regulations will affect government contractors in many ways; for instance, contractors must apply new technologies to monitor cybersecurity threats and develop stronger information security protections. This “rising tide” of regulation should lift “all boats,” namely members of the government contracts sector. Some small business contractors or larger contractors without experience working with the government, however, may not be equipped to fully comply with these strengthened regulations. The government may as a result lose a number of would-be competitors for contracts requiring cyber and information security protections. Alternatively, some contractors lacking resources and experience may compete for the contracts anyway, which could serve to weaken the security of government information and information systems.

Hacker's Delight: Law Firm Risk and Liability in the Cyber Age

By Michael McNerney & Emilian Papadopoulos | 62 Am. U. L. Rev. 1243 (2012)

In October 2012, former Secretary of Defense Leon Panetta made headlines at a speech in New York when he warned of an impending “cyber Pearl Harbor.” He cautioned that the United States’ critical infrastructure, such as the electric grid, air traffic control system, and financial networks, are increasingly vulnerable to malicious hackers both at home and abroad. Since then, numerous senior government officials also echoed Panetta’s comments, and the Administration issued an executive order on improving the cybersecurity of critical infrastructure. The fact that the Administration would dedicate so much attention to cybersecurity shows how important this issue is to our nation’s security. 

While the U.S. defense establishment gears up to defend the nation from this nightmare scenario, private industry is already locked in a struggle
with what is perhaps a more insidious threat: the persistent theft by cyber means of intellectual property and business secrets. Although this threat as an attack on critical infrastructure, it does promise to undermine America’s long-term competitiveness. At a time when the world economy remains fragile, this loss of competitiveness can negatively impact our ability to be productive and generate wealth and economic progress. While the exact scope of the problem is hard to discern, and indeed some people question whether the threat is as severe as experts say, evidence in reports by government and private organizations continues to mount that the cyberthreat to the economy is significant. Most recently, the Commission on the Theft of American Intellectual Property reported that intellectual property theft against the U.S. is costing the economy more than $300 billion per year, nearly equal to the country's total exports to Asia.

COMMENT: Identity Crisis: Seeking a Unified Approach to Plaintiff Standing for Data Security Breaches of Sensitive Personal Information

By Miles L. Galbraith  | 62 Am. U. L. Rev. 1365 (2013) 

Today, information is largely stored and transmitted electronically, raising novel concerns about data privacy and security. This data frequently includes sensitive personally identifiable information that is vulnerable to theft and exposure through illegal hacking. A breach of this data leaves victims at a heightened risk of future identity theft. Victims seeking to recover damages related to emotional distress or money spent protecting their identities and finances are often denied Article III standing to pursue a claim against the entity charged with protecting that data. While the U.S. Court of Appeals for the Seventh Circuit in Pisciotta v. Old National Bancorp and the U.S. Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corp. recognized standing even when harm was limited to the increased risk of identity theft, the U.S. Court of Appeals for the Third Circuit in Reilly v. Ceridian Corp. split with its sister courts and denied standing for data breach victims, citing a lack of injury-in-fact. 

NOTE: Reining in the Rogue Employee: The Fourth Circuit Limits Employee Liability Under the CFAA

By Danielle E. Sunberg  | 62 Am. U. L. Rev. 1417 (2013) 

 On January 2, 2013, the Supreme Court dismissed the petition for writ of certiorari in WEC Carolina Energy Solutions LLC v. Miller, leaving unresolved the vexing question of employee liability under the Computer Fraud and Abuse Act (CFAA). The case involved Mike Miller, former Project Director for WEC Carolina Energy Solutions (WEC), who used WEC’s proprietary information to benefit a competing business. WEC permitted Miller to access the company’s confidential and trade secret documents stored on his employer-provided laptop computer. On April 30, 2010, only twenty days after resigning from his position with WEC, Miller used the confidential information to make a pitch to a potential

client on behalf of a competitor, Arc Energy Services, Inc. (Arc). Arc won the client’s business, and WEC sued Miller and another participating colleague, asserting nine state-law charges as well as several violations of the CFAA. 

The CFAA, codified at 18 U.S.C. § 1030, is the nation’s first and leading cybercrime statute. The statute grants employers a private right of action to hold employees liable for accessing a company computer “without authorization” or for “exceeding authorized access.” Penalizing this conduct grows more imperative: a 2009 study conducted by the Ponemon Institute revealed that six out of every ten departing employees steal company data and described this figure as a growing problem of “malicious insiders.” Unsurprisingly, following this expansion in the computerprotection statute, employers have increasingly used the CFAA as a means to hold rogue employees accountable for using information obtained from a company computer in a manner that conflicts with the employer’s interests.