Cybersecurity in Context - Chris Jay Hoofnagle, Golden G. Richard  III

Cybersecurity in Context

Technology, Policy, and Law
Buch | Hardcover
544 Seiten
2024
John Wiley & Sons Inc (Verlag)
978-1-394-26244-1 (ISBN)
79,95 inkl. MwSt
“A masterful guide to the interplay between cybersecurity and its societal, economic, and political impacts, equipping students with the critical thinking needed to navigate and influence security for our digital world.”
—JOSIAH DYKSTRA, Trail of Bits

“A comprehensive, multidisciplinary introduction to the technology and policy of cybersecurity. Start here if you are looking for an entry point to cyber.”
—BRUCE SCHNEIER, author of A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend Them Back

The first-ever introduction to the full range of cybersecurity challenges

Cybersecurity is crucial for preserving freedom in a connected world. Securing customer and business data, preventing election interference and the spread of disinformation, and understanding the vulnerabilities of key infrastructural systems are just a few of the areas in which cybersecurity professionals are indispensable. This textbook provides a comprehensive, student-oriented introduction to this capacious, interdisciplinary subject.

Cybersecurity in Context covers both the policy and practical dimensions of the field. Beginning with an introduction to cybersecurity and its major challenges, it proceeds to discuss the key technologies which have brought cybersecurity to the fore, its theoretical and methodological frameworks and the legal and enforcement dimensions of the subject. The result is a cutting-edge guide to all key aspects of one of this century’s most important fields.

Cybersecurity in Context is ideal for students in introductory cybersecurity classes, and for IT professionals looking to ground themselves in this essential field.

Chris Jay Hoofnagle is Professor of Law in Residence at the University of California, Berkeley, where he has taught since 2006. He has published extensively on cybersecurity law and related subjects, and is a practicing attorney with venture law firm Gunderson Dettmer, as well as an advisor to multiple defense and intelligence technology companies. Golden G. Richard III is Professor of Computer Science and Director of the Cyber Center at Louisiana State University. He is a Fellow of the American Academy of Forensic Sciences with over thirty years of experience in teaching cybersecurity and related topics in computer science. His primary areas of expertise are in memory forensics, digital forensics, malware analysis, reverse engineering, and systems programming.

About the Authors xiii

Preface xv

Acknowledgments xix

About the Companion Website xxi

Introduction xxiii

I What is Cybersecurity?

1 What Is Cybersecurity? 3

1.1 What Is the Cyber in Cybersecurity? 5

1.1.1 Cyberspace’s Places and the Problem of Internet Sovereignty 8

1.2 What Is the Security in Cybersecurity? The “CIA” Triad 12

1.2.1 The Internet’s Threat Model 15

1.2.2 Computer Security Versus “Cybersecurity” 19

1.2.3 Security, Innovation, “Hacking” 23

1.2.4 Security from a Private Sector Perspective 24

1.2.5 Building on the CIA Triad 26

1.2.6 Cybersecurity Definitions 27

1.3 Encryption Is Critical in Cybersecurity 28

1.3.1 Modern Cryptosystems 29

1.3.2 Hashing 33

1.4 Cyberpower: How Insecurity Empowers and Undermines Nations 37

1.5 Is Disinformation a Cybersecurity Concern? 40

1.5.1 From Information Scarcity to Glut 41

1.5.2 The Power of Influence Campaigns on the Internet 43

1.5.3 Libicki’s Disinformation Framework 46

1.5.4 The US Approach: Free Speech First 48

1.5.5 Election Interference 50

1.5.6 Is There Really Reason to Be Concerned? 53

1.6 International Views 55

1.7 Conclusion: A Broad Approach 57

2 Technology Basics and Attribution 59

2.1 Technology Basics 60

2.1.1 Fundamentals 60

2.1.2 Reliance Is a Fundamental Element of Computing and the Internet 66

2.1.3 Internet Layers 68

2.1.4 Cybersecurity Depends on Generations of Legacy Technologies 77

2.1.5 “Controlling” the Internet 84

2.1.6 Why Not Start Over? 85

2.2 Attribution 86

2.2.1 Types of Attribution 91

2.2.2 Attribution Process 92

2.2.3 Don’t Be Surprised: Common Dynamics in Attribution 103

2.2.4 The Future of Attribution 106

2.3 Conclusion: An End to Anonymity? 108

II Cybersecurity’s Contours

3 Economics and the Human Factor 111

3.1 Economics of Cybersecurity 112

3.1.1 Asymmetry and the Attack/Defense Balance 116

3.1.2 Incentive “Tussles” 118

3.2 The People Shaping Internet Technology and Policy 120

3.2.1 Tragedies of the Un- managed Commons 124

3.3 The Human Factor— The Psychology of Security 127

3.3.1 Attackers as Behavioral Economists 127

3.3.2 Institutions as Rational Choice Economists 130

3.3.3 User Sophistication 134

3.3.4 The Role of Emotion and the Body 136

3.3.5 Security as Afterthought 138

3.3.6 RCT: The User View 138

3.4 Conclusion 140

4 The Military and Intelligence Communities 141

4.1 Why Cybersecurity Is Center Stage 144

4.2 Are Cyberattacks War? 148

4.2.1 Cyber War Will Not Take Place 148

4.2.2 Cyber War Is Coming 153

4.2.3 The Law of War 155

4.2.4 Cyber Realpolitik 162

4.3 Computers and the Future of Conflict 165

4.3.1 The Changing Nature of Conflict 166

4.4 Cybersecurity and the Intelligence Community 176

4.4.1 The Intelligence Community 178

4.4.2 The Power of the Platform 187

4.4.3 The Vulnerabilities Equities Process 189

4.4.4 Cyber Soldiers and/or Cyber Spies? 193

4.5 Conclusion 195

5 Cybersecurity Theory 197

5.1 Deterrence Theory 198

5.1.1 Deterrence Theory Contours 199

5.1.2 Deterring with Entanglement and Norms 207

5.1.3 Cyber “Power” 209

5.1.4 The Deterrence Theory Critique 213

5.2 Security Studies: Anarchy, Security Dilemma, and Escalation 215

5.2.1 Anarchy 215

5.2.2 The Security Dilemma 216

5.2.3 Escalation and the Security Dilemma 218

5.2.4 Securitization: Nissenbaum Revisited 222

5.2.5 The Problem of Referent Object 223

5.2.6 Nissenbaum’s Alternative Vision: Cyberattacks Are Just Crimes 224

5.2.7 A Response to Nissenbaum: Strategic Risks Do Exist 225

5.3 Economic Theory: The Tragedy of the Cybersecurity Commons 226

5.3.1 The Free Problem 227

5.4 The Public Health Approach 230

5.5 Gerasimov and “Hybrid War:” Information Domain Revisited 233

5.5.1 The US Reaction 235

5.6 Barlowism as Theory 237

5.6.1 Technology Utopianism: The Internet as Democratizing 237

5.6.2 Utopia as No Place, But as Organic 242

5.6.3 High Modernism and Authoritarian High Modernism 243

5.7 Conclusion 246

III Cybersecurity Law and Policy

6 Consumer Protection Law 249

6.1 Federal Trade Commission Cybersecurity 250

6.1.1 FTC’s Legal Authority 252

6.1.2 Unfairness 254

6.1.3 Deception 257

6.1.4 The Zoom Case— Complaint 258

6.1.5 The Zoom Case— Settlement 262

6.2 FTC Adjacent Cybersecurity 267

6.2.1 The Attorneys General 267

6.2.2 Self- regulation 268

6.2.3 Product Recalls 270

6.3 The Limits of the Consumer Protection Approach 271

6.3.1 Two Litigation Moats: Standing and Economic Loss 272

6.3.2 The Devil in the Beltway 275

6.4 Conclusion 279

7 Criminal Law 281

7.1 Computer Crime Basics 282

7.2 Computer Crime Incentive Contours 283

7.3 The Political/Economic Cyber Enforcement Strategy 287

7.4 Cybercrime’s Technical Dependencies 291

7.5 The Major Substantive Computer Crime Laws 293

7.5.1 Identity Theft 294

7.5.2 The Computer Fraud and Abuse Act (CFAA) 297

7.5.3 Other Computer Crime Relevant Statutes 309

7.5.4 Digital Abuse 311

7.6 High- Level Investigative Procedure 312

7.6.1 Investigative Dynamics 312

7.6.2 Investigative Process 317

7.6.3 Obtaining the Data 317

7.6.4 Stored Communications, Metadata, Identity, and “Other” 318

7.7 Live Monitoring 324

7.7.1 International Requests and the CLOUD Act 326

7.7.2 National Security Access Options 329

7.8 Conclusion 332

8 Critical Infrastructure 333

8.1 What Is “Critical Infrastructure” 336

8.2 Political Challenges in Securing Critical Infrastructure 341

8.3 Cyber Incident Reporting for Critical Infrastructure Act of 2022 343

8.4 Technical Dynamics 345

8.4.1 What Does CI Designation Mean 345

8.5 NIST Cybersecurity Framework 346

8.5.1 NIST Broken Down 346

8.5.2 Electricity and Cybersecurity 348

8.6 Alternative Approaches to the NIST Cybersecurity Framework 351

8.6.1 Assessments and Audits— They’re Different 352

8.6.2 Requirements- based Standards 352

8.6.3 Process- Based and Controls- Based Standards 354

8.6.4 Privacy != Security 356

8.6.5 Standards Critiques 357

8.7 The Other CISA— Cybersecurity Information Sharing Act of 2015 358

8.7.1 Information- sharing Theory 358

8.7.2 Information- Sharing Practice 360

8.7.3 Provisions of CISA (the Act) 362

8.8 Conclusion 365

9 Intellectual Property Rights 367

9.1 IPR Problems: Context 368

9.1.1 IP Threats 369

9.1.2 Apt1 371

9 2 Protection of Trade Secrets 373

9.2.1 Reasonable Measures for Protecting Trade Secrets 374

9.2.2 Rights Under the DTSA 375

9.2.3 The Electronic Espionage Act (EEA) 378

9.3 Copyright and Cybersecurity 379

9.3.1 The DMCA and Critical Lessons for Software Testing 385

9.4 Online Abuse and IP Remedies 385

9.4.1 Public Law Remedies for Abuse 387

9.4.2 Private Law Remedies for Abuse 392

9 5 Conclusion 392

10 The Private Sector 393

10.1 There Will Be Blood: Risk and Business Operations 394

10.2 The Politics of Sovereignty 397

10.2.1 Homo Economicus Meets North Korea 400

10.2.2 Technological Sovereignty 402

10.2.3 Committee on Foreign Investment in the United States 404

10.2.4 Data Localization 405

10.2.5 Export Control 406

10.3 The APT Problem 407

10.4 The Security Breach Problem 411

10.4.1 Trigger Information 413

10.4.2 What Is an Incident? What Is a Breach? 414

10.4.3 Notification Regimes 415

10.4.4 Does Security Breach Notification Work? 420

10.5 Hacking Back: CISA (The Statute) Revisited 421

10.6 The Special Case of Financial Services 425

10.6.1 Gramm Leach Bliley Act (GLBA) 425

10.7 Publicly Traded Companies and Cybersecurity 430

10.7.1 Material Risks and Incidents 431

10.7.2 SEC Enforcement 432

10.7.3 The Board of Directors 434

10.8 Cybersecurity Insurance 437

10.8.1 Insurer Challenges 438

10.8.2 Buying Insurance 439

10.9 Conclusion 440

IV Cybersecurity and the Future

11 Cybersecurity Tussles 443

11.1 A Public Policy Analysis Method 444

11.2 Software Liability: Should Developers Be Legally Liable for Security Mistakes? 446

11.3 Technical Computer Security Versus Cybersecurity Revisited 449

11.3.1 The Criminal Law Alternative 450

11.3.2 The Consumer Law Approach 451

11.3.3 The Industrial Policy Approach 451

11.4 Encryption and Exceptional Access 453

11.5 Disinformation Revisited 457

11.5.1 Racist Speech and Cybersecurity 460

11.5.2 What Expectations About Disinformation Are Reasonable? 461

11.6 Conclusion 461

12 Cybersecurity Futures 463

12.1 Scenarios Methods 464

12.2 Even More Sophisticated Cyberattacks 465

12.3 Quantum Computing 466

12.4 Automaticity and Autonomy: Artificial Intelligence and Machine Learning 467

12.5 The Data Trade and Security 470

12.6 The Sovereign Internet 471

12.7 Outer Space Cyber 473

12.8 Classification Declassed 475

12.9 Attribution Perfected or Not 476

12.10 Conclusion 476

V Further Reading and Index

Further Reading 481

Index 495

Erscheinungsdatum
Verlagsort New York
Sprache englisch
Maße 208 x 257 mm
Gewicht 1497 g
Themenwelt Informatik Netzwerke Sicherheit / Firewall
Informatik Theorie / Studium Kryptologie
ISBN-10 1-394-26244-2 / 1394262442
ISBN-13 978-1-394-26244-1 / 9781394262441
Zustand Neuware
Haben Sie eine Frage zum Produkt?
Mehr entdecken
aus dem Bereich
Das Lehrbuch für Konzepte, Prinzipien, Mechanismen, Architekturen und …

von Norbert Pohlmann

Buch | Softcover (2022)
Springer Vieweg (Verlag)
34,99
Management der Informationssicherheit und Vorbereitung auf die …

von Michael Brenner; Nils gentschen Felde; Wolfgang Hommel

Buch (2024)
Carl Hanser (Verlag)
69,99

von Chaos Computer Club

Buch | Softcover (2024)
KATAPULT Verlag
28,00