Rethinking the Government’s Role in Private Sector Cybersecurity

By Devon H. Draker, University of Maine School of Law, class of 2023 [1]

Abstract

Cyber-attacks on the private sector, through the theft of trade secrets and ransomware attacks, threaten US interests at a federal level by undermining US economic competitiveness and funding groups with interests adverse to those of the US. The federal government can regulate cyberspace under the Commerce Clause, but the current cybersecurity regulatory landscape is ineffective in addressing these harms. It is ineffective because legislation is either bad-actor focused, punishing the proverbial “hacker” (an approach with no teeth given the limits of jurisdictional reach), or victim focused, punishing the attacked company in hopes of motivating the development of sufficient safeguards. The missing puzzle piece in solving this issue is “intelligence.” Intelligence in military terms is the process of combining information to create an actionable plan that anticipates what the enemy will do based on operational factors. The utility of intelligence in cyberspace is that it gives companies the ability to anticipate not only when they may be attacked, based on trends in their sector, but also what methods would likely be used to carry out the attack. There are two ways that cybersecurity intelligence could be achieved. The first approach involves integrating cybersecurity units from the United States Military into the private sector to collect information on attacks and provide intelligence to private sector companies based on that information. This approach also allows the US Military to maintain its proficiency in the cyberspace domain, which is a rising concern for US military leaders. The second approach involves expanding the Cybersecurity and Infrastructure Security Agency’s (CISA) regulatory powers to enact mandatory reporting regulations for more than just “critical infrastructure.” Each approach has its own drawbacks, but both offer significant advantages as compared to the current regulatory landscape.


Digitizing the Fourth Amendment: Privacy in the Age of Big Data Policing

Written by Charles E. Volkwein

ABSTRACT

Today’s availability of massive data sets, inexpensive data storage, and sophisticated analytical software has transformed the capabilities of law enforcement and created new forms of “Big Data Policing.” While Big Data Policing may improve the administration of public safety, these methods endanger constitutional protections against warrantless searches and seizures. This Article explores the Fourth Amendment consequences of Big Data Policing in three parts. First, it provides an overview of Fourth Amendment jurisprudence and its evolution in light of new policing technologies. Next, the Article reviews the concept of “Big Data” and examines three forms of Big Data Policing: Predictive Policing Technology (PPT); data collected by third-parties and purchased by law enforcement; and geofence warrants. Finally, the Article concludes with proposed solutions to rebalance the protections afforded by the Fourth Amendment against these new forms of policing.

Say “Bonjour” to New Blanket Privacy Regulations?

The FTC Considers Tightening the Leash on the Commercial Data Free-for-All and Loose Data Security Practices in an Effort to Advance Toward a Framework More Akin to the GDPR

By Hannah Grace Babinski, class of 2024

On August 11, 2022, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPR) concerning possible rulemaking surrounding “commercial surveillance” and “lax data security practices”[1] and established a public forum date of September 8, 2022.[2] The FTC’s specific objective for issuing this ANPR is to obtain public input concerning “whether [the FTC] should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.”[3]

Revenge Porn: The Result of a Lack of Privacy in an Internet-Based Society

Comment

By Shelbie Marie Mora, Class of 2023

I. Introduction

Nonconsensual pornography, also referred to as revenge porn, is “the distribution of sexual or pornographic images of individuals without their consent.”[1] Forty-six U.S. states, the District of Columbia, and the U.S. territory of Puerto Rico have adopted revenge porn laws. However, there is no federal law in place that prohibits revenge porn. Several countries around the world have chosen to adopt revenge porn statutes to protect individuals’ privacy rights and prevent emotional and financial harm. Revenge porn is predominantly an issue for women, who are overwhelmingly its targets.[2] Victims whose intimate images are posted online without their consent can suffer major ramifications.

In this paper, I will discuss the rise of revenge porn websites, examine Texas and Vermont’s revenge porn statutes, review case law for each state, and analyze the detriments that the holdings pose to victims of revenge porn. I will next examine Australia, Puerto Rico, and Canada’s revenge porn laws and the penalties imposed for offenders. Lastly, I will assess a failed proposed federal revenge porn law in the United States, discuss where the U.S. falls short on federal legislation, and propose remedies to help protect the privacy of individuals. The United States falls short in revenge porn legislation and must pass a federal law to promote and protect the privacy of Americans and deter this crime.

Life’s Not Fair. Is Life Insurance?

The rapid adoption of artificial intelligence techniques by life insurers poses increased risks of discrimination, and yet, regulators are responding with a potentially unworkable state-by-state patchwork of regulations. Could professional standards provide a faster mechanism for a nationally uniform solution?

By Mark A. Sayre, Class of 2024

Introduction

Among the broad categories of insurance offered in the United States, individual life insurance is unique in a few key respects that make it an attractive candidate for the adoption of artificial intelligence (AI).[1] First, individual life insurance is a voluntary product, meaning that individuals are not required by law to purchase it in any scenario.[2] As a result, in order to attract policyholders, life insurers must convince customers not only to choose their company over other companies but also convince customers to choose their product over other products that might compete for a share of discretionary income (such as the newest gadget or a family vacation). Life insurers can, and do, argue that these competitive pressures provide natural constraints on the industry’s use of practices that the public might view as burdensome, unfair or unethical and that such constraints reduce the need for heavy-handed regulation.[3]

Disclosure of Teen’s Facebook Messages Should be a Red Flag for Us All

Blog

By Will Simpson, Class of 2025

Amidst the fallout of the Supreme Court’s decision on June 24, 2022, to overturn the cornerstone abortion case of 1973, Roe v. Wade, a privacy issue has surfaced: the extent to which digital data can be used against us to prosecute novel forms of criminalized behaviors. To make matters worse, tech giants such as Facebook and Google—who collect and largely control this data—are legally obligated to assist governments with this invasive practice.

Why should we care? While the Fourth Amendment helps protect Americans against unreasonable searches and seizures by the government, private companies are not restricted from archiving our digital data. As a result, the details of our online lives are preserved for potential access by government warrants.

Leaning into CHAOS (Child’s Health and Online Safety Act): Revision to FTC’s Enforcement of COPPA & New Model Rule for Child Advertising

Comment

By Gabrielle Schwartz, Class of 2023

I. Introduction

A wise author once wrote, “I know, up top you are seeing great sights, but down here at the bottom we, too, should have rights.”[1] Dr. Seuss not only understood the importance of inspiring children but believed it was essential to teach children valuable life lessons. As more children turn away from reading as their source of entertainment, they are more likely to be drawn to the allure of the internet. Although the internet’s capabilities may positively impact children, its products, services, and content also carry adverse effects. Many companies, individuals (such as parents), and lawmakers are calling for action to prevent and protect against arguably toxic online content.

Protecting Critical Infrastructure From Cyberattack: Current Issues and Potential Solutions

Written by G. Andrew Ouellette, Class of 2022 

I. Introduction

On February 5, 2021, hackers gained unauthorized access to the control systems of a water treatment facility in Oldsmar, Florida.[1] The Oldsmar facility, located about fifteen miles from Tampa, which hosted the Super Bowl two days later, provides water for businesses and over 15,000 residents.[2] Once inside the computer system, the hackers located the software function controlling the level of sodium hydroxide, commonly known as lye, that is added to the water. They raised the sodium hydroxide level to more than 110 times the standard amount, a concentration that could be fatal to humans if ingested.[3] Luckily, the crisis was averted thanks to the watchful eye of a plant operator, who returned the levels to normal before the change could take effect.[4]

Though no casualties were suffered as a result of the Oldsmar attack, the incident highlights a significant and growing threat to national security, one that the United States is increasingly unprepared to defend against. It is just one example in a long string of cyberattacks on infrastructure in recent years. According to the FBI, reported losses from cybercrime exceeded $3.5 billion in 2019 alone,[5] and experts estimate that global cybercrime costs could reach $10.5 trillion by 2025.[6] Generally, when people think of cyberattacks, they think of data breaches and theft of personal information, given the numerous cases affecting high-profile companies in recent years.[7] However, more serious cyber threats exist, namely cyberattacks that target our nation’s critical infrastructure. Critical infrastructure (CI) is becoming an increasingly attractive target for terrorists and hackers due to both the strategic importance of CI and the “numerous vulnerabilities found within these assets and systems.”[8] Experts have noted that “as industries become more digitally connected, we will continue to see more states and criminals target these sites for the impact they have on society.”[9] A recent report distributed to the Senate Select Committee on Intelligence noted that China, Iran, and Russia all have the ability to launch disruptive cyberattacks on U.S. critical infrastructure, including gas pipelines and electrical grids.[10] Additionally, former Director of National Intelligence Dan Coats has warned that “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”[11]

While the concept of the federal government playing a significant role in protecting CI from attack is not a new one, the increasing interconnectivity of CI to the internet has brought a host of new challenges. Prior to the cyber-era, “the government’s role in protecting infrastructures was relatively justifiable and straightforward, as risks both originated and materialized in the kinetic realm.”[12]  However, risks have multiplied due to an increasing dependence on the internet, as well as the internet itself being classified as CI.[13]  The Covid-19 pandemic has only increased vulnerability with thousands of employees connecting to systems remotely, often with inadequate protection in place.

Rapid development, increasing complexity, and disagreement over the appropriate approach have led to a lag in policy addressing security regulation in this area. The United States, along with other countries, has so far been hesitant to impose strict regulations, instead opting for a “voluntary participation” approach.[14] Recent attacks and an increased reliance on remote connectivity have not only laid bare the shortcomings of the current approach to protecting CI, but have also shown that it is time to adopt stricter regulation to protect against far more serious attacks.

This paper seeks to highlight some of the issues arising out of the current policy approach to protecting CI from cyberattack and propose recommendations in several key areas. Section II will begin by presenting an overview of relevant background information, including how critical infrastructure is categorized, the current landscape of the CI sectors, as well as current vulnerabilities to cyberattack. Next, Section III will briefly cover the policy history of CI protection in the United States with a focus on major developments to highlight how this policy has evolved as well as recent developments in this area. Section IV will explore the current policy approach as well as some of the significant benefits and drawbacks in key areas.

Section V will conclude by building on the topics discussed in the previous sections and present several proposals, including strengthening incentives for companies to build and maintain robust cybersecurity, furthering public-private information sharing, as well as creating a standardized federal cybersecurity requirement for CI sectors.

Ongoing Threat to Children’s Data in the American Education System

Written by Julie Libby, Class of 2022 

Introduction

Privacy regulations have been strengthening worldwide in recent years, but they continue to fall short regarding children’s data in K-12 education, specifically in the United States. Under current federal law, children’s privacy receives only surface-level protection: the law does not require protective measures to defend the mass collection of this vulnerable and valuable class of data. Stronger student privacy regulations are possible by creating a reliable structure that minimizes the threats students face nationwide, informed by an evaluation of leading federal and state laws, the perceived inadequacies of recommended minimums, and developing trends at the state level. In the end, Congress bears the responsibility to enact mandatory minimum protections strong enough that, even if a breach occurs, it cannot be attributed to a lack of sufficient protection.

Alexa, I’m Home! – The Risks & Regulation of the Internet of Things

Written by Nora Hanson, Chris Knight, Blake McCartney & Dale Rappaneau, Class of 2022

I. Introduction

There are a variety of definitions of the “Internet of Things” (“IoT”). IoT has been described as “the concept of . . . connecting any device with an on and off switch to the Internet” and/or to another device.[1] It may also be explained as “[t]he interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.”[2] The concept of IoT encompasses many types of devices, including home technologies, wearable devices, and technology used by countless industries such as farming, manufacturing, transportation, and oil and gas.

This paper focuses on IoT in the consumer’s home, a space ripe with privacy considerations. First, this paper considers IoT in the home and the corresponding privacy risks. Next, this piece explains the manner in which the United States currently regulates IoT. Finally, this paper considers how the United States will regulate IoT moving forward.