Untold Benefits of the “Whole of Government Approach” to Cyber Threats

By: Joe Schottenfeld, JD ‘19

In January, the National Security Division (NSD) of the Department of Justice announced the newest development in its efforts to combat cyber-attacks. Building off of its indictment of a North Korean man in 2018, the Division had started to help identify and alert individuals affected by a longstanding botnet attack. The press release was the latest in a steady stream of cyber-related moves: Since 2014, when NSD indicted five members of the People’s Liberation Army, the Division and DOJ more generally have gone after a growing stream of bad actors around the globe, like the North Korean hackers behind the Sony attack.  These prosecutions have come to represent one of the US Government’s most significant responses to cyber threats. READ MORE >>

Facebook's Information-Operations Dilemma

By: Nikita Lalwani, JD ‘20

After months of denial following the 2016 election, Facebook appears finally to have grasped the magnitude of the threat of information warfare. In January, the company announced that it had deleted some 500 pages and accounts tied to disinformation campaigns originating in Russia. One of the campaigns—aimed at influencing people in Armenia, Azerbaijan, Estonia, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Romania, Russia, Tajikistan, and Uzbekistan—included 289 pages that together had some 790,000 followers. As part of similar efforts, Facebook has also banned a digital marketing group in the Philippines, an online syndicate in Indonesia, and multiple pages, groups, and accounts in Iran. READ MORE >>

Different Kind of Trust: Public-Private Cyber Information Sharing

By: Vigjilenca Abazi, LLM ‘19

Trust is essential for sharing information, especially when it comes to national security secrets. A trust-based relation that facilitates sharing information is hard to build and it would not happen merely because formal rules mandate it. Rather, the ability to show that the shared secrets are safe, that the originator of information retains control over its dissemination, and providing assurances of no misuses are some elements that build trust in due course. At the same time, these elements of trust significantly limit the circles of information sharing as traditionally the wisdom goes that the wider the sharing circle is, the higher the risks of information getting into the wrong hands, increased number of leaks, or other security threats. These tensions are well known in discussions about national security. In fact, we accept that there are inherent trade-offs and we emphasize the salience of sharing information especially when the failure to do so leads to grave consequences for public and national security, as has been the example of 9/11 information silos. READ MORE >>

Election Security: Addressing Critical Issues Before an Ideological Stalemate

By: Jake van Leer, JD ‘20

In the wake of the 2016 election, the “hacking” of U.S. elections was at the forefront of political discussion. Foreign interference sparked numerous congressional inquiries and a high-profile investigation by Special Counsel Robert Mueller. Most hacking-related commentary focused on Russian disinformation campaigns. Fake news and disinformation pose real threats to the integrity of our nation’s political campaigns. However, less attention has been paid to the very real threat of cyberattacks to our election infrastructure. READ MORE >>

Improving Government Response in the Cyber “Wild West”

By: James Fitch, JD ‘21

Even in 2019, three decades into the modern World Wide Web, people still refer to the internet as a “wild west.” And with so many striking similarities between the issues that frame the debate over addressing cyber threats and the tensions that would have sparked clashes in frontier towns 150 years ago, it is not hard to draw the comparison. Private industry representatives frequently bemoan the lack of government intervention and beg for authorization to organize their own reaction, like some kind of twenty-first century vigilante cyber posse. Government officials often respond by pointing to the complexity and newness of the issues to plead for time, prompting others to recommend “deputizing” private cyber defenders in the meantime. These kinds of debates are dispiriting; there has to be a better way than this in a rule of law society. READ MORE >>

Digital Gerrymandering: The Underlying Risk of Private Governance

By: Elizabeth Levin, JD ‘20

In the wake of the 2016 election, scholars, regulators, and private companies were faced with the question of the role of social media in preventing the spread of various forms of misinformation. Media outlets spread news of the rise of “fake news,” and several studies confirmed the role of social media platforms in its spread and influence. The wave of information on the spread of fake news led to a call to arms for social media platforms to counter misinformation and act in ways that were socially responsible. Although not all commentators were as optimistic about platforms’ potential success in tackling fake news and misinformation campaigns, many argued that Facebook had a responsibility to protect its users against fake information. Mark Zuckerberg’s statement before Congress––arguing that Facebook was a technology company, not a media company, and therefore not responsible for regulating news on its platform––was met with backlash. READ MORE >>

Going local: A role for local governments and small businesses in public-private cyber cooperation

By: Gabriella Capone, JD/MBA ‘19

The 2019 Yale Law Cyber Security Forum explored how the public and private sectors can bridge gaps in their cyber security efforts.

This piece focuses on the role of local governments and small enterprises in cross-sector cyber cooperation. While focus was often placed on the larger players in both sectors, bringing smaller actors in each sector into the conversation is a significant opportunity to strengthen shared infrastructure and cooperation. READ MORE >>

Does the United States Need a Cyber Hotline?

By: David Murdter, JD ‘19

American businesses publicly reported over 800 cyberattacks affecting upwards of 1.3 billion customer records in 2018 alone. Such attacks not only threaten the integrity of sensitive customer data, but also may pose serious national security risks, particularly when the targets are companies responsible for managing critical infrastructure. Despite the frequency and severity of these cyberattacks, some of which have resulted in massive and widely publicized data breaches, the regulatory regime governing how companies report and respond to cyberattacks is in many ways underdeveloped. READ MORE >>

Known Unknowns and Unknown Unknowns

By: Adam Pan, JD ‘19

As part of this year’s Yale Cyber Leadership Forum, I gave a short demonstration of a vulnerability in the MD5 hashing algorithm that was exploited by the infamous Flame worm discovered in 2012. To add a bit of dramatic flair, I built the hack into what at first appeared to be a much more innocuous demonstration of the Elliptic Curve Digital Signature Algorithm (ECDSA), an industry-standard encryption suite, before revealing the actual hack that I intended to present. The preparation that went into the demo presented its own challenges and lessons, but it was the reactions to the demos that gave me the most food for thought. As I described the hack, I could see that many of the attendees already had some knowledge of the Flame attack. However, as expected, only a few of the attendees were familiar with the technical details of how Flame worked. READ MORE >>