CYSE 406

Cyber Law

Students will gain a broad knowledge of constitutional, civil, criminal, and related legal considerations that arise in the context of work or citizenship in an increasingly cyber/digital world.   Whether the student seeks a career in the public or private sector, the student will gain insight into both the limits and authorities on government or private sector activities, from the creation and protection of intellectual property, to the investigation of unlawful cyber activities, to the considerations of cyber operations in an increasingly dangerous world.  This broadened awareness will help students successfully navigate and strengthen personal and professional choices as they move ahead.

Course Material

Assignment 1 – The Importance of Consumer Data Protection

Data protection and privacy have been a relatively hot topic since the Freedom Act, but lately, as the world relies more and more on technology and the internet, the subject has been pushed into a strong spotlight. Companies today are collecting more data on their customers and users than ever before, and the United States is lacking in rights and protections for certain types of data. Companies collect data on their consumers for three main reasons: they need the information to complete some type of transaction, they use it to smooth the experience for the user, or, in the case of companies like social media platforms, they collect it to sell to advertisers, who can then send specifically targeted ads to increase the chances of clicks and sales.

This, however, leads to large amounts of data about people, such as their race, name, age, address, and even credit card information, that these companies are responsible for, yet only some of that information, such as medical records, financial records, and educational records, are they federally required to encrypt and protect. Breaches can and will happen to these companies; if the information is unencrypted, it can then be sold and used for credit card fraud, identity theft, and more. However, even if the information is encrypted, that does not mean it is safe forever. Certain bad actors will still buy encrypted data and store it in large databases in the hope that better technology, specifically quantum computers, becomes cheaper and widely available, which would be able to crack most of our hashing algorithms in days, hours, or even minutes. Currently, if a breach like this happens, there is nothing we can do about it at the state level, apart from medical, financial, and educational data.

When discussing data privacy and security, a few terms pop up that are not exactly straightforward. The main privacy issue concerns information such as PII, or personally identifiable information, which includes anything that could allow someone holding that information to find the person, such as name, face, address, religious beliefs, and work address. Generally, more than one piece of information is needed to identify the person.

Three terms that often get confused with one another are authentication, authorization, and identification. Authentication is the verification of one's identity, making sure that someone is who they say they are. Authorization is what abilities and access such an individual has once on the system. Finally, identification is the process by which a user identifies themselves, usually with a username. Biometric data is any data that relates to physical features, usually unique to a person, that is typically used for authentication. Typically these are fingerprints, facial structure, voice, and sometimes the eye, as in retina scanners.

The GDPR is the General Data Protection Regulation put in place by the European Union in 2018 to protect consumers' data and to hold companies responsible for mishandling data, whether in a breach or a leak, even if they are not found responsible for the incident. The GDPR is the biggest regulation for consumers' rights to data protection and privacy. It is the template for other regulations that have popped up since, such as the California Consumer Privacy Act and Virginia's Consumer Data Protection Act. It helped lay the groundwork for basic terms such as Controllers, which are the persons or entities responsible for processing and handling data collection.

A bill like the GDPR might be too large for just one state to enact or enforce properly; I think Virginia's new Consumer Data Protection Act might be a better alternative for a state government. The GDPR is more inclusive and strict against companies but also covers other types of data, such as financial, educational, and medical data, which in the U.S. are handled by HIPAA, GLBA, and FERPA. Virginia's Consumer Data Protection Act offers many of the same rights to citizens as the GDPR, including the right to request deletion or the stopping of data collection, and more.

References

Commonwealth of Virginia. (n.d.). The Virginia Consumer Data Protection Act – oag.state.va.us. Attorney General of Virginia. https://www.oag.state.va.us/consumer-protection/files/tips-and-info/Virginia-Consumer-Data-Protection-Act-Summary-2-2-23.pdf

EU. (2022, September 27). Official Legal Text. General Data Protection Regulation (GDPR). https://gdpr-info.eu/

Pflitsch, M. (2023, May 5). Council post: Quantum computers could make today's encryption defenseless. Forbes. https://www.forbes.com/sites/forbestechcouncil/2023/05/04/quantum-computers-could-make-todays-encryption-defenseless/?sh=62c005108556

Singlemann, C. (2023, July 5). GDPR US equivalent: How the US and EU compare on data privacy laws. Thoropass. https://thoropass.com/blog/compliance/gdpr-us-equivalent/

Assignment 2 – M

In your research, review existing (within past 6 years) and proposed U.S. or individual state (that might be a good model for federal legislation) cybersecurity laws and then identify one such law that you think is important.  This assignment is designed to be written as a memo sent to a State representative.

MEMORANDUM

TO REP

FROM CARTER

RE: Research information regarding certain cybersecurity laws.

Date: 11/26/2023

In response to your request for information and expertise on cybersecurity laws, I have identified one interesting law regarding cybersecurity: the Hack Your State Department Act. This act did not pass Congress; its goals were to expand cybersecurity defense and testing to researchers and private companies through a defined process.

Hack Your State Department Act H.R.328

  1. Requires the Department of State to establish and publicize a Vulnerability Disclosure Process to help address cybersecurity vulnerabilities and weaknesses possibly present in the State Department. The State Department must create the program and report to Congress on how it would work.
  2. Also requires the State Department to start a bug bounty program offering compensation to approved "white hat" hackers and organizations to help identify vulnerabilities.

This bill attempted to improve the cybersecurity defenses of the State Department. It would have worked on two fronts. First, the Vulnerability Disclosure Process would be a system for vetted cybersecurity professionals to test the State Department's vulnerabilities, relying on the person's altruism. This process would include guidelines on how to test and conduct the research on the State Department, to avoid any legal issues while testing or hacking it.

The second half of the program would have been a slightly more open bug bounty program. Bug bounty programs are a way for anyone with cybersecurity or programming skills to attempt to hack the State Department and then report how they did it in exchange for compensation.

This can bring a wider range of hackers, from normal researchers to self-taught teenagers like David Dworken who hacked the Pentagon.

The idea behind the Hack Your State Department Act originated from the successful short pilot program Hack the Pentagon. This program ran only from April 12, 2016 to May 18, 2016 and invited over 1,400 hackers, 250 of whom submitted bug reports; almost 150 of those were eligible for compensation. One of those hackers was 18-year-old David Dworken, a high school student who spent time in class hacking the Pentagon. This program, according to the Secretary of Defense, was significantly more cost-effective than the normal channels of discovering vulnerabilities and bugs. The program cost only about $150,000, while a rough estimate of the work accomplished, if done by a private firm, could have run into the millions. After obtaining all the reports, the Pentagon worked with a company called HackerOne to help patch and fix the vulnerabilities. Secretary of Defense Ash Carter is a firm believer in these bug bounty programs and believes that there should be a proper way for researchers and private organizations to be involved in national security.

Where I believe this bill could be expanded is that a third program should be added for schools, where teenagers can learn cybersecurity and better online practices and potentially even run their own small bug bounty program on their website. Such a program would encourage teenagers to be aware of security online and teach them important cyber skills needed for the future.

I believe that this bill can be brought back before Congress and can pass; these programs have been proven to work and are cost-effective. This improves our national security and encourages more citizens and non-government organizations to be involved in it. The addition of a high school program or class could generate a whole new line of cybersecurity professionals leaving high school with experience in penetration testing and bug finding. This act can strengthen our communities and security while also informing the newer generation and encouraging them to be more aware of their cyber actions and practices.

https://www.congress.gov/bill/116th-congress/house-bill/328

https://www.dhs.gov/news/2022/04/22/hack-dhs-program-successfully-concludes-first-bug-bounty-program

https://www.defense.gov/News/News-Stories/Article/Article/802828/carter-announces-hack-the-pentagon-program-results/#:~:text=More%20than%20250%20participants%20submitted,%2C%20cost%20%24150%2C000%2C%20Carter%20said.

https://www.govtrack.us/congress/bills/115/hr5433