The lectures and readings listed here are subject to change, including in response to current events (i.e., major news items).
Tuesday, September 03
Introduction
Steve, Evan, Jay
Concepts:
Introduction to computer security, and the perspectives on its problems and solutions from technology, policy, and law.
Readings:
- Orin S. Kerr. How to read a legal opinion: A guide for new law students. The Green Bag, 11(1), Autumn 2007. Second series. (Optional reading). [ http ]
- Barry M Leiner, Vinton G Cerf, David D Clark, Robert E Kahn, Leonard Kleinrock, Daniel C Lynch, Jon Postel, Larry G Roberts, and Stephen Wolff. A brief history of the internet. ACM SIGCOMM Computer Communication Review, 39(5):22–31, 2009. [ http ]
- Jason Faulkner. Online security: Breaking down the anatomy of a phishing email. How-to Geek, April 13 2011. [ http ]
- Brian Krebs. Tools for a safer PC. Krebs on Security, 2012. [ http ]
- Oscar Celestino Angelo Abendan II. Gateways to infection: Exploiting software vulnerabilities. TrendMicro Threat Encyclopedia, September 3, 2012. [ http ]
- Neil DuPaul. Common malware types: Cybersecurity 101. Veracode Security News, October 12, 2012. [ http ]
- Paul Tero. A comprehensive guide to firewalls. Smashing Magazine, January 30, 2013. [ http ]
- Andrew Tarantola. VPNs: What they do, how they work, and why you're dumb for not using one. Gizmodo, March 26, 2013. [ http ]
- Kim Zetter. Hacker lexicon: What is a zero day? Wired, November 11, 2014. [ http ]
- Gregory Krieg and Tal Kopan. Is this the email that hacked John Podesta's account? CNN, October 30, 2016. [ http ]
- Video for the 'How the Internet Works' lecture
- How Computers Work: The CPU and Memory
- A Glossary of Common Cybersecurity Terminology
- Rus Shuler, How Does the Internet Work?, 2002
- The Internet Backbone
- What are DDoS Attacks? DDoS Explained, 2012
- Notable attacks throughout history
- What is a firewall?, 2013
- The Dark Web, Explained, 2013
- Intrusion Detection System (IDS)
- Understanding Intrusion Detection Systems
Tuesday, September 10
Cryptography Tutorial
Steve (Jay and Evan optional)
Concepts:
A more detailed discussion to ensure common knowledge among the students on deeper topics, including:
- What is cryptography?
- Symmetric and public key cryptography
- Public key infrastructure, certificates, and digital signatures
- Authentication
- The role of bugs in computer (in)security
Readings:
- Whitfield Diffie and Martin E. Hellman. Exhaustive cryptanalysis of the NBS data encryption standard. Computer, 10(6):74–84, June 1977. [ http ]
- R. M. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, December 1978. [ http ]
- Whitfield Diffie and Susan Landau. Privacy on the Line: the Politics of Wiretapping and Encryption. MIT Press, Cambridge, MA, second edition, 2007. Chapters 2–7. [ http ]
Tuesday, September 17
Evan (Steve and Jay optional)
Students form into groups
Readings:
- Frank H. Easterbrook. Cyberspace and the law of the horse. University of Chicago Legal Forum, 1996. [ http ]
- N. Eric Weiss and Rena S. Miller. The Target and other financial data breaches: Frequently asked questions. CRS Report for Congress R43496, Congressional Research Service, February 4, 2015. [ .pdf ]
- Jeff Kosseff. Defining cybersecurity law. Iowa L. Rev., 103:985, 2017. [ http ]
- SEC. Commission statement and guidance on public company cybersecurity disclosures, February 21, 2018. pp. 1–7. [ .pdf ]
- 2019 Data Breach Investigations Report
Focus on the Easterbrook and Kosseff articles and review the other ones.
Tuesday, September 24
Cyber Preparedness and Cyber Critical Infrastructure Protection
Evan or Evan and Jay (Steve probably absent)
Evan’s “regulatory requirements” section plus new material on ISACs, ISAOs, CISA
Concepts:
- Identifying critical infrastructure
- Government/private partnerships
- ISACs, ISAOs, etc.
- Legal framework
- GDPR § 82
Tuesday, October 01
Attribution; Open Discussion
Jay and Evan; Steve absent
Readings:
- Jason Healey. Beyond attribution: Seeking national responsibility for cyber attacks, January 2012. [ .PDF ]
- Mandiant. APT1: Exposing one of China's cyber espionage units. White paper, 2013. [ .pdf ]
- Thomas Rid and Ben Buchanan. Attributing cyber attacks. Journal of Strategic Studies, 38(1-2):4–37, 2015. [ DOI | arXiv | http ]
Tuesday, October 08
Incident Response
Evan and Jay (Steve optional)
Evan’s “incident response” section plus Jay’s “incident response at the national level”
Readings:
- Paul Cichonski, Thomas Millar, Tim Grance, and Karen Scarfone. Computer security incident handling guide. SP 800-61 Rev. 2, NIST, August 2012. [ http ]
- Barack Obama. Presidential Policy Directive—United States cyber incident coordination. PPD 41, July 26, 2016. [ http ]
- DHS. National cyber incident response plan, December 2016. Skim. [ .pdf ]
- SEC. Commission statement and guidance on public company cybersecurity disclosures, February 21, 2018. pp. 7–24. [ .pdf ]
- FS ISAC
- GDPR § 33
Thursday, October 10
Homework due:
Tuesday, October 15
Understanding Cyber Conflict
Jay (Evan and Steve optional)
Concepts:
This class will cover some history of cyber conflict and important
topics such as attribution and the advantages and dangers of cyber
conflict.
Readings:
- Richard B. Gasparre. The Israeli 'E-tack' on Syria–Part I. Air Force Technology.com, March 9, 2008. [ http ]
- Richard B. Gasparre. The Israeli 'E-tack' on Syria–Part II. Air Force Technology.com, March 10, 2008. [ http ]
- Ralph Langner. To kill a centrifuge: A technical analysis of what Stuxnet's creators tried to achieve, November 2013. [ .pdf ]
- Jason Healey. Learn cyber conflict history, or doom yourself to repeat it. Armed Forces Journal, December 17, 2013. [ http ]
- Phil Muncaster. ICS-CERT three year BlackEnergy attack on industrial control systems. Infosecurity Magazine, October 29, 2014. [ http ]
- Kelly Jackson Higgins. Lessons from the Ukraine electric grid hack. Information Week, March 18, 2016. [ http ]
Tuesday, October 22
Open Discussion or Wargame
Steve?
- Possibly invite one or more speakers for first hour
- Student groups discuss and decide paper topics in second hour
Tuesday, October 29
Homework due:
- Paper Topic (Group Paper Topic)
US Cyber Conflict Strategy: Persistent Engagement
Jay (Evan and Steve optional)
Readings:
- Michael P Fischerkeller and Richard J Harknett. Deterrence is not a credible strategy for cyberspace. Orbis, 61(3):381–393, 2017. [ http ]
- US Cyber Command. Achieve and maintain cyberspace superiority, February 2018. [ .pdf ]
- Paul M. Nakasone. A cyber force for persistent operations. Joint Force Quarterly, 92, 1st Quarter 2019. [ http ]
- Jason Healey. The implications of persistent (and permanent) engagement in cyberspace. Journal of Cybersecurity, 5(1), August 2019. [ DOI | arXiv | http ]
Tuesday, November 05
Fall Break—no class
Tuesday, November 12
Homework due:
Cryptography and Exceptional Access
Steve (Evan and Jay optional)
Invite Dan Richman
Concepts:
- What rights and responsibilities do law enforcement have to devices and communications?
- What rights and responsibilities do individual citizens have?
- How will this be affected by new technologies?
- What are the trade-offs between computer security and societal security? How do these choices affect privacy and innovation?
- What is the "right" mix? Can there be one?
Readings:
- Matt Blaze. My life as an international arms courier, January 1995. [ .txt ]
- Robert Post. Encryption source code and the First Amendment. Berkeley Technology Law Journal, 15(2):713–723, 2000. [ http ]
- Whitfield Diffie and Susan Landau. Privacy on the Line: the Politics of Wiretapping and Encryption. MIT Press, Cambridge, MA, second edition, 2007. Chapter 9. [ http ]
- James B. Comey and Sally Quillian Yates. Going dark: Encryption, technology, and the balances between public safety and privacy. Statement before the Senate Judiciary Committee, July 8, 2015. [ http ]
- Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael A. Specter, and Daniel J. Weitzner. Keys under doormats: Mandating insecurity by requiring government access to all data and communications. Journal of Cybersecurity, 1(1), September 2015. [ DOI | http ]
- Report of the Manhattan District Attorney's Office on smartphone encryption and public safety, November 2015. [ .pdf ]
- House Judiciary Committee & House Energy and Commerce Committee. Encryption working group year-end report, December 20, 2016. [ .html ]
- Matthew Kahn. Deputy Attorney General Rod Rosenstein remarks on encryption. October 10, 2017. [ http ]
- Carnegie Foundation. Moving the encryption policy conversation forward, September 2019. [ http ]
- Jim Baker. Rethinking encryption. Lawfare, October 22, 2019. [ http ]
- United States v. Bernstein (opinion withdrawn, 192 F.3d 1308 (9th Cir. 1999))
- Proposed rule change: "Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items"
Tuesday, November 19
Homework due:
- Scoping paper (Group paper)
Steve and Evan (Jay optional)
Concepts:
- International law on espionage
- Mutual Legal Assistance Treaties
- PCLOB reports on Sections 215 and 702
- What rights and responsibilities do law enforcement have to devices and communications?
Readings:
- Vassilis Prevelakis and Diomidis Spinellis. The Athens affair. IEEE Spectrum, 44(7):26–33, July 2007. [ http ]
- Privacy and Civil Liberties Oversight Board. Report on the telephone records program conducted under Section 215 of the USA PATRIOT Act and on the operations of the Foreign Intelligence Surveillance Court, January 23, 2014. Parts 1–3 only. [ http ]
- Privacy and Civil Liberties Oversight Board. Report on the surveillance program operated pursuant to Section 702 of the Foreign Intelligence Surveillance Act, July 14, 2014. Parts 1–3 only. [ .pdf ]
- Ellen Nakashima and Andrea Peterson. The British want to come to America—with wiretap orders and search warrants. Washington Post, February 4, 2016. [ .html ]
Tuesday, November 26
Collective Defense, International Law, and Norms
Evan and Jay (Steve optional)
Readings:
- Department of Defense. Law of war manual, December 2016. Chapter 16. [ http ]
- Matthew Waxman. U.K. outlines position on cyberattacks and international law. Lawfare, May 23, 2018. [ http ]
- Global Citizen. Microsoft and global citizen call for real policy action on digital peace, October 26, 2018. [ http ]
- French Foreign Ministry. Cybersecurity: Paris call of 12 November 2018 for trust and security in cyberspace, November 12, 2018. [ http ]
- Alex Grigsby. The United Nations doubles its workload on cyber norms, and not everyone is pleased. Council on Foreign Relations (blog), November 15, 2018. [ http ]
- Cybersecurity Tech Accord. One year later: A cybersecurity commitment shared by more than 100 companies, May 9, 2019. [ http ]
- Paul Rosenzweig. Preliminary observations on the utility of measuring cybersecurity. Lawfare, August 6, 2019. [ http ]
- US Department of State. Joint statement on advancing responsible state behavior in cyberspace, September 23, 2019. [ http ]
- Michael Schmitt. The Netherlands releases a tour de force on international law in cyberspace: Analysis. October 14, 2019. [ http ]
Tuesday, December 03
Group Presentations
Steve, Evan, Jay
Invite Rattray and members of NY Cyber Task Force to help judge presentations
Tuesday, December 17
Homework due:
- Final paper (Group paper)