This document outlines the agenda and topics for the Cybersecurity Law and Policy Summit One event in Spring 2021. The schedule includes introductory lectures, presentations from guest speakers Kenneth Geers and Jamil Jaffer, and group work sessions. Discussion topics focus on analogizing frameworks like the War Powers Resolution to regulate cyber operations, and debates around adopting international cyber arms control treaties. The document provides background on tensions in cyberspace mirroring geopolitical issues, cyber incidents influencing public opinion, and high-profile attacks like SolarWinds. It examines challenges applying international law to espionage and questions of monitoring compliance in any cyber arms control agreements.

1. Cybersecurity Law and Policy
Summit One
Spring 2021
Prof. David Opderbeck
© 2020 - 2021 David W. Opderbeck
Creative Commons Attribution / Share-Alike

2. Introduction
Block Activity
1:15 – 2:15 Intro, Lecture
2:15-2:30 Break
2:30-3:00 Group Work Set Up
3:00 – 4:00 Kenneth Geers
4:00 – 4:15 Break
4:15 – 5:00 Group Work
5:00 – 6:00 Jamil Jaffer
6:00 – 6:15 Break
6:15 – 7:15 Group Work Reports; Preview Upcoming
Weeks

3. •“[W]herever there is historical
tension in the ‘real world’, there is
now parallel tension in cyberspace.”
– Kenneth Geers

4. Dynamics of Cyber Incidents
• After the Cold War, a new East vs. West: Russia, China – and North
Korea and Iran – vs. the U.S.
• Some activity in other Asian countries: India, Vietnam
• Cyber Incidents often follow on other international incidents
• Increasing efforts to influence the democratic process / public opinion

5. Tools of Information and Influence
• Signals Intelligence (SIGINT): information
from “public” sources
• Espionage: gathering of private or classified
information, including through human
intelligence (HUMINT)
• Propaganda: non-objective information,
often misleading, to publicize a viewpoint
• Diplomacy: managing international relations
through designated representatives
• Soft power: exertion of economic or cultural
influence
• Hard power: economic or military coercion

6. Cyber Infrastructure and National Security
• Cyber infrastructure is essential to every aspect of
• The national and international economy
• Military systems and national defense
• Cultural exchange, speech, and private association
• Most critical cyber infrastructure is privately owned
• “Code” layer is open by design

7. • Live cyber threat maps:
• https://www.fireeye.com/cyber-map/threat-map.html
• Side note: 12/2020 attack on FireEye
• https://cybermap.kaspersky.com/

9. March 15, 2018 CERT Report

10. April 3, 2018 News Report
“A cyber attack that hobbled the electronic communication system used
by a major U.S. pipeline network . . . .” (Bloomberg News)

11. February 2021 – Florida
Water Treatment Plant
• Plant operator noticed someone was controlling his
screen
• Hacker adjusted level of sodium hydroxide (lye) which
is used in small amounts to regulate water PH.
• COTS Remote Access Tool (RAT) used (remote
workers)
• All computers used same password for remote access
• Computers connected to Internet with no firewall
• Computers at facility also used 32-bit version of
Windows 7

12. SolarWinds

13. 2020 U.S. Cyberspace Solarium Commission
Report
• Operationalize Cybersecurity Collaboration with the Private Sector. Unlike
in other physical domains, in cyberspace the government is often not the
primary actor. It must support and enable the private sector. The
government must build and communicate a better understanding of
threats, with the specific aim of informing private-sector security
operations, directing government operational efforts to counter malicious
cyber activities, and ensuring better common situational awareness for
collaborative action with the private sector. While recognizing that private-
sector entities have primary responsibility for the defense and security of
their networks, the U.S. government must bring to bear its unique
authorities, resources, and intelligence capabilities to support these actors
in their defensive efforts.

14. 2020 U.S. Cyberspace Solarium Commission
Report
• Preserve and Employ the Military Instrument of National
Power. Future crises and conflicts will almost certainly contain a cyber
component. In this environment, the United States must defend
forward to limit malign adversary behavior below the level of armed
attack, deter conflict, and, if necessary, prevail employing the full
spectrum of its capabilities. Conventional weapons and nuclear
capabilities require cybersecurity and resilience to ensure that the
United States preserves credible deterrence and the full range of
military response options. Across the spectrum from competition to
crisis and conflict, the United States must ensure that it has sufficient
cyber forces to accomplish strategic objectives through cyberspace.

15. International Law for Cybersecurity
•There is no international cybersecurity
treaty
•International law of war may apply

16. Legal Frameworks: War, Espionage, and
Domestic Law
• International Law
• Conduct of War: UN Convention
• Espionage: unclear
• Maybe covered by some human rights norms
• Maybe covered by some aspects of customary international law
• But here, “everybody does it” matters
• Domestic Law of Foreign Nations
• Espionage activities are usually crimes, but seldom prosecuted even if
attribution / extradition is possible

17. Cyber Arms Control?
• Difficult Because:
• It is difficult to measure the relative strength of states in cyberspace;
• There is uncertainty regarding the military effects of cyber
technology;
• The challenges of monitoring compliance; and
• Difficulties with enforcement.
From: Borghard and Lonergan, Why are
There No Cyber Arms Control
Agreements, CFR January 16, 2018

19. Group Work
• Should some framework
analogous to the WPR be adopted
for cyber operations? What kind
of details should it include? How
would you address the kinds of
Constitutional issues raised by the
WPR?
• Should the international
community adopt a cyber arms
control treaty? What limits should
it contain? If such a treaty were
adopted, should the U.S. accede
to it?

20. WPR Framework
Congress: Power to
Declare War; Power of
the Purse
President: Commander-in-Chief
WPR
Hostilities short of declared
war:
• Notify Congress
• Forces must be
withdrawn after 60 days
if Congress does not
issue an AUMF
Constitutional Issues with WPR
• Congress’ power to enact (N&P?)
• Separation of Powers – President’s inherent power to employ military
short of war
• Legislative Veto

21. Kenneth Geers

23. Group Work
• Should some framework
analogous to the WPR be adopted
for cyber operations? What kind
of details should it include? How
would you address the kinds of
Constitutional issues raised by the
WPR?
• Should the international
community adopt a cyber arms
control treaty? What limits should
it contain? If such a treaty were
adopted, should the U.S. accede
to it?

25. Jamil Jaffer

26. • Group Presentations
• Looking Ahead

27. Wrap Up