Investing in a Centralized Cybersecurity Infrastructure: Why "Hacktivism" Can and Should Influence Cybersecurity Reform

This Note recommends that Congress draftcybersecurity reform legislation in line with President Obama's May 2011 Cybersecurity Legislative Proposal, rather than the House Republican Cybersecurity Task Force's October 2011 Proposal. The former proposal's emphasis on centralized regulation under the Department of Homeland Security (DHS) more accurately accounts for the nature of threats posed in cyberspace, including hacktivist groups like the online hacker collective Anonymous who have become the most prominent actors in cyberspace over the last few years. This Note advocates that Congress expressly account for Anonymous in drafting cybersecurity legislation because doing so will deliver an array of otherwise-desirable policy goals.In arriving at these conclusions, this Note explores in detail the history of hacking, hacktivism, and Anonymous. Additionally, it briefly surveys the panoply of current legal mechanisms governing cyberspace. Finally, this Note will advocate for the inclusion of several key elements in any cybersecurity reform legislation, whether or not Congress chooses a DHS-centric model.INTRODUCTIONOf the many topics President Obama was expected to address head-on in the opening stage of his presidency, only political and industry insiders could have guessed that cybersecurity would be one. Surely, President Obama's selfdesignated mandate upon taking office - "Change" - pertained to the tanking global economy and the prolonged wars in Iraq and Afghanistan. Attention to those gargantuan problems, the American public might have thought, should prevent talk of just about anything else.Nevertheless, in late May 2009, barely four months after taking his presidential oath, Obama delivered a blunt, urgent speech on securing our nation's cybersecurity network.1 Partially spurred into action after becoming a victim of a cyberattack himself,2 President Obama stated that cyberattacks3 constitute "one of the most serious economic and national security challenges we face as a nation."4 The President also made clear a belief that has been widely agreed upon by commentators for nearly two decades: "We're not as prepared as we should be, as a government or as a country [for a cyberattack]. . . . This status quo is no longer acceptable - not when there's so much at stake. We can and we must do better."5These statements beg the question: Three years later, has the status quo changed? Are we better equipped in 2012 than we were in 2009 to protect the United States from cyberattacks? Even an optimistic reader of recent news headlines would answer, "No."Consider the following stories. In December 2010, hackers prevented user access to PayPal - a leading online global payment company - for a four-day period by executing a distributed denial of service (DDoS) attack on the PayPal website.6 The hackers who took credit for the attack announced that PayPal deserved retribution for its wrongful suspension of WikiLeaks' donation account following the latter's online release of highly classified U.S. State Department documents.7In April 2011, Sony's PlayStation Network - an online gaming community for the company's top-selling video game console - was the victim of a more intrusive cyberattack.8 Hackers breached security safeguards to steal data from each of the PlayStation Network's seventy-seven million individual user accounts, including birthdates and credit card numbers.9 Upon discovering the breach,10 Sony promptly shut down the PlayStation Network for more than a month in order to conduct a thorough security and damage assessment.11 Sony estimated that the cyberattack caused approximately $170 million in losses for the company.12 In the weeks preceding the cyberattack, the hackers alleged to be responsible had taken to the blogosphere to declare war on Sony for its decision to sue a hacker in January 2011 for publishing the PlayStation 3 console code obtained from reverse-engineering the device. …