Amending the ECPA to Enable a Culture of Cybersecurity Research

TABLE OF CONTENTS

I. INTRODUCTION
II. THE UNIQUE PROMISE OF TECHNICAL RESEARCH IN IMPROVING CYBERSECURITY
   A. Defining Cybersecurity
   B. Defending Against Known Threats: The Inadequacy of Prevention
   C. The Limits of Deterrence
   D. Adapting to Evolving Threats Through Detection and Resilience: The Case for Focusing on Technical Research
III. HOW COMMUNICATIONS PRIVACY LAW LIMITS CYBERSECURITY RESEARCH
   A. Communications Privacy Law
      1. Wiretap Act
      2. Stored Communications Act
      3. Pen/Trap Statute
      4. State Laws
      5. Gaps
   B. Institutions
IV. COPING WITH THE DEARTH OF CYBERSECURITY DATA
   A. Scientific Goals of Data Sharing
   B. Data Needs: A Picture of the Ideal
   C. Public Releases
      1. Non-Content Data
      2. Communications Contents
   D. Private Access
V. A PRIVACY-PRESERVING FRAMEWORK FOR CYBERSECURITY RESEARCH
   A. Requirements for a Cybersecurity Research Exception to the ECPA
   B. Institutions
   C. Creating New Threats?
VI. CONCLUSION

I. INTRODUCTION

Computer and network security (together, "cybersecurity") have become matters of major economic, social, and national security importance. Computer networks have joined other systems like transportation, energy, defense, and health care that are critical to the functioning of the national economy. (1) Indeed, computer networks are the "nervous system" that ties together and controls these other components of our national infrastructure. (2) Increasingly sophisticated network attacks, however, constantly threaten this infrastructure and the activities that rely on it. These attacks do not simply damage an isolated machine, or disrupt an individual's or single enterprise's access to the Internet. Instead, modern attacks threaten to target infrastructure that is integral to the economy, national defense, and daily life. (3)

Although society has benefited from innovative applications that connect people and devices via the Internet, (4) malicious parties have taken advantage of the Internet's connectivity by exploiting technological and human vulnerabilities to perpetrate attacks for personal, financial, and political gain. (5) The FBI estimated in 2005 that cybercrime costs the United States $67.2 billion annually. (6) But the risks of insecurity go beyond financial damage. For example, Estonia endured a massive flood of Internet traffic in 2007, which crippled networks within the country, leading to a shutdown of banks and other services. (7) In 2003, the "Slammer" worm spread rapidly across the Internet, shutting down South Korea's "entire Internet system" and disrupting ATM transactions in the United States. (8) The following year, the "Witty" worm deleted random data from the hard drives of the hosts it infected worldwide. (9) As networked devices--not only personal computers but cell phones, appliances, and even the materials in buildings--become pervasive, (10) the potential for harm from successful attacks will continue to grow. Although the United States has not suffered major Internet physical infrastructure outages as a result of cyberattacks, attempts to defeat the defenses of critical information systems are relentless. (11) Understanding how to detect and defend against such attacks is an active research area within computer science, (12) and technical research (13) in this area is, in turn, a central element of national cybersecurity policy. (14)

The era of network-wide attacks began in 1988, when the "Internet Worm," a program that replicated itself from one networked computer to another without human intervention, quickly spread to an estimated five to ten percent of computers connected to the Internet. (15) The Worm exploited flaws in individual computers, traversing their networks without regard to organizational boundaries, and quickly spread from one organization's network to another. The response to the Worm also crossed institutional boundaries, with researchers and administrators sharing alerts and suggestions for mitigation with their peers at other organizations. …