Spring 2018
This class will use the case method to teach basic computer, network,
and information security from a technology, law, and policy perspective.
Using recent security incidents from the news, we will discuss the
technical aspects of the incident, the legal and policy aspects of the
problem, and business approaches to managing breaches.
Students taking the class will learn about the techniques attackers use,
applicable legal prohibitions, rights, and remedies, and approaches to
managing the risk and aftermath of an attack. This course aims to give
students the tools necessary to understand technological, legal and
policy issues in current cybersecurity debates.
Administrative
Students with Documented Disabilities: Students who may need an academic accommodation based on the impact of a disability must initiate the request with the Office of Accessible Education (OAE). Professional staff will evaluate the request with required documentation, recommend reasonable accommodations, and prepare an Accommodation Letter for faculty. Unless the student has a temporary disability, Accommodation letters are issued for the entire academic year. Students should contact the OAE as soon as possible since timely notice is needed to coordinate accommodations. The OAE is located at 563 Salvatierra Walk (phone: 723-1066, URL: https://oae.stanford.edu/).
Grading
Grades will be based on class participation (20%), two reflection papers (40%), and a one-day take-home exam (40%).
Course schedule:
The two reflection papers are due on Apr. 17 and May 8.
The one-day take-home exam will be assessed during the week of June 4-8.
Reflection papers:
Reflection papers should be no more than 2 pages. The topic for the first paper is below. Students may choose any topic for the second reflection paper.
Reflection paper #1: Pick one of the following data breach incidents: Yahoo, OPM, RSA dongles, Target, or the GitHub DDoS. Describe what happened. Describe one or more trade-offs the decision makers had to evaluate. How good of a job did they do? What do you think could have helped to prevent or mitigate this incident?
Syllabus
Lecture 1 (4/3/18): Why is computer security difficult?
Reading:
- Proofpoint, The Human Factor (2017)
- U.S. Government, U.S. Federal Cybersecurity Operations Team: National Roles and Responsibilities, aka "The Bubble Chart" (2013)
- Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes (2017)
- Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm, N.Y. TIMES, Dec. 30, 2014
Lecture 2 (4/10/18): Economics of computer security
Reading:
- Ross Anderson, Why Information Security is Hard – An Economic Perspective
- Madeline Carr, Public-Private Partnerships in National Cyber-Security Strategies, 92 International Affairs 43 (2016)
- Lawrence A. Gordon et al., Empirical Evidence on the Determinants of Cybersecurity Investments in Private Sector Firms, 9 Journal of Information Security 133 (2018) (skip Sections 5-6)
- State Data Breach Notification Laws: Have They Helped?
- 2017 Cost of Data Breach Study, Ponemon Institute (June 2017) (skip Part 3)
- Craig A. Newman, When to Report a Cyberattack? For Companies, That's Still a Dilemma, N.Y. TIMES, Mar. 5, 2018
- Michael D. Scott, Tort Liability for Vendors of Insecure Software: Has the Time Finally Come?, 67 Maryland Law Review 425 (2008)
Lecture 3 (4/17/18): Cyber conflict
Reading:
- Andru E. Wall, Demystifying the Title 10-Title 50 Debate: Distinguishing Military Operations, Intelligence Activities & Covert Action, 3 Harvard National Security Journal 85 (2011-2012)
- Michael N. Schmitt, Classification of Cyber Conflict, 17 Journal of Conflict & Security Law 245 (2012)
- Sean Gallagher, In terse statement, White House blames Russia for NotPetya worm, Ars Technica, February 15, 2018
Lecture 4 (4/24/18): Technical assistance and encryption back doors
Reading:
- Apple v. FBI: Order Compelling Apple, Inc. to Assist Agents in Search, Feb. 16, 2016
- Matt Olsen, Bruce Schneier, and Jonathan Zittrain, Don't Panic: Making Progress on the 'Going Dark' Debate, Harvard Berkman Center for the Internet and Society, February 1, 2016
- The Company v. United States, 349 F.3d 1132 (9th Cir. 2003)
- DOJ Office of the Inspector General, A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation (March 2018)
- In re Under Seal (Lavabit), 749 F.3d 276 (4th Cir. 2014)
Lecture 5 (5/1/18): Government hacking: the dual role of government as protector and hacker
Reading:
- White House, Vulnerabilities Equities Policy and Process for the United States Government, November 15, 2017
- Federal Rule of Criminal Procedure 41, including the Committee Note on the 2016 amendment to subdivision (b)(6)
- Government Hacking: Evidence and Vulnerability Disclosure in Court, Center for Internet and Society Blog, May 23, 2017
- United States v. Werdene, No. 16-3588, 2018 U.S. App. LEXIS 4089, 2018 WL 988893 (3d Cir. Feb. 21, 2018)
- Kim Zetter, Everything We Know About How the FBI Hacks People
- Video of NSA TAO Chief on Disrupting Nation State Hackers
- A Technical Analysis of WannaCry Ransomware (2017)
- Ellen Nakashima & Philip Rucker, U.S. declares North Korea carried out massive WannaCry cyberattack, Washington Post, December 19, 2017
Lecture 6 (5/8/18): Computer Fraud and Abuse Act
Reading:
- Computer Fraud and Abuse Act
- Wyatt Hoffman & Ariel Levite, Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace?, Carnegie Endowment for International Peace, July 2017
- Active Cyber Defense Certainty Act, introduced by Tom Graves & Kyrsten, October 23, 2017
- Bill Summary: Active Cyber Defense Certainty Act
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc)
- United States v. Nosal, 828 F.3d 865 (9th Cir. 2016) (including dissent by Judge Reinhardt)
- Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016)
Lecture 7 (5/15/18): DMCA and security researchers
Reading:
- 17 U.S.C. § 1201 et seq.
- Petition for Proposed Exemption Under 17 U.S.C. § 1201 by Steven Bellovin, Matt Blaze, Edward Felten, Alex Halderman, and Nadia Heninger
- Petition for New Exemption Under 17 U.S.C. § 1201 by Professor Matthew Green (2017)
- Petition for New Exemption Under 17 U.S.C. § 1201 by Prof. Ed Felten and Prof. J. Alex Halderman (2017)
- Robert N. Charette, Georgia's Intrusive Computer Intrusion Bill, IEEE Spectrum, Mar. 16, 2018
- Opinion in Sandvig v. Sessions, Mar. 30, 2018
- Lessons from the Sony CD DRM Episode, USENIX Security 2006
Lecture 8 (5/22/18): Privacy and surveillance
Reading:
- Cell Phone Location Tracking Laws By State
- Electronic Communications Privacy Act (ECPA), Title I - Wiretap Act
- ECPA Title II - Stored Communications Act
- ECPA Title III - Pen Register Act
- Amy Howe, Argument Preview: The Justices Return to Cellphones and the Fourth Amendment, SCOTUSblog, Nov. 22, 2017
- Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Mar. 23, 2018 (signed into law as part of the omnibus spending bill); read pp. 2201-2232 of the PDF only
- Brad Smith, The CLOUD Act is an important step forward, but now more steps need to follow, Apr. 3, 2018
Lecture 9 (5/29/18): Human elements
Reading: