The Department of Cyber Science at the US Naval Academy is actively engaged in research in the cyber sciences. Our educational goal is to provide a broad perspective on cybersecurity and cyber operations by providing a curriculum with educational objectives in computer science, computer engineering, systems engineering, political science, law and philosophy. The work below represents the effort of our small and growing faculty as we achieve national recognition in a variety of sub-disciplines related to research and educational thought leadership in this dynamic and active field.
Kosseff, Jeff A New Legal Framework for Online Anonymity, IEEE Security & Privacy (Nov./Dec. 2015): In this article, I trace the right to anonymity’s history and rationale and how the US and other western nations developed legal rules to provide a limited right of online anonymity. In the past, courts have analyzed the right to anonymity as an extension of the right to free speech. Here, I argue that a California court’s new alternative approach, which instead focuses on the right to privacy, could provide a useful road map for other courts in the US and other western democracies that recognize the right to anonymity
- Hatfield, Joseph M. 2017. “An Ethical Defense of Treason by Means of Espionage.” Intelligence and National Security, Vol. 32, No. 2, pp. 195-207. This essay argues that treason by means of espionage is ethically justified when six factors are present, two of which are: that the political community being betrayed fails to secure for its citizens basic human rights and other means of peaceful or otherwise lawful protest are unavailable. The paper begins by analyzing the application of several theories of ethics to treason, including: consequentialism, deontology, the Just War tradition, and Michael Walzer’s influential concept of ‘dirty hands.’ It then criticizes these points of view and offers an account of jus ad proditione per intelligentia (just treason by means of espionage) based upon Aristotelian thinking about ethics and politics.
- Lewis, James A. “China’s Information Controls, Global Media Influence, and Cyber Warfare Strategy,” U.S. China Security and Economic Review Commission, May 2017
- Lewis, James A. “’Compelling Opponents to Our Will’ The role of cyber warfare in Ukraine” NATO Cooperative Cyber Defence Centre of Excellence, 2015.
- Lewis, James A. “Confidence Building Measure in Cyberspace,” Organization of American States, February 2016
- Kosseff, Jeff Cybersecurity Law (Wiley, 2017): Textbook/treatise on global cybersecurity laws and regulations for U.S. companies. (ISBN: 978-1-119-23150-9)
- Lewis, James A. “Cybersecurity’s Role in Maritime Operations,” International Seapower Symposium, CSIS, September 2016
- Lewis, James A. “Cyberspace and Armed forces: the rationale for offensive cyber capabilities” ASPI, March 2016
- Kosseff, Jeff Cyber-Physical Systems and National Security Concerns, chapter in Security and Privacy in Cyber-Physical Systems: Foundations and Applications (Wiley) (forthcoming 2017): A set of international legal rules, known as jus ad bellum (Latin for “right to war”), provide a framework for determining whether an attack against a nation-state was unlawful, and whether it is permissible for the target state to respond with self-defense. Over the past decade, legal scholars and government officials have struggled to determine how to apply jus ad bellum to attacks on computer systems. This Chapter extends that analysis to attacks on cyber-physical systems. I conclude that although cyber-physical systems present new national security challenges, the jus ad bellum analysis applies just as easily to cyber-physical attacks as it does to attacks on computer systems and purely physical targets.
- Kosseff, Jeff Defining Cybersecurity Law, Iowa Law Review (forthcoming 2018): As data breaches, denial-of-service attacks, and other cybersecurity incidents lead to extraordinary economic and national security consequences, commentators increasingly look to the legal system for solutions. Unfortunately, U.S. laws do not have a unified and coherent vision for the regulation and promotion of cybersecurity. For that matter, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.” This Article aims to fill that gap by defining cybersecurity law. Although many articles have addressed various aspects of cybersecurity, none have stepped back to define exactly what cybersecurity is and the goals of statutes and regulations that aim to promote cybersecurity. By defining the scope and goals of this new legal field, we can then examine how lawmakers could improve existing laws.
- Lewis, James A. “Economic Warfare
and Cyberspace,” Australian Strategic Policy Institute, November 2014
- Lewis, James A. “Expanding International Norms after the U.S.-China Cyber Theft Agreement,” World Political Review, January 2016
- Lewis, James A. “Five Myths About Chinese Hackers,” Washington Post, March 2013
- Lewis, James A. “From Awareness to Action: A Cybersecurity Agenda for the 45th President,” January 2017
- Lewis, James A. “German Bundestag’s 1st Committee of Enquiry on NSA Activities,” CSIS, September 2016
- Lewis, James A. “How Russia overtook China as our biggest cyber enemy,” Washington Post, December 2016
- Lewis, James A. “How the Internet Became a Focal Point for Espionage,” Fletcher Forum of World Affairs, August 2014
- Hatfield, Joseph M. (forthcoming 2018). “Immanual Kant: from Universal Rationality to Perpetual Peace,” in Philosophers and War, edited by Timothy Demy, Eric Patterson, and Jeffrey Shaw (Stone Tower Books). Immanual Kant is one of the most important philosophers in the Western philosophical tradition. This book chapter explores his writings on war and peace, arguing that Kant's unique views about the justification of war can be directly inferred from the rest of his overall philosophical system. Kant's views are unusually systematic, with his political writings stemming from arguments he makes when he discusses ethics, epistemology, and logic. The chapter will be of interest to scholars and students grappling with issues of war and peace in the cyber age.
- Kosseff, Jeff In Defense of FAA Section 702: An Examination of Its Justification, Operational Employment, and Legal Underpinnings (co-author with Chris Inglis), Hoover Institution National Security, Technology, and Law Working Group paper (2016): This paper makes make the case that the provisions of Section 702 of the FISA Amendments Act are both necessary and appropriate under the US Constitution's mandate that the government pursue all of its aims (e.g., security and privacy). Moreover, the paper provides compelling evidence to rebut widely circulated myths regarding the actual implementation of Section 702, most notably that NSA exceeded either the intent or the letter of its authorities. For this reason, we believe that Congress should reject calls to repeal or amend Section 702. The statute already provides a well-regulated system for intelligence agencies to collect the foreign intelligence from non-U.S. persons who are not located in the United States. The National Security Agency has stated that Section 702 is its single most significant tool for identifying terrorist threats. The program is overseen by all three branches of government and has an unprecedented system of checks and balances. In the past seven years, the program has been remarkably effective, both at protecting the privacy of U.S. persons and obtaining valuable intelligence from foreign sources. Accordingly, Congress should reauthorize this valuable foreign intelligence program.
- Lewis, James A. “In Defense of Stuxnet,” Institute for National Security Studies, February 2013
- Lewis, James A. “Iran and Cyber Attack,” Security Times (Munich Security Conference) February 2013
- Hatfield, Joseph M. 2017. “Lactantius,” “Anabaptist Pacifism,” and “Tyrannicide,” in Wars of Religion: An Encyclopedia of Faith and Conflict, edited by Timothy Demy and Jeffrey Shaw (ABC-CLIO). These articles are entries in an important new encyclopedia of religion and war. The three volumes provide students with an invaluable reference source for examining two of the most important phenomena impacting society today. This all-inclusive reference work will serve readers researching specific religious traditions, historical eras, wars, battles, or influential individuals across all time periods. The A–Z entries document ancient events and movements such as the First Crusade that began at the end of the 10th century as well as modern-day developments like ISIS and Al Qaeda. Subtopics throughout the encyclopedia include religious and military leaders or other key people, ideas, and weapons, and comprehensive examinations of each of the major religious traditions' views on war and violence are presented. The work also includes dozens of primary source documents—each introduced by a headnote—that enable readers to go directly to the source of information and better grasp its historical significance. The in-depth content of this set benefits high school and college students as well as scholars and general readers.
- Kosseff, Jeff New York’s Financial Cybersecurity Regulation: Tough, Fair, and a National Model, Georgetown Law Technology Review 1 Geo. L. Tech. Rev. 432 (2017): This Article explores the new cybersecurity requirements that New York’s financial regulators will impose on its regulated companies, and argue that the revised regulation is a model of a rigorous, fair, and technologically sound cybersecurity regulation. New York’s regulation could serve as a model for a uniform nationwide cybersecurity regulation that would provide certainty and clarity to companies while protecting the confidentiality, integrity, and availability of information and systems. Cybersecurity law in the United States currently is a patchwork of outdated privacy and computer crime laws; New York’s regulation, in contrast, is a model cybersecurity statute for the modern era.
- Lewis, James A. “North Korea’s cyber capability; in The Conventional Military Balance on the Korean Peninsula,” 2016, IISS
- Kosseff, Jeff Private Computer Searches and the Fourth Amendment, I/S: A Journal of Law and Policy for the Information Society (forthcoming 2018): The Fourth Amendment generally restricts a search or seizure conducted by a government entity, such as the state police or Federal Bureau of Investigation. The Supreme Court has held that the Fourth Amendment applies to a search or seizure performed by a private party unless that private party is an “agent or instrument” of the government. The Supreme Court has not formulated a specific test to determine whether a private party is an agent or instrument, leaving it to lower courts to formulate their own analytic frameworks. The prevailing agency test in most circuits focuses on whether the private party intended to help law enforcement. In this Article, I argue that this subjective analytical framework is flawed because it is contrary to the principles that the Supreme Court has articulated in its opinions about Fourth Amendment agency, which focus on the actions of the government, and not the intent of the private party. Moreover, from a practical standpoint, the subjective agency-or-instrument test has been difficult to apply with certainty and consistency. To assess the practical difficulties of the current test, this Article reviews the criminal prosecutions of defendants in child pornography cases in which the evidence was initially discovered by online service providers or computer repair technicians. The Article proposes an alternative, objective agent-or-instrument test that looks to the government’s actions. Under the proposed test, the private party is deemed an agent or instrument only if the government substantially participated in the search or seizure.
- Lewis, James A. “Raising the Bar for Cybersecurity,” CSIS, February 2013
- Hatfield, Joseph M. 2018. “Social Engineering in Cybersecurity: The Evolution of a Concept.” Computers & Security, Vol. 73, pp. 102-113. This paper offers a history of the concept of social engineering in cybersecurity and argues that while the term began its life in the study of politics, and only later gained usage within the domain of cybersecurity, these are applications of the same fundamental ideas: epistemic asymmetry, technocratic dominance, and teleological replacement. The paper further argues that the term’s usages in both areas remain conceptually and semantically interrelated. Moreover, ignorance of this interrelation continues to handicap our ability to identify and rebuff social engineering attacks in cyberspace. The paper’s conceptual history begins in the nineteenth-century in the writings of the economists John Gray and Thorstein Veblen. An analysis of scholarly articles shows the concept’s proliferation throughout the early to mid-twentieth century within the social sciences and beyond. The paper then traces the concept’s migration into cybersecurity through the 1960s–1980s utilizing both scholarly publications and memoir accounts – including interviews with then-active participants in the hacker community. Finally, it reveals a conceptual array of contemporary connotations through an analysis of 134 definitions of the term found in academic articles written about cybersecurity from 1990 to 2017.
- Lewis, James A. “Sovereignty
and Governance,” Observer Research Foundation, 2014
- Lewis, James A. “Sustaining Progress in International Negotiations on Cybersecurity,” Center for International Governance Innovation, July 2017
- Lewis, James A. “The Role of Offensive Cyber Operations in NATO's Collective Defence,” Tallinn Papers, NATO Cooperative Cyber Defence Centre of Excellence, March 2015.
- Kosseff, Jeff The Cybersecurity Privilege, I/S: A Journal of Law and Policy for the Information Society, 12:2 I/S: A Journal of Law & Policy 641 (2016): Cybersecurity work often relies on highly confidential information about a company’s network vulnerabilities, and therefore the disclosure of the work product or communications could be useful to plaintiff’s lawyers or regulators after a data security incident. To protect against this risk, companies attempt to cover their cybersecurity professionals’ communications and work product under an existing evidentiary privilege, such as the attorney-client privilege or work product doctrine. However, such privileges are an uneasy fit for some cybersecurity work, particularly prophylactic measures that are not directly tied to ongoing or potential litigation. In other words, current evidentiary law discourages companies from investing in the services necessary to prevent cyberattacks from occurring. In this Article, I propose the creation of a stand-alone privilege for cybersecurity work.
- Kosseff, Jeff The Gradual Erosion of the Law that Shaped the Internet, Columbia Science and Technology Law Review, 18 Colum. Sci. & Tech. L. Rev. 1 (2017): In this Article, I review all Section 230-related court opinions published between July 1, 2015 and June 30, 2016 to determine the extent of immunity. The review found that in approximately half of the cases, courts refused to fully grant Section 230 immunity. Most commonly, the courts conclude that the online service provider actually created and published the content. To be sure, 20 years after Congress enacted Section 230, Section 230 remains a strong shield for online service providers in many cases. However, as the amount of user-generated content has exponentially increased in recent years, courts have struggled with what was once viewed as bullet-proof immunity for online intermediaries, and are slowly enlarging the loopholes that allow plaintiffs’ lawsuits against intermediaries to survive.
- Kosseff, Jeff The Hazards of Cyber-Vigilantism, Computer Law & Security Review, 32:4 Comp. L. & Sec. Rev. 642 (2016): In recent years, some aggressive actions against cyber-criminals and terrorists have come not only from state actors, but also from independent third parties such as Anonymous. These groups have claimed some significant victories in their battles against ISIS and similar organizations, by hacking their email, publicly exposing their secret communications, and knocking their websites offline. The hacker groups also combat other cyber criminals, including distributors of child pornography. Some of the groups' activities, however, violate the computer hacking laws of many nations. Some commentators have criticized these statutes, claiming that the laws unnecessarily prohibit private actors from serving the public good. I defend the broad prohibition of cyber-vigilantism, and argue that well-intentioned private actors can accomplish their goals by working with governments.
- Kosseff, Jeff Twenty Years of Intermediary Immunity: The U.S. Experience, SCRIPTed: A Journal of Law, Technology & Society, 14:1 SCRIPTed 5 (2017): Policymakers worldwide have long debated how to maintain free expression on the Internet while minimizing defamation and other harmful online speech. Key to these debates has been intermediary liability: whether online platforms should be held legally responsible for user-generated content. To inform this continued debate, this Article examines the U.S. experience with relatively broad intermediary liability immunity. Enacted two decades ago, Section 230 of the Communications Decency Act provides robust immunity to websites, ISPs, social media providers, and other online platforms for legal claims arising from user content. This Article examines the scope of the immunity that Section 230 provides to U.S. platforms and examines the primary criticisms of this approach. This Article analyses court opinions involving Section 230, and examines the content moderation policies and practices of the leading U.S. online platforms. The Article concludes that Section 230 has fostered the growth of social media, user reviews, and other online services that rely primarily on user generated content. Critics of Section 230 raise valid concerns that the broad immunity often prevents lawsuits against online platforms; however, my research concludes that many of the largest U.S. intermediaries voluntarily block objectionable and harmful content due to consumer and market demands.
- Lewis, James A. “U.S.-Japan Cooperation in Cybersecurity,” CSIS, (October 2015).
- Kosseff, Jeff Prevent Data Breaches, Don't Just Report Them, TechCrunch (May 9, 2017)
- Kosseff, Jeff A VHS-Era Privacy Law in the Digital Age, TechCrunch (May 24, 2016)
- Kosseff, Jeff In the Apple Encryption Debate, Can We Just Have the Facts, Please? TechCrunch (Oct. 26, 2016)
- Kosseff, Jeff Should Tech Companies be Subject to the Fourth Amendment? TechCrunch (Dec. 13, 2015)
- Kosseff, Jeff Time for a Serious Talk About Encryption, The Hill(Nov. 23, 2015)
- Kosseff, Jeff The Biggest Cybersecurity Risk is Not Identity Theft, TechCrunch (Nov. 13, 2015)
- Kosseff, Jeff Congress Looks at Car Hacking, The Hill (Oct. 26, 2015)
- Kosseff, Jeff Notified About a Data Breach? Too Late, Wall Street Journal (Oct. 9, 2015)
- Kosseff, Jeff Can Decency Be Legislated? TechCrunch (Oct. 9, 2015)
- Kosseff, Jeff Cybersecurity is Expensive – That’s Why We Should Offer Tax Incentives, Forbes (Sept. 23, 2015)
- Kosseff, Jeff To Fix Cybersecurity Law, Ask More Questions, TechCrunch (Sept. 15, 2015).