CyberSecurity Conference, 2010, St. Mary’s School of Law

The following are some of my notes and reflections (in several posts) from the CyberSecurity Conference sponsored by the Center for Terrorism Law at St. Mary’s School of Law in San Antonio, TX. 

The Center for Terrorism Law is run by Prof. Jeffrey F. Addicott – Director of the Center.  He has held a number of positions: Army JAG, legal advisor to Army Special Forces, etc.  He has done work with the military advising on human rights issues.  He was one oif the first speakers in the program, and I was fortunate enough to talk with him later on some points raised in his lecture.

He started off on the idea of CyberSecurity and Cyber Terrorism.  The law requires definitions – whether in the beginning of a statute or in a case.  Often these definitions will greatly effect the viability of a law in any given context.  Prof. Addicott talked about the fact that in order to define CyberTerrorism, we would have to define Terrorism first.  Prof. Addicott discussed Kofi Annan’s attempt, in 2005, to get the UN General Assembly to define “terrorism.”  The 56 member Organisation of the Islamic Conference blocked the definition based on the fact they wanted an exception for “national liberation” wars.  You can see all the documentation about the struggles defining terrorism at the UN here.

Typically, a state utilizes the Law of War (LOW) against another state – not an individual or group – the war on terror or Al Queda is the first US use in that way.  Later in the hall Prof. Addicott and I discussed the possibilities of defining terrorism without the UN.  I asked what if each nation-state has its own individual definition of “terrorism” and then it becomes part of the international customary law?  While there are benefits to this method – to try and define customary law under the ICJ statute is still a high bar to cross.  Even higher if you consider that the next target would be the definition of CyberTerrorism.

Addicott talked about cyberterrorism similar to the Chinese proverb, “kill one and frighten 10,000.”  Hacking into one critical US infrastructure system (air traffic control, power grid, etc.) can be the one “kill” that frightens 10,000 or millions (in the case of the internet) more.

The real cyber security problem comes from the fact that private industry controls 85% or so of the security that protects the critical infrastructure (including all areas defined by the Internet Integrity and Critical Infrastructure Act of 2001).  The private companies are not necessarily interested in the “security” aspect beyond the abilities to make their company more profitable.  Prof. Adicott made the interesting point that “profit” does not equal “security.”  This is true.  As we will discuss in Cyberlaw class, one of the hardest things you can do as a IA security officer is ask for more money each year for security – especially if nothing happened the prior year.  A board may ask “Why should we give you more money for security – there were no recorded breaches the last few years?”  This is the struggle IA professionals will continue to face.

We also discussed the difference between the use cyberspace by terrorists.  In the classic sense there is hacking, probing, and information penetration.  Then there is the use of cyberspace in other ways – creating social network groups (with unknown terrorist sponsors), online charitable contributions, etc.  The two types have different outcomes and may be prosecuted in different ways (“Jihad Jane” case – social network use – Facebook, YouTube – leading to a charge of aiding a terrorist organization)

There was also talk of mandatory regulation of private industry for cyber-security.  Several speakers later disagreed with this notion (folks from the private sector).  This is a very old argument for the internet as a whole, but one that will have to be addressed soon.  The current administration may be more open to some form of regulation, and the recently named Cyber Czar could make this part of the goals for protection of our national infrastructure.

Cyberspace is being discussed along with a theory called “Commons.”  Commons states that since something is so integral to our society the government must act to protect it.  Would this override the objections from private industry?  This is an old theory (derived, I believe, from early Roman law) but applying it to the Internet is a newer theory, but. Again, there would be massive resistance from the private sector to submit to regulation.

Overall, Prof. Addicott’s talk was enlightening, and offered some different opinions than the typical academic.  Overall it was great to hear him lecture and discuss discrete issues of cyber-international law.

More to come….


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s