Regulating Cyber-Security

67 Pages Posted: 5 Apr 2012 Last revised: 24 Mar 2014

Nathan Alexander Sales

Syracuse University College of Law

Date Written: April 5, 2012

Abstract

The conventional wisdom is that this country’s privately owned critical infrastructure — banks, telecommunications networks, the power grid, and so on — is vulnerable to catastrophic cyber-attacks. The existing academic literature does not adequately grapple with this problem, however, because it conceives of cyber-security in unduly narrow terms: most scholars understand cyber-attacks as a problem of either the criminal law or the law of armed conflict. Cyber-security scholarship need not run in such established channels. This Article argues that, rather than thinking of private companies merely as potential victims of cyber-crimes or as possible targets in cyber-conflicts, we should think of them in administrative law terms. Many firms that operate critical infrastructure tend to underinvest in cyber-defense because of problems associated with negative externalities, positive externalities, free riding, and public goods — the same sorts of challenges the modern administrative state faces in fields like environmental law, antitrust law, products liability law, and public health law. These disciplines do not just yield a richer analytical framework for thinking about cyber-security; they also expand the range of possible responses. Understanding the problem in regulatory terms allows us to adapt various regulatory solutions — such as monitoring and surveillance to detect malicious code, hardening vulnerable targets, and building resilient and recoverable systems — for the cyber-security context. In short, an entirely new conceptual approach to cyber-security is needed.

Keywords: al Qaeda, biosurveillance, Bliley, Bruce Smith, China, Christopher Coyne, Estonia, Gramm, hackers, hackbacks, high frequency, intrusion, LOAC, Leach, low severity, military, Richard Clarke, Peter Leeson, RSA, Russia, SCADA, Soviet Union, Tallinn, United Nations Charter, virus, vulnerabilities, worm

JEL Classification: G28, H56, K14, K21, K23, K32, K42, L96, N40

Suggested Citation

Sales, Nathan Alexander, Regulating Cyber-Security (April 5, 2012). Northwestern University Law Review, Vol. 107, No. 4, pp. 1503-1568, 2013; George Mason Law & Economics Research Paper No. 12-35. Available at SSRN: https://ssrn.com/abstract=2035069

Nathan Sales (Contact Author)

Syracuse University College of Law

Syracuse, NY 13244-1030
United States

Paper statistics

Downloads: 620
Rank: 35,175
Abstract Views: 2,512