Will There Be Cybersecurity Legislation?
John Grant∗
Independent efforts will not be sufficient to address this challenge
without a central coordination mechanism, an updated national
strategy, an action plan developed and coordinated across the
Executive Branch, and the support of Congress.¹
INTRODUCTION
In the course of just a few decades, information technology has become
an essential component of American life, playing a critical role in nearly
every sector of the economy. Consequently, government policy affecting
information technology currently emanates from multiple agencies under
multiple authorities – often with little or no coordination. The White
House’s Cyberspace Policy Review (the Review) wisely recognized that the
first priority in improving cybersecurity is to establish a single point of
leadership within the federal government and called for the support of
Congress in pursuit of this agenda.
Congressional involvement in some form is inevitable, but there is
considerable uncertainty as to what Congress needs to do and whether it is
capable of taking action once it decides to do so. With an agenda already
strained to near the breaking point by legislation to address health care
reform, climate change, energy, and financial regulatory reform – as well as
the annual appropriations bills – the capacity of Congress to act will
depend, in some part, on the necessity of action. For the last eight years,
homeland security has dominated the congressional agenda. With the
memory of the terrorist attacks of September 11 becoming ever more
distant, there may be little appetite for taking on yet another major piece of
complex and costly homeland security legislation.
Part I of this article considers the question of necessity. The Homeland
Security Act,² the Federal Information Security Management Act,³ the
Communications Act,⁴ and any number of other statutes provide substantial
authorities over federal and nonfederal information infrastructure.⁵ Do
these statutes provide the federal government with all of the tools that it
needs to effectively manage cybersecurity? Are they compatible, or do they
create a series of conflicting authorities that will paralyze the agencies that
seek to execute them?
* Minority Counsel for the Senate Committee on Homeland Security and
Governmental Affairs. The views expressed in this article are those of the author and do not
necessarily reflect those of the Members and Staff of the Committee.
1. CYBERSPACE POLICY REVIEW: ASSURING A TRUSTED AND RESILIENT INFORMATION
AND COMMUNICATIONS INFRASTRUCTURE 7 (2009), available at
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf (emphasis added).
2. Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (2002).
3. Federal Information Security Management Act, 44 U.S.C. §§3541-3549 (2006).
4. Communications Act of 1934, 47 U.S.C. §§151-161 (2006).
5. “The term ‘information infrastructure’ means the underlying framework that
information systems and assets rely on in processing, transmitting, receiving, or storing
information electronically.” Information and Communications Enhancement Act (ICE), S.
921, 111th Cong. §3551(b)(4) (2009).
Part II considers whether, if Congress needs to act, it can effectively do
so. Information technology has become an engine of the economy, and the
businesses that provide it wield enormous influence. Any substantial
reorganization will draw opposition. Without the impetus of an attack on
U.S. cyberspace comparable to the September 11 attacks, we may
legitimately ask whether any reform legislation can overcome the
opposition of powerful stakeholders. Beyond the political realities, there is
also the question of whether, given its inherent institutional limitations,
Congress can effectively legislate in this area. Does the slow pace of
congressional action coupled with a general lack of technical expertise
inhibit Congress’s ability to craft and enact legislation responsive to the
cybersecurity vulnerabilities of today and the future?
This article concludes by identifying the likely endpoints in a spectrum
of options for organizing the federal government’s cybersecurity regime.
I. THE QUESTION OF NECESSITY
There are a number of potential sources of executive branch authority
over the security of both federally controlled and privately owned
information infrastructure. While volumes could be written appraising the
strengths and weaknesses of each source, this article has a different focus.
It briefly discusses the major authorities and then proposes that
congressional action focus less on granting new authority and more on
defining how the existing authorities interact.
A. The Federal Information Security Management Act
The Federal Information Security Management Act (FISMA) was
enacted to “provide for development and maintenance of minimum controls
required to protect federal information and information systems” and
“provide a mechanism for improved oversight of federal agency
information security programs.”⁶ FISMA attempts to accomplish this in
two ways – by delineating a set of agency responsibilities and giving the
Office of Management and Budget (OMB) oversight authority.⁷
6. 44 U.S.C. §§3541(3)-3541(4) (2006).
7. Id. §§3543–3544.
Specifically, agencies are required to implement agency-wide programs:
. . . providing information security protections commensurate
with the risk and magnitude of the harm resulting from
unauthorized access, use, disclosure, disruption, modification, or
destruction of
(i) information collected or maintained by or on behalf of the
agency; and
(ii) information systems used or operated by an agency or by a
contractor of an agency or other organization on behalf of an
agency.⁸
In short, agencies are given broad authority to make their own security
arrangements under the purportedly watchful eye of OMB.
As implemented, FISMA has received reviews that are far from
glowing. The Government Accountability Office (GAO) continues to
designate federal information security as a government-wide, high-risk area
in biennial GAO reports to Congress.⁹ FISMA has been criticized as a
“paperwork exercise” that does little to actually improve security.¹⁰ The
Center for Strategic and International Studies (CSIS), in its Securing
Cyberspace for the 44th Presidency, outlined a concise litany of failures:
FISMA lacks effective guidance and standards for determining
appropriate levels of risk; it lacks requirements for testing or
measuring an agency’s vulnerabilities or its plans for mitigating
such vulnerabilities; it fails to define agency responsibilities for
effective controls over contractors or vendors; and it does not
recognize the emergence of new technologies and network
architectures.¹¹
Nonetheless, it is important to note that these criticisms do not
necessarily suggest that federal agencies lack the statutory authority to
protect their information infrastructure. Rather, it is FISMA’s usefulness as
a measure of security and an oversight tool that is questionable. While in
the end it may be considered desirable for Congress to act to address these
perceived weaknesses in FISMA, it does not follow that it is necessary for
Congress to act in order for agencies to have the means to secure their
information infrastructure.
8. Id. §3544(a)(1)(A).
9. See GOVERNMENT ACCOUNTABILITY OFFICE, HIGH-RISK SERIES: AN UPDATE 47
(2009) (GAO-09-271), available at http://www.gao.gov/new.items/d09271.pdf.
10. Dan Verton, Survey Finds Digital Divide Among Federal CISOs, COMPUTERWORLD,
Nov. 23, 2004, available at
http://www.computerworld.com/s/article/print/97763/Survey_finds_digital_divide_among_federal_CISOs.
11. CENTER FOR STRATEGIC AND INT’L STUDIES, SECURING CYBERSPACE FOR THE 44TH
PRESIDENCY 1, 69 (2008), available at
http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf [hereinafter CSIS Report].
B. The Homeland Security Act
Under the Homeland Security Act of 2002,¹² various successor statutes¹³
and executive orders such as Executive Order 13,286,¹⁴ the Department of
Homeland Security (DHS) has responsibilities for protecting information
infrastructure. Thirteen key cybersecurity responsibilities have been vested
in the DHS, including:
(1) developing a comprehensive national plan for [Critical
Infrastructure Protection], including cybersecurity; (2) developing
partnerships and coordinating with other federal agencies, state and
local governments, and the private sector; (3) developing and
enhancing national cyber analysis and warning capabilities; (4)
providing and coordinating incident response and recovery
planning, including conducting incident response exercises; and (5)
identifying, assessing, and supporting efforts to reduce cyber
threats and vulnerabilities, including those associated with
infrastructure control systems.¹⁵
Many of these responsibilities derive from authorities that are not
specifically related to information technology, but rather extrapolated from
general authorities relating to critical infrastructure protection.
The DHS has come under considerable criticism for its discharge of
these responsibilities. GAO has reported that the “DHS has yet to
comprehensively satisfy its key responsibilities for protecting
computer-reliant critical infrastructures.”¹⁶ This could be due in part to ongoing
uncertainty as to just what the Department’s role should be in terms of
privately owned critical infrastructure. As noted in the Review:
The question remains unresolved as to what extent protection of
these same infrastructures from the same harms by the same actors
[referring to physical attacks on critical infrastructure by criminals
or terrorists] should be a government responsibility if the attacks
were carried out remotely via computer networks rather than by
direct physical action.¹⁷
12. See, e.g., Homeland Security Act, 6 U.S.C. §143 (2006).
13. See, e.g., Implementing Recommendations of the 9/11 Commission Act of 2007, 6
U.S.C. §121 (2006 & Supp. I 2007).
14. Exec. Order No. 13,286, Amendment of Executive Orders, and Other Actions, in
Connection with the Transfer of Certain Functions to the Secretary of Homeland Security,
68 Fed. Reg. 10,619 (Feb. 23, 2003).
15. GOVERNMENT ACCOUNTABILITY OFFICE, CYBERSECURITY: CONTINUED FEDERAL
EFFORTS ARE NEEDED TO PROTECT CRITICAL SYSTEMS AND INFORMATION 3 (GAO-09-835T
2009), available at http://www.gao.gov/new.items/d09835t.pdf.
16. See id. at 6.
The CSIS report concluded that the supposed public-private partnership
touted by the DHS to address these questions “is marked by serious
shortcomings,” including “lack of agreement on roles and responsibilities,
an obsession with information sharing for its own sake, and the creation of
new public-private groups each time a problem arises without any effort to
eliminate redundancy.”¹⁸
C. Miscellaneous Regulatory Authorities
Authority to provide for the security of information infrastructure is not
always found in statutory provisions labeled “cybersecurity.” Information
technology is a supporting component of nearly every major piece of
critical infrastructure, much of which is itself regulated by specific federal
agencies. Thus, cybersecurity often falls under the purview of other
regulatory bodies through provisions of their individual authorizing
statutes.
For example, the Electric Reliability provision of the Federal Power
Act gives the Federal Energy Regulatory Commission (FERC) the authority
to enforce compliance with reliability standards.¹⁹ A “reliability standard”
is defined as “a requirement. . . . to provide for reliable operation of the
bulk-power system” and includes “requirements for the operation of
existing bulk-power system facilities, including cybersecurity
protection. . . .”²⁰ As with other authorities, some question this provision’s
effectiveness. The Electric Reliability provision of the Federal Power Act
has been criticized as ineffective because of the long lead time before
standards can be established, lack of authority to compel power companies
to protect security-sensitive information, and the excessive degree of
discretion given to utilities in deciding how to implement the standards.²¹
When a potential cyber vulnerability in the electrical grid was identified in
2008, Congress even considered passing legislation to provide the FERC
with additional authority to respond to imminent cybersecurity threats.²²
17. CYBERSPACE POLICY REVIEW, supra note 1, at 28.
18. CSIS Report, supra note 11, at 43.
19. 16 U.S.C. §824o(b) (2006).
20. Id. §824o(a)-(3).
21. See Cyber Security: Hearing Before the S. Comm. on Energy & Nat. Resources,
111th Cong. 1 (2009) (testimony of Joseph McClelland, Off. of Electric Reliability).
22. See Stephanie Condon, Cybersecurity Worries Spur Congress To Rethink
Electrical Grid, CNET NEWS, Sept. 12, 2008,
http://news.cnet.com/8301-13578_3-10040101-38.html.
D. Inherent Authority
In addition to the statutory authorities held by agencies, there is an
argument that the President has certain inherent powers flowing from
constitutionally granted war powers. If the concept of “war powers” is
extended to encompass the broader notion of national security, then the
President could have significant cybersecurity authorities that require no
congressional authorization.²³ However, broad invocation of such powers
remains controversial, and recent attempts based on a broad interpretation
of these powers, such as to justify warrantless wiretapping, may make their
use in the cybersecurity context politically unpalatable.
E. Organization
Given these authorities, there is a strong case to be made that the
executive branch already possesses significant authority to address security
vulnerabilities in both the federal and nonfederal information infrastructure.
However, while the executive branch may possess adequate authority, the
questions – in some cases, ambiguity – surrounding the execution of that
authority suggest that the executive branch is not currently organized in a
manner that allows it to wield that authority effectively.
The Review particularly focused on how conflicting authorities may
result in a lack of clear leadership, a significant concern:
Answering the question of “who is in charge” must address the
distribution of statutory authorities and missions across
departments and agencies. This is particularly the case as
telecommunications and Internet-type networks converge and other
infrastructure sectors adopt the Internet as a primary means of
interconnectivity. Unifying mission responsibilities that evolved
over more than a century will require the Federal government to
clarify policies for cybersecurity and the cybersecurity-related roles
and responsibilities of various departments and agencies.²⁴
The CSIS report reached a similar conclusion, comparing the legion of
cyber experts scattered throughout the federal government to a “large fleet
of well-meaning bumper cars.”²⁵
This problem is not necessarily unique to cybersecurity. A recent
report from the Project on National Security Reform suggested that the
national security apparatus in general is structurally incapable of handling
threats that require the simultaneous integration of the assets of American
power.²⁶ Cybersecurity is a prime example of an issue that presents new
challenges that cut across multiple agency jurisdictions and consequently
requires government-wide coordination. Yet, as the Project on National
Security Reform concluded, “departments and agencies, when faced with
challenges that fall outside traditional departmental competencies, almost
invariably produce ad hoc arrangements that prove suboptimal by almost
every measure.”²⁷ While a discussion of reforming the entire national
security system is beyond the scope of this article, the issues confronting
the government in organizing its response to cyber threats are quite
comparable.
23. See John Rollins & Anna C. Henning, Comprehensive National Cybersecurity
Initiative: Legal Authorities and Policy Considerations (Cong. Res. Serv. R40427), Mar. 10,
2009, at 10.
24. CYBERSPACE POLICY REVIEW, supra note 1, at 4.
25. CSIS Report, supra note 11, at 34.
Both the CSIS report and the Review concluded that the leadership
question can be resolved by establishing White House dominance. The
Review concluded that “anchoring and elevating leadership for
cybersecurity-related policies at the White House signals to the United
States and the international community that we are serious about
cybersecurity.”²⁸ The CSIS report concluded that “only the White House
has the necessary authority and oversight for cybersecurity.”²⁹ Although the
Obama administration has yet to fully implement the recommendations of
either the CSIS report or the Review, its penchant for centralized White
House authority – in the form of the increasingly ubiquitous “czar” – is well
established.³⁰
Thus, the necessity of congressional action may arise not from the need
to adopt these centralization recommendations, but rather from a desire to
prevent their implementation. The reliance on issue czars in the
Administration has drawn fire from several camps, including prominent
voices in Congress. Senator Robert C. Byrd, the Senate’s senior member,
has suggested that such positions “can threaten the Constitutional system of
checks and balances.”³¹ Other members have noted that czars operating out
of the Executive Office of the President are subject to less oversight than
Senate-confirmed Cabinet secretaries and are consequently less accountable
to the American public for their actions.³² Furthermore, as noted by the
Project on National Security Reform, “White House centralization of
interagency missions also risks creating an untenable span of control over
policy implementation,” impeding “timely, disciplined, and integrated
decision formulation and option assessment over time.”³³ If Congress takes
these criticisms to heart, then it should feel compelled to initiate
cybersecurity reform, lest the White House act to fill a perceived leadership
vacuum.
26. See PROJECT ON NAT’L SECURITY REFORM, FORGING A NEW SHIELD, at ii (2008),
available at http://www.pnsr.org/data/files/pnsr_forging_a_new_shield_report.pdf. See also
Gordon Lederman, National Security Reform for the Twenty-first Century: A New National
Security Act and Reflections on Legislation’s Role in Organizational Change, 3 J. NAT’L
SECURITY L. & POL’Y 363 (2009).
27. PROJECT ON NAT’L SECURITY REFORM, supra note 26, at viii.
28. CYBERSPACE POLICY REVIEW, supra note 1, at 7.
29. CSIS Report, supra note 11, at 36.
30. See Laura Meckler, “Czars” Ascend at White House, WALL ST. J., Dec. 15, 2008,
at A6. On December 22, 2009, the White House appointed a Cybersecurity Coordinator,
Howard Schmidt. See Ellen Nakashima & Debbi Wilgoren, Obama To Name Former Bush,
Microsoft Official as Cyber-Czar, WASH. POST, Dec. 22, 2009, at A04.
31. Press Release, Off. of Sen. Robert C. Byrd, Byrd Questions Obama Administration
on Role of White House “Czar” Positions (Feb. 25, 2009), available at
http://byrd.senate.gov/mediacenter/view_article.cfm?ID=331.
F. Summary
Although the way in which cybersecurity authority has been
implemented leaves much to be desired, it appears that the Constitution and
Congress have imbued the executive branch with sufficient authority to
provide for the security of both public and private information
infrastructures. Furthermore, the President’s prerogative to organize and
direct the activities of the executive branch would allow him an attempt to
overcome the obstacles that have prevented effective interagency
coordination. However, Congress may still find it necessary to act in order
to ensure that the management of the cybersecurity mission is sufficiently
transparent and accountable to Congress and the American public.
II. CONGRESSIONAL CAPACITY
Deciding to act is only one part of the challenge, however. The next
question to consider is whether Congress has the capacity to enact
legislation in this area. Information technology is a powerful component of
the U.S. economy. Sizeable corporate interests wield considerable
influence on elected officials. At the same time, inherent institutional
weaknesses in the legislative branch may hamper its ability to legislate
effectively in response to cyber threats and vulnerabilities. This part
discusses the factors influencing Congress’s ability to pass legislation on
information technology and what that legislation would need to look like.
A. Burden
Climate change legislation, regulation of financial institutions, and
myriad other issues compete with cybersecurity for congressional
attention.³⁴ If historical precedent is followed, the second session of the
111th Congress will be abbreviated in order to allow members to return to
their districts to campaign for the midterm elections. There may be little
time on the crowded agenda to take up contentious and complex legislation
relating to cybersecurity. Consequently, if cybersecurity legislation is
going to pass, congressional leadership will be looking for a relatively
noncontroversial bill that will attract few amendments and consume little
precious floor time.
32. See, e.g., Letter from Sen. Susan Collins to President Barack Obama (Sept. 15,
2009), available at http://www.ireport.com/docs/DOC-329196.
33. See PROJECT ON NAT’L SEC. REFORM, supra note 26, at viii.
34. See, e.g., Anna Mulrine, Democrats in Congress Push Ambitious Agenda, U.S.
NEWS, July 8, 2009, available at
http://www.usnews.com/articles/news/politics/2009/07/08/democrats-in-congress-push-ambitious-agenda.html.
B. Motivation
Congressional action is often most expeditious when motivated by
outside forces – one need only look at the spate of legislation passed in the
wake of the terrorist attacks of September 11, 2001. There is a question as
to whether any event has occurred or set of new circumstances exists that
will spur public pressure for congressional action.
Certainly, cyber threats have made newspaper headlines in the course
of the last several years. For example:
• Newspapers reported that both the McCain and Obama
campaign computer systems were penetrated, as well as those
of a number of government agencies.³⁵
• Several vulnerabilities to the electrical grid were reported.³⁶
• The United States was the victim of a prolonged “denial of
service” attack directed at both government and privately
owned systems.³⁷
• Identity theft as a consequence of cyber crime is on the rise and
companies lose millions of dollars per year as a consequence.³⁸
Nonetheless, none of these incidents has had a significant or prolonged
effect on the general public’s use of the information infrastructure. There
has been no spectacular disruption of service or long-term damage to
critical infrastructure. Consequently, there has been no sizeable public
clamor for action on cybersecurity – particularly when other issues, such as
health care reform³⁹ or the confirmation of a new Supreme Court justice,⁴⁰
dominate the news cycle.
35. See Dan Goodin, Obama, McCain Campaigns Hit with ‘Sophisticated’ Cyberattack,
REGISTER, Nov. 5, 2008, available at
http://www.theregister.co.uk/2008/11/05/obama_mccain_cyberattack/.
36. See Condon, supra note 22.
37. See Julian E. Barnes & Josh Meyer, Cyber Attack Is Met with Speculation and
Shrugs; Some Think North Korea Launched the Virus Whose Targets Included the White
House and NYSE. Others Scoff., L.A. TIMES, July 9, 2009, at A10.
38. See Cybercrime Rising, Report Warns, BBC NEWS, Mar. 31, 2009, available at
http://news.bbc.co.uk/2/hi/americas/7973886.stm.
C. Complexity
Cybersecurity involves complex technical issues that are constantly
evolving thanks to the rapid pace of technical innovation. Members of
Congress are regularly briefed on both the threats and the measures used to
combat them. Such briefings can be highly technical. Even when they are
not, they can still be beyond the understanding of members with less
familiarity with the Internet and information technology. As a
consequence, the development of comprehensive cybersecurity legislation
will often be driven by staff, lobbyists, and industry stakeholders with the
expertise to understand the technical issues under discussion. While this
allows bills to be drafted and introduced, there is a point in the life of any
piece of legislation in which direct action from Senators or Members of
Congress is necessary to secure space on a busy committee mark-up agenda
or the packed floor schedule in each chamber. However, once such
personal action is taken, members become obligated to make floor speeches,
attend press conferences, and field questions related to cybersecurity –
something they may be hesitant to do if they are uncomfortable with the
subject matter.
D. Opposition
As with any piece of legislation, a key factor in determining the
likelihood of passage is the level of opposition. In general terms, the most
significant lightning rod in any cybersecurity legislation is likely to be the
imposition of mandatory standards on privately owned information
technology infrastructure.⁴¹ It has frequently been claimed that the Internet
is free from regulation and that any attempt to impose a mandatory regime
could stifle the innovation that has turned information technology into an
economic engine.⁴² Any bill that is perceived – rightly or wrongly – as
imposing regulation on the Internet will draw substantial opposition.
39. See, e.g., David M. Herszenhorn & Robert Pear, Final Votes in Congress Cap
Battle over Health, N.Y. TIMES, Mar. 26, 2010, at A17.
40. See, e.g., Sheryl Gay Stolberg, A Knock-Down, Drag-Out – Yawn, N.Y. TIMES,
June 3, 2010, at A19 (Senate confirmation hearing for Elena Kagan scheduled to begin on
June 28, 2010); Charlie Savage, Senate Approves Sotomayor for the Supreme Court, N.Y.
TIMES, Aug. 7, 2009, at A1.
41. See Joby Warrick & Walter Pincus, Senate Legislation Would Federalize
Cybersecurity; Rules for Private Networks also Proposed, WASH. POST, Apr. 1, 2009, at A4.
42. For an excellent discussion of how cybersecurity measures currently under
discussion affect innovation, see Gregory T. Nojeim, Cybersecurity and Freedom on the
Internet, 4 J. NAT’L SECURITY L. & POL’Y 119 (2010).
An example of potential opposition can be seen in the reaction to
Senators Jay Rockefeller and Olympia Snowe’s introduction of the
Cybersecurity Act of 2009. The bill includes provisions establishing
cybersecurity standards for both government and private sector information
infrastructure, requiring the licensing and certification of cybersecurity
professionals, and designating the Department of Commerce as the
clearinghouse for cybersecurity threat and vulnerability information.⁴³
Reaction to the bill was initially muted but gives an indication of potential
future opposition. TechAmerica, a leading industry trade association,
warned that “some provisions of the Rockefeller-Snowe bill may impose
prescriptive regulations on the private-sector that could inhibit the very
technology innovation needed for greater prosperity and security.”⁴⁴ Phil
Bond, President of TechAmerica, added that “the last thing we need is
cybersecurity innovation that moves at the speed of government.”⁴⁵ Larry
Clinton, President of the Internet Security Alliance, criticized the bill’s
vagueness and stated that without clarification his organization – which has
close ties to Verizon, Nortel, and other key industry stakeholders – could
not support the bill.⁴⁶
In addition to industry opposition, the Rockefeller-Snowe bill drew
concern from the privacy and civil liberties community as well. The Center
for Democracy and Technology expressed concern that the bill would give
“the federal government extraordinary power over private sector Internet
services, applications and software.”⁴⁷ The Electronic Frontier Foundation
argued that provisions of the bill “could eviscerate statutory protections for
private information.”⁴⁸
E. Jurisdiction
Information technology has become part of nearly every major industry
and service in the United States. Consequently, most – if not all – of the
congressional committees could seek jurisdiction over cybersecurity.
43. Cybersecurity Act of 2009, S. 773, 111th Cong. (2009).
44. Press Release, TechAmerica, TechAmerica Welcomes Congressional Focus on
Cybersecurity, Expresses Reservations About Rockefeller Bill (Apr. 3, 2009), available at
http://www.techamerica.org/techamerica-welcomes-congressional-focus-on-cybersecurityexpresses-reservations-about-rockefeller-bill.
45. Id.
46. See Declan McCullagh, Bill Would Give President Emergency Control of Internet,
SODAHEAD.COM, Aug. 28, 2009, http://www.sodahead.com/united-states/bill-would-givepresident-emergency-control-of-internet/blog-147327/.
47. Kenneth Corbin, Groups Warn New Cybersecurity Bill Oversteps, INTERNET
NEWS, Apr. 7, 2009, http://www.internetnews.com/government/print.php/3814171.
48. Jennifer Granick, Federal Authority over the Internet? The Cybersecurity Act of
2009, Electronic Frontier Found., Apr. 10, 2009,
http://www.eff.org/deeplinks/2009/04/cybersecurity-act.
Already in the Senate, the Chairman and Ranking Member of the
Commerce Committee have introduced two bills,⁴⁹ several prominent
members of the Judiciary Committee have introduced data breach bills⁵⁰
with significant cybersecurity implications, and the Chairman and Ranking
Member of the Homeland Security and Governmental Affairs Committee
have announced their intention to develop comprehensive cybersecurity
legislation.⁵¹ Given the prominence of the issue and the economic power of
the information technology industry, it is unlikely that the aforementioned
committees – among the most powerful in the Senate – will cede
jurisdiction without considerable reluctance. Similar jurisdictional tensions
can be found in the House of Representatives as well.⁵²
III. A RANGE OF OPTIONS
As this article has argued, the federal government may already possess
sufficient authority to manage cybersecurity, and if congressional action is
needed, it is in the area of reorganizing those authorities to ensure that the
federal government strategy is effectively coordinated. Congress has a
range of approaches to address this reorganization. At one end of the
spectrum is a more draconian regime that would involve vesting a single
entity with the necessary authority over both the federal government and
the private sector to direct measures to ensure the security of information
infrastructure. At the other end of the spectrum is a regime that would
leave each agency or component with its existing authority but establish
decisionmaking mechanisms by which it could be ensured that these
individual authorities were coordinated and working consistently.
A. Direct Authority
The most dramatic and arguably the cleanest approach to establishing a
new cybersecurity regime would be the creation of a single new entity to
oversee the security of the information infrastructure. This new
cybersecurity “agency” would be responsible for coordinating the federal
government’s entire approach to information infrastructure security. Such
authority would go beyond mere strategy development, and include the
authority to direct action both at the agency level and to some extent within
49. Cybersecurity Act of 2009, supra note 43.
50. Data Breach Notification Act, S. 139, 111th Cong. (2009); Personal Data Privacy
and Security Act, S. 1490, 111th Cong. (2009).
51. See, e.g., Gautham Nagesh, Lawmakers Join Forces on Cybersecurity Legislation,
NEXTGOV, Sept. 4, 2009, http://www.nextgov.com/nextgov/ng_20090914_5789.php.
52. See e.g., Cybersecurity Education Enhancement Act, H.R. 266, 111th Cong.
(2009) (dealing primarily with grants to support cybersecurity education and professional
development, which was referred to the House Committees on Science and Technology, on
Education and Labor, and on Homeland Security).
the private sector. The agency would have the authority to set security
standards that would be binding on agencies and on the information
infrastructure controlled by the private sector. The agency would be both
seizing authorities from other Cabinet-level departments and directing those
departments in securing their own networks, as well as regulating
information technology systems in private sector industries that are
otherwise subject to the regulatory authorities of the departments. The
agency would, therefore, need ways to compel action. Such mechanisms
would likely include the authority to write and rewrite agency information
security budgets, access to agency enterprise architecture, access to the
intelligence and law enforcement information necessary to identify threat
signatures, the authority to isolate compromised systems from the network
or take them offline completely, and the authority to conduct operational
evaluations of federal and private sector information infrastructure.
An agency given these strategic responsibilities and broad operational
authorities over cybersecurity would necessarily be of considerable size. If
it were assembled in the same way as the DHS – by, in most cases, joining
disparate components of existing departments under a single umbrella –
large chunks of the Department of Commerce, OMB, and the DHS would
be uprooted and placed under the new agency. Assuming that national
security systems remained within the purview of the intelligence
community and the Department of Defense, it would still be necessary to
develop mechanisms by which they could coordinate with the new agency.
Such an agency would require a substantial budget.
Action on this scale in the current political environment is highly
unlikely. Any attempt to create such an agency would be compared to the
creation of the DHS, which seven years after the enactment of the
Homeland Security Act is still struggling to operate effectively. As a
consequence, there is a concern that the U.S. cybersecurity regime would
remain rudderless and disorganized for years to come in the face of growing
threats. As suggested by the response to the Snowe-Rockefeller bill,
industry would be strongly opposed to any agency that would be
empowered to regulate the private sector. Congress would also almost
certainly balk at the high start-up costs involved in creating a new agency,
especially in light of a ballooning federal deficit and difficult economic
times. Those start-up costs might be lessened if, instead of creating a new
agency, Congress gave an existing agency these authorities. However, any
attempt to empower one agency would likely meet with fierce resistance
because it would be seen as a power grab by other congressional
authorizing committees with an interest in cybersecurity.
B. Coordinating Authority
At the other end of the scale is the creation of a smaller entity with very
limited authority that leaves the current regime largely intact. The
JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103
reorganization of the U.S. Intelligence Community following the terrorist
attacks of September 11, 2001, may prove instructive, as this too required
Congress to decide how best to coordinate the activities of disparate
agencies with a variety of missions. The Program Manager for the
Information Sharing Environment (PM-ISE) was created as part of this
effort and can serve as a model for a less draconian approach to
cybersecurity governance.53 Under this system, there would be little, if any,
change in the division of authorities. Instead, the head of this office would
be responsible for developing strategies, working to resolve disputes where
individual authorities appear to clash, and establishing policies and
procedures that will facilitate information sharing and coordination among
agencies. The office would have no authority to impose its will on other
agencies but would, like the PM-ISE, either seek to influence the issuance
of executive orders, OMB memoranda, and other binding instruments, or to
negotiate with and among agencies to encourage the implementation of
cybersecurity policies. As with the PM-ISE, to the extent that the entity
creates new programs and administrative structures, they can be handed off
to agencies for full implementation and oversight.
This approach has the advantage of requiring a much smaller staff and
infrastructure, substantially reducing the implementation costs. It also
avoids the complexity issue because it does not require Congress to make
decisions about who should get what authority to respond to what
vulnerability, but instead requires only the establishment of a basic
decision-making framework.
This approach should also avoid
congressional committee jurisdictional conflict as there will be no
reorganization of the existing power structure.
However, while the relative ease with which this structure can be
established may make it seem attractive, there is a distinct possibility that it
would not be an effective means of securing the information infrastructure.
While the PM-ISE has notched some successes (for example, the
development of a nationwide protocol as part of the Suspicious Activity
Reporting Initiative that allows federal, state, and local authorities to easily
report, share, and analyze terrorism-related suspicious activities reports), it
continues to report difficulty in accomplishing its primary mission of
facilitating information sharing among federal agencies, state, local, and
tribal authorities, the private sector, and international partners. In
particular, it has had limited success in breaking the entrenched agency
barriers to information sharing. With no direct authority to compel agency
action or adoption of policies, the PM-ISE has had little leverage. The
director of a similar cybersecurity entity would likely encounter even
greater obstacles, particularly as he or she attempts to reconcile the often
competing imperatives of providing greater security and of promoting
technological innovation. Without any authority to compel action, the
53. See generally Information Sharing Environment, http://www.ise.gov/.
director would be largely impotent and few, if any, of the problems that
Congress seeks to address would be resolved.
CONCLUSION
In light of the limitations on Congress’s ability to act that are described
above, this article concludes that any congressional action will eventually
fall toward the lower end of the authority spectrum. How far in that
direction it will go, however, is largely dependent on any number of
legislative “x-factors.” Will consideration of comprehensive cybersecurity
fall in the shadow of a significant cyber attack, pushing legislation closer to
the direct authority model? Might consideration of such legislation come in
the shadow of revelations of inappropriate monitoring of Internet
communications by the federal government, fostering mistrust of the
government and making it difficult to pass any cybersecurity bill that
increases the government’s role in information infrastructure security?
As with information technology itself, the circumstances surrounding
cybersecurity legislation are changing so rapidly that an accurate prediction
is difficult to make. The door remains open for cybersecurity policy to flow
not down from the federal government but up from the information
technology industry. If the industry were to develop and implement
consensus standards that addressed most of the cyber vulnerabilities that
have been identified, that might obviate the need for congressional action.
Given the industry’s copious expertise and resources, this may indeed be an
ideal solution.
IS IT TIME FOR A NATIONAL CYBERSECURITY SAFETY BOARD?
EXAMINING THE POLICY IMPLICATIONS AND POLITICAL PUSHBACK
Scott J. Shackelford JD, PhD*
Austin E. Brady**
Abstract
In the wake of a series of destabilizing and damaging cyber attacks
ranging from Equifax to Yahoo!, there has been a growing call for
the U.S. government to establish an analogue of the National
Transportation Safety Board (NTSB) to investigate cyber attacks.
Even the esteemed Center for Strategic and International Studies has
advocated for this approach in its policy recommendations to the
45th President. But how would such a Board function, and could it
succeed where past public-private collaborations have failed given
the rapid pace of technical innovation in the cybersecurity field?
This Article investigates this policy prescription by researching the
passage of the original NTSB, assessing the various proposals that
have been made to establish a National Cybersecurity Safety Board
(NCSB), and globalizing the discussion to ascertain how other
nations are approaching this same issue.
Electronic copy available at: https://ssrn.com/abstract=3100962
Table of Contents
INTRODUCTION
I. NTSB ORIGINS
II. EXAMINING PROPOSALS FOR A NCSB
III. A GLOBAL NOTE
CONCLUSION
INTRODUCTION
Back in 1926, a new technology was causing people to interact with the world in new ways,
closing distances and linking together far-flung places, but in the process, also leading to a spate
of personal injuries and deaths. 1 That technology was the burgeoning aircraft industry. In response,
Congress passed the Air Commerce Act of 1926 to investigate aircraft accidents, 2 a step which,
nearly forty years later, gave birth to the Department of Transportation (DoT) in 1967. The DoT
included the National Transportation Safety Board, an independent agency charged with
investigating the safety of various transportation systems, from highways and pipelines to railroads
and airplanes.3 Since then, the NTSB has investigated more than 130,000 accidents. 4 Now, nearly
a century after the original Air Commerce Act, it might be time to learn from this legacy as we
seek to understand how best to mitigate the risk of a threat to another new technology that is tying
the world closer together even as it threatens our shared security—cyber attacks.
In the wake of a series of destabilizing and damaging cyber attacks, there has been a
growing chorus of calls to establish an analogue of the NTSB to investigate cyber attacks. 5 Far
from being a niche proposition, the Center for Strategic and International Studies put its substantial
weight behind this approach in its policy recommendations to the 45th President. 6 But how would
* Chair, Indiana University-Bloomington Cybersecurity Program; Director, Ostrom Workshop Program on
Cybersecurity and Internet Governance; Associate Professor, Indiana University Kelley School of Business.
** J.D. candidate, Indiana University Maurer School of Law; M.S. Cybersecurity Risk Management candidate,
Indiana University-Bloomington Cybersecurity Program.
1. See, e.g., Ben Rothke, It’s Time for a National Cybersecurity Safety Board, CSO (Feb. 19, 2015),
https://www.csoonline.com/article/2886326/security-awareness/it-s-time-for-a-national-cybersecurity-safety-boardncsb.html; History of The National Transportation Safety Board, NAT’L SAFETY TRANSPORTATION BD.,
https://www.ntsb.gov/about/history/Pages/default.aspx (last visited Oct. 24, 2017) [hereinafter, NTSB History].
2. See Air Commerce Act of 1926, Pub. L. No. 69-254, 44 Stat. 568, 572.
3. See NTSB History, supra note 1.
4. See id.
5. See, e.g., Interdisciplinary Pathways Towards a More Secure Internet, CYBERSECURITY IDEAS LAB (Feb. 10-12,
2014), at 21, https://www.nsf.gov/cise/news/CybersecurityIdeasLab_July2014.pdf [hereinafter IDEAS LAB].
6. FROM AWARENESS TO ACTION: A CYBERSECURITY AGENDA FOR THE 45TH PRESIDENT 12 (Jan. 3, 2017),
https://www.whitehouse.senate.gov/imo/media/doc/2016-01-03%20%20CSIS%20Lewis%20Cyber%20Recommendations%20Next%20Administration.pdf.
such a Board function? And could it succeed where past public-private collaborations have failed
given the rapid pace of technical innovation in the cybersecurity field?7 This Article investigates
this policy prescription by researching the passage of the original NTSB, assessing the various
proposals that have been made to establish a National Cybersecurity Safety Board (NCSB), and
globalizing the discussion to ascertain how other nations are approaching this same issue.
This Article is structured as follows. Part I examines the historical evolution and political
calculus of the NTSB to provide a framework for discussion. Part II analyzes the various proposals
for a NCSB, including both the policy implications and perspectives from leading public and
private-sector stakeholders. Finally, Part III offers global insights about how other jurisdictions
have similarly examined this concept, focusing on the European Union’s pending General Data
Privacy Regulation (GDPR) and Network Information Security (NIS) Directive.
I. NTSB ORIGINS
True to the spirit of the pre-Lochner era, regulation of the skies came slowly and haltingly,
often requiring public calamities to spur legislative action. In the years following the First World
War, pilots were subject to scant laws during what Federal Aviation Administration historian Nick
A. Komons calls the “Chaos of Laissez Faire in the Air”8 that resonates with modern concerns
over a tragedy of the cyber pseudo commons. 9 The federal government’s wait-and-see approach
stifled investment in air travel, 10 leading to a confusing patchwork of state and local laws. 11
Regulation of the skies was a hard sell for a tight-fisted Congress. Persuaded by a combination of
7. For a state of play regarding public-private cybersecurity partnerships, see Kristen E. Eichensehr, Public-Private
Cybersecurity, 95 TEX. L. REV. 467, 472-73 (2017).
8. NICK A. KOMONS, BONFIRES TO BEACONS: FEDERAL CIVIL AVIATION POLICY UNDER THE AIR COMMERCE ACT,
1926–1938, at 7 (1978).
9. See Michael Chertoff, Foreword, 4 J. NAT’L SEC. L. & POL’Y 1, 2 (2010).
10. KOMONS, supra note 8, at 29 (explaining that investors, insurers, and passengers were all reticent towards
participating in the aviation industry).
11. Id. at 27.
abysmal safety statistics, and cries for regulation from the aviation industry itself,12 Congress
enacted the Air Commerce Act of 1926. It gave federal oversight of aviation to the Department of
Commerce’s (DoC) new Aeronautics Branch, recognizing the potential air travel had for economic
growth.13 Federal attention revived the floundering industry, and aviation use took off over the
next decade.14
The Air Commerce Act provided the “legislative cornerstone” 15 for increasing aerial
safety. But it was not a perfect solution. Lochner-era federalism restrictions meant that only pilots
and aircraft engaged in interstate commerce were subject to DoC regulations, such as licensing
requirements and safety standards. Intrastate regulation was, predictably, left to the states.16 Intra
or inter, whenever accidents occurred, responsibility for investigating and assigning probable
cause was vested in the Bureau of Air Commerce. 17 This role put the Bureau in the spotlight during
investigations into the deaths of national figures—such as the 1931 demise of Notre Dame football
coach Knute Rockne—making it subject to harsh scrutiny during the ensuing public furor.18
As it struggled with its national image, the Bureau had a separate, structural problem.
Namely, the conflict-laden reality of the Bureau investigating the effectiveness of its own safety
12. The aviation industry averaged 70.8 deaths per year from 1921–1925. While this may seem low by modern
standards, it was enormously high as a percentage of total pilots at the time. See id. at 23.
13. See NTSB History, supra note 1.
14. See 7 Air. Com. Bull. 1, 7 (1935) (“Of 8,733 Airplanes now in Service, 2,414 Were Built in 1929”).
15. See KOMONS, supra note 8, at 88.
16. In fact, the first volume and issue of the Air Commerce Bulletin began with an article titled “Need for Uniform
State Legislation,” soliciting state support in enacting federal, uniform, programs. 1 Air Com. Bull. 1 (1929).
17. The Bureau of Air Commerce was the successor to the Aeronautics Branch of the Department of Commerce. See
KOMONS, supra note 8, at 277–78.
18. See id.; See also, Knute Rockne Dies with Seven Others in Mail Plane Dive, N.Y. TIMES (Apr. 1, 1931), at 1
(including the arrival of Department of Commerce investigators in the front-page announcement of the famed
football coach’s death). The plane crash that caused the death of Senator Cutting of New Mexico seemed to spell the
end for the Bureau of Air Commerce. It spent 1936 assuming control of Air Traffic Control in the wake of the
Cutting crash but could not demand air carriers follow their safety regulations like the Interstate Commerce
Commission could with the railroads. See KOMONS, supra note 8, at 360.
policies while it alone determined legally-binding fault.19 It was not until the Civil Aeronautics
Act (CAA) of 1938 that probable cause determinations were separated from the safety regulating
functions and placed within a separate Air Safety Board.20
In forming the Air Safety Board, Congress affirmed the need for a dedicated corps of
federal investigators to examine the causes of transportation incidents. 21 The growing pains over
two decades, the deaths of a United States Senator and beloved Notre Dame football coach, and
multiple bureau re-organizations solidified the need to split regulatory functions from investigations
assigning fault. The formation of the Air Safety Board was a critical first step towards independent
investigations; however, when Congress created the Department of Transportation in 1967, it
established the NTSB as an “independent” agency within the DoT.22 This move created a different
conflict of interest, because the department was itself tasked with regulatory responsibilities at odds
with the NTSB’s objective analysis. Finally, the NTSB was cleaved from DoT pressures in 1974,
with Congress remarking that “no federal agency can properly perform such (investigatory)
functions unless it is totally separate and independent from any other . . . agency of the United
States.”23 Once it was free of DoT administration, the NTSB came into its own as a fully
independent investigatory agency.
19. Part of the problem with the Bureau assuming responsibility for determining probable cause was that they might
find that responsibility lay at the feet of the Bureau itself. This liability caused the Board’s investigations to be less
transparent, an unacceptable veil to an American public that demanded answers after high profile deaths such as
Senator Cutting of New Mexico in 1935. A 1934 amendment to the Air Commerce Act had partially alleviated the
secrecy problems but did not address the independence issue. See KOMONS, supra note 8, at 278 (the amendment
mandated public disclosure of Bureau findings and forbade the findings of the Bureau from being admitted as
evidence in legal proceedings).
20. KOMONS, supra note 8, at 379.
21. See NTSB History, supra note 1.
22. See id.
23. Id.
Concerns of overreaching federalism stunted growth in the beginning, 24 but the lesson of
the NTSB is that a specialized organization can in fact promote the growth of highly-complex
industries while boosting security for the public. However, that organization must be able to
independently conduct its investigations without the fear of intra-agency meddling. Today, air
travel is widely regarded as among the safest forms of mass transportation. 25 Can the same feat be
replicated in cyberspace?
II. EXAMINING PROPOSALS FOR A NATIONAL CYBERSECURITY SAFETY BOARD
Propositions for strengthening U.S. cybersecurity range widely, from federally sponsored
cyber risk insurance programs to allowing companies to have a freer hand to engage in proactive
cybersecurity measures. 26 A common refrain across many of these proposals, though, is more
robust data breach investigation requirements, which could include “on-site gathering of data on
why the attack succeeded, [so as] to help other companies prevent similar attacks.”27 This evokes
one of the core functions of the NTSB, that is, to investigate and establish the facts behind an
incident, and to make recommendations to help ensure that similar events do not occur in the
future.28 In short, investigators help establish “the who, what, where, when, how and [perhaps]
why behind an incident.”29 After the facts are determined, policymakers can and often have backed
24. See KOMONS, supra note 8, at 88.
25. See, e.g., Bureau of Transportation Stat., U.S. Dep’t Transportation,
https://www.rita.dot.gov/bts/sites/rita.dot.gov.bts/files/publications/national_transportation_statistics/html/table_02_01.html (last visited Dec. 20, 2017).
26. See, e.g., Amanda N. Craig, Scott J. Shackelford, & Janine Hiller, Proactive Cybersecurity: A Comparative
Industry and Regulatory Analysis, 18 AM. BUS. L.J. 721, 722 (2015); Joe Uchill, New Bill Would Allow Hacking
Victims to ‘Hack Back,’ HILL (Oct. 13, 2017), http://thehill.com/policy/cybersecurity/355305-hack-back-bill-hitshouse.
27. Robert K. Knake, Creating a Federally Sponsored Cyber Insurance Program, COUNCIL ON FOREIGN REL. (Nov.
22, 2016), https://www.cfr.org/report/creating-federally-sponsored-cyber-insurance-program.
28. See id.
29. IDEAS LAB, supra note 5, at 21.
up NTSB recommendations with new regulations. Failing that, it is common for air carriers, for
example, to voluntarily implement such recommendations, such as through industry codes of
conduct.30
The framework of an NTSB investigation—root cause determination of an accident and
the development of proposals to avoid such failures in the future—is appropriate for high-complexity sectors beyond aviation. A useful comparison can be made to similar inquiries into
NASA’s space travel efforts. After the tragic explosion of the space shuttle Columbia, NASA put
together an investigation board in order to determine what had caused the Shuttle to break apart
upon reentry.31 While proximate cause of the Columbia disaster was traced to a piece of insulating
foam that dislodged and impacted the Shuttle’s wing during liftoff, 32 the Columbia Accident
Investigation Board (CAIB) assigned actual, or but-for, cause to the overall culture at NASA. 33
The CAIB, similar to a thorough NTSB investigation,34 expanded their investigation beyond the
technical failures that led to the accident and into cultural causes. They laid part of the blame on
the mosaic of events that created a culture of savings-over-safety at NASA during the post-Apollo
period.35
30. See Knake, supra note 27. For an example of such an industry code of conduct, see the efforts by AdvaMed to
enhance the security of medical devices. AdvaMed Medical Device Cybersecurity Foundational Principles,
ADVAMED,
https://www.advamed.org/sites/default/files/resource/advamed_medical_device_cybersecurity_principles_final.pdf
(last visited Dec. 20, 2017).
31. 1 COLUMBIA ACCIDENT INVESTIGATION BOARD, REPORT VOLUME I: AUGUST 2003 (2003).
32. See id. at 49 (“The physical cause of the loss of Columbia and its crew was a breach in the Thermal Protection
System . . . . initiated by a piece of insulating foam.”).
33. Id. at 97 (“In our view, the NASA organizational culture has as much to do with this accident as the foam.”).
34. See, e.g., NATIONAL TRANSPORTATION SAFETY BOARD, NTSB/HAR-12/01, HIGHWAY ACCIDENT REPORT:
MOTORCOACH RUN-OFF-THE-ROAD AND COLLISION WITH VERTICAL HIGHWAY SIGNPOST, INTERSTATE 95
SOUTHBOUND, NEW YORK CITY, NEW YORK MARCH 12, 2011, at viii (adopted Jun. 5, 2012) (“This accident is one
of many investigated by the NTSB in which the motor carrier’s safety processes, as well as its corporate culture,
may have set the stage for [the accident].”).
35. See COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 103.
Today, the business of space travel is still highly dangerous, 36 and costly.37 However,
relatively few people “slip the surly bonds of Earth”38 and travel higher in the atmosphere than
those at the cruising altitude of the major airlines. In fact, as of this writing, only six people reside
in orbital space aboard the International Space Station.39 Still, highly technical accidents require a
qualified investigative body to comb through facts and determine causes, which, at times, include
detrimental organizational norms. 40 Commercial actors in space travel, such as SpaceX and Virgin
Galactic, still rely on the NTSB for post-accident investigations.41 If space travel becomes more
ubiquitous, we may see similar culture failures to those replete in the cybersecurity context. 42
The CAIB’s authority to expand its investigation beyond technical considerations and into
cultural issues is a critical tool that a NCSB should also adopt. Like aviation, enhancing security
in the emerging Internet of Everything is a highly complex, technologically and legally challenging
endeavor where organizational culture can vary dramatically.43 As companies, individuals, and
36. Even two dozen years after the Columbia accident, traveling to space is not for the faint of heart. See, Eric Berger,
The Second Launch from Russia’s New Spaceport Has Failed: Human Error May Have Been Involved,
ARSTECHNICA (Nov. 28, 2017, 8:13 AM), https://arstechnica.com/science/2017/11/the-second-launch-from-russiasnew-spaceport-has-failed/. Even non-governmental players, such as SpaceX, suffer failures during liftoff and
reentry. See, e.g., Alan Yuhas, SpaceX’s Booms and Busts: Spaceflight is Littered with Explosions and Disasters,
THEGUARDIAN (Sep. 1, 2016, 4:13 PM), https://www.theguardian.com/science/2016/sep/01/spacex-falcon-9explosion-tesla-elon-musk-nasa.
37. See, COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 109.
38. John Gillespie Magee, Jr., High Flight (1941), available at http://www.arlingtoncemetery.net/highflig.htm.
39. See Space Station Updates, NASA, https://www.nasa.gov/mission_pages/station/main/index.html (last visited
Dec. 20, 2017).
40. See, COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 99. Independent boards were commissioned
following both the Challenger and Columbia accidents, with the Rogers Commission, the investigators of the
Challenger accident, being heavily cited by the CAIB.
41. The NTSB, with its expertise in aviation, investigated the crash of the VSS Enterprise and collaborated with
SpaceX into the failures of the Falcon 9 rockets. See, NATIONAL TRANSPORTATION SAFETY BOARD, NTSB/AAR15/02, AEROSPACE ACCIDENT REPORT: IN-FLIGHT BREAKUP DURING TEST FLIGHT SCALED COMPOSITES SPACESHIP
TWO, N339SS, NEAR KOEHN DRY LAKE, CALIFORNIA, OCTOBER 31, 2014 (adopted July 28, 2015); Loren Grush,
SpaceX Eyes January 8th Return to Flight After Finishing Up Accident Investigation, THE VERGE (Jan. 2, 2017, 9:01
AM), https://www.theverge.com/2017/1/2/14142064/spacex-flight-launch-date-falcon-9-explosion-investigation.
42. See, e.g., Andrew G. Simpson, 5 Reasons Cyber Security Is Failing and What P/C Insurers Can Do About It,
INSURANCE J. (Aug. 18, 2017), https://www.insurancejournal.com/news/national/2017/08/18/461482.htm
(summarizing an array of cultural disconnects that make addressing cybersecurity challenges more difficult).
43. See, Aaron J. Burstein, Amending the ECPA to Enable a Culture of Cybersecurity Research, 22 HARV. J. L. &
TECH. 167, 171 (2008) (“There is a culture of pushing attackers away from oneself without any consideration of the
poor overall security resulting from this lack of coordination between organizations.”).
devices continue to be integrated, the need for a NCSB may become as essential as the NTSB or
CAIB. As the CAIB concluded:
Attempting to manage high-risk technologies while minimizing failures is an
extraordinary challenge. By their nature, these complex technologies are intricate,
with many interrelated parts. Standing alone, the components may be well
understood and have failure modes that can be anticipated. Yet when these
components are integrated into a larger system, unanticipated interactions can occur
that lead to catastrophic outcomes. The risk of these complex systems is increased
when they are produced and operated by complex organizations that also break
down in unanticipated ways. 44
Like a Shuttle’s systems, the complex networks and devices involved in cybersecurity breaches
are interdependent, where the failure of one can lead to dramatic consequences downstream.45 To
better understand the coming wave, from 2013 to 2020, Microsoft has estimated that the number
of Internet-enabled devices is expected to increase from 11 to 50 billion, though estimates vary
with Morgan Stanley predicting 75 billion such devices in existence by 2020. 46 Samsung has
announced that all of its products would be connected to the Internet by 2020. 47 Already,
vulnerabilities in such smart devices have been connected with significant security breaches. 48
The potential wide-ranging impacts of recent cybersecurity breaches into major U.S.
corporations cannot be attributed to technical failures alone, as recent examples point towards
culture as being an important element of fault. The 2017 hack of Equifax was the result of a
44. COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 97.
45. As a recent example, the DDoS attack against Dyn shut down swaths of the internet by attacking the domain
registry. See, Bruce Schneier, Lessons from the Dyn DDoS Attack, SCHNEIER ON SECURITY (Nov. 8, 2016 6:25 AM),
https://www.schneier.com/blog/archives/2016/11/lessons_from_th_5.html.
46. See Tony Donava, Morgan Stanley: 75 Billion Devices Will Be Connected to The Internet of Things By
2020, BUS. INSIDER (Oct. 2, 2013), http://www.businessinsider.com/75-billion-devices-will-be-connectedto-the-internet-by-2020-2013-10#ixzz3i4CApJsg.
47. See Rachel Metz, CES 2015: The Internet of Just About Everything, TECH. REV. (Jan. 6, 2015),
http://www.technologyreview.com/news/533941/ces-2015-the-internet-of-just-about-everything/.
48. See Scott J. Shackelford, How to Fix an Internet of Broken Things, CHRISTIAN SCI. MONITOR (Oct. 26,
2016), https://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/1026/Opinion-How-to-fix-aninternet-of-broken-things; Scott J. Shackelford et al., When Toasters Attack: Enhancing the ‘Security of
Things’ through Polycentric Governance, 2017 UNIV. ILL. L. REV. 415, 416 (2017).
Electronic copy available at: https://ssrn.com/abstract=3100962
vulnerability the company was warned of prior to the attack. 49 Following their December, 2016
breach, Uber, Inc. similarly failed to follow standard industry practices, paying their attacker
$100,000 in hush money.50 More startlingly, Uber kept the exfiltration of millions of customers’
personal and financial information secret until it was revealed in late 2017. 51 Both of these attacks
impacted millions of consumers because of organizational cultures that did not emphasize
cybersecurity best practices and industry norms.52 In fact, Equifax’s attempt to hide the extent of
their data breach has backfired badly, contributing to proposals to fine credit monitoring firms for
such behavior in the future. 53
Unlike the tragic but relatively low number of astronaut fatalities that the CAIB
investigated, cybersecurity breaches have affected billions of people.54 Analysis of the costs
associated with cyber attacks should not stop at the technical failures that allowed the attackers
access to the victim’s networks. Investigations should take a page from the CAIB’s playbook and
include evaluation of cultural norms that allowed such vulnerabilities to exist, along with industry
best practices.55
49
See, Senate Banking Committee Hearings on Equifax Data Breach, C-SPAN (Oct. 4, 2017), https://www.c-span.org/video/?434469-1/equifax-ceo-testifies-senate-banking-panel.
50
The FBI strongly recommends against paying a ransom for stolen data, as it only emboldens attackers and
potentially funds criminal activity. See, FBI, What We Investigate: Cyber Crime,
https://www.fbi.gov/investigate/cyber.
51
See, Eric Newcomer, Uber Paid Hackers to Delete Stolen Data on 57 Million People, BLOOMBERG (Nov. 21, 3:58
PM), https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data.
52
For more on organizational, budgetary, and technological cybersecurity best practices, see generally Scott J.
Shackelford, Timothy L. Fort, & Jamie D. Prenkert, How Businesses Can Promote Cyber Peace, 36 UNIV. PENN. J.
OF INT’L L. 353 (2015); Chapter Five in SCOTT J. SHACKELFORD, MANAGING CYBER ATTACKS IN INTERNATIONAL
LAW, BUSINESS, AND RELATIONS: IN SEARCH OF CYBER PEACE (2014).
53
See Frank Kalman, Equifax Breach Shows Folly in Hiding Bad News, TALENT ECONOMY (Sept. 14, 2017),
http://www.talenteconomy.io/2017/09/14/equifax-breach-hiding-bad-news/; Laura Hautala, Elizabeth Warren's Bill
Would Fine the Next Equifax for Data Breach, CNET (Jan. 10, 2018), https://www.cnet.com/news/elizabeth-warren-equifax-mark-warner-credit-reporting-agencies-data-breach-bill-fines/.
54
See, e.g., World’s Biggest Data Breaches, Information is Beautiful,
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ (last visited Dec. 20,
2017).
55
For more on this topic, see Chapter 5 in Shackelford, supra note 52.
As has been noted, two elements of the NTSB analogy are particularly useful for enhancing
cybersecurity. First, it separates fact-finding proceedings from any questions of liability, allowing
attribution to be established, for example, without parties initiating litigation. 56 Second is the so-called “party process,” which is a multi-stakeholder approach to accident investigations involving
members of various constituencies.57 This multi-stakeholder model is also part and parcel of
cybersecurity, and the larger internet-governance ecosystem, 58 and thus could resonate well with
these types of investigations.
The NCSB would likely have significant private-sector participation; in fact, it could even
be run entirely by coalitions of companies such as through existing trade groups or Information
Sharing and Analysis Centers (ISACs).59 Moreover, funding could come from interested
stakeholders, such as insurance companies. 60 This is because such secondary markets would
benefit from greater clarity surrounding the attribution of claims, as well as more information about
the utility of various cybersecurity best practices, such as utilizing the National Institute for
Standards and Technology Cybersecurity Framework (NIST CSF).61
Critics of establishing a NCSB would likely contend that firms may spend more on settling
litigation and investing in reputation management than in proactively managing cyber attacks. 62
Other concerns might include the fact that as both the cyber threat environment and dependent
56
See Neil Robinson, The Case for a Cyber-Security Safety Board: A Global View on Risk, RAND CORP. (Jan. 18,
2012), https://www.rand.org/blog/2012/06/the-case-for-a-cyber-security-safety-board-a-global.html.
57
See id.
58
See, e.g., Scott J. Shackelford et al., iGovernance: The Future of Multi-Stakeholder Internet Governance in the
Wake of the Apple Encryption Saga, 42 N.C. J. INT’L L. 883 (2016-2017); Scott J. Shackelford et al., Back to the
Future of Internet Governance?, GEORGETOWN J. OF INT’L AFF. 81, 82 (2015).
59
See Information Sharing, Dep’t Homeland Sec., https://www.dhs.gov/topic/cybersecurity-information-sharing
(last visited Dec. 20, 2017).
60
See Knake, supra note 26.
61
See Scott J. Shackelford, Scott Russell, & Jeffrey Haut, Bottoms Up: A Comparison of “Voluntary” Cybersecurity
Frameworks, 16 UNIV. OF CAL. DAVIS BUS. L.J. 217, 217 (2016); Scott J. Shackelford et al., Toward a Global
Standard of Cybersecurity Care?: Exploring the Implications of the 2014 Cybersecurity Framework on Shaping
Reasonable National and International Cybersecurity Practices, 50 TEX. INT’L L.J. 287, 289 (2015).
62
See Robinson, supra note 56.
technologies change so dynamically, 63 the value of NTSB-style investigations may be limited
given the concern that, by the time that the investigation is complete, the means used in the data
breach may be obsolete. Addressing this concern requires that investigations, once undertaken, are
completed as expediently as possible, unlike, for example, the typical NTSB report that can take
one year or more to compile. 64
Final concerns that would need to be overcome if the promise of a NCSB is to be realized
include: (1) identifying the right experts for the tremendous variety of cyber attacks from
Distributed Denial of Service (DDoS) attacks to sophisticated cyber weapons using zero-day
exploits;65 (2) learning from effective information sharing forums to mesh the functions of a NCSB
with existing industry best practices and public-private partnerships;66 (3) defining access (e.g.,
erring on the side of confidentiality versus transparency for various types of cyber attacks); (4)
landing on an appropriate terminology, most likely in the guise of risk management given the
success of the NIST CSF67; and (5) aligning efforts with the Federal Trade Commission and other
sector-specific regulators to help ensure a more robust cybersecurity standard of care emerges from
these efforts.68 To be successful, a variety of incentives and likely regulatory requirements would
be required for firms to participate in a NCSB, such as targeted safe harbor provisions and
mandating investigations for “serious” breaches such as those involving U.S. critical
63
See, e.g., Andrew Munger, Reducing Cyberrisk in a Dynamic Threat Environment, INFRAGARD MAG. (2017),
https://infragardmagazine.com/how-to-reduce-cyber-risk-in-a-dynamic-threat-environment/.
64
See The Investigation Process, Nt’l Transportation Safety Board,
https://www.ntsb.gov/investigations/process/Pages/default.aspx (last visited Dec. 20, 2017).
65
IDEAS LAB, supra note 5, at 22.
66
See id.
67
See Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Bottoms Up: A Comparison of “Voluntary”
Cybersecurity Frameworks, 16 UNIV. OF CAL. DAVIS BUS. L.J. 217 (2016).
68
See Scott J. Shackelford et al., Toward a Global Standard of Cybersecurity Care?: Exploring the Implications of
the 2014 Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50
TEX. INT’L L.J. 287 (2015).
infrastructure.69 It would also be important to limit the purview, and thus workload, of a NCSB
given the tremendous number of breaches taking place.
As has been argued by the Cybersecurity Ideas Lab:
Done right, such an organization could make tremendous contributions, by
providing a common base of information about what types of incidents occur, who
is affected, who is attacking, the methods of attacks, and the vulnerabilities that are
exploited, both at a given point in time and as a way of identifying and
characterizing trends.70
Such a model would be an improvement on the existing reliance on Cyber Emergency Response
Teams (CERTs),71 and aid in effective policymaking at both the state and federal level given the
lack of hard, verifiable data on the scope and scale of cyber attacks. The creation of a NCSB could
also help law enforcement investigations, particularly local and state agencies without the
resources and expertise of the FBI.72 Along with the ISACs, this would be a boon to academics
needing reliable data to undertake scholarly analysis, as well as national security organizations,
and U.S. strategic partners around the world.
III. A GLOBAL NOTE
No nation is an island in cyberspace, as much as some wish they were. As such,
jurisdictions the world over are experimenting with various cybersecurity risk management
models.73 One of the most important of these jurisdictions is the European Union, both for its
overall size,74 and for the fact that it is undergoing a transformation in its cybersecurity law through
69
For more on this topic, see Scott J. Shackelford et al., From Russia with Love: Understanding the Russian Cyber
Threat to U.S. Critical Infrastructure, 96 NEBRASKA L. REV. 320 (2017).
70
IDEAS LAB, supra note 5, at 21.
71
See, id.
72
See, Police Lack Skills and Funding to Cope with Today’s Cyber Threats, PA CONSULTING (Dec. 12, 2014),
http://www.paconsulting.com/newsroom/releases/police-lack-skills-and-funding-to-cope-with-todays-cyber-threats-12-december-2014/ (“only 30% believe they have the skills and tools to tackle cybercrime effectively.”).
73
See Shackelford, Russell, & Kuehn, supra note 61.
74
See EU Position in World Trade, http://ec.europa.eu/trade/policy/eu-position-in-world-trade/ (last visited Dec. 21,
2017).
the enactment of the General Data Privacy Regulation (GDPR) and the Network Information
Security (NIS) Directive. Taken together, these initiatives will revitalize data breach investigations
across the European single market with significant implications for global cybersecurity
policymaking.
The GDPR, recently finalized, represents the most recent iteration of EU data protection
efforts that date back decades.75 Among other important aspects of the GDPR, it centralizes data
protection authority in the EU into a single regulatory body, as compared with the EU Data Privacy
Directive’s (DPD) utilization of national data protection authorities for each Member State. 76 It
also mandates breach notification within seventy-two hours of a covered entity becoming aware
of the breach, provides a right to access data to promote the transparency of data privacy, codifies
the ‘right to be forgotten,’ includes a right to data portability, requires privacy by design, and sets
out new rules for data protection officers. 77
Also notable is the shift towards a risk-management model for implementing the privacy
principles,78 a move that may have been influenced by the relative success of the NIST CSF. 79
Finally, the GDPR extends the jurisdictional reach of EU data protection requirements to data
processing that occurs outside the territorial boundaries of the EU. Specifically, when the processor
targets individuals within the EU for the offering of goods or services, or when the processor is
75
GDPR Portal, Eur. Union, https://www.eugdpr.org/ (last visited Dec. 21, 2017).
76
Id. at 182.
77
GDPR Key Changes, https://www.eugdpr.org/key-changes.html (last visited Dec. 21, 2017).
78
Council of the European Union Proposes Risk-Based Approach to Compliance Obligations, HUNTON &
WILLIAMS (Oct. 29, 2014), http://www.huntonprivacyblog.com/2014/10/29/.
council-european-union-proposes-risk-based-approach-compliance-obligations/.
79
See Shackelford, Russell, & Kuehn, supra note 61; KATHERINE O’KEEFE & DARAGH O’BRIEN, SUBJECT ACCESS
REQUESTS: A DATA HEALTH CHECK 12 (Castlebridge Assocs. ed., 2015),
https://castlebridge.ie/products/whitepapers/
2015/09/subject-access-requests-data-health-check (“40% of Data Controllers are failing to ensure adequate
technological or organisational [sic] controls to prevent unauthorised [sic] access to or disclosure of personal
data . . . ”).
monitoring EU persons that are located within the territorial bounds of the EU. 80 Taken together,
these reforms constitute a sea change in the EU’s data privacy regime, which is already among the
most robust in the world.
In addition to the GDPR, the NIS Directive deepens the EU’s reforms by increasing the
Member States’ cybersecurity capacity-building, defining a “Cooperation Group” to support intra-EU information sharing, and laying out the requirements for operators of “essential services”
(analogous to critical infrastructure that includes energy, transportation, banking, financial
markets, healthcare, water, and digital infrastructure). 81 Overall, the NIS Directive helps to
establish a European standard of cybersecurity care for all businesses based upon risk
management.82
The above reforms are coupled with a requirement for each EU Member State to enact
legislation establishing a national cybersecurity strategy, a national cybersecurity authority, and a
national CERT, if such entities do not exist already. 83 The extent of some of these obligations,
however, is still unclear, as States may see cyber threats as falling in the realm of national security,
and therefore outside the scope of this stratum of EU governance.84 Finally, in furtherance of the
emphasis on risk management, crystallizing the EU’s Cybersecurity Strategy led to the
development of the NIS Platform, which establishes a framework for evaluating cybersecurity due
80
For more on this topic, see Scott J. Shackelford & Scott Russell, Operationalizing Cybersecurity Due Diligence:
A Transatlantic Case Study, 67 UNIV. S. CAROLINA L. REV. 1 (2017).
81
The Directive on Security of Network and Information Systems (NIS Directive), Eur. Comm’n,
https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive (last visited Dec. 21,
2017).
82
Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High
Common Level of Network and Information Security Across the Union, EUROPEAN COMM (2013), at 9, (July 2,
2013), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52013PC0048 (“[T]he requirements are
proportionate to the risk presented . . . and should not apply to micro enterprises.”).
83
Id. at arts. 19–21.
84
Consolidated Version of the Treaty on European Union art. 4, Mar. 30, 2010, 2010 O.J. (C 83) 18 (“national
security remains the sole responsibility of each Member state.”).
diligence, and which largely incorporates the NIST CSF core elements—identify, protect, detect,
respond, recover—as the standard approach for enterprise risk management. 85
Looking ahead, the GDPR will automatically come into force across the EU on May 25,
2018, “whereas NISD requires Member States to introduce implementing legislation by 9 May
2018.”86 Once these reforms come into full effect, there will be a flood of information on data
breaches across the EU that will help investigators in Europe, North America, and indeed around
the world better identify, and hopefully mitigate the risk of, cyber attacks. Although neither the
GDPR nor the NIS Directive includes a version of a regional Cybersecurity Safety Board, the
elements they do include move the EU in this direction, which could make an analogous U.S. body
that much more effective. Such developments would be an important step on the long journey to a
positive and sustainable cyber peace. 87
Conclusion
No system for investigating and reporting on cyber attacks is perfect. Incentives will
continue to be misaligned in this context given that many firms fear legal liability and the negative
impact on brand that being forthcoming about the details of cyber attacks can bring. But as more
nations and regions—including the European Union—join the forty-seven U.S. states and move
forward with more robust data breach notification requirements, a global debate is now underway
about the best ways in which to increase transparency and with it, opportunities to learn from
85
NIS Platform (WG-1), Network and Information Security Risk Management Organizational Structures and
Requirements, at 2-4, Final Draft 220515, https://resilience.enisa.europa.eu/nis-platform/shared-documents/5th-plenary-meeting/chapter-1-nis-risk-management-organisational-structures-and-requirements-v2/at_download/file.
86
Data Security and Breach Reporting under the GDPR and NISD, TAYLOR WESSING (Sept. 2016), https://united-kingdom.taylorwessing.com/globaldatahub/article-data-security-and-breach-reporting-under-the-gdpr-and-nisd.html.
87
For more on the topic of cyber peace, see Scott J. Shackelford, In Search of Cyber Peace: A Response to the
Cybersecurity Act of 2012, 64 STAN. L. REV. ONLINE 106 (Mar. 8, 2012),
http://www.stanfordlawreview.org/online/cyber-peace.
successful cyber attacks. A NCSB is politically unlikely in the near term, but we believe that the
creation of such a body is overdue.
Without Congressional action, a coalition of the private sector and even state governments
could begin the process of enacting local, even sector-specific CSBs. But to reach their full promise
(and to ward off wasteful duplication), Congress would need to pass a package of incentives and
regulatory requirements outlined above. Although far from a panacea, such a step could help raise
the overall level of cybersecurity due diligence and hasten the rise of a cybersecurity standard of
care in the United States and abroad. All that is needed is the political will to act, the desire to
experiment with new models of cybersecurity governance, and the recognition that we should learn
from history. As President Franklin D. Roosevelt famously said, “The country needs and, unless I
mistake its temper, the country demands bold persistent experimentation. It is common sense to
take a method and try it: If it fails, admit it frankly and try another. But above all, try something.”88
88
Franklin D. Roosevelt, Address at Oglethorpe University in Atlanta, Georgia (May 22, 1932),
http://www.presidency.ucsb.edu/ws/?pid=88410.
1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0
1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1
0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1
0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1
0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0
1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0
1 0 0...