LSTD517 American Military University Cybersecurity Related Statutes Paper

User Generated

CrgreCvcre1969

Business Finance

LSTD517

American Military University

Description

In a minimum of 600 words, explain how and why the current cybersecurity-related statutes, regulations, and policies related to the Internet of Things developed as they did. Offer some observations as to whether these laws and policies should change to better fit the cybersecurity environment within the foreseeable future.

References

Daniels, J. (2017, November 14). You Hold The Key to Overcoming Cyber-Threats. (TEDx Talks) Retrieved May 17, 2019, from YouTube:

Grant, J. (2010). Will There Be Cybersecurity Legislation? Journal of National Security Law, 4(1), 103-117. Retrieved May 17, 2019, from http://search.ebscohost.com.ezproxy1.apus.edu/logi...

Hagemann, R., Huddleston, J., & Thierer, A. D. (2018, February 5). Soft Law for Hard Problems: The Governance of Emerging Technologies in an Uncertain Future. Colorado Technology Law Journal. Retrieved May 17, 2019, from https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3...

Shackelford, S. J., & Brady, A. E. (2018, January 12). Is it Time for a National Cybersecurity Safety Board? Albany Law Journal of Science and Technology. Retrieved May 17, 2019, from https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3...

US-CERT. (2003). National Security Strategy to Secure Cyberspace. US-CERT. Washington, D.C.: Department of Homeland Security. Retrieved May 17, 2019, from https://www.us-cert.gov/sites/default/files/public...

Unformatted Attachment Preview

Will There Be Cybersecurity Legislation? John Grant∗ Independent efforts will not be sufficient to address this challenge without a central coordination mechanism, an updated national strategy, an action plan developed and coordinated across the 1 Executive Branch, and the support of Congress. INTRODUCTION In the course of just a few decades, information technology has become an essential component of American life, playing a critical role in nearly every sector of the economy. Consequently, government policy affecting information technology currently emanates from multiple agencies under multiple authorities – often with little or no coordination. The White House’s Cyberspace Policy Review (the Review) wisely recognized that the first priority in improving cybersecurity is to establish a single point of leadership within the federal government and called for the support of Congress in pursuit of this agenda. Congressional involvement in some form is inevitable, but there is considerable uncertainty as to what Congress needs to do and whether it is capable of taking action once it decides to do so. With an agenda already strained to near the breaking point by legislation to address health care reform, climate change, energy, and financial regulatory reform – as well as the annual appropriations bills – the capacity of Congress to act will depend, in some part, on the necessity of action. For the last eight years, homeland security has dominated the congressional agenda. With the memory of the terrorist attacks of September 11 becoming ever more distant, there may be little appetite for taking on yet another major piece of complex and costly homeland security legislation. Part I of this article considers the question of necessity. The Homeland 2 3 Security Act, the Federal Information Security Management Act, the 4 Communications Act, and any number of other statutes provide substantial 5 authorities over federal and nonfederal information infrastructure. Do * Minority Counsel for the Senate Committee on Homeland Security and Governmental Affairs. The views expressed in this article are those of the author and do not necessarily reflect those of the Members and Staff of the Committee. 1. CYBERSPACE POLICY REVIEW: ASSURING A TRUSTED AND RESILIENT INFORMATION AND COMMUNICATIONS INFRASTRUCTURE 7 (2009), available at http://www.whitehouse. gov/assets/documents/Cyberspace_Policy_Review_final.pdf (emphasis added). 2. Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (2002). 3. Federal Information Security Management Act, 44 U.S.C. §§3541-3549 (2006). 4. Communications Act of 1934, 47 U.S.C. §§151-161 (2006). 5. “The term ‘information infrastructure’ means the underlying framework that 103 104 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103 these statutes provide the federal government with all of the tools that it needs to effectively manage cybersecurity? Are they compatible, or do they create a series of conflicting authorities that will paralyze the agencies that seek to execute them? Part II considers whether, if Congress needs to act, it can effectively do so. Information technology has become an engine of the economy, and the businesses that provide it wield enormous influence. Any substantial reorganization will draw opposition. Without the impetus of an attack on U.S. cyberspace comparable to the September 11 attacks, we may legitimately ask whether any reform legislation can overcome the opposition of powerful stakeholders. Beyond the political realities, there is also the question of whether, given its inherent institutional limitations, Congress can effectively legislate in this area. Does the slow pace of congressional action coupled with a general lack of technical expertise inhibit Congress’s ability to craft and enact legislation responsive to the cybersecurity vulnerabilities of today and the future? This article concludes by identifying the likely endpoints in a spectrum of options for organizing the federal government’s cybersecurity regime. I. THE QUESTION OF NECESSITY There are a number of potential sources of executive branch authority over the security of both federally controlled and privately owned information infrastructure. While volumes could be written appraising the strengths and weaknesses of each source, this article has a different focus. It briefly discusses the major authorities and then proposes that congressional action focus less on granting new authority and more on defining how the existing authorities interact. A. The Federal Information Security Management Act The Federal Information Security Management Act (FISMA) was enacted to “provide for development and maintenance of minimum controls required to protect federal information and information systems” and “provide a mechanism for improved oversight of federal agency 6 information security programs.” FISMA attempts to accomplish this in two ways – by delineating a set of agency responsibilities and giving the 7 Office of Management and Budget (OMB) oversight authority. information systems and assets rely on in processing, transmitting, receiving, or storing information electronically.” Information and Communications Enhancement Act (ICE), S. 921, 111th Cong. §3551(b)(4) (2009). 6. 44 U.S.C. §§3541(3)-3541(4) (2006). 7. Id. §§3543–3544. 2010] WILL THERE BE CYBERSECURITY LEGISLATION? 105 Specifically, agencies are required to implement agency-wide programs: . . . providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an 8 agency. In short, agencies are given broad authority to make their own security arrangements under the purportedly watchful eye of OMB. As implemented, FISMA has received reviews that are far from glowing. The Government Accountability Office (GAO) continues to designate federal information security as a government-wide, high-risk area 9 in biennial GAO reports to Congress. FISMA has been criticized as a 10 “paperwork exercise” that does little to actually improve security. The Center for Strategic and International Studies (CSIS), in its Securing Cyberspace for the 44th Presidency, outlined a concise litany of failures: FISMA lacks effective guidance and standards for determining appropriate levels of risk; it lacks requirements for testing or measuring an agency’s vulnerabilities or its plans for mitigating such vulnerabilities; it fails to define agency responsibilities for effective controls over contractors or vendors; and it does not recognize the emergence of new technologies and network 11 architectures. Nonetheless, it is important to note that these criticisms do not necessarily suggest that federal agencies lack the statutory authority to protect their information infrastructure. Rather, it is FISMA’s usefulness as a measure of security and an oversight tool that is questionable. While in the end it may be considered desirable for Congress to act to address these perceived weaknesses in FISMA, it does not follow that it is necessary for 8. Id. §3544(a)(1)(A). 9. See GOVERMENT ACCOUNTABILITY OFFICE, HIGH-RISK SERIES: AN UPDATE 47 (2009) (GAO-09-271), available at http://www.gao.gov/new.items/d09271.pdf. 10. Dan Verton, Survey Finds Digital Divide Among Federal CISOs, COMPUTERWORLD, Nov. 23, 2004, available at http://www.computerworld.com/s/article/ print/97763/Survey_finds _digital_divide_among_federal_CISOs. 11. CENTER FOR STRATEGIC AND INT’L STUDIES, SECURING CYBERSPACE FOR THE 44TH PRESIDENCY 1, 69 (2008), available at http://csis.org/files/media/csis/pubs/081208_securing cyberspace_44.pdf [hereinafter CSIS Report]. 106 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103 Congress to act in order for agencies to have the means to secure their information infrastructure. B. The Homeland Security Act 12 13 Under the Homeland Security Act of 2002, various successor statutes 14 and executive orders such as Executive Order 13,286, the Department of Homeland Security (DHS) has responsibilities for protecting information infrastructure. Thirteen key cybersecurity responsibilities have been vested in the DHS, including: (1) developing a comprehensive national plan for [Critical Infrastructure Protection], including cybersecurity; (2) developing partnerships and coordinating with other federal agencies, state and local governments, and the private sector; (3) developing and enhancing national cyber analysis and warning capabilities; (4) providing and coordinating incident response and recovery planning, including conducting incident response exercises; and (5) identifying, assessing, and supporting efforts to reduce cyber threats and vulnerabilities, including those associated with 15 infrastructure control systems. Many of these responsibilities derive from authorities that are not specifically related to information technology, but rather extrapolated from general authorities relating to critical infrastructure protection. The DHS has come under considerable criticism for its discharge of these responsibilities. GAO has reported that the “DHS has yet to comprehensively satisfy its key responsibilities for protecting computer16 reliant critical infrastructures.” This could be due in part to ongoing uncertainty as to just what the Department’s role should be in terms of privately owned critical infrastructure. As noted in the Review: The question remains unresolved as to what extent protection of these same infrastructures from the same harms by the same actors [referring to physical attacks on critical infrastructure by criminals or terrorists] should be a government responsibility if the attacks 12. See, e.g., Homeland Security Act, 6 U.S.C. §143 (2006). 13. See, e.g., Implementing Recommendations of the 9/11 Commission Act of 2007, 6 U.S.C. §121 (2006 & Supp. I 2007). 14. Exec. Order No. 13,286, Amendment of Executive Orders, and Other Actions, in Connection with the Transfer of Certain Functions to the Secretary of Homeland Security, 68 Fed. Reg. 10,619 (Feb. 23, 2003). 15. GOVERMENT ACCOUNTABILITY OFFICE, CYBERSECURITY: CONTINUED FEDERAL EFFORTS ARE NEEDED TO PROTECT CRITICAL SYSTEMS AND INFORMATION 3 (GAO-09-835T 2009), available at http://www.gao.gov/new.items/d09835t.pdf. 16. See id. at 6. 2010] WILL THERE BE CYBERSECURITY LEGISLATION? 107 were carried out remotely via computer networks rather than by 17 direct physical action. The CSIS report concluded that the supposed public-private partnership touted by the DHS to address these questions “is marked by serious shortcomings,” including “lack of agreement on roles and responsibilities, an obsession with information sharing for its own sake, and the creation of new public-private groups each time a problem arises without any effort to 18 eliminate redundancy.” C. Miscellaneous Regulatory Authorities Authority to provide for the security of information infrastructure is not always found in statutory provisions labeled “cybersecurity.” Information technology is a supporting component of nearly every major piece of critical infrastructure, much of which is itself regulated by specific federal agencies. Thus, cybersecurity often falls under the purview of other regulatory bodies through provisions of their individual authorizing statutes. For example, the Electric Reliability provision of the Federal Power Act gives the Federal Energy Regulatory Commission (FERC) the authority 19 to enforce compliance with reliability standards. A “reliability standard” is defined as “a requirement. . . . to provide for reliable operation of the bulk-power system” and includes “requirements for the operation of existing bulk-power system facilities, including cybersecurity 20 protection. . . .” As with other authorities, some question this provision’s effectiveness. The Electric Reliability provision of the Federal Power Act has been criticized as ineffective because of the long lead time before standards can be established, lack of authority to compel power companies to protect security-sensitive information, and the excessive degree of 21 discretion given to utilities in deciding how to implement the standards. When a potential cyber vulnerability in the electrical grid was identified in 2008, Congress even considered passing legislation to provide the FERC 22 with additional authority to respond to imminent cybersecurity threats. 17. CYBERSPACE POLICY REVIEW, supra note 1, at 28. 18. CSIS Report, supra note 11, at 43. 19. 16 U.S.C. §824o(b) (2006). 20. Id. §824o(a)-(3). 21. See Cyber Security: Hearing Before the S. Comm. on Energy & Nat. Resources, 111th Cong. 1 (2009) (testimony of Joseph McClelland, Off. of Electric Reliability). 22. See Stephanie Condon, Cybersecurity Worries Spur Congress To Rethink Electrical Grid, CNET NEWS, Sept. 12, 2008, http://news.cnet.com/8301-13578_3-100 40101-38.html. 108 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103 D. Inherent Authority In addition to the statutory authorities held by agencies, there is an argument that the President has certain inherent powers flowing from constitutionally granted war powers. If the concept of “war powers” is extended to encompass the broader notion of national security, then the President could have significant cybersecurity authorities that require no 23 congressional authorization. However, broad invocation of such powers remains controversial, and recent attempts based on a broad interpretation of these powers, such as to justify warrantless wiretapping, may make their use in the cybersecurity context politically unpalatable. E. Organization Given these authorities, there is a strong case to be made that the executive branch already possesses significant authority to address security vulnerabilities in both the federal and nonfederal information infrastructure. However, while the executive branch may possess adequate authority, the questions – in some cases, ambiguity – surrounding the execution of that authority suggest that the executive branch is not currently organized in a manner that allows it to wield that authority effectively. The Review particularly focused on how conflicting authorities may result in a lack of clear leadership, a significant concern: Answering the question of “who is in charge” must address the distribution of statutory authorities and missions across departments and agencies. This is particularly the case as telecommunications and Internet-type networks converge and other infrastructure sectors adopt the Internet as a primary means of interconnectivity. Unifying mission responsibilities that evolved over more than a century will require the Federal government to clarify policies for cybersecurity and the cybersecurity-related roles 24 and responsibilities of various departments and agencies. The CSIS report reached a similar conclusion, comparing the legion of cyber experts scattered throughout the federal government to a “large fleet 25 of well-meaning bumper cars.” This problem is not necessarily unique to cybersecurity. A recent report from the Project on National Security Reform suggested that the national security apparatus in general is structurally incapable of handling 23. See John Rollins & Anna C. Henning, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations (Cong. Res. Serv. R40427), Mar. 10, 2009, at 10. 24. CYBERSPACE POLICY REVIEW, supra note 1, at 4. 25. CSIS Report, supra note 11, at 34. 2010] WILL THERE BE CYBERSECURITY LEGISLATION? 109 threats that require the simultaneous integration of the assets of American 26 power. Cybersecurity is a prime example of an issue that presents new challenges that cut across multiple agency jurisdictions and consequently requires government-wide coordination. Yet, as the Project on National Security Reform concluded, “departments and agencies, when faced with challenges that fall outside traditional departmental competencies, almost invariably produce ad hoc arrangements that prove suboptimal by almost 27 every measure.” While a discussion of reforming the entire national security system is beyond the scope of this article, the issues confronting the government in organizing its response to cyber threats are quite comparable. Both the CSIS report and the Review concluded that the leadership question can be resolved by establishing White House dominance. The Review concluded that “anchoring and elevating leadership for cybersecurity-related policies at the White House signals to the United States and the international community that we are serious about 28 cybersecurity.” The CSIS report concluded that “only the White House 29 has the necessary authority and oversight for cybersecurity.” Although the Obama administration has yet to fully implement the recommendations of either the CSIS report or the Review, its penchant for centralized White House authority – in the form of the increasingly ubiquitous “czar” – is well 30 established. Thus, the necessity of congressional action may arise not from the need to adopt these centralization recommendations, but rather from a desire to prevent their implementation. The reliance on issue czars in the Administration has drawn fire from several camps, including prominent voices in Congress. Senator Robert C. Byrd, the Senate’s senior member, has suggested that such positions “can threaten the Constitutional system of 31 checks and balances.” Other members have noted that czars operating out of the Executive Office of the President are subject to less oversight than 26. See PROJECT ON NAT’L SECURITY REFORM, FORGING A NEW SHIELD, at ii (2008), available at http://www.pnsr.org/data/files/pnsr_forging_a_new_shield_report.pdf. See also Gordon Lederman, National Security Reform for the Twenty-first Century: A New National Security Act and Reflections on Legislation’s Role in Organizational Change, 3 J. NAT’L SECURITY L. & POL’Y 363 (2009). 27. PROJECT ON NAT’L SECURITY REFORM, supra note 26, at viii. 28. CYBERSPACE POLICY REVIEW, supra note 1, at 7. 29. CSIS Report, supra note 11, at 36. 30. See Laura Meckler, “Czars” Ascend at White House, WALL ST. J., Dec. 15, 2008, at A6. On December 22, 2009, the White House appointed a Cybersecurity Coordinator, Howard Schmidt. See Ellen Nakashima & Debbi Wilgoren, Obama To Name Former Bush, Microsoft Official as Cyber-Czar, WASH. POST, Dec. 22, 2009, at A04. 31. Press Release, Off. of Sen. Robert C. Byrd, Byrd Questions Obama Administration on Role of White House “Czar” Positions (Feb. 25, 2009), available at http://byrd.senate. gov/mediacenter/view_article.cfm?ID=331. 110 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103 Senate-confirmed Cabinet secretaries and are consequently less accountable 32 to the American public for their actions. Furthermore, as noted by the Project on National Security Reform, “White House centralization of interagency missions also risks creating an untenable span of control over policy implementation,” impeding “timely, disciplined, and integrated 33 decision formulation and option assessment over time.” If Congress takes these criticisms to heart, then it should feel compelled to initiate cybersecurity reform, lest the White House act to fill a perceived leadership vacuum. F. Summary Although the way in which cybersecurity authority has been implemented leaves much to be desired, it appears that the Constitution and Congress have imbued the executive branch with sufficient authority to provide for the security of both public and private information infrastructures. Furthermore, the President’s prerogative to organize and direct the activities of the executive branch would allow him an attempt to overcome the obstacles that have prevented effective interagency coordination. However, Congress may still find it necessary to act in order to ensure that the management of the cybersecurity mission is sufficiently transparent and accountable to Congress and the American public. II. CONGRESSIONAL CAPACITY Deciding to act is only one part of the challenge, however. The next question to consider is whether Congress has the capacity to enact legislation in this area. Information technology is a powerful component of the U.S. economy. Sizeable corporate interests wield considerable influence on elected officials. At the same time, inherent institutional weaknesses in the legislative branch may hamper its ability to legislate effectively in response to cyber threats and vulnerabilities. This part discusses the factors influencing Congress’s ability to pass legislation on information technology and what that legislation would need to look like. A. Burden Climate change legislation, regulation of financial institutions, and myriad other issues compete with cybersecurity for congressional 34 attention. If historical precedent is followed, the second session of the 32. See, e.g., Letter from Sen. Susan Collins to President Barack Obama (Sept. 15, 2009), available at http://www.ireport.com/docs/DOC-329196. 33. See PROJECT ON NAT’L SEC. REFORM, supra note 26, at viii. 34. See, e.g., Anna Mulrine, Democrats in Congress Push Ambitious Agenda, U.S. NEWS, July 8, 2009, available at http://www.usnews.com/articles/news/politics/2009/07 2010] WILL THERE BE CYBERSECURITY LEGISLATION? 111 111th Congress will be abbreviated in order to allow members to return to their districts to campaign for the midterm elections. There may be little time on the crowded agenda to take up contentious and complex legislation relating to cybersecurity. Consequently, if cybersecurity legislation is going to pass, congressional leadership will be looking for a relatively noncontroversial bill that will attract few amendments and consume little precious floor time. B. Motivation Congressional action is often most expeditious when motivated by outside forces – one need only look at the spate of legislation passed in the wake of the terrorist attacks of September 11, 2001. There is a question as to whether any event has occurred or set of new circumstances exists that will spur public pressure for congressional action. Certainly, cyber threats have made newspaper headlines in the course of the last several years. For example: $ Newspapers reported that both the McCain and Obama campaign computer systems were penetrated, as well as those 35 of a number of government agencies. $ Several vulnerabilities to the electrical grid were reported. $ The United States was the victim of a prolonged “denial of service” attack directed at both government and privately 37 owned systems. $ Identity theft as a consequence of cyber crime is on the rise and 38 companies lose millions of dollars per year as a consequence. 36 Nonetheless, none of these incidents has had a significant or prolonged effect on the general public’s use of the information infrastructure. There has been no spectacular disruption of service or long-term damage to critical infrastructure. Consequently, there has been no sizeable public clamor for action on cybersecurity – particularly when other issues, such as /08/democrats-in-congress-push-ambitious-agenda.html. 35. See Dan Goodin, Obama, McCain Campaigns Hit with ‘Sophisticated’ Cyberattack, REGISTER, Nov. 5, 2008, available at http://www.theregister.co.uk/2008/11/05/obama_ mccain_cyberattack/. 36. See Condon, supra note 22. 37. See Julian E. Barnes & Josh Meyer, Cyber Attack Is Met with Speculation and Shrugs; Some Think North Korea Launched the Virus Whose Targets Included the White House and NYSE. Others Scoff., L.A. TIMES, July 9, 2009, at A10. 38. See Cybercrime Rising, Report Warns, BBC NEWS, Mar. 31, 2009, available at http://news. bbc.co.uk/2/hi/americas/7973886.stm. 112 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103 39 health care reform or the confirmation of a new Supreme Court justice, dominate the news cycle. 40 C. Complexity Cybersecurity involves complex technical issues that are constantly evolving thanks to the rapid pace of technical innovation. Members of Congress are regularly briefed on both the threats and the measures used to combat them. Such briefings can be highly technical. Even when they are not, they can still be beyond the understanding of members with less familiarity with the Internet and information technology. As a consequence, the development of comprehensive cybersecurity legislation will often be driven by staff, lobbyists, and industry stakeholders with the expertise to understand the technical issues under discussion. While this allows bills to be drafted and introduced, there is a point in the life of any piece of legislation in which direct action from Senators or Members of Congress is necessary to secure space on a busy committee mark-up agenda or the packed floor schedule in each chamber. However, once such personal action is taken members become obligated to make floor speeches, attend press conferences, and field questions related to cybersecurity – something they may be hesitant to do if they are uncomfortable with the subject matter. D. Opposition As with any piece of legislation, a key factor in determining the likelihood of passage is the level of opposition. In general terms, the most significant lightning rod in any cybersecurity legislation is likely to be the imposition of mandatory standards on privately owned information 41 technology infrastructure. It has frequently been claimed that the Internet is free from regulation and that any attempt to impose a mandatory regime could stifle the innovation that has turned information technology into an 42 economic engine. Any bill that is perceived – rightly or wrongly – as imposing regulation on the Internet will draw substantial opposition. 39. See, e.g., David M. Herszenhorn & Robert Pear, Final Votes in Congress Cap Battle over Health, N.Y. TIMES, Mar. 26, 2010, at A17. 40. See, e.g., Sheryl Gay Stolberg, A Knock-Down, Drag-Out – Yawn, N.Y. TIMES, June 3, 2010, at A19 (Senate confirmation hearing for Elena Kagan scheduled to begin on June 28, 2010); Charlie Savage, Senate Approves Sotomayor for the Supreme Court, N.Y. TIMES, Aug. 7, 2009, at A1. 41. See Joby Warrick & Walter Pincus, Senate Legislation Would Federalize Cybersecurity; Rules for Private Networks also Proposed, WASH. POST, Apr. 1, 2009, at A4. 42. For an excellent discussion of how cybersecurity measures currently under discussion affect innovation, see Gregory T. Nojeim, Cybersecurity and Freedom on the Internet, 4 J. NAT’L SECURITY L. & POL’Y 119 (2010). 2010] WILL THERE BE CYBERSECURITY LEGISLATION? 113 An example of potential opposition can be seen by the reaction to Senators Jay Rockefeller and Olympia Snowe introduction of the Cybersecurity Act of 2009. The bill includes provisions establishing cybersecurity standards for both government and private sector information infrastructure, requiring the licensing and certification of cybersecurity professionals, and designating the Department of Commerce as the 43 clearinghouse for cybersecurity threat and vulnerability information. Reaction to the bill was initially muted but gives an indication of potential future opposition. TechAmerica, a leading industry trade association, warned that “some provisions of the Rockefeller-Snowe bill may impose prescriptive regulations on the private-sector that could inhibit the very 44 technology innovation needed for greater prosperity and security.” Phil Bond, President of TechAmerica, added that “the last thing we need is 45 cybersecurity innovation that moves at the speed of government.” Larry Clinton, President of the Internet Security Alliance, criticized the bill’s vagueness and stated that without clarification his organization – which has close ties to Verizon, Nortel, and other key industry stakeholders – could 46 not support the bill. In addition to industry opposition, the Rockefeller-Snowe bill drew concern from the privacy and civil liberties community as well. The Center for Democracy and Technology expressed concern that the bill would give “the federal government extraordinary power over private sector Internet 47 services, applications and software.” The Electronic Frontier Foundation argued that provisions of the bill “could eviscerate statutory protections for 48 private information.” E. Jurisdiction Information technology has become part of nearly every major industry and service in the United States. Consequently, most – if not all – of the congressional committees could seek jurisdiction over cybersecurity. 43. Cybersecurity Act of 2009, S. 773, 111th Cong. (2009). 44. Press Release, TechAmerica, TechAmerica Welcomes Congressional Focus on Cybersecurity, Expresses Reservations About Rockefeller Bill (Apr. 3, 2009), available at http://www.techamerica.org/techamerica-welcomes-congressional-focus-on-cybersecurityexpresses-reservations-about-rockefeller-bill. 45. Id. 46. See Declan McCullagh, Bill Would Give President Emergency Control of Internet, SODAHEAD.COM, Aug. 28, 2009, http://www.sodahead.com/united-states/bill-would-givepresident-emergency-control-of-internet/blog-147327/. 47. Kenneth Corbin, Groups Warn New Cybersecurity Bill Oversteps, INTERNET NEWS, Apr. 7, 2009, http://www.internetnews.com/government/print.php/3814171. 48. Jenifer Granick, Federal Authority over the Internet? The Cybersecurity Act of 2009, Electronic Frontier Found., Apr. 10, 2009, http://www.eff.org/deeplinks/2009/04/ cybersecurity-act. 114 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103 Already in the Senate, the Chairman and Ranking Member of the 49 Commerce Committee have introduced two bills, several prominent 50 members of the Judiciary Committee have introduced data breach bills with significant cybersecurity implications, and the Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee have announced their intention to develop comprehensive cybersecurity 51 legislation. Given the prominence of the issue and the economic power of the information technology industry, it is unlikely that the aforementioned committees – among the most powerful in the Senate – will cede jurisdiction without considerable reluctance. Similar jurisdictional tensions 52 can be found in the House of Representatives as well. III. A RANGE OF OPTIONS As this article has argued, the federal government may already possess sufficient authority to manage cybersecurity, and if congressional action is needed, it is in the area of reorganizing those authorities to ensure that the federal government strategy is effectively coordinated. Congress has a range of approaches to address this reorganization. At one end of the spectrum is a more draconian regime that would involve vesting a single entity with the necessary authority over both the federal government and the private sector to direct measures to ensure the security of information infrastructure. At the other end of the spectrum is a regime that would leave each agency or component with its existing authority but establish decisionmaking mechanisms by which it could be ensured that these individual authorities were coordinated and working consistently. A. Direct Authority The most dramatic and arguably the cleanest approach to establishing a new cybersecurity regime would be the creation of a single new entity to oversee the security of the information infrastructure. This new cybersecurity “agency” would be responsible for coordinating the federal government’s entire approach to information infrastructure security. Such authority would go beyond mere strategy development, and include the authority to direct action both at the agency level and to some extent within 49. Cybersecurity Act of 2009, supra note 43. 50. Data Breach Notification Act, S. 139, 111th Cong. (2009); Personal Data Privacy and Security Act, S. 1490, 111th Cong. (2009). 51. See, e.g., Gautham Nagesh, Lawmakers Join Forces on Cybersecurity Legislation, NEXTGOV, Sept. 4, 2009, http://www.nextgov.com/nextgov/ng_20090914_5789.php. 52. See e.g., Cybersecurity Education Enhancement Act, H.R. 266, 111th Cong. (2009) (dealing primarily with grants to support cybersecurity education and professional development, which was referred to the House Committees on Science and Technology, on Education and Labor, and on Homeland Security). 2010] WILL THERE BE CYBERSECURITY LEGISLATION? 115 the private sector. The agency would have the authority to set security standards that would be binding on agencies and on the information infrastructure controlled by the private sector. The agency would be both seizing authorities from other Cabinet-level departments and directing those departments in securing their own networks, as well as regulating information technology systems in private sector industries that are otherwise subject to the regulatory authorities of the departments. The agency would, therefore, need ways to compel action. Such mechanisms would likely include the authority to write and rewrite agency information security budgets, access to agency enterprise architecture, access to the intelligence and law enforcement information necessary to identify threat signatures, the authority to isolate compromised systems from the network or take them offline completely, and the authority to conduct operational evaluations of federal and private sector information infrastructure. An agency given these strategic responsibilities and broad operational authorities over cybersecurity would necessarily be of considerable size. If it were assembled in the same way as the DHS – by, in most cases, joining disparate components of existing departments under a single umbrella – large chunks of the Department of Commerce, OMB, and the DHS would be uprooted and placed under the new agency. Assuming that national security systems remained within the purview of the intelligence community and the Department of Defense, it would still be necessary to develop mechanisms by which they could coordinate with the new agency. Such an agency would require a substantial budget. Action on this scale in the current political environment is highly unlikely. Any attempt to create such an agency would be compared to the creation of the DHS, which seven years after the enactment of the Homeland Security Act is still struggling to operate effectively. As a consequence, there is a concern that the U.S. cybersecurity regime would remain rudderless and disorganized for years to come in the face of growing threats. As suggested by the response to the Snowe-Rockefeller bill, industry would be strongly opposed to any agency that would be empowered to regulate the private sector. Congress would also almost certainly balk at the high start-up costs involved in creating a new agency, especially in light of a ballooning federal deficit and difficult economic times. Those start-up costs might be lessened if, instead of creating a new agency, Congress gave an existing agency these authorities. However, any attempt to empower one agency would likely meet with fierce resistance because it would be seen as a power grab by other congressional authorizing committees with an interest in cybersecurity. B. Coordinating Authority At the other end of the scale is the creation of a smaller entity with very limited authority that leaves the current regime largely intact. The 116 JOURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 4:103 reorganization of the U.S. Intelligence Community following the terrorist attacks of September 11, 2001, may prove instructive, as this too required Congress to decide how best to coordinate the activities of disparate agencies with a variety of missions. The Program Manager for the Information Sharing Environment (PM-ISE) was created as part of this effort and can serve as a model for a less draconian approach to 53 cybersecurity governance. Under this system, there would be little, if any, change in the division of authorities. Instead, the head of this office would be responsible for developing strategies, working to resolve disputes where individual authorities appear to clash, and establishing policies and procedures that will facilitate information sharing and coordination among agencies. The office would have no authority to impose its will on other agencies but would, like the PM-ISE, either seek to influence the issuance of executive orders, OMB memoranda, and other binding instruments, or to negotiate with and among agencies to encourage the implementation of cybersecurity policies. As with the PM-ISE, to the extent that the entity creates new programs and administrative structures, they can be handed off to agencies for full implementation and oversight. This approach has the advantage of requiring a much smaller staff and infrastructure, substantially reducing the implementation costs. It also avoids the complexity issue because it does not require Congress to make decisions about who should get what authority to respond to what vulnerability, but instead requires only the establishment of a basic decision-making framework. This approach should also avoid congressional committee jurisdictional conflict as there will be no reorganization of the existing power structure. However, while the relative ease with which this structure can be established may make it seem attractive, there is a distinct possibility that it would not be an effective means of securing the information infrastructure. While the PM-ISE has notched some successes (for example, the development of a nationwide protocol as part of the the Suspicious Activity Reporting Initiative that allows federal, state, and local authorities to easily report, share, and analyze terrorism-related suspicious activities reports), it continues to report difficulty in accomplishing its primary mission of facilitating information sharing among federal agencies, state, local, and tribal authorities, the private sector, and international partners. In particular, it has had limited success in breaking the entrenched agency barriers to information sharing. With no direct authority to compel agency action or adoption of policies, the PM-ISE has had little leverage. The director of a similar cybersecurity entity would likely encounter even greater obstacles, particularly as he or she attempts to reconcile the often competing imperatives of providing greater security and of promoting technological innovation. Without any authority to compel action, the 53. See generally Information Sharing Environment, http://www.ise.gov/. 2010] WILL THERE BE CYBERSECURITY LEGISLATION? 117 director would be largely impotent and few, if any, of the problems that Congress seeks to address would be resolved. CONCLUSION In light of the limitations on Congress’s ability to act that are described above, this article concludes that any congressional action will eventually fall toward the lower end of the authority spectrum. How far in that direction it will go, however, is largely dependent on any number of legislative “x-factors.” Will consideration of comprehensive cybersecurity fall in the shadow of a significant cyber attack, pushing legislation closer to the direct authority model? Might consideration of such legislation come in the shadow of revelations of inappropriate monitoring of Internet communications by the federal government, fostering mistrust of the government and making it difficult to pass any cybersecurity bill that increases the government’s role in information infrastructure security? As with information technology itself, the circumstances surrounding cybersecurity legislation are changing so rapidly that an accurate prediction is difficult to make. The door remains open for cybersecurity policy to flow not down from the federal government but up from the information technology industry. If the industry were to develop and implement consensus standards that addressed most of the cyber vulnerabilities that have been identified, that might obviate the need for congressional action. Given the industry’s copious expertise and resources, this may indeed be an ideal solution. Copyright of Journal of National Security Law & Policy is the property of University of the Pacific, McGeorge School of Law and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. IS IT TIME FOR A NATIONAL CYBERSECURITY SAFETY BOARD? EXAMINING THE POLICY IMPLICATIONS AND POLITICAL PUSHBACK Scott J. Shackelford JD, PhD* Austin E. Brady** Abstract In the wake of a series of destabilizing and damaging cyber attacks ranging from Equifax to Yahoo!, there has been a growing call for the U.S. government to establish an analogue of the National Transportation Safety Board (NTSB) to investigate cyber attacks. Even the esteemed Center for Strategic and International Studies has advocated for this approach in its policy recommendations to the 45th President. But how would such a Board function, and could it succeed where past public-private collaborations have failed given the rapid pace of technical innovation in the cybersecurity field? This Article investigates this policy prescription by researching the passage of the original NTSB, assessing the various proposals that have been made to establish a National Cybersecurity Safety Board (NCSB), and globalizing the discussion to ascertain how other nations are approaching this same issue. 1 Electronic copy available at: https://ssrn.com/abstract=3100962 Table of Contents INTRODUCTION ......................................................................................................................................... 3 I. NTSB ORIGINS ................................................................................................................................... 4 II. EXAMINING PROPOSALS FOR A NCSB ........................................................................................ 7 III. A GLOBAL NOTE ........................................................................................................................14 CONCLUSION............................................................................................................................................17 2 Electronic copy available at: https://ssrn.com/abstract=3100962 INTRODUCTION Back in 1926, a new technology was causing people to interact with the world in new ways, closing distances and linking together far-flung places, but in the process, also leading to a spate of personal injuries and deaths. 1 That technology was the burgeoning aircraft industry. In response, Congress passed the Air Commerce Act of 1926 to investigate aircraft accidents, 2 a step which, nearly forty years later, gave birth to the Department of Transportation (DoT) in 1967. The DoT included the National Transportation Safety Board, an independent agency charged with investigating the safety of various transportation systems, from highways and pipelines to railroads and airplanes.3 Since then, the NTSB has investigated more than 130,000 accidents. 4 Now, nearly a century after the original Air Commerce Act, it might be time to learn from this legacy as we seek to understand how best to mitigate the risk of a threat to another new technology that is tying the world closer together even as it threatens our shared security—cyber attacks. In the wake of a series of destabilizing and damaging cyber attacks, there has been a growing chorus of calls to establish an analogue of the NTSB to investigate cyber attacks. 5 Far from being a niche proposition, the Center for Strategic and International Studies put its substantial weight behind this approach in its policy recommendations to the 45th President. 6 But how would * Chair, Indiana University-Bloomington Cybersecurity Program; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Associate Professor, Indiana University Kelley School of Business. ** J.D. candidate, Indiana University Maurer School of Law; M.S. Cybersecurity Risk Management candidate, Indiana University-Bloomington Cybersecurity Program. 1 See, e.g., Ben Rothke, It’s Time for a National Cybersecurity Safety Board, CSO (Feb. 19, 2015), https://www.csoonline.com/article/2886326/security-awareness/it-s-time-for-a-national-cybersecurity-safety-boardncsb.html; History of The National Transportation Safety Board, NAT’L SAFETY TRANSPORTATION BD., https://www.ntsb.gov/about/history/Pages/default.aspx (last visited Oct. 24, 2017) [hereinafter, NTSB History]. 2 See Air Commerce Act of 1926, Pub. L. No. 69-254, 44 Stat. 568, 572. 3 See NTSB History, supra note 1. 4 See id. 5 See, e.g., Interdisciplinary Pathways Towards a More Secure Internet, CYBERSECURITY IDEAS LAB (Feb. 10-12, 2014), at 21, https://www.nsf.gov/cise/news/CybersecurityIdeasLab_July2014.pdf [hereinafter IDEAS LAB]. 6 FROM AWARENESS TO ACTION: A CYBERSECURITY AGENDA FOR THE 45TH PRESIDENT 12 (Jan. 3, 2017), https://www.whitehouse.senate.gov/imo/media/doc/2016-01-03%20%20CSIS%20Lewis%20Cyber%20Recommendations%20Next%20Administration.pdf. 3 Electronic copy available at: https://ssrn.com/abstract=3100962 such a Board function? And could it succeed where past public-private collaborations have failed given the rapid pace of technical innovation in the cybersecurity field?7 This Article investigates this policy prescription by researching the passage of the original NTSB, assessing the various proposals that have been to establish a National Cybersecurity Safety Board (NCSB), and globalizing the discussion to ascertain how other nations are approaching this same issue. This Article is structured as follows. Part I examines the historical evolution and political calculus of the NTSB to provide a framework for discussion. Part II analyzes the various proposals for a NCSB, including both the policy implications and perspectives from leading public and private-sector stakeholders. Finally, Part III offers global insights about how other jurisdictions have similarly examined this concept, focusing on the European Union’s pending General Data Privacy Regulation (GDPR) and Network Information Security (NIS) Directive. I. NTSB ORIGINS True to the spirit of the pre-Lochner era, regulation of the skies came slowly and haltingly, often requiring public calamities to spur legislative action. In the years following the First World War, pilots were subject to scant laws during what Federal Aviation Administration historian Nick A. Komons calls the “Chaos of Laissez Faire in the Air”8 that resonates with modern concerns over a tragedy of the cyber pseudo commons. 9 The federal government’s wait-and-see approach stifled investment in air travel, 10 leading to a confusing patchwork of state and local laws. 11 Regulation of the skies was a hard sell for a tight-fisted Congress. Persuaded by a combination of 7 For a state of play regarding public-private cybersecurity partnerships, see Kristen E. Eichensehr, Public-Private Cybersecurity, 95 TEX. L. REV. 467, 472-73 (2017). 8 NICK A. KOMONS, BONFIRES TO BEACONS: FEDERAL CIVIL AVIATION POLICY UNDER THE AIR COMMERCE ACT, 1926–1938, at 7 (1978). 9 See Michael Chertoff, Foreword, 4 J. NAT’L SEC. L. & POL’Y 1, 2 (2010). 10 KOMONS, supra note 8, at 29 (explaining that investors, insurers, and passengers were all reticent towards participating in the aviation industry). 11 Id. at 27. 4 Electronic copy available at: https://ssrn.com/abstract=3100962 abysmal safety statistics, and cries for regulation from the aviation industry itself,12 Congress enacted the Air Commerce Act of 1926. It gave federal oversight of aviation to the Department of Commerce’s (DoC) new Aeronautics Branch, recognizing the potential air travel had for economic growth.13 Federal attention revived the floundering industry, and aviation use took off over the next decade.14 The Air Commerce Act provided the “legislative cornerstone” 15 for increasing aerial safety. But it was not a perfect solution. Lochner-era federalism restrictions meant that only pilots and aircraft engaged in interstate commerce were subject to DoC regulations, such as licensing requirements and safety standards. Intrastate regulation was, predictably, left to the states.16 Intra or inter, whenever accidents occurred, responsibility for investigating and assigning probable cause was vested in the Bureau of Air Commerce. 17 This role put the Bureau in the spotlight during investigations into the deaths of national figures—such as the 1931 demise of Notre Dame football coach Knute Rockne—making it subject to harsh scrutiny during the ensuing the public furor.18 As it struggled with its national image, the Bureau had a separate, structural problem. Namely, the conflict-laden reality of the Bureau investigating the effectiveness of its own safety 12 The aviation industry averaged 70.8 deaths per year from 1921– 1925. While this may seem low by modern standards, it was enormously high as a percentage of total pilots at the time. See id. at 23. 13 See NTSB History, supra note 1. 14 See 7 Air. Com. Bull. 1, 7 (1935) (“Of 8,733 Airplanes now in Service, 2,414 Were Built in 1929”) 15 See KOMONS, supra note 8, at 88 16 In fact, the first volume and issue of the Air Commerce Bulletin began with an article titled “Need for Uniform State Legislation,” soliciting state support in enacting federal, uniform, programs. 1 Air Com. Bull. 1 (1929). 17 The Bureau of Air Commerce was the successor to the Aeronautics Branch of the Department of Commerce. See KOMONS, supra note 8, at 277–78 18 See id.; See also, Knute Rockne Dies with Seven Others in Mail Plane Dive, N.Y. TIMES (Apr. 1, 1931), at 1 (including the arrival of Department of Commerce investigators in the front-page announcement of the famed football coach’s death). The place crash that caused the death of Senator Cutting of New Mexico seemed to spell the end for the Bureau of Air Commerce. It spent 1936 assuming control of Air Traffic Control in the wake of the Cutting crash but could not demand air carriers follow their safety regulations like the Interstate Commerce Commission could with the railroads. See KOMONS, supra note 8, at 360. 5 Electronic copy available at: https://ssrn.com/abstract=3100962 policies while it alone determined legally-binding fault.19 It was not until the Civil Aeronautics Act (CAA) of 1938 that probable cause determinations were separated from the safety regulating functions and placed within a separate Air Safety Board.20 In forming the Air Safety Board, Congress affirmed the need for a dedicated corps of federal investigators to examine the causes of transportation incidents. 21 The growing pains over two decades, the deaths of a United States Senator and beloved Notre Dame football coach, and multiple bureau re-organizations solidified the need to split regulatory functions from investigations assigning fault. The formation of the Air Safety Board was a critical first step towards independent investigations; however, when Congress created the Department of Transportation in 1967, it established the NTSB as an “independent” agency within the DoT.22 This move created a different conflict of interest at a departmental level that was tasked with regulatory responsibilities at odds with the NTSB objective analysis. Finally, the NTSB was cleaved from DoT pressures in 1974, with Congress remarking that “no federal agency can properly perform such (investigatory) functions unless it is totally separate and independent from any other . . . agency of the United States.”23 Once it was free of DOT administration, the NTSB came into its own as a fully independent investigatory agency. 19 Part of the problem with the Bureau assuming responsibility for determining probable cause was that they might find that responsibility lay at the feet of the Bureau itself. This liability caused the Board’s investigations to be less transparent, an unacceptable veil to an American public that demanded answers after high profile deaths such as Senator Cutting of New Mexico in 1935. A 1934 amendment to the Air Commerce Act had partially alleviated the secrecy problems but did not address the independence issue. See KOMONS, supra note 8, at 278 (the amendment mandated public disclosure of Bureau findings and forbade the findings of the Bureau from being admitted as evidence in legal proceedings). 20 KOMONS, supra note 8, at 379. 21 See NTSB History, supra note 1. 22 See id. 23 Id. 6 Electronic copy available at: https://ssrn.com/abstract=3100962 Concerns of overreaching federalism stunted growth in the beginning, 24 but the lesson of the NTSB is that a specialized organization can in fact promote the growth of highly-complex industries while boosting security for the public. However, that organization must be able to independently conduct its investigations without the fear of intra-agency meddling. Today, air travel is widely regarded as among the safest forms of mass transportation. 25 Can the same feat be replicated in cyberspace? II. EXAMINING PROPOSALS FOR A NATIONAL CYBERSECURITY SAFETY BOARD Propositions for strengthening U.S. cybersecurity range widely, from federally sponsored cyber risk insurance programs to allowing companies to have a freer hand to engage in proactive cybersecurity measures. 26 A common refrain across many of these proposals, though, are more robust data breach investigation requirements, which could include “on-site gathering of data on why the attack succeeded, [so as] to help other companies prevent similar attacks.”27 This evokes one of the core functions of the NTSB, that is, to investigate and establish the facts behind an incident, and to make recommendations to help ensure that similar events do not occur in the future.28 In short, investigators help establish “the who, what, where, when, how and [perhaps] why behind an incident.”29 After the facts are determined, policymakers can and often have backed 24 See KOMONS, supra note 8, at 88 See, e.g., Bureau of Transportation Stat., U.S. Dep’t Transportation, https://www.rita.dot.gov/bts/sites/rita.dot.gov.bts/files/publications/national_transportation_statistics/html/table_02_ 01.html (last visited Dec. 20, 2017). 26 See, e.g., Amanda N. Craig, Scott J. Shackelford, & Janine Hiller, Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis, 18 AM. BUS. L.J. 721, 722 (2015); Joe Uchill, New Bill Would Allow Hacking Victims to ‘Hack Back,’ HILL (Oct. 13, 2017), http://thehill.com/policy/cybersecurity/355305-hack-back-bill-hitshouse. 27 Robert K. Knake, Creating a Federally Sponsored Cyber Insurance Program, COUNCIL ON FOREIGN REL. (Nov. 22, 2016), https://www.cfr.org/report/creating-federally-sponsored-cyber-insurance-program. 28 See id. 29 IDEAS LAB, supra note 5, at 21. 25 7 Electronic copy available at: https://ssrn.com/abstract=3100962 up NTSB recommendations with new regulations. Failing that, it is common for air carriers, for example, to voluntarily implement such recommendations, such as through industry codes of conduct.30 The framework of an NTSB investigation—root cause determination of an accident and the development of proposals to avoid such failures in the future—is appropriate for highcomplexity sectors beyond aviation. A useful comparison can be made to similar inquiries into NASA’s space travel efforts. After the tragic explosion of the space shuttle Columbia, NASA put together an investigation board in order to determine what had caused the Shuttle to break apart upon reentry.31 While proximate cause of the Columbia disaster was traced to a piece of insulating foam that dislodged and impacted the Shuttle’s wing during liftoff, 32 the Columbia Accident Investigation Board (CAIB) assigned actual, or but-for, cause to the overall culture at NASA. 33 The CAIB, similar to a thorough NTSB investigation,34 expanded their investigation beyond the technical failures that led to the accident and into cultural causes. They laid part of the blame on the mosaic of events that created a culture of savings-over-safety at NASA during the post-Apollo period.35 30 See Knake, supra note 27. For an example of such an industry code of conduct, see the efforts by AdvaMed to enhance the security of medical devices. AdvaMed Medical Device Cybersecurity Foundational Principles, ADVAMED, https://www.advamed.org/sites/default/files/resource/advamed_medical_device_cybersecurity_principles_final.pdf (last visited Dec. 20, 2017). 31 1 COLUMBIA ACCIDENT INVESTIGATION BOARD, REPORT VOLUME I: AUGUST 2003 (2003). 32 See id. at 49 (“The physical cause of the loss of Columbia and its crew was a breach in the Thermal Protection System . . . . initiated by a piece of insulating foam.”). 33 Id. at 97 (“In our view, the NASA organizational culture has as much to do with this accident as the foam.”). 34 See, e.g., NATIONAL TRANSPORTATION SAFETY BOARD, NTSB/HAR-12/01, HIGHWAY ACCIDENT REPORT: MOTORCOACH RUN-OFF-THE-ROAD AND COLLISION WITH VERTICAL HIGHWAY SIGNPOST, INTERSTATE 95 SOUTHBOUND, NEW YORK CITY, NEW YORK M ARCH 12, 2011, at viii (adopted Jun. 5, 2012) (“This accident is one of many investigated by the NTSB in which the motor carrier’s safety processes, as well as its corporate culture, may have set the stage for [the accident].”). 35 See COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 103. 8 Electronic copy available at: https://ssrn.com/abstract=3100962 Today, the business of space travel is still highly dangerous, 36 and costly.37 However, relatively few people “slip the surly bonds of Earth”38 and travel higher in the atmosphere than those at the cruising altitude of the major airlines. In fact, as of this writing, only six people reside in orbital space aboard the International Space Station.39 Still, highly technical accidents require a qualified investigative body to comb through facts and determine causes, which, at times, include detrimental organizational norms. 40 Commercial actors in space travel, such as SpaceX and Virgin Galactic, still rely on the NTSB for post-accident investigations.41 If space travel becomes more ubiquitous, we may see similar culture failures to those replete in the cybersecurity context. 42 The CAIB’s authority to expand its investigation beyond technical considerations and into cultural issues is a critical tool that a NCSB should also adopt. Like aviation, enhancing security in the emerging Internet of Everything is a highly complex, technologically and legally challenging endeavor where organizational culture can vary dramatically.43 As companies, individuals, and 36 Even two dozen years after the Columbia accident, traveling to space is not for the faint of heart. See, Eric Berger, The Second Launch from Russia’s New Spaceport Has Failed: Human Error May Have Been Involved, ARSTECHNICA (Nov. 28, 2017, 8:13 AM), https://arstechnica.com/science/2017/11/the-second-launch-from-russiasnew-spaceport-has-failed/. Even non-governmental players, such as SpaceX, suffer failures during liftoff and reentry. See, e.g., Alan Yuhas, SpaceX’s Booms and Busts: Spaceflight is Littered with Explosions and Disasters, THEGUARDIAN (Sep. 1, 2016, 4:13 PM), https://www.theguardian.com/science/2016/sep/01/spacex-falcon-9explosion-tesla-elon-musk-nasa. 37 See, COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 109. 38 John Gillespie Magee, Jr., High Flight (1941), available at http://www.arlingtoncemetery.net/highflig.htm. 39 See Space Station Updates, NASA, https://www.nasa.gov/mission_pages/station/main/index.html (last visited Dec. 20, 2017). 40 See, COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 99. Independent boards were commissioned following both the Challenger and Columbia accidents, with the Rodgers Commission, the investigators of the Challenger accident, being heavily cited by the CAIB. 41 The NTSB, with its expertise in aviation, investigated the crash of the VSS Enterprise and collaborated with SpaceX into the failures of the Falcon 9 rockets. See, NATIONAL TRANSPORTATION SAFETY BOARD, NTSB/AAR15/02, AEROSPACE ACCIDENT REPORT: IN-FLIGHT BREAKUP DURING TEST FLIGHT SCALED COMPOSITES SPACESHIP TWO, N339SS, NEAR KOEHN DRY LAKE, C ALIFORNIA, OCTOBER 31, 2014 (adopted July 28, 2015); Loren Grush, SpaceX Eyes January 8th Return to Flight After Finishing Up Accident Investigation, THE VERGE (Jan. 2, 2017, 9:01 AM), https://www.theverge.com/2017/1/2/14142064/spacex-flight-launch-date-falcon-9-explosion-investigation. 42 See, e.g., Andrew G. Simpson, 5 Reasons Cyber Security Is Failing and What P/C Insurers Can Do About It, INSURANCE J. (Aug. 18, 2017), https://www.insurancejournal.com/news/national/2017/08/18/461482.htm (summarizing an array of cultural disconnects that make addressing cybersecurity challenges more difficult). 43 See, Aaron J. Burstein, Amending the ECPA to Enable a Culture of Cybersecurity Research, 22 HARV. J. L. & TECH. 167, 171 (2008) (“There is a culture of pushing attackers away from oneself without any consideration of the poor overall security resulting from this lack of coordination between organizations.”). 9 Electronic copy available at: https://ssrn.com/abstract=3100962 devices continue to be integrated, the need for a NCSB may become as essential as the NTSB or CAIB. As the CAIB concluded: Attempting to manage high-risk technologies while minimizing failures is an extraordinary challenge. By their nature, these complex technologies are intricate, with many interrelated parts. Standing alone, the components may be well understood and have failure modes that can be anticipated. Yet when these components are integrated into a larger system, unanticipated interactions can occur that lead to catastrophic outcomes. The risk of these complex systems is increased when they are produced and operated by complex organizations that also break down in unanticipated ways. 44 Like a Shuttle’s systems, the complex networks and devices involved in cybersecurity breaches are interdependent, where the failure of one can lead to dramatic consequences downstream.45 To better understand the coming wave, from 2013 to 2020, Microsoft has estimated that the number of Internet-enabled devices is expected to increase from 11 to 50 billion, though estimates vary with Morgan Stanley predicting 75 billion such devices in existence by 2020. 46 Samsung has announced that all of its products would be connected to the Internet by 2020. 47 Already, vulnerabilities in such smart devices have been connected with significant security breaches. 48 The potential wide-ranging impacts of recent cybersecurity breaches into major U.S. corporations cannot be attributed to technical failures alone, as recent examples point towards culture as being an important element of fault. The 2017 hack of Equifax was the result of a 44 COLUMBIA ACCIDENT INVESTIGATION BOARD, supra note 31, at 97. As a recent example, the DDoS attack against Dyn shut down swaths of the internet by attacking the domain registry. See, Bruce Schneier, Lessons from the Dyn DDoS Attack, SCHNEIER ON SECURITY (Nov. 8, 2016 6:25 AM), https://www.schneier.com/blog/archives/2016/11/lessons_from_th_5.html. 46 See Tony Donava, Morgan Stanley: 75 Billion Devices Will Be Connected to The Internet of Things By 2020, BUS. INSIDER (Oct. 2, 2013), http://www.businessinsider.com/75-billion-devices-will-be-connectedto-the-internet-by-2020-2013-10#ixzz3i4CApJsg. 47 See Rachel Metz, CES 2015: The Internet of Just About Everything, TECH. REV. (Jan. 6, 2015), http://www.technologyreview.com/news/533941/ces-2015-the-internet-of-just-about-everything/. 48 See Scott J. Shackelford, How to Fix an Internet of Broken Things, CHRISTIAN SCI. MONITOR (Oct. 26, 2016), https://www.csmonitor.com/World/Passcode/Passcode-Voices/2016/1026/Opinion-How-to-fix-aninternet-of-broken-things; Scott J. Shackelford et al., When Toasters Attack: Enhancing the ‘Security of Things’ through Polycentric Governance, 2017 UNIV. ILL. L. R EV. 415, 416 (2017). 45 10 Electronic copy available at: https://ssrn.com/abstract=3100962 vulnerability the company was warned of prior to the attack. 49 Following their December, 2016 breach, Uber, Inc. similarly failed to follow standard industry practices, paying their attacker $100,000 in hush money.50 More startlingly, Uber kept the exfiltration of millions of customers personal and financial information secret until it was revealed in late 2017. 51 Both of these attacks impacted millions of consumers because of organizational cultures that did not emphasize cybersecurity best practices and industry norms.52 In fact, Equifax’s attempt to hide the extent of their data breach has backfired badly, contributing to proposals to fine credit monitoring firms for such behavior in the future. 53 Unlike the tragic but relatively low-number of astronaut fatalities that the CAIB investigated, cybersecurity breaches have affected billions of people.54 Analysis of the costs associated with cyber attacks should not stop at the technical failures that allowed the attackers access to the victim’s networks. Investigations should take a page from the CAIB’s playbook and include evaluation of cultural norms that allowed such vulnerabilities to exist, along with industry best practices.55 49 See, Senate Banking Committee Hearings on Equifax Data Breach, C-SPAN (Oct. 4, 2017), https://www.cspan.org/video/?434469-1/equifax-ceo-testifies-senate-banking-panel. 50 The FBI strongly recommends against paying a ransom for stolen data, as it only emboldens attackers and potentially funds criminal activity. See, FBI, What We Investigate: Cyber Crime, https://www.fbi.gov/investigate/cyber. 51 See, Eric Newcomer, Uber Paid Hackers to Delete Stolen Data on 57 Million People, BLOOMBERG (Nov. 21, 3:58 PM), https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-millionpeople-s-data. 52 For more on organizational, budgetary, and technological cybersecurity best practices, see generally Scott J. Shackelford, Timothy L. Fort, & Jamie D. Prenkert, How Businesses Can Promote Cyber Peace, 36 UNIV. PENN. J. OF INT’L L. 353 (2015); Chapter Five in SCOTT J. SHACKELFORD, MANAGING CYBER ATTACKS IN INTERNATIONAL LAW, BUSINESS, AND RELATIONS: IN SEARCH OF CYBER PEACE (2014). 53 See Frank Kalman, Equifax Breach Shows Folly in Hiding Bad News, TALENT ECONOMY (Sept. 14, 2017), http://www.talenteconomy.io/2017/09/14/equifax-breach-hiding-bad-news/; Laura Hautala, Elizabeth Warren's Bill Would Fine the Next Equifax for Data Breach, CNET (Jan. 10, 2018), https://www.cnet.com/news/elizabeth-warrenequifax-mark-warner-credit-reporting-agencies-data-breach-bill-fines/. 54 See, e.g., World’s Biggest Data Breaches, Information is Beautiful, http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ (last visited Dec. 20, 2017). 55 For more on this topic, see Chapter 5 in Shackelford, supra note 52. 11 Electronic copy available at: https://ssrn.com/abstract=3100962 As has been noted, two elements of the NTSB analogy are particularly useful for enhancing cybersecurity. First, it separates fact-finding proceedings from any questions of liability, allowing attribution to be established, for example, without parties initiating litigation. 56 Second is the socalled “party process,” which is a multi-stakeholder approach to accident investigations involving members of various constituencies.57 This multi-stakeholder model is also part and parcel of cybersecurity, and the larger internet-governance ecosystem, 58 and thus could resonate well with these types of investigations. The NCSB would likely have significant private-sector participation; in fact, it could even be run entirely by coalitions of companies such as through existing trade groups or Information Sharing and Analysis Centers (ISACs).59 Moreover, funding could come from interested stakeholders, such as insurance companies. 60 This is because such secondary markets would benefit from greater clarity surrounding the attribution of claims, as well as more information about the utility of various cybersecurity best practices, such as utilizing the National Institute for Standards and Technology Cybersecurity Framework (NIST CSF).61 Critics of establishing a NCSB would likely content that firms may spend more on settling litigation and investing in reputation management than in proactively managing cyber attacks. 62 Other concerns might include the fact that as both the cyber threat environment and dependent 56 See Neil Robinson, The Case for a Cyber-Security Safety Board: A Global View on Risk, R AND. CORP. (Jan. 18, 2012), https://www.rand.org/blog/2012/06/the-case-for-a-cyber-security-safety-board-a-global.html. 57 See id. 58 See, e.g., Scott J. Shackelford et al., iGovernance: The Future of Multi-Stakeholder Internet Governance in the Wake of the Apple Encryption Saga, 42 N.C. J. INT’L L. 883 (2016-2017); Scott J. Shackelford et al., Back to the Future of Internet Governance?, GEORGETOWN J. OF INT’L AFF. 81, 82 (2015). 59 See Information Sharing, Dep’t Homeland Sec., https://www.dhs.gov/topic/cybersecurity-information-sharing (last visited Dec. 20, 2017). 60 See Knake, supra note 26. 61 See Scott J. Shackelford, Scott Russell, & Jeffrey Haut, Bottoms Up: A Comparison of “Voluntary” Cybersecurity Frameworks, 16 UNIV. OF CAL. DAVIS BUS. L.J. 217, 217 (2016); Scott J. Shackelford et al., Toward a Global Standard of Cybersecurity Care?: Exploring the Implications of the 2014 Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 TEX. INT’L L.J. 287, 289 (2015). 62 See Robinson, supra note 56. 12 Electronic copy available at: https://ssrn.com/abstract=3100962 technologies change so dynamically, 63 the value of NTSB-style investigations may be limited given the concern that, by the time that the investigation is complete, the means used in the data breach may be obsolete. Addressing this concern requires that investigations, once undertaken, are completed as expediently as possible, unlike, for example, the typical NTSB report that can take one year or more to compile. 64 Final concerns that would need to be overcome if the promise of a NCSB is to be realized include: (1) identifying the right experts for the tremendous variety of cyber attacks from Distributed Denial of Service (DDoS) attacks to sophisticated cyber weapons using zero-day exploits;65 (2) learning from effective information sharing forums to mesh the functions of a NCSB with existing industry best practices and public-private partnerships;66 (3) defining access (e.g., erring on the side of confidentiality versus transparency for various types of cyber attacks); (4) landing on an appropriate terminology, most likely in the guise of risk management given the success of the NIST CSF67; and (5) aligning efforts with the Federal Trade Commission and other sector-specific regulators to help ensure a more robust cybersecurity standard of care emerges from these efforts.68 To be successful, a variety of incentives and likely regulatory requirements would be required for firms to participate in a NCSB, such as targeted safe harbor provisions and mandating investigations for “serious” breaches such as those involving U.S. critical 63 See, e.g., Andrew Munger, Reducing Cyberrisk in a Dynamic Threat Environment, INFRAGARD MAG. (2017), https://infragardmagazine.com/how-to-reduce-cyber-risk-in-a-dynamic-threat-environment/. 64 See The Investigation Process, Nt’l Transportation Safety Board, https://www.ntsb.gov/investigations/process/Pages/default.aspx (last visited Dec. 20, 2017). 65 IDEAS LAB, supra note 5, at 22. 66 See id. 67 See Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Bottoms Up: A Comparison of “Voluntary” Cybersecurity Frameworks, 16 UNIV. OF CAL. DAVIS BUS. L.J. 217 (2016). 68 See Scott J. Shackelford et al., Toward a Global Standard of Cybersecurity Care?: Exploring the Implications of the 2014 Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 TEX. INT’L L.J. 287 (2015). 13 Electronic copy available at: https://ssrn.com/abstract=3100962 infrastructure.69 It would also be important to limit the purview, and thus workload, of a NCSB given the tremendous number of breaches taking place. As has been argued by the Cybersecurity Ideas Lab: Done right, such an organization could make tremendous contributions, by providing a common base of information about what types of incidents occur, who is affected, who is attacking, the methods of attacks, and the vulnerabilities that are exploited, both at a given point in time and as a way of identifying and characterizing trends.70 Such a model would be an improvement on the existing reliance on Cyber Emergency Response Teams (CERTs),71 and aide in effective policymaking at both the state and federal level given the lack of hard, verifiable data on the scope and scale of cyber attacks. The creation of a NCSB could also help law enforcement investigations, particularly local and state agencies without the resources and expertise of the FBI.72 Along with the ISACs, this would be a boon to academics needing reliable data to undertake scholarly analysis, as well as national security organizations, and U.S. strategic partners around the world. III. A GLOBAL NOTE No nation is an island in cyberspace, as much as some wish they were. As such, jurisdictions the world over are experimenting with various cybersecurity risk management models.73 One of the most important of these jurisdictions is the European Union, both for its overall size,74 and for the fact that it is undergoing a transformation in its cybersecurity law through 69 For more on this topic, see Scott J. Shackelford et al., From Russia with Love: Understanding the Russian Cyber Threat to U.S. Critical Infrastructure, 96 NEBRASKA L. REV. 320 (2017). 70 IDEAS LAB, supra note 5, at 21. 71 See, id. 72 See, Police Lack Skills and Funding to Cope with Today’s Cyber Threats, PA CONSULTING (Dec. 12, 2014), http://www.paconsulting.com/newsroom/releases/police-lack-skills-and-funding-to-cope-with-todays-cyber-threats12-december-2014/ (“only 30% believe they have the skills and tools to tackle cybercrime effectively.”). 73 See Shackelford, Russell, & Kuehn, supra note 61. 74 See EU Position in World Trade, http://ec.europa.eu/trade/policy/eu-position-in-world-trade/ (last visited Dec. 21, 2017). 14 Electronic copy available at: https://ssrn.com/abstract=3100962 the enactment of the General Data Privacy Regulation (GDPR) and the Network Information Security (NIS) Directive. Taken together, these initiatives will revitalize data breach investigations across the European single market with significant implications for global cybersecurity policymaking. The GDPR, recently finalized, represents the most recent iteration of EU data protection’s efforts that date back decades.75 Among other important aspects of the GDPR, it centralizes data protection authority in the EU into a single regulatory body, as compared with the EU Data Privacy Directive’s (DPD) utilization of national data protection authorities for each Member State. 76 It also mandates breach notification within seventy-two hours of a covered entity becoming aware of the breach, provides a right to access data to promote the transparency of data privacy, codifies the ‘right to be forgotten,’ includes a right to data portability, requires privacy by design, and sets out new rules for data protection officers. 77 Also notable is the shift towards a risk-management model for implementing the privacy principles,78 a move that may have been influenced by the relative success of the NIST CSF. 79 Finally, the GDPR extends the jurisdictional reach of EU data protection requirements to data processing that occurs outside the territorial boundaries of the EU. Specifically, when the processor targets individuals within the EU for the offering of goods or services, or when the processor is 75 GDPR Portal, Eur. Union, https://www.eugdpr.org/ (last visited Dec. 21, 2017). Id. at 182. 77 GDPR Key Changes, https://www.eugdpr.org/key-changes.html (last visited Dec. 21, 2017). 78 Council of the European Union Proposes Risk-Based Approach to Compliance Obligations, HUNTON & WILLIAMS (Oct. 29, 2014), http://www.huntonprivacyblog.com/2014/10/29/. council-european-union-proposes-risk-based-approach-compliance-obligations/. 79 See Shackelford, Russell, & Kuehn, supra note 61; KATHERINE O’KEEFE & DARAGH O’BRIEN, SUBJECT ACCESS REQUESTS: A DATA HEALTH CHECK 12 (Castlebridge Assocs. ed., 2015), https://castlebridge.ie/products/whitepapers/ 2015/09/subject-access-requests-data-health-check (“40% of Data Controllers are failing to ensure adequate technological or organisational [sic] controls to prevent unauthorised [sic] access to or disclosure of personal data . . . ”). 76 15 Electronic copy available at: https://ssrn.com/abstract=3100962 monitoring EU persons that are located within the territorial bounds of the EU. 80 Taken together, these reforms constitute a sea change in the EU’s data privacy regime, which is already among the most robust in the world. In addition to the GDPR, the NIS Directive deepens the EU’s reforms by increasing the Member States’ cybersecurity capacity-building, defining a “Cooperation Group” to support intraEU information sharing, and laying out the requirements for operators of “essential services” (analogous to critical infrastructure that includes energy, transportation, banking, financial markets, healthcare, water, and digital infrastructure). 81 Overall, the NIS Directive helps to establish a European standard of cybersecurity care for all businesses based upon risk management.82 The above reforms are coupled with a requirement for each EU Member State to enact legislation establishing a national cybersecurity strategy, a national cybersecurity authority, and a national CERT, if such entities do not exist already. 83 The extent of some of these obligations, however, is still unclear, as States may see cyber threats as falling in the realm of national security, and therefore outside the scope of this strata of EU governance.84 Finally, in furtherance of the emphasis on risk management, crystallizing the EU’s Cybersecurity Strategy led to the development of the NIS Platform, which establishes a framework for evaluating cybersecurity due 80 For more on this topic, see Scott J. Shackelford & Scott Russell, Operationalizing Cybersecurity Due Diligence: A Transatlantic Case Study, 67 UNIV. S. CAROLINA L. REV. 1 (2017). 81 The Directive on Security of Network and Information Systems (NIS Directive), Eur. Comm’n, https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive (last visited Dec. 21, 2017). 82 Proposal for a Directive of the European Parliament and of the Council Concerning Measures to Ensure a High Common Level of Network and Information Security Across the Union, EUROPEAN COMM (2013), at 9, (July 2, 2013), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52013PC0048 (“[T]he requirements are proportionate to the risk presented . . . and should not apply to micro enterprises.”). 83 Id. at arts. 19–21. 84 Consolidated Version of the Treaty on European Union art. 4, Mar. 30, 2010, 2010 O.J. (C 83) 18 (“national security remains the sole responsibility of each Member state.”). 16 Electronic copy available at: https://ssrn.com/abstract=3100962 diligence, and which largely incorporates the NIST CSF core elements—identify, protect, detect, respond, recover—as the standard approach for enterprise risk management. 85 Looking ahead, the GDPR will automatically come into force across the EU on May 25, 2018, “whereas NISD requires Member States to introduce implementing legislation by 9 May 2018.”86 Once these reforms come into full effect, there will be a flood of information on data breaches across the EU that will help investigators in Europe, North America, and indeed around the world better identify, and hopefully mitigate the risk of, cyber attacks. Although neither the GDPR nor the NIS Directive includes a version of a regional Cybersecurity Safety Board, the elements it does include moves the EU in this direction, which could make an analogous U.S. body that much more effective. Such developments would be an important step on the long journey to a positive and sustainable cyber peace. 87 Conclusion No system for investigating and reporting on cyber attacks is perfect. Incentives will continue to be misaligned in this context given that many firms fear legal liability and the negative impact on brand that being forthcoming about the details of cyber attacks can bring. But as more nations and regions—including the European Union— join the forty-seven U.S. states and move forward with more robust data breach notification requirements, a global debate is now underway about the best ways in which to increase transparency and with it, opportunities to learn from 85 NIS Platform (WG-1), Network and Information Security Risk Management Organizational Structures and Requirements, at 2-4, Final Draft 220515, https://resilience.enisa.europa.eu/nis-platform/shared-documents/5thplenary-meeting/chapter-1-nis-risk-management-organisational-structures-and-requirements-v2/at_download/file. 86 Data Security and Breach Reporting under the GDPR and NISD, TAYLOR WESSING (Sept. 2016), https://unitedkingdom.taylorwessing.com/globaldatahub/article-data-security-and-breach-reporting-under-the-gdpr-and-nisd.html. 87 For more on the topic of cyber peace, see Scott J. Shackelford, In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012, 64 STAN. L. REV. ONLINE 106 (Mar. 8, 2012), http://www.stanfordlawreview.org/online/cyber-peace. 17 Electronic copy available at: https://ssrn.com/abstract=3100962 successful cyber attacks. A NCSB is politically unlikely in the near term, but we believe that the creation of such a body is overdue. Without Congressional action, a coalition of the private sector and even state governments could begin the process of enacting local, even sector-specific CSBs. But to reach their full promise (and to ward off wasteful duplication), Congress would need to pass a package of incentives and regulatory requirements outlined above. Although far from a panacea, such a step could help raise the overall level of cybersecurity due diligence and hasten the rise of a cybersecurity standard of care in the United States and abroad. All that is needed is the political will to act, the desire to experiment with new models of cybersecurity governance, and the recognition that we should learn from history. As President Franklin D. Roosevelt famously said, “The country needs and, unless I mistake its temper, the country demands bold persistent experimentation. It is common sense to take a method and try it: If it fails, admit it frankly and try another. But above all, try something.”88 88 Franklin D. Roosevelt, Address at Oglethorpe University in Atlanta, Georgia (May 22, 1932), http://www.presidency.ucsb.edu/ws/?pid=88410. 18 Electronic copy available at: https://ssrn.com/abstract=3100962 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11 1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11 1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11 1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11 1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11 1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 11 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 11 11 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 11 0 1 0 1 0 1 0 1 0 1111 0 1 0 11 0 0 11111 0 1 0 11 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1111 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 11 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 11 1 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 0 1 0 0 0 111 0 1 0 1 0 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1 0 1 0 1 0 0 0 1 0 1 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 0 1 0 111 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 0 0 1111 0 0 0 111 0 1 0 1 0 11 0 11 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 1 0 1 0 1 0 1 0 0 0 11 0 1 0 1 0 1 0 11 0 1 0 1 0 1 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 1 0 111 0 1 0 11 0 1 0 1 0 0...
Purchase answer to see full attachment
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

Attached.

Cyber-Security Legislation and Policies – outline
Thesis Statement: Due to the close relationship between cybersecurity and IoT, several
cybersecurity-related policies, regulations, and statutes have been developed in various states in
the United States with different reasons and methods.
I.

Why Cyber-Security Related Laws and Internet of Things Are Developed
A. Protection to the Internet Users
B. Avoiding Hackers
C. Promote Efficiency of Information Sharing

II.

How Cyber-Security Related Laws and Internet of Things Are Developed
A. Creation and Implementation of Device Policies

III.

Conclusion


Running head: CYBER-SECURITY LEGISLATION AND POLICIES

Cyber-Security Legislation and Policies
Name
Institution

1

CYBER-SECURITY LEGISLATION AND POLICIES

2

Cyber-Security Legislation and Policies
The Internet of Things is an Internet connectivity extension into various day-to-day
objects and devices such as electronics and different hardware that can interact and share
information between one another through the Internet. The Internet of Things (IoT) has currently
been considered as a critical aspect within and outside workplaces. Some of the devices that are
applied to this form of connection include computers, mobile phones, and printers. The
development of IoT has been considered to have a close relationship with cybersecurity since it
is said to influence cybersecurity in several ways. The IoT has enhance...


Anonymous
I was stuck on this subject and a friend recommended Studypool. I'm so glad I checked it out!

Studypool
4.7
Trustpilot
4.5
Sitejabber
4.4

Related Tags