Regulating Cyber Security Risks for Private Businesses - HU CyberLaw Newsletter Editorial #5

By: Yuval Shany

Welcome to the fifth newsletter of the HUJI CyberLaw Program.
Like other fields of academic research, research into cyber law includes basic and applied research. Part of our work involves trying to understand the legal fields that govern different interactions in cyberspace (e.g., cyber attacks, cyber-crime, data sharing, surveillance, etc.) and the regulatory, liability, and enforcement challenges they pose. Another part of the work, however, involves trying to harness academic knowledge to solve specific policy problems. Under this latter heading, our Program has undertaken to accompany the drafting of a new governmental bill aimed at creating a legal framework for regulating cybersecurity in the private business sphere.

Cyber security for private businesses is a thorny regulatory problem, since it entails consideration of governmental intervention in the economy, potentially imposing burdensome requirements on private businesses (such as appointing CISOs, adopting required cybersecurity standards, and being subject to inspections), with macro- and micro-economic implications. Such regulation also touches upon important questions of regulatory theory, such as the pros and cons of centralized or decentralized regulation of the field (i.e., one central cybersecurity regulating agency or multiple sectoral business regulators whose competence extends to regulating cybersecurity), and the dual role of the state as cyber security regulator and provider. Other important questions relate to the compatibility of any proposed regulation with human rights, and in particular, the right to privacy, and the feasibility of regulating cyber security risks in a world in which these risks are fast evolving (creating the possibility that any regulation will be outdated upon arrival).

It is against these challenges that the National Cyber Security Directorate has requested the Cyber Law Program’s assistance in evaluating the draft legislation it seeks to propose, as part of its Regulatory Impact Assessment. The Program has responded favorably by establishing a regulation research group, headed by Prof. Yoav Dotan from the Faculty of Law and comprising several Program researchers and external researchers (from law and non-law backgrounds), to study models of cybersecurity regulation in comparative law, and to evaluate the proposed legislation against regulation theory. A first public event took place earlier this month and was attended by more than 100 participants, bringing together lawyers and tech experts, academics and practitioners to discuss the proposed regulation. While there was almost universal consensus that some regulatory intervention is inevitable given the difficulties in operating in supply chains with varying cybersecurity standards, the nature and extent of intervention, who should bear its costs, and its legal configuration remained hotly contested throughout the workshop.

It is clear to us that the question of regulating cybersecurity standards for new technology, such as smart or autonomous cars, IoT and AI-based decision making, is one of the key legal challenges of our time. I believe that given our pool of expertise, close working relations with the National Cyber Security Directorate, and presence in a society which is willing to try to think outside the box about such issues, our Program is particularly well placed to offer innovative research and practical solutions to many regulatory problems. We will keep you posted on our progress in this regard…

I thank you for your interest and support. As always, we look forward to hearing your thoughts and comments about our activities.

Sincerely,
Yuval Shany
Program Director