By: Yuval Shany

Welcome to the twelve newsletter of the The Federmann Cyber Law Program!

A key question confronted by researchers in our CyberLaw program is the question of legal liability for harms caused by cyber security beaches. This is a multifaceted problem, which a number of our research projects on law and technology have been trying to tackle from a variety of perspectives. One related set of issues discussed in this newsletter, involves liability for AI technology and machines publication authored by our post-doctoral fellow, Omri Rachum Twaig. Rachum Twaig shows that current models of product liability and tort law do not adequately address the practical challenges of limited human involvement or supervision over the exercise of robot-like autonomous machine capabilities. Instead, he proposes to develop “supplementary rules” that would create specific standards of care for AI designers, operators and end-users. While not focusing directly on liability for cybersecurity breaches, many of the foreseeability problems related to highly complex supply chains with limited control over the interface between the technology and actual use environment discussed by Rachum Twaig are relevant also to the field of cybersecurity.

Another project, just launched by the program’s visiting scholar, Asaf Lubin, looks at the role of the insurance market for cyber risks in generating policies and standards for the government and the private sector, in lieu of traditional standard setters. A key difficulty posed in this regard is the practice of excluding from insurance policies certain risks – such as war-like attacks, legal fines, physical harm and ransomware payments. These questions of insurability limit and delineate the regulatory potential of the insurance market. In any event, studying cyber-insurance practices and policies is a promising avenue for studying actual liability standards and the manner in which remedies are actually provided in the event of breach, and we are very happy to support Lubin’s potentially groundbreaking work in this field.    

Furthermore, the program is already immersed in another research project, supported by the Dutch government, which looks at the practical and legal difficulties of attributing cyber-attacks at the inter-state level. This is an area where the complexities of applying legal standards are compounded by uncertainty as to what exactly happened and by whom. One possible idea which will be discussed in an upcoming high-profile international research workshop in Rotterdam is whether there is a need to establish an international attribution agency, or whether other private, public or hybrid solutions need to be developed

All of these contexts underscore, separately and jointly, that the legal ‘rules of the game’ imposing legal liability on malicious actors and on actors that fail to meet appropriate standards of care, do not fit well in a technological environment with complex supply chains and elaborate decision making process, where formal rule makers cannot or do not wish to impose clear standards of conduct, and where an extraterritorial dimension further challenges the ability to establish the chain of responsibility and act thereupon. Still, our ability, at the Cyber Law program to tackle all these issues simultaneously and to draw connections between them, as well as from multidisciplinary bodies of expertise, may help us to think outside the box about possible solutions to intractable problems, as well as to think about the overarching regulatory architecture in which interactions in cyberspace. This is where the breadth and diversity of our work and pool of expertise offers clear advantages. And this is partly why we found working in this field to intellectually stimulating and professionally satisfying.

I would be most happy to discuss with you further these and other issues referred to in this newsletter and in our other publications.        

Sincerely,

Yuval Shany

Program Director