Cybersecurity's Taxonomy Problems: The Do's and Don'ts of Conflation

By: Cedric Sabbah.

In the post-Snowden era, much of the domestic and international debate on cybersecurity law and policy has become entangled with related questions of privacy, law enforcement and cybercrime, cyber warfare, and surveillance. This interweaving of concepts can often confuse and sometimes misinform the important conversations taking place domestically and internationally on each of these topics. In this post, I would like to briefly unpack some of these concepts and explore how their proper framing is crucial for robust policy and law discussions between government, academia, and other stakeholders.

Let’s Talk Taxonomy

Very broadly, we can distinguish between cybersecurity, cybercrime, and cyber defense.

Cybersecurity, at a basic level, is about securing networks and computers (see here and here for more expansive definitions). Government policy development and deployment for cybersecurity usually involves regulatory incentives and deterrents motivating organizations –particularly other government departments and critical structure organizations – to improve their respective defensive posture, cyber awareness, cooperation between the private and public sectors to enable quick recovery after a cyber incident (including information sharing), and damage mitigation in real-time. Israel’s government resolutions 36112443 and 2444 establishing a sole-purpose cybersecurity agency, its Cyber Defense Methodology for Organizations, the NTIA’s NIST Framework, and the EU’s NIS Directive are examples of government-level policy/law in the field of cybersecurity.

Cybercrime refers to acts committed by individuals and organized criminal or terrorist groups through or against computers (e.g. hacking into a computer/network without authorization, tampering with data, and distributing child pornography through the internet). This field also raises questions of digital forensics. The main applicable legal framework is domestic criminal law. Current salient issues in this field include law enforcement authorities’ access to data stored in other countries, the “going dark” problem, and the role of internet platforms in monitoring and removing content inciting terrorism or contains child pornography. Internationally, the Council of Europe’s Cybercrime Convention (the “Budapest Convention”), comprising 56 members, reflects the baseline understanding of state parties as to what constitutes a “cyber crime” and provides a mechanism for cross-border cooperation.

Cyber defense refers to a state’s response to actual and potential cyber attacks emanating from other states and non-state actors. The national cyber defense mission is generally the responsibility of a state’s armed forces and national defense organizations. In international law, the law of armed conflict and the law of state responsibility are relevant legal frameworks.

Unfortunately, as will be seen below, these concepts are often conflated with one another, resulting in lack of clarity as to how a particular issue is construed and analyzed. This in turn affects discussions on the policy to be pursued, the government body in charge of its implementation, and the applicable legal framework(s).

The Pitfalls of Conflation – Three Examples

Cybersecurity vs privacy: The regulation of and response to data breaches often call into play the application of cybersecurity and privacy regimes. Both regimes share the overarching policy goal of “protecting information,” but they have a different focus: privacy regulation is about data concerning individuals, whereas cybersecurity is concerned with security as a whole, including securing systems and data that may be entirely unrelated to individuals’ private records. Thus, a large-scale cyber incident would typically trigger action on the part of the relevant cybersecurity authority, but if no breach of personal data was involved, it would likely be irrelevant from a privacy perspective (conversely, not all privacy breaches are necessarily cybersecurity incidents – e.g. Cambridge Analytica, based on what we know so far.) For the cybersecurity authority, what matters most is not the breach of privacy per se, but the attack and its consequences: forensic analysis, patching, mitigation, etc. By focusing exclusively on the privacy aspect of data breaches, the broader cybersecurity picture may be obscured. This also poses a challenge for governments, which must properly define the respective mandates of cybersecurity and privacy regulators and ensure that these mandates are interoperable and not overly duplicative.

recent blog post endeavored to compare the privacy-security trade-offs embodied in the EU’s new privacy protection regulation, the GDPR, with those of China’s new Cybersecurity Law. In my view, the premise behind such a comparison is questionable: in the GDPR, privacy is the starting point, the rule from which national security exceptions can be carved out. By contrast, China’s Cybersecurity Law is at its core national security legislation, with only a passing reference to privacy. These two legislative texts operate in very different spheres and emanate from very different perspectives of what the privacy-security balance should look like. Given these widely diverging starting points, it is doubtful whether meaningful comparisons can be made between the two can be made that can help policy-makers strike an appropriate balance.

“Cyber operations”: The recently published Tallinn Manual 2.0 on the Law of Cyber Operations addresses, from an academic perspective, how international law might apply to “cyber operations” above and below the “use of force” threshold. Setting aside the criticism that the Manual has received on certain substantive issues (for example, on matters of sovereignty, countermeasures and due diligence, as well on extraterritorial law enforcement jurisdiction), I would note here that it takes a very amorphous view of “cyber operations,” blurring traditional distinctions between cybersecurity, cybercrime, and cyber defense.[1] Indeed, in the part of the Manual dealing with the law of armed conflict, the term “cyber operation” is typically used to refer to cyber operations of a military nature; however, the part dealing with international law in peacetime uses the term much more broadly to refer to almost any kind of use of information and communications technology, including uses having little to do with military operations (for example government measures to block internet access to its own population, legislative restrictions on freedom of speech,[2] and law enforcement on the cloud).[3] This approach undermines traditional distinctions between different branches of law and suggests a false parallel between the military, civilian, and law enforcement activities of the government. Ultimately, such blurring of lines hinders rather than enhances robust legal debates.

Surveillance: A recent “draft legal instrument on government-led surveillance and privacy,” published by the UN Rapporteur on Privacy attempts to provide a single set of common standards applicable for the surveillance of nationals and foreigners for domestic law enforcement purposes and national security purposes. The draft briefly concedes the difference between these activities, yet it does not address the full breadth of these differences. Surveillance for law enforcement and intelligence purposes are each governed by distinct rules domestically and internationally, while oversight mechanisms are aimed at different goals. The legal thresholds for authorizing surveillance, the scope of authorized surveillance, and the effect on privacy, vary greatly between the two. Furthermore, espionage is not prohibited under international law (though an individual caught spying against a country may be indicted and tried under the domestic law of that country). In order to truly advance the discussion on surveillance and privacy, these distinctions must be acknowledged and addressed more fully. The above problem is not unique to cyber, and relates to the broader issue of the “fragmentation” of international law. Here, the human rights law perspective should be complemented and informed by other disciplines such as national security and cybersecurity technology and law in order to yield richer policy recommendations that can be implemented in practice.

The Good Kind of Conflation

Of course, the cyber domain cannot be neatly confined to, or analyzed through the prism of, any single legal framework. Some cross-fertilization of concepts is inevitable and indeed relevant, as many of the issues are in fact intertwined. The following are a few examples:

  • The debate on “active defense” in the private sector stems from a cybersecurity issue (the call to afford some measure of flexibility to companies in order to enable them to respond to cybersecurity incidents when government’s ability to intervene in real-time is limited). At the same time, the policy discussion on active defense requires an understanding of the cybercrime context (e.g. law and jurisprudence on what constitutes unlawful access to a computer), as well as international law and international relations implications. This is not a case of accidental conflation, but rather a multidisciplinary approach to a unique problem.
  • The US Department of Justice has increasingly been indicting foreign hackers as part of a broader cybersecurity strategy (for example, Chinese hackers affiliated with the PLA and Iranian hackers affiliated with the Revolutionary Guard). This approach shows how cybercrime enforcement intersects with and complements cybersecurity goals, contributing to a state’s deterrence tools against would-be hackers (see John Carlin’s comprehensive article on this subject).
  • DHS actions to curb the use of Kaspersky products within the federal government serve a similar dual goal: cybersecurity (limiting the use of software with security flaws within government agencies and departments) and defense against suspected Russian espionage.
  • Another interesting case was raised by Russia’s alleged interference with the US elections. In a recent thought-provoking post on the Lawfare blog, renowned technology and policy Professor Susan Landau argues for expanding our traditional definition of cybersecurity to include “influence operations” of the type used in the 2017 US elections (see here Herb Lin and Paul Rosenzweig’s response to the proposal). I do not take a position as to whether or not this is desirable from a policy perspective. The point here is to note that the conflation between cybersecurity on the logical layer and broader notions of “information security” on the content/social layer is deliberate in this case, and stems from clearly-defined policy goals.

Where Do We Go from here?

The cyber domain is unique precisely because it enables so many types of activities and interactions, on so many levels, among such diverse actors. Given the current pace of events and technical developments, numerous challenges face policy-makers, private companies, the technical community, and academics in the fields of cybersecurity, cybercrime, and so forth. In order to address these challenges, stakeholders must avoid the trap of generalizations, appreciate the applicable legal frameworks and constructs, and be mindful of nuances. Insisting on these nuances isn’t just an exercise in taxonomy for its own sake. It is a threshold condition for coherent and sophisticated cybersecurity law and policy development.

 

* This blog post is written in my personal capacity. It does not necessarily reflect the views of Israel’s Ministry of Justice or the Israeli government.

[1] The Tallinn Manual 2.0 defines “cyber operation” as “the employment of cyber capabilities to achieve objectives in or through cyberspace. In this Manual, the term is generally used in an operational context.”

[2] Tallinn Manual 2.0, Chap.6.

[3] Tallinn Manual 2.0, Chap.3.