Toward a New Legal Framework for Cybersecurity

What role should the law play in the creation of more secure or trustworthy networks? Fred Schneider of Cornell University and I argue that it does little to structure incentives or direct activity to drive cybersecurity. As Washington reconsiders the government's role in network security, we set forth a new legal framework for cybersecurity.

We argue for a theoretical reorientation, and we reject the standard siren call for the production of "secure" systems and networks, even though this still dominates policy circles and drives legal approaches. It will be better to focus on managing the inevitable insecurity that comes from the constant vulnerabilities and adversaries we face. The rich mix of legal authorities and institutions that comprise the public health infrastructure makes a useful departure point for considering the range of legal mechanisms and institutions that could aid in cybersecurity. Leveraging the law in a sophisticated and comprehensive manner to address market failures stemming from information gaps, externalities, and cognitive biases is essential to achieving and maintaining a level of security appropriate to the activities occurring on the Internet today and in the future.

We believe the law has been undertheorized and underutilized for network security and trustworthiness. Absent a concerted effort to consider the possible contributions of the law toward managing insecurity on networks, the Internet will grow increasingly less secure and there will be immense and, ultimately, regrettable pressure to build networks that provide greater security in a narrow sense (secrecy, confidentiality, integrity, and availability) at substantial cost to other shared values such as openness, transparency, and privacy.