Innovation Also Means … Envisioning the Evolution of Our Laws and Our Legal Frameworks
When we think about innovation in and of the law and in the legal profession, many people envision only the application of technologies to our current ways of providing legal services, including providing advice and counsel to and generating legal work products for clients. Yet, innovation is not just about the application of tech-based solutions, including automation- and AI-based techniques, to existing ways of providing services and generating work products. Innovation also means that we should think about how our legal frameworks – the U.S. Constitution and federal and state statutes, rules and regulations as well as local ordinances – may need to evolve to anticipate circumstances in the future that do not yet exist today but are generally foreseeable. We have to be prepared to envision how the legal frameworks on which we rely for order and the day-to-day functioning of our society may need to be modified to address and take into account ever-changing conditions and circumstances in the world in which we live.
To put this in some context, consider how you would answer the following:
Question: “If either of the General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”) had been in effect in 2014 and 2015, would the Cambridge Analytica scandal have occurred?”
Though many of you considering the question above may also ask:
Inquiry: “Well, it was not until after the Cambridge Analytica scandal and the circumstances revealed as a part of the investigations of and the material fines levied upon Facebook that we realized how much we needed GDPR and CCPA.”
Response: “Whoa! Stop right there!”
“For years, we have known of the collection of information about individuals for behavioral marketing and other purposes in connection with optimizing revenue, gauging individual sentiment and influencing individuals’ points of view. Yet, rather than consider the potential consequences that could arise from the aggregation of vast amounts of personal data by large for-profit corporations and other organizations, and then taking appropriate steps based on those potential consequences, most of us were complacent to accept our $5.00 coupon (or other token “compensation”) from time to time in exchange for letting an organization track our purchases and other activities (and in doing so, our preferences from which conclusions can be drawn about our personal characteristics, many of which we want to remain private).
“If, back in 2014, we had stopped to think about how, given technological advancements in data aggregation and processing, personal data could be exploited, we as a nation certainly would have taken proactive steps to prevent the Cambridge Analytica scandal, among other unintended uses of personal data by Google, Amazon and Facebook and other organizations such as political action committees. In other words, we – as lawyers, lawmakers, government agencies, corporations, individual citizens and other stakeholders – should have brainstormed how applicable laws and legal frameworks may have needed to be modified to protect personal data (and our respective individual privacy) given the evolution of tech capabilities and social norms around the sharing and use of personal data.”
With the above framework as a point of reference, I think we as a nation should routinely and rigorously consider how all of our legal frameworks need to evolve as the commercial and social norms of our world change.
Let’s take an example: The Second Amendment to the U.S. Constitution
Cyberattacks, attempted and threatened cyberattacks and the identification of cyber vulnerabilities for over a decade have put us all on notice that we – individuals, corporations and other organizations and government agencies – are exposed to all types of potential harm from cyberweapons. Given this threat of harm and potential confrontation with cybercriminals, it seems reasonable, then, to consider the actions that could or should be permitted in the context of self-defense in the face of a cyberattack:
- Does the “right to bear arms” guaranteed to individuals in the Second Amendment, District of Columbia et al. v. Heller, 554 U.S. 570 (2008) (“Heller”), allow one to stand one’s ground electronically (or virtually) in the face of cyberattacks just as one can stand one’s ground physically?
- Does the “right to bear arms” include not only the right to bear “tangible arms” (like firearms) but also “intangible arms” like cyberweapons that would allow one to defend against cyberattacks and, hence, to stand one’s ground electronically?
As a point of reference and additional context, Dennis Miralis of Nyman Gibson Miralis offers several definitions of malware or “cyberweapons,” including the following broad definition: “software and IT systems that, through [networks], manipulate, deny, disrupt, degrade, or destroy targeted information systems or networks.” There are many types of malware or cyberweapons, including computer viruses, ransomware, worms, trojan horses and spyware. Depending on the characteristics of a particular cyberweapon, a malicious system or program can “steal, encrypt or delete sensitive data, alter or hijack key computing functions and to monitor the victim's computer activity.”
The following recent cyberattacks provide insight into why one might want the right to bear cyberweapons and defend one’s self against the potential harm that could arise during a confrontation with a cybercriminal or group of cybercriminals.
- The Cyberattack on Jeff Bezos, CEO of Amazon (February - May 2018).
A forensic analysis conducted by Anthony J. Ferrante of FTI Consulting (FTI Cybersecurity) from February to November 2019 suggests that the Crown Prince Mohammed bin Salman of Saudi Arabia (MBS) was responsible for the hack of Jeff Bezos’s mobile phone, an iPhone X, from February to May 2018. In the FTI Cybersecurity report, FTI Cybersecurity concluded:
“Following a full forensic examination of the logical file system, network analysis, and an in-depth investigation of all available artifacts to date, FTI assesses with medium to high confidence that Bezos' iPhone X was compromised via a WhatsApp video attachment that was sent from an account utilized by [MBS]. ... Based on the investigation to date and all available intelligence, it is believed that the compromise was likely facilitated by malicious tools procured by [Saud al Qahtani, the President and Chairman of the Saudi Federation for Cybersecurity, Programming and Drones at the time of the Bezos hack], such as a product of NSO (e.g., Pegasus-3), or a product of Hacking Team (e.g., Galileo).”
The FTI Cybersecurity report is an insightful read into the anatomy of a device hack and is accessible through a number of internet media outlets, including Cyberscoop and Motherboard/Vice. NSO Group and the Hacking Team were the two organizations mentioned by FTI. NSO Group is a cyber intelligence company, headquartered in Israel, that, among other things, provides advanced surveillance technologies to government agencies around the world, and the Hacking Team, headquartered in Italy, provides “effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.” NSO Group and the Hacking Team develop tools that could be used not only to effect cyberattacks like the one experienced by Bezos but also to "proactively defend" against cyberattacks.
- Cyber Attack by the Chinese People’s Liberation Army to Collect Personal Data of U.S. Citizens (Cyberattack, May – July 2017; Indictment: February 2020).
On February 10, 2020, the U.S. Department of Justice indicted four members of the Chinese People’s Liberation Army (PLA) for hacking the computer systems of Equifax Inc., a U.S.-based credit reporting agency. The nine-count indictment, issued by a federal grand jury in Atlanta, was announced by Attorney General William Barr and accuses the PLA members of computer fraud and economic espionage, among other crimes. The indictment describes with particularity the treasure trove of personal data that the PLA obtained:
“Beginning on an unknown date, but at least by on or about May 13, 2017, and continuing through on or about July 30, 2017, members of the People's Liberation Army ("PLA"), the armed forces of the People's Republic of China ("China"), conspired with each other to hack into the protected computers of Equifax located in the Northern District of Georgia, to maintain unauthorized access to those computers, and to steal sensitive personally identifiable information of 145 million Americans.”
“The PLA hackers obtained names, birth dates, and social security numbers for the 145 million American victims, in addition to driver's license numbers for at least 10 million Americans stored on Equifax's databases. The hackers also collected credit card numbers and other personally identifiable information belonging to approximately 200,000 American consumers. Accordingly, in a single breach, the PLA obtained sensitive personally identifiable information for nearly half of all American citizens.”
Attorney General Barr also noted in his remarks that hacks similar to the Equifax hack by Chinese nationals have gone on for years.
August 2017 – Abbott / St. Jude Medical. On August 29, 2017, the U.S. Food and Drug Administration (FDA) recalled certain implantable cardiac pacemakers manufactured by St. Jude Medical, Inc. (acquired by Abbott in January 2017) to implement an FDA-approved software update “to reduce the risk of patient harm due to potential exploitation of cybersecurity vulnerabilities” of the devices. In the recall notice, the FDA noted:
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing.”
December 2018 – Medtronic. Cybersecurity professionals Billy Rios and Jonathan Butts disclosed to Medtronic, Inc. (Medtronic) vulnerabilities in CareLink 2090 pacemaker programmers. The work of Rios and Butts led the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the U.S. Department of Homeland Security, to describe the “Vulnerability Overview” of the pacemaker programmers as follows:
“The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest:
“PII. Some combination of personal data that enables the unique identification of an individual. PII is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”
“PHI. Some combination of PII and associated health related data.”
It is the work of Rios and Butts, who are “cyber” bounty hunters whose only reward seems to be the gratification of exposing cyber vulnerabilities, that has put Medtronic on notice about “a chain of vulnerabilities in Medtronic's infrastructure that an attacker could exploit to control implanted pacemakers remotely, deliver shocks patients don't need or withhold ones they do, and cause real harm.”
January 2020 – GE Healthcare. On January 23, 2020, the FDA issued a safety communication “about cybersecurity vulnerabilities for certain GE Healthcare Clinical Information Central Stations and Telemetry Servers.
“These devices are primarily used in health care facilities for displaying patient information, such as the physiologic status (i.e., temperature, heartbeat, blood pressure, etc.) of a patient, and monitoring patient status from a central location in a facility, such as a nurse’s bay. The cybersecurity vulnerabilities identified could allow an attacker to remotely take control of the device to silence alarms, generate false alarms or interfere with the function of patient monitors connected to these devices. For example, an attacker could potentially silence an alarm that is intended to communicate vital information about a patient to health care staff, such as a patient’s cardiac status.”
See also “FDA warns hospitals about security flaws in some GE medical equipment: The flaws could allow infiltrators to control the devices remotely,” Mariella Moon, engadget, January 23, 2020.
March 2020 – Multiple Medical Device Manufacturers. On March 3, 2020, the FDA issued a safety communication regarding 12 cybersecurity vulnerabilities, the “SweynTooth” vulnerabilities, all related to the Bluetooth Low Energy (BLE) connection technology used in medical devices. “Medical devices that use BLE connections include devices that are implanted and worn, including pacemakers, stimulators, insulin pumps, glucose monitors and ultrasound devices,” and the vulnerabilities fall into three categories. “An unauthorized user can wirelessly exploit these vulnerabilities to:
Additional detail is available in the related CISA report. Some individuals who rely on medical devices have been, and continue to be, vulnerable to cyberweapons.
“Hundreds of thousands — and possibly millions — of people can be hacked now via their wirelessly connected and digitally monitored implantable medical devices (IMDs) — which include cardioverter defibrillators (ICD), pacemakers, deep brain neurostimulators, insulin pumps, ear tubes, and more.”
Perhaps the most troubling aspect of the “SweynTooth” vulnerabilities is that the code used to hack the BLE devices is available to the public. According to Mike Borowczak, director of the University of Wyoming’s Cybersecurity Education and Research Center (CEDAR), “[the hack] would be something a college student could pull off, and maybe even a high school student given all the resources, and they wouldn’t actually have to know all the technical details…they would just need to know how to program a device.”
The FDA has issued 11 cybersecurity safety communications including its initial such communication in June 2013.
- Cyberattack on Estonia (2007).
In late April 2007, Russia allegedly sponsored widespread cyberattacks against Estonia, which have also been described as a “Russian information operation against Estonia” and “the world’s first cyberwar,” on all aspects of the Estonian government, economy and society. “Estonians found that they couldn’t use much of the internet. They couldn’t access newspapers online, or government websites. Bank accounts were suddenly inaccessible.”
Out of the 2007 attacks, among other initiatives, came (1) the Tallinn Manual on the International Law Applicable to Cyber Warfare (2013), which was superseded by the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2017), and (2) the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) located in Tallinn, Estonia. The mission of the CCDCOE is to support NATO and its member nations “with unique interdisciplinary expertise in the field of cyber defence research, training and exercises covering the focus areas of technology, strategy and law.”
Self-Defense Against Cyberattacks
The descriptions of the foregoing (as well as the many other events not described here due to space constraints) suggest that we are vulnerable to cyberattacks, and the cyberweapons, in whatever form they take, could target our lives and our social, emotional and financial well-being, not to mention the systems underpinning the operation of national, state and local governments and global financial markets.
The cyber threats described above become magnified even further when you consider:
- The proliferation of connected wearable devices throughout the globe. According to Statista, worldwide there are approximately 357 million users with over 500 million connected wearable devices. Each connected wearable device represents a potential vulnerability or point of entry for a hacker or cybercriminal.
- The marketplaces for malware and cybercrime-as-a-service (CaaS) on the dark web. The marketplaces for malware systems that take advantage of these points of vulnerability or entry are indeed robust. According to Carbon Black, a cybersecurity firm, “there are currently more than 6,300 estimated dark web marketplaces selling ransomware, with more than 45,000 current listings.” According to McAfee, LLC, “from products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the diversity and volume of cybercrime offerings has never been greater.”
- The material enforcement gap between the number of cyberattacks and the number of cybercriminals that are brought to justice. One estimate of the enforcement gap suggests that “less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.”
According to Steve Morgan, Editor-in-Chief of Cybercrime Magazine, one prediction has costs attributable to cybercrime damages hitting $6 trillion annually by 2021, and Morgan characterizes these costs as, among other things, the “greatest transfer of economic wealth in history, [risking] the incentives for innovation and investment, and [being] more profitable than the global trade of all major illegal drugs combined.”
“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”
Yet, notwithstanding the predicted magnitude above, $6 trillion could be an underestimate, given that the damages described above do not include the costs of other types of losses that could be incurred, including through the loss of lives and personal injuries suffered due, for example, to the hack of medical devices as described above.
So, given the threats of harm we face and the extent of our vulnerability to cyberweapons, we all need to be prepared to address what it means to defend oneself against cyberweapons. Consider, for example, the efforts of the New York City Economic Development Corporation (NYCEDC), which, in October 2018, launched the Cyber NYC program. Cyber NYC was launched with a $30 million “catalyzing” investment designed to rapidly grow New York City’s ecosystem and infrastructure for cybersecurity, and the program features support from a number of significant and widely recognized partners in the cybersecurity, tech and fintech spaces, including SOSA, Facebook, Mastercard, Goldman Sachs and PricewaterhouseCoopers, among others. The program is also backed by Erel Margalit, the Founder and Chairman of Jerusalem Venture Partners (JVP).
“As the world encounters an ever-increasing array of cyber threats, old empires can falter – and new empires can grow. Cybersecurity may well be one of the next great industries, and it may just provide the needed defenses to ensure that New York City’s other empires can live another day.”
Interestingly, in the article that TechCrunch wrote about the launch of the Cyber NYC program, TechCrunch used the following headline to describe the program:
“NYC wants to build a cyber army: Through five new startup programs, Cyber NYC is the city's bold plan to dominate cybersecurity this century.”
Which other localities across the globe may be looking to build cyber armies?
Is there already or will there be the equivalent of the National Rifle Association for cyberweapons?
District of Columbia et al. v. Heller, 554 U.S. 570 (2008)
Heller tells us that a textual analysis of the words in the Second Amendment guarantees each individual the right to possess and carry weapons in case of confrontation.
“c. Meaning of the Operative Clause. Putting all of these textual elements together, we find that they guarantee the individual right to possess and carry weapons in case of confrontation. This meaning is strongly confirmed by the historical background of the Second Amendment.”
In addition, the analysis in Heller suggests that the term “arms” should be construed broadly to include “even those that were not in existence at the time of the founding” of our nation.
“* Some have made the argument, bordering on the frivolous, that only those arms in existence in the 18th century are protected by the Second Amendment. We do not interpret constitutional rights that way. Just as the First Amendment protects modern forms of communications, e.g., Reno v. American Civil Liberties Union, 521 U. S. 844, 849 (1997), and the Fourth Amendment applies to modern forms of search, e.g., Kyllo v. United States, 533 U. S. 27, 35–36 (2001), the Second Amendment extends, prima facie, to all instruments that constitute bearable arms, even those that were not in existence at the time of the founding.”
Query, then, whether the breadth of this construction includes cyberweapons.
In June 2018, our start-up venture was hacked. It actually took us about five weeks to discover the hack, and fortunately, we were able to restore all of the emails and corresponding files that had been misappropriated. To this day, we do not know the identity of the hacker, nor do we know how the hack was implemented. There was no obvious phishing email or unexpected file on which anyone had clicked; there was no smoking gun. We were enraged by the hack, and we felt so violated that someone had compromised our system. We froze the hacker’s Gmail account by commencing a Defend Trade Secrets Act proceeding in the Southern District of New York and obtaining an injunction against an unknown defendant. That gave us some degree of comfort and security, but ultimately, today, we are no closer to ascertaining the identity of the hacker than we were two years ago.
As I think back to our direct experience with hacking, I wonder whether, if we had had the right to use malware proactively and defensively to protect our system, the outcome would have been different. What if our system had been equipped with a form of malware that was automatically triggered upon an attempted hack (e.g., breach of or entry into our system by a device located at an unknown IP address, or the attempted upload of certain files without appropriate permissions)? My guess is that the outcome would have been different. No third party would have accessed our system, and we would not have incurred legal and court fees to mitigate the harm caused by the hack.
And consider the “Hack-Back Legislation,” which is different from the suggestion above, but makes for a thought-provoking framework given that the Legislation is currently before the U.S. Congress. The “Hack-Back Legislation” was initially introduced in March 2017 by U.S. Representative [Tom] Graves of Georgia (R) as the “Active Cyber Defense Certainty Act” (ACDC), which amends the Computer Fraud and Abuse Act (CFAA) to “allow the use of limited defensive measures that exceed the boundaries of one’s network in an attempt to identify and stop attackers.” The Hack-Back Legislation (H.R. 3270) was re-introduced by Rep. Graves and a bipartisan group of 15 other Congresswomen and Congressmen on June 13, 2019. On June 28, 2019, the Legislation was referred to the Subcommittee on Crime, Terrorism, and Homeland Security, where the bill now resides pending further action.
Some think that granting (or recognizing) the right to hack back is a “recipe for cybersecurity chaos” or “the worst idea in cybersecurity.” In fact, Professor Josephine Wolff, Assistant Professor of Cybersecurity Policy at The Fletcher School of Tufts University, was inspired by the 1980s hard rock band that shares its name with the acronym for the Active Cyber Defense Certainty Act when she wrote about the proposed legislation in Slate, calling the legislation “a highway to hell” and announcing that she was “thunderstruck by how terrible” the proposed legislation is. There are many reasons to be wary of legalizing (recognizing) the right to hack back, chief among them the problem of attribution. It is very difficult to attribute a hack.
“Hackers are masters of obfuscation and typically cover their tracks by using things like spoof IP addresses and hacking tools developed by others. It’s also very difficult to be certain a computer that appears to be behind an attack hasn’t itself been hacked. That could easily cause the wrong systems to be targeted.”
However, the Office of the Director of National Intelligence, in its Guide to Cyber Attribution, pronounced:
“Establishing attribution for cyber operations is difficult but not impossible. No simple technical process or automated solution for determining responsibility for cyber operations exists. The painstaking work in many cases requires weeks or months of analyzing intelligence and forensics to assess culpability.”
Even with all of the concerns about attribution of cyberattacks expressed today, it seems reasonable to believe that as technology continues to evolve, our ability to ascertain the party – individual, group or nation-state – behind a cyberattack will only improve. In fact, the Defense Advanced Research Projects Agency (DARPA) established the Enhanced Attribution Program “to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions.”
In addition to the current attribution dilemma, there is the ever-present potential for conflict with the foreign affairs power of the Legislative and Executive Branches of the U.S. Government, which certainly is a first-order Constitutional issue. What if a hack were attributed (correctly or not) to a nation-state? After all, China, Iran, North Korea, Russia and Saudi Arabia are alleged to be the culprits behind some of the most invasive hacks affecting individuals and corporations for more than a decade. And, if nation-states are implicated, what then of the conflict between the Second Amendment (as interpreted to include cyberweapons), on the one hand, and certain foreign affairs powers under Article I, Section 8 and Article II, Section 2 of the U.S. Constitution, on the other hand?
Discussing whether the Second Amendment applies to one’s right to carry and possess cyberweapons is a difficult subject to tackle and is much more complicated than this blog post even begins to suggest. However, just because the subject is difficult to address does not mean the right to carry and possess cyberweapons does not exist or should not be recognized, nor does it mean we should not have a robust national conversation about it. Quite the contrary, it is exactly because the issues of cybersecurity and the use of "proactively defensive" cyberweapons are so important that we all should welcome the debate inspired by Rep. Graves and the entire bipartisan group of U.S. Representatives, and other thought leaders across the globe and with varying points of view, about the right to defend against cyberweapons and empowering those affected by, or vulnerable to, cyberattacks and cybercriminals to protect themselves. This debate should also come with a robust discussion of whether the enforcement gap is best addressed through collective government action, e.g., in the form of allocating additional resources to government enforcement and research agencies such as the Cyber Division of the FBI, CISA, U.S. Cyber Command or other agencies (ideally acting together as a unified "cyber front"), on the one hand, or through the "proactively defensive" actions of individuals, on the other hand. And, in the case of individuals, we have to consider whether the individual must or should work with or through qualified cybersecurity professionals or firms. And if the right to carry and possess cyberweapons under the Second Amendment were to be recognized, what degree of regulation would be necessary to ensure the exercise of such rights did not yield undue harm?
Just to foreshadow the forthcoming constitutional discussion, one could see how regulation would be necessary to serve the many "compelling state interests" that arise when one considers the use and deployment of cyberweapons, particularly when deployment goes beyond our national borders.
It is exactly this discussion and debate that will enhance our ability to keep the evolution of the law and the legal frameworks under which we live, work and thrive at the forefront of innovation in and of the law and in the legal profession. And … there are so many areas in which we can and should encourage and foment the evolution of the law and the legal frameworks … all in the spirit of advancing our abilities to live, work and thrive, individually and collectively as global, national, state and local communities … all in furtherance of advancing and protecting our fundamental rights and freedoms as well as other rights we have earned and will continue to earn.
What can you do to evolve the law?
How can you foment discussion and generate debate about how to improve the legal frameworks under which we live, work and thrive?
Note: A special note of thanks to a few contributors who shared their insights on the thoughts and ideas expressed in this post.
Please know that I am very grateful for your time and the ideation you inspired.