To Resist Cyber Interference in America’s Elections, Shore Up Voting Rights

By: Julian Bava, YLS ‘23

The year is 2028 and two candidates just squared off on Election Day to determine who will be the next President of the United States. Facing the prospect of a narrow loss, the incumbent candidate decides to bring the full force of the executive power to bear. The incumbent declares a national emergency pursuant to the recently enacted “Federal Election Integrity Act of 2027” in response to unspecified reports of foreign tampering with state voting apparatuses, and the incumbent orders a nationwide audit to be completed under federal government supervision. After the audit and a corresponding recount, the incumbent declares victory. If that scenario sounds fantastical, so did the thought of an insurrection at the Capitol incited by the Commander-in-Chief. Admittedly, subtler erosion of our democracy’s vitality is far likelier than an outright coup, though both are preventable. As policymakers grapple with how to secure critical election infrastructure from cyberattack, they must reject the temptation to concentrate overly broad authority to do so within the federal government. Congress and state legislatures instead should improve electoral resilience to cyber interference by eliminating flaws in the democratic process that leave it vulnerable to exploitation.

Twilight of Title III: Regulating Interception Alternatives in an End-to-End Encrypted World

By: Nicholas Barile, YLS ‘23

Consider a hypothetical twist on a famous criminal investigation: Operation Varsity Blues, an enforcement operation that exposed countless parental bribes for standardized test scores and college acceptances. Having evidence that mastermind William “Rick” Singer is coordinating the scheme via phone, authorities obtain a warrant under the federal eavesdropping statutory regime: Title III of the Omnibus Crime Control and Safe Streets Act of 1968. Investigators, however, discover that Singer makes calls using a particular medium that did not exist in 1968: WhatsApp. WhatsApp calls, unlike traditional phone lines, are end-to-end encrypted. Title III interception is rendered useless. Frustrated with the inability to capture brazen confessions, authorities resort to an alternative. They obtain a warrant to remotely hack Singer’s phone, installing cybersurveillance software that secretly records and uploads WhatsApp calls.

Winds of Change: What the SolarWinds cyberattack reveals about the United States’ contemporary cybersecurity policy, and what needs to change moving forward

By: Josh Asabor, YLS ‘23

Richard Boscovich, Assistant General Counsel for the Microsoft Corporation’s Digital Crimes Unit, has described the SolarWinds intrusion as a primary driver in changing the landscape of cybercrime forever. As part of the Yale Cyber Leadership Forum in 2021, Boscovich spoke on a panel focused on “Criminal Law Enforcement Across National Borders.” The post-SolarWinds world was shaken to its foundations, because as Boscovich put it, the attacks compromised the very backbone of both private and governmental cyber infrastructure. When analyzing such an attack in the context of broader national security policy, and considering the increasing potential for cybercrime and cyberattacks - both state-sanctioned and independent in nature - to cripple a sovereign nation’s public infrastructure, it raises questions as to how a world power like the United States should respond to and deter technology-based aggression moving forward.

Cybersecurity Risk in 5G

By: Elizabeth Rosenblatt, YLS ‘23

5G, the fifth-generation standard of mobile networking technology, promises to enable novel use cases that will fundamentally alter the world as we know it. However, with this promise comes increased security risk. As digital infrastructure becomes increasingly critical, this heightened cybersecurity risk is cause for concern. Telecommunications vendors and network operators are underincentivized to mitigate cybersecurity risk due to a collective action problem. Further, due to increasing interconnectedness between network components, a cyber event in one network element may catalyze widespread breach or network failure across providers with catastrophic societal implications. Novel tools are needed to address this challenge and catalyze efficient levels of investment in precaution. This paper examines the network vulnerabilities unique to fifth-generation networks and proposes the use of network “stress tests” to understand, measure, and proactively react to network vulnerabilities.

COVID-19 and International Law Series: Vaccine Theft, Disinformation, the Law Governing Cyber Operations

By: Oona Hathaway and Alasdair Phillips-Robins

This week cybersecurity researchers reported a suspected state-sponsored attempt to gain access to the accounts of executives and officials at companies and international organizations managing the logistics of COVID-19 vaccine distribution. According to IBM, the hackers were apparently seeking information about how the vaccines, some of which have to be kept at extremely low temperatures, will be stored and moved. The motive – whether to simply steal technology or to interfere with the distribution of the vaccine – is still unclear.

Untold Benefits of the “Whole of Government Approach” to Cyber Threats

By: Joe Schottenfeld, JD ‘19

In January, the National Security Division (NSD) of the Department of Justice announced the newest development in its efforts to combat cyber-attacks. Building off of its indictment of a North Korean man in 2018, the Division had started to help identify and alert individuals affected by a longstanding botnet attack. The press release was the latest in a steady stream of cyber-related moves: Since 2014, when NSD indicted five members of the People’s Liberation Army, the Division and DOJ more generally have gone after a growing stream of bad actors around the globe, like the North Korean hackers behind the Sony attack. These prosecutions have come to represent one of the US Government’s most significant responses to cyber threats.

Facebook's Information-Operations Dilemma

By: Nikita Lalwani, JD ‘20

After months of denial following the 2016 election, Facebook appears finally to have grasped the magnitude of the threat of information warfare. In January, the company announced that it had deleted some 500 pages and accounts tied to disinformation campaigns originating in Russia. One of the campaigns—aimed at influencing people in Armenia, Azerbaijan, Estonia, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Romania, Russia, Tajikistan, and Uzbekistan—included 289 pages that together had some 790,000 followers. As part of similar efforts, Facebook has also banned a digital marketing group in the Philippines, an online syndicate in Indonesia, and multiple pages, groups, and accounts in Iran.

Different Kind of Trust: Public-Private Cyber Information Sharing

By: Vigjilenca Abazi, LLM ‘19

Trust is essential for sharing information, especially when it comes to national security secrets. A trust-based relation that facilitates sharing information is hard to build and it would not happen merely because formal rules mandate it. Rather, the ability to show that the shared secrets are safe, that the originator of information retains control over its dissemination, and providing assurances of no misuses are some elements that build trust in due course. At the same time, these elements of trust significantly limit the circles of information sharing as traditionally the wisdom goes that the wider the sharing circle is, the higher the risks of information getting into the wrong hands, increased number of leaks, or other security threats. These tensions are well known in discussions about national security. In fact, we accept that there are inherent trade-offs and we emphasize the salience of sharing information especially when the failure to do so leads to grave consequences for public and national security, as has been the example of 9/11 information silos.

Election Security: Addressing Critical Issues Before an Ideological Stalemate

By: Jake van Leer, JD ‘20

In the wake of the 2016 election, the “hacking” of U.S. elections was at the forefront of political discussion. Foreign interference sparked numerous congressional inquiries and a high-profile investigation by Special Counsel Robert Mueller. Most hacking-related commentary focused on Russian disinformation campaigns. Fake news and disinformation pose real threats to the integrity of our nation’s political campaigns. However, less attention has been paid to the very real threat of cyberattacks to our election infrastructure.

Improving Government Response in the Cyber “Wild West”

By: James Fitch, JD ‘21

Even in 2019, three decades into the modern World Wide Web, people still refer to the internet as a “wild west.” And with so many striking similarities between the issues that frame the debate over addressing cyber threats and the tensions that would have sparked clashes in frontier towns 150 years ago, it is not hard to draw the comparison. Private industry representatives frequently bemoan the lack of government intervention and beg for authorization to organize their own reaction, like some kind of twenty-first century vigilante cyber posse. Government officials often respond by pointing to the complexity and newness of the issues to plead for time, prompting others to recommend “deputizing” private cyber defenders in the meantime. These kinds of debates are dispiriting; there has to be a better way than this in a rule of law society.

Digital Gerrymandering: The Underlying Risk of Private Governance

By: Elizabeth Levin, JD ‘20

In the wake of the 2016 election, scholars, regulators, and private companies were faced with the question of the role of social media in preventing the spread of various forms of misinformation. Media outlets spread news of the rise of “fake news,” and several studies confirmed the role of social media platforms in its spread and influence. The wave of information on the spread of fake news led to a call to arms for social media platforms to counter misinformation and act in ways that were socially responsible. Although not all commentators were as optimistic about platforms’ potential success in tackling fake news and misinformation campaigns, many argued that Facebook had a responsibility to protect its users against fake information. Mark Zuckerberg’s statement before Congress––arguing that Facebook was a technology company, not a media company, and therefore not responsible for regulating news on its platform––was met with backlash.

Going local: A role for local governments and small businesses in public-private cyber cooperation

By: Gabriella Capone, JD/MBA ‘19

The 2019 Yale Law Cyber Security Forum explored how the public and private sectors can bridge gaps in their cyber security efforts.

This piece focuses on the role of local governments and small enterprises in cross-sector cyber cooperation. While focus was often placed on the larger players in both sectors, bringing smaller actors in each sector into the conversation is a significant opportunity to strengthen shared infrastructure and cooperation.

Does the United States Need a Cyber Hotline?

By: David Murdter, JD ‘19

American businesses publicly reported over 800 cyberattacks affecting upwards of 1.3 billion customer records in 2018 alone. Such attacks not only threaten the integrity of sensitive customer data, but also may pose serious national security risks, particularly when the targets are companies responsible for managing critical infrastructure. Despite the frequency and severity of these cyberattacks, some of which have resulted in massive and widely publicized data breaches, the regulatory regime governing how companies report and respond to cyberattacks is in many ways underdeveloped.

Known Unknowns and Unknown Unknowns

By: Adam Pan, JD ‘19

As part of this year’s Yale Cyber Leadership Forum, I gave a short demonstration of a vulnerability in the MD5 hashing algorithm that was exploited by the infamous Flame worm discovered in 2012. To add a bit of dramatic flair, I built the hack into what at first appeared to be a much more innocuous demonstration of the Elliptic Curve Digital Signature Algorithm (ECDSA), an industry-standard encryption suite, before revealing the actual hack that I intended to present. The preparation that went into the demo presented its own challenges and lessons, but it was the reactions to the demos that gave me the most food for thought. As I described the hack, I could see that many of the attendees already had some knowledge of the Flame attack. However, as expected, only a few of the attendees were familiar with the technical details of how Flame worked.