I. Introduction

For the past few years, cybersecurity has purportedly been a top priority of lawmakers and regulators.[1] Companies invested heavily in cybersecurity compliance.[2] Law firms nationwide built large cybersecurity practices.[3]

Much of the early development of cybersecurity law occurred without a clear consensus as to what cybersecurity law is. The field is often lumped together with the more established realm of privacy law[4] or the far narrower goal of preventing identity theft—a conception of cybersecurity law that is a relic of the early aughts.[5]

But this is starting to change. The first few years of the 2020s have marked a maturation of policymakers’ understanding of the scope of cybersecurity challenges. That understanding has prompted the creation of laws that comprehensively address the full range of cybersecurity threats that the United States faces.

The United States has finally started getting serious about cybersecurity law.

This is the third in a series of articles that have examined the cohesion and efficacy of U.S. cybersecurity law, and the need to improve U.S. laws to more effectively address modern threats. In 2018, Defining Cybersecurity Law tried to broadly define the goals and mission of cybersecurity law and highlighted areas in which U.S. laws were outdated and lacking.[6] Two years later, Hacking Cybersecurity Law outlined seven high-level principles for lawmakers and regulators to consider when amending and drafting new cybersecurity laws.[7] Rather than call for specific changes, the article provided policymakers with principles that would make cybersecurity laws more likely to succeed, such as ensuring that they are comprehensive, clear, and informed.[8]

This Article examines how lawmakers, regulators, and other government officials have approached cybersecurity law in the early 2020s. It highlights ten statutes, regulations, and other government initiatives that adhere to the more modern and comprehensive definition of cybersecurity law and seek to apply many principles for successful cybersecurity initiatives. The Article then highlights some areas of cybersecurity law that need further modernization.

Ultimately, this Article tells a success story—or at least the beginning of a potential success story. The past few years mark a point in U.S. history in which lawmakers and regulators have stopped lumping cybersecurity law together with unrelated or outdated concepts and have begun treating the field with the precision and seriousness that it deserves.

“Precision” is the key word at this stage of the U.S. experience with cybersecurity law. The first article sought to define cybersecurity law. The second article sought to “hack” cybersecurity law by introducing broad and often sweeping principles to shape the field. With those principles in mind, this Article examines how to optimize the legal system and achieve national cybersecurity goals. The changes are most analogous to a software upgrade, which “usually comes with major improvements or entirely different operating systems that change or alter the application, operating system, or software drastically” and often means “adding a whole new component of security or a new feature.”[9] In short, “upgrade” in the software world means “[t]o replace existing software or hardware with a newer version.”[10] Just as software upgrades are targeted tweaks that increase efficiency and reduce the likelihood of harm, the legal upgrades described and proposed in this Article will make U.S. cybersecurity laws more effective.

II. Principles for Upgrading Cybersecurity Law

The two previous articles in this series recognized the urgent need for policymakers to develop laws that reflect modern cybersecurity challenges. Defining Cybersecurity Law evaluated the scope of cybersecurity threats and compared them with the U.S. laws that purportedly addressed those threats, including data security statutes, data breach notification statutes, data security litigation, computer hacking laws, and government surveillance restrictions.[11]

Many of these laws that are often lumped under the general category of “cybersecurity,” the article observed, originate from “century-old privacy norms, torts, and criminal laws that bear little relation to the protection of the confidentiality, integrity, or availability of systems, networks, and data.”[12] The article sought to define the field of cybersecurity law, with the goal of helping lawmakers, regulators, and courts approach the field in a more cohesive and strategic manner.[13]

The article examined the wide scope of cybersecurity threats that the United States faces, and assessed the ways that legal rules and standards could best help achieve cybersecurity.[14] For instance, while cybersecurity laws tend to impose requirements for securing the confidentiality of personal information, such as credit card numbers and social security numbers, they do little to safeguard the integrity and availability of data, systems, and connected devices.[15] Moreover, because cybersecurity threats often traverse public and private infrastructure, cybersecurity law should strive to protect both private companies and government computers.[16] Cybersecurity law should also contain a mix of carrots and sticks, recognizing that the goals of private companies are often aligned with those of policymakers.[17] The article then incorporated those goals into a definition: “Cybersecurity law promotes the confidentiality, integrity, and availability of public and private information, systems, and networks, through the use of forward-looking regulations and incentives, with the goal of protecting individual rights and privacy, economic interests, and national security.”[18]

The article applied that definition to current existing statutes, regulations, and other laws, including data security statutes, data breach notification laws, data security litigation, computer hacking laws, the Electronic Communications Privacy Act, and the Cybersecurity Act of 2015, and identified four key broad thematic gaps.[19]

First, the laws mainly focused on the confidentiality of information, not on the integrity and availability of information and systems.[20] While protecting confidentiality of personal information remains vital, the cybersecurity laws are disproportionately focused on that goal, and do not adequately try to ensure that data and systems are protected from attacks on integrity, such as website defacement, and attacks on availability, such as ransomware.

Second, cybersecurity law emphasizes the protection of personal information, and often does not adequately safeguard information and systems that are vital to national security and economic interests.[21] For example, state data breach notice laws often focus on personal information (social security numbers and banking information) and the Federal Trade Commission brings data security cases under a consumer protection law.[22] Cybersecurity laws do not adequately address potential cyberattacks that could have a devastating impact on national security, such as a compromise of a regional electric grid. Further, cybersecurity laws do not sufficiently address the economic harms from those attacks or the theft of trade secrets. While protecting individual privacy should remain a top priority of cybersecurity laws, policymakers must also fully consider the national security and economic harms caused by cybersecurity incidents.

Third, U.S. laws heavily focus on penalizing companies for inadequate cybersecurity, typically after a data breach. While such regulation is justified and necessary, cybersecurity laws should also emphasize collaboration between the public sector and private sector.[23] Unlike in many other regulatory fields, such as environmental protection, the goals of the government and of regulated companies are aligned.[24] A rational corporate executive would want to avoid cybersecurity incidents, if only to prevent the loss of trade secrets and reputational harm among consumers. The private and public sectors have substantial room to collaborate on solutions that reduce the frequency and magnitude of data breaches and other cybersecurity incidents.

Fourth, cybersecurity law should be forward-looking and seek to prevent cybersecurity incidents from ever occurring.[25] Unfortunately, many laws are backward-facing and focus on penalizing companies after incidents have occurred. For example, data breach notification laws impose penalties on companies that have failed to properly notify consumers and regulators about breaches.[26] While notification is key to mitigating harms, cybersecurity laws should place an even greater emphasis on helping to prevent breaches from ever taking place.

Two years after Defining Cybersecurity Law, the article Hacking Cybersecurity Law applied the definition and goals to articulate seven general principles for cybersecurity laws that are better aligned with modern challenges:

1. Informed: Congress, regulatory agencies, executive branch officials, and courts must have a clear and current understanding of the technology and cybersecurity threats and potential solutions before they develop or modify legal rules.
2. Clear: To the greatest extent possible, the private sector must have a clear understanding of their requirements under cybersecurity law.
3. Adaptive: While some cybersecurity laws can include generalizable standards that are easily adaptable to new challenges, others simply fail to anticipate future technology and its cybersecurity impacts. In such cases, Congress should empower a regulatory agency to promulgate regulations that adapt to the new technological reality.
4. Comprehensive: Cybersecurity laws often are conflated with privacy laws, as there is significant overlap. Cybersecurity laws, however, must address more than just the confidentiality of personal information, and also seek to protect from unauthorized alteration of data and attacks such as ransomware that cause data or systems to become unavailable. Cybersecurity laws also must focus not just on financial harms, but any threats to national security or individual privacy or safety.
5. Cohesive: Companies currently face a web of requirements at the state level, and many of these requirements conflict. Governments should attempt, to the greatest extent possible, to align the requirements nationally, in an effort to provide a clear regulatory framework.
6. Global: Just as a unified national policy is necessary, global coordination of cybersecurity regulations and incentives will help to improve the overall efficacy of fighting threats that do not adhere to traditional geographic borders.
7. Collaborative: A number of federal agencies specialize in cybersecurity. The experts in these agencies should work together, rather than in separate silos. These collaborative efforts should stress not only punitive measures, such as criminal enforcement and regulation, but also partnerships such as threat information sharing.[27]

The article proposed a “hacking,” or a “radical change” of cybersecurity law and policy to “position U.S. laws to address not only the imminent cybersecurity threats that we currently face, but it also must provide sufficient flexibility to effectively fight future threats.”[28] The seven principles were intended to “expand on high-level, normative goals that policymakers may apply in their efforts to better align our laws, policies, and government programs with the threats to national security, the economy, and individuals.”[29]

III. Ten Successful Upgrades

The two previous articles focused on gaps in existing cybersecurity laws, regulations, and court precedents. This Article, fortunately, strikes a more optimistic note. Since the publication of Hacking Cybersecurity Law in 2020, Congress, state legislatures, and regulators have made great progress in enacting laws that address urgent cybersecurity challenges. Many of these laws adhere to the broader definition of “cybersecurity law” and achieve some of the seven principles discussed above.

Although the United States continues to have substantial room for improvements, many of the cybersecurity laws, regulations, and policies of the early 2020s are a roadmap for future progress.[30] This Part highlights ten recent legal developments and explains how they achieve the general principles for effective cybersecurity law.

A. Cyberspace Solarium Commission

The first guiding principle articulated in Hacking Cybersecurity Law was “informed.”[31] The article reviewed recent cases in which policymakers failed to grasp important nuances about the technology that they sought to regulate and argued that Congress should revive the Office of Technology Assessment, which was Congress’s internal technology think tank from 1972 to 1995.[32] Despite many years of proposals to revive the Office, as of early 2023, Congress has not yet done so.[33]

However, Congress had another solution to educate itself about cybersecurity law, policy, and technology. In a defense authorization bill passed in 2018, lawmakers included a provision that creates the Cyberspace Solarium Commission, whose mission is “to develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences.”[34] The statute requires members to include top officials in the Department of Homeland Security, Office of the Director of National Intelligence, Federal Bureau of Investigation, and Defense Department, as well as appointees from leaders of both parties in Congress.[35] Four of the Commission members must be members of Congress, and those appointees who are not members of Congress must have expertise in cybersecurity or national security.[36] The Commission is led by two co-chairs, one from the Republican party and one from the Democratic party, driving home its bipartisan nature.[37]

Among the duties that Congress delegated to the Commission are “[t]o weigh the costs and benefits of various strategic options to defend the United States,” and “[t]o evaluate the effectiveness of the current national cyber policy relating to cyberspace, cybersecurity, and cyber warfare to disrupt, defeat and deter cyber attacks.”[38] Congress gave the Commission subpoena power, the ability to hold hearings and place witnesses under oath, and charged it with delivering a final report with its findings.[39]

Once the Commission had its members and staff, it divided into three task forces that gathered data via more than 300 meetings with industry, academic, and government officials, along with more than ten roundtables and seminars at think tanks, and more than twenty meetings with foreign officials and international organizations.[40] After each task force used the data to develop theories of success in cyberspace, they engaged external “red teams” to challenge these theories before the Commissioners “stress-tested” the theories and recommendations.[41]

The result was a 174-page final report, released in March 2020, containing an overarching strategy for “[l]ayered cyber deterrence” along with more than seventy-five supporting recommendations.[42] “We didn’t solve everything in this report,” the Commission’s co-chairs, Sen. Angus King and Rep. Mike Gallagher, wrote in the introduction to the report.[43]

We didn’t even agree on everything. There are areas, such as balancing maximum encryption versus mandatory lawful access to devices, where the best we could do was provide a common statement of principles. Yet every single Commissioner was willing to make compromises in the course of our work because we were all united by the recognition that the status quo is not getting the job done.[44]

The Commission’s recommendations overcame the standard political obstacles that often prevent substantive legislation from becoming law.[45] The annual National Defense Authorization Act, signed into law less than a year after the Commission’s report, included twenty-five recommendations that draw from the Commission’s report.[46] Among them: providing the Department of Homeland Security’s cybersecurity agency with subpoena authority, authorizing the development of a K-12 cybersecurity curriculum, assessing the national security risks of quantum technology, creating an Office of National Cyber Director, and making improvements to the federal government’s recruitment of cybersecurity workforce.[47]

Many factors likely played a part in the Commission’s success. The Commission was truly bipartisan, so a single political party could not claim victory for its achievements. And issues such as cybersecurity workforce development are not as politically divisive as many other issues. But the Commission also benefitted greatly from the in-depth expertise of the members, task forces, and external experts. The Cyberspace Solarium Commission went beyond surface-level partisan rhetoric, digging deep into the technology, operations, and strategy of cyber defense and offense and considering the many nuanced challenges that the United States confronts in cyberspace.

The Cyberspace Solarium Commission’s success helps to make a case for dedicated congressional specialty in cybersecurity. This argument was best articulated in 2020 by Carrie Cordero and David Thaw in a paper arguing for an interim joint select committee for cybersecurity, coordinating the many House and Senate committees that have some jurisdiction over the field and picking up where the Cyberspace Solarium Commission left off.[48]

B. National Cyber Director

Hacking Cybersecurity Law recognized that cybersecurity law must be collaborative, and that current cybersecurity responsibilities are “scattered across departments and independent agencies,” including the Department of Homeland Security, National Security Agency, National Institute of Standards and Technology, the Federal Trade Commission, financial regulators, and many other federal agencies.[49] “In short, many agencies with different leaders and different agendas are charged with shaping U.S. cybersecurity policy, strategy, and enforcement,” the article concluded.[50] The article acknowledged the practical obstacles to centralizing all functions into a “Department of Cybersecurity,” and instead suggested a model akin to the Director of National Intelligence, who synchronizes and coordinates intelligence across sixteen intelligence agencies, noting that “[a] similar cybersecurity-focused office, with sufficient authority and resources, could provide the necessary coordination and expertise-sharing necessary to better combat cybersecurity threats.”[51]

The Cyberspace Solarium Commission recommended such a coordinator, and it was among the most publicized of the Commission’s recommendations included in the 2021 defense law.[52] “The inclusion of the National Cyber Director (NCD) housed in the Executive Office of the President (EOP) is a real game changer,” King and Gallagher said in a statement announcing the recommendations’ passage into law. “The NCD will be the President’s principal advisor for cybersecurity-related issues, as well as lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.”[53]

The statute creates a Senate-confirmed National Cyber Director, reporting directly to the President, who is “the principal advisor to the President on cybersecurity policy and strategy.”[54] The statute also charges the National Cyber Director with advising the National Security Council, Homeland Security Council, and other federal departments on the coordination of cyber efforts, a national cyber strategy, federal government responses to large cyberattacks, and consultations with the private sector on cybersecurity.[55]

The Office of National Cyber Director is a substantial step toward building a collaborative model for cybersecurity. It avoids the drastic step of eliminating and consolidating offices to create a centralized cybersecurity department. Rather, the change is a modest one that allows existing agencies and departments to continue their cybersecurity functions. The National Cyber Director increases collaboration among agencies and ensures that they work symbiotically toward the same national goals.[56]

C. State and Local Government Cybersecurity Act of 2021 and the Federal Rotational Cyber Workforce Program Act of 2021

Congress further bolstered cybersecurity collaboration in June 2022 when it enacted the State and Local Government Cybersecurity Act of 2021 and the Federal Rotational Cyber Workforce Program Act of 2021.[57] While the laws approach cybersecurity from different angles, both aim to help different parts of government work collaboratively to address substantial cybersecurity threats.

The State and Local Government Cybersecurity Act of 2021 sets a framework for collaboration between the Department of Homeland Security’s National Cybersecurity and Communications Integration Center and state, local, and tribal governments.[58] It allows the federal cybersecurity agency to partner with local and state governments for cybersecurity exercises and provide them with training on cyber threat indicators, defensive measures, cybersecurity risks, vulnerabilities, and incident response and management.[59]

The law also authorizes the Center to help state and local governments share cyber threat indicators with the federal government and provide them with technical and operational help on cybersecurity, including for election systems.[60] The Center can also help state and local governments “in developing policies and procedures for coordinating vulnerability disclosures consistent with international and national standards in the information technology industry.”[61]

The State and Local Government Cybersecurity Act of 2021 is collaborative because it encourages the federal government to assist state and local governments in improving their cybersecurity. Crucially, the services are voluntary. State and local governments are not required to take federal assistance, nor is federal help a condition of funding or other federal government benefits given to state and local governments.[62] By positioning the federal government as a partner that is willing to assist, the law builds trust between the levels of government and enables them to work toward the same cybersecurity goals.[63]

The Federal Rotational Cyber Workforce Program Act allows federal employees who specialize in cybersecurity to temporarily rotate to other agencies.[64] The bill had bipartisan support in the House and Senate.[65] “As we have seen, cyberattacks pose a significant threat to our national and economic security and will only continue to grow more sophisticated,” said Sen. Gary Peters, the bill’s lead author. “That is why we need a highly skilled federal cybersecurity workforce that will enhance our nation’s ability to fight back against online threats from foreign adversaries and criminal hackers for years to come.”[66]

The workforce law is collaborative across federal agencies and departments and allows them to share cybersecurity expertise, including knowledge of threats and defensive measures. With the federal government facing a substantial cybersecurity workforce shortage for the foreseeable future, this type of law helps agencies leverage the labor pool to secure federal government systems and information.[67]

D. Biden Cybersecurity Executive Order

Another aspect of collaborative cybersecurity law is effective partnership between the government and the private sector. A decade ago, Scott Shackelford recognized the value of “polycentric” governance in cybersecurity.[68] Hacking Cybersecurity Law called for such cybersecurity governance, or a “coordinated system of self-regulation by companies, incentives, and government regulation.”[69] The private sector owns and controls much of the cyber infrastructure, and it is in the interests of both the government and the companies to increase security and reduce data breaches, ransomware, and other incidents.[70] This requires a rethinking of our traditional approach to industry governance.

In the early days of his administration, President Biden issued Executive Order 14028, which contains many provisions that are designed to break down barriers between the government and private sector, recognizing that they share a common cybersecurity goal because the private sector provides many of the information technology services that the federal government uses.[71] “Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector,” Biden wrote in the executive order’s introduction.[72] “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”[73]

To accomplish that goal, the executive order instructs federal agencies to review contracts with information technology providers for clauses that prohibit the companies from sharing cyber threat information with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other federal agencies.[74] “Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government,” Biden wrote.[75] Likewise, the order makes it the federal government’s policy that federal information technology providers “must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.”[76]

The executive order also instructs the National Institute of Standards and Technology to develop guidelines for securing the software supply chain, recognizing that it, too, is critical for federal government cybersecurity. “There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended,” Biden wrote.[77] “The security and integrity of ‘critical software’—software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)—is a particular concern.”[78]

Biden also charged the Homeland Security Secretary with building a Cyber Safety Review Board, composed of both government officials and members of the private sector.[79] The board is responsible for reviewing and assessing “significant cyber incidents” involving both federal and private sector systems, along with “threat activity, vulnerabilities, mitigation activities, and agency responses.”[80]

The executive order also recognizes the need for collaboration within the federal government. It requires the Homeland Security Secretary to develop a standardized playbook for federal government agencies to respond to cybersecurity incidents.[81] “The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting their systems vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies,” Biden wrote.[82] “Standardized response processes ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.”[83] Likewise, the order requires the federal government to “employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.”[84]

In short, the cybersecurity executive order rejects the earliest approaches to U.S. cybersecurity policy, which addressed the challenges of each sector separately. Under the executive order, the cybersecurity of the government affects the cybersecurity of the private sector, and the cybersecurity of the private sector affects the cybersecurity of the government. By tackling multi-level challenges, such as software supply chain cybersecurity, the executive order attempts to develop a cohesive strategy that does not stop at a particular industry or government agency.

E. State Department Bureau of Cyberspace and Digital Policy

Another principle for effective cybersecurity law included in Hacking Cybersecurity Law is “global.”[85] Many challenges in cyberspace cross international borders. For instance, cybercrimes that harm the United States may originate from other countries, so U.S. laws alone are insufficient to deal with the threats.[86] And some adversaries, such as China and Russia, are highly unlikely to extradite cybercriminals to stand trial in the United States.[87] As Kristen Eichensehr aptly documented in a 2017 article, “many of the private sector’s actions in cybersecurity are outward-facing, stretching well beyond a company’s own property, carrying national and cross-border effect, and in some cases running the risk of sparking international incidents.”[88]

The State Department and Congress have recognized the global nature of cybersecurity challenges by substantially bolstering U.S. cyber diplomacy efforts. On October 27, 2021, Secretary of State Antony Blinken announced the formation of a Bureau of Cyberspace and Digital Policy. “On cyberspace and emerging technologies, we have a major stake in shaping the digital revolution that’s happening around us and making sure that it serves our people, protects our interests, boosts our competitiveness, and upholds our values,” Blinken said in a speech announcing the bureau’s formation. “We want to prevent cyber attacks that put our people, our networks, companies, and critical infrastructure at risk. We want the internet to remain a transformative force for learning, for connection, for economic growth, not a tool of repression.”[89]

In April 2022, the State Department announced the start of the Bureau’s operations and its goal of addressing “the national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.”[90] And at the end of the year, in the defense authorization bill for 2023, Congress codified the Bureau’s duties by including the Cyber Diplomacy Act in the James M. Inhofe National Defense Authorization Act. This statute provides the head of the Bureau with the status of ambassador, and among its duties are “to lead, coordinate, and execute, in coordination with other relevant bureaus and offices, the Department of State’s diplomatic cyberspace, and cybersecurity efforts (including efforts related to data privacy, data flows, internet governance, information and communications technology standards, and other issues that the Secretary has assigned to the Bureau).” Duties also include “promot[ing] international policies to protect the integrity of United States and international telecommunications infrastructure from foreign-based threats, including cyber-enabled threats.”[91]

The Bureau will not be a panacea for the many global cybersecurity challenges that the United States faces. However, it provides an enduring point of contact within the United States for other nations to discuss emerging and often urgent cyberspace issues. The Bureau’s existence increases the likelihood of harmonizing U.S. cybersecurity policies with those of its allies. And it hopefully indicates that the United States will continue to invest substantial resources in shaping international cybersecurity policy and building critical cyberspace alliances.

F. Cyber Incident Reporting for Critical Infrastructure Act

Another characteristic of successful cybersecurity laws is that they are cohesive. As argued in Hacking Cybersecurity Law, “[i]t is difficult—and counterproductive—to subject companies or individuals to a patchwork of inconsistent or conflicting requirements within a single nation.”[92]

Historically, whether companies are required to report cybersecurity incidents has depended on a patchwork of state data-breach notification laws.[93] These laws have important differences, including the types of personal information that trigger a breach notice, the format of the notice, and whether the notice must be filed with state regulators. These laws have many shortcomings.[94] They typically only focus on the confidentiality of personal information, so they do not address other cybersecurity incidents, such as ransomware, which threaten the integrity and availability of data and systems.[95] For more than a decade, cybersecurity experts and companies have complained that the differences in these state laws impede the response to breaches at critical moments, as lawyers are forced to sort through technical differences between dozens of state laws.[96] While all state breach notice laws require notice to individuals in certain circumstances, only some require notice to state officials, such as attorneys general, and there is not a centralized repository of this data.[97] Congress has only passed national data breach laws for particular sectors, such as healthcare and financial institutions.[98]

U.S. cybersecurity law took a significant step toward cohesive breach notifications in March 2022 when President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which sets uniform cybersecurity incident reporting requirements for operators of critical infrastructure.[99] Although the statute is limited to operators of critical infrastructure and does not displace state breach notice laws, it adopts the broad definition of “critical infrastructure” from Presidential Policy Directive 21:[100] “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[101]

Under the new statute, covered critical infrastructure operators must file a report with the Department of Homeland Security’s CISA within seventy-two hours of reasonably believing that they have experienced a cyber incident that is covered by the statute.[102] It also requires critical infrastructure operators to file reports with CISA within twenty-four hours of making ransomware payments.[103] The new statute is cohesive because it sets uniform incident reporting rules for a wide swath of the private sector in the United States.

What types of cybersecurity incidents trigger the reporting requirement? The statute charges the CISA director with issuing a regulation that defines “covered cyber incident” and other key terms, including the types of critical infrastructure operators that are covered.[104] The reporting obligations themselves take effect only when that final rule does, so covered operators should track the rulemaking rather than wait for an enforcement action to learn the boundaries. The statute provides the CISA director with discretion, but also provides some guidelines for the determination. For instance, the regulation’s description of the types of cyber incidents that are covered under the law must, at minimum, cover: (1) “a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes”; (2) “a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”; or (3) “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”[105] The statute then instructs the CISA director merely to consider other factors, including “the sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue” and “potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.”[106] The CISA Director must exclude from the definition “any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system.”[107]

Such nuanced delegation balances two other traits of effective cybersecurity laws: clarity and adaptability. Too many of the first-generation cybersecurity laws merely require “reasonable” cybersecurity practices and punt the question to a judge or jury.[108] At the same time, we must recognize that the legislative process is slow, and codifying cybersecurity laws that are specific to the technology of today could leave us with quickly outdated statutes. Accordingly, the statutes must also have sufficient flexibility to adapt to new technological developments.[109] By delegating rulemaking authority to the CISA director, CIRCIA is sufficiently adaptive to allow regulatory updates that incorporate technological changes. At the same time, it is clear enough to set understandable parameters for those regulations—removing the uncertainty that often accompanies cybersecurity statutes.

G. New York SHIELD Act

Approximately twenty-five states have enacted data security laws as of early 2023, but most merely require “reasonable” data security practices.[110] While such generality allows for flexibility in expectations, it lacks the clarity that helps companies understand their legal obligations.[111]

New York broke with that general tendency toward ambiguity when it passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act.[112] The law, which went into effect in 2020, includes fairly specific requirements for data security among companies that process New York residents’ personal information.[113] The statute states that a company can comply with its requirements by implementing a data security plan that includes: (1) administrative safeguards such as designated security coordinators, risk identification, security control assessment, employee security training, service provider security evaluation, and adjustments to the program to accommodate new circumstances; (2) technical safeguards such as assessments of software and network design, risk assessments of information processing, detection of, prevention of, and response to attacks and system failures, and network testing and monitoring; and (3) physical safeguards such as risk assessments of information storage and disposal, intrusion detection, prevention, and response, protection of information while it is collected, transported, and destroyed, and disposal of personal information in a manner that prevents reconstruction.[114]

Like CIRCIA, the New York SHIELD Act is not so technology-specific that it will become outdated within a few years and require a wholesale legislative revision. However, it is clear enough that it provides companies with some guidelines so that they understand what aspects of their security program are most likely to raise legal issues.

The SHIELD Act also modified New York’s data breach notification law in an important way: while New York’s law, like most other state laws, was traditionally triggered by the unauthorized acquisition of personal information,[115] the SHIELD Act amended the definition of “breach of the security of the system” to “unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.”[116] The law provides businesses with instructions for assessing whether unauthorized access has occurred:

In determining whether information has been accessed, or is reasonably believed to have been accessed, by an unauthorized person or a person without valid authorization, such business may consider, among other factors, indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.[117]

By expanding the breach notification law beyond acquisition and adding unauthorized access, the SHIELD Act increases the likelihood of the notification requirement applying to threats to availability and integrity, rather than only to threats to confidentiality. As Ido Kilovaty has documented, many existing cybersecurity laws fail to adequately cover threats to the availability of data and systems.[118] Addressing not only confidentiality but also integrity and availability is necessary for comprehensive cybersecurity laws.[119] The New York SHIELD Act should serve as a model for states that seek to cover the scope of cybersecurity threats more comprehensively. As described in Part IV, an even more cohesive national cybersecurity legal regime would feature a federal data security and breach notice law that preempts state laws, setting a national standard. But absent the political will in Washington, D.C. to pass such a law, the New York SHIELD Act is a good model for a more modern state data security law. And even if Congress were to pass a federal law, it could incorporate many of the features of the New York law.

H. State Ransomware Bans

States are also beginning to make their cybersecurity laws more comprehensive by addressing ransomware, which is a substantial threat to the availability of systems and data.[120] Among the most frequent and vulnerable targets of ransomware are local and state government agencies, which often face the difficult choice between paying the ransom or being unable to deliver critical services for days or weeks.[121] A 2022 survey of information technology professionals in state and local governments found that fifty-eight percent reported having been the victim of at least one ransomware attack in 2021.[122]

Whether to pay the ransom is a difficult choice. Some government entities have done so; for instance, the University of California paid $1.14 million and Lafayette, Colorado paid $45,000.[123] Yet Baltimore’s refusal to pay a $76,000 ransomware demand in 2019 ultimately cost more than $18 million.[124] While paying ransom might solve the immediate problem of recovering data and access to systems, it could further empower cybercriminals and incentivize them to attack other government agencies. The Federal Bureau of Investigation discourages organizations from paying ransom demands,[125] but it does not have the legal authority to prohibit the payments.

However, states do have the legal authority to prohibit or restrict government agencies’ ransomware payments. In late 2021, North Carolina became the first state to do so.[126] It passed a statute that states: “No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.”[127] The statute requires affected agencies to consult with the state Department of Information Technology if they receive a ransom demand.[128] Rob Main, North Carolina’s Chief Risk Officer, said the law was intended to create a uniform statewide strategy that removes incentive for attackers:

With the law in effect, it takes the decision of whether or not to pay ransom off the table and allows the N.C. Joint Cybersecurity Task Force to streamline the response and recovery phases of effort . . . We believe this law is essential in our cyber defensive posture by disincentivizing threat actors from seeking payment from public sector entities in North Carolina.[129]

North Carolina is not the only state to ban local and state agency ransomware payments. Months after North Carolina’s ban, Florida passed a statute that provides that a state agency, county, or municipal government “experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”[130]

To be sure, the bans received some reasonable criticism.[131] But at the very least, the statutes reflect a deliberate strategic decision to take a uniform approach to the problem. And the laws move past the narrow, confidentiality-centric focus that state cybersecurity laws have taken for two decades. For years, ransomware has been one of the nation’s greatest cybersecurity challenges[132] but states too often ignored the problem and focused on the confidentiality of personal information. These state ransomware strategies are a much-needed break from that trend.

I. Internet of Things Cybersecurity Improvement Act of 2020

Along with more broadly addressing integrity and availability, cybersecurity law must promote the security of physical systems and not just information.[133] As Scott Shackelford aptly noted, connected devices “promise new efficiencies and innovations while also introducing new vulnerabilities.”[134] Laws that focus on the security of personal information do little to ensure that webcams are safe from hackers or that state actors cannot commandeer factories.

The federal government took its first major step toward addressing these challenges at the end of 2020 when Congress passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020.[135] The law, which focuses on the federal government’s use of IoT devices, charges the National Institute of Standards and Technology (NIST) with developing standards for governmental IoT use.[136] Among the topics that the standards must address are “examples of possible security vulnerabilities of Internet of Things devices” and “considerations for managing the security vulnerabilities of Internet of Things devices.”[137] Less than a year after the law’s passage, NIST released Special Publication 800-213, a thirty-nine-page document that instructs federal agencies how to apply existing NIST principles to IoT devices.[138] The statute charges the Office of Management and Budget (OMB) Director with reviewing federal agency policies to ensure that they comply with the NIST IoT standards.[139]

The statute also directs NIST to develop guidelines for reporting and receiving information about IoT device security vulnerabilities.[140] The OMB Director is charged with overseeing the agencies’ use of these guidelines,[141] and DHS is directed to provide agencies with technical assistance.[142] The law’s most aggressive provision prohibits federal agencies from contracting with companies for IoT devices that fail to adhere to the NIST standards.[143]

Although the statute does not go so far as to regulate the cybersecurity of all IoT devices, it indirectly imposes security requirements on many device-makers. Disqualifying noncompliant manufacturers from any federal government business is a harsh penalty, and therefore a strong incentive to comply with the NIST standards.[144] From a strategic standpoint, the law is significant because it is a federal cybersecurity statute that focuses not on the confidentiality of personal information, but on threats to the confidentiality, integrity, and availability of connected devices. Unlike earlier federal cybersecurity efforts, this statute addresses a comprehensive set of problems.

J. FTC Patching Policy

A crucial—yet overlooked—component of cybersecurity law is that it should be forward-looking. Rather than merely penalizing companies after breaches and other cybersecurity incidents have already occurred, laws should have the primary goal of preventing incidents from taking place.[145] While penalizing companies for inadequate security after a breach is a necessary part of that strategy, regulations should focus far more heavily on encouraging companies to take steps to prevent a breach.[146]

One effective example of such encouragement came after the December 2021 disclosure of a vulnerability in Log4j, a widely used Java logging library maintained by the Apache Software Foundation, that allowed attackers to obtain private data and even commandeer affected computers remotely.[147] The Apache Software Foundation quickly released a patch for the vulnerability, but individuals and companies needed to find every copy of the library in their systems and install it.[148]

Within a month of the disclosure, the Federal Trade Commission (FTC) took the rare step of publishing a blog post warning companies of their obligations to patch the Log4j vulnerability.[149] “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the agency wrote.[150] Although no statute explicitly provides the FTC with the authority to regulate data security, the agency has long done so under the Federal Trade Commission Act, which allows it to regulate unfair and deceptive trade practices.[151] In its blog post, the FTC noted that Equifax had paid $700 million to settle claims brought by the FTC and other federal and state regulators arising from a data breach caused by the company’s failure to fix a known vulnerability.[152]

The FTC’s warning is forward-looking because it attempts to persuade companies to patch a vulnerability that could be exploited by hackers. Rather than merely focusing on when and how companies report exploits of Log4j, the FTC is using its authority and publicity to stop the attacks from happening in the first place.

The blog post—while far short of a statute, regulation, or even formal guidance—is also an attempt to clarify and bring more certainty to cybersecurity regulation. For years, the FTC has received criticism for its failure to adequately identify which cybersecurity practices are “reasonable.” As Riana Pfefferkorn correctly observed, this post is part of the FTC’s efforts to better articulate reasonable responsibilities.[153] To continue to provide clarity, the FTC should release additional guidance about patching and other cybersecurity measures, preferably in guidance materials that carry more authority than blog posts.

IV. Future Upgrades

Within a few years, the United States has come a long way toward developing a cohesive and effective legal system for promoting cybersecurity. Thoughtful evaluations, such as the Cyberspace Solarium Commission’s report, have caused policymakers to view cybersecurity as a goal rather than an afterthought.

Despite this progress, there is a long way to go. There always will be because cybersecurity challenges evolve faster than any legislative or regulatory body can anticipate. However, some gaps are particularly urgent and deserve immediate attention from policymakers. This Section highlights five of the most urgent gaps, though many others will emerge as the nation’s challenges evolve.

First, policymakers must continue to stay informed about current and future cybersecurity threats. The Cyberspace Solarium Commission’s comprehensive report[154] was an outstanding achievement and led Congress to pass more than two dozen informed legal reforms.[155] But, the report represented knowledge of cybersecurity threats at a particular point in time—March 2020.[156] The Commission continued to hold public events for more than a year, but its final documented public event was in December 2021.[157] While the Commission’s report remains a vital roadmap for U.S. cybersecurity policy strategy, it is frozen in time. With each year that passes, more technological and political developments have taken place that are not incorporated in the report.

The United States needs a consistent source of cybersecurity information and assessment. This could take many forms. Congress could constitute a specialized cybersecurity committee, as Carrie Cordero and David Thaw have suggested.[158] A centralized cybersecurity committee would allow Congress to investigate emerging problems and develop deliberate solutions, and would enable committee members to develop cybersecurity expertise. Such a system has many advantages over the current structure, in which cybersecurity responsibilities are dispersed among many committees.[159] Or Congress could heed the calls of many policy experts and revive its in-house, nonpartisan technology think tank, the Office of Technology Assessment.[160] Although such an organization would not be as capable as a congressional committee in setting a policy agenda, it could provide lawmakers with much-needed technical expertise as they assess cybersecurity vulnerabilities and develop proposals. Alternatively, Congress could revive—or even make permanent—the Cyberspace Solarium Commission. Although such a move would require a rethinking of the Commission’s operations and goals, it could be an effective way to continue providing Congress with informed cybersecurity policy proposals. The Commission has already proven its efficacy and value, so it could ensure that Congress continues to be informed about emerging cybersecurity issues.

Second, the United States needs a far more cohesive national cybersecurity regulatory regime.[161] While CIRCIA[162] is a positive step toward setting a national breach reporting requirement for certain critical infrastructure operators, such a federal requirement remains an anomaly in cybersecurity law. State legislatures continue to dictate many requirements both for reporting data breaches[163] and securing personal information.[164] And some states are including data security measures in their new data protection laws, such as the California Consumer Privacy Act.[165] The United States should build on CIRCIA and expand it beyond both critical infrastructure and incident notification. CIRCIA can set a model for a national law for cybersecurity incident notification and cybersecurity requirements. As with CIRCIA, the statute should provide concrete standards, such as the timeframe in which businesses must notify stakeholders about cybersecurity incidents and the general types of information and systems that require protection. The statute should also delegate technology-specific rulemaking to the FTC or another agency to ensure it does not become outdated, particularly regarding technologies that require specific types of cybersecurity technical controls. The requirements should be strong, but they also should preempt inconsistent state laws. The goal should be to have a cohesive and effective national law for cybersecurity incident notification and safeguards. While it would be naïve to assume that such a compromise would be an easy political task, all stakeholders should attempt to reach a compromise. A state-by-state cybersecurity legal patchwork was unworkable two decades ago, and it has become even more so now as the complexity and magnitude of the challenges have grown.

Third, federal efforts to regulate cybersecurity must be comprehensive, and address not only confidentiality but integrity and availability.[166] They must protect both public and private systems and information.[167] And, they must focus not only on personal information but on economic harm and national security.[168] Unfortunately, cybersecurity often plays second fiddle to privacy in discussions of national legal reform, and the issues are often conflated.[169] For instance, one of the most discussed privacy bills in 2022 was the American Data Privacy and Protection Act.[170] The vast majority of the bill deals with privacy issues such as loyalty duties,[171] privacy by design,[172] consent rights,[173] and children’s privacy.[174] Only one small section of the bill covers data security and it focuses entirely on the confidentiality of personal information.[175] The bill merely requires companies to “maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition.”[176] It lists only seven specific requirements: vulnerability assessment, preventive and corrective actions, evaluations of those actions, information retention and disposal, training, designation, and incident response.[177] The statute allows the FTC to issue security regulations.[178] While this is a reasonable approach to personal data security—and a far more comprehensive one than is seen in many state data security laws—it only addresses a narrow aspect of cybersecurity. For instance, the bill would do little to protect trade secrets. And it probably would not address ransomware or similar attacks, such as NotPetya.[179] While supporters of the bill might argue that addressing personal data confidentiality is better than not addressing it at all, it would be far more effective to regulate cybersecurity comprehensively in a standalone cybersecurity bill that is not narrowly focused on personal information.

Fourth, the U.S. cybersecurity legal system must continue to recognize the reality of the global nature of the cybersecurity threat and the inability of existing international legal norms to address the problem.[180] Many of our most persistent and dangerous cybersecurity problems arise not domestically but from China, Iran, North Korea, and Russia.[181] While computer crime statutes like the Computer Fraud and Abuse Act (CFAA)[182] will always be an important part of the equation in the fight for cybersecurity, policymakers must realize that many of the most persistent malign actors will never be extradited to U.S. courtrooms because they are located in countries that are not part of the Budapest Convention or do not otherwise have extradition arrangements with the United States.[183] Accordingly, the United States must continue to focus on securing both public and private systems from international threats. This will require a close assessment of the efficacy of DHS’s civilian cybersecurity assistance apparatus and an evaluation of whether these efforts require more funding or elevation within the federal government.

Although a federal “Department of Cybersecurity” has many drawbacks—including the substantial price tag of creating a new agency—it is at least worth considering whether such an organization would result in more support for civilian cybersecurity. On the offensive end, Congress should evaluate whether to provide tools for imposing even harsher sanctions against nations that are the source of our most damaging cybersecurity attacks. The United States should focus not only on its defenses but the defenses of allies who are facing attacks from many of the same adversaries. For instance, the United States should consider taking a strong and unequivocal position that international law permits the use of collective cyber countermeasures; that is, countries can assist their allies in taking steps to prevent violations of their sovereignty and other actions in cyberspace that violate international law.[184] By helping our allies, the United States also gains an advantage against adversaries and blunts the impacts of their attacks.

Fifth, while regulation will remain an important component in bolstering cybersecurity, the United States must continue to find a better balance of carrots and sticks.[185] The creation and expansion of CISA within DHS has been a significant step in that direction. Local, state, and federal policymakers should continue to explore opportunities in which they can help companies and individuals better secure their data and systems. For instance, educating end users about cybersecurity can help prevent phishing and other attacks that rely on the deception of humans. But a 2020 survey of 918 K–12 educators by the EdWeek Research Center found that the United States is not prioritizing K–12 cybersecurity education: fewer than half of respondents said that their students were learning anything about cybersecurity in school.[186] “Many key topics, including cryptography, systems engineering, artificial intelligence, and electricity are rarely taught in schools,” the report concluded. “Likely as a result of this infrequent and uneven access, educators say most students are not well-informed about the educational and career requirements associated with cybersecurity jobs.”[187] Cybersecurity education could also help spark interest in the field among young students, and eventually close the substantial gap between supply and demand for qualified cybersecurity workers. Education is just one example of a path that policymakers can take to further assist the private sector and individuals in improving their cybersecurity. The government could further invest in programs to share cyber threat information with the private sector, and state legislatures can ensure that state and local law enforcement have sufficient funding for local experts who can assist businesses after they experience a cybersecurity incident.

V. Conclusion

In the first few years of the 2020s, cybersecurity law in the United States transformed from an amorphous concept to a serious endeavor. More than a quarter-century after the emergence of the commercial internet, federal, state, and local policymakers finally recognize the need for a distinct body of law that promotes the security of systems, networks, information, and connected devices. They are investing in the necessary governmental infrastructure and passing laws that have well-defined goals. That is not to say that cybersecurity law is a utopia—or anything close to a utopia. Many rules continue to rely on outdated technical and legal concepts, and too many areas remain unaddressed at the federal level. Although the nation has much work ahead, policymakers have charted a clear path forward as they continue to upgrade the nation’s cybersecurity laws.


  1. Pam Greenberg, With Attacks on the Rise, Lawmakers Harden Cybersecurity, Nat’l Conf. of State Legislatures (Mar. 15, 2022), https://www.ncsl.org/state-legislatures-news/details/with-attacks-on-the-rise-lawmakers-harden-cybersecurity [https://perma.cc/V996-7YG8].

  2. State of Security 2022 Report Reveals Increase in Cyberattacks While Security Talent Remains Scarce, Splunk (Apr. 12, 2022), https://www.splunk.com/en_us/newsroom/press-releases/2022/state-of-security-2022-report-reveals-increase-in-cyberattacks-while-security-talent-remains-scarce.html [https://perma.cc/R4ZH-R87B] (“Ninety percent of organizations reported that they have increased their focus on third-party risk assessments as a result of those high-profile attacks. In my 20 years in IT security, I’ve never seen software supply chain threats given this level of visibility.”).

  3. See Justin Henry, The Law Firms That Get Hired When a Firm Is Hacked, Am. Law. (Aug. 16, 2022, 3:40 PM), https://www.law.com/americanlawyer/2022/08/16/afirms-tech-firm-the-law-firms-that-get-hired-when-afirm-is-hacked/ [https://perma.cc/B9BZ-CCHC] (click “Go to Lexis” or “Go to Bloomberg Law”) (“As each month brings a new round of cybersecurity incidents in the legal industry—more than 50 in 2022 so far—a select set of players in the Am Law 200 have emerged as the most frequently retained by fellow law firms for the prevention of and response to a data breach, according to a review of recently filed data incident notifications by The American Lawyer.”).

  4. See Privacy vs. Security: What’s the Difference?, Norton (Jan. 18, 2021), https://us.norton.com/blog/privacy/privacy-vs-security-whats-the-difference [https://perma.cc/54ST-WWTM].

  5. Cybersecurity Risk Management: How to Take Action Against Identity Theft, Nat’l Ass’n of Ins. Comm’rs (Mar. 7, 2022), https://content.naic.org/article/cybersecurity-risk-management-how-take-action-against-identity-theft [https://perma.cc/A38A-3XSQ].

  6. See generally Jeff Kosseff, Defining Cybersecurity Law, 103 Iowa L. Rev. 985 (2018) [hereinafter Kosseff, Defining Cybersecurity Law].

  7. See generally Jeff Kosseff, Hacking Cybersecurity Law, 2020 U. Ill. L. Rev. 811 (2020) [hereinafter Kosseff, Hacking Cybersecurity Law].

  8. Id. at 814.

  9. JCDILLIN, Software Upgrade vs. Update: What Is the Difference?, Advanced Comput. Consulting (Oct. 22, 2018), https://www.advancedcpc.com/blog/software-upgrade-vs-update-what-difference [https://perma.cc/X4WW-XLN4].

  10. Upgrade, PC Mag. Encyc., https://www.pcmag.com/encyclopedia/term/upgrade [https://perma.cc/82KW-6K42] (last visited July 21, 2023).

  11. Kosseff, Defining Cybersecurity Law, supra note 6, at 1011–20.

  12. Id. at 988.

  13. Id. at 994.

  14. Id. at 989–1010.

  15. Id. at 1024–25, 1029 (“[C]onfidentiality is an overwhelming focus of many of our cybersecurity laws. Such a focus is necessary and understandable, as confidentiality is closely linked to privacy, and privacy law has existed for more than a century, long before the development of the modern computer. Indeed, confidentiality is easily addressed in regulatory requirements that result in liability for companies that experience data breaches. However, cybersecurity laws should focus not exclusively on threats to confidentiality, but also on threats to integrity (such as the deletion of important trade secrets or website defacement) and availability (such as denial-of-service attacks).”).

  16. Id. at 999–1000 (“The security of public infrastructure often will face quite different legal requirements than the security of private infrastructure. However, the policymakers should consider the security of both types of systems and networks comprehensively, and understand how the security (or lack thereof) of one affects the other.” (citation omitted)).

  17. Id. at 1001 (“This debate often appears to be a binary choice: coercive laws that deter inadequate cybersecurity versus cooperative laws that provide incentives for companies and government agencies to invest in cybersecurity. I propose that cybersecurity law focus on both coercive and cooperative laws, provided that the regulations and incentives for both systems are aligned to achieve similar goals.” (citation omitted)).

  18. Id. at 1010.

  19. Id. at 1010–24.

  20. Id. at 1024–25.

  21. Id. at 1025–28.

  22. Id. at 1011, 1014.

  23. Id. at 1028–30.

  24. Id. at 1001–03.

  25. Id. at 1030.

  26. Id. at 1029–30.

  27. Kosseff, Hacking Cybersecurity Law, supra note 7, at 813–14.

  28. Id. at 849.

  29. Id.

  30. See infra Part IV for a discussion of potential improvements.

  31. Kosseff, Hacking Cybersecurity Law, supra note 7, at 819.

  32. Id. at 820–21.

  33. See Darrell M. West, It Is Time to Restore the US Office of Technology Assessment, Brookings (Feb. 10, 2021), https://www.brookings.edu/articles/it-is-time-to-restore-the-us-office-of-technology-assessment/ [https://perma.cc/PVF8-WHYA] (“Bringing back a reconstituted U.S. Office of Technology Assessment would offer an organizational mechanism to address tech problems and provide legislators with up-to-date information on this vital sector. With problems ranging from worker impact, ethics, and bias to human safety, inequality, and governance, it is time to restore this organization and provide guidance over the technology sector.”); Written Testimony of Zach Graves, Head of Policy, Lincoln Network Before the Select Comm. on the Modernization of Cong., U.S. House of Representatives (Mar. 25, 2021), https://lincolnpolicy.org/wp-content/uploads/2021/03/Zach-Graves-Written-Testimony-Modernization-Committee-3-25-2021-4.pdf [https://perma.cc/4TB3-BR28] (“The role of expertise in the legislative branch support agencies should thus be to inform Members of Congress about the social, economic, and technical implications of policy choices. Importantly, determinations about resolving values conflicts are left to elected representatives rather than expert bureaucracies, implemented by staff accountable to them. This differentiates the function of expertise in Congress as serving democratic rather than technocratic ends.” (citation omitted)).

  34. John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. No. 115-232, § 1652(a)(1), 132 Stat. 2140–41 (2018).

  35. Id. § 1652(b)(1)(A).

  36. Id. § 1652(b)(1)(A)–(b)(1)(B)(i).

  37. Id. § 1652(b)(2).

  38. Id. § 1652(f)(2), (6).

  39. Id. §§ 1652(g)(1)(A)–(B), (k)(1).

  40. Sen. Angus King & Rep. Mike Gallagher, Cyberspace Solarium Comm’n 21 (2020).

  41. Id. at 21–22.

  42. Id. at 23, 123–26, 174.

  43. Id. at vi.

  44. Id.

  45. NDAA Enacts 25 Recommendations from the Bipartisan Cyberspace Solarium Commission, Cyberspace Solarium Comm’n (Jan. 2, 2021), https://www.solarium.gov/press-and-news/ndaa-override-press-release [https://perma.cc/L67L-3BWN].

  46. Id.

  47. Id.

  48. See Carrie Cordero & David Thaw, Rebooting Congressional Cybersecurity Oversight, Ctr. for a New Am. Sec. (Jan. 30, 2020), https://www.cnas.org/publications/reports/rebooting-congressional-cybersecurity-oversight [https://perma.cc/EPT3-4MMT] (“Thus, we recommend the establishment of an interim joint select committee to begin work in the 117th Congress, which will commence in January 2021. Ideally, this would take the form of a joint select committee with combined House and Senate membership, and equal numbers from each political party. A select committee could be charged not only with initiating direct inquiries, but also with coordinating the activities of other committees that relate to cybersecurity issues. The committee, in addition to coordinating across both chambers, could be charged with producing specific reports or proposed legislation by a given deadline.” (citations omitted)).

  49. See Kosseff, Hacking Cybersecurity Law, supra note 7, at 844–47.

  50. Id. at 847.

  51. Id. at 847–48.

  52. NDAA Enacts 25 Recommendations from the Bipartisan Cyberspace Solarium Commission, supra note 45; see Angus King, King Hails “Major Step Forward” on Cybersecurity After Inglis Sworn in as National Cyber Director, Angus King U.S. Senator for Me. (July 12, 2021), https://www.king.senate.gov/newsroom/press-releases/king-hails-major-step-forward-on-cybersecurity-after-inglis-sworn-in-as-national-cyber-director [https://perma.cc/C5EM-K9DG].

  53. NDAA Enacts 25 Recommendations from the Bipartisan Cyberspace Solarium Commission, supra note 45.

  54. 6 U.S.C. § 1500(b)(1), (c)(1)(A) (Supp. III 2022).

  55. Id. § 1500(c)(1)(B)–(D), (F) (Supp. III 2022).

  56. See id. § 1500(c)(1)(C)(i).

  57. State and Local Government Cybersecurity Act of 2021, Pub. L. No. 117-150, sec. 2, § 2201(7), § 2209(p), 136 Stat. 1295, 1295–96 (2022); Federal Rotational Cyber Workforce Program Act of 2021, Pub. L. No. 117-149, sec. 4, 136 Stat. 1289, 1290 (2022).

  58. NCCIC ICS, Nat’l Cybersecurity and Comm’ns Integration Ctr., https://www.cisa.gov/sites/default/files/FactSheets/NCCIC ICS_FactSheet_NCCIC ICS_S508C.pdf [https://perma.cc/V4JP-DQPY] (last visited Sept. 4, 2023).

  59. State and Local Government Cybersecurity Act of 2021 § 2209(p)(1)(A)–(B).

  60. Id. § 2209(p)(1)(C)–(G).

  61. Id. § 2209(p)(1)(H).

  62. See 6 U.S.C. § 659(h)(1)(A) (2019).

  63. See State and Local Government Cybersecurity Act of 2021 § 2209(p)(1)(G)–(H).

  64. Federal Rotational Cyber Workforce Program Act of 2021, sec. 2(4), 3(a)(1), 4(a)(1), 4(b)(1), 4(c)(3)(A)–(B), 136 Stat. 1289, 1290 (2022).

  65. See John Hewitt Jones, Biden to Sign Bill to Create Rotational Program for Federal Cybersecurity Workforce, Fedscoop (May 11, 2022), https://fedscoop.com/biden-to-sign-bill-to-create-rotational-program-for-federal-cybersecurity-workforce/ [https://perma.cc/Q8C7-5V7P].

  66. Id.

  67. Fed. Cyber Workforce Mgmt. and Coordinating Working Grp., State of the Federal Cyber Workforce: A Call for Collective Action 6 (2022), https://digital.va.gov/wp-content/uploads/2022/10/State-of-the-Federal-Cyber-Workforce-Report_2022.pdf [https://perma.cc/RCB9-KHHZ].

  68. Scott J. Shackelford, Toward Cyberpeace: Managing Cyberattacks Through Polycentric Governance, 62 Am. U. L. Rev. 1273, 1284 (2013) (“[A] polycentric approach recognizes that diverse organizations and governments working at multiple levels can create policies that increase levels of cooperation and compliance, enhancing ‘flexibility across issues and adaptability over time.’”).

  69. Kosseff, Hacking Cybersecurity Law, supra note 7, at 848–49.

  70. Id. at 812–14, 843.

  71. See Exec. Order No. 14028, 3 C.F.R. 556, 561, 565–66 (2021).

  72. Id. at 556.

  73. Id.

  74. Id. at 556–57.

  75. Id.

  76. Id. at 557.

  77. Id. at 561–62.

  78. Id. at 561.

  79. Id. at 565–66.

  80. Id.

  81. Id. at 561.

  82. Id. at 567.

  83. Id.

  84. Id. at 568.

  85. See Kosseff, Hacking Cybersecurity Law, supra note 7, at 841–44.

  86. Id. at 841–42.

  87. Id.

  88. Kristen E. Eichensehr, Public-Private Cybersecurity, 95 Tex. L. Rev. 467, 509 (2017).

  89. Secretary Antony J. Blinken on the Modernization of American Diplomacy, U.S. Dep’t State (Oct. 27, 2021), https://www.state.gov/secretary-antony-j-blinken-on-the-modernization-of-american-diplomacy/ [https://perma.cc/8KNB-XQFV].

  90. Establishment of the Bureau of Cyberspace and Digital Policy, U.S. Dep’t State (April 4, 2022), https://www.state.gov/establishment-of-the-bureau-of-cyberspace-and-digital-policy/ [https://perma.cc/Z7MV-C9FK].

  91. James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263, sec. 9502, § 2651a(3)(i)(1), (3)(i)(2)(B)(ii), (3)(i)(2)(B)(xiii), 136 Stat. 2395, 3898–900 (2022).

  92. Kosseff, Hacking Cybersecurity Law, supra note 7, at 837.

  93. Kosseff, Defining Cybersecurity Law, supra note 6, at 1014 (“Because state breach-notification laws apply based on the residency of the individuals, companies with customers in all 50 states must sort through each of these laws at a time when they could otherwise be remediating the breach.”).

  94. Id. at 1014–15 (“Each notification law requires notice only if an unauthorized party has acquired certain types of customer information. Typically, breach-notification laws require reporting if there has been unauthorized disclosure of an individual’s name along with a Social Security number, driver’s license or state identification number, or financial account number and access code. However, some states have added categories of information that trigger a notification requirement. North Dakota, for instance, also requires notification of the disclosure of a date of birth, mother’s maiden name, and other information. Moreover, some statutes only require notification if the company determines that the breach poses a reasonable likelihood of harm to consumers, while others require notification regardless of the risk of harm.” (citations omitted)).

  95. Id. at 1000, 1015, 1020 (“Even to the extent that data breach notifications deter some future breaches, they only address a small part of the cybersecurity landscape. The breach-notification laws, like data security laws, focus entirely on confidentiality of data rather than on integrity or availability. If a cyberattack knocks Internet-connected cameras offline, for example, the camera manufacturer is not required to report the incident to consumers or regulators.”).

  96. See Amber Corrin, ‘Patchwork’ of State Laws Complicates Data Breach Response, Nextgov/FCW (Feb. 14, 2014), https://www.nextgov.com/cybersecurity/2014/02/patchwork-of-state-laws-complicates-data-breach-response/255658/ [https://perma.cc/M9WT-ZXTS] (“The discrepancies further complicate an already complex process for investigating public or private data breaches, including examining networks to determine where breaches occurred, what information was accessed and who needs to be notified. Currently, there is not much in the way of a standard for that activity and, perhaps more importantly, no timeline for when the work needs to be completed.”).

  97. Jeff Kosseff, Cybersecurity Law 46–47, 50, 52 (John Wiley & Sons, Inc. 3d ed. 2023).

  98. Chris D. Linebaugh, Cong. Rsch. Serv., LSB10210, What Legal Obligations Do Internet Companies Have to Prevent and Respond to a Data Breach? 1–2 (2018).

  99. Cyber Incident Reporting for Critical Infrastructure Act of 2022, Pub. L. 117-103, 136 Stat. 1038 (2022) (codified in scattered sections of the U.S.C.).

  100. 6 U.S.C. §§ 681(4), 681d(f).

  101. The White House Off. of the Press Sec’y, Presidential Policy Directive: Critical Infrastructure Security and Resilience 12 (2013).

  102. 6 U.S.C. §§ 101(5), 652(a)(1), 652(b)(1), 681b(a)(1)(A) (Supp. IV 2018).

  103. Id. § 681b(a)(2)(A).

  104. Id. § 681b(b)–(c).

  105. Id. § 681b(c)(2)(A).

  106. Id. § 681b(c)(2)(B)(i), (iii).

  107. Id. § 681b(c)(2)(C)(i).

  108. See Kosseff, Hacking Cybersecurity Law, supra note 7, at 826–27 (“The regulatory requirements, however, must strike a better balance between ‘reasonableness standards’ and specific requirements, and, currently, the law is too skewed toward reasonableness. While a number of different combinations of safeguards, when considered as a whole, might be considered reasonable, companies should at least have a concrete understanding of some types of precautions that would satisfy this standard.”).

  109. Id. at 828 (“Cybersecurity law should be capable of changing at the same pace as cybersecurity threats and defensive measures. Therefore, if a legal rule (such as a statute) is incapable of being adjusted frequently due to constraints such as the political difficulty of enacting new legislation, then it is understandable to avoid codifying a particular technological requirement that currently is state-of-the-art, but may well be antiquated within a few years.”).

  110. Kosseff, supra note 97, at 46, 52–53 (“Of the data security laws, most are relatively flexible, requiring companies to implement reasonable security procedures but not specifying precisely what constitutes ‘reasonable.’”).

  111. Kosseff, Hacking Cybersecurity Law, supra note 7, at 823–24 (“Even a well-intentioned company that genuinely wants to comply with the expectations of lawmakers and regulators may be unable to do so, as they are left guessing as to what ‘reasonableness’ means.”).

  112. N.Y. Gen. Bus. Law §§ 899-aa(2)–(10), 899-bb(2) (McKinney 2019).

  113. Id. § 899-bb(2)(a), (b)(ii), (c).

  114. Id. § 899-bb(2)(b)(ii).

  115. S.B. 5575, 2019–2020 Reg. Sess. (N.Y. 2019).

  116. Id. (emphasis added).

  117. Gen. Bus. Law § 899-aa(1)(c).

  118. Ido Kilovaty, Availability’s Law, 88 Tenn. L. Rev. 69, 73 (2020) (“The interest in safeguarding availability, therefore, is equal to the interests in preserving confidentiality and integrity in the information technology context because all three aspects are equal parts of information security.”).

  119. See Kosseff, Hacking Cybersecurity Law, supra note 7, at 833 (“In short, policymakers should be concerned about threats to confidentiality, integrity, and availability. Unfortunately, U.S. cybersecurity laws primarily focus on protecting confidentiality, and, to a lesser extent, availability.”).

  120. See Kilovaty, supra note 118, at 84 (“After all, availability attacks do not directly compromise any sensitive information. Moreover, even if a breach does affect the confidentiality of personal information, statutes largely narrow down the types of compromised information that would require a breach notification. This narrow scope of applicability may ignore a large chunk of cybersecurity incidents that consumers actually care about, including massive DDoS or ransomware attacks.” (citation omitted)).

  121. See Ionut Arghire, FBI Warns of Ransomware Attacks Targeting Local Governments, Sec. Wk. (Apr. 1, 2022), https://www.securityweek.com/fbi-warns-ransomware-attacks-targeting-local-governments/ [https://perma.cc/TT3S-SRTB] (“According to the FBI, local government entities within the government facilities sector (GFS) represented the second most targeted group following academia, based on victim incident reporting throughout 2021. Last year, smaller counties and municipalities represented the majority of victimized local government agencies, ‘likely indicative of their cybersecurity resource and budget limitations,’ the FBI says.”); Daniel Thomas, The State of Ransomware in State and Local Government, SC Media (Nov. 11, 2022), https://www.scmagazine.com/resource/the-state-of-ransomware-in-state-and-local-government [https://perma.cc/Y22Y-FXRQ] (“Compared to the private sector, state and local agencies stand to lose considerably more by the simple virtue of their responsibilities as public servants. Weakened trust in civic institutions, loss of personally identifiable citizen data, and shuttering of critical services are just some of the consequences resulting from a successful ransomware attack on the public sector.”) (“State and local government agencies are particularly attractive to attackers due to several known weak areas in government-level cybersecurity . . . .”).

  122. Thomas, supra note 121.

  123. Elad Leon, As Governments Shun Ransomware Payments, Cyberattacks May Cost Taxpayers Even More, Hill (Aug. 25, 2022, 12:00 PM), https://thehill.com/opinion/cybersecurity/3615343-as-governments-shun-ransomware-payments-cyberattacks-may-cost-taxpayers-even-more/ [https://perma.cc/9UYJ-N9DF].

  124. Baltimore: Ransomware Attack Will Cost at Least $18M, Associated Press (May 30, 2019, 4:10 AM), https://apnews.com/article/8935f7a199884d648bf5319f5b0e5498 [https://perma.cc/AEW8-DAGM].

  125. Ransomware, Fed. Bureau Investigation, https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/ransomware [https://perma.cc/5YCJ-BE83] (last visited Aug. 15, 2023) (“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”).

  126. See Paul Bischoff, Ransomware Attacks Cost the US $159.4bn in Downtime Alone in 2021, Comparitech, https://www.comparitech.com/blog/information-security/us-ransomware-attacks-cost/ [https://perma.cc/6YHE-XDJJ] (last updated July 19, 2022).

  127. N.C. Gen. Stat. § 143-800(a) (2023).

  128. Id. § 143-800(b).

  129. Jonathan Greig, An Inside Look Into States’ Efforts to Ban Gov’t Ransomware Payments, Rec. (Aug. 22, 2022), https://therecord.media/an-inside-look-into-states-efforts-to-ban-govt-ransomware-payments [https://perma.cc/H2AZ-LSNQ].

  130. Id.; Fla. Stat. Ann. § 282.3186 (West 2023).

  131. See, e.g., Allan Liska, Why the North Carolina Ransomware Law Won’t Help, ransomware.org (June 6, 2022), https://ransomware.org/blog/why-the-north-carolina-ransomware-law-wont-help/ [https://perma.cc/M98U-P5RZ] (“No ransomware group is going to say, ‘Oh this is a local government in North Carolina, I am going to leave the network.’ Instead, what they are likely to do is steal as much sensitive information as possible to sell later—and if the government holds firm on not paying the ransom, destroy as much of the network as possible. Just as they would any victim making similar proclamations.”).

  132. See Bischoff, supra note 126 (“In 2021, 576 U.S. organizations fell victim to ransomware. This affected at least 34.1 million records and resulted in a cost of $159.4 billion in downtime alone. Entities may have faced further costs as they offered identity theft protection for affected customers, restored affected computers, and tried to improve their systems to ward off future attacks.”).

  133. See Kosseff, Defining Cybersecurity Law, supra note 6, at 999 (“A focus on integrity and availability is particularly important in the Internet of Things era, as everyday devices, ranging from medical devices to kitchen appliances to automobiles, are connected to the Internet. Imagine the chaos if hackers manage to disable thousands of pacemakers, or cause vehicles to accelerate to 100 miles per hours [sic] as they drive through Times Square. Such attacks have little to do with confidentiality of information, and instead involve the integrity and availability of systems and networks.” (citation omitted)).

  134. Scott J. Shackelford, Smart Factories, Dumb Policy? Managing Cybersecurity and Data Privacy Risks in the Industrial Internet of Things, 21 Minn. J.L. Sci. & Tech. 1, 3–4 (2019).

  135. Internet of Things Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207, 134 Stat. 1001 (2020) (codified at 15 U.S.C. §§ 271, 278g–3a to e).

  136. 15 U.S.C. § 278g–3b(a)(1) (Supp. III 2019–2022).

  137. § 278g–3b(a)(2).

  138. Nat’l Inst. of Standards & Tech., Spec. Pub. No. 800–213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (2021).

  139. § 278g–3b(b)(1).

  140. § 278g–3c(a)(1).

  141. § 278g–3c(d).

  142. § 278g–3c(e).

  143. § 278g–3e(a)(1).

  144. See Daniel K. Alvarez et al., IoT Cybersecurity Improvement Act of 2020, Willkie Farr & Gallagher LLP (Dec. 16, 2020), https://www.willkie.com/-/media/files/publications/2020/12/iot_cybersecurity_improvement_act_of_2020.pdf [https://perma.cc/F3PQ-P8L7] (“Given the scale and breadth of products the Federal government may seek to purchase that are likely to fall within the ambit of the new regulations, the IoT Act will likely influence manufacturers and services providers to incorporate the new minimum standards into products available on the general market.”).

  145. See Kosseff, Defining Cybersecurity Law, supra note 6, at 1006 (“To the greatest extent possible, cybersecurity law should be forward-looking. Cybersecurity law should prevent cybersecurity incidents from ever occurring, and if incidents do occur, cybersecurity law should help companies and government recover as quickly as possible and prevent future harmful events.”).

  146. Id. (“[M]any of our laws are backward-looking. They require companies and regulators to litigate the minute details of incidents that already have occurred. In some cases, such retrospection may be valuable, as it can help companies and governments avoid repeating past mistakes. However, the ultimate focus always should be on preventing additional attacks and losses from occurring in the future.”).

  147. Santiago Torres-Arias, What is Log4j? A Cybersecurity Expert Explains the Latest Internet Vulnerability, How Bad It Is and What’s at Stake, The Conversation (Dec. 22, 2021, 8:12 AM), https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896 [https://perma.cc/U2RZ-9MLV].

  148. Jonathan Greig, Apache Releases New 2.17.0 Patch for Log4j to Solve Denial of Service Vulnerability, ZDNet (Dec. 18, 2021), https://www.zdnet.com/article/apache-releases-new-2-17-0-patch-for-log4j-to-solve-denial-of-service-vulnerability/ [https://perma.cc/T8LQ-376B].

  149. FTC Warns Companies to Remediate Log4j Security Vulnerability, Fed. Trade Comm’n (Jan. 4, 2022), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability [https://perma.cc/84KW-F2YM].

  150. Id.

  151. See Kosseff, Defining Cybersecurity Law, supra note 6, at 1011–12.

  152. FTC Warns Companies to Remediate Log4j Security Vulnerability, supra note 149.

  153. Riana Pfefferkorn, Why the FTC Is Telling Companies to Patch Log4j Vulnerabilities, Brookings (Jan. 13, 2022), https://www.brookings.edu/articles/why-the-ftc-is-telling-companies-to-patch-log4j-vulnerabilities/ [https://perma.cc/3EUX-TMAR] (“I interpret this as the FTC’s attempt to put the country on notice that failure to patch the Log4j vulnerabilities risks subjecting a company to punishment.”).

  154. See generally King & Gallagher, supra note 40.

  155. See supra Section III.A.

  156. See King & Gallagher, supra note 40, at v.

  157. See Upcoming Events, Cyberspace Solarium Comm’n, https://www.solarium.gov/events [https://perma.cc/NGV7-RBPC] (last visited July 21, 2023).

  158. See Cordero & Thaw, supra note 48.

  159. Id. (“Existing mechanisms for congressional cybersecurity oversight are likewise disjointed and uncoordinated. Unlike in many other policy areas, there is no one clear committee or clear set of committees responsible for cybersecurity issues. These are divided among many committees in both the House of Representatives and the Senate, often along historical lines that may not match current expertise.”).

  160. See Bianca Majumder, Congress Should Revive the Office of Technology Assessment, Ctr. for Am. Progress (May 13, 2019), https://www.americanprogress.org/article/congress-revive-office-technology-assessment/ [https://perma.cc/SXS2-8LE6] (“Reviving the OTA would enshrine a congressional commitment to acknowledge the growing influence science and technology play in arenas of government jurisdiction as well as to concertedly and knowledgably act on this influence when called for. The need for a functionally independent legislative resource for science and technology is growing at an unignorable pace, and the United States must get smart on these subjects.”).

  161. See Carol Li, A Repeated Call for Omnibus Federal Cybersecurity Law, 94 Notre Dame L. Rev. 2211, 2231, 2241 (2019) (“The benefits of federalism are outweighed by the increasingly evident costs for companies attempting to secure themselves from not just hackers, but also liability. Data security has become a national security issue urgently requiring a national solution.”).

  162. See supra Section III.F.

  163. See Kosseff, supra note 97, at 46 (“All 50 states and the District of Columbia have enacted such laws, which require companies and government agencies to notify consumers, regulators, and credit bureaus about data breaches under specified circumstances. A company must be aware of every state’s breach notification law, even if it does not have any employees or property in that state. Each breach notification law applies to the unauthorized acquisition of information belonging to the state’s residents, provided that the company conducts business in the state—a low threshold.”).

  164. Id. at 52 (“As of early 2022, more than 25 states have enacted statutes that impose data security requirements on companies that own or process personal information from the states’ residents. As with the data breach notification laws, the location of a company’s headquarters is irrelevant to determining whether these laws apply to the company. Instead, a state’s data security law generally will apply if a company owns or processes personal information of even one resident of that state.”).

  165. Cal. Civ. Code § 1798.150 (West 2023) (providing a private right of action to Californians whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”).

  166. See Kosseff, Defining Cybersecurity Law, supra note 6, at 998–99 (“To be sure, we want to make sure that cybersecurity law attempts to prevent breaches of confidentiality that invade individual privacy and exposes corporate intellectual property and other sensitive information. However, cybersecurity law should not focus on confidentiality to the exclusion of integrity and availability.”).

  167. Id. at 1000 (“Accordingly, when policymakers develop cybersecurity laws, they should consider the security of both public and private infrastructure and information.”).

  168. Id. at 1010 (“Such attacks not only threaten economic and business interests; they can cause injuries, death, and national unrest. Accordingly, national security must be among the top considerations of cybersecurity law.”).

  169. See Jeff Kosseff, Congress Is Finally Tackling Privacy! Now Let’s Do Cybersecurity., Slate (Dec. 3, 2019, 3:00 PM), https://slate.com/technology/2019/12/congress-national-privacy-law-cybersecurity.html [https://perma.cc/NS6R-YX56] (“Unfortunately, cybersecurity has taken a backseat to privacy in our current national debate, in part because policymakers often conflate the issues and claim to be addressing both. Privacy and cybersecurity, however, are distinct. Privacy provides users with control over how businesses collect, use, and share their information. Cybersecurity prevents unauthorized parties from accessing, altering, or rendering unavailable their data, information systems, or connected devices.”).

  170. See Gilad Edelman, Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill, Wired (July 21, 2022 8:00 AM), https://www.wired.com/story/american-data-privacy-protection-act-adppa/ [https://perma.cc/D53A-F5AK] (“A new version of the ADPPA has taken shape, and privacy advocates are mostly jazzed about it. It just might have enough bipartisan support to become law—meaning that, after decades of inaction, the United States could soon have a real federal privacy statute.”).

  171. H.R. 8152, 117th Cong. § 102 (2022).

  172. Id. § 103.

  173. Id. § 204.

  174. Id. § 205.

  175. See id. § 208.

  176. Id. § 208(a)(1).

  177. Id. § 208(b).

  178. Id. § 208(c).

  179. See Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018, 5:00 AM), https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ [https://perma.cc/4V9Y-V8D7] (“Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania.”).

  180. See Nori Katagiri, Why International Law and Norms Do Little in Preventing Non-state Cyber Attacks, J. Cybersecurity, Mar. 10, 2021, at 1, 2 (“Despite much attention they garnered, international law and norms have failed to keep cyberspace peaceful. The problem comes mainly from their failure to address what nonstate actors, such as individual hackers and technology firms, do in cyberspace.”).

  181. See, e.g., Jalen Small, U.S. Intel, Google Warn of Cyberattacks from China, Russia, North Korea, Newsweek (Apr. 28, 2022, 9:49 AM), https://www.newsweek.com/us-intel-google-warn-cyberattacks-china-russia-north-korea-1701553 [https://perma.cc/94QK-BZ86] (“According to Google’s Threat Analysis Group (TAG), the most malicious cyberattacks in the U.S. are coming from Iran, North Korea, Russia and China. An official post, written by Google security engineer Billy Leonard, accused these nations of taking advantage of public interest in the war in Ukraine to spread malware.”).

  182. 18 U.S.C. § 1030.

  183. See Kosseff, supra note 97, at 291.

  184. See Jeff Kosseff, Collective Countermeasures in Cyberspace, 10 Notre Dame J. Int’l & Compar. L. 18, 28–30, 32, 34 (2020) (“The interconnected nature of cyberspace, along with the constant barrage of low-intensity threats, requires us to reconsider the aversion to the use of collective countermeasures. If enacted with significant limitations, such as proportionality, collective countermeasures could provide a net benefit to efforts to bolster cyber defenses against persistent bad actors, while minimizing the potential for abuse and escalation.”).

  185. See Kosseff, Defining Cybersecurity Law, supra note 6, at 1028 (“[F]ew U.S. cybersecurity laws provide companies with incentives to adopt adequate cybersecurity safeguards. While sticks often are necessary, carrots can be equally useful.”).

  186. See The State of Cybersecurity Education in K-12 Schools, EdWeek Rsch. Ctr. 1–3 (2020), https://cyber.org/sites/default/files/2020-06/The State of Cybersecurity Education in K-12 Schools.pdf [https://perma.cc/W4Q8-EJ8S].

  187. Id. at 1.