For all the news about cyberconflict lately, we’re still in the very early days of what promises to be a complicated international issue that isn’t going away anytime soon. There’s still a lot to sort out, both legally and technologically.
Aiming to bridge the divide between the law and technology of cyberconflict, three Yale professors — Joan Feigenbaum in the Department of Computer Science, and Oona Hathaway and Scott Shapiro from the Law School — are working together to explore many of the questions that make the subject so confounding.
The cross-disciplinary project is designed to promote research and encourage new ways of thinking about cyberattacks that originate from state or quasi-state actors. Funded with a two-year $406,000 grant from the William and Flora Hewlett Foundation, the project aims to tackle the issue from both domestic and international angles and develop a network of experts in the emerging field. It includes speakers, conferences, and a course co-taught by the three professors.
The term “cyberconflict” refers specifically to politically motivated cyberattacks, but not always those that rise to the level of war. There are already extensive laws that govern politically motivated physical attacks — bombs and assassinations, for instance — but national and international law is still murky about politically motivated cyberattacks that destroy or leak information, or render computers unusable.
“Not every act of aggression is an act of war. The discussion is distorted if you only talk about ‘cyberwar’ because it leaves you only with the laws of war,” said Feigenbaum, the Grace Murray Hopper Professor of Computer Science & Economics, and chair of the computer science department.
There’s still so much uncovered ground when it comes to the legal and technological issues of cyberconflict, that even knowing where to start is daunting, said Shapiro, the Charles F. Southmayd Professor of Law and professor of philosophy.
“I’m amazed at how much knowledge you need to understand the problem,” he said. “It’s not just that the law’s unclear, it’s that there are multiple bodies of law — criminal, international, security and privacy and civil rights. One important goal of the project is figuring out the minimal amount that’s needed to know to just to have a conversation.”
One of the first steps, the professors said, is getting lawyers and computer specialists to share their knowledge with each other.
“On the technology side, most people don’t think about the legal constraints under which they’re working,” said Oona Hathaway, the Gerard C. and Bernice Latrobe Smith Professor of International Law. ”And many on the legal side, including myself, have no idea how the technology works.”
Part of the grant funds conferences and other events. Recent speakers included The New York Times’ David Sanger on cyberwar, and Apple’s privacy counsel, Vivek Mohan, on cybersecurity. The professors are also working with the Yale Center for Global Legal Challenges, the Yale Office of International Affairs, and McKinsey & Company on the first Yale Cyber Leadership Forum, which takes place March 31 and April 1. Topics will include the regulatory and legal landscape at domestic and international levels, and lessons learned from recent cyber-attacks. Hathaway, who is the director of the conference, will be among the speakers, as will Feigenbaum and Shapiro.
Students addressing cyberconflict issues
The collaboration also includes a course, “The Law and Technology of Cyberconflict.” Last semester, the students (10 law and 11 computer science) met for weekly seminars. This semester, students are working individually and in teams on projects that address pressing cyberconflict issues.
One team is focusing on a system that allows voters to verify that their votes were recorded and counted correctly, without allowing access to information about other voters’ ballots. Previous researchers have shown this system can work in theory, but it’s unknown how it would fare in real life and at the scale of a national election. “No one has ever implemented this scheme, and the team wants to show that it could work in practice,” Feigenbaum said.
Another team aims to develop a cryptocurrency they call “FedCoin.” It’s similar to BitCoin, but would be sanctioned by the Federal Reserve, or any nation’s central bank. It would possess the security properties of modern cryptography with the legal and social properties of conventional currencies.
A third student group is working on what’s known as “privacy-preserving surveillance” systems. These would allow intelligence and law enforcement agencies to identify encrypted data about a suspect within a much larger set of encrypted data — for instance, a few cellphone calls made to or by a suspect handled by a particular cell tower during a certain time interval — without revealing the content of the other encrypted records in the larger set.
The grant has also provided funding for the university’s first cyber fellow, Ido Kilovaty, a legal scholar specializing in computer security policy. Kilovaty said the collaboration between the law school and computer science department is happening at a time when ordinary citizens are becoming more aware of how cyberconflict can affect them directly, and lawyers are realizing that there is a lack of law that addresses the issue.
“This is becoming a distinct area of law, and Yale can offer this specialization,” Kilovaty said, adding that he’s seeing significant interest among students at Yale. “These students want to go to the government and be responsible for cybersecurity and policy at the Department of Justice, the Department of State, and the Department of Defense, as well as private practice law firms and certain NGOs.”
For more information on the Yale Cyber Leadership Forum and to apply, visit the program’s website.