IGA 236

Updated: 18 January 2018 IGA-236: Cybersecurity: Technology, Policy, and Law Harvard Kennedy School Spring 2018 Mondays...

1 downloads 164 Views 521KB Size
Updated: 18 January 2018

IGA-236: Cybersecurity: Technology, Policy, and Law Harvard Kennedy School Spring 2018 Mondays and Wednesdays 2:45–4:00 PM Room: Littauer 230

Instructor: Bruce Schneier [email protected] Office: 1 Brattle, Suite 470, Room 479 Office Hours: by appointment Course Assistants: Miguel DeCorral [email protected] Pete Knoetgen [email protected] Olga Kulak [email protected]

Faculty Assistant: Karin Vander Schaaf [email protected] (617) 496-5584 Office: Belfer 322 1. Course Description In our information-age society, Internet security has become a paramount concern and an increasingly broad area of public policy. From cybercrime to national security, from corporate data collection to government surveillance, from cell phones to driverless cars, issues of Internet security are everywhere. These issues are complex and multifaceted, touching on such things as personal freedom and autonomy, public safety, corporate behavior and profitability, international relations, and war. This course seeks to explore the complex interplay of public policy issues in computer and Internet security. In the first half of the course, we will survey the nature of Internet security threats, explore the human factors surrounding security, and seek to understand the basics of Internet security technologies. In the second half, we will take our newfound expertise and use it to examine a series of computer- and Internet-

security policy issues, both current and near-future. Examples include government demands for encryption backdoors, software liabilities, hate speech and radical speech, digital copyright, surveillance reform, and computer-crime law. While these issues will primarily be US-focused, we will also discuss relevant issues in the EU and China, as well as international tensions and norms. Cyberspace is fundamentally technological, and an area where public policy requires a firm understanding of the underlying technologies. Cybersecurity is no exception. This class assumes no computer science background and will make these technologies comprehensible to the layperson. Note: The class was originally called “Internet Security: Technology, Policy, and Law.” But it turns out that the word “cyber” dramatically increases student interest. 2. Course Objectives This course aims to give students the tools necessary to understand legal and policy issues in cyberspace. While it is impossible to become a cybersecurity expert in a single semester, students will leave the course as intelligent laypeople, adept at discussing computer- and Internet-security policy issues and able to spot political agendas disguised as technical arguments. Students will understand how technology and policy interrelate, when it’s time to turn to technical experts, and how to use technical expertise to form effective policy. This course is designed for policymakers, rather than for implementers of pre-existing policy. As such, we will not discuss how to implement Internet security policies within government organizations. We will discuss how to effectively determine which policies are the correct ones to mandate: for government, for private industry, and for individuals. This course is less about learning a body of answers, and more about learning a way of thinking about the topics in general. As a result of the class, you will be more sophisticated when you approach new Internet-security policy issues. Specifically, you will be able to weigh pros and cons, examine consequences of policies, and craft and recommend policies of your own. 3. Prerequisites This course is open to graduate students from any Harvard school or department, and to qualified undergraduates with the permission of the instructor, and to MIT and Tufts Fletcher cross-registered students; diversity of backgrounds enriches the course. Training in natural or engineering sciences is not a requirement. Auditors will be admitted as space allows. 4. Course Requirements Students will be encouraged to participate in class discussions, and to hone their analytical, research, and writing skills through the assignments. The Kennedy School is a professional school, training professionals. As such, students are expected to: 1) attend all classes; 2) be on time; 3) refrain from using their laptops and cell phones in class (except when useful for discussion), 4) submit assignments on time; 5) be respectful of each other and of the instructor; 6) be prepared to be cold-called; and 7) do their best to prepare professional products for their assignments. Grades will be calculated as follows: Class Participation: Every student is expected to be prepared for and attend every class, and to participate in the discussions. (25%) Policy Memos: Over the course of the semester, students will write two short (500–8oo word) policy memos. (12% each memo, 24% total) 2

Group Policy Memo: Students will write one short (1000-1600 word) group policy memo. (16%) Final: Students will choose from a short list of cybersecurity policy issues that were not discussed in the class, and will write a 2000–3000-word analysis and policy recommendation regarding the issue. (35%) Assignments must be posted to the class page before midnight of the day they are due. Late assignments will be marked down one grade for each day they are late, unless the professor grants an exception due to special circumstances. This may be useful: HKS Resources on How to Write a Policy Memo: https://www.hks.harvard.edu/degrees/teaching-courses/communications-program/writing-publicspeaking-and-digital-communications-resources Class participation will be graded on quality, not frequency. This is a large class, and I know that everyone can’t speak in every session. Good contributions have some of the following characteristics: (1) clear, sound, rigorous, insightful analysis; (2) comments that thoughtfully challenge conventional or politically safe positions; (3) realistic recommendations for action; (4) so-called “stupid questions” that no one else is willing to ask but that open up productive paths of inquiry; (5) constructive critique of others’ contributions; and (6) impact on the thinking of others. Students are permitted to use laptops during class, but should limit their use to taking notes and other class-related activities. Reading webpages and social media is distracting to nearby students. Recently, the HKS faculty has addressed the issue of grade inflation. The Academic Council, with the support of the Dean, has issued recommendations on grading policy, including the following suggested curve: A (10-15%), A- (20-25%), B+ (30-40%), B (20-25%), and B- or below (5-10%). 5. Readings Students are expected to have read the required readings before class – many of the classes will be discussions of issues raised in the readings. Recommended readings represent additional resources that may be useful for students especially interested in a particular topic, but reading them is not required for class. Readings will be largely book chapters, or articles and essays from the popular press; it will only occasionally be academic or legal. Two books are assigned, and are available at Harvard Coop. The HKS Library will also have a copy of each book on reserve for students who do not wish to buy them. And a Google search found both books available as free bootlegs. P.W. Singer and Allan Friedman (2014), Cybersecurity and Cyberwar: What Everyone Needs to Know, Oxford University Press. https://books.google.com/books?id=9VDSAQAAQBAJ (referred to as “Singer and Friedman” on the reading list) Bruce Schneier (2015), Data and Goliath, W.W. Norton. https://books.google.com/books?id=MwF-BAAAQBAJ (referred to as “Schneier” on the reading list) All other readings will be available on the Canvas Course Page.

3

6. Citation Practices and Academic Integrity Everyone taking this course is working toward a position of public service and trust. Consequently, academic integrity and a solid ethical grounding are vital. It must be shown in this course. The subject matter of this course is designed to spark discussion, and you are encouraged to talk about everything, including assignments, with your classmates. However, individual work must be done by the individual who takes credit for the work, and ideas imported from elsewhere must give credit to the source of the idea. Students must be familiar with and must observe Kennedy School and Harvard University rules regarding the citation of sources. Including material from others in the assignments without appropriate quotation marks and citations is regarded, as a matter of School and University policy, as a serious violation of academic and professional standards and can lead to a failing grade in the course, failure to graduate, and even expulsion from the University. 7. Class Schedule Note: the set of topics is subject to change, as the topic of cybersecurity and the policy debates around that topic change rapidly. Events may well dictate a different topic; if so we will adapt. Consult the Canvas Course Page for the most current syllabus. Week 1. Introduction: The Security Mindset 1/22: Thinking About Security (Part I) 1/24: Thinking About Security (Part II) Weeks 2–3. Internet Security Technologies 1/29: Introduction to Internet Security 1/31: Cryptography 2/5: Computer and Network Security 2/7: Case Study: The 2017 Equifax Breach Week 4-5. Threats and Attackers 2/12: Access Control, Attribution, and Anonymity 2/14: Attackers and Attacks 2/19: NO CLASS——PRESIDENT’S DAY 2/21: The Internet of Things (guest speaker - Melissa Hathaway) Week 6. Human Factors in Security 2/26: Security Economics 2/28: Psychology of Security, Security Usability Weeks 7–9. Commercial Policy Issues 3/5: Security Regulations 3/7: Software Liabilities and Cybersecurity Insurance 3/12 and 3/14: NO CLASS—SPRING BREAK 3/19: Commercial Surveillance Policy 3/21: DMCA and Copyright Protection Week 9: Visit the IBM Cyber Range 3/26: Visit the IBM Cyber Range; work on group papers 3/28: Visit the IBM Cyber Range; work on group papers Weeks 10–13. Government Policy Issues 4/2: Cyber Operations and Cyberwar (Chris Demchak - guest speakers) 4/4: Cyber Norms 4

4/9: National Security and Surveillance (John DeLong - guest speakers) 4/11: Surveillance Reform (Cindy Cohn - guest speaker) 4/16: Emerging Topics in Security Policy I 4/18: Emerging Topics in Security Policy II 4/23: Encryption vs Law-enforcement access (Susan Landau - guest speaker) Week 13. Conclusion 4/25: Final questions, overarching issues, and lessons from the class 8. Detailed Syllabus and Reading List Yes, there are lots of readings. But most of them are short essays and news articles. Optional readings are not required, but are there for those who wish to delve more deeply into particular topics. Readings are subject to change without notice. Consult the Canvas course page for the most current readings.

1/22 and 1/24: Thinking about Security Security is a mindset, and thinking about security requires a different way of thinking. It’s not enough to think like a designer, you have to learn to think like a hacker. In this introductory session, we will explore that way of thinking through a series of security scenarios, most of which having nothing to do with computers, and all of which will foreshadow the technical and policy issues to follow. Readings: Bruce Schneier (20 Mar 2003), “Inside the twisted mind of a security professional,” Wired. https://www.wired.com/2008/03/securitymatters-0320 José Esteves, Elisabete Ramalho and Guillermo de Haro (6 Mar 2017), "To improve cybersecurity, think like a hacker," MIT Sloan Management Review. https://sloanreview.mit.edu/article/to-improve-cybersecurity-think-like-a-hacker

1/29: Introduction to Internet Security It is impossible to discuss any topics related to Internet-security policy without understanding the details of Internet security. In the first of a series of sessions, we will delve into the general technical issues of how security works on the Internet. This will necessarily require us to understand how the Internet works. Required Readings: Singer and Friedman, pp. 12–66 (Part I: “How it all works”). Garrett M. Graff (23 Sep 2016), “Government lawyers don’t understand the Internet. That’s a problem,” Washington Post. https://www.washingtonpost.com/posteverything/wp/2016/09/23/government-lawyers-dontunderstand-the-internet-thats-a-problem Erica Portnoy and Jeremy Gillula (7 Dec 2017), “The FCC still doesn't know how the internet works,” Electronic Frontier Foundation. https://www.eff.org/deeplinks/2017/12/fcc-still-doesnt-know-how-internet-works 5

Catherine Clifford (13 Dec 2017), “Apple co-founder and ‘Father of the Internet’ tell the FCC: ‘You don’t understand how the internet works,’” CNBC. https://www.cnbc.com/2017/12/13/steve-wozniak-to-fcc-you-dont-understand-how-the-internetworks.html Optional Readings: David Clark and Marjory Blumenthal (10 Aug 2000), “Rethinking the design of the Internet: The end to end arguments vs. the Brave New World,” 28th Research Conference on Communication, Information and Internet Policy (TPRC 2000). http://dspace.mit.edu/bitstream/handle/1721.1/1519/TPRC_Clark_Blumenthal.pdf Steven M. Bellovin, et al. (17 May 2011), “Can it really work? Problems with extending EINSTEIN 3 to critical infrastructure,” Harvard National Security Journal 3. http://harvardnsj.org/wp-content/uploads/2012/01/Vol.3_Bellovin_Bradner_Diffie_Landau_Rexford.pdf Fred Schneider and Deirdre Mulligan (Fall 2011), “Doctrine for cybersecurity,” Dædalus 140, no. 4. http://www.cs.cornell.edu/fbs/publications/publicCYbersecDaed.pdf Aaron L. Jones, et al. (17 Jul 2017), “Joint comments of internet engineers, pioneers, and technologists on the technical flaws in the FCC’s Notice of Proposed Rule-making and the need for the light-touch, bright-line rules from the Open Internet Order,” In the Matter of Restoring Internet Freedom (WC Docket No. 17-108), Federal Communications Commission. https://www.eff.org/document/internet-engineers-commentsfcc-nn

1/31: Cryptography Cryptography is a cornerstone of anything related to Internet security. In this class we’ll talk about how cryptography works in both classical pencil-and-paper systems and modern computer systems. Along the way, we will discuss symmetric and public-key encryption, authentication codes, and digital signatures. It is possible to understand how cryptography works without a lot of math, but a little bit helps. Required Readings: Bruce Schneier (2000), Secrets and Lies: Digital Security in a Networked World, Wiley pp. 85–119 (Chapters 6-7). https://books.google.com/books/about/?id=eNhQAAAAMAAJ Optional Readings: Network Associates (1999), An Introduction to Cryptography, pp. 11–38. https://courses.cs.vt.edu/cs5204/fall09-kafura/Papers/Security/IntroToCryptography.pdf Massachusetts Institute of Technology (Spring 2005), “Cryptography and cryptanalysis,” MIT Course Number 6.875, MIT Open Courseware. https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-875-cryptographyand-cryptanalysis-spring-2005

6

2/5: Computer and Network Security Computer networks, especially a ubiquitous global network like the Internet, brings its own security challenges. We will explore this from the inside out: applications software, operating systems, computers, local networks, and then the Internet. We’ll also talk about software bugs, vulnerabilities, and exploits. And, along the way we. will discuss a variety of common network-security technologies: anti-virus programs, firewalls, intrusion detection systems, and so on. Required Readings: Bruce Schneier (2000), Secrets and Lies: Digital Security in a Networked World, Wiley, pp. 176– 211 (Chapters 11–13). https://books.google.com/books/about/?id=eNhQAAAAMAAJ Ari Schwartz and Rob Knake (15 Jun 2016), “Government’s role in vulnerability disclosure,” Belfer Center for Science and International Affairs, Harvard Kennedy School. http://www.belfercenter.org/sites/default/files/files/publication/Vulnerability%20Disclosure%20 Web-Final4.pdf Optional Readings: Massachusetts Institute of Technology (Spring 2014), “Network and computer security,” MIT Course Number 6.857, MIT Open Courseware. https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-857-network-andcomputer-security-spring-2014

2/7: Case Study: The 2017 Equifax Breach In September, the credit bureau and data broker Equifax reported the theft of personal information about 145.5 million US persons, about 44% of the population. In this class, we will discuss the breach, its ramifications, and policy options to address the risks. Required Readings: Dan Goodin (9 Mar 2017), “Critical vulnerability under ‘massive’ attack imperils high-impact sites,” Ars Technica. https://arstechnica.com/information-technology/2017/03/critical-vulnerability-under-massiveattack-imperils-high-impact-sites Tara Siegel Bernard (7 Sep 2017), “Equifax says cyberattack may have affected 143 million in the U.S.,” New York Times. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html Thomas Fox-Brewster (8 Sep 2017), “A brief history of Equifax security fails,” Forbes. https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history Dan Goodin (13 Sep 2017), “Failure to patch two-month-old bug led to massive Equifax breach,” Ars Technica. https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-byfailure-to-patch-two-month-old-bug Stacy Cowley (2 Oct 2017), “2.5 million more people potentially exposed in Equifax breach,” New York Times. https://www.nytimes.com/2017/10/02/business/equifax-breach.html 7

Dan Goodin (2 Oct 2017), “A series of delays and major errors led to massive Equifax breach,” Ars Technica. https://arstechnica.com/information-technology/2017/10/a-series-of-delays-and-major-errors-ledto-massive-equifax-breach Bruce Schneier (1 Nov 2017), “Testimony and statement for the record: Hearing on ‘Securing Consumers’ Credit Data in the Age of Digital Commerce’,” Subcommittee on Digital Commerce and Consumer Protection, Committee on Energy and Commerce, United States House of Representatives. https://www.schneier.com/essays/archives/2017/11/testimony_before_the_1.html Martin Matishak (1 Jan 2018), “After Equifax breach, anger but no action in Congress,” Politico. https://www.politico.com/story/2018/01/01/equifax-data-breach-congress-action-319631 Optional Readings: Anna Werner (9 Jan 2018), "Months after massive Equifax data breach, victims struggling to recover," CBS News. https://www.cbsnews.com/news/equifax-data-breach-victims-struggling-to-recover Craig A. Newman (9 Jan 2018), “Equifax must turn over NY breach data this week,” Lexology. https://www.lexology.com/library/detail.aspx?g=5b2aa81b-d88b-4953-a43c-dddff81e6b85 Jim Puzzanghera (10 Jan 2018), “Senators want ‘massive’ fines for data breaches at Equifax and other credit reporting firms,” Los Angeles Times. http://beta.latimes.com/business/la-fi-equifax-data-breach-fines-20180110-story.html

2/12: Access Control, Anonymity, and Attribution One of the core issues in computer and Internet security is access control. Who has access? How does she get it? How does she prove to the system that she is who he says she is, and should be allowed the claimed access? These are complicated questions, and we will explore them in this session. We will also discuss anonymity and attack attribution, two things that have significant policy implications. Required Readings: Bruce Schneier (2006), “Identification, authentication, and authorization,” in Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Springer pp. 181–206 (Chapter 13). https://books.google.com/books/about/?id=wuNImmQufGsC Dan Goodin (27 May 2013), “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331,’” Ars Technica. http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords Bruce Schneier (4 Mar 2015), “Hacker or spy? In today's cyberattacks, finding the culprit is a troubling puzzle,” Christian Science Monitor. http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0304/Hacker-or-spy-Intoday-s-cyberattacks-finding-the-culprit-is-a-troubling-puzzle Jake Swearingen (7 Oct 2016), “Can you be online without leaving any digital fingerprints?” New York Magazine. http://nymag.com/selectall/2016/10/how-to-be-anonymous-on-the-internet.html 8

Optional Readings: Benjamin Edwards, Robert Axelrod, et al. (11 Jan 2017), “Strategic aspects of cyberattack, attribution, and blame,” Proceedings of the National Academy of Sciences of the United States of America 114, no. 11. http://www.pnas.org/content/114/11/2825.full Delbert Tran (16 Aug 2017), “The law of attribution,” Cyber Conflict Project, Yale University. https://law.yale.edu/system/files/area/center/global/document/2017.05.10__law_of_attribution.pdf

2/14: Attacks and Attackers In security, we spend a lot of time trying to model the humans involved in a system. Threat modeling examines who wants to attack the system and their characteristics. Criminals, terrorists, foreign governments, secret police, noisy neighbors and so on have different skills, resources, motivations, risk aversions, and so on. We will also discuss the traditional “CIA triad,” and see how different security properties are important in different situations and contexts. We will end by reviewing what we’ve learned so far. Required Readings: Singer and Friedman, pp. 67–114 (Part II: “Why it matters”). Mark Bowden (Jun 2010), “The enemy within,” Atlantic. http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098 Mandiant (Feb 2012), “APT1: Exposing one of China’s cyber espionage units.” https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf David Kushner (26 Feb 2013), “The real story of Stuxnet,” IEEE Spectrum. http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet Peter Singer (1 Nov 2012), “The cyber terror bogeyman,” Armed Forces Journal. http://armedforcesjournal.com/the-cyber-terror-bogeyman Adam Shostack (2014), “Dive in and threat model!” in Threat Modeling: Designing for Security, Wiley, pp. 3–28 (Chapter 1). https://books.google.com/books?id=asPDAgAAQBAJ David E. Sanger and Nicole Perlroth (23 Mar 2014), “N.S.A. breached Chinese servers seen as security threat,” New York Times. https://www.nytimes.com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spyperil.html Margaret Rouse (24 Nov 2014), “Confidentiality, integrity, and availability (CIA triad),” TechTarget. http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA Bill Marczak, John Scott-Railton and Sarah McKune (9 Mar 2015), “Hacking Team reloaded? USbased Ethiopian journalists again targeted with spyware,” CitizenLab. https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targetedspyware

9

Brendan I. Koerner (23 Oct 2016), “Inside the cyberattack that shocked the U.S. government,” Wired. https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government Anthony Henderson (25 Mar 2017), “The CIA triad: Confidentiality, integrity, availability,” Panmore Institute. http://panmore.com/the-cia-triad-confidentiality-integrity-availability Daniel R. Coats (11 May 2017), “Worldwide threat assessment of the US intelligence community: Senate Select Committee on Intelligence,” Office of the Director of National Intelligence. https://www.dni.gov/files/documents/Newsroom/Testimonies/SSCI%20Unclassified%20SFR%20%20Final.pdf Jai Vijayan (23 Oct 2017), “US critical infrastructure target of Russia-linked cyberattacks,” Dark Reading. https://www.darkreading.com/attacks-breaches/us-critical-infrastructure-target-of-russia-linkedcyberattacks/d/d-id/1330196 Optional Readings: Ken Thompson (Aug 1984), “Reflections on trusting trust,” Communication of the ACM 27. https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf Bruce Schneier (2000), Secrets and Lies: Digital Security in a Networked World, Wiley, pp. 42–58 (Chapter 4). https://books.google.com/books/about/?id=eNhQAAAAMAAJ Bill Marczak, et al. (15 Oct 2015), “Pay no attention to the server behind the proxy: Mapping FinFisher’s continuing proliferation,” CitizenLab. https://citizenlab.ca/2015/10/mapping-finfishers-continuing-proliferation Aaron Sankin (9 Jul 2015), “Forget Hacking Team: Many other companies sell surveillance tech to repressive regimes,” Daily Dot. https://www.dailydot.com/layer8/hacking-team-competitors Bart Preneel (3 Aug 2016), “New threat models for cryptography,” 2016 IEEE International Conference on Software Quality, Reliability & Security. http://paris.utdallas.edu/qrs16/docs/Keynote-Bart-Preneel-slides.pdf John Scott-Railton, et al. (19 Jun 2017), “Reckless exploit: Mexican journalists, lawyers, and a child targeted with NSO spyware,” CitizenLab. https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso

2/21: The Internet of Things The Internet of Things will bring the Internet into every corner of our life: both sensors that measure our world, and actuators that physically affect this. In this session, we will discuss the security implications of this next phase of computerization, at both the personal and national level. Melissa Hathaway will be our guest speaker. She has done extensive work on this issue in the private sector. Previously, she has had high-profile cybersecurity positions in both the Bush and Obama administrations. Required Readings:

10

Melissa E. Hathaway and John N. Stewart (25 Jul 2014), “Taking control of our cyber future,” Georgetown Journal of International Affairs. https://www.georgetownjournalofinternationalaffairs.org/online-edition/cyber-iv-feature-takingcontrol-of-our-cyber-future J.M. Porup (23 Jan 2016), “‘Internet of Things’ security is hilariously broken and getting worse,” Ars Technica. http://arstechnica.com/security/2016/01/how-to-search-the-internet-of-things-for-photos-ofsleeping-babies Nicole Perlroth (22 Oct 2016), “Hackers used new weapons to disrupt major websites across U.S.,” New York Times. http://www.nytimes.com/2016/10/22/business/internet-problems-attack.html Sean Gallagher (25 Oct 2016), “How one rent-a-botnet army of cameras, DVRs caused Internet chaos,” Ars Technica. http://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-howcameras-dvrs-took-down-parts-of-the-internet Alex Schiffer (21 Jul 2017), “How a fish tank helped hack a casino,” Washington Post. https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helpedhack-a-casino Optional Readings: Bruce Schneier (27 Jan 2017), “Click here to kill everybody: Security and the Internet of Things,” New York Magazine. http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html U.S. Federal Trade Commission (Jan 2015), “Internet of Things: Privacy and security in a connected world,” FTC Staff Report. https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-reportnovember-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf U.S. Department of Homeland Security (15 Nov 2016), “Strategic principles for securing the Internet of Things (IoT).” https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Inte rnet_of_Things-2016-1115-FINAL....pdf

2/26: Security Economics Internet security is fundamentally about technology, but economic considerations provide a backdrop for understanding what and how different technologies are deployed. Knowing who reaps the benefits and who bears the costs can explain the difference between a successful security technology and a failure. Required Readings: Ross Anderson (2008), “Economics,” in Security Engineering, 2nd Edition, Wiley, pp. 215–236 (Chapter 7). https://books.google.com/books/about/?id=ILaY4jBWXfcC Adam Shostack and Andrew Stewart (2008), "Amateurs study cryptography; professionals study economics," in The New School of Information Security, Addison-Wesley, pp. 79–103 (Chapter 5). https://books.google.com/books?id=TWvC32p5M5YC 11

Optional Readings: Ross Anderson (13 Dec 2001), “Why information security is hard: An economic perspective,” 17th Annual Computer Security Applications Conference (ACSAC 2001). https://www.acsac.org/2001/papers/110.pdf Ross Anderson and Tyler Moore (27 Oct 2006), "The economics of information security," Science 314, no. 5799. https://tylermoore.ens.utulsa.edu/science-econ.pdf Ross Anderson, et al. (26 Jun 2012), “Measuring the cost of cybercrime,” 2012 Workshop on the Economics of Information Security. http://www.econinfosec.org/archive/weis2012/papers/Anderson_WEIS2012.pdf Peter Maass and Megha Rajagopalan (1 Aug 2012), “Does cybercrime really cost $1 trillion?” ProPublica. https://www.propublica.org/article/does-cybercrime-really-cost-1-trillion Josephine Wolff (12 Jun 2014), “The $10 million deductible,” Slate. http://www.slate.com/articles/technology/future_tense/2014/06/target_breach_cyberinsurance_i s_a_mess.html Dan Geer (7 Aug 2014), “Cybersecurity as realpolitik,” Black Hat 2014. http://geer.tinho.net/geer.blackhat.6viii14.txt (text) https://www.youtube.com/watch?v=nT-TGvYOBpI (video)

2/28: Psychology of Security, Security Usability People have an a natural intuition about security, born out of hundreds of thousands of years of living in risky environments. In this session we will discuss how people think about security and where our cognitive biases fail. We will also discuss another important aspect of security: designing systems so that people actually use them, and use them well. Required Readings: Anne Adams and M. Angela Sasse (1 Dec 1999), “Users are not the enemy,” Communications of the ACM 42, no. 12. http://discovery.ucl.ac.uk/20247/2/CACM%20FINAL.pdf Daniel J. Solove (12 Jul 2007), “I've got nothing to hide' and other misunderstandings of privacy,” San Diego Law Review 44. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 Ross Anderson (2008), “Usability and psychology,” in Security Engineering, 2nd Edition, Wiley, pp. 17-62 (Chapter 2). https://books.google.com/books/about/?id=ILaY4jBWXfcC Don Norman (Nov/Dec 2009), "When security gets in the way," Interactions 16, no. 6. http://www.jnd.org/dn.mss/when_security_gets_in_the_way.html Oracle Mind (1 May 2016), “Watch this hacker break into my cellphone account in two minutes,” YouTube. https://www.youtube.com/watch?v=lc7scxvKQOo 12

M. Mitchell Waldrop (12 May 2016), “How to hack the hackers: The human side of cybercrime,” Nature 533. http://www.nature.com/news/how-to-hack-the-hackers-the-human-side-of-cybercrime-1.19872 Optional Readings: Alma Whitten and J.D. Tygar (23 Aug 1999), “Why Johnny can’t encrypt: A usability evaluation of PGP 5.0,” 8th USENIX Security Symposium. https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten_html/index.html Bruce Tognazzini (2005), “Design for usability,” in Security and Usability: Designing Secure Systems that People Can Use, O’Reilly Media. https://books.google.com/books?id=wDVhy9EyEAEC&pg=PA31 Bruce Schneier (13 Jun 2008), “The psychology of security,” AfricaCrypt 2008. https://www.schneier.com/academic/archives/2008/01/the_psychology_of_se.html Iacovos Kirlappos, Simon Parkin and M. Angela Sasse (2014), “Learning from ‘shadow security’: Why understanding non-compliant behaviors provides the basis for effective security,” 2014 Workshop on Usable Security. http://discovery.ucl.ac.uk/1424472

3/5: Security Regulations TBD

3/7: Software Liabilities and Cybersecurity Insurance One of the proposed remedies for insecure software—and poor quality software in general—is to hold the software vendors liable for the effects of their software. We will discuss the different aspects of this remedy. How viable is it to let a court determine liabilities? What will this do to the software market? What about free and open source software? And if we already live in a world of product liability, do we need a separate liability regime for software? Finally, how does insurance play a role in all this? Required Readings: Daniel E. Geer, Jr. (Jul/Aug 2014), “Inviting more Heartbleed,” IEEE Security & Privacy 12, no. 4. http://geer.tinho.net/ieee/ieee.sp.geer.1407b.pdf Simon Ruffle, et al. (6 Jul 2015), “Business blackout: The insurance implications of a cyber attack on the U.S. power grid,” Lloyd’s Cambridge Centre for Risk Studies. https://www.lloyds.com/news-and-insight/risk-insight/library/society-and-security/businessblackout Jane Chong (2016), “Bad code: Exploring liability in software development,” in Richard M. Harrison and Trey Herr, ed. (2016), Cyber Insecurity, Navigating the Perils of the Next Information Age, Rowman & Littlefield, pp. 69-85 (Chapter 5). https://books.google.com/books/about/?id=NAp7DQAAQBAJ

13

Robert Morgus (2016), “Cyber insurance: A market-based approach to information assurance,” in Richard M. Harrison and Trey Herr, ed. (2016) Cyber Insecurity, Navigating the Perils of the Next Information Age, Rowman & Littlefield, pp. 155-170 (Chapter 10). https://books.google.com/books/about/?id=NAp7DQAAQBAJ Albert Bianchi, Jr., Michelle L. Dama and Adrienne S. Ehrhardt (3 Mar 2017), “Executives and board members could face liability for data breaches,” National Law Review. https://www.michaelbest.com/Newsroom/129509/Executives-and-Board-Members-Could-FaceLiability-for-Data-Breaches Joseph B. Crace, Jr. (3 Apr 2017), “When does data breach liability extend to the boardroom?” Law 360. https://www.law360.com/articles/907786. Adam Janofsky (17 Sep 2017), “Insurance grows for cyberattacks,” Wall Street Journal. https://www.wsj.com/articles/insurance-grows-for-cyberattacks-1505700360 Adam Janofsky (17 Sep 2017), “Cyberinsurers look to measure risk,” Wall Street Journal. https://www.wsj.com/articles/cyberinsurers-look-to-measure-risk-1505700301 Optional Readings: Atlantic Council (30 Nov 2016), “Cyber risk Wednesday: Software liability” (starting 13:30). http://www.atlanticcouncil.org/events/webcasts/cyber-risk-wednesday-software-liability Charles Cresson Wood (4 Dec 2016), “Solving the information security and privacy crisis by expanding the scope of top management personal liability,” Notre Dame Journal of Legislation 43, no. 1. http://scholarship.law.nd.edu/jleg/vol43/iss1/5.

3/19: Commercial Surveillance Policy In the US today, commercial surveillance is largely unregulated. There are exceptions, but in the main the Internet companies you interact with can spy on your every move. And while there is no appetite in Congress to change this, we can both look to Europe to see a different regime. In this session we will talk about potential limits to corporate data collection and use. Required Readings: Daniel Solove (2011), Nothing to Hide: The False Tradeoff Between Privacy and Security, Yale University Press, pp. 1–18 (Introduction). http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982 Natasha Singer (16 Jan 2012), “You for sale: Mapping, and sharing, the consumer genome,” New York Times. https://www.nytimes.com/2012/06/17/technology/acxiom-the-quiet-giant-of-consumer-databasemarketing.html Charles Duhigg (19 Feb 2012), “How companies learn your secrets,” New York Times Magazine. http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html Jonathan Zittrain (21 Mar 2012), “Meme patrol: ‘When something online is free, you’re not the customer, you’re the product,’” The Future of the Internet and How to Stop It.

14

https://blogs.harvard.edu/futureoftheInternet/2012/03/21/meme-patrol-when-something-onlineis-free-youre-not-the-customer-youre-the-product Paul Rosenzweig (22 Dec 2012), “Whither privacy?” Society & Surveillance 10, no. 3-4. http://library.queensu.ca/ojs/index.php/surveillance-and-society/article/view/whither David Veldt (May 2013), “LinkedIn: The creepiest social network,” +interactually. http://www.interactually.com/linkedin-creepiest-social-network Maciej Ceglowski (20 May 2014), “The internet with a human face,” Idle Words. http://idlewords.com/talks/internet_with_a_human_face.htm Jonathan Zittrain (12 Jan 2016), “A few keystrokes could solve the crime. Would you press enter?” Just Security. https://www.justsecurity.org/28752/keystrokes-solve-crime-press-enter Bruce Schneier (1 Mar 2016), “Data is a toxic asset, why not throw it out?” CNN. https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html Optional Readings: Alexander Furnas (15 Mar 2012), “It’s not all about you: What privacy advocates don’t get about data tracking on the web,” Atlantic. http://www.theatlantic.com/technology/archive/2012/03/its-not-all-about-you-what-privacyadvocates-dont-get-about-data-tracking-on-the-web/254533 Bruce Schneier (30 Apr 2013), “Do you want the government buying your data from corporations?” Atlantic. http://www.theatlantic.com/technology/archive/2013/04/do-you-want-the-government-buyingyour-data-from-corporations/275431 Bruce Schneier (21 Oct 2013), “The trajectories of government and corporate surveillance,” Schneier on Security. https://www.schneier.com/blog/archives/2013/10/the_trajectorie.html President’s Council of Advisors on Science and Technology (May 2014), “Big data and privacy: A technical perspective,” Executive Office of the President. https://web.archive.org/web/20140513130225/https://www.whitehouse.gov/sites/default/files/mi crosites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf Shoshana Zuboff (17 Apr 2015), “Big other: Surveillance capitalism and the prospects of an information civilization,” Journal of Information Technology 30. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754.

3/21: DMCA and Copyright Protection Copyright law is complex and Byzantine, and has completely changed in reaction to the Internet. The Digital Millennium Copyright Act (1996) attempted to modernize copyright, but has also effectively criminalized reverse-engineering. We will discuss how the law is used, and the current battles to repeal it. Required Readings: Kim Zetter (9 Sep 2008), “DefCon: Boston subway officials sue to stop talk on fare card hacks,” Wired. 15

https://www.wired.com/2008/08/injunction-requ David Kravets (27 Oct 2008), “10 years later, misunderstood DMCA is the law that saved the web,” Wired. https://www.wired.com/2008/10/ten-years-later Brad Hill (29 Apr 2013), “The iTunes influence, part I: How Apple changed the face of the music marketplace,” Engadget. https://www.engadget.com/2013/04/29/the-itunes-influence-part-one Electronic Frontier Foundation (16 Sep 2014), “Unintended consequences: Sixteen years under the DMCA.” https://www.eff.org/pages/unintended-consequences-fifteen-years-under-dmca Chris Perkins (14 Aug 2015), “Volkswagen suppressed a paper about car hacking for 2 years,” Mashable. http://mashable.com/2015/08/14/volkswagen-suppress-car-vulnerability Electronic Frontier Foundation (21 Jul 2016), “EFF lawsuit takes on DMCA section 1201: Research and technology restrictions violate the First Amendment.” https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technologyrestrictions-violate Cory Doctorow (1 Dec 2016), “Security and feudalism: Own or be pwned,” O’Reilly Security Conference. http://craphound.com/news/2016/12/01/my-keynote-from-the-oreilly-security-conferencesecurity-and-feudalism-own-or-be-pwned Charlie Osborne (31 Oct 2016), “US DMCA rules updated to give security experts legal backing to research,” ZD Net. http://www.zdnet.com/article/us-dmca-rules-updated-to-give-security-experts-legal-backing-toresearch Optional Readings: John Perry Barlow (1 Mar 1994), “The economy of ideas,” Wired. http://archive.wired.com/wired/archive/2.03/economy.ideas.html Matthew Green (1 Jan 2002), “Napster opens Pandora’s Box: Examining how file-sharing services threaten the enforcement of copyright on the internet,” Ohio State Law Journal 63, no. 2. http://moritzlaw.osu.edu/students/groups/oslj/files/2012/03/63.2.green_.pdf Lawrence Lessig (Jul 2003), “The creative commons,” Florida Law Review 55. http://homepages.law.asu.edu/~dkarjala/OpposingCopyrightExtension/commentary/LessigCreativ eCommonsFlaLRev2003.htm Matthew Green (6 Feb 2015), “Long form comment: Proposed Class 25, security research,” U.S. Copyright Office. https://www.copyright.gov/1201/2015/comments020615/InitialComments_LongForm_Green_Class25.pdf Steven M. Bellovin, et al. (6 Feb 2015), “Long comment regarding a proposed exemption under 17 U.S.C. 1201,” U.S. Copyright Office. https://www.copyright.gov/1201/2015/comments020615/InitialComments_LongForm_SecurityResearchers_Class25.pdf

16

Ellen J. Gleberman (27 Mar 2015), “Comment of Association of Global Automakers, Inc. regarding exemption for proposed Class 22 from liability under 17 U.S.C. 1201,” U.S. Copyright Office. https://www.copyright.gov/1201/2015/comments032715/class%2022/Association_of_Global_Automakers_Class22_1201_2014.pdf Darin Bartholomew for Deere & Company (27 Mar 2015), “Long comment regarding a proposed exemption under 17 U.S.C. 1201,” U.S. Copyright Office. https://www.copyright.gov/1201/2015/comments032715/class%2022/John_Deere_Class22_1201_2014.pdf Herbert C. Wamsley for Intellectual Property Owners Association (27 Mar 2015), “In the matter of Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies Under 17 U.S.C. 1201—Sixth Triennial DMCA Rulemaking – Proposed Class 25,” U.S. Copyright Office. https://www.copyright.gov/1201/2015/comments032715/class%2025/Intellectual_Property_Owners_Association_Class25_1201_2014.pdf

3/26 and 3/28: Visit the IBM Cyber Range: Cyber Norms IBM Security (75 Binney St, Cambridge) has built an immersive cybersecurity simulator. We will assume different managerial roles at the fictional company Bane & Ox, and experience a real-time cybersecurity event against our network. The simulation can only accommodate half of the class, so we will break up in order to do this. Required Readings: Schneier, pp. 1–87 (Part I). Optional Readings: Ron Miller (16 Nov 2016), “IBM opens new Cambridge, MA security headquarters with massive cyber range,” Tech Crunch. https://techcrunch.com/2016/11/16/ibm-opens-new-cambridge-ma-security-headquarters-withmassive-cyber-range IBM Security (5 Jul 2017), “You’re under attack. Now live the response: Experience a day in the life of a cyber attack at the IBM X-Force Command Center,” IBM Corporation. https://public.dhe.ibm.com/common/ssi/ecm/wg/en/wgf12361usen/security-ibm-securitysolutions-wg-flyer-wgf12361usen-20170705.pdf (direct download) Marc van Zadelhoff (9 Oct 2017), “Cambridge Cyber Security Summit: The cognitive answer and lessons from the range,” CNBC. https://www.cnbc.com/video/2017/10/09/cambridge-cyber-security-summit-the-cognitiveanswer-and-lessons-from-the-range.html

4/2: Cyber Operations and Cyberwar “Cyberwar” has been used to describe everything from the Russian hacks against the DNC to the cyber operations associated with the War in Iraq. In this session, we will explore the various aspects of cyberwar, as well as the military organizations that have emerged to fight in this new battlefield. We may be joined Dr. Chris Demchak, former military officer and now professor at the Naval War College.

17

Required Readings: Singer and Friedman, pp. 114–165. John Markoff (13 Aug 2008), “Before the gunfire, cyberattacks,” New York Times. http://www.nytimes.com/2008/08/13/technology/13cyber.html Seymour Hersh (1 Nov 2010), “The online threat: Should we be worried about a cyberwar?” New Yorker. http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh Jack Goldsmith (9 Mar 2011), “Cybersecurity treaties: A skeptical view,” Koret-Taube Task Force on National Security and Law, Hoover Institution. http://media.hoover.org/sites/default/files/documents/FutureChallenges_Goldsmith.pdf Joseph Nye (Winter 2011), “Nuclear lessons for cyber security,” Strategic Studies Quarterly 5, no. 4. https://dash.harvard.edu/bitstream/handle/1/8052146/nye-nuclearlessons.pdf Thomas Rid (1 Jan 2012), “Cyber war will not take place,” Journal of Strategic Studies 35, no. 1. http://www.tandfonline.com/doi/abs/10.1080/01402390.2011.608939 John Arquilla (Mar/Apr 2012), “Cyber war is already upon us,” Foreign Policy 192. http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_upon_us Robert Axelrod and Rum Iliev (28 Jan 2014), “Timing of cyber conflict,” Proceedings of the National Academy of Sciences of the United States of America 111, no. 4. http://www.pnas.org/content/111/4/1298 Optional Readings: Robert Knake (Aug 2010), Internet Governance in an Age of Cyber Insecurity, Council on Foreign Relations. https://www.cfr.org/report/internet-governance-age-cyber-insecurity Joseph S. Nye (2011), “Diffusion and cyberpower,” in The Future of Power, Public Affairs, pp. 113– 151 (Chapter 5). https://books.google.com/books?id=EtgBAwAAQBAJ David Clark and Susan Landau (1 Mar 2011), “Untangling attribution,” Harvard National Security Journal 2. http://harvardnsj.org/wp-content/uploads/2011/03/Vol.-2_Clark-Landau_Final-Version.pdf NATO Cooperative Cyber Defence Centre of Excellence (2012), The Tallinn Manual on the International Law Applicable to Cyber Warfare, Cambridge University Press. https://ccdcoe.org/tallinn-manual.html Thomas Rid (Mar/Apr 2012), “Think again: Cyberwar,” Foreign Policy. http://www.foreignpolicy.com/articles/2012/02/27/cyberwar Herbert Lin (Summer 2012), “Cyber conflict and international humanitarian law,” International Review of the Red Cross 886. https://www.icrc.org/en/international-review/article/cyber-conflict-and-internationalhumanitarian-law Michael Gross (1 Jul 2013), “Silent war,” Vanity Fair. http://www.vanityfair.com/news/2013/07/new-cyberwar-victims-american-business 18

Peter Swire (21 May 2014), “The Chinese hacking indictments and why economic espionage is different,” Privacy Perspectives. https://www.privacyassociation.org/privacy_perspectives/post/the_chinese_hacking_indictments _and_why_economic_espionage_is_different Jack Goldsmith (21 May 2014), “The US corporate theft principle,” Lawfare. http://www.lawfareblog.com/2014/05/the-u-s-corporate-theft-principle Angelyn Flowers and Sherali Zeadally (29 Jun 2017), "Cyberwar: The what, when, why, and how," IEEE Technology and Society. http://technologyandsociety.org/cyberwar-the-what-when-why-and-how United States Computer Emergency Readiness Team (20 Oct 2017), “Alert (TA17-293A): Advanced persistent threat activity targeting energy and other critical infrastructure sectors.” https://www.us-cert.gov/ncas/alerts/TA17-293A

4/4: Cyber Norms International norms are a powerful constraint on the behavior of nation-states. We will discuss cyber norms in general, and Microsoft’s recent call for a “Digital Geneva Convention.” Required Readings: Roger Hurwitz (3 Nov 2014), “The play of states: Norms and security in cyberspace,” American Foreign Policy Interests 36, no. 5. http://www.tandfonline.com/doi/abs/10.1080/10803920.2014.969180 Joseph S. Nye, Jr. (1 Oct 2015), “The world needs new norms on cyberwarfare,” Washington Post. https://www.washingtonpost.com/opinions/the-world-needs-an-arms-control-treaty-forcybersecurity/2015/10/01/20c3e970-66dd-11e5-9223-70cb36460919_story.html Scott Charney, et al. (21 Jun 2016), “From articulation to implementation: Enabling progress on cybersecurity norms,” Microsoft Corporation. https://www.microsoft.com/en-us/cybersecurity/content-hub/cybersecurity-norms_fromarticulation-to-implementation.aspx Brad Smith (14 Feb 2017), “The need for a digital Geneva Convention,” Microsoft on the Issues. https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention Optional Readings: Martha Finnemore and Duncan Hollis (26 Sep 2016), “Constructing norms for global cybersecurity,” American Journal of International Law 110. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2843913

4/9: National Security and Surveillance The role of surveillance in national security will be a repeated theme in this course. To start things off, we will generally look at how surveillance is used for national security purposes. History is important, and we will trace the NSA and other organizations from World War II to the surveillance reforms of the 1970s to the 9/11 terrorist attacks to today. Our guest for this session is John DeLong, former Director of Compliance at the NSA. 19

Required Readings: Schneier, pp. 90–151 (Part II). Susan Landau (Aug 2013), “Making sense from Snowden: What's significant in the NSA Surveillance revelations,” IEEE Security & Privacy 111, no. 4. https://www.computer.org/cms/Computer.org/ComputingNow/pdfs/MakingSenseFromSnowdenIEEESecurityAndPrivacy.pdf Barton Gellman (15 Aug 2013), “NSA broke privacy rules thousands of times per year, audit finds,” Washington Post. https://www.washingtonpost.com/world/national-security/nsa-broke-privacy-rules-thousands-oftimes-per-year-audit-finds/2013/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html Conor Friedersdorf (16 Aug 2013), “Lawbreaking at the NSA: Bring on a new Church Committee,” Atlantic. http://www.theatlantic.com/politics/archive/2013/08/lawbreaking-at-the-nsa-bring-on-a-newchurch-committee/278750 Michael Isikoff (20 Dec 2013), “NSA program stopped no terror attacks, says White House panel member,” NBC News. http://www.nbcnews.com/news/other/nsa-program-stopped-no-terror-attacks-says-whitehousepanel-f2D11783588 John DeLong and Susan Hennessey (7 Oct 2016), “Understanding Footnote 14: NSA oversight, lawyering, and compliance,” Lawfare. https://www.lawfareblog.com/understanding-footnote-14-nsa-lawyering-oversight-and-compliance Charlie Savage (2 May 2017), “Reined-in NSA still collected 151 million phone records in ‘16,” New York Times. https://www.nytimes.com/2017/05/02/us/politics/nsa-phone-records.html Sharon Goldberg (22 Jun 2017), “Surveillance without borders: The “traffic shaping” loophole and why it matters,” Century Foundation. https://tcf.org/content/report/surveillance-without-borders-the-traffic-shaping-loophole-and-whyit-matters Optional Readings: Stewart Baker (6 Jun 2013), “Why the NSA needs your phone calls…and why you (probably shouldn’t worry about it,” Foreign Policy. http://foreignpolicy.com/2013/06/06/why-the-nsa-needs-your-phone-calls Stephanie K. Pell and Christopher Soghoian (29 Dec 2014), “Your secret Stingray’s no secret anymore: The vanishing government monopoly over cell phone surveillance and its impact on national security and consumer privacy,” Harvard Journal of Law and Technology 28, no. 1. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678 Fred H. Cate and James X. Dempsey, ed. (8 Sep 2017), Bulk Collection: Systematic Government Access to Private-Sector Data, Oxford University Press. http://www.oxfordscholarship.com/view/10.1093/oso/9780190685515.001.0001/oso9780190685515

20

4/11: Surveillance reform—guest lecturer Cindy Cohn While many agree that surveillance needs to be curtailed, the details are far from simple. In this session, we will discuss various possibilities for surveillance reform for both the intelligence community and law enforcement. Our guest for this lecture, Cindy Cohn, is the executive director of the Electronic Frontier Foundation. Required Readings: Schneier, pp. 155–238 (part III). Cindy Cohn (27 Sep 2013), “Witness statement of Cindy Cohn,” Big Brother Watch, Open Rights Group, English PEN, and Dr. Constanze Kurz. v. United Kingdom, Application No. 58170/13, European Court of Human Rights. https://www.privacynotprism.org.uk/assets/files/privacynotprism/CINDY_COHNFINAL_WITNESS_STATEMENT.pdf Rainey Reitman (22 Nov 2017), “NSA internet surveillance under Section 702 violates the First Amendment,” Electronic Frontier Foundation. https://www.eff.org/deeplinks/2017/11/nsa-internet-surveillance-under-section-702-violates-firstamendment. Optional Readings: Charlie Savage (10 Jan 2018), “Surveillance and privacy debate reaches pivotal moment in Congress,” New York Times. https://www.nytimes.com/2018/01/10/us/politics/nsa-surveillance-privacy-section-702amendment.html Karoun Demirjian and Josh Dawsey (11 Jan 2018), “Congress advances bill to renew NSA surveillance program after Trump briefly upstages key vote,” Washington Post. https://www.washingtonpost.com/politics/trump-backtracks-after-appearing-to-contradict-hisadministrations-support-of-fisa/2018/01/11/5d7f7088-f6d1-11e7-91af-31ac729add94_story.html David Ruiz (11 Jan 2018), “House fails to protect Americans from unconstitutional NSA surveillance,” Electronic Frontier Foundation. https://www.eff.org/deeplinks/2018/01/house-fails-protect-americans-unconstitutional-nsasurveillance.

4/16 and 4/18: Emerging Topics in Security Policy These days are reserved for topics that will emerge over the semester. This is such a fast-moving area that it’s impossible to predict these in advance. Required Readings: Singer and Friedman, pp. 166–246. Optional Readings: none

21

4/23: Encryption vs Law-enforcement Access—guest lecturer Susan Landau We discuss general question of law-enforcement access to encrypted data and communications. We will discuss whether the ubiquitous use of encryption on computers and phones means that the FBI is “going dark.” Is the solution “back doors” into these devices, or does the FBI have alternative tools at its disposal? We will discuss “lawful hacking” as one such alternative tool. Our guest lecturer for this session is Dr. Susan Landau, professor of ((what)) at Tufts University. Required Readings: James B. Comey (8 Jul 2015), “Going dark: Encryption, technology, and the balances between public safety and privacy,” U.S. Federal Bureau of Investigation. https://www.fbi.gov/news/testimony/going-dark-encryption-technology-and-the-balancesbetween-public-safety-and-privacy Cyrus R. Vance, et al. (12 Aug 2015), “When phone encryption blocks justice,” New York Times. http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocksjustice.html Rod J. Rosenstein (10 Oct 2017), “Deputy Attorney General Rod J. Rosenstein delivers remarks on encryption at the United States Naval Academy,” U.S. Department of Justice. https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarksencryption-united-states-naval Matthew Green (4 Oct 2014), “Why can’t Apple decrypt your iPhone?” A Few Thoughts on Cryptographic Engineering. https://blog.cryptographyengineering.com/2014/10/04/why-cant-apple-decrypt-your-iphone Andi Wilson, Denielle Kehl, and Kevin Bankston (1 Jun 2015), “Doomed to repeat history? Lessons from the crypto wars of the 1990s,” New America Foundation. https://na-production.s3.amazonaws.com/documents/Doomed_To_Repeat_History.pdf Hal Abelson, et al. (7 Jul 2015), “Keys under doormats: Mandating insecurity by requiring government access to all data and communications,” MIT Computer Science and Artificial Intelligence Laboratory. https://www.schneier.com/academic/paperfiles/paper-keys-under-doormats-CSAIL.pdf Eric Geller (10 Jul 2015), “The rise of the new crypto war,” The Daily Dot. http://www.dailydot.com/politics/encryption-crypto-war-james-comey-fbi-privacy Susan Landau (1 Mar 2016), “Testimony for House Judiciary Committee hearing on ‘The Encryption Tightrope: Balancing Americans’ Security and Privacy.’,” U.S. House of Representatives. https://judiciary.house.gov/wp-content/uploads/2016/02/Landau-Written-Testimony.pdf Susan Landau (2017), “Investigations in the age of encryption,” in Listening In: Cybersecurity in an Insecure Age, Yale University Press, pp. 117-151 (chapter 5). https://books.google.com/books/about/?id=ZIbNAQAACAAJ Optional Readings: Peter Swire and Kenesa Ahmad (28 Nov 2011), “’Going dark’ versus a ‘golden age for surveillance,’” Center for Democracy and Technology. https://cdt.org/blog/%E2%80%98going-dark%E2%80%99-versus-a-%E2%80%98golden-age-forsurveillance%E2%80%99 Benjamin Wittes (9 Jul 2015), "Thoughts on encryption and going dark: Part I," Lawfare. http://www.lawfareblog.com/thoughts-encryption-and-going-dark-part-i 22

Benjamin Wittes (12 Jul 2015), “Thoughts on encryption and going dark, part II: The debate on the merits,” Lawfare. https://www.lawfareblog.com/thoughts-encryption-and-going-dark-part-ii-debate-merits Conor Friedersdorf (14 Jul 2015), “How dangerous is end-to-end encryption?” Atlantic. https://www.theatlantic.com/politics/archive/2015/07/nsa-encryption-ungoverned-spaces/398423 Benjamin Wittes (7 Aug 2015) “Five hard encryption questions,” Lawfare. https://www.lawfareblog.com/five-hard-encryption-questions Matt Olsen, et al. (1 Feb 2016), “Don’t panic: Making progress on the ‘going dark’ debate,” Berkman Center for Internet and Society at Harvard University. https://cyber.law.harvard.edu/pubrelease/dontpanic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf John Cassidy (29 Mar 2016), “Lessons from Apple vs. the FBI,” New Yorker. http://www.newyorker.com/news/john-cassidy/lessons-from-apple-versus-the-f-b-i Amar Tooer (24 Aug 2016), “France and Germany want Europe to crack down on encryption,” Verge. https://www.theverge.com/2016/8/24/12621834/france-germany-encryption-terorrism-eutelegram Catherine Stupp (22 Nov 2016), “Five member states want EU-wide laws on encryption,” Euractiv. https://www.euractiv.com/section/social-europe-jobs/news/five-member-states-want-eu-widelaws-on-encryption Samuel Gibbs (19 Jun 2017), “EU seeks to outlaw ‘backdoors’ in new data privacy proposals,” Guardian. https://www.theguardian.com/technology/2017/jun/19/eu-outlaw-backdoors-new-data-privacyproposals-uk-government-encrypted-communications-whatsapp Bhairav Acharya, et al. (28 Jun 2017), “Deciphering the European encryption debate: United Kingdom,” New America/Open Technology Institute. https://www.newamerica.org/oti/policy-papers/deciphering-european-encryption-debate-unitedkingdom Rachel Baxendale (14 Jul 2017), “Laws could force companies to unlock encrypted messages of terrorists,” Australian. http://www.theaustralian.com.au/national-affairs/laws-could-force-companies-to-unlockencrypted-messages-of-terrorists/news-story/ed481d29c956dfac9361061a60dcf590

4/25: Final questions, overarching issues, and lessons from the class In our final class, we’ll sum up what we learned and discuss the final exam. Readings: none

23

9. Detailed Assignments All assignments are due before midnight on the day they are due. Students are to submit assignments in Canvas. Due 2/5: Brief One Tell us about your academic/professional background, and recommend the one Internet-security problem the government (US or another government) should work towards solving first. The problem could be important, urgent, solvable or any combination of the three. Describe the problem, and explain why you think it should be at the top of the policy agenda. Length: 500-800 words. Due 3/5: Brief Two We’ve learned that incentives are often at the core of seemingly intractable security problems. Explain an Internet-related security problem that has a technical solution, but whose economic considerations prevent that solution from being efficiently implemented. Describe the problem, the technical solution, and the economic barrier. Recommend a policy action to overcome the economic barrier. Length: 500800 words. Due 4/2: Brief Three (Group Assignment) You are a policy advisor for a US national legislator. Your boss is under increasing pressure from his constituents to ensure the security and/or privacy of the IoT. Develop a) a security taxonomy for common household IoT devices (this can be a graphic) and b) proposed recommendations spelling out your security/privacy approach. This might include recommendation for specific legislative action or adoption of industry standards. How would you ensure compliance? What challenges or risks would remain? Focus on the technical or implementation, rather than the political, risks. Length: 800-1200 words. Due 5/2: Final Paper TBD. Length 1500-2400 words.

24