Law, Cyber and Extreme Conditions
Funded by the Ministry of Science and Technology, 2014- 2017
PIs: Prof. Amnon Reichman, Prof. Eli Salzberger, Prof. Gad Barzilai, Prof. Deborah Shmueli
Cyberspace has become an integral part of the nerves system of functioning modern states; as more and more infrastructure systems are digitized and connected via electronic communication systems. Therefore, severe cyber attack or malfunction may arrest the operation of critical systems that control key elements of modern democracies, and equally important, may destroy or corrupt essential databases. Such an event may result in catastrophe, with the potential to undermine not only public order, but also the very existence of the rule of law. Questions such as the liability of state agencies and other stakeholders (including those outside the boundaries of the state) to damages resulting from cyber attacks, the legal authority of the various state agencies to manage and coordinate their acts during cyber attack, and the legal powers of state agencies to regulate cyber space attack are all critical questions that must be thoroughly and critically examined, and where the law as it stands is lacking, solutions should be proposed. Moreover, cyber attacks threaten the law itself, because the legal system is now enmeshed in cyberspace: court cases, laws and regulations, decisions of administrative agencies and databases with paramount legal significance, such as the land registry, lists of those eligible to vote, lists of those who may or may not enter or exit the state, lists of those targeted for investigation by various authorities and of course the management of fees, taxes and accounts – are all digitized and therefore susceptible to cyber attack.
Cyber attacks on infrastructure and the collapse and corruption of legally significant databases should be considered an extreme condition – an emergency posing grave challenges to the legal system. A systemic cyber failure inducing a disaster is a major concern for every state. The understanding of legal and institutional structures and regulations governing who is responsible and able to do what, is crucial. In emergency situations, some regular rules do not apply and the balance between public and individual legal rights may shift. Therefore, the study of the rule of law under cyber attack is essential. Such research will focus not only on the state and its agencies. Cyberspace is a complex system of computers, servers and communication networks governed by private people as well as by public, local, national and international organizations. In cyberspace, the boundaries of liability and responsibility are vague. Control of public space and networks requires cooperation, coordination and consent between power holders and other stakeholders. Therefore, research into the lines of responsibility and accountability, as well as into possible modes of public-private cooperation, is vital.
Systemic and meticulous research of legal aspects of cyber emergencies is a crucial element in achieving resilient and safe cyber networks and in preparing for contingencies that may occur. The research aims to explore both theoretical and practical issues regarding control, regulation and legal aspects of cyber disasters. It will map existing rules and regulations, explore the differences and similarities between nations and the possible similarities to other disasters and suggest amendments and improvements to the existing legal regime.
The research looked into both defensive and offensive actions, before, during and after a cyber disaster. It included a comprehensive empirical mapping of existing legal tools as well as the institutional aspects of regulation, control, responsibilities and liabilities of cyber emergencies outcomes.
The research employed qualitative analysis tools over primary and secondary data resources, legal databases as well as interviews and simulations with stakeholders. It will include a comparative study between countries as well as between cyber and other disasters and will explore case studies of cyber disasters as well as database corruption cases. On the theoretical level, the research will suggest models and analytical tools for the study of the legal aspects of cyber disasters.
The unique characteristic of cyberspace, together with the uniqueness of extreme conditions renders a special expertise in legal research. The Minerva Center for the Rule of Law under Extreme Conditions was created specifically to address the unique challenges to the rule of law posed by emergency situations. Research in the Center has already begun, using a methodology designed for the study of the law and natural disasters, wars/terrorist attacks and social-economical meltdowns.
Cyber regulations research
2014-2016: Cybersecurity through Regulation: A Comparative Approach – Lead researcher: Deborah Housen-Couriel, Adv., Researchers: Admit Ivgi, Adv., Aurelie Amidan, Shirah Meir
Research presentation, Dec-2015
Research presentation – Dec-2015-Hebrew
2016 : The Regulation of Cybersecurity Professions: A Proposal for Five Regulatory Models – Lead researcher: Deborah Housen-Couriel, Adv., Researchers: Admit Ivgi, Adv. and Shirah Meir
Countries have similar challenges in meeting cybersecurity workforce challenges, and nearly all are cognizant in their national cybersecurity strategies of serious gaps in capacity at present and in the coming years regarding national and global cybersecurity needs and professional talent gaps in meeting these needs. Yet each country and organization has a different approach to resolution of this challenge, reflecting different national strategic interests, priorities and capabilities. The five models proposed in this study are based on comparative research of the commonalities and differences of the twelve countries and two organizations reviewed. The models form a conceptualization that could be described as progressive or “nested”, in the sense that each model also contains the elements that characterize its predecessor. The models and the countries and organizations which they characterize are as follows:declaratory (national policies note the importance of professional development in the context of capacity-building and may showcase professional training schemes, yet the training and accreditation is voluntary and left to the private sector); declaratory with some informal training schemes (in addition toinclusion of professional capacity-building as a national strategic goal, some professional training schemes are supported and recommended and may also be government-subsidized); government information sharing with the private sector (national workforce policies are ingrained, promoted and supported by formal and regular government feedback to the private sector and the public); recommended accreditation(accreditation of professionals is strongly supported, recommended and subsidized in the context of a national strategy); and “nearly-mandatory” accreditation (whereby accreditation schemesare recommended and sponsored and are either a de jure or de factorequirement for some professionals).The details regarding each of the national and organizational strategies are reviewed on a country-by-country basis. Special characteristics are noted, such as France’s inclusion of labor unions as a stakeholder in national capacity-building efforts, the UK’s agreement with insurance companies to reduce premiums for cybersecurity-compliant companies, and Australia’s use of nationally registered occupational training organizations (RTOs). Moreover, a basket of best practices from among the countries surveyed is included at the conclusion of the study – probably better identified as “probable best practices”, as the overall assessment of the degree of success of each in achieving a higher level of cybersecurity, as well as the metrics of such an assessment, remain as future topics for research.
2016 : Property Rights in Cyberspace: A Comparative Study of Digital Property – Lead researcher: Deborah Housen-Couriel, Adv.
The burgeoning quantity of computerized data over the past decades, and its corollary exposure to cybercrime and other forms of hostile activity in cyberspace indicate an urgent need to regulate rights in digital property. Yet the development of regulation regarding such property on the part of the countries and organization analyzed here has been slow. In three of the four countries in which it has progressed, a central impetus has been the concern over transferability of rights in the event of death or disability. In one of the four, the US, the legislative initiative of the Revised Uniform Fiduciary Access to Digital Assets Act has moved ahead significantly since 2015, with nearly half of the 50 states having adopted the Act or currently considering it. In the UK and Germany, pro-active professional organizations, the UK Law Society and the German Bar Association, have formulated public positions and policies on the inclusion of digital rights in legacies. Finally, in France, the current efforts to encompass a broad range of issues in the context of the Digital Republic Bill may bring about a more explicit digital rights regime. Further research will be necessary to follow the inevitable regulatory developments in this context, including the developments regarding the terms and conditions of website utilization by private persons, and to evaluate their degree of success in ensuring property rights in the present digital era.