By: Charles Bjork
Scott J. Shackelford. Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (Cambridge University Press, 2014). 434 p. Hardcover $99.00.
The National Academy of Sciences defines the term “cyber attack” as a deliberate attempt to alter, disrupt, deceive, degrade or destroy computer systems or networks and the programs that run on them. In recent years, this once obscure term has entered the mainstream. Hardly a month goes by without a cyber attack making headlines – from the breach of customer data at Target, to the hacking of emails and theft of intellectual property at Sony Pictures Entertainment, to the hijacking of the Pentagon’s social media accounts by ISIS. As a result, the issue of cyber security has captured the attention of policymakers around the world, including President Obama.
In the wake of these developments, the need for a comprehensive survey of cyber security law and governance has never been greater. Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace, by Scott J. Shackelford, ably fills this need. The author, a member of the faculty at Indiana University and a senior fellow at the Center for Applied Cybersecurity, begins with a brief overview of the history of Internet governance. He contrasts the initial period of organic, bottom-up governance exemplified by ad hoc entities like the Internet Engineering Task Force, which still develops and publishes the standards for Internet transfer protocols, with the subsequent emergence of the Internet Corporation for Assigned Names and Numbers (ICANN), a centralized, top-down entity created to manage IP addresses and domain names.
In the following chapter, Shackelford turns to the future of Internet governance, which will be dominated by the need for enhanced cyber security and demands for greater national and international regulation. A recurring theme throughout this chapter and the remainder of the book is that a fragmented and dynamic ecosystem like cyberspace is too complex to be successfully governed by a unitary regulatory framework. Shackelford makes a persuasive case that the best way forward is a system of “polycentric governance,” which he defines as regulation at multiple levels by overlapping sets of state and non-state actors employing a combination of national law, international norms, industry standards and best practices, and market forces to achieve a desired end. This “all-of-the-above” approach relies on multi-stakeholder governance to harness the benefits of both top-down and bottom-up regulatory regimes while avoiding their respective shortcomings.
The second section of the book focuses on managing vulnerabilities in cyberspace. Shackelford begins this section by describing the three-layered structure of the Internet and assessing the principal weaknesses of each layer: the physical infrastructure (hardware), the logical infrastructure (software), and the content layer (data and users). This is followed by a discussion of the most common types of cyber weapons, including spyware, Trojan horses, viruses, worms, logic bombs, and distributed denial of service attacks. In the next two chapters, Shackelford examines the steps being taken by national governments to safeguard critical national infrastructure (CNI) from cyber attacks and efforts to enhance cyber security in the private sector through the development of industry standards and best practices. Readers interested in pursuing any of the foregoing topics in greater depth may rely on Shackelford’s copious footnotes to guide them.
The final section of the book is devoted to the role of international legal norms in cyber governance. Shackelford begins this section by assessing the applicability of existing international law, particularly the law of armed conflict, to cyberspace. A recurring theme in this section of the book is the vexing problem of attribution. How can we accurately identify the perpetrators of cyber attacks, especially when shadowy, non-state actors (who may or may not be operating under the direction or at the behest of a national government) are involved? In the final chapter, Shackelford examines the prospects for developing new international norms for cyber governance.
Writing for a wide audience about a subject grounded in technology is no easy task. Fortunately, Shackelford manages to make the underlying technical issues intelligible to lay readers without dumbing things down to the point that those with technical expertise will lose interest. His explanation of how the routing protocols that make the Internet flexible and scalable have also left it vulnerable to security breaches is especially helpful.
Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace would make a welcome and timely addition to any law library seeking to augment its existing collection in the fields of law and technology and national security law. For libraries operating under budgetary constraints, this broad survey of cyber security issues provides an excellent alternative to purchasing multiple titles on related but narrower topics, such as cyber crime and cyber warfare.