Scope:
Since first developed as a research project in the 1960s, the Internet has
grown to become a world-girding, borderless domain where more than
2.5 billion people buy goods, consult doctors, foment rebellion, send
photographs, and do countless other things both big and small. With that
powerful openness, however, comes grave insecurity. The goal of this course
is to teach you about the structure of the Internet and the unique threats it
breeds. In the end, this course will center on a single overarching theme:
that Internet openness brings risks and dangers that cannot be eliminated,
but they are risks that can be understood, managed, and reduced. By the end
of the course, you’ll have a greater appreciation for what governments and
individuals can do and are doing to reduce those threats.
Our course begins with a case study—of the Stuxnet virus that attacked
Iranian nuclear production facilities. Some think of Stuxnet as the world’s
first cyber guided missile. It is the first instance we know of where cyber
attacks had real-world physical effects. However you characterize it, this
new reality will be transformative. The interconnectedness between the
cyber domain and the physical world creates new vulnerabilities and poses
new legal and policy challenges. The disruption of settled assumptions and
expectations is, in some ways, reminiscent of the sea change we saw in
world governance after the introduction of nuclear weapons. Our goal will
be to explore challenges posed by the dynamic changes in cyberspace in a
systematic way.
The course continues by looking at fundamentals and basic structures. We
will learn first how the Internet and cyberspace are built and why they are
built the way they are. It turns out that a good deal of vulnerability is built
into the system from the start. The Internet would not be the network we
know if it were structured in a more closed and secure way, but that lack
of security is a critical gap that can’t be technologically fixed. We’ll also
spend some time looking more closely at the different types of viruses

and vulnerabilities that infect the cyber domain. You will gain a better
understanding of the difference, say, between Trojan horses and botnets.
After that, we’ll close the introductory portion of the course by trying to
get a feel for who the different actors are in cyberspace. We’ll learn that
there is a world of difference between the motivations of, say, China or the
United States and those of cyber hackers, and those are very different from
the motivations of organized crime actors in cyberspace.
In the second part of the course, we’ll look at some of the issues of law
and policy that are bound up in our dealing with these threats. We’ll begin
by examining the prospect of government regulation of the Internet and
asking whether or not it can be effective. Then, we’ll investigate the even
more problematic (and challenging) question of international cooperation.
Because the Internet spans the globe, some international governance
is essential, but what should it look like? We will also discuss how the
Constitution both protects our civil liberties and possibly limits our ability
to protect ourselves. We’ll ask some questions about encryption policy as
a way of protecting ourselves, and we’ll take a dive into the topic known
as “big data”—the idea that everyone leaves a trail in cyberspace. What we
will discover is that almost every aspect of cybersecurity is a double-edged
sword: New technologies can be used to foster freedom but also to create
greater insecurity.
The third part of the course steps back from our look at particular policies
to put the problem in context. Anticipating that some form of cyber attack
will inevitably succeed, we’ll take a look at how to make the entire network
more resilient so that we can recover from an attack. We’ll also look at how
to make yourself a less inviting target and provide a short catalog of tips
on how you can better protect yourself. Finally, we’ll do some crystal-ball
gazing, looking at what the next 10 or 20 years may hold for us in the cyber
world.