Ghost in the network

Research output: Contribution to journal, Review article, peer-review

24 Scopus citations

Abstract

Cyberattacks are inevitable and widespread. Existing scholarship on cyberespionage and cyberwar is undermined by its futile obsession with preventing attacks. This Article draws on research in normal accident theory and complex system design to argue that successful attacks are unavoidable. Cybersecurity must focus on mitigating breaches rather than preventing them. First, this Article analyzes cybersecurity's market failures and information asymmetries. It argues that these economic and structural factors necessitate greater regulation, particularly given the abject failures of alternative approaches. Second, this Article divides cyberthreats into two categories: known and unknown. To reduce the impact of known threats with identified fixes, the federal government should combine funding and legal mandates to push firms to redesign their computer systems. Redesign should follow two principles: disaggregation (dispersing data across many locations) and heterogeneity (running those disaggregated components on variegated software and hardware). For unknown threats ("zero-day attacks"), regulation should seek to increase the government's access to markets for these exploits. Regulation cannot exorcise the ghost in the network, but it can contain the damage it causes.

Maelcum produced a white lump of foam slightly smaller than Case's head, fished a pearl-handled switchblade on a green nylon lanyard out of the hip pocket of his tattered shorts, and carefully slit the plastic. He extracted a rectangular object and passed it to Case. "Thas part some gun, mon?" "No," said Case, turning it over, "but it's a weapon. It's virus."

Original language: English (US)
Pages (from-to): 1011-1091
Number of pages: 81
Journal: University of Pennsylvania Law Review
Volume: 162
Issue number: 5
State: Published - Apr 2014

ASJC Scopus subject areas

  • Law
