This is the old version of the H2O platform and is now read-only. This means you can view content but cannot create content. You can access the new platform at https://opencasebook.org. Thank you.
0 | Show/Hide More | 2.1 Select Case Studies |
0.1 | Show/Hide More | 3.1.1 Estonia |
0.1.2 | Show/Hide More | Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, Guardian, May 16, 2007 |
0.2 | Show/Hide More | Ghostnet |
0.2.2 | Show/Hide More | John Markoff, Vast Spy System Loots Computers in 103 Countries, NY Times, Mar 28, 2009 |
0.3 | Show/Hide More | Olympic Games |
0.3.2 | Show/Hide More | David E. Sanger, Obama Ordered Sped Up Wave of Cyberattacks Against Iran, NY Times, Jun 1, 2012 |
0.4 | Show/Hide More | Flame |
0.4.2 | Show/Hide More | Ellen Nakashima et al., U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say, Washington Post, Jun 19, 2012 |
0.5 | Show/Hide More | Economic Theft |
0.6 | Show/Hide More | Hacktivism |
0.6.2 | Show/Hide More | Part I: Saki Knafo, Anonymous And The War Over The Internet, Huffington Post, Jan 2012. |
0.6.3 | Show/Hide More | Part II: Saki Knafo, Anonymous And The War Over The Internet, Huffington Post, Jan 2012 |
1 | Show/Hide More | Chapter 1: Understanding Networks and Computers |
1.1 | Show/Hide More | 1.1 Introduction to Computers and Computer Vulnerabilities |
1.1.1 | Show/Hide More | 1.1.1 Computer Architecture Overview |
1.1.2 | Show/Hide More | 1.1.2 Computer Sources of Vulnerability |
1.2 | Show/Hide More | 1.2 Introduction to Internet Infrastructure |
1.2.1 | Show/Hide More | 1.2.1 Architecture Philosophy |
1.2.1.1 | Show/Hide More | David Clark, The Design Philosophy of the DARPA Internet Protocols, ACM SIGCOMM Computer Communication Review, 1988 |
1.2.1.2 | Show/Hide More | Lawrence Lessig, Code 2.0, Ch. 4: Architectures of Control, 2006 |
1.2.1.3 | Show/Hide More | David G. Post, In Search of Jefferson’s Moose, Ch. 1: Chaos, 2009 |
1.2.2 | Show/Hide More | 1.2.2 Elements of the Network (ISPs, Routers, Protocols and packets view) |
1.2.2.1 | Show/Hide More | David Clark, An Insider’s Guide to the Internet, 2004 |
1.2.2.2 | Show/Hide More | Elihu Zimet and Edward Skoudis, Cyberpower and National Security, Ch. 4: A Graphical Introduction to the Structural Elements of Cyberspace, eds. Kramer, Starr, and Wentz, 2009 |
1.2.2.3 | Show/Hide More | Preston Gralla, How the Internet Works, Ch. 1-10, 8th edition, 2007 |
1.2.3 | Show/Hide More | 1.2.3 Communication Channels |
1.2.3.1 | Show/Hide More | 1.2.3.a Cables |
1.2.3.1.1 | Show/Hide More | Global Bandwidth Research Service, TeleGeography Submarine Cable Map, 2011 |
1.2.3.2 | Show/Hide More | 1.2.3.b Satellites |
1.2.3.2.1 | Show/Hide More | Dave Lee, Sky-high Thinking for African Internet, BBC, Aug 6, 2012 |
1.2.3.2.2 | Show/Hide More | BBC, Libya Jamming ‘exposed Vulnerability’, Jan 13, 2006 |
1.2.3.3 | Show/Hide More | 1.2.3.c Wireless Networks |
1.2.4 | Show/Hide More | 1.2.4 Data Provenance |
1.2.4.1 | Show/Hide More | 1.2.4.a Encryption (public and private keys, hash functions) |
1.2.4.1.1 | Show/Hide More | Steven Levy, Crypto Ch. 3: Public Key, 2001 |
1.2.4.1.2 | Show/Hide More | Introduction to Public-Key Cryptography, Mozilla Developer Network, 2005 |
1.2.4.1.3 | Show/Hide More | D. Richard Kuhn et al., Introduction to Public Key Technology and the Federal PKI Infrastructure, NIST, 2001 |
1.2.4.2 | Show/Hide More | 1.2.4.b SSL Certificates |
1.2.4.2.1 | Show/Hide More | Introduction to SSL, Mozilla Developer Network, 2005 |
1.2.4.2.2 | Show/Hide More | 1.2.4.b.ii Moxie Marlinspike on SSL and Authenticity |
1.2.4.2.2.1 | Show/Hide More | Moxie Marlinspike, BlackHat USA 2011: SSL and the Future of Authenticity, 2011 |
1.2.4.2.2.2 | Show/Hide More | Moxie Marlinspike, New Tricks For Defeating SSL In Practice, BlackHat DC, 2009 |
1.2.4.2.2.3 | Show/Hide More | Moxie Marlinspike, SSL and the Future of Authenticity, Thoughtcrime Blog, 2011 |
1.2.4.2.3 | Show/Hide More | Gregg Keizer, Hackers Stole Google SSL Certificate, Dutch Firm Admits, Computerworld, Aug 30, 2011 |
1.3 | Show/Hide More | 1.3 Sources of Network Vulnerability |
1.3.1 | Show/Hide More | 1.3.1 Overview |
1.3.1.1 | Show/Hide More | Martin C. Libicki, Cyberdeterrence and Cyberwar: Ch. 2: A Conceptual Framework, RAND, 2009 |
1.3.2 | Show/Hide More | 1.3.2 Critical Infrastructure |
1.3.2.1 | Show/Hide More | William D. O’Neil, Cyberpower and National Security Ch. 5: Cyberspace and Infrastructure, eds. Kramer, Starr, and Wentz, 2009 |
1.3.3 | Show/Hide More | 1.3.3 DNS and Man-in-the-Middle Attacks |
1.3.3.1 | Show/Hide More | Bruce Schneier, Lessons from the DNS Bug: Patching Isn’t Enough, Wired, Jul 23, 2008 |
1.3.3.2 | Show/Hide More | Callegati, F., Man-in-the-Middle Attack to the HTTPS Protocol, Security & Privacy, IEEE, 2009 |
1.3.3.3 | Show/Hide More | Seth Schoen, The Message of Firesheep: “Baaaad Websites, Implement Sitewide HTTPS Now!”, EFF, Oct 29, 2010 |
1.3.4 | Show/Hide More | 1.3.4 Cloud Computing |
1.3.4.1 | Show/Hide More | Chris Clayton, Standard Cloud Taxonomies and Windows Azure, MSDN, 2011 |
1.3.4.2 | Show/Hide More | Harvard Law National Security Research Group, Cloud Computing and National Security Law, 2010 |
1.3.5 | Show/Hide More | 1.3.5 User-based Vulnerabilities |
1.3.5.1 | Show/Hide More | 1.3.5.a Phishing |
1.3.5.1.1 | Show/Hide More | David Goldman, Massive Gmail Phishing Attack Hits Top U.S. Officials, CNN Money, Jun 1, 2011 |
1.3.5.1.2 | Show/Hide More | Tyler Moore and Richard Clayton, Examining the Impact of Website Take-down on Phishing, APWG eCrime Researchers Summit, 2007 |
1.3.5.2 | Show/Hide More | 1.3.5.b Insiders |
1.3.5.2.1 | Show/Hide More | US Secret Service, Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, CERT, 2004 |
1.3.6 | Show/Hide More | 1.3.6 Communication Channels |
1.3.6.1 | Show/Hide More | 1.3.6.a Cables |
1.3.6.1.1 | Show/Hide More | Michael Sechrist, Cyberspace in Deep Water, Harvard Kennedy School, 2010 |
2 | Show/Hide More | Chapter 2: Fundamental Issues |
2.1 | Show/Hide More | 2.1 Fundamental Concepts |
2.1.1 | Show/Hide More | 2.1.1 Cyber-Attack v. Cyber-Exploitation |
2.1.2 | Show/Hide More | 2.1.2 Characteristics of Cyber-Operations (attack and exploitation) |
2.1.3 | Show/Hide More | 2.1.3 Why Offense Beats Defense |
2.1.4 | Show/Hide More | 2.1.4 Economics and Metrics |
2.1.4.3 | Show/Hide More | Seymour E. Goodman and Herbert S. Lin, Toward a Safer and More Secure Cyberspace, Ch. 6.4: The Economics of Cybersecurity, National Research Council, 2007, pp. 133-42 |
2.1.5 | Show/Hide More | 2.1.5 Attribution |
2.1.5.1 | Show/Hide More | David Clark and Susan Landau, Untangling Attribution, Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy, 2010 |
2.2 | Show/Hide More | 2.2 Seriousness of the Threat |
2.2.1 | Show/Hide More | Richard Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It, 2010 |
2.2.2 | Show/Hide More | Joel Brenner, America the Vulnerable: Inside the New Matrix of Digital Espionage, Crime, and Warfare, 2011 |
2.3 | Show/Hide More | 2.3 Cyber Power |
2.3.1 | Show/Hide More | Joseph Nye, Cyber Power, Belfer Center, Harvard Kennedy School, May 2010 |
2.3.2 | Show/Hide More | The Cyber Hub, Cyber Power Index, Booz Allen Hamilton and the Economist Intelligence Unit |
3 | Show/Hide More | Chapter 3: Governance Overview: Main Governing and Regulatory Mechanisms |
3.1 | Show/Hide More | 3.1 Overview of Relevant International Cybersecurity Bodies and Mechanisms (public and private) |
3.1.1 | Show/Hide More | 3.1.1 Introduction to Internet Governance Frameworks |
3.1.1.1 | Show/Hide More | Lawrence B. Solum, Models of Internet Governance, Illinois Public Law Research Paper No. 07-25, U Illinois Law & Economics Research Paper No. LE08-027, September 3, 2008 |
3.1.1.2 | Show/Hide More | Robert Knake, Internet Governance in an Age of Cyber Insecurity, Council on Foreign Relations, September 2010 |
3.1.1.3 | Show/Hide More | Jeremy Ferwerda, Nazli Choucri, and Stuart Madnick, Institutional Foundations for Cyber Security: Current Responses and New Challenges, Working Paper CISL# 2011-05, May 2011 |
3.1.1.4 | Show/Hide More | Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, Future Challenges in National Security and Law, February 2011 |
3.1.1.5 | Show/Hide More | Abraham D. Sofaer, David Clark, and Whitfield Diffie, Cyber Security and International Agreements, Proceedings of a Workshop on Deterring Cyberattacks, pp. 179-206, 2010 |
3.1.2 | Show/Hide More | 3.1.2 Select Globally-Relevant Bodies and Treaties |
3.1.2.1 | Show/Hide More | Internet Corporation for Assigned Names and Numbers (ICANN) |
3.1.2.1.1 | Show/Hide More | Internet Corporation for Assigned Names and Numbers, Memorandum of Understanding, November 1998 |
3.1.2.1.2 | Show/Hide More | Internet Corporation for Assigned Names and Numbers, Affirmation of Commitments, September 2009 |
3.1.2.2 | Show/Hide More | The Internet Engineering Task Force (IETF) |
3.1.2.2.1 | Show/Hide More | The Internet Engineering Task Force, The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force, 15 October, 2011 |
3.1.2.3 | Show/Hide More | Shanghai Cooperation Organization |
3.1.2.3.1 | Show/Hide More | Yekaterinburg Declaration of June 16, 2009 |
3.1.2.4 | Show/Hide More | International Telecommunication Union (ITU) |
3.1.2.4.1 | Show/Hide More | Jeremy Ferwerda, Nazli Choucri, and Stuart Madnick, Institutional Foundations for Cyber Security: Current Responses and New Challenges, Working Paper CISL# 2011-05, May 2011 |
3.1.2.4.2 | Show/Hide More | International Telecommunication Union, ITU’s Global Cybersecurity Agenda |
3.1.2.4.3 | Show/Hide More | McDowell, Robert M., The U.N. Threat to Internet Freedom, The Wall Street Journal, February 21, 2012 |
3.1.2.5 | Show/Hide More | Council of Europe Convention on Cybercrime |
3.1.2.6 | Show/Hide More | Organization of American States |
3.1.2.6.1 | Show/Hide More | A Comprehensive Inter-American Cybersecurity Strategy |
3.2 | Show/Hide More | 3.2 Introduction to Domestic Governing and Regulatory Bodies |
3.2.1 | Show/Hide More | 3.2.1 Overview |
3.2.1.1 | Show/Hide More | Lawrence B. Solum, Models of Internet Governance, Illinois Public Law Research Paper No. 07-25, U Illinois Law & Economics Research Paper No. LE08-027, September 3, 2008 |
3.2.1.2 | Show/Hide More | Jeremy Ferwerda, Nazli Choucri, and Stuart Madnick, Institutional Foundations for Cyber Security: Current Responses and New Challenges, Working Paper CISL# 2011-05, May 2011 |
3.2.1.4 | Show/Hide More | Abraham D. Sofaer, David Clark, and Whitfield Diffie, Cyber Security and International Agreements, Proceedings of a Workshop on Deterring Cyberattacks, pp. 179-206, 2010 |
3.2.2 | Show/Hide More | 3.2.2 Relevant Domestic Organizations, Policies, and Strategies |
3.2.2.1 | Show/Hide More | The White House |
3.2.2.1.1 | Show/Hide More | The White House, International Strategy for Cyberspace, May 2011 |
3.2.2.1.2 | Show/Hide More | Eric Chabrow, The Cybersecurity Czar Who Wasn't, GovInfo Security, 2 June 2012 |
3.2.2.2 | Show/Hide More | Department of Defense |
3.2.2.2.1 | Show/Hide More | Department of Defense, Strategy for Operating in Cyberspace, July 2011 |
3.2.2.2.2 | Show/Hide More | Department of Defense Cyberspace Policy Report, November 2011 |
3.2.2.2.3 | Show/Hide More | The Secretary of Defense, Establishment of a Subordinate Unified U.S. Cyber Command Under U.S. Strategic Command for Military Cyberspace Operations, 23 June 2009 |
3.2.2.2.4 | Show/Hide More | Statement of General Keith B. Alexander, Commander, United States Cyber Command, before the House Committee on Armed Services, 23 September 2010 |
3.2.2.3 | Show/Hide More | Department of Homeland Security |
3.2.2.3.1 | Show/Hide More | National Cyber Incident Response Plan, Interim Version, September 2010 |
3.2.2.3.2 | Show/Hide More | Homeland Security Presidential Directive 5, 28 February 2003 |
3.2.2.3.3 | Show/Hide More | Blueprint for a Secure Cyber Future, DHS, “How We Will Protect Critical Information Infrastructure” and “How We Will Strengthen the Cyber Ecosystem”, December 2011 |
3.2.2.3.4 | Show/Hide More | Memorandum of Understanding Between the Department of Homeland Security and the National Security Administration Regarding Cyberspace, October 2010 |
3.2.2.4 | Show/Hide More | Federal Bureau of Investigation |
3.2.2.5 | Show/Hide More | National Institute of Standards and Technology |
3.2.2.5.1 | Show/Hide More | NIST Computer Security Division |
3.2.2.5.2 | Show/Hide More | NIST Establishes National Cybersecurity Center of Excellence, 21 February 2012 |
3.2.2.6 | Show/Hide More | Federal Communications Commission |
3.2.2.6.1 | Show/Hide More | Communications Security, Reliability and Interoperability Council (CSRIC) III |
3.3 | Show/Hide More | 3.3 Introduction to Law-Enforcement Frameworks as Applied to the Digital Domain |
3.3.1 | Show/Hide More | Application of the Laws of War |
3.3.1.1 | Show/Hide More | Oona A. Hathaway, et al., The Law Of Cyber-Attack, forthcoming in the California Law Review, 2012 |
3.3.1.2 | Show/Hide More | Maj. Gen. Charles C. Dunlap, Jr., Perspectives for Cyber Strategists on Law for Cyberwar, Strategic Studies Quarterly, Spring 2011. |
4 | Show/Hide More | Chapter 4: Cybercrime |
Purpose: This chapter is designed to provide an understanding of cybercrime, i.e. crime that involves a computer network. Basically anything that can be a “real-space” crime can also be done in some way using a computer network. Examples include fraudulent misrepresentation via email or the network distribution of child pornography. In addition, some crimes (such as data theft, or disruption of a network) necessarily involve computers, computer software, or computer networks. In this chapter we discuss both types of cybercrime. We limit our focus to the international dimension – i.e. to crimes committed by people in one jurisdiction (or in an unknown jurisdiction) involving computers or networks in another jurisdiction. Finally, both national governments and non-state actors can commit international cybercrimes. For example, the Chinese hack of Google violated U.S. criminal law. Because national governments are not even in theory subject to domestic criminal process, we will focus on crimes committed by non-state actors.
Concepts Covered: This chapter divides into three parts. Part 4.1 explores examples of cybercrime and how cyber-criminals operate. Part 4.2 examines the limitations of domestic criminal law to address cybercrime. Part 4.3 looks at international efforts to regulate cybercrime, and the limits of those efforts.
4.1 | Show/Hide More | 4.1 How Cybercrime Works |
4.1.1 | Show/Hide More | 4.1.1 Case Studies |
4.1.1.1 | How the RSA SecurID Hack Worked |
4.1.2 | Show/Hide More | Tyler Moore, et al., The Economics of Online Crime, Journal of Economic Perspectives, Vol 23, No 3, 2009 |
4.1.3 | Show/Hide More | Group IB, State and Trends of the Russian Digital Crime Market, 2011 |
4.1.4 | Show/Hide More | Knafo, Anonymous And The War Over The Internet, Part I, 30 January 2012 |
4.1.5 | Show/Hide More | Knafo, Anonymous And The War Over The Internet, Part II, 31 January 2012 |
4.2 | Show/Hide More | 4.2 The Limitations of Domestic Criminal Law |
4.2.1 | Show/Hide More | 4.2.1 Jurisdiction and Sovereignty |
4.2.2 | Show/Hide More | National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, Chapter 5, 2009 |
4.2.4 | Show/Hide More | Computer Fraud and Abuse Act, 18 USC 1830 |
4.2.6 | Show/Hide More | U.S.-Canada Extradition Treaty |
4.3 | Show/Hide More | 4.3 International Efforts To Regulate Cybercrime |
4.3.1 | Show/Hide More | The Council of Europe Convention on Cybercrime |
4.3.2 | Show/Hide More | Ratifications of Council of Europe Convention on Cybercrime |
4.3.4 | Show/Hide More | Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, Future Challenges in National Security and Law, February 2011 |
5 | Show/Hide More | Chapter 5: Laws of War |
5.1 | Show/Hide More | Curtis A. Bradley and Jack L. Goldsmith, Overview of International Law and Institutions in Foreign Relations Law: Cases and Materials (4th ed. 2011) |
5.2 | Show/Hide More | 5.1 Jus ad Bellum |
5.2.1 | Show/Hide More | United Nations Charter |
5.2.2 | Show/Hide More | National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities |
5.2.3 | Show/Hide More | Department of Defense, An Assessment of International Legal Issues in Information Operations, 1999 |
5.2.4 | Show/Hide More | Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, Columbia Journal of Transnational Law 37:885-937, 1999 |
5.2.5 | Show/Hide More | Matthew C. Waxman, Cyber Attacks and the Use of Force, Back to the Future of Article 2(4), The Yale Journal of International Law 36, 2011 |
5.2.6 | Show/Hide More | Michael N. Schmitt, Cyber Operations and the Jus ad Bellum Revisited, Villanova Law Review 56, 2011 |
5.2.7 | Show/Hide More | Department of Defense Cyberspace Policy Report, 2011 |
5.3 | Show/Hide More | 5.2 Jus in Bello |
5.3.1 | Show/Hide More | National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities |
5.3.2 | Show/Hide More | Department of Defense, An Assessment of International Legal Issues in Information Operations, 1999 |
5.3.3 | Show/Hide More | Michael N. Schmitt, Cyber Operations and Jus in Bello: Key Issues, Naval War College International Law Studies, 2011 |
5.4 | Show/Hide More | 5.3 Espionage |
5.4.1 | Show/Hide More | 5.3.1 Relevant Case Studies |
5.4.1.1 | Estonia |
5.4.1.2 | Olympic Games |
5.4.1.3 | Flame |
5.4.2 | Show/Hide More | National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities |
5.4.3 | Show/Hide More | Department of Defense, An Assessment of International Legal Issues in Information Operations, 1999 |
5.4.4 | Show/Hide More | Simon Chesterman, The Spy Who Came In from the Cold War: Intelligence and International Law, 27 Mich. J. Int’l L. 1071, 2006 |
5.4.5 | Show/Hide More | Jeffrey H. Smith, Keynote Address: State Intelligence Gathering and International Law, 28 Mich. J. Int’l L. 543, 544, 2006 |
5.4.6 | Show/Hide More | Roger D. Scott, Territorially Intrusive Intelligence Collection and International Law, 46 Air Force L. Rev. 217, 1999 |
6 | Show/Hide More | Chapter 6: Deterrence and International Agreements |
6.1 | Show/Hide More | 6.1 Deterrence |
6.1.1 | Show/Hide More | Joseph S. Nye Jr., Nuclear Lessons for Cybersecurity, Strategic Studies Quarterly, Winter 2011 |
6.2 | Show/Hide More | 6.2 International Agreements |
6.2.1 | Show/Hide More | Abraham D. Sofaer, David Clark, and Whitfield Diffie, Cyber Security and International Agreements, Proceedings of a Workshop on Deterring Cyberattacks, pp. 179-206, 2010 |
6.2.2 | Show/Hide More | Clarke and Knake, Cyber War: The Next Threat to National Security and What to Do About It, Chapter 7, 2010, ISBN: 978-0061962233 |
6.2.4 | Show/Hide More | Russian Proposal, Convention on International Information Security, November 2011 |
6.2.5 | Show/Hide More | Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, Future Challenges in National Security and Law, February 2011 |
6.2.6 | Show/Hide More | James Andrew Lewis, Confidence-building and International Agreement in Cybersecurity, United Nations Institute for Disarmament Research, 2011 |
May 28, 2018
Jack Goldsmith and a Berkman Center Cybersecurity Team