I have had the opportunity to work on cybersecurity issues from a variety of vantage points—at a large law firm, at a tech startup, and in state government. Most recently, in private practice, I helped companies prepare for and respond to cyber attacks launched by cyber criminals and other adversaries.
After spending time working on these issues in different environments, it became clear to me that the private sector is on the front lines of cyber warfare. A number of questions emerge from that reality, several of which I hope to probe here at Carnegie.
In particular, I plan to examine the scope of the legal authority that the U.S. government has to respond to cyber attacks executed by nonstate actors. There are obviously important, ongoing conversations about how to develop an effective cyber offensive policy, but one piece of the puzzle is identifying a coherent legal basis for that strategy, especially with regard to hackers unaffiliated with state institutions.
I also plan to study the state’s role in defending against cyber threats. Usually people think about cyberspace as a federal issue or, if anything, as a private vs. public sector concern. While that’s true, it is also true that states can, and already do, play a role in shaping cyber policy—often with respect to collecting information on data security incidents. I hope to highlight the state’s existing role in cyberspace and to think of new ways for states and localities to play a bigger role in cyber policy and to be an effective partner to the federal government.