Cybersecurity law has many silos. If a teenager’s private photo is hacked from Google Drive, lawyers think about anti-hacking statutes like the Computer Fraud and Abuse Act. If the U.S. government seeks access to the same photo from the same account, lawyers think about the Fourth Amendment and criminal procedure rules like the Electronic Communications Privacy Act. If the British government seeks access to that photo, lawyers think about mutual legal assistance treaties and the CLOUD Act. If the Russian government accesses that photo, lawyers think about national security law. If Google were to launch a new social network that automatically shares its users’ photos, lawyers would think about privacy policies and privacy statutes. Cybersecurity law is the intersection of all those silos; it is the law of who may control which computer.
As I argue in this article, cybersecurity is both a technical problem and a social problem. Network defense is the technical half of cybersecurity, but law is the social half. While regulating how computers behave is an important part of cybersecurity, regulating how humans and governments behave is just as important. Law is the foundation of cybersecurity because law defines the “security” in cybersecurity, who is entitled to that security, and how human beings and governments should behave to guarantee cybersecurity.