University of Pittsburgh | 3900 Forbes Avenue, Pittsburgh, PA 15260 | dbthaw@gmail.com
Publications
Working Papers
Redefining Cybersecurity Policy: An Interdisciplinary Approach to System Failures (scholarly book project connecting several threads of empirical scientific research and scholarly analysis to illuminate why cybersecurity presents a complex problem, the necessity of interdisciplinary approaches, how flexible regulation can more effectively address such complex problems, and what cybersecurity might teach us about the future of managing complex problems in a globally-interconnected world) (example chapters listed below).
Cybersecurity Stovepiping (arguing that disconnects between policymakers and technical experts in lawmaking and rulemaking processes not only fail to produce positive benefits, but may actually undermine the very goals the policy set forth to achieve, using the myth of increased security through complex password requirements as a case study)
Chameleon Cyber Threat Intelligence Gathering System, Cyber Research Environment Network (CyREN) Laboratory, University of Pittsburgh School of Information Sciences (cybersecurity research project developing a method and system to collect current and prospective cyber threat intelligence data).
Honeynet Shortcomings: A Review of Historical Honeynet Approaches and Empirical Challenges (examining the history of honeynet technologies, evaluating the empirical shortcomings of those technologies, and categorizing these past deficiencies with the goal of identifying future improvements).
Using Camouflaged Cyber Simulations as a Model to Ensure Validity in Cybersecurity Experimentation (describing the Chameleon Project and formalizing a method and system for collecting real-time, recent, and empirically valid data regarding the nature, scope, and efficacy of methods for remote system compromise by overcoming validity, camouflage, and data capture shortcomings of honeypot implementations).
Efficient Defense Allocation: Empirical Examination of the Relative Efficacy of Perimeter Defense Technologies (empirical examination of the hypotheses that (1) remote information security compromises occur as a result of network "perimeter breaches"; and (2) network "perimeter" defense technologies are an efficient and effective method for preventing the most common types of remote information security compromises).
Managing Electoral Cyber Risk (developing a framework for understanding cyber threats to election systems and the legal and technological systems which can address those threats, and arguing that a “hacking” viewpoint of such threats misunderstands the nature of the problem and mitigating unlawful electoral interference must instead be understood and characterized in terms of a comprehensive, integrated legal and technological risk management framework).
Ancient Worries and Modern Fears: Different Roots and Common Effects of U.S. and EU Privacy Regulation (arguing that while challenging substantive differences exist between U.S. and EU privacy regimes, because of a shared underlying commitment to avoid the same type of harm – albeit from different actors – a common compliance framework is possible across the two regimes through the application of Management-Based Regulatory Delegation theory) (with Pierluigi Perri).
Disambiguating "Cyber" (arguing for an organized understanding of the often-conflated terms "privacy," "data protection," "cybersecurity," "cybercrime," "cyber warfare," and related terms through the axes of (1) normative versus objective evaluation; and (2) the distinctions among private, public, criminal, and international law).
Cybersecurity: An Interdisciplinary Approach (interdisciplinary instructional and reference text covering topics in cybersecurity, cybercrime, cyber conflict, and associated regulatory topics for lawyers, scientists, engineers, policymakers, and business leaders) (with Gus Hurwitz and Derek Bambauer).
Surveillance at the Source, 103 Ky. L. J. 405 (2015) (discussing the comparative lack of attention in privacy scholarship to mass surveillance by private parties as compared to that by Government entities, and arguing that in contemporary society, given that private mass surveillance is a predicate to Government surveillance, mass surveillance scholarship should specifically include the proverbial and literal "source" of the data).
Enlightened Regulatory Capture, 89 Wash. L. Rev. 329 (2014) (examining the history of the HIPAA Security Rule and arguing that its development reveals a unique, but potentially-replicable, circumstance under which public and private interests can be aligned under proper conditions to leverage regulatory capture to engage private expertise in service of public goals, using cybersecurity as an example).
The Efficacy of Cybersecurity Regulation, 30 Ga. St. U. L. Rev. 287 (2014) (presenting empirical evidence comparing the efficacy of directive regulation versus flexible regulation, and finding that flexible forms of regulation were substantially more effective at preventing certain types of data breaches than was directive regulation alone during the first decade such laws were in effect; this evidence is cross-validated with interviews of Chief Information Security Officers (CISOs) discussing their "on-the-ground" impressions of the impact of these laws and regulations on their organizations' security practices).
Criminalizing Hacking, Not Dating: Reconstructing the CFAA Intent Requirement, 103 J. Crim. L. & Criminology 907 (2013) (arguing that interpretations of the Computer Fraud and Abuse Act (CFAA) broadly allowing Terms-of-Service to define authorized access are overinclusive, but that interpretations fully precluding such definitions are underinclusive, and suggesting that any resolution to this debate must accommodate some ability for system operators to define authorization through written language, because the deterministic nature of technological "locks" inevitably will prevent such locks from precluding all activity a system owner might lawfully wish to preclude and against which the criminal law is the only reasonable deterrent).