Jeff Kosseff is an Assistant Professor of Cybersecurity Law at the United States Naval Academy. He is the author of Cybersecurity Law (Wiley), the first comprehensive textbook on U.S. cybersecurity laws and regulations, and in spring 2019 he published The Twenty-Six Words that Created the Internet (Cornell University Press), a nonfiction narrative history of Section 230 of the Communications Decency Act. He currently is writing a third book, also for Cornell University Press, tentatively titled United States of Anonymous Speech, about the history of the First Amendment right to anonymous speech in the United States, from the Federalist Papers to online postings.
His articles about cybersecurity and Internet law have appeared in Iowa Law Review, Wake Forest Law Review, IEEE Security & Privacy, Computer Law and Security Review, Columbia Science and Technology Law Review, and other publications. In October 2017, he testified about online sex trafficking and Section 230 before the House Judiciary Committee's Subcommittee on Crime, Terrorism, Homeland Security, and Investigations. In March 2017, he testified about Section 702 of the Foreign Intelligence Surveillance Act before the House Judiciary Committee.
Jeff has practiced cybersecurity and privacy law, and clerked for Judge Milan D. Smith, Jr. of the U.S. Court of Appeals for the Ninth Circuit and for Judge Leonie M. Brinkema of the U.S. District Court for the Eastern District of Virginia. He is a graduate of Georgetown University Law Center and the University of Michigan. Before becoming a lawyer, he was a journalist for The Oregonian and was a finalist for the Pulitzer Prize for national reporting.
Cybersecurity Law (Wiley, 2017): Textbook/treatise on global cybersecurity laws and regulations for U.S. companies. Second edition forthcoming December 2019
The Twenty-Six Words that Created the Internet (Cornell University Press, forthcoming Spring 2019): nonfiction narrative history of Section 230 of the Communications Decency Act
Selected Academic Publications
Hacking Cybersecurity Law, Illinois Law Review (forthcoming 2020): Unlike discrete legal fields such as patent and employment law, cybersecurity law spans a number of sections of the U.S. Code, as well as state and international laws. Because the contours of cybersecurity law are blurry, U.S. policymakers have not sufficiently determined how to most effectively align statutes and regulations with current cybersecurity threats. This Article builds on the author’s previous work to define the scope of cybersecurity law, and suggests seven guiding principles to radically reshape – or “hack” – the legal system to better address current and future cybersecurity threats. This Article draws on legal scholarship and other fields of law to derive high-level goals for policymakers as they seek to make cybersecurity law more effective, cohesive, and agile.
Hamiltonian Cybersecurity, Wake Forest Law Review (forthcoming 2019): Cyberattacks present existential challenges for U.S. national security and economic interests, yet Congress has failed to adopt a comprehensive regulatory framework to secure private-sector information and systems. To fill that gap, state legislatures have passed many laws that regulate data security, data breaches, and protection of personal data. The requirements of these laws vary significantly, are outdated, and sometimes conflict. This Article explains why this state-centric approach to cybersecurity is inadequate. First, the Article examines the Framers’ desire for a uniform approach to commercial regulations, and explains how the U.S. approach is scattered, outdated, and decentralized. A comprehensive federal cybersecurity statute would help to realize the Framers’ vision. Second, the Article asserts that, given this prudential argument, the state approach to cybersecurity and data protection regulations may be unconstitutional under the Dormant Commerce Clause, which prohibits state laws that unduly burden interstate commerce or impose inconsistent regulations.
Cybersecurity of the Person, First Amendment Law Review (2019): U.S. cybersecurity law is largely an outgrowth of the early-aughts concerns over identity theft and financial fraud. Cybersecurity laws focus on protecting identifiers such as driver’s licenses and social security numbers, and financial data such as credit card numbers. Federal and state laws require companies to protect this data and notify individuals when it is breached, and impose civil and criminal liability on hackers who steal or damage this data. In this paper, I argue that our current cybersecurity laws are too narrowly focused on financial harms. While such concerns remain valid, they are only one part of the cybersecurity challenge that our nation faces. Too often overlooked by the cybersecurity profession are the harms to individuals, such as revenge pornography and online harassment. Our legal system typically addresses these harms through retrospective criminal prosecution and civil litigation, both of which face significant limits. Accounting for such harms in our conception of cybersecurity will help to better align our laws with these threats and reduce the likelihood of the harms occurring.
Defining Cybersecurity Law, Iowa Law Review (2018): As data breaches, denial-of-service attacks, and other cybersecurity incidents lead to extraordinary economic and national security consequences, commentators increasingly look to the legal system for solutions. Unfortunately, U.S. laws do not have a unified and coherent vision for the regulation and promotion of cybersecurity. For that matter, the U.S. legal system lacks a consistent definition of the term “cybersecurity law.” This Article aims to fill that gap by defining cybersecurity law. Although many articles have addressed various aspects of cybersecurity, none have stepped back to define exactly what cybersecurity is and the goals of statutes and regulations that aim to promote cybersecurity. By defining the scope and goals of this new legal field, we can then examine how lawmakers could improve existing laws.
Developing Collaborative and Cohesive Cybersecurity Legal Principles, paper presented at the NATO Cooperative Cyber Defense Center of Excellence Conference on Cyber Conflict (Tallinn, Estonia) and published in the IEEE conference proceedings (June 2018): This Paper sets forth the need for nations to discuss common legal principles for promoting and regulating cybersecurity, similar to the privacy principles articulated in Organization for Economic Cooperation and Development’s Fair Information Practices in 1980. As a starting point for discussion, this Paper suggests four goals of common international principles for cybersecurity law: (1) modernization of cybersecurity laws; (2) uniformity of legal requirements; (3) coordination of cooperative incentives and coercive regulations; and (4) supply chain security. Although cybersecurity laws always will vary, international coordination could improve the efficacy of cybersecurity laws by providing some degree of consistency. A dialogue also could help policymakers learn from other nations’ cybersecurity successes and failures.
Private Computer Searches and the Fourth Amendment, I/S: A Journal of Law and Policy for the Information Society (forthcoming 2018): The Fourth Amendment generally restricts a search or seizure conducted by a government entity, such as the state police or Federal Bureau of Investigation. The Supreme Court has held that the Fourth Amendment applies to a search or seizure performed by a private party unless that private party is an “agent or instrument” of the government. The Supreme Court has not formulated a specific test to determine whether a private party is an agent or instrument, leaving it to lower courts to formulate their own analytic frameworks. The prevailing agency test in most circuits focuses on whether the private party intended to help law enforcement. In this Article, I argue that this subjective analytical framework is flawed because it is contrary to the principles that the Supreme Court has articulated in its opinions about Fourth Amendment agency, which focus on the actions of the government, and not the intent of the private party. Moreover, from a practical standpoint, the subjective agency-or-instrument test has been difficult to apply with certainty and consistency. To assess the practical difficulties of the current test, this Article reviews the criminal prosecutions of defendants in child pornography cases in which the evidence was initially discovered by online service providers or computer repair technicians. The Article proposes an alternative, objective agent-or-instrument test that looks to the government’s actions. Under the proposed test, the private party is deemed an agent or instrument only if the government substantially participated in the search or seizure.
New York’s Financial Cybersecurity Regulation: Tough, Fair, and a National Model, Georgetown Law Technology Review 1 Geo. L. Tech. Rev. 432 (2017): This Article explores the new cybersecurity requirements that New York’s financial regulators will impose on its regulated companies, and argues that the revised regulation is a model of a rigorous, fair, and technologically sound cybersecurity regulation. New York’s regulation could serve as a model for a uniform nationwide cybersecurity regulation that would provide certainty and clarity to companies while protecting the confidentiality, integrity, and availability of information and systems. Cybersecurity law in the United States currently is a patchwork of outdated privacy and computer crime laws; New York’s regulation, in contrast, is a model cybersecurity statute for the modern era.
The Gradual Erosion of the Law that Shaped the Internet, Columbia Science and Technology Law Review, 18 Colum. Sci. & Tech. L. Rev. 1 (2017): In this Article, I review all Section 230-related court opinions published between July 1, 2015 and June 30, 2016 to determine the extent of immunity. The review found that in approximately half of the cases, courts refused to fully grant Section 230 immunity. Most commonly, the courts conclude that the online service provider actually created and published the content. To be sure, 20 years after Congress enacted Section 230, Section 230 remains a strong shield for online service providers in many cases. However, as the amount of user-generated content has exponentially increased in recent years, courts have struggled with what was once viewed as bullet-proof immunity for online intermediaries, and are slowly enlarging the loopholes that allow plaintiffs’ lawsuits against intermediaries to survive.
Cyber-Physical Systems and National Security Concerns, chapter in Security and Privacy in Cyber-Physical Systems: Foundations and Applications (Wiley) (forthcoming 2017): A set of international legal rules, known as jus ad bellum (Latin for “right to war”), provide a framework for determining whether an attack against a nation-state was unlawful, and whether it is permissible for the target state to respond with self-defense. Over the past decade, legal scholars and government officials have struggled to determine how to apply jus ad bellum to attacks on computer systems. This Chapter extends that analysis to attacks on cyber-physical systems. I conclude that although cyber-physical systems present new national security challenges, the jus ad bellum analysis applies just as easily to cyber-physical attacks as it does to attacks on computer systems and purely physical targets.
In Defense of FAA Section 702: An Examination of Its Justification, Operational Employment, and Legal Underpinnings (co-author with Chris Inglis), Hoover Institution National Security, Technology, and Law Working Group paper (2016): This paper makes the case that the provisions of Section 702 of the FISA Amendments Act are both necessary and appropriate under the US Constitution's mandate that the government pursue all of its aims (e.g., security and privacy). Moreover, the paper provides compelling evidence to rebut widely circulated myths regarding the actual implementation of Section 702, most notably that NSA exceeded either the intent or the letter of its authorities. For this reason, we believe that Congress should reject calls to repeal or amend Section 702. The statute already provides a well-regulated system for intelligence agencies to collect the foreign intelligence from non-U.S. persons who are not located in the United States. The National Security Agency has stated that Section 702 is its single most significant tool for identifying terrorist threats. The program is overseen by all three branches of government and has an unprecedented system of checks and balances. In the past seven years, the program has been remarkably effective, both at protecting the privacy of U.S. persons and obtaining valuable intelligence from foreign sources. Accordingly, Congress should reauthorize this valuable foreign intelligence program.
The Hazards of Cyber-Vigilantism, Computer Law & Security Review, 32:4 Comp. L. & Sec. Rev. 642 (2016): In recent years, some aggressive actions against cyber-criminals and terrorists have come not only from state actors, but also from independent third parties such as Anonymous. These groups have claimed some significant victories in their battles against ISIS and similar organizations, by hacking their email, publicly exposing their secret communications, and knocking their websites offline. The hacker groups also combat other cyber criminals, including distributors of child pornography. Some of the groups' activities, however, violate the computer hacking laws of many nations. Some commentators have criticized these statutes, claiming that the laws unnecessarily prohibit private actors from serving the public good. I defend the broad prohibition of cyber-vigilantism, and argue that well-intentioned private actors can accomplish their goals by working with governments.
The Cybersecurity Privilege, I/S: A Journal of Law and Policy for the Information Society, 12:2 I/S: A Journal of Law & Policy 641 (2016): Cybersecurity work often relies on highly confidential information about a company’s network vulnerabilities, and therefore the disclosure of the work product or communications could be useful to plaintiff’s lawyers or regulators after a data security incident. To protect against this risk, companies attempt to cover their cybersecurity professionals’ communications and work product under an existing evidentiary privilege, such as the attorney-client privilege or work product doctrine. However, such privileges are an uneasy fit for some cybersecurity work, particularly prophylactic measures that are not directly tied to ongoing or potential litigation. In other words, current evidentiary law discourages companies from investing in the services necessary to prevent cyberattacks from occurring. In this Article, I propose the creation of a stand-alone privilege for cybersecurity work.
A New Legal Framework for Online Anonymity, IEEE Security & Privacy (Nov./Dec. 2015): In this article, I trace the right to anonymity’s history and rationale and how the US and other western nations developed legal rules to provide a limited right of online anonymity. In the past, courts have analyzed the right to anonymity as an extension of the right to free speech. Here, I argue that a California court’s new alternative approach, which instead focuses on the right to privacy, could provide a useful road map for other courts in the US and other western democracies that recognize the right to anonymity.
Private or Public? Eliminating the Gertz Defamation Test, University of Illinois Journal of Law, Technology, & Policy, 2011 U. Ill. J. L. Tech & Pol’y 249 (2011): This Article proposes that courts require a demonstration of actual malice for all defamation claims, eliminating the public/private dichotomy. A requirement of actual malice in all cases still provides sufficient safeguards for the plaintiff in the types of cases that defamation law has long been intended to address.
Note, The Elusive Value: Protecting Privacy During Class Action Discovery, Georgetown Law Journal, 97 Geo. L. J. 289 (2008): This Note proposes a set of guidelines for precertification and postcertification discovery. Courts should apply heightened scrutiny to any requests for identifying or personal information about absent class members, and they should apply that standard equally to discovery requests from plaintiffs and from defendants. In addition to heightened scrutiny, this Note recommends that if courts determine that personal or identifying information is necessary, they should consider technology, protective orders, and business arrangements that would minimize the invasion of absent class members’ privacy. This Note also recommends best practices for postcertification discovery of absent class members. Notices should inform class members about the nature of the information that may be provided to named plaintiffs. Adherence to a uniform set of best practices would ensure fairness for plaintiffs, defendants, and absent class members.
Presenter, Defining Cybersecurity Law, Johns Hopkins University, Applied Physics Laboratory (Aug. 16, 2017)
Panelist, Inside Job, Improving Cybersecurity with Better Cyber Hygiene (June 15, 2017)
Presenter (with MIDN 1/C Dennis Devey), Understanding the Cybersecurity Act of 2015, BSidesCharm conference (April 30, 2017)
Moderator, The Future of Cybersecurity Regulation, Joint Service Academy Cyber Security Summit (Mar. 24, 2017)
Panelist, Governance, Risk Management & Compliance, Boston Conference on Cyber Security (Mar. 8, 2017)
Co-presenter (with Mike Bilzor), Cyber Reconnaissance and Intrusion, at Developing a Normative Framework for Cyberwarfare conference (Oct. 17, 2016)
Presenter, The Value of Intermediary Immunity: The U.S. Experience, Oxford Internet Institute Internet, Policy, & Politics Conference (Sept. 23, 2016)
Presenter, Cyber Security and the Law conference, French-American Foundation and Interpol (Sept. 16, 2016)
Panelist, Cyber Sovereignty: Ethical and Legal Considerations, Cyber Endeavor 2016, Naval Postgraduate School (June 22, 2016)
Moderator, Making Privacy Rules for New Networks: The FCC’s Regulation of Broadband ISPs, International Association of Privacy Professionals Global Privacy Summit (April 6, 2016)
Presenter, Preserving the Privilege During Breach Response, RSA Conference (Mar. 3, 2016)
Presenter, Ten Reasons to Adopt the NIST Cybersecurity Framework, The Law & Policy of Cybersecurity Symposium, University of Maryland (Feb. 5, 2016)
Presenter, Positive Cybersecurity Law: Creating a Consistent and Incentive-Based System (symposium article), Chapman Law Review, Chapman University (Jan. 29, 2016)
Presenter, Protecting the Privilege During Breach Investigations, InfoGovCon, Hartford, CT (Sept. 30, 2015)
Presenter, The Attorney-Client Privilege for Cybersecurity Investigations, Cyber Security Technology and Training Forum (Aug. 19, 2015)
Prevent Data Breaches, Don't Just Report Them, TechCrunch (May 9, 2017)
A VHS-Era Privacy Law in the Digital Age, TechCrunch (May 24, 2016)
In the Apple Encryption Debate, Can We Just Have the Facts, Please? TechCrunch (Oct. 26, 2016)
Should Tech Companies be Subject to the Fourth Amendment? TechCrunch (Dec. 13, 2015)
Time for a Serious Talk About Encryption, The Hill (Nov. 23, 2015)
The Biggest Cybersecurity Risk is Not Identity Theft, TechCrunch (Nov. 13, 2015)
Congress Looks at Car Hacking, The Hill (Oct. 26, 2015)
Notified About a Data Breach? Too Late, Wall Street Journal (Oct. 9, 2015)
Can Decency Be Legislated? TechCrunch (Oct. 9, 2015)
Cybersecurity is Expensive – That’s Why We Should Offer Tax Incentives, Forbes (Sept. 23, 2015)
To Fix Cybersecurity Law, Ask More Questions, TechCrunch (Sept. 15, 2015)
Georgetown University Law Center
Juris Doctor, magna cum laude and Order of the Coif (2010)
Executive Articles Editor, Georgetown Law Journal
University of Michigan
Master of Public Policy, economic policy (2001)
Bachelor of Arts, economics (2000)
Courses Taught (United States Naval Academy)
SY406: Cyber Law & Ethics
SY403: Cyber Policy & Planning
SY485B: Politics of Cyberspace