Notes on Contributors xiAcknowledgments xvIntroduction xvii1 Cybersecurity Information-Sharing Governance Structures: An Ecosystem of Diversity, Trust, and Trade-offs 1Elaine Sedenberg and Jim Dempsey1.1 Introduction 11.2 Taxonomy of Information-sharing Governance Structures and Policies 41.2.1 Government-centric Sharing Models 41.2.2 Government-Prompted, Industry-Centric Sharing Models 81.2.3 Corporate-initiated, Peer-based Groups 101.2.4 Small, Highly Vetted, Individual-based Groups 101.2.5 Open Communities and Platforms 111.2.6 Proprietary Products and Commercialized Services 121.3 Discussion and Conclusions 131.3.1 Trust and the Trade-offs 131.3.2 The Ecosystem and the Role of the Federal Government 14Acknowledgments 15Notes 152 Cybersecurity Governance in the GCC 19James Shires2.1 Introduction 192.2 Why the GCC? 202.3 Key Cybersecurity Incidents 212.4 Government Organizations 222.5 Strategies, Laws, and Standards 242.6 The Cybersecurity Industry 262.7 Conclusion 28Acknowledgments 29Notes 293 The United Kingdom's Emerging Internet of Things (IoT) Policy Landscape 37Leonie Maria Tanczer, Irina Brass, Miles Elsden, Madeline Carr, and Jason Blackstock3.1 Introduction 373.2 The IoT's Risks and Uncertainties 393.3 Adaptive Policymaking in the Context of IoT 413.4 The UK Policy Landscape 423.5 The IoT and its Governance Challenges 463.6 Conclusion 48Notes 494 Birds of a Feather: Strategies for Collective Cybersecurity in the Aviation Ecosystem 57Emilian Papadopoulos and Evan Sills4.1 Introduction: The Challenge of Ecosystem Risk 574.1.1 Aviation Is a National and Global Target 584.1.1.1 The Cyber Harm 594.1.1.2 Economic Harm 604.1.1.3 Political/Governmental Harm 604.1.1.4 Reputational Harm 604.1.1.5 Physical Harm 614.1.1.6 Psychological and Emotional Harm 614.1.2 Domestic and International Challenges of Aviation Governance 614.2 Progress So Far 634.2.1 The AIAA's Decision Paper, "The Connectivity Challenge: Protecting Critical Assets in a Networked World" (August 2013) 644.2.2 The Aviation Information Sharing and Analysis Center (A-ISAC) (September 2014) 664.2.3 The Civil Aviation Cybersecurity Action Plan (December 2014) 664.2.4 Connecting the Dots on Connectivity (2015) 674.2.5 Hackers Allege Aircraft Vulnerabilities (2015) 674.2.6 United Airlines Opens Bug Bounty Program (2015) 684.2.7 Aviation Security World Conference (2015) 684.2.8 Conferences and Organizations Mature (2015 and Beyond) 694.2.9 Industry Takes the Lead (2017) 704.3 Aviation's Tools for Cyber Risk Governance 704.4 The Path Forward 714.4.1 Collective Third-Party Risk Management 714.4.2 Secure Design 724.4.3 Information Sharing, "Plus" 734.4.4 International Norms and Standards 744.5 Conclusion 75Notes 755 An Incident-Based Conceptualization of Cybersecurity Governance 81Jacqueline Eggenschwiler5.1 Introduction 815.2 Conceptualizing Cybersecurity Governance 825.3 Case Studies 845.3.1 RUAG 845.3.1.1 Background 845.3.1.2 Events 855.3.1.3 Learnings 865.3.2 The Conficker Working Group 865.3.2.1 Background 865.3.2.2 Events 865.3.2.3 Learnings 885.3.3 Symantec's Cybersecurity Practices 895.3.3.1 Background 895.3.3.2 Events 895.3.3.3 Learnings 895.4 Utility and Limitations 905.5 Conclusion 92Notes 926 Cyber Governance and the Financial Services Sector: The Role of Public-Private Partnerships 97Valeria San Juan and Aaron Martin6.1 Introduction 976.2 Governance, Security, and Critical Infrastructure Protection 986.3 Financial Services Information Sharing and Analysis Center 1006.4 Financial Services Sector Coordinating Council 1046.5 Financial Systemic Analysis and Resilience Center 1086.6 Lessons for Cybersecurity Governance 1096.6.1 Lesson One: Affirmation of PPP Model, but Focus and Clarity Needed 1096.6.2 Lesson Two: Addressing Systemic Risk Requires more than Just Information Sharing 1106.6.3 Lesson Three: Limitations of PPPs in Regulated Industries 1116.7 Conclusion 111Acknowledgments 111Notes 1127 The Regulation of Botnets: How Does Cybersecurity Governance Theory Work When Everyone Is a Stakeholder? 117Samantha A. Adams, Karine e Silva, Bert-Jaap Koops, and Bart van der Sloot7.1 Introduction 1177.2 Cybersecurity 1197.3 Botnets 1217.3.1 Preventing New Infections 1227.3.2 Mitigating Existing Botnets 1227.3.3 Minimizing Criminal Profit 1237.4 Governance Theory 1247.5 Discussion: Governance Theory Applied to Botnet Mitigation 1277.6 Conclusion 132Acknowledgment 133Notes 1338 Governing Risk: The Emergence of Cyber Insurance 137Trey Herr8.1 Introduction 1378.2 Where Did Cyber Insurance Come From? 1398.2.1 Understanding Insurance 1408.2.2 Risk Pool 1408.2.3 Premiums 1408.2.4 Insurer 1418.2.5 Insurable Risk 1418.2.6 Comparisons to Terrorism 1428.3 Security Standards in the Governance Process 1438.3.1 Government-Developed Standards 1448.3.2 Private Sector Standards 1458.4 The Key Role of Risk 1468.5 Enforcing Standards: Insurance Becomes Governance 1478.5.1 Model of Modern Market Governance 1488.5.2 Cyber Insurance: Governing Risk Through Standard Setting and Enforcement 1498.6 Conclusion and Implications 151Notes 1539 Containing Conficker: A Public Health Approach 157Michael Thornton9.1 Introduction 1579.2 The Conficker Infection 1589.3 A Public Health Alternative 1629.3.1 Populations, Not Individuals 1629.3.2 Shared and Overlapping Problems 1639.3.3 Balancing Efficacy and Individual Rights 1669.4 A Public Health Approach to Conficker 1699.5 Conclusion 171Notes 17110 Bug Bounty Programs: Institutional Variation and the Different Meanings of Security 175Andreas Kuehn and Ryan Ellis10.1 Introduction: Conspicuously Absent 17510.2 Scope and Aims 17610.3 A Market for Flaws: Bug Bounty Programs 17710.3.1 Case I, Microsoft: Rethinking the Market for Flaws 17810.3.2 Case II, Google: Matching the Wisdom of Crowds and the Wisdom of Experts 18010.3.3 Case III, Facebook: Transaction Costs and Reputational Benefits 18310.4 Conclusion 185Notes 18811 Rethinking Data, Geography, and Jurisdiction: A Common Framework for Harmonizing Global Data Flow Controls 195Jonah Force Hill and Matthew Noyes11.1 Introduction 19511.2 The Challenge of Extraterritorial Data 19711.2.1 The Challenge to Law Enforcement 19711.2.2 Alternative Approaches to MLATs 20111.2.3 The Challenge to Regulators 20311.2.3.1 Content and Speech 20311.2.3.2 Privacy and Data Protection 20511.3 The Threat of Data Localization 20611.4 A New Approach to Data Flow Controls 20711.4.1 Control Points Analysis 20811.4.2 A Common Framework for Data Flow Controls 20911.5 Recommendations 21211.5.1 Recommendation One: Establish a Common Framework for Data Flow Controls Through the Development of International Standards, Norms, and Principles 21211.5.2 Recommendation Two: Formalize Agreed-upon Standards, Norms, and Principles Through the Adoption of Voluntary and Treaty-Based International Agreements 21411.5.3 Recommendation Three: Reform Domestic Law and Policy Frameworks Consistent with Agreed-upon Standards, Norms, and Principles 21511.5.4 Recommendation Four: Focus First on Specific Policy Matters of Broad International Consensus, Then Move on to the more Contentious Issues 21611.6 Additional Challenges 21711.7 Conclusion 218Acknowledgments 218Notes 21912 Private Ordering Shaping Cybersecurity Policy: The Case of Bug Bounties 231Amit Elazari Bar On12.1 Introduction 23112.2 Are Bug Bounties Operating as a "Private" Safe Harbor? Key Findings of the Legal Terms Survey 23412.2.1 The Bug Bounty Economy Anti-Hacking Legal Landscape 23412.2.1.1 The CFAA 23412.2.1.2 The DMCA 23512.2.1.3 The Department of Justice Framework for a Vulnerability Disclosure Program for Online Systems 23512.2.2 Bug Bounty Legal Terms: General Structure 23612.2.3 The Bug Bounty Catch 22 23812.2.4 Safe Harbor Language Matters 24012.3 Policy Recommendations: Toward a Private Safe Harbor 24212.3.1 Increase of Terms Salience 24212.3.2 Clear Safe Harbor Language 24312.3.3 Standardization of Bug Bounty Legal Terms Across Platforms, Industries, and Sponsors 24412.3.4 Improved Disclosures and Educational Efforts 24512.3.5 Individual Hackers as Collective Bargainers 24612.4 Conclusion 246Acknowledgments 247Notes 247Bibliography 265Index 315

RYAN ELLIS is an Assistant Professor of Communication Studies at Northeastern University. His research and teaching focuses on topics related to communication law and policy, infrastructure politics, and cybersecurity.VIVEK MOHAN is an attorney in private practice based in Northern California. Before entering private practice, he was associated with the Privacy, Data Security, and Information Law group at Sidley Austin LLP and the Cybersecurity Project at Harvard University.