Strategic Communications and Marketing News Bureau

Striking a balance between Internet freedoms and cybersecurity

Jay P. Kesan

Jay P. Kesan, a professor of law at Illinois, is a leading national scholar in the areas of technology, law and business.

Kesan, who directs the Program in Intellectual Property and Technology Law, spoke with News Bureau business and law editor Phil Ciciora about what steps the government should take to improve the cybersecurity infrastructure in the U.S.

Is the U.S. taking cybersecurity as seriously as it needs to?

The government is taking cybersecurity seriously. The general public, however, has been more vocal about a perceived loss of Internet freedoms. In fact, Internet activism, like the Stop Online Piracy Act blackout and the recent postings and petitions against the Cyber Intelligence Sharing and Protection Act, may actually make effective cybersecurity regulation more difficult to pass.

Discussions of CISPA in a “Get away from my Internet” context miss the larger point. CISPA was written to prevent really vicious new cyberweapons from emerging – like Stuxnet, the worm that damaged nuclear centrifuges in Iran, interrupting its enrichment of uranium. If a Stuxnet-type worm were to be released in the U.S. and it infected critical infrastructure, depending on the targeted sector, you could be talking about sewage being released into the water supply; massive power outages; and interference with transportation systems, which could potentially lead to plane crashes or subway malfunctions.

The bottom line is that serious cybersecurity proposals should be narrowly tailored to protect us against a Stuxnet-like attack.

Does the government need to do more to deter cyberattacks?

There are two types of deterrence: deterrence by punishment and deterrence by denial.

When you are talking about deterrence by punishment, the first thing that comes to my mind is the Computer Fraud and Abuse Act, the main federal cybercrime statute. Efforts to increase the CFAA’s deterrent effect typically focus on deterrence by punishment. This could include increasing the sentences for cybercrimes, and making violations of the law into crimes that can trigger additional punishment under RICO (the Racketeer Influenced and Corrupt Organizations Act), which is a federal law concerned with imposing harsher punishments for organized crime.

But just increasing sentences and throwing people in jail for longer periods of time is not the answer. We already have a huge overcrowding problem in this country’s prisons, so relying on deterrence by punishment to curb domestic cyberattacks may cause more problems than it would solve.

Deterrence by punishment also becomes more questionable when you are talking about attacks from actors not within the U.S., because there are a lot of other countries that would not assist with investigations into attacks originating in those countries.

Given the international criminal law realities and the practical concerns about prison overpopulation, I think there should be more of a focus on deterrence by denial. In other words, deter by denying the attackers success from their attacks.

How do we deter by denial? You can do it through passive means, like firewalls, intrusion-detection systems and antivirus software, or you can do it through active means, where the system ejects the intruder.

Does the government need to do more to facilitate deterrence by denial? Yes. There should be an emphasis on education, and the government should do more to support the private sector in this.

Should there be a law that forces private companies to build up their cyber defenses, or merely a softer mandate that encourages them to meet certain minimum standards?

A set of security suggestions enhanced with government subsidization of cyber defenses would probably be a good start for private companies. If it is critical infrastructure, then a more detailed mandate may be appropriate because of the relationship between privately owned and operated infrastructure and national security concerns.

To create incentives for the private sector to bulk up their defenses, the government could subsidize passive defense methods, perhaps by allowing individuals and companies to take a tax deduction for amounts spent on computer security. But in the case of privately owned critical infrastructure, government support in this area could be very valuable, and the government should be more involved because of the importance to national security.

You’ve published research on mitigative counterstriking. Is that a viable option to counter a cyberattack?

Mitigative counterstriking is another piece of deterrence by denial. This would be where you see an intruder in your system, figure out where the intruder is coming from, and then do something to interrupt the intruder’s access to your system. Not to punish, and not in retaliation, but just to kick them out and minimize future harm to your system.

The problem is that these actions may be illegal under our current laws. Therefore, the government should assert a right to self-help in the cyberattack context. But because of the potential international and diplomatic issues, the government may need to closely regulate this aspect of self-help.
