Cybersecurity Ethics — Week 2 · Module 04
Cyberspace Governance & Regulation
A network with no border. Laws with borders that pretend the network has them. Security professionals working at the seam.
13 slides · ~13 minutes · Spinello Ch. 2 (governance lens)
Slide 2 of 13 · Structural problem
Why Cyberspace Governance Is Hard
The result: governance must reconcile a borderless technical substrate with a system of laws built around territory. Most cases in this module are versions of that single problem.
Slide 3 of 13 · The first model
ICANN and the Multistakeholder Model
The 2016 IANA transition: US government formally relinquished its residual oversight role over ICANN's IANA functions, transferring stewardship to the global multistakeholder community. A live experiment in non-state global governance.
Slide 4 of 13 · The political map
Three Competing Governance Visions
Slide 5 of 13 · Extraterritorial reach
The Brussels Effect — GDPR Goes Global
Coined by legal scholar Anu Bradford. When a single market's regulation becomes a de facto global standard.
Slide 6 of 13 · The opposite vector
Data Localization and the Splinternet
Jurisdiction · Approach · Implication

Russia (Federal Law 242-FZ, 2014/2015)
Approach: Personal data of Russian citizens stored on Russian-territory servers.
Implication: Multinational platforms run dedicated Russia data centers or face access blocks.

China (Cybersecurity Law 2017, DSL 2021, PIPL 2021)
Approach: "Critical info infra" data localized; cross-border transfer requires security assessment.
Implication: Architectural separation of China operations is the norm for major cloud providers.

India (DPDP Act 2023)
Approach: Sectoral framework; categories of data may be required to remain in India.
Implication: Significant uncertainty for cross-border processing arrangements.
The "splinternet" thesis (term variously attributed to Scott Bradner and popularized by Doc Searls in tech-policy circles): data localization, content blocking, and protocol divergence may be fragmenting the global internet. Thesis is contested; the policy trend toward national digital sovereignty is not.
Slide 7 of 13 · The other direction
The CLOUD Act (2018)
Clarifying Lawful Overseas Use of Data. The US's response to the cross-border data access problem.
What it does
Authorizes US law enforcement to compel US-based service providers to produce data they control, regardless of where the data is physically stored. Also creates a framework for executive agreements with allied countries to enable reciprocal cross-border requests.
Why it exists
Resolved the live legal question in Microsoft v. United States (the "Microsoft Ireland" case) about whether a US warrant could reach data on a server in Dublin. The Supreme Court vacated the case as moot after the CLOUD Act passed.
The collision: the CLOUD Act and EU data-protection law both claim authority over the same data, in different directions. A US-headquartered cloud provider with EU customers is simultaneously subject to both regimes.
Slide 8 of 13 · Cyber tools as munitions
Export Controls on Cybersecurity Tools
Wassenaar Arrangement
42 participating states. Multilateral export-control regime. The 2013 plenary added "intrusion software" to the dual-use control list. National implementations have varied; security researchers argued the original wording would chill defensive research, and several jurisdictions revised.
US ITAR / EAR
International Traffic in Arms Regulations and Export Administration Regulations. Some cybersecurity tools, encryption beyond certain thresholds, and intrusion-related capabilities require US export licenses.
A security researcher publishes a proof-of-concept exploit. If it can be downloaded outside the US, has the researcher made an export? Different lawyers in the same firm answer differently.
Slide 9 of 13 · Where you work
The Security Professional Inside the Regulated Firm
Sectoral regulation
HIPAA (health), GLBA (finance), FERPA (education), NERC CIP (electric utility) — all federal statute. PCI DSS (payments) is contractual, enforced by card brands, not statute. Different enforcement, similar operational obligations.
Sanctions screening
OFAC and equivalent regimes. Security teams routinely vet IP ranges, vendor relationships, and customers against sanctions lists. Mistakes carry corporate and personal exposure.
Breach notification
Patchwork: GDPR (72 hours), state laws in all 50 states + DC, federal sectoral laws. Discovery starts a clock. The clock starts before you know what you have.
Slide 10 of 13 · Reference case timeline
Microsoft v. United States — "Microsoft Ireland"
Slide 11 of 13 · CSF anchor
This Module Anchors ID.BE
ID.BE-1 — Supply chain role (paraphrased)
CSF: org's role in the supply chain is identified and communicated. This module's gloss: includes which jurisdictions reach you through that chain.
ID.BE-2 — Critical infrastructure (paraphrased)
CSF: org's place in critical infrastructure and industry sector is identified and communicated. This module's gloss: determines national-framework obligations.
ID.BE-3 — Mission & activities (paraphrased)
CSF: priorities for mission, objectives, and activities established and communicated. This module's gloss: "in which jurisdictions, under which legal regimes" is the cybersecurity-ethics extension.
Slide 12 of 13 · The throughline
Global Network vs. National Law
The professional position: the security pro sits at the only point in the org where these two realities are simultaneously present in operational decisions. Code does what the network allows. Law does what the territory permits.
Slide 13 of 13
Module 04 Takeaways
1. Cyberspace governance is hard — no central authority, transboundary, architecturally irreversible.
2. Three competing visions — multistakeholder (ICANN/IGF/IETF), state-led (ITU/UN), market-led (large platforms).
3. Brussels Effect: GDPR (adopted 2016, enforced 2018) became the global floor.
4. Data localization (Russia, China, India) pushes the other way — toward fragmentation.
5. CLOUD Act / Microsoft Ireland: the courts couldn't resolve it; Congress did. Continuous collision with EU data-protection law.
6. Export controls (Wassenaar 42-state, ITAR/EAR) treat some cybersecurity capabilities as munitions.
Next up: CSE-05 — Free Speech in Cyberspace. Section 230, content moderation, foreign election interference.