Resilience for a Digital Age

See, e.g., Thomas P. Keenan, Technocreep: The Surrender of Privacy and the Capitalization of Intimacy 1–18 (2014); Jack M. Balkin, Digital Speech and Democratic Culture: A Theory of Freedom of Expression for the Information Society, 79 N.Y.U. L. Rev. 1 (2004) (exploring the significance of digital technologies on affordances for free speech); Matt Burgess, The Dangerous Rise of GPS Attacks, Wired (Apr. 30, 2024), https://www.wired.com/story/the-dangerous-rise-of-gps-attacks/[https://perma.cc/6BNH-QCNB](detailing the effects of GPS jamming and spoofing on aviation and shipping); Water and Wastewater Cybersecurity, Cybersecurity & Infrastructure Sec. Agency, https://www.cisa.gov/water[https://perma.cc/WM3F-N64H](“The Water and Wastewater Sector depends on the digital world . . . .”); White House, U.S. National Cyber Strategy 2 (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf [https://perma.cc/8FHY-H99H](“[F]actories, power grids, and water treatment facilities, among other essential infrastructure, are increasingly shedding old analog control systems and rapidly bringing online digital operational technology . . . .”).Hide

See generally Siva Vaidhyanathan, The Googlization of Everything (And Why We Should Worry) (2012). This has been true for all transformative technologies. See Langdon Winner, The Whale and the Reactor (1986) (exploring the role of technologies in transforming social and political affordances and altering political and moral meaning).Hide

See, e.g., Nicholas Carr, The Glass Cage: Automation and Us (2014); Linda J. Skitka et al., Automation Bias and Errors: Are Crews Better Than Individuals?, 10 Int’l J. Aviation Psych. 85, 86 (2000) (explaining that over-reliance on automated aviation systems could corrode pilots’ failsafe skills); Daniel Herman, The End of High-School English, Atlantic (Dec. 9, 2022), https://www.theatlantic.com/technology/archive/2022/12/openai-chatgpt-writing-high-school-english-essay/672412/[https://perma.cc/XY7H-4F8K](warning that widespread adoption of ChatGPT could undermine writing skills).Hide

See Dan Bilefsky, Britain Says North Korea Was Behind Cyberattack on Health Service, N.Y. Times (Oct. 27, 2017), https://www.nytimes.com/2017/10/27/world/europe/uk-ransomware-hack-north-korea.html[https://perma.cc/J6KG-NZSS](discussing North Korea’s WannaCry ransomware operation that affected Britain’s National Health Service); Andy Greenberg, Sandworm Hackers Caused Another Blackout in Ukraine—During a Missile Strike, Wired (Nov. 9, 2023), https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/ [https://perma.cc/36SG-H7ZU] (discussing Russian government hackers’ history of causing electricity blackouts in Ukraine); Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired (Aug. 22, 2018), https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/[https://perma.cc/LK6F-FLA8](discussing the effect of Russia’s NotPetya cyber operation on the Maersk shipping company).Hide

David E. Sanger, What Happened to Digital Resilience?, N.Y. Times (July 19, 2024), https://www.nytimes.com/2024/07/19/us/politics/crowdstrike-outage.html[https://perma.cc/K3QD-CSFT](describing the aftermath of a flawed update to Crowdstrike software).Hide

See, e.g., Combating Foreign Influence, FBI, https://www.fbi.gov/investigate/counterintelligence/foreign-influence[https://perma.cc/Z6F8-UWHX](explaining that the FBI investigates foreign influence operations that “spread disinformation, sow discord, and, ultimately, undermine confidence in democratic institutions and values,” often by “us[ing] false personas and fabricated stories on social media to discredit U.S. individuals and institutions”).Hide

David E. Sanger & Steven Lee Myers, China Sows Disinformation About Hawaii Fires Using New Techniques, N.Y. Times (Sept. 11, 2023), https://www.nytimes.com/2023/09/11/us/politics/china-disinformation-ai.html [https://perma.cc/QXL7-DENN].Hide

Id.Hide

Id.Hide

Press Release, U.S. Dep’t of Justice, Justice Department Disrupts Covert Russian Government-Sponsored Foreign Malign Influence Operation Targeting Audiences in the United States and Elsewhere (Sept. 4, 2024), https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence[https://perma.cc/WMB6-KCLJ](quoting Deputy Attorney General Lisa Monaco).Hide

See infra Section II.A.Hide

Cyber Resiliency, Nat’l Inst. Standards & Tech., Comput. Sec. Res. Ctr., https://csrc.nist.gov/glossary/term/cyber_resiliency[https://perma.cc/CB9Y-7JVR].Hide

Edda Humprecht et al., The Sharing of Disinformation in Cross-National Comparison: Analyzing Patterns of Resilience, 26 Info., Commc’n & Soc’y 1342, 1344–45 (2023).Hide

See, e.g., Kristen E. Eichensehr & Cathy Hwang, Essay, National Security Creep in Corporate Transactions, 123 Colum. L. Rev. 549, 556–60 (2023) (discussing how the concept of national security has expanded in recent years).Hide

Off. of the Dir. of Nat’l Intell., Annual Threat Assessment of the U.S. Intelligence Community (Feb. 5, 2024).Hide

Id. at 7–23, 38–39.Hide

Id. at 30–31, 33–34 (capitalization omitted).Hide

Disinformation campaigns can be so successful that people reject “the knowability of information altogether.” Stephan Lewandowsky & Sander van der Linden, Countering Misinformation and Fake News Through Inoculation and Prebunking, 32 Euro. Rev. Soc. Psych. 348, 353 (2021); see also Bobby Chesney & Danielle Citron, Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security, 107 Calif. L. Rev. 1753, 1778–79 (2019) (exploring how well-timed deep fake video or audio of political candidates on the eve of an election could change election outcomes). Robert Chesney and one of us (Citron) have described the weaponization of decrying actual truths as the “Liar’s Dividend.” Chesney & Citron, supra, at 1785.Hide

See, e.g., Dustin Volz, More SolarWinds Hack Victims Yet to be Publicly Identified, Tech Executives Say, Wall St. J. (Feb. 23, 2021, 7:50 PM), https://www.wsj.com/articles/senate-panel-probes-solarwinds-hack-to-learn-how-big-how-broad-hit-was-11614086918 [https://perma.cc/U33R-YUX7] (discussing the broad scope of the hacking enabled by the compromise of SolarWinds).Hide

Ellen Nakashima, Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say, Wash. Post (July 9, 2015, 8:33 PM), https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/[https://perma.cc/DG5M-GTBM].Hide

Brian Barrett, How 4 Chinese Hackers Allegedly Took Down Equifax, Wired (Feb. 10, 2020, 12:52 PM), https://www.wired.com/story/equifax-hack-china/ [https://perma.cc/S9KY-VSSG].Hide

See, e.g., Rebecca Carballo, Ransomware Attack Disrupts Health Care Services in at Least Three States, N.Y. Times (Aug. 5, 2023), https://www.nytimes.com/2023/08/05/us/cyberattack-hospitals-california.html[https://perma.cc/AK84-LVHC].Hide

See, e.g., Michael D. Shear et al., Colonial Pipeline Paid Roughly $5 Million in Ransom to Hackers, N.Y. Times (June 7, 2021), https://www.nytimes.com/2021/05/13/us/politics/biden-colonial-pipeline-ransomware.html [https://perma.cc/HW6J-TDG3].Hide

See, e.g., Marek N. Posard et al., From Consensus to Conflict: Understanding Foreign Measures Targeting U.S. Elections, Rand Corp. Research Report (2020), https://www.rand.org/pubs/research_reports/RRA704-1.html[https://perma.cc/ETM2-7Y3T];U.S. Dep’t of Justice, Report on the Investigation into Russian Interference in the 2016 Presidential Election 14–35, https://www.documentcloud.org/documents/5955118-The-Mueller-Report[https://perma.cc/83K8-UNFP](detailing “Russian ‘Active Measures’ Social Media Campaign” conducted primarily by the Internet Research Agency).Hide

Off. of the Dir. of Nat’l Intel., supra note 15, at 31 (emphasis omitted).Hide

Id. (“Foreign states are advancing digital and physical means to repress individual critics and diaspora communities abroad, including in the United States . . . .”); see also Sarah Sobieraj, Credible Threat: Attacks Against Women Online and the Future of Democracy (2020).Hide

Danielle Keats Citron, Hate Crimes in Cyberspace 13–15 (2014); Danielle Keats Citron, Cyber Civil Rights, 89 B.U. L. Rev. 61, 85 (2009).Hide

Nina Jankowicz et al., Malign Creativity: How Gender, Sex, and Lies Are Weaponized Against Women Online, Wilson Center (Jan. 2021) (studying online abuse involving gendered and sexualized disinformation targeting ten U.S. female politicians).Hide

Michelle Ferrier, Attacks and Harassment: The Impact on Female Journalists and Their Reporting (Sept. 2018), https://www.iwmf.org/wp-content/uploads/2018/09/Attacks-and-Harassment.pdf[https://perma.cc/R27Q-CQCX];Anti-Defamation League’s Task Force on Harassment and Journalism, Anti-Semitic Targeting of Journalists During the 2016 Presidential Campaign (Oct. 19, 2016), https://www.adl.org/sites/default/files/documents/assets/pdf/press-center/CR_4862_Journalism-Task-Force_v2.pdf [https://perma.cc/F5GP-DXDH].Hide

Lauren Gambino, Journalist Who Profiled Melania Trump Hit with Barrage of Antisemitic Abuse, Guardian (Apr. 28, 2016, 9:57 PM), https://www.theguardian.com/us-news/2016/apr/28/julia-ioffe-journalist-melania-trump-antisemitic-abuse [https://perma.cc/QSA7-22AD].Hide

Jankowicz et al., supra note 28, at 34.Hide

Id. at 34–37.Hide

Id.Hide

Id. at 41.Hide

Jessikka Aro, Putin’s Trolls: On the Frontlines of Russia’s Information War Against the World 9–21, 81, 185–89 (2022) (explaining the pro-Kremlin cyber campaign against her that included, among other tactics, a phone call with the sound of gun fire, online smears accusing her of being “a NATO lobbyist,” and Facebook comments fantasizing about raping her).Hide

Id. at 195–98.Hide

Id. at 195–96.Hide

Id. at 197–98.Hide

Rana Ayyub, Opinion, In India, Journalists Face Slut-Shaming and Rape Threats, N.Y. Times (May 22, 2018), https://www.nytimes.com/2018/05/22/opinion/india-journalists-slut-shaming-rape.html[https://perma.cc/G644-U7HK].Hide

See id.; Rana Ayyub: Misinformation Threatens to be the New ‘True Information’, Nobel Peace Prize Blog (May 2023), https://www.nobelprize.org/rana-ayyub-misinformation-threatens-to-be-the-new-true-information/[https://perma.cc/KUD6-WRVC];Danielle Keats Citron, The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age 56 (2022) (discussing interviews with Ayyub about her experience facing online abuse spearheaded by the Modi regime to stop her from writing).Hide

Jen Easterly & Victor Zhora, The Power of Resilience: What America Can Learn from Our Partners in Ukraine, Cybersecurity & Infrastructure Sec. Agency (Aug. 9, 2023), https://www.cisa.gov/news-events/news/power-resilience[https://perma.cc/YF4Z-XWPH].Hide

Id.Hide

U.S. Fed. Trade Comm’n, Remarks by Chair Lina M. Khan as Prepared for Delivery, Carnegie Endowment for Int’l Peace 2–3 (Mar. 13, 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/2024.03.13-chair-khan-remarks-at-the-carnegie-endowment-for-intl-peace.pdf [https://perma.cc/P4M5-KZZ4].Hide

White House, supra note 1; see also White House, Fact Sheet; Biden-Harris Administration Announces New National Security Memorandum on Critical Infrastructure (Apr. 30, 2024), https://www.whitehouse.gov/briefing-room/statements-releases/2024/04/30/fact-sheet-biden-harris-administration-announces-new-national-security-memorandum-on-critical-infrastructure/[https://perma.cc/9V7Z-ENSW](“Resilience, particularly for our most sensitive assets and systems, is the cornerstone of homeland defense and security.”); President’s Council of Advisors on Sci. and Tech., Report to the President: Strategy for Cyber-Physical Resilience: Fortifying our Critical Infrastructure for a Digital World (2024), https://www.whitehouse.gov/wp-content/uploads/2024/02/PCAST_Cyber-Physical-Resilience-Report_Feb2024.pdf[https://perma.cc/MTG3-U2HY][hereinafter PCAST Report] (offering concrete recommendations for improving the resilience of cyber-physical systems).Hide

To be sure, we are not the first to discuss resilience and technological challenges. See, e.g., Derek E. Bambauer, Ghost in the Network, 162 U. Pa. L. Rev. 1011 (2014) (drawing on “normal accident theory” to argue for focusing on mitigating the effects of cyberoperations and identifying disaggregation of data and heterogeneity of software and hardware as resilience strategies that governments should employ in key industries); Gary E. Marchant & Yvonne A. Stevens, Resilience: A New Tool in the Risk Governance Toolbox for Emerging Technologies, 51 U.C. Davis L. Rev. 233 (2017) (discussing the role of resilience in governing emerging technologies, particularly consumer products). We add to the existing literature, however, a broader frame. We consider resilience as not just a technological issue, but rather a societal one. We draw insight from scholarly discussions related to specific contexts and concerns and then widen the aperture to a whole of national security approach. See infra notes 53–58 and accompanying text discussing insights from specific fields like systems design, safety engineering, and human rights.Hide

Anthea Roberts, From Risk to Resilience: How Economies Can Thrive in a World of Threats, 102 Foreign Affairs 123, 127 (2023); see also The National Academies, Disaster Resilience: A National Imperative 1 (2012), https://nap.nationalacademies.org/read/13457/chapter/2[https://perma.cc/W8B9-3K9Z](“[R]esilience is the ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events” (emphasis omitted)); Timothy Malloy, Re-Imagining Risk: The Role of Resilience and Prevention, 22 Nev. L.J. 145, 177–78 (2021) (collecting “leading definitions” of “resilience” from a variety of contexts).Hide

White House, PPD-21, Critical Infrastructure Security and Resilience (Feb. 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil [https://perma.cc/5Q4G-32FT].Hide

White House, NSM-22, National Security Memorandum on Critical Infrastructure Security and Resilience (Apr. 30, 2024), https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/[https://perma.cc/64DX-TGRZ].The Memorandum defines “all threats, all hazards” broadly to include “a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of Government, social, or economic activities,” including but “not limited to: natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, supply chain disruptions to degrade critical infrastructure, and disruptive or destructive activity targeting critical infrastructure.” Id.Hide

Marchant & Stevens, supra note 45, at 247.Hide

Id. at 248.Hide

Cyber Resilience, Pac. Nw. Nat’l Lab’y, https://www.pnnl.gov/explainer-articles/cyber-resilience[https://perma.cc/WSL5-NUAT].Hide

What Is Cyber Resilience?, IBM, https://www.ibm.com/topics/cyber-resilience[https://perma.cc/V7SC-79WT].Hide

David G. Hendry & Batya Friedman, Resilience Grammar: A Value Sensitive Design Method for Resilience Thinking 4, 6 (2023) (emphasis added), https://digitalcommons.law.uw.edu/techlab/21/[https://perma.cc/9WEW-RJ45].Hide

Sam Gregory, Fortify the Truth: How to Defend Human Rights in an Age of Deepfakes and Generative AI, 15 J. Hum. Rts. Prac. 702, 703 (2023).Hide

Id. (emphasis in original); see also Humprecht, supra note 13, at 1344 (defining resilience as disregarding and ignoring disinformation).Hide

Zoom Interview with Nina Jankowicz, Co-Founder and CEO, American Sunlight Project (Dec. 13, 2023) (notes on file with authors). See generally Nina Jankowicz, How to Lose the Information War: Russia, Fake News, and the Future of Conflict (2020); Nina Jankowicz, How to Be a Woman Online: Surviving Abuse and Harassment and How to Fight Back (2022).Hide

See generally Daniel J. Solove, Privacy Self-Management and the Consent Dilemma, 126 Harv. L. Rev. 1880 (2013).Hide

Erik Mygind du Plessis & Bjarne Vandeskog, Other Stories of Resilient Safety Management in the Norwegian Offshore Sector: Resilience Engineering, Bullshit and the De-Politicization of Danger, 36 Scandinavian J. Mngmt. 1, 9 (2020) (emphasis added).Hide

Microsoft, Defending Ukraine: Early Lessons from the Cyber War 5 (June 22, 2022), https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK [https://perma.cc/5TFS-HW5A].Hide

Id. (describing the effort as one to “‘evacuate’ critical government data outside the country and into data centers across Europe”); see also Safeguarding Ukraine’s Data to Preserve Its Present and Build Its Future, Amazon (Apr. 14, 2023), https://www.aboutamazon.com/news/aws/safeguarding-ukraines-data-to-preserve-its-present-and-build-its-future [https://perma.cc/9HCU-VPD8](describing Amazon’s role in migrating Ukrainian government and private sector data to the cloud).Hide

Catherine Stupp, Ukraine Has Begun Moving Sensitive Data Outside Its Borders, Wall St. J. (June 14, 2022, 5:30 AM), https://www.wsj.com/articles/ukraine-has-begun-moving-sensitive-data-outside-its-borders-11655199002[https://perma.cc/LS5N-PS7D].Hide

Id.Hide

Cf. Microsoft, supra note 59, at 5 (explaining that “[o]ne reason” Russian “kinetic and cyberattacks [against Ukraine] have had limited operational impact is because digital operations and data have been disbursed into the public cloud”).Hide

Cf. Joseph S. Nye, Jr., Deterrence in Cyberspace, Project Syndicate (June 3, 2019), https://www.project-syndicate.org/commentary/deterrence-in-cyberspace-persistent-engagement-by-joseph-s-nye-2019-06[https://perma.cc/WB2M-P5EH](“[W]hile attribution is crucial for punishment, it is not important for deterrence by denial or entanglement.”).Hide

See Claire Atkin, Are Your Ads Funding Disinformation?, Harv. Bus. Rev. (Aug. 21, 2023), https://hbr.org/2023/08/are-your-ads-funding-disinformation [https://perma.cc/YDL5-64B3](describing how brands are contributing to the disinformation economy and how personal data “enables propagandists to develop detailed user profiles that help them target people who are susceptible to lies and bigotry”).Hide

Cf. Robert Chesney et al., All’s Clear for Deepfakes: Think Again, Lawfare (May 11, 2020, 4:19 PM), https://www.lawfaremedia.org/article/alls-clear-deepfakes-think-again

[https://perma.cc/46JM-4EB3] (noting in the context of discussing deep fakes that although “major platforms like Facebook and Twitter have banned some manner of digital forgeries[,] . . . [f]akes . . . have to be judged fraudulent in a particular way that contravenes the policy”).

See, e.g., Alexander L. George & Richard Smoke, Deterrence in American Foreign Policy: Theory and Practice 11 (1974) (“In its most general form, deterrence is simply the persuasion of one’s opponent that the costs and/or risks of a given course of action he might take outweigh its benefits.”).Hide

See generally Robert Jervis, Deterrence Theory Revisited, 31 World Politics 289, 291–92 (1979) (describing work on deterrence that “uses the game of Chicken as an analogy in situations in which the first choice of both sides is to stand firm, but in which both prefer retreating and letting the other side win to a mutually disastrous confrontation” and noting “the paradoxical nature of deterrence in which each side hopes to gain security, not by being able to protect itself, but by threatening to inflict unacceptable damage on the other”).Hide

See, e.g., Thomas C. Schelling, The Strategy of Conflict 9 (1960) (“Deterrence . . . is concerned with persuading a potential enemy that he should in his own interest avoid certain courses of activity.”).Hide

Jack M. Balkin, To Reform Social Media, Reform Informational Capitalism, in Social Media, Freedom of Speech and the Future of our Democracy 101, 102 (Lee Bollinger & Geoffrey R. Stone, eds. 2022); Citron, Hate Crimes in Cyberspace, supra note 27, at 190–221.Hide

Cf. Danielle Keats Citron & Neil M. Richards, Four Principles for Digital Expression (You Won’t Believe #3!), 95 Wash. U. L. Rev. 1353, 1357 (2018).Hide

Id. at 1385.Hide

Checking back on priorities, goals, and values can be legally required via expiration dates. We see this, for example in the sunset provision of Section 702 of the Foreign Intelligence Surveillance Act. See Caroline Lynch, The Virtue of Sunsets?, Lawfare (Feb. 28, 2017, 9:00 AM), https://www.lawfaremedia.org/article/virtue-sunsets [https://perma.cc/JE56-7K7W];see also Ashley Deeks & Kristen E. Eichensehr, Frictionless Government and Foreign Relations, 110 Va. L. Rev. (forthcoming 2024) (manuscript at 47), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4727989[https://perma.cc/ASP4-J5SR](discussing sunset clauses as a type of “policy off-ramp” that prompts debate). The exact cadence of periodic re-evaluations will depend on the actors involved and the particular issues.Hide

Of this, we do not dismiss the difficulty involved. Long-standing efforts to pass a federal bill to criminalize nonconsensual disclosure of intimate images and Section 230 reform illustrate the point. See Citron, Fight for Privacy, supra note 40, at 140­­–44, 149­–55; Danielle Keats Citron, How to Fix Section 230, 103 B.U. L. Rev. 713 (2023).Hide

Frances Z. Brown, Governance for Resilience: How Can States Prepare for the Next Crisis?, Carnegie Endowment for Int’l Peace 4–5 (2022), https://carnegie-production-assets.s3.amazonaws.com/static/files/Brown_Governance_for_Resilience_final.pdf[https://perma.cc/2E5P-Q3JZ].Hide

Colorado and California are standouts in their efforts to adopt comprehensive data protection regimes. See Lothar Determann et al., Comparing the Colorado Privacy Act with the California Consumer Privacy Act, Connect on Tech (Oct. 21, 2022), https://www.connectontech.com/comparing-the-colorado-privacy-act-with-the-california-consumer-privacy-act/[https://perma.cc/3WQC-AM9M].The Colorado Privacy Act, for instance, stems the current presumption that all data can be collected, world without end, by requiring meaningful consent before collecting sensitive data, sharing personal data for profiling, and selling personal data. See Colorado Privacy Act (CPA), Off. of Colo. Attorney Gen. Phil Weiser, https://coag.gov/resources/colorado-privacy-act/[https://perma.cc/9NGA-D9A7].Hide

Danielle Keats Citron & Alison Gocke, Nancy Pelosi is Blocking Landmark Data Privacy Legislation—for a Good Reason, But There’s a Way to Fix It, Slate (Sept. 9, 2022, 5:50 AM), https://slate.com/technology/2022/09/nancy-pelosi-data-priavcy-law-adppa.html[https://perma.cc/76Y3-MMG6].Hide

See, e.g., Deterrence and Defence, NATO (Oct. 10, 2023), https://www.nato.int/cps/en/natohq/topics_133127.htm [https://perma.cc/G5VM-N4J4](“Resilience is . . . an important aspect of deterrence by denial: persuading an adversary not to attack by convincing it that an attack will not achieve its intended objectives.”); Eric Talbot Jensen, Cyber Deterrence, 26 Emory Int’l L. Rev. 773, 813–15 (2012) (discussing resilience as a type of deterrence via denying adversaries the benefit of an attack); Michael J. Mazarr, Understanding Deterrence, RAND Corp. 2 (2018), https://www.rand.org/content/dam/rand/pubs/perspectives/PE200/PE295/RAND_PE295.pdf[https://perma.cc/Q9LV-G3P2](“Deterrence by denial represents, in effect, simply the application of an intention and effort to defend some commitment.”).Hide

U.S. Cyberspace Solarium Comm’n Report 32–33 (2020), https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view [https://perma.cc/TA4J-HDCH].Hide

du Plessis & Vandeskog, supra note 58, at 8–9 (addressing the argument that resilience contributes to an “exclusion of the political” and noting that while the data is not sufficient to conclude that this is the case, it certainly suggests that the way the resilience term is used by industry actors has de-politicizing potential).Hide

See PCAST Report, supra note 44, at 12 (urging a “shift from a futile quest for absolute invulnerability to a more realistic strategy of resiliency in which we control the impacts of failures”).Hide

See, e.g., U.S. Cyberspace Solarium Comm’n, supra note 79, at 24–26 (proposing “layered cyber deterrence” as a model to combine different deterrent strategies).Hide

Easterly & Zhora, supra note 41.Hide

See, e.g., Nye, supra note 64 (distinguishing nuclear deterrence from cyber deterrence because “where nuclear weapons are concerned, the aim is total prevention,” whereas “[d]eterrence in cyberspace is more like crime: governments can only imperfectly prevent it”).Hide

See, e.g., Roberts, supra note 46, at 124; see also PCAST Report, supra note 44, at 20 (noting that while “[i]ncreased cyber-physical resilience is usually fully aligned with commercial goals[,] . . . there need to be checks and balances—laws or regulations—to create the incentives to build resiliency that may slip in the face of occasional short-term thinking”)Hide

See, e.g., John Hanna, Top Official Says Kansas Courts Need at Least $2.6 Million to Recover from Cyberattack, Assoc. Press (Jan. 16, 2024), https://apnews.com/article/kansas-courts-cyberattack-hack-computers-costs-c8cbea12c2b8d0589d9490e81772e660 [https://perma.cc/3CYK-2Z8H] (reporting that Russian ransomware group caused a weeks-long disruption to state courts); Sean Lyngaas & Alta Spells, Fulton County Faces Ransomware Attack by ‘Financially Motivated Actors,’ But County Elections Still on Track, CNN (Feb. 14, 2024), https://www.cnn.com/2024/02/14/tech/fulton-county-ransomware-attack-financially-motivated-actors/index.html [https://perma.cc/QTN7-S2BG] (reporting on disruptions from ransomware in the county that includes Atlanta); Matt Novak, Ransomware Attack on Dallas Disrupts 911, Court and Water Systems, Forbes (May 4, 2023, 7:42 PM), https://www.forbes.com/sites/mattnovak/2023/05/04/ransomware-attack-on-dallas-disrupts-911-court-and-water-systems/?sh=71cdbe1f29c6[https://perma.cc/MAF6-LZYX](reporting that a Russia-based ransomware group disrupted a variety of government services in Dallas).Hide

Cf. Marchant & Stevens, supra note 45, at 250 (noting that to date, “law has been slow to integrate resilience strategies”).Hide

The literature here is vast and cross cutting. For some highlights, see Stephanie Hare, Technology Is Not Neutral: A Short Guide to Technology Ethics (2022); Woodrow Hartzog, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (2018); Winner, supra note 2.Hide

Lawrence Lessig, Code: Version 2.0 110 (2006) (“The . . . change in the code is . . . crafted to reflect choices and values of the coders.”); Joel Reidenberg, Lex Informatica, The Formulation of Information Policy Rules Through Technology, 76 Tex. L. Rev. 553, 554 (1998).Hide

Paul Virilio, Politics of the Very Worst: An Interview with Philippe Petit 89 (1999).Hide

See Hartzog, supra note 88, at 7; see also Danielle Keats Citron, Technological Due Process, 85 Wash. U. L. Rev. 1249, 1252–53 (2008).Hide

See, e.g., infra notes 96–107 (discussing digital redundancies).Hide

These are our preliminary thoughts on resilience strategies. We draw from resilience literature across various fields; our views will continue to evolve as will those strategies. We do not mean to limit ourselves to these components but think that they are a helpful way to begin any resilience analysis, so long as the interests, goals, and values of stakeholders animate the strategies pursued.Hide

See supra notes 47–48 and accompanying text.Hide

See, e.g., White House, Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021 (Oct. 14, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/14/joint-statement-of-the-ministers-and-representatives-from-the-counter-ransomware-initiative-meeting-october-2021/[https://perma.cc/A223-ZY3F](citing “maintaining offline data backups” as a resilience measure in the context of ransomware); Marchant & Stevens, supra note 45, at 267 (“Redundancy is a core resilience measure.”).Hide

See supra notes 59–62 and accompanying text.Hide

See generally E-Embassies in Luxembourg, E-Embassies Ensure IT Security and Diplomatic Protection, Luxembourg, https://luxembourg.public.lu/en/invest/innovation/e-embassies-in-luxembourg.html[https://perma.cc/22PV-7HPY](explaining that “[d]ata is hosted with guarantees of immunity and privileges similar to those of a traditional embassy because the founding agreements between countries take account of the 1961 Vienna Convention on Diplomatic Relations,” but that data embassies represent “a totally new concept in international law: as is the case for actual embassies, the data centres constitute sovereign territory of the country that owns the data.” (emphasis omitted)); Thiébaut Meyer, Director, Office of the CISO, How Digital Embassies Can Strengthen Resiliency with Sovereignty, Google Cloud (Nov. 11, 2022), https://cloud.google.com/blog/products/identity-security/data-embassies-strengthening-resiliency-with-sovereignty[https://perma.cc/5ZPE-LVV2](discussing “data embassies”).Hide

Agreement Between the Republic of Estonia and the Grand Duchy of Luxembourg on the Hosting of Data and Information Systems (2017), https://www.riigiteataja.ee/aktilisa/2280/3201/8002/Lux_Info_Agreement.pdf [https://perma.cc/RHA3-82P3].Hide

Id. at Preamble.Hide

Id. art. 3.Hide

Yuliya Talmazan, Data Security Meets Diplomacy: Why Estonia Is Storing Its Data in Luxembourg, NBC News (June 25, 2019, 11:33 AM), https://www.nbcnews.com/news/world/data-security-meets-diplomacy-why-estonia-storing-its-data-luxembourg-n1018171[https://perma.cc/3ECF-MCHU].Hide

Factsheet: Data Embassy, E-Estonia, https://https://e-estonia.com/wp-content/uploads/factsheet_data_embassy.pdf [https://perma.cc/3HHJ-HWQW](lasted visited Aug. 16, 2024).Hide

The Principality and the Grand Duchy Linked by a New Bilateral Agreement: Pierre Dartout and Xavier Bettel Sign an Agreement to Create an e-Embassy of Monaco in Luxembourg, Gouvernement Princier Principauté de Monaco (July 16, 2021), https://en.gouv.mc/Policy-Practice/A-Modern-State/News/The-Principality-and-the-Grand-Duchy-Linked-by-a-New-Bilateral-Agreement-Pierre-Dartout-and-Xavier-Bettel-Sign-an-Agreement-to-Create-an-e-Embassy-of-Monaco-in-Luxembourg [https://perma.cc/TMP3-6VKJ].Hide

Talmazan, supra note 101; see also Gouvernement Princier Principauté de Monaco, supra note 103 (discussing motivations for the e-embassy).Hide

Federal Reserve System, Dep’t of the Treasury, and Securities & Exchange Comm’n, Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (Apr. 7, 2003), https://www.sec.gov/news/studies/34-47638.htm [https://perma.cc/YJM9-88AT].Hide

Id.Hide

See, e.g., Greenberg, The Untold Story of NotPetya, supra note 4 (describing the speed with which NotPetya malware spread around the world).Hide

Kristen E. Eichensehr, Giving Up on Cybersecurity, 64 UCLA L. Rev. Disc. 320, 323 (2016). A more extreme approach would be to “forego a technological capability” altogether by engaging in “technological regression or arrest,” where “[t]echnological regression involves walking back from technological capabilities because of concern about the inability to properly secure the technology” and “[t]echnological arrest . . . captur[es] the deliberate decision not to proceed with developing a technical capacity because of security concerns.” Id. at 324. That approach may be warranted in certain circumstances, see id. at 330–33 (discussing examples of technological regression and arrest), but the examples highlighted in this Essay involve instances where networking and technological capabilities generally provide significant benefits, making redundancy a more on-point approach.Hide

See id. at 328–29 (discussing paper backups of electronically cast votes).Hide

Jon Roozenbeek et al., Prebunking Interventions Based on “Inoculation” Theory Can Reduce Susceptibility to Misinformation Across Cultures, 1 Harv. Kennedy Sch. Misinfo. Rev. 1, 2 (2020).Hide

Id.Hide

Id.Hide

Id.Hide

Id.Hide

Id. (emphasis omitted).Hide

Id.; see also Chesney & Citron, supra note 18, at 1765–68.Hide

P.W. Singer & Emerson T. Brooking, LikeWar: The Weaponization of Social Media 263 (2018).Hide

Id. at 264. No surprise, the University of Washington has the nation’s most respected disinformation, media, and tech faculty across the campus. The University of Washington’s Tech Policy Lab spearheads some of that work. See Tech Policy Lab, Univ. Wash., https://techpolicylab.uw.edu/[https://perma.cc/7A9S-GT7G].Hide

See, e.g., Earthquake Preparedness, Cal. Gov.’s Office Emergency Servs., https://www.caloes.ca.gov/office-of-the-director/operations/planning-preparedness-prevention/seismic-hazards/earthquake-preparedness/ [https://perma.cc/P5HA-UGU9]; Tornadoes, ready.gov, https://www.ready.gov/tornadoes[https://perma.cc/T52F-YY5T].Hide

Danielle Keats Citron & Mary Anne Franks, The Internet as a Speech Machine and Other Myths Confounding Section 230 Reform, 2020 U. Chi. Legal F. 45 (2020).Hide

Citron, Fight for Privacy, supra note 40, at 97–98.Hide

Chesney & Citron, supra note 18, at 1765–68.Hide

Singer & Brooking, supra note 117, at 243.Hide

Id.Hide

Id.Hide

Id.Hide

Citron, Fight for Privacy, supra note 40, at 97–98.Hide

Chesney & Citron, supra note 18, at 1765–66.Hide

See Ryan Calo, Modeling Through, 71 Duke L.J. 1391, 1392, 1398 (2022).Hide

See Mary Anne Franks, The Free Speech Industry, in Social Media, Freedom of Speech and the Future of our Democracy 65, 79–83 (Lee Bollinger & Geoffrey R. Stone, eds. 2022).Hide

Id.Hide

Id. One of us (Citron) worked closely with a few tech companies interested in doing that in the aftermath of the 2016 election—regrettably, those same companies have walked back those efforts due to new leadership, expense, or having learned the wrong lessons from Murthy v. Missouri. Danielle Keats Citron & Jeffrey Stautberg, Public-Private Partnerships After Murthy v. Missouri, Ind. L.J. (forthcoming 2025), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4911912[https://perma.cc/UTQ5-S85E].Hide

Singer & Brooking, supra note 117, at 269 (emphasis omitted).Hide

Id. at 251.Hide

For more on this, see Citron, Fight for Privacy, supra note 40, at 149–66.Hide

See European Comm’n, 2022 Strengthened Code of Practice on Disinformation 9–14 (June 16, 2022), https://ec.europa.eu/newsroom/dae/redirection/document/87585[https://perma.cc/SE92-S3CJ]; see also Julie E. Cohen, A Systems Approach to Cheap Speech: Flash Trades, Engagement Levers, and Destabilization Attacks, Balkanization (Apr. 7, 2022), https://balkin.blogspot.com/2022/04/a-systems-approach-to-cheap-speech.html[https://perma.cc/WLF2-4JBL](discussing legal approaches to microtargeting and disinformation).Hide

Citron & Chesney, supra note 18, at 1758.Hide

Hany Farid, From the Darkroom to Generative AI, Content Authenticity Initiative (Aug. 15, 2023), https://contentauthenticity.org/blog/from-the-darkroom-to-generative-ai [https://perma.cc/K79B-GNRH];see generally Hany Farid, Fake Photos (2019).Hide

See Citron & Chesney, supra note 18, at 1787.Hide

Farid, supra note 138.Hide

Exec. Order 14,110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, 88 Fed. Reg. 75,191 (Oct. 30, 2023).Hide

Cf. Marchant & Stevens, supra note 45, at 268 (describing “stockpil[ing] needed mitigation resources and supplies for when something does go wrong” as a “substantive resilience measure”).Hide

Strategic National Stockpile, U.S. Dep’t of Health & Hum. Servs. https://aspr.hhs.gov/SNS/Pages/default.aspx [https://perma.cc/HT7T-4TQV].Hide

See Jensen, supra note 78, at 816 (discussing the need for congressional authorization to permit “purchas[ing] large numbers of computers and other spare systems in case of an attack where spares would be needed”).Hide

Michael Cieply & Brooks Barnes, Sony Cyberattack, First a Nuisance, Swiftly Grew into a Firestorm, N.Y. Times (Dec. 30, 2014), https://www.nytimes.com/2014/12/31/business/media/sony-attack-first-a-nuisance-swiftly-grew-into-a-firestorm-.html[https://perma.cc/7PKK-Q8JU].Hide

Greenberg, The Untold Story of NotPetya, supra note 4.Hide

Cf. Securities & Exchange Comm’n, Final Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51,896 (Aug. 4, 2023) (requiring periodic disclosures about public companies’ “processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks”).Hide

See, e.g., Lewis Herrington & Richard Aldrich, The Future of Cyber-Resilience in an Age of Global Complexity, 33 Politics 299, 305–06 (2013) (discussing retention of analog capabilities to operate critical infrastructure as a resilience mechanism to cyber intrusions and expressing concern that in the United Kingdom, “this unintended but valuable source of resilience will be eroded in the name of cost-cutting and efficiency” through the introduction of digital systems).Hide

Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016), https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/ [https://perma.cc/A6K5-XCC6];see also Cybersecurity & Infrastructure Sec. Agency, IR-ALERT-H-16-056-01, ICS Alert: Cyber-Attack Against Ukrainian Critical Infrastructure (2021), https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01[https://perma.cc/U37U-P37S](describing the intrusion in detail and noting the attribution to the Russian government).Hide

Zetter, supra note 149.Hide

Id.Hide

Citron & Richards, supra note 71, at 1377–81.Hide

Aro, supra note 35, at 178.Hide

See Danielle Keats Citron, The Continued (In)visibility of Cyber Gender Abuse, 133 Yale L.J. F. 333, 343–46 (2023) (showing law enforcement’s continued failure to take cyber gender abuse seriously).Hide

Shannon Bond, She Joined DHS to Fight Disinformation. She Says She Was Halted by . . . Disinformation, NPR (May 21, 2022, 5:00 AM), https://www.npr.org/2022/05/21/1100438703/dhs-disinformation-board-nina-jankowicz [https://perma.cc/PG77-3UMQ].Hide

Heidi Przybyla, ‘A Surreal Experience’: Former Biden ‘Disinfo’ Chief Details Harassment, Politico (Mar. 8, 2023, 4:30 AM), https://www.politico.com/news/2023/03/08/former-biden-disinfo-chief-details-harassment-00085981[https://perma.cc/U6LT-82HZ].Hide

Rep. Boebert Introduces Bill to Terminate the Department of Homeland Security’s Disinformation Governance Board, Congresswoman Lauren Boebert, https://boebert.house.gov/media/press-releases/rep-boebert-introduces-bill-terminate-department-homeland-securitys-0[https://perma.cc/8XVK-F2Y2].Hide

Przybyla, supra note 156.Hide

Id.; Zoom Interview with Nina Jankowicz, supra note 56.Hide

 Techtonic, The Deepfake Porn Problem, Article 19 (Aug. 21, 2023), https://www.article19.org/resources/techtonic-deepfake-porn-caught-in-the-crosshairs/ [https://perma.cc/XFB4-AFDQ].Hide

Citron, Continued (In)visibility, supra note 154, at 335.Hide

Id.Hide

Kate Starbird, UW Misinformation Researchers Will Not Buckle Under Political Attacks, Seattle Times (Oct. 6, 2023, 3:07 PM), https://www.seattletimes.com/opinion/uw-misinformation-researchers-will-not-buckle-under-political-attacks/[https://perma.cc/7WXE-A5Q7].Hide

Id.Hide

Id. The attacks on Starbird resemble the abuse faced by Jessikka Aro, Rana Ayyub, and others who investigate online influence campaigns and political corruption. See supra text and notes.Hide

Id. There are other crucial structural reforms that should be pursued to tackle cyber harassment. At the very moment when we are awash in cyber stalking abuse and disinformation, content platforms are stepping back from their efforts at content moderation. Kat Lo, Elon Musk’s Twitter Takeover: Five Takeaways For Content Moderation, Meedan (Nov. 18, 2022), https://meedan.com/post/five-content-moderation-takeaways-from-elon-musks-twitter-takeover[https://perma.cc/RTG3-H3XR](“Twitter has been rapidly decreasing staffing and capacity for carrying out content moderation actions to prevent misinformation, hate speech, and online abuse.”). Content moderation should be brought in house, rather than outsourced through low-paid contracts in countries where minimum pay is appallingly low, and it should be adequately funded. See Paul M. Barrett, It’s Past Time to Take Social Media Content Moderation In-House, Just Sec. (Jan. 18, 2023), https://www.justsecurity.org/84812/its-past-time-to-take-social-media-content-moderation-in-house/ [https://perma.cc/GJB7-T6TZ].Law must provide the needed incentives, since the market is not pressing us in this direction. We can and should adopt reforms to Section 230 of the Communications Decency Act, so that legal immunity is not enjoyed by sites that deliberately solicit, encourage, or fail to remove cyber stalking, intimate privacy violations, or digital forgeries and so sites otherwise have duties of care to address such abuse. See Citron, Continued (In)visibility, supra note 154, at 365–66 (discussing draft bill that Citron worked on with Massachusetts Congressman Jake Auchincloss).Hide