Abstract:
The Article first explores the line between public and private functions and provides a descriptive account of the public-private cybersecurity system. It highlights the relative roles of the U.S. government and private sector in four important contexts related to international cybersecurity threats: (1) disrupting networks of infected computers used by transnational criminal groups (“botnet takedowns”), (2) remediating software vulnerabilities that can be used for crime, espionage, and offensive operations (“zero-day vulnerabilities”), (3) attributing cyber intrusions to state-sponsored attackers, and (4) defending privately owned systems and networks from sophisticated, nation state-sponsored attackers.
The Article then uses the public-private cybersecurity system to challenge and complicate existing scholarship on privatization. Procedurally, the public-private cybersecurity system differs from traditional privatization because private actors — not the government — decide what functions they should perform, and private actors operate outside of contractual frameworks that have traditionally restrained private contractors. Substantively, the cybersecurity context implicates public law values addressed in prior work — including accountability, transparency, and due process or fairness — but it also raises additional concerns about security and privacy.
Evaluating how the public-private cybersecurity system attains and falls short of public law values yields broader lessons for cybersecurity governance and for privatization. The public-private cybersecurity system shows that concerns about public law values are not unidirectional — sometimes threats to public values come from the government, not the private sector. On the other hand, while empowered private parties play a crucial role in cybersecurity and in many ways currently support public values, this alignment is a present fortuity, not a structural feature, and so may shift in the future, posing new threats to public law values. These complexities require new kinds of context-dependent solutions to safeguard public law values. The Article concludes by suggesting several such remedies for the public law failings it identifies.