Impact of International Cyber Law, or the Lack Thereof, on States and Businesses
Article by Aaron J. Cheung
I. Introduction to the Cyber Issue
The Central Intelligence Agency (CIA) Worldwide Threat Assessment recognized that the increasing cyber capabilities of other state actors could be used to surveil, attack, steal from, and influence the U.S. These cyberattacks have the potential to threaten government institutions and target major corporations, harming large groups of people. Al-Qaeda and ISIS have used social media to facilitate terrorism, and Russian intelligence officers hacked the Democratic National Committee (DNC) to interfere with U.S. elections in violation of a federal computer-intrusion statute. In 2000, a fifteen-year-old Canadian citizen attacked and disabled several U.S.-based websites, including Amazon, CNN, Dell, eBay, and Yahoo!, causing an estimated $1.7 billion in damages, and in September 2019, Equifax settled with the FTC for $425 million following a data breach that disclosed personal information of 147 million people.
International law offers little settled guidance on how to address these incidents. Legal frameworks dealing with cyber issues tend not to address cybersecurity directly. Instead, a combination of rules and norms governing other aspects of international relations is sometimes applied. As a result, international law fails to provide an overarching and consistent framework for handling cybersecurity issues. Furthermore, the asymmetric nature of cyber warfare, i.e., the unpredictability and undetectability of cyberattacks, combined with the difficulty of identifying attackers, complicates retaliation, enforcement, and prosecution.
When governments begin to create international cyber law, as they may soon do, they should seek to solve two problems: the lack of legal guidance on how state actors may retaliate, seek relief, or recover damages; and a similar challenge for non-sovereign entities. For this Article, I will assume that retaliation, relief, and recovery are generally normatively and positively desirable. The following two sections of this Article will provide a brief overview of the most critical ways that international (and domestic) laws fail to address these problems. The Article will then describe how a framework to create multilateral institutions may help resolve the unpredictability and undetectability of cyberattacks, as well as complications inherent in enforcing cybersecurity laws.
II. Establishing an International Cyber Law Framework
The Proper Retaliation, Relief, or Damages for State Actors Created through a Piecemeal Legal Framework:
The same laws governing conventional warfare generally apply when cyberattacks against states or institutions amount to war. Once a war breaks out, states may theoretically retaliate with standard forms of traditional warfare, including conventional (or nuclear) uses of military strategies and weapons, in combination with appropriate cyberattacks. However, many disagree about when states should exercise the law of war. Since cyberwarfare is relatively cheap compared to conventional warfare and may cause temporary rather than permanent harm, no explicit rules have emerged as to when a state may retaliate using conventional weapons.
Yale Law Professor Oona Hathaway identified three prominent theories that illustrate different interpretations about when war is justified. Under an instrument-based approach, only cyberattacks that use military weapons may escalate to war. With a targets-based approach, a cyberattack must imminently and sufficiently harm a critical target. An effects-based approach measures the “gravity of effects” based on the harms that may result.
If a cyberattack does not amount to war, then a hodgepodge of other rules, such as those governing countermeasures, treaties between countries or among multilateral organizations, and domestic criminal or civil laws, can regulate cyberspace. The applicable rule depends on the circumstances of the cyberattack, and in many cases, no rules apply. For example, an attack aimed at disabling some system may warrant retaliation under international countermeasure norms to prevent the attacker from repeating the same offense or to take down a similar system. On the other hand, according to Oona Hathaway, cyberattacks on communications systems might fall under international telecommunication agreements, and cyberattacks on airplanes may fall under international aviation laws. Sometimes, domestic laws criminalize cyberattacks conducted by foreign actors. For example, Mueller found evidence that Russian agents violated the federal computer-intrusion statute. Even though they violated U.S. law, the agents are unlikely to face prosecution anytime soon, since they can avoid U.S. jurisdiction. Under the current framework, cyberspace does not have its own set of relevant laws but instead is loosely governed when cyberattacks escalate to warfare, violate the law in a related field, or violate domestic statutes.
Businesses and People (non-state actors):
Laws regulating cybersecurity for non-state actors sometimes lead to strange results. Domestic laws do provide for civil actions in response to cyberattacks. However, they often do not grant adequate relief. In the 2017 Equifax breach, hackers unlawfully accessed personal data due to a vulnerability that Equifax failed to patch. Although Equifax may be partly responsible for failing to take adequate measures to protect that information, it was an affirmative act of the hacker that caused the harm. Equifax had to pay millions of dollars and provide even more in services as a punishment for the hacker’s crime. Equifax found itself in the unenviable position of suffering financial losses it was unable to recover as a result of the harm caused by the hacker’s actions.
Even if they could find the hackers, they would be unlikely to recover much through civil action. Unlike robberies, in which the law will work to find the perpetrators and undo the harm (or insurance may cover it), victims of cyberattacks are unlikely to obtain compensation equal to the damages suffered. While states have the resources to identify attackers, criminally prosecute perpetrators, and retaliate, non-state actors generally cannot respond in the same way. Victims gain little from pursuing civil actions whose potential rewards are outweighed by the costs, as is often the case. If a foreign actor commits the cybercrime, non-state actors may have even more trouble identifying the offender and holding them responsible.
How can such issues be addressed through international law when the offender comes from a foreign State? States can recognize an obligation to protect their citizens from significant cyberattacks. In many cases, non-state actors belong partly or wholly to a state and are entitled to adequate protection from outsiders. Under several traditional theories about state formation, such as social contract formulations, the state may be obligated to protect its people from the cyber equivalent of foreign invasion as a form of a common good. By using the force of the state to find perpetrators of cybercrimes targeting its citizens, states can fulfill a utilitarian purpose in deterring cybercrimes and find justice by prosecuting criminals.
As a final matter, institutions should be established multilaterally to share information and identify perpetrators of cyberattacks. These institutions should determine when various actors can be charged with violating a law or norm based on agreed-upon rules. For example, they may determine what sort of financial consequences, through fines or sanctions, a state may receive for launching a cyberattack. If they do not wish to take certain sovereign powers away from states, institutions may alternatively create new rules that provide standards for just retaliation.
The most critical tasks are to address the unpredictability and undetectability of cyberattacks, and to increase the capability of state and non-state actors to identify offenders. The most persistent problem with a cyberattack, and the reason why it poses such a significant threat, is the asymmetry of power in which a hidden cybercriminal may, at their discretion, attack systems at any time, with little warning, and often in an unknown way. Thus, institutions should do all they can to identify and prosecute wrongdoers, because doing so will increase the overall costs for someone to commit such a crime. A possible way to achieve this would be to coordinate efforts and information from several states. This would facilitate a sense of shared responsibility to investigate and prosecute cyberattacks, further increasing the ability to find potential wrongdoers. This type of agreement would decrease what makes cyberattacks so asymmetrically advantageous.
Domestic and international cyber laws fail to adequately provide a framework for state and non-state actors to identify attackers and receive relief. States targeted by cyberattacks need to navigate a complex web of loose rules to determine what they may or may not do. Non-state actors encounter even more difficulty recovering for the harms they suffer, and this problem will likely become exacerbated as international cybercrimes increase in frequency. These problems should be addressed through the creation of international rules and norms.