As state actors continue to wage cyberwar on the United States, they have a powerful ally
Editor’s note: The views expressed in this article are those of the authors and do not reflect the official position or policy of the U.S. government.
A major hack on the firms Cravath, Swaine & Moore and Weil Gotshal & Manges a few years ago was linked to foreign nationals with ties to the Chinese government. Their target? Proprietary client information. In 2014, a group with links to the Russian state energy sector hacked into a website belonging to the British law firm 39 Essex Chambers looking for information.
Last year, the Department of Justice opened an investigation into whether the Chinese government had attempted to hack Clark Hill, a law firm representing a Chinese dissident. And those are just the directed assaults. Law firms also are vulnerable to more broad-based attacks. DLA Piper was devastated in 2017 by a ransomware worm that placed nearly 3,600 of their lawyers on temporary lockdown. The worm later was found to be the work of hackers linked to North Korea.
Cyber exploitations and attacks happen every day on a global scale. How do we characterize this new cyber reality? Are these network violations criminal activity or espionage? Or are they acts of war? Our existing international laws, domestic statutes and law of armed conflict frameworks, all conceived in the pre-internet age, are struggling to find principles to bring order to our digital era.
The legal rules for cyber incidents below the threshold of an “armed attack” live in a gray zone as practitioners and scholars struggle to fill the legal doctrinal gaps on nonintervention under international law. The roles, responsibilities, authorities, accountability or standards for attribution are not universal, and there are no agreed-upon responses or norms for unlawful acts in cyberspace.
As the U.S. attorney general’s 2018 Cyber-Digital Task Force Report makes clear, although many government agencies are working on cybersecurity, and much has been accomplished, the DOJ is “keenly aware” that the current “tools and authorities are not sufficient by themselves” to keep America safe from cyberthreats.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
The Law of Armed Conflict
The U.N. Charter’s Article 2.4 prohibits any nation from acts of aggression against other nations, and while in theory this extends to the cyber world, the international community has yet to determine where the threshold for a cyber use of force lies. One clear point of agreement, noted in 2012 by Harold Koh, who was the Department of State legal adviser, is “cyber activities that proximately result in death, injury or significant destruction would likely be viewed as a use of force.”
The most recent Department of Defense’s Law of War Manual later stipulated that a cyber operation that might be considered a use of force under the U.N. Charter might be one that triggered a nuclear plant meltdown, opened a dam to cause destruction, disabled air traffic control services, or crippled military logistics systems.
Cyberattacks that cause physical destruction have been rare, the notable exceptions being in Saudi Arabia and Iran. In 2012, the Saudi state oil company Aramco was hacked and its hard drives wiped clean of information. Two years earlier, centrifuges in one of Iran’s nuclear facilities fell victim to malicious code.
Installing malicious code in a foreign government’s security system—is it considered a cyberattack, penetration or espionage? What about deliberately spreading ransomware to another nation’s businesses or health care systems? Was the Sony Pictures hack in 2014 an act of war?
There is no international legal agreement on the answers to these questions yet. An attempt begun in 2013 by the U.N. Group of Governmental Experts in cybersecurity to establish a legal cyber framework has stalled after reaching some basic agreements.
The GGE recognized the applicability of existing international law to states’ cyber activities; the inherent right of self-defense as recognized in Article 51 of the U.N. Charter; and the applicability of the law of armed conflict’s fundamental principles of humanity, necessity, proportionality and distinction to the conduct of hostilities in and through cyberspace.
In the law of armed conflict, the principle of necessity dictates that only those cyberstrikes deemed necessary to counter a threat should be carried out, while the principle of proportionality ensures any risk of collateral damage to civilian networks or infrastructure must not be excessive.
The principle of distinction demands that only those aspects that are military in nature can be targeted; and finally, the principle of humanity prohibits military strikes that would cause wanton suffering. But further agreement has been elusive. Some in the private sector have called for a “digital Geneva Convention,” committing to not engage in cyberattacks against individuals or businesses. But it, too, remains a nascent effort.
The most comprehensive private international effort to codify the law on cyberwar came in the form of the Tallinn Manual on the International Law Applicable to Cyber Warfare, originally written by a group of international experts in 2013 and updated in 2017. The Tallinn Manual was informed by traditional law of war treaties, such as the Geneva Conventions, and translated those principles for the cyber age in a bid to set a standard for cyber rule-making around the world.
The key flaw, however, is that the Tallinn Manual does not have the binding authority of a treaty. So while it is one of the most thorough legal manuals on the law of cyber operations, no nation is compelled to abide by its rules. The Tallinn Manual has appropriately focused on the issues of sovereignty and nonintervention as being two of the critical sticking points on how to achieve international consensus in this arena.
The State Actors
As is the case in any international conflict, we have allies, adversaries and frenemies. While problems with attribution persist, it is generally known that there are four key American adversaries in the cyber realm: China, Iran, North Korea and Russia.
In 2011, the Office of the National Counterintelligence Executive’s annual report to Congress on economic espionage named China, Iran and Russia as advanced persistent threats that were focused on stealing American intellectual property. Even so, holding states responsible to ensure that unlawful actions do not emanate from their jurisdiction, as well as the issue of attribution, continue to be difficult to apply in the cyber arena.
Russia has particularly aggressive cyber capabilities, which it typically uses to advance its geopolitical agenda and aggressively target democratic institutions in many countries. Every agency within the U.S. intelligence community—and a recent criminal indictment—has determined that the Russian government repeatedly infiltrated the computers of U.S. political parties to exploit information and interfered in the 2016 presidential election.
As noted by the recent indictments in July by special counsel Robert Mueller, there is also evidence that the Russian government developed detailed cyber campaigns to influence elections and undermine democratic institutions of our allies. In April, the Department of Homeland Security and the FBI announced that they were tracking widespread targeting of U.S. routers by Russians searching for more network vulnerabilities.
Furthermore, in 2016, the Russian-linked NotPetya virus was deployed in Ukraine to further Russian interests. However, it spread across the globe, affecting numerous systems in the United States and United Kingdom.
China, on the other hand, has implemented a dedicated cyber campaign apparently motivated more by financial and commercial considerations. The United States has accused China of as much as $600 billion of intellectual property theft from U.S. companies—the scale of which is largely unprecedented, according to U.S. Army Gen. Keith Alexander, former National Security Agency director.
The United States countered China’s “voracious appetite for information” by indicting members of the Chinese military in May 2014 for cyber breaches involving trade secrets and confidential business information. Then in 2015, federal officials signed a groundbreaking cybersecurity agreement with China to restrict future financial and commercial cyberespionage. This agreement has had a measurable impact on Chinese-linked hacks.
However, there has been some question as to whether they have continued to abide by the pact. Most experts agree that it is only a first step, and that China still maintains its capabilities and cyber ambitions.
North Korean hackers are thought to have been behind some of the world’s most devastating cyberattacks. Last year, they propagated the ransomware cryptoworm WannaCry, which affected more than 300,000 computers across more than 150 countries, costing the world economy billions of dollars.
In 2014, a North Korean-linked group hacked into Sony Pictures and stole more than 100 terabytes of information (names, Social Security numbers, health records) and dumped that information on public websites in retaliation for the company producing a fictional film about the assassination of North Korean leader Kim Jong Un. This group also threatened “9/11-style consequences” on the United States, and the entire attack resulted in sweeping international sanctions and legislative proposals.
Moving Forward
As we try to define this cyber gray zone, the State Department has proposed some principles and norms as outlined by its former legal adviser, Brian Egan.
First, a state shouldn’t conduct or knowingly support cyber-enabled theft of intellectual property, trade secrets or other confidential business information with intent to provide competitive advantages to its companies or commercial sectors.
Second, a state shouldn’t conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of critical infrastructure to provide service to the public.
Third, a state shouldn’t conduct or knowingly support activity intended to prevent national computer-security incident-response teams from responding to cyber incidents. A state also shouldn’t use these teams to enable online activity that’s intended to do harm.
Fourth, a state should cooperate in a manner consistent with its domestic and international obligations with requests for assistance from other states in investigating cybercrimes, collecting electronic evidence, and mitigating malicious cyber activity emanating from its territory. Achieving agreement on these norms internationally in the legal community would help define the contours of this emerging threat.
Domestically, one example of a structural legislative response to this new cyber world is the set of changes made in Rule 41(b)(6) of the Federal Rules of Criminal Procedure to expand the power of judicial warrants to cover multiple computers in multiple judicial districts. Another is the passage of the Clarifying Lawful Overseas Use of Data Act, which clarified the disclosure of information held by third parties abroad and reformed the Mutual Legal Assistance Treaty process.
Tellingly, one of the areas that the Cyber-Digital Task Force Report highlights for deeper evaluation on its authorities, practices and resources is enhancing effective collaboration with the private sector. This includes issues such as information-sharing, data-breach notification standards and frameworks for joint-disruptive efforts such as botnet takedowns.
This article was published in the November 2018 ABA Journal with the title “Gray Zone.”
Harvey Rishikof is chair of the Advisory Committee to the ABA Standing Committee on Law & National Security. Nicole Cacozza is a program assistant with the standing committee. Garrett Mulrain is a law clerk with the standing committee.