International Cybersecurity: A Call for Legislation

A new international conflict began to brew last summer, after the release of several private emails and confidential documents belonging to members of the Democratic National Committee. Members of the DNC watched in helpless fury as the material posted on WikiLeaks and other websites was eagerly snatched up by American media organizations. These letters, allegedly leaked by Russian hackers, represented a massive intrusion in American cyberspace during the presidential election campaign of 2016. Once the CIA released its conclusion that President Vladimir Putin had direct involvement in the DNC hackings, the Obama administration retaliated by expelling several of Russia’s diplomats and imposing sanctions against its intelligence apparatus[1]. However, while this retaliation conveyed a clear political message, it carried no legal implications and thus leaves American actions open to skepticism from outside critics.

Cyber-hacking is a crime that is rapid, ambiguous and difficult to pursue; this issue is exacerbated by a framework of law that is behind the times. Modern international law is founded on the idea of maintaining a balance of power within nations, and a framework of laws that all nations must abide by is advantageous because each nation becomes accountable to a group of other nations. Even so, cyber-hacking has not yet been fully legislated into international law. A breach of sovereignty – whether physical or cyber – should violate Article II of the UN Charter, which states that member-states should refrain from the “use of force against the territorial integrity or political dependence” of a state. Yet the law of war provides a useful framework for only a limited number of cyber-attacks: a cyber-attack is treated as a “use of force” only if it amounts to an armed attack or takes place in the context of an ongoing conflict.[2]

Another problem is presented by jurisdiction, as cyber-hacking can easily be committed from places outside the jurisdiction of the state in question. Although IP addresses can be traced, or the general location of the hackers discovered, by a US intelligence agency, the country harboring the hackers does not necessarily give them up to the Americans. Yet, had the United States chosen to accuse Russia of violating international law – and successfully provided evidence to support that accusation – the penalty imposed by the United Nations would have been upheld by all its members, and would thus have served as an example to deter other nations from committing such a breach.

However, the ambiguity behind the term “armed attack” renders international law inadequate as a tool to moderate the behavior of other nations. Yet, this need not be the case, as countries have set frameworks of law to monitor domestic cyber-security. The issues presented in international law are thus not echoed in United States domestic law, which considers cyber-hacking a crime under the Computer Fraud and Abuse Act. Any attempt to access nonpublic computers in both government and non-government organizations “without authorization” carries legal consequences, which can be either civil or criminal. In United States vs. Dennis Collins et al. in 2010, the attempts by the hacking organization Anonymous to render PayPal computers unavailable to its users resulted in a fifteen-count criminal indictment, implicating all members involved for “conspiracy and causing intentional damage to PayPal’s computer servers.” If proven in court, cyber-hacking has the potential to result in serious legal repercussions.

Nevertheless, holes exist even in US domestic laws governing cybersecurity, due to the limited jurisdiction they have on international territory. While the universality of the Internet allows computers within the US to be hacked from virtually anywhere, the American arm of prosecution cannot reach back as far. In United States of America v. Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, Gu Chunhui in 2014, the US government alleged that five Chinese officials stole valuable information from a number of US companies. The case specifically acknowledges its unusual circumstances, as it was the “first time charges have ever been brought against a state-actor for cyber-espionage,” and charged the five officials on 31 different criminal counts.[3] Yet, without the cooperation of the Chinese state – which called the charges “ungrounded and absurd”[4] – a full court proceeding cannot take place. Almost three years later, the men still remain on the FBI’s wanted list for cyber crimes.

Unsurprisingly, the US has thus often chosen to respond to international cyber-hacking threats through political rather than legislative processes. The hacking of Sony Pictures in November 2014 was not filed in court; instead, after the FBI pinpointed North Korea as the location harboring the hackers, President Obama signed an executive order authorizing new sanctions against the North Korean government. However, the lack of legislative process involved in the enforcement of these consequences has allowed a certain degree of skepticism to taint the validity of the actions of the US.[5] As malware can be traced to computers from Bolivia, South Korea, and other countries all around the world, no evidence exists that unequivocally justifies the US retaliation against the potential cyber-attack committed by North Korea. If the US were to pursue Russian sanctions in retaliation for perceived interference in the elections, the perception of a government reluctant to change its regime would contribute to an added degree of skepticism.

If it is to be concluded that the precarious balance of power in the international realm makes it difficult to have a comprehensive, enforceable domestic legal regime, then it becomes necessary to amend the international framework of laws governing cybersecurity. One avenue that exists for the United States to argue that the Russian government is accountable for the hackings is to bring the case before the International Court of Justice. In the landmark case Nicaragua vs. USA, the United States was held accountable for state intervention in Nigeria, and was instructed to pay reparations. The United States was found in breach of its obligations “not to use force against another state”, “not to intervene in its affairs”, and not to violate its “sovereignty”[6]. This ruling by an impartial authority legitimized Nicaragua’s grievances, forcing the United States to admit its guilt in the matter, and mandated reparations to make up for its infraction of Nicaragua’s sovereignty. Now, although the physical intervention of the USA in Nicaragua was much more extreme, in that it was charged with the killing, wounding and kidnapping of Nicaraguan citizens, certain similarities can be drawn between the American intervention in Nicaraguan internal affairs and Russian intervention in American internal affairs. While no military or paramilitary exists for the Russian Federation to secretly fund, their exposure of confidential documents, accomplished by illicit means, was a targeted attempt to influence political affairs. Only members of the DNC were targeted, and so the aim of the hacking – and the consequent leaking of documents – was not to discredit the American government but to discredit one political party. That this intervention was accomplished without the knowledge or consent of the DNC suggests it was forceful, and it can therefore be treated as equal to a direct intervention in foreign affairs.

Like Nicaragua vs. USA, a potential case brought before the International Court of Justice, such as USA vs. Russia, could also serve as a landmark case for international cyber-security. Article 51 of the UN Charter states that nothing shall impair the “inherent right of collective self-defense if an armed attack occurs against the member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.”[7] However, cases regarding cybersecurity are currently subject to differing legal interpretations of “armed” attack. For instance, the USA argued in the ICJ court case against Nicaragua for a distinction between “the most grave forms of the use of force (those constituting armed attack)” and other “less grave forms,” which include cutoffs of foreign aid, trade boycotts, travel bans, or other acts that might have the same effects as an armed attack. While bringing a case protesting the Russian interference in the presidential elections would open several arguments regarding the ambiguous meaning of several key definitions, it would represent a shift toward recognizing the role of modern technology in international relations, and provoke changes in the international legislative structure to accommodate the continually evolving technology in today’s society.

[1] Perez, Evan, and Daniella Diaz. “Russia Sanctions Announced by White House.” CNN. Cable News Network, 02 Jan. 2017. Web. 29 Mar. 2017.

[2] “The Law of Cyber Attack.” Yale Digital Commons. Yale Law School Faculty Scholarship, 1 Jan. 2012. Web. 12 Mar. 2017.

[3] “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage.” The United States Department of Justice. N.p., 19 May 2014. Web. 12 Mar. 2017.

[4] “China Blasts ‘absurd’ U.S. Charges of Cyberespionage.” Los Angeles Times. Los Angeles Times, 19 May 2014. Web. 13 Mar. 2017.

[5] Perlroth, Nicole. “New Study May Add to Skepticism Among Security Experts That North Korea Was Behind Sony Hack.” The New York Times. The New York Times, 24 Dec. 2014. Web. 29 Mar. 2017.

[6] Military and Paramilitary Activities in and against Nicaragua Case (Nicaragua v United States of America) International Court of Justice, n.d. Web. 05 Mar. 2017.

[7] UN Charter <http://www.un.org/en/sections/un-charter/un-charter-full-text/>