An SOS for Cyberspace?

My colleague David Post and I have an op-ed in today’s National Law Journal.  In it, we challenge the sufficiency of existing responses to cyberattacks, whether in terms of pushing for heightened security, more criminal law enforcement or applying the laws of war (if applicable).  Criminal law (and the laws of war for that matter) depends on identifying and holding actors accountable for their actions.  Given attribution problems that give cyberattackers virtual anonymity, we argue that these methods cannot effectively respond to such attacks, let alone deter them.  So long as the Internet’s architecture preserves an attacker’s identity, we claim that the law will need to look to alternative deterrent and regulatory models for regulating threats without regulating who (or what) causes them.  To that end, we flag the use of the SOS to deal with threats to life and property on the high seas as a useful analogue.  The SOS works, not by regulating the cause of any harm (e.g., hurricanes, pirates, equipment failure), but by imposing a duty to assist on all in a position to help when they hear the SOS call.  In doing so, the SOS mitigates the threat, with the assistance provided often saving lives and protecting property.  We argue a duty to assist could have similar functions in cyberspace, mitigating the effects of cyberattacks even where we cannot identify (and thus regulate) the actual attacker(s).  Indeed, we believe that if the duty to assist actually does mitigate the harm from certain cyberattacks (i.e., by ensuring bandwidth is available to overcome directed denial of service attacks, or by cutting off the pathway of an attack) it might actually deter attackers from launching those attacks in the first place.  In such situations, attackers may come to recognize that the desired effect cannot be achieved and not bother to even try to attack.  Or, if the attacker is an entity that might actually fall under a duty to assist (e.g., a national government) it might think twice before attacking in the first place.  After all, why make a mess that you know you’ll have a public duty to remediate?  For more details, you can read our op-ed here.