An e-SOS for Cyberspace by Duncan B. Hollis
[This post is part of the Second Harvard International Law Journal/Opinio Juris Symposium.]
In 2007, I authored two papers — one for a military audience and another for a legal one — arguing that debates over the law’s response to the growing range of cyberthreats would likely track ongoing debates over law’s response to terrorism. In that context, we’ve seen 4 options emerge:
- First, those who say terrorism is a crime, and only a crime, with any legal response limited to law enforcement mechanisms.
- Second, those who insist terrorism is war, with the applicable law, if any, derived solely from international humanitarian law.
- Third, those who try to bridge the two camps by insisting terrorism can be both a crime and an act of war, applying the benefits (and burdens) of both legal regimes.
- Fourth, and finally, those who argue that terrorism is neither a classic crime nor a classic act of war, and thus requires a new legal response to regulate its threat.
My sense is that the same jockeying among camps — crime, war, both, neither — is beginning to play out in the context of cyberthreats as well. The initial international legal response, most notably the Council of Europe’s 2001 Cybercrime Convention, rests entirely on a criminal law paradigm. In contrast, the recent emergence of U.S. Cybercommand (USCYBERCOM) and the guidelines reported to apply to it envisions significant cyberthreats in national security terms, more appropriately dealt with through a war model, rather than a criminal one. Not surprisingly, some states and scholars tacked to Option 3, suggesting that we can employ both crime and war paradigms to deal with these issues. Indeed, that’s how the Estonian government viewed the 2007 cyberattacks against it, calling them an act of war, but also launching criminal investigations and seeking extradition of those responsible. This third approach appears to be where the United States is heading as well.
I’ve spent the last 4-5 years advocating for Option 4 — the none-of-the-above idea. To be clear, I’ve never suggested that law doesn’t currently govern cyberthreats, but rather that it does so poorly. Thus, I’ve complained about the difficulties of translating existing rules into cyberspace, the complexity of those rules, and their inadequate scope when it comes to threats that can have either state or non-state origins. As a result, I’ve advocated for nation states to work out new rules to regulate and mitigate the harm posed by the most severe cyberthreats.
Not surprisingly, the most frequent response to my call for new rules was a question: what do I think those rules should be? This paper – An e-SOS for Cyberspace — is my attempt at a response. In it, I offer a first principle — a Duty to Assist — that I believe states could adopt as an appropriate international regulatory response. As the paper elaborates, a duty to assist is not some magic salve for all cyberthreats, but it could be a way for states to respond to the most severe ones that directly or indirectly take life or disrupt critical infrastructure. I argue, moreover, that given the way anonymity is built into the very architecture of the Internet, a Duty to Assist may be all that we can expect law to do at this point to deal with these threats. All of which is a long way of getting to my abstract:
Individuals, shadowy criminal organizations, and nation states all now have the capacity to harm modern societies through computer attacks. These new and severe cyberthreats put critical information, infrastructure, and lives at risk. And the threat is growing in scale and intensity with every passing day. The conventional response to such cyberthreats is self-reliance. When self-reliance comes up short, states have turned to law for a solution. Cybercrime laws proscribe individuals from engaging in unwanted cyberactivities. Other international laws proscribe what states can (and cannot) do in terms of cyberwarfare. Both sets of rules work by attribution, targeting bad actors—whether criminals or states—to deter cyberthreats.
This Article challenges the sufficiency of existing cyber-law and security. Law cannot regulate the authors of cyberthreats because anonymity is built into the very structure of the Internet. As a result, existing rules on cybercrime and cyberwar do little to deter. They may even create new problems, when attackers and victims assume different rules apply to the same conduct.
Instead of regulating bad actors, this Article proposes states adopt a duty to assist victims of the most severe cyberthreats. A duty to assist works by giving victims assistance to avoid or mitigate serious harms. At sea, anyone who hears a victim’s SOS must offer whatever assistance they reasonably can. An e-SOS would work in a similar way. It would require assistance for cyberthreat victims without requiring them to know who, if anyone, was threatening them. An e-SOS system could help avoid harms from existing cyberthreats and deter others. Even when cyberthreats succeed, an e-SOS could make computer systems and networks more resilient to any harm they impose. At the same time, an e-SOS would complement, rather than compete with, self-reliant measures and existing legal proscriptions against cyberthreats.
I look forward to the comments of Professor Eric Jensen and Professor Jonathan Zittrain and the conversation (I hope) it generates.