Eric Jensen responds to Duncan Hollis

[Eric Jensen, Visiting Assistant Professor of Law at Fordham University Law School, responds to Duncan Hollis, An e-SOS for Cyber-Space. This post is part of the Second Harvard International Law Journal/Opinio Juris Symposium.]

Drawing on the familiar and effective maritime principle of an SOS distress call, Professor Hollis argues in his paper that an analogous system should be established to respond to cyber distresses. The paper is extremely well researched and written and presents a very innovative idea certainly worth considering, and if not accepting, at least building upon to address the significant need for better responses to cyber threats. To his credit, unlike many commentators in the area, Hollis doesn’t just identify the problems, but proposes a solution that certainly has merit and is based in current international law.

In addition to Hollis’s proposal which I will address below, two of the best aspects of the paper are the factual data compiled as the introduction and the analysis of the attribution problem. Though both sections are designed to be background for Hollis’s main point, they are among the most articulate and complete in the current literature.

Hollis’s descriptive section on cyber threats is a rare compilation of the most significant recent activity, with just enough technical explanation to educate lawyers but not send them into a “science coma.” He has found some events that even those of us who write and research in the area continuously haven’t heard of, and then tied them all together with great conclusions as to the need for his proposed solution.

Additionally, his section on attribution will serve as the resource on that issue for papers written in the future. In particular, his linkage of proscription and attribution cast the problem in a way that clearly highlights the difficulties not only with attribution, but current attempts to remedy the situation.

The thesis of Hollis’s article is that the international community ought to embrace a duty to assist, or DTA, in the context of cyber threats. Analogizing to a ship’s ability to issue an SOS distress call which triggers a duty in proximate and capable ships to come to the distressed ship’s aid, Hollis argues that individuals businesses, organizations, and/or states ought to have a similar ability (and a similar corresponding duty) to seek and provide aid to the victims of cyber attacks. Hollis is careful to make clear that he does not “expect any resulting duty to remediate all threats nor to operate in all contexts” but he lays out a framework, inviting the international community to accept the apparent need and to craft a solution that will provide the assistance required.

Recognizing that Hollis’s project here is not to propose a complete solution, but merely a framework upon which to build, I will focus these initial comments on three points in Hollis’s paper: proximity, frequency, and technology protection. Dealing with proximity first, the basis for the effectiveness of the SOS was the proximity of the assisting ship to the ship that was in distress. The physical proximity not only was the basis for the requirement to help, but also the basis for the ability to help. Because the ship was in distress, a ship that was near had the ability to provide help. That acted to limit the scope of the right to assistance. Every close ship was responsible to respond within its capabilities, but only close ships were required to respond. I find this key foundational aspect of the SOS right and duty difficult to translate to cyber attacks. Hollis appears to recognize this difficulty but only addresses it very briefly by suggesting that “states might find it easiest to tie the DTA to the territorial jurisdiction within which the threat lies.” While that translates nicely to our common view of territory, it is technologically not necessarily any easier for someone to provide assistance to a computer threat from the building next door than from the office on the other side of the world. Further, states are free to do this now, without any international action, simply as a matter of domestic law.
Hollis also proposes the idea of “technological proximity”, arguing that “if a DDOS (Distributed Denial of Service) attack arrives on a server via one or more ISPs, those ISPs would have a DTA. . . . In other words, the DTA would seek to burden not those with a general capacity to combat cyberthreats, but those best situated to deal with the precise cyberthreat at issue.” The problem with this, as Hollis recognizes elsewhere in his paper, is that often, it is unclear in the midst of a cyber event, what the actual problem is and who is its source. Further, even if the type of problem can be discerned, would the victim make this determination and then be able to pick who was to provide the assistance based on their determination of technological proximity? Again, Hollis does not undertake in this paper to propose a detailed solution to each potential problem but merely propose a framework. However, I believe that the resolution of the proximity analogy from the traditional SOS underlies the validity of Hollis’s proposal.

The next area where the analogy with the traditional SOS is strained and serves to undercut the overall framework is the idea of frequency. One of the reasons for the success of the SOS paradigm is that ships found themselves in distress on extremely rare occasions. The circumstances that put a ship in distress were few and occurred rarely. The vast majority of ships would go throughout their entire working life without either ever issuing an SOS or responding to an SOS. With the pervasiveness of cyber attacks (Hollis mentions in his paper that nearly two thirds of the businesses polled in a recent survey reported that their energy and water sector operations had been affected by cyber attacks), the need for help and the requirement to help would not be the rare case, even if states determined to limit the e-SOS to the most severe cases. Additionally, the entities with the capability to actually provide help would quickly be overrun with requests. After having pondered on this problem, I am not sure that states could reasonably tailor the e-SOS in such a way that the National Security Agency would not become the first line of defense for much of the world against cyber attacks.

Finally, I think the whole framework might not be able to overcome the concern over technology transfer. Presumably, the victim would be seeking help because it did not have the technology or expertise to solve the problem itself. It follows that the entity would be more technologically advanced and would be required to bring those advanced technologies to bear. Hollis again briefly acknowledges the potential difficulties here but I think they may be foundational difficulties in that the entity providing assistance is not going to want to do so in a way that compromises any advanced technology, and the victim is going to be anxious to watch what is being done (and potentially left) in its system, making that a hard combination to solve.

Having raised these three issues, I again want to say that I think Hollis’s paper is a great contribution to the literature and that even these three issues may be less a critique of Hollis’s paper and more of a challenge for us readers to pick up on the great work he has done and “move the ball forward” in a way that will help solve these problems.