Crossroads Blog | CYBER SECURITY LAW AND POLICY

Cyber Exploitation, deterrence, international law

A soft counterattack on private counterhacks: Skating on Stilts/WPR/NPR

Herbert Lin wrote a quick primer on private sector active defense for World Politics Review.  I want to direct your attention to an excerpt from Mr. Lin’s work:

It is not clear that the use of offensive operations in response to hostile actions against private parties would in fact mitigate the threat those parties face, or that the benefits would necessarily outweigh the risks. It is certain, however, that taking such actions would raise a host of thorny domestic and international legal and policy issues.

For instance, who should determine when self-help actions may be conducted? What standards should be used to decide when self-help is appropriate, and what particular measures are justified by a given circumstance? How do common law traditions of self-defense apply in cyberspace?

Policymakers must also consider how, if at all, government should be involved in setting such standards, and whether government involvement implies official approval of actions taken under their rubric. Should national interests be taken into account in deciding whether a self-help response is appropriate in any given instance, and if so, how? And would self-help actions undertaken by private parties implicate national responsibilities under international law?

Finally, international forums must be identified where such issues can be discussed and agreement sought. Such forums would have to involve all stakeholders and not presume that only national governments have rights to engage.

A U.S. policy that condones aggressive self-help might serve as a deterrent against the cyberthreat to private sector entities. Alternatively, it might encourage a free-for-all environment in which any aggrieved party anywhere in the world would feel justified in conducting offensive operations against the alleged offender.


Stewart Baker responded to Mr. Lin in his Skating on Stilts blog, with a generally critical tone.  Notably, Mr. Baker (who spoke at Suits & Spooks on hackback/private sector defense under international law) took issue with Mr. Lin’s assertion that we must identify international forums where we can discuss private sector active defense.  Mr. Baker notes that “[i]f a right of self-defense depends [on] getting agreement in an international forum that involves all stakeholders, it’s safe to say that there won’t be much left to defend by the time the negotiators are done.”

***

I want to quickly weigh in on some of Mr. Lin’s points.  I agree with Mr. Lin that it’s unclear at what point hackback and/or stabilization actions actually become beneficial.  Something I’m trying to work through in my mind is when private sector active defense’s deterrent value outweighs the risk of maddening the adversary so that he comes back at you with his A-game.  Then again, do you refuse to stand up to a bully just because there’s a chance he hits back?  I don’t know.

Continuing on, who should determine when self-help actions may be conducted? The US government, specifically the DOJ.  Amend the CFAA to authorize private sector hackback under a deputization agreement where private companies interested in hacking back must get DOJ approval.  What standards should be used, and what measures are justified?  Let DOJ develop a formula similar to a LOAC analysis–with heavy emphasis on attribution–allowing the proportionality component to decide when a particular measure is justified.

Mr. Lin sort of alludes to this idea when he asks whether the government “should be involved in setting such standards” and whether such “self-help actions undertaken by private parties implicate national responsibilities under international law[.]”  As to international responsibility, I believe that the US may not–or at least should not–be responsible for private sector active defense.  The Tallinn Manual says a country is responsible for a non-state actor’s cyber actions when they are (1) attributable to the nation-state and (2) a breach of international law.  I’m not going to get into a lengthy analysis, but under the Tallinn Manual, I argue private sector hackback (even under this deputization agreement) is not formally attributable to the US.  Moreover, considering that 99% of hackback/private sector active defense would fall below the use of force threshold and not implicate the non-intervention doctrine, I don’t think hackback is a violation of international law.  Thus, I don’t think self-help actions by private parties would implicate U.S. responsibility.

Having said that, China/Russia would doubtless still hold the US responsible.  Therefore, I agree with Mr. Lin’s last point:  “international forums must be identified where such issues can be discussed and agreement sought.”  Assuming the US does want to legalize some forms of private sector self-help (a leap, no doubt, but many at the Suits & Spooks event suggested that the best way to engage in self-help is with government blessing), it’s going to need international support from a group of like-minded states to make inroads on whether private sector hackback is attributable to the host-nation.  My thought was to lodge this in NATO and come up with some sort of Cyber Montreux Document so we can square this both domestically and internationally.

In sum, I believe my proposed policy (deputization under the CFAA) would stand as a “U.S. policy that condones aggressive self-help [and] serve[s] as a deterrent against the cyberthreat to private sector entities.”  Moreover, I believe it avoids the “free-for-all environment in which any aggrieved party anywhere in the world would feel justified in conducting offensive operations against the alleged offender.”  I admit I’m not certain how government authorized hackback would work under international law, but it’s worth a shot.

***

By the way, Tom Gjelten had an interesting article for NPR on some of the very same issues.
