Crossroads Blog | CYBER SECURITY LAW AND POLICY


Cyber Roundup (3/25): Congress strengthens stance on China, Tallinn Manual launch, CFAA may get tougher, and more . . .

Quick survey of recent cyber news . . .

***

I didn’t refer to it in the title, but I want to give top billing to a Lawfare blog post by Jack Goldsmith.  The post was in response to this recent WashPo op-ed by James Lewis where Lewis explored “Five Myths About Chinese Hackers.”  The fifth myth was “America spies on China, too, so what can we complain about?”, and in that section Lewis said that “[t]he United States, by contrast [to China], does not engage in economic espionage.”

Mr. Goldsmith laid out a very comprehensive response to several of Lewis’ points.  Notably, Goldsmith said:

  • “[I]t is not true that ‘unwritten rules’ prohibit economic espionage.”
  • “[I]t is not true that the Chinese are doing something that other countries don’t do (though it is true that they do it better and more extensively than most).”
  • “[I]t is not true that ‘[t]he United States . . . does not engage in economic espionage.’”
  • “U.S. public and foreign audiences don’t really know the precise USG policy on foreign economic espionage.”
  • “China is definitely engaging in cyberexploitation, [b]ut [the U.S. is] also doing things to China that its government views as direct attacks . . .”

Mr. Goldsmith then went on to discuss the one-sidedness of the cyber dialogue, finishing up with this interesting line: “Commentary in the United States too often proceeds on the assumption that the USG can have its cake and eat it too on cybersecurity.”

I quoted a few choice sections, but this is really a post that deserves to be read in its entirety.  I confess that I’ve often parroted the claim that the U.S. does not engage in economic espionage/cyberexploitation, and that claim is apparently wrong.  As Mr. Goldsmith notes, the better claim is that the USG does not collect “proprietary information of foreign commercial firms to benefit private firms in the United States.”

Anyways, this is a great Lawfare blog post, definitely worth a look.

***

Via the Atlantic Council, the Tallinn Manual is going to be getting a D.C. release party “at The University Club Ballroom on March 28, 2013, in cooperation with the ABA Standing Committee on Law and National Security, Cybersecurity Legal Task Force, and the Standing Committee on Armed Forces Law.”

Here’s a useful Tallinn Manual factsheet that quickly states some of the Manual’s conclusions.

While we’re on the topic, The Washington Times’ Shaun Waterman reports that NATO concluded that Stuxnet was a use of force and “was likely illegal under international law.”  The article notes that the experts were divided on whether ol’ Stuxie rose to the level of an armed attack.

***

Stewart Baker had an interesting post for his Skating on Stilts blog that discussed Congress’ efforts to stop Chinese cyberexploitation/cyberespionage.  Baker explained that Congress “has added tough sanctions to the continuing resolution that funds the federal government and is now awaiting the President’s signature. The sanctions provision bars federal government purchases of IT equipment ‘produced, manufactured or assembled’ by entities ‘owned, directed, or subsidized by the People’s Republic of China’ unless the head of the purchasing agency consults with the FBI and determines that the purchase is ‘in the national interest of the United States.’”

***

The Hill’s Jennifer Martinez reported on how a new bill circulating in the House Judiciary Committee may stiffen the CFAA.  According to Martinez, the bill “would tighten penalties for cyber crimes and establish a standard for when companies would have to notify consumers that their personal data has been hacked” while also changing “existing law so that an attempt at a cyber crime can be punished as harshly as an actual offense.”

Via The Hill article, here’s a copy of the bill.

***

This one already made its rounds on Twitter, but Yousaf Butt had a very good article for Foreign Policy on why nuclear deterrence is a bad option for cyberspace.  Butt is of course referencing a recent DoD report that suggested “threatening the use of nuclear weapons in response to the most severe cyberattacks.”  Butt argued why he thought applying nuclear deterrence to cyberspace was a bad idea, ultimately concluding that we can never fully solve the cybersecurity problem, but we can “respond by making our systems more resilient, improve our attribution abilities, and, to the extent possible, cooperate with other nations in smoking out [dangerous hackers] worldwide.”

***

Nothing really new, but Paul Wagenseil had a useful article for NBCNews that discussed 5 (probably) American cyberweapons: Stuxnet, Flame, Duqu, Gauss, and MiniFlame.
