1 Cybersecurity and International Law: A Hybrid Proposal to Place Partial Cyberspace Security Responsibility on Private Infrastructure Providers While Extending the Special Maritime and Territorial Jurisdiction to Cyberspace “A hacker needs no passport and passes no checkpoints” 1 Bruce Villard University of Maryland Carey School of Law May 2012 I. Introduction Recent incidents involving cross-border intrusions into the Estonian and American computer systems and corporate entities have brought the nexus of international and cybersecurity law into the focus of many legal scholars and policy-makers. 2 Over a three-week period in 2007, and shortly after Estonia moved a Russian war memorial away from the center of Tallinn (Estonia’s capital), Estonian government, banking, health, university, and other computer systems were overwhelmed by a denial of service attack, specifically “increasingly larger waves of data requests, rendering them inaccessible for long periods of time.” 3 Corporations and government agencies in the United States are also, of course, vulnerable to cyber attacks, notably from China, 4 which has developed specially-trained military units to mount such attacks. 5 But, the Chinese government is not the only state to funnel resources into preparing to mount offensive cyber attacks. Research performed by the United States’ Government Accounting Office indicates that at least 120 countries are developing or have already developed such capabilities 6 and the U.S. itself attempted to make use of such capabilities during the Kosovo conflict. 7 Given the physical infrastructure risks as well as those denial-of-service attacks, a more thorough means of dissuading such activity through active prosecution needs to be developed. The U.S. has noted that laws and international collaboration on cybersecurity issues are not
30
Embed
Villard WritingSample Cybersecurity and International Law
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
Cybersecurity and International Law: A Hybrid Proposal to Place Partial Cyberspace
Security Responsibility on Private Infrastructure Providers While Extending the Special
Maritime and Territorial Jurisdiction to Cyberspace
“A hacker needs no passport and passes no checkpoints”1
Bruce Villard
University of Maryland Carey School of Law
May 2012
I. Introduction
Recent incidents involving cross-border intrusions into the Estonian and American
computer systems and corporate entities have brought the nexus of international and
cybersecurity law into the focus of many legal scholars and policy-makers.2 Over a three-week
period in 2007, and shortly after Estonia moved a Russian war memorial away from the center of
Tallinn (Estonia’s capital), Estonian government, banking, health, university, and other computer
systems were overwhelmed by a denial of service attack, specifically “increasingly larger waves
of data requests, rendering them inaccessible for long periods of time.”3
Corporations and government agencies in the United States are also, of course, vulnerable
to cyber attacks, notably from China,4 which has developed specially-trained military units to
mount such attacks.5 But, the Chinese government is not the only state to funnel resources into
preparing to mount offensive cyber attacks. Research performed by the United States’
Government Accounting Office indicates that at least 120 countries are developing or have
already developed such capabilities6 and the U.S. itself attempted to make use of such
capabilities during the Kosovo conflict.7
Given the physical infrastructure risks as well as those denial-of-service attacks, a more
thorough means of dissuading such activity through active prosecution needs to be developed.
The U.S. has noted that laws and international collaboration on cybersecurity issues are not
2
keeping up with technology despite treaties such as the Council of Europe’s Convention on
Cybercrime and various actions taken by the United Nations,8 and one way to address this
problem is with a hybrid solution of incorporating the special maritime and territorial jurisdiction
into the Convention on Cybercrime and placing some burden on private entities to maintain
appropriate levels of security against cyber attacks. After reviewing the existing legal structure
to address cyber attacks and its drawbacks, multiple solutions will be reviewed and analyzed,
including the hybrid private entity burden - special maritime jurisdiction solution.
The events described supra9 illustrate how attacks can damage data, and are often
referred to as “Computer Network Attacks” or “CNAs.”10
Persons who initiate CNAs intend not
only to cause disruption and denial of services (as seen in the cyber attack on Estonian computer
systems), but also actually destroy information in computers and networks themselves.11
Cyber
attacks, in some ways are an improvement over bombs and missiles in that cyber attacks can
cause similar harm12
and do it without actually engaging an adversary in the traditional vision of
a physical conflict.13
Specifically, cyber attacks can physically damage to infrastructure
elements such public water and electric utilities by using a discrete cyber attack to remotely open
a dam, cause a nuclear plant meltdown, or rupture an oil pipeline14
– just like a bomb or a
missile.15
The fact that potential damage can occur to critical infrastructure, as well as data, in
the private and public sectors, points to the need that “we must work towards building the rule of
law, to prevent the risks of logging on from outweighing its benefits.”16
If the proposed solution
is implemented in the future, it should further the work toward building this rule of law.
3
II. International Law Review
While international law is generally based upon the agreement of multiple countries,
there is a blurry line between actions that fall under the auspices of international criminal law
and those that fall under the laws of war or the use of force.17
This section will discuss both, and
will place some focus on jurisdiction and customary law as they play the biggest roles in
cyberspace adjudication. In general, however, international law is that which is either a)
accepted as customary law; b) is agreed to by international treaty or convention; or c) is derived
from common legal principles.18
A. The Law Armed Conflict and Its Application to Cyberspace
i. The Law of Armed Conflict
The Law of Armed Conflict (“LOAC”) is derived principally from United Nations
Charter Articles 2(4)19
and 51,20
as well as the seminal cases of Corfu Channel21
and Military
and Paramilitary Activities In and Against Nicaragua.22
With two exceptions, the U.N. Charter
states that members need to refrain from the using force.23
These exceptions, known as the right-
to-war or jus ad bellum, are 1) when the U.N. Security Council authorizes the use of force
pursuant to U.N. Charter Article 42,24
and 2) individual or collective self-defense under U.N.
Charter Article 51.25
Self-defense can only be used when there is an armed attack26
- the definition of which
engenders considerable tension. Traditionally, an “armed attack” meant that a party used
conventional weapons – not cyber – to attack an adversary.27
However, the International Court
of Justice (“I.C.J.”) has found that Articles (2)4 and 51 apply to the use of cyber, chemical,
biological and similar forms of aggression – the I.C.J. found the type of weapon used to be
irrelevant to its determination of what constituted an “armed attack.”28
Put another way, while
4
the original definition of an “armed attack” focused on the use of kinetic weapons, the standard
changed to a results-oriented approach and instead focused on the effects on life and property.29
Especially noteworthy in the context of cybersecurity is that U.N. Charter Article 2(4)
only applies to States and not to non-state actors.30
Terrorist attacks, for example, are prosecuted
under criminal statutes instead of the laws of armed conflict even when a foreign national
attacker stated that they were waging war against the state they attacked.”31
The distinctions between legitimate use of force in a self-defense contact and what
actions cannot be considered self-defense can be seen in the Corfu Channel32
and Military and
Paramilitary Activities In and Against Nicaragua 33
cases. In Corfu Channel, the Albanian
military fired on two British warships, which were passing through the Corfu Channel off the
coast of Albania in May 1946.34
The British warships were ostensibly asserting their right of
free passage and also wanted to test the Albanian response.35
In October 1946, the British Navy
sent four more ships through the channel and two of the ships struck mines.36
The Royal Navy
commenced mine-clearing operations in November 1946.37
The I.C.J. declared that while the
U.K. violated international law by sending armed ships into Albanian waters to remove mines,
the I.C.J. did not expressly state the action to have violated Article 2(4).38
However, the I.C.J.
did find Albania in violation of Article 2(4) by firing on the British ships because the ships had
not attacked Albania.39
Similarly, in Military and Paramilitary Activities, the I.C.J. found that when Nicaragua
assisted Salvadoran rebels by sending troops across the border from Nicaragua into El Salvador,
the action was considered to be just a threat that the conflict might escalate and not an escalation
itself. 40
At most, the action was considered to be meddling in El Salvador’s internal affairs.41
5
Either way, the I.C.J. held that the U.S. violated international law by assisting El Salvador
because Nicaragua’s actions were not sufficient to warrant El Salvador’s self-defense response.42
ii. Application of the Law of Armed Conflict to Cyberspace
There is tension among legal scholars and policy-makers on whether cybercrime and
cybersecurity are synonymous and whether some actions should be treated under the LOAC or
under criminal law.
One school of thought is that actions should be categorized either as being a cybercrime
or as a cyber attack (in the sense of terrorism or warfare). Scholars of this school say that within
cyberspace, cybercrime is distinguished from cyber warfare by the perpetrator’s intent and
effects of their actions and from this, courts can classify the action as a criminal or terrorist act.43
This distinction is significant because scholars who subscribe to this thinking further believe that
criminal acts, are considered a domestic security issue and should be prosecuted under criminal
statutes. 44
Conversely, cyber activity determined to be terrorism (by the perpetrator’s intent and
effects of the act) can trigger a defensive posture by the attacked country.45
This triggering act
then is considered to be a violation of the LOAC – even though the attack was carried out via
cyber means as opposed to a conventional kinetic attack. 46
The intent and focus of a cyber
terrorist is to destabilize a country and get publicity for their actions.47
This is in contrast to the
intent of a cybercriminal, which, again according to scholars of this school of thought, is usually
financial in nature – the theft of money, fraud, and sometimes the theft of information.48
This
distinction remains in place even if the methods used to effect the attack (e.g., denial of service,
virus, worm, etc.) is the same.49
Sometimes, however, distinguishing between cybercrime and cyber terrorism is difficult
because the descriptive words, specifically “security,” and “defense,” are interchangeable;50
6
therefore, the line between the two is difficult to determine.51
This difficulty has led to the
U.N.’s alternative school of thought, which is that cybercrime and cyberterrorism cannot be
bifurcated, that there is a blurry line between crime and war,52
and that cybercrime and cyber
terrorism issues cannot be separated because they are so interconnected.”53
Advocates for this
school of thought have illustrated how indistinctive the line is between criminal actions and those
that can be classified under the LOAC by highlighting how the military and civilians often work
together to mount cyber attacks in environments (e.g., air-conditioned office buildings) that
hardly resemble what one usually thinks of as a combat.54
Further, attackers do not even need to
come physically close to their targets and can pretty much mount an attack from anywhere, even
from a coffee shop, that has Internet access.55
Further blurring the line between what is
considered to be a criminal act versus an act that falls under the LOAC is that the U.N. only
considers attacks to be acts of war if the parties in conflict were sovereign states.56
For example,
the U.N. does not consider the 2007 denial-of-service attack on Estonian government offices to
be an act of war57
because there is no proof that the attack was initiated by a sovereign state –
even though some view the whole incident as the first cyberwar attack.58
B. International Criminal Law
International criminal law as applied to cyberspace is centered around two pieces of law:
the Computer Fraud and Abuse Act (“CFAA”) in the United States, and the Council of Europe’s
Convention on Cybercrime. Jurisdictional issues are often key factor in many international law
disputes, including in the cybersecurity realm, so after this section’s focus on the CFAA and the
Convention on Cybercrime, the following section59
will also draw a connection to the nexus
between international law jurisdictional principals and cybersecurity.
7
i. Computer Fraud and Abuse Act
The U.S. Computer Fraud and Abuse Act (“CFAA”) was enacted in 1984. The CFAA
prohibits persons from “knowingly” accessing “without authorization or exceeding . . .
authorized access.”60
Further, the CFAA characterizes the entities and types of data that are
protected, including financial records, federal agencies or departments, and protected
computers61
– defined as those affecting interstate or foreign commerce.62
ii. Council of Europe’s Convention on Cybercrime
The Council of Europe’s Convention on Cybercrime (“Convention on Cybercrime”)
came into being much later than the CFAA. The Convention on Cybercrime came into effect on
July 1, 2004, is the lone international treaty which addresses Internet crimes.63
Further, despite
its full name and origins in the Council of Europe, any state may join the Convention. 64
Unlike
the CFAA, the Council of Europe’s Convention on Cybercrime is a non-self-executing treaty
meaning that countries which ratify the treaty need to incorporate its terms into their own
statutory schemes. Specifically, the Convention on Cybercrime mandates that signatories
incorporate specific cybercrime offences into their criminal codes.65
These offenses include not
only illegal access to and interference with a computer system, but also include unlawful data
interception, forgery and fraud committed with the aid of a computer, and copyright
infringement.66
The absence of a reference to terrorist-related acts as being covered by the
Convention on Cybercrime is notable, especially in light of the U.N.’s definition of
“cybercrime,” which includes a reference to such acts - specifically, that even when terrorists use
computers to commit crimes, the acts are covered under the Convention on Cybercrime.67
Although European in origin and name, the Convention on Cybercrime is open to any
country in the world which would like to join.68
Notably, the U.S. has ratified the Convention on
8
Cybercrime, and commenting on the ratification, Richard Beaird, a Department of State official
responsible for international communications and information policy said in an April 2008
speech to the American Bar Association that the Convention on Cybercrime “offers the best legal
framework for the international community.”69
Even more significantly, however, is that Mr.
Beaird of the U.S. State Department also stated that nothing in U.S. statutory law (i.e., the
CFAA), needs changing as a result of ratifying the Convention on Cybercrime.70
However, the Convention on Cybercrime suffers from a similar semantics problem as the
LOAC. As interpreters of the LOAC have a difficult time articulating where the line is between
crime and war, or whether there are any differences at all, so too does the Convention on
Cybercrime have a definitional issue. Here, the major issue with the Convention on Cybercrime
is that each member has a high degree of flexibility in determining what exactly constitutes a
violation of the Convention on Cybercrime and further, because the Convention on Cybercrime
is not self-executing, each member can keep the definitions they place into their own statutory
regimes.71
Just in the European Union, for example, there is a wide range of definitions just for
unauthorized access to a computer system. These include: (1) accessing computer systems
where there has been some effort made to not permit open access; (2) requiring that actual
damage to the penetrated system; to (3) showing a movement from a “basic hacking offense” to
more serious offenses.72
C. The Nexus between Jurisdiction and Cybersecurity
Jurisdiction plays a large role in cybersecurity law. A major difference between the
CFAA and the Council of Europe’s Convention on Cybercrime is that the latter “provides for
extraterritorial jurisdiction.”73
Specifically, article 22(4) requires that signatory countries enact
9
laws that provides jurisdiction over acts that violate the Convention on Cybercrime but which
occur “outside the territory of the country but committed by one of its nationals.”74
How this plays out can be seen by comparing the outcome of the seminal case of Ivanov
v. United States75
under the CFAA and what would have likely occurred had the Convention on
Cybercrime existed at the time. From Russia, Aleksey Ivanov accessed a computer system in
Connecticut that contained credit card and other valuable data.76
Ivanov tried to extort money
from the owners in exchange for “security advice.” Some sources indicate that was sent to the
U.S. by Russia per an extradition request,77
but other, more primary sources indicate he was
convinced to come to the U.S. as part of an F.B.I. undercover operation.78
Regardless, Ivanov
was successfully prosecuted and the prosecution was able to show that Congress intended the
CFAA to apply extraterritorially.79
However, if the CFAA had an explicit clause granting
extraterritorial jurisdiction (as occurred later as part of the PATRIOT Act discussed infra)80
or if
the Convention on Cybercrime, with its extradition requirements, had been ratified by the U.S.,
then the prosecution would not have had to rely as heavily on showing legislative intent and
Russian government cooperation.81
i. The Territorial and Nationality Jurisdictional Principles and Cybersecurity
Two related international jurisdictional principles are the territorial and nationality
principles. Territorial jurisdiction is the most common and is true to its name – that is that if the
offense takes place within a state’s territory, then there is a firm foundation for claiming
jurisdiction.82
In turn, jurisdiction outside of a state’s borders – also called “extraterritorial
jurisdiction” – can be achieved via the nationality principle and is used specifically when a
national commits an offense outside of the prosecuting country.83
The seminal example of the
nationality principle is to prosecute American “sex tourists” who travel outside the U.S. to take
10
advantage of weak enforcement of child exploitation laws in other countries.84
Despite the
offenses occurring outside of the U.S., under U.S. law, American prosecutors can still go after
American nationals who commit these acts outside the U.S.85
and Congress can include
extraterritorial enforcement provisions when creating or amending other laws as well.86
Although the CFAA was interpreted to apply extraterritorially in Ivanov v. U.S.,87
the
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001, otherwise known as the PATRIOT Act, explicitly extended the
reach of the CFAA to allow for extraterritorial enforcement88
, and the Council of Europe’s
Convention on Cybercrime also provides for extraterritorial jurisdiction.89
However, semantically, when an action is said to have occurred “extraterritorially,” it
implies that it occurred in a geographic area – just one outside of the prosecuting country.90
But,
cyberspace by its very nature is not confined by geographic boundaries91
and so the problem
with applying territorial or extraterritorial jurisdiction is that “[c]yberspace is nowhere.”92
Significantly, the Internet uses packet switching technology where a piece of communication, for
example an e-mail, is broken up into discreet packets by the sender’s internet service provider
(“ISP”), sent over the Internet, and reassembled by the receiver’s ISP.93
The packets take the
shortest electronic route, which may not be the shortest geographic route, and may cross multiple
national physical borders during transmission, which essentially a space unconstrained by
geographic borders.94
Therefore, trying to artificially overlay the geographical border
implications of extraterritorial jurisdiction over cyberspace would be ineffective.95
ii. The Passive Personality or “Effects-Based” Jurisdictional Principle
On the opposite side of the same coin of the nationality principle is the passive
personality principle. In contrast to the nationality principle, where jurisdiction covers nationals
11
accused of crimes, the passive personality principle covers nationals who are victims of crimes.96
Specifically, the passive personality principle gives jurisdiction to the country on whose citizens
effects were felt. It is often referred to as “effects-based” jurisdiction.97
The S.S. Lotus98
case is
the seminal personality principle or effects-based jurisdiction case where the main controversy
was whether Turkey had to show a rule that granted it permission to arrest a French ship skipper
for alleged crimes, or whether the burden was on France to prove that Turkey was prohibited
from doing so.99
In essence, S.S. Lotus stands for the concept that under international law, actions
that are not specifically prohibited are allowed.100
Applied to cybercrime, the passive personality jurisdictional principle was one of the
critical success factors in the prosecution in the Ivanov case. While the prosecution was able to
show legislative intent that Congress meant for the CFAA to apply extraterritorially, the
prosecution also was able to successfully get jurisdiction through the passive personality
principle by showing that Alexsey Ivanov’s actions had adverse effects on U.S. nationals,101
so
prosecutors do not have to necessarily rely on just one type of jurisdiction to be effective.
iii. The Special Maritime and Territorial Jurisdictional Principle
Significantly, there is a subset of the territorial-nationality jurisdiction called the “special
maritime and territorial jurisdiction.”102
The U.S. has used special maritime and territorial
jurisdiction to extend to other countries’ nationals on ships in other countries’ territorial waters
when the ships have scheduled departures or arrivals in U.S. ports and when the victims were
U.S. nationals.103
iv. Protective Jurisdictional Principle
The protective principle is usually used to establish jurisdiction for espionage, official
document falsification, and immigration and custom conspiracy prosecutions.104
This
12
jurisdictional principle has been interpreted very broadly and does not require a showing of an
adverse affect within the U.S.105
v. Universality Jurisdictional Principle
Universal jurisdiction is closely connected with customary law as it, along with
international agreement, is one of two ways to establish jurisdiction using this principle.106
The
seminal case for customary law is Paquete Habana107
where the court held that fishing vessels
can continue working during wartime and cannot be captured because this it has been the custom
of Navies worldwide for over 600 years to allow fishing vessels to go on with their business
regardless of their nationality.108
Essentially, universal jurisdiction can be used when a law of
“universal concern” or universal agreement is involved. Examples include “piracy, slave trade,
attacks on or hijacking of aircraft,” and so forth.109
For prosecutors to make effective use of universal jurisdiction, they need to ensure that
six factors are met.110
These six factors are: (1) countries uniformly agree that the act is
unlawful; (2) the definition of the act is narrow and universally-accepted; (3) consequences for
the act are consistent across national boundaries; (4) the accused refuses the protection of their
country of citizenship; (5) domestic enforcement of the customary law in the location where the
act occurred is difficult; and, (6) the harm resulting from the act is international in nature and
affects more than one country.111
III. Proposed Solutions
A. Greater Reliance on Customary Law
Customary law is based on parties agreeing that certain acts are unlawful and is
sometimes termed the “Rule of Norms.”112
In the cyberspace arena, a recent White House
13
cyberspace article cited the “Rule of Norms” and noted specifically that common definitions and
understanding could go a long way toward creating the international law that governs
cyberspace.113
In particular, when state actors are involved, some scholars believe that most
countries would agree that state-sponsored cyber attacks are unlawful under customary
international law.114
The unlawfulness of State-sponsored attacks is further highlighted by Corfu
Channel’s key point that States cannot permit actions against other states to originate from their
territory, which although occurring in the early 1900s, can be applied to argue that State-
sponsored cyber attacks are unlawful.115
However, there are two primary drawbacks which preclude the effective application of
customary international law to cybersecurity issues. The first of these is customary law’s
requirement for a common viewpoint and common set of definitions116
and the second is the
focus on state actors and the lack of customary law governance over non-state-actors,117
The need for all parties to have a common viewpoint on what acts are unlawful and have
a common set of definitions is probably the most fatal drawback when trying to apply customary
international law to cybersecurity issues.118
Specifically, a common definition for what exactly
constitutes a cyberspace does not currently exist with sufficient specificity to become part of
customary law.119
Cyberspace has been variously defined as, “an evolving man-made domain
for the organization and transfer of data using various wavelengths of the electromagnetic
spectrum”120
to a place where “exchanges of communications [occur] and content between users
where the content is transported across the infrastructure. . . .”121
The significance of definitional
disagreement in the customary law context is that the arguments of parties relying on customary
law tend to be disregarded.122
Tel-Oren v. Libyan Arab Republic123
is the seminal case where
customer law is shown to be ineffective when there is not a common consensus on key
14
definitions.124
In Tel-Oren, a father charged Libya with responsibility for killing his child on a
civilian bus in Israel as a part of a terrorist act.125
The court dismissed the father’s claim partly
because there was little international agreement as to the definition of terrorism.126
Another drawback of trying to apply customary law to cybersecurity is that customary
law only applies to States or persons acting under the color of states unless the law specifically
covers non-state actors.127
Since non-State or private actors can initiate cyber attacks as well as
states themselves, such a gap in the law is a major drawback to relying on customary law to
prosecute cybercrimes. For example, the FBI believes that Al-Qaeda might attempt to initiate a
cyber attack in the future128
and so the U.S. government might have a difficult time pursuing a
non-state actor such as Al-Qaeda in the courts under traditional customary law.
B. Give the International Criminal Court Exclusive Jurisdiction Over Cybercrimes
This idea has its origins in the Anti-Drug Abuse Act, which while did not provide the
International Criminal Court (“ICC”) in The Hague with jurisdiction of international drug
traffickers directly, did direct the President of the U.S. to begin negotiations on the creation of a
court with this sort of jurisdiction.129
A similar court could be created for the prosecution of
cybercrimes, or jurisdiction could be given to the existing International Criminal Court (“ICC”).
The benefits of this proposal are mostly in the area of concurrent jurisdiction – that is
where two or more States believe they should be able to prosecute a violation – similar to the S.S.
Lotus130
case. Such a court, for example, has been used when the U.K., U.S., and Libya all
wanted jurisdiction over prosecution over Pan Am 103 bomber and the compromise was to have
the case tried in the ICC.131
However, as was the case in with the Pan Am bombing trial, there may be fear that a trial
would not even take place or that the trial would not be effective.132
Additional drawbacks to
15
this solution include that the States to whom the parties of a cybersecurity case might belong
might use the trial for political purposes or that the States might be unwilling to turn over
suspects to the ICC and rather, try to shield them from international adjudication.133
Further,
another major drawback of relying on the ICC is that the United States is not a signatory to the
Rome Statute which established the ICC and therefore decisions from that court are not binding
upon the United States.134
C. Prosecute Cybersecurity Violations under Universal Jurisdiction
While it might be tempting for Convention on Cybercrime members to try and use
universal jurisdiction, given the dispute noted previously on what “unauthorized access”
means,135
the requirement for a uniform definition would be tough to meet in the cybersecurity
context.136
D. Broaden the Definition of “Extraterritorial” to Include “Cyberspace” and
Continue to Prosecute Cybercrimes under Extraterritorial Jurisdiction
Currently, the Convention on Cybercrime as well as the CFAA (via the PATRIOT) Act
explicitly leverage extraterritorial jurisdiction. The principle drawback of relying on this type of
jurisdiction, as discussed supra, is that it implies that an offense occurred within a defined
geographic space,137
but “cyberspace is nowhere,”138
so prosecutions could potentially be
defeated on this ground.
While somewhat simple and perhaps inelegant, one possible solution is to formally define
extraterritorial jurisdiction as including cyberspace, or even more broadly as domains which are
not limited or defined by geographic boundaries so as to possibly account for future
technological developments that use something besides cyberspace.
Advantages of this method include that it might be easier from a procedural standpoint to
amend definitional sections in the U.N. Charter and Title 18 of the U.S. Code (which addresses
16
criminal activity) rather than specific treaties and statutes. This would further have the effect of
applying the expanded definition more broadly to treaties and statues beyond the Convention on
Cybercrime and the CFAA respectively. However, it would have the disadvantage of causing
possible unintended and unknown consequences. This risk could be mitigated by limiting the
expanded definition to just the Convention on Cybercrime and the CFAA.
E. Place Partial Cyberspace Security Burden on Private Infrastructure Providers and
Enforce Administratively
Very recently, General Keith Alexander, the head of Cyberwarfare Command, referred to
unspecified events that warrant the need for private companies that provide critical infrastructure
to bear some of the burden for protecting the U.S. from cyber attacks.139
Gen. Alexander further
discussed how he felt that leaving it to the free market to encourage critical infrastructure
providers to provide this protection themselves probably is not adequate and so implied that the
government needs to legislate enforcement.140
While Gen. Alexander did not refer to a specific
bill, he was likely lending support to the “Homeland Security Cyber and Physical Protection Act
of 2011”141
which, if enacted, will establish a Cybersecurity Compliance Division that in turn
can promulgate regulations requiring critical infrastructure providers to meet certain likely high
standards of cybersecurity protection.142
The advantages of this bill include that it is in line with general administrative law
concepts that detailed rulemaking, especially in technically complex areas, should be left to the
experts.143
Also, if regulations are enacted properly, they would cover domestic, as well as
international cyber threats. The primary disadvantage, of course, is that as Sen. McCain pointed
out, it would increase the regulatory burden on private companies in a struggling economy. This
burden may be mitigated somewhat by section 224(c) of the bill that specifies that regulations
should be made after looking at the risks involved including threats, vulnerabilities, and
17
consequences.144
This implies that rule makers will be tempered somewhat and only make
regulations that truly are needed.
F. Enhance the Convention on Cybercrime with Special Maritime and Territorial
Jurisdiction
Finally, a new proposal is to replace or add to the Council of Europe’s Convention on
Cybercrime’s use of extraterritorial jurisdiction with special maritime and territorial jurisdiction.
The advantage of the latter, is that a prosecuting entity can more easily gain jurisdiction over
persons residing in a country other than the one prosecuting, regardless of who (e.g., a private
person) or entity (e.g., embassy, consulate, or corporation).145
Further, this type of jurisdiction is
generally expressly provided for in a statute leaving less room for dispute on how or should be
applied.
i. Cyber Attacks and Piracy: Parallels and Similarities
The first of two major similarities between cyber attacks and piracy is that, as was seen in
the Estonian case, it can be difficult to trace who exactly perpetrated an intrusion or cyber attack
event.146
Similarly, pirates are difficult to track down because they either do not fly a nation’s
flag (rather the pirates flag), or fly one that is not of their own.147
While this is addressed in the
piracy case by applying universal jurisdiction, extending this thinking to the prosecution of cyber
attack perpetrators is probably not wise given the drawbacks of universal jurisdiction discussed
next.
The second of two major similarities between cybercrime and piracy are that the venues
for these crimes – specifically cyberspace and the high seas respectively – do not belong to or
fall under the territorial jurisdiction of any one country.148
This means that to prosecute these
crimes, forms of jurisdiction not based on territorial boundaries must be explored.149
18
Piracy is covered by universal jurisdiction,150
but applying universal jurisdiction to other
areas of the law is risky and comes with severe drawbacks. The first of these is that it can be
easy for lawmakers to create universal jurisdiction over customary law that truly is not
customary.151
An example are the Terrorism Treaties drawn up in the 1970s and 1980s which
addressed crimes that fall under the heading of “international terrorism” and include airline
hijacking, terrorist bombings, torture, hostage-taking, and crimes that purposely impair maritime
navigation.152
The problem was that there was no foundation for these crimes to be considered a
part of customary law and so really were inappropriately covered under universal jurisdiction in
the treaties153
and given that there are diverging opinions on what constitutes cybercrime and
cyberspace,154
applying universal jurisdiction to here would be unwise.
Another drawback of applying universal jurisdiction to laws beyond piracy is it is easy
for lawmakers to exclude State action. Historically, piracy has always been considered a private
action somewhat purposely to avoid creating conflicts between States.155
Applied to
cybercrimes, it would be very easy to similarly write statutes that fall under universal jurisdiction
but leave out the ability to prosecute States who are often thought to perpetrate cyber attacks.156
ii. Cybercrime and Piracy: Differences
Outside of the U.S., piracy is enforced through the United Nations Convention on the
Law of the Sea.157
However, unlike the Convention on Cybercrime, the United States is not a
signatory of the Law of the Sea convention,158
so by having the Convention in Cybercrime in
place makes actually puts the U.S. in a better position to tackle cybercrime on the international
level because it has the backing of the “best legal framework of the international community” to
help back it up.159
19
iii. Alternative: Special Maritime and Territorial Jurisdiction
Given that Convention of Cybercrime is already in place and at least provides a
foundation for prosecution of cyber attacks on the international level, but that exercise of
universal and extraterritorial jurisdiction have drawbacks, the U.S. could suggest that the
Convention on Cybercrime be modified, or in the alternative, make a reservation to use special
maritime and territorial jurisdiction.
Continuing the analogy to piracy, although U.S. legislation generally provides that
prosecution of piracy falls under universal jurisdiction,160
the U.S. also may prosecute under the
special maritime and territorial jurisdiction.161
The crime of piracy is defined as, “[w]hoever, on
the high seas, commits the crime of piracy as defined by the law of nations . . . ,”162
and the
special maritime and territorial jurisdiction includes the “high seas.”163
And, just as the “high
seas” are not within the territorial jurisdiction of any country164
cyberspace, as discussed
supra,165
the “place” where cybercrime occurs, not being a tangible place,166
also cannot be
governed via traditional territorial jurisdiction.
If the special maritime and territorial jurisdiction were similarly applied to cyber attacks,
it would resolve the problem with extraterritorial jurisdiction being linked to geographic
boundaries. Further, the special maritime jurisdiction does not have the problem of universal
jurisdiction of being tied to customary law and in turn the problem with a range of definitions for
cyber attacks and cyberspace. And, if the special maritime jurisdiction were to be integrated into
the already existing base the U.S. has in being a member of the Convention on Cybercrime,
which has been stated to be a good legal framework, it might be legislatively efficient as making
an amendment is likely less burdensome than creating brand new law.
20
IV. Conclusion: Final Recommendation
Rather than relying on the advantages of one of these single solutions, the best solution is
a hybrid of the latter two – that is placing some burden on private entities that supply critical
infrastructure as well as incorporating the special maritime and territorial jurisdiction into the
Convention on Cybercrime so that their advantages can complement the other while mitigating
the disadvantages of each.
One major advantage is that a hybrid solution contains both the defensive elements of
private infrastructure providers enhancing their security protocols while also providing the
offensive elements of the likely more effective prosecution enabled by incorporating the special
maritime and territorial jurisdiction into the Convention on Cybercrime.
In addition, while Congress may have a difficult time enacting an organic statute that
enables an existing agency to create new regulations as part of the private entity part of the
hybrid solution, by showing that the government is also taking on some burden, specifically
improving how crimes can be prosecuted under the already-existing Convention on Cybercrime,
it will provide regulated businesses with a good faith indication that the government is taking
responsibility as well.
Finally, in addition to the benefits that each solution will provide individually, creating a
public-private hybrid has the possible advantage of leveraging the significant skills of both the
policy- and business- focused skills and resources of government agencies and the private sector,
which could lead to significant efficiencies and creativity in improving existing and developing
new defensive mechanisms as well and continuing to “play offense” effectively when required.
21
ENDNOTES
1 Janet Reno, U.S. Attorney General, Keynote Address on High-Tech and Computer Crime,
Address at the P-8 Senior Experts’ Group on Transnational Organized Crime (Jan. 21, 1995),
available at: http://www.irational.org/APD/CCIPS/agfranc.htm.
2 See Duncan B. Hollis, Why States Need an International Law for Information Operations, 11
LEWIS & CLARK L. REV. 1023,1024 (2007); Katharine C. Hinkle, Countermeasures in the Cyber
Context: One More Thing to Worry About, YALE J. INT’L L.ONLINE 1, 13 (2011). 3 Id. (describing that the cyber attack on Estonia began on April 27, 2007, the day when Estonia
moved a Russian war memorial from the center of Tallinn – Estonia’s capital. Although Estonia
is no longer a part of the now-defunct Soviet Union, the Estonia is still home to a large Russian
population who, along with the Russian government, objected to the move of the war memorial.
Initially, the attack made Estonian government websites, including the Estonian Parliament’s
email system, the President’s and Prime Minister’s offices, as well as the Foreign and Justice
ministries, inaccessible for long periods of time making it a denial of service attack. The attack
lasted three weeks and spread beyond government computers to include those belonging to
financial institutions, Internet service providers, newspapers, television stations, and even
telephone exchanges, which disabled critical “911” fire and rescue numbers. 4 Bradley Graham, Hackers Attack Via Chinese Web Sites, WASH. POST, Aug. 25, 2005, at A1.
5 Adam Levine, Millions spent defending Pentagon computers from attack, CNN (Apr. 7, 2009,