International Cybertorts: Expanding State Accountability in Cyberspace

States are not being held accountable for the vast majority of their harmful cyberoperations, largely because classifications created in physical space do not map well onto the cyber domain. Most injurious and invasive cyberoperations are not cybercrimes and do not constitute cyberwarfare, nor are states extending existing definitions of wrongful acts permitting countermeasures to cyberoperations (possibly to avoid creating precedent restricting their own activities). Absent an appropriate label, victim states have few effective and nonescalatory responsive options, and the harms associated with these incidents lie where they fall. This Article draws on tort law and international law principles to construct a comprehensive system of state accountability in cyberspace, where states are liable for their harmful acts and responsible for their wrongful ones. It identifies international cybertorts-acts that employ, infect, or undermine the internet, a computer system, or a network and thereby cause significant transboundary harm-as distinct from cybercrime and cyberwarfare. Not only does this term distinguish a specfic kind of harmful act, it highlights how the principle of state liability for transboundary harms (which holds states accountable for the harmful consequences of both their lawful and unlawful activities) could usefully complement the existing law of state responsibility (which applies only to unlawful state acts). Imposing state liability for international cybertorts minimizes the likelihood that victim states will resort to escalatory responses, increases the chance that those harmed will be compensated, and preserves a bounded grey zone for state experimentation in cyberspace

International Cybertorts: Expanding State Accountability in Cyberspace

States are not being held accountable for the vast majority of their harmful cyberoperations, largely because classifications created in physical space do not map well onto the cyber domain. Most injurious and invasive cyberoperations are not cybercrimes and do not constitute cyberwarfare, nor are states extending existing definitions of wrongful acts permitting countermeasures to cyberoperations (possibly to avoid creating precedent restricting their own activities). Absent an appropriate label, victim states have few effective and nonescalatory responsive options, and the harms associated with these incidents lie where they fall. This Article draws on tort law and international law principles to construct a comprehensive system of state accountability in cyberspace, where states are liable for their harmful acts and responsible for their wrongful ones. It identifies international cybertorts-acts that employ, infect, or undermine the internet, a computer system, or a network and thereby cause significant transboundary harm-as distinct from cybercrime and cyberwarfare. Not only does this term distinguish a specfic kind of harmful act, it highlights how the principle of state liability for transboundary harms (which holds states accountable for the harmful consequences of both their lawful and unlawful activities) could usefully complement the existing law of state responsibility (which applies only to unlawful state acts). Imposing state liability for international cybertorts minimizes the likelihood that victim states will resort to escalatory responses, increases the chance that those harmed will be compensated, and preserves a bounded grey zone for state experimentation in cyberspace

International Cybertorts: Expanding State Accountability in Cyberspace

States are not being held accountable for the vast majority of their harmful cyberoperations, largely because classifications created in physical space do not map well onto the cyber domain. Most injurious and invasive cyberoperations are not cybercrimes and do not constitute cyberwarfare, nor are states extending existing definitions of wrongful acts permitting countermeasures to cyberoperations (possibly to avoid creating precedent restricting their own activities). Absent an appropriate label, victim states have few effective and nonescalatory responsive options, and the harms associated with these incidents lie where they fall. This Article draws on tort law and international law principles to construct a comprehensive system of state accountability in cyberspace, where states are liable for their harmful acts and responsible for their wrongful ones. It identifies international cybertorts—acts that employ, infect, or undermine the internet, a computer system, or a network and thereby cause significant transboundary harm—as distinct from cybercrime and cyberwarfare. Not only does this term distinguish a specific kind of harmful act, it highlights how the principle of state liability for transboundary harms (which holds states accountable for the harmful consequences of both their lawful and unlawful activities) could usefully complement the existing law of state responsibility (which applies only to unlawful state acts). Imposing state liability for international cybertorts minimizes the likelihood that victim states will resort to escalatory responses, increases the chance that those harmed will be compensated, and preserves a bounded grey zone for state experimentation in cyberspace

Virtually Defenseless: Americaʼs Struggle to Defend Itself in Cyberspace and What Can Be Done About It

Nearly twenty-five years after the United States sounded the alarm regarding the risks to US national and economic security posed by the internet, we are struggling in our battle in and for cyberspace. Russia and China, other nation-states, and nation-state-aligned groups have come to regularly employ cyber-enabled espionage, information operations, and cyber effects operations against the United States and its allies to disrupt and degrade civil society and democratic political and institutional stability and to threaten or disrupt critical economic sectors and critical infrastructure. Making matters worse, adversaries have done so with little pushback or consequence. The United States, for all of its undeniable cyber capabilities, has for two decades misconstrued core elements of conflict and competition in cyberspace, focusing on the remote possibility of full-blown cyberwar instead of the ongoing pattern of adversary action below the threshold of war and seeking to address those attacks as individual incidents instead of essential elements of comprehensive political warfare campaigns waged by adversaries against the United States. As a result, US policy has been centered on flawed and incomplete defensive cyber strategies that relied almost exclusively on hardening targets via technical defenses while neglecting defensive cyber effects operations to counter adversary cyber capabilities and failing to have a systematic answer for cyber-enabled influence operations and information warfare. This article examines the complex roots of Americaʼs challenges in cyberspace and sets forth a vision for a US cyber strategy that is essential to and inextricable from emerging US grand strategy for the post-post-9/11 world

WHO CARES WHO, JUST MAKE IT STOP: THE CRITICALITY OF ATTRIBUTION AND NORMS IN SECURING THE CYBER DOMAIN

Security within the cyber domain continues to be an elusive target due to the rapid evolution of the domain and associated threats. Identifying the critical roles within security mechanisms to protect the cyber domain and the critical infrastructure it touches enables more effective means of security and appropriate management of resources. Examining high-profile malicious cyber events perpetrated against nation-states allegedly by nation-states, along with the peer competition space focusing on known malicious actors, enables a broad look at how the attribution of malicious actions and enforcement of normative behavior factor into security within the cyber domain. Exploring the current relationship between the public and private sectors and the potential for integrated defense identifies variances in problem framing, resource availability and allocation, and transparency. These factors demonstrate capabilities and limitations for creating effective and adaptable security within the cyber domain. While attributing malicious cyber actors enhances the ability to secure the cyber domain, it is not a critical aspect. The ability to identify and highlight actors has shown limited effect in deterring malicious events and often requires significant resource investment. Similarly, the ability to enforce normative behavior within the cyber domain is limited in scope and effectiveness. Most nation-states lack the ability to enforce normative behavior against other actors, and actions such as sanctions, political pressure, or economic incentives have not been shown to deter malicious activity or enforce adherence to norms. Due to these factors' limited ability to increase security within the cyber domain, nation-states must look towards multi-faceted defensive approaches. A defense in depth focusing on identifying vulnerabilities, correcting vulnerabilities before exploitation, mitigating vulnerabilities after exploitation, and sharing information across sectors, is a more responsive and adaptable means of securing the cyber domain

Domestic Law Responses to Transnational Cyberattacks and Other Online Harms: Internet Dreams Turned to Internet Nightmares and Back Again

Since its utilization has become widespread, the potential of the Internet has often been overshadowed by the harms it’s capable of bringing upon society. Regulation has not yet properly addressed the harms presented to individuals’ cybersecurity and the U.K. has focused and set objectives at a national security level, while ignoring the effects of attacks on individual citizens. This Article considers whether it is possible to create a domestic legal response to transnational cyberattacks and the appropriateness of law to address the threats, as they exist. The law must be efficient, effective, and fair, which are all aims it may achieve by setting out tactical and operational mechanisms, including police powers, criminal offenses, and sanctions. This Article examines instances of cyber-attacks, existing laws and their appropriateness for achieving the above-mentioned objectives. A comprehensive legal framework that includes tactical interventions the state could take and existing operational interventions, which may be used or expanded on to fully address the risk and resulting harm from these attacks, is advanced. Ultimately, law cannot provide all the solutions for the harms presented by these attacks due to transnationality, instantaneity and accessibility issues, in addition to political harms. The comprehensive plan in this Article illuminates the need for the whole of society—government, civil society, and the private sector—to address cybersecurity attacks

Manhattan_Project.exe: A Nuclear Option for the Digital Age

This article explores the possible implications and consequences arising from the use of an artificial intelligence construct as a weapon of mass destruction. The digital age has ushered in many technological advances, as well as certain dangers. Chief among these pitfalls is the lack of reliable security found in critical information technology systems. These security gaps can give cybercriminals unauthorized access to highly sensitive computer networks that control the very infrastructure of the United States. Cyberattacks are rising in both frequency and severity and the response by the U.S. has been ineffective. A cyber-weapon of mass destruction (CWMD) implementing an artificial intelligence construct would operate on different fundamental principles than a kinetic WMD, but it would be no less effective in eliminating threats to the security of domestic information networks. This article will first examine the current state of artificial intelligence as it exists in both the private sector and in military and intelligence applications. Second, this article will discuss the distinctions between kinetic war and cyberwar and the deployment of WMDs; the capabilities and applications of a possible CWMD will be discussed at this point as well. Third, issues concerning international law will be addressed as applicable to artificial intelligence, automated warfare, and WMDs generally. Finally, this article will examine some dangers associated with the use of an artificial intelligence construct capable of learning as well as the necessity of such a program

Making Democracy Harder to Hack

With the Russian government hack of the Democratic National Convention email servers and related leaks, the drama of the 2016 U.S. presidential race highlights an important point: nefarious hackers do not just pose a risk to vulnerable companies; cyber attacks can potentially impact the trajectory of democracies. Yet a consensus has been slow to emerge as to the desirability and feasibility of reclassifying elections—in particular, voting machines—as critical infrastructure, due in part to the long history of local and state control of voting procedures. This Article takes on the debate—focusing on policy options beyond former Department of Homeland Security Secretary Jeh Johnson’s decision to classify elections as critical infrastructure in January 2017—in the U.S., using the 2016 elections as a case study, but putting the issue in a global context, with in-depth case studies from South Africa, Estonia, Brazil, Germany, and India. Governance best practices are analyzed by reviewing these differing approaches to securing elections, including the extent to which trend lines are converging or diverging. This investigation will, in turn, help inform ongoing minilateral efforts at cybersecurity norm building in the critical infrastructure context, which are considered here for the first time in the literature through the lens of polycentric governance