{"id":4669,"date":"2015-12-17T08:05:52","date_gmt":"2015-12-17T13:05:52","guid":{"rendered":"http:\/\/journals.law.harvard.edu\/nsj\/?p=4669"},"modified":"2016-02-01T15:37:54","modified_gmt":"2016-02-01T20:37:54","slug":"so-youre-telling-me-theres-a-chance-how-the-articles-on-state-responsibility-could-empower-corporate-responses-to-state-sponsored-cyber-attacks","status":"publish","type":"post","link":"https:\/\/journals.law.harvard.edu\/nsj\/2015\/12\/so-youre-telling-me-theres-a-chance-how-the-articles-on-state-responsibility-could-empower-corporate-responses-to-state-sponsored-cyber-attacks\/","title":{"rendered":"So You\u2019re Telling Me There\u2019s A Chance: How the Articles on State Responsibility Could Empower Corporate Responses to State-Sponsored Cyber Attacks"},"content":{"rendered":"

By Daniel Garrie and Shane R. Reeves[1]<\/a><\/p>\n

Click here to read the full text as a PDF.<\/a><\/p>\n

\u201c[U.S] information systems face thousands of attacks a day from criminals, terrorist organizations, and more recently from more than 100 foreign intelligence organizations.\u201d<\/em>[2]<\/a><\/p>\n

Looking forward, if the pace and intensity of attacks increase and are not met with improved defenses, a backlash against digitization could occur, with large negative economic implications. Using MGI data on the technologies that will truly matter to business strategy during the coming decade, we estimate that over the next five to seven years, $9 trillion to $21 trillion of economic-value creation, worldwide, depends on the robustness of the cybersecurity <\/em>environment<\/em><\/a>.[3]<\/strong><\/a><\/em><\/p>\n

I. Introduction<\/p>\n

Corporate America is facing a relentless wave of state sponsored hostilities in cyber space.[4]<\/a> Prominent recent examples include: Russia \u201cattack[ing] the U.S. financial system\u201d and stealing data from J.P. Morgan Chase & Company in August 2014<\/a>;[5]<\/a> the December 2014 North Korea hack of Sony over the release of a comedy titled \u201cThe Interview<\/a>,\u201d[6]<\/a> and the continuing efforts of Chinese military unit 61398 to gain access to strategically important corporate<\/a> intellectual<\/a> property<\/a>.[7]<\/a> Whether motivated by economics, ideology, or nationalism, the cyber targeting of corporations is increasingly the modus operandi of hostile state actors<\/a>.[8]<\/a> Leaving this tactic unchecked poses a significant risk to both corporate interests and U.S. national security.[9]<\/a><\/p>\n

While non-state cyber threats to corporations are no less pernicious<\/a>,[10]<\/a> a broad array of federal statutes that regulate computer-related misconduct address such threats.[11]<\/a> This domestic legal regime provides a victimized corporation both a criminal and civil roadmap for addressing a cyber incident.[12]<\/a> By contrast, it is international law that regulates the response when a state conducts hostile cyber activity against a corporation. International law currently prohibits non-state actors\u2014including corporations\u2014from responding to state hostility themselves.[13]<\/a> Only state actors have the legal authority to respond to other state actors.[14]<\/a> As a result, a targeted corporation must hope that its host state will act on behalf of its interests. Unfortunately, despite some recent efforts to build a more robust public-private partnership to address state sponsored cyber hostilities, government responses are unpredictable and have proven inadequate at defending corporate interests.[15]<\/a> As the frequency and intensity of state sponsored hostile activity increases, this arrangement is becoming untenable.<\/p>\n

Is it possible to give corporations greater discretion in how they defend their interests from hostile state cyber activity without undercutting the well-established international norm that only states can act against other states? The answer to this question is a limited \u201cyes.\u201d International law recognizes the authority of a state to empower private corporations to assume certain governmental functions.[16]<\/a> These governmental functions may include responding with cyber countermeasures that are traditionally off-limits to corporations.[17]<\/a> However, the delegation of this governmental authority does come with risk for the state. Since the corporation is viewed as an appendage of the government, the authorizing state retains legal responsibility for the countermeasures.[18]<\/a> It is therefore imperative for the authorizing state to clearly articulate the parameters on these actions in order to avoid violating international law or, more importantly, inadvertently causing an armed conflict.<\/p>\n

This article will begin with a brief summary of the international legal framework that regulates state interactions. The legal authority for government sanctioned corporate countermeasures, as well as the limitation on these actions, becomes apparent through this framework. The reasons that targeted states need to invoke this authority and how they should limit the countermeasures will follow. The article will conclude with a recommendation that host states, despite the associated risks with such a decision, empower victimized corporations with the authority to use countermeasures in response to hostile state cyber activity.<\/p>\n

II. International Law and State Relationships<\/p>\n

Public international law governs the interaction between states.[19]<\/a> Within this broad category of international law there are more specialized sub-categories including the law of state responsibility, the jus ad bellum<\/em>, and the jus in bellum<\/em>. The law of state responsibility outlines the obligations states owe to each other as well as their concomitant responsibilities if they commit an internationally wrongful act.[20]<\/a> When these internationally wrongful acts are interpreted as a use of force state relations may devolve into armed conflict as a result.[21]<\/a> The international law which regulates armed conflict is comprised of two distinct strands known as jus ad bellum and jus in bello. Jus ad bellum, <\/em>which lays the framework for when a state actor may resort to war, is \u201cgoverned by an important, but distinct, part of the international law set out in the United Nations Charter,\u201d[22]<\/a> and only allows for the use of force in cases of self-defense or if condoned by the collective judgment of the international community.[23]<\/a> Jus in bello<\/em>, on the other hand, governs the actions of those participating in a conflict by establishing a delicate balance between military necessity\u2014\u201cthe wartime necessity of killing and destroying military objectives\u201d \u2014 and humanity\u2014\u201cthe wartime requirement of preventing unnecessary suffering and protecting the civilian population<\/a>.\u201d[24]<\/a> The International Committee of the Red Cross (ICRC), in describing the differences between the two stated that \u201c[j]us ad bellum<\/em> refers to the conditions under which one may resort to war or to force in general; jus in bello<\/em> governs the conduct of belligerents during a war, and in a broader sense comprises the rights and obligations of neutral parties as well<\/a>.\u201d[25]<\/a><\/p>\n

As this section addresses the legal justification for a response to hostile cyber activity only the law of state responsibility and the jus ad bellum<\/em> will be discussed.[26]<\/a> The law of state responsibility provides a path for more aggressive corporate responses to hostile cyber activity. However, if this corporate response is too aggressive, it may be construed as an illegal use of force or even an armed attack. Consequently, the corporation may be responsible for triggering the jus ad bellum<\/em> and dangerously elevating the cyber incident into a justification for a military response. State actors would be foolish to authorize a private corporation to start an armed conflict. It is therefore important to briefly examine how the law of state responsibility provides for the empowerment of a corporation victimized by a hostile state cyber act and the consequences if those actions are misinterpreted.<\/p>\n

A. The Law of State Responsibility and Corporate Countermeasures<\/em><\/p>\n

State responsibility for committing an international wrongful act is found in customary international law and reflected for the most part in the International Law Commission\u2019s Articles of State Responsibility.[27]<\/a> Underlying these articles is a belief in the inviolability of state sovereignty[28]<\/a> and the need to hold accountable those states that violate international law. The articles \u201cdo not attempt to define the content of the international obligations, the breach of which gives rise to responsibility\u201d but rather to outline the \u201cgeneral conditions under international law for the State to be considered responsible for wrongful acts or omissions<\/a>.\u201d[29]<\/a> The Articles of State Responsibility therefore do not simply codify the legal rights and obligations of state actors but also outline in broad terms the consequences of a violation of international law.[30]<\/a><\/p>\n

One possible consequence for a state that chooses to commit an international wrongful act is entitling a targeted state to resort to countermeasures.[31]<\/a> \u201cCountermeasures are actions by an injured State that breach obligations owed to the \u201cresponsible\u201d State (the one initially violating its legal obligations) in order to persuade the latter to return to a state of lawfulness<\/a>.\u201d[32]<\/a> In other words, a state victimized by another is authorized to use acts traditionally prohibited under international law to force the offending state to comply with its legal obligations. As countermeasures are intended to induce a state to comply with international law rather than as a punitive response, these acts are limited in severity and disallowed immediately upon cessation of the triggering illegal act.[33]<\/a> Most importantly, countermeasures must not involve the threat or use of force as these acts are exclusively regulated by the United Nations Charter and customary international law.[34]<\/a><\/p>\n

The Tallinn Manual<\/a>[35]<\/a> notes the applicability of countermeasures to cyber space. It provides that \u201ca state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber countermeasures\u201d against a responsible state.[36]<\/a> Internationally wrongful acts can range from the severe\u2014such as a violation of the United Nations Charter\u2014to the more benign\u2014such as a breach of the non-intervention principle.[37]<\/a> What is clear is that a state actor conducting hostile cyber operations against a corporation unquestionably commits an internationally wrongful act.[38]<\/a> It is irrelevant whether these activities are physically destructive or injurious, but only that they are unlawful and detrimental.[39]<\/a> How the internationally wrongful act is interpreted will, however, drive the response. If the cyber activity targeting the corporation is an armed attack, the host state\u2019s right of self-defense option to use force applies.[40]<\/a> For those hostile cyber acts falling below the armed attack threshold, non-forceful countermeasures are an appropriate and authorized response.[41]<\/a><\/p>\n

In almost all situations countermeasures are reserved for use by a victimized state. The Articles of State Responsibility make clear that violations of a state\u2019s sovereignty by non-state actors are not permitted. Article 2 expresses that \u201c[t]here is an internationally wrongful act of a State when conduct consisting of an action or omission\u201d is attributable to the State.[42]<\/a> Inclusion of \u201comission\u201d as a form of attribution is important as a non-state actor, in this case a corporation, could respond in such a way that the government becomes responsible. For this reason a corporation is unauthorized to unilaterally engage a state participating in hostile cyber activities.[43]<\/a><\/p>\n

However, there is an exception to this general rule: An injured state which decides to invoke its right to use countermeasures may empower a non-governmental entity to act on its behalf. Article Five of the Articles of State Responsibility states that an \u201centity which is not an organ of the State\u201d may be permitted by domestic law to exercise elements of governmental authority.[44]<\/a> The term \u201centity\u201d may include \u201cpublic corporations, semi-public entities, public agencies of various kinds and even, in special cases, private companies, provided that in each case the entity is empowered by the law of the State to exercise functions of a public character normally exercised by State organs.\u201d[45]<\/a> While the definition of \u201cgovernmental authority\u201d is intentionally left vague to accommodate various interpretations, the use of a countermeasure is clearly within any reasonable interpretation of this term.[46]<\/a> In fact, countermeasures are a relatively minor exercise of government authority in comparison to how the Tallinn Manual illustrates the appropriate use of Article Five in cyberspace. Examples offered include a \u201cprivate corporation that has been granted the authority by the government to conduct offensive computer network operations against a state\u201d and \u201cempowering a private entity to engage in cyber intelligence gathering.\u201d[47]<\/a> International law and specifically the Articles of State Responsibility therefore allow for the delegation of authority to use countermeasures, and in particular cyber countermeasures, to private corporations.[48]<\/a><\/p>\n

B. What are the Risks? <\/em><\/p>\n

Authorizing a private corporation to use countermeasures is an intriguing idea but comes with significant risk for the state. A state may \u201coutsource the taking of lawful cyber actions to private entities\u201d but it also \u201cshoulder[s] legal responsibility for the actions.\u201d[49]<\/a> Through domestic law the state delegates to the private entity the power to exercise governmental authority.[50]<\/a> In doing so, the private entity is the equivalent of a government agency making any approved measures logically attributable to the authorizing state.[51]<\/a> Similarly, any actions of the private entity not authorized by the domestic legislation are not attributable to the state.[52]<\/a> Thus, if a corporation is empowered to use cyber countermeasures in response to a state sponsored hostile cyber act, these government sanctioned actions would be \u201cconsidered an act of the State under international law, provided [they are] acting in that capacity in the particular instance.\u201d[53]<\/a><\/p>\n

The risk to the authorizing state is further amplified by the requirement that countermeasures not violate the State obligation to refrain from the threat or use of force as embodied in the United Nations Charter.[54]<\/a> Compliance with this limitation is particularly difficult in cyber space as the definition of \u201ccyber use of force\u201d is unclear. Professor Michael Schmitt notes that this topic frustrated the International Group of Experts convened to write the Tallinn Manual.[55]<\/a> Out of this frustration the group developed a nonexclusive list of factors that would likely influence the characterization of cyber operations by states as uses of force: severity, immediacy, directness, invasiveness, measurability, military character, state involvement, and presumptive legality. Additional factors found meaningful by the Experts included, inter alia, the prevailing political environment, the nexus of an operation to prospective military force, the attacker\u2019s identity, the attacker\u2019s track record with respect to cyber operations, and the nature of the target. These and other factors operate in concert as states make case-by-case determinations.[56]<\/a><\/p>\n

In applying the above listed factors and methodology it is easy to see how a corporate cyber countermeasure could be characterized as an unlawful use of force. If so characterized, the countermeasure would violate international law and, as the corporation would be acting under governmental authority, the violation would be attributable to the host state.[57]<\/a><\/p>\n

Perhaps more significantly, a corporate cyber countermeasure authorized by the host state may be interpreted as an armed attack and potentially escalate into a military engagement.[58]<\/a> It is important to note that the U.N. Charter prohibits the threat or use of force by any state.[59]<\/a> This prohibition has only two generally recognized exceptions.[60]<\/a> The first exception reserves to the Security Council the right to \u201cdetermine the existence of any threat to the peace, breach of the peace, or act of aggression,\u201d and the power to \u201cdecide what measures shall be taken . . . to maintain or restore international peace and security.\u201d[61]<\/a> The second exception ensures that states retain the \u201cinherent\u201d right of individual or collective self-defense if they are the victim of an armed attack.[62]<\/a> This right is a well-established international norm existing prior to the drafting of the U.N. Charter and is generally recognized as customary international law.[63]<\/a> International law thus imparts on the state independent authority to determine when it is necessary to exercise their inherent right to self-defense.<\/p>\n

So when would a cyber countermeasure be significant enough to allow a state to invoke its inherent right of self-defense?[64]<\/a> Again, similar to \u201cuse of force,\u201d it is difficult to define \u201carmed attack\u201d in cyber operations. While any cyber \u201cuse of force that injures or kills persons or damages or destroys property\u201d is clearly an armed attack[65]<\/a> the \u201crequisite degree of damage or injury remains . . . the subject of some disagreement.\u201d[66]<\/a> What is left unclear is whether cyber countermeasures not resulting in physical damage or injury, but generating \u201csevere non-destructive or non-injurious consequences,\u201d constitute an armed attack.[67]<\/a> In its characterization of these forms of cyber operations the United States has stated that \u201cunder some circumstances, a disruptive activity in cyberspace could constitute an armed attack.\u201d[68]<\/a> Broadly interpreting an \u201carmed attack\u201d in cyber space to include not only destruction or injury but also serious disruptions to the functioning of the state is increasingly the international norm.[69]<\/a> It is therefore possible that a cyber countermeasure that is too aggressive may fall within this more general definition of armed attack. The result would be a perverse situation where the aggressor state, whose actions initially justified the use of cyber countermeasures, could use military force as an act of self-defense against the victim state.[70]<\/a><\/p>\n

III. Why Should a State Risk Empowering a Corporation with Cyber Countermeasures?<\/p>\n

The risks to state actors, who remain legally accountable for any corporate use of cyber countermeasures, are significant, particularly for those corporate acts that could be misconstrued as an illegal use of force or an armed attack. For this reason, it would seem unlikely that a state would delegate countermeasure authority to a corporation. However, the advent of cyberspace has fundamentally altered the traditional landscape for international relations. As a result, states have been forced to re-think their approach to a myriad of issues including how best to protect corporations targeted by state actors in cyberspace.[71]<\/a> However, this approach can only work if the domestic law that empowers the corporation also has clearly articulated limitations in order to mitigate many of the associated concerns with this proposal. Discussion of why corporations need this authority, and how to limit the risk presented by cyber countermeasures, follows.<\/p>\n

A. Cyberspace: Opportunity and Danger<\/em><\/p>\n

The importance of cyberspace in the contemporary business environment cannot be overstated which makes any state sponsored hostile cyber activities that target private corporations potentially devastating. Cyberspace has become ubiquitous for corporations and absolutely essential for conducting business operations.[72]<\/a> In a survey of nearly four hundred businesses conducted by the Journal of Law and Cyber Warfare nearly 11% of corporations surveyed reported generating or using data equaling that stored by the Library of Congress.[73]<\/a> The survey also found that the reliance on data, and the more general use of cyberspace for corporate operations, is not limited to \u201cjust a handful of industries\u201d but rather is pervasive throughout almost all businesses.[74]<\/a><\/p>\n

Cyberspace, described by one author \u201cas all of the computer networks in the world and everything they connect and control,\u201d[75]<\/a> offers unique opportunities and exciting possibilities to businesses<\/a>.[76]<\/a> However, the very reasons that businesses so heavily rely upon cyberspace are why hostile state actors target these corporations. Access to cyberspace is not limited to the technologically advanced, does not require extensive computer sophistication, and is possible from almost any location.[77]<\/a> These attributes are advantages for businesses attempting to reach new customers and create organizational efficiencies. Yet, the borderless nature of cyberspace coupled with how easy it is to access the domain creates a staggering number of ways in which a cyber dependent corporation is vulnerable to exploitation.[78]<\/a> For a hostile state this unparalleled ability to exploit a corporation is enticing and one of the primary reasons cyberspace is increasingly attractive.<\/p>\n

Cyber activity is almost immediate, and if desired, relatively anonymous. These traits make cyberspace invaluable to a corporation; but they also incentivize bad behaviour in aggressive state actors.[79]<\/a> While cyberspace allows a corporation to conduct business incredibly fast it also results in hostile \u201ccyber operations . . . unfold[ing] so quickly that the state cannot\u201d respond.[80]<\/a> Further, the capability to remain anonymous in cyberspace is interesting to both corporate customers as well as the business itself. Anonymity, however, also makes attributing cyber hostilities to a state actor particularly difficult.[81]<\/a> A hostile state is not bound by geography, technology, or even the likelihood that a victimized corporation\u2019s government will respond due to the speed and attribution difficulties associated with these acts.[82]<\/a> These dynamics encourage a hostile state actor to target a corporation with relative impunity and little risk. The targeting of corporations in cyberspace is simply too attractive of an option for a motivated state actor not to use. Until there are consequences for the hostile state, there will be an increase in the targeting of corporations in cyberspace. It is therefore imperative to consider alternatives to the status quo including allowing corporations to protect themselves through the use of cyber countermeasures.<\/p>\n

B. What Should Corporations Be Allowed to Do and Not Do<\/em><\/p>\n

International law, as a general rule, categorically prohibits a corporation from actively engaging a state actor, even if victimized by hostile activity. [83]<\/a> However, the Articles on State Responsibility liberate corporations to act when their host state delegates through domestic legislation to them countermeasure authority.[84]<\/a> Currently, despite increased efforts by state actors to protect corporations<\/a> in cyberspace<\/a>,[85]<\/a> government responses to state sponsored cyber hostilities remain slow and often non-existent.[86]<\/a> Empowering the corporation to act on its own behalf in cyberspace allows for quick and forceful responses to these hostile cyber activities. Further, the host state is at a significant disadvantage to respond as it is often receiving incomplete, second hand information regarding the hostile cyber activity.[87]<\/a> The victimized corporation, in contrast, is in a much better position to remediate any cyber breaches and to identify the perpetrators. Allowing corporations these self-help measures therefore negates many of the advantages currently enjoyed by hostile state actors in cyberspace.<\/p>\n

However, it is essential that there are limits placed on any corporate cyber countermeasures. Domestic legislation delegating countermeasure authority to the corporation must expressly prohibit any actions that may be construed as a use of force.[88]<\/a> Again, it is important to reiterate that the host state retains responsibility for the consequences of any corporate actions[89]<\/a> and the intent of allowing cyber countermeasures is to force an aggressor state into compliance with their international legal obligations.[90]<\/a> Cyber countermeasures are not meant to open the door to armed violence or to \u201cundermine U.S. efforts to establish durable international norms\u201d against hacking<\/a>.[91]<\/a> Allowing for active defense measures is potentially problematic in cyberspace as these acts can often be misinterpreted as more aggressive than intended. Only through well-established and advertised parameters on the corporate countermeasures can a host state hope to avoid unwanted escalations.[92]<\/a> It is critical for the host state to ensure that any authorized corporate cyber countermeasures respect the well-established prohibitive use of force model found in international law.[93]<\/a><\/p>\n

It is also important for the corporate countermeasure authorization to delineate attribution criteria before use. Attribution is a difficulty in cyberspace and can be especially troublesome in the context of state actors.[94]<\/a> While it is nearly impossible to positively attribute cyber actions with complete certainty, evidence often points to the hostile<\/a> state<\/a>.[95]<\/a> Any domestic legislation empowering a corporation with cyber countermeasure authority must balance the need to respond with the importance of holding accountable the responsible party. Without attribution requirements cyber countermeasures could quickly devolve into simple hack back strategies that are shots in the dark against unknown perpetrators.[96]<\/a> However, in circumstances where there is strong evidence of state sponsorship of cyber hostilities, corporations must be allowed to respond.[97]<\/a><\/p>\n

The current paradigm where corporations sit idly by while their interests are assaulted in cyberspace by hostile state actors is impractical. Governments are currently ill-equipped to respond on behalf of the corporation and thus allowing businesses to use self-help protective measures is a logical alternative. Admittedly, the host state assumes risk by authorizing corporate cyber countermeasures. Yet, the peril of this strategy is diminished by clearly establishing in the domestic legislation attribution criteria and the parameters of the corporations cyber countermeasures.<\/p>\n

IV. Conclusion<\/p>\n

The hacking of corporations in cyberspace will not stop until hostile states are forced to re-consider the cost of their actions. Delegating cyber countermeasure authority to corporations would be an effective way to start this thought process. However, this article\u2019s proposal is not meant to be considered in lieu of a closer relationship between governments and corporations; it is rather intended to be a small part of a broader strategy. Only a robust public-private partnership will provide truly comprehensive solutions to the problems facing corporations in cyberspace.[98]<\/a> These problems are immense and finding solutions is of critical importance to both corporations and the national security of the United States. Allowing victimized corporations to respond to hostile state cyber activity would be a small, yet positive, step towards a broader solution.<\/p>\n

Photo courtesy of Wikimedia Commons<\/p>\n

[1]<\/a> Daniel B. Garrie is the executive managing partner for Law & Forensics, a legal consulting firm that works with clients across industries on software, cybersecurity, e-discovery, and digital forensic issues. He is also an accomplished electronic discovery Special Master hearing disputes throughout the United States. In addition, he is a Partner at Zeichner Ellman and Krause, responsible for the firm\u2019s cyber security and privacy practice and is an Adjunct Professor of Law at Cardozo Law School specializing in Information Governance.<\/p>\n

Shane R. Reeves is a Lieutenant Colonel in the United States Army. He is an Associate Professor and the Deputy Head, Department of Law at the United States Military Academy, West Point, New York (shane.reeves@usma.edu). The views expressed here are his personal views and do not necessarily reflect those of the Department of Defense, the United States Army, the United States Military Academy, or any other department or agency of the United States Government. The analysis presented here stems from his academic research of publicly available sources, not from protected operational information.<\/p>\n

[2]<\/a> U.S. Cyber Command: Organizing for Cyber Space Operations: Hearings Before the H. Comm. on Armed Services, <\/em>111th<\/sup> Cong. 1 (2010) [hereinafter Hearings] (statement of Rep. Skelton, Chairman, H. Comm. on Armed Services).<\/p>\n

[3]<\/a> See<\/em> McKinsey & Company, Insights & Publications, May 2014 available at: <\/em>http:\/\/www.mckinsey.com \/insights\/business_technology\/the_rising_strategic_risks_of_cyberattacks.<\/p>\n

[4]<\/a> Cyberspace is defined as \u201ca global domain within the information environment that encompasses the interdependent networks of information technology infrastructures, including the Internet and telecommunications networks.\u201d U.S. Dep\u2019t of Def. Quadrennial Defense Review Report 37, February 2010 [hereinafter QDR]. The Tallinn Manual defines cyber space as \u201c[t]he environment formed by physical and non-physical components, characterized by the use of computers and the electromagnetic spectrum, to store, modify, and exchange data using computer networks.\u201d Tallinn Manual on the International Law Applicable to Cyber Warfare 193 (Michael Schmitt ed., 2013) [hereinafter Tallinn Manual].<\/p>\n

[5]<\/a> See, e.g., <\/em>Michael A Riley & Jordan Robertson, FBI Said to Examine Whether Russia Tied to JPMorgan Hacking<\/em>, Bloomberg (Aug. 27, 2014), http:\/\/www.bloomberg.com\/news\/articles\/2014-08-27\/fbi-said-to-be-probing-whether-russia-tied-to-jpmorgan-hacking (\u201cRussian hackers attacked the U.S. financial system in mid-August, infiltrating and stealing data from JPMorgan Chase & Co..\u201d).<\/p>\n

[6]<\/a> See, e.g.<\/em>, David E. Sanger & Nicole Perlroth, U.S. Said to Find North Korea Ordered Cyberattack on Sony<\/em>, N.Y. Times (Dec. 17, 2014), http:\/\/www.nytimes.com\/2014\/12\/18\/world\/asia\/us-links-north-korea-to-sony-hacking.html?_r=1. \u201cThe Interview,\u201d a comedy about an assassination attempt on dictator Kim Jong-un, offended North Korea and was the reason for the cyber assault on Sony. See id.<\/em><\/p>\n

[7]<\/a> See <\/em>Zoe Li, What we know about the Chinese army\u2019s alleged cyber spying unit<\/em>, CNN (May 20, 2014), www.cnn.com\/2014\/05\/20\/world\/asia\/china-unit-61398\/ (stating that \u201c141 companies targeted by unit 61398, out of which 115 were in the United States\u201d and are \u201cblue-chip companies in important industries such as aerospace, satellite and telecommunications, and information technology\u2014strategic industries that were identified in China\u2019s five year plan for 2011 to 2015.\u201d). See also<\/em> Frank Langfitt, U.S. Security Company Tracks Hacking To Chinese Army Unit<\/em>, NPR (Feb. 19, 2013), http:\/\/www.npr.org\/2013\/02\/19\/172373133\/report-links-cyber-attacks-on-u-s-to-chinas-military (discussing the link between Unit 61398 and cyberattacks on dozens of American companies). Hackers affiliated with the Chinese government are considered the most energetic and aggressive international actors. See, e.g., <\/em>Craig Timberg, Vast majority of global cyber-espionage emanates from China, report finds<\/em>, Wash. Post, Apr. 22, 2013, available at<\/em> http:\/\/www.washingtonpost.com\/business\/technology\/vast-majority-of-global-cyber-espionage-emanates-from-china-report-finds\/2013\/04\/22\/61f52486-ab5f-11e2-b6fd-ba6f5f26d70e_story.html (reporting that of 120 incidents of government cyber espionage, 96 percent came from China).<\/p>\n

[8]<\/a> Cyber attacks motivated by ideology or nationalism can also be defined as cyberterrorism. See generally<\/em> Catherine Theohary & John Rollins, Cyberwarfare and Cyberterrorism: In Brief (May 27, 2015), available at<\/em> http:\/\/fas.org\/sgp\/crs\/natsec\/R43955.pdf.<\/p>\n

Cyberterrorism can be considered \u2018the premeditated use of disruptive activities, or the threat thereof, against computers and\/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.\u2019…Cyberterrorists are state-sponsored and non-state actors who engage in cyberattacks to pursue their objectives\u2026.There are no clear criteria yet for determining whether a cyberattack is criminal, an act of hactivism, terrorism, or a nation-state\u2019s use of force equivalent to an armed attack. Likewise, no international, legally binding instruments have yet been drafted explicitly to regulate inter-state relations in cyberspace. Id.<\/em><\/p>\n

[9]<\/a> See, e.g., <\/em>Daniel Garrie & Mitchell Silber, Cyber Warfare: Understanding the Law, Policy, and Technology 5-6 (2014) (discussing various cyber hostilities against corporations by state actors).<\/p>\n

[10]<\/a> The damage to corporations by cyber criminals and non-state cyber groups can be immense as illustrated by the February 2015 hack of Anthem Incorporated Insurance Company. See, e.g.,<\/em> Susanna Kim, Anthem Cyber Attack: 5 Things That Could Happen to Your Personal Information<\/em>, ABC News (Feb. 5, 2015), http:\/\/abcnews.go.com\/Business\/anthem-cyber-attack-things-happen-personal-information\/story?id=28747729 (noting that over 80 million personal records were exposed to include those of children and non-customers).<\/p>\n

[11]<\/a> See generally <\/em>Daniel Garrie & Shane R. Reeves, An Unsatisfactory State of the Law: The Limited Options for a Corporation Dealing with Cyber Hostilities by State Actors<\/em>, Card. L. Rev. 48-60 (forthcoming Spring 2016).<\/p>\n

[12]<\/a> See, e.g.<\/em>, United States v. Drew<\/em>, 259 F.R.D. 449 (C.D. Cal. 2009); Bittman v. Fox<\/em>, 2015 U.S. Dist. LEXIS 70249 (N.D. Ill. June 1, 2015); Mahoney v. Denuzzio<\/em>, 2014 U.S. Dist. LEXIS 10931 (D. Mass. Jan. 29, 2014).<\/p>\n

[13]<\/a> See generally<\/em> Shane Reeves, To Russia with Love: How Moral Arguments for a Humanitarian Intervention in Syria Opened the Door for an Invasion of the Ukraine<\/em>, 23 Mich. S. Int\u2019. L. Rev. 199-229 (Fall 2014) (discussing the reason why states maintain the exclusive right to use force).<\/p>\n

[14]<\/a> See <\/em>Garrie & Reeves, supra<\/em> note 11, at 62-70 (reinforcing why corporations cannot be viewed as state actors or unilaterally respond to state sponsored hostile cyber activity).<\/p>\n

[15]<\/a> See id<\/em>. at 75-76.<\/p>\n

[16]<\/a> See <\/em>Responsibility of States for Internationally Wrongful Acts, G.A. Res. 56\/83, Annex, Art. 5, U.N. Doc. A\/RES\/56\/83 Dec. 12, 2001) [hereinafter Articles on State Responsibility] (stating an \u201centity which is not an organ of the State\u201d may be empowered to exercise elements of governmental authority).<\/p>\n

[17]<\/a> Tallinn Manual, supra<\/em> note 4, at 30-31 (discussing private corporations being granted authority by a government to conduct offensive computer network operations against another state).<\/p>\n

[18]<\/a> Id. <\/em>(noting that \u201ca State is responsible for the acts of non-State actors where it has \u2018effective control\u2019 over such actors\u201d).<\/p>\n

[19]<\/a> See <\/em>Restatement (Third) of Foreign Relations Law of the United States \u00a7 101 (1987) (defining international law as \u201crules and principles of general application dealing with the conduct of States and of international organizations and with their relations inter se, as well as some of their relations with persons, whether natural or juridical.\u201d)<\/p>\n

[20]<\/a> See generally <\/em>Tallinn Manual, supra<\/em> note 4, at 25-35.<\/p>\n

[21]<\/a> See<\/em> Brian J. Bill, The Rendulic \u201cRule\u201d: Military Necessity, Commander\u2019s Knowledge, and Methods of Warfare<\/em>, in<\/em> 12 Yearbook of International Humanitarian law 119, 119 (2009) (discussing the reality that at times states will result to warfare to resolve differences).<\/p>\n

[22]<\/a> Geoffrey Best, War & Law Since 1945 5 (2002). .<\/em><\/p>\n

[23]<\/a> When can a state justifiably exercise its right of self-defense is debatable and outside the scope of this article. For a more detailed discussion see generally <\/em>Int\u2019l & Operational Law Dep\u2019t, The Judge Advocate General\u2019s Legal Ctr. & Sch., U.S. Army, Law of Armed Conflict Deskbook 29-35 (2010) [hereinafter Deskbook] (discussing the various views on the inherent right of self-defense in jus ad bellum<\/em>).<\/p>\n

[24]<\/a> Major Shane R. Reeves & Lieutenant Colonel Jeremy Marsh, Bin Laden and Awlaki: Lawful Targets<\/em>, Harv. Int\u2019l Rev., web perspectives (Oct. 26, 2011), available at<\/em>: http:\/\/hir.harvard.edu\/bin-laden-and-awlaki-lawful-targets (last visited 4 June 2013).<\/p>\n

[25]<\/a> Robert Kolb, Origin of the Twin Terms Jus Ad Bellum\/Jus In Bello<\/em>,<\/strong> 320 Int’l Rev. Red Cross 553, 553 n.1, (Oct. 31, 1997), available at<\/em> http:\/\/www.icrc.org\/eng\/resources\/documents\/misc\/57jnuu.htm (last visited 22 June 2013).<\/p>\n

[26]<\/a> An analysis of the jus in bello<\/em> in cyber space is irrelevant to this section. For a detailed discussion on jus in bello <\/em>in cyber space see Michael Schmitt, The Law of Cyber Warfare: Quo Vadis<\/em>, 25 Stan. L. & Pol\u2019y, 269, 289-299 (2014).<\/p>\n

[27]<\/a> \u201cIt must be noted, however, that the law of armed conflict contains a number of specific rules on State responsibility for violation thereof.\u201d\u00a0\u00a0 Tallinn Manual, supra <\/em>note 4, at 29.<\/p>\n

[28]<\/a> \u201cSovereignty in the matters between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State.\u201d Island of Palmas <\/em>(Neth. v. U.S.) 2 R.I.A.A. 829, 838 (Perm. Ct. Arb. 1928).<\/p>\n

[29]<\/a> Articles of State Responsibility and Commentaries, General Commentary (1), available at<\/em> http:\/\/legal.un.org\/ilc\/texts\/instruments\/english\/commentaries\/9_6_2001.pdf [hereinafter Commentaries].<\/p>\n

[30]<\/a> Id. <\/em>at art. 3.<\/p>\n

[31]<\/a> See <\/em>Articles on State Responsibility, supra <\/em>note 16, art. 22 (\u201cThe wrongfulness of an act of a State not in conformity with an international obligation towards another State is precluded if and to the extent that the act constitutes a countermeasure taken against the latter State in accordance with chapter II of part three.\u201d).<\/p>\n

[32]<\/a> Michael Schmitt, International Law and Cyber Attacks: Sony vs. North Korea, <\/em>Just Security (Dec. 17, 2014), http:\/\/justsecurity.org\/18460\/international-humanitarian-law-cyber-attacks-sony-v-north-korea\/.<\/p>\n

[33]<\/a> Articles on State Responsibility, supra <\/em>note 16, art. 49-52.<\/p>\n

[34]<\/a> Id. <\/em>at art. 50(1)(a); Tallinn Manual, supra <\/em>note 4, at 38.<\/p>\n

[35]<\/a> The Tallinn Manual on the International Law Applicable to Cyber Warfare was drafted by a group of international law experts at the behest of the NATO Cooperative Cyber Defence \u201cto help government\u2019s deal with the international legal implications of cyber operations.\u201d See Manual Examines How International Law Applies to Cyberspace, <\/em>IT World, Sept. 3, 2012, http:\/\/www.pcworld.com\/article\/261850\/manual_examines_how_international_law_applies_to_cyberwarfare.html (last visited Sept. 12, 2015).<\/p>\n

[36]<\/a> Tallinn Manual, supra <\/em>note 4, at 36.<\/p>\n

[37]<\/a> Id. <\/em>at 29-30.<\/p>\n

[38]<\/a> Schmitt, Quo Vadis<\/em>, supra<\/em> note 26, at 275-76 (2014) (\u201chostile cyber operations directed against cyber infrastructure located on another state\u2019s territory, whether government or not, constitute, inter alia<\/em>, a violation of that state\u2019s\u201d sovereignty.). See also <\/em>Schmitt, Sony vs. North Korea, supra <\/em>note 32 (noting that North Korea\u2019s cyber hostilities directed at Sony violated the sovereignty of the United States).<\/p>\n

[39]<\/a> Schmitt, Sony vs. North Korea, supra <\/em>note 32 (\u201cit would seem reasonable to characterize a cyber operation involving a State\u2019s manipulation of cyber infrastructure in another State\u2019s territory, or the emplacement of malware within systems located there, as a violation of the latter\u2019s sovereignty. This being so . . . it violated U.S. sovereignty.\u201d).<\/p>\n

[40]<\/a> Cyber intrusions can range from a violation of sovereignty, to an unlawful intervention, to a use of force, to an armed attack. What rises to the level of an armed attack is debatable but most agree that there is a difference between a \u201cuse of force,\u201d and an \u201carmed attack.\u201d See Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.)<\/em>, 1986 I.C.J. 14, 191 (June 27) [hereinafter Nicaragua v. United States<\/em>](stating it is necessary to \u201cdistinguish the most grave forms of the use of force (those constituting an armed attack) from other less grave forms.\u201d). But see <\/em>Harold H. Koh, Address at the USCYBERCOM Inter-Agency Legal Conference, Ft. Meade, Maryland: International Law in Cyberspace (Sept. 18, 2012) in <\/em>Harv. Int\u2019l L.J. Online 1, 3 (2012) (stating that the United States position is that the \u201cinherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an \u2018armed attack\u2019 that may warrant a forcible response.\u201d). The U.N. Charter does not define a \u201cuse of force\u201d leaving some discretion to individual states. The International Criminal Tribunal for the Former Yugoslavia somewhat addressed this issue by stating \u201can armed conflict exists whenever there is a resort to armed force between State or protracted armed violence between governmental authorities and organized armed groups or between such groups within a State.\u201d Prosecutor v. Tadic<\/em>, Case No. IT-94-1AR72I, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, \u00b6 70 (Oct. 2, 1995). Though not addressing the definition directly this statement infers \u201cthat activities that directly lead to an armed conflict may be a use of force.\u201d See <\/em>Geoffrey S. Corn et al., The Law of Armed Conflict: An Operational Approach 15 (2012).<\/p>\n

[41]<\/a> See <\/em>Schmitt, Quo Vadis<\/em>, supra<\/em> note 26, at 284. Professor Schmitt notes that \u201cas a practical matter, characterization of a cyber operation as a wrongful use of force merely serves to label the state involved as a violator of international law.\u201d Id. <\/em>State responses to uses of force are capped \u201cat the non-forceful countermeasures level, an armed attack gives the targeted state the right to respond with its own use of force.\u201d Id. (internal citation omitted)<\/em>. See also <\/em> Tallinn Manual, supra <\/em>note 4, at 17 (\u201cActions not constituting an armed attack but that are nevertheless in violation of international law may entitle the targeted State to resort to countermeasures\u201d).<\/p>\n

[42]<\/a> See <\/em>Articles on State Responsibility, supra <\/em>note 16, art. 2.<\/p>\n

[43]<\/a> See generally id.<\/em> art. 49-54.<\/p>\n

[44]<\/a> See id.<\/em> art. 5.<\/p>\n

[45]<\/a> Commentaries, supra <\/em>note 29, at 43.<\/p>\n

[46]<\/a> See id. <\/em>at 128-29 (describing the use of countermeasures).<\/p>\n

[47]<\/a> Tallinn Manual, supra <\/em>note 4, at 31.<\/p>\n

[48]<\/a> Schmitt, Sony vs. North Korea<\/em>, supra<\/em> note 32.<\/p>\n

[49]<\/a> Id.<\/em><\/p>\n

[50]<\/a> Commentaries, supra <\/em>note 29, at 43 (noting that Article 5 is clearly limited to entities which are empowered by internal law to exercise governmental authority).<\/p>\n

[51]<\/a> See <\/em>Articles on State Responsibility, supra <\/em>note 16, art. 5.<\/p>\n

[52]<\/a>\u00a0\u00a0 Tallinn Manual, supra <\/em>note 4, at 31 (\u201cit is important to emphasize that State responsibility is only engaged when the entity in question is exercising elements of governmental authority.\u201d).<\/p>\n

[53]<\/a> Schmitt, Sony vs. North Korea<\/em>, supra<\/em> note 32.<\/em><\/p>\n

[54]<\/a> See <\/em>Articles on State Responsibility, supra <\/em>note 16, art. 50. The Tallinn Manual notes that a majority of the International Experts agreed that this prohibition also applies to cyber countermeasures. Tallinn Manual, supra <\/em>note 4, at 38.<\/p>\n

[55]<\/a> See <\/em>Schmitt, Quo Vadis<\/em>, supra<\/em> note 26, at 280.<\/p>\n

[56]<\/a> Id.<\/em> at 280-81 (citing <\/em>Tallinn Manual, supra <\/em>note 4, at 47-52).<\/p>\n

[57]<\/a> This problem is particularly acute as it is likely that \u201c[t]he use of force threshold, wherever it may presently lie, will almost certainly drop in lock step with the increasing dependency of states on cyberspace.\u201d Id. <\/em>At 281.<\/p>\n

[58]<\/a> See id. <\/em>at 284 (\u201cthe consequences of a situation in which a state mounting a cyber operation miscalculates how the targeted state will characterize it (and respond based on that characterization) are graver with respect to the armed attack threshold.\u201d).<\/p>\n

[59]<\/a> U.N. Charter, art. 2, para. 4 (\u201cAll members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state\u201d). The U.N. Charter\u2019s general prohibition on the use of force echoes the ban on wars of aggression, or \u201cthe renunciation of war as an instrument of national policy,\u201d agreed to in the Kellogg-Briand Pact of 1928. See <\/em>Treaty Between the United States and Other Powers Providing for the Renunciation of War as an Instrument of National Policy, 94 LNTS 57 (1928).<\/p>\n

[60]<\/a> \u201cConsent\u201d is considered by some as a third exception to the general prohibition on the use of force. See, e.g., <\/em>Corn et al., supra <\/em>note 40, at 17. However, consent is more properly viewed as a state allowing force to be used within its own territory; therefore an exception to the rule prohibiting the use of force need not apply. See <\/em>Deskbook, supra <\/em>note 23, at 31 (\u201cConsent is not a separate exception to Article 2(4). If a state is using force with the consent of host state, then there is no violation of the host state\u2019s territorial integrity or political independence; thus, there is no need for an exception to the rule.\u201d).<\/p>\n

[61]<\/a> U.N. Charter, art. 39.<\/p>\n

[62]<\/a> Id. <\/em>at art. 51.<\/p>\n

[63]<\/a> See Nicaragua v. United States<\/em>, supra <\/em>note 40, at \u00a7 187(\u201cThe exception of the right of individual or collective self-defense is also, in the view of States, established in customary law, as is apparent for example from the terms of Article 51 of the United Nations Charter, which refers to an “inherent right”); Yoram Dinstein, War, Aggression, and Self Defense 181 (2005). \u00a0For a discussion on the customary definition of self-defense see Reeves, To Russia with Love, supra <\/em>note 13, at 220-21.<\/p>\n

[64]<\/a> It is again important to note that most international law experts agree that not all \u201cuses of force\u201d equate to an \u201carmed attack.\u201d See, e.g., <\/em>Tallinn Manual, supra <\/em>note 4, at 47, 52.<\/p>\n

[65]<\/a> Tallinn Manual, supra <\/em>note 4, at 55.<\/p>\n

[66]<\/a> Schmitt, Quo Vadis<\/em>, supra<\/em> note 26, at 282.<\/p>\n

[67]<\/a> Id.<\/em><\/p>\n

[68]<\/a> See, e.g., Developments in the Field of Information and Telecommunications in the Context of International Security: Rep. of the Secretary-General, <\/em>18, U.N. Doc. A\/\/66\/152 (July 20, 2010)(stating \u201cunder some circumstances, a disruptive activity in cyberspace could constitute an armed attack.\u201d).<\/p>\n

[69]<\/a> See generally <\/em>Schmitt, Quo Vadis<\/em>, supra<\/em> note 26, at 282-83.<\/p>\n

[70]<\/a> U.N. Charter, art. 51 (\u201cNothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.\u201d).<\/p>\n

[71]<\/a> See, e.g., <\/em>Schmitt, Quo Vadis<\/em>, supra<\/em> note 26, at 299 (discussing how armed conflict is transformed by cyber operations).<\/p>\n

[72]<\/a> Eric A. Fisher Et Al., Cong. Research Serv., R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress 1 (Mar. 1, 2013) (noting how heavily corporations rely upon computer technology to operate their business operations).<\/p>\n

[73]<\/a> See <\/em>Garrie & Silber, supra <\/em>note 9, at 8-15 (discussing the survey and its results).<\/p>\n

[74]<\/a> Id. <\/em>at 8.<\/p>\n

[75]<\/a> Richard A. Clarke and Robert K. Knake, Cyber War 69-70 (2014).<\/p>\n

[76]<\/a> Leon E. Panetta, U.S. Sec\u2019y of Defense, Remarks on Cybersecurity to the Business Executives for National Security, New York City (Oct 11, 2012), available at <\/em>http:\/\/www.defense.gov\/transcripts\/transcript.aspx? transcriptid=5136 (\u201cCyberspace is the new frontier, full of possibilities to advance security and prosperity in the 21st century.\u00a0 And yet, with these possibilities, also come new perils and new dangers.\u201d).<\/p>\n

[77]<\/a> See, e.g.<\/em> P.W. Singer, Wired For War, 264 (2009).<\/p>\n

[78]<\/a> See <\/em>Garrie & Reeves, supra<\/em> note 11, at 10-26 (discussing different forms of cyber hostilities and how they work).<\/p>\n

[79]<\/a> See<\/em> McKinsey & Company, supra <\/em>note 3 (highlighting the rising strategic risks of cyberattacks on corporations and the difficulty executives are having as \u201cmitigating the effect of attacks often requires making complicated trade-offs between reducing risk and keeping pace with business demands.\u201d).<\/p>\n

[80]<\/a> Schmitt, Quo Vadis<\/em>, supra<\/em> note 26, at 276.<\/p>\n

[81]<\/a> See <\/em>Garrie and Silber, supra<\/em> note 9, at 19-40.<\/p>\n

[82]<\/a> See generally <\/em>Hearings, supra <\/em>note 2.<\/p>\n

[83]<\/a> See generally <\/em>Articles on State Responsibility, supra <\/em>note 16.<\/p>\n

[84]<\/a> See id. <\/em>at Art. 22.<\/p>\n

[85]<\/a> The United States has taken significant steps to better coordinate a response to hostile cyber activities targeting corporations by establishing the Cyber Threat Intelligence Integration Center (CTIIC). See Fact Sheet: Cyber Threat Intelligence Integration Center<\/em>, whitehouse.gov (Feb. 25, 2015), available at <\/em>https:\/\/www.whitehouse.gov\/the-press-office\/2015\/02\/25\/fact-sheet-cyber-threat-intelligence-integration-center.\u00a0\u00a0 The CTIIC is intended to be \u201ca national intelligence center focused on \u2018connecting the dots\u2019 regarding malicious foreign cyber threats to the nation and cyber incidents affecting U.S. national interests,\u201d has the mission of assisting \u201crelevant departments and agencies in their efforts to identify, investigate, and mitigate those threats.\u201d Id. <\/em>Additionally, on February 13, 2015 the President issued an Executive Order to promote private sector cybersecurity cooperation by authorizing greater intelligence sharing while protecting business confidentiality. Executive Order\u2014Promoting Private Sector Cybersecurity Information Sharing, Feb. 13, 2015, available at<\/em> https:\/\/www.whitehouse.gov\/the-press-office\/2015\/02\/13\/executive-order-promoting-private-sector-cybersecurity-information-shari. It is unclear whether these efforts will have any effect on the ongoing trend of state sponsored cyber activity.<\/p>\n

[86]<\/a> See, e.g., <\/em>Devlin Barrett & Danny Yadron, Sony, U.S. Agencies Fumbled After Hacking, <\/em>Wall St. J., Feb. 23, 2015, at B1 (discussing how there are major shortcomings in how the government and companies work together to respond to cyber hostilities and in particular the hack of Sony Entertainment).<\/p>\n

[87]<\/a> See <\/em>Garrie & Reeves, supra<\/em> note 11, at 75-76 (\u201cUnfortunately, in the United States this partnership is in its infancy and is complicated by a host of problems including: distrust between the private and public sector, corporate reputational concerns, potential liability caused by a cyber incident, and sensitivity of operating in a global economy.\u201d).<\/p>\n

[88]<\/a> See supra <\/em>text and accompanying notes 49-71 discussing why these acts cannot cross this threshold.<\/p>\n

[89]<\/a> See <\/em>Articles on State Responsibility, supra <\/em>note 16, art. 5.<\/p>\n

[90]<\/a> See id. <\/em>art. 49-52.<\/p>\n

[91]<\/a> Max Fisher, Should the U.S. allow companies to \u2018hack back\u2019 against foreign cyber spies?<\/em>, Wash. Post (May 23, 2013), http:\/\/www.washingtonpost.com\/blogs\/worldviews\/wp\/2013\/05\/23\/should-the-u-s-allow-companies-to-hack-back-against-foreign-cyber-spies\/.<\/p>\n

[92]<\/a> See <\/em>Jeffrey Hunker Et. Al., Institute for Info. Infrastructure Protection, Role and Challenges for Sufficient Cyber-Attack Attribution 5 (2008) (describing the dangers that come with active defense measures in cyberspace and in particular the possibility of a disproportionate response).<\/p>\n

[93]<\/a> See<\/em> U.N. Charter, art. 2(4).<\/p>\n

[94]<\/a> See generally<\/em> Garrie and Silber, supra<\/em> note 9, at 19-40.<\/p>\n

[95]<\/a> However, there are circumstances when attribution is less of a problem. For example, while North Korea denied being behind the cyber hostilities targeting Sony in December 2014, it poorly veiled its complicity in the hack as it seemed intent on \u201cpunishing\u201d the company for its behaviour. See, e.g., <\/em>John Fingas, North Korea denies hacking Sony Pictures, but likes that someone did<\/em>, Engadget (Dec. 7, 2014), http:\/\/www.engadget.com\/2014\/12\/07\/north-korea-denies-hacking-sony-pictures\/. The United States later publicly attributed the cyber act against Sony to North Korea. See, e.g.<\/em>, David E. Sanger & Nicole Perlroth, U.S. Said to Find North Korea Ordered Cyberattack on Sony<\/em>, N.Y. Times (Dec. 17, 2014), http:\/\/www.nytimes.com\/2014\/12\/18\/world\/asia\/us-links-north-korea-to-sony-hacking.html?_r=1.<\/p>\n

[96]<\/a> Hunker, supra <\/em>note 92, at 5 (“[o]ur legal and policy frameworks for responding to cyberattacks cannot work unless we have adequate attribution; these frameworks remain incomplete because we lack the basis (sufficient attribution) to actually use them.”)<\/p>\n

[97]<\/a> Examples include the December 2014 North Korean hack of Sony, see<\/em> generally supra <\/em>note 95, and the October 2012 Iranian hack of American banks and the oil industry in the Middle East. See generally <\/em>Mike Mount, U.S. Officials believe Iran behind recent cyber attacks, <\/em>CNN (Oct. 16, 2012), http:\/\/www.cnn.com\/2012\/10\/15\/world\/iran-cyber\/index.html) (quoting Retired Senator Joseph Lieberman as stating \u201cI don\u2019t believe these were just hackers who were skilled enough to cause disruption of the Web sites . . . I think this was done by Iran and the Quds Force, which has its own developing cyber attack capability.\u201d).<\/p>\n

[98]<\/a> We explain how the public-private relationship could be significantly enhanced in our forthcoming article. See generally <\/em>Garrie & Reeves, supra<\/em> note 11.<\/p>\n","protected":false},"excerpt":{"rendered":"

By Daniel Garrie and Shane R. Reeves[1] Click here to read the full text as a PDF. \u201c[U.S] information systems face thousands of attacks a day from criminals, terrorist organizations, and more recently from more than 100 foreign intelligence organizations.\u201d[2] Looking forward, if the pace and intensity of attacks increase and are not met with improved defenses, a backlash against digitization could occur, with large negative economic implications. Using MGI data on the technologies that will truly matter to business strategy during the coming decade, we estimate that over the next five to seven years, $9 trillion to $21 trillion […]<\/p>\n","protected":false},"author":20,"featured_media":4670,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[4,24],"tags":[187,188,186,192,185,190,191,36,189],"class_list":["post-4669","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-features","category-online","tag-cyber-attacks","tag-cyber-hostilities","tag-cyber-security","tag-cyber-space","tag-cybersecurity","tag-international-law","tag-north-korea","tag-russia","tag-state-sponsored-corporate-countermeasures"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/journals.law.harvard.edu\/nsj\/wp-content\/uploads\/sites\/82\/2015\/12\/Computer_Security_Symbol_-_Hacked_rot.jpg?fit=6000%2C4000&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/peZtUX-1dj","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/posts\/4669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/comments?post=4669"}],"version-history":[{"count":0,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/posts\/4669\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/media\/4670"}],"wp:attachment":[{"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/media?parent=4669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/categories?post=4669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.harvard.edu\/nsj\/wp-json\/wp\/v2\/tags?post=4669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}