An Unsatisfactory State of the Law: The Limited Options for a Corporation Dealing with Cyber Hostilities by State Actors

State-sponsored cyber hostilities on corporations are not a new occurrence. Recent examples include the August 2014 suspected Russian hack of JP Morgan Chase[1] and the continuous cyber activities against corporate targets conducted by Unit 61398 of the Chinese People’s Liberation Army.[2] However, North Korea’s actions against Sony are considered by many a “game changer” and a significant escalation of the cyber hostilities targeting corporations.[3] Rather than hacking Sony to steal corporate secrets or disrupt their business activity, the North Koreans attempted to devastate the company and chill its activities for a perceived nationalist slight.[4] This targeting of a corporation for ideological reasons by a state actor should not be viewed as an anomaly; rather it is best seen as the harbinger of a new era of particularly pernicious cyber hostilities targeting businesses.[5]

The rapidly increasing willingness of state actors to conduct hostile cyber operations against corporations has not gone unnoticed by governments, and, in particular, the United States.[6] Corporations, for their part, overwhelmingly support government involvement in cyber issues.[7] This mutual desire for a corporate-government partnership provides an opportunity to build an effective response to the cyber threat posed by state actors. Yet, corporations also must be cognizant that the present environment is woefully inadequate at providing the necessary cyber defense mechanisms needed to protect their businesses.[8] This short-term need for protection coupled with the interest in a corporate-government partnership raises two questions. First, what can a corporation do to protect itself from state-sponsored cyber hostilities? Second, what are some possible models for a corporate-government partnership to address the threat in the future?

In our new article we attempt to answer these questions as corporation’s face, almost daily, sophisticated and destructive forms of cyber hostilities conducted by state actors. Unfortunately, the current state of both domestic and international law leaves a corporation with limited response options. Under domestic law there is no overarching legal doctrine available to private corporations, but rather a myriad of federal statutes addressing various aspects of cybersecurity.[9] Enforcement of this patchwork of statutes is solely within the discretion of law enforcement and therefore a corporation that is a victim of cyber hostilities must rely upon a government agency to respond. This limitation can cause frustration and lead businesses to consider active defense measures in their cyber security systems. However, a corporation’s attempt to use active measures is particularly problematic under international law.

International law categorically prohibits a non-state actor—in this case a corporation—from actively engaging a hostile state, even if victimized by a cyber attack. The right of action against a state actor is exclusively within the purview of states as articulated in the United Nations Charter and the Articles on State Responsibility.[10] Though this is unsettling for a corporation constantly victimized by hostile cyber activity, international law intentionally requires a non-state actor to rely upon its nation for a self-defense response. Thus, in their role as a non-state actor corporations are limited to implementing defensive, protective measures—such as remediation tools like disinformation and honeypots—against state-sponsored cyber hostilities. However, it must be reiterated that corporations should tread lightly with their actions as the law clearly does not allow a company to initiate cyber hostilities.

For a more forceful and active response corporations are left with no option other than relying upon their host government. Of course this requires a strong partnership between the government and the private sector. In the United States this partnership is in its infancy and is complicated by a host of problems including: distrust between the private and public sector, corporate reputational concerns, potential liability caused by cyber incidents, and sensitivity of operating in a global economy. This complex web of issues incentivizes both public and private actors to hew to their own interests, withhold critical information, and make decisions without consultation.[11]

The government is not obtuse to this problem and has taken steps to better coordinate a response to hostile cyber activities while simultaneously promoting information sharing between the public and private sectors.[12] While these efforts are a significant step in the right direction, they are insufficient for handling the ever-growing cyber threat to corporations. Instead, a sufficiently robust public-private cyber partnership will require consideration of more radical ideas. Examples may include: creating a confidential reporting mechanism coupled with limiting financial liability for those corporations that openly report a cyber incident or expanding the powers of the Federal Intelligence Surveillance Court to allow victimized companies to petition for a government response to a cyber assault.

These two relatively unexplored recommendations are not intended to be a panacea for the corporate cyber problem, but rather illuminate the need for creativity in developing a response strategy. It will take unorthodox solutions to remove the disincentives currently inhibiting the public-private partnership. Yet, the importance of enhancing this public-private partnership cannot be overstated and is of utmost importance for both corporations and the national security of the United States. Neither corporations nor the government can afford to remain static as the speed and ferocity of cyber hostilities, in particular those launched by state actors against private companies, are the new normal.

ENDNOTES

[1] See Chris Woodyard, Report: Russian hackers behind JPMorgan Chase attack, USA Today (Oct. 7, 2014), http://www.usatoday.com/story/money/business/2014/10/04/jpmorgan-chase-cyberattack-russians/16717499/.

[2] See, e.g., Frank Langfitt, U.S. Security Company Tracks Hacking To Chinese Army Unit, NPR (Feb. 19, 2013), http://www.npr.org/2013/02/19/172373133/report-links-cyber-attacks-on-u-s-to-chinas-military (discussing the link between Unit 61398 and cyberattacks on dozens of American companies). Hackers affiliated with the Chinese government are considered the most energetic and aggressive international actors. See, e.g., Craig Timberg, Vast majority of global cyber-espionage emanates from China, report finds, Wash. Post, Apr. 22, 2013, available at http://www.washingtonpost.com/business/technology/vast-majority-of-global-cyber-espionage-emanates-from-china-report-finds/2013/04/22/61f52486-ab5f-11e2-b6fd-ba6f5f26d70e_story.html (reporting that of 120 incidents of government cyber espionage, 96 percent came from China).

[3] Kenneth Corbin, Sony hack is a corporate cyberwar game changer, CIO (Jan. 19, 2015), http://www.cio.com.au/article/564154/sony-hack-corporate-cyberwar-game-changer/ (stating “North Korea’s state-sponsored attack against Sony is a dramatic escalation in cyber hostilities.”).

[4] See, e.g., David E. Sanger & Nicole Perlroth, U.S. Said to Find North Korea Ordered Cyberattack on Sony, N.Y. Times (Dec. 17, 2014), http://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html?_r=1(noting that the North Korean hack was apparently due to the release of the movie “The Interview” which included a far-fetched plot to assassinate Dictator Kim Jong-un).

[5] See, e.g., Daniel Garrie & Mitchell Silber, Cyber Warfare: Understanding the Law, Policy, and Technology 5-6 (2014) (discussing various cyber hostilities against corporations by state actors).

[6] See, e.g., White House Summit on Cybersecurity and Consumer Protection, whitehouse.gov (Feb. 13, 2015), http://www.whitehouse.gov/issues/foreign-policy/cybersecurity/summit (discussing the 2015 cybersecurity summit to “bring together leaders from across the country who have a stake in this issue — industry, tech companies, law enforcement, consumer and privacy advocates, law professors who specialize in this field, and students — to collaborate and explore partnerships that will help develop the best ways to bolster our cybersecurity.”).

[7] See Garrie & Silber, supra note 5, at 5-6 (2014) (noting that in a survey given by the Journal of Law and Cyber Warfare to hundreds of businesses across nearly eighty industries that corporations want government involvement and protection from cyber hostilities).

[8]   A common complaint by private industry is the lack of government response to cyber hostilities. See, e.g., Paul Rosenzweig, The Alarming Trend of Cybersecurity Breaches and Failures in the U.S. Government, Heritage Foundation (May 24, 2012), http://www.heritage.org/research/reports/2012/05/the-alarming-trend-of-cybersecurity-breaches-and-failures-in-the-us-government.

[9]   See generally ERIC A. FISHER, FEDERAL LAWS RELATING TO CYBER SECURITY: OVERVIEW AND DISCUSSION OF PROPOSED REVISIONS (Jun. 20, 2013), available at http://fas.org/sgp/crs/natsec/R42114.pdf. Over the last decade there has been a great deal of discussion within the legislature about reforming federal cybersecurity statutes. Many bills have been proposed but few have been enacted. See, e.g., Cybersecurity Act of 2010; Cybersecurity Act of 2012; Cybersecurity Act of 2013 (none of these were enacted). Only recently has there been any substantial movement with federal cyber statutes with the enactment of the Cybersecurity Enhancement Act of 2014, the most significant cybersecurity statute to be enacted since 2002. For a summary of notable federal cybercrime and cybersecurity provisions see Garrie & Reeves, supra note 10, at 52-62.

[10] The use of force in self-defense is an exclusive right of state actors so the corporation would be in violation of the U.N. Charter’s general prohibition on the use of force. See U.N. Charter, art. 2(4). As a perverse result, under the law of state responsibility, the United States would be responsible for the corporation’s violation of the hostile state’s sovereignty. See Responsibility of States for Internationally Wrongful Acts, G.A. Res. 56/83, Annex, U.N. Doc. A/RES/56/83 (Dec. 12, 2001). This is the same result if a corporation is acting in self-defense and its response damages a third nation’s cyber infrastructure or personnel.

[11]   See, e.g., Devlin Barrett & Danny Yadron, Sony, U.S. Agencies Fumbled After Hacking, WALL ST. J., Feb. 23, 2015, at B1 (discussing how there are major shortcomings in how the government and companies work together to respond to cyber hostilities and in particular the hack of Sony Entertainment).

[12]   See Fact Sheet: Cyber Threat Intelligence Integration Center, whitehouse.gov (Feb. 25, 2015), available at https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center.

The preceding post comes to us from Daniel B. Garrie and Shane R. Reeves. Mr. Garrie is the executive managing partner of Law & Forensics, an electronic discovery Special Master, a Partner at Zeichner Ellman and Krause and an Adjunct Professor of Law at Cardozo Law School. Shane R. Reeves is a Lieutenant Colonel in the United States Army, a Professor and the Deputy Head, Department of Law at the United States Military Academy, West Point, New York. The views expressed here are the personal views of Shane R. Reeves and do not necessarily reflect those of the Department of Defense, the United States Army, the United States Military Academy, or any other department or agency of the United States Government. The analysis presented here stems from the academic research of Shane R. Reeves based on publicly available sources and is not based on protected operational information. This post is based on the authors’ recent article, which is entitled “An Unsatisfactory State of the Law: The Limited Options for a Corporation Dealing with Cyber Hostilities by State Actors”, available here and forthcoming in the Cardozo Law Review (2015)