Remember two
years ago when North Korea hacked Sony Pictures over a movie? Pundits and concerned
citizens alike postulated whether such behavior could be an act of war.
Just this
election cycle Russia hacked the Democratic National Committee servers and
dumped emails in the midst of a US election. Such activity is one of the first
openly obvious hacks done for covert political influence against another State.
Ido Kilovaty, Cyber Fellow at the Center for Global Legal Challenges at Yale
Law School, theorizes that international law principles of non-intervention are
difficult to apply since cyberspace transcends political boarders. His latest blog warns that information is slowly
becoming the new form of interference: the new form of covert action. And that
is a national security problem.
What
qualifies as a covert action and what rules are in place to oversee it are
domestic issues defined by domestic laws of individual States. Covert actions
conducted by the U.S. are governed for example by the amended National Security
Act of 1947. Section 503(a)(5) is explicit that any covert action “may not
authorize any action that would violate the Constitution or any statute of the U.S.”
It is silent on whether or not a covert action must comply with customary
international law (CIL). This silence is not U.S. specific either. Across the
globe countries have ill-defined expectations and norms when it comes to State
sponsored cyber use. States are coming to terms with the fact that cyber is our
new form of covert warfare. This lack of clarity is our arising national
security problem because it makes each of us vulnerable to a direct covert
action from any State. Without defined expectations of use States will continue
to use cyberattacks covertly to interfere in the lives of civilians because
repercussions will remain nonexistent.
The same
cannot be said under CIL regarding other covert action use. I say CIL because
espionage and covert actions have oddly enough been ill-defined in codified
international law. Covert actions are legal because States have by custom
covertly engaged in them. Satellite reconnaissance, electronic surveillance,
and human efforts have all been seen as legally safe practices. (See this piece by Christopher D. Baker from the American University
International Law Review regarding our tolerance for international espionage.)
The reality
is that these other forms of covert action were conducted at specific State
targets. Satellites followed military instillations etc. Not so with hacking. The
basic customary principles of targeting, distinction, and government-focused
entities when conducting operations seems not to apply in cyberspace. Everyone
is a target.
Behavior
becomes acceptable under CIL when States remain silent. The reality is that countries
who care about protecting their citizenry from foreign covert actions must
speak up more forcibly against state sponsored cyberattacks on civilians. Until
then, the current legal option for those subject to foreign government hacks is
domestic in nature. But good luck collecting your US Court judgment from North
Korea.
Authored by Matthew Goepfrich
No comments:
Post a Comment