Last month, Professor Matthew Waxman of
- malicious hacking, often done for fun without broader motives
- espionage – for political or corporate reasons
- cyber attacks – which would essentially be cyber-warfare, with the intention of crippling our ability to respond to an enemy via attacks on our infrastructure, financial systems, etc.
For example, is spam disruptive or criminal? In this situation at least, the solution likely not to be legal, but based in the private sector, e.g., email providers have algorithms to filter out spam, and those algorithms are always being improved.
Professor Waxman felt that, while there are often warnings in the news media from the government and other commentators about a large-scale cyber-warfare assault, he feels that a massive attack – what is often termed a “cyber
One additional point that Professor Waxman raised about cyber-warfare – the
II. Domestic law
This is a critical but not well-defined area in cybersecurity. Since the
In any case, Professor Waxman cited several counter-pressures that existed pre-Snowden that argued against increased private-government cooperation. For one thing, the technology industry is reluctant for the government to do anything to stifle innovation, and we do have a general national interest in promoting innovation. There is a general concern among the public about regulation, and the various scandals since Professor Waxman’s talk have only heightened the public’s sensitivity to regulations. These scandals have also exacerbated Professor Waxman’s third roadblock: civil liberties concern of increased government involvement in private-sector cybersecurity.
One additional item impeding increased governmental action in this area not mentioned by Professor Waxman is that the technology industry is not a monolith with a single set of objectives and interests. Often, there are competing sets of interests that pit industry sectors against each other. For example, the heated disputes of the Stop Online Piracy Act and the issue of Net Neutrality demonstrate that government actions on behalf of one group of industry participants are often viewed as harmful by another group.
As a result, Professor Waxman does not expect any radical federal reform in this area any time soon.
III. Is international law therefore a solution?
There are additional problems related to trying to equate cyber and military attacks, such as attribution in a provable way. While this can certainly be the case in a physical attack – e.g., who actually planted that bomb? – the ephemeral nature of cyberspace likely compounds the problem of reliably proving the source of an attack – just as China denies such activities while the U.S. has pinpointed a single office building in China as housing the Chinese Army unit responsible for such activities.
Despite those denials, Professor Waxman cites Chinese attacks as creating the biggest threat of cumulating low-level intrusions cited above. He argues that biggest current threat from
The other irony in seeking clarity, as mentioned earlier, is that the
Professor Waxman cited a pattern of weapons development and usage in military history. First, international players try banning the weapon, but that generally doesn't work. Then, everyone tries to find out how it will change warfare – but of course, forecasts usually vary widely and generally miss the mark.
IV. Private sector remedies
If you are being hacked, what are your rights? Can you hack back? What about in self-defense? Professor Waxman noted numerous questions in the current law as to where to draw the lines. He felt that the private sector is drawing the conclusion that government can't provide security in the private sphere the way it can in the public sphere, e.g., with police on the beat, courts, armies and other law enforcement and defense infrastructure.
There may be areas, such as cybersecurity compliance, where incremental progress can be made on topics where there is general agreement. For example, requiring disclosures of data breaches, and instituting liability for the misuse of stolen data. Fear of liability, especially for exposing security breaches, have held back progress in this area even where the general public could benefit. For example, increased information sharing would strengthen the system overall, even though there are disincentives to sharing individual experiences. This could potentially be addressed through legislation to incentivize information sharing, and possibly even provide safe harbor for liability from such episodes