For your consideration, Paul Rosenzweig wrote a very good post for Lawfare considering active defense/hackback and a possible typology for active cyber defense.
In his cybersecurity law & policy courses, one of Prof. Snyder’s favorite lines is that we need to get the lawyers and the techies in the same room and we need to get them talking. With that always in the back of my head, I was disappointed to read Mr. Rosenzweig’s retelling of an ABA Standing Committee on Law and National Security meeting on “Comprehensive Cyber Defenses”:
We had both technologists and lawyers in the room and they were, to a large degree, talking past each other. They lacked a common understanding of the technical capabilities and of the legal framework. Worse yet, to put it concisely, the meeting made it clear to me that we are obsessed with the hard cases and that, if we unpack the question a bit we will find a large swath of areas where agreement is wide spread.
So we now have an added layer of difficulty: we not only have to get the lawyers & techies in the same room, but we have to get them to actually listen to each other.
Mr. Rosenzweig goes on and discusses the legality of active defense in length. In doing so, he suggests an interesting model where we consider a private company’s possible active defense actions (attribution, prevention, or response) in light of where the company is conducting those actions (in network or out of network).
At the risk of summarizing too much, I’ll bow out now and heartily recommend that you read the rest of his post in its entirety.
***
I think this model is very useful, and as Mr. Rosenzweig notes, it “helps to identify important definitional questions that the law and policy must answer.” One of those important questions has to revolve around active defense/hackback under international law. If we anticipate legislating on active defense, or ever having a really fruitful discussion on it, we have to admit that most “Out of Network” attributions/preventions/responses will be going out of country.
I guess the inquiry is whether a private company’s active defense actions could ever be a use of force (or an armed attack) that implicates nation-state responsibility. I certainly don’t know how that question would come out, but I’ve previously suggested that a private company might have a right of self-defense under international law, and I still think a Cyber Montreux Document would be a good start.
In any case, perhaps we could revise the model to consider whether an “Out of Network” action, especially in the “Response” category, is occurring out of country. I think this inquiry will work very well with Mr. Rosenzweig’s “adverse effect” factor, especially in a use of force/armed attack analysis.
Leave a Reply