Last week the U.S. Department of Justice announced that it will indict seven
Iranian hackers for their various cyberspace activities relating to the hacking
of U.S. financial institutions in 2011, such as the NY Stock Exchange and Bank
of America, as well as unauthorized access to the Bowman Avenue Dam in 2013. The
seven hackers worked for two Iranian cybersecurity companies – ITSEC and MERSAD.
According to Attorney General Loretta Lynch, “A federal grand jury in Manhattan
found that these seven individuals conspired together, and with others, to
conduct a series of cyberattacks against civilian targets in the United States
financial industry that, in all, cost victims tens of millions of dollars”. At
the moment, there is no extradition agreement between the U.S. and Iran, so it
remains to be seen whether the indictment will lead to any apprehensions.

This announcement comes after the U.S. announced similar criminal charges
against members of the Syrian Electronic Army (SEA), a hacking group that
carried out cyber operations against media companies and government agencies,
as well as the posting of a fake tweet on the Associated Press Twitter account
claiming that the White House had been attacked and President Obama injured.
One of the members of the SEA is currently in custody in Germany.

These indictments against hacking groups are the first of their kind in the
efforts of the U.S. to press charges against individuals engaging in
cyber-attacks and other malicious activities in cyberspace. Though the U.S.
already indicted five Chinese hackers in the past for economic cyber espionage,
the Iranian hackers’ indictment represents national security hacking charges,
which are unprecedented up to this time. However, it is unclear whether the
prosecution route will be effective in deterring future hackers. As the
Associated Press noted – “It's hard to prove the strategy's effectiveness, or
whether such indictments actually lead to a decrease in hacking attempts. It's
also unclear whether any of the Iranian hackers will ever be apprehended. The
five Chinese defendants indicted on similar charges in May 2014 have yet to
appear in an American courtroom, leading to criticism that the cases make a
publicity splash but have little practical impact”. The main question,
therefore, is whether this symbolic step will prevent future cyber-attacks
emanating from countries that are considered to be safe havens for
transnational hackers.

Even though the efforts to prosecute foreign-based hackers in the U.S. might
not bear any fruit, they could be a tactical measure to “blame and shame”
foreign governments in relation to their support of those individuals and
hacking groups. China, Russia, and Iran, among the prominent players in the
cyberspace battlefield, do not have any extradition agreement with the U.S.,
making it much more challenging to prosecute these individuals. Individuals,
under the fear of prosecution, might avoid traveling, thus making these efforts
somewhat

The news of the recent Google-Car accident raised, and not for the first time,
unresolved issues of legal liability for damages caused by autonomous devices.
Fortunately, that accident did not result in any injuries or significant damage
to property, but while self-driving cars are expected to reduce the car
accident rate by up to 90%, there is no doubt that in the future autonomous
vehicles will be involved in some fatal car crashes.

Focusing on the issue of civil liability for the purposes of this post, we
would probably wonder which individual is to be held liable in case of an
accident – the manufacturer, programmer, dealer, or owner? This challenge,
however, is not unique to self-driving cars. Similar questions are expected in
the context of damages caused by other autonomous devices or algorithms: who is
liable when a medical diagnostic device misdiagnoses a patient, or an online
arbitration system reaches a ludicrous outcome?

Although devices and algorithms act as programmed (unless subject to some sort
of malfunction), the more autonomous and complicated the devices are, the more
we might view them as possessing a "discretion" of their own, in the sense that
their ultimate choice under a specific scenario may be beyond what the
developer anticipated. In fact, the relationship between said devices and their
human developers or owners may be somewhat similar to that between parents and
children, or even between employers and employees, in the sense that humans can
direct the device's choices to a large extent, but cannot necessarily fully
control it under all scenarios.

Assuming we acknowledge the certain level of independence sophisticated devices
have or will have in the future, and hence may draw analogies between the
"human-algorithm relationship" and other types of vicarious relationships, the
next step is the threshold issue of whether the device's own actions are
subject to liability or not.
If, for example, a physician who caused damage to a patient is found to have
acted with reasonable care, neither the physician nor the hospital where she
works will be found liable for the damages. By the same token, one could argue,
if a medical algorithm (or a driverless vehicle) caused damages but did so while
acting "reasonably", there would be no sense in "going
after" its human operators, developers or owners.

How does one determine whether an algorithm or device employed reasonable care?
Should its actions and choices be compared to those of the reasonable person
under similar circumstances? To those of a "reasonable algorithm"? And if so,
to what standards shall we hold said "reasonable algorithm"? Would it suffice
to show, as in many U.S. states in the field of medical malpractice, that the
device adhered to common practices? (Such a requirement might be meaningless,
assuming all devices will be programmed to meet the standards of care and,
unlike human physicians, will not deviate from them under any circumstances
except for malfunction.) How will the state’s interest in promoting technology
and innovation affect the creation of a reasonableness criterion when it comes
to the potentially harmful actions of an autonomous device?

Autonomous devices differ from humans in many relevant ways. On one hand, their
decisions are expected to be much better in many ways, since they can process
and analyze unthinkable amounts of data almost instantaneously. They can also
be free of biases, such as personal preferences, a tendency to
self-preservation, etc., and of physical weaknesses, such as fatigue, stress or
alcohol, which may cloud judgement. We can also be sure that, unlike humans,
they will always complete the full assessment phase before making a decision
and will not jump to impulsive conclusions. On the other hand, whether the
algorithm or device is "self-learning" or not, it may be argued that it will
not have the necessary flexibility and creativity, which often characterize
humans, to deal with unexpected input or a changing reality. In addition, the
algorithm or device might not fully understand human nuances that could affect
the desired outcome, for instance, patients diagnosed by a robo-physician who
raise real complaints, but whose actual reason for consultation is their
loneliness and need for attention or, alternatively, their desire to skip days
at work. It is assumed that a person might grasp these nuances while a machine
will not.

How should we, as a society, address these technological developments when
determining the reasonableness of machine actions? This is but one of the many
fascinating questions to think of when addressing the legal liability of
non-human decision

In my recently published article in the Journal of Law and Cyber Warfare,
entitled “Rethinking the Prohibition on the Use of Force in Light of Economic
Cyber Warfare: Towards a Broader Scope of Article 2(4) of the UN Charter”, I
explored the question of the classification of economic cyber-attacks under
public international law, particularly in the context of the use of force
framework. In that article, I argued that cyber-attacks resulting in economic
harm (as opposed to physical/kinetic harm) ought to be considered, under
certain circumstances, as uses of force, and in their most severe forms, as
armed attacks. The secondary-rules importance of this determination was not
fully addressed within the scope of the article, and in this blog post I intend
to demonstrate the importance of the classification advanced by my paper.

First, labeling a certain economic cyber-attack as a use of force, which
violates a well-entrenched norm of public international law formulated in
Article 2(4) of the U.N. Charter, justifies the use of countermeasures, which
are a “self-help” remedy in response to an internationally wrongful act by a
state against a state. The ability to classify an economic cyber-attack as a
“use of force” leaves victim states better off than if it were unclear which
international law norms are violated by an economic cyber-attack. Part of the
difficulty in international cyberspace regulation is that it is often
perplexing, and even impossible, to label and define different cyberspace
operations, thus leaving the victim state helpless if a cyber-attack of a
certain sort takes place. “Cyber vandalism”, the term used by President Obama
following the Sony Hack, is an example of how states struggle to define the
activities that take place against them in cyberspace. The Sony Hack, in
particular, would most likely not reach the threshold of an economic
cyber-attack, but it illustrates the terminological difficulty nonetheless.
Some would offer a counter-argument, claiming that labeling economic
cyber-attacks as uses of force does not necessarily change international law,
since economic cyber-attacks would still violate international law norms such
as sovereignty and non-intervention. The response to that argument is that the
norm on the non-use of force offers a broader set of remedies under the
countermeasures regime, since countermeasures still need to comply with the
proportionality principle, which provides that countermeasures need to be
proportionate to the initial violation of international law.

My second clarification is connected to my first point, but it is more
instrumental and less remedial. The possibility of labeling an economic
cyber-attack under the well-established and developed norms of the use of force
framework gives the victim state an instrument to use in its diplomatic efforts
vis-à-vis the territorial state. The mere fact that the use of force norm was
violated does not warrant a countermeasures response on behalf of the victim
state, but it could be valuable if the victim state decides to pursue
diplomatic or other forms of dispute resolution.

Third, the use of force framework is helpful in enhancing deterrence in
cyberspace. If economic cyber-attacks are prohibited by international law,
states will most likely refrain from using them against other states, unless,
of course, it is in their interest and that interest overrides the deterring
force of the use of force framework. Additionally, if non-state actors in the
territory of a state decide to carry out economic cyber-attacks, that state
will be under an obligation to stop these attacks as part of its duty to
prevent transboundary harm to other states.

All in all, the classification of economic cyber-attacks as uses of force is
not merely a theoretical exercise, but might also have significant practical
implications, as demonstrated in this blog post. Naturally, there is still a
long way to go until international law adapts to economic cyber-attacks by
creating specific norms and principles to govern them, but at this point in
time, it is helpful to use contemporary international law to address these new
phenomena.

The shooting spree in San Bernardino, California, which killed 14 people in
December last year, is back in the headlines. Magistrate Judge Sheri Pym, of
the U.S. District Court in Los Angeles, issued an order against Apple,
requiring it to bypass the security function on the iPhone 5C which belonged to
the shooter, and by doing so assist the F.B.I. investigation by allowing it to
gain access to the data on the device. Apple's CEO, following the order,
announced that “The government is asking Apple to hack our own users and
undermine decades of security advancements that protect our customers —
including tens of millions of American citizens — from sophisticated hackers
and cybercriminals”. Apple claims that such a ‘backdoor’ would amount to a
universal key that would allow law enforcement authorities to break into any
iPhone they wish. All in all, Apple’s stance is that it refuses to comply with
the court’s order.

That controversy extended to the public, and views on whether Apple should
comply with the order were split. Edward Snowden tweeted that “The FBI is
creating a world where citizens rely on #Apple to defend their rights, rather
than the other way around”, and certain lawmakers expressed their opinions on
social media as well. While many defended Apple’s position of refusing to
cooperate and undermine the privacy of its customers, Senator Tom Cotton
(R-Arkansas) called Apple the “company of choice for terrorists, drug dealers,
and sexual predators”. Senator Dianne Feinstein (D-California) announced that
“it’s not unreasonable for Apple to provide technical assistance”.

Interestingly, only at the beginning of this month, the Berkman Center for
Internet and Society at Harvard University released a report on the privacy
vs. security debate, in the context of encryption, entitled “Don’t Panic –
Making Progress on the ‘Going Dark’ Debate”. In the report, various experts
argue that technology does not necessarily mean that we are “going dark” in the
surveillance sense – “There are and will always be pockets of dimness and some
dark spots – communications channels resistant to surveillance – but this does
not mean we are completely “going dark.” Some areas are more illuminated now
than in the past and others are brightening”. The Report certainly recognizes
the difficulty of balancing privacy and security, but also argues that while
providing access to encrypted communications might be helpful and even
essential for national security purposes in the short term, in the long term
that access could increase vulnerability to espionage. The report also
concluded that market forces and technological developments will catch up and
assist law enforcement authorities in their investigations and information
gathering procedures.

Bruce Schneier himself made a strong argument in his addendum to the Report,
claiming that “Adding backdoors will only exacerbate the risks. As
technologists, we can’t build an access system that only works for people of a
certain citizenship, or with a particular morality, or only in the presence of
a specified legal document. If the FBI can eavesdrop on your text messages or
get at your computer’s hard drive, so can other governments. So can criminals.
So can terrorists”. He continues by providing the example of a backdoor that
was installed by a cellular provider in Greece for the Greek government to use,
and which was eventually abused by other actors. In the end, it is a matter of
a trade-off between short-term and long-term goals.

While technological developments pose a massive number of challenges, the main
question is whether the law can adapt to these developments, and more
importantly, whether judges and policymakers can understand that their
decisions might have negative long-term implications which outweigh short-term
goals, such as solving crimes and providing law enforcement authorities with
assistance. For a judge who deals with a terrorism investigation case, it is
extremely difficult to foresee the broader implications that his decision
might have. Naturally, the incentive to provide a prompt and effective remedy
is high, but the harm that such a remedy could cause might undermine and
challenge law enforcement authorities in future investigations, as well as
threaten national security if more backdoors are forced upon private
companies. For now, it seems that law enforcement authorities should keep up
with technological advancements and seek new ways to investigate and gather
information from alternative sources.

Private-sector experts now believe that the power outage in Ukraine on December
23, 2015, was caused by malware attributable to the Russian hacking group
‘Sandworm’. This incident is unprecedented, since it is the first time that a
cyber-attack has caused a power outage across international borders. Experts
had, however, been worried about cyber-attacks causing power outages or
significant harm to critical infrastructure long before the Ukrainian power
outage occurred; only now has the scenario materialized. The incident brings
back the difficult questions of whether there is a duty to ensure that one’s
territory is not used to cause harm to another state, as well as the question
of the protection of critical infrastructure from cyber-attacks, particularly
when such critical infrastructure provides the most basic, essential services,
such as electricity.

As to the first question, international law is currently indeterminate when it
comes to “due diligence in cyberspace”. Some argue that such an obligation has
existed since the Corfu judgment of the International Court of Justice, while
others argue that even if such an obligation exists, its precise contours are
highly debated and its application to cyberspace is questionable. The Tallinn
Manual, for example, provides that “A State shall not knowingly allow the cyber
infrastructure located in its territory or under its exclusive governmental
control to be used for acts that adversely and unlawfully affect other
States”; however, even the editor of the Tallinn Manual, Prof. Michael
Schmitt, admits that it was not possible to reach a “consensus on the exact
parameters of the obligation”. Even the current efforts to draft a treaty on
the “Prevention of Transboundary Harm from Hazardous Activities” do not do much
to resolve the doubts raised by Schmitt, as the draft provides that “The State
… shall take all appropriate measures to prevent significant transboundary
harm”. What “significant” or “harm” mean in that case is already a conundrum,
as is the fact that the Articles on the Prevention of Transboundary Harm remain
at the draft stage. The gradual development of an obligation of due diligence
in cyberspace is, however, a welcome one, since states will be required to
prevent cyber-attacks, as well as to react to and manage ongoing cyber-attacks
against other nation-states. At this point, the obligation is more of an ideal
than an actual, enforceable and respected international law obligation.

The second question is even more complicated, as it pertains to the duty of
states to protect their own citizens as well as the property within their
territory. States are only now beginning to realize that critical
infrastructure that is highly dependent upon computer systems and networks is
vulnerable and could be abused by malevolent actors. The main problem with the
realization that states are required to protect their own infrastructure is
that many states are not capable of doing so in the face of sophisticated
cyber-attacks and hacking groups. While many states are dependent upon cyber
infrastructure, many of them are simply incapable of protecting it.

On October 28, 2015, the Acting Librarian of Congress granted an exemption
under the Digital Millennium Copyright Act (DMCA) that allows the public to
access and modify vehicle software for “good faith security research” and
“diagnosis, repair or lawful modification”. The exemption comes mainly as a
response to the Volkswagen scandal, in which software code embedded in certain
car models was used to falsify emission figures, and reads as follows –

“Computer programs that are contained in and control the functioning of a
motorized land vehicle such as a personal automobile, commercial motor vehicle
or mechanized agricultural vehicle, except for computer programs primarily
designed for the control of telematics or entertainment systems for such
vehicle, when circumvention is a necessary step undertaken by the authorized
owner of the vehicle to allow the diagnosis, repair or lawful modification of a
vehicle function; and where such circumvention does not constitute a violation
of applicable law, including without limitation regulations promulgated by the
Department of Transportation or the Environmental Protection Agency…”

Cybersecurity experts applauded the exemption, which is expected to come into
force in October 2016. However, although such an exemption is needed in many
instances to fix certain bugs and glitches in the code, it is also going to
create new vulnerabilities, due to human error and lack of expertise.

The first challenge is efficiency. That is, who is capable of modifying the
software in the most precise and prompt fashion? Consider the fact that
automobile manufacturers spend enormous amounts of resources to tackle software
bugs, and only recently Ford recalled 433,000 cars due to a software bug. More
interestingly, Chrysler recalled 1.4 million cars following a vulnerability
that allowed a third party to take over dashboard functions, as well as
steering and braking. That is not to say that car owners cannot fix the
vulnerabilities themselves, but that these manufacturers can research and
implement bug fixes for hundreds of thousands of cars in a relatively efficient
manner. The main point here is that these manufacturers are accountable for the
software and the subsequent fixes and updates, while car owners who take it
upon themselves to address these vulnerabilities do not always possess the
skills or knowledge required to fully tackle them.

The second challenge is oversight. In other words, who makes sure that the
modification of the vehicle software is secure and does not create further
vulnerabilities? As mentioned earlier, many vulnerabilities can be created by
car owners if they either err or lack the knowledge required to deal with the
vehicle software. Car manufacturers are required to be transparent when it
comes to safety, and they constantly try to improve the integrity of the
vehicle software. The main concern with this challenge, however, is that car
owners might create vulnerabilities without even knowing it, and there will be
no higher authority to supervise and review the modified code for integrity.
Although the exemption provides that circumvention of the vehicle software
cannot violate Transportation regulations, it is still possible that certain
car owners will create unsafe software modifications by mistake, and the
difficulty with such a scenario is that the vulnerability created by the
circumvention will only be revealed if an accident occurs due to a software
malfunction.
What needs to be highlighted is that the DMCA exemption can actually
contribute in many instances to the safety and integrity of the vehicle software,
as there are many researchers who constantly monitor the code for
vulnerabilities. Those researchers may both offer a fix and inform the car
manufacturer about the vulnerability that needs to be fixed. Additionally, it
is important to remember that the DMCA exemption is a copyright claim
exemption, meaning that a car owner who tinkers with the vehicle software code
will not be sued under copyright law. However, do we need new safety
regulations to ensure the security and integrity of the vehicle software?
According to a new Senate Bill – yes, we do.

The Security and Privacy in Your Car Act (SPY Act) was introduced this July
with the aim of setting IT security standards for connected car manufacturers.
The Act instructs the National Highway Traffic Safety Administration and the
Federal Trade Commission to set certain security standards for vehicle
software, in order to enhance safety and privacy. The SPY Act goes even
further, by requiring that connected vehicles install technology that will
“detect, report and stop hacking attempts in real time”. In addition, the Act
aims to deal with car manufacturers who use their car software to collect data
about consumers.

The SPY Act complements the DMCA exemption well, as car manufacturers need to
follow certain binding and clear guidelines designed to secure the integrity of
the software, while the DMCA exemption allows car owners to take matters into
their own hands and tinker with the code to fix certain vulnerabilities. If car
manufacturers spend more time and resources developing more secure software to
comply with the IT security and privacy guidelines, there might be less need
for car owners to tinker with the code and possibly create more
vulnerabilities. More accountability and transparency on the car
manufacturers’ behalf will mitigate the challenges arising from the

The hacker group Anonymous declared that it will wage war against ISIS as a response to the Paris attacks on Friday night last week. The announcement was released as a video on YouTube, in the usual setting that Anonymous uses in most of its video announcements. Part of the message read "Expect massive cyber attacks. War is declared. Get prepared." In fact, similar threats were made by Anonymous in August last year, when it declared "full-scale cyber war" against ISIS, and also following the Charlie Hebdo attacks in Paris last January. So far, Anonymous' operation has been able to take down as many as 5,500 ISIS-related Twitter accounts.
Anonymous' declaration of "cyber war" on ISIS highlights the inability of States to effectively leverage the cyber-dependency of armed groups. ISIS is a non-state actor that operates heavily in cyberspace, whether for recruitment, communication or the deployment of hostile cyber operations. Only this August a U.S. drone strike killed Junaid Hussain, an ISIS hacker who was believed to have been involved in multiple hacking activities against the U.S. Central Command. This demonstrates that States do, in fact, take the cyber threats posed by armed groups seriously, to the point that they are willing to lethally target the individuals involved. That is a critical point about ISIS' modus operandi – while it is not in possession of sophisticated or unconventional weapons (yet), it is highly reliant upon cyberspace to carry out its attacks and recruit new members.
It is already known that ISIS recruits new members and inspires others by distributing propaganda online. This method is essential for ISIS because it tries to recruit local sympathizers to carry out attacks in their countries of residence. ISIS' ability to carry out these attacks or to communicate between existing members depends greatly on cyberspace and computer systems. States are yet to understand the importance of these methods to ISIS' operations, and as such, States have not acted to counter them by using cyber measures (as opposed to kinetic ones). As ISIS grows increasingly sophisticated in that regard, it is time for States to rethink their counter-terrorism strategies so they align with technological trends, particularly when it comes to ISIS.
An example of how technological trends complicate counter-terrorism strategies is ISIS' use of the PlayStation 4 gaming console for communication and coordination purposes during the Paris attacks, a very unorthodox communication method used to avoid detection, which experts describe as "more difficult to keep track of than WhatsApp". The NSA and CIA are in fact aware of such methods, having admitted that they monitored "World of Warcraft" and "Second Life" in order to track potential terrorist and criminal activity within these online games. The PlayStation 4 platform allows communication without typing or saying a word. For example, in Call of Duty (or most other shooter games) a player can shoot at a wall to create a disappearing text made of bullets. This reveals the difficulty of monitoring these communications in real time, but also reveals a vulnerability which States can take advantage of.
The problem with the mindset of States is that kinetic military operations are the default response to terrorist attacks. For example, French warplanes bombed ISIS headquarters in Syria following the Paris attacks, yet there were no public cyber operations to deny and disrupt communications and data in ISIS-affiliated computer systems. France could respond effectively to ISIS by carrying out a hybrid response operation – using kinetic military measures while also wreaking havoc on ISIS computer systems and networks. In that context, Anonymous understands something that States have overlooked – cyber-attacks can be just as devastating as physical military attacks, if not more so, and this is true in the case of ISIS. States have the resources to obtain the knowledge and capacity to engage in cyber countermeasures against terrorist organizations, and it is about time for States to get involved.

On October 27, 2015, the U.S. Senate voted 74 to 21 to pass a version of the
Cybersecurity Information Sharing Act (“CISA” or the “Act”) consistent with
legislation passed in the House earlier this year, thus ensuring that a
combined version of the two will become law. CISA was drafted so as to allow
companies to monitor information systems and to share and receive
cybersecurity threat data (or, as CISA defines it, “cyber threat indicators”)
with and from the Department of Homeland Security (DHS). DHS will then be able
to disclose and distribute the information to other agencies like the FBI and
NSA or to other companies, who can potentially use it to defend the target
company and other companies encountering similar attacks. No doubt the massive
hacks on health insurer Anthem, Sony, and the Office of Personnel Management
earlier this year swayed votes in favor of the Act.

Proponents of the Act claim that it respects privacy laws and is necessary
given the many cyber-attacks witnessed over just the past months. Its critics
contend that it is just another surveillance bill that will weaken our civil
liberties and privacy protections. In addition, it is argued that the Act is
unnecessary given the current privacy-compliant sharing of information, and
because it would not have prevented the recent cyber-attacks had it been in
force at the time.

Is CISA just another surveillance bill? On October 20, 2015, Senate Select
Committee on Intelligence (SSCI) Chairman Richard Burr (R-NC) and Vice Chairman
Dianne Feinstein (D-Calif.) released a fact sheet on CISA in which they
specifically argued that CISA is not a surveillance bill, because: (1) all
sharing is completely voluntary; (2) the U.S. government cannot monitor any
personal records, private networks or computers; (3) it requires private
companies and the government to review information before sharing to remove
irrelevant personally identifiable information; (4) it does not allow the
government to shut down websites; (5) it does not permit the government to
retain or use the information for anything other than cybersecurity purposes,
identifying a cybersecurity threat, protecting individuals from death or
serious harm, protecting minors or investigating limited cyber-crime offenses;
and (6) it provides rigorous oversight and requires regular reports to ensure
the protection of privacy. The fact sheet discussion does not refer to the
basic definition of surveillance, “close watch kept over someone or
something”; it does not clearly state that CISA does not provide the
government with a means of obtaining information so that it can keep a close
watch over such information. These points do not provide an explanation as to
why, in fact, this is not just another surveillance bill. More to the point, if
an Act allows private entities to provide the government with information so
that it can keep a close watch over such information for the purpose of
(amongst others set forth in Section 105(d)(5)(A)) preventing, investigating,
or prosecuting offenses relating to: “(1) an imminent threat of death, serious
bodily harm, or serious economic harm, including a terrorist act or a use of a
weapon of mass destruction; or (2) crimes involving serious violent felonies,
fraud and identity theft, espionage and censorship, or trade secrets,” does
this not constitute de facto surveillance?
Burr and Feinstein reiterate throughout the fact sheet that information sharing is voluntary,
but as Amie Stepanovich points out in a recent Wired article, “information that the government would be allowed to
share with participating companies under the bill may provide so much of a
competitive advantage — the advantage of being ‘in the know’ — that companies
will be forced to participate simply to keep up with their participating
competitors. Worse, not to participate might actually harm their corporate
interests and put their customers at risk.” Given Stepanovich’s pertinent observation,
we can reasonably assume that private entities will participate. The question
is, in what manner? Section 104(d)(2)(A) of the Act states that an entity
sharing a cyber threat indicator shall, prior to such sharing, “review
the cyber threat indicator to assess whether such cyber threat indicator contains
any information that the entity knows at the time of sharing to
be personal information or information that identifies a specific person not
directly related to a cybersecurity threat and remove such information”. This
provision is somewhat ambiguous. Is there an obligation upon the entity to
review? Or is the obligation only applicable if the entity knows that the
information includes personal information? Does this mean that the obligation
to review is not applicable if they do not know that the information includes
personal information? If so, then what’s the point of the provision? Was this
provision just poorly drafted?
Critics are reading Section 104(d)(2) together with Section 106(b) (no
cause of action shall lie or be maintained in any court against any entity, and
such action shall be promptly dismissed, for the sharing or receipt of cyber
threat indicators) to mean that in sharing the information, the private entities are not
obligated to scrub personal information out of the disclosures. That is, a
private entity will not be liable for disclosing personal information it did
not know was included within the information shared, unless the company
acts with willful misconduct or gross negligence. Whilst this could be seen as
a protective caveat, given the uncertainty surrounding the circumstances in
which there would actually be an obligation to review, it is similarly unclear
what would constitute willful misconduct or gross negligence. This, together
with the focus on real-time sharing, would discourage the private entity from
reviewing the information to check whether personal information is included,
thus weakening our civil liberties and privacy protections.
Technologists contend that even without such
legislation, they are already sharing information (with each other and with the
federal government) that helps protect their systems from future cyber-attacks
while complying with their obligations under federal privacy law. Specifically,
“When a system is attached (sic), the compromise will leave a trail, and
investigators can collect these bread crumbs. Some of that data empowers other
system operators to check and see if they, too, have been attacked, and also to
guard against being similarly attacked in the future.” If this type of
information sharing is already happening, (i) why is this broad legislation
necessary, and (ii) why were amendments that tried to define and clarify what information
can actually be shared, and under what circumstances, not passed? What makes CISA
more likely to have actually protected Anthem, Sony and OPM from cyber-attacks?
Let’s hope that private entities understand Burr and Feinstein’s claim that sharing
is voluntary and not obligatory and that such entities continue to share
information with each other and with the government whilst self-regulating and
complying with privacy laws, without seeking to absolve themselves of liability
by relying on CISA. Let’s hope that this Act will result in more industry
efforts to coordinate voluntary, privacy compliant, sharing of cyber threat
indicators that will actually inform companies as to vulnerabilities and help
other companies defend themselves from attack, whilst preserving our right of
On August 6, 2015, U.S. officials announced that a sophisticated cyber-attack targeted and affected the Pentagon's Joint Staff unclassified e-mail system.[i] It is estimated that the cyber-attack began on July 25, and that 4,000 e-mail accounts, both military and civilian, were affected by the cyber-attack that consisted of a "sophisticated" automatic system that obtained massive amounts of data within a minute and distributed it to thousands of internet users in a rapid manner.[ii] As a result of the attack, the Pentagon was forced to shut down the affected e-mail system[iii] and reopened it on August 7, nearly two weeks after the cyber-attack took place.[iv]
According to these officials, there is no certainty about the identity of the perpetrator of the cyber-attack, but it is suspected that Russian hackers are behind it. The reasoning for the suspicion is the scope of the attack, which suggests that "it was clearly the work of a state actor".[v] However, it is not yet conclusive whether the attack was carried out by the Russian government or by individuals. Surprisingly, the attribution process here is quite questionable, since no conclusive evidence was provided to support Russian involvement in the cyber-attack. Instead, according to the U.S., the scope of the attack, which managed to surprise the Pentagon, along with similar previous cyber-attacks, points towards Russian involvement. However, such a hastily made accusation could be detrimental to the goal of deterring cyber intruders. The optimal way is to establish attribution on solid evidential grounds, and it is unclear whether such solid grounds exist in this case.
This cyber-attack comes three months after a similar, allegedly Russian, cyber-attack targeted the unclassified e-mail system of the White House, which granted the hackers access to sensitive information such as the President's schedule and other non-public data.[vi] In both cases, the method used by the perpetrators was "spear phishing", i.e., an e-mail containing malware that is specifically tailored to a particular target. According to experts, spear phishing is not a particularly sophisticated cyber-attack method, which contradicts what U.S. officials claim.[vii] In addition, last month the Office of Personnel Management (OPM) hack was announced, in which allegedly China-based hackers collected sensitive information on federal employees, such as social security numbers, e-mail addresses, job assignments and more.[viii] In response to the OPM hack, the Obama administration decided to retaliate (or "hack back") against China, as "the usual practices for dealing with traditional espionage cases did not apply",[ix] yet the administration made it clear that the U.S. does not want to escalate the cyber conflict with China.[x]
It would be interesting to see how the retaliation strategy applies to the Pentagon cyber-attack. As cyber-attacks become more disruptive, even in the absence of visible kinetic effects, governments are looking for more ways to respond to and deter cyber-attacks. What is clear is that there is a major gap as to the permissible "cyber arsenal" that states have as a response to a cyber-attack. Even if the U.S. decides to employ the "hack back" approach in response to cyber-attacks, the precise contours of such an approach are unknown, and the approach requires more polishing. However, the right step has been taken with regard to publicity when a senior administration official said that "one of the conclusions we've reached is that we need to be a bit more public about our responses, and one reason is deterrence".[xi] In my July contribution to the Cyber Blog, I argued that the Administration should publicly act in response to the OPM hack, and that any delay in doing so would not work in favor of the U.S.; this, of course, is also true in relation to the Pentagon cyber-attack.
Unfortunately, the recent cyber-attacks did not demonstrate a consistent cyber strategy on behalf of the U.S., particularly a strategy that is tailored to address the broad spectrum of cyber-attacks by the various actors in the scene. If a "spear phishing" e-mail was indeed the initial vector of the Pentagon cyber-attack, it seems that some institutional cybersecurity training is also necessary, to avoid similar incidents in the future. In this case, preventive measures might prove to be more helpful and deterring than on-the-spot retaliation measures. As an example, Lockheed Martin has its own "red team", which every now and then tries to trick the employees (e.g., with spear phishing). If an employee falls for the "trap", he or she undergoes comprehensive cybersecurity training.[xii] Both the OPM hack and the Pentagon cyber-attack are the result of spear phishing that managed to trick its specific target. This calls for the enactment of comprehensive preventive measures, as well as concretely tailored retaliation procedures.
--------------------
[i] Courtney Kube, Russia Hacks Pentagon, NBC News (Aug 6, 2015), http://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html.
[ii] Courtney Kube, Jim Miklaszewski, Russian Cyber Attack Targets Pentagon Email Systems: Officials, NBC News (Aug 7, 2015), http://www.nbcnews.com/tech/security/cyberattack-pentagons-joint-staff-emails-take-system-offline-n405321.
[iii] Paul Shinkman, Reported Russian Cyber Attack Shuts Down Pentagon Network, U.S. News (Aug 6, 2015), http://www.usnews.com/news/articles/2015/08/06/reported-russian-cyber-attack-shuts-down-pentagon-network.
[iv] Jim Miklaszewski, Courtney Kube, Pentagon Email Systems Go Back Online After Cyber Attack, NBC News (Aug 7, 2015), http://www.nbcnews.com/news/us-news/pentagon-email-systems-go-back-online-after-cyber-attack-n406026.
[v] Kube, supra note i.
[vi] Evan Perez, How the U.S. thinks Russia hacked the White House, CNN (Apr. 8, 2015), http://www.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/.
[vii] Farzan Hussain, Spear Phishing Attack at Pentagon's Network, Breached 4000 Military Accounts, Hackread (Aug 7, 2015), https://www.hackread.com/pentagons-network-hacked-with-phishing-attack/.
[viii] Brian Bennett & Richard Serrano, Chinese Hackers Sought Information to Blackmail U.S. Government Workers, Officials Believe, Los Angeles Times (Jun. 5, 2015), http://www.latimes.com/nation/la-na-government-cyberattack-20150605-story.html#page=1.
[ix] David Sanger, U.S. Decides to Retaliate Against China's Hacking, NY Times (Jul 31, 2015), http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html?smprod=nytcore-iphone&smid=nytcore-iphone-share.
[xii] Peter Singer & Allan Friedman, Cybersecurity and Cyberwar 66 (2014).
Over the past few months, we have heard that the U.S. Congress is discussing a cybersecurity bill of some sort. Presumably, that is a good thing. There are a lot of cyber-related issues that need to be properly addressed and solved. But many of these bills are also dangerous. Not only do they fail to effectively solve cybersecurity problems, they further endanger the liberties of individuals. One of the latest cybersecurity bills, currently moving its way up in Congress, is the "Cybersecurity Information Sharing Act of 2015" (CISA).[i]
As evident from its title, CISA is mostly about information sharing. It establishes an information-sharing alliance between companies and the NSA. No warrants are needed. In exchange, the participating companies receive broad immunity to both spy on users and even act offensively against "threats." Sound familiar? Well, CISA is hardly new proposed legislation. It builds upon other proposed bills, namely the "Cyber Intelligence Sharing and Protection Act" (CISPA),[ii] which eventually did not pass into law. It also adds to many other proposed bills still pending in Congress.[iii] One of these proposed bills, which previously appeared in this blog, is the "Protecting Cyber Networks Act" (PCNA).[iv] While CISA and PCNA share many similarities, they are not identical. The PCNA, in its current form, does not generally allow an alliance between companies and the Department of Defense. In other words, the National Security Agency (NSA) under the PCNA is presumably out of the picture.
But perhaps the main problems of CISA, in its current form, are different. First and foremost, it grants the NSA direct, warrantless access to a wide variety of personal information. This information sharing is almost unlimited. Why? Because CISA authorizes companies to share any information, as long as there are "cyberthreat indicators." What are those? No idea. CISA does not clearly define them, meaning that anything could fall under this category. If Edward Snowden tried to better protect civilians with his revelations, then he might have achieved the opposite result. In other words, civil rights and liberties are still at stake, probably more than ever before.
But beyond that, CISA raises another important issue, which should be further clarified by Congress: potential "hack backs." The broad immunity for companies does not only apply to information sharing, which could be troubling enough, but also to some forms of protection. Are these truly "hack backs", as many argue?[v] I think not. CISA grants private entities, for cybersecurity purposes, the right to "operate a countermeasure" that applies to an information system of such private entity; an information system of another entity upon written consent of such entity; and an information system of a Federal entity upon written consent. It also clarifies that such authorization does not include operation of any countermeasure that is designed or deployed in a manner that will intentionally destroy, disable, or substantially harm an information system not belonging to the private entity. Therefore, these "countermeasures" could only be taken as a defensive measure on the company's own property. In other words, it seems that CISA only allows companies to deploy self-protective measures for intrusion prevention, e.g., deploying firewalls. If this is true, is there any need for specific legislation that allows such protection? Aren't companies already allowed to deploy firewalls and antivirus programs on their networks? Sure they are. What I think it means is that companies will be allowed to act aggressively against attackers while they are "within" their networks: some sort of self-defense provision that grants companies more assurance that their actions are legal. So, it seems that those companies will not be allowed to launch countermeasures against potentially innocent users. That's a good thing, as I noted in a previous blog post, because hack backs could be dangerous. If my interpretation is correct, then at the very least this provision makes sense, but it still requires further Congressional clarification.
One final note. As I usually point out in cyber-related posts: Protecting any nation and any individual from cyber-attacks is highly important. I do not doubt that for even one second. But it does not mean that all is fair in "cyber-war." Congress seems to respond too broadly, without truly considering the impact of such legislation on our everyday lives. Their decisions today might truly shape our future, both in the digital and the kinetic worlds. As many journalists and scholars argue, surveillance does not equal security.[vi] Congress seems to be stuck in 1984, and that is why criticism is crucial, perhaps now more than ever before.[vii]
[i] Cybersecurity Information Sharing Act of 2015, S. 754, 114th Cong. (2015).
[ii] Cyber Intelligence Sharing and Protection Act, H.R. 3523, 112th Cong. (2013).
[iii] See, e.g., Cyber Threat Sharing Act of 2015, S. 456, 114th Cong. (2015); National Cybersecurity Protection Advancement Act, H.R. 1731, 114th Cong. (2015); Cyber Intelligence Sharing and Protection Act, H.R. 234, 114th Cong. (2015).
[iv] The Protecting Cyber Networks Act of 2015, H.R. 1560, 114th Cong. (2015).
[v] See, e.g., Stop the Cybersecurity Information Sharing Act, EFF, available at https://act.eff.org/action/stop-the-cybersecurity-information-sharing-act (last visited Aug. 1, 2015).
[vi] See, e.g., Patrick G. Eddington & Sascha Meinrath, Opinion: Why the information sharing bill is anti-cybersecurity, CS Monitor (July 22, 2015), http://www.csmonitor.com/World/Passcode/Passcode-Voices/2015/0722/Opinion-Why-the-information-sharing-bill-is-anti-cybersecurity.
[vii] There are currently various initiatives to stop CISA. See, e.g., supra note v.
The Cyber Forum is a joint project of the Haifa Center for Law & Technology (HCLT) and the Minerva Center for the Rule of Law under Extreme Conditions at the University of Haifa, dedicated to the study of cyber regulation. The main goal of the Forum is to promote research activities in the fields of Cyberspace, Extreme Conditions and Law and Technology.
The Haifa Center for Law and Technology (HCLT) is a renowned interdisciplinary research institute. It is the first and the only center in Israel dedicated to the study of the interconnection between law and technology. HCLT further seeks to promote dialogue between academics, innovators, policymakers and businesses, in order to establish the scientific foundation for legislation to address new technologies. The center conducts workshops and conferences, and promotes research activities by faculty and students, judges, lawyers, jurists, decision makers and the general public.
The Minerva Center for the Rule of Law under Extreme Conditions at the University of Haifa Faculty of Law and the Geography and Environmental Studies Department is an international venue and transnational forum - together with the University of Hamburg - for study, research, training, education and publication. Its mission is to focus on the rule of law, broadly defined to include policy and regulation, under three main types of extreme conditions: natural disasters; national security challenges; and socioeconomic crises.