Published by The Lawfare Institute
The totality of the commission’s recommendations is designed to meet the goal of developing a strategy of “layered cyber deterrence”—namely, one that emphasizes national and international resilience and public-private collaboration. The recommendations’ short-term goal is to prevent or mitigate the effects of major cyberattacks; the long-term goal is to create a digital environment that is safe and stable, promotes continued innovation and economic growth, protects personal privacy, and ensures national security. These objectives underpin all of the commission’s recommendations—from reforming the U.S. government’s cyber incident response structure and capabilities, to promoting national resilience against cyber-enabled operations, reshaping the cyber ecosystem toward greater security, and mobilizing the private sector to collaborate with the U.S. government in addressing cyber threats.
Beyond regulatory investigations by the FTC, however, it is also currently possible that the failure to prevent or warn customers about security vulnerabilities in software could, in cases of exploitation, potentially give rise to state tort liability under a negligence theory. But at present, courts have been reluctant to conclude that the existence of a security vulnerability can, on its own, give rise to the injury-in-fact sufficient to establish standing under Article III. For example, in one recent case a district court found that plaintiffs lacked the injury-in-fact necessary for Article III standing, where plaintiffs failed to show a concrete or monetary harm stemming from two distinct vulnerabilities in Intel chips, generally known in the industry as “Spectre” and “Meltdown.” The court noted that the plaintiffs had failed to allege what “adequate measures” Intel could have reasonably been expected to take to remedy the problem. In the context of an actual data breach, the U.S. Courts of Appeals for the First, Third, Fourth and Eighth Circuits have ruled that allegations of “an increased risk of identity theft,” and even the expenditure of funds to mitigate such risks after a data breach, do not satisfy constitutional standing requirements in the absence of actual harm. However, the Sixth, Seventh and Ninth Circuits have concluded that a substantial risk of future harm arising from a data breach, combined with costs to mitigate that risk, is sufficient to satisfy Article III.
Other actions based on cybersecurity failings are also possible under existing U.S. law. For example, in the context of software provided to the government, consumer plaintiffs prevailed under the False Claims Act on a motion to dismiss regarding an alleged failure to meet certain cybersecurity requirements. These arguments and cases do not all neatly map onto the security vulnerability scenarios that the commission envisions, but they have provided plenty of fodder for courts to advance jurisprudence in this nascent space.
Recognizing the dangers presented by vulnerabilities in connected products and the lack of a uniform approach at the federal level, the commission’s recommendation to establish statutory liability would, if enacted into law, make companies at the end of the supply chain liable for damages from cyber incidents that exploit known vulnerabilities that were and remain unpatched. Such a law would constitute a novel departure from the presently underdeveloped legal landscape described above. From the commission’s perspective, final goods assemblers are best positioned in the supply chain to identify vulnerabilities and fix them, and thus should be the ones to whom customers turn when a problem arises.
The commission has made other recommendations that likewise implicate key questions under domestic law for connected devices. In light of the pandemic, the commission recently released an additional white paper with new and expanded recommendations for Congress to consider, including an “internet of things” (IoT) security law that would mandate that such devices bake in “reasonable security measures” such as “requiring unique default passwords that a user must change to their own authentication mechanism upon first use.” The commission recommends implementing a law that is “modestly prescriptive” but still stresses “enduring standards” for key security issues, including authentication and patching.
Currently, enforcement of IoT security relies on a patchwork of guidelines and authorities. California, for example, became the first state in the nation to pass an IoT security law, which came into effect on Jan. 1 and requires all “connected devices” sold or offered in California to have “reasonable security” measures, including features designed to protect against “unauthorized access, destruction, use, modification, or disclosure.” Oregon passed a similar law but limits its definition of “connected devices” to those devices “used primarily for personal, family or household purposes.”
In the absence of federal legislation, and as noted above, the FTC has also stepped in to help better secure IoT devices in a handful of cases, requiring companies to establish and maintain comprehensive security programs, subject to independent audits. A bill introduced by Sens. Mark Warner and Cory Gardner in 2019, and cited by the commission as a “viable model for a federal law,” would spur the development of security standards for IoT devices used by the federal government. That said, the commission’s recommendation for a law mandating security expectations for all IoT devices is certainly broader and would have widespread ramifications for manufacturers across numerous economic sectors. Should such a law ultimately be enacted, both the private sector and, likely, the courts would need to wrestle with how to define and scope this duty of care and how to demonstrate that it has been implemented.
Apart from domestic regulatory and legislative recommendations, the Cyberspace Solarium Commission also sets out an overarching strategy for managing and preventing cyber conflict. Specifically, the commission defines a strategy of “layered cyber deterrence” to “increase the costs and decrease the benefits that adversaries anticipate when planning cyberattacks against American interests.” It is within this strategic framework that the commission’s report approaches the concept of “defend forward,” defining it as “[t]he proactive observing, pursuing, and countering of adversary operations and imposing of costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all of the instruments of national power.” (The commission describes this as a “reimagining and expansion” of the 2018 Defense Department definition of “defend forward,” which is to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”) These activities will no doubt vary along a continuum of activity ranging from intelligence collection and reconnaissance to potential disruption and active-defense measures. But, as we note below, depending on how this strategy is implemented, certain activities that “disrupt and defeat ongoing malicious adversary cyber campaigns” beyond U.S. borders may come into tension with U.S. obligations under international law.
The international law applicable to state cyber operations remains unsettled. Moreover, as the U.S. Department of Defense notes in its Law of War Manual, elements of the law of war potentially applicable to cyber operations may change as states evaluate and respond to new cyber capabilities. The vast majority of state-sponsored cyber activities consist of frequent, yet low-level intrusions that fall below the threshold of “use of force” under Article 2(4) of the U.N. Charter. Below this threshold, where the activities encompassed by the “defend forward” concept would most likely occur, international law principles and frameworks potentially relevant to state cyber activities include the nonintervention principle, the doctrine of countermeasures and the principle of state sovereignty.
First, the nonintervention principle, as reflected in the U.N. General Assembly’s Friendly Relations Declaration and the International Court of Justice’s Nicaragua judgment, prohibits states from intervening by coercive means in a way that affects a state’s domaine réservé (essential functions internal to a state’s domestic jurisdiction). There is some debate as to the level of state behavior required to meet this threshold and thereby violate the nonintervention principle. Arguably, it could include state cyber activity that impacts a public transportation system or that tampers with electoral infrastructure, for example.
Second, the doctrine of countermeasures is also potentially applicable in the context of the commission’s recommended strategies for deterring and managing cyber conflict. Countermeasures allow a state that is the victim of an internationally wrongful act to take actions intended to bring a state that is breaching an international obligation back in line with such legal obligations, even if that action would ordinarily violate international law. That action must be necessary and proportionate, and designed to cause the state to comply with its obligations, rather than exact a punishment or serve as retaliation. Of course, defend-forward operations that neither violate the nonintervention principle, nor other international obligations, need not be justified as countermeasures.
Since countermeasures are to be directed at an offending state, confidence in attributing cyber operations could play a particularly important role. Not only might uncertainty about attribution stand in the way of taking action under this doctrine, but it also may lead some states to question the legitimacy of the countermeasure and regard it, instead, as an internationally wrongful act. The commission’s report likewise stresses the importance of attribution, noting that “challenges in establishing timely and accurate attribution can weaken cyber deterrence by generating doubt about the identity of the perpetrator of a cyberattack and undermining the credibility of response options.”
One recent incident illustrates increased international capabilities and willingness to attribute specific cyberattacks to specific actors. In October 2019, a large cyberattack took thousands of websites offline, including websites of government agencies, in the country of Georgia. In response, multiple states, including Georgia, the United States and the U.K., as well as the EU, publicly attributed the attack to the Russian GRU—the same group responsible for the 2017 NotPetya cyberattack, as well as the attack on Ukraine’s electricity grid in 2015. The commission’s structural recommendations and recent legislative proposals, including the proposed Bureau of Cyberspace Security and Emerging Technologies within the Department of State, would, in part, work with key allies and partners to enhance multilateral cooperation, strengthen deterrence, and promote responsible state behavior in cyberspace, including through coordinated public attribution and the imposition of consequences.
Finally, with regard to state sovereignty, there are differing views as to whether sovereignty is a principle or a rule under international law. Whereas the Tallinn Manual and Tallinn Manual 2.0 approached sovereignty as both a principle of international law and a rule of international law, U.K. Attorney General Jeremy Wright took a different approach, noting that:
“[s]overeignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK government’s position is therefore that there is no such rule as a matter of current international law.”
As of today, the U.S. Department of Defense’s perspective appears to have been articulated by Department of Defense General Counsel Paul C. Ney Jr., who has claimed that “States have sovereignty over the information and communications technology infrastructure within their territory.” Ney also explained, however, that “the [Defense] Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits … non-consensual cyber operations in another State’s territory.”
Even viewing sovereignty as a rule, the question remains as to what constitutes a violation of state sovereignty in cyberspace and whether such a violation would require some threshold impact—whether physical or virtual. If a threshold impact is required, then only those incursions that cause an impact above a “de minimis” threshold would constitute violations of sovereignty. In contrast, the French Ministry for the Armed Forces apparently holds that “any unauthorized penetration by a State ... may constitute, at the least, a breach of sovereignty.” Whether the French Ministry for the Armed Forces equates this breach of sovereignty with a breach of international law is unclear, as is whether this is the perspective of the French government more broadly. In 2016, the Obama administration’s State Department legal adviser noted the practical difficulties with this approach, namely that “[t]he very design of the Internet may lead to some encroachment on other sovereign jurisdictions.”
Ultimately, there is a potential tension between certain defend-forward operations and norms of responsible state behavior in cyberspace regarded as rooted in the principles of state sovereignty and nonintervention. It is worth noting in this context, though, that the commission’s work has been consciously informed by principles of international law and expertise regarding how defend-forward operations could be undertaken in practice. In discussing the imposition of costs on adversaries in cyberspace, for example, the commission notes that “[t]his posture implies persistent engagement with adversaries as part of an overall integrated effort to apply every authority, access, and capability possible ... to the defense of cyberspace in a manner consistent with international law.” Although there may be challenges in executing proactive cyber activities in practice, the commission’s recommendations do not reflect a fundamental departure from the historic U.S. interpretation of international law principles. The commission readily confirms that U.S. strategy should be “consistent with norms of acceptable behavior defined by the United States and like-minded nations with a shared global interest in a stable cyberspace.” The commission recognizes that this area of law is still unsettled and that the majority of states may not agree on where international law stands with respect to a given cyber operation. The commission, accordingly, maintains the view that “norms of acceptable behavior will not emerge unless the United States is willing to act, in concert with allies whenever possible, to impose meaningful costs on bad actors in cyberspace to change their behavior.”