Author Note: This blog post was co-written with the assistance of Shane R. Reeves, a Lieutenant Colonel in the United States Army, a Professor and the Deputy Head, Department of Law at the United States Military Academy, West Point, New York.
State-sponsored cyber hostilities on corporations are not a new occurrence. Digital assets of private corporations are routinely facing cyber threats as state actors increasingly seek to gain economic advantages in the global economy. Additionally, state actors are using cyber hostilities to commit acts of terrorism and acts tantamount to terrorism for political reasons unrelated to economics or armed conflicts. Recent examples include the August 2014 Russian hack of JP Morgan Chase, the continuous cyber activities against corporate targets conducted by Unit 61398 of the Chinese People’s Liberation Army, and North Korea’s hack of Sony Pictures.
The rapidly increasing willingness of state actors to conduct hostile cyber operations against corporations has not gone unnoticed by governments, and, in particular, the United States. Corporations, for their part, overwhelmingly support government involvement in cyber issues. This mutual desire for a corporate-government partnership provides an opportunity to build an effective response to the cyber threat posed by state actors. Yet, corporations also must be cognizant that the present environment is woefully inadequate at providing the necessary cyber defense mechanisms needed to protect their businesses. This short-term need for protection coupled with the interest in a corporate-government partnership raises two questions: First, what can a corporation do to protect itself from state-sponsored cyber hostilities? Second, what are some possible models for a corporate-government partnership to address the threat in the future?
In a new article, upon which this blog post is based, my co-author and I attempt to answer these questions as corporations face, almost daily, sophisticated and destructive forms of cyber hostilities conducted by state actors. Unfortunately, the current state of both domestic and international law leaves a corporation with limited response options. Corporations that are victims of cyber hostilities perpetrated by a state actor have essentially one option under domestic law: rely on law enforcement to enforce any applicable statutes. This can be challenging, as there is often little that domestic law enforcement can do under the current legal regime against foreign government agents that have hacked private entities. This limitation can cause frustration and lead businesses to consider active defense measures in their cyber security systems. However, a corporation's attempt to use active measures is particularly problematic under international law.
International law categorically prohibits a non-state actor—in this case a corporation—from actively engaging a hostile state, even if victimized by a cyber attack. The right of action against a state actor is exclusively within the purview of states, as articulated in the United Nations Charter and the Articles on State Responsibility. Though this is unsettling for a corporation constantly victimized by hostile cyber activity, the U.N. Charter intentionally excludes all non-state actors, including corporations, from having a right to invoke self-defense against a state actor, regardless of the reason. Further, even for those actions that may not be considered a use of force under international law, the Articles on State Responsibility make clear that it is a state's obligation to respond to any breach of its sovereignty. In their role as non-state actors, corporations are limited to implementing only defensive, protective measures when victimized by state-sponsored cyber hostilities. However, it must be reiterated that corporations should tread lightly even with these actions, as the law clearly does not allow a company to initiate cyber hostilities in any way.
The best course of action for a corporation is to contact their own government to respond on their behalf. Of course this requires a strong partnership between the government and the private sector. In the United States, this partnership is in its infancy and is complicated by a host of problems including: distrust between the private and public sector, corporate reputational concerns, potential liability caused by cyber incidents, and sensitivity of operating in a global economy. This complex web of issues incentivizes both public and private actors to hew to their own interests, withhold critical information from one another, and make decisions without consultation.
The government is not oblivious to this problem and has taken steps to better coordinate a response to hostile cyber activities while simultaneously promoting information sharing between the public and private sectors. While these efforts are a significant step in the right direction, they are insufficient for handling the ever-growing cyber threat to corporations. Instead, a sufficiently robust public-private cyber partnership will require consideration of more radical ideas. Examples may include: creating a confidential reporting mechanism coupled with limiting financial liability for those corporations that openly report a cyber incident, or expanding the powers of the Foreign Intelligence Surveillance Court to allow victimized companies to petition for a government response to a cyber assault.
These two relatively unexplored recommendations are not intended to be a panacea for the corporate cyber problem, but rather illuminate the need for creativity in developing a response strategy. It will take unorthodox solutions to remove the disincentives currently inhibiting the public-private partnership. Yet, the importance of enhancing this public-private partnership cannot be overstated and is of utmost importance for both corporations and the national security of the United States. Neither corporations nor the government can afford to remain static as the speed and ferocity of cyber hostilities—in particular those launched by state actors against private companies—are becoming the new normal.
Editor’s Note: The opinions expressed in this article are entirely those of Daniel Garrie and Shane R. Reeves and not those of ZEK or of the United States Military Academy. The views expressed here are the personal views of Shane R. Reeves and do not necessarily reflect those of the Department of Defense, the United States Army, the United States Military Academy, or any other department or agency of the United States Government. The analysis presented here stems from the academic research of Shane R. Reeves based on publicly available sources and is not based on protected operational information.