International Law and Private Actor Active Cyber Defensive Measures. Paul Rosenzweig

Few can doubt that cyber theft and espionage are rampant, costing governments and private sector actors billions, if not tens of billions, of dollars in losses annually. [1] To a large degree, government efforts to reduce the risks of such cyber intrusions have proven unavailing; one need only think of the recent revelations of significant intrusions into more than 140 American companies by Chinese hackers affiliated with the People's Liberation Army. [2] The failure of the government to provide adequate protection has led many theoreticians to suggest the need for private sector self-help. After all, the argument goes, if the government is unable (or perhaps unwilling) to provide an effective defense available to all citizens on the network, then it is incumbent on private sector actors to defend themselves. More to the point, if the government is unable (or perhaps unwilling) to take, or threaten to take, offensive actions that would deter cyber attacks, then it may likewise be incumbent on private sector actors to engage in forms of active defense that at times look an awful lot like offensive action. While these private sector actions take many forms, they go by the collective name of "hack back": the idea that private sector actors may hack back at the hackers who are attacking them.

In the United States scholars have begun to debate the legality of hack back. To date, that examination has focused exclusively on domestic American law. [3] The discussion is inconclusive, though it is probably fair to say that the weight of analysis favors the conclusion that active hack back by private sector American actors violates the Computer Fraud and Abuse Act. [4] But that conclusion hardly ends the matter; laws that are made, after all, can be unmade. And if we were to conclude as a matter of policy that it was appropriate to allow private sector actors to conduct active hack back defense, there might well be an appetite to change the law. [5]

[*] Professorial Lecturer in Law, George Washington University School of Law; Principal, Red Branch Consulting, PLLC; and Distinguished Visiting Fellow, Homeland Security Studies and Analysis Institute. Opinions expressed are the author's own. My thanks to the symposium participants at Stanford and the organizers from the Stanford Journal of International Law for their comments and efforts. Special thanks to Ms. Rebecca Heflin for able and effective research assistance, without which this paper would not exist.
[1] In 2012 Norton, the cybersecurity company, estimated that annual losses were $110 billion for consumers globally. See 2012 Norton Cybercrime Report, https://www.norton.com/2012cybercrimereport.
[2] Mandiant, APT1: Exposing One of China's Cyber Espionage Units, http://intelreport.mandiant.com/mandiant_apt1_report.pdf.
[3] See, e.g., The Hackback Debate, Steptoe Cyberblog, http://www.steptoecyberblog.com/2012/11/02/the-hackback-debate/.
[4] 18 U.S.C. § 1030.
[5] E.g., Rep. Gohmert Wants A Law That Allows Victims To Destroy The Computers Of People Who Hacked Them, Techdirt, March 19, 2013, https://www.techdirt.com/articles/20130316/01560522347/rep-gohmert-wants-law-that-allows-victims-to-destroy-computers-people-who-hacked-them.shtml; Steven P. Bucci, Paul Rosenzweig and David Inserra, A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace, Heritage Foundation, April 1, 2013, http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace.

Electronic copy available at: http://ssrn.com/abstract=2270673

But American authorization of private sector offensive action would hardly end the discussion. Indeed, it would merely begin it. Cyberspace is, after all, an internationalized, trans-border domain. Hacking attacks on American companies often originate overseas and transit foreign servers. Thus, any American hack back would, almost inevitably, involve other countries and their laws. Yet, to date, little, if any, consideration has been given to the question of whether private sector hack back violates (or is authorized by) the domestic laws of other nations, or any international conventions or customary international law. This short article seeks to fill that gap with some preliminary thoughts regarding the application of non-American law to American private sector hack back. The fundamental conclusions are two-fold: 1) to the extent any customary international law exists at all, it is likely to discourage private sector self-help outside the framework of state-sponsored action; and 2) almost certainly, hack back by an American private sector actor will violate the domestic law of the country where a non-US computer or server is located. In light of these twin conclusions, American companies considering offensive cyber operations would do well to proceed with caution.

I. Defining Hack Back

Any discussion of hack back must, at least for initial purposes, begin with some working conception of what, exactly, the term means. In other words, what techniques are being considered? One can readily imagine certain types of non-destructive actions, for example, that might be more readily approved than more aggressive, destructive activity. Provisionally, then, one can offer the following definition of active cyber defense: "the synchronized, real-time capability to discover, detect, analyze, and mitigate threats. It operates at network speed using sensors, software and intelligence to detect and stop malicious activity, ideally before it can affect networks and systems. While intrusions may not always be stopped at the network boundary, an entity may operate and improve upon its advanced sensors to detect, discover, map and mitigate malicious activity on an entity's network." [6]

Within that definition fall a number of potential activities. We might, for example, consider a type of defense that could be characterized as "Internal Self-Defense", that is, activity within one's own network. Such activities might include (and this is only a partial list): the creation of attractive honeypots [7] with surreptitious payloads that enable a defender to track the attacker inside the defender's own system or to observe efforts to remove data; using threat information and intelligence to screen or block incoming traffic associated with those threat indicators (as, for example, blocking suspect IP addresses);

[6] This definition is slightly modified from DOD's formal definition of active defense, which appeared in the 2011 Department of Defense Strategy for Operations in Cyberspace. It also appears in the Center for a New American Security Policy Brief, Active Cyber Defense: A Framework for Policymakers.
[7] As the name implies, honeypots are intended to attract hackers by purporting to be worthwhile subjects of attack. One might, for example, give a document honeypot the Microsoft Word name "Plans for Countering Hackers.docx" and expect it to be the subject of an attack.

cutting off network access when certain types of internal data are being manipulated, so as to prevent their exfiltration; and/or using "canary trap" [8] markings on data so that when and if it is re-used the illegal activity will be readily identified.

Far more aggressively, we can imagine disruptive activities that operate beyond the boundaries of the defender's network and have effects at the attacker's location, or at intermediate locations. These types of "Active Defense" (which may actually seem like offense to many) could include (and, again, this is only a partial list): using the payloads already described to identify intermediate or originating server sites; going beyond identification to take some action against the intermediate or originating server sites that would cause the data exfiltration or collection activities to stop; and using armed payloads (in effect, hackers' tools like zero-day exploits [9]) that cause more affirmative harm, either at the adversary's originating control computer or, possibly, even within the systems of the ultimate user of the stolen data (who may, or may not, be aware of the data's origin).

Plainly this definition is incomplete; it is more descriptive than normative. And even to the extent it attempts to be descriptive, many more techniques could be imagined (and likely will be), and a more precise definition might be crafted. The location of a network boundary, for example, is often indistinct and subject to dispute. But the fundamental precepts are unlikely to change: the extensional definitional distinction is between techniques that relate to an actor's own system and ones that relate to systems other than the actor's own. [10]

Taking all of this together, we might conceptualize the definitional/typology problem as a graphic that looks something like this (where the type of defensive activity is ranged across the top line of the grid and the domain location of the activity is ranged down the side): [11]

[8] A canary trap derives its name from the proverbial canary in the mineshaft, which discloses a threat. In the cyber manifestation, data that might be stolen carries a covert digital watermark of some sort, embedded so that the original owner can identify the stolen nature of the data when it reappears in another context.
[9] A zero-day exploit takes advantage of a vulnerability in a software program that is not yet known to the program's vendor and has therefore not been patched. Since most vulnerabilities are patched soon after they become known, such exploits are very valuable; the name reflects that the vendor has had zero days in which to prepare a fix.
[10] One important collateral point is worth making here: not all private sector actors have equal capabilities. This leads some to doubt the effectiveness and utility of private sector hack back. To be sure, some actors might be less than competent, and authorizing their activity might cause affirmative disruption globally. On the other hand, it seems relatively clear that some private actors have capabilities equal to, and different from, those possessed by governmental actors that could have a positive effect on overall cybersecurity. There will, therefore, be modalities in which some private sector action might be authorized and regulated that could resolve many of the effectiveness concerns.
[11] This typology is modified from an earlier short work of mine: Paul Rosenzweig, A Typology for Evaluating Active Cyber Defenses, Lawfare Blog (April 15, 2013), http://www.lawfareblog.com/2013/04/a-typology-for-evaluating-active-cyber-defenses/.
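The "canary trap" marking mentioned in the Internal Self-Defense list and footnote 8 is the one technique in that list whose legal posture is least contested, because it touches nothing but the defender's own data: it sits squarely in the in-network, observation-only corner of the typology. The following is an added worked example, not code from the paper, of one way to implement such markings. The dataset, the recipient names and the owner key are constructed for illustration; the design choice of an HMAC keyed on the recipient's identity means a thief cannot tell which copy they hold, forge a marker implicating someone else, or strip the marker without knowing which record is the synthetic one.

```python
"""Canary-trap marking of a dataset: a keyed, per-recipient marker that
identifies a stolen copy when it resurfaces elsewhere.

Added example; not part of the paper.  DATASET, OWNER_KEY and the recipient
names are constructed for illustration.
"""
import hashlib
import hmac
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records; any real dataset would do.
DATASET: List[Dict] = [
    {"id": 1001, "name": "Acme Widgets", "email": "ops@acme.example"},
    {"id": 1002, "name": "Beta Tools", "email": "it@beta.example"},
    {"id": 1003, "name": "Gamma Ltd", "email": "sec@gamma.example"},
]

# Hypothetical owner secret.  In practice: 32 random bytes kept in a KMS.
# The marker is HMAC(key, recipient), so without the key a thief cannot
# learn which copy they hold, forge a marker for another recipient, or
# even confirm that a given record is the marker.
OWNER_KEY = b"example-only owner key"

# Markers are disguised as an e-mail address under a domain the owner controls.
MARKER_RE = re.compile(r"cr-([0-9a-f]{16})@canary\.example")


def _marker(recipient: str) -> str:
    """64-bit keyed tag bound to one recipient (truncated HMAC-SHA256)."""
    return hmac.new(OWNER_KEY, recipient.encode(), hashlib.sha256).hexdigest()[:16]


def mark_copy(dataset: List[Dict], recipient: str) -> List[Dict]:
    """Return a copy of `dataset` with one synthetic record carrying the marker.

    The record looks like an ordinary customer, so a bulk exfiltration (a
    database dump, a copied spreadsheet) carries it along unnoticed.  It is
    placed mid-list rather than appended, to avoid an obvious tell.  The
    original list is left untouched.
    """
    copy = [dict(r) for r in dataset]
    canary = {
        "id": 1000 + len(copy) + 1,
        "name": "Delta Research",
        "email": f"cr-{_marker(recipient)}@canary.example",
    }
    copy.insert(len(copy) // 2, canary)
    return copy


def identify_leak(leaked_text: str, recipients: List[str]) -> Tuple[str, Optional[str]]:
    """Scan text that has surfaced elsewhere (a paste, a forum post, a
    competitor's file) for the owner's marker format.

    Returns ("no-marker", None) when nothing of ours is present,
    ("matched", recipient) when a tag recomputes for a known recipient, and
    ("unmatched-marker", None) when the format is ours but no recipient fits,
    i.e. a forged or corrupted tag, or a recipient no longer on record.
    """
    found = set(MARKER_RE.findall(leaked_text))
    if not found:
        return ("no-marker", None)
    for recipient in recipients:
        if _marker(recipient) in found:
            return ("matched", recipient)
    return ("unmatched-marker", None)


if __name__ == "__main__":
    recipients = ["partner-a", "partner-b", "partner-c"]
    copies = {r: mark_copy(DATASET, r) for r in recipients}
    # Simulate partner-b's copy turning up as a JSON dump on a paste site.
    surfaced = json.dumps(copies["partner-b"], indent=1)
    print(identify_leak(surfaced, recipients))
```

Note what this does not do: it sends nothing to the attacker's machine and touches no system but the owner's, which is exactly why it belongs in the in-network column. A beacon that phones home from inside the stolen document would, by contrast, already be an out-of-network act and would fall under the harder questions the paper takes up next.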

                    Observation    Access    Disruption    Destruction
  In Network
  Out of Network

This typology of private sector self-defense actions would have a number of positive benefits. First and foremost, if we get the typology right it will help to identify important definitional questions that the law and policy must answer. We need, for example, to define legally what constitutes a "network", and probably we need to identify the difference between attribution techniques and prevention techniques. Second, if we get the definitions right, or close to right, a typology then helps us identify the appropriate legal regimes that would apply in various domains. We can ask a sensible question like "what should be the legal limits of a private sector actor's off-network attribution efforts that have no appreciable effect?" and mean something that actually says "is this beaconing technique legal?" And, finally, of course, in the absence of a typology we can't discuss the application of domestic law, much less international law.

II. International Conventions and Customary International Law

To begin with, we must answer a reasonable question: is international law even relevant to the question of private sector hack back? A fair first approximation of the answer would be: no, it isn't. Not at all. This is so for at least two independent and important reasons. First, of course, a quick survey of existing international instruments makes it clear that private sector offensive cyber activity is nowhere mentioned. Thus, as a formal matter, current international law is completely silent on the topic. Second, and rather more fundamentally, with very limited exceptions, [12] international law is directed at nation-state actors and is intended to control their behavior. [13] Nations sign treaties and nations are, in turn, bound to act on the obligations they undertake. In general, international law has nothing to really say about private actors and their behavior.

But that would be a terribly short and uninteresting contribution to the state of current legal analysis. And so, in the interest both of intellectual curiosity and of making this short paper worth something more than a bland "it isn't relevant", it seems worth trying to tease out a few interesting and useful principles and analogies that could arguably be germane to the question. I address, in turn, three areas of consideration: self-defense in international law; the law of piracy; and letters of marque and reprisal.

[12] E.g., the Rome Statute of the International Criminal Court, U.N. Doc. A/CONF.183/9, http://untreaty.un.org/cod/icc/statute/romefra.htm.
[13] E.g., Responsibility of States for Internationally Wrongful Acts, annex to General Assembly resolution 56/83 of 12 December 2001, corrected by document A/56/49(Vol. I)/Corr.4 (2001), untreaty.un.org/ilc/texts/instruments/english/.../9_6_2001.pdf.

Self Defense In International Law Nothing in international law explicitly approves of or disapproves of private sector hack back. 14 Thus, to the extent an analogy might be sought, it must be found in more general discussions of principles of self defense in existing international instruments and decisions. There are a few such discussions that are notable. The Budapest Convention Perhaps the most directly relevant and noteworthy is the Budapest Convention on Cybercrime. After all, the Budapest Convention is, to date, the only international instrument that is addressed to cyber issues. 15 If it has anything to say about the prospect of cyber selfdefense that discussion would be relatively influential. And, it turns out, there may be something to glean from the Convention not from the text of the Convention itself, which is completely silent on the topic of self defense, but from the accompanying 2001 Explanatory Report. 16 In discussing the specificity with which prohibited cyber offenses were to be identified by signatories, the Report noted that the Convention included an express requirement that the conduct involved be done without right. The Report then went on to explain that this phrase reflects the insight that the conduct described is not always punishable per se, but may be legal or justified not only in cases where classical legal defenses are applicable, like consent, self defence or necessity, but where other principles or interests lead to the exclusion of criminal liability. 17 In short, the Convention commentary seemed to contemplate that signatory Parties would criminalize certain criminal cyber activity (must as the United States has criminalized unauthorized access to a computer in the Computer Fraud and Abuse Act) 18 but that the Parties were free, if they wished to permit such conduct when it occurred pursuant to established legal defenses, excuses or justification. 
Perhaps also of relevance, though less directly so, the Explanatory Report made clear that there was no intent to criminalize legitimate and common activities inherent in the design of networks or legitimate and common operating or commercial practices. 19 It is only a modest (though, admittedly significant) stretch to read this language as potentially authorizing legitimate practices in self defense. Of course, an important caveat is that the Report is not intended to be an authoritative interpretation of the 14 The recently issued Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 13, http://www.ccdcoe.org/249.html, addresses only self defense against armed attacks under international law. According to one participant in the drafting, the second version of the Manual may address legal response to cyber hacks that fall below the use of force threshold. See Private Communication with Author (April 2013). Though it is unclear, one expects that this analysis will be limited to nation state actors, though it may provide some guidance for the analysis of private sector responses. 15 The Convention was adopted by the Committee of Ministers of the Council of Europe in November 2001 and shortly thereafter opened for signature. As of early 2013, 51 countries have signed the convention, though only 39 of those have ratified it. See Convention on Cybercrime, ETS No. 185, http://conventions.coe.int/treaty/commun/cherchesig.asp?nt=185&cm=&df=&cl=eng. 16 Explanatory Report to the Convention on Cybercrime, http://conventions.coe.int/treaty/en/reports/html/185.htm. 17 Id. at 38 (emphasis added) 18 18 U.S.C. 1030 19 Explanatory Report at 38. 5

Convention, but it is intended to facilitate the application of its provisions, 20 suggesting that this analysis is at least of potential importance. The Rome Statute The Rome Statue, which created the International Criminal Court, and to which the United States is not (yet) a signatory, entered into force on July 1, 2002. 21 It is an example of that rare international instrument that purports to directly affect human behavior to criminalize certain violations of widely held international norms, such as the prohibition on genocide. In addressing these horrific types of war crimes the Statute tangentially addresses the concept of selfdefense though I hasten to add that it does so only in the context of an armed conflict of some form or another and not in the context of acts that do not rise to the level of an armed conflict, which would be the context most nearly applicable to the private sector acts under consideration. Still the brief mention of self defense in the Statute is somewhat instructive. Article 31(1)(c) of the Statue suggests that actors may only take limited self defense action to protect property in the context of an armed conflict. Put simply the Article authorizes a person to act reasonably in defense of himself or another person and only to act in defense of property which is essential for accomplishing a military mission. 22 This narrow definition of permissible self defense of property in an armed conflict suggests at least tangentially an equally narrow ambit for defensive action in non armed conflicts. ICTY Kordic and Cerkez Notwithstanding that seemingly narrow ambit, the International Criminal Tribunal for Yuogoslavia has, in one case, taken a broader view. Relying on Article 31(1)(c) the Court concluded that an actor s ability to defend or protect himself or his property (or another person or person s property)... may be regarded as constituting a rule of customary international law. 
23 The Court went on to note that the defense needs to be reasonable, necessary and proportionate all of which would seem to be conditions that at least some forms of hack back could satisfy. The conclusion of the Court is consistent with the general academic view that a defendant may invoke the right of self defense under customary international law against a charge of criminality, whenever he commits an international crime in order to prevent or put an end to, a crime be another person against the agent or a third person. 24 Academic opinion goes further than existing court doctrine in specifiying when self defense might be justified. As one would expect the conditions focus on the imminence of the unlawful act being opposed; the lack of any alternative way to prevent or stop the offense; and the proportionate nature of any possible response. Taken at face value both Kordic and Cerkez and academic opinion might be read to favor some limited form of private sector active defense. The Law of Piracy The generalized approach to self defense described above does not, of course, form a perfect analogy for assessing the legality of a cyber hack back. But in an imperfect world 20 Id. at II. 21 See generally, Rome Statute of the International Court, http://untreaty.un.org/cod/icc/statute/romefra.htm/ 22 Rome Statute, Art. 31(1)(c). 23 Prosecutor v. Kordic and Cerkez, Judgment of the Trial Chamber (ICTY), 26 Feb. 2001, 133, http://www.icty.org/x/cases/kordic_cerkez/tjug/en/kor tj010226e.pdf. 24 Antonio Cassese et. al., International Crimonal Law, 2d ed., 259 (Oxford Univ. Press 2008) 6

we must use the best analogic possibilities we have. So we may now move from a generalized approach to cyber self defense to an area of law that gives us perhaps the closest historical analog for the private sector s response to unlawful cyber activity the rules relating to private actor responses to unlawful behavior on the high seas, namely piracy. The analogy has a great deal of attractiveness to it. After all, some call cyberspace a highway of commerce much as the ocean functions. And hackers stealing intellectual property are a nice analog to pirates who steal physical property. What then might we derive from traditional rules of piracy? Quite a bit as it turns out. Under traditional maritime rules, merchant men were entitled to use selfdefense to repel pirates, but only state owned vessels were privilege to board and seize a pirate ship or engage in hot pursuit. Moreover, the right of hot pursuit ends when the pirate ship enters the territorial water of another country. So if piracy is the right analogy, then private sector aggressive cyber defense may well be unlawful in the first instance, and even aggressive counter measures by nation states might have to respect the sovereignty of other countries. 25 Self Defense Consider first, the general right of self defense. Recent international instruments that were intended to clarify existing rules, in response to the upsurge in piracy off the coast of Somalia, make it relatively clear that private entities may use force in violent force in self defence to prevent crimes that threaten life. (The converse principle the use of non violent self defense when life is not threatened is less well considered). In November 2010, for example, the International Code of Conduct for Private Security Service Providers (the ICoC) was opened for signature. As of early 2013, more than 590 companies from 70 countries had signed. 
The ICoC requires security service providers to avoid the use of force if possible, and if required to use only proportionate force in response. Violence (in the form of firearms) is probhibited except when necessary to protect against an imminent threat of death or serious injury or to prevent a grave crime. 26 American practice has expanded on that rule somewhat to encompass a broader scope for self defense (or so it would seem). In 2009 the Coast Guard and Department of Homeland Security issued a Port Security Advisory, Guidance on Self Defense and Defense of Others by U.S. Flagged Commercial Vessels Operating in High Risk Waters. 27 The guidance suggested, consistent with the codification in the ICoC, that lethal force in self defense was strictly limited to circumstances where there was a danger of death or serious bodily injury. But the Guidance went further to make clear that the non deadly use of force could be authorized by a vessel s master to protect the vessel or cargo from theft or damage. Taken as a 25 Candidly, the doubtfulness of this last proposition as a matter of practice (i.e. the unlikelihood that nations will cease pursuing hackers across state boundaries) suggests that the piracy analogy may be outdated and of little practical utility in informing contemporary custom. Nonetheless, it s the best analogy we have. 26 International Code of Conduct for Private Security Service Providers, Arts. 30 32, http://www.icocpsp.org/uploads/international_code_of_conduct_final_without_company_names.pdf.. 27 Port Security Advisory (3 09), Guidance on Self defense or Defense of Others by U.S. Flagged Commercial Vessels Operating in High Risk Areas, http://www.marad.dot.gov/documents/port_security_advisory_3 09_Self_Defense.pdf. 7

model for our cyber hack back question, this would certainly offer some comfort to those who think that international law will authorize a limited right of self defense. Hot Pursuit and Active Defense But this right of self defense is, as already noted, actually quite limited most likely to areas of action we have characterized as Internal Self Defense. When an actor seeks to use active defense measures, the law of piracy suggests that only a State may act not a private citizen. To begin with, both Article 19 of the Convention on the High Seas and Article 100 of the Law of the Sea Convention require States to cooperate in suppressing piracy but that obligation is, notably put only on State actors. Both conventions are silent as to private actors a silence that ought to be taken as a cautionary note. 28 But insofar as States are authorized, they do have wide authority including the authority to engage in hot pursuit that is the authority to chase a pirate ship when the Stat has good reason to believe that the ship being chased has violated the laws of the State. 29 But that right of hot pursuit may only be exercised to ships or aircraft on government service. 30 If our analogy is that active defensive cyber measures are akin to hot pursuit of a cyber pirate, the implication is that those measures are limited to State actors. Indeed, the right may be even more limited than we might hope. The right of hot pursuit ceases as soon as the ship being chased enters the territorial sea of its own country or of a third State. 31 In other words, once the pirate ship enters home waters or leaves the open area of the High Seas the chasing State must stop and presumably rely on the authority of the nation where the pirates have taken refuge. 
And so, we are left with at least two important questions. First, is the international norm against cyber hacking sufficiently well formed that it can even be analogized to the customary international obligation to combat piracy in the first place? Second, assuming that it is, should we translate the teachings from piracy history to the cyber piracy situation and thereby limit active defenses to State actors?

Letters of Marque and Reprisal

All of which brings us to the question of whether or not private sector actors might, in some way, be deputized by the State to act on its behalf as part of an active cyber defense corps. In domestic law, this conjures up images of a cyber special police, a cyber private investigator, or even a cyber bounty hunter. The equivalent conception in international law, again drawn from the general precepts concerning piracy, is the idea of a cyber privateer: a private actor to whom might be issued letters of marque and reprisal, much as naval privateers were in the 1800s.

[28] See Convention on the High Seas, Art. 19 (1958) (hereinafter "High Seas Convention"), untreaty.un.org/ilc/texts/.../conventions/8_1_1958_high_seas.pdf; Third UN Convention on the Law of the Sea, Art. 100 (1972) (hereinafter "UNCLOS III"), www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf.
[29] UNCLOS Art. 111(1); High Seas Convention Art. 23(1).
[30] High Seas Convention, Art. 23(4).
[31] Id. Art. 23(2).
But even this analogy will only take us so far: the question of whether such letters can be issued to combat cyber piracy has, at best, an ambiguous and indefinite answer. Letters of marque and reprisal are, essentially, a license authorizing a private citizen to engage in reprisals against citizens or vessels of another nation.[32] But as a general rule such privateering was typically permitted only during times of war.[33] Privateers were authorized by the State not to protect their own interests but to aid in the war effort by assisting in the destruction of the commerce of the hostile nation. They paid for themselves, in the end, with profits from the commerce they destroyed.[34] This aspect of privateering has been frowned upon under international law since the 1856 Paris Declaration Respecting Maritime Law.[35] The United States never ratified the Declaration, so it does not formally bind our actions. America has, however, chosen to respect the ban on privateering in wartime and has, as a factual matter, not sought to authorize privateers since the Declaration was signed.[36] Notably, however, notwithstanding the Paris Declaration, letters of marque have continued to be used to counter piracy or to permit self-defense. For example, to counter piracy the British Parliament continued to authorize private ships to attack and capture pirates even after the Declaration of Paris.[37] More recently, private companies have, with some success, lobbied the Transitional Federal Government of Somalia for contracts to protect Somali waters from piracy.[38] This is consistent with the pre-Paris practice of the United States, which issued letters of marque that were used chiefly by our merchantmen as a license to defend themselves from hostile craft.[39] In short, though the issue is far from free of doubt, there is at least a colorable argument to be made that the Paris Declaration did not render unlawful the issuance of letters of marque for purposes of self-defense in countering piracy.[40] From this it would be only a short step to the equally tentative conclusion that letters of marque for cyber privateers might likewise be lawful under international law to counter cyber pirates, notwithstanding the general disfavor with which the concept of privateers is currently viewed.

[32] See Black's Law Dictionary 910 (9th ed. 2009).
[33] See Francis R. Stark, The Abolition of Privateering and the Declaration of Paris, in Studies in History, Economics and Public Law 221, 270-71; Joseph Story, A Familiar Exposition of the Constitution of the United States: Containing a Brief Commentary on Every Clause, Explaining the True Nature, Reasons, and Objects Thereof 121 (Harper & Brothers 1865) (1847).
[34] A good general reference is James G. Lydon, Pirates, Privateers, and Profits 25 (1970).
[35] See Paris Declaration Respecting Maritime Law (1856), http://www.icrc.org/applic/ihl/ihl.nsf/article.xsp?action=opendocument&documentid=473fcb0f41dcc63bc1256 3CD0051492D. The relevant text of the declaration reads: "The above mentioned Plenipotentiaries, being duly authorized, resolved to concert among themselves as to the means of attaining this object; and, having come to an agreement, have adopted the following solemn Declaration: 1. Privateering is, and remains, abolished; 2. The neutral flag covers enemy's goods, with the exception of contraband of war; 3. Neutral goods, with the exception of contraband of war, are not liable to capture under enemy's flag; 4. Blockades, in order to be binding, must be effective, that is to say, maintained by a force sufficient really to prevent access to the coast of the enemy." The Paris Declaration did not prohibit a State from contracting private vessels during wartime for regular navy work so long as they were prohibited from preying on private property.
[36] See Edgar Stanton Maclay, A History of American Privateers xxiii (Appleton 1899).
[37] David Cordingly, Under the Black Flag: The Romance and the Reality of Life Among Pirates 203 (1995).
[38] See US Firm to Fight Somali Pirates, BBC News (Nov. 25, 2005), http://news.bbc.co.uk/2/hi/ africa/4471536.stm.
[39] See Gardner W. Allen, Our Naval War with France 225 (1909).
[40] See Theodore T. Richard, Reconsidering the Letter of Marque: Utilizing Private Security Providers Against Piracy, 39 Geo. Wash. Pub. Contract L. J. 412, 436-38 (2010).

III. Non-American Domestic Law and a Growing Opinio Juris

A fourth area of inquiry, the examination of non-American domestic law, serves a dual purpose. First, to the extent that customary international law is developing to create an opinio juris, that law will be reflected in domestic enactments that may, in the end, come to reflect an international consensus. Second, and wholly apart from strictly international law issues, American private actors who undertake cyber hacking against their opponents will, in almost all instances, wind up affecting computers domiciled outside the borders of the United States. To the extent that this is so (and to the extent that American actors may be subject to foreign law through the exercise of lawful foreign process), American actors should, of necessity, consider how their domestic acts will be perceived in target or transit States where the effects of their US-based actions might be felt.

Non-American Usage

A fair assessment suggests that other nations are quite skeptical of the concept of private sector self-defense. The Netherlands, for example, has introduced a proposal that would allow its law enforcement officials to hack internationally.[41] But the proposed law is silent as to the lawfulness of actions by private parties and, by implication, seems to disfavor them. The Israeli Defense Forces have a similar position, reserving the right to use offensive cyber operations while remaining silent on whether private sector actors can likewise engage.[42] Likewise, hack back is illegal in Germany (though we must hasten to note that several anecdotal reports suggest that German private entities increasingly use hack back techniques anyway). The German prohibition, known as the Hacker Paragraph, is § 202a of the German Criminal Code (StGB), and provides, in relevant part: "Whosoever unlawfully obtains data for himself or another that were not intended for him and were especially protected against unauthorised access, if he has circumvented the protection, shall be liable to imprisonment not exceeding three years or a fine."[43] Other provisions explicitly make phishing a crime and criminalize any acts in preparation for data espionage or phishing.[44]

Indeed, returning to our consideration of the Budapest Convention, it may be that some countries (many?) will reject the guidance of the explanatory commentary and consider that the Convention imposes on them a mandatory obligation to criminalize hacking activities even when they are conducted in self-defense. This is particularly likely to arise in non-common law countries, where self-defense is generally a more narrowly drawn defense to a criminal prosecution. Under this view, our international strategy of fostering accession to the Budapest Convention[45] may have the effect of propagating the development of international opinion that opposes private sector hack back.

But if international opinion is as much formed by actual State practice as by formal declarations, it is also worth noting that several German companies have come, increasingly, to rely on hack back to protect themselves. According to one researcher at the Institute for Computer Science at Berlin's Freie Universität, German digital vigilantism is on the rise, especially in hard-hit sectors affected by cybercriminals like the financial industry, development companies, and research groups.[46] It may well be that official disapproval combined with informal tolerance is a recurring model across the globe. In that case, development of an international opinio juris will prove particularly difficult. When formal declarations diverge from actual practice, the ambiguity necessarily tends to prevent the clarification of a customary international opinion.

One final cautionary note bears some emphasis, though it does not directly address the opinio juris analysis: the prospect of non-American criminal prosecution is realistic and must be taken into account.

[41] See http://www.rijksoverheid.nl/ministeries/venj/documenten enpublicaties/kamerstukken/2012/10/15/wetgeving bestrijding cybercrime.html (text in Dutch); http://www.pcworld.idg.com.au/article/439620/dutch_government_seeks_let_law_enforcement_hack_foreign_c omputers/ (summarizing the proposal).
[42] See Rotem Pesso, IDF in Cyberspace, http://www.idf.il/1283 16122 en/dover.aspx.
To a real degree, criminal prosecution (or the possibility of it) has been ineffective in deterring overseas hackers of American interests precisely because the threat of prosecution is an empty one. Many hackers are beyond the reach of American law and reside in countries with which we have no effective extradition program for cyber offenses. By contrast, when a private sector hack back has collateral effects in an allied country (say Germany or Japan), we can imagine that American legal authorities would generally honor an appropriately couched extradition request from the affected nation. The prospect of criminal prosecution is, therefore, rather higher for American actors precisely because the U.S. government is a lawful actor on the world stage. And even for countries where extradition is not a realistic prospect (we cannot, for example, imagine extraditing an American to stand trial in China for hack back), there will be other avenues of retaliation that must be considered. Most American private sector actors who have the resources to contemplate private sector self-defense, for example, will be corporations or individuals with a multi-national presence. Even allowing for difficulties of attribution, it is quite likely that those overseas assets will be at risk if the parent American entity conducts private offensive operations.

[43] StGB, § 202a, http://www.gesetze im internet.de/englisch_stgb/.
[44] Id. § 202(b) and (c).
[45] See International Strategy for Cyberspace (May 2011), www.whitehouse.gov/sites/.../international_strategy_for_cyberspace.pdf.
[46] Ulrich Clau, Hack Back: When A Cyber Attack Victim Turns 'Digital Vigilante' (July 21, 2012), http://www.worldcrunch.com/tech science/hack back when a cyber attack victim turns digital vigilante /c4s5887/#.usjqprnpark.

American Usage

Finally, it should be noted that the opinion of the United States government is also relevant to the development of an international opinio juris. In this self-reflexive way, the domestic law discussion becomes a component of the international law discussion. Moreover, to the extent that current law is changed in the future, that change is itself of relevance to international law. It is therefore relevant that the official current government position tends to disapprove of private sector self-help. The Justice Department's Computer Crime and Intellectual Property Section, Manual on Computer Crime,[47] suggests that: "Although it may be tempting to do so (especially if the attack is ongoing), the company should not take any offensive measures on its own, such as hacking back into the attacker's computer even if such measures could in theory be characterized as defensive. Doing so may be illegal, regardless of the motive. Further, as most attacks are launched from compromised systems of unwitting third parties, hacking back can damage the system of another innocent party." Likewise, though criminal liability under the CFAA is a hotly debated topic,[48] there seems to me little doubt that most courts would hold a domestic hack back actor liable in trespass.

On the other hand, given the current tenor of the debate, the United States may be the most likely State to eventually approve of private sector hack back. In general, the use of private sector security companies to provide police services is not only legally permitted but also widely pursued. More money is spent on private police than public police within the U.S.[49] Indeed, in the domestic sphere the United States authorizes bounty hunters to use force to apprehend fugitives and to use police-like powers.[50] One can readily imagine a change in American perspective that, in turn, would influence international opinion (or, of course, perhaps such a change would be of little influence).

Conclusion

As The Economist recently noted,[51] the idea of hack back sounds like something out of a spy novel. But what was once the stuff of fiction or imaginative policymaking is quickly becoming a topic for serious consideration. Recently, the Administration-chartered Commission on the Theft of American Intellectual Property affirmatively recommended that consideration be given to easing the domestic American prohibition on hack back.[52] Before, however, we go down that road, it would be wise to consider the international consequences of such an act. Cyberspace is, after all, an international domain with more non-American actors than American ones. And what is sauce for the goose will no doubt one day be sauce for the gander.

This is not to say that hack back is ill advised. Far from it. In the absence of an effective system of cybersecurity provided by the government, it is, in some sense, almost immoral to prohibit private sector actors from taking steps to protect themselves. But this is to say that caution is advised and that the American government needs to begin building an international consensus regarding private sector hack back before the forces of the private sector are unleashed. To that end, this brief survey of existing international law on the subject is just a starting point for a larger discussion, rather than an end point for determinative resolution.

[47] Appendix D, Best Practices for Victim Response and Reporting, http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf.
[48] See The Hackback Debate, supra n. xx.
[49] See Elizabeth E. Joh, The Paradox of Private Policing, 95 J. Crim. L. & Criminology 50, 64 (2004).
[50] See Andrew DeForest Patrick, Note, Running from the Law: Should Bounty Hunters Be Considered State Actors and Thus Subject to Constitutional Restraints, 52 Vand. L. Rev. 171, 172 (1999).
[51] Fighting China's Hackers (May 25, 2013), http://www.economist.com/news/united states/21578405 it timeretaliate against cyber thieves fighting chinas hackers.
[52] The IP Commission Report (May 2013), http://www.ipcommission.org/report/ip_commission_report_052213.pdf.