
Monday, May 4, 2015

Govt View on Cyber Warfare/Terrorism

This is in response to your email to me on 5/2



Interesting how our government is currently viewing this and the legal perspectives….  Most of it isn’t news to me, but I feel like it sort of puts a wrapper around what I already knew and tied up some loose ends.  Looking fwd to getting in a solid read vs. quick scan later.


I think that much of this FAS document is a "knee jerk reaction" to the Sony hacking incident in 2014. I wrote a paper on this subject a few months ago, and it is included below. Please read and make your own opinions on the matter.



 *************************************************************************

 

Legal Issues Surrounding the Sony Hack

John Kenny

AMU Student



Background

In November of 2014 the Sony networks were breached and Sony was blackmailed by cyber thugs. The group claiming responsibility for this crime operated under the moniker Guardians of Peace (GOP). The popular theory is that this incident was motivated as a retaliation plot related to a Sony film, “The Interview”. The plot of this comedy revolves around a bungled CIA plot to murder the Korean president (Kim Zetter, 2014). Much speculation and many rumors were distributed regarding the identity of these “hacktivists”. One of the more prevalent theories is that the cyber crimes were committed by a Korean state sponsored group of hackers (Dana Tamir, 2014). Another popular theory is that the crime was an inside job, executed by disgruntled Sony employees (Paul, n.d.). If we can somehow prove that the Koreans are behind the Sony hacking, questions of legal options, and whether this incident qualifies as cyber terrorism, become relevant (Jay Kesan, 2015). Regardless of the national affiliations of the cyber criminals, very little information has been released regarding their physical location when the attack was performed. The location that the attack was launched from becomes an important factor in deciding which legal options are appropriate.

Corporate Espionage, or Cyber Terrorism?

If, indeed, it is proved that a Korean state sponsored group is responsible for the recent Sony hack, what are the legal options for pursuing them? Should this be pursued in international court as a case of corporate espionage against Sony? Is there enough evidence to prove cyber terrorism, which would make the incident an act of war? The answers to these questions require more detailed information than what is currently publicly available. The physical location that the cyber attack was launched from is one key piece of information that must be determined. This will largely determine if this should be resolved in international court or in U.S. courts. A determination as to whether a cyber incident launched under direction of a foreign power is representative of an “armed attack” is also required. This “armed attack” definition is the key to determining if a military response is warranted.

Military Responses

Several rules dictate the conditions under which the United States can commit military forces. At this time, these rules do not directly include cyber threats in their language, and some interpretation must be done to determine if cyber attacks qualify as “armed aggression” (“18 U.S. Code § 2331 - Definitions | LII / Legal Information Institute,” n.d.; Levie, 1956). The U.S. Code 2331 and The Law of Land Warfare are the key documents used to determine when military resources can be deployed in an act of war. These documents only speak to whether or not the United States has a justification to commit military personnel in this situation. As a NATO member, the United States must then consult with the United Nations Security Council and NATO in order to determine if other NATO countries would aid the U.S. in a call to war (United Nations, n.d.). Article 51 of the UN Charter is the pivotal element that defines whether or not this incident could be claimed as a cyber terror incident by the U.N. (Dimitar Kostadinov, n.d.). UN Articles 41 and 42 take a somewhat contradictory position to Article 51. While Article 51 allows UN Security Council action with regard to response to “armed force”, Articles 41 and 42 specifically do not involve armed force.
UN Article 51 is the pivotal element used by NATO to determine whether or not any U.S. military actions would be sanctioned by other NATO member nations. The Tallinn Manual produced by the NATO Cooperative Cyber Defence Centre of Excellence was created to help formulate responses to exactly these kinds of scenarios (NATO CCDCOE, n.d.-b). NATO recently agreed to invoke Article 5 of the NATO charter in cases where it has been determined that a cyber event has degraded the sovereignty of any of the 28 NATO member nations. This means that digital attacks on NATO countries are considered in the same manner as a conventional military attack (Joey Cheng, 2014). According to Michael Schmitt, founder of the NATO CCDCOE, there are very specific criteria that the crime must meet in order to fit the definition of an “armed attack”. It is this “armed attack” definition which determines whether or not the hacking incident represents a breach of national sovereignty, and therefore warrants an armed response. He further states that once it has been determined that an “armed attack” did not take place, the fact that a state sponsored group is responsible for the incident is largely irrelevant with respect to the issue of cyber terrorism (Michael Schmitt, 2014).
The interpretation of this clause is the pivotal distinction between an act of cyber terrorism that breaches our national sovereignty and a state sponsored act of corporate espionage. To further complicate matters, there are no universal definitions for “Cyber Attack”, “Cyber Terrorism”, or “Cyber Espionage”. There are even differences in these terms with respect to the participating NATO countries that make up the NATO CCDCOE (NATO CCDCOE, n.d.-a).

Non Military Responses

In order to determine which non military responses to the Sony hacking might be appropriate, we must first determine the physical location that the attacks were launched from. If the attacks were launched from outside U.S. territory, the matter must be pursued as an international incident. UN Articles 41 and 42 open the door for economic sanctions, and even possibly “hacking back”, as forms of coercion in order to prevent repeat occurrences of situations like the Sony hacking. While sanctions and “hacking back” are somewhat militaristic forms of coercion, there are many areas of ambiguity with regard to the legality of many of these types of responses (Matthew C. Waxman, n.d.). There does not seem to be much legal consistency in defining the term cyber crime, much less what the legal response should be to these types of crimes. The United States itself has no developed official position with regard to UN Articles and international cyber crimes. However, some progress is being made in the international cyber crime scene. Many international law agencies are forming cooperative partnerships to help fight cyber crime across international borders. The U.S. Dept of Homeland Security seems to be leading the way toward fighting cyber crime, along with other cooperating agencies such as FBI, INTERPOL, and EUROPOL (DHS, n.d.; FBI, n.d.; INTERPOL, n.d.; EUROPOL, 2014). Even though cooperative legal inroads are being made on the international scene with regard to international cyber crime, it is a slow process.
If it is determined that the Sony hacks physically originated from within the U.S. borders, it is likely that U.S. criminal codes would take precedence, and the matter would be settled in U.S. civilian courts (Doyle, 2014; Eltringham, 2015). In this situation the criminals could also be prosecuted under Computer Espionage (18 U.S.C. 1030(a)(1)) laws (Doyle, 2014). It is also possible that the United States might pursue civil action against the individual hackers in combination with international sanctions against Korea.

Corporate Retaliation

Corporate victims such as Sony are increasingly frustrated with what they perceive as governmental inaction. This perceived inaction has caused corporations to question the concept of “corporate personhood”. Corporate personhood is a concept that has been in existence for over a hundred years. It is this personhood status that allows a corporation to own property without attributing ownership responsibility to a single individual. Personhood is also used as the legal basis for corporate income taxes (“Corporate Personhood/Corporate Constitutional Rights | Move to Amend,” n.d.; Torres-Spelliscy, 2014). Corporations have begun to question which constitutional protections are afforded to them as “persons”. Does a corporation have the same constitutional rights and protections that an individual has under similar circumstances?
With no clear answers to these questions of constitutional rights of conferred persons, some of these corporations have chosen to launch their own retaliatory strikes against hackers. They have begun to hire their cyber security specialists and in some cases hired teams of hackers to “hack back”. As a security professional, I find the latter of these two choices for cyber personnel particularly disturbing. The use of hired hackers to hack other hackers is too close to the creation of a cyber mercenary team. The potential downsides to this type of corporate sanctioned “back hacking” are enormous. Blackwater comes to mind as an example of possible disastrous consequences (Michael Riley & Jordon Robertson, n.d.; Sharon Shea, 2014).

Conclusion

The Sony hacking incident has revealed many shortcomings with regard to the issue of cyber crimes and international law. It has also revealed shortcomings in military policy with regard to cyber attacks, and when military responses are appropriate. The incident has also caused people to question the concept of corporate personhood. Until more specific information on the Sony hacking is discovered, there are more questions than answers. The most appropriate legal path cannot be determined yet without this detailed information on the Sony hacking incident. All of the potential response scenarios are rife with possibilities for a disastrous escalation of follow-on events.

References


Corporate Personhood/Corporate Constitutional Rights | Move to Amend. (n.d.). Retrieved February 21, 2015, from https://movetoamend.org/topics/corporate-personhoodcorporate-constitutional-rights

Dana Tamir. (2014, November 21). Who Hacked Sony? New Report Raises More Questions About Scandalous Breach. Retrieved February 17, 2015, from http://securityintelligence.com/who-hacked-sony-new-report-raises-more-questions-about-scandalous-breach/#.VOJpoy4wH1A

DHS. (n.d.). Cyber Crime and Law Enforcement | Homeland Security. Retrieved February 17, 2015, from http://www.dhs.gov/national-cyber-security-awareness-month-2014-week-five

Dimitar Kostadinov. (n.d.). Invoking Article 51 (self-defense) of the UN Charter in Response to Cyber Attacks - I - InfoSec Institute. Retrieved February 17, 2015, from http://resources.infosecinstitute.com/invoking-article-51-un-charter-cyber-attacks-i/

Doyle, C. (2014). Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws (Congressional Report No. 97-1025). Congressional Research Service. Retrieved from https://www.fas.org/sgp/crs/misc/97-1025.pdf

Eltringham, S. (Ed.). (2015, January 14). Prosecuting Computer Crimes. Office of Legal Education Executive Office for United States Attorneys. Retrieved from http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf

EUROPOL. (2014, September 1). Expert international cybercrime taskforce is launched to tackle online crime | Europol. Retrieved February 17, 2015, from https://www.europol.europa.eu/content/expert-international-cybercrime-taskforce-launched-tackle-online-crime

FBI. (n.d.). FBI — Leading Member of the International Cyber Criminal Group LulzSec Sentenced in Manhattan Federal Court. Retrieved February 17, 2015, from http://www.fbi.gov/newyork/press-releases/2014/leading-member-of-the-international-cyber-criminal-group-lulzsec-sentenced-in-manhattan-federal-court

INTERPOL. (n.d.). Cybercrime / Cybercrime / Crime areas / Internet / Home - INTERPOL. Retrieved February 17, 2015, from http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime

Jay Kesan. (2015, January 13). Professor Kesan on the Sony Hack, North Korea and the Laws Governing Cyber-Attack - Illinois Law Faculty Blog. Retrieved February 16, 2015, from http://uiuclawfaculty.typepad.com/facultyblog/2015/01/professor-kesan-on-the-sony-hack.html

Joey Cheng. (2014, September 8). Raising the stakes: NATO says a cyber attack on one is an attack on all -- Defense Systems. Retrieved February 18, 2015, from http://defensesystems.com/Articles/2014/09/08/NATO-cyber-attack-collective-response.aspx

Kim Zetter. (2014, December 3). Sony Got Hacked Hard: What We Know and Don’t Know So Far | WIRED. Retrieved February 17, 2015, from http://www.wired.com/2014/12/sony-hack-what-we-know/

Levie, H. (1956, July). The Law of Warfare, FM 27-10. Headquarters Department of the Army. Retrieved from http://www.loc.gov/rr/frd/Military_Law/pdf/law_warfare-1956.pdf

Matthew C. Waxman. (n.d.). Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4). Yale Journal of International Law. Retrieved from http://www.yjil.org/docs/pub/36-2-waxman-cyber-attacks-and-the-use-of-force.pdf

Michael Riley, & Jordon Robertson. (n.d.). FBI Probes If Banks Hacked Back as Firms Mull Offensives - Bloomberg Business. Retrieved February 18, 2015, from http://www.bloomberg.com/news/articles/2014-12-30/fbi-probes-if-banks-hacked-back-as-firms-mull-offensives

Michael Schmitt. (2014, December 17). International Law and Cyber Attacks: Sony v. North Korea | Just Security. Retrieved February 16, 2015, from http://justsecurity.org/18460/international-humanitarian-law-cyber-attacks-sony-v-north-korea/

NATO CCDCOE. (n.d.-a). Cyber Definitions | CCDCOE. Retrieved February 17, 2015, from https://ccdcoe.org/cyber-definitions.html

NATO CCDCOE. (n.d.-b). Tallinn Manual Follow-Up More Relevant Than Ever | CCDCOE. Retrieved February 17, 2015, from https://ccdcoe.org/tallinn-manual-follow-more-relevant-ever.html

Paul. (n.d.). A New Script: Clues In Sony Hack Point To Insiders | The Security Ledger. Retrieved February 17, 2015, from https://securityledger.com/2014/12/new-clues-in-sony-hack-point-to-insiders-away-from-dprk/

Sharon Shea. (2014, December 12). Sony Pictures hacking back: The ethics of obfuscation. Retrieved February 18, 2015, from http://searchsecurity.techtarget.com/news/2240236597/Sony-Pictures-hacking-back-The-ethics-of-obfuscation

Torres-Spelliscy, C. (2014, April 7). The History of Corporate Personhood | Brennan Center for Justice. Retrieved February 21, 2015, from https://www.brennancenter.org/blog/hobby-lobby-argument

United Nations. (n.d.). Charter of the United Nations: Chapter VII: Action with Respect to Threats to the Peace, Breaches of the Peace and Acts of Aggression. Retrieved February 17, 2015, from http://www.un.org/en/documents/charter/chapter7.shtml


 


