Congress permits cyber policy to slumber while digital technology gallops by leaps and bounds.
Almost three decades ago, in 1986, Clifford Stoll of the Berkeley National Lab of California anticipated North Korea’s cyberattack on Sony Pictures. He discovered the art of computer hacking and espionage in detecting a German spy from Hanover, Markus Hess, selling secrets to the KGB. Mr. Stoll described his forensic exploits in The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage.
It should have been a warning to Congress and Silicon Valley of the need to enact a cyberspace code to address new cyber vulnerabilities to defend and deter both state and non-state hackers.
Yet Congress and Silicon Valley have stood stupefied while Internet technology has raced into a digital age, one in which anything worth doing or saying militarily or commercially utilizes the World Wide Web. Our hacking vulnerabilities are surging, not diminishing. But we have not updated either domestic or international laws or policies to address the unique threat of cyberattacks.
Take North Korea’s cyberattack on Sony Pictures Entertainment coupled with a threat to murder moviegoers of “The Interview.” Was it an act of war intended to destroy free speech in the United States and to cow the American people into intellectual submission? If so, was President Obama required to obtain congressional authorization to retaliate, or was he entitled to respond instantly and unilaterally as if it were an actual North Korean land invasion? Does an act of cyberwarfare require mass killings of civilians or mass destruction of key infrastructure that cripples the economy? None of these questions are answered by existing policies.
Suppose a non-state actor was responsible for the cyberattack on Sony. Would the president’s authority to respond have been different or non-existent? Would the country hosting the non-state actor be responsible for his cyber misconduct? What affirmative obligations does a host nation have to cooperate in apprehending and punishing a cybercriminal located in its territory? Again, none of these vital questions have been answered either in domestic law or international conventions.
Suppose the cyberattack was a casus belli. The laws of war would seem to have authorized President Obama to respond kinetically, for instance, by bombing all of North Korea’s nuclear-related facilities in attacks that might have incidentally killed North Korean civilians. But the civilian deaths might have violated the “Just War” norm of proportionality, i.e., a requirement that combatants ensure that the harm caused to civilians or civilian property is not excessive in relation to the concrete and direct military advantage anticipated by an attack on a military objective.
President Obama characterized North Korea’s attack as “cybervandalism.” But is his characterization binding on Congress or the United Nations Security Council? The term is not in the federal code. Was it simply improvised for political purposes to sound commensurate with President Obama’s puny response: Shutting down North Korea’s already minimal Internet access for a few hours and imposing largely symbolic economic sanctions against 10 senior North Korean officials?
Sony Pictures might have been authorized to retaliate directly against North Korea with a cyberattack without notifying President Obama or obtaining his permission. That is alarming. Congressman Mike McCaul (R-Tex.), Chairman of the House Homeland Security Committee, rightly worries that cyber retaliation by a private party against a state actor could embroil the United States in a war that had neither been provoked nor authorized by Congress, the president or the United Nations Security Council.
The federal code’s application to private cyber retaliatory attacks on state actors is murky. It might constitute a private overture to a foreign country in violation of the Logan Act, 18 U.S.C. 953, or it might constitute an expedition against a foreign state with which the United States is at peace in violation of 18 U.S.C. 960. Congress should clarify that both prohibitions would apply in such circumstances. No private person should be permitted to hijack the decision over war and peace that the Constitution entrusts to Congress and the president.
Existing policy is clueless as to what level of confidence is required before fastening criminal or civil responsibility for a cyberattack on a state or non-state actor. What should the confidence level be if Congress and the president are deciding whether to initiate war as retaliation?
Current policy is also ambiguous as to whether cyberterrorism by a foreign country would expose its Head of State to a lawsuit under a terrorism exception to the Foreign Sovereign Immunities Act.
The major issues elaborated above do not exhaust the cyberspace universe. There are undoubtedly many others that have been overlooked.
The art of hacking is long, but time is fleeting. House Speaker John Boehner and Senate Majority Leader Mitch McConnell should immediately appoint a joint committee at the commencement of the 114th Congress to conduct comprehensive hearings, to draft a comprehensive cyberspace code governing both domestic and international affairs, and to monitor cyberspace changes to safeguard against the obsolescence of the nation’s cyber policies.
Mattie Fein was the Republican congressional candidate for the former 36th district of California in 2010. She is founder and president of the communications strategies firm M22 Strategies.