It’s so obviously true as to be a cliché that the Internet has revolutionized life as we know it. While it’s brought us conveniences that we would be hard-pressed to give up, cyberattacks are becoming an increasing problem for governments and corporations. Yet ironically, in spite of the novelty of these types of threats, experts are finding that old legal and policy tools are some of the best ways to fight cyberattacks.
When it comes to attacks on and by nations, a couple of legal developments have recently taken place. This past spring, a group of experts released a document, through NATO’s center for cyber defense, called the Tallinn Manual (named for the Estonian city where the group met), which details how the group interprets international law as applying to cyber warfare. It covers topics such as the circumstances under which cyber operations constitute a use of force, and how international humanitarian law applies in the cyber context. Then in June, a group of 15 United Nations member states, including the U.S. and China, unanimously affirmed that international law, and in particular the UN Charter, applies to cyberspace. This means, for example, that the UN Security Council could potentially take actions against a nation that is perpetrating cyberattacks, and that the UN’s court, the International Court of Justice, could also take cyber operations into consideration.
Malware such as viruses, on the other hand, heavily targets the public and corporations. The private sector has had success in prosecuting perpetrators and taking possession of servers that are controlling infected computers by using legal tools that were written before the Internet Age was even conceivable. For example, the old common law doctrine of trespass to chattels protects personal property and had been little used for many years, but it has begun to be successfully applied in this type of litigation. Moreover, companies including Microsoft have made use of traditional trademark laws such as the Lanham Act of 1946 in some of these types of cyber cases. The U.S. legal system has further expanded the application of pre-Internet laws to cyber issues in a decision last month that declared a popular online currency called Bitcoin to be a security; it follows that the longstanding body of securities law now applies to virtual currencies, which have recently begun growing in popularity.
Legal means can prove ineffective in countering cyberattacks, however, when the attacks are launched from outside the U.S. Smuggling operations pose similar difficulties; in fact, for policy purposes, cyberattacks can be thought of as smuggling at lightning speed, in which malware and stolen data, much like narcotics and weapons, are moved across national borders. Accordingly, many of the policy levers being used to combat traditional smuggling operations are also being found to be effective against cybercrimes. Tactics such as applying diplomatic pressure to encourage consistency among the relevant laws of different nations, and using foreign aid to ensure that law enforcement and prosecution are effective in struggling countries, are both integral when it comes to smuggling as well as cybersecurity. Security agreements that promote intelligence sharing between countries and cooperation between their law enforcement agencies are also of vital importance.
That these various legal and policy tactics are robust enough to apply well to cyberspace speaks to how they effectively address some of the core elements of crimes that take place both in and out of cyberspace. These examples also suggest that we ought to look to the past as new cyber challenges confront us. While the technical details of emerging cyberthreats are novel, established tools from before the days of the Internet are proving to be some of our most effective weapons against those threats.
Vavrichek is a defense analyst in Washington, D.C.