Bubbles over Barriers: Amending the Foreign Sovereign Immunities Act for Cyber Accountability

• Author: Adam L. Silow
• Position: Dual J.D.-Master of Science in Foreign Service candidate at Georgetown University, Class of 2022, and the Student Editor-in-Chief for Volume 12 of the Journal of National Security Law & Policy
• Pages: 659-684

Bubbles over Barriers: Amending the Foreign

Sovereign Immunities Act for Cyber Accountability

Adam L. Silow*

INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

I. THE CONTEXT: INCREASING CYBER THREATS................. 660

A. Conceptualizing the Privatization of State-sponsored

Cyberattacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660

B. Cyberspace Has Few Rules and Many Victims . . . . . . . . . . . 661

1. Cybersecurity Contractors Proliferating . . . . . . . . . . . . . 662

2. Human Rights Activists Under Threat . . . . . . . . . . . . . .. 663

3. Trade Secrets Stolen . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665

II. THE PROBLEM: INADEQUATE RESPONSES .................... 666

A. Government Policies Are Important, but Insufficient . . . . . . . 666

B. Private Suits Are Blocked by the Current FSIA . . . . . . . . . . . 668

1. Current FSIA Exceptions Do Not Apply to Cyberattacks. 668

2. A Nascent Circuit Split on Derivative Immunity Creates

Uncertainty and Liability Risks for Contractors . . . . . . . 673

III. THE SOLUTION: A CYBERATTACK EXCEPTION TO THE FSIA . . . . . . 677

A. Absolute “Barriers”: Prior Proposals Are Too Broad . . . . . . 678

B. Protected “Bubbles”: New Solution Tailored to Specific

Targets and Covering Cybersecurity Contractors . . . . . . . . . 680

CONCLUSION..............................................

.

684

INTRODUCTION

Cyberspace is a critical domain for technological innovation and state competi-

tion. Beyond, however, the bounds of fair competition, states are increasingly

using cyberspace to intimidate human rights activists and steal trade secrets from

private companies. In doing so, states hire cybersecurity contractors for cyber ex-

pertise and assistance in conducting malicious cyberattacks. Section I of this

Article outlines the increasing perils for private actors in cyberspace. Section II

* Adam L. Silow is a dual J.D.-Master of Science in Foreign Service candidate at Georgetown

University, Class of 2022, and the Student Editor-in-Chief for Volume 12 of the Journal of National

Security Law & Policy. He thanks Professor David Stewart for his invaluable advice. He also thanks

Lucas Scarasso, Steve Szymanski, Shervin Taheran, and the rest of the JNSLP staff for their excellent

feedback and editing. Any and all errors are Adam’s alone. As Student Editor-in-Chief of this volume, he

took no part in any stage of the consideration and selection of this Article, which occurred before he

assumed this role, and he was not aware of the content of those deliberations while they were ongoing.

© 2022, Adam L. Silow

659

discusses the inadequacy of government actions and private legal remedies to

address this problem. The current U.S. government responses—diplomacy,

sanctions, speaking indictments, and some offensive cyber operations—are

important, but insufficient to stem the tide of cyberattacks. Human rights acti-

vists and private companies have little protection. The Foreign Sovereign

Immunities Act (“FSIA”) blocks avenues for legal redress. A legislative fix is

needed. Section III provides a solution: Congress should create a new and tai-

lored cyber exception to the FSIA that opens liability for states, and their

cybersecurity contractors, who threaten human rights with cyber tools and

conduct cyber economic espionage. Rather than erect an absolute “barrier”

against any cyberattacks—as others have suggested—a tailored exception

would create protected “bubbles” around human rights activists and trade

secrets. Creating a new private cause of action under the FSIA would improve

accountability for states and their contractors, and develop cyber norms pro-

tecting human rights and fair economic competition.

I. THE CONTEXT: INCREASING CYBER THREATS

With rapid growth in information technology and digital markets, malicious

states have more advanced cyber tools at their disposal and can affect a broader

swath of private entities beyond their borders. In this Article, Section I(A) depicts

how states shifted their use of cyberspace in recent years and Section I(B)

describes the effect this had on cybersecurity contractors, human rights activists,

and private companies.

A. Conceptualizing the Privatization of State-sponsored Cyberattacks

As cyberspace has evolved, so too have the ways in which states implement

foreign policy. The diagrams below help to conceptualize the growing involve-

ment of private entities in state-sponsored cyberattacks—both as victims and

facilitators.

Diagram 1: State A hacks State B.

660 J

Diagram 1 highlights how a state-sponsored cyberattack is traditionally con-

ducted against another state in its simplest form. State A uses its own governmen-

tal assets and capabilities to execute a cyberattack against the government of

State B. Only government actors and assets are involved, both as perpetrators and

victims.

OURNAL OF NATIONAL SECURITY LAW & POLICY [Vol. 12:659