NOTE CONTENTS

INTRODUCTION
I. THE PUZZLE OF LOW-INTENSITY STATE-SPONSORED CYBER ATTACKS
   A. The Problem
   B. The Gap in International Law
II. LIABILITY IN INTERNATIONAL LAW
   A. Liability and the Duty To Prevent and Redress Transboundary Harm
   B. Liability and the Articles on State Responsibility
   C. Dual Liability Standards
III. APPLYING LIABILITY FOR TRANSBOUNDARY HARM TO LOW-INTENSITY STATE-SPONSORED CYBER ATTACKS
   A. Contemporary Approaches and Cyber: An Absurd Result?
   B. Applicability to Low-Intensity State-Sponsored Cyber Attacks
   C. Complications of a Liability System
      1. The Issue of Intent
      2. Scale of Damages
      3. Enforcement
IV. THE BENEFITS OF INTERNATIONAL LIABILITY
   A. Pragmatic Appeal to States and Emphasis on Redress
   B. Clarification of the Law of Countermeasures
   C. Recognition of Duties Owed to Third Parties
CONCLUSION

INTRODUCTION
On November 24, 2014, a menacing red skull flashed on every employee's screen at Sony Pictures Entertainment's headquarters in Culver City, California. The attackers, calling themselves the "Guardians of Peace," scrubbed more than one hundred terabytes of Sony's data and leaked thousands of confidential documents. (1) The attackers threatened to release more documents if Sony did not stop the release of The Interview, Sony's newest political-satirical film on North Korea, and made clear their intention to cause further harm and even violence. (2) In the end, many theaters caved to the attackers' demands, refusing to screen the film--but not before the attacks resulted in tens of millions of dollars in damage, (3) including the destruction of Sony data systems, (4) the corruption of thousands of computers, (5) the loss of millions of dollars in revenues, (6) and leaked trade secrets. (7)
In the aftermath of the attack, the U.S. government made an unprecedented accusation, officially attributing the Sony attack to the government of North Korea. (8) After an FBI investigation that linked the attack's code, infrastructure, and overall design to previous attacks that were believed to have been carried out by North Korea, (9) the State Department officially condemned North Korea on December 19, 2014. (10) In a special press release, President Obama vowed that the United States would respond proportionally in the arena of its choosing. (11)
International legal and technology experts have since hotly debated the attribution of the Sony attack. Some have claimed that the United States misattributed or prematurely attributed the attack to North Korea. (12) Others have noted that the United States's actions could set a dangerous precedent. (13) In any case, observers recognize that the United States's response was a key example--now one of a steadily growing number (14)--of a state officially accusing another of a cyber attack. (15) Yet even if attribution is possible, a more pressing question for international law emerges: what international law has North Korea violated by committing this attack?
As surprising as it may seem, the traditional international legal perspective seems to answer "none." (16) Despite the increasingly common and destructive nature of state-sponsored cyber attacks, (17) it is difficult to locate the precise source of illegality for these "low-intensity" cyber attacks. (18) In the language of the Draft Articles on State Responsibility, states are only responsible for acts attributable to the state that are "wrongful" under international law. (19) Low-intensity state-sponsored cyber attacks do not fit this bill. Scholars have recognized this "gap" for low-intensity cyber attacks and sought solutions. Some have tried to broaden current international legal categories of impermissible conduct to cover these attacks. (20) Others have declared that a new treaty or legal regime is needed before international law can render low-intensity attacks wrongful. (21) Neither approach has proved satisfactory thus far.
This Note proposes an important theoretical and practical alternative that derives from a preexisting but underutilized source of international law: liability for transboundary harm. Liability in international law is a complicated, controversial, and often misunderstood concept that has developed separately from, but directly feeds into, the customary international legal regime of state responsibility. Liability does not emerge from a violation of international law per se, which would constitute wrongfulness (or even give rise to international criminal responsibility), but rather, simply from an act of harm.
In particular, liability in international law derives from the customary duty to prevent and redress transboundary harm. This duty is most familiar in the environmental realm, (22) despite its roots in and application to a broader range of legal issues. (23) International liability for a violation of this duty is triggered by the "transboundary movement of ... harmful effects" above a certain level of severity not traditionally tolerated, (24) and involving a causal relationship between the damage caused and the activity causing it. (25)
To make the case for applying this liability approach to low-intensity state-sponsored cyber attacks, this Note proceeds in four Parts. Part I begins by explaining why low-intensity cyber attacks appear to escape regulation under existing international legal obligations. Part II next examines the origins of the duty to prevent and redress transboundary harm, which forms the basis of international liability, and the complex relationship between liability and the doctrine of state responsibility. Part III applies liability for this duty to low-intensity, state-sponsored cyber attacks. Part IV then turns to the three key benefits of a liability approach for cyber attacks: (1) pragmatic appeal to states' interests and emphasis on the duty to redress harms, (2) clarification of the literature on due diligence and countermeasures in international law, and (3) acknowledgement of duties owed to third parties. This Note ultimately proposes that liability for transboundary harm offers a fruitful approach for bringing low-intensity cyber attacks into the fold of international law.
I. THE PUZZLE OF LOW-INTENSITY STATE-SPONSORED CYBER ATTACKS
Before turning to liability for transboundary harm and how it might apply in the cyber realm, this Part describes the problems posed by low-intensity cyber attacks and why established international legal principles have proven incapable of regulating these attacks.
A cyber attack is "any action taken to undermine the functions of a computer network for a political or national security purpose." (26) Low-intensity cyber attacks, specifically, encompass any of a wide range of actions taken to "alter, disrupt, deceive, degrade, or destroy" computer systems or networks resulting in destruction and coercion insufficient to amount to a use of force or intervention under international law. (27) As the latter half of this definition makes clear, defining low-intensity cyber attacks inevitably involves a discussion of what they are not: actions clearly governed by established international legal rules. Here, I briefly explain why low-intensity cyber attacks merit attention and why bringing law to bear on them is a worthwhile goal in the first place.
First, low-intensity cyber attacks are incredibly costly. Experts suggest that the average large U.S. company spends more than $7.7 million on preventing and responding to cyber attacks each year, a relatively high amount compared to that spent by large foreign companies. (28) Around the world, the numbers are similarly startling: cyber attacks result in more than $400 billion in losses to companies each year, (29) and potentially as much as $2.1 trillion in losses by 2019. (30) While governments and private entities have dramatically boosted their cyber security in recent years, experts remain convinced that even the best security precautions remain incapable of eliminating all vulnerability to future attacks. (31) This is troubling, given that even a single vulnerability can open the door to considerable destruction; the attack on Sony, for instance, resulted in the destruction of three thousand computers and eight hundred servers. (32)
Moreover, low-intensity cyber attacks are incredibly common. While much scholarly attention has focused on the threat of major cyber attacks that border on acts of war, the most common cyber attacks fall considerably below this level. In 2015, only 2.4% of all cyber attacks were conducted in the context of war or gave rise to a degree of physical damage approaching a use of force. (33) In fact, experts agree that "[f]ew, if any, cyber operations have [ever] crossed the armed attack threshold." (34) The need for legal restrictions on and remedies for cyber attacks is no less severe given the immense impact that these attacks have on personal and state property.
Third, even if it were possible to expand existing categories of law to encompass low-intensity cyber attacks, doing so could create havoc in other areas of law. As the next Section and Part IV explain, expanding the concepts of nonintervention and sovereignty in international law could result in problems for NGOs and other supporters of human rights who engage in political activities abroad. Such an expansion would also complicate our understandings of which routine cross-border infringements constitute violations of international law. (35)
Depending on how existing bodies of international law are broadened, states might also either lose the right to respond "in kind" to low-intensity cyber attacks, or conversely, gain the right to respond with disproportionately numerous counterattacks. (36) But such measures may be unsustainable, as escalations are likely to mount over time if states are permitted to respond to low-intensity attacks without restriction. For instance, after the Sony attack, it appears likely that a portion of North Korea's...