Hidden by Sovereign Shadows: Improving the Domestic Framework for Deterring State-Sponsored Cybercrime.

Author: Blinderman, Eric

TABLE OF CONTENTS

I. INTRODUCTION 890
II. DESCRIPTION OF SOVEREIGN INVOLVEMENT IN CYBERCRIME 893
  A. China: The People's Liberation Army's Hack of US Companies 895
  B. Russia: The Federal Security Service's Hack of Yahoo 898
  C. Iran: The Islamic Revolutionary Guard Corps' Hack of the US Financial Sector and Infrastructure 900
  D. Russia: Cyber Interference with the 2016 US Election 902
III. DOMESTIC AND INTERNATIONAL LEGAL FRAMEWORK APPLICABLE TO STATE-SPONSORED CYBERCRIME 906
  A. Domestic Framework: The Computer Fraud and Abuse Act 906
    1. Narrow View of Authorization 908
    2. Broad View of Authorization 909
  B. International Framework: The Tallinn Manual 2.0 910
  C. European Convention on Cybercrime 914
IV. SHORTCOMINGS IN THE US DOMESTIC LEGAL FRAMEWORK 914
  A. Achieving Deterrence 915
  B. Foreign Policy Implications 919
    1. Impact of Applying Domestic Laws Extraterritorially 919
    2. Costs Connected with Attribution 922
      a. Effective (Operational) Control 923
      b. Overall Control 924
      c. Prevailing Test 924
V. SUGGESTED LEGISLATIVE OR OTHER PROPOSALS 926
  A. Extraterritorial Application of CFAA and SCA 926
  B. Removal of Sovereign Immunity for State Sponsors of Cyber Crime 928
VI. CONCLUSION 930

I. INTRODUCTION

Since the first tribes evolved into sovereign states and began competing with one another for resources, power, and influence, they have sought to obtain advantage over the others through the gathering and use of confidential and sensitive information and the forcible destruction of a competitor and its resources. (1) Traditional diplomacy, spying, monitoring of foreign news outlets, military force, and other similar tools have long been deployed to allow sovereigns to gain and utilize such information and/or to obtain advantage over a competitor. Since the advent of the information age, however, these tools have evolved radically as sovereigns seek to exploit the vulnerabilities that attach to the mass storage and transmission of information across a variety of digital platforms. (2)

This technological complexity has also given rise to equally complicated legal issues that attach when a sovereign deploys its digital arsenal against another state in a manner which violates the domestic laws of the target state. For example, attributing cyber action to a sovereign is often a difficult task given the multitude of state and non-state actors that perpetrate such actions. (3) Additionally, if a sovereign is implicated in such an action, the international and domestic legal framework designed to hold the sovereign responsible for such criminal activity is nearly nonexistent. (4) Likewise, the domestic legal norms across each state pertaining to these types of cyber activities vary wildly. (5) This lack of uniformity makes it extraordinarily difficult for any enforcement authority to make a reasoned judgement about when permissible information-gathering crosses into the realm of impermissible cybercrime. In addition, the diplomatic consequences of misattribution make the stakes for assessing cybercrime especially high. (6)

Although analyzing the multitude of these challenges is beyond the scope of this Article, it is important to understand the basic framework within the United States that federal prosecutors rely upon when trying to hold accountable actors who perpetrate such crimes. (7) Even more relevant is understanding how this framework applies in the unique context when a sovereign state is implicated in such criminal activity. By better understanding this framework and applying it to instances where sovereigns have seized information from persons, juridical or natural, located in the United States, one can understand the limitations current law enforcement faces when seeking to punish such activity. Most importantly, by understanding these limitations, one can also propose changes to the current domestic framework so that such criminal activity is effectively deterred and perpetrators are held accountable for their actions.

This Article does the following. Part I describes recent instances of sovereign use of digital tools to perpetrate various crimes. Part II describes the legal framework that the US government utilizes when it concludes that a sovereign was implicated in a crime. It also discusses the international legal framework that could be (but is generally not) employed by the United States to address such criminal activity. Part III argues that there are two main shortcomings with the present domestic legal framework applicable to such sovereign criminal activity, including but not limited to whether: (1) domestic prosecutions actually have a deterrent effect on sovereign states perpetrating such crimes, and (2) prosecutors who overreach in their application of US law against foreign actors, or who misattribute the source of cyberattacks on the basis of insufficient evidence, negatively impact US foreign policy. This Article then concludes by arguing that if the public wishes for the government to effectively prosecute state-sponsored actors, then the domestic legal framework should allow for the robust extraterritorial application of US laws. Further, this Article concludes by arguing that Congress should contemplate passing a statute that exposes sovereign state perpetrators to civil liability.

II. DESCRIPTION OF SOVEREIGN INVOLVEMENT IN CYBERCRIME

On a nearly daily basis, news outlets report alleged instances in which a sovereign state has engaged in digital espionage or sabotage against another. (8) Each instance of such activity raises fundamental definitional problems as to what constitutes cybercrime and when law enforcement officials should attribute digital criminal activity to a sovereign state as opposed to a non-state actor. To answer these definitional problems, the next Parts of the Article analyze four specific instances of alleged cybercriminal activity directed against the United States and in violation of US domestic law: (a) the People's Liberation Army of China's (PLA) alleged theft of digitally stored trade secrets and information from various US companies, which was then used to benefit Chinese companies; (b) the Russian government's hacking into and seizing of over 500 million Yahoo user accounts in 2014; (c) the Iranian Islamic Revolutionary Guard Corps' coordinated attack on forty-six major US companies, mostly in the financial sector, in order to harm American infrastructure and the American people; and (d) the Russian government's alleged theft of politically sensitive information from the Democratic National Committee and subsequent leaking of that information to cause damage to the US democratic system.

After reviewing the facts pertaining to these four instances of purported sovereign state cybercrime, this Article first defines "cybercrime" as any digital activity which runs afoul of US domestic criminal statutes. (9) Second, it argues that sovereign attribution for cybercrime should attach when any individual, arm, or agency of a sovereign, or anyone acting at the direction of a sovereign, is directly responsible for, aids or abets those responsible for, conspires with those responsible for, or otherwise facilitates the perpetration of such cybercriminal activity. (10)

A. China: The People's Liberation Army's Hack of US Companies

On May 1, 2014, the U.S. Department of Justice formally charged five Chinese officers of the PLA with various crimes related to computer hacking and economic espionage. (11) Specifically, defendants Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui were indicted by a grand jury in the Western District of Pennsylvania for violating and conspiring to violate the Computer Fraud and Abuse Act (CFAA), (12) aggravated identity theft, (13) economic espionage, (14) and trade secret theft. (15) The indictment states:

From at least in or about 2006 up to and including at least in or about April 2014, members of the People's Liberation Army ("PLA"), the military of the People's Republic of China ("China"), conspired together with each other to hack into the computers of commercial entities located in the Western District of Pennsylvania and elsewhere in the United States, to maintain unauthorized access to those computers, and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises ("SOEs"). (16)

The six companies named as victims of the computer hacking were: Westinghouse, an electronic and nuclear power company; SolarWorld, a German solar products manufacturer; United States Steel Corporation, the largest steel company in the United States; Allegheny Technologies Incorporated, a large specialty metals company; United Steel Workers International Union, the largest industrial labor union in North America; and Alcoa, the largest aluminum company in the United States. (17) Taken together, the six victims represent major segments of American nuclear power, metals production, and solar power.

The indictment describes how the PLA systematically stole trade secrets at moments that were particularly opportune for Chinese companies. (18) For example, the indictment describes how during 2011 and 2012, around the time when Oregon-based solar products manufacturer SolarWorld was losing market share to Chinese competitors and was active in trade litigation, Chinese solar manufacturers were continually dumping large volumes of solar products into US markets at below-fair-value market prices. (19) Then in May 2012, Defendant Wen "hacked into SolarWorld's computers and stole e-mails and files belonging to three senior executives." (20) Following that hack, Wen and at least one other member of the conspiracy conducted at least twelve more intrusions into and exfiltrations from SolarWorld's computers, enabling them to steal thousands of e-mail messages and other files containing detailed financial information, production capabilities, business strategies, litigation strategies, and confidential cost-structure...