Institutional Doxing and Attribution: Searching for Solutions to a Law-free Zone

• Publication year: 2021

Institutional Doxing and Attribution: Searching for Solutions to a Law-Free Zone

Kimberlee Styple^*

[Page 211]

TABLE OF CONTENTS

I.INTRODUCTION.....................................................................................212

II. BACKGROUND AND HISTORY...............................................................214

A. Introduction To Institutional Doxing.....................................214
B. Introduction To The Law Of Attribution................................220

III.METHODS OF ATTRIBUTION.................................................................221

A. LEX GENERALLY.................................................................222

i. ILC Draft Articles on Responsibility of States for Internationally Wrongful Acts.........................................222
ii. Rule of War.....................................................................225
iii. Human Rights Treaties....................................................226
iv. Jurisprudence.................................................................228

B. LEX SPECIALIS...................................................................229

i. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations............................................................230
ii. Domestic Law to Regulate Doxing Attack Attribution......230

IV.PROPOSED EXPANSIONS......................................................................231

A. Due Diligence.......................................................................232
B. Legalizing Cyberattack Attribution And Evidentiary Standards .........................................................................233
C. Joint Effort: A New Public And Private Entity.......................234
D. Private-Sector Attribution.....................................................235

V.CONCLUSION.......................................................................................238

[Page 212]

I. INTRODUCTION

You may not have heard of institutional doxing, but you should be afraid of it. Institutional doxing is a new concern arising from the invention of the Internet. The advent of the Internet in 1989 led to the development of a blinding array of new technology, none more striking than the World Wide Web.¹ According to the World Bank, in 2019 over fifty percent of the world's population had regular access to the Internet, amounting to billions of new cyberspace citizens.² While there are notable advantages of an increasingly digital society, increased digitalization has also made society more vulnerable.³ Some of the most prevalent dangers are cyberattacks, specifically institutional doxing.

Many high-profile cases involving institutional doxing made international headlines in recent years.⁴ These cases include the well-publicized hacks of Ashley Madison and Sony.⁵ "[T]he most famous 'dumps,' such as those released by Edward Snowden, the Sony hackers, and the Ashley Madison hackers, have become household names."⁶ The Sony Hack gained notoriety due to its public attribution to North Korea.⁷ In the Sony Hack, the "North Korean government stole and published gigabytes of corporate email from Sony Pictures. This was part of a much larger doxing — a hack aimed at punishing the company for making a movie parodying the North Korean leader Kim Jong-un."⁸

Institutional doxing attacks are increasingly dangerous according to Director of National Intelligence James Clapper, who announced that cyberattacks surpassed terrorism as the number one threat facing the U.S. today.⁹ Cyberattacks, such as doxing, impose "increasing costs to our businesses, to U.S. economic competitiveness and to national security."¹⁰

[Page 213]

Consequently, "[a] legal framework for attribution would provide a critical stepping stone for enabling a regime to restrict and redress the harms of state-sponsored cyber-attacks" and make the Internet a safer place.¹¹

However, there are two primary reasons why international law lacks a reliable attribution method for state-sponsored institutional doxing.¹² First, the nature of doxing renders treaties and agreements typically used for attribution ineffectual, and there are limited alternatives to identify, prosecute, and remedy cybercrimes.¹³ Second, the lack of remedy is compounded by the general lack of consistent and effective attribution in international law.¹⁴ Treaties, agreements, and best practices that have built the basis of international law attribution procedures are riddled with gaps.¹⁵ These gaps can be ascribed to ambiguous attribution practices and inadequate international law relating to cybercrimes.¹⁶

To resolve institutional security concerns, the international community must address institutional doxing and the growing international threat to security. This Note will analyze how international law should address the threat and will proceed in four parts. Part One defines institutional doxing and summarizes its increasing dangers. Part Two introduces the international law of attribution. Part Three examines potential methods of attributing institutional doxing to guilty states and evaluates several treaties, agreements, and best practices within international and domestic law to determine if any satisfy international security needs. If no adequate solutions exist in international or domestic law, privatized attribution procedures will be scrutinized to determine if they can protect the interests of the institutions vulnerable to doxing. Part Four further evaluates the most promising solution and identify potential implementation issues. This Note concludes that the issue presented by institutional doxing and a lack of reliable attribution methods in international law would be best resolved by privatizing attribution procedures. Large multinational corporations, which are often the target of institutional doxing attacks, are often unprepared for both cyberattacks and attribution procedures that follow them.¹⁷ In practice, these large multinational corporations have failed to efficiently attribute doxing

[Page 214]

perpetrators.¹⁸ However, before this Note can properly analyze solutions, it must first contextualize institutional doxing and its underlying dangers.

II. BACKGROUND AND HISTORY

A. Introduction to Institutional Doxing

Doxing is a damaging and malicious form of cyberattack that is increasingly common as our world digitalizes.¹⁹ Doxing is generally defined as the act of publishing private information, such as credit card numbers, addresses, phone numbers, medical information, or private communications.²⁰ Not all publishing of private information is doxing.²¹ Notably, a key distinction between doxing and general cyberattacks is that the objective of doxing is mainly harassment, not whistleblowing.²² This Note defines doxing as the act of weaponizing private information against an individual, institution, or state with an intent to harass or harm.

While doxing is becoming increasingly common, it is certainly not new.²³ Doxing is a subtype of online vigilantism that has existed since the origin of the Internet.²⁴ Doxing, "originally a slang term among hackers for obtaining and posting private documents about an individual, usually a rival or enemy" has existed on the Internet for decades.²⁵ However, doxing was originally a smaller-scale operation, consisting of "little black-hat hacker crews who were at war with each other — they would take docs, like documents, from a competing group and then claim they had 'dox' on them."²⁶ Over time, doxing attacks evolved into massive hacking operations that

[Page 215]

attacked corporations, law firms, individuals, and intelligence organizations like the NSA and the CIA.²⁷

Institutional doxing is a subtype of doxing where hackers weaponize the Internet to collect and share a business organization's private information.²⁸ This includes information about customers, employees, board members, and trade secrets. Like standard doxing, the scale of an institutional doxing attack can vary. Institutional doxing can fluctuate from a disgruntled employee sharing a small business' private emails to large-scale professional hacks of multi-national corporations. Likewise, doxing technique can vary from "stealing data from an organization's network and indiscriminately dumping it all on the Internet" to precise data mining for a targeted attack on a specific department or project.²⁹ Although institutional doxing attacks may be conducted with vastly different methods and levels of severity, the devastating effects on collection and publication of proprietary, secret, or incriminating data with the intention to intimidate, harass, or humiliate a business organization remain the same.³⁰

Corporations are increasingly attractive candidates for state-sponsored doxing attacks as they increase their size, influence, and economic force. Many institutional doxing attacks are committed by foreign states - one scholar notes that "state-sponsored cyber-attacks are on the rise and show no signs of abating."³¹

Some argue that corporations are acting as states in some capacities.³² It could even be said that corporations act as the modern equivalent of traditional colonial powers by controlling large areas of resources and the livelihoods of many people.³³ Large multinational corporations, especially ones in the technology industry like Google, are "acting in some ways as nation-states used to act, exercising to the best of their ability some attributes traditionally associated with sovereign states."³⁴ In particular, "Facebook has become so powerful and omnipresent that some have begun to employ the language of nationhood to describe it."³⁵ Corporations' massive increase in power and influence made their intellectual property and trade secrets more valuable, making corporations more attractive doxing targets for foreign states.³⁶

[Page 216]

The relationship between business organizations and states is growing increasingly complex and will continue to...