Prosecuting cyberterrorists: applying traditional jurisdictional frameworks to a modern threat.

• Author: Stockton, Paul N.
• Position: Abstract through III. International Law Grounds for Extraterritorial Jurisdiction Applied to Cyberterrorism A. Territoriality, p. 211-241

The United States faces a growing risk of cyberterrorism against its financial system, electric power grid, and other critical infrastructure sectors. Senior U.S. policymakers note that building U.S. capacity to prosecute cyberterrorists could play a key role in deterring and disrupting such attacks. To facilitate prosecution, the federal government is bolstering its technical expertise to attribute attacks to those who perpetrate them, even when, as is increasingly the case, the perpetrators exploit computers in dozens of nations to strike U.S. infrastructure. Relatively little attention has been paid, however, to another prerequisite for prosecuting cyberterrorists: that of building a legal framework that can bring those who attack from abroad to justice.

The best approach to prosecuting cyberterrorists striking from abroad is to add extraterritorial application to current domestic criminal laws bearing on cyberattack. Yet, scholars have barely begun to explore how the United States can best justify such extraterritorial extension under international law and assert a legitimate claim of prescriptive jurisdiction when a terrorist hijacks thousands of computers across the globe. Still less attention has been paid to the question of how to resolve the conflicting claims of national jurisdiction that such attacks would likely engender.

This Article argues that the protective principle--which predicates prescriptive jurisdiction on whether a nation suffered a fundamental security threat--should govern cyberterrorist prosecutions. To support this argument, the Article examines the full range of principles on which States could claim prescriptive jurisdiction and assesses their strengths and weaknesses for extending extraterritorial application of U.S. statutes to cyberterrorism. This Article also contends that if multiple nations asserted legitimate claims of jurisdiction based on the protective principle, sequential prosecutions would provide the best way to minimize potential disagreements over which nation receives precedence. Both recommendations--to utilize the protective principle for prescriptive jurisdiction and to rely on sequential prosecutions to resolve multiple jurisdictional claims--could be important components of future international agreements to address cyberterrorism.

INTRODUCTION I. THE THREAT OF CYBERTERRORISM TO U.S. CRITICAL INFRASTRUCTURE AND U.S. PREPAREDNESS AGAINST IT II. U.S. DOMESTIC LEGAL CONSTRAINTS ON EXTRATERRITORIALITY AND FEDERAL STATUTES BEARING ON CYBERTERRORISM III. INTERNATIONAL LAW GROUNDS FOR EXTRATERRITORIAL JURISDICTION APPLIED TO CYBERTERRORISM A. Territoriality 1. Subjective Territoriality 2. Objective Territoriality, Effects-Based, and Targeting Doctrines B. Nationality Principle C. Passive Nationality Principle D. Universal Jurisdiction Doctrine E. The Protective Principle of Jurisdiction: The Efficacious Method for Prosecuting Cyberterrorists 1. The Case for Protective Jurisdiction 2. Judicial Basis for Extending the Protective Principle to Cyberterrorism 3. Preempting Potential Counterarguments 4. The Major Limitations of the Protective Principle in the Cyberterrorism Context IV. SEQUENTIAL PROSECUTIONS: THE SUPERIOR APPROACH FOR ESTABLISHING JURISDICTION WHEN MULTIPLE NATIONS ASSERT JURISDICTION PREDICATED ON THE PROTECTIVE PRINCIPLE V. SEQUENTIAL PROSECUTIONS ARE PREFERABLE TO OTHER POLICIES FOR BREAKING THE JURISDICTIONAL TIE CONCLUSION We meet today at a transformational moment--a moment in history when our interconnected world presents us, at once, with great promise but also great peril.... [I]t's now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.

--President Obama (1)

INTRODUCTION

The United States faces a "rapidly growing threat from cyber-attacks," warned President Barack Obama in his 2013 State of the Union address. In particular, the President noted that U.S. adversaries are "seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." (2) Leon Panetta, while serving as Secretary of Defense, singled out cyberterrorism as posing a dire threat to such targets. Stating that the United States is in a "pre-9/11 moment," Panetta noted that "attackers are plotting" to attack U.S. infrastructure with potentially devastating effects, and that "a destructive cyber-terrorist attack could virtually paralyze the nation." (3)

The Obama Administration is pursuing a wide array of initiatives to secure critical infrastructure from cyberattack. (4) Yet, one potentially vital opportunity for progress in cybersecurity has received relatively little attention: that of building an effective legal framework to prosecute cyberterrorists. (5) In October 2012, Lisa Monaco, U.S. Assistant Attorney General for National Security, noted the seriousness of the cyber threat posed by terrorists and other state and non-state actors, and emphasized that "prosecutions will be critical tools for deterrence and disruption" of such attacks. (6) We concur. If terrorists faced a substantial risk that they would be prosecuted for attacking U.S. critical infrastructure, they might be deterred from doing so. In the case of terrorists committed to attacking despite such risks, the ability to prosecute the plotters before they struck their targets would also be invaluable. Moreover, as part of a broader effort to build international norms and agreements in the cyber realm, creating a legal framework for prosecution with a strong foundation in international law would be a critical step forward in building a global approach to defeat cyberterrorism.

Building U.S. capacity to prosecute cyberterrorists will require progress in three especially important realms. First, the United States will need to improve its technical means to attribute attacks to those responsible for them, even when the attackers go to elaborate lengths to hide their identity. Attribution is especially difficult when attackers hijack thousands of computers across the globe without the owners' knowledge and commandeer these computers to conduct coordinated "botnet" operations. Such cross-jurisdictional botnet operations occurred when the Republic of Estonia suffered nationwide Distributed Denial of Service ("DDOS") attacks. The perpetrators used approximately one million "zombie" computers, located in countries ranging from Vietnam to the United States, to incapacitate Estonia's computer systems. (7) Large-scale botnet DDOS attacks are now occurring against U.S. banks and companies in other critical infrastructure sectors as well, with perpetrators reportedly employing tens of thousands of computers, half of which are overseas. (8) Accurately attributing massive, cross-jurisdictional botnet attacks to the perpetrator--and then marshaling the evidence to prove responsibility for the attack in a court of law--will require the resolution of major technical challenges. (9)

U.S. government and private sector organizations are intensively working to meet these attribution challenges. A revealing example of progress occurred in February 2013, when U.S. computer security company Mandiant detailed how it traced back cyberattacks to a specific group of perpetrators in a twelve-story office tower in Shanghai, China. (10) The Federal Bureau of Investigation ("FBI") and other federal agencies are also launching an intensive effort to strengthen U.S. attribution capabilities. They are creating new partnerships with private sector owners of critical infrastructure and state and local law enforcement to collect and share cyberattack data necessary for attribution efforts. (11) The FBI is also critically working with its law enforcement counterparts overseas to identify cyber criminals. (12)

In a second realm, the United States must develop the prosecutorial expertise and institutional framework necessary to address the specific problems posed by cyberterrorism. The National Security Division ("NSD") of the Department of Justice is devoting major resources to this effort. NSD has established a National Security Cyber Specialists' Network to serve as a "one-stop shop" to facilitate prosecution efforts, and is partnering with the Criminal Division's Computer Crime and Intellectual Property Section ("CCIPS") and U.S. Attorney's Offices around the nation to prosecute those who attack critical in frastructure and other assets vital to national security and the U.S. economy. (13)

In a third realm, however, progress has been notably absent. Scholars and policymakers have done little to build the legal framework needed to prosecute cyberterrorists who strike from abroad, and who launch cross-jurisdictional botnet attacks against U.S. critical infrastructure. Oona Hathaway et al. offer a comprehensive review of international and U.S. domestic legal tools currently available to help nations meet the challenges posed by cyberattacks from both state and non-state actors. (14) The authors find that major gaps exist in international law and agreements that apply to cyberattacks. (15) They also conclude that "existing domestic law largely fails to directly address the novel modern challenges posed by cyber-attacks, and is severely limited by its lack of extraterritorial reach." (16) They recommend, therefore, that the United States and other nations add extraterritorial applicability to their criminal laws bearing on cyberattack, as well as pursuing a longer-term effort to create an international treaty against cyber threats. (17)

We agree that extending the applicability of U.S. domestic laws to cover those who attack from abroad would provide a timely and much-needed basis to prosecute cyberterrorists. We argue, however, that two major issues must be resolved before the United States can extend extraterritoriality in this manner. First, the United States would have to specify how such an extension of extraterritoriality...