Domestic law is an “imperfect instrument” for responding to transnational cyberattacks, argues a paper in the Notre Dame Journal of International & Comparative Law.
Examining the potential for responding to such attacks in the United Kingdom, two researchers argued that civil law and regulatory responses might offer some help in overcoming the serious obstacles to using national legal structures to prevent or deter a serious cyberattack from another nation.
“Law is an imperfect instrument in cyberspace, especially when responding to transnational cyberattacks,” concluded the paper, written by Clive Walker of the University of Leeds Centre for Criminal Justice Studies and Ummi Hani Binti Masood of University Teknologi MARA, Shah Alam, Malaysia.
“It must contend not only with the difficult attributes of transnationality, instantaneity, and accessibility, but also must overcome an overlay of political calculations, which make courtrooms an unappealing venue for the settling of international scores.”
However, the urgent necessity of finding a way to deal with transnational cyberattacks is clear in light of what happened on March 15th: The U.S. Health and Human Services Department suffered a cyberattack on its computer system, part of a campaign of disruption and disinformation aimed at undermining the response to the COVID-19 pandemic.
Informed sources believe the attack “may have been the work of a foreign actor,” reported Bloomberg News.
“We are aware of a cyber incident related to the Health and Human Services computer networks, and the federal government is investigating this incident thoroughly,” John Ullyot, a spokesman for the National Security Council, said in a statement released last week. “HHS and federal government cybersecurity professionals are continuously monitoring and taking appropriate actions to secure our federal networks.”
A cyberattack is defined in the Notre Dame study as “any action taken to undermine the functions of a computer network for a political or national security purpose.” The HHS attack appears to fit this definition.
Bloomberg reported that the attack, “which involved overloading the HHS servers with millions of hits over several hours, didn’t succeed in slowing the agency’s systems significantly, as was apparently intended, according to one of the people familiar with the matter.”
The Council on Foreign Relations said in a newsletter post, “The national security community has been slow to recognize cybercriminal groups as a national security threat. The growth in sophistication of ransomware campaigns suggests that the capabilities these groups possess are now on par with many nation states.”
“Many people have expressed hope online that cybercriminals would empathize with those who are suffering and think twice before targeting hospitals,” the Council on Foreign Relations continued.
“Unfortunately, hope is not a strategy. Their targeting of vulnerable critical infrastructure, like public health systems and hospitals, in a time of crisis demands that the threat posed by these groups be countered with the full weight that the United States can bring to bear.”
In the Notre Dame study, the two authors say, “Some two decades ago, it was possible to dream about the benevolence of the Internet. However, the optimism is now beset by risks, abuses, and scares that have taken the gloss off the promise of the Internet and the indulgence afforded to Internet operators.”
The authors recommend a broad array of countermeasures to deal with transnational cyberattack.
“The European Commission is surely right to conclude that ‘a whole-of-society approach—government, civil society, private sector, including inter alia, media and online platforms—is at the core’ ” of a necessary response, according to the paper.
For instance, in addition to general prevention through regulation, civil law might be eapplied as a form of reaction to actual or anticipated cyberattacks. Victims could may initiate a civil action for ‘economic’ or ‘intentional’ torts against the perpetrators, as well as seek economic damages through legligence law suits, the authors said.
Other remedies could include injunctions and restraining orders, they added, citing a 2010 temporary restraining order issued by a federal judge against almost 300 Internet Domains in response to a request from Microsoft.
In that case, a group of criminals known as Waledac used these domains to facilitate and continuously control the ability of the computers to communicate with each other as Botnets.
The Notre Dame report, “Domestic Law Responses to Transnational Cyberattacks and
Other Online Harms: Internet Dreams Turned to Internet Nightmares and Back Again,” can be downloaded here.
Nancy Bilyeau is deputy editor of TCR.