Tag Archives: Cyber Attacks

Why is the “Spectrum Model” of Internationally Wrongful Acts Problematic in Cyberspace?

There are generally four concepts in international law that describe a state’s wrongful acts: violation of sovereignty, prohibited intervention, use of force, and armed attack. These four concepts emerged in the pre-internet era, and their application in cyberspace has therefore caused many disagreements. However, notwithstanding the disagreements on the scope of any particular concept, most scholars and states have implicitly or explicitly accepted a “spectrum model” to conceptualize the relationship between these four concepts. According to the spectrum model, the difference between these four concepts lies only in the severity of their violations, and the severity of a wrongful act is in turn connected to and dependent upon the effects caused by it. Therefore, the four concepts operate by drawing four lines or “thresholds” measuring the effects of particular cyber operations. Accordingly, a cyber operation that violates a principle with a higher threshold must also violate a principle with a lower threshold.

This paper will argue that the spectrum model is problematic because it is incompatible with the usual understanding of the non-intervention principle, it does not correctly reflect the relationship between the non-intervention and the non-use of force principles, and it tends to improperly entangle the prohibition of armed attack and the non-use of force principle. This paper will then propose an alternative “pyramid model” to conceptualize internationally wrongful acts.

I. Problematic Implications of the Spectrum Model in Cyberspace

1. The spectrum model and the principle of non-intervention

The principle of non-intervention is a well-established rule of customary international law that prohibits states from coercively intervening in another state’s internal and external affairs. But there are two approaches to its application in cyberspace. The first view is that the non-intervention principle prohibits cyber operations that are “specifically designed to compel the victim State to change its behavior with respect to a matter within its domaine réservé.” This view is supported by states including the Netherlands and Germany. Under this approach, a prohibited intervention can be found if and only if (1) the acting state has the intent to influence the victim state’s behaviors or policies within its domaine réservé and (2) the acting state resorts to a coercive method. In contrast, the second approach argues that what is important is not the victim state’s free will in deciding its affairs but its “ability to control or govern” such matters. Surprisingly, this view is supported not only by authoritarian states but also by liberal states like Australia and New Zealand, as well as a minority of experts in the Tallinn Manual 2.0.

It is not hard to understand the attractiveness of the second approach to many scholars, as this view is more compatible with the spectrum model of internationally wrongful acts. The spectrum model implies a pure effect-based logic, as it distinguishes different internationally wrongful acts only by the effects caused. The first approach’s inquiry into the victim state’s free will in deciding matters within its domaine réservé, however, requires more than such a logic. On the one hand, such inquiries can be harder to make objective than the second approach’s “ability to control” test, as they depend on many factors that require case-specific inquiry, like the victim state’s national power and leadership; the effect-based logic, by contrast, necessarily requires a clear, objective, and universal standard. On the other hand, the effect-based logic emphasizes the direct impacts of cyber operations. Whereas a state’s “ability to control” matters within its domaine réservé can be directly harmed by another state’s cyber activities, its free will cannot. Instead, in situations short of using armed forces, a state can only influence another state’s policy choices or behaviors indirectly. In deciding whether a particular cyber operation coerced another state to change its policy, it is usually not enough to investigate simply the direct effects caused.

However, whereas the first approach is less compatible with the spectrum model, it better reflects the logic of the non-intervention principle and is more compatible with how the principle has usually been interpreted by the international community. The principle of non-intervention is not written in the U.N. Charter. However, it is reflected in the 1970 Friendly Relations Declaration, which recognizes that all states have “an inalienable right to choose its political, economic, social and cultural systems” and that it is prohibited to “coerce another state in order to obtain from it the subordination of the exercise of its sovereign rights.” It is worth noting that the Friendly Relations Declaration does not support the spectrum model because it does not say that the violation of the non-use of force principle per se constitutes a violation of the non-intervention principle. Instead, a more reasonable reading is that only some kinds of use of force are prohibited intervention – for example, the Declaration asserts that the use of force to “deprive peoples of their national identity” is also regarded as a violation of the principle of non-intervention. Besides the Declaration, the International Court of Justice (ICJ) in the 1986 Nicaragua case held that for an operation to constitute a prohibited intervention, it must satisfy two requirements: (1) it must “be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely” and (2) it must be one that “uses methods of coercion in regard to such choices.” Evidently, the freedom of “choices,” rather than “control,” is the standard here. Moreover, the majority of experts in the Tallinn Manual 2.0 also accept this reading, and they explain that a prohibited intervention must “have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take).”

Shot in the Dark: Can Private Sector “Hackbacks” Work?

In an era when cyberattacks are becoming ever more prevalent, there is a growing demand for private companies to “hackback” to deter and defend against attacks. But federal law precludes them from doing so. Sam Parker addresses the risks and benefits of allowing companies to respond to cyber-threats by going on the offensive and analyzes three legislative hackback proposals.

Because Parker finds that each proposal is either insufficiently effective or bears unacceptable risks, he recommends a hybrid proposal that would allow federal authorities to authorize and strictly supervise companies to engage in defensive cyberattacks. Parker argues this approach enables private companies to be “force multipliers” against cyberthreats while also mitigating the risks of a feared “Wild West” scenario where the private sector can hackback against anyone without restraint.

Bubbles Over Barriers: Amending the Foreign Sovereign Immunities Act for Cyber Accountability

More and more often, the Foreign Sovereign Immunities Act (FSIA) has protected cyberattack-conducting state actors and their cybersecurity contractors from legal liability and suits brought by victims seeking redress in US courts.

Adam Silow argues that it is time for foreign sovereign immunity to receive an update for the digital era. State-sponsored cyberattacks and their use of cybersecurity contractors are increasing, particularly affecting human rights activists and large companies with key data and trade secrets. The US government’s responses, namely diplomacy, sanctions, or the issuing of “speaking indictments” by prosecutors, have been inadequate, and the statutory language of the FSIA does not clearly allow liability for cyberattacks, even under the new terrorism amendments.

Some experts propose merely amending the language to include liability for all cyberattacks, which Silow argues may inadvertently allow liability for legitimate state action. Instead, Silow concludes that more targeted legislation should protect specific victims of cyberattacks, namely human rights activists and targets of trade secrets, and allow those victims to legally overcome foreign sovereign immunity in US courts.