More and more often, the Foreign Sovereign Immunities Act (FSIA) has protected cyberattack-conducting state actors and their cybersecurity contractors from legal liability and suits brought by victims seeking redress in US courts.
Adam Silow argues that it is time for foreign sovereign immunity to receive an update for the digital era. State-sponsored cyberattacks and their use of cybersecurity contractors are increasing, particularly affecting human rights activists and large companies with key data and trade secrets. The US government’s responses, namely, diplomacy, sanctions, or issuing “speaking indictments” by prosecutors have been inadequate, and statutory language of the FSIA does not clearly allow liability for cyberattacks, even under the new terrorism amendments.
Some experts propose merely amending the language to include liability for all cyberattacks, which Silow argues may inadvertently allow liability for legitimate state action. Instead, Silow concludes that more targeted legislation should protect specific victims of cyberattacks, namely human rights activists and targets of trade secrets, and allow those victims to legally overcome foreign sovereign immunity in US courts.
The United States is under a growing and constant threat of cyberattack. US cybersecurity strategy has evolved in response, adapting to the new threat climate by committing US Cyber Command to more aggressive and persistent peacetime cyber operations. However, the Department of Defense Cyber Mission Force (CMF) has been stretched thin attempting to carry out its new mission, requiring additional commitments to resourcing, force size, and capabilities.
Homer A. La Rue argues that increased participation of private contractors in US cyber operations is the best way to bolster the CMF’s capabilities, at least in the short term. Contractors may be particularly useful in “gray-zone” operations, that is, operation in the area that exists beyond the threshold of conventional diplomacy but falls short of conventional war.
Although there are challenges and risks to increased contractor participation in cyber operations—particularly related to command and control—La Rue argues that methods of managing these risks already exist and that the benefits of outsourcing cyber operations outweighs the risks.
Although acts of cybercrime and cyberwar are different, the lines between the two have been become blurred over time. The nature of cyberspace has complicated the pre-existing doctrine for armed attacks, yet they are still being applied. Furthermore, the United States historically has responded to malicious cyber activity through a militarized lens.
This tendency to lean towards and emphasize a militarized approach has displaced the domestic law enforcement approach and left it inadequately trained, inadequately resourced, and inadequately supported to identify, deter, and punish offenders. Discussions currently neglect other existing frameworks and the development of new ones to address malicious cyber activity
Without a comprehensive international legal framework governing malicious cyber activity, Mieke Eoyang and Chimène Keitner seek to encourage greater awareness of the consequences of viewing malicious cyber activity through only an armed conflict lens.