In an era when cyberattacks are becoming ever more prevalent, there is a growing demand for private companies to “hackback” to deter and defend against attacks. But federal law precludes them from doing so. Sam Parker addresses the risks and benefits of allowing companies to respond to cyber-threats by going on the offensive and analyzes three legislative hackback proposals.
Because Parker finds that each proposal is either insufficiently effective or bears unacceptable risks, he recommends a hybrid proposal that would allow federal authorities to authorize and strictly supervise companies to engage in defensive cyberattacks. Parker argues this approach enables private companies to be “force multipliers” against cyberthreats while also mitigating the risks of a feared “Wild West” scenario where the private sector can hackback against anyone without restraint.
More and more often, the Foreign Sovereign Immunities Act (FSIA) has protected cyberattack-conducting state actors and their cybersecurity contractors from legal liability and suits brought by victims seeking redress in US courts.
Adam Silow argues that it is time for foreign sovereign immunity to receive an update for the digital era. State-sponsored cyberattacks and their use of cybersecurity contractors are increasing, particularly affecting human rights activists and large companies with key data and trade secrets. The US government’s responses, namely, diplomacy, sanctions, or issuing “speaking indictments” by prosecutors have been inadequate, and statutory language of the FSIA does not clearly allow liability for cyberattacks, even under the new terrorism amendments.
Some experts propose merely amending the language to include liability for all cyberattacks, which Silow argues may inadvertently allow liability for legitimate state action. Instead, Silow concludes that more targeted legislation should protect specific victims of cyberattacks, namely human rights activists and targets of trade secrets, and allow those victims to legally overcome foreign sovereign immunity in US courts.
The United States is under a growing and constant threat of cyberattack. US cybersecurity strategy has evolved in response, adapting to the new threat climate by committing US Cyber Command to more aggressive and persistent peacetime cyber operations. However, the Department of Defense Cyber Mission Force (CMF) has been stretched thin attempting to carry out its new mission, requiring additional commitments to resourcing, force size, and capabilities.
Homer A. La Rue argues that increased participation of private contractors in US cyber operations is the best way to bolster the CMF’s capabilities, at least in the short term. Contractors may be particularly useful in “gray-zone” operations, that is, operation in the area that exists beyond the threshold of conventional diplomacy but falls short of conventional war.
Although there are challenges and risks to increased contractor participation in cyber operations—particularly related to command and control—La Rue argues that methods of managing these risks already exist and that the benefits of outsourcing cyber operations outweighs the risks.