Category Archives: Cyberespionage

Shot in the Dark: Can Private Sector “Hackbacks” Work?

In an era when cyberattacks are becoming ever more prevalent, there is a growing demand for private companies to “hackback” to deter and defend against attacks. But federal law precludes them from doing so. Sam Parker addresses the risks and benefits of allowing companies to respond to cyber-threats by going on the offensive and analyzes three legislative hackback proposals.

Because Parker finds that each proposal is either insufficiently effective or bears unacceptable risks, he recommends a hybrid proposal that would allow federal authorities to authorize and strictly supervise companies to engage in defensive cyberattacks. Parker argues this approach enables private companies to be “force multipliers” against cyberthreats while also mitigating the risks of a feared “Wild West” scenario where the private sector can hackback against anyone without restraint.

Willfulness and the Harm of Unlawful Retention of National Security Information

Discussions of the Espionage Act usually focus on the public’s conception of “spying.” Spies steal information that their government seeks to keep secret and disclose that information to other governments. A common acronym, “MICE,” describes the common motivations for spying: money, ideology, compromise, and ego.

The Espionage Act, however, covers a broader set of conduct that can compromise U.S. national security. The original Act, enacted as the United States entered the First World War, included the precursors to prohibitions against undisclosed foreign-government activities in the United States.

The Espionage Act also prohibits taking or possessing national security-related information from the government and keeping it in an unauthorized location. This article explains how some criminal law protections for national security information interact with Executive Branch decisions to protect information based on national security concerns, and how those protections apply in cases where a defendant stole and kept national security information, even if the defendant did not disclose that information to an unauthorized recipient.

To the uninitiated, taking national security information from its authorized location and keeping it in an unauthorized location may seem like a ministerial or administrative violation without much substantive consequence. But to the national security professional—and to the national security professional’s counterparts in adversarial services—such theft constitutes a profound compromise of security.

Authorized locations for the storage of national security information are approved because they are secure and because they facilitate the government’s control over, and tracking of, individuals who access that information. For example, as then-Assistant Attorney General John Demers stated, when Nghia Hoang Pho stole highly classified information and retained it at an unauthorized location, he “placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable.”


Bubbles Over Barriers: Amending the Foreign Sovereign Immunities Act for Cyber Accountability

More and more often, the Foreign Sovereign Immunities Act (FSIA) has protected state actors that conduct cyberattacks, and their cybersecurity contractors, from legal liability and from suits brought by victims seeking redress in US courts.

Adam Silow argues that it is time for foreign sovereign immunity to receive an update for the digital era. State-sponsored cyberattacks and their use of cybersecurity contractors are increasing, particularly affecting human rights activists and large companies with key data and trade secrets. The US government’s responses, namely diplomacy, sanctions, or “speaking indictments” issued by prosecutors, have been inadequate, and the statutory language of the FSIA does not clearly allow liability for cyberattacks, even under the new terrorism amendments.

Some experts propose merely amending the language to include liability for all cyberattacks, which Silow argues may inadvertently allow liability for legitimate state action. Instead, Silow concludes that more targeted legislation should protect specific victims of cyberattacks, namely human rights activists and targets of trade secrets, and allow those victims to legally overcome foreign sovereign immunity in US courts.