Category Archives: Cyberespionage

Why is the “Spectrum Model” of Internationally Wrongful Acts Problematic in Cyberspace?

There are generally four concepts in international law that describe a state’s wrongful acts: violation of sovereignty, prohibited intervention, use of force, and armed attack. These four concepts emerged in the pre-internet era, and their application in cyberspace has therefore caused many disagreements. However, notwithstanding the disagreements on the scope of any particular concept, most scholars and states have implicitly or explicitly accepted a “spectrum model” to conceptualize the relationship between these four concepts. According to the spectrum model, the difference between these four concepts lies only in the severity of their violations, and the severity of a wrongful act is in turn connected to and dependent upon the effects it causes. Therefore, the four concepts operate by drawing four lines or “thresholds” measuring the effects of particular cyber operations. Accordingly, a cyber operation that violates a principle with a higher threshold must also violate a principle with a lower threshold.

This paper will argue that the spectrum model is problematic because it is incompatible with the usual understanding of the non-intervention principle. It does not correctly reflect the relationship between the non-intervention and the non-use of force principles. And it tends to improperly entangle the prohibition of armed attack and the non-use of force principle. This paper will then propose an alternative “pyramid model” to conceptualize internationally wrongful acts.

I. Problematic Implications of the Spectrum Model in Cyberspace

1. The spectrum model and the principle of non-intervention

The principle of non-intervention is a well-established rule of customary international law that prohibits states from coercively intervening in another state’s internal and external affairs. But there are two approaches to its application in cyberspace. The first view is that the non-intervention principle prohibits cyber operations that are “specifically designed to compel the victim State to change its behavior with respect to a matter within its domaine réservé.” This view is supported by states including the Netherlands and Germany. Under this approach, a prohibited intervention can be found if and only if (1) the acting state has the intent to influence the victim state’s behaviors or policies within its domaine réservé and (2) the acting state resorts to a coercive method. In contrast, the second approach argues that what’s important is not the victim state’s free will in deciding its affairs but its “ability to control or govern” such matters. Surprisingly, this view is supported not only by authoritarian states but also by liberal states like Australia and New Zealand as well as a minority of experts in Tallinn Manual 2.0.

It is not hard to understand the attractiveness of the second approach to many scholars, as this view is more compatible with the spectrum model of internationally wrongful acts. The spectrum model implies a pure effect-based logic, as it distinguishes different internationally wrongful acts only by the effects caused. The first approach’s inquiry into the victim state’s free will in deciding matters within its domaine réservé, however, requires more than such a logic. On the one hand, such inquiries can be harder to objectivize compared to the second approach’s “ability to control” test, as they depend on many factors that require case-specific inquiry, like the victim state’s national power and leadership; but the effect-based logic necessarily requires a clear, objective, and universal standard. On the other hand, the effect-based logic emphasizes the direct impacts of cyber operations. Whereas a state’s “ability to control” matters within its domaine réservé can be directly harmed by another state’s cyber activities, its free will cannot. Instead, in situations short of using armed forces, a state can only influence another state’s policy choices or behaviors indirectly. In deciding whether a particular cyber operation coerced another state to change its policy, it is usually not enough simply to investigate the direct effects caused.

However, whereas the first approach is less compatible with the spectrum model, it better reflects the logic of the non-intervention principle and is more compatible with how the principle has usually been interpreted by the international community. The principle of non-intervention is not written in the U.N. Charter. However, it is reflected in the 1970 Friendly Relations Declaration, which recognizes that all states have “an inalienable right to choose its political, economic, social and cultural systems” and that it is prohibited to “coerce another state in order to obtain from it the subordination of the exercise of its sovereign rights.” It is worth noting that the Friendly Relations Declaration does not support the spectrum model because it does not say that the violation of the non-use of force principle per se constitutes a violation of the non-intervention principle. Instead, a more reasonable reading is that only some kinds of use of force are prohibited intervention – for example, the Declaration asserts that the use of force to “deprive peoples of their national identity” is also regarded as a violation of the principle of non-intervention. Besides the Declaration, the International Court of Justice (ICJ) in the 1986 Nicaragua case held that for an operation to constitute a prohibited intervention, it must satisfy two requirements: (1) it must “be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely” and (2) it must be one that “uses methods of coercion in regard to such choices.” Apparently, the freedom of “choices” instead of “control” is the standard here. Moreover, the majority of experts in the Tallinn Manual 2.0 also accept this reading, and they explain that a prohibited intervention must “have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take).”


Shot in the Dark: Can Private Sector “Hackbacks” Work?

In an era when cyberattacks are becoming ever more prevalent, there is a growing demand for private companies to “hackback” to deter and defend against attacks. But federal law precludes them from doing so. Sam Parker addresses the risks and benefits of allowing companies to respond to cyber-threats by going on the offensive and analyzes three legislative hackback proposals.

Because Parker finds that each proposal is either insufficiently effective or bears unacceptable risks, he recommends a hybrid proposal that would allow federal authorities to authorize and strictly supervise companies to engage in defensive cyberattacks. Parker argues this approach enables private companies to be “force multipliers” against cyberthreats while also mitigating the risks of a feared “Wild West” scenario where the private sector can hackback against anyone without restraint.

Willfulness and the Harm of Unlawful Retention of National Security Information

Discussions of the Espionage Act usually focus on the public’s conception of “spying.” Spies steal information that their government seeks to keep secret and disclose that information to other governments. A common acronym, “MICE,” describes the common motivations for spying: money, ideology, compromise, and ego.

The Espionage Act, however, covers a broader set of conduct that can compromise U.S. national security. The original Act, enacted as the United States entered the First World War, included the precursors to prohibitions against undisclosed foreign-government activities in the United States.

The Espionage Act also prohibits taking or possessing national security-related information from the government and keeping it in an unauthorized location. This article explains how some criminal law protections for national security information interact with Executive Branch decisions to protect information based on national security concerns, and how those protections apply in cases where a defendant stole and kept national security information, even if the defendant did not disclose that information to an unauthorized recipient.

To the uninitiated, taking national security information from its authorized location and keeping it in an unauthorized location may seem like a ministerial or administrative violation without much substantive consequence. But to the national security professional—and to the national security professional’s counterparts in adversarial services—such theft constitutes a profound compromise of security.

Authorized locations for the storage of national security information are approved because they are secure and because they facilitate the government’s control over, and tracking of, individuals who access that information—for example, as then-Assistant Attorney General John Demers stated, when Nghia Hoang Pho stole highly classified information and retained it at an unauthorized location, he “placed at risk our intelligence community’s capabilities and methods, rendering some of them unusable.”
