Consider this thought experiment: You are an American or British owner of a small business that regularly uses the internet. Are you a legitimate target in a war with Russia or Iran while you conduct your affairs in New York or London?
Most would say no. Yet, it appears that innocent civilians, especially businesses, are fair game in this new era of cyber warfare between the West and rogue regimes.
Last Friday, Singapore was hit with a massive cyber attack that compromised the health data of 1.5 million people, including Prime Minister Lee Hsien Loong. Singaporean authorities described it as a “deliberate, targeted and well-planned cyber attack,” apparently conducted by malicious state actors. That hackers were able to breach sensitive health data of the head of a wealthy sovereign state ought to trigger alarms in all capitals; it marks a new milestone in the evolution of a relatively new threat.
The Singapore attack is not an isolated instance. Recently, authorities in the United States and United Kingdom issued the first joint warning about a massive campaign of cyber attacks by Russian state-sponsored actors. The attacks targeted network devices such as routers and firewalls with the objective of controlling them for nefarious purposes. The joint technical alert accused “cyber actors supported by the Russian government” of orchestrating global operations to “enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.”
Ominously, the worst may be yet to come. Rob Joyce, the official responsible for cybersecurity at the U.S. National Security Council, noted that “we can’t rule out Russia may attempt to use this … infrastructure for further attacks.”
In 2015 and 2017, Ukraine’s power grid and military infrastructure were compromised by attacks. France and other European Union countries also have been targets — especially for cyber-led misinformation campaigns during elections. And there are the cyber attacks detailed in the grand jury indictments announced by the Department of Justice on July 13.
The WannaCry ransomware attack attributed to North Korean hackers infected 300,000 devices in 150 countries. In the United Kingdom, 80 of 236 National Health Service trusts and 595 general practitioners were affected by the attacks. Reportedly, about 20,000 appointments and operations were canceled and patients had to be diverted from emergency services.
Such attacks not only cause inconveniences; they’re also costly when they disable systems. The city of Atlanta was hit by a SamSam ransomware attack in March, compromising the court system. Other attacks have targeted universities, power facilities and dams in the United States.
Cyber warfare has not been limited to state entities. A 2013 attack breached 3 billion Yahoo user accounts, affecting usernames and passwords. An attack on Uber compromised data of 57 million users. The massive Equifax data breach in 2017 affected 700,000 British customers and has been described as the costliest cyber attack in corporate history. The Russian Petya attack against Reckitt Benckiser in 2017 crippled 15,000 computers and cost $131 million.
Surprisingly, aside from the U.S.-U.K. response, the international community’s reaction has been passive acceptance of cyber attacks. Partly, this is because cyber warfare is in a legal grey area and there is an asymmetry of capability.
The absence of rules inhibits a strong response and that only benefits rogue actors. As a first step, cyber attackers must be characterized as hostis humani generis — that is, enemies of mankind. This term of art is employed against pirates, slavers and, recently, torturers.
Why does this matter? If characterized like pirates, cyber attackers could be caught and prosecuted by any country — in other words, there would be universal jurisdiction and no need to extradite them to the United States or United Kingdom. It also would classify them as global outlaws, opening them up to armed responses by any state.
Cyber attackers share commonalities with pirates. They are well organized and employ terror to achieve commercial and political objectives. Like pirates, many hackers are self-described fighters against the system, exacting vengeance for a litany of perceived ills. And hackers are used by state sponsors to further their own hostile objectives against enemies while maintaining a veneer of peaceful relations. The sponsor denies responsibility and the connection can be hard to establish, much as it was with Elizabethan pirates.
Given the rising intensity of attacks and their potential for serious harm, it is time to adopt strong measures. Outlawing cyber attacks against civilian targets would recognize the illegitimacy of this form of conflict without regard for state or cause. It would give legal cover for strong countermeasures — including counter strikes in self-defence that may be pre-emptive when there are sufficient grounds to believe that attacks are imminent.
The tech community recently embraced just such a norm in the Cybersecurity Tech Accord, which was signed by 34 companies including Microsoft, Facebook, Cisco, Juniper Networks, Oracle, Nokia, SAP, Dell, Symantec, FireEye and Trend Micro.
Now states must join in this effort and codify rules to outlaw cyber attacks against civilian targets. The rules must authorize counter attacks against cyber criminals because, often, that is the only avenue available when the criminals are within the jurisdiction of their rogue state sponsors or in lawless territories.
The United Kingdom Government Communications Headquarters recently acknowledged employing such attacks in 2017 against the Islamic State, to cripple its propaganda and recruiting capability. Though the legality of such steps may not matter against ISIS, it would be significant in any action against criminals in, say, Russia or Iran. Hence, the need for clear rules to prevent unintended consequences. To paraphrase Sir Thomas More’s timeless words in “A Man for All Seasons,” we should “give the Devil benefit of law, for our own safety’s sake.”
Sandeep Gopalan is a professor of law and pro vice chancellor for academic innovation at Deakin University in Melbourne, Australia. He previously was co-chairman or vice chairman of American Bar Association committees on aerospace/defense and international transactions, a member of the ABA’s immigration commission, and dean of three law schools in Ireland and Australia. He has taught law in four countries and served as a visiting scholar at universities in France and Germany.