The Law of Cyber-Attack

70 Pages. Posted: 23 Aug 2012. Last revised: 7 Sep 2012.

Oona A. Hathaway

Yale University - Law School

Rebecca Crootof

Information Society Project; Yale Law School

Philip Levitz

Yale Law School

Haley Proctor

U.S. Court of Appeals for the D.C. Circuit

Aileen Elizabeth Nowlan

Yale University - Law School

William Perdue

Independent

Julia Spiegel

Independent

Date Written: 2012

Abstract

Cyber-attacks have become increasingly common in recent years. Capable of shutting down nuclear centrifuges, air defense systems, and electrical grids, cyber-attacks pose a serious threat to national security. As a result, some have suggested that cyber-attacks should be treated as acts of war. Yet the attacks look little like the armed attacks that the law of war has traditionally regulated. This Article examines how existing law may be applied — and adapted and amended — to meet the distinctive challenge posed by cyber-attacks. It begins by clarifying what cyber-attacks are and how they already are regulated by existing bodies of law, including the law of war, international treaties, and domestic criminal law. This review makes clear that existing law effectively addresses only a small fraction of potential cyber-attacks. The law of war, for example, provides a useful framework for only the very small number of cyber-attacks that amount to an armed attack or that take place in the context of an ongoing armed conflict. This Article concludes that a new, comprehensive legal framework at both the domestic and international levels is needed to more effectively address cyber-attacks. The United States could strengthen its domestic law by giving domestic criminal laws addressing cyber-attacks extra-territorial effect and by adopting limited, internationally permissible countermeasures to combat cyber-attacks that do not rise to the level of armed attacks or that do not take place during an ongoing armed conflict. Yet the challenge cannot be met by domestic reforms alone. International cooperation will be essential to a truly effective legal response. New international efforts to regulate cyber-attacks must begin with agreement on the problem — which means agreement on the definition of cyber-attack, cyber-crime, and cyber-warfare. This would form the foundation for greater international cooperation on information sharing, evidence collection, and criminal prosecution of those involved in cyber-attacks — in short, for a new international law of cyber-attack.

Keywords: cyber-attack, cyber-crime, cyber-warfare, jus ad bellum, jus in bello, national security, war, stuxnet

JEL Classification: K33, F02, O00, O30, N40, H56

Suggested Citation

Hathaway, Oona A. and Crootof, Rebecca and Levitz, Philip and Proctor, Haley and Nowlan, Aileen Elizabeth and Perdue, William and Spiegel, Julia, The Law of Cyber-Attack (2012). California Law Review, Vol. 100, No. 4, 2012; Yale Law & Economics Research Paper No. 453; Yale Law School, Public Law Working Paper No. 258. Available at SSRN: https://ssrn.com/abstract=2134932
