Prosecuting Cyberterrorists: Applying Traditional Jurisdictional Frameworks to a Modern Threat
83 Pages. Posted: 30 Apr 2013. Last revised: 11 Apr 2015.
Date Written: April 29, 2013
The United States faces a growing risk of cyberterrorism against its financial system, electric power grid, and other critical infrastructure sectors. Senior U.S. policymakers note that building U.S. capacity to prosecute cyberterrorists could play a key role in deterring and disrupting such attacks. To facilitate prosecution, the federal government is bolstering its technical expertise to attribute attacks to those who perpetrate them, even when, as is increasingly the case, the perpetrators exploit computers in dozens of nations to strike U.S. infrastructure. Relatively little attention has been paid, however, to another prerequisite for prosecuting cyberterrorists: that of building a legal framework that can bring those who attack from abroad to justice.
The best approach to prosecuting cyberterrorists striking from abroad is to add extraterritorial application to current domestic criminal laws bearing on cyberattack. Yet, scholars have barely begun to explore how the United States can best justify such extraterritorial extension under international law and assert a legitimate claim of prescriptive jurisdiction when a terrorist hijacks thousands of computers across the globe. Still less attention has been paid to the question of how to resolve the conflicting claims of national jurisdiction that such attacks would likely engender. This Article argues that the protective principle — which predicates prescriptive jurisdiction on whether a nation suffered a fundamental security threat — should govern cyberterrorist prosecutions. To support this argument, the Article examines the full range of principles on which states could claim prescriptive jurisdiction and assesses their strengths and weaknesses for extending extraterritorial application of U.S. statutes to cyberterrorism. This Article also contends that if multiple nations asserted legitimate claims of jurisdiction based on the protective principle, sequential prosecutions would provide the best way to minimize potential disagreements over which nation receives precedence. Both recommendations — to utilize the protective principle for prescriptive jurisdiction and to rely on sequential prosecutions to resolve multiple jurisdictional claims — could be important components of future international agreements to address cyberterrorism.
Keywords: cyberattack, jurisdiction, conflict of laws, extraterritoriality, protective principle, prosecution, Distributed Denial of Service (DDoS), cyberspace, cyberterrorism