Cyber-Attacks – Prevention-Reactions: The Role of States and Private Actors
Les Cahiers de la Revue Défense Nationale, Paris, 2017
88 Pages Posted: 31 Mar 2017 Last revised: 1 Jun 2018
Date Written: February 25, 2017
La version française de cet article peut être consultée à: http://ssrn.com/abstract=2957795.
The present book aims to conceptualize and present, in a concise manner, the main questions raised in the field of international law regarding the role of the States and private actors in the prevention and the reaction to cyber-attacks. It has been prepared within the framework of the French Cybersecurity Initiative launched in 2017 by the Secretary General for National Defense and Security and the French National Cyber-Security Agency (ANSSI) and it will be presented for the International Conference to be held at UNESCO on 6 and 7 April 2017 on the theme: "Building International Peace and Security in a Digital Society – Public Actors, Private Actors: Duties and Responsibilities". This study strictly expresses the personal opinions of its authors in the framework of their academic research.
This study has been awarded the "Cyberdefense" Book Award of the International Cybersecurity Forum (FIC 2018) presented to the authors on January 23, 2018 by Ms. Florence Party, Minister of the Armed Forces of France and Mr. Juri Luik, Minister of Defense of Estonia.
The point of departure for this book is that the dramatic rise of cyber-attacks involving States and non-State actors could constitute a real threat to international peace and security. In 2013, the members of the UN GGE recognized the application of International Law in the cyberspace. The cyberspace is not a "No Law’s Land"; rather, it can be regulated by International Law, as are virtually all international activities. But the task in this field is infinitely more complex, not only because of the very nature of the cyberspace but also because the great diversity of the actors involved. These actors include potential perpetrators of cyber-attacks (States, "proxies", private actors supported or tolerated by States, terrorists, cybercriminals, companies conducting espionage or wanting to gain a competitive advantage, individual hackers, patriotic hacker groups, etc.); potential victims of attacks (States, administrations and communities, companies, media, individuals, etc.); those involved in these attacks (eg. the States through which cyber-attacks transit, companies and individuals whose systems are used by the attackers without the knowledge of the owners); and, finally, those to be potentially involved in a response to a cyber-attack (States, private companies acting for their own benefits, private companies undertaking a response on behalf of another company, etc.). This situation creates an impressive number of combinations, which in their respective turns affect the type and appropriateness of a response.
The first part of this book focuses on the issue of prevention and argues that the concept of "cyber-diligence", which we have forged on the basis of existing international law and the obligation of any State not to allow knowingly its territory to be used for acts contrary to the rights of other States, provides a satisfactory answer to the question of vigilance that States should exercise with regard to cyber-operations developed from their territory by private actors.
The second part of this book, examines those responses to cyber-attacks which can be developed in accordance with international law. It proceeds to a classification of the possible reactions to cyber-attacks, by proposing a kind of "user's manual" for victim States that wish to react within the limits of international legality. It distinguishes between reactions always permitted and other reactions that are permissible only if it can be established that a State has committed an "internationally wrongful act" by action or omission. It stresses the need for international cooperation in this area, and warns against any "trivialization" of responses that are in principle violations of international law but are "excused" as circumstances precluding wrongfulness or responsibility.
In the third part of this book, we focus on the very important role that the private sector plays in this field, from preventing cyber-attacks and securing digital infrastructures to "active cyber defense" measures, passing through activities such as the attribution of cyber-attacks. Private sector activities in the area of cyber-security raise several issues and controversies, of political, ethical, technical and legal nature. We carry out a detailed study of the problems of "active cyber defense" and "hack-back" from the point of view of both international and comparative law. After analyzing the advantages, disadvantages and risks of hack-back, we answer to the question of whether private actors can unilaterally undertake cyber-offensive measures in accordance with the law, and examine to what extent States can authorize a hack-back operation and/or rely on private actors to conduct counter-attacks. Our conclusion is that private actors would be better off investing in cyber hygiene and the implementation of good safety practices, rather than trying to acquire offensive tools. If, nevertheless, they are victims of a cyber-attack, instead of launching a - technically and legally - hazardous hack-back, it would be better if they notified the State authorities of the attack and asked them to act, and also exercised their legal rights against the perpetrator of the cyber-attack, assuming that the perpetrator can be identified. States should act within the framework of international law (and especially human rights law) to enhance their proactive and reactive capabilities in order to avoid giving the impression that proper legal forms of reaction are either nonexistent or insufficient. Indeed, the impression of inadequate and inefficient government gatekeeping in the field of cyber-security serves the interests of those who call for cyber-vigilantism. States could, if needed, rely on private actors to conduct counter-attacks under certain circumstances, but this should be done under States' close control, with the risk of triggering their international responsibility.
Keywords: Cybersecurity, Cyber-attacks, Cyberspace, International Law, Human Rights, Use of Force, International Responsibility of States, Non State Actors, State of Necessity, Countermeasures, Hacking, Hack-back, Due diligence, Prevention, Sovereignty, Non intervention
Suggested Citation: Suggested Citation