Trade Law Daily is a service of Warren Communications News.
Title 10 or 50?

Cybersecurity Calls For Consideration of Defense, Legal, International Policies, Say Attorneys, Scientists

Cyber attacks and the threat of cyberwarfare raise questions of proper legal and policy applications regarding intelligence gathering, liability, authentication and other countermeasures, attorneys said Monday during an American Bar Association event at Crowell & Moring in Washington. The traditional military and counter-attack provisions in Titles 10 and 50 of the U.S. Code pose a challenge in addressing the legal issues of dealing with cyber attacks, some of the attorneys said. “Modern cyberwarfare raises a host of international legal concerns,” said Catherine Lotrionte, executive director at Georgetown University’s Institute for Law, Science and Global Security. Many of these can be addressed in international agreements between states, said Lotrionte, a counsel to the President’s Foreign Intelligence Advisory Board under George W. Bush.


When the government orders an action, it’s unclear if it will be governed by Title 10 or Title 50, said Suzanne Spaulding, former general counsel for the Senate Intelligence Committee. Title 50 includes the National Security Act, which “provides the legal authority for the primary source for intelligence activities,” she said. Title 10 outlines the military’s role. The National Security Act was amended in 1991 to provide “authority to conduct intelligence collection and covert action and the responsibility to report to Congress on those activities,” she said. While intelligence collection is not considered a covert action, there are exceptions that could be applied to cybersecurity efforts, she said. The counterintelligence exception “has potentially very, very broad application to cyber activities because much of what we’re doing in cyberspace is, in fact, counterintelligence,” she said. However, in 1991, “much of what Congress was contemplating here was … traditional counterintelligence activities,” she said.

The government must determine which laws of war apply in cyberwarfare, Lotrionte said. “Does cyber warfare represent a qualitative change in the meaning and nature of warfare itself?” The appropriate role of law enforcement “in responding to cyber attacks that originate both from within a state and from outside the state” also must be considered, she said.

Cyber policy should include offensive and defensive operations, said Herb Lin, chief scientist of the Computer Science & Telecommunications Board at the National Research Council. “Offensive operations are almost always superior to defensive ones” because “we don’t know how to build, technically, a computer system or network that is immune from attack,” he said.

“Government contractors are going to be in the middle of the cyber offensive operations business” in the U.S. and internationally, said David Bodenheimer, a Crowell & Moring attorney specializing in government contracts and cybersecurity. If contractors are assisting with attacks, it must be determined which U.S. laws and which international laws apply, he said.

One evolving norm is the law of state responsibility, Lotrionte said. The U.S. government and other nations should think about how “we can hold other states under their international legal responsibilities, under customary international law to make sure that there is nothing generating from their country that will harm another state,” she said.