The Office of Personnel Management announced on Thursday that its personnel database had been hacked, compromising the data of up to four million federal employees. The subsequent ALL CAPS headlines relayed unofficial finger pointing at the Chinese government.
Of course, it was just recently that the Council on Foreign Relations’ Adam Segal reported how China was crying foul over “OceanLotus,” a cyber-exploitation that targeted various Chinese governmental agencies and research institutes (and where the fingers were pointed back at the United States).
And that’s to say nothing of the Snowden disclosures or the tens of millions of people whose personal data has been compromised via data breaches of an ever-expanding list of private companies (in February 2015, the US health insurer Anthem admitted that up to 80 million people in its databases had their personal data compromised).
Now, maybe such data breach stories are hyperbolic, offering big numbers of potential losses that do not necessarily mean actual data compromises, let alone consequences for the associated individuals. Nonetheless, the current zeitgeist seems to be the normalization of cyber insecurity.
As someone who believes international law has an (imperfect) role to play in preserving international peace and stability, I find the current scenario increasingly worrisome. The level and breadth of cyber exploitations suggests a world in which actors are engaged in a race to the bottom of every data well they think might be useful for their own purposes, on the theory that their adversaries (and their allies) are all doing the same.
In such a world, law seems to be playing a diminishing role.
To be clear, domestic law certainly may constrain (or facilitate) a State’s cyber operations, as all the anxiety associated with the expiration of the Patriot Act and this week’s passage of the USA Freedom Act suggest. International law, however, seems increasingly marginalized in the current environment.
We’ve spent much of the last several years focused on how international law applies to cyber-operations with huge efforts devoted to questions of line-drawing in what constitutes a prohibited use of force in cyberspace under the jus ad bellum or where the lines are for an attack under the jus in bello. The Tallinn Manual is the paradigmatic example of this (often quite good) work. More recently, States and scholars have moved on to cyber operations below these lines, with attention shifting in Tallinn and elsewhere to which cyber operations may generate counter-measures and defining when cyber operations violate the duty of non-intervention.
But such efforts have (so far) had relatively little to say on the question of cyber espionage. With the exception of US efforts to decry “economic” cyber espionage (as opposed to national security cyber espionage), most international lawyers have shrugged their shoulders on the legality of governments (or their proxies) stealing data from other governments or their nationals.
The conventional wisdom suggests intelligence agencies will be intelligence agencies and we should let this play out via diplomacy or power politics. International law has long failed to prohibit espionage and, the thinking goes, by analogy it should also leave cyber espionage alone. If that’s true, international law has little to say about China taking whatever data it can on employees of the US federal government.
Of course, conventional wisdom is often conventional for good reasons. From a national security perspective, there are important interests that militate against regulating or constraining data collection from abroad. Yet, I worry that we’re reaching a tipping point: if we concede that international law can do little for the problem of cyber exploitations, we are effectively conceding the rule of law in cyberspace.
It’s understandable that, from a rational perspective, states will want to do as much of this cyber activity as their technical capacity allows. But such self-centered policies have generated a dramatic collective action problem. The current cyber system is certainly sub-optimal, whether you consider it in economic, humanitarian, or national security terms. The economic costs of the status quo are by all accounts growing, whether in terms of losses of data, or the costs of cleaning up after exploits occur.
Similarly, the ability of individuals to preserve their privacy is rapidly diminishing, and the right to privacy along with it. And, of course, national governments are fighting, and losing, the battle to keep their own data (and secrets) secure.
All of this leads me to ask: is it time to revisit the question of how international law deals with data breaches? I recognize some may say “no” or that after long and careful thought, the answer may remain the same. But, the rising importance and success rates of data breaches across the globe suggests it’s high time for international law to at least engage these questions more closely.
Is international law losing in cyberspace or is there still a chance that it can play a regulatory role over modern cyberthreats, even if only an imperfect one?