
International Cybersecurity: Sanctions or Standoff...

Date post: 16-May-2018

International Cybersecurity: Sanctions or Standoff? - ACCDocket.com http://www.accdocket.com/articles/international-cybersecurity-sanc...


By Julia Tanner | 2015-Nov-24

International Cybersecurity: Sanctions or Standoff?

International cyber attacks grow more pervasive by the day. At the same time, people blithely deposit more and more sensitive data online. The appeal of the cloud, and individuals' apparent inability to resist clicking strange links, is accompanied by businesses' need to transmit and store petabytes of information in a digitized age. How should the United States address the escalating risk?

Hackers have penetrated JP Morgan Chase, Home Depot, Target, Kaiser Permanente, Community Health Systems, Alcoa, U.S. Steel, Westinghouse, and other energy grid operators, pursuing blueprints, business plans, credit card numbers, confidential personnel information, social security numbers, and cash. CNNMoney reported:

TrustedSec discovered spy malware in the software that a major U.S. energy provider uses to operate dozens of turbines, controllers and other industrial machinery. It had been there for a year — all because one employee clicked on a bad link in an email.

Navy Admiral Michael Rogers, head of the National Security Agency (NSA) and US Cyber Command, told members of the House Select Committee on Intelligence last year: "there are nation states and groups out there that have the capability to … shut down or stall our ability to operate our basic infrastructure, whether it is generating power across this nation, or moving water and fuel."

How to calibrate the nation's response? The carrot or the stick? Policy makers are trying both. After years of legislative and executive efforts running aground on concerns about Americans' constitutional rights and privacy, a more targeted counteroffense of sanctions and legal charges has been developed, along with the potential of anti-hacking détente.

Domestic businesses themselves cannot legally counter-attack intruders. "Hacking back" ordinarily violates the Computer Fraud and Abuse Act (CFAA), and determining the source of an attack is difficult. "The bad guys don't tend to use things labeled 'bad guy server,'" White House cybersecurity coordinator Michael Daniel said to the Washington Post. (Although "some companies evade these restrictions … by putting cyber defence units in countries with few laws governing the internet," doing so may be neither feasible nor desirable, especially because reverse attacks can lead to devastating reprisals for companies.)

Our government has legal authority to counter-strike, bounded by its own agreements with other countries. It has reserved the right to counter foreign intrusions and announced its cyber attack capabilities. However, retaliation could escalate the "death spiral" and invite counter-retaliation and possible collateral damage. Perhaps for this reason, the Obama administration has largely placed offensive measures on hold while it pursues multilateral policy agreements such as the November 1, 2015 G20 Summit anti-hacking Communiqué.

Last year, Admiral Rogers told the House Select Committee on Intelligence: "We have got to develop, I believe, a set of norms or principles. … Absent that kind of thing, being totally on the defensive is a very losing strategy." This year, such norms are moving into place. G20 participants agreed no country "should" conduct or support cyber theft of intellectual property for commercial competitive advantage. Although this language is aspirational, consensus goals can open a path to commitments.

Simultaneously, the United States has laid groundwork to punish those who support cyber attacks.

Sanctions authority. This April, President Obama declared malicious cyberthreats a national emergency. He signed an Executive Order authorizing sanctions including the blocking of property, money and services in the United States controlled by those engaged in such threats; any donations of food, clothing or medicine to them; and their entry into the country. These sanctions will apply to any person or entity found complicit in cyber activities threatening the United States and compromising critical infrastructure, disrupting computer availability, or misappropriating funds, trade secrets, personal identifiers or financial information for gain.

Legal charges. On May 19, 2014, the US Department of Justice announced the indictment of five Chinese military hackers "for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries," charging them with thirty-one violations of US laws including the CFAA, aggravated identity theft, and the Economic Espionage Act. Although Edward Snowden's leaks indicated covert surveillance by the NSA as well, Attorney General Eric Holder distinguished between intelligence activities and spying "to gain commercial advantage."


When the indictments were announced, Beijing immediately canceled US-China Internet Working Group activities. This was viewed by some as a setback, but in a ChinaFile conversation, experts said it could be an investment in longer term progress. Graham Webster, a Senior Fellow at The China Center at Yale Law School, said "The Chinese government is forced to consider that more costly measures may be on the U.S. menu, and may eventually take the problem more seriously… ." Tai Ming Cheung, director of the University of California Institute on Global Conflict and Cooperation, stated that "The goal is to get the two sides to seriously engage in trying to find ways to mitigate their cyber-espionage competition towards each and prevent it from continuing its negative spiral."

Certainly, other countries may view themselves as victims of American intrusions, particularly in the wake of Edward Snowden's revelations about the NSA's bulk collection program. Although the United States views cyber actions for national or political purposes as distinct from actions for economic purposes, its surveillance capabilities buildup can be viewed as offensive power-building.

Nevertheless, when President Xi Jinping of China visited the United States in September, he and President Obama agreed to "cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory." They also agreed "neither country's government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."

This language provides easily observed "outs." For example, cooperation "in a manner consistent with their respective national laws" may not limit a China whose laws are "vague and sweeping, giving the government latitude to take whatever security measures it wishes." As another example, the "intent of providing competitive advantages to companies or commercial sectors" may be largely irrelevant to an intent to increase a nation's strength by damaging industry in the other country. After all, while visiting Seattle last month, President Xi not only quoted Martin Luther King, saying "the time is always right to do the right thing," but also said "development remains China's top priority."

So which path will China take? President Obama said:

"What I've said to President Xi and what I say to the American people is the question now is, are words followed by actions. And we will be watching carefully to make an assessment as to whether progress has been made in this area."

On October 19, 2015, cybersecurity firm Crowdstrike reported that China-affiliated actors were continuing intrusions into its customers' systems, including "to facilitate theft of intellectual property and trade secrets [from tech and drug companies], rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit."

Although dismantling programs that appear to violate the agreement could naturally take time, on December 1–2 the countries will meet to assess progress.

If each country watches the other for improvements, while failing to decrease its own cyber actions, progress may not be made. Both countries could then find themselves massively increasing their efforts in an unproductive cold war.

While we distinguish between the economic and the political, and surveillance versus theft or damage, the Chinese may be watching us for any of the above. US surveillance, and pressures in China to produce economic supremacy, may decrease Xi's political will to carry out the agreement despite the benefits of cooperating with an increasingly aggressive opponent.

The U.S.-China Economic and Security Review Commission recommended that Congress:

[A]ssess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks. In addition, Congress should study the feasibility of a foreign intelligence cyber court to hear evidence from U.S. victims of cyber attacks and decide whether the U.S. government might undertake counterintrusions on a victim's behalf.

The latter could be unwieldy, and the former could result in problems if critical US information could be harmed by foreign retaliation. Pursuit of the sanctions adopted in the April 2014 Executive Order, for example, may be more effective in safeguarding national assets. Nevertheless, all options are still on the table, and well secured, agile companies may desire the authority to pursue intruders and make it sting.


About the Author

Julia Tanner is General Counsel and Vice President of the MTPCS, LLC group of Cellular One wireless telecommunications companies. Find her on Twitter at @Julia_Tanner and on LinkedIn.
