Saturday, September 11, 2010
Individuals, shadowy criminal organizations, and nation states all now have the capacity to devastate modern societies through computer attacks. These new and severe cyberthreats put critical information, infrastructure, and lives at risk. And the threat is growing in scale and intensity with every passing day.
The conventional response to such cyberthreats is self-reliance. When self-reliance comes up short, states have turned to law for a solution. Cybercrime laws proscribe individuals from engaging in unwanted cyberactivities. Other international laws proscribe what states can (and cannot) do in terms of cyberwarfare. Both sets of rules work by attribution, targeting bad actors – whether criminals or states – to deter cyberthreats.
This Article challenges the sufficiency of existing cyber-law and security. Law cannot regulate the authors of cyberthreats because anonymity is built into the very structure of the Internet. As a result, existing rules on cybercrime and cyberwar do little to deter. They may even create new problems, when attackers and victims assume different rules apply to the same conduct.
Instead of regulating bad actors, this Article proposes states adopt a duty to assist victims of the most severe cyberthreats. A duty to assist works by giving victims assistance to avoid or mitigate serious harms. At sea, anyone who hears a victim’s SOS must offer whatever assistance they reasonably can. An e-SOS would work in a similar way. It would require assistance for cyberthreat victims without requiring them to know who, if anyone, was threatening them. An e-SOS system could help avoid harms from existing cyberthreats and deter others. Even when cyberthreats succeed, an e-SOS could make computer systems and networks more resilient to any harm they impose. At the same time, an e-SOS would complement, rather than compete with, self-reliant measures and the existing legal proscriptions against cyberthreats.