Tuesday, May 16, 2017

Digital Boundlessness and Legal Boundaries: Cyberattacks and the Need to Rethink Legal Categories

We are happy to publish this timely guest post by Pietro Ortolani who is a Senior Fellow at the Max Planck Institute Luxembourg for International, European, and Regulatory Procedural Law.

The Attack

On 12 May 2017, over 230,000 computers all over the world were infected by WannaCry, a virus encrypting the users’ files and demanding a ransom in bitcoin. The virus is based on a malicious piece of software, developed by the Equation Group (widely thought to be affiliated to the U.S. National Security Agency) and later stolen by a hacker group called ‘the shadow brokers’. The attack hit not only private users, but also national service providers such as the National Health Service in the UK and Deutsche Bahn in Germany. The purpose of this post is to offer some brief reflections on the increasing inadequateness of our traditional legal categories in the face of events like this, and the need to re-think the role of the law as a tool of State governance in times of digital globalization. 

A disruption of traditional legal boundaries

As a result of the global interconnectedness made possible by the Internet, conceptual legal boundaries such as private/public and national/international lose a lot of their explanatory purchase. Not only does digital globalization evince the growing untenability of the Westphalian representation of the world as a juxtaposition of self-contained national legal system; more interestingly, events like the recent cyberattack demonstrate the obsolescence of the legal tools we traditionally use to address cross-border phenomena, such as judicial cooperation or private international law. What national authorities should have jurisdiction to prosecute a crime with no substantial territorial link and an instantaneous random worldwide outreach? What forum should have jurisdiction for claims in tort arising out of similar events?

In the EU, the emergence of cyber torts has already demonstrated the inadequacy of criteria for the allocation of jurisdiction developed before the digital age. Criteria such as territoriality, which for a long time have been crucial for the allocation of jurisdiction among States, today are likely to result in chaotic overlaps.

Events such as the WannaCry attack highlight the urgent need to change our approach to the law as a tool of governance in an increasingly globalized world. 

The need to re-think the role of law

These basic observations suggest that States should radically re-think the way they react to cybersecurity threats, and more generally to transnational social phenomena. The central and quasi-monopolistic role that the State plays in our conception of both domestic and international law presupposes the existence of strong public regulatory powers, in respect of which private actors are (to borrow Jedediah Purdy’s words) ‘a plastic object of regulation’. The habit itself to refer to ‘the State’ as an abstract and idealized sovereign entity demonstrates how such a way of world making fundamentally shapes the thinking of both domestic and international lawyers. Globalization (of both trade and investment capital flows, and digital communications) challenges this cluster of institutional and ideological premises, and forces us to find new solutions, demonstrating the need for cooperation along two main axes: State-State and State-private.

From the first point of view, it is increasingly unconceivable for single States to react to such phenomena unilaterally, without a global coordination of efforts relying on basic shared policy choices. Such cooperation will probably need to go beyond the current framework of the Budapest Convention, whose territorial scope of application remains mainly limited to Western democracies. From the second point of view, these global events confirm the relevance of the problem of societal constitutionalism, exposing how multinational corporations (e.g. developers of operative systems) enable the provision of fundamental services and provide timely solutions, in a way that States (even with coordinated efforts) could not do alone.

In a nutshell, the most evident lesson we can draw from the WannaCry events is that the diffusion of digital technology on a global scale forces all States to cooperate not only with one another, but also with non-State actors whose embeddedness in different social systems blur the boundary between public and private. In other words, regulatory reactions to cyberattacks are likely to be effective only inasmuch as they are transnational, reflecting policy options widely shared by both public and private actors.

The need for States to re-imagine their role as global regulators is unavoidably mirrored by a similar challenge for us, for jurists. We must change the way we think about the law, and our position as lawyers, beyond the paradigm of State authority. Potentially, the transnationalization of law as a social science may force us to radically re-design the way we teach and learn our discipline in Universities, and the way we use legal categories in our professional and intellectual life. For lawyers, the digital revolution seems to trigger more questions than answers.



| Permalink


Post a comment