The Law of Cyber Peace
Scholars and policymakers are paying greater attention to the application of international law to the cause of enhancing global cybersecurity. The bulk of this research, though, has been focused on leveraging international humanitarian law to regulate the conduct of cyber warfare. Yet much of this work is largely theoretical, given how exceedingly rare it is for a cyber attack to cross the armed-attack threshold at which point the law of armed conflict is activated. Most of the cyber risk facing the public and private sectors lies in the arena of cybercrime and espionage. More scholars have been applying international law ‘below the threshold’ to these issues, but much more work remains to be done. This Article seeks to address this omission by offering a roadmap that synthesizes and extends work in this field. The time is ripe for a fresh look at existing international legal tools that would help us better manage the multifaceted cyber threat. Only then can an accounting be made of gaps to be filled in by norms, custom, and perhaps one day, new accords.
In December 2014, Sony Pictures was the victim of a data breach, allegedly by a group of hackers known as the “Guardians of Peace” with ties to the North Korean regime.1
See, for example, Steve Holland & Doina Chiacu, Obama Says Sony Hack Not an Act of War, Reuters (Dec. 22, 2014), (https://perma.cc/8N7Y-LW3A).
Id.
See Brandon Valeriano & Ryan C. Maness, The Coming Cyberspace: The Normative Argument Against Cyberwarfare, Foreign Affairs (May 13, 2015), (https://perma.cc/9NMQ-4B2Q) (“Despite fears of a boom in cyberwarfare, there have been no major or dangerous hacks between countries.”).
See Sara Sorcher, OPM Breach a Shadow Over Homeland Security's Appeals to Security Pros, Christian Sci. Monitor (Aug. 7, 2015), (https://perma.cc/XS4F-5Z6H); Shannon Hayden, Cyber Attack on South Korean Subway System Could Be a Sign of Nastier Things to Come, Vice News (Oct. 8, 2015), (https://perma.cc/24QP-4V3R); Warwick Ashford, Cisco Praised for Quick Response to Cyber Attack, Computer Weekly (Oct. 8, 2015), (https://perma.cc/LH92-UKEU).
See G20 Leaders’ Communiqué, Antalya Summit (Nov. 15–16, 2015), (https://perma.cc/BU57-9XKX).
G7 Leaders Approve Historic Cybersecurity Agreement, Bos. Global F. (June 6, 2016), (https://perma.cc/RM3S-FZ2W).
See Teri Robinson, U.S., China Agree to Cybersecurity Code of Conduct, SC Mag. (June 26, 2015), (https://perma.cc/K9GQ-FZPT).
Increasing and worthwhile attention has been paid to applying existing international law to the cause of enhancing global cybersecurity. The bulk of this research, though, has been focused on leveraging international humanitarian law to regulate the conduct of cyber warfare.8
See, for example, Tallinn Manual on the International Law Application to Cyber Warfare 17 (Michael N. Schmitt ed., 2013) (discussing when a cyber attack could trigger the right of self-defense) [hereinafter Tallinn Manual].
See Nat’l Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 34, 67 (William A. Owens, Kenneth W. Dam, & Herbert S. Lin eds., 2009) [hereinafter National Academies]. There are varying interpretations for defining the jus in bello threshold for armed attacks under international law, but the most common is arguably the equivalent effects test, which requires that for a cyber operation to be an armed attack, it must have results equivalent to a physical invasion by traditional military forces.
See, for example, Scott J. Shackelford, Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace 3–51 (2014).
Tallinn 2.0, (https://perma.cc/G6GB-PPQP) (last visited Aug. 9, 2015). Tallinn 2.0 seeks to unpack the public international law applicable below the armed attack threshold, representing a follow-up from the widely-discussed Tallinn Manual. See Tallinn Manual, supra note 8; Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law, 54 Va. J. Int’l L. 697, 698 (2014).
But see Michael N. Schmitt & Sean Watts, Beyond State-Centrism: International Law and Non-State Actors in Cyberspace, 21 J. of Conflict & Sec. L. 1, 1 (2016) (unpacking the role of non-state actors in international cybersecurity).
Cf. Teresa Scassa & Robert J. Currie, New First Principles? Assessing the Internet’s Challenges to Jurisdiction, 42 Geo. J. Int'l L. 1017, 1030–31 (2011); Christina Parajon Skinner, An International Law Response to Economic Cyber Espionage, 46 Conn. L. Rev. 1165, 1194 (2014).
This Article seeks to help address this omission by offering a roadmap that synthesizes and extends work in this field. It does so by drawing from cybersecurity due diligence, cyber risk insurance, project finance, voluntary frameworks, trade, investment treaties, and underexplored realms of public international law including the Vienna Convention on Diplomatic Relations, global commons regimes, and Mutual Legal Assistance Treaties (MLATs).14
See generally Scott J. Shackelford, From Net War to Nuclear War: Analogizing Cyber Attacks in International Law, 27 Berkeley J. Int’l L. 192 (2009).
See id.
See Scott J. Shackelford & Timothy L. Fort, Sustainable Cybersecurity: Applying Lessons from the Green Movement to Managing Cyber Attacks, 2016 U. Ill. L. Rev. 1995, 2032 (2016); Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, 17 Chi. J. Int’l L. 1, 50 (2016); Scott J. Shackelford, On Climate Change and Cyber Attacks: Leveraging Polycentric Governance to Mitigate Global Collective Action Problems, 18 Vand. J. Ent. & Tech. L. 653, 711 (2016); Scott J. Shackelford & Andraz Kastelic, Toward a State-Centric Cyber Peace: Analyzing the Current State and Impact of National Cybersecurity Strategies on Enhancing Global Cybersecurity, 18 N.Y.U. J. Legis. & Pub. Pol’y 895, 941–42 (2015); Scott J. Shackelford, Scott Russell, & Jeffrey Haut, Bottoms Up: A Comparison of Voluntary Cybersecurity Frameworks, 16 U.C. Davis Bus. L.J. 217, 259–60 (2016); Scott J. Shackelford & Zachary Bohm, Securing North American Critical Infrastructure: A Comparative Case Study in Cybersecurity Regulation, 40 Can.-U.S. L.J. 61, 69–70 (2016); Scott J. Shackelford, Protecting Intellectual Property and Privacy in the Digital Age: The Use of National Cybersecurity Strategies to Mitigate Cyber Risk, 19 Chapman L. Rev. 445, 464–65 (2016); Amanda N. Craig, Scott J. Shackelford, & Janine Hiller, Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis, 52 Am. Bus. L.J. 721, 786–87 (2015); Scott J. Shackelford et al., Toward a Global Standard of Cybersecurity Care: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 Tex. Int’l L.J. 305, 354–55 (2015); Eric Richards, Scott J. Shackelford, & Abbey Stemler, Rhetoric Versus Reality: U.S. Resistance to Global Trade Rules and the Implications for Cybersecurity and Internet Governance, 24 Minn. J. Int’l L. 159, 173 (2015); Scott J. 
Shackelford & Scott Russell, Risky Business: Lessons for Mitigating Cyber Attacks from the International Insurance Law on Piracy, 24 Minn. J. Int’l L. 1, 14–15 (2015); Scott J. Shackelford & Scott Russell, Above the Cloud: Enhancing Cybersecurity in the Aerospace Sector, 10 FIU. L. Rev. 635, 667 (2015); Scott J. Shackelford, Timothy L. Fort, & Jamie D. Prenkert, How Businesses Can Promote Cyber Peace, 36 U. Pa. J. Int’l L. 353, 430–31 (2014); Scott J. Shackelford et al., Using BITs to Protect Bytes: Promoting Cyber Peace and Safeguarding Trade Secrets through Bilateral Investment Treaties, 52 Am. Bus. L.J. 1, 73–4 (2015); Scott J. Shackelford & Amanda N. Craig, Beyond the New ‘Digital Divide’: Analyzing the Evolving Role of Governments in Internet Governance and Enhancing Cybersecurity, 50 Stan. J. Int’l L. 119, 184 (2014); Amanda N. Craig & Scott J. Shackelford, Hacking the Planet, the Dalai Lama, and You: Managing Technical Vulnerabilities in the Internet through Polycentric Governance, 24 Fordham Intell. Prop. Media & Ent. L.J. 381, 423–25 (2014); Scott J. Shackelford, Toward Cyberpeace: Managing Cyber Attacks through Polycentric Governance, 62 Am. U. L. Rev. 1273, 1360–64 (2013); Shackelford, supra note 14.
This Article is structured as follows. Section II reviews the private international law applicable to the cause of promoting a global culture of cybersecurity, including the rise of “voluntary” cybersecurity risk frameworks.17
John Verry, Why the NIST Cybersecurity Framework Isn’t Really Voluntary, Info. Sec. Blog. (2014), (https://perma.cc/8CLX-YBQC).
Michael D. McGinnis, Costs and Challenges of Polycentric Governance: An Equilibrium Concept and Examples from U.S. Health Care, Conference on Self-Governance, Polycentricity, and Development 1 (prepared for presentation at Renmin University, Beijing, China) (May 8, 2011), (https://perma.cc/ZLF8-R3MQ); Henning Wegener, Cyber Peace, in The Quest for Cyber Peace 77, 82 (Hamadoun I. Toure & Perm. Monitoring Panel on Info. Sec. eds., 2011), (https://perma.cc/TA8D-VEZP) (arguing that “unprovoked offensive cyber action, indeed any cyber attack, is incompatible with the tenets of cyber peace.”); Shackelford, supra note 10, at 52–110, 312–366.
International law has been defined as “the body of legal rules,” norms, and standards that applies “between sovereign States” and non-State actors, including international organizations and multinational companies, enjoying legal personality.19
Malcolm Shaw, International Law, Definition of International Law, Encyclopedia Britannica (last visited May 03, 2017), (https://perma.cc/8PJ9-JHKP).
Customary international law is often defined as the “general and consistent practice of states followed by them from a sense of legal obligation.” Restatement (Third) of the Foreign Relations Law of the United States § 102(2) (A.L.I. 1987).
Statute of the International Court of Justice Art. 38, June 16, 1945, 59 Stat. 1055, 33 U.N.T.S. 933.
See Malcolm N. Shaw, International Law 69–71 (4th ed. 1997).
Convention on Cybercrime, Nov. 23, 2001, 2296 U.N.T.S. 167.
See Joseph S. Nye, Jr., Power and National Security in Cyberspace, in America’s Cyber Future: Security and Prosperity in the Information Age 5, 19–20 (Kristin M. Lord & Travis Sharp eds., 2011).
Private international law is a far-reaching and often underappreciated body of law.25
See Paul B. Stephan & Julie A. Roin, International Business and Economics: Law and Policy vii (4th ed. 2010).
Private International Law, Org. Am. St. (2017), (https://perma.cc/JP2M-5RA9).
See, for example, Cybersecurity, Hogan Lovells LLP, (https://perma.cc/9FXR-ZXC5); see Section II(D), infra.
Private-sector cybersecurity best practices, along with national, bilateral, and regional bodies acting as norm entrepreneurs that are identified throughout this study are together conceptualized as components of a “polycentric” approach to promoting a global culture of cybersecurity. This multi-level, multi-purpose, multi-functional, and multi-sectoral model,28
Michael D. McGinnis, An Introduction to IAD and the Language of the Ostrom Workshop: A Simple Guide to a Complex Framework, 39 Pol’y Stud. J. 163, 171–72 (2011).
Elinor Ostrom, Polycentric Systems as One Approach for Solving Collective-Action Problems 1 (Ind. Univ. Workshop in Political Theory and Policy Analysis, Working Paper Series No. 08–6, Sept. 2008).
For a detailed discussion of early Internet history, see Katie Hafner & Matthew Lyon, Where Wizards Stay Up Late: The Origins of the Internet (1996); Brief History of the Internet, Internet Soc’y, (https://perma.cc/KT8J-DZA9).
Elinor Ostrom, A Polycentric Approach for Coping with Climate Change 35 (World Bank, Policy Research Working Paper No. 5095, 2009), (https://perma.cc/TW2J-CSJQ).
Robert O. Keohane & David G. Victor, The Regime Complex for Climate Change, 9 Persp. on Pol. 7, 15 (2011). Cf. Julia Black, Constructing and Contesting Legitimacy and Accountability in Polycentric Regulatory Regimes, 2 Reg. & Governance 137, 157 (2008) (discussing the legitimacy of polycentric regimes, and arguing that “[a]ll regulatory regimes are polycentric to varying degrees”).
See Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political Change, 52 Int’l Org. 887, 895–98 (1998).
The International Telecommunication Union (ITU), a U.N. agency specializing in information and communication technologies, pioneered some of the early work in the field by defining “cyber peace” in part as “a universal order of cyberspace” built on a “wholesome state of tranquility, the absence of disorder or disturbance and violence.”34
Wegener, supra note 18, at 78.
The notion of negative peace has been applied in diverse contexts, including civil rights. See, for example, Martin Luther King, Non-Violence and Racial Justice, Christian Century 118, 119 (1957) (arguing “[t]rue peace is not merely the absence of some negative force––tension, confusion or war; it is the presence of some positive force––justice, good will and brotherhood”).
See Johan Galtung, Peace, Positive and Negative, in The Encyclopedia of Peace Psychology 1, 758, 762 (Daniel J. Christie ed., 2011) (comparing the concepts of negative and positive peace). For more on this topic, see generally Shackelford, supra note 10, at preface. Another related literature that should be explored further stems from the U.S. constitutional law context, including Federalist No. 10, which discusses the extent to which heterogeneous collaboration can mitigate conflict. See The Federalist No. 10 (James Madison).
The following Section begins the exploration of how we can leverage private international law to promote cyber peace from the bottom up, starting with private-sector cybersecurity innovations that are helping to define a global standard of cybersecurity care including due diligence, cyber risk insurance, project finance, and international arbitration. Next, the movement toward “voluntary” cybersecurity frameworks is analyzed as a data set to begin a more thorough analysis of the current status of customary international cybersecurity law, before turning to bilateral, regional, and global trade and investment treaty frameworks.
What is cybersecurity due diligence? In the private-sector transactional context, this term has been defined as “the review of the governance, processes and controls that are used to secure information assets,”37
Tim Ryan & Leonard Navarro, Cyber Due Diligence: Pre-Transaction Assessments Can Uncover Costly Risks, Kroll Call (Jan. 28, 2015), (https://perma.cc/W8BB-ZVRA).
An earlier version of this research was previously published as Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, 17 Chi. J. Int’l L. 1 (2016).
Cf. John R. Crook, Contemporary Practice of the United States Relating to International Law, 105 Am. J. Int'l L. 775, 795 (2011) (“Cybersecurity Due Diligence: States should recognize and act on their responsibility to protect information infrastructures and secure national systems from damage or misuse.”); John M. Prescott, Responses to Five Questions on National Security Law, 38 Wm. Mitchell L. Rev. 1536, 1548 (2012) (discussing the U.S. International Strategy for Cyberspace); Shackelford, Toward Cyberpeace, supra note 16, at 1354. See also Michael N. Schmitt, In Defense of Due Diligence in Cyberspace, 125 Yale L.J. F. 68, 81 (2016) (“[I]nternational law acknowledges that the right of sovereignty and the corresponding duty of due diligence must be in equilibrium. As a matter of law, therefore, the due diligence obligation does not require a state to take measures that are beyond its means or otherwise unreasonable.”).
Corfu Channel (U.K. v. Albania), 1949 I.C.J. 4, ¶ 49 (April 9).
Trail Smelter Arbitration (U.S. v. Can.), 3 Rep. Int’l Arb. Awards (R.I.A.A.) 1905 (1941).
Case Concerning the Military and Paramilitary Activities In and Against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, 106-08, 183 (June 27). However, it should be noted that other ICJ jurisprudence is also on point and is not discussed here due to space constraints, including: Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion – General Assembly, ICJ Reports, 8 July 1996, at 22, ¶ 29; Case Concerning Pulp Mills on the River Uruguay (Argentina v. Uruguay), Judgment, 20 April 2010, ¶ 193.
The first relevant ICJ case regarding the due diligence obligations of nations is Corfu Channel, particularly the holding in that decision that one country’s territory should not be “used for acts that unlawfully harm other States.”43
Corfu Channel, supra note 40.
Eneken Tikk, Ten Rules of Behavior for Cyber Security, 53 Survival 119, 126 (2011).
See, for example, Stephen Flynn, The Edge of Disaster: Rebuilding a Resilient Nation 139 (2007).
See, for example, Cloudy Jurisdiction: Addressing the thirst for Cloud Data in Domestic Legal Processes, Electronic Frontier Foundation (Internet Governance Forum-Baku 2012), (https://perma.cc/CT7S-8PRD).
See G20 Communiqué, supra note 5.
An ad hoc international tribunal also addressed what could become the contours of a cybersecurity due diligence norm in its Trail Smelter decision, which centered on pollution crossing the U.S.-Canadian border giving rise to adverse health and environmental effects. The decision, among other things, was concerned about the nature of Westphalian sovereignty, and whether modern notions of sovereignty should be based just on territory, or whether the effects arising from one nation that impact another could also give rise to obligations through the emerging doctrine of effects jurisdiction.48
See, for example, Sigrun Skogly, Beyond National Borders: States’ Human Rights Obligations in International Cooperation 50 (2006).
Trail Smelter Arbitration, supra note 41.
Ralph Bodle, Climate Law and Geoengineering, in Climate Change and the Law, Ius Gentium: Comparative Perspectives on Law and Justice 447, 457–58 (Erkki Hollo et al. eds., 2012).
Finally, the ICJ addressed the core issue of State sovereignty in its Nicaragua decision when the Court stated that nations have an obligation not to interfere in one another’s domestic affairs if that intervention relates to “the choice of a political, economic, social, and cultural system, and the formulation of foreign policy.”51
Case Concerning the Military and Paramilitary Activities In and Against Nicaragua, supra note 42.
Clinton’s Speech on Internet Freedom, January 2010, Council on Foreign Rel. (Jan. 21, 2010), (https://perma.cc/B685-3QSV).
See, for example, Yahoo!, Inc. v. La Ligue Contre le Racisme et L’Antisemitisme, 169 F. Supp. 2d 1181 (N.D. Cal. 2001), rev’d, 379 F.3d 1120 (9th Cir. 2005), rev’d en banc, 433 F.3d 1199 (9th Cir. 2006); Jack Goldsmith & Tim Wu, Who Controls the Internet?: Illusions of a Borderless World 5 (2006).
See Natalia Drozdiak & Sam Schechner, EU Court Says Data-Transfer Pact With U.S. Violates Privacy, Wall St. J. (Oct. 6, 2015), (https://www.wsj.com/articles/eu-court-strikes-down-trans-atlantic-safe-harbor-data-transfer-pact-1444121361); Scott J. Shackelford, Seeking a Safe Harbor in a Widening Sea: Unpacking the EJC’s Schrems Decision and What it Means for Transatlantic Relations, Seton Hall J. Dipl. & Int’l Rel. (forthcoming 2017) (discussing the case in some detail).
In summary, the international jurisprudence is unsettled, and, as such, is far from dispositive on the question of a cybersecurity due diligence norm. Both State practice and lessons from the private sector can and should be considered to help build out the private international law of cyber peace, which thus far has been largely untapped to answer such questions. For example, facets of national cybersecurity strategies could, in time, crystallize into customary international law as State practice clarifies.55
See Jean-Marie Henckaerts & Louise Doswald-Beck, Assessment of Customary International Law, Int’l Comm. Red Cross (2005), (https://perma.cc/SH46-EVFM).
See Update on the Cybersecurity Framework, NIST (Dec. 5, 2014), (https://perma.cc/2FKE-RM2W).
Jason Weinstein, former deputy assistant attorney general at the U.S. Department of Justice, summarized the issue of cybersecurity due diligence succinctly when he said: “When you buy a company, you’re buying their data, and you could be buying their data-security problems.”57
Rachel Ensign, Cybersecurity Due Diligence Key in M&A Deals, Wall St. J. (Apr. 24, 2014), (http://blogs.wsj.com/riskandcompliance/2014/04/24/cybersecurity-due-diligence-key-in-ma-deals/).
Erin Ayres, Cybersecurity Easing its Way into M&A Due Diligence, Advisen (Aug. 22, 2014), (https://perma.cc/W27L-4TLE).
Id.
Michael Greene, M&A Due Diligence Must Include Cybersecurity Analysis, Attorneys Say, BNA (May 20, 2015), (https://perma.cc/ZA5D-55SG).
See Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).
See National Institute of Standards and Technology, Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework 1 (2014), (https://perma.cc/H924-X77W).
See Ayres, supra note 58.
Cf. Willingham v. Global Payment, 2013 WL 440702 at *19 (N.D. Ga. Feb. 5, 2013) (reflecting an alternative view in which courts are reluctant to rely on data security standards as a means of determining whether a duty was owed).
Despite some progress, though, many remain predominantly reactive in their cybersecurity stances.65
See McAfee, Unsecured Economies: Protecting Vital Information 6 (2009), (https://perma.cc/X38C-DRDP).
For more on this topic, see generally Amanda N. Craig, Scott J. Shackelford, & Janine Hiller, Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis, 52 Am. Bus. L.J. 721 (2015).
Insurance has been called a “key part of the [cybersecurity] solution,” but it has only recently begun to catch on, albeit in fits and starts.67
Interview with Chris Palmer, Google engineer and former technology director, Electronic Frontier Foundation, in San Francisco, Cal. (Feb. 25, 2011).
See SANS Institute, White House, The National Strategy to Secure Cyberspace 24 (2003), (https://perma.cc/P6L8-CUZ9); Cybersecurity Act of 2009, S. 773, 111th Cong. § 15(1), (2009) (providing for the creation of “a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance)”).
Emily Stewart, Cyber Attack Insurance Growing Fast, ABC (Oct. 9, 2015), (https://perma.cc/CW2W-UW3E).
Insurance firms have been experimenting with cyber risk insurance policies for more than a decade; Zurich North America, for example, began offering “a reward for information leading to the conviction of” cyber terrorists back in 2002.70
Jon Swartz, Firms’ Hacking-Related Insurance Costs Soar, USA Today (Feb. 9, 2003), (https://perma.cc/U4F6-YB92); see Press Release, Hiscox, Safeonline Launches Internet Security Insurance, (https://perma.cc/AV5J-MWLQ).
See Jim Finkle, Cyber Insurance Premiums Rocket After High-Profile Attacks, Reuters (Oct. 12, 2015), (https://perma.cc/6AVX-GPL9); Nicole Perlroth, Insurance Against Cyber Attacks Expected to Boom, N.Y. Times Bits (Dec. 29, 2011), (https://perma.cc/Q4B8-DW6F); Robert Lemos, Should SMBs Invest in Cyber Risk Insurance?, Dark Reading (Sept. 9, 2010), (https://perma.cc/HXU2-7LPZ).
See Perlroth, supra note 71.
Stewart, supra note 69.
Robert Richardson, CSI Computer Crime & Security Survey at 11 (2008), (https://perma.cc/PH8H-3JLJ).
See Lemos, supra note 71; see also Travelers Adds Cyber Protection Tailored to Small Businesses, Ins. J. (Jan. 22, 2013), (https://perma.cc/SA75-U76X). DHS summarized the current state of cyber risk insurance in 2012, noting that “[w]hile a sizable third-party market exists to cover losses suffered by a company’s customers, first-party policies that address direct harms to companies themselves remain expensive, rare, and largely unattractive.” DHS, Cybersecurity Insurance Workshop Readout Report 1 (2012), (https://perma.cc/L2QE-L4BC); Nathan Brown, The Costs of Having (and NOT Having) Cyber Insurance, Nextech (Mar. 31, 2015), (https://perma.cc/STX2-28LX).
See The Case for Cybersecurity Insurance, Part II, Krebs on Sec. (Jul. 10, 2010), (https://perma.cc/994Q-XBLN); see also Tony Morbin, Should You Use Cyber Insurance to Mitigate Risk?, SC Media (Aug. 20, 2014), (https://perma.cc/9EF5-SDKA).
See Mark Ward, Energy Firm Cyber-Defense is ‘Too Weak’, Insurers Say, BBC (Feb. 26, 2014), (https://perma.cc/93XK-TESE).
Cf. Denise Dubie, Corporate Security Spending Not in Line with Real-World Requirements, Network World (May 2003), (https://perma.cc/6U69-ATJN). But see Riva Richmond, How to Determine If Cyber Insurance Coverage Is Right for You, Entrepreneur (June 5, 2012), (https://perma.cc/8EJS-MES6); Morbin, supra note 76.
See, for example, Brooke Yates & Katie Varholak, Cyber Risk Insurance - Navigating the Application Process, Sherman & Howard (June 6, 2013), (https://perma.cc/6BM2-VCN9).
Calculating cyber risk insurance premiums is no simple matter; there is little reliable data—a factor that is critical,80
But see Sarah Veysey, Insurers Urge Anonymous Database to Help Underwrite Cyber Risks, Bus. Ins. (May 23, 2016), (https://perma.cc/EBE8-9SJP) (“The Association of British Insurers has called for a national anonymous database of cyber incidents to enable the insurance market to better assess, underwrite and price cyber risks.”).
See DHS, supra note 75, at 1.
Stewart, supra note 69.
Id.
See, for example, Cyber Insurance: A Last Line of Defense When Technology Fails, Latham & Watkins Client Alert 1675, at 1 (Apr. 15, 2014), (https://perma.cc/C7RA-RZJS).
See Finkle, supra note 71.
See id.
Id.
Id.
See DHS, supra note 75, at 1.
Finkle, supra note 71.
See Caitlin Bronson, The 5 US Industries Most Uninsured Against Cyber Risk, Ins. Bus. Am. (Oct. 12, 2015), (https://perma.cc/Z3E5-2JW4); Matt Williams, Why Most Governments Don’t Carry Cyber Insurance, Govt. Tech. (Aug. 7, 2013), (https://perma.cc/YY7A-UTAY0).
Many leading global law firms include project finance practice groups that help arrange financing for large infrastructure projects around the world. To take one example, Hogan Lovells LLP has been involved with deals ranging from defense and healthcare to light rail, sanitation, and satellites, in deals totaling more than $250 billion as of 2016.92
See Infrastructure, Energy, Resources, and Projects, Hogan Lovells, (https://perma.cc/A9EQ-CFX8).
FINRA Issues Report on Cybersecurity Practices, Cybersecurity Investor Alert, FINRA (Feb. 3, 2015), (https://perma.cc/LE5Z-3H8L).
See Nicole Hong & Robin Sidel, Hackers Breach Law Firms, Including Cravath and Weil Gotshal, Wall St. J. (Mar. 29, 2016), (https://perma.cc/NJS5-CVTK).
When project finance deals go awry, or nations pass policies or even expropriate investments, international dispute resolution proceedings including arbitration may result, which are fast becoming another major (if somewhat controversial95
For example, concerns have long centered on limitations to national sovereignty, with critics arguing “that the process should be more fully transparent and open to participation by concerned citizens, given the public importance of the issues at stake in many of the cases.” Anthony R. Parra, The History of ICSID 238 (2012) (arguing that “Other influential voices were raised to argue that investment treaties and arbitration could unduly constrain governments from introducing much needed reforms, including those concerning human rights.”).
See Section II(F), infra.
For more on this topic, see Shackelford et al., Using BITs to Protect Bytes, supra note 16 (representing the first publication of parts of this analysis).
As of April 2016, the ICSID Convention has been ratified by 161 States,98
International Centre for Settlement of Investment Disputes (ICSID), List of Contracting States and Other Signatories of the Convention (as of April 12, 2016), (https://perma.cc/XF4M-DJT5).
See International Centre for Settlement of Investment Disputes (ICSID), The ICSID Caseload – Statistics: Issue 2016-1 at 7–9, (https://perma.cc/AT6Q-DAB4).
See Thomas Carbonneau, Cases and Materials on The Law and Practice of Arbitration 911–13 (2003).
For example, the English courts have previously made such a declaration. See Anjanette H. Raymond, Confidentiality, in a Forum of Last Resort? Is the Use of Confidential Arbitration a Good Idea for Business and Society?, 16 Am. Rev. Int’l Arb. 479 (2005) (discussing the English case of City of Moscow v. Bankers Trust, [2004] All ER (D) 62 (Jan)).
See Lao Holdings N.V. & The Government of the Lao People’s Democratic Republic, Discussion on the Merits (June 10, 2015), at 40, ICSID Case No. ARB (AF)/12/6.
At the next level up from private-sector innovation in the due diligence, insurance, project finance, and arbitration arenas, States are also experimenting with a wide array of frameworks and other bottom-up cybersecurity governance efforts aimed at securing critical infrastructure, protecting trade secrets, and mitigating the risk of cyber conflict.103
See, for example, Matthew Braga, Canada Doesn’t Know How to Regulate Cyber Weapons Sales, Motherboard (Sept. 8, 2014), (https://perma.cc/5JMY-9PPR).
See, for example, Paul Rosenzweig, The Unpersuasiveness of the Case for Cybersecurity Regulation – An Introduction, Lawfare (May 17, 2012), (https://perma.cc/N67K-XFWW); Michael Daniel, Assessing Cybersecurity Regulations, White House (May 22, 2014), (https://perma.cc/VB7N-BML3) (“The major outcome is that the Administration’s analysis supports our current voluntary approach to address cyber risk.”).
Other nations, though, are taking myriad other approaches. Israel, for example, has created a National Cyber Bureau to aid in standards setting. See, for example, Daniel Benoliel, Towards a Cyber Security Policy Model: Israel National Cyber Bureau (INCB) Case Study (Univ. of Haifa Discussion Paper, July 2014), (https://perma.cc/85AK-8BX9).
See National Institute of Standards and Technology, Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework at i (2014), (https://perma.cc/H924-X77W).
See, for example, Kaspersky Cybermap, (https://cybermap.kaspersky.com/) (last visited April 5, 2017).
Jack Goldsmith, Response to Paul on Cyber-Regulation for Critical Infrastructure, Lawfare (May 21, 2012), (https://perma.cc/EHC3-A4V9).
For more on this topic, see Shackelford, Russell, & Haut, supra note 16; ITU, Global Cybersecurity Index & Cyber Wellness Profiles 1 (2015), (https://perma.cc/K6LA-RH5Y) (ranking nations in terms of their vulnerability to and mitigation strategies for cyber attacks).
At the next conceptual level up from domestic policymaking, it is also important to note the role played by national cybersecurity strategies in laying out how nations view both the cybersecurity challenge and the role of the State in meeting it.110
For more on this topic, see Shackelford & Kastelic, supra note 16.
See id. at 913–14.
Still, it remains unclear exactly how many nations will follow the lead of these countries in preferring a bottom-up approach to cybersecurity risk management. Indeed, some of the leading cyber powers—including China and Russia—favor more State-centric approaches to enhancing critical infrastructure cybersecurity. This may be seen in the Russian government’s stated goal of centralizing, by 2020, its efforts to detect and prevent cyber attacks, including those on critical infrastructure, giving over many functions to the Federal Security Service (FSB).112
See Russia has Developed a National Cyber Security Policy, FISMA News, (https://perma.cc/K22V-6LV2).
See U.S. Dep’t Energy, A Primer on Electric Utilities, Deregulation, and Restructuring of U.S. Electricity Markets v. 2.0, at 2.1 (May 2002); Christian Schülke, The EU’s Major Electricity and Gas Utilities Since Market Liberalization 130 (2010).
See Letter from Michael Assante, NERC Vice President and Chief Security Officer, to Industry Stakeholders (Apr. 7, 2009), (https://perma.cc/H437-PHJE) (discussing designating critical cyber assets).
For more on the methodological challenges of undertaking cybersecurity regime effectiveness studies, see Shackelford, supra note 10, at 312–66.
See Global Cybersecurity Index, supra note 109.
Beyond State practice, there is an increasingly important role being played by minilateral legal instruments in promoting especially bilateral cybersecurity, though realizing the full benefit of these instruments will require reform as is discussed below. Before delving into the role of BITs in potentially protecting bytes, though, it is first important to offer some context. During the colonial era up to the nineteenth century, the leading developed nations held the view that foreign investors were entitled to property rights protections under international law, and that if their property was in fact taken then they were entitled to “prompt, adequate, and effective compensation.”117
Frank G. Dawson & Burns H. Weston, “Prompt, Adequate and Effective” A Universal Standard of Compensation?, 30 Fordham L. Rev. 727, 734 (1962); see also Case Concerning the Factory at Chorzow (Ger. v. Pol.), 1926-29 P.C.I.J. (ser. A), Nos. 7, 9, 17, 19, excerpted in Henry J. Steiner et al., Transnational Legal Problems 451–54 (1994).
Notes exchanged between the U.S. and Mexico during the 1938 disputes are reprinted in 3 Green H. Hackworth, Digest of International Law § 228, at 655–65 (1942); see Andrew Guzman, International Law: A Compliance Based Theory, 90 Cal. L. Rev. 1823, 1823–25 (2002).
Ronald Charles Wolf, Trade, Aid, and Arbitrate: The Globalization of Western Law 26 (2004).
BITs accord wide-ranging rights to investors, including the protection of contractual rights, and recourse to international arbitration should any disputes arise,120
See Zachary Elkins, Andrew T. Guzman, & Beth A. Simmons, Competing for Capital: The Diffusion of Bilateral Investment Treaties, 1960-2000, 2008 U. Ill. L. Rev. 265, 268–69 (2008).
See, for example, Thomas E. Carbonneau, Carbonneau on International Arbitration: Collected Essays 126 (2011).
Elkins, supra note 120, at 266.
Daniel Ikenson, Policymakers Must Remove The Barriers To Foreign Investment In The United States, Forbes (Oct. 30, 2013), (https://perma.cc/457E-DKLJ).
UNCTAD, World Investment Report 101 (2013).
See Gus Van Harten, Investment Treaty Arbitration and Public Law 171 (2007).
See Annie Lowrey, U.S. and China to Discuss Investment Treaty, but Cybersecurity Is a Concern, N.Y. Times (July 12, 2013), (http://www.nytimes.com/2013/07/12/world/asia/us-and-china-to-discuss-investment-treaty-but-cybersecurity-is-a-concern.html).
Id.
See, for example, Chen Weihua, US, China Hopeful of BIT After Talks Reignited, China Daily (July 13, 2013), (https://perma.cc/5CG6-JQVZ).
See China Plans First Talks With U.S. Under Cybersecurity Dialogue, Bloomberg (July 5, 2013), (https://perma.cc/2LG7-9EUK).
See, for example, Everett Rosenfeld, US-China Agree to Not Conduct Cybertheft of Intellectual Property, CNBC (Sept. 25, 2015), (https://perma.cc/KZ9B-ASL9).
In the U.S., trade secret theft of a product in interstate or international commerce violates the Economic Espionage Act131
18 U.S.C. § 1832.
See Charles Doyle, Stealing Trade Secrets and Economic Espionage: An Overview of the Economic Espionage Act, CRS Report R42682 (2016), (https://perma.cc/967C-LWFD).
18 U.S.C. §§ 1030(a)(4), (e)(2).
18 U.S.C. § 2314.
18 U.S.C. § 1343.
Pub. L. No. 114-153 (May 11, 2016).
The world’s various legal systems and cultures maintain different levels of intellectual property protections. Therefore, as emphasized by U.S. Deputy Secretary of State William Burns, the U.S. and China, for example, “need to reach a shared understanding of the rules of the road”137
See Paul Eckert & Anna Yukhananov, U.S., China Agree to Restart Investment Treaty Talks, Reuters (July 12, 2013), (https://perma.cc/2MDR-2PA8).
See Gaetan Verhoosel, The Use of Investor-State Arbitration Under Bilateral Investment Treaties to Seek Relief for Breaches of WTO Law, 6 J. Int’l Econ. L. 493, 495 (2003).
Despite its advantages, BIT-based investment arbitration is not without its detractors. Unlike their predecessor—the Treaty of Friendship, Commerce and Navigation discussed in Section III—BITs are designed to be less complicated and more narrowly focused. However, they also are prone to unpredictable and, at times, even inconsistent interpretation. Their brevity created an apparent justification for judicial activism in order to clarify vague treaty language and to close gaps left open by the drafters.139
See Wolfgang Alschner, Interpreting Investment Treaties as Incomplete Contracts: Lessons from Contract Theory, (SSRN ID No. 2241652, Mar. 31 2013), (https://perma.cc/A3M3-GMA6).
UNCTAD, Denunciation of the ICSID Convention and BITS: Impact on Investor-State Claims, IIA Issues Note, No. 2, 2010, UNCTAD/WEB/DIAE/IA/2010/6.
UNCTAD, World Investment Report 2012: Towards a New Generation of Investment Policies, UNCTAD/WIR/2012 at 84 (2012).
See UNCTAD, World Investment Report 2011: Non-Equity Modes of International Production and Development, UNCTAD/WIR/2011 at 102–03 (2011).
Ultimately, for BITs to realize their potential as an important component of the law of cyber peace, the political and legal costs of these agreements need to be mitigated and interest rekindled on the part of developed and developing nations alike. Greater attention will also need to be paid to the compensation standard in play, since compulsory licenses will likely not fully compensate those that have lost trade secrets. Further, more transparency is needed in the investor-state arbitration arena to help address legal fragmentation and build the precedent necessary for stable and predictable international customary cybersecurity law. The absence of transparency is a growing concern in the international community as investor-state arbitration rates increase, but there have been positive steps made in this regard that should be reinforced in future BITs.
Aside from BITs, cybersecurity is also becoming an important topic in regional and global trade negotiations. Ongoing U.S.-E.U. trade talks have been shaped in part by cybersecurity and privacy concerns, especially in the aftermath of NSA surveillance programs and intellectual property protections.143
See, for example, Doug Palmer, U.S. EU Launch Free Trade Talks Despite Spying Concerns, Ins. J. (July 9, 2013), (https://perma.cc/Z3DF-HQBM). But see James Fontanella-Khan, Data Protection Ruled Out of EU-US Trade Talks, Fin. Times (Nov. 4, 2013), (https://perma.cc/A3BP-8DP2) (“Brussels has ruled out a German push to include data protection rules in a proposed EU-US free trade pact.”).
See Kevin Collier, Sen. Ron Wyden on the Problems with the Trans-Pacific Partnership, Daily Dot (Sept. 19, 2012), (https://perma.cc/6Q9L-SA8Q); New Zealand, Australia Leaders Press for TPP to Move Forward, Bridges (Feb. 23, 2017), (https://perma.cc/4C85-AV4Y).
However, regarding the latter, while the WTO has been used as a forum to air broader concerns among the Member States, it has to date been a factor in the cybersecurity context because of provisions allowing nations to shirk their free trade commitments when they conflict with national security. See, for example, Allan A. Friedman, Cybersecurity and Trade: National Policies, Global and Local Consequences, Ctr. for Tech. Innovation at Brookings 10–11 (2013), (https://perma.cc/LD4M-ZFPV); James A. Lewis, Conflict and Negotiation in Cyberspace, Ctr. Strategic & Int’l Stud. at 48–51 (2013), (https://perma.cc/552F-5MK2).
See, for example, Scott Shackelford, In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012, 64 Stan. L. Rev. Online 106, 111 (2012), (https://perma.cc/RL6Q-BEA7).
Cf. Steven E. Feldman & Sherry L. Rollo, Extraterritorial Protection of Trade Secret Rights in China: Do Section 337 Actions at the ITU Really Prevent Trade Secret Theft Abroad?, 11 J. Marshall Rev. Intell. Prop. L. 522, 47 (2012); Gerald O’Hara, Cyber-Espionage: A Growing Threat to the American Economy, 19 CommLaw Conspectus 241, 253–54 (2010); Peter Swire & Kenesa Ahmad, Encryption and Globalization, 13 Colum. Sci. & Tech. L. Rev. 416, 475–76 (2012).
Beginning in 1994, the WTO expanded its coverage from trade in goods and trade in services to coverage of intellectual property through TRIPS.148
Agreement on Trade-Related Aspects of Intellectual Property Rights, Apr. 15, 1994, Marrakesh Agreement Establishing the World Trade Organization, Annex 1C, 1869 U.N.T.S. 299 [hereinafter TRIPS].
Id. at § 7, art. 39(1).
See Marrakesh Agreement Establishing the World Trade Organization, Apr. 15, 1994, 1867 U.N.T.S. 154.
Cf. Aaron Stanley, US Challenges China Over Compliance with WTO Ruling, Fin. Times (Jan. 13, 2014), (https://perma.cc/3H2W-8E3U).
See Judith Hippler Bello, The WTO Dispute Settlement Understanding: Less is More, 90 Am. J. Int’l L. 416, 416–18 (1996).
Kenneth J. Vandevelde, U.S. International Investment Agreements 214 (2009).
Although the private law of cyber peace offers a number of helpful insights regarding ways to enhance global cybersecurity law and policy by harnessing this patchwork of tools, model laws, and data on State practice, it is vital to not ignore the public law of cyber peace. Indeed, this is the body of law with the longest history in regulating global commons spaces, and thus it is important to review it to understand what governance gaps may be filled. This Section undertakes this task by proceeding as follows: First, analogies from arms control regimes are considered, focusing on the interwar years and the nuclear war context. Second, global commons regimes are explored, including space, Antarctica, climate change, and the law of the sea. Third and finally, related regimes including MLATs, extradition treaties, and custom, are explored before moving on to discuss how the public law of cyber peace may be combined with private international law to create the legal foundation for a global culture of cybersecurity.
Arms control treaties have long helped limit the risk of conflict escalation across an array of contexts, to varying degrees of success. This Section investigates the history of two such efforts focusing on the interwar years between World War I and World War II and efforts to rein in the proliferation of nuclear weapons.154
An earlier version of this research was first published in Shackelford 263–311, supra note 10; Shackelford, From Net War to Nuclear War, supra note 14, at 216–19.
1. Interwar Arms Control: Being Cognizant of the Roots of Cyber Conflict.
Following the disastrous results of World War I, with millions of armed forces casualties,155
See Viewpoint: 10 Big Myths About World War One Debunked, BBC (Feb. 25, 2014), (https://perma.cc/V99P-RVSP).
See Caroline F. Ziemke, Peace Without Strings? Interwar Naval Arms Control Revisited, 15 Wash. Q., Autumn 1992, at 87 (1992).
Id.
Robin Ranger, Learning from the Naval Arms Control Experience, 10 Wash. Q. 47 (1987) (writing in the 1980s, but still with some application to the present).
The interwar arms control regime was based on the 1922 Washington Treaty that placed limits on naval fleet sizes, and was followed by a slew of other treaties designed to ward off another arms race.159
Emily O. Goldman, Sunken Treaties: Naval Arms Control Between the Wars 33–34 (1994).
See Sean Watts, Regulation-Tolerant Weapons, Regulation-Resistant Weapons, and The Law of War, 91 Int'l L. Stud. 540, 540 (2015).
Goldman, supra note 159, at 30.
Id.
2. The Analogy of Nuclear War.
According to Jim Lewis of the Center for Strategic and International Studies, we understand nearly as much about the relationship between cyber conflict and international security now as we did about strategic thinking related to nuclear weapons in the early 1950s.163
James A. Lewis, The “Korean” Cyber Attacks and Their Implications for Cyber Conflict, Ctr. Strategic & Int’l Stud. 2 (Oct. 2009), (https://perma.cc/Y7GD-5MT8).
See National Academies, supra note 9, at xi.
See, for example, Kenneth Corbin, How Should the U.S. Respond to State-Sponsored Cyberattacks?, CIO (July 29, 2015), (https://perma.cc/7VPR-RPDS).
See generally Herman Kahn, On Thermonuclear War (1960); Herman Kahn, Thinking About the Unthinkable (1962).
Foreign & Int’l Law Comm., N.Y. County Lawyers’ Ass’n (NYCLA), On the Unlawfulness of the Use and Threat of Nuclear Weapons 5 (2000) [hereinafter NYCLA, Unlawfulness of Nuclear Weapons], (https://perma.cc/HZG2-ESH6).
Id. at 4.
Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226, at 266 (July 8).
Id.
Id. at 262.
Lewis, supra note 163, at 4.
The ICJ has not explicitly considered the legality of cyber weapons to this point.173
See Legality of Nuclear Weapons, supra note 169, at 262.
See North Sea Continental Shelf (Green./Den. v. Neth.), 1969 I.C.J. 41, at 72 (Feb. 20); Assessment of Customary International Law, Int’l Comm. of the Red Cross, (https://perma.cc/P8V5-VVYD) (“To establish a rule of customary international law, State practice has to be virtually uniform, extensive and representative.”).
But see Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, Guardian (May 16, 2007), (https://perma.cc/W3J8-PBKL) (discussing state responses to the cyber attacks on Estonia).
Cf. James Blitz, UK Becomes First State to Admit to Offensive Cyber Attack Capability, Fin. Times (Sept. 29, 2013), (https://perma.cc/JQY4-9ZCF).
As difficult as the regulation of chemical, biological, and nuclear weapons may be, it is even more complex to prohibit the use of cyber attacks under international law, due in no small part to technical challenges, verification issues, and the attribution problem, among other concerns.177
But see Neil C. Rowe et al., Challenges in Monitoring Cyberarms Compliance, 1 Int’l J. Cyber Warfare & Terrorism 1, 1, 12 (2011) (discussing the challenges of and potential paths to cyber arms control, including making use of digital forensics and usage monitoring to verify compliance).
See Duncan Hollis, Should There Be an International Treaty on Cyberwarfare?, Opinio Juris (June 13, 2012), (https://perma.cc/4ERH-W2P7) (responding to a US News-sponsored debate on the desirability of an international cyber weapons treaty).
1. Introducing the Global Commons.
A “commons” is a general term meaning “a resource shared by a group of people.”179
Charlotte Hess & Elinor Ostrom, Introduction: An Overview of the Knowledge Commons, in Understanding Knowledge as a Commons: From Theory to Practice 3, 3 (Charlotte Hess & Elinor Ostrom eds., 2006).
Id. at 5.
See, for example, J. E. S. Fawcett, How Free Are the Seas?, 49 Int’l Aff. 14, 14 (1973).
See Leo Gross, The Peace of Westphalia, 1648–1948, 42 Am. J. Int’l L. 20, 20, 26 (1948).
Christopher C. Joyner, Governing the Frozen Commons: The Antarctic Regime and Environmental Protection 222 (1998); Geert van Calster, International Law and Sovereignty in the Age of Globalization, Int’l L. & Inst., at 2–3, (https://perma.cc/CZ8R-VKW8).
See, for example, Mark E. Redden & Michael P. Hughes, Nat’l Def. Univ., SF No. 259, Global Commons and Domain Interrelationships: Time for a New Conceptual Framework?, 1–3 (2010), (https://perma.cc/54CY-8DAS).
See Kemal Baslar, The Concept of the Common Heritage of Mankind in International Law xix–xx (1998).
Id. at 225–26.
See Paul Tassi, The Philippines Passes a Cybercrime Prevention Act that Makes SOPA Look Reasonable, Forbes (Oct. 2, 2012), (https://perma.cc/L672-8BLK).
For more on these topics, see Shackelford, supra note 10, at 52–110.
2. From the Digital Frontier to the Final Frontier: Arms Limitation in Space Law as an Analogy for Cyber War.
Outer space is inherently similar to cyberspace; both are vast areas encompassing both territorial and extraterritorial components. Like the weapons systems that have been developed to attack satellites, cyber attacks could have a large-scale strategic impact, both on terrestrial and orbiting assets.189
National Academies, supra note 9, at 296–97.
See, for example, James W. Gabberty, Understanding Motives of Recent Cyber Attacks Against US, Hill Cong. Blog (Mar. 11, 2013), (https://perma.cc/5LML-TTNL).
For more on this topic, see Shackelford, supra note 10, at 52–110.
Julie J. C. H. Ryan, Daniel J. Ryan, & Eneken Tikk, Cybersecurity Regulation: Using Analogies to Develop Frameworks for Regulation, in International Cyber Security Legal & Policy Proceedings 76, 89 (Eneken Tikk & Anna-Maria Talihärm eds., 2010).
See Thomas Graham Jr. et al., Spy Satellites and Other Intelligence Technologies that Changed History 36–38 (2007); Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, Jan. 27, 1967, 18 U.S.T. 2410, 610 U.N.T.S. 205 (entered into force Oct. 10, 1967) [hereinafter OST]; National Academies, supra note 9, at 296–97.
Space and telecommunications systems are intertwined with cyberspace, including in such areas as imagery collection, navigation, and signals intelligence, to say nothing of sustainable use discussed further below.194
U.S. Dep’t Def., Off. Gen. Couns., An Assessment of International Legal Issues in Information Operations 26 (2d ed. 1999) [hereinafter DOD Assessment]; U.S. Dep’t Def., Cyberspace Policy Report 9 (2011).
DOD Assessment, supra note 194, at 31.
OST, supra note 193, at art. 4.
See Jeremy Hsu, Is a New Space Weapon Race Heating Up?, Space.com (May 5, 2010), (https://perma.cc/8B5E-D9FX).
Karl Grossman & Judith Long, Waging War in Space, The Nation (Dec. 9, 1999), (https://perma.cc/6U5B-C9EN) (emphasis in original).
International efforts to form a legal regime for space weapons have been nearly as happenstance as those aimed at limiting cyber weapons.199
See, for example, Turner Brinton, Obama’s Proposed Space Weapon Ban Draws Mixed Response, Space.com (Feb. 4, 2009), (https://perma.cc/42FK-NQY9).
See Press Release, General Assembly, Prevention of Outer Space Arms Race, Ratification of Nuclear Test-Ban Treaty Among Issues Addressed by Texts Introduced in First Committee, U.N. Press Release GA/DIS/3233 (Oct. 15, 2002), (https://perma.cc/J49G-XXPX); Hollis, supra note 178.
See The 10 Countries Most Active in Space, Aerospace-Technology.com, available at (https://perma.cc/6Z92-XSVL) (last visited May 17, 2017).
DOD Assessment, supra note 194, at 48.
Id.
In summary, analogizing space law illustrates that it is possible to regulate an area of the global commons to bar the most egregious military weapons systems, as this regime has done with nuclear weapons placed in orbit. Space law, however, does not fit the mold of cyber peace given the prevalence of cyber attacks, none of which are equivalent to a WMD attack.204
Other space law treaties relating to liability claims resulting from space activities, registration of objects launched into space, the governance of the Moon, or satellite regulations have little if any applicability to cyber attacks and so are beyond the bounds of this study.
Steven Cherry, Sons of Stuxnet, IEEE Spectrum (Dec. 14, 2011), (https://perma.cc/KW8X-MDY7).
See Ronald L. Spencer, Jr., International Space Law: A Basis for National Regulation, in National Regulation of Space Activities 1, 4 (Ram S. Jakhu ed., 2010).
See Frank A. Rose, Remarks at the UN Institute for Disarmament Research, Space Security Conference, in Geneva, Switzerland: Laying the Groundwork for a Stable and Sustainable Space Environment (Mar. 29, 2012), (https://perma.cc/6CLN-MY7T); COPUOS Space Debris Mitigation Guidelines (2010), U.N. OOSA, (https://perma.cc/4T99-E866) (last visited Nov. 11, 2013); Scott J. Shackelford, Governing the Final Frontier: A Polycentric Approach to Managing Space Weaponization and Debris, 51 Am. Bus. L.J. 429, 430 (2014).
3. Freeze the Code: The Antarctic Treaty System Approach to Cyber Attacks.
Rather than banning only certain types of cyber attacks, another (admittedly difficult and complex) option to consider is regulating all cyber attacks. The Antarctic Treaty, which besides managing a continent was the first arms control treaty of the Cold War, provides a fruitful analogue because it goes further than the OST and bans all military activities.208
Antarctic Treaty art. 1, ¶ 1, Dec. 1, 1959, 12 U.S.T. 794, 402 U.N.T.S. 72 (defining “peaceful purposes” in Antarctica as banning “any measures of a military nature”).
Id. at pmbl.
See, for example, Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, Hoover Inst., at 12, (https://perma.cc/P9HY-UQKD).
But see Rowe et al., supra note 177, at 12 (making the case that cyber arms control is possible using current technology).
4. On Climate Change and Cyber Attacks.
It is difficult to think of two issues with a greater potential to negatively impact both our natural environment and the global economy than climate change and cyber attacks. Though the long-term estimates on both are notoriously hard to pin down, contested estimates on the cost of cyber attacks range from approximately $400 billion for 2014 to more than $3 trillion by 2020.212
See, for example, Net Losses: Estimating the Global Cost of Cybercrime, CSIS at 2 (2014), (https://perma.cc/75GL-V54K); Cyberattacks Fallout Could Cost the Global Economy $3 Trillion by 2020, Tech. Rep. (Feb. 20, 2014), (https://perma.cc/RTC2-VF9W).
See Fiona Harvey, Climate Change is Already Damaging Global Economy, Report Finds, Guardian (Sept. 15, 2012), (https://perma.cc/2WEP-89TW).
See Ostrom, supra note 31.
Applying the complete corpus of international environmental law, or even that segment focusing on atmospheric governance, is beyond the scope of this Article.215
For more on this area, see Shackelford & Fort, Sustainable Cybersecurity, supra note 16.
See Paris Agreement, Eur. Comm’n, (https://perma.cc/QC2E-L6J6).
Much like Rachel Carson’s Silent Spring helped jumpstart a global conversation about the state of environmental protection, and Garrett Hardin’s article The Tragedy of the Commons helped popularize the dangers of open access regimes, another article, this time by three British scientists, helped precipitate arguably the most successful international treaty in history—the Montreal Protocol—which, in 2009, became the first U.N. treaty to achieve universal ratification after the U.N. Charter itself.217
See Key Achievements of the Montreal Protocol to Date, Ozone Secretariat, (https://perma.cc/7BVF-2QJR).
For more on this topic, see Shackelford, On Climate Change and Cyber Attacks, supra note 16.
See Key Powers Reach Compromise at Climate Summit, BBC News (Dec. 19, 2009), (https://perma.cc/BX4K-U3KP).
White House, FACT SHEET: U.S.-China Joint Announcement on Climate Change and Clean Energy Cooperation, (https://perma.cc/M6TU-26LL).
See Nell Greenfieldboyce, U.N. Holds Climate Talks In New York Ahead Of Paris Meeting, NPR (June 29, 2015), (http://www.npr.org/2015/06/29/418641168/u-n-holds-climate-talks-in-new-york-ahead-of-paris-meeting).
5. Applying the Law of the Sea to Promote Cyber Peace.
The Law of the Sea (LOS), like outer space, Antarctica, and the atmosphere, enjoys parallels with cyberspace. The codification process that resulted in the first United Nations Convention on the Law of the Sea (UNCLOS) treaty began in 1945, leading to UNCLOS I in 1958.222
Susan J. Buck, The Global Commons: An Introduction 85 (1998).
See Christopher C. Joyner, Antarctica and the Law of the Sea: An Introductory Overview, 13 Ocean Dev. & Int’l L. 277, 281 (1983); Buck, supra note 222, at 86.
Buck, supra note 222, at 86.
Id. at 50, 87.
How Much Water is There On, In, and Above the Earth?, U.S. Geological Serv., (https://perma.cc/W6AG-YVAY).
Buck, supra note 222, at 91; Agreement Relating to the Implementation of Part XI of the United Nations Convention on the Law of the Sea of 10 December 1982, § 5, July 28, 1994, S. Treaty Doc. No. 103-39, 1836 U.N.T.S. 41; see David Shukman, Deep Sea Mining ‘Gold Rush’ Moves Closer, BBC (May 17, 2013), (https://perma.cc/K2JC-EC5Q).
See U.N. Body Issues Exploration Contracts as Era of Deep Seabed Mining Nears, Japan Times (July 25, 2015), (https://perma.cc/7USX-GJHQ).
Among the provisions of UNCLOS III that may be applied to cybersecurity is Article 19, which states that a nation should not use another “nation’s territorial sea to engage in activities prejudicial to the peace, good order, or security of the coastal State.”229
United Nations Convention on the Law of the Sea, art. 19, ¶1, Dec. 10, 1982, 1833 U.N.T.S. 397 [hereinafter UNCLOS]; DOD Assessment, supra note 194, at 34.
UNCLOS, art. 19(1)(c)–(d), (k).
Id. art. 113. See also art. 21(1)(c) (granting coastal states the option of passing laws to protect cables and pipelines); DOD Assessment, supra note 194, at 37 (expanding on these arguments).
UNCLOS, at art. 19(1).
See DOD Assessment, supra note 194, at 37.
UNCLOS is also an important example of a regime that was unsuccessful until it better recognized the needs of the private sector. Both proposed and existing legal regimes being applied to strengthen cyber peace should similarly ensure sufficient protections for private enterprise to promote engagement and spur innovation by not sidelining private entities as Internet governance evolves.234
John D. Negroponte et al., Defending an Open, Global, Secure, and Resilient Internet 14 (Council on Foreign Rel. Independent Task Force Rep. No. 70, 2013).
See Buck, supra note 222, at 91.
Building from the analysis of global commons regimes, this final Subsection investigates the utility of other applicable public accords—focusing on international telecommunications law, MLATs, and extradition treaties—before moving on to an analysis of governance gaps undertaken in Section IV.
1. International Communications Law and Cyber Attacks.
In many ways, the development of international communications law was the direct precursor to cyber law, beginning with agreements dating from the 1800s designed to protect the first submarine cables.236
See DOD Assessment, supra note 194, at 4, 32–33.
See International Telecommunication Union, U.N., (https://perma.cc/J7AR-EYS2).
See Charles H. Kennedy & M. Veronica Pastor, An Introduction to International Telecommunications Law 30–33 (1996).
For more on this topic, see Shackelford, supra note 10, at 3–51, 312–66.
International Telecommunications Convention, Nairobi, annex 2, Nov. 6, 1982, 32 U.S.T. 3821 (emphasis added).
Id. at n.1.
But see Global Cybersecurity Index, supra note 109 (representing an effort by the ITU to enhance the transparency of global cybersecurity governance).
The ITU Convention also gives governments wide discretion in regulating private activity that “may appear dangerous to the security of the State,”243
DOD Assessment, supra note 194, at 33–34.
Constitution of the International Telecommunications Union, art. 34, Dec. 22, 1992, (https://perma.cc/SS4V-EHTV).
Id. at 34.
2. Mutual Legal Assistance Treaties.
Numerous bilateral and multilateral treaties dealing with everything from legal assistance, extradition, diplomatic relations, and friendship, to status of forces agreements, also include provisions that impact cybersecurity. The U.S., for example, is party to dozens of MLATs that could be used to seek criminal prosecution of cyber attackers, especially those MLATs that either explicitly mention IT or are termed broadly enough to cover all law enforcement investigations.246
See, for example, U.S.–Canada MLAT, S. Treaty Doc. No. 100–14; 100th Cong., 2nd Sess. Exec. Rept. 100–28; 100th Cong, 2nd Sess. Exec. Rept 101–10; 101st Cong., 1st Sess. XXIV ILM No. 4, 7/85, 1092–99.
See U.S.–Russia MLAT, S. Treaty Doc. No. 106–22 (1999).
DOD Assessment, supra note 194, at 33; see U.S. Treaties of Extradition, Cornell Univ. Law School, at 6–9, (https://perma.cc/T8XQ-FA5L).
DOD Assessment, supra note 194, at 35.
See, for example, Gail Kent, The Mutual Legal Assistance Problem Explained, Ctr. Internet & Soc’y (Feb. 23, 2015), (https://perma.cc/3E45-Q8Y7).
3. Extradition Treaties and Diplomatic Relations.
Another avenue to promote cyber peace would be to leverage existing treaties to help safeguard certain tempting targets such as embassies. The 1961 Vienna Convention on Diplomatic Relations enshrines the right of “inviolability of the premises” of a diplomatic mission, its archives, private residences and property of its agents, and its communications.251
Id. at 38; see Vienna Convention on Diplomatic Relations, arts. 2, 24, 27, 30, Apr. 18, 1961, 23 U.S.T. 3227, (https://perma.cc/99QD-F6VX).
See, for example, Eduard Kovacs, DDoS Attack Targets Russian Embassy Website, Softpedia (Sept. 12, 2011), (https://perma.cc/2APU-AXWK); Cyber War on Japanese Embassies, Expatica (Oct. 26, 2011), (https://perma.cc/ST43-5DPZ).
See US Expels Venezuela’s Miami Consul Livia Acosta Noguera, BBC (Jan. 9, 2012), (http://perma.cc/NWC8-NF2R).
See Implementation of the Virtual Data Embassy Solution, Estonian Ministry of Economic Aff. & Comm., (http://perma.cc/73P8-QJ3R).
Treaties of friendship, commerce, and navigation could also be used to leverage the prospects for cyber peace.255
See DOD Assessment, supra note 194, at 39.
See generally Schmitt, supra note 12 (exploring the contours of available countermeasures under international cybersecurity law).
G.A. Res. 58/32, U.N. Doc. A/RES/58/32 (Dec. 8, 2003); G.A. Res. 59/61, U.N. Doc. A/RES/59/61 (Dec. 3, 2004); G.A. Res. 60/45, U.N. Doc. A/RES/60/45 (Jan. 6, 2006); G.A. Res. 61/54, U.N. Doc. A/RES/61/54 (Dec. 19, 2006); G.A. Res. 62/17, U.N. Doc. A/RES/62/17 (Jan. 8, 2008); G.A. Res. 63/37, U.N. Doc. A/RES/63/37 (Jan. 9, 2009); G.A. Res. 64/25, U.N. Doc. A/RES/64/25 (Jan. 14, 2010).
Increasingly, leaders such as the former President of Estonia, Toomas Ilves; the former Director of the Internet Corporation for Assigned Names and Numbers (ICANN), Fadi Chehadé; and even Nobel Laureates such as Professor Elinor Ostrom have proffered polycentric governance as the best path forward to addressing the global collective action problems of climate change and cyber attacks.258
See Nancy Scola, ICANN Chief: “The Whole World is Watching” the U.S.’s Net Neutrality Debate, Wash. Post (Oct. 7, 2014), (https://perma.cc/YAU4-8C48).
Brandon Valeriano & Ryan C. Maness, The Coming Cyberpeace: The Normative Argument Against Cyberwarfare, Foreign Aff. (May 13, 2015), (https://perma.cc/ZF6E-VEGY).
It may be easiest to understand polycentric governance in juxtaposition to the alternative—monocentrism, which is a political system where the authority to enforce rules is “vested in a single decision structure that has an ultimate monopoly over the legitimate exercise of coercive capabilities.”260
Paul D. Aligica & Vlad Tarko, Polycentricity: From Polanyi to Ostrom, and Beyond, 25 Governance 237, 244 (2012).
Id. at 245.
Id. at 238.
Id.
Id.
Id.
Aligica & Tarko, supra note 260, at 238.
Id. at 239.
Professor Lon Fuller agreed with Polanyi’s assessment with regard to polycentrism, arguing that many legal decisions are in fact polycentric in that they involve multiple “decision centers and the network of cause and effect relationships is not understood very well.”268
Id. at 240.
Id.
Id.
See Eli Dourado, Is There a Cybersecurity Market Failure? (George Mason Univ. Mercatus Ctr., Working Paper No. 12–05, 2012), (https://perma.cc/C49M-LGTY) (arguing that market failures are not so common in the cybersecurity realm); Jerry Brito & Tate Watkins, Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy, 3 Harv. Nat’l Sec. J. 39, 82 (2011) (making the case against there being a cybersecurity market failure).
The Ostroms’ work on polycentric governance, begun in the 1960s, was initially centered on questions of metropolitan governance, but subsequently evolved in two directions—social theory, and empirical investigations of governance structures. The Ostroms argued that coordination in complex systems is in fact possible through interorganizational arrangements that “would manifest market-like characteristics and display both efficiency-inducing and error-correcting behavior.”272
Aligica & Tarko, supra note 260, at 242.
Id.
Id.
As applied to cybersecurity, the field of polycentric governance has an array of particularized lessons drawn from Professor Ostrom’s work, as summarized in her Institutional Analysis and Design (IAD) Framework.275
See Elinor Ostrom, Polycentric Systems: Multilevel Governance Involving a Diversity of Organizations, in Global Environmental Commons: Analytical and Political Challenges Involving a Diversity of Organizations 105, 117 (Eric Brousseau et al. eds., 2012).
Cost-benefit analysis in the cybersecurity context is challenging both because of the difficulty in defining all the associated costs of a successful data breach as well as determining an investment strategy to identify and instill technological, budgetary, and organizational best practices. See, for example, Gregory J. Touhill & Joseph Touhill, Cybersecurity for Executives: A Practical Guide 31 (2014).
See Ostrom, supra note 275, at 118 & tbl. 5.3.
Fact Sheet: White House Summit on Cybersecurity and Consumer Protection, (https://perma.cc/S68Y-WPJ6).
At a more global level, this approach highlights support for minilateral norm building, which we are already seeing across a number of fora including the G2, G7, and G20. For example, the G2 Cybersecurity Code of Conduct that was mentioned in the introduction calls for mutual restraint in cyber economic espionage, particularly the theft of trade secrets.279
See Robinson, supra note 7.
G7 Leaders, supra note 6.
G20 Communiqué, supra note 5.
Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN General Assembly, A/70/174 (July 22, 2015).
These forums are proving invaluable for minilateral norm building that is helping to crystallize State practice. Overall, this form of polycentric undertaking is similar to efforts like the Guiding Principles on Business and Human Rights (Guiding Principles) Framework approach authored by Professor John Ruggie, which encourages greater stakeholder buy-in from diverse organizations rather than a multilateral, top-down approach to promoting human rights in business practices.283
See, for example, John G. Ruggie, Just Business: Multinational Corporations and Human Rights 78 (2013).
See Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political Change, 52 Int’l Org. 887, 895–98 (1998).
Michael D. McGinnis, Elinor Ostrom: Politics as Problem-Solving in Polycentric Settings, in Elinor Ostrom and the Bloomington School of Political Economy 281, 285 (Daniel H. Cole & Michael D. McGinnis eds., 2014).
Taken together, the diverse sources of private and public international law discussed in this Article provide the beginnings of a legal framework to manage cyber attacks during peacetime. The private and public sectors are pioneering systems of cybersecurity due diligence and cyber risk insurance that are already helping to mitigate the cyber risk of an array of small, medium, and large organizations. Existing bilateral and multilateral trade and investment treaties provide the ability for private entities to protect their intellectual property such as through international arbitration. If a host nation’s domestic laws criminalize cyber attacks, then applicable MLATs and extradition treaties would apply to make perpetrators accountable in various jurisdictions. If the attack were directed against a foreign mission or embassy, then the Vienna Convention on Diplomatic Immunity would provide certain remedies and potentially reparations to the victim nation, potentially combined with virtual embassy schemes such as the one currently pioneered by Estonia. Moreover, provisions under UNCLOS III regulating submarine cables, the ability to prosecute private parties in breach of the ITU treaty in telecommunications law, and interference with satellite transmissions in space law, all place restrictions on cyber attackers. This regime has been criticized as “patchwork,”286
Finnemore & Sikkink, supra note 284, at 859.
For more on regime effectiveness in the cybersecurity context, see Shackelford, supra note 10; Shackelford, On Climate Change and Cyber Attacks, supra note 16.
If political impasses are overcome and State practice further crystallizes, negotiators could, to improve upon the suboptimal status quo, craft a new cybersecurity treaty that: (1) defines appropriate graduated sanctions against nations harboring or sponsoring cybercriminals and terrorists where possible; (2) clarifies which international legal provisions apply below the armed attack threshold; (3) establishes a regime for attribution that includes robust information sharing; (4) provides for enforcement mechanisms; and (5) provides a system of efficient dispute resolution.288
See Oona A. Hathaway et al., The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 880 (2012).
Group of Governmental Experts, supra note 282.
Ultimately, the limitations of existing regimes, created by analogy and the extension of principles developed to suit different challenges, demonstrate the limits of international laws to enhance cybersecurity. Internet freedom arguments about the “unregulatability of BITs” and the ability of attackers to circumvent national borders remain powerful especially given rapid technological advancements, but have been partly undermined by the work of scholars, such as Professor Joel Reidenberg, who have advocated for the potential of private regulatory regimes to serve as proxies for laws.290
Andrew W. Murray, The Regulation of Cyberspace: Control in the Online Environment 203–04 (2006).
Id. at 205.
What other options exist in enhancing cybersecurity beyond adapting existing treaties? Some argue for the widespread use of preventative self-defense with its attendant dangers of international instability and escalation.292
See Christopher C. Joyner & Catherine Lotrionte, Information Warfare as International Coercion: Elements of a Legal Framework, 12 Eur. J. Int’l L. 825, 858–59 (2001).
See Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent, 43 Vand. J. Transnat’l L. 57, 57 (2010).
See Denver Nicks, Report: Usefulness of NSA Mass Surveillance ‘Overblown,’ Time (Jan. 13, 2014), (https://perma.cc/CP73-FWNW).
International law changes with events: as Justice Oliver Wendell Holmes wrote, “The life of the law has not been logic; it has been experience.”295
Oliver Wendell Holmes, Jr., The Common Law 1 (1923).
See Mary Ellen O’Connell, Cyber Security without Cyber War, 17 J. Conflict & Sec. L. 187, 187 (2012).
- 1See, for example, Steve Holland & Doina Chiacu, Obama Says Sony Hack Not an Act of War, Reuters (Dec. 22, 2014), (https://perma.cc/8N7Y-LW3A).
- 2Id.
- 3See Brandon Valeriano & Ryan C. Maness, The Coming Cyberspace: The Normative Argument Against Cyberwarfare, Foreign Affairs (May 13, 2015), (https://perma.cc/9NMQ-4B2Q) (“Despite fears of a boom in cyberwarfare, there have been no major or dangerous hacks between countries.”).
- 4See Sara Sorcher, OPM Breach a Shadow Over Homeland Security's Appeals to Security Pros, Christian Sci. Monitor (Aug. 7, 2015), (https://perma.cc/XS4F-5Z6H); Shannon Hayden, Cyber Attack on South Korean Subway System Could Be a Sign of Nastier Things to Come, Vice News (Oct. 8, 2015), (https://perma.cc/24QP-4V3R); Warwick Ashford, Cisco Praised for Quick Response to Cyber Attack, Computer Weekly (Oct. 8, 2015), (https://perma.cc/LH92-UKEU).
- 5See G20 Leaders’ Communiqué, ANTALYA Summit (Nov. 15–16, 2015), (https://perma.cc/BU57-9XKX).
- 6G7 Leaders Approve Historic Cybersecurity Agreement, Bos. Global F. (June 6, 2016), (https://perma.cc/RM3S-FZ2W).
- 7See Teri Robinson, U.S., China Agree to Cybersecurity Code of Conduct, SC Mag. (June 26, 2015), (https://perma.cc/K9GQ-FZPT).
- 8See, for example, Tallinn Manual on the International Law Application to Cyber Warfare 17 (Michael N. Schmitt ed., 2013) (discussing when a cyber attack could trigger the right of self-defense) [hereinafter Tallinn Manual].
- 9See Nat’l Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 34, 67 (William A. Owens, Kenneth W. Dam, & Herbert S. Lin eds., 2009) [hereinafter National Academies]. There are varying interpretations for defining the jus in bello threshold for armed attacks under international law, but the most common is arguably the equivalent effects test, which requires that for a cyber operation to be an armed attack, it must have results equivalent to a physical invasion by traditional military forces.
- 10See, for example, Scott J. Shackelford, Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace 3–51 (2014).
- 11Tallinn 2.0, (https://perma.cc/G6GB-PPQP) (last visited Aug. 9, 2015). Tallinn 2.0 seeks to unpack the public international law applicable below the armed attack threshold, representing a follow-up from the widely-discussed Tallinn Manual. See Tallinn Manual, supra note 8; Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response Option and International Law, 54 Va. J. Int’l L. 697, 698 (2014).
- 12But see Michael N. Schmitt & Sean Watts, Beyond State-Centrism: International Law and Non-State Actors in Cyberspace, 21 J. of Conflict & Sec. L. 1, 1 (2016) (unpacking the role of non-state actors in international cybersecurity).
- 13Cf. Teresa Scassa & Robert J. Currie, New First Principles? Assessing the Internet’s Challenges to Jurisdiction, 42 Geo. J. Int'l L. 1017, 1030–31 (2011); Christina Parajon Skinner, An International Law Response to Economic Cyber Espionage, 46 Conn. L. Rev. 1165, 1194 (2014).
- 14See generally Scott J. Shackelford, From Net War to Nuclear War: Analogizing Cyber Attacks in International Law, 27 Berkeley J. Int’l L. 192 (2009).
- 15See id.
- 16See Scott J. Shackelford & Timothy L. Fort, Sustainable Cybersecurity: Applying Lessons from the Green Movement to Managing Cyber Attacks, 2016 U. Ill. L. Rev. 1995, 2032 (2016); Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, 17 Chi. J. Int’l L. 1, 50 (2016); Scott J. Shackelford, On Climate Change and Cyber Attacks: Leveraging Polycentric Governance to Mitigate Global Collective Action Problems, 18 Vand. J. Ent. & Tech. L. 653, 711 (2016); Scott J. Shackelford & Andraz Kastelic, Toward a State-Centric Cyber Peace: Analyzing the Current State and Impact of National Cybersecurity Strategies on Enhancing Global Cybersecurity, 18 N.Y.U. J. Legis. & Pub. Pol’y 895, 941–42 (2015); Scott J. Shackelford, Scott Russell, & Jeffrey Haut, Bottoms Up: A Comparison of Voluntary Cybersecurity Frameworks, 16 U.C. Davis Bus. L.J. 217, 259–60 (2016); Scott J. Shackelford & Zachary Bohm, Securing North American Critical Infrastructure: A Comparative Case Study in Cybersecurity Regulation, 40 Can.-U.S. L.J. 61, 69–70 (2016); Scott J. Shackelford, Protecting Intellectual Property and Privacy in the Digital Age: The Use of National Cybersecurity Strategies to Mitigate Cyber Risk, 19 Chapman L. Rev. 445, 464–65 (2016); Amanda N. Craig, Scott J. Shackelford, & Janine Hiller, Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis, 52 Am. Bus. L.J. 721, 786–87 (2015); Scott J. Shackelford et al., Toward a Global Standard of Cybersecurity Care: Exploring the Implications of the 2014 NIST Cybersecurity Framework on Shaping Reasonable National and International Cybersecurity Practices, 50 Tex. Int’l L.J. 305, 354–55 (2015); Eric Richards, Scott J. Shackelford, & Abbey Stemler, Rhetoric Versus Reality: U.S. Resistance to Global Trade Rules and the Implications for Cybersecurity and Internet Governance, 24 Minn. J. Int’l L. 159, 173 (2015); Scott J. Shackelford & Scott Russell, Risky Business: Lessons for Mitigating Cyber Attacks from the International Insurance Law on Piracy, 24 Minn. J. Int’l L. 1, 14–15 (2015); Scott J. Shackelford & Scott Russell, Above the Cloud: Enhancing Cybersecurity in the Aerospace Sector, 10 FIU. L. Rev. 635, 667 (2015); Scott J. Shackelford, Timothy L. Fort, & Jamie D. Prenkert, How Businesses Can Promote Cyber Peace, 36 U. Pa. J. Int’l L. 353, 430–31 (2014); Scott J. Shackelford et al., Using BITs to Protect Bytes: Promoting Cyber Peace and Safeguarding Trade Secrets through Bilateral Investment Treaties, 52 Am. Bus. L.J. 1, 73–4 (2015); Scott J. Shackelford & Amanda N. Craig, Beyond the New ‘Digital Divide’: Analyzing the Evolving Role of Governments in Internet Governance and Enhancing Cybersecurity, 50 Stan. J. Int’l L. 119, 184 (2014); Amanda N. Craig & Scott J. Shackelford, Hacking the Planet, the Dalai Lama, and You: Managing Technical Vulnerabilities in the Internet through Polycentric Governance, 24 Fordham Intell. Prop. Media & Ent. L.J. 381, 423–25 (2014); Scott J. Shackelford, Toward Cyberpeace: Managing Cyber Attacks through Polycentric Governance, 62 Am. U. L. Rev. 1273, 1360–64 (2013); Shackelford, supra note 14.
- 17John Verry, Why the NIST Cybersecurity Framework Isn’t Really Voluntary, Info. Sec. Blog. (2014), (https://perma.cc/8CLX-YBQC).
- 18Michael D. McGinnis, Costs and Challenges of Polycentric Governance: An Equilibrium Concept and Examples from U.S. Health Care, Conference on Self-Governance, Polycentricity, and Development 1 (prepared for presentation at Renmin University, Beijing, China) (May 8, 2011), (https://perma.cc/ZLF8-R3MQ); Henning Wegener, Cyber Peace, in The Quest for Cyber Peace 77, 82 (Hamadoun I. Toure & Perm. Monitoring Panel on Info. Sec. eds., 2011), (https://perma.cc/TA8D-VEZP) (arguing that “unprovoked offensive cyber action, indeed any cyber attack, is incompatible with the tenets of cyber peace.”); Shackelford, supra note 10, at 52–110, 312–366.
- 19Malcolm Shaw, International Law, Definition of International Law, Encyclopedia Britannica (last visited May 03, 2017), (https://perma.cc/8PJ9-JHKP).
- 20Customary international law is often defined as the “general and consistent practice of states followed by them from a sense of legal obligation.” Restatement (Third) of the Foreign Relations Law of the United States § 102(2) (A.L.I. 1987).
- 21Statute of the International Court of Justice Art. 38, June 16, 1945, 59 Stat. 1055, 33 U.N.T.S. 933.
- 22See Malcolm N. Shaw, International Law 69–71 (4th ed. 1997).
- 23Convention on Cybercrime, Nov. 23, 2001, 2296 U.N.T.S. 167.
- 24See Joseph S. Nye, Jr., Power and National Security in Cyberspace, in America’s Cyber Future: Security and Prosperity in the Information Age 5, 19–20 (Kristin M. Lord & Travis Sharp eds., 2011).
- 25See Paul B. Stephan & Julie A. Roin, International Business and Economics: Law and Policy vii (4th ed. 2010).
- 26Private International Law, Org. Am. St. (2017), (https://perma.cc/JP2M-5RA9).
- 27See, for example, Cybersecurity, Hogan Lovells LLP, (https://perma.cc/9FXR-ZXC5); see Section II(D), infra.
- 28Michael D. McGinnis, An Introduction to IAD and the Language of the Ostrom Workshop: A Simple Guide to a Complex Framework, 39 Pol’y Stud. J. 163, 171–72 (2011).
- 29Elinor Ostrom, Polycentric Systems as One Approach for Solving Collective-Action Problems 1 (Ind. Univ. Workshop in Political Theory and Policy Analysis, Working Paper Series No. 08–6, Sept. 2008).
- 30For a detailed discussion of early Internet history, see Katie Hafner & Matthew Lyon, Where Wizards Stay Up Late: The Origins of the Internet (1996); Brief History of the Internet, Internet Soc’y, (https://perma.cc/KT8J-DZA9).
- 31Elinor Ostrom, A Polycentric Approach for Coping with Climate Change 35 (World Bank, Policy Research Working Paper No. 5095, 2009), (https://perma.cc/TW2J-CSJQ).
- 32Robert O. Keohane & David G. Victor, The Regime Complex for Climate Change, 9 Persp. on Pol. 7, 15 (2011). Cf. Julia Black, Constructing and Contesting Legitimacy and Accountability in Polycentric Regulatory Regimes, 2 Reg. & Governance 137, 157 (2008) (discussing the legitimacy of polycentric regimes, and arguing that “[a]ll regulatory regimes are polycentric to varying degrees”).
- 33See Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political Change, 52 Int’l Org. 887, 895–98 (1998).
- 34Wegener, supra note 18, at 78.
- 35The notion of negative peace has been applied in diverse contexts, including civil rights. See, for example, Martin Luther King, Non-Violence and Racial Justice, Christian Century 118, 119 (1957) (arguing “[t]rue peace is not merely the absence of some negative force––tension, confusion or war; it is the presence of some positive force––justice, good will and brotherhood”).
- 36See Johan Galtung, Peace, Positive and Negative, in The Encyclopedia of Peace Psychology 1, 758, 762 (Daniel J. Christie ed., 2011) (comparing the concepts of negative and positive peace). For more on this topic, see generally Shackelford, supra note 10, at preface. Another related literature that should be explored further stems from the U.S. constitutional law context, including Federalist No. 10, which discusses the extent to which heterogeneous collaboration can mitigate conflict. See The Federalist No. 10 (James Madison).
- 37Tim Ryan & Leonard Navarro, Cyber Due Diligence: Pre-Transaction Assessments Can Uncover Costly Risks, Kroll Call (Jan. 28, 2015), (https://perma.cc/W8BB-ZVRA).
- 38An earlier version of this research was previously published as Scott J. Shackelford, Scott Russell, & Andreas Kuehn, Unpacking the International Law on Cybersecurity Due Diligence: Lessons from the Public and Private Sectors, 17 Chi. J. Int’l L. 1 (2016).
- 39Cf. John R. Crook, Contemporary Practice of the United States Relating to International Law, 105 Am. J. Int'l L. 775, 795 (2011) (“Cybersecurity Due Diligence: States should recognize and act on their responsibility to protect information infrastructures and secure national systems from damage or misuse.”); John M. Prescott, Responses to Five Questions on National Security Law, 38 Wm. Mitchell L. Rev. 1536, 1548 (2012) (discussing the U.S. International Strategy for Cyberspace); Shackelford, Toward Cyberpeace, supra note 16, at 1354. See also Michael N. Schmitt, In Defense of Due Diligence in Cyberspace, 125 Yale L.J. F. 68, 81 (2016) (“[I]nternational law acknowledges that the right of sovereignty and the corresponding duty of due diligence must be in equilibrium. As a matter of law, therefore, the due diligence obligation does not require a state to take measures that are beyond its means or otherwise unreasonable.”).
- 40Corfu Channel (U.K. v. Albania), 1949 I.C.J. 4, ¶ 49 (April 9).
- 41Trail Smelter Arbitration (U.S. v. Can.), 3 Rep. Int’l Arb. Awards (R.I.A.A.) 1905 (1941).
- 42Case Concerning the Military and Paramilitary Activities In and Against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, 106-08, 183 (June 27). However, it should be noted that other ICJ jurisprudence is also on point and is not discussed here due to space constraints, including: Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion – General Assembly, ICJ Reports, 8 July 1996, at 22, ¶ 29; Case Concerning Pulp Mills on the River Uruguay (Argentina v. Uruguay), Judgment, 20 April 2010, ¶ 193.
- 43Corfu Channel, supra note 40.
- 44Eneken Tikk, Ten Rules of Behavior for Cyber Security, 53 Survival 119, 126 (2011).
- 45See, for example, Stephen Flynn, The Edge of Disaster: Rebuilding a Resilient Nation 139 (2007).
- 46See, for example, Cloudy Jurisdiction: Addressing the thirst for Cloud Data in Domestic Legal Processes, Electronic Frontier Foundation (Internet Governance Forum-Baku 2012), (https://perma.cc/CT7S-8PRD).
- 47See G20 Communiqué, supra note 5.
- 48See, for example, Sigrun Skogly, Beyond National Borders: States’ Human Rights Obligations in International Cooperation 50 (2006).
- 49Trail Smelter Arbitration, supra note 41.
- 50Ralph Bodle, Climate Law and Geoengineering, in Climate Change and the Law, Ius Gentium: Comparative Perspectives on Law and Justice 447, 457–58 (Erkki Hollo et al. eds., 2012).
- 51Case Concerning the Military and Paramilitary Activities In and Against Nicaragua, supra note 42.
- 52Clinton’s Speech on Internet Freedom, January 2010, Council on Foreign Rel. (Jan. 21, 2010), (https://perma.cc/B685-3QSV).
- 53See, for example, Yahoo!, Inc. v. La Ligue Contre le Racisme et L’Antisemitisme, 169 F. Supp. 2d 1181 (N.D. Cal. 2001), rev’d, 379 F.3d 1120 (9th Cir. 2005), rev’d en banc, 433 F.3d 1199 (9th Cir. 2006); Jack Goldsmith & Tim Wu, Who Controls the Internet?: Illusions of a Borderless World 5 (2006).
- 54See Natalia Drozdiak & Sam Schechner, EU Court Says Data-Transfer Pact With U.S. Violates Privacy, Wall St. J. (Oct. 6, 2015), (https://www.wsj.com/articles/eu-court-strikes-down-trans-atlantic-safe-harbor-data-transfer-pact-1444121361); Scott J. Shackelford, Seeking a Safe Harbor in a Widening Sea: Unpacking the EJC’s Schrems Decision and What it Means for Transatlantic Relations, Seton Hall J. Dipl. & Int’l Rel. (forthcoming 2017) (discussing the case in some detail).
- 55See Jean-Marie Henckaerts & Louise Doswald-Beck, Assessment of Customary International Law, Int’l Comm. Red Cross (2005), (https://perma.cc/SH46-EVFM).
- 56See Update on the Cybersecurity Framework, NIST (Dec. 5, 2014), (https://perma.cc/2FKE-RM2W).
- 57Rachel Ensign, Cybersecurity Due Diligence Key in M&A Deals, Wall St. J. (Apr. 24, 2014), (http://blogs.wsj.com/riskandcompliance/2014/04/24/cybersecurity-due-diligence-key-in-ma-deals/).
- 58Erin Ayres, Cybersecurity Easing its Way into M&A Due Diligence, Advisen (Aug. 22, 2014), (https://perma.cc/W27L-4TLE).
- 59Id.
- 60Michael Greene, M&A Due Diligence Must Include Cybersecurity Analysis, Attorneys Say, BNA (May 20, 2015), (https://perma.cc/ZA5D-55SG).
- 61See Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006).
- 62See National Institute of Standards and Technology, Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework 1 (2014), (https://perma.cc/H924-X77W).
- 63See Ayres, supra note 58.
- 64Cf. Willingham v. Global Payment, 2013 WL 440702 at *19 (N.D. Ga. Feb. 5, 2013) (reflecting an alternative view in which courts are reluctant to rely on data security standards as a means of determining whether a duty was owed).
- 65See McAfee, Unsecured Economies: Protecting Vital Information 6 (2009), (https://perma.cc/X38C-DRDP).
- 66For more on this topic, see generally Amanda N. Craig, Scott J. Shackelford, & Janine Hiller, Proactive Cybersecurity: A Comparative Industry and Regulatory Analysis, 52 Am. Bus. L.J. 721 (2015).
- 67Interview with Chris Palmer, Google engineer and former technology director, Electronic Frontier Foundation, in San Francisco, Cal. (Feb. 25, 2011).
- 68See SANS Institute, White House, The National Strategy to Secure Cyberspace 24 (2003), (https://perma.cc/P6L8-CUZ9); Cybersecurity Act of 2009, S. 773, 111th Cong. § 15(1), (2009) (providing for the creation of “a market for cybersecurity risk management, including the creation of a system of civil liability and insurance (including government reinsurance)”).
- 69Emily Stewart, Cyber Attack Insurance Growing Fast, ABC (Oct. 9, 2015), (https://perma.cc/CW2W-UW3E).
- 70Jon Swartz, Firms’ Hacking-Related Insurance Costs Soar, USA Today (Feb. 9, 2003), (https://perma.cc/U4F6-YB92); see Press Release, Hiscox, Safeonline Launches Internet Security Insurance, (https://perma.cc/AV5J-MWLQ).
- 71See Jim Finkle, Cyber Insurance Premiums Rocket After High-Profile Attacks, Reuters (Oct. 12, 2015), (https://perma.cc/6AVX-GPL9); Nicole Perlroth, Insurance Against Cyber Attacks Expected to Boom, N.Y. Times Bits (Dec. 29, 2011), (https://perma.cc/Q4B8-DW6F); Robert Lemos, Should SMBs Invest in Cyber Risk Insurance?, Dark Reading (Sept. 9, 2010), (https://perma.cc/HXU2-7LPZ).
- 72See Perlroth, supra note 71.
- 73Stewart, supra note 69.
- 74Robert Richardson, CSI Computer Crime & Security Survey at 11 (2008), (https://perma.cc/PH8H-3JLJ).
- 75See Lemos, supra note 71; see also Travelers Adds Cyber Protection Tailored to Small Businesses, Ins. J. (Jan. 22, 2013), (https://perma.cc/SA75-U76X). DHS summarized the current state of cyber risk insurance in 2012, noting that “[w]hile a sizable third-party market exists to cover losses suffered by a company’s customers, first-party policies that address direct harms to companies themselves remain expensive, rare, and largely unattractive.” DHS, Cybersecurity Insurance Workshop Readout Report 1 (2012), (https://perma.cc/L2QE-L4BC); Nathan Brown, The Costs of Having (and NOT Having) Cyber Insurance, Nextech (Mar. 31, 2015), (https://perma.cc/STX2-28LX).
- 76See The Case for Cybersecurity Insurance, Part II, Krebs on Sec. (Jul. 10, 2010), (https://perma.cc/994Q-XBLN); see also Tony Morbin, Should You Use Cyber Insurance to Mitigate Risk?, SC Media (Aug. 20, 2014), (https://perma.cc/9EF5-SDKA).
- 77See Mark Ward, Energy Firm Cyber-Defense is ‘Too Weak’, Insurers Say, BBC (Feb. 26, 2014), (https://perma.cc/93XK-TESE).
- 78Cf. Denise Dubie, Corporate Security Spending Not in Line with Real-World Requirements, Network World (May 2003), (https://perma.cc/6U69-ATJN). But see Riva Richmond, How to Determine If Cyber Insurance Coverage Is Right for You, Entrepreneur (June 5, 2012), (https://perma.cc/8EJS-MES6); Morbin, supra note 76.
- 79See, for example, Brooke Yates & Katie Varholak, Cyber Risk Insurance - Navigating the Application Process, Sherman & Howard (June 6, 2013), (https://perma.cc/6BM2-VCN9).
- 80But see Sarah Veysey, Insurers Urge Anonymous Database to Help Underwrite Cyber Risks, Bus. Ins. (May 23, 2016), (https://perma.cc/EBE8-9SJP) (“The Association of British Insurers has called for a national anonymous database of cyber incidents to enable the insurance market to better assess, underwrite and price cyber risks.”).
- 81See DHS, supra note 75, at 1.
- 82Stewart, supra note 69.
- 83Id.
- 84See, for example, Cyber Insurance: A Last Line of Defense When Technology Fails, Latham & Watkins Client Alert 1675, at 1 (Apr. 15, 2014), (https://perma.cc/C7RA-RZJS).
- 85See Finkle, supra note 71.
- 86See id.
- 87Id.
- 88Id.
- 89See DHS, supra note 75, at 1.
- 90Finkle, supra note 71.
- 91See Caitlin Bronson, The 5 US Industries Most Uninsured Against Cyber Risk, Ins. Bus. Am. (Oct. 12, 2015), (https://perma.cc/Z3E5-2JW4); Matt Williams, Why Most Governments Don’t Carry Cyber Insurance, Govt. Tech. (Aug. 7, 2013), (https://perma.cc/YY7A-UTAY0).
- 92See Infrastructure, Energy, Resources, and Projects, Hogan Lovells, (https://perma.cc/A9EQ-CFX8).
- 93FINRA Issues Report on Cybersecurity Practices, Cybersecurity Investor Alert, FINRA (Feb. 3, 2015), (https://perma.cc/LE5Z-3H8L).
- 94See Nicole Hong & Robin Sidel, Hackers Breach Law Firms, Including Cravath and Weil Gotshal, Wall St. J. (Mar. 29, 2016), (https://perma.cc/NJS5-CVTK).
- 95For example, concerns have long centered on limitations to national sovereignty, with critics arguing “that the process should be more fully transparent and open to participation by concerned citizens, given the public importance of the issues at stake in many of the cases.” Anthony R. Parra, The History of ICSID 238 (2012) (arguing that “Other influential voices were raised to argue that investment treaties and arbitration could unduly constrain governments from introducing much needed reforms, including those concerning human rights.”).
- 96See Section II(F), infra.
- 97For more on this topic, see Shackelford et al., Using BITs to Protect Bytes, supra note 16 (representing the first publication of parts of this analysis).
- 98International Centre for Settlement of Investment Disputes (ICSID), List of Contracting States and Other Signatories of the Convention (as of April 12, 2016), (https://perma.cc/XF4M-DJT5).
- 99See International Centre for Settlement of Investment Disputes (ICSID), The ICSID Caseload – Statistics: Issue 2016-1 at 7–9, (https://perma.cc/AT6Q-DAB4).
- 100See Thomas Carbonneau, Cases and Materials on The Law and Practice of Arbitration 911–13 (2003).
- 101For example, the English courts have previously made such a declaration. See Anjanette H Raymond, Confidentiality, in a Forum of Last Resort? Is the Use of Confidential Arbitration a Good Idea for Business and Society?, 16 Am. Rev. Int’l Arb. 479 (2005) (discussing the English case of City of Moscow v. Bankers Trust, [2004] All ER (D) 62 (Jan)).
- 102See Lao Holdings N.V. & The Government of the Lao People’s Democratic Republic, Discussion on the Merits (June 10, 2015), at 40, ICSID Case No. ARB (AF)/12/6.
- 103See, for example, Matthew Braga, Canada Doesn’t Know How to Regulate Cyber Weapons Sales, Motherboard (Sept. 8, 2014), (https://perma.cc/5JMY-9PPR).
- 104See, for example, Paul Rosenzweig, The Unpersuasiveness of the Case for Cybersecurity Regulation – An Introduction, Lawfare (May 17, 2012), (https://perma.cc/N67K-XFWW); Michael Daniel, Assessing Cybersecurity Regulations, White House (May 22, 2014), (https://perma.cc/VB7N-BML3) (“The major outcome is that the Administration’s analysis supports our current voluntary approach to address cyber risk.”).
- 105Other nations, though, are taking myriad other approaches. Israel, for example, has created a National Cyber Bureau to aid in standards setting. See, for example, Daniel Benoliel, Towards a Cyber Security Policy Model: Israel National Cyber Bureau (INCB) Case Study (Univ. of Haifa Discussion Paper, July 2014), (https://perma.cc/85AK-8BX9).
- 106See National Institute of Standards and Technology, Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework at i (2014), (https://perma.cc/H924-X77W).
- 107See, for example, Kaspersky Cybermap, (https://cybermap.kaspersky.com/) (last visited April 5, 2017).
- 108Jack Goldsmith, Response to Paul on Cyber-Regulation for Critical Infrastructure, Lawfare (May 21, 2012), (https://perma.cc/EHC3-A4V9).
- 109For more on this topic, see Shackelford, Russell, & Haut, supra note 16; ITU, Global Cybersecurity Index & Cyber Wellness Profiles 1 (2015), (https://perma.cc/K6LA-RH5Y) (ranking nations in terms of their vulnerability to and mitigation strategies for cyber attacks).
- 110For more on this topic, see Shackelford & Kastelic, supra note 16.
- 111See id. at 913–14.
- 112See Russia has Developed a National Cyber Security Policy, FISMA News, (https://perma.cc/K22V-6LV2).
- 113See U.S. Dep’t Energy, A Primer on Electric Utilities, Deregulation, and Restructuring of U.S. Electricity Markets v. 2.0, at 2.1 (May 2002); Christian Schülke, The EU’s Major Electricity and Gas Utilities Since Market Liberalization 130 (2010).
- 114See Letter from Michael Assante, NERC Vice President and Chief Security Officer, to Industry Stakeholders (Apr. 7, 2009), (https://perma.cc/H437-PHJE) (discussing designating critical cyber assets).
- 115For more on the methodological challenges of undertaking cybersecurity regime effectiveness studies, see Shackelford, supra note 10, at 312–66.
- 116See Global Cybersecurity Index, supra note 109.
- 117Frank G. Dawson & Burns H. Weston, “Prompt, Adequate and Effective” A Universal Standard of Compensation?, 30 Fordham L. Rev. 727, 734 (1962); see also Case Concerning the Factory at Chorzow (Ger. v. Pol.), 1926-29 P.C.I.J. (ser. A), Nos. 7, 9, 17, 19, excerpted in Henry J. Steiner et al., Transnational Legal Problems 451–54 (1994).
- 118Notes exchanged between the U.S. and Mexico during the 1938 disputes are reprinted in 3 Green H. Hackworth, Digest of International Law § 228, at 655–65 (1942); see Andrew Guzman, International Law: A Compliance Based Theory, 90 Cal. L. Rev. 1823, 1823–25 (2002).
- 119Ronald Charles Wolf, Trade, Aid, and Arbitrate: The Globalization of Western Law 26 (2004).
- 120See Zachary Elkins, Andrew T. Guzman, & Beth A. Simmons, Competing for Capital: The Diffusion of Bilateral Investment Treaties, 1960-2000, 2008 U. Ill. L. Rev. 265, 268–69 (2008).
- 121See, for example, Thomas E. Carbonneau, Carbonneau on International Arbitration: Collected Essays 126 (2011).
- 122Elkins, supra note 120, at 266.
- 123Daniel Ikenson, Policymakers Must Remove The Barriers To Foreign Investment In The United States, Forbes (Oct. 30, 2013), (https://perma.cc/457E-DKLJ).
- 124UNCTAD, World Investment Report 101 (2013).
- 125See Gus Van Harten, Investment Treaty Arbitration and Public Law 171 (2007).
- 126See Annie Lowrey, U.S. and China to Discuss Investment Treaty, but Cybersecurity Is a Concern, N.Y. Times (July 12, 2013), (http://www.nytimes.com/2013/07/12/world/asia/us-and-china-to-discuss-investment-treaty-but-cybersecurity-is-a-concern.html).
- 127Id.
- 128See, for example, Chen Weihua, US, China Hopeful of BIT After Talks Reignited, China Daily (July 13, 2013), (https://perma.cc/5CG6-JQVZ).
- 129See China Plans First Talks With U.S. Under Cybersecurity Dialogue, Bloomberg (July 5, 2013), (https://perma.cc/2LG7-9EUK).
- 130See, for example, Everett Rosenfeld, US-China Agree to Not Conduct Cybertheft of Intellectual Property, CNBC (Sept. 25, 2015), (https://perma.cc/KZ9B-ASL9).
- 131 18 U.S.C. § 1832.
- 132See Charles Doyle, Stealing Trade Secrets and Economic Espionage: An Overview of the Economic Espionage Act, CRS Report R42682 (2016), (https://perma.cc/967C-LWFD).
- 133 18 U.S.C. §§ 1030(a)(4), (e)(2).
- 134 18 U.S.C. § 2314.
- 135 18 U.S.C. § 1343.
- 136Pub. L. No. 114-153 (May 11, 2016).
- 137See Paul Eckert & Anna Yukhananov, U.S., China Agree to Restart Investment Treaty Talks, Reuters (July 12, 2013), (https://perma.cc/2MDR-2PA8).
- 138See Gaetan Verhoosel, The Use of Investor-State Arbitration Under Bilateral Investment Treaties to Seek Relief for Breaches of WTO Law, 6 J. Int’l Econ. L. 493, 495 (2003).
- 139See Wolfgang Alschner, Interpreting Investment Treaties as Incomplete Contracts: Lessons from Contract Theory, (SSRN ID No. 2241652, Mar. 31, 2013), (https://perma.cc/A3M3-GMA6).
- 140UNCTAD, Denunciation of the ICSID Convention and BITS: Impact on Investor-State Claims, IIA Issues Note, No. 2, 2010, UNCTAD/WEB/DIAE/IA/2010/6.
- 141UNCTAD, World Investment Report 2012: Towards a New Generation of Investment Policies, UNCTAD/WIR/2012 at 84 (2012).
- 142See UNCTAD, World Investment Report 2011: Non-Equity Modes of International Production and Development, UNCTAD/WIR/2011 at 102–03 (2011).
- 143See, for example, Doug Palmer, U.S. EU Launch Free Trade Talks Despite Spying Concerns, Ins. J. (July 9, 2013), (https://perma.cc/Z3DF-HQBM). But see James Fontanella-Khan, Data Protection Ruled Out of EU-US Trade Talks, Fin. Times (Nov. 4, 2013), (https://perma.cc/A3BP-8DP2) (“Brussels has ruled out a German push to include data protection rules in a proposed EU-US free trade pact.”).
- 144See Kevin Collier, Sen. Ron Wyden on the Problems with the Trans-Pacific Partnership, Daily Dot (Sept. 19, 2012), (https://perma.cc/6Q9L-SA8Q); New Zealand, Australia Leaders Press for TPP to Move Forward, Bridges (Feb. 23, 2017), (https://perma.cc/4C85-AV4Y).
- 145However, regarding the latter, while the WTO has been used as a forum to air broader concerns among the Member States, it has to date been a factor in the cybersecurity context because of provisions allowing nations to shirk their free trade commitments when they conflict with national security. See, for example, Allan A. Friedman, Cybersecurity and Trade: National Policies, Global and Local Consequences, Ctr. for Tech. Innovation at Brookings 10–11 (2013), (https://perma.cc/LD4M-ZFPV); James A. Lewis, Conflict and Negotiation in Cyberspace, Ctr. Strategic & Int’l Stud. at 48–51 (2013), (https://perma.cc/552F-5MK2).
- 146See, for example, Scott Shackelford, In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012, 64 Stan. L. Rev. Online 106, 111 (2012), (https://perma.cc/RL6Q-BEA7).
- 147Cf. Steven E. Feldman & Sherry L. Rollo, Extraterritorial Protection of Trade Secret Rights in China: Do Section 337 Actions at the ITU Really Prevent Trade Secret Theft Abroad?, 11 J. Marshall Rev. Intell. Prop. L. 522, 47 (2012); Gerald O’Hara, Cyber-Espionage: A Growing Threat to the American Economy, 19 CommLaw Conspectus 241, 253–54 (2010); Peter Swire & Kenesa Ahmad, Encryption and Globalization, 13 Colum. Sci. & Tech. L. Rev. 416, 475–76 (2012).
- 148Agreement on Trade-Related Aspects of Intellectual Property Rights, Apr. 15, 1994, Marrakesh Agreement Establishing the World Trade Organization, Annex 1C, 1869 U.N.T.S. 299 [hereinafter TRIPS].
- 149Id. at § 7, art. 39(1).
- 150See Marrakesh Agreement Establishing the World Trade Organization, Apr. 15, 1994, 1867 U.N.T.S. 154.
- 151Cf. Aaron Stanley, US Challenges China Over Compliance with WTO Ruling, Fin. Times (Jan. 13, 2014), (https://perma.cc/3H2W-8E3U).
- 152See Judith Hippler Bello, The WTO Dispute Settlement Understanding: Less is More, 90 Am. J. Int’l L. 416, 416–18 (1996).
- 153Kenneth J. Vandevelde, U.S. International Investment Agreements 214 (2009).
- 154An earlier version of this research was first published in Shackelford, supra note 10, at 263–311; Shackelford, From Net War to Nuclear War, supra note 14, at 216–19.
- 155See Viewpoint: 10 Big Myths About World War One Debunked, BBC (Feb. 25, 2014), (https://perma.cc/V99P-RVSP).
- 156See Caroline F. Ziemke, Peace Without Strings? Interwar Naval Arms Control Revisited, 15 Wash. Q., Autumn 1992, at 87 (1992).
- 157Id.
- 158Robin Ranger, Learning from the Naval Arms Control Experience, 10 Wash. Q. 47 (1987) (writing in the 1980s, but still with some application to the present).
- 159Emily O. Goldman, Sunken Treaties: Naval Arms Control Between the Wars 33–34 (1994).
- 160See Sean Watts, Regulation-Tolerant Weapons, Regulation-Resistant Weapons, and The Law of War, 91 Int'l L. Stud. 540, 540 (2015).
- 161Goldman, supra note 159, at 30.
- 162Id.
- 163James A. Lewis, The “Korean” Cyber Attacks and Their Implications for Cyber Conflict, Ctr. Strategic & Int’l Stud. 2 (Oct. 2009), (https://perma.cc/Y7GD-5MT8).
- 164See National Academies, supra note 9, at xi.
- 165See, for example, Kenneth Corbin, How Should the U.S. Respond to State-Sponsored Cyberattacks?, CIO (July 29, 2015), (https://perma.cc/7VPR-RPDS).
- 166See generally Herman Kahn, On Thermonuclear War (1960); Herman Kahn, Thinking About the Unthinkable (1962).
- 167Foreign & Int’l Law Comm., N.Y. County Lawyers’ Ass’n (NYCLA), On the Unlawfulness of the Use and Threat of Nuclear Weapons 5 (2000) [hereinafter NYCLA, Unlawfulness of Nuclear Weapons], (https://perma.cc/HZG2-ESH6).
- 168Id. at 4.
- 169Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226, at 266 (July 8).
- 170Id.
- 171Id. at 262.
- 172Lewis, supra note 163, at 4.
- 173See Legality of Nuclear Weapons, supra note 169, at 262.
- 174See North Sea Continental Shelf (Green./Den. v. Neth.), 1969 I.C.J. 41, at 72 (Feb. 20); Assessment of Customary International Law, Int’l Comm. of the Red Cross, (https://perma.cc/P8V5-VVYD) (“To establish a rule of customary international law, State practice has to be virtually uniform, extensive and representative.”).
- 175But see Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, Guardian (May 16, 2007), (https://perma.cc/W3J8-PBKL) (discussing state responses to the cyber attacks on Estonia).
- 176Cf. James Blitz, UK Becomes First State to Admit to Offensive Cyber Attack Capability, Fin. Times (Sept. 29, 2013), (https://perma.cc/JQY4-9ZCF).
- 177But see Neil C. Rowe et al., Challenges in Monitoring Cyberarms Compliance, 1 Int’l J. Cyber Warfare & Terrorism 1, 1, 12 (2011) (discussing the challenges of and potential paths to cyber arms control, including making use of digital forensics and usage monitoring to verify compliance).
- 178See Duncan Hollis, Should There Be an International Treaty on Cyberwarfare?, Opinio Juris (June 13, 2012), (https://perma.cc/4ERH-W2P7) (responding to a US News-sponsored debate on the desirability of an international cyber weapons treaty).
- 179Charlotte Hess & Elinor Ostrom, Introduction: An Overview of the Knowledge Commons, in Understanding Knowledge as a Commons: From Theory to Practice 3, 3 (Charlotte Hess & Elinor Ostrom eds., 2006).
- 180Id. at 5.
- 181See, for example, J. E. S. Fawcett, How Free Are the Seas?, 49 Int’l Aff. 14, 14 (1973).
- 182See Leo Gross, The Peace of Westphalia, 1648–1948, 42 Am. J. Int’l L. 20, 20, 26 (1948).
- 183Christopher C. Joyner, Governing the Frozen Commons: The Antarctic Regime and Environmental Protection 222 (1998); Geert van Calster, International Law and Sovereignty in the Age of Globalization, Int’l L. & Inst., at 2–3, (https://perma.cc/CZ8R-VKW8).
- 184See, for example, Mark E. Redden & Michael P. Hughes, Nat’l Def. Univ., SF No. 259, Global Commons and Domain Interrelationships: Time for a New Conceptual Framework?, 1–3 (2010), (https://perma.cc/54CY-8DAS).
- 185See Kemal Baslar, The Concept of the Common Heritage of Mankind in International Law xix–xx (1998).
- 186Id. at 225–26.
- 187See Paul Tassi, The Philippines Passes a Cybercrime Prevention Act that Makes SOPA Look Reasonable, Forbes (Oct. 2, 2012), (https://perma.cc/L672-8BLK).
- 188For more on these topics, see Shackelford, supra note 10, at 52–110.
- 189National Academies, supra note 9, at 296–97.
- 190See, for example, James W. Gabberty, Understanding Motives of Recent Cyber Attacks Against US, Hill Cong. Blog (Mar. 11, 2013), (https://perma.cc/5LML-TTNL).
- 191For more on this topic, see Shackelford, supra note 10, at 52–110.
- 192Julie J. C. H. Ryan, Daniel J. Ryan, & Eneken Tikk, Cybersecurity Regulation: Using Analogies to Develop Frameworks for Regulation, in International Cyber Security Legal & Policy Proceedings 76, 89 (Eneken Tikk & Anna-Maria Talihärm eds., 2010).
- 193See Thomas Graham Jr. et al., Spy Satellites and Other Intelligence Technologies that Changed History 36–38 (2007); Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies, Jan. 27, 1967, 18 U.S.T. 2410, 610 U.N.T.S. 205 (entered into force Oct. 10, 1967) [hereinafter OST]; National Academies, supra note 9, at 296–97.
- 194U.S. Dep’t Def., Off. Gen. Couns., An Assessment of International Legal Issues in Information Operations 26 (2d ed. 1999) [hereinafter DOD Assessment]; U.S. Dep’t Def., Cyberspace Policy Report 9 (2011).
- 195DOD Assessment, supra note 194, at 31.
- 196OST, supra note 193, at art. 4.
- 197See Jeremy Hsu, Is a New Space Weapon Race Heating Up?, Space.com (May 5, 2010), (https://perma.cc/8B5E-D9FX).
- 198Karl Grossman & Judith Long, Waging War in Space, The Nation (Dec. 9, 1999), (https://perma.cc/6U5B-C9EN) (emphasis in original).
- 199See, for example, Turner Brinton, Obama’s Proposed Space Weapon Ban Draws Mixed Response, Space.com (Feb. 4, 2009), (https://perma.cc/42FK-NQY9).
- 200See Press Release, General Assembly, Prevention of Outer Space Arms Race, Ratification of Nuclear Test-Ban Treaty Among Issues Addressed by Texts Introduced in First Committee, U.N. Press Release GA/DIS/3233 (Oct. 15, 2002), (https://perma.cc/J49G-XXPX); Hollis, supra note 178.
- 201See The 10 Countries Most Active in Space, Aerospace-Technology.com, available at (https://perma.cc/6Z92-XSVL) (last visited May 17, 2017).
- 202DOD Assessment, supra note 194, at 48.
- 203Id.
- 204Other space law treaties relating to liability claims resulting from space activities, registration of objects launched into space, the governance of the Moon, or satellite regulations have little if any applicability to cyber attacks and so are beyond the bounds of this study.
- 205Steven Cherry, Sons of Stuxnet, IEEE Spectrum (Dec. 14, 2011), (https://perma.cc/KW8X-MDY7).
- 206See Ronald L. Spencer, Jr., International Space Law: A Basis for National Regulation, in National Regulation of Space Activities 1, 4 (Ram S. Jakhu ed., 2010).
- 207See Frank A. Rose, Remarks at the UN Institute for Disarmament Research, Space Security Conference, in Geneva, Switzerland: Laying the Groundwork for a Stable and Sustainable Space Environment (Mar. 29, 2012), (https://perma.cc/6CLN-MY7T); COPUOS Space Debris Mitigation Guidelines (2010), U.N. OOSA, (https://perma.cc/4T99-E866) (last visited Nov. 11, 2013); Scott J. Shackelford, Governing the Final Frontier: A Polycentric Approach to Managing Space Weaponization and Debris, 51 Am. Bus. L.J. 429, 430 (2014).
- 208Antarctic Treaty art. 1, ¶ 1, Dec. 1, 1959, 12 U.S.T. 794, 402 U.N.T.S. 72 (defining “peaceful purposes” in Antarctica as banning “any measures of a military nature”).
- 209Id. at pmbl.
- 210See, for example, Jack Goldsmith, Cybersecurity Treaties: A Skeptical View, Hoover Inst., at 12, (https://perma.cc/P9HY-UQKD).
- 211But see Rowe et al., supra note 177, at 12 (making the case that cyber arms control is possible using current technology).
- 212See, for example, Net Losses: Estimating the Global Cost of Cybercrime, CSIS at 2 (2014), (https://perma.cc/75GL-V54K); Cyberattacks Fallout Could Cost the Global Economy $3 Trillion by 2020, Tech. Rep. (Feb. 20, 2014), (https://perma.cc/RTC2-VF9W).
- 213See Fiona Harvey, Climate Change is Already Damaging Global Economy, Report Finds, Guardian (Sept. 15, 2012), (https://perma.cc/2WEP-89TW).
- 214See Ostrom, supra note 31.
- 215For more on this area, see Shackelford & Fort, Sustainable Cybersecurity, supra note 16.
- 216See Paris Agreement, Eur. Comm’n, (https://perma.cc/QC2E-L6J6).
- 217See Key Achievements of the Montreal Protocol to Date, Ozone Secretariat, (https://perma.cc/7BVF-2QJR).
- 218For more on this topic, see Shackelford, On Climate Change and Cyber Attacks, supra note 16.
- 219See Key Powers Reach Compromise at Climate Summit, BBC News (Dec. 19, 2009), (https://perma.cc/BX4K-U3KP).
- 220White House, FACT SHEET: U.S.-China Joint Announcement on Climate Change and Clean Energy Cooperation, (https://perma.cc/M6TU-26LL).
- 221See Nell Greenfieldboyce, U.N. Holds Climate Talks In New York Ahead Of Paris Meeting, NPR (June 29, 2015), (http://www.npr.org/2015/06/29/418641168/u-n-holds-climate-talks-in-new-york-ahead-of-paris-meeting).
- 222Susan J. Buck, The Global Commons: An Introduction 85 (1998).
- 223See Christopher C. Joyner, Antarctica and the Law of the Sea: An Introductory Overview, 13 Ocean Dev. & Int’l L. 277, 281 (1983); Buck, supra note 222, at 86.
- 224Buck, supra note 222, at 86.
- 225Id. at 50, 87.
- 226How Much Water is There On, In, and Above the Earth?, U.S. Geological Serv., (https://perma.cc/W6AG-YVAY).
- 227Buck, supra note 222, at 91; Agreement Relating to the Implementation of Part XI of the United Nations Convention on the Law of the Sea of 10 December 1982, § 5, July 28, 1994, S. Treaty Doc. No. 103-39, 1836 U.N.T.S. 41; see David Shukman, Deep Sea Mining ‘Gold Rush’ Moves Closer, BBC (May 17, 2013), (https://perma.cc/K2JC-EC5Q).
- 228See U.N. Body Issues Exploration Contracts as Era of Deep Seabed Mining Nears, Japan Times (July 25, 2015), (https://perma.cc/7USX-GJHQ).
- 229United Nations Convention on the Law of the Sea, art. 19, ¶1, Dec. 10, 1982, 1833 U.N.T.S. 397 [hereinafter UNCLOS]; DOD Assessment, supra note 194, at 34.
- 230UNCLOS, art. 19(1)(c)–(d), (k).
- 231Id. art. 113. See also art. 21(1)(c) (granting coastal states the option of passing laws to protect cables and pipelines); DOD Assessment, supra note 194, at 37 (expanding on these arguments).
- 232UNCLOS, at art. 19(1).
- 233See DOD Assessment, supra note 194, at 37.
- 234John D. Negroponte et al., Defending an Open, Global, Secure, and Resilient Internet 14 (Council on Foreign Rel. Independent Task Force Rep. No. 70, 2013).
- 235See Buck, supra note 222, at 91.
- 236See DOD Assessment, supra note 194, at 4, 32–33.
- 237See International Telecommunication Union, U.N., (https://perma.cc/J7AR-EYS2).
- 238See Charles H. Kennedy & M. Veronica Pastor, An Introduction to International Telecommunications Law 30–33 (1996).
- 239For more on this topic, see Shackelford, supra note 10, at 3–51, 312–66.
- 240International Telecommunications Convention, Nairobi, annex 2, Nov. 6, 1982, 32 U.S.T. 3821 (emphasis added).
- 241Id. at n.1.
- 242But see Global Cybersecurity Index, supra note 109 (representing an effort by the ITU to enhance the transparency of global cybersecurity governance).
- 243DOD Assessment, supra note 194, at 33–34.
- 244Constitution of the International Telecommunications Union, art. 34, Dec. 22, 1992, (https://perma.cc/SS4V-EHTV).
- 245Id. at 34.
- 246See, for example, U.S.–Canada MLAT, S. Treaty Doc. No. 100–14; 100th Cong., 2nd Sess. Exec. Rept. 100–28; 100th Cong, 2nd Sess. Exec. Rept 101–10; 101st Cong., 1st Sess. XXIV ILM No. 4, 7/85, 1092–99.
- 247See U.S.–Russia MLAT, S. Treaty Doc. No. 106–22 (1999).
- 248DOD Assessment, supra note 194, at 33; see U.S. Treaties of Extradition, Cornell Univ. Law School, at 6–9, (https://perma.cc/T8XQ-FA5L).
- 249DOD Assessment, supra note 194, at 35.
- 250See, for example, Gail Kent, The Mutual Legal Assistance Problem Explained, Ctr. Internet & Soc’y (Feb. 23, 2015), (https://perma.cc/3E45-Q8Y7).
- 251Id. at 38; see Vienna Convention on Diplomatic Relations, arts. 2, 24, 27, 30, Apr. 18, 1961, 23 U.S.T. 3227, (https://perma.cc/99QD-F6VX).
- 252See, for example, Eduard Kovacs, DDoS Attack Targets Russian Embassy Website, Softpedia (Sept. 12, 2011), (https://perma.cc/2APU-AXWK); Cyber War on Japanese Embassies, Expatica (Oct. 26, 2011), (https://perma.cc/ST43-5DPZ).
- 253See US Expels Venezuela’s Miami Consul Livia Acosta Noguera, BBC (Jan. 9, 2012), (http://perma.cc/NWC8-NF2R).
- 254See Implementation of the Virtual Data Embassy Solution, Estonian Ministry of Economic Aff. & Comm., (http://perma.cc/73P8-QJ3R).
- 255See DOD Assessment, supra note 194, at 39.
- 256See generally Schmitt, supra note 12 (exploring the contours of available countermeasures under international cybersecurity law).
- 257G.A. Res. 58/32, U.N. Doc. A/RES/58/32 (Dec. 8, 2003); G.A. Res. 59/61, U.N. Doc. A/RES/59/61 (Dec. 3, 2004); G.A. Res. 60/45, U.N. Doc. A/RES/60/45 (Jan. 6, 2006); G.A. Res. 61/54, U.N. Doc. A/RES/61/54 (Dec. 19, 2006); G.A. Res. 62/17, U.N. Doc. A/RES/62/17 (Jan. 8, 2008); G.A. Res. 63/37, U.N. Doc. A/RES/63/37 (Jan. 9, 2009); G.A. Res. 64/25, U.N. Doc. A/RES/64/25 (Jan. 14, 2010).
- 258See Nancy Scola, ICANN Chief: “The Whole World is Watching” the U.S.’s Net Neutrality Debate, Wash. Post (Oct. 7, 2014), (https://perma.cc/YAU4-8C48).
- 259Brandon Valeriano & Ryan C. Maness, The Coming Cyberpeace: The Normative Argument Against Cyberwarfare, Foreign Aff. (May 13, 2015), (https://perma.cc/ZF6E-VEGY).
- 260Paul D. Aligica & Vlad Tarko, Polycentricity: From Polanyi to Ostrom, and Beyond, 25 Governance 237, 244 (2012).
- 261Id. at 245.
- 262Id. at 238.
- 263Id.
- 264Id.
- 265Id.
- 266Aligica & Tarko, supra note 260, at 238.
- 267Id. at 239.
- 268Id. at 240.
- 269Id.
- 270Id.
- 271See Eli Dourado, Is There a Cybersecurity Market Failure? (George Mason Univ. Mercatus Ctr., Working Paper No. 12–05, 2012), (https://perma.cc/C49M-LGTY) (arguing that market failures are not so common in the cybersecurity realm); Jerry Brito & Tate Watkins, Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy, 3 Harv. Nat’l Sec. J. 39, 82 (2011) (making the case against there being a cybersecurity market failure).
- 272Aligica & Tarko, supra note 260, at 242.
- 273Id.
- 274Id.
- 275See Elinor Ostrom, Polycentric Systems: Multilevel Governance Involving a Diversity of Organizations, in Global Environmental Commons: Analytical and Political Challenges Involving a Diversity of Organizations 105, 117 (Eric Brousseau et al. eds., 2012).
- 276Cost-benefit analysis in the cybersecurity context is challenging both because of the difficulty in defining all the associated costs of a successful data breach as well as determining an investment strategy to identify and instill technological, budgetary, and organizational best practices. See, for example, Gregory J. Touhill & Joseph Touhill, Cybersecurity for Executives: A Practical Guide 31 (2014).
- 277See Ostrom, supra note 275, at 118 & tbl. 5.3.
- 278Fact Sheet: White House Summit on Cybersecurity and Consumer Protection, (https://perma.cc/S68Y-WPJ6).
- 279See Robinson, supra note 7.
- 280G7 Leaders, supra note 6.
- 281G20 Communiqué, supra note 5.
- 282Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN General Assembly, A/70/174 (July 22, 2015).
- 283See, for example, John G. Ruggie, Just Business: Multinational Corporations and Human Rights 78 (2013).
- 284See Martha Finnemore & Kathryn Sikkink, International Norm Dynamics and Political Change, 52 Int’l Org. 887, 895–98 (1998).
- 285Michael D. McGinnis, Elinor Ostrom: Politics as Problem-Solving in Polycentric Settings, in Elinor Ostrom and the Bloomington School of Political Economy 281, 285 (Daniel H. Cole & Michael D. McGinnis eds., 2014).
- 286Finnemore & Sikkink, supra note 284, at 859.
- 287For more on regime effectiveness in the cybersecurity context, see Shackelford, supra note 10; Shackelford, On Climate Change and Cyber Attacks, supra note 16.
- 288See Oona A. Hathaway et al., The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 880 (2012).
- 289Group of Governmental Experts, supra note 282.
- 290Andrew W. Murray, The Regulation of Cyberspace: Control in the Online Environment 203–04 (2006).
- 291Id. at 205.
- 292See Christopher C. Joyner & Catherine Lotrionte, Information Warfare as International Coercion: Elements of a Legal Framework, 12 Eur. J. Int’l L. 825, 858–59 (2001).
- 293See Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent, 43 Vand. J. Transnat’l L. 57, 57 (2010).
- 294See Denver Nicks, Report: Usefulness of NSA Mass Surveillance ‘Overblown,’ Time (Jan. 13, 2014), (https://perma.cc/CP73-FWNW).
- 295Oliver Wendell Holmes, Jr., The Common Law 1 (1923).
- 296See Mary Ellen O’Connell, Cyber Security without Cyber War, 17 J. Conflict & Sec. L. 187, 187 (2012).