When is Cyber Defense a Crime? Evaluating Active Cyber Defense Measures Under the Budapest Convention
As cyberattacks increase in frequency and intensity around the globe, private actors have turned to more innovative cyber defense strategies. For many, this involves considering the use of cutting-edge active cyber defense measures—that is, tactics beyond merely erecting firewalls and installing antivirus software that permit cyber defenders to detect and respond to threats in real time. The legality of such measures under international law is a subject of intense debate because of definitional uncertainty surrounding what qualifies as an “active” cyber defense measure. This Comment argues that active defense measures that do not rise to the level of a cybercrime are permissible under international law. Accordingly, it analyzes the Budapest Convention, the only binding international instrument related to cybercrime, and uses its definition of illegal conduct under international law to construct a “stoplight framework” to guide cyber defenders in their actions. Ultimately, this Comment concludes that cyber defenders have a “green light” to use purely passive measures, such as monitoring one’s own network traffic, because these measures are highly unlikely to involve conduct the Budapest Convention criminalizes. Active-passive measures, such as attaching code to intruders that tracks them back to their home base, can in some cases be justified under exceptions to the Convention; accordingly, cyber defenders should proceed with caution. Finally, outright active defense measures nearly always rise to the level of offense conduct under the Budapest Convention, and should not be used. This analysis provides needed clarity as to the legality of conduct in cyberspace, and provides cyber defenders with the guideposts they need to confidently innovate in today’s complex cyber landscape.
Imagine that you are the systems administrator at a major, multinational power company. Recognizing the vital role your networks play in safely delivering energy to consumers around the world, you are motivated to implement the most state-of-the-art security measures that you can afford.
You then decide to set up a “honeypot”—a part of your system designed to be attractive to attackers and that no one has any legitimate motive to access. Soon, traffic begins to flow, and your dedicated team of cyber defenders monitors it. As time passes, they analyze the traffic to figure out who is intruding, carefully tracing it back to its source when possible. Some of the intruders have masked their locations by routing their activities through multiple IP addresses, and it is impossible to determine their identities. Those intruders are expelled from the system and the firewalls are updated to keep them out.
When intruders can be identified, your defenders follow them back to their own networks and investigate those networks in order to learn more about who is accessing the honeypot. After gleaning as much information as possible, a defender shuts off the traffic flowing from that entity in order to stop the attack.
Many of the tactics used in the above scenario are considered to be “active cyber defense” measures.[1]
[1] See, for example, Wyatt Hoffman & Ariel (Eli) Levite, Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace?, Carnegie Endowment for Int’l Peace (June 14, 2017), http://perma.cc/CKL9-HE5M.
[2] See, for example, Center for Cyber & Homeland Security, Geo. Wash. U., Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats, 7 (2016), http://perma.cc/SAX8-4LW3.
[3] Id. at 9.
International criminal law, as it relates to cyberspace, provides a guidepost as to which actions are and are not permissible—even if taken in self-defense. Although a substantial portion of scholarship examining international law in cyberspace focuses on applying the laws of armed conflict, those analogs are not useful when addressing intrusions that do not rise to the level of a “use of force.”[4]
[4] See Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int'l L. 191, 202–03 (2018).
[5] See id. at 204 (“For most transnational cyber offenses…the offense does not constitute an Article 51 ‘armed attack’ or a ‘resort to armed force’…”).
[6] See id. at 203.
This Comment seeks to fill that gap by analyzing and applying international law related to cybercrime, as set forth in the Council of Europe’s Convention on Cybercrime (hereinafter “the Budapest Convention” or “the Convention”). The Convention is the only legally binding international instrument delineating when an action in cyberspace becomes a crime. By filtering the active cyber defense discussion through the prism of what constitutes a cybercrime under international law, this Comment articulates a new boundary as to which defensive actions are permissible in cyberspace.
Developing a method to analyze and categorize defensive approaches in this fashion is critical, as the current approach to cybersecurity requires innovation. The frequency of successful cyberattacks—from the WannaCry ransomware attack that struck hospitals in the United Kingdom,[7]
[7] See Lily Hay Newman, The Ransomware Meltdown Experts Warned Us About is Here, WIRED (May 12, 2017, 2:03 PM), http://perma.cc/A3J5-6WKK.
[8] See Brendan I. Koerner, Inside the Cyberattack That Shocked the US Government, WIRED (Oct. 23, 2016, 5:00 PM), http://perma.cc/Y7FY-DE5F.
[9] See Nicole Perlroth, Hackers are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say, N.Y. Times, July 6, 2017, at B5.
[10] See Alyza Sebenius, Writing the Rules of Cyberwar, The Atlantic (June 28, 2017), http://perma.cc/ZR8J-QR9G.
This quest to match the creativity and agility of cyberattackers has involved the use of active defense measures. These strategies permit defenders to detect and expel intruders from networks faster and might deter illegitimate access more effectively. This outcome is preferable for large, for-profit corporations because relying on the processes of international or domestic law to cure violations after the fact can be unsatisfying. The financial and reputational impacts of these attacks are difficult to fully remedy. Once the personal data of millions of people is leaked, or the power grid has been shut off, it is difficult to recover the full cost of the cyber incident. Empowering system administrators and operators to identify and address intrusions in real time would be more effective at stopping an attack before these consequences occur.[11]
[11] See Jay P. Kesan & Carol M. Hayes, Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace, 25 Harv. J. L. & Tech. 429, 474 (2012).
As professionals increasingly explore active cyber defense as a solution to these problems, an analysis of how to do so in a way that comports with international law is extremely important. As it stands, “[e]ven though counterstrikes are currently of questionable legality, counterstrikes have already been occurring on the internet over the last decade, initiated by both government and private actors.”[12]
[12] Id. at 475.
[13] International Telecommunications Union Res. 102, The Plenipotentiary Conference of the International Telecommunications Union (2014), http://perma.cc/TGD5-ZGE8.
Section II of this Comment discusses the relevant international law related to cybercrime as set forth in the Budapest Convention. This Section analyzes activities the Convention requires signatories to criminalize that are relevant to the types of actions taken as part of an active defense strategy. In order to develop as accurate an understanding as possible, this Section draws upon guidance documents produced by the Council of Europe to aid in interpreting the Convention.
In Section III, this Comment defines the term “active cyber defense” and proposes a spectrum of cyber defenses. This Comment, based on a survey of the active defense literature, divides this spectrum into three categories of defenses. First, passive measures are those that, despite their inclusion under the active defense umbrella, do not involve taking any external action. They are deployed internally on an entity’s own network. Second, there are “active” passive measures—defenses that may be set up and operated on an entity’s own network, with occasional external consequences. Finally, there are active defense measures. These are purely external to the network and are targeted and deployed specifically to end an attack or an intrusion. International law has different implications for each of these categories.
Finally, in Section IV, this Comment will apply those laws to the proposed cyber defense spectrum and distinguish between lawful defenses and unlawful cybercrimes. This application suggests that cybersecurity professionals are almost always justified in employing passive defense measures. Indeed, these are rarely even implicated by the Convention, as they operate entirely internally to an entity’s network. As for active-passive measures, their permissibility depends upon whether they qualify as one of three potential defenses suggested as justified by the Convention. Finally, purely active defense measures are almost never permissible under the Convention, and therefore are generally unlawful under international law.
Categorizing measures in this way should help to clarify the boundaries within which cyber defenders must work when it comes to innovating and advancing cyber defense.
The Budapest Convention,[14]
[14] Convention on Cybercrime, Nov. 23, 2001, T.I.A.S. 13174, E.T.S. No. 185, http://perma.cc/4KKP-2YM7 [hereinafter Budapest Convention].
[15] Budapest Convention and Related Standards, Council of Eur., http://perma.cc/C34X-EUJF.
[16] Budapest Convention, supra note 14, at 2.
[17] See id.
[18] Chart of Signatures and Ratifications of Treaty 185, Council of Eur., http://perma.cc/57D7-XPBF.
The Convention approaches these goals from three different angles. First, it standardizes the domestic criminal law related to cybercrime in states that are party to (and therefore bound by) the Budapest Convention (hereinafter “States Party”). Second, it motivates the creation of the necessary criminal procedural laws to investigate and prosecute cybercrime within States Party. Finally, it establishes an agile international cooperation regime.[19]
[19] See generally Budapest Convention, supra note 14.
[20] Council of Eur., Explanatory Report to the Convention on Cybercrime (Nov. 23, 2001), ¶ 18, http://perma.cc/A6XF-647V [hereinafter Explanatory Report].
The Convention further delineates several procedural law issues, including expedited preservation of stored data, expedited preservation and partial disclosure of traffic data, production order, search and seizure of computer data, real-time collection of traffic data, and interception of content data.[21]
[21] Id. at ¶ 19.
[22] Budapest Convention, supra note 14, at art. 35.
Additionally, the Council of Europe published several guidance documents to aid in the interpretation of the Convention. Although these documents “[do] not constitute [instruments] providing an authoritative interpretation of the Convention,” they “might be of such a nature as to facilitate the application of the provisions contained therein.”[23]
[23] Explanatory Report, supra note 20, at 1.
[24] Cybercrime Convention Committee, T-CY Guidance Note #3: Transborder Access to Data (Article 32), at 3 (Dec. 2–3, 2014), http://perma.cc/494T-7EHG.
The Explanatory Report, for example, defines “computer system” as
a device consisting of hardware and software developed for automatic processing of digital data. It may include input, output, and storage facilities. It may stand alone or be connected in a network with other similar devices [sic] “Automatic” means without direct human intervention, “processing of data” means that data in the computer system is operated by executing a computer program . . . A computer system usually consists of different devices, to be distinguished as the processor or central processing unit, and peripherals. A “peripheral” is a device that performs certain specific functions in interaction with the processing unit, such as a printer, video screen, CD reader/writer or other storage device.[25]
[25] Explanatory Report, supra note 20, at ¶ 23.
“[C]omputer program” is defined as “a set of instructions that can be executed by the computer to achieve the intended result.” Id.
“[N]etwork” is defined as
an interconnection between two or more computer systems. The connections may be earthbound (e.g., wire or cable), wireless (e.g., radio, infrared, or satellite), or both. A network may be geographically limited to a small area (local area networks) or may span a large area (wide area networks), and such networks may themselves be interconnected . . . What is essential is that data is exchanged over the network.
Id. at ¶ 24.
All of the procedures established by the Convention are limited by a concern for preserving human rights, including those enshrined in the European Convention for the Protection of Human Rights and Fundamental Freedoms, the U.N. International Covenant on Civil and Political Rights, and other similar instruments.[26]
[26] See Budapest Convention, supra note 14, at art. 15.
[27] Id. Proportionality encompasses the idea “that a State’s acts must be a rational and reasonable exercise of means towards achieving a permissible goal, without unduly encroaching on protected rights of either the individual or another State.” Emily Crawford, Proportionality, in Max Planck Encyclopedia of Public International Law ¶ 1 (2011), http://perma.cc/YJ8E-VB5C.
Notably, however, countries such as Russia, China, and India, among others, have not ratified the Convention.[28]
[28] Joyce Hakmeh, Building a Stronger International Legal Framework on Cybercrime, Chatham House (June 6, 2017), http://perma.cc/TJT5-MMQB.
[29] Id.
[30] Id.
[31] Id.
The Budapest Convention requires States Party to adopt legislation or other measures that criminalize intentional commission of certain offenses. These include, as relevant to the topic of active cyber defense: illegal access to computer systems, illegal interception of data, data interference, system interference, misuse of devices, computer-related forgery, and computer-related fraud. This Comment only discusses these offenses as they are most relevant to the types of actions undertaken as part of mounting an active cyber defense.
These offenses are further punished in their inchoate form via Article 11, which requires States Party to criminalize both “aiding and abetting” and “attempting” the delineated offenses.[32]
[32] Budapest Convention, supra note 14, at art. 11.
[33] Id. at art. 12.
[34] Id. at art. 13.
The Convention also provides guidance on jurisdiction, noting that States Party have jurisdiction over offenses committed within their respective territories, on a ship flying the state’s flag, on an aircraft registered under the laws of the State Party, or by a national of the State Party if the offense is criminalized in the State where the crime is committed or if it “is committed outside the territorial jurisdiction of any State.”[35]
[35] Id. at art. 22.
[36] Budapest Convention, supra note 14, at art. 22.
In exchange for the promise to criminalize these offenses, the Convention provides extensive processes and procedures for mutual assistance and information sharing.[37]
[37] See id. at arts. 25–26.
[38] Id. at art. 25.
[39] Id. at art. 26.
[40] Budapest Convention, supra note 14, at art. 25.
States Party may only undertake two specific actions without authorization from another Party. First, States Party may “access publicly available (open source) stored computer data, regardless of where the data is located geographically.”[41]
[41] Id. at art. 32.
[42] Id.
In summary, the Convention requires States Party to criminalize certain delineated offenses in exchange for assurances of help in bringing those who commit those offenses to justice. It attempts to construct an investigatory framework that respects national sovereignty while still incentivizing cooperation over self-help.
Depending on how they are developed and executed, many potential components of an active cyber defense strategy could rise to the level of offenses prohibited by the Budapest Convention. In order to understand where the Convention draws this line, this Section further details the relevant offenses and the behavior they target. Specifically, those offenses are illegal access to computer systems, illegal interception of data, data interference, system interference, misuse of devices, computer-related forgery, and computer-related fraud. This Section will also discuss the inchoate form of these offenses, as well as potential corporate liability.
1. Illegal Access to Computer Systems
The Budapest Convention criminalizes illegal access to computer systems,[43]
[43] Budapest Convention, supra note 14, at art. 2.
[44] Cybercrime Convention Committee, T-CY Guidance Note #1: On the Notion of “Computer System” at 3 (Dec. 2012), http://perma.cc/S78P-VYHC.
[45] Budapest Convention, supra note 14, at art. 1.
According to the Explanatory Report, “illegal access” encapsulates “dangerous threats to and attacks against the security … of computer systems and data.”[46]
[46] Explanatory Report, supra note 20, at ¶ 44; see Budapest Convention, supra note 14, at art. 2.
[47] Explanatory Report, supra note 20, at ¶ 44.
[48] Id.
[49] Id. at ¶ 46.
[50] Id.
When it comes to actually criminalizing conduct, the Explanatory Report provides that States Party are welcome to take a broad approach and criminalize hacking in general.[51]
[51] Explanatory Report, supra note 20, at ¶ 50.
[52] Id.
[53] Budapest Convention, supra note 14, at art. 2 (emphasis added).
2. Illegal Interception of Data
The illegal interception of non-public transmissions of computer data to, from, or within a computer system using technical means is treated as a crime under the Budapest Convention.[54]
[54] Id. at art. 3.
[55] Explanatory Report, supra note 20, at ¶ 51.
The Explanatory Report clarifies that all forms of electronic transfer can give rise to an Article 3 offense. According to the Report, interception by “technical means” involves “listening to, monitoring or surveillance of the content of communications, [] the procuring of the content of data either directly, through access and use of the computer system, or indirectly, through the use of electronic eavesdropping or tapping devices.”[56]
[56] Id. at ¶ 53.
[57] Id.
“Technical means,” according to the Report, include “technical devices fixed to transmission lines as well as devices to collect and record wireless communications” and “may include the use of software, passwords, and codes.”[58]
[58] Id.
[59] Explanatory Report, supra note 20, at ¶ 53.
Article 3 offenses apply to “non-public” transmissions of computer data—that is, the transmission, and not the data, is what is non-public. Indeed, the data may well be public information that parties wish to communicate confidentially, or even data “kept secret for commercial purposes.”[60]
[60] Id. at ¶ 54.
[61] Id.
[62] Id. at ¶ 58.
[63] Explanatory Report, supra note 20, at ¶ 58.
[64] Id. at ¶ 55.
Finally, the Convention requires that an interception be committed “intentionally” and “without right” for criminal liability to attach.[65]
[65] Id. at ¶ 58.
[66] Id.
[67] Explanatory Report, supra note 20, at ¶ 58.
3. Data Interference
“The damaging, deletion, deterioration, alteration, or suppression of computer data” is considered a criminal offense under the Budapest Convention.[68]
[68] Budapest Convention, supra note 14, at art. 4.
[69] Explanatory Report, supra note 20, at ¶ 60.
[70] Id.
[71] Explanatory Report, supra note 20, at ¶ 61.
[72] Id.
[73] Id.
The Report clarifies that this offense covers “[t]he input of malicious codes, such as viruses and Trojan horses,”[74]
[74] A “Trojan horse” is defined as “a type of malware that is often disguised as legitimate software.” What is a Trojan Virus? - Definition, Kaspersky, http://perma.cc/N5JE-9CVZ.
[75] Explanatory Report, supra note 20, at ¶ 61.
[76] Explanatory Report, supra note 20, at ¶ 62.
[77] Id.
[78] Id.
[79] Id. (emphasis added).
4. System Interference
The Budapest Convention criminalizes “the serious hindering . . . of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data.”[80]
[80] Budapest Convention, supra note 14, at art. 5.
[81] Explanatory Report, supra note 20, at ¶ 65.
[82] Id. at ¶¶ 66–67.
States Party are permitted to “require a minimum amount of damage to be caused in order for the hindering to be considered serious.”[83]
[83] Id. at ¶ 67.
[84] Id.
[85] Explanatory Report, supra note 20, at ¶ 69.
[86] Id.
5. Misuse of Devices
Under the Budapest Convention, “the production, sale, procurement for use, import, distribution or otherwise making available of” devices and computer programs “designed or adapted primarily for the purpose of committing” illegal access, illegal interception, data interference, or system interference is a crime.[87]
[87] Budapest Convention, supra note 14, at art. 6.
[88] Id.
[89] Id.
[90] Id.
[91] Id.
Article 6 targets the black market for the various tools required to perpetrate cyberattacks and intrusions.[92]
[92] Explanatory Report, supra note 20, at ¶ 71; Budapest Convention, supra note 15, at art. 6.
[93] Explanatory Report, supra note 20, at ¶ 71.
[94] Id.
[95] Id. at ¶ 72.
[96] Id.
After extensive debate, the drafters elected not to restrict the category of devices to “those which are designed exclusively or specifically for committing offenses.”[97]
[97] Id. at ¶ 73.
[98] Id.
[99] Explanatory Report, supra note 20, at ¶ 73.
[100] Id. at ¶¶ 73, 75.
The drafters did not intend to criminalize possession of devices that are “produced and put on the market for legitimate purposes.”[101]
[101] Id. at ¶ 76.
[102] Id.
[103] Id.
6. Computer-Related Forgery
“[T]he input, alteration, deletion, or suppression of computer data, resulting in inauthentic data with the intent that it be considered or acted upon for legal purposes as if it were authentic” is treated as a crime under the Budapest Convention.[104]
[104] Budapest Convention, supra note 14, at art. 7.
This offense was intended to “parallel” the offense of forging documents in the physical world.[105]
[105] Explanatory Report, supra note 20, at ¶ 81.
[106] Id.
[107] Id.
[108] Id. at ¶ 82.
[109] Id.
Because the data referred to in this provision is equivalent to a document with legal effects, “[t]he unauthorized ‘input’ of correct or incorrect data brings about a situation that corresponds to the making of a false document.”[110]
[110] Id. at ¶ 83.
[111] Id.
[112] Id.
[113] Id. at ¶ 84.
[114] Id. at ¶ 85.
7. Computer-Related Fraud
The Budapest Convention criminalizes “the causing of a loss of property to another person by: (a) any input, alteration, deletion or suppression of computer data; (b) any interference with the functioning of a computer system, with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.”[115]
[115] Budapest Convention, supra note 14, at art. 8.
The purpose of Article 8 is to “criminalize any undue manipulation in the course of data processing with the intention to effect an illegal transfer of property.”[116]
[116] Explanatory Report, supra note 20, at ¶ 86.
[117] Id. at ¶ 87.
Manipulations—whether of data, systems, hardware, or otherwise—under this section “are criminalized if they produce a direct economic or possessory loss of another person’s property and the perpetrator acted with the intent of procuring an unlawful economic gain for himself or for another person.”[118]
[118] Id. at ¶ 88.
[119] Id.
[120] Id. at ¶ 90.
[121] Id.
8. Inchoate Offenses and Corporate Liability
Article 11 of the Budapest Convention requires States Party to criminalize both “aiding and abetting” and “attempt[ing]” the delineated offenses.[122]
[122] Budapest Convention, supra note 14, at art. 11.
[123] Id. at art. 12.
[124] Id. at art. 13.
The Explanatory Report provides helpful guidance on these provisions. The Convention requires States Party to criminalize aiding and abetting the commission of any offense listed in Articles 2–10, but does not require the same for attempts.[125]
[125] Explanatory Report, supra note 20, at ¶¶ 118–19.
[126] Id. at ¶¶ 118, 120.
[127] Id. at ¶ 120.
[128] Id. at ¶ 122.
[129] Id.
As to aiding and abetting, liability attaches “where the person who commits a crime established in the Convention is aided by another person who also intends that the crime be committed.”[130]
[130] Id. at ¶ 119.
[131] Explanatory Report, supra note 20, at ¶ 119.
Regarding corporate liability, the Explanatory Report explains that Article 12 is “intended to impose liability on corporations, associations and similar legal persons for the criminal actions undertaken by a person in a leading position within such legal person, where undertaken for the benefit of that legal person.”[132]
[132] Id. at ¶ 123.
[133] Id.
Paragraph 1 of Article 12 sets forth four conditions that must be met in order to establish corporate liability. An offense described in the Convention must be committed first, by a person, second, with a leading position, third, who is acting within the scope of his or her authority, and fourth, for the benefit of the legal person.[134]
[134] Id. at ¶ 124.
[135] Id.
[136] Id.
The Article also provides for the imposition of liability when the crime is committed by a person “acting under the legal person’s authority”—that is, “one of its employees or agents acting within the scope of their authority.”[137]
[137] Explanatory Report, supra note 20, at ¶ 125.
[138] Id.
The Explanatory Report notes that “failure to supervise should be interpreted to include failure to take appropriate and reasonable measures to prevent employees or agents from committing criminal activities on behalf of the legal person,” and it sets out a few factors that can be used to evaluate what constitutes an “appropriate and reasonable” measure.[139]
[139] Id.
[140] Id.
[141] Id.
9. Sanctions
As to the sanctions put in place to penalize the criminalized offenses, the Convention requires States Party to implement punishments that are “effective, proportionate and dissuasive” and include the possibility of a term of imprisonment for natural persons.[142]
[142] Id. at ¶ 128.
[143] Budapest Convention, supra note 14, at art. 13; Explanatory Report, supra note 20, at ¶ 129.
[144] Explanatory Report, supra note 20, at ¶ 129.
[145] Id. at ¶ 130.
The Convention repeatedly states that the conduct it prohibits is conduct done “without right.”[146]
[146] See generally Budapest Convention, supra note 14.
[147] Paul Rosenzweig, International Law and Private Actor Cyber Defense Measures, 50 Stan. J. Int’l L. 103, 108–109 (2014) (citing Explanatory Report, supra note 20, at ¶ 38).
[148] Explanatory Report, supra note 20, at ¶ 38.
[149] Id.
[150] Rosenzweig, supra note 147, at 109.
[151] Explanatory Report, supra note 20, at ¶ 47.
Furthermore, the Explanatory Report clarifies that the Convention’s framers did not intend to criminalize “legitimate and common activities inherent in the design of networks or legitimate and common operating or commercial practices.”[152]
[152] Id. at ¶ 38.
[153] Id.
The Explanatory Report also takes up the issue of Article 32, which permits States Party to access certain types of data without authorization.[154]
[154] Budapest Convention, supra note 14, at art. 32.
[155] Explanatory Report, supra note 20, at ¶ 293.
[156] Id.
[157] Id.
The Report outlines these two situations: 1) when the data is publicly available anyway, and 2) when “the Party has accessed or received data located outside of its territory through a computer system in its territory, and it has obtained the lawful and voluntary consent of the person who has lawful authority to disclose the data to the Party through that system.”[158]
[158] Id. at ¶ 294.
[159] Id. at ¶ 294.
The Council further published a Guidance Note specifically related to Article 32.[160]
[160] Cybercrime Convention Committee, supra note 24, at 3.
[161] Id.
[162] Id. at 4.
[163] Id. at 3, 6.
[164] Id. at 6.
[165] Id.
[166] Cybercrime Convention Committee, supra note 24, at 6.
However, the Note also specifies that Article 32(b) is only to be applied within the context of criminal investigations conducted pursuant to Article 14.[167]
[167] Id. at 5.
[168] Budapest Convention, supra note 14, at art. 14.
[169] Cybercrime Convention Committee, supra note 24, at 7.
This Section constructs a working definition of active cyber defense. To do so, this Section reviews the general status of cybersecurity, discusses the various definitions, merits, and drawbacks of active cyber defense as put forth in existing literature, and defines a spectrum of cyber defensive measures. The legality of conduct on this spectrum will be analyzed in greater detail in Section IV.
Nearly every internet-connected global citizen—from multinational corporations, to governments, to individuals—is vulnerable to malicious cyber activities. Cybersecurity measures aim to keep hackers from accessing “assets belonging to or connecting to an organization’s network.”[170]
[170] What is Cyber Security?, FireEye Resources, http://perma.cc/T427-2UTZ.
[171] A “network” is a “system that transmits data between users,” including devices belonging to those users (like phones, tablets, and computers), as well as equipment connecting those devices (like servers and routers). Definition of: network, PCMag Encyclopedia (2019), http://perma.cc/V4KQ-9PJX. A “server” is “[a] computer system in a network that is shared by multiple users,” and a “router” is a device on a network that forwards information from one network to another. See Definition of: server, PCMag Encyclopedia (2019), http://perma.cc/6BM3-4VFA; Definition of: router, PCMag Encyclopedia (2019), http://perma.cc/3U54-UL4L. A “system” can be conceived of as “[a] group of related components that interact to perform a task.” Definition of: system, PCMag Encyclopedia (2019), http://perma.cc/8JS5-5X5B.
These types of attacks are perpetrated using malware. “Malware,” an abbreviated form of “malicious software,” is designed and used to access and, in many cases, harm a computer.[172]
[172] What is malware and how can we prevent it?, Norton Security Center, http://perma.cc/LC6Y-G6QF.
[173] Id.
[174] “Phishing” occurs when an attacker uses a fake email sent to company employees to gain access to an otherwise protected system. “Spearphishing” occurs when an attacker specifically targets an employee of a certain stature so as to gain access to an identity with better access privileges than the average employee. See Kim Zetter, Hacker Lexicon: What is Phishing?, WIRED (Apr. 7, 2015), http://perma.cc/739D-KWSG.
[175] Watering hole attacks “compromise a website commonly visited by targets to hack victims’ computers.” Andy Greenberg, Hackers Gain Direct Access to U.S. Power Grid Controls, WIRED (Sept. 6, 2017), http://perma.cc/6BUT-5AYX.
Hackers[176]
[176] Although hackers can be government-sponsored or members of organized crime syndicates, the most serious challenges to cybersecurity are posed by “private criminals interested in private gain.” See Mary Ellen O’Connell, Cyber Security Without Cyber War, 17 J. Conflict & Sec. L. 187, 191 (2012).
[177] Alison DeNisco Rayome, 2017 was ‘worst year ever’ in data breaches and cyberattacks, thanks to ransomware, TechRepublic (Jan. 25, 2018), http://perma.cc/EZ48-AMRG.
[178] See, for example, Josh Horwitz & Cate Cadell, Chinese chipmaker’s ambitions come unstuck with US Indictment, Reuters (Nov. 2, 2018), http://perma.cc/2GBB-EZQ6; see also Koerner, supra note 8; Newman, supra note 7.
[179] See Newman, supra note 7.
[180] Id.
[181] Id.
The number of successful cyberattacks alone indicates that the cyber defense status quo is not working. The current approach to cybersecurity tends to overwhelmingly rely on static measures—that is, passive security measures intended to deny attackers access to systems without daily human involvement.[182]
[182] Robert M. Lee, The Sliding Scale of Cybersecurity, SANS Institute, 1, 8 (Aug. 2015), http://perma.cc/TU3K-XEFU.
[183] Id.
[184] Kesan & Hayes, supra note 11, at 474; Rosenzweig, supra note 17, at 103–04.
[185] “Duck and cover” refers to the Cold War-era drills conducted in schools in which students were instructed to duck under their desks for cover in the event of a nuclear attack. Sarah Pruitt, How ‘Duck-and-Cover’ Drills Channeled America’s Cold War Anxiety, HISTORY (Mar. 26, 2019), http://perma.cc/92RH-C9YZ. As one might infer, this tactic would not be terribly helpful in the event of a nuclear attack.
[186] Kesan & Hayes, supra note 11, at 474. For more on “scan, firewall, and patch,” see Mark Ward, Tips to Help You Stay Safe Online, BBC News (Oct. 7, 2006), http://perma.cc/RUV5-TPR4 (suggesting that readers scan their systems regularly for viruses and malware, erect and maintain firewalls to prevent unwanted intrusions on their systems, and ensure that their operating system and software are updated with the latest security patches).
This Comment defines “active defense” as “[t]he synchronized, real-time capability to discover, detect, analyze, and mitigate threats.”187
That being said, a multitude of definitions of “active cyber defense” have been proposed in various spheres—from government, to the technology sector, to the military, to the legal community. These definitions include:
- “[E]lectronic countermeasures designed to strike attacking computer systems and shut down cyber attacks midstream;”189
- “[A]n approach to achieving cyber security predicated upon the deployment of measures to detect, analyse, identify and mitigate threats to and from communications systems and networks in real-time, combined with the capability and resources to take proactive or offensive action against threats and threat entities including action in those entities’ home networks;”190
- “[A] collection of synchronized, real-time capabilities to discover, define, analyze and mitigate cyber threats and vulnerabilities . . . [which] would enable cyber defenders to more readily disrupt and neutralize cyberattacks as they happen . . . [and which are] solely defensive in nature;”191
- “[A] . . . category of response to cyberattacks [that] enable[s] attacked parties to detect, trace, and then actively respond to a threat by, for example, interrupting an attack in progress to mitigate damage to the system.”192
This list is non-exhaustive. The lack of agreement on the precise contours of what qualifies as an active cyber defense measure has created extensive difficulties in categorizing and characterizing different options as lawful or unlawful under international law.
This Comment purposefully uses a broad definition of active defense in order to more specifically define what conduct is and is not permissible under international law. Accordingly, it will utilize the definition from Paul Rosenzweig as set forth above:
[T]he synchronized, real-time capability to discover, detect, analyze, and mitigate threats. It operates at network speed using sensors, software and intelligence to detect and stop malicious activity ideally before it can affect networks and systems. While intrusions may not always be stopped at network boundary, an entity may operate and improve upon its advanced sensors to detect, discover, map, and mitigate malicious activity on an entity’s network.193
This comprehensive definition of the term permits a thorough examination of all measures that could conceivably be considered “active defense,” even those that seem facially “passive.”
Understanding this definition requires fleshing out a few finer distinctions. First, the process of pursuing an “active defense” can be broken down into three steps: 1) detecting an intrusion, 2) identifying its origin, and 3) responding in some form.194
In order to separate legal conduct from illegal conduct, these activities must be categorized along some sort of spectrum. Some authors have undertaken this task in the past.198
To assist in understanding the point at which legal conduct becomes illegal conduct, this Comment outlines a spectrum of cyber defense activities divided into three categories: passive, active-passive, and active. Section IV of this Comment analyzes each category’s permissibility under international law.
Passive defenses are used entirely within the boundaries of one’s own network and never involve reaching beyond it. Such defenses include installing and upgrading antivirus software, constructing firewalls, segmenting certain critical servers in a way that prevents connection to the internet, and engaging in basic “cyber hygiene” practices.199
Active defenses mark the opposite end of the spectrum. Carol Hayes, a research fellow at the University of Illinois College of Law, and Jay Kesan, the H. Ross and Helen Workman Research Scholar at the University of Illinois College of Law, offer an apt characterization for tactics in this category. These types of defenses tend to be “offensive actions undertaken with the goal of neutralizing an immediate threat rather than retaliating.”201
Active-passive defenses lie somewhere between these endpoints. These measures encompass those like digital “dye-packs” or other devices that enable defenders to track data taken from their networks,204
It is entirely possible that the same tactic could appear in all three categories depending on how a given tactic is built and operated. Take, for example, the honeypot from the opening scenario. If that honeypot functioned solely to permit defenders to observe network traffic and had zero effect on any other system, it would likely be considered passive. If that honeypot infected intruders with a tracking beacon that allows cyber defenders to determine where a particular intruder is based, it would be characterized as active-passive. Finally, if that honeypot attached a virus that would delete all data on the intruder’s home system, it would qualify as an active defense.
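The three honeypot variants just described differ in one concrete property: whether anything crosses from the defender’s network into the intruder’s system. The following added example (written for this page; it is not code from the Comment or from any source it cites) sketches the first, purely passive, variant in Python. The listener accepts connections on an otherwise unused port inside the defender’s own network, records the source address and a capped sample of whatever the peer sends, and never transmits a byte back, so the only data it produces is a log for later triage. The class and function names, the 256-byte sample cap, and the `probe_once` test client standing in for an intruder’s scanner are all assumptions made for the example.

```python
# Added example (not from the Comment): a purely passive honeypot of the kind
# the text places in the "green light" category. It observes and records; it
# sends nothing to the peer and runs no code anywhere but on the defender's host.
import socket
import socketserver
import threading
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ConnectionRecord:
    ts: float
    src_ip: str
    src_port: int
    sample: bytes  # at most MAX_SAMPLE bytes of what the peer sent


@dataclass
class PassiveLog:
    """In-memory store of observations; all analysis happens here, never on the peer."""
    records: List[ConnectionRecord] = field(default_factory=list)
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def add(self, src_ip: str, src_port: int, sample: bytes,
            ts: Optional[float] = None) -> ConnectionRecord:
        rec = ConnectionRecord(ts if ts is not None else time.time(), src_ip, src_port, sample)
        with self._lock:
            self.records.append(rec)
        return rec

    def per_source_counts(self) -> Dict[str, int]:
        with self._lock:
            return dict(Counter(r.src_ip for r in self.records))

    def repeat_sources(self, threshold: int = 3) -> List[str]:
        """Sources that touched the honeypot at least `threshold` times. Legitimate
        hosts have no reason to connect to this port, so repeats are a triage signal."""
        return sorted(ip for ip, n in self.per_source_counts().items() if n >= threshold)


class _ObserveOnlyHandler(socketserver.BaseRequestHandler):
    MAX_SAMPLE = 256     # assumed cap; enough to see a protocol banner or request line
    READ_TIMEOUT = 2.0   # do not hold a silent connection open indefinitely

    def handle(self) -> None:
        self.request.settimeout(self.READ_TIMEOUT)
        try:
            sample = self.request.recv(self.MAX_SAMPLE)
        except OSError:  # timeout or reset: the contact itself is still worth recording
            sample = b""
        ip, port = self.client_address[:2]
        self.server.log.add(ip, port, sample)
        # Deliberately no self.request.sendall(...): observe, then let the
        # connection close. Nothing is delivered to the peer's system.


class PassiveHoneypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind: Tuple[str, int], log: PassiveLog):
        super().__init__(bind, _ObserveOnlyHandler)
        self.log = log


def start_background(log: PassiveLog, host: str = "127.0.0.1",
                     port: int = 0) -> Tuple[PassiveHoneypot, int]:
    """Start the listener in a daemon thread; port 0 lets the OS choose a free port."""
    srv = PassiveHoneypot((host, port), log)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_once(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Constructed test client standing in for a scanner: send a payload and
    return whatever comes back. b"" means the honeypot simply closed the socket."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(payload)
        c.settimeout(5)
        try:
            return c.recv(64)
        except socket.timeout:
            return b"<no reply within timeout>"


if __name__ == "__main__":
    log = PassiveLog()
    srv, port = start_background(log)
    for _ in range(3):  # three constructed probes from the local host
        probe_once(port, b"GET / HTTP/1.0\r\n\r\n")
    srv.shutdown()
    srv.server_close()
    print(log.per_source_counts(), log.repeat_sources())
```

The design point is the absent `sendall`: the handler reads, records, and returns. Adding a reply, a beacon, or any payload directed at the peer is exactly the step that would move the same honeypot into the active-passive or active category described above, so keeping the response path empty is what keeps the measure inside the defender’s own network.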
Clearly, the term “active cyber defense” is very broad and cannot be characterized as “legal” or “illegal” on its face. Rather, these finer distinctions permit a more nuanced understanding of when and why a particular tactic might rise to the level of an international crime.
Section II undertook a comprehensive interpretation of the Budapest Convention and relevant explanatory documents. That interpretation highlighted several offenses related to computer data, forbidding any creation of false or otherwise “inauthentic” data, and outlawing the actions that lead to data loss via “input, alteration, deletion, or suppression of computer data” or “any interference with the functioning of a computer system.”207
In order to rise to a criminal level, the Convention makes clear that these offenses must be committed intentionally and “without right”—that is, without authorization or outside the parameters of legal defenses acceptable within a State Party’s domestic legal system.209
Applying the law as set forth in the Budapest Convention to the spectrum of cyber defenses laid out in Section III of this Comment clarifies when active cyber defense measures are considered cybercrimes under international law. This Comment proposes using a “stoplight framework” to categorize various actions. That is, defenders should freely implement certain measures (green light), should use caution when considering more ambiguous ones (yellow light), and should never undertake others (red light).
Understanding where the line is drawn between legal and illegal conduct in cyberspace permits cyber defenders to have a general sense of what is and is not permissible when putting together defense strategies. The ultimate test, however, as to whether a particular tactic is illegal under international law is whether it rises to the level of an offense that the Budapest Convention seeks to criminalize.
The stoplight framework proposed in this Comment easily maps onto the three categories of actions—passive, active-passive, and active—based upon the number of Budapest Convention offenses potentially implicated in each category. As is explained in greater detail below, defenders can confidently employ passive measures, ought to approach active-passive measures with caution, and should refrain from using active measures in order to avoid engaging in conduct that is illegal under international law.
In general, defensive measures in the passive category will be permissible. Defenses in the passive category could run afoul of only a few Convention offenses: illegal interception of data, data interference, or misuse of devices.213
Considering that such defenses involve little to no ongoing engagement by cyber defenders and generally are only deployed within the defender’s own network, the likelihood that they would constitute offenses defined by the Budapest Convention is minimal. If they were to rise to the level of a potential violation, the only offenses that would likely be implicated are the illegal interception of data, data interference, or misuse of devices.
One can imagine a scenario in which passively surveilling intruder communications could constitute an illegal interception of data, because this behavior is roughly analogous to the “cyber wiretaps” the Convention’s drafters sought to prevent.217
Similarly, although these measures might result in the suppression of computer data, thereby implicating the data interference offense, they likely would not constitute a true violation. The Explanatory Report clarified that the suppression offense is meant to target actions that make data unavailable to people who “ha[ve] access” to the computer containing the data at issue.219
Accordingly, actions in the passive category get a green light. Because of the extremely low likelihood that they would be considered “offenses” as defined in the Budapest Convention, defenders can generally employ them without concerns about their illegality under international criminal law.
By contrast, tactics in the active-passive category are more likely to implicate a greater number of Budapest Convention offenses—nearly all of the offenses discussed in this Comment, in fact. Although active-passive measures are unlikely to result in computer-related fraud, they may well lead to illegal access to computer systems, illegal interception of transmissions, data interference, system interference, misuse of devices, or computer-related forgery.
This category includes measures that track data taken from networks,221
On its face, the Convention seems very clear: unauthorized access to or interference with systems or data is strictly prohibited.223
The Explanatory Report, however, indicates three potential caveats to this conclusion. The first is the Report’s intimation that actions falling within the ambit of a domestic justification for committing a crime—like necessity, self-defense, or consent—are permissible.224
These caveats open three possible avenues for the use of active-passive defenses. First, an entity may lawfully access the intruder’s system under the domestic legal conceptions of self-defense or necessity in that entity’s jurisdiction.227
The second possible avenue for implementing active-passive measures is within existing commercial and industry practice. One could argue that, as governments prove less and less willing to assume defense responsibilities for private companies, an “industry practice” of active-passive cyber defense is in the early stages of emerging.229
More recently, private sector entities around the world have been responding to the uptick in cyberattacks by implementing some forms of active cyber defense, and many entrepreneurs have been very willing to assist.232
The financial sector, in particular, is motivated to innovate, as it faces “the most severe and persistent threats.”235
Clearly, a “gray market”—not quite a legitimate market, but not fully a black market, either—for active cyber defense measures is growing, aided and abetted by the legal ambiguities in this area.238
Finally, the Convention leaves the door open for States Party to establish some minimum amount of damage that must occur before criminal liability will attach for a system interference.240
The idea that any minimal efforts to investigate cyber intrusions would constitute cybercrimes under international law seems ill-considered from an efficiency standpoint. Although such a strict interpretation may have made sense when the Convention was drafted in the 1990s, it hardly seems in step with the current status of cyberspace. With tens of thousands of cyberattacks and intrusions targeting businesses every year,241
Although measures falling into the active-passive category are more likely to constitute an offense under the Budapest Convention, it is possible that those employing them would have some kind of legal defense or exception to justify their actions. Accordingly, such measures should be implemented with caution, and fall into the “yellow light” category of this Comment’s suggested stoplight framework.
Active cyber defenses are the most difficult to justify under the strictures of the Budapest Convention, as they can implicate every single Convention offense discussed in this Comment.
Measures falling under this category can be generally summarized as “offensive actions undertaken with the goal of neutralizing an immediate threat rather than retaliating.”242
As a result, these measures have a hard time fitting into any of the three available justifications for the employment of measures external to one’s own network. The self-defense and necessity justifications might remain available to an entity in the case of an exceptionally serious cyberattack; however, an attack of that magnitude is precisely when national law enforcement authorities would likely get involved.244
Thus, with active measures, the number of potential offenses implicated is not offset by the availability of legal defenses. Accordingly, they belong in the “red light” category—that is, cyber defenders ought to refrain from using them. These actions are very likely to constitute illegal conduct under international law.
The Budapest Convention is the only binding international law defining which actions are permissible in cyberspace and which are not. It is imperfect, and suffers from the failures of imagination that characterize late-twentieth-century attempts to regulate the internet. However, it is the international community’s only definition of when behavior in cyberspace becomes criminal and what justifications might be relied upon to excuse certain actions. Essentially any unauthorized access to, or interference with, computer systems or data is criminalized under the Convention if it does not fall into one of three categories of exceptions: a legal defense recognized under domestic law, a common commercial practice, or an action that falls below the threshold set by individual States Party.
Purely passive measures are highly unlikely to implicate any offense listed in the Convention, as they never venture outside the confines of an entity’s own network. Active-passive measures, or those that are internal to a network with possible external repercussions, can fall under the umbrella of one of the Convention’s justifications. Finally, although it is possible that an attack would be so egregious that a purely active measure specifically targeting external networks would be justified, this scenario is highly unlikely. Therefore, active measures are nearly always unlawful under international law and should be avoided.
It is difficult to blame private companies for wanting to innovate when it comes to defending their assets in cyberspace. They face an unprecedented threat environment, with tens of thousands of cyberattacks directed at businesses each year.246
- 1See, for example, Wyatt Hoffman & Ariel (Eli) Levite, Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace?, Carnegie Endowment for Int’l Peace (June 14, 2017), http://perma.cc/CKL9-HE5M.
- 2See, for example, Center for Cyber & Homeland Security, Geo. Wash. U., Into the Gray Zone: The Private Sector and Active Defense Against Cyber Threats, 7 (2016) http://perma.cc/SAX8-4LW3.
- 3Id. at 9.
- 4See Alexandra Perloff-Giles, Transnational Cyber Offenses: Overcoming Jurisdictional Challenges, 43 Yale J. Int'l L. 191, 202–03 (2018).
- 5See id. at 204 (“For most transnational cyber offenses…the offense does not constitute an Article 51 ‘armed attack’ or a ‘resort to armed force’…”).
- 6See id. at 203.
- 7See Lily Hay Newman, The Ransomware Meltdown Experts Warned Us About is Here, WIRED (May 12, 2017, 2:03 PM), http://perma.cc/A3J5-6WKK.
- 8See Brendan I. Koerner, Inside the Cyberattack That Shocked the US Government, WIRED (Oct. 23, 2016, 5:00 PM), http://perma.cc/Y7FY-DE5F.
- 9See Nicole Perlroth, Hackers are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say, N.Y. Times, July 6, 2017, at B5.
- 10See Alyza Sebenius, Writing the Rules of Cyberwar, The Atlantic (June 28, 2017), http://perma.cc/ZR8J-QR9G.
- 11See Jay P. Kesan & Carol M. Hayes, Mitigative Counterstriking: Self-Defense and Deterrence in Cyberspace, 25 Harv. J. L. & Tech. 429, 474 (2012).
- 12Id. at 475.
- 13International Telecommunications Union Res. 102, The Plenipotentiary Conference of the International Telecommunications Union (2014), http://perma.cc/TGD5-ZGE8.
- 14Convention on Cybercrime, Nov. 23, 2001, T.I.A.S. 13174, E.T.S. No. 185, http://perma.cc/4KKP-2YM7 [hereinafter Budapest Convention].
- 15Budapest Convention and Related Standards, Council of Eur., http://perma.cc/C34X-EUJF.
- 16Budapest Convention, supra note 14, at 2.
- 17See id.
- 18Chart of Signatures and Ratifications of Treaty 185, Council of Eur., http://perma.cc/57D7-XPBF.
- 19See generally, Budapest Convention, supra note 14.
- 20Council of Eur., Explanatory Report to the Convention on Cybercrime (Nov. 23, 2001), ¶ 18, http://perma.cc/A6XF-647V [hereinafter Explanatory Report].
- 21Id. at ¶ 19.
- 22Budapest Convention, supra note 14, at art. 35.
- 23Explanatory Report, supra note 20, at 1.
- 24Cybercrime Convention Committee, T-CY Guidance Note #3: Transborder Access to Data (Article 32), at 3 (Dec. 2–3, 2014), http://perma.cc/494T-7EHG.
- 25The Explanatory Report, for example, defines “computer system” as
a device consisting of hardware and software developed for automatic processing of digital data. It may include input, output, and storage facilities. It may stand alone or be connected in a network with other similar devices [sic] “Automatic” means without direct human intervention, “processing of data” means that data in the computer system is operated by executing a computer program . . . A computer system usually consists of different devices, to be distinguished as the processor or central processing unit, and peripherals. A “peripheral” is a device that performs certain specific functions in interaction with the processing unit, such as a printer, video screen, CD reader/writer or other storage device.
Explanatory Report, supra note 20, at ¶ 23.
“[C]omputer program” is defined as “a set of instructions that can be executed by the computer to achieve the intended result.” Id.
“[N]etwork” is defined as
an interconnection between two or more computer systems. The connections may be earthbound (e.g., wire or cable), wireless (e.g., radio, infrared, or satellite), or both. A network may be geographically limited to a small area (local area networks) or may span a large area (wide area networks), and such networks may themselves be interconnected . . . What is essential is that data is exchanged over the network.
Id. at ¶ 24.
- 26See Budapest Convention, supra note 14, at art. 15.
- 27Id. Proportionality encompasses the idea “that a State’s acts must be a rational and reasonable exercise of means towards achieving a permissible goal, without unduly encroaching on protected rights of either the individual or another State.” Emily Crawford, Proportionality, in Max Planck Encyclopedia of Public International Law ¶ 1 (2011), http://perma.cc/YJ8E-VB5C.
- 28Joyce Hakmeh, Building a Stronger International Legal Framework on Cybercrime, Chatham House (June 6, 2017), http://perma.cc/TJT5-MMQB.
- 29Id.
- 30Id.
- 31Id.
- 32Budapest Convention, supra note 14, at art. 11.
- 33Id. at art. 12.
- 34Id. at art. 13.
- 35Id. at art. 22.
- 36Budapest Convention, supra note 14, at art. 22.
- 37See id. at arts. 25–26.
- 38Id. at art. 25.
- 39Id. at art. 26.
- 40Budapest Convention, supra note 14, at art. 25.
- 41Id. at art. 32.
- 42Id.
- 43Budapest Convention, supra note 14, at art. 2.
- 44Cybercrime Convention Committee, T-CY Guidance Note #1: On the Notion of “Computer System” at 3 (Dec. 2012), http://perma.cc/S78P-VYHC.
- 45Budapest Convention, supra note 14, at art. 1.
- 46Explanatory Report, supra note 20, at ¶ 44; see Budapest Convention, supra note 14, at art. 2.
- 47Explanatory Report, supra note 20, at ¶ 44.
- 48Id.
- 49Id. at ¶ 46.
- 50Id.
- 51Explanatory Report, supra note 20, at ¶ 50.
- 52Id.
- 53Budapest Convention, supra note 14, at art. 2 (emphasis added).
- 54Id. at art. 3.
- 55Explanatory Report, supra note 20, at ¶ 51.
- 56Id. at ¶ 53.
- 57Id.
- 58Id.
- 59Explanatory Report, supra note 20, at ¶ 53.
- 60Id. at ¶ 54.
- 61Id.
- 62Id. at ¶ 58.
- 63Explanatory Report, supra note 20, at ¶ 58.
- 64Id. at ¶ 55.
- 65Id. at ¶ 58.
- 66Id.
- 67Explanatory Report, supra note 20, at ¶ 58.
- 68Budapest Convention, supra note 14, at art. 4.
- 69Explanatory Report, supra note 20, at ¶ 60.
- 70Id.
- 71Explanatory Report, supra note 20, at ¶ 61.
- 72Id.
- 73Id.
- 74A “Trojan horse” is defined as “a type of malware that is often disguised as legitimate software.” What is a Trojan Virus? - Definition, Kaspersky, http://perma.cc/N5JE-9CVZ.
- 75Explanatory Report, supra note 20, at ¶ 61.
- 76Explanatory Report, supra note 20, at ¶ 62.
- 77Id.
- 78Id.
- 79Id. (emphasis added).
- 80Budapest Convention, supra note 14, at art. 5.
- 81Explanatory Report, supra note 20, at ¶ 65.
- 82Id. at ¶¶ 66–67.
- 83Id. at ¶ 67.
- 84Id.
- 85Explanatory Report, supra note 20, at ¶ 69.
- 86Id.
- 87Budapest Convention, supra note 14, at art. 6.
- 88Id.
- 89Id.
- 90Id.
- 91Id.
- 92Explanatory Report, supra note 20, at ¶ 71; Budapest Convention, supra note 15, at art. 6; Explanatory Report, supra note 20, at ¶ 71.
- 93Explanatory Report, supra note 20, at ¶ 71.
- 94Id.
- 95Id. at ¶ 72.
- 96Id.
- 97Id. at ¶ 73.
- 98Id.
- 99Explanatory Report, supra note 20, at ¶ 73.
- 100Id. at ¶¶ 73, 75.
- 101Id. at ¶ 76.
- 102Id.
- 103Id.
- 104Budapest Convention, supra note 14, at art. 7.
- 105Explanatory Report, supra note 20, at ¶ 81.
- 106Id.
- 107Id.
- 108Id. at ¶ 82.
- 109Id.
- 110Id. at ¶ 83.
- 111Id.
- 112Id.
- 113Id. at ¶ 84.
- 114Id. at ¶ 85.
- 115Budapest Convention, supra note 14, at art. 8.
- 116Explanatory Report, supra note 20, at ¶ 86.
- 117Id. at ¶ 87.
- 118Id. at ¶ 88.
- 119Id.
- 120Id. at ¶ 90.
- 121Id.
- 122Budapest Convention, supra note 14, at art. 11.
- 123Id. at art. 12.
- 124Id. at art. 13.
- 125Explanatory Report, supra note 20, at ¶¶ 118–19.
- 126Id. at ¶¶ 118, 120.
- 127Id. at ¶ 120.
- 128Id. at ¶ 122.
- 129Id.
- 130Id. at ¶ 119.
- 131Explanatory Report, supra note 20, at ¶ 119.
- 132Id. at ¶ 123.
- 133Id.
- 134Id. at ¶ 124.
- 135Id.
- 136Id.
- 137Explanatory Report, supra note 20, at ¶ 125.
- 138Id.
- 139Id.
- 140Id.
- 141Id.
- 142Id. at ¶ 128.
- 143Budapest Convention, supra note 14, at art. 13; Explanatory Report, supra note 20, at ¶ 129.
- 144Explanatory Report, supra note 20, at ¶ 129.
- 145Id. at ¶ 130.
- 146See generally Budapest Convention, supra note 14.
- 147Paul Rosenzweig, International Law and Private Actor Cyber Defense Measures, 50 Stan. J. Int’l L. 103, 108–109 (2014) (citing Explanatory Report, supra note 20, at ¶ 38).
- 148Explanatory Report, supra note 20, at ¶ 38.
- 149Id.
- 150Rosenzweig, supra note 147, at 109.
- 151Explanatory Report, supra note 20, at ¶ 47.
- 152Id. at ¶ 38.
- 153Id.
- 154Budapest Convention, supra note 14, at art. 32.
- 155Explanatory Report, supra note 20, at ¶ 293.
- 156Id.
- 157Id.
- 158Id. at ¶ 294.
- 159Id. at ¶ 294.
- 160Cybercrime Convention Committee, supra note 24, at 3.
- 161Id.
- 162Id. at 4.
- 163Id. at 3, 6.
- 164Id. at 6.
- 165Id.
- 166Cybercrime Convention Committee, supra note 24, at 6.
- 167Id. at 5.
- 168Budapest Convention, supra note 14, at art. 14.
- 169Cybercrime Convention Committee, supra note 24, at 7.
- 170What is Cyber Security?, FireEye Resources, http://perma.cc/T427-2UTZ.
- 171A “network” is a “system that transmits data between users,” including devices belonging to those users (like phones, tablets, and computers), as well as equipment connecting those devices (like servers and routers). Definition of: network, PCMag Encyclopedia (2019), http://perma.cc/V4KQ-9PJX. A “server” is “[a] computer system in a network that is shared by multiple users,” and a “router” is a device on a network that forwards information from one network to another. See Definition of: server, PCMag Encyclopedia (2019), http://perma.cc/6BM3-4VFA; Definition of: router, PCMag Encyclopedia (2019), http://perma.cc/3U54-UL4L. A “system” can be conceived of as “[a] group of related components that interact to perform a task.” Definition of: system, PCMag Encyclopedia (2019), http://perma.cc/8JS5-5X5B.
- 172What is malware and how can we prevent it?, Norton Security Center, http://perma.cc/LC6Y-G6QF.
- 173Id.
- 174“Phishing” occurs when an attacker uses a fake email sent to company employees to gain access to an otherwise protected system. “Spearphishing” occurs when an attacker specifically targets an employee of a certain stature so as to gain access to an identity with better access privileges than the average employee. See Kim Zetter, Hacker Lexicon: What is Phishing?, WIRED (Apr. 7, 2015), http://perma.cc/739D-KWSG.
- 175Watering hole attacks “compromise a website commonly visited by targets to hack victims’ computers.” Andy Greenberg, Hackers Gain Direct Access to U.S. Power Grid Controls, WIRED (Sept. 6, 2017), http://perma.cc/6BUT-5AYX.
- 176Although hackers can be government-sponsored or members of organized crime syndicates, the most serious challenges to cybersecurity are posed by “private criminals interested in private gain.” See Mary Ellen O’Connell, Cyber Security Without Cyber War, 17 J. Conflict & Sec. L. 187, 191 (2012).
- 177Alison DeNisco Rayome, 2017 was ‘worst year ever’ in data breaches and cyberattacks, thanks to ransomware, TechRepublic (Jan. 25, 2018), http://perma.cc/EZ48-AMRG.
- 178See, for example, Josh Horwitz & Cate Cadell, Chinese chipmaker’s ambitions come unstuck with US Indictment, Reuters (Nov. 2, 2018), http://perma.cc/2GBB-EZQ6; see also Koerner, supra note 8; Newman, supra note 7.
- 179See Newman, supra note 7.
- 180Id.
- 181Id.
- 182Robert M. Lee, The Sliding Scale of Cybersecurity, SANS Institute, 1, 8 (Aug. 2015), http://perma.cc/TU3K-XEFU.
- 183Id.
- 184Kesan & Hayes, supra note 11, at 474; Rosenzweig, supra note 17, at 103–04.
- 185“Duck and cover” refers to the Cold War-era drills conducted in schools in which students were instructed to duck under their desks for cover in the event of a nuclear attack. Sarah Pruitt, How ‘Duck-and-Cover’ Drills Channeled America’s Cold War Anxiety, HISTORY (Mar. 26, 2019), http://perma.cc/92RH-C9YZ. As one might infer, this tactic would not be terribly helpful in the event of a nuclear attack.
- 186Kesan & Hayes, supra note 11, at 474. For more on “scan, firewall, and patch,” see Mark Ward, Tips to Help You Stay Safe Online, BBC News (Oct. 7, 2006), http://perma.cc/RUV5-TPR4 (suggesting that readers scan their systems regularly for viruses and malware, erect and maintain firewalls to prevent unwanted intrusions on their systems, and ensure that their operating system and software are updated with the latest security patches).
- 187Rosenzweig, supra note 17, at 105.
- 188Id.
- 189Erik M. Mudrinich, Cyber 3.0: The Department of Defense Strategy for Operating in Cyberspace and the Attribution Problem, 68 A.F. L. Rev. 167, 180 n.70 (2012).
- 190Hoffman & Levite, supra note 1, at 7–8.
- 191Active Cyber Defense (ACD), Defense Advanced Research Projects Agency, http://perma.cc/PRC9-HKFM.
- 192Kesan & Hayes, supra note 11, at 475.
- 193Rosenzweig, supra note 147, at 105.
- 194Kesan & Hayes, supra note 11, at 475.
- 195Rosenzweig, supra note 147, at 105–06.
- 196Id.
- 197Id.
- 198Cf. Center for Cyber & Homeland Security, supra note 2, at 10–11; Hoffman & Levite, supra note 1, at 9.
- 199Cyber hygiene is defined as thinking proactively “to resist cyber threats and online security issues.” Good Cyber Hygiene, Norton Security Center, http://perma.cc/GMB9-VGZW (giving examples of cyber hygiene).
- 200Cf. Center for Cyber & Homeland Security, supra note 2, at 10–11; Hoffman & Levite, supra note 1, at 9.
- 201Kesan & Hayes, supra note 11, at 475.
- 202Center for Cyber & Homeland Security, supra note 2, at 11.
- 203Hoffman & Levite, supra note 1, at 8–9.
- 204Id.
- 205Center for Cyber & Homeland Security, supra note 2, at 10–11; Hoffman & Levite, supra note 1, at 8.
- 206See Section II, supra.
- 207Budapest Convention, supra note 14, at arts. 7–8.
- 208Id. at art. 6.
- 209Explanatory Report, supra note 20, at ¶ 38.
- 210Budapest Convention, supra note 14, at art. 22.
- 211Id.
- 212See generally Explanatory Report, supra note 20, at ¶¶ 235–236.
- 213See Budapest Convention, supra note 14, at arts. 3, 4, 6.
- 214An “air gap” “refers to computers or networks that are not connected directly to the internet or to any other computers that are connected to the internet.” Kim Zetter, Hacker Lexicon: What Is an Air Gap?, WIRED (Dec. 8, 2014), http://perma.cc/ZH9P-YQXL.
- 215See Lee, supra note 182, at 7–8.
- 216Cf. Center for Cyber & Homeland Security, supra note 2, at 10–11; Hoffman & Levite, supra note 1, at 9.
- 217Explanatory Report, supra note 20, at ¶ 51.
- 218Id. at ¶ 53.
- 219Id. at ¶ 61.
- 220Budapest Convention, supra note 14, at art. 6.
- 221Hoffman & Levite, supra note 1, at 8–9.
- 222Center for Cyber & Homeland Security, supra note 2, at 10–11; Hoffman & Levite, supra note 1, at 8–9.
- 223Budapest Convention, supra note 14, at arts. 4–5.
- 224Explanatory Report, supra note 20, at ¶ 38.
- 225Id. at ¶ 62.
- 226Id. at ¶ 67.
- 227Id. at ¶ 38. Although technically consent to entry is a justification, it seems unlikely that an intruder would consent to its own target’s investigation.
- 228Perloff-Giles, supra note 4, at 217–18.
- 229See Hoffman & Levite, supra note 1, at 1.
- 230Center for Cyber & Homeland Security, supra note 2, at 8.
- 231Id.
- 232Hoffman & Levite, supra note 1, at 4.
- 233Id. at 15.
- 234Id.
- 235Id.
- 236Id.
- 237Her Majesty’s Government, National Cyber Security Strategy 2016–2021, 2016, ¶ 1.8 (UK).
- 238Hoffman & Levite, supra note 1, at 4.
- 239Explanatory Report, supra note 20, at ¶ 62.
- 240Id. at ¶ 67.
- 241Rayome, supra note 177.
- 242Kesan & Hayes, supra note 11, at 475.
- 243See Budapest Convention, supra note 14, at arts. 2, 5.
- 244See, for example, Perlroth, supra note 9 (discussing the hacking operation undertaken against the Wolf Creek Nuclear Operating Corporation in Kansas in the United States and the subsequent joint investigation conducted by the U.S. Federal Bureau of Investigation and the U.S. Department of Homeland Security).
- 245Hoffman & Levite, supra note 1, at 15.
- 246Rayome, supra note 177.