Temple University law professor Duncan Hollis, and my co-blogger at Opinio Juris, has a provocative new paper on SSRN addressing the question of cyber-threats and why he believes the threats need new forms of regulation. Duncan titles his article at SSRN, “An e-SOS for Cyberspace,” and of course I can’t resist adding ‘Sending Out An e-SOS, Sending Out An e-SOS’ …
Minds more serious than my own have been discussing Duncan’s ideas, however, including our own Orin Kerr, over at Concurring Opinions, to which Duncan responds at OJ. I am not a cyberthreats expert; I tend to stick with the robotics side of things, so I won’t venture a substantive opinion here. But obviously these areas overlap in important ways, and the recognition of cyber-threats and cyber-emergencies as legal issues is both important and overdue, so I do try to follow the literature modestly. Here is Duncan’s abstract:
Individuals, shadowy criminal organizations, and nation states all now have the capacity to devastate modern societies through computer attacks. These new and severe cyberthreats put critical information, infrastructure, and lives at risk. And the threat is growing in scale and intensity with every passing day.
The conventional response to such cyberthreats is self-reliance. When self-reliance comes up short, states have turned to law for a solution. Cybercrime laws proscribe individuals from engaging in unwanted cyberactivities. Other international laws proscribe what states can (and cannot) do in terms of cyberwarfare. Both sets of rules work by attribution, targeting bad actors – whether criminals or states – to deter cyberthreats.
This Article challenges the sufficiency of existing cyber-law and security. Law cannot regulate the authors of cyberthreats because anonymity is built into the very structure of the Internet. As a result, existing rules on cybercrime and cyberwar do little to deter. They may even create new problems, when attackers and victims assume different rules apply to the same conduct.
Instead of regulating bad actors, this Article proposes states adopt a duty to assist victims of the most severe cyberthreats. A duty to assist works by giving victims assistance to avoid or mitigate serious harms. At sea, anyone who hears a victim’s SOS must offer whatever assistance they reasonably can. An e-SOS would work in a similar way. It would require assistance for cyberthreat victims without requiring them to know who, if anyone, was threatening them. An e-SOS system could help avoid harms from existing cyberthreats and deter others. Even when cyberthreats succeed, an e-SOS could make computer systems and networks more resilient to any harm they impose. At the same time, an e-SOS would compliment, rather than compete with, self-reliant measures and the existing legal proscriptions against cyberthreats.
(Update: The first couple of comments were off topic and not very helpful, so I’m going to delete them and close the post.)