Bringing Foreign-Based Cyberterrorists to Justice in America
By Paul Stockton
As you read this, U.S. adversaries are scouring our financial system, electric power grid, and other parts of our critical infrastructure for vulnerabilities to cyber sabotage. President Obama’s Deputy National Security Advisor for Homeland Security and Counterterrorism, Lisa Monaco, says that prosecutions of cyberterrorists “will be critical tools for deterrence and disruption” of their attacks. Before we can bring cyberterrorists to justice, however, we have to fill a major gap in our legal framework to prosecute them. Michele Golabek-Goldman and I have a new article in the Stanford Law and Policy Review that examines that gap and how to fill it. (Intrepid readers can access the analysis, “Prosecuting Cyberterrorists: Applying Traditional Jurisdictional Frameworks to a Modern Threat,” through the Social Science Research Network.)
The stakes in the cyber realm could not be higher. Former Defense Secretary Leon Panetta framed this challenge in his customary, direct terms. A few months before leaving office, he warned that the United States is in a “pre-911 moment” in which “attackers are plotting” to attack U.S. infrastructure with potentially devastating effects. Moreover, he warned us all that “a destructive cyberterrorist attack could virtually paralyze the nation.” (Full disclosure: I was Assistant Secretary of Defense for Homeland Defense under Secretary Panetta, and more than once got the benefit of his salty assessments of the threat — and sometimes of my own performance.)
We need to solve two big problems before we can have a strong, effective system to prosecute cyberterrorists who attack us from abroad. The first challenge lies in strengthening our technical means to accurately and convincingly attribute attacks to their perpetrators. Attribution is especially difficult when attackers hijack thousands of computers across the globe without their owners’ knowledge or consent, and commandeer those computers to conduct a destructive, coordinated “botnet” operation (as in the massive 2007 attack on Estonia). Nevertheless, federal agencies and private companies are making major progress towards solving the attribution problem.
The second problem is just as important but has received far less attention: that is, building the legal framework to prosecute cyberterrorists. The few experts who have examined this problem, such as Oona Hathaway at Yale Law School, generally argue that the United States should extend the reach of our domestic criminal laws to cyberterrorists who attack us from other nations. The problem remains, what is the basis in international law for such an extension of extraterritoriality? The solution should not only advance U.S. national security interests, but also support our broader effort to build an international consensus and agreements to fight cyberterrorism.
The answer lies in what international law experts call “prescriptive jurisdiction” based on “the protective principle.” The protective principle says that a nation can exercise jurisdiction over conduct outside its borders when the conduct directly threatens its security or critical government functions. Historically, this principle has extended a country’s jurisdiction in cases involving terrorism, counterfeiting, drug trafficking, and immigration. Courts here and in other countries have agreed that those crimes sufficiently threaten their national security to warrant jurisdiction. On this basis, a foreign-based cyberterrorist attack that could incapacitate our power grid, compromise broad public safety, and jeopardize the economy should also fall under our legal jurisdiction.
The benefits of establishing such a basis for prosecution would be far-reaching. Being able to prosecute would-be attackers before they strike their targets would be especially important for protecting the power grid and other critical infrastructure, given their importance to our economy and national security. After a few successful prosecutions, the policy might well discourage others from undertaking such attacks. Moreover, as part of a broader global effort to create new international norms and agreements for the cyber realm, a new legal framework for prosecuting these cyberterrorists would rest on tenets of international law.
For the detailed legal and policy analysis of this approach, and how it would help the United States and the international community build a broader framework to prosecute, deter, and foil cyberterrorist attacks, read our article — and send along your comments!
Your views on the larger challenge that cyberattackers pose to America’s critical infrastructure owners and operators are also welcome. Colleagues and I at George Washington University’s Homeland Security Policy Institute are looking at new approaches to establishing market-based incentives for investments that address emerging threats to the electric grid and other critical infrastructure. I would welcome your thoughts as we move forward.