Do Cyber-Attacks Require a 'Duty to Assist'?

On Jan. 1, 2009, when an Indian oil tanker found itself under attack by machine gun fire from pirates off the coast of Somalia, the ship's captain sent out an SOS via wireless radio. A nearby Malaysian frigate heard the call and immediately responded, sending a helicopter to the scene. On its arrival, the pirates fled and the tanker's crew escaped unharmed. It's a story that has been repeated countless times, in large part because international law requires anyone receiving an SOS signal to “proceed with all possible speed” to render assistance. Today, similar legal duties abound ' what we might call “duties to assist” ' whether in response to a pilot's mayday call, distress signals or emergency numbers.

As yet, however, there is no “duty to assist” in cyberspace. That needs to change. Concerns about new kinds of pirates and a new form of attack ' the “cyber-attack” ' currently fill our newspapers and preoccupy policymakers. When hackers marshaled a million computers to block access to Estonian computer networks in 2007, they took down emergency phone lines and froze online services for the government, banks, universities and hospitals.

Today, cyber-attacks repeatedly compromise communications, whether among Chinese human rights activists, Iranian dissidents or U.S. Defense Department officials. Dozens of militaries have assembled cyberforces, not simply to defend against cyber-attacks but also to launch them; indeed, China's military remains the chief suspect in the well-publicized recent attacks on Google's e-mail infrastructure and servers. As the world's dependence on information networks grows, cyber-attacks can and will do great harm. Experts fear a future when cyber-attacks disable anything from power grids to stock exchanges.

Defending Cyber-Attacks

How to defend our commercial, military and other critical infrastructure from attack has become a critical policy concern. Technological prevention measures ' thicker security firewalls and better mechanisms to detect and repel attacks ' will undoubtedly be part of any effective counterattack strategy. Similar progress may come from efforts to reach agreement on how militaries should operate in cyberspace and increased transnational coordination among law enforcement agencies.

But these measures will not be enough to solve the problem. Open networks will always be vulnerable to malicious attack as new security measures generate improved hacking techniques in an endless game of cat and mouse. The laws of war that govern military uses of force do not translate easily into cyberspace. Criminal laws, similarly, are a blunt instrument for protection. The difficulties inherent in trying to identify the precise location from which attacks arise and the identities of anonymous attackers stem from the basic structure of the global Internet. Those difficulties make enforcement of criminal penalties (or the laws of war) difficult and at times impossible.

Law to the Rescue

We believe, however, that international law can play an effective role in combating cyber-attackers by recognizing a duty to assist those subject to their attacks ' an “SOS for the Internet.” If nations could agree (whether by formal treaty or customary practice) that anyone who can help must do so, it would provide a much needed first principle for cyber-attacks. A duty to assist can work without identifying the attackers. It focuses instead on minimizing the attack's effects. A victim would send out a distress call ' an Internet SOS ' and all those in a position to provide assistance ' whether governments or private actors ' would have an obligation to respond. Help could come in many forms. If attackers denied service to a computer resource, Internet service providers could provide additional bandwidth. If an attack crossed through a nation's territory, that nation's government would have to deny attackers further use of its information networks and help trace the attack to its true origins.

Much informal assistance already occurs in the aftermath of a cyber-attack. But no matter how robust, aid comes only from those who decide they have the time, resources or interest to help. A duty to assist, in contrast, would mandate aid from all quarters. In 2007, when Estonia asked Russia to cease attacks it believed originated from within Russian territory, Russia refused, suggesting they could have originated elsewhere. If it accepts an obligation to assist, Russia would no longer have such excuses.

Of course, sometimes a government might be the attacker. But if governments agree in advance to a duty to assist, they might not attack in the first place. Why make a mess you'll have to help clean up even if no one knows you were responsible? Since holding attackers accountable is difficult at best and impossible at worst, all we can hope for is to minimize the harm from cyber-attacks. And that is exactly what a duty to assist should do. Attackers may question whether it's worth the effort to attack at all.

Conclusion

Law has long valued rights of self-reliance and self-defense. Companies and governments will often be able to defend their own computer networks, but that does not mean the law cannot step in when those efforts fail. Of course, countries must elaborate more precisely who can call for help, when they can do so and what assistance others must render. Whatever its details, though, governments, companies and individuals should be able to know that, when they make that call, help will come.

On Jan. 1, 2009, when an Indian oil tanker found itself under attack by machine gun fire from pirates off the coast of Somalia, the ship's captain sent out an SOS via wireless radio. A nearby Malaysian frigate heard the call and immediately responded, sending a helicopter to the scene. On its arrival, the pirates fled and the tanker's crew escaped unharmed. It's a story that has been repeated countless times, in large part because international law requires anyone receiving an SOS signal to “proceed with all possible speed” to render assistance. Today, similar legal duties abound ' what we might call “duties to assist” ' whether in response to a pilot's mayday call, distress signals or emergency numbers.

As yet, however, there is no “duty to assist” in cyberspace. That needs to change. Concerns about new kinds of pirates and a new form of attack ' the “cyber-attack” ' currently fill our newspapers and preoccupy policymakers. When hackers marshaled a million computers to block access to Estonian computer networks in 2007, they took down emergency phone lines and froze online services for the government, banks, universities and hospitals.

Today, cyber-attacks repeatedly compromise communications, whether among Chinese human rights activists, Iranian dissidents or U.S. Defense Department officials. Dozens of militaries have assembled cyberforces, not simply to defend against cyber-attacks but also to launch them; indeed, China's military remains the chief suspect in the well-publicized recent attacks on Google's e-mail infrastructure and servers. As the world's dependence on information networks grows, cyber-attacks can and will do great harm. Experts fear a future when cyber-attacks disable anything from power grids to stock exchanges.

Defending Cyber-Attacks

How to defend our commercial, military and other critical infrastructure from attack has become a critical policy concern. Technological prevention measures ' thicker security firewalls and better mechanisms to detect and repel attacks ' will undoubtedly be part of any effective counterattack strategy. Similar progress may come from efforts to reach agreement on how militaries should operate in cyberspace and increased transnational coordination among law enforcement agencies.

But these measures will not be enough to solve the problem. Open networks will always be vulnerable to malicious attack as new security measures generate improved hacking techniques in an endless game of cat and mouse. The laws of war that govern military uses of force do not translate easily into cyberspace. Criminal laws, similarly, are a blunt instrument for protection. The difficulties inherent in trying to identify the precise location from which attacks arise and the identities of anonymous attackers stem from the basic structure of the global Internet. Those difficulties make enforcement of criminal penalties (or the laws of war) difficult and at times impossible.

Law to the Rescue

We believe, however, that international law can play an effective role in combating cyber-attackers by recognizing a duty to assist those subject to their attacks ' an “SOS for the Internet.” If nations could agree (whether by formal treaty or customary practice) that anyone who can help must do so, it would provide a much needed first principle for cyber-attacks. A duty to assist can work without identifying the attackers. It focuses instead on minimizing the attack's effects. A victim would send out a distress call ' an Internet SOS ' and all those in a position to provide assistance ' whether governments or private actors ' would have an obligation to respond. Help could come in many forms. If attackers denied service to a computer resource, Internet service providers could provide additional bandwidth. If an attack crossed through a nation's territory, that nation's government would have to deny attackers further use of its information networks and help trace the attack to its true origins.

Much informal assistance already occurs in the aftermath of a cyber-attack. But no matter how robust, aid comes only from those who decide they have the time, resources or interest to help. A duty to assist, in contrast, would mandate aid from all quarters. In 2007, when Estonia asked Russia to cease attacks it believed originated from within Russian territory, Russia refused, suggesting they could have originated elsewhere. If it accepts an obligation to assist, Russia would no longer have such excuses.

Of course, sometimes a government might be the attacker. But if governments agree in advance to a duty to assist, they might not attack in the first place. Why make a mess you'll have to help clean up even if no one knows you were responsible? Since holding attackers accountable is difficult at best and impossible at worst, all we can hope for is to minimize the harm from cyber-attacks. And that is exactly what a duty to assist should do. Attackers may question whether it's worth the effort to attack at all.

Conclusion

Law has long valued rights of self-reliance and self-defense. Companies and governments will often be able to defend their own computer networks, but that does not mean the law cannot step in when those efforts fail. Of course, countries must elaborate more precisely who can call for help, when they can do so and what assistance others must render. Whatever its details, though, governments, companies and individuals should be able to know that, when they make that call, help will come.