Since the beginning of time, unfortunately, some people have been intent on causing harm to others for their own benefit. This, of course, has been true with respect to Internet conduct. Indeed, we now live in a world in which the “black hats” are actively hacking and causing other problems in cyberspace, while the “white hats” are trying to combat these efforts.
Cybercrime is not confined within the borders of sovereign states. What happens on the Internet goes beyond national borders. After all, we are dealing with the World Wide Web. Accordingly, cybercrime has international implications.
For example, computers here in the United States can be hacked from overseas. Sensitive data, including important financial information, can be purloined and used in another country. Thus, there can be all sorts of international identity theft. Indeed, I know this personally, as once my credit card information was somehow stolen and someone else then made purchases for stereo equipment on my card in France.
Cybercrime can go beyond having financial implications for victims. Cybercrime can reach a point of constituting true Internet terrorism. For instance, what if someone in another country threatens or actually launches a computer attack that seeks to bring down U.S. air traffic control systems or systems controlling U.S. nuclear power plants? This would take cybercrime to another level.
If this were to happen, it would be complicated in terms of seeking legal redress or prosecution of the perpetrators in their home countries. And frankly, it might be difficult on the front end even to track down the identities of the true perpetrators.
There has been the creation of the Budapest Convention on Cybercrime, which has been aimed at trying to pursue common international policies directed at cybercrime. The goal here is to adopt compatible legislation among countries and to foster international cooperation when it comes to cybercrime.
And the question arises as to whether a cyberattack initiated by one sovereign state against another constitutes war. The U.S., for example, launched a cyberattack called Stuxnet, which impeded development of a nuclear power reactor at a uranium enrichment facility in Iran. Was this an act of war?
Furthermore, when is an act of war considered just? The United Nations Charter makes plain that the use of force or acts of war are to be avoided when possible. However, self defense can be a permissible basis to use force. But what about anticipatory self defense, like the Stuxnet attack?
The international rules of the game are yet to be fully sketched out in this new and quickly evolving area. Stay tuned for further developments.
Eric Sinrod (@EricSinrod on Twitter) is of counsel in the San Francisco office of Duane Morris LLP, where he focuses on litigation matters of various types, including information technology and intellectual property disputes. You can read his professional biography here. To receive a weekly email link to Mr. Sinrod’s columns, please email him at email@example.com with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.