Attribution of cyber attacks is becoming increasingly difficult—not only because Internet communications pass through multiple routers in different states or countries but also because attackers intentionally use proxies to mask their identities.
For these reasons, Liis Vihul, a legal analyst with the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, said it is important to look beyond traditional geography when attributing cyber attacks. Most critical, Vihul said, is the ability to holistically view a wide combination of evidence, including forensics, intelligence, and politics.
Jeff Jonas, a fellow and chief scientist with IBM, said it’s difficult to determine a response to a cyber attack without knowing from where it emanates. There are many factors to consider, such as whether the attacker is a U.S. citizen, what country they are in, and what our relationship with their government is.
However, finding these answers is, of course, a challenge.
“You might see the attack coming out of one box somewhere, but only after a closer inspection you realize it’s really coming out of somewhere else, and so on,” Jonas said. “It’s a series of ‘wheres’ to get to the root.”
Geography has also been found to play a critical role in cybersecurity law.
“Borders do matter in cyberspace,” said Eric Rosenbach, Deputy Assistant Secretary of Defense for Cyber Policy, at a recent cybersecurity event in DC. “I know conventional wisdom is that it’s the borderless world where you don’t have to think about borders, but for the law they matter a lot. International law matters a lot to the United States. It also matters in technology because people have their gateways at geographic borders.”
Vihul agrees: “The traditional threats to a state’s national security are other nation states,” he wrote via email. “Today, non-state actors or terrorists, and in the context of cybersecurity, also hacktivist and criminal groups, are included in the threat catalogue. How law regulates the relationships between those actors is highly dependent on geography.”
There are two legal concepts that are relevant in cybersecurity law, according to Vihul. The first is sovereignty, meaning nations of equal sovereignty should not knowingly let cyber infrastructure located in their territory be used for acts that can adversely and unlawfully affect other countries.
“In essence, states are obliged to respect the territorial sovereignty of other states, but in the cyber context adhering to this requirement can sometimes naturally prove difficult,” Vihul wrote.
This is because of the second factor, jurisdiction, or a nation’s ability to regulate within its own borders. Not all countries have the same cyber laws.
“States are in a position to regulate cyber actors and activities within their geographical borders: to enact legislation, such as laws criminalizing unauthorized access to computer systems or the propagation of malware, laws requiring Internet service providers to assure the security of their services, laws forcing critical infrastructure operators to share information about security breaches with the government, etc.,” Vihul wrote.
Regardless of how difficult attribution may be and how widely the laws vary, the location of cyber adversaries will always be important.
“If something is taking action, whether it’s a machine or a human on the other end, it actually exists somewhere, and then it’s up to you to figure out where,” Jonas said.
Featured image: The 24th Air Force legal team raises awareness on cyber law. Photo credit: U.S. Air Force Tech. Sgt. Scott McNabb