Thousands of years ago, the Greeks created rules for sailing the high seas. Those rules have become what is known today as maritime law — regulations that govern travel through international waters.
And some experts say it’s time for that same level of international cooperation for cyber security rules. What happens if an attack occurs, and the server is in Estonia or Iran? Whose responsibility is it to track the criminals down, and what punishment should be set for them?
Cyber law is still in its infancy and many of the rules are undefined — mostly because of the speed of innovation in technology. Cyber technology is moving faster than laws can keep up, and cyber criminals of all stripes are getting away with vast fortunes. Even in the United States rules are still uncertain and outdated, and there’s very little international consensus on what to do about cyber attacks.
“During the Cold War, there was an understanding: ‘Don’t do to me what you don’t want me to do to you,’” said William Parker, special international affairs adviser at the Space Foundation. “And it worked. No one set off a nuclear bomb. The Russians knew we’d retaliate. Unfortunately, that underpinning isn’t as solid as it once was.”
That’s because cyber attacks come from nation states, from terrorists, from organized crime and from “hackivists,” people who hack into networks in order to push a political agenda. It’s hard to track them down because they can hide behind servers in every corner of the globe.
Rep. Patrick Meehan, a Republican from Pennsylvania who is chairman of the House subcommittee on cyber security, infrastructure protection and security technologies, says first the United States has to pass a set of laws to make sure it is doing all it can to fight against outside cyber threats.
“We need a public-private partnership,” he said. “We need to be able to share information from companies to the government and back.”
And, he said, companies need to trust that the government won’t use their intellectual property, trade secrets or other information to make it harder to do business.
“We need to know who’s being attacked, and why,” he said. “And companies are reluctant to share that information with each other, and with the federal government.”
Meehan’s committee is working on bipartisan legislation to be introduced in the upcoming year. The goal is to make sure there’s an ability to share crucial information about attacks across all sectors.
“We also need to remove legal and fiduciary roadblocks,” he said. “Our laws are unclear, are too archaic to provide industry with ways not only to share information, but to protect their secrets. And we need to share the information if we want to start to understand the threats.”
Companies sharing cyber information should also be free from intrusion from local law enforcement, he said.
“I was talking to the CEO of a defense company,” he said. “And he reminded me that if five CEOs meet in an elevator, they’re subject to antitrust threats. We need a way we can all work together in real time without those concerns.”
And if U.S. law is murky, international cyber law is foggier still. Just as the Greeks sought to halt piracy on the high seas, the U.S. and its allies are trying to work together to stop cyber attacks across military networks.
And that gets complicated.
“For instance, we might have two partners,” said German Air Force Col. Jorg Dronia. “And one might shut down a hacker website. But the other partner might have been exploiting that website for information. If we don’t really share the information, we could cause problems for our partners and allies.”
It might be too much to wish for an overarching international law to address cyber security, he said.
“Everyone on the planet has a computer, a laptop, a mobile phone, a netbook, a pad of some sort,” he said. “That’s asking 7 billion people to sign on to rules. It’s impossible.”
Law in its infancy
It’s just too early in the process, said Doug DePeppe, principal at i2 Information Security and co-founder of the Western Cyber Exchange.
“We’re in a period of revolutionary change,” he said. “And there’s an imbalance that hasn’t yet been corrected. We’re waiting on the law-and-order frameworks to catch up. It’s the modern equivalent of the raging hordes of Genghis Khan or the Barbary pirates.”
Countries are still working on their response to cyber pirates, who steal bank numbers and credit card passwords, but still wreak financial havoc on countries.
“Hacking wasn’t a problem when we had dial-up,” he said. “But now, the Internet is fast and it’s everywhere. Cyber criminals and nation state actors have the advantage.”
It’s time, he said, to change the legal frameworks and restructure the laws that hinder tracking down cyber criminals.
“That’s the law of armed conflicts,” he said. “It’s used to correct imbalances, and we need to adjust to the current imbalance.”