'Legal Obligations of States Directly Affected by Cyber-Incidents' by Oren Gross in (2015) 48
Cornell International Law Journal comments
Much has been written in recent years about cyberspace as a new domain for warfare. The magnitude of the threats cannot be underestimated. Cyber attacks can disable whole countries (e.g., Estonia) as well as companies (e.g., Sony) and cyber-security incidents in sectors such as communications, finance, transportation and utilities can have catastrophic consequences.
The discussion to date has tended to focus on two common conceptions. First, regardless of the failure to arrive at widely accepted definitions of terms such as cyber “crime,” cyber “espionage,” cyber “attacks” and cyber “warfare,” they have mostly been regarded as willfully perpetrated, pre-meditated and intentional. Second, existing literature (certainly legal literature) has focused exclusively on the legal obligations of, and possible sanctions against, states and non-state actors that orchestrated cyber attacks.
In this article I offer radically different perspectives on both counts. First, the article recognizes that the harm to both computer networks and physical systems interconnected with them may be as catastrophic when the source of damage is not intentional but rather the result of human error or conventional threats. Second, I offer the first exploration and analysis of possible obligations that may be imposed not on the state (or non-state actor) that originated the attack, but rather on the directly affected state, i.e., the state that is the target of the attack or the cyber incident. I argue that imposing legal and technological responsibilities on the state that has been exposed to a cyber incident is warranted both as a matter of conceptualizing state sovereignty and due to the state’s various obligations to other states and the global community.
Thus, the article canvasses the possible bases for, and scope of, responsibilities that may be borne by states that are directly affected by cyber-security incidents before, during and after a cyber-security incident materializes.