At a glance.
- "Threats to use force" are also a problem, under the UN Charter.
- Initial US response to Holiday Bear shows continuity in US policy over three Administrations.
- Industry resistance to proposed US breach disclosure rules.
Under what conditions should hacks be construed as “threats to use force?”
Lawfare considers when cyber operations constitute threats of force, an “underutilized” designation “in the international legal arsenal,” given the UN Charter’s prohibition on both using and intimating force. (What counts as a use of force in the cyber domain has, as we’ve seen, received much legal and scholarly attention.)
Threats to use force don’t need to be explicit, but they must suggest an action that would meet the criteria for an illegal use of force. Espionage operations aren’t necessarily in the clear; context, patterns, and capabilities matter. Surveilling critical infrastructure, for example, or installing backdoors could portend future attacks. And unlike military demonstrations, which sometimes qualify as threats of force, hacks occur on sovereign territory and are often indistinguishable from staging.
Lawfare thinks this concept “may yet have an important role to play in regulating state and state-sponsored cyber operations.”
Continuity in US policy as the first phase in a response to Russia.
SecurityWeek reports that President Biden has followed President Trump’s lead in extending President Obama’s 2015 Executive Order (EO) allowing property sanctions in response to cyberattacks. In announcing the decision, the Administration noted that foreign-sponsored attacks “continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”
Meanwhile, some organizations are encouraging the Administration to take a softer tone with Russia in the interest of nuclear arms control, according to The Hill. Nearly thirty groups, including Blue America and Demand Progress, have called on the President “to stop participating in…reckless rhetorical exchanges.” Progressive Democrats of America’s leadership commented, “We have no patience for Cold War saber-rattling, let alone nuclear brinkmanship” and “zero interest in a bellicose foreign policy towards Putin.”
US breach disclosure rules may encounter industry resistance.
FCW says President Biden’s forthcoming EO on incident reporting and related bills promised by three members of Congress deal with “incredibly contentious” matters, according to a Center for Strategic and International Studies (CSIS) director.
Industry concerns center on liability exposure, protecting trade secrets, and the appropriate threshold for disclosure. A government official explained the worries as follows: “I think the biggest challenge for industry is going to be what is shared -- with whom -- and then what's going to be done with whatever is shared.” (Another CSIS director suggested that vendors issue regular digests of breach attempts and detailed reports of successful hacks.) While the EO could face legal contests, legislation may run into jurisdictional problems, since numerous committees are invested in the issue.