Legal Considerations Raised by the U.S. Cyberspace Solarium Commission Report
What are the U.S. domestic and international legal issues that would come with carrying out the Commission’s recommendations?
Published by The Lawfare Institute
Editor's note: This article is part of a series of articles by analysts involved in the Cyberspace Solarium Commission, among others, highlighting and commenting upon aspects of the commission's findings and conclusions.
To cope with the coronavirus crisis, Americans rely more than ever before on information and communications technology to stay connected, do our jobs, see our families and live fulfilling lives. But this shift has come with a significant increase in cybersecurity and data privacy risk. One recent study estimates that remote work increased 70 percent between February and April this year, with a near 150 percent increase in ransomware attacks in March over baseline levels the previous month. In particular, China has engaged in cyber espionage against U.S. companies’ intellectual property in the race to develop a coronavirus vaccine. Meanwhile, numerous alerts from around the world have warned of malicious threat actors targeting hospitals and health care organizations with ransomware. Technological interconnectedness has fueled much of our progress in the twenty-first century. But among the more critical lessons we have learned from the coronavirus pandemic is that both public- and private-sector infrastructure are far too vulnerable to cyberattacks—and do not always possess the necessary resilience to recover quickly.
In March 2020, a government commission led by sitting legislators, executive branch officials and representatives from the private sector released a blueprint for enhancing America’s cyber resilience and preventing a significant cyberattack. The U.S. Cyberspace Solarium Commission was established by the 2019 National Defense Authorization Act to “develop a consensus on a strategic approach to defending the United States ... against cyber attacks of significant consequences.” The commission’s final report, as well as its recent white paper developed to account for new issues raised by the pandemic, present a comprehensive and expansive series of recommendations and corresponding legislative proposals that are intended to dramatically improve the cybersecurity posture of the U.S. government, economy and civil society.
The totality of the commission’s recommendations is designed to meet the goal of developing a strategy of “layered cyber deterrence”—namely, one that emphasizes national and international resilience and public-private collaboration. The recommendations’ short-term goal is to prevent or mitigate the effects of major cyberattacks; the long-term goal is to create a digital environment that is safe and stable, promotes continued innovation and economic growth, protects personal privacy, and ensures national security. These objectives underpin all of the commission’s recommendations—from reforming the U.S. government’s cyber incident response structure and capabilities, to promoting national resilience against cyber-enabled operations, reshaping the cyber ecosystem toward greater security, and mobilizing the private sector to collaborate with the U.S. government in addressing cyber threats.
We are serving on a pro bono basis as counsel to the Cyberspace Solarium Commission for cybersecurity and national security law. Our role has been limited to legal guidance, and not to the development or endorsement of policy positions or related legislative proposals. Below, we highlight some of the key U.S. domestic and international legal issues raised by certain commission recommendations, including considerations that both lawmakers and the private sector may face as they work to implement the commission’s vision.
Legal Considerations Under U.S. Domestic Law
Many of the commission’s recommendations implicate key questions under U.S. domestic law. For example, the commission sets out important recommendations regarding the duty of care applicable to connected/digital products. Specifically, Recommendation 4.2 calls for establishing tort liability for “final goods assemblers” of software, hardware and firmware for damages arising from the exploitation of known and unpatched vulnerabilities.
As it currently stands in U.S. law, there is no clearly developed federal statutory framework for establishing liability for security vulnerabilities in software, hardware or firmware. The Federal Trade Commission (FTC)—as the primary regulator of cybersecurity practices that affect American consumers—enforces cybersecurity standards principally through its authority under Section 5 of the Federal Trade Commission Act, which prohibits “unfair” and “deceptive” practices against consumers. Selling products with known security vulnerabilities that could cause consumers harm would likely constitute an unfair practice. For example, in one enforcement action, the FTC alleged that a manufacturer produced and sold routers with features that contained multiple security vulnerabilities. These vulnerabilities “would allow attackers to gain unauthorized access to consumers’ files and router login credentials.” Since 2002, the FTC has brought more than 70 enforcement actions directed at data security practices, and it is poised to remain the key federal regulator in this space.
Beyond regulatory investigations by the FTC, however, it is also currently possible that the failure to prevent or warn customers about security vulnerabilities in software could, in cases of exploitation, give rise to state tort liability under a negligence theory. But at present, courts have been reluctant to conclude that the existence of a security vulnerability can, on its own, give rise to the injury-in-fact sufficient to establish standing under Article III. For example, in one recent case a district court found that plaintiffs lacked the injury-in-fact necessary for Article III standing, where plaintiffs failed to show a concrete or monetary harm stemming from two distinct vulnerabilities in Intel chips, generally known in the industry as “Spectre” and “Meltdown.” The court noted that the plaintiffs had failed to allege what “adequate measures” Intel could have reasonably been expected to take to remedy the problem. In the context of an actual data breach, the U.S. Courts of Appeals for the First, Third, Fourth and Eighth Circuits have ruled that allegations of “an increased risk of identity theft” and even expenditure of funds to mitigate such risks after a data breach do not satisfy constitutional standing requirements in the absence of actual harm. However, the Sixth, Seventh and Ninth Circuits have concluded that a substantial risk of future harm arising from a data breach, combined with costs to mitigate that risk, is sufficient to satisfy Article III.
Other actions based on cybersecurity failings are also possible under existing U.S. law. For example, in the context of software provided to the government, consumer plaintiffs prevailed under the False Claims Act on a motion to dismiss regarding an alleged failure to meet certain cybersecurity requirements. These arguments and cases do not all neatly map onto the security vulnerability scenarios that the commission envisions, but they have provided plenty of fodder for courts to advance jurisprudence in this nascent space.
Recognizing the dangers presented by vulnerabilities in connected products and the lack of a uniform approach at the federal level, the commission’s recommendation to establish statutory liability would, if enacted into law, make companies at the end of the supply chain liable for damages from cyber incidents that exploit known vulnerabilities that were and remain unpatched. Such a law would constitute a novel departure from the presently underdeveloped legal landscape described above. From the commission’s perspective, final goods assemblers are best positioned in the supply chain to identify vulnerabilities and fix them, and thus should be the ones to whom customers turn when a problem arises.
The commission has made other recommendations that likewise implicate key questions under domestic law for connected devices. In light of the pandemic, the commission recently released an additional white paper with new and expanded recommendations for Congress to consider, including an “internet of things” (IoT) security law that would mandate that such devices bake in “reasonable security measures” such as “requiring unique default passwords that a user must change to their own authentication mechanism upon first use.” The commission recommends implementing a law that is “modestly prescriptive” but still stresses “enduring standards” for key security issues, including authentication and patching.
Currently, enforcement of IoT security relies on a patchwork of guidelines and authorities. California, for example, became the first state in the nation to pass an IoT security law, which came into effect on Jan. 1 and requires all “connected devices” sold or offered in California to have “reasonable security” measures, including features designed to protect against “unauthorized access, destruction, use, modification, or disclosure.” Oregon passed a similar law but limits its definition of “connected devices” to those devices “used primarily for personal, family or household purposes.”
In the absence of federal legislation, and as noted above, the FTC has also stepped in to help better secure IoT devices in a handful of cases, requiring companies to establish and maintain comprehensive security programs, subject to independent audits. A bill introduced by Sens. Mark Warner and Cory Gardner in 2019, and cited by the commission as a “viable model for a federal law,” would spur the development of security standards for IoT devices used by the federal government. That said, the commission’s recommendation for a law mandating security expectations for all IoT devices is certainly broader and would have widespread ramifications for manufacturers across numerous economic sectors. Should such a law ultimately be enacted, both the private sector and, likely, courts would need to wrestle with how to define and scope this duty of care and demonstrate that it has been implemented.
Another key commission recommendation (Rec. 5.1) is to codify the concept of systemically important critical infrastructure (SICI) and specify the U.S. government support such entities can receive, along with the “additional security requirements” they are expected to follow. This recommendation builds on Section 9 of President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which outlines guidance on a process to designate, identify, and assist certain entities at risk of a cyberattack that “could reasonably result in catastrophic regional or national effects.” In May 2017, President Trump signed Executive Order 13800, affirming Section 9 designations as an important element of the federal government’s cybersecurity strategy. Under the current framework, one of the main benefits of being classified as a Section 9 entity is potential access to expedited processing of employee security clearances through the Department of Homeland Security’s Private Sector Clearance Program. Such entities may also be “prioritized for routine and incident-driven cyber technical assistance activities offered by [the Department of Homeland Security] and other agencies.” Yet, the commission notes that while Section 9 of Executive Order 13636 affirms the importance of protecting critical infrastructure against cyberattack, it stops short of creating “new [federal] requirements, resources, or authorities to support SICI” or “additional expectations on the [private-sector] entities that receive it.”
Under the commission’s proposed recommendation (and as developed further in the recently released legislative proposal), SICI entities would be required to participate in government programs related to information sharing and “national risk identification and assessment efforts.” Such entities would also be expected to adhere to a new “Security Certification” that would entail “common and sector-specific standards and expectations for the governance and execution of security operations.” In addition to meeting these new expectations, SICI entities would also be eligible for certain potentially significant benefits. Perhaps most notably, SICI entities in “good-faith compliance” with their security requirements “would be shielded from liability in instances when covered systems and assets are targeted, attacked, compromised, or disrupted through a cyberattack by a nation-state, designated transnational criminal group, or terrorist organization.” Such a liability shield would be of immense value to the private sector and would, if passed, be the subject of extensive analysis and discussion, including comparison to analogous protections the government already provides in other contexts, such as terrorism. SICI designations would be a subject of intense interest as companies weigh the benefits and risks associated with such added responsibility and consider how such a program could augment or mitigate the legal and business risks they face from significant cyberattacks.
Legal Considerations Under International Law
Apart from domestic regulatory and legislative recommendations, the Cyberspace Solarium Commission also sets out an overarching strategy for managing and preventing cyber conflict. Specifically, the commission defines a strategy of “layered cyber deterrence” to “increase the costs and decrease the benefits that adversaries anticipate when planning cyberattacks against American interests.” It is within this strategic framework that the commission’s report approaches the concept of “defend forward,” defining it as “[t]he proactive observing, pursuing, and countering of adversary operations and imposing of costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all of the instruments of national power.” (The commission describes this as a “reimagining and expansion” of the 2018 Defense Department definition of “defend forward,” which is to “disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”) These activities will no doubt vary along a continuum of activity ranging from intelligence collection and reconnaissance to potential disruption and active-defense measures. But, as we note below, depending on how this strategy is implemented, certain activities that “disrupt and defeat ongoing malicious adversary cyber campaigns” beyond U.S. borders may come into tension with U.S. obligations under international law.
The international law applicable to state cyber operations remains unsettled. Moreover, as the U.S. Department of Defense notes in its Law of War Manual, elements of the law of war potentially applicable to cyber operations may change as states evaluate and respond to new cyber capabilities. The vast majority of state-sponsored cyber activities consist of frequent, yet low-level intrusions that fall below the threshold of “use of force” under Article 2(4) of the U.N. Charter. Below this threshold, where the activities encompassed by the “defend forward” concept would most likely occur, international law principles and frameworks potentially relevant to state cyber activities include the nonintervention principle, the doctrine of countermeasures and the principle of state sovereignty.
First, the nonintervention principle, as reflected in the U.N. General Assembly’s Friendly Relations Declaration and the International Court of Justice’s Nicaragua judgment, prohibits states from intervening by coercive means in a way that affects a state’s domaine réservé (essential functions internal to a state’s domestic jurisdiction). There is some debate as to the level of state behavior required to meet this threshold and thereby violate the nonintervention principle. Arguably, it could include state cyber activity that impacts a public transportation system or that tampers with electoral infrastructure, for example.
Second, the doctrine of countermeasures is also potentially applicable in the context of the commission’s recommended strategies for deterring and managing cyber conflict. Countermeasures allow a state that is the victim of an internationally wrongful act to take actions intended to bring a state that is breaching an international obligation back in line with such legal obligations, even if that action would ordinarily violate international law. That action must be necessary and proportionate, and designed to cause the state to comply with its obligations, rather than exact a punishment or serve as retaliation. Of course, defend-forward operations that neither violate the nonintervention principle, nor other international obligations, need not be justified as countermeasures.
Since countermeasures are to be directed at an offending state, confidence in attributing cyber operations could play a particularly important role. Not only might uncertainty about attribution stand in the way of taking action under this doctrine, but it also may lead some states to question the legitimacy of the countermeasure and regard it, instead, as an internationally wrongful act. The commission’s report likewise stresses the importance of attribution, noting that “challenges in establishing timely and accurate attribution can weaken cyber deterrence by generating doubt about the identity of the perpetrator of a cyberattack and undermining the credibility of response options.”
One recent incident illustrates increased international capabilities and willingness to attribute specific cyberattacks to specific actors. In October 2019, a large cyberattack took thousands of websites offline, including websites of government agencies, in the country of Georgia. In response, multiple states, including Georgia, the United States and the U.K., as well as the EU, publicly attributed the attack to the Russian GRU—the same group responsible for the 2017 NotPetya cyberattack, as well as the attack on Ukraine’s electricity grid in 2015. The commission’s structural recommendations and recent legislative proposals, including the proposed Bureau of Cyberspace Security and Emerging Technologies within the Department of State, would, in part, work with key allies and partners to enhance multilateral cooperation, strengthen deterrence, and promote responsible state behavior in cyberspace, including through coordinated public attribution and the imposition of consequences.
Finally, with regard to state sovereignty, there are differing views as to whether sovereignty is a principle or a rule under international law. Whereas the Tallinn Manual and Tallinn Manual 2.0 approached sovereignty as both a principle of international law and a rule of international law, U.K. Attorney General Jeremy Wright took a different approach, noting that:
“[s]overeignty is of course fundamental to the international rules-based system. But I am not persuaded that we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention. The UK government’s position is therefore that there is no such rule as a matter of current international law.”
As of today, the U.S. Department of Defense’s perspective appears to have been articulated by Department of Defense General Counsel Paul C. Ney Jr., who has claimed that “States have sovereignty over the information and communications technology infrastructure within their territory.” Ney also explained, however, that “the [Defense] Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits … non-consensual cyber operations in another State’s territory.”
Even viewing sovereignty as a rule, the question remains as to what constitutes a violation of state sovereignty in cyberspace and whether such a violation would require some threshold impact—whether physical or virtual. If a threshold impact is required, then only those incursions that cause an impact above a “de minimis” threshold would constitute violations of sovereignty. In contrast, the French Ministry for the Armed Forces apparently holds that “any unauthorized penetration by a State ... may constitute, at the least, a breach of sovereignty.” Whether the French Ministry for the Armed Forces equates this breach of sovereignty with a breach of international law is unclear, as is whether this is the perspective of the French government more broadly. In 2016, the Obama administration’s State Department legal adviser noted the practical difficulties with this approach, namely that “[t]he very design of the Internet may lead to some encroachment on other sovereign jurisdictions.”
Ultimately, there is a potential tension between certain defend-forward operations and norms of responsible state behavior in cyberspace regarded as rooted in the principles of state sovereignty and nonintervention. It is worth noting in this context, though, that the commission’s work has been consciously informed by principles of international law and expertise regarding how defend-forward operations could be undertaken in practice. In discussing the imposition of costs on adversaries in cyberspace, for example, the commission notes that “[t]his posture implies persistent engagement with adversaries as part of an overall integrated effort to apply every authority, access, and capability possible ... to the defense of cyberspace in a manner consistent with international law.” Although there may be challenges in executing proactive cyber activities in practice, the commission’s recommendations do not reflect a fundamental departure from the historic U.S. interpretation of international law principles. The commission readily confirms that U.S. strategy should be “consistent with norms of acceptable behavior defined by the United States and like-minded nations with a shared global interest in a stable cyberspace.” The commission recognizes that this area of law is still unsettled and that the majority of states may not agree on where international law stands with respect to a given cyber operation. The commission, accordingly, maintains the view that “norms of acceptable behavior will not emerge unless the United States is willing to act, in concert with allies whenever possible, to impose meaningful costs on bad actors in cyberspace to change their behavior.”
Conclusion
The coronavirus pandemic has shed light on the critical importance of building defense and resilience in our infrastructure. That lesson is just as crucial in cyberspace as it is in public health. Our society is completely reliant on a cyberspace infrastructure that currently faces systemic and widespread vulnerabilities. The commission recognizes that a significant attack could strain and potentially overwhelm this foundation of our society, economy and national security. The recommendations of the Cyberspace Solarium Commission seek to chart a course for investing more—and more smartly—in those areas that will be important to U.S. success and survival in the twenty-first century. These recommendations will present new and, in some cases, untested legal issues, while striving to reshape the governance of our digital economy.