Cyberwar and Cyberspace

International Cybertorts: Expanding State Accountability in Cyberspace 

103 Cornell L. Rev. (forthcoming 2018)

The Sony and DNC hacks exposed a significant gap in the international law of cyberspace: there is no mechanism for holding states accountable for the injuries associated with their costly and invasive cyberoperations. International law lacks a vocabulary for certain kinds of harmful acts in cyberspace, and in the absence of appropriate terminology and legal guidelines, victim states have few effective and non-escalatory responses to these increasingly common and harmful cyberoperations.

This article constructs a comprehensive regime of state accountability for harmful actions in cyberspace, grounded in both state liability for acts with injurious consequences and in state responsibility for internationally wrongful acts. First, this Article identifies a new class of cyberoperations—transnational cybertorts—and distinguishes them from transnational cybercrime, cyberespionage, and cyberwarfare based on the nature and scope of their respective harms. Second, it discusses the special case of cyberintervention and the importance of developing cyber-specific rules regarding the age-old prohibition on coercive interference. In addition to permitting the construction of tailored and non-escalatory remedies, this approach suggests new solutions to long-vexing issues, such as how to categorize data destruction attacks and better deter cyberespionage.

The Law of Cyber-Attack

100 Calif. L. Rev. 817 (2012) (with Oona A. Hathaway, Philip Levitz, Haley Nix, Aileen Nowlan, William Perdue, and Julia Spiegel)

Cyber-attacks pose a growing threat to national security and international peace. However, while often addressed in the context of humanitarian law, cyber-attacks bear little resemblance to traditional forms of warfare. This article clarifies the definition of cyber-attack and describes how such attacks are currently regulated under the law of war, international treaties, and domestic criminal law. Concluding that existing legal regimes address only a small fraction of potential challenges raised by cyber-attacks, this article proposes how international and domestic law might be adapted or created to more effectively regulate them.