Back in 2010, my colleague Duncan Hollis and I wrote a short op-ed for the National Law Journal sketching out the idea that international law should recognize a “duty to assist” – similar to the duty, under maritime law, to respond immediately upon receiving a “SOS” from another vessel – countries that have been the subject of a systematic and sustained “cyber-attack.” [Hollis went on to give the idea a much more thorough and thoughtful treatment in the Harv. J. of Int'l Law, available here]. The idea, at bottom, is fairly straightforward:
[I]nternational law needs a new norm for cybersecurity: a duty to assist, or DTA. DTAs are not themselves novel, nor do they require identifying bad actors to operate. They work by requiring assistance for victims facing emergent and serious harm. The most well known example—the SOS—does this by providing a universal maritime distress call and requiring vessels that hear it to “proceed with all speed” to provide whatever assistance they can. Depending on the context, other DTAs vary in terms of which victims can call for help, when they can do so, who must provide help, and what help those assisting must give. In all cases, the goal is the same: mitigate or avoid unwanted harm to life or property.
As yet, there is no DTA for the Internet. But an SOS for cyberspace, an e-SOS, could both regulate and deter the most severe cyberthreats. Unlike proscriptive approaches, a DTA would not require attribution to function effectively; those facing harm would not need to know if it came from a cyberattack, let alone who launched it. A DTA would seek to redress unwanted harms directly, whatever their cause. It would do so by marshaling sufficient resources to avoid or at least mitigate that harm as much as possible. If it does so effectively, attackers may think twice about whether it is worth the effort to attack at all.
It’s hardly a panacea, or even a full strategy, for dealing with the problem – but as a first step, it seemed to me then (and seems to me now) to be an important component of any such strategy. It avoids, critically, the need to identify the source of the attack, or the difficult question(s) surrounding the characterization of the attack (is it “war”? “criminal activity”? industrial espionage? etc.) which can, under current principles of international law, have a substantial impact on the permissible nature of the response. It is, simply, a device to mitigate the damage that such an attack could cause, by means of collective action to assist the target in recovering lost information and fending off additional debilitating commands.
So I was interested to note that at the upcoming NATO meeting, according to the Times, the 28 member States are “expected to ratify what seems, at first glance, a far-reaching change in the organization’s mission of collective defense: For the first time, a cyberattack on any of the 28 NATO nations could be declared an attack on all of them, much like a ground invasion or an airborne bombing.” It’s a start, at least.