Sending out an SOS in Cyberspace

Duncan Hollis & David Post
April, 2010
On January 1, 2009, an Indian oil tanker found itself under attack by machine gun fire
from pirates off the coast of Somalia. he ship!s captain sent out an SOS. " #alaysian
frigate heard the call and immediately responded, sending a helicopter to the scene. On
its arri$al, the pirates fled and the tankers! cre% escaped unharmed. he SOS sa$ed both
li$es and property. It %orked because for more than a century international la% has
clearly re&uired all those recei$ing an SOS signal to 'proceed %ith all possible speed( to
render assistance. oday, similar legal duties abound)%hat %e might call a 'duties to
assist()%hether in response to a pilot!s #ayday call, distress signals or emergency
numbers.
"s yet, ho%e$er, there is no SOS for the Internet. #ost companies and go$ernments are
reluctant to e$en admit the e*istence of a cyberattack, let alone ask others for assistance.
" defensi$e mindset predominates. +ictims focus their time and money on building
thicker security %alls in hopes of repelling further attacks. ,oogle!s recent disclosures,
ho%e$er, demonstrate that this defense-only strategy is insufficient. .y its o%n
admission, ,oogle failed to stop attacks from /hina on not only its infrastructure but also
the e-mail accounts of $arious /hinese human-rights ad$ocates. he fact that the great
,oogle could not defend itself suggests that cyberspace needs a duty to assist those %ho
ask for help.
/yberspace is not real space. 0or is a cyberattack akin to a physical attack. .ut as the
%orld!s dependence on information net%orks gro%s, cyberattacks can and %ill do great
harm. 1hen hackers marshaled a million computers to block access to 2stonian
computer net%orks in 2003, they took do%n emergency phone lines and fro4e online
ser$ices for the go$ernment, banks, uni$ersities and hospitals. oday, cyberattacks
repeatedly compromise communications, %hether among /hinese human rights acti$ists,
Iranian dissidents, or 5.S. 6efense 6epartment officials. 6o4ens of militaries ha$e
assembled cyberforces, not simply to defend against cyberattacks, but to launch them as
%ell. Indeed, /hina!s military remains the chief suspect in the ,oogle attacks. 2*perts
fear a future %here cyberattacks %ill disable anything from po%er grids to stock
e*changes.
7o% %ould a duty to assist deal %ith such risks8 If nations could agree 9%hether by
treaty or by customary practice: that anyone %ho can help must do so, it %ould pro$ide a
much needed first principle for cyberattacks. "t present, there is no agreement on %hat
rules go$ern these attacks. /riminal la%s sometimes apply, but if attacks come from
military sources, la%-enforcement methods %ill not %ork. he la%s of %ar may then
apply, but e*perts disagree on ho% to translate those rules into cyberspace. "nd e$en if
%e could agree on ho% to apply e*isting rules, they are unlikely to do much good.
/yberattacks are generally anonymous. "bsent outside intelligence or luck 9both of
%hich helped ,oogle:, %e %ill rarely kno% %ho launched an attack. .oth criminal la%
and the la%s of %ar, ho%e$er, %ork by regulating the attacker!s conduct. "s long as
technology allo%s cyberattackers to hide their true identity, they can escape the reach of
both sets of rules.
" duty to assist, in contrast, can %ork %ithout identifying the attackers. It focuses instead
on minimi4ing the attack!s effects. " $ictim %ould send out a distress call)an Internet
SOS)and all those in a position to pro$ide assistance)%hether go$ernments or pri$ate
actors)%ould ha$e an obligation to respond. 7elp could come in many forms. If
attackers denied ser$ice to a computer resource, internet ser$ice pro$iders could pro$ide
additional band%idth. If an attack crossed through a nation!s territory, that nation!s
go$ernment %ould ha$e to deny attackers further use of its information net%orks and
help trace the attack to its true origins.
" great deal of informal assistance already occurs in the aftermath of a cyberattack. .ut
no matter ho% robust, aid only comes from those %ho decide they ha$e the time,
resources, or interest to help. " duty to assist, in contrast, %ould mandate aid from all
&uarters. In 2003, %hen 2stonia asked ;ussia to cease attacks it belie$ed originated from
%ithin ;ussian territory, the ;ussian go$ernment refused by suggesting the attacks could
ha$e originated else%here. If it accepts an international obligation to assist, ;ussia
%ould no longer ha$e such e*cuses. Similarly, ,oogle could demand that /hina aid,
rather than resist, its efforts to undo damage from recent attacks. Of course, sometimes a
go$ernment might actually be the attacker. .ut if go$ernments like /hina agree in
ad$ance to a duty to assist, they might not attack in the first place. "fter all, %hy make a
mess you!ll ha$e to clean up e$en if no one kno%s you!re responsible8 In a %orld %here
%e cannot hold attackers accountable, the best %e can hope for is to minimi4e the harm
from cyberattacks so attackers think t%ice about %hether it!s %orth the effort to attack at
all. "nd minimi4ing the harm is e*actly %hat a duty to assist should do.
<a% has long-$alued rights of self-reliance and self-defense. " ship and its cre% can go
it alone most of the time, but the SOS is there %hen they need it. Similarly, companies
and go$ernments %ill often be able to defend their o%n computer net%orks, but that does
not mean the la% cannot step in cases %here those efforts fail. Of course, countries must
elaborate more precisely %ho can call for help, %hen they can do so, and %hat assistance
others must render. 1hate$er its details though, go$ernments, companies, and
indi$iduals should be able to kno% that %hen they make that call for help, it %ill come.
Duncan B. Hollis and David Post are on the Faculty of the Beasley School of Law at
Temple University.

Sign up to vote on this title
UsefulNot useful