In statements on the Sony hack on Friday, both Secretary of State John Kerry and President Obama highlighted the need to develop norms for state behavior in cyberspace. Tying the need for norm development to a cyber attack that the FBI has attributed to North Korea may seem a bit paradoxical. North Korea has shown itself willing to violate non-cyber international norms and law (see examples here and here), so it’s hard to imagine it would have felt restrained by cyber norms. However, norm development may be important for building the case internationally for the legality of a U.S. response, and that response in turn can help to spur solidification of international norms that the United States seeks.
In his end-of-year press conference, President Obama addressed the Sony hack in some detail and then explained:
More broadly, . . . this points to the need for us to work with the international community to start setting up some very clear rules of the road in terms of how the Internet and cyber operates. Right now, it’s sort of the Wild West. And part of the problem is, is you’ve got weak states that can engage in these kinds of attacks, you’ve got non-state actors that can do enormous damage. That’s part of what makes this issue of cybersecurity so urgent.
Secretary of State John Kerry sounded a similar theme. After condemning the attack and highlighting its freedom of expression implications, Kerry stated:
These lawless acts of intimidation demonstrate North Korea’s flagrant disregard for international norms. Threats in cyberspace pose one of the greatest national security challenges to the United States, and North Korea’s actions – intended to inflict significant economic damage and suppress free speech – are well beyond the bounds of acceptable state behavior in cyberspace. This provocative and unprecedented attack and subsequent threats only strengthen our resolve to continue to work with partners around the world to strengthen cybersecurity, promote norms of acceptable state behavior, uphold freedom of expression, and ensure that the Internet remains open, interoperable, secure and reliable. We encourage our allies and partners to stand with us as we defend the values of all of our people in the face of state-sponsored intimidation.
If North Korea already engages in “flagrant disregard” of norms, why push norms now? Short answer: because the United States would benefit from international support for or at least acquiescence in its own response to the Sony hack. President Obama pledged that the United States “will respond proportionally, and we’ll respond in a place and time and manner that we choose.” As the N.Y. Times has noted, “If he makes good on it, it would be the first time the United States has been known to retaliate for a destructive cyberattack on American soil or to have explicitly accused the leaders of a foreign nation of deliberately damaging American targets, rather than just stealing intellectual property.” When the United States engages in whatever retaliatory action it ultimately decides upon, it will want to avoid dispute over the legality of its actions.
The United States has long had an announced policy of pursuing the development of international norms for cyberspace, and it should seize this opportunity to make progress on developing such norms. In a great post on this blog, Mike Schmitt set out the international legal framework governing potential responses to North Korea, and Ashley Deeks on Lawfare added additional thoughts specifically on countermeasures. The United States can use its response to the Sony hack to build support around the applicability of these frameworks to cyber actions, both as a general matter and on specific questions. For example, in determining the proportionality of countermeasures, Article 51 of the International Law Commission’s Draft Articles on State Responsibility instruct that countermeasures “must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question.” Secretary Kerry’s emphasis on the hack’s interference with free expression suggests that the United States will factor that right into its countermeasures calculations, and how it does so will provide a template for assessing similar attacks and countermeasures in the future.
Although North Korea may not care about the legality of its actions, the United States can and should use the Sony hack to advance international discussions of law for cyberspace.