Everyone seems to be talking about private sector active defenses these days — but we all seem to be focused on domestic American law (witness the debate between Stewart Baker and Orin Kerr). That got me to thinking — what about international law and the law of other nations? The result is this short academic paper that I’ve just posted on SSRN — International Law and Private Actor Active Cyber Defensive Measures. Here’s the abstract:
American legal theorists and policy analysts are increasingly considering whether it would be appropriate to authorize private sector actors to take active measures in their own cyber self-defense, a concept known colloquially as “hack back.” But none, to date, have given any consideration to how authorized American hack back might implicate international law. This short article seeks to fill that gap with some preliminary thoughts regarding the application of non-American law to American private sector hack back. The fundamental conclusions are two-fold: 1) To the extent any customary international law exists at all it is likely to discourage private sector self-help outside the framework of state-sponsored action; and 2) Almost certainly, hack back by an American private sector actor will violate the domestic law of the country where a non-US computer or server is located. In light of these twin conclusions, American companies considering offensive cyber operations would do well to proceed with caution.
The paper is still a work in progress, scheduled for publication in the Stanford Journal of International Law later this year, so any constructive feedback is most welcome.