Protecting the United States from malicious cyber activity and holding the perpetrators accountable has never been more important. The United States was already facing a cybercrime wave before the coronavirus pandemic hit. By the FBI’s account, daily cybercrime complaints have quadrupled during this crisis, as non-state actors look to exploit the pandemic for financial gain and nation-states turn to cybercrime to collect valuable intelligence and steal information related to America’s response to the pandemic. Congress should be taking more action to deal with these threats and impose consequences on the bad actors behind them. Legislators are understandably tempted to enact the Homeland and Cyber Threat Act (H.R. 4189, HACT Act), which would allow private lawsuits against foreign states for alleged unauthorized cyber activity. Yet this response is deeply misguided and would create more problems than it solves.
Litigation against private companies for data breaches resulting from unauthorized access has produced settlements in a number of cases. The HACT Act would allow those same companies, and any national of the United States, to sue the foreign governments that may have played a role in these attacks in U.S. courts. These suits are currently barred by the Foreign Sovereign Immunities Act (FSIA) of 1976, which shields foreign states from suit for their sovereign—but not their commercial—activities. The HACT Act invites reciprocal actions against the United States in foreign courts, as both Democratic and Republican administrations have pointed out in response to other immunity-stripping measures. This bill is especially troubling on that front because of the United States’s own extensive extraterritorial cyber activity. It also ignores the significant technical and capacity hurdles that law enforcement faces in investigating these crimes to begin with, let alone attributing them to foreign governments. Congress should focus on strengthening our law enforcement capabilities to identify, deter and punish cyber criminals rather than opening the litigation floodgates to unproductive civil suits against foreign states.
The Mounting Costs of Cybercrime
Victims of cybercrime and other forms of malicious cyber activity want and deserve justice for the attacks perpetrated against them. They justifiably wonder why they should bear the costs of an attack when one user’s accidental stroke of the keyboard exposes them to malicious cyber activity, even when they have put every safeguard in place. Oftentimes attacks are perpetrated by non-state criminal actors motivated by financial gain, but the coronavirus crisis highlights that the line between cybercriminals and state actors is increasingly blurry. Nation-states employ cybercriminals and cybercrime tools to advance a variety of objectives, including disinformation and espionage. And their victims often face tremendous financial costs as a result. The professional services firm Accenture estimated in 2019 that cybercrime could cost companies $5.2 trillion globally in the next five years. Here in the United States, the public sector alone has paid out millions of dollars as a result of ransomware that holds systems or data hostage. And the situation is only getting worse during the pandemic as malicious cyber actors exploit the fact that more and more people and organizations rely on technology. Victims may also incur a wide range of additional costs, including regulatory fines, litigation and attorney fees, reputational damage, and loss of proprietary information. Victims of malicious cyber activity, like victims of all crime, understandably seek justice and redress for the crimes perpetrated against them.
The think tank Third Way has highlighted the “blame-the-victim” mentality that is often pervasive on Capitol Hill, and among the American public, in response to cyberattacks. Quite regularly, the immediate response is to highlight victims’ failures to protect themselves while rarely questioning the U.S. government’s own inability to bring the perpetrators to justice. Third Way calculates that for every 1,000 cybercrime incidents in the U.S., only three ever result in an arrest. In public opinion polling, Americans say they want policymakers to do more to address this enforcement gap. In circumstances where a foreign state or state-sponsored actor plays a role in committing malicious cyber activity against a U.S. person or entity, individuals and companies have understandably looked for other routes to seek accountability.
The HACT Act was introduced to provide such an avenue for redress and allow these victims to seek compensation for their losses directly from foreign states by using U.S. courts. The legislation comes on the heels of a number of cases in which victims of malicious cyber activity have either attempted to file suit against a foreign state or expressed a desire to do so but are hindered by the FSIA. (For examples, see this on the suit brought by former Republican National Committee Chairman Elliott Broidy against Qatar or this on American military spouses who were targeted by Russian hackers.) The legislation would create an FSIA exception to allow a U.S. national to seek money damages from a foreign government for personal injury, harm to reputation, or damages or losses to property resulting from malicious cyber activity (regardless of whether the activity occurs in the United States). The bill covers broad categories of activity, mirroring a number of the actions currently covered under the Computer Fraud and Abuse Act. This includes everything from unauthorized access to a U.S.-based computer, to damage to computers due to various forms of malicious cyber activity, to the provision of material support for such activity. However, the bill makes no mention of the motivations of the foreign state for such actions and includes no standards for who can authoritatively attribute the harmful activity to a particular foreign state. Notwithstanding these fundamental flaws, the bill currently enjoys broad bipartisan support from a wide range of members across the ideological spectrum—perhaps in part because suits by both Democrats and Republicans against foreign states for cyberattacks have been dismissed under the FSIA.
The Contours of Foreign State Immunity
Under international law, and under the Foreign Sovereign Immunities Act, foreign states and their agencies and instrumentalities are not generally subject to the jurisdiction of U.S. courts. Claims between states, including claims on behalf of individuals, are generally resolved by international negotiations or adjudication, not private litigation. Without sovereign immunity from adjudication, U.S. government actions would be subject to legal proceedings in other countries’ courts. And without immunity from enforcement, U.S. assets worldwide could be subjected to foreign attachment and execution without any ability of the United States to object.
Foreign sovereign immunity is not a gift the United States provides to other countries. The United States relies on its immunity from the jurisdiction of foreign courts to protect U.S. taxpayer dollars from the cost of defending against lawsuits overseas and being forced to pay judgments that it might not think are well founded. To facilitate cross-border commercial transactions, however, the United States and most other countries allow claims to proceed against foreign sovereign defendants if those claims are based on commercial activities with a sufficient connection to the United States. This exception for “commercial activity” is one of a very few enumerated exceptions to sovereign immunity in the FSIA.
Jurisdictional immunity may block private claims from being litigated in court, but it does not prevent claims from proceeding in international tribunals or being settled through diplomatic negotiations. At times, however, victims demand direct judicial remedies. For example, in 1988, the bombing of Pan Am Flight 103 over Lockerbie, Scotland, tragically killed all 259 people on board and 11 on the ground. A joint U.S.-U.K. investigation into the bombing eventually led back to two suspects with alleged ties to Libyan intelligence. Ordinarily, private claims against Libya would be barred in U.S. courts because of the FSIA. In 1996, however, Congress adopted a novel exception to the FSIA for certain claims against state sponsors of terrorism.
In 1979, the United States had officially designated Libya and three other countries as state sponsors of terrorism. Recognizing that the surviving family members of American victims of the Pan Am 103 bombing could not sue Libya for damages because of the FSIA, Congress worked with the family members to provide a new exception for state sponsors of terrorism. New provisions in the Antiterrorism and Effective Death Penalty Act of 1996 did two things: They abrogated immunity for certain acts by designated state sponsors, and they loosened restrictions on attaching and executing upon commercial assets of state sponsors. Congress followed up with the “Flatow Amendment” to provide for punitive damages, which are otherwise unavailable against foreign states. (One of the authors was a staff member of the lead congressional sponsor of the Flatow Amendment and follow-up actions.) These provisions, with a further 2008 update, are now codified at 28 U.S.C. § 1605A and § 1610.
The Libya claimants ultimately received compensation through an out-of-court settlement reached during negotiations conducted by their private attorneys with Libyan representatives, with the blessing of the U.S. and U.K. governments. Later, in 2004, Libya’s cooperation in dismantling its weapons of mass destruction and missile programs led to the release of frozen assets that were used to further compensate Pan Am victims under the terms of the settlement.
In 2016, Congress again amended the FSIA to allow the families of victims of the 9/11 attacks to pursue claims against Saudi Arabia. The Justice Against Sponsors of Terrorism Act (JASTA) essentially creates an exception to immunity for any foreign state whose wrongful act causes an act of international terrorism in the United States, even if that state has not been designated as a state sponsor (which Saudi Arabia has not been). With the sovereign immunity barrier removed, claims against Saudi Arabia are currently being litigated in federal court in New York. In an ironic twist, one of the biggest complications to date has been the unwillingness of the FBI to produce records requested by the plaintiffs, on the grounds that turning over those documents would involve disclosing state secrets and compromise U.S. national security. This evidentiary dispute highlights the need for Congress to consider the potential impact of additional litigation against foreign states on our intelligence operations.
Because of these potential conflicts between private litigation and national security considerations, the executive branch has typically opposed Congress’s steps to carve out novel additional exceptions to foreign state immunity. In 2016, Congress even overrode a presidential veto to enact the JASTA exception. But seeking to further dismantle the FSIA would be a mistake. The foreign policy toolkit for dealing with foreign states whose conduct has harmed U.S. nationals includes diplomatic consequences, financial and trade sanctions, and other strategies. Criminal law can also play a role in securing justice for victims—for example, the two Lockerbie suspects were tried by a Scottish court sitting in the Netherlands, and the United States has recently begun indicting foreign state hackers under domestic criminal law. The ability of the president and the executive branch as a whole to coordinate and calibrate these responses remains critical to achieving U.S. foreign policy and national security priorities. For example, the U.S. could be pursuing negotiations with a foreign government that involve tying restoration of diplomatic ties to steps that country takes to denuclearize or to cooperate in countering terrorism. Allowing unrestrained litigation against that government may be a surefire way to ensure broader U.S. diplomatic and security goals are never achieved.
It is one thing for Congress to subject states to judgments for egregious conduct such as terrorism, which can ultimately form part of a diplomatic settlement. It’s quite another to essentially declare a free-for-all in disregarding traditional principles of sovereign immunity for conduct the U.S. itself engages in, which the trend toward immunity-stripping legislation could eventually threaten to do. Without immunity from adjudication, foreign courts could issue billions of dollars in judgments against the United States. And without immunity from enforcement, those judgments could potentially be enforced against various U.S. assets worldwide. It might seem far-fetched, but each novel immunity-stripping bill takes another step down that path. In certain circumstances, for certain limited types of claims, Congress might decide the trade-offs are worth it. That is far from the case with the HACT Act.
There are other options. While victims’ families understandably want control over the terms of any settlement, the long-standing practice of “diplomatic espousal” allows governments to settle claims on behalf of injured nationals, rather than resorting to domestic courts. This preserves foreign sovereign immunity and enables the executive branch to take into account other foreign policy interests in settling claims. It also promotes the ability to allocate finite resources among multiple claimants instead of simply rewarding the “first to file,” which is what authorizing private lawsuits does by incentivizing a race for the defendant's available assets. Conversely, when the United States is on the receiving end of compensation claims, diplomatic negotiations can produce settlements that take into account the bilateral relationship with the claimant country. Giving private plaintiffs leverage over foreign countries by allowing them to file civil suits undermines these goals. In addition, U.S. taxpayers end up footing the bill when plaintiffs seek to execute against foreign state assets that would otherwise be (or have been) forfeited to the U.S. Treasury or paid to the U.S. as penalties or fines, or where those assets come from legally disputed sources. For example, the Congressional Budget Office estimates that recent modifications to the Victims of State Sponsored Terrorism Fund, which was established to compensate certain U.S. victims of international state-sponsored terrorism, could cost $1.1 billion in U.S. taxpayer funds from various sources over the next decade. Because the sums involved (including provisions for attorneys’ fees) are so much greater than those available for other types of injuries, private attorneys may be disproportionately incentivized to pursue these types of claims instead of others and to lobby for further immunity-stripping provisions. 
If the goal is to make the cost of malicious activity high enough that it would deter the activity in the first place, then this approach often does nothing to advance that objective.
It is understandable that Congress, in representing constituents who have been injured by the egregious actions of foreign states, seeks to provide routes to compensation even in the face of potentially adverse foreign policy consequences. But the better strategy would be to pressure the executive branch to use the tools it has to secure justice for victims without jeopardizing the reciprocal protections the United States receives in foreign courts around the globe, which provides stability for cross-border governmental and commercial activities. Lawmakers should not let the false promise of a “simple” solution to foreign wrongdoing create more problems by directing potentially endless claims to domestic courts.
The HACT Act’s Fatal Flaws
We recognize that Congress is used to hearing concerns from the foreign policy and legal communities about exceptions it has carved out to the FSIA. And it has decided to take action a number of times despite these objections. So what makes our concerns about the HACT Act different?
Even apart from the problems with further eroding the FSIA, the HACT Act is particularly dangerous for three primary reasons. First, the categories of malicious cyber activity covered in this bill are so broad that they would include activity that the United States itself intentionally and legitimately conducts on a regular basis. This would include such actions as accessing a foreign computer “without authorization”—something the United States may regularly do in the course of its intelligence collection or other activities. While the categories of actionable activity may largely correlate with the Computer Fraud and Abuse Act (even though the cause of action would come from state tort law), removing foreign sovereign immunity for these actions would open up the U.S. government to reciprocal litigation for similar activity. Unless we are prepared to terminate all foreign intelligence collection activities, we will be faced with either endless litigation in foreign courts (and not necessarily just in the courts of adversarial nations) or the accumulation of massive default judgments against the United States that could set off a global race to enforce against U.S. assets. And it could also leave American allies and partners open for litigation if their networks played a role in U.S. cyber activity, potentially resulting in their disengagement from cooperation in the future for fear of litigation.
Second, broad categorization of acts that would expose a foreign state to litigation could also expose the U.S. or its allies to litigation for unintentional actions such as the accidental release of malware or other cyber tools. The recent report of the U.S. Cyberspace Solarium Commission noted the risk of such spillage, which may have already happened to U.S. intelligence tools before. Unlike aircraft sabotage or hostage-taking by designated state sponsors of terrorism, or providing support for acts of international terrorism on U.S. soil, the HACT Act would remove FSIA protections for cyber activity that the United States and its allies may conduct. Moreover, adding an intent element to the statute would not be sufficient to address this problem, because any claimant can plead malicious intent, thereby forcing judicial inquiry into highly sensitive and potentially even classified information.
Third and finally, the HACT Act fails to include any standards for who can authoritatively attribute the harmful activity to a particular foreign state. And this is important. To pursue litigation against a foreign state for malicious cyber activity, the claimants would have to know or at least make a case that a foreign government or an actor connected to that government played a role in the attack. Attribution can be technical in nature, requiring months and sometimes years of determining the source of the activity and the person(s) behind it, but it is also a political and policy process. Ultimately, if attribution is done by the U.S. government, the government has made a political decision to do so and has weighed the foreign policy implications with this determination. There could be many reasons why the government decides not to publicly attribute malicious cyber activity to a foreign state, even if the private sector has made such a determination. The HACT Act leaves these critical questions unanswered. Would litigation be pursuable only if the U.S. government has decided it is willing to publicly blame a foreign state and, thus, only those victims could pursue compensation? And what if such a determination is in conflict with what technical private-sector experts have found? U.S. courts are not in a position—and should not be asked—to resolve these disputes.
What Congress Should Do Instead
This does not mean that Congress should do nothing to help the victims of an increasing cybercrime wave hitting the United States. Only three in 1,000 cyber incidents ever see an arrest of the perpetrator—and probably even fewer, given the minuscule proportion of cybercrime reports actually received by the FBI. This is a vast and unacceptable enforcement gap. There is clearly a lot of work to be done to impose consequences on perpetrators and get justice for cyber victims. There could also be options for exploring alternative arrangements for insurance or indemnification that could better protect companies’ and individuals’ financial interests without implicating foreign policy concerns.
To start, there are a number of actions that Congress can take immediately to build the capacity and technical capabilities of U.S. and foreign law enforcement to identify, stop and bring to justice the perpetrators of malicious cyber activity. There is an entire body of research documenting the challenges faced by U.S. and international criminal justice actors in pursuing these investigations and facilitating the level of cooperation that is needed when a single malicious cyber incident crosses many different borders. Congress could take action to help the U.S. government get a better handle on how well it is doing in reducing cybercrime and holding the perpetrators accountable. It could push back against the Trump administration’s attempts to cut critical programming that boosts the capacity of global law enforcement to work on cybercrime and digital evidence. Congress could also provide even more support to this programming and make sure it is having an impact. For example, Congress could increase resources and personnel at the Department of State dedicated to cybercrime capacity building through state and foreign operations appropriations and push for assessments to measure the impact of such programming, as House Foreign Affairs Chairman Eliot Engel and ranking minority member Michael McCaul have begun to do. And it could address the myriad issues that have prevented appropriate U.S. authorities from being able to collect, handle and analyze the digital evidence that is needed to pursue cybercrime investigations, while ensuring safeguards are in place for civil liberties and human rights.
Before even considering a bill that would repeal foreign immunity for malicious cyber activity, it would be prudent for Congress to reestablish and improve upon the high-level diplomatic leadership in the U.S. government that used to exist to lead our negotiations on cyber issues. In 2017, the State Department’s Office of the Coordinator for Cyber Issues, which was established by the Obama administration to serve as the office for America’s top cyber diplomat, was downgraded and folded into another bureau. Establishing a new cyber bureau and cyber ambassador at the State Department could help push governments to stop directly and indirectly supporting malicious cyber activity and to cooperate in cyber investigations. Although the Obama administration had a Cyber Coordinator Office, it was never a full bureau in the State Department’s architecture; elevating it to a bureau could help it receive more dedicated resources and personnel. Congress could coordinate the needed carrots and sticks to support these desired outcomes, and it could advocate for rules of the road guiding state behavior in cyberspace aimed at reducing malicious cyber activity and holding perpetrators accountable. A fully resourced and supported diplomatic corps at the State Department could support the U.S. government’s efforts to negotiate settlements on behalf of American victims around the globe, without jeopardizing U.S. national security in the process.
Victims of malicious cyber activity understandably want to pursue compensation for the terrible crimes committed against them. But the HACT Act is not a wise approach. Even setting aside the general concerns about eroding the FSIA, the bill does not acknowledge, let alone address, any of the complexities of attribution or reciprocity that Congress must grapple with in detail before proceeding.
Egregious acts of international terrorism might warrant dramatic and even unprecedented actions to enable victims to pursue a measure of redress. But this bill that could open up the floodgates to litigation for a broad spectrum of cyber activity—as damaging as much of this activity can be—is simply an unwise approach for a government that itself may rely on such actions to counter threats from adversaries. Instead of going down the path of the HACT Act, Congress would be better advised to focus on the challenges that have prevented U.S. authorities and their partners from bringing perpetrators of cybercrime and other malicious cyber actions to justice.