The Sony cyberattack and the legal options, in war and peace
A series of recent news reports indicate that the Sony corporation in the US has been subject to a cyberattack. The result was the compromise of the corporation's internal systems, with the disclosure of both intellectual property material and private personal data relating to employees. This was in the form of movie scripts and emails. As one motive of the attack was a Sony film which denigrated the North Korean regime, "The Interview", that regime is currently thought to be the prime suspect.

From a legal perspective, what actions can the various stakeholders pursue in dealing with such international cyberattacks? These can be placed in the context of earlier such attacks and the framework subsequently created to pursue legal or other socio-political actions.
In 2007 the Baltic state of Estonia was targeted by a series of cyberattacks, mostly on public sites. As the attacks were believed to be related to moves by the Estonian government purported to be anti-Russia, this neighboring country was thought to be the main culprit. While the attacks were never proved to be linked to the Russian government, traces of the cyberattack were connected to known pro-Russian sites. The actual damage was done by the targeting of infrastructure websites, incorporating defacement and DDoS, which essentially made them unusable. This had a major impact, as Estonia had pursued a digitization of essential services: one result was the seizing up of state utilities.
In the wake of this, the Tallinn Manual was crafted as a rule book to meet future attacks. In parallel, as Estonia was a member of NATO, it was declared that any such cyberattack on a member state would be regarded as an attack on all. The response was to be proportionate, but kinetic weaponry was not specifically ruled out.
Thus the differences between this and the Sony attack are that a private company was the subject of the attack, and that the incident, while seemingly well planned, did not extend over the same length of time. So in light of this, what are the US government's options as per the Tallinn Manual rule 11: ‘[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’?
First, was this an act of armed conflict or war? While Sony is a private company, the militarization of North Korean society would imply that any such attack would have the backing of their armed forces. Given the economic damage caused by the attack (loss of confidence in Sony and its cancellation of the film "The Interview"), this breaches the prohibition on the use of force in Article 2(4) of the United Nations Charter.
Second, however, even if it was so, then unlike physical-world attacks, the identity of the perpetrators in cyberattacks might be cloaked and difficult to trace. For instance, the authors of the Stuxnet attack have not been definitively identified but only suggested.
So, to sum up the author Roscini, the response has to be proportionate to the damage. While the private nature of this attack precludes an armed state response, in different circumstances with different actors such a response can never be ruled out.
Further Reading
- Who Controls the Internet by Tim Wu
- Cyber Operations and the Use of Force in International Law by Marco Roscini