Cybersecurity 2018 – The Year in Preview: International Law and Cyber Warfare

by Foley Hoag LLP - Privacy & Data Security


Editors’ Note: This is the seventh in a multi-part end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Previous installments include analyses of HIPAA compliance, emerging security threats, federal enforcement trends, state enforcement trends, biometrics, and education. Up next: a deep dive into the SEC’s enforcement actions.

In this series, we’ve written about emerging threats and the industries they target. This post addresses one thread that ties them all together—cyber warfare.

Cyber warfare refers generally to the malicious use of information and communication technologies (ICTs) by state actors. This is particularly problematic, as state actors have more resources and are more sophisticated than run-of-the-mill cyber criminals. State actors are believed to be behind some of the most notable cyber attacks of this past year, such as the WannaCry ransomware attack, which some have attributed to North Korea.

Experts recognize the need for an international approach to rein in this behavior. However, given the events of this year, international consensus on such an approach appears unlikely. What follows are some significant developments from 2017, which shed light on what 2018 might have in store.

A Setback for International Rules on Cyber War

Back in November 2016, we wrote about the lack of any formal agreement among nations on how international law should apply to cyber warfare. Next year, we likely won’t see much meaningful headway in this area. This is due in part to the collapse of the fifth “GGE”—that is, the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

The GGE was tasked with setting international norms for state behavior in cyber space. And for years, its member countries had been making slow but steady progress. In 2013, they agreed in the first instance that international law—particularly, the U.N. Charter—applied. They also agreed that state sovereignty was to be a bedrock principle, and that states were responsible for the “internationally wrongful acts attributable to them” and could not use proxies to commit “internationally wrongful acts.” These developments might seem minimal, but they were important stepping-stones to other pressing matters.

But this year, the GGE failed to agree on a draft for its fifth report. The sticking point appears to have been Article 51 of the UN Charter, dealing with the right to self-defense. That right is triggered by an “armed attack”—generally, a physical incursion into one state’s territory by armed forces under another state’s command. Certain GGE members worried about equating this concept with the “malicious use of ICTs.”

GGE members might also have been concerned about implicit approval of “countermeasures.” As experts Michael Schmitt and Liis Vihul explain, “[c]ountermeasures are actions or omissions that would be unlawful but for the fact that they respond to an internationally wrongful act of another State and are designed to cause the latter to comply with its legal obligations.” They give as an example the “hack-back in response to another State’s unlawful cyber operation.”

Commentators have criticized the falling out as a “manufactured controversy.” Indeed, the GGE had already agreed that the UN Charter applied, presumably in full. In any event, the GGE will not submit a fifth report, leaving an uncertain future for an international framework.

This does not mean that we are left without any guidance. In 2016, we wrote about the Tallinn Manual—an ambitious attempt by a group of NATO-affiliated experts to distill from the laws of war several rules to govern cyber warfare. This year, the group released an update—the Tallinn Manual 2.0. The new version takes the next step of setting out additional principles for how international law should apply to state cyber behavior in peacetime. But of course, the manual is mere guidance.

Experts appear to agree that some form of international order is preferable to the Wild West. As Arun M. Sukumar has noted, “[f]or those opposing the inclusion of specific legal principles, it should be clear that the tide is turning. Governments today increasingly desire rules that predict state behavior.” So does the private sector.

More Transparency in the Processes for Disclosure of Zero-Day Vulnerabilities?

Without international consensus on a legal framework, individual nations will begin to lead by example. One way the United States has started to do this is by releasing details of its process for notifying developers about zero-day vulnerabilities.

The intelligence community has warned Congress that “more than 30 nations are adopting offensive cyber capabilities” and integrating them into “military operations and planning.” These operations include the exploitation of “zero-day” vulnerabilities—that is, flaws in equipment and software that are unknown to their developers and that bad actors can, in some cases, exploit to gain remote access to operating systems and web browsers. A recent study by RAND Corporation of 200 zero-day vulnerabilities found that they have an “average life expectancy—the time between initial private discovery and public disclosure—of 6.9 years.” The study also found that it is highly unlikely that two separate actors will discover the same zero-day vulnerability.

Just last week, the United States released its Vulnerabilities Equities Policy and Process, a document describing how the government balances different factors in deciding when to notify vendors about zero-day vulnerabilities. The United States is the only country to have done this so far. The United Kingdom, Canada, and some European countries have either acknowledged having a process or that they are working on developing one. But we don’t know much more than that.

Experts have criticized this lack of transparency, and are using the United States’ disclosure to prompt a discussion on the further development of similar processes in other countries. They warn that “multiple countries around the world are likely discovering, retaining and exploiting zero-day vulnerabilities without a process to properly consider the trade-offs.” Perhaps the United States’ release of its process will spur other countries into action.

More Cyber Attacks Causing Physical Disruption: The Threat to Critical Infrastructure

Last year, we wrote about cyber threats to the energy industry. Those threats continue to intensify. Just last week, Reuters reported a “watershed” cyber-attack against an unspecified “critical infrastructure facility.” That attack targeted a workstation running a safety shutdown system that is “widely used in the energy industry, including at nuclear facilities, and oil and gas plants.” The malware apparently “sought to reprogram controllers used to identify safety issues.” Cyber security professionals believe that the attackers were probing the safety system with the eventual goal of modifying it so that it would fail to detect a breach. FireEye, the cyber-security firm that discovered the malware—dubbed “TRITON”—reported with “moderate confidence” that the attacker was “sponsored by a nation state” actor.

FireEye did not disclose the location of the attacked facility or the nature of its operations. But some have theorized that the attack occurred in a facility in Saudi Arabia. These kinds of attacks have not yet occurred in the United States.

TRITON must be taken seriously. It is only the third known malware family capable of physically disrupting a facility’s operations. (The first was Stuxnet, which disrupted equipment in Iranian nuclear facilities.) Now more than ever, it is important for utility companies and other critical infrastructure entities to guard against potential attacks that pose physical threats to their operations.
