Amidst the ever-worsening onslaught of cyberattacks, companies are longing to go on the offensive, whether by “hacking-back” or by going after malicious actors in United States courts. While Congress has previously refused to enable the former, it now appears more open to the latter, particularly with the introduction of the Homeland and Cyber Threat Act (the HACT Act). But for companies, the best cyber defense will remain a strong defense, not a strong offense.
Recently, bipartisan lawmakers in the House of Representatives introduced legislation that would allow Americans to file suit in federal or state court against foreign governments and their employees for malicious cyber activity. The HACT Act, if passed, would strip the immunity of foreign nations, and of their employees or agents, that have engaged in cyberattacks against US nationals, allowing them to be sued in American courts. The legislation follows the massive Russian cyber espionage campaign now known as the SolarWinds Hack, which, according to the White House, compromised at least nine federal agencies and 100 private sector companies. Previously unknown vulnerabilities affecting a Microsoft email application, announced in March 2021, greatly compounded the damage from this hack.
As attractive as this private, judicial redress for recent cyber threats may be, the legislation is unlikely to pass or to be effective, re-emphasizing the private sector’s need to continue to shore up its defenses and to engage in timely information sharing. The HACT Act also risks opening the doors to suits against the US Government, while the likelihood of success against foreign governments for cyberattacks in US courts will remain small.
The Supreme Court on Foreign Sovereign Immunity
The Supreme Court earlier this year recognized the peril in amending the Foreign Sovereign Immunities Act (FSIA), which allows only limited circumstances in which a foreign government can suffer suit in US courts. Federal Republic of Germany v. Philipp held that US courts did not have jurisdiction over claims against Germany asserted by the heirs of German Jewish art dealers who were compelled to sell property to the German state of Prussia during the Nazi regime.
Chief Justice John Roberts, writing for a unanimous court, warned of “the international discord that can result when US law is applied to conduct in foreign nations.” The Chief Justice noted that, “[a]s a Nation, we would be surprised—and might even initiate reciprocal action—if a court in Germany adjudicated claims by Americans that they were entitled to hundreds of millions of dollars because of human rights violations committed by the US Government years ago.”
Finally, he concluded that there was no reason to believe other governments would not likewise subject the US to their jurisdiction if the US government continued to expand the exceptions to foreign sovereign immunity.
Even if the bill required State Department certification prior to enabling private lawsuits, foreign governments—especially those likely to sponsor cyberattacks against the US—would likely seize upon the opportunity to expand the circumstances under which their citizens could sue the US. After all, the US passed the FSIA to provide a comprehensive, uniform, and restricted regime for litigation against foreign states that are presumptively considered immune from suit. The broader the holes in the FSIA, the less incentive other governments have to provide the US with their own shield from suits in their courts.
Questions in the litigation process
The HACT Act also leaves open many practical questions as to what the process would be for a private litigant who attempts to bring suit against a foreign actor, entity, or government. These questions include what the discovery process would look like. Discovery against a foreign government agency or employee would likely either require the US to disclose classified intelligence on attribution or the defendant to disclose its state secrets.
Just as pressing is the question of whether a private litigant could reasonably expect to collect from a sovereign opposing party that might or might not consent to personal jurisdiction in US court.
There is precedent for allowing private claims against foreign governments, including the Iran-US Claims Tribunal (IUSCT) or, more broadly, the investor-state dispute resolution system (ISDS). But those avenues are the product of diplomatic agreements between sovereigns. In the case of the IUSCT, the 1981 Algiers Declarations were designed to resolve the Tehran hostage crisis. In the case of the ISDS, bilateral or multilateral investment protection treaties have created a private right of action for qualifying investors from the home state as a means of encouraging foreign direct investment. No comparable accord or treaty is available here.
Finally, Congress has not seized the opportunity within the HACT Act to clarify ambiguous language found in the Computer Fraud and Abuse Act (CFAA)—language that is before the Supreme Court this term in an effort to resolve a circuit split. By creating an actionable right against an entity that “exceeds authorized access,” as the CFAA does, the HACT Act opens itself up to the same challenges and disagreements in interpretation that have plagued the CFAA. Does merely violating website terms of service, for example, open up a country to suit in US courts? This question may lead to further issues and litigation down the line.
Especially in the heat of a crisis, companies may feel the urge to “hack back” at foreign intruders—something the CFAA does not necessarily authorize and which Congress has repeatedly refused to explicitly allow, including when it passed the Cybersecurity Act of 2015 (CISA). Even if a company could take on an individual hacker, it is unlikely to prevail against the resources of a determined state-backed adversary. Hacking back is also far more likely to cause collateral damage to third-party networks, because sophisticated hackers often route their malicious traffic through innocent infrastructure.
Defense and information sharing
CISA did not authorize hacking back, but it provided important liability protection for cyber threat information sharing between the private and public sectors, as well as within the private sector itself. Information sharing has also improved since 2015, and many companies find tremendous value in participating in general and sector-specific Information Sharing and Analysis Centers (nonprofit organizations that provide a central resource for gathering information on cyber threats to critical infrastructure).
The HACT Act’s goals are laudable, and the US Government and its allies need to do more to prevent state-backed cyberattacks, especially when foreign adversaries exploit seams in US legal authorities by launching attacks via US infrastructure. For the private sector, however, the keys remain relentless improvement of cyber defenses and timely information sharing.