President Barack Obama is taking Chinese President Xi Jinping for a sunset walk to talk cybersecurity. U.S. lawmakers introduced legislation to punish cyberspies. Never before have all parties in the ongoing cybersecurity conflict between the U.S. and China taken action in such a short time span to address the issue. But legal complexities and political realities render any actions merely the first pieces of an elaborate puzzle, according to legal experts.
Friday in California, Obama made cyberattacks a top priority during his meeting with the Chinese president. And Xi was open to hearing the president’s message in a more informal dialogue than Chinese leaders normally allow with the U.S.
For its part, Congress introduced bipartisan legislation on June 6 aimed at punishing more cybercriminals backed by foreign agents. But Chinese officials haven’t yet even admitted that cyberattacks targeted at the U.S. occur in their country (let alone that they are backed, even tacitly, by the government). And the difficulty of tracing a cybercrime back to its perpetrator renders any piece of legislation just a small part of any comprehensive set of cybersecurity laws.
“These aren’t serial measures; it’s more of a mosaic,” said Randy Sabett, a lawyer with ZwillGen PLLC, a law firm focusing on new technologies. Sabett worked previously as a National Security Agency crypto engineer. “There’s different facets of the overall fabric that can be addressed or enabled. They all need to play together. This is a good step, but I think there’s more that can be done.”
Current domestic cybersecurity laws derive from the Computer Fraud and Abuse Act, enacted by Congress in 1986. The law has two main provisions, said Irving Lachow, a senior fellow and director of the program on technology and U.S. national security at the Center for a New American Security. One made accessing a computer without authorization illegal. The other made exceeding one’s authorization to use a computer illegal.
“Trying to define what that means and under what circumstances there might be exceptions” is the current difficulty, Lachow said. “It starts to get really tricky when you look at the scenarios.”
It’s like driving a truck through an area it was not built for, Sabett said. That doesn’t mean the CFAA is not useful, though. It’s the trespassing law for cyberspace; the basic building block upon which all other cyberintrusion regulation can be built.
“The difficulty with the CFAA specifically … is the ability to capture in legislative language concepts that are tied to a computing device,” Sabett said. “There are certain subtleties that are difficult to capture in language.”
Those subtleties have been teased out through six amendments — most recently in 2008 — and numerous court cases that have clarified definitions in the act (for instance, a smartphone is now considered a computer under CFAA protection). Sabett sees this process as refining the law’s boundaries. Peter Toren sees it as “a Band-Aid, ad hoc approach” to cybersecurity law. Toren is a lawyer at Weisbrod Matteis & Copley and was one of the first federal prosecutors with the Justice Department’s Computer Crime Unit, created in 1992. Back then, the CFAA had only been amended once.
“If [Congress] wants to address [cybersecurity] from a criminal-law standpoint, and perhaps from a civil-litigation standpoint, they need to sit down from scratch and draft a new law,” Toren said.
Whether through a piecemeal or tabula rasa approach, cybersecurity legislation faces its biggest hurdle with accurate cybercriminal identification. The commercial Internet developed with little heed to notions of security, giving everyone incognito access to cyberspace.
“Anonymity occurred on the Internet more through evolution than as a result of ardent privacy activists,” Sabett co-wrote in an article for the Journal of Business & Technology Law. “Ultimately, we must contend with the fact that the current Internet is ‘flat,’ meaning the lack of ability to accurately identify people or devices can significantly inhibit online trust.”
Thus, bills such as the Cyber Economic Espionage Accountability Act — introduced Thursday by House Intelligence Committee Chairman Mike Rogers, R-Mich. — can only go so far. The bill would authorize the government to publish a list of identified cyberspies and punish them, encourage DOJ to bring more economic espionage cases against foreign actors, and deport or freeze the financial access of foreign nationals residing in the U.S.
But none of those directives answers the question, “How do you investigate, identify and prosecute the person?” Toren said.
Cyberattacks are often routed through multiple networks in multiple countries. The labyrinthine route back to the original device, let alone the original person, is difficult to trace and crosses numerous legal jurisdictions. The Council of Europe tried to standardize international guidelines to address these issues during a 2001 convention on cybercrime. It adopted a treaty that 50 countries have since signed on to.
Michael Vatis, a partner at Steptoe & Johnson LLP, contributed a chapter on the Convention on Cybercrime treaty to an academic book on developing U.S. cyber policy. The treaty, he said, has two halves: one on the collection of digital evidence and another on cybercrime.
“The first half is to foster cooperation among nations on cross-border investigations, when computers need to be searched or computer data needs to be obtained,” he said. The second half is a commitment to enact domestic laws criminalizing cyberhacking. Over the 12 years since, Vatis has heard from DOJ that the treaty has aided cybercrime investigations. DOJ failed to respond to interview requests for this story.
“It raised awareness and it led to countries passing cybercrime laws that authorized them to investigate and assist other countries,” Vatis said. “I think it’s still as relevant and useful today.”
But it is barely useful for the U.S. in its ongoing cyberhacking conflict with China. China hasn’t signed the treaty, which isn’t legally binding, and is not likely to do so anytime soon. Japan, often at odds with China, is the only country in East Asia that has signed on to the treaty. Tim Junio, who studies cyberattacks at Stanford University’s Center for International Security and Cooperation, sees little reason the U.S. would push China to sign the treaty.
“It doesn’t strike me as a particularly useful diplomatic approach to use with China,” Junio said. “I think the best the United States can hope for is a Chinese admission that cybercrimes are taking place that originate on Chinese territory.”
And Rogers’ bill does give Obama tangible evidence to show Xi that U.S. lawmakers are not sitting idle on this issue, Sabett said. Even if China continues to deny the existence of these cyberattacks, Obama can say, “here’s a new bill that is pretty dramatic,” Sabett said.
In the best-case scenario, China admits to knowledge of cybercrimes and follows up the meetings with symbolic gestures to show it is serious about the issue. Arresting “corrupt military officials selling stolen trade secrets or rounding up some of the criminal gangs that coordinate large-scale online fraud,” Junio said, are two possible, but unlikely, examples.
But with the astronomical economic benefits of hacking intellectual property — National Security Director Gen. Keith Alexander has called the $300 billion-plus the U.S. economy loses each year to cyberattacks “the greatest transfer of wealth in history” — no law or treaty will truly curb the persistent cyberattacks.
“If China wants to play in the international arena, it has to start complying with certain legal norms, which it does not seem to be doing right now,” Toren said. “Until China sees it as in their interest to protect intellectual property, they’re just going to continue.”