Is the international law of cyberwar a thing?

Episode 313 of the Cyberlaw Podcast

|The Volokh Conspiracy |

In today's interview, I spar with Harriet Moynihan over the application of international law to cyberattacks, a topic on which she has written with clarity and in detail. We disagree politely but profoundly. I make the case that international law is distinct from what works in cyberspace and is inconsistent with either clarity or effectiveness in deterring cyberattacks. Harriet argues that international law has been a central principle of the post-1945 international system and one that has helped to keep a kind of peace among nations. It's a good exchange.

In the News Roundup, David Kris and I discuss the state of Team Telecom, which is taking unwonted (but probably not unwelcome) fire for not being tough enough on state-owned Chinese telecom firms. Predictably, Team Telecom is going with the flow, and reportedly seeking to knock four such firms out of the US market.

Maury Shenk reports that Vietnam is suspected of hacking Chinese health authorities. In response to the accusations, the Vietnamese released what looks to me like a word-for-word clone of Chinese cyberespionage boilerplate denials. Sauce for the goose is sauce for the panda.

Gapple's design for a COVID-19 tracing app isn't the best way to track infections, I argue, but it's all that Google and Apple are willing to let governments do, apparently because of Silicon Valley's exquisitely refined and self-evidently superior sense of privacy. Nick Weaver disagrees, arguing that the Gapple system preserves privacy and allows health authorities all the information that they really need. Governments are mostly falling in line with Gapple's demands, either because they buy Nick's argument or because they have decided that Silicon Valley resistance has the ability to wreck any more centralized system. France is still fighting for its vision of contact tracing. Australia seems to be adopting a lightly tweaked version of the Gapple model. And Germany seems to be surrendering.

Several senators want Cyber Command and CISA to do more to deter coronavirus hackers, David reports. More importantly, he points out that asking a military organization to attack a civilian criminal gang raises a host of legal issues that should be sorted out before rather than after the attack begins.

Failure to protect your client from Chinese government hackers might be malpractice, a DC court rules. But as Maury points out, there's a long road from winning a motion to dismiss to winning at trial, so the lesson to be drawn from this case won't be certain for some time.

Three years later, the Shadow Brokers leak is making news, and still providing challenges for private security researchers. Nick reports on how a three-year-old leak led to the latest revelation of an unknown APT group.

Nick and I touch on confused reporting about the latest filing in the mud fight between Facebook and NSO Group over NSO's hacks of WhatsApp customers. NSO, Facebook says, has used a lot of US servers in those attacks. That matters for the technical question of whether NSO can be sued in the United States, but the volume (several hundred instances) also suggests to Nick that NSO did more than throw exploits over the wall to its customers – it was arguably offering espionage as a service.

David dings IBM for its handling of a researcher's disclosure of four zero-days – and that leads to a dive into what a good bug bounty program can and can't do.

Maury notes that Amazon is getting new scrutiny for its handling of third-party sales data, including suspicions on Congress's part that it may have been lied to. This isn't the last we'll hear of this story.

In quick hits, I am nonplussed by Vimeo's willingness to outsource its definition of "hate group" to, well, a left-wing hate group, the Southern Poverty Law Center.

Nick celebrates the end to what he calls the "Asshat meets BlackHat" affair: Crown Sterling's "defamation" lawsuit against BlackHat has been settled.

And Nick and I mark the surprising ouster of Marc Rotenberg, EPIC's long-time director, over what might be called excessive attention to his own COVID-19 privacy.

Download the 313th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.