North Korea’s cyberattack on Sony Pictures. Russian operatives shutting down the electric power grid for nearly a quarter-million Ukrainians. Chinese cybertheft of advanced warplane designs from a U.S. defense contractor.
These are only some of the most egregious international cybercrimes, where nation-states have attacked either other countries or private companies within other countries. And the cost of this troubling trend? A recent study from McAfee estimated the cost of cybercrime across 50 countries grew from $445 billion in 2014 to $600 billion in 2016.
{mosads}This isn’t really surprising when you consider how quickly cyber is changing our world. Consider that over the last two years alone 90 percent of the data in the world was generated. That’s a truly staggering number.
And cyber infrastructure is inherently global, making it easier to attack targets across national borders than at any time in history. And while international dialogue about cyber rights and wrongs is alive and well, it provides no actual recourse for those harmed.
While the United States and other nations have responded to attacks with sanctions, there are many legal gray areas. For instance, North Korea’s attack on Sony didn’t constitute an act of war. Yet it certainly harmed Sony’s public image and had significant financial implications.
The U.S. Department of Justice brought charges against Park Jin Hyok, but Park works for North Korea. As Assistant Attorney General for National Security John C. Demers noted, “The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”
It is time to explore new options. One gaping hole in this global ecosystem is governance; one aspect of governance is a judiciary and due process. No matter how powerful any one country, its sanctions or other punitive actions simply cannot carry the weight of a unified international response. Only when nation-state bad actors find themselves isolated in international trade, finance, and security circles are they likely to feel enough pain to change their behavior.
While such a court won’t be a solution by itself, it could be a vital part of a comprehensive approach. Just giving plaintiffs a neutral body to turn to in response to international cyberattacks would be a step in the right direction. But just as important is establishing agreed-upon standards or norms—in other words, clarity about what cyber behavior is illegal and what is not.
For instance, can we agree that each nation has a fundamental right to the integrity of their critical infrastructures, such as energy, communications, food, defense industrial base, transportation, water, and more? Do we believe that every country has the right to free, open, and secure trade without the threat of state-sponsored economic espionage? These questions, and others—such as the scope, jurisdiction, and the court’s level of authority—are all in front of us.
No doubt it will be difficult to secure international agreement even on seemingly basic questions. But they are certainly easier to address than simply allowing international cyber attackers to go unchecked and unpunished.
After all, nations have joined together to face even more difficult problems in the past. With all their limitations, our world is stronger and safer due to multinational organizations such as NATO, the International Criminal Court, the UN Refugee Agency and others.
The explosive growth of cyber won’t be changing any time soon, nor will the creativity and audacity of bad actors. If the United States, like-minded nations, and non-governmental organizations do not champion the norms we value, then we will soon find ourselves living by someone else’s.
Is it time for an international cyber court?
I say yes.
Emily Frye is Director of Cyber Integration at MITRE, a non-profit systems engineering firm.