Harvard Journal of Law & Technology Volume 25, Number 2 Spring 2012 MITIGATIVE COUNTERSTRIKING: SELF-DEFENSE 1 AND DETERRENCE IN CYBERSPACE Jay P. Kesan* and Carol M. Hayes** TABLE OF CONTENTS I. INTRODUCTION .............................................................................. 431 II. THE THREAT: CYBER INTRUSIONS AND POSSIBLE RESPONSES .................................................................................... 437 A. Attacks ...................................................................................... 438 1. What Is a Cyberattack? .......................................................... 439 A. Cyber-What? Attack or Exploitation? ............................... 439 B. Categories of Attackers ..................................................... 440 C. Categories of Attacks ........................................................ 442 i. Malicious Software Attacks ............................................. 442 ii. DoS and DDoS Attacks .................................................. 444 D. Effects of Cyberattacks ...................................................... 445 2. Recent Cyberattack Threats ................................................... 446 A. Frequency of Cyberattacks ................................................ 449 B. Potential Government Use of Cyberattacks and the Danger of Cyberwar ................................................. 450 i. Cyberwar and Warmaking Powers in the United States .................................................................. 452 ii. Cyberwar Preparations and the Private Sector ............... 456 C. Danger to Critical National Infrastructure ....................... 458 i. Federal Initiatives ............................................................ 460 ii. Public-Private Partnerships ............................................ 462 1. An earlier version of this work received an Honorable Mention Award in the National Research Council’s (“NRC”) Competition on Research and Scholarship in Cyberdeterrence. Jay P. Kesan & Carol M. Hayes, Thinking Through Active Defense in Cyberspace (Ill. Pub. Law and Legal Theory Research Papers Series, Working Paper No. 10-11, 2010), available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1691207. * Professor, H. Ross & Helen Workman Research Scholar, and Director of the Program in Intellectual Property & Technology Law, University of Illinois College of Law. ** Research Fellow, University of Illinois College of Law. After receiving her J.D. from the University of Illinois, Carol Hayes served as a Christine Mirzayan Science and Technol- ogy Policy Graduate Fellow at the National Academy of Sciences in Fall 2010. The authors wish to thank Herb Lin, Jack Goldsmith, and the many NRC workshop participants, whose guidance and suggestions greatly contributed to the direction of this Article. We also thank Morell E. Mullins for his assistance with earlier drafts. 430 Harvard Journal of Law & Technology [Vol. 25 B. Current Ways to Address Attacks ............................................. 464 1. Criminal Law Shortcomings .................................................. 467 2. Civil Law Shortcomings ........................................................ 469 3. Passive Defense Approaches ................................................. 471 III. ACTIVE DEFENSE AND MITIGATIVE COUNTERSTRIKING ............ 474 A. What Is Active Defense? ........................................................... 474 B. Different Parts of Active Defense ............................................. 478 1. Intrusion Detection Systems .................................................. 481 2. Traceback ............................................................................... 482 3. Responding to an Attack ....................................................... 483 C. A Need for More Advanced Technology .................................. 484 D. Socially Optimal Use of Active Defense .................................. 485 IV. ANALYZING ATTACKS AND COUNTERSTRIKES UNDER CURRENT LEGAL REGIMES ........................................................... 488 A. U.S. Law ................................................................................... 488 1. Statutes .................................................................................. 490 A. Computer Fraud and Abuse Act ........................................ 491 2. Common Law ........................................................................ 496 A. Intentional Tort .................................................................. 497 B. Negligence ......................................................................... 498 C. Defenses to Negligence Claims ......................................... 502 3. Presidential Authority ............................................................ 502 A. Applying Justice Jackson’s Test from Youngstown .......... 504 B. Voluntary Cooperation ...................................................... 506 C. National Defense Authorization Act .................................. 509 B. International Law ..................................................................... 510 1. The Law of War and the U.N. Charter .................................. 512 A. What Is a Use of Force? What Is an Armed Attack? ......... 515 2. European Convention on Cybercrime ................................... 518 V. LAW RELEVANT TO THE USE OF SELF-DEFENSE .......................... 520 A. U.S. Law ................................................................................... 520 B. International Law ..................................................................... 524 1. Self-Defense Under Article 51 of the U.N. Charter .............. 525 2. Anticipatory Self-Defense ..................................................... 527 3. Reprisals ................................................................................ 529 VI. POLICY CONCERNS RELATING TO MITIGATIVE COUNTERSTRIKING ........................................................................ 530 A. The When and Who of Active Defense and Mitigative Counterstriking ...................................................................... 530 1. Relevant Types of Intrusions ................................................. 530 2. Options for Control over Active Defense .............................. 532 A. Private Sector Participation .............................................. 532 B. Government Involvement ................................................... 533 No. 2] Mitigative Counterstriking 431 C. Public-Private Partnerships: An Alternative to Pure Government Control ................................................. 535 B. Potential Procedures for Mitigative Counterstriking .............. 537 C. Addressing the Effect of Mitigative Counterstriking on Third Parties .......................................................................... 538 VII. CONCLUSION ............................................................................. 541 I. INTRODUCTION IF WE DO NOT WISH TO FIGHT, WE CAN PREVENT THE ENEMY FROM ENGAGING US EVEN THOUGH THE LINES OF OUR ENCAMPMENT BE MERELY TRACED OUT ON THE GROUND. ALL WE NEED DO IS TO THROW SOMETHING ODD AND UNACCOUNTABLE IN HIS WAY.2 A STRANGE GAME. THE ONLY WINNING MOVE IS NOT TO PLAY.3 Ideas, computers, and intellectual property have become extreme- ly important in the modern Information Age. The Internet has become so essential to modern life that several countries have declared Inter- net access to be a fundamental right.4 But the importance of technolo- gy in the Information Age comes with a downside: the vulnerability of modern society and the global economy to minimally funded cyberat- tacks from remote corners of the world. In the 1950s, American school children were taught to “duck and cover” in the event of an atomic bomb explosion.5 A popular caution- ary film from 1951 warns that a flash of light brighter than the sun accompanies such an explosion and that the flash could cause an inju- 2. SUN TZU, THE ART OF WAR 25 (Lionel Giles trans., El Paso Norte Press 2005) (1910). 3. WARGAMES (United Artists 1983). WarGames is a Cold War-era action film about a sentient computer operated by the U.S. Government and programmed to play through nu- clear war scenarios to find an optimal outcome. The system is hacked by a teenage boy who unwittingly starts a simulation that brings the world to the brink of nuclear war. At the end of WarGames, the sentient computer controlling the U.S. nuclear arsenal finally learns one of the key tenets of deterrence during the Cold War: because of an opponent’s capacity to counterstrike, sometimes foregoing aggressive actions is the only path to an optimal result. See id. Similar principles of deterrence underlie this Article, as we posit that a formalized active defense regime would be more effective at discouraging cyber aggressions than the currently available passive defense methods and legal options under criminal and civil law. 4. See, e.g., COMM. ON OFFENSIVE INFO. WARFARE, NAT’L RESEARCH COUNCIL OF THE NAT’L ACADS., TECHNOLOGY, POLICY, LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF CYBERATTACK CAPABILITIES 38 (William A. Owens et al. eds., 2009) [hereinafter NRC REPORT] (noting Estonia’s adoption of this position); Internet Access Is ‘a Fundamental Right,’ BBC NEWS (Mar. 8, 2010), http://news.bbc.co.uk/2/hi/ 8548190.stm (noting that Finland and Estonia take this view); Marshall Kirkpatrick, Is Internet Access a Fundamental Human Right? France’s High Court Says Yes, READWRITEWEB (June 11, 2009,