Stop Foreign Cybercriminals From Masquerading as Diplomats

Senior Fellow and Director, Center for the Economics of the Internet
Legal Fellow, Center for the Economics of the Internet

Last month, North Korean state hackers sent COVID-19-themed phishing emails to more than five million American individuals and businesses in the United States, hoping to steal their personal and financial data. As Yogi Berra would say, "it's like déjà vu all over again."

In attacking American businesses and individuals, North Korea is not alone. The Center for Strategic and International Studies has maintained a list of hundreds of cyberattacks from around the world since 2006. Of the countries blamed for perpetrating these attacks, most are the usual suspects that have invested significantly in cyberwarfare against America in recent years: China, Russia, Iran, North Korea and the like.

Despite these attacks' frequency and predictability, American victims of these attacks often have little to no recourse in American courts because of the Foreign Sovereign Immunities Act (FSIA), which protects foreign state actors from American lawsuits, no matter how egregious the conduct. This same law that shields foreign diplomats from paying parking tickets in American cities also protects cybercriminals masquerading as diplomats.

Perhaps the highest-profile international cybercrime in recent years was North Korea's infiltration of Sony Pictures in 2014, which occurred in response to Seth Rogen's film, The Interview, mocking the nation's leader. In 2018, the Department of Justice filed a criminal complaint in relation to the attack against Park Jin Hyok, a computer programmer in North Korea. Mr. Hyok has, unsurprisingly, not traveled to the United States to be tried, and Sony Pictures has never been able to file a claim for extensive damages against North Korea.

If an ordinary criminal had been caught stealing physical property from Sony Pictures or any other American company, the injured party could seek the return of the stolen property and compensation for damages suffered. But in the twisted world of cyberspace, international cybercriminals can steal and injure with impunity by hiding behind diplomatic protections.

It is one matter to protect accredited foreign diplomats residing in the United States. America itself has diplomats residing in practically every country in the world, and we value those nations' protections for our diplomats. But it is an entirely different matter to protect cybercriminals operating abroad who make no pretense of acting as diplomats.

On March 30, President Trump extended an executive order that declared a National Emergency With Respect to Significant Malicious Cyber-Enabled Activities. The executive order was timely because of the recent cyberattack on HHS's computer system during the nation's response to the coronavirus pandemic. HHS attributed the attack to a "hostile foreign actor." Ultimately, the executive order properly identifies the problem of cyberattacks, but it does little to deter future similar attacks.

Deterrence is one of the foundational principles of law and economics. A would-be criminal will consider the likelihood of being caught and the likelihood of being punished before committing a crime. Yet in the case of cybercriminals operating in certain rogue countries, the likelihood of being punished for cyberattacks on the United States is virtually zero. Absent any sort of deterrence, cyberattacks on the United States continue to occur unabated.

There is a simple means of providing such deterrence. Several dozen members from both parties in the House of Representatives have cosponsored a bill, the "HACT Act," with Reps. Jack Bergman (R-MI) and Andy Kim (D-NJ) as the primary sponsors. The HACT Act would allow private parties in the United States to bring private complaints in federal courts against foreign state actors that allow cyberattacks on the United States. In essence, the HACT Act would pierce the shield of FSIA that, today, allows foreign cybercriminals to masquerade as diplomats and enjoy the privileges of diplomatic immunity.

The HACT Act certainly won't solve every problem in the world. COVID-19 will still afflict us, and rogue states will continue to harbor cybercriminals. But these rogue states and their cybercriminals will now face a new threat: deterrence in the form of the American legal system. It won't be perfect, but it will be a solid step in the right direction.

Read in Newsweek