Individuals, shadowy criminal organizations, and nation states all currently possess the capacity to harm modern societies through computer attacks. These new and severe cyberthreats put critical information, infrastructure, and lives at risk—and the threat is growing in scale and intensity with every passing day.
The conventional response to such cyberthreats is self-reliance; but when self-reliance comes up short, states have turned to law for a solution. Cybercrime laws proscribe individuals from engaging in unwanted cyberactivities. Other international laws establish what states can (and cannot) do in terms of cyberwarfare. Both sets of rules work by attribution, targeting bad actors—whether criminals or states—to deter cyberthreats.
This Article challenges the sufficiency of existing cyberlaw and security. Law cannot regulate the authors of cyberthreats because anonymity is built into the very structure of the Internet. As a result, existing rules on cybercrime and cyberwar have little deterrent effect. They may even create new problems when attackers and victims assume that different rules apply to the same conduct.
Instead of regulating bad actors, this Article proposes that states adopt a duty to assist victims of the most severe cyberthreats. A duty to assist provides victims with assistance to avoid or mitigate serious harms. At sea, anyone who hears a victim’s SOS must offer whatever assistance is reasonable. An e-SOS would work in a similar way. It would require assistance for cyberthreat victims without requiring them to know who, if anyone, was threatening them. An e-SOS system could help avoid harms from existing cyberthreats and deter others. Even when cyberthreats succeed, an e-SOS could make computer systems and networks more resilient against any harm they impose. At the same time, an e-SOS would complement, rather than compete with, self-reliant measures and existing legal proscriptions against cyberthreats.