Personally, I consider the problem of self-defence in Cyberspace to be one of the most neglected although relevant topics in the last decade. Notwithstanding the fact that Cybercrime has become such an important issue in the international legal culture, some aspects related to computer crimes are being left outside of the mainstream legal debates.

Even if some common-law scholars (e.g. Kesan J. P., Majuca R., 2009-2010) have tried to scratch the surface of this - I believe important - topic, there is still a serious gap in the European legal literature.

Because of that, I will try to enunciate some of the problems regarding self-defence outside of the physical world. Given the complexity of the topic at hand, I will not provide an in-depth analysis; rather I will comment on…

Why talk about self-defence in Cyberspace?

Firstly, because Cyberspace has led to Cybercrime, and Cybercrime has systematically proved that traditional offences cannot entirely cover this new manifestation of antisocial behaviour. So I believe that it is mandatory to re-evaluate the traditional justificatory causes – in terms of self-defence, state of necessity, consent etc. – in order to verify whether their current foundation is enough to cover this new genre of crime.

Secondly, it is common knowledge that Cybercrime is one of the most cross-border types of crime. This is why we now have international legal instruments such as the European Convention on Cybercrime – which has as a main objective the harmonization of national criminal legislations in order to create an efficient framework of cooperation and the elimination of the so-called safe havens at the international level. Even if computer crimes in the US do not substantially differ from computer crimes across Europe, there is a problematic mismatch when it comes to the general part of the Criminal Law in different parts of the world. For example, in Romania self-defence is applicable only in cases where the attack can be materialized. In other words, a threat that does not raise the imminent risk of a material attack cannot create a framework of applicability for self-defence. But this is not the case in Germany or Spain, where self-defence could be used even if the attack has not been a material one. So if an agent from Spain remotely controls a computer system from Germany to attack another in Romania, a response from Romania would possibly be a legitimate one in Germany or Spain, but not in Romania. I see this as a problem of equity. Why apply a different treatment to a global threat?

Alternatives to the use of self-defence in Cyberspace

If self-defence is hard to theorize and apply in Cyberspace, some would argue that the best solution to counter cybercrime is to utilize alternative means. 

1. One of the possible solutions is to use civil law sanctions to oblige software companies or Internet service providers to take care of their customers (see Hamdani A., 2002, p. 901). But from my point of view, this alternative is questionable. Could we impose the obligation to create perfect products with no security vulnerabilities on software companies? Definitely not. What about Internet service providers? Could the obligation to monitor the network data and stop digital attacks before they really occur be imposed on them? It must be said that even if this would be technically possible, the related economic costs would render the service very costly. Furthermore, it could raise a legal issue because monitoring the network data often means infringing the right to privacy of Internet users. Indeed, the European Court of Justice made it clear in the case Scarlet Extended SA c. Société belge des auteurs, compositeurs et éditeurs SCRL (C 70/10), that monitoring electronic communications interferes with the right to privacy of each individual.

2. Another alternative is to use passive technical defence mechanisms. Even if this alternative offers protection to some degree, it is rather insufficient (Kesan J. P., Hayes C. M., 2010, p. 328). No matter how good a technological defence mechanism is, the means to circumvent that mechanism are very likely to develop in time.

So without further ado, I strongly believe that self-defence must be firmly analysed, at least due to equity reasons. If a person has the right to defend his property in the physical world, the same should apply in Cyberspace. So when the general criminal law sanctions do not function and a certain individual tries to commit a computer crime, the targeted individual must have in principle the same opportunities to defend himself or herself as a victim attacked in the physical world does. And this means that the possibility to use self-defence in Cyberspace must not be excluded.

What are the problems surrounding self-defence in Cyberspace?

1. Identifying an imminent attack. A person can utilize self-defence only if the attack is imminent (see Sangero B., 2006, pp. 151). But when is a digital attack imminent? The answer is hard to give and it heavily depends on the specifics of each case. If the agent tries to explode a gas pipe by modifying some computer data (e.g. variables regarding gas pressure) stored on the gas pipe infrastructure (a computer system), is it an imminent attack when the agent gains unauthorized access? In this context, I believe that the central issue is whether the unauthorized access creates an imminent risk for the social good that will ultimately be harmed by the agent’s digital attack. 

2. Putative self-defence. There are a lot of cases in which the person who believes that he or she is defending himself or herself, or his or her computer system, is in error with regard to the apparent digital attack. But how should this wrong assessment be analysed? Should it be an invincible error or is it sufficient to identify an error that was formed because of the agent’s negligence? From my point of view, it is an error over a matter of fact – the agent mistakenly concludes that the digital attack is real when in fact this is not the case.

3. Identifying the attacker. In the majority of cases the attacker does not launch a direct attack towards a particular computer system. The most efficient method is to use proxy computer systems or zombies (other computer systems that were initially hacked), because this makes it difficult for the victim to identify the attacker. Some could argue that this problem alone makes self-defence in Cyberspace inapplicable. I argue the opposite. Exactly as in the physical world context, if the attacker uses the goods (a computer system in this case) of another person for the attack – even without their owner’s consent – the victim can respond by attacking those particular goods as well as the attacker.

In conclusion, I must argue that an in-depth analysis of self-defence in Cyberspace is urgently needed. Obviously, the previously listed arguments are not the only ones to be considered, but at least they create the premise for a more detailed analysis of the topic.