HACKS DANGEROUS TO HUMAN LIFE: USING JASTA TO OVERCOME FOREIGN SOVEREIGN IMMUNITY IN STATE-SPONSORED CYBERATTACK CASES

State-sponsored cyberattacks are on the rise. With the continually growing presence of automated and autonomous technologies in our lives, the ability to harm individuals from behind a keyboard is becoming an increasingly plausible and desirable option for foreign states seeking to target persons abroad. Those particularly vulnerable to such attacks include political dissidents, activists, and any individuals deemed to be an enemy of the regime employing such cyberattacks. In recent years, U.S. nationals victimized by foreign state-sponsored cyberattacks have attempted to sue their foreign-state cyberattackers in U.S. courts under the traditional exceptions to the Foreign Sovereign Immunities Act (FSIA), to no avail. Commentators have offered a few suggestions to help these victims overcome the barrier of sovereign immunity, including an alternative interpretation of the FSIA’s noncommercial tort exception or a cyberattack exception amendment to the FSIA. This Note, however, presents a more concrete and accessible solution: the Justice Against Sponsors of Terrorism Act (JASTA). The recently passed JASTA creates the latest exception to the FSIA, which differs from the other exceptions in two important ways: (1) it does not require an alleged tort to have taken place in the United States, and (2) it does not require the foreign state being sued to have been officially designated a state sponsor of terrorism by the U.S. government. Thus, under JASTA, many U.S. victims of state-sponsored cyberattacks should be able to overcome sovereign immunity and attain justice against their foreign-state cyberattackers in U.S. courts.

The full text of this Note can be found by clicking the PDF link to the left.

* J.D. Candidate 2021, Columbia Law School. The author would like to thank Professor Lori Damrosch for her invaluable expertise and guidance, as well as Nick Argentieri for his support throughout this writing process. The author also extends special thanks to Adi Kamdar for giving him the initial spark of inspiration for this piece.

Introduction

Foreign state actors are increasingly using malware to target U.S. nationals. 1 “Malware” is short for “malicious software” and is used to “disrupt a computer’s normal operations, gather sensitive information, or gain access to private computer systems.” What Is Malware?, Univ. of Cent. Ark., https://uca.edu/it/knowledgebase/what-is-malware [https://perma.cc/P2MY-HH4L] (last visited Nov. 1, 2019). Malware is an umbrella term and can be used to refer to “computer viruses, worms, trojan horses, spyware, or adware.” Id. In 2016, the U.S. court system saw its first attempt to sue a foreign state for a cyberattack when an Ethiopian asylee and political dissident—going by the pseudonym “Kidane”—sued Ethiopia for installing and using spyware to monitor his online activity. 2 Doe v. Federal Democratic Republic of Ethiopia (Doe I), 189 F. Supp. 3d 6, 8–11 (D.D.C. 2016), aff’d, 851 F.3d 7 (D.C. Cir. 2017). “Spyware” grants a hacker the ability to “capture information like Web browsing habits, e-mail messages, usernames and passwords, and credit card information.” Spyware, TechTerms, https://techterms.com/definition/spyware [https://perma.cc/538L-WCVC] (last visited Nov. 2, 2019). Hackers infect their victims’ computers or phones with spyware either by sending it through email attachment or by attaching it to the installation of another program. Id. Kidane claimed jurisdiction under the noncommercial tort exception to the Foreign Sovereign Immunities Act (FSIA). 3 Doe I, 189 F. Supp. 3d at 16. The D.C. Circuit rejected this argument, noting that a tort must occur entirely in the United States for the noncommercial tort exception to apply. 4 See Doe v. Federal Democratic Republic of Ethiopia (Doe II), 851 F.3d 7, 10 (D.C. Cir. 2017) (citing Jerez v. Republic of Cuba, 775 F.3d 419, 424 (D.C. Cir. 2014)). Therefore, because the spyware infecting Kidane’s devices had been emailed to Kidane by somebody outside the United States, the D.C. Circuit deemed that the tort did not entirely occur in the United States. 5 See id. at 8, 10 (noting that the person who sent the email likely did so from London). Despite receiving heavy criticism, 6 See, e.g., Recent Case, Doe v. Federal Democratic Republic of Ethiopia, 851 F.3d 7 (D.C. Cir. 2017), 131 Harv. L. Rev. 1179, 1184–85 (2018) (“The court’s analysis of the acts that make up the tort has . . . problems.”). the D.C. Circuit’s narrow approach has now been adopted within two additional circuits. 7 See DNC v. Russian Federation, 392 F. Supp. 3d 410, 428 (S.D.N.Y. 2019); Broidy Cap. Mgmt., LLC v. Qatar, No. CV 18-2421-JFW(Ex), 2018 WL 6074570, at *5 (C.D. Cal. Aug. 8, 2018).

Doe v. Ethiopia raises a troubling question: What happens if a foreign state takes it one step further? What if, instead of simply spying on a U.S. national, a foreign state uses malware to cause that national’s self-driving car to crash? 8 See Saheli Roy Choudhury, Malicious Use of A.I. Could Turn Self-Driving Cars and Drones into Weapons, Top Researchers Warn, CNBC (Feb. 21, 2018), https://www.cnbc.com/2018/02/21/malicious-use-of-ai-by-hackers-could-pose-security-risksthreats.html [https://perma.cc/C5SD-ZVTZ] (“Self-driving cars . . . could be tricked into misinterpreting a stop sign that might cause road accidents . . . .”). To cripple the computer system of the hospital where that national is admitted? 9 See Alabama Hospital System Halts Admissions amid Malware Attack, Ala. Pub. Radio (Oct. 1, 2019), https://www.apr.org/post/alabama-hospital-system-halts-admissions-amid-malware-attack [https://perma.cc/PJC6-3M5B]. To remotely switch off that national’s insulin pump or pacemaker? 10 See Olivia Tambini, Life-Saving Pacemakers Could Be Hacked with Malware, TechRadar (Aug. 10, 2018), https://www.techradar.com/news/life-saving-pacemakers-could-be-hacked-with-malware [https://perma.cc/T5Q5-R8TS] (discussing a demonstration where researchers showed that they could “remotely switch[] off an insulin pump” and “tak[e] control of a pacemaker by hacking the program doctors use to monitor a patient’s device”). Moreover, what if a foreign state uses information it obtained with spyware to track down and directly kill a U.S. national? 11 Cf. David D. Kirkpatrick, Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says, N.Y. Times (Dec. 2, 2018), https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html (on file with the Columbia Law Review). Saudi Crown Prince Mohammed bin Salman ordered Jamal Khashoggi, a Saudi national and dissident, to be killed in October 2018. Shane Harris, Greg Miller & Josh Dawsey, CIA Concludes Saudi Crown Prince Ordered Jamal Khashoggi’s Assassination, Wash. Post (Nov. 16, 2018), https://www.washingtonpost.com/world/national-security/cia-concludes-saudi-crownprin‌ce-ordered-jamal-khashoggis-assassination/2018/11/16/98c89fe6-e9b2-11e8a9399469f116‌6f9d_story.html (on file with the Columbia Law Review). The growth of automated and autonomous technologies presents foreign-state actors nowadays with a myriad of opportunities to harm political rivals and dissidents mostly, if not entirely, from abroad. In the aftermath of Doe v. Ethiopia, concerns arose questioning whether a U.S. national harmed by a state-sponsored cyberattack could ever obtain any redress against the sponsoring state. Nate Cardozo, Kidane’s attorney, went so far as to issue a statement saying that “[u]nder [Doe v. Ethiopia], you have no recourse under law if a foreign government . . . targets you for a drone strike . . . as long as the government planned the attack on foreign soil.” 12 Nate Cardozo, D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia Is Free to Spy on Americans in Their Own Homes, Elec. Frontier Found. (Mar. 14, 2017), https://www.eff.org/deeplinks/2017/03/dc-circuit-court-issues-dangerous-decision-cybersecurity-ethiopia-free-spy [https://perma.cc/KL5C-CGS6]. Consequently, some have pushed to adopt a cyberattack exception to the FSIA, 13 See, e.g., Paige C. Anderson, Note, Cyber Attack Exception to the Foreign Sovereign Immunities Act, 102 Cornell L. Rev. 1087, 1102–03 (2017); Matthew A. Powell, Comment, A Call to Congress: The Urgent Need for Cyberattack Amendments to the Foreign Sovereign Immunities Act, J.L. & Cyber Warfare, Fall 2018, at 117, 144–47; Sam Kleiner & Lee Wolosky, Time for a Cyber-Attack Exception to the Foreign Sovereign Immunities Act, Just Sec. (Aug. 14, 2019), https://www.justsecurity.org/65809/time-for-a-cyber-attack-exception-to-the-foreign-sovereign-immunities-act [https://perma.cc/7E6E-3ETQ]. while others have urged for courts to adopt a more lenient approach to the noncommercial tort exception. 14 See, e.g., Samantha N. Sergent, Note, Extinguishing the Firewall: Addressing the Jurisdictional Challenges to Bringing Cyber Tort Suits Against Foreign Sovereigns, 72 Vand. L. Rev. 391, 413–16 (2019).

This Note argues, however, that there is already an existing alternative FSIA exception through which many future U.S. victims of malicious, state-sponsored cyberattacks can obtain jurisdiction over foreign-state sponsors: the Justice Against Sponsors of Terrorism Act (JASTA). 15 Justice Against Sponsors of Terrorism Act, Pub. L. No. 114-222, 130 Stat. 852 (2016) (codified at 18 U.S.C. § 2333 (2018); 28 U.S.C. § 1605B (2018)). Before 2016, U.S. victims of terrorism could sue a state responsible for the attack only if the state had been “designated as a state sponsor of terrorism.” 16 28 U.S.C. § 1605A(a)(2)(A)(i)(I). But in 2016, Congress passed JASTA, which expanded the FSIA to allow U.S. nationals to sue any foreign state that physically injured them or their property through “an act of international terrorism in the United States; and a tortious act . . . regardless where [it] occurred.” 17 Id. § 1605B(b). Accordingly, this Note argues that many future instances of state-sponsored cyberattacks can be characterized within the JASTA exception’s framework: A foreign state commits a tortious act of infecting a U.S. national’s device with malware, resulting in a separate act of terrorism that physically harms said national or their property on U.S. soil.

Part I overviews the FSIA and its exceptions, including the noncomercial tort exception, the terrorism exception, and the JASTA exception. Part II demonstrates why the noncommercial tort exception and other pre-JASTA FSIA exceptions, as well as the proposed cyberattack exception, provide inadequate solutions for U.S. victims of state-sponsored cyberattacks. Part III then offers the JASTA exception as a practical, already-existing mechanism through which U.S. nationals harmed by state-sponsored cyberattacks could potentially obtain jurisdiction over the foreign state responsible for the attack, and further addresses arguments for why courts may still wish to refrain from using JASTA as a means to sue a foreign state.