Foreign state actors are increasingly using malware to target U.S. nationals.
In 2016, the U.S. court system saw its first attempt to sue a foreign state for a cyberattack when an Ethiopian asylee and political dissident—going by the pseudonym “Kidane”—sued Ethiopia for installing and using spyware to monitor his online activity.
Kidane claimed jurisdiction under the noncommercial tort exception to the Foreign Sovereign Immunities Act (FSIA).
The D.C. Circuit rejected this argument, noting that a tort must occur entirely in the United States for the noncommercial tort exception to apply.
Therefore, because the spyware infecting Kidane’s devices had been emailed to Kidane by somebody outside the United States, the D.C. Circuit deemed that the tort did not entirely occur in the United States.
Despite receiving heavy criticism,
the D.C. Circuit’s narrow approach has now been adopted within two additional circuits.
Doe v. Ethiopia raises a troubling question: What happens if a foreign state takes it one step further? What if, instead of simply spying on a U.S. national, a foreign state uses malware to cause that national’s self-driving car to crash?
To cripple the computer system of the hospital where that national is admitted?
To remotely switch off that national’s insulin pump or pacemaker?
Moreover, what if a foreign state uses information it obtained with spyware to track down and directly kill a U.S. national?
The growth of automated and autonomous technologies presents foreign-state actors nowadays with a myriad of opportunities to harm political rivals and dissidents mostly, if not entirely, from abroad. In the aftermath of Doe v. Ethiopia, concerns arose questioning whether a U.S. national harmed by a state-sponsored cyberattack could ever obtain any redress against the sponsoring state. Nate Cardozo, Kidane’s attorney, went so far as to issue a statement saying that “[u]nder [Doe v. Ethiopia], you have no recourse under law if a foreign government . . . targets you for a drone strike . . . as long as the government planned the attack on foreign soil.”
Consequently, some have pushed to adopt a cyberattack exception to the FSIA,
while others have urged for courts to adopt a more lenient approach to the noncommercial tort exception.
This Note argues, however, that there is already an existing alternative FSIA exception through which many future U.S. victims of malicious, state-sponsored cyberattacks can obtain jurisdiction over foreign-state sponsors: the Justice Against Sponsors of Terrorism Act (JASTA).
Before 2016, U.S. victims of terrorism could sue a state responsible for the attack only if the state had been “designated as a state sponsor of terrorism.”
But in 2016, Congress passed JASTA, which expanded the FSIA to allow U.S. nationals to sue any foreign state that physically injured them or their property through “an act of international terrorism in the United States; and a tortious act . . . regardless where [it] occurred.”
Accordingly, this Note argues that many future instances of state-sponsored cyberattacks can be characterized within the JASTA exception’s framework: A foreign state commits a tortious act of infecting a U.S. national’s device with malware, resulting in a separate act of terrorism that physically harms said national or their property on U.S. soil.
Part I overviews the FSIA and its exceptions, including the noncomercial tort exception, the terrorism exception, and the JASTA exception. Part II demonstrates why the noncommercial tort exception and other pre-JASTA FSIA exceptions, as well as the proposed cyberattack exception, provide inadequate solutions for U.S. victims of state-sponsored cyberattacks. Part III then offers the JASTA exception as a practical, already-existing mechanism through which U.S. nationals harmed by state-sponsored cyberattacks could potentially obtain jurisdiction over the foreign state responsible for the attack, and further addresses arguments for why courts may still wish to refrain from using JASTA as a means to sue a foreign state.