Recently, a federal judge in New York dismissed the Democratic National Committee’s (DNC) civil lawsuit against Russia, Wikileaks, and others stemming from the 2016 cyber-attack on the DNC. While much of the media attention has focused on the judge’s decision that, under the First Amendment, Wikileaks and other “second-level participants” could not be held liable for publishing documents stolen from the DNC, there has been scant attention paid to how and why the Russian government—the “primary wrongdoer,” according to the Judge—was found not legally liable for the cyberattack.
The decision should concern all Americans who care about protecting our nation from state-sponsored cyber-attacks. While the United States government has certain tools to punish state-sponsored cyberattacks against American targets—including sanctions, diplomatic action and sometimes criminal indictment—these options cannot force a foreign state to pay compensation for the damage caused by cyberattacks. Only civil liability for sovereign cyberattacks can impose monetary costs for such attacks.
In finding Russia not liable, the court relied on the Foreign Sovereign Immunities Act of 1976 (“FSIA”)—a statute enacted decades before the internet existed in its current form. The FSIA provides foreign states immunity from civil suits in U.S. courts in all but a few circumstances. It’s clear that we need to update and amend the FSIA to reflect the modern reality of state-sponsored hacking by adding a cyber-attack exception to sovereign immunity.
The FSIA has limited existing exceptions, including exceptions for a sovereign’s commercial activities and noncommercial torts in the United States. Where the hacking has a political objective, it is unlikely that the commercial activity exception would apply. Under the noncommercial tort exception, an individual can bring a suit based on a foreign state’s “tortious act” if the tort occurs “in the United States.” That exception was enacted, according to a Congressional report, “to permit the victim of a traffic accident or other noncommercial tort to maintain an action against the foreign state.” Over the years, courts have generally interpreted the exception narrowly to require that the “entire tort” must have occurred in the United States.
The federal courts have previously held cyberattacks originating abroad to lie outside that exception because the hackers were not in the United States. The court in New York cited decisions by federal courts in Washington D.C. and California (where we represented a U.S. citizen who alleged that his emails had been hacked by a foreign sovereign) to hold that the “tort exception” to sovereign immunity doesn’t apply to a cyber-attack carried out by hackers located in Russia, outside the United States. In so ruling, United States District Court for the Southern District of New York Judge John G. Koetl held, “the DNC’s claims against the Russian federation are barred by the FSIA and no exception applies. Relief from the alleged activities of the Russian Federation should be sought from the political branches of the Government and not from the courts.”
This has created the strange situation in which a foreign state could be civilly liable if its agents in the United States were to commit tortious conduct (like physically assaulting a person here), but would be immune from any liability if its agents abroad initiated a tortious intrusion into that same person’s email server and computer systems located in the United States.
In the California case we handled, the district court found that the foreign sovereign was immune from liability for the alleged cyberattack but added a powerful call to Congress to fix the law: given “the growing prevalence of attacks in cyberspace, it may be an appropriate time for Congress to consider a cyberattack exception” to the FSIA.
This wouldn’t be the first time that Congress has amended the FSIA to ensure that Americans can get their day in court. When the FSIA was enacted in 1976 it didn’t have a provision allowing for a suit against a foreign state for acts of terrorism, so in 1996 Congress amended the law to allow Americans who had been the victims of terrorism to sue foreign states that had been designated by the State Department as “State Sponsors of Terrorism.”
After the September 11 attacks, the family members of victims (who we represent in separate proceedings) found that they faced an uphill legal battle as they pursued civil litigation against Saudi Arabia. Since Saudi Arabia was not a designated State Sponsor of Terror, they could not use that exception to the FSIA and were left to argue that Saudi Arabia had engaged in a noncommercial tort. In 2015, a federal judge in New York dismissed that lawsuit. The court held that Saudi Arabia was immune under the FSIA and that the tort exception would not apply because the “entire tort” wasn’t conducted within the United States.
In response to that case, Congress enacted the Justice Against Sponsors of Terrorism Act in 2016 (“JASTA”). The law created a civil cause of action against foreign states for injury or death occurring in the United States based on an act of international terrorism occurring in the United States and a tortious act undertaken by a foreign state or any official, employee, or agent of that state while acting in their official position. This amendment to the FSIA was fairly narrow in scope: it only held foreign states accountable where the terrorist act occurred on U.S. soil. Nonetheless, it was important in that it removed the requirement that the “entire tort” be committed in the United States and established that the foreign state need not be designated by the State Department. The same principles should apply to hold to account cyber-attackers who carry out attacks targeting U.S. persons.
Congress can, and should, respond to court rulings about the scope of foreign sovereign immunity.The Supreme Court has stated that “foreign sovereign immunity is a matter of grace and comity on the part of the United States, and not a restriction imposed by the Constitution” Verlinden B.V. v. Cent. Bank of Nigeria, 461 U.S. 480, 486 (1983). There is no need based on “grace and comity” to allow foreign adversaries to carry out cyberattacks against targets on U.S. soil, any more than to carry out terrorist acts here. The cyberattack exemption should cover attacks that are clearly politically motivated—such as the DNC attack—as well as cyber-attacks that have an economic or unclear motivation.
While the U.S. government can sometimes criminally indict individual hackers for crimes impacting U.S. persons—as the Special Counsel did in the Russian hack of the DNC—the reality is that civil suits could be more effective at confronting cyber-attacks undertaken by foreign sovereigns. Under §1610(a) of the FSIA, Plaintiffs can collect on a judgment against a foreign state by attaching “[t]he property in the United States of a foreign state” and that includes the property of an “agency” or instrumentality of the foreign state (such as state-owned enterprises). § 1610(b). Those judgments can be costly for foreign nations: in 2016 the Supreme Court ruled that almost $2 billion of frozen Iranian assets held in in New York must be turned over to the families of victims of Iranian terrorism. Iran has vocally criticized the fact that billions of their dollars have been seized and turned over to victims of terrorism. If a cyber-exception were enacted, even state-owned enterprises of foreign states operating in the United States could be forced to pay out damages awards. The threat of judgments worth billions of dollars that can be seized and then lost would be far more of a deterrent than the hollow threat of criminal indictments against hackers who may never set foot in this country.
The United States should protect its citizens on its own soil. We should send a clear signal to foreign nations that if they carry out hacks targeting computer systems on American soil, they should be prepared to be found liable in American courts—and pay the compensation due.
 It is worthwhile to note that the U.S. is facing billions in damages in responsive suits in Iranian courts, and that the ICJ is entertaining some of Iran’s claims at the ICJ. See https://www.justsecurity.org/62604/unpacking-icj-judgment-certain-iranian-assets/.