As 2009 began, an Indian tanker loaded with oil found itself under attack by machine gun fire from pirates off the coast of Somalia

Sending out an SOS in CyberspaceDuncan Hollis & David Post

April, 2010On January 1, 2009, an Indian oil tanker found itself under attack by machine gun fire from pirates off the coast of Somalia. The ships captain sent out an SOS. A Malaysian frigate heard the call and immediately responded, sending a helicopter to the scene. On its arrival, the pirates fled and the tankers crew escaped unharmed. The SOS saved both lives and property. It worked because for more than a century international law has clearly required all those receiving an SOS signal to proceed with all possible speed to render assistance. Today, similar legal duties aboundwhat we might call a duties to assistwhether in response to a pilots Mayday call, distress signals or emergency numbers.

As yet, however, there is no SOS for the Internet. Most companies and governments are reluctant to even admit the existence of a cyberattack, let alone ask others for assistance. A defensive mindset predominates. Victims focus their time and money on building thicker security walls in hopes of repelling further attacks. Googles recent disclosures, however, demonstrate that this defense-only strategy is insufficient. By its own admission, Google failed to stop attacks from China on not only its infrastructure but also the e-mail accounts of various Chinese human-rights advocates. The fact that the great Google could not defend itself suggests that cyberspace needs a duty to assist those who ask for help. Cyberspace is not real space. Nor is a cyberattack akin to a physical attack. But as the worlds dependence on information networks grows, cyberattacks can and will do great harm. When hackers marshaled a million computers to block access to Estonian computer networks in 2007, they took down emergency phone lines and froze online services for the government, banks, universities and hospitals. Today, cyberattacks repeatedly compromise communications, whether among Chinese human rights activists, Iranian dissidents, or U.S. Defense Department officials. Dozens of militaries have assembled cyberforces, not simply to defend against cyberattacks, but to launch them as well. Indeed, Chinas military remains the chief suspect in the Google attacks. Experts fear a future where cyberattacks will disable anything from power grids to stock exchanges.

How would a duty to assist deal with such risks? If nations could agree (whether by treaty or by customary practice) that anyone who can help must do so, it would provide a much needed first principle for cyberattacks. At present, there is no agreement on what rules govern these attacks. Criminal laws sometimes apply, but if attacks come from military sources, law-enforcement methods will not work. The laws of war may then apply, but experts disagree on how to translate those rules into cyberspace. And even if we could agree on how to apply existing rules, they are unlikely to do much good. Cyberattacks are generally anonymous. Absent outside intelligence or luck (both of which helped Google), we will rarely know who launched an attack. Both criminal law and the laws of war, however, work by regulating the attackers conduct. As long as technology allows cyberattackers to hide their true identity, they can escape the reach of both sets of rules. A duty to assist, in contrast, can work without identifying the attackers. It focuses instead on minimizing the attacks effects. A victim would send out a distress callan Internet SOSand all those in a position to provide assistancewhether governments or private actorswould have an obligation to respond. Help could come in many forms. If attackers denied service to a computer resource, internet service providers could provide additional bandwidth. If an attack crossed through a nations territory, that nations government would have to deny attackers further use of its information networks and help trace the attack to its true origins. A great deal of informal assistance already occurs in the aftermath of a cyberattack. But no matter how robust, aid only comes from those who decide they have the time, resources, or interest to help. A duty to assist, in contrast, would mandate aid from all quarters. In 2007, when Estonia asked Russia to cease attacks it believed originated from within Russian territory, the Russian government refused by suggesting the attacks could have originated elsewhere. If it accepts an international obligation to assist, Russia would no longer have such excuses. Similarly, Google could demand that China aid, rather than resist, its efforts to undo damage from recent attacks. Of course, sometimes a government might actually be the attacker. But if governments like China agree in advance to a duty to assist, they might not attack in the first place. After all, why make a mess youll have to clean up even if no one knows youre responsible? In a world where we cannot hold attackers accountable, the best we can hope for is to minimize the harm from cyberattacks so attackers think twice about whether its worth the effort to attack at all. And minimizing the harm is exactly what a duty to assist should do. Law has long-valued rights of self-reliance and self-defense. A ship and its crew can go it alone most of the time, but the SOS is there when they need it. Similarly, companies and governments will often be able to defend their own computer networks, but that does not mean the law cannot step in cases where those efforts fail. Of course, countries must elaborate more precisely who can call for help, when they can do so, and what assistance others must render. Whatever its details though, governments, companies, and individuals should be able to know that when they make that call for help, it will come. Duncan B. Hollis and David Post are on the Faculty of the Beasley School of Law at Temple University.