Foreign hackers are protected in our courts by an outdated law; Congress needs to change that

By Jacob Kamaras

October 3, 2018 - 1:25 PM

Imagine if your emails were secretly read by a hostile foreign power; if all of your intimate or hastily chosen words were cataloged by topic, and sent to the press to demean or destroy you.

More than 1,200 Americans—of both political parties—as well as foreign leaders and celebrities, don’t have to imagine. They are the victims of what appears to the largest hack ever conducted by a foreign government, according to a recent Bloomberg report.

The hack is breathtaking in its geographic reach (America, Europe, Middle East, and India), its duration (from 2014 to 2018), and its reported range of targets, which include a former CIA official, a Democratic Party operative, and a prominent Republican fundraiser. Outside the U.S., British journalists, European counter-terrorism experts, international soccer stars, and Bollywood actresses have each been hacked and attacked.

This massive hack—a spear-phishing attack that used tiny URLs to entrap the unsuspecting and launch virus-like software that sucked up personal information—appears to have been directed by the government of Qatar.

Bloomberg’s Eli Lake lays out some of the evidence of Qatar’s culpability: “For the most part, the hackers used virtual private networks to mask their IP addresses. In a couple instances, however, they did not — and the addresses linked back to the internet service provider, Ooredoo, which is majority-owned by Qatari government agencies.”

Other technical evidence points to Qatar carrying out the hack.

“The extent and volume of information that they were able to obtain in these subpoenas goes beyond the capabilities of an individual,” Sam Rubin, a vice president of the Crypsis Group cybersecurity firm, says in Lake’s report. “It’s set up in a systematic manner, to be shared by what appears to be a team.”

What motive could Qatar have? As Lake explains, the hack “looks like it was designed to yield political intelligence of interest to the Qatari government.”

Foreign governments have been using hacks to influence America for almost a decade. Whether wielded by the Russian military agencies that hacked the DNC in an attempt to influence the 2016 election and more recently targeted prominent conservative think tanks, or by the North Korean hackers who took down the president of Sony Pictures over a film they didn’t like, hacks have become a weapon of choice. They single out perceived opponents and destroy them, with little collateral damage and complete deniability. They function like invisible assassins, digital snipers.

And victims are powerless to strike back. No nation would use sanctions, demarches, or other measures to aid a few private citizens affected by such actions.

And hacking victims cannot even sue in U.S. courts for the damages they suffered.

That’s because state-backed hackers are exploiting a loophole in the Foreign Sovereign Immunities Act, or FSIA, which is ambiguous as to whether foreign governments can face criminal or civil penalties for this behavior.

Consider the case of Elliott Broidy, the former RNC finance chairman. In legal filings, he presented evidence that his emails were hacked by Qatar. In one of the lawsuits Broidy filed, a federal judge recently ruled that the Qatari government should have immunity under the FSIA.

The 1976 law was adopted long before the Internet was a thing. As presently written, the judge found, the FSIA “effectively precludes civil suits in United States courts against foreign governments.” Importantly, the judge noted that, given “the growing prevalence of attacks in cyberspace, it may be an appropriate time for Congress to consider a cyberattack exception” to the FSIA.

Here’s what the judge had in mind: The law now allows terrorism victims to sue foreign governments in federal courts; a “cyberattack exception” would extend the same protections to hacking victims.

Heeding the federal judge’s call, a growing number of lawmakers are weighing just such a “cyberattack exception,” including Reps. Ted Poe, R-Texas, and Steve Chabot, D-Ohio.

Closing the cyberwarfare loophole should be a bipartisan cause: hackers have targeted Republicans and Democrats alike.

And the worry that foreign governments might enact similar laws? It is no worry. Hackers should have no refuge, and our allies should make common cause against this scourge.

Until Congress acts, Russia, Qatar, North Korea, and Iran will have a free hand to intimidate and silence Americans—disrupting our democracy. Let’s not allow an outdated law to give our sword-wielding enemies an American shield.

Jacob Kamaras is the former editor-in-chief of the Jewish News Syndicate.