If your organization is attacked by nation-state backed threat actors, can those involved hide behind claims of diplomatic immunity?
The U.S. Ninth Circuit Court of Appeals just ruled that they can, in a December 2020 decision.
Let's take a high-level look at the case between a U.S.-based company and the nation of Qatar.
Revenge cyberattack allegedly launched by Qatar
Elliott Broidy runs a U.S.-based investment firm and sits on a U.S. Homeland Security (DHS) Advisory Council.
He also is an outspoken critic of Qatar and the regime's alleged ties to Iran and terrorism. According to the court case, his criticism of Qatar was flying in the face of that country's efforts to improve its image among U.S. government leaders.
Court documents say Qatar responded by launching a retaliatory cyberattack against his firm, called Broidy Capital Management (BCM):
"The centerpiece of Qatar's purported targeting of Broidy was a concerted series of cyberattacks aimed at BCM's California-based computer servers. In the latter half of 2017, Qatar retained the New York-based firm of Global Risk Advisors LLC ('GRA') to coordinate that effort, and GRA thereafter introduced Qatar 'to cyber mercenaries in various countries to coordinate technical aspects of the illegal intrusion.' Thereafter, through a series of 'spearphishing' attacks aimed at several persons connected to Broidy, including his executive assistant, the hackers obtained access to BCM's Los Angeles-based servers. Beginning on January 16, 2018, and continuing through at least February 25, 2018, the hackers engaged in 'thousands' of instances of unauthorized access into BCM's servers and obtained 'Plaintiffs' private communications, emails, documents and
Attribution of a cyberattack can be difficult, and nation-states can usually cover their tracks. But operational security is often imperfect, and there were a couple of glitches in this case:
"Subsequent forensic investigation revealed that the hackers were largely able to hide the origins of the attacks on BCM's servers by routing their communications through Virtual Private Networks ('VPNs'). However, two brief glitches in the VPN system revealed that at least two attacks in February 2018 originated from an IP address in Doha, Qatar, that belongs to an internet service provider that is majority-owned by Qatar. Additional forensic analysis also established that persons using IP addresses from Vermont 'directly accessed Plaintiffs' servers 178 times from February 12, 2018 to February 25, 2018.' Plaintiffs contend that these Vermont-based attacks were direct, i.e., that they were not 'associated with VPNs or similar anonymization tools.'"
The Qatar-backed cyberattacks were successful, and hackers stole confidential information from the firm and then shopped it around to get it published:
"A New York-based public relations firm that Qatar had previously hired in connection with its efforts to influence U.S. public opinion, Stonington Strategies LLC ('Stonington'), participated in this plan to 'organize and disseminate Plaintiffs' stolen emails to media organizations.' The metadata from some of these leaked PDFs revealed timestamps from the Central and Eastern Time Zones, suggesting that the conversion of these files into PDF format took place in the United States. Plaintiffs also allege that 'many of the instances of unlawful distribution of illegally obtained [documents] took place within the United States.'"
The hacked and stolen documents led to unflattering articles being published in The New York Times, Wall Street Journal, and other media. Broidy Capital Management says this caused the firm reputational harm. This is the kind of data breach harm we often hear discussed at virtual SecureWorld conferences.
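The court documents quoted above infer where the leaked PDFs were produced from the time zones in their metadata. The following is an added example, not code or data from the case record, showing how that inference works for forensic review: it reads the UTC offsets from PDF date strings and tallies them. The function names, the sample files and the assumption that the dates sit in an uncompressed Info dictionary are all constructed for illustration.

```python
import re
from collections import Counter

# PDF date strings have the form D:YYYYMMDDHHmmSS+HH'mm' (offset optional,
# "Z" means UTC). The offset is the producing machine's local UTC offset.
PDF_DATE = re.compile(
    rb"/(CreationDate|ModDate)\s*\(D:(\d{14})(Z|[+-]\d{2}'\d{2}'?)?\)"
)

# Assumption: US offsets during standard time (the sample dates are in winter).
US_WINTER_OFFSETS = {"-05:00": "Eastern", "-06:00": "Central",
                     "-07:00": "Mountain", "-08:00": "Pacific"}

def pdf_utc_offsets(data: bytes):
    """Return (field, local timestamp, UTC offset or None) for each date found."""
    found = []
    for field, stamp, tz in PDF_DATE.findall(data):
        if not tz:
            offset = None  # no offset recorded: nothing can be inferred
        elif tz == b"Z":
            offset = "+00:00"
        else:
            offset = f"{tz[:3].decode()}:{tz[4:6].decode()}"
        found.append((field.decode(), stamp.decode(), offset))
    return found

def summarize(documents: dict):
    """Tally offsets across a set of PDFs, labelled by US zone where known."""
    tally = Counter()
    for _name, data in documents.items():
        for _field, _stamp, offset in pdf_utc_offsets(data):
            label = US_WINTER_OFFSETS.get(offset, "other/unknown")
            tally[(offset, label)] += 1
    return tally

# Constructed sample Info dictionaries (not taken from the case record).
SAMPLES = {
    "a.pdf": b"<< /Producer (Example) /CreationDate (D:20180301091500-06'00') >>",
    "b.pdf": b"<< /CreationDate (D:20180302174200-05'00') "
             b"/ModDate (D:20180302174500-05'00') >>",
    "c.pdf": b"<< /CreationDate (D:20180303120000Z) >>",
    "d.pdf": b"<< /CreationDate (D:20180304120000) >>",
}

if __name__ == "__main__":
    for (offset, label), count in sorted(summarize(SAMPLES).items(), key=str):
        print(offset, label, count)
```

The offset reflects only the clock settings of the machine that wrote the file, so it supports an inference about location rather than proving one.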
So Elliott Broidy and his firm sued Qatar, and the known players involved, alleging unlawful intrusion into company servers under the U.S. Computer Fraud and Abuse Act and the Stored Communications Act.
Diplomatic immunity: does it apply to cyber attacks?
No matter where you live in the world, it is possible you've heard about a visiting diplomat breaking the law and getting away with it by citing diplomatic immunity.
In the U.S., visiting diplomats can do this under something called the Foreign Sovereign Immunities Act (FSIA), which has been on the books since 1976. The act does contain exceptions, but none of these were found to apply in this case.
And in response to this cyberattack lawsuit, Qatar argued that it was protected by this kind of immunity:
"Qatar filed a motion to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(2) for lack of subject matter and personal jurisdiction, asserting that it was immune under the FSIA."
The U.S. Ninth Circuit Court of Appeals in California just agreed with Qatar's defense and said the case should be dismissed.
"The panel held that neither the FSIA's exception to immunity for tortious activity nor its exception for commercial activity applied, and the State of Qatar therefore was immune from jurisdiction."
But wait a minute.
What about those computer intrusions detected from Vermont during those occasions when the VPN glitched? Wasn't that a U.S.-based attack that would be an exception to diplomatic immunity?
Here is what the district court decided and the Ninth Circuit affirmed:
"The alleged attacks from Vermont, the court held, 'were merely the continuation of purported conduct allegedly originating in Qatar' and 'do not demonstrate an independent tort occurring entirely within the United States.'"
Although there are exceptions to the FSIA, the court says they were not met in this case and there is no remedy here for the firm:
"The FSIA is the 'sole basis' for obtaining jurisdiction over a foreign state in a civil action.... Under the FSIA, a foreign state 'shall be immune from the jurisdiction of the courts of the United States' unless one of the Act's enumerated exceptions applies."
Cyber law continues to develop; we know this. Now, we also know that in some cases, diplomatic immunity extends to nation-state cyber attacks.
[Read the case: Broidy Capital Management, LLC v. State of Qatar]