chevron-down Created with Sketch Beta.

Dispute Resolution Magazine

Magazine Archives

Keeping Disputes Cybersecure in the Virtual Age

Brandon Malone

Summary

  • All dispute resolution disputes are susceptible to cyberattacks.
  • Hackers can become aware of arbitrations and use various methods to gain financial advantage.
  • The full Protocol on Cybersecurity in International Arbitration was launched at New York Arbitration Week in 2019 and is available on the International Council for Commercial Arbitration (ICCA) website.
Keeping Disputes Cybersecure in the Virtual Age
Marco VDM via Getty Images

Jump to:

Cyberattacks have a long history. The first instances of computer hacking were recorded shortly after the invention of computers, and the first internet “hacks,” as we would recognize the term today, date back to 1989.

Like any area of personal or business life that involves an online element, dispute resolution processes, including arbitration, are susceptible to cyberattack.

Why might a hacker be interested in an arbitration? There are countless reasons, but they can all be categorized under two broad headings: money and chaos.

Chaos is the simplest to explain, if not to understand. To paraphrase Michael Caine in the Batman movie, The Dark Knight, some people just want to watch the world burn. There is mischief to be had in interfering with the legal process, in shutting companies out of their own computer systems, and in posting confidential or compromising information online. That is how some people get their kicks.

Money is also easy to explain as a motivation, money being the motivation for most things. International arbitration often involves disputes over huge amounts of money. If hackers become aware of a high-value arbitration, they could use hacking in various ways, whether directly or indirectly, to gain financial advantage. Let’s consider some examples.

Regardless of the extent to which information about a dispute might be in the public domain, there are always aspects of the process where confidentiality is key. The communication between agent and client is an obvious one. A hacker acting on behalf of a party to an arbitration could try to obtain a direct advantage by accessing communications between an opponent and their lawyers, gaining knowledge of their opponent’s strategy and weaknesses.

There have been many examples of law firm and legal chamber hacks. Perhaps the most famous incident is the Mossack Fonseca hack, which resulted in the publication of the “Panama papers,” 11.5 million confidential documents. The firm closed its doors shortly afterwards. In the arbitration sphere, a recent case before the Brazilian courts involved a challenge to an arbitrator after agent-client communications were hacked.

Confidentiality is also important in tribunal deliberations. When the hearings are over and a draft decision is circulated for discussion by tribunal members, how valuable might that draft be to a bad actor? If a hacker knows the outcome of a high-value arbitration weeks before the award is published, there are obvious opportunities for insider trading. Similarly, with advance notice that a state is about to lose a multibillion-dollar arbitration to an oil company, fortunes could be made on the stock market and perhaps on the currency markets, depending on the strength of the state’s economy.

One annoying thing about hackers is that they don’t leave calling cards. In fact, a hack may not be discovered for weeks, months, or years after the hack has taken place, and it may not be discovered at all. In the meantime, the hackers, or the inside traders they have helped, have disappeared along with their ill-gotten gains.

There are other ways to influence the outcome of an arbitral process through cyberattacks. What if a party can see that an arbitration is not going well and they are likely to lose? Perhaps one of the arbitrators is clearly against them on a crucial issue and has the ear of the other arbitrators? What if that arbitrator could be removed from the process with the click of a mouse? How easy would it be for a hacker to access that arbitrator’s computer looking for kompromat? Nothing there? Could a hacker then put some compromising, perhaps illegal, material on that computer and call in the authorities?

An extreme example? Yes. But when enough money is involved, parties may be driven to extreme measures. Of course, it is not just money in dispute in large scale arbitrations. There may also be questions of state territory, maritime borders, and the like. Where state actors with cyber capabilities are involved, anything is possible.

In 2015, during an ongoing maritime border dispute between China and the Philippines, the website of the Permanent Court of Arbitration (PCA) was hacked. The website was infected with malware, which infected the computers of visitors to the site, potentially exposing them to data theft. It is not possible to say whether the Chinese government was behind this cyberattack. But the governments of China, Russia, and the United States have immense cyber warfare capabilities.

Of course, all dispute resolution processes are potentially susceptible to cyberattack. Arguably, arbitration is less susceptible than most processes, since it is confidential and hackers are less likely to know about the dispute in the first place (unless they are a party). It is, however, important to the integrity of the process, and therefore to users’ confidence in the arbitral process, that credible measures be put in place to mitigate the chances of a successful cyberattack.

Following a number of high-profile cyberattacks, the international arbitration community identified the need to defend the integrity of the arbitral process. This concern was captured and articulated in a seminal 2017 article by the independent arbitrators Stephanie Cohen and Mark Morril. The article identified and categorized the threat presented by cyberattacks, and it persuasively argued that while all parties involved in the process have a role to play, primary responsibility for avoiding a cybersecurity breach rests with the arbitral tribunal. This responsibility is consistent with an arbitrator’s duty to protect the confidentiality and privacy of the proceedings, preserve and protect the legitimacy of the process, and be competent.

In addition, tribunal members may have express or implied duties to maintain cybersecurity under applicable professional codes of conduct, data protection and cybersecurity laws, and contractual obligations arising from their agreement with the parties, or as a consequence of the applicable rules.

Against this backdrop, in 2017, the International Council for Commercial Arbitration together with the New York City Bar and the International Institute for Conflict Prevention and Resolution formed a working group on cybersecurity in international arbitration. In April 2018, the working group produced an initial draft Protocol on Cybersecurity in International Arbitration to coincide with the XXIVth ICCA Congress in Sydney. After a period of consultation and revision, the full protocol was launched at New York Arbitration Week in 2019 and is now available on the ICCA website. The protocol provides a framework to determine reasonable information security measures for individual arbitration matters and to increase awareness about information security in international arbitration.

Since the initial consultation on the draft protocol, there have been a number of further initiatives to increase awareness of cybersecurity issues, such as the International Bar Association’s Cybersecurity Guidelines. Some arbitral institutions have also amended their rules to recognize the need for cybersecurity.

But nothing has focused attention on cybersecurity issues that arise in arbitration processes quite as much as the COVID pandemic. Before the pandemic, while email was ubiquitous and online platforms were common, virtual hearings were rare and paper bundles were the norm. The lockdown changed that overnight. In-person hearings completely stopped. Those of us who had been using Zoom to communicate with a few other geeks suddenly found that even the most stubborn luddite was now, if not a fan, at least a regular user of videoconferencing platforms. Electronic bundles became the norm. Secure online platforms became an essential.

With this overnight migration to the virtual world and all arbitration activity occurring online, the opportunities for cybercrime increased exponentially. As a result, awareness of potential vulnerabilities and the need to take appropriate cybersecurity measures has increased. Cybersecurity is now recognized as an issue to be addressed early in proceedings.

Happily, the pandemic has not altered the risk factors, nor the solutions. There has been no need to alter the guidance given in the ICCA Protocol, and it remains an invaluable resource for everyone involved in the arbitral process.

Even though we are slowly returning to physical hearings and international travel (where merited), online arbitration has now achieved proof of concept and is here to stay. Consequently, all participants in the arbitral process must be familiar with the risks involved in the virtual world and put appropriate measures in place. The ICCA-NYC Bar-CPR Protocol and similar guides can assist with that process.

    Author