
International Law News

International Law News, Fall 2023

Anticipating Adversity: Enhancing Force Majeure Provisions for Cybersecurity Threats and Technological Disruptions

Joy Momin

Summary

  • How should force majeure clauses in contracts account for the mounting frequency of cyberattacks, cyberwarfare, and unforeseeable technical malfunctions?
  • This "Force Majeure Challenge" is precipitated by the surge in both severe cyber incidents and requests for relief from affected parties.
  • The Force Majeure Challenge requires a nuanced approach to address foreseeability in the context of cyber threats, where the frequency and sophistication of attacks are on the rise.

In the era of escalating cyber threats and technological complexities, the question arises: how should force majeure clauses in contracts account for the mounting frequency of cyberattacks, cyberwarfare, and unforeseeable technical malfunctions? This “Force Majeure Challenge” is precipitated by the surge in both severe cyber incidents and requests for relief from affected parties.

Imagine a hypothetical scenario involving TechGuard, an entity responsible for safeguarding critical infrastructure against cyber threats. TechGuard is in the midst of executing a contract with a government agency, guaranteeing the integrity of national communication networks. Suddenly, a sophisticated foreign state-sponsored cyberattack cripples its software during implementation, causing widespread disruption. TechGuard, despite best efforts, is unable to avert the catastrophe and fails to fulfill the terms of the contract.

In this scenario, the force majeure provision becomes pivotal. TechGuard contends that the cyberattack qualifies as an event beyond its control and thus invokes force majeure. While this argument seems reasonable, granting such relief may establish a risky precedent. If the agency excuses TechGuard's noncompliance, will it do the same in the face of future cyber onslaughts affecting critical infrastructure?

Presently, force majeure provisions are interpreted narrowly. However, shifts in administration can alter enforcement policies, introducing ambiguity and uncertainty for contractual parties and stakeholders affected by cybersecurity-related breaches. Addressing the Force Majeure Challenge is of paramount importance, particularly for the burgeoning field of cybersecurity law.

Force Majeure Framework

The concept of force majeure, originating from principles of tort and contract law, pertains to unforeseen events that lead to a party's contractual breach or negligence. In the realm of environmental law, force majeure serves as an affirmative defense when sanctioned by statute or issued by regulatory bodies. This discourse focuses on its application in contractual breaches under the purview of cybersecurity and technological disruptions.

Current force majeure provisions require events to be beyond the potentially responsible party’s control. Courts, however, have dismissed force majeure defenses when events were foreseeable. The Force Majeure Challenge requires a nuanced approach to address foreseeability in the context of cyber threats, where the frequency and sophistication of attacks are on the rise.

International Framework

Cyberwarfare, in the context of international law, refers to the use of digital technology and cyber capabilities by states or non-state actors to conduct operations that are tantamount to traditional acts of war. Several established principles and norms govern state behavior in cyberspace, but much of cyberspace remains undefined. In our hypothetical TechGuard scenario, some concepts to keep in mind include:

Principle of Sovereignty: States have the sovereign right to control what happens within their borders, including in cyberspace. Unauthorized access or interference with another state's systems may be considered a violation of sovereignty.

Armed Attack and Self-Defense: An act of cyber aggression that rises to the level of an armed attack may trigger the right to self-defense under international law. However, there is significant debate about what constitutes an "armed attack" in cyberspace.

Due Diligence and State Responsibility: States are expected to exercise due diligence in preventing cyber operations originating from their territory that could harm other states. They can be held responsible for actions originating within their borders.

Cyber Espionage vs. Cyber Attack: Distinguishing between cyber espionage (theft of information for intelligence purposes) and cyber attacks (operations causing harm or damage) is crucial in legal terms. Espionage generally falls into a gray area and is not explicitly prohibited under international law.

State Responsibility for Cyber Operations: Determining which state is responsible for a cyber operation can be complex, especially in cases involving proxies, non-state actors, or false flag operations.

Norms of Responsible State Behavior in Cyberspace: Various international initiatives, such as the Tallinn Manual and the Paris Call for Trust and Security in Cyberspace, aim to establish voluntary norms of behavior for states in cyberspace.

A Suggested United States’ Framework

With consideration and a certain level of foresight, the rapid escalation of technological access and the inability to effectively mitigate all risks of bad actors necessitate a revision of traditional force majeure clauses. In evaluating a claim, attorneys should ask two questions about the event that occurred: (1) was it not "foreseeable," considering what official cybersecurity risk assessment models could reasonably predict; and (2) was it not a risk acknowledged by the contracting party pursuant to relevant risk disclosure laws?

Future research in cybersecurity risk assessment models is likely to establish the threshold for "foreseeability." Entities may rely on well-recognized cybersecurity models, such as the National Institute of Standards and Technology (NIST)'s Cybersecurity Framework, to gauge the foreseeability of cyber threats. These models offer a systematic approach to identifying and managing cybersecurity risks, enabling entities to make informed assessments.

Moreover, contracting parties should be obliged to disclose cybersecurity risks in accordance with existing guidance, such as the Federal Trade Commission's standards and existing law, including the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), and Fair and Accurate Credit Transactions Act (FACTA), in addition to Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) measures.

Implementation

These suggestions may help establish a framework to judiciously assess force majeure claims in the wake of cyber threats and technological disruptions. By holding contracting parties accountable for disclosed risks and leveraging authoritative cybersecurity models, the proposed analysis aligns with the imperatives of a modernized digital landscape.

Proactively addressing the Force Majeure Challenge not only mitigates potential legal ambiguities but also incentivizes investments in robust cybersecurity infrastructure. In doing so, we fortify the resilience of critical systems and safeguard against future breaches, aligning with the administration's commitment to fortify national cybersecurity and protect against emerging threats.

Advocating for amendments to force majeure provisions in contracts represents a wise approach amid the mounting cybersecurity threats. By adopting this framework, we cultivate a digital landscape that is not only more secure and robust but also serves the collective interests of stakeholders. It is my strong recommendation that we, acting as safeguards of society, take proactive steps to bolster provisions in relation to cyber-protections, guaranteeing a fairer future for all.
