As the threats posed by cyber attacks grow, it is prudent to look to and analogize from applicable domestic as well as international law. U.S. law does possess certain principles that are applicable to cyber attacks. For example, consider vicarious liability. This is a form of strict secondary liability that arises under the common law doctrine of agency, i.e., respondeat superior. Under this theory, the principal is responsible for the acts of the subordinate. In a broader sense, a third party that has the “right, ability, or duty to control” the activities of a violator but refuses or neglects to do so may in some circumstances be held responsible for the violator’s actions.125 Applied to cyber attacks, this principle may hold companies liable for a CNA that knowingly or negligently fail to provide sufficient cyber security for the persons or resources, including infrastructure, under their care. The fact that most of the critical infrastructure in the U.S. is privatized signifies that this principle of tort law and other related common law doctrines could prove decisive in developing a U.S. legal regime to deal with cyber attacks.
Several recent precedents may be used to begin laying the foundation for this regime of vicarious liability applied to IW. For example, the U.S. Supreme Court recently held in Metro-Goldwyn-Mayer Studios, Inc., v. Grokster, Ltd that software distributors could be held liable for contributory infringement of copyright based on the distributor’s knowledge of extensive infringement.126 This case stands for the proposition that, if a technology company is aware of a nefarious act and the firm refuses to develop filtering tools to diminish the infringing activity, then the company may be held liable for any resultant criminal or terrorist acts. Similarly, in Fonovisa v. Cherry Auction,
125 Meyer v. Holley, 537 U.S. 280 (2003).
126 Metro-Goldwyn-Mayer Studios, Inc., v. Grokster, Ltd., 545 U.S. 913 (2005). Cf CoStar Group v. LoopNet, Inc., 373 F.3d 544, 556 (4th Cir. 2004) (holding that a web provider was not liable as the manager of a system used by others who were violating U.S. law).