Microsoft Exchange Email Hacks!

numbers projected on face
Photo by Mati Mango on Pexels.com

Another cyber-attack labelled ‘Microsoft Exchange Email hacks’ hits the news again! This attack has been concerningly described as ‘zero day’ attack. A zero-day attack means that the points of vulnerability were unknown before the attack therefore the cyber-attack occurs on the same day that the weakness is discovered in the software. Like so many things happening around the world at this point, the race is on to get on top of these attacks which are believed to be state sponsored and cultivated in China by the hacking group Hafnium. Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world.  It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that their system has been compromised and that there is a possibility that personal data has been exposed.  

What happened?

Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities in the server’s system to enter the Microsoft Exchange Server which is used by large corporations and public bodies across the world. The calendar software of governments and data centres were also compromised. The hackers also sometimes used stolen passwords to gain unauthorized access to the system. The hackers would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.

Tom Burts, a VP at Microsoft described in a sequential order how the attack was carried out;

First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.

Second, it would create what’s called a web shell to control the compromised server remotely.

Third, it would use that remote access – run from the U.S. based private servers to steal data from an organization’s network.[1]

What is not affected?

The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar services that’s included in commercial Office 365 and Microsoft 365 subscriptions.

International Response

In response Microsoft issued a software update for its 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cybersecurity Centre, the US and the Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.

But what does this mean for insurers?

This is an extra dent in the cyber security efforts of companies and public bodies yet another opportunity for a lesson to the insurance market of the potential global and high aggregate loss from just one attack. This incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. Similarly, it is another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever they may be. So far, the impact is widespread, and victims include organisations such as infectious disease researchers, law firms, higher education institutions, defence contractors, NGOs. Cybersecurity group Huntress has reported many of their partners servers have been affected and they include small businesses for example small hotels, ice cream company, senior citizen communities, banks, local government and electricity companies[2].

In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies will present their claims to insurers and how insurers will respond to claims from assured whose businesses may have been interrupted by the Exchange Email hacks.

There will be gaps and exclusions in these Business Interruption policies which may not provide adequate protection against cyber risks so it is the assured with a cyber risk policy / insurance coverage who will be the most protected during and after these attacks.

Applicable cyber insurance clauses and possible response of insurers

Most cyber insurance policies cover data loss and business interruption as a result of a security breach so this will not be much of an issue for assureds with cyber insurance coverage. There are exclusions in most cyber insurance policies which may leave an assured vulnerable when hacking of this nature (Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact further:

  1. First Party Loss

costs or expenses incurred by the insured to identify or remediate software program errors or vulnerabilities or update, replace, restore, assemble, reproduce, recollect or enhance data or computer systems to a level beyond that which existed prior to a security breachsystem failuredependent security breachdependent system failure or extortion threat;

  • Betterment

for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;

The inclusion of this or any clause with similar wording means the assured may not be covered for the expenses and cost incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the expenses or costs incurred to install the patches as recommended by Microsoft as these will be classified as updates or enhancement to the computer system beyond a level that which existed prior to the security breach.

  • Infrastructure failure

We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:

  1. Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.

OR

ii.     failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.

OR

  • Third party providers
  1. arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;

OR

ii.   The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.

Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’ to relieve the insurer of any liability to the assured? As software service providers of Microsoft 365 and Azure it will be no surprise to see claims being denied based on clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by the applying ejusdem generis rule in stating that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to Cambridge dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that the Microsoft Exchange Server qualifies as a software needed for a computer system to operate and communicate with other computers. Rather, the function of the Microsoft exchange server is to aid with email storage and calendaring and is unrelated to other operational functions necessary to communicate with other computers.

Certainly ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create less problems for the insurer to establish that the exclusion applies as this broad construction will exclude losses and expenses from incidents such as Microsoft Email Exchange Hack.

  • Government intrusion
  1. which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;

Since the Microsoft Exchange Email are believed to be carried out by Hafnium which is a government backed group, it is reasonable to identify them as agents of the government of China.  Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for their loss or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.

Conclusion and the way forward

As aforementioned, it is early days and the real financial impact if any from these attacks are not yet known. However, what is certain is that hackers, whether state sponsored are not are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Therefore, companies and public bodies must continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks which unfortunately will happen at one point. Among those decisions should be the purchase of cyber insurance policies that addresses the needs of the business with particular attention being placed on the exclusions clauses and ensuring that as an assured you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone .

While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for those small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Therefore, larger corporations within the supply chain must offer their expertise to the small and medium sized businesses with which they trade to respond to this and other cyber security threats.  Since Microsoft Exchange Online servers have not been affected, many small and medium sized businesses may begin to switch to using cloud-based email storage. However, this does not mean they will be immune from cyber-attacks.

Tokio Marine in their Cybersecurity Insurance Policy wording 0417 went as far as to include a list of reasonable steps that an insured should take to avoid / mitigate their loss and these along with government and industry guidelines should be a good starting point in your fight against cyber attacks and their debilitating impacts.

Reasonable steps to avoid Loss

The Insured shall protect its Computer system by:

a. having Virus protection software operating, correctly configured and regularly or automatically updated;

b. updating Computer systems with new protection patches issued by the original system or software manufacturer of supplier;

c. having a fire wall or similar configured device to control access to its Computer system;

d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;

e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;

f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;

g. taking regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;

h. having an operational system for logging and monitoring user activity on its Computer system;

i. remote wipe functionality is installed and enabled on all portable devices where such functionality is available


[1] Tom Burts, ‘New Nation – State Cyber attacks’ (02 March 2021) < https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/> accessed 14 March 2021.

[2] John Hammond, ‘Rapid Response: Mass Exploitation of On-Prem Exchange Servers’ (03 March 2021) < https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers?__hstc=1139630.77196394391fe1afb6fc8e7d1d6a8bc9.1615725167878.1615725167878.1615725167878.1&__hssc=1139630.5.1615725167882&__hsfp=3684379411&hsutk=77196394391fe1afb6fc8e7d1d6a8bc9&contentType=listing-page> accessed 14 March 2021.

Cybersecurity recognised as an urgent global legal challenge

Delighted to see cybersecurity identified as one of the urgent global legal challenges to be addressed under the Hillary Rodham Clinton Scholarship programme just launched by Sky and Swansea University (see below).

No understanding of innovation is complete without an understanding of intellectual property law and as Alec Ross, Senior Advisor for Innovation to Hillary Clinton when Secretary of State, states in his work The Industries of the Future (2016), “We all want the liberty that comes with a vibrant online life, but liberty without security is fragile, and security without liberty is oppressive. The years ahead will force us to balance these two as we have not had to before.”

_____________________________________________________________________________

Sky and Swansea University today announced the first ever global Hillary Rodham Clinton Scholarship programme.

The scholarships will support the next generation of leaders committed to addressing urgent global challenges, including the rights and protection of children online, the climate crisis and cybersecurity.  

Each of the scholars will be selected over the summer and granted a fully-funded, postgraduate, one-year scholarship at Swansea University, starting in the autumn.

Launching the Hillary Rodham Clinton Global Challenges Scholarship, Secretary Clinton said: “I’m delighted that this partnership between Sky and the School of Law at Swansea will be able to achieve something truly unique, with an urgency that the challenges we face today demand. The programme is a modern, flexible approach which combines the rigour of academic excellence with practical, real world impact. These scholars will embody our shared values of working together across disciplines and geographic boundaries to improve conditions and opportunities for all, and especially for women, children, the marginalised and the disenfranchised.”

Sky Chief Executive, Jeremy Darroch said: “We are honoured to be the inaugural partner for the Hillary Rodham Clinton Global Challenges Scholarship and are immensely proud to support a programme so committed to building a better tomorrow.

“As a society we face a number of global challenges and as a responsible business we recognise the importance of using our reach and voice to make a difference in addressing these, making an impact in the wider world, and helping others do the same. I look forward to welcoming the scholars to the Sky family and exploring the good we can do together.”

Dean of the Hillary Rodham Clinton School of Law at Swansea University, Professor Elwen Evans QC, said: “This is a wonderfully exciting initiative and we are delighted to be working with Sky. These scholarships will support the delivery of a transformational programme and we hope that our students will be outward-looking in addressing the big issues. If we are to tackle the major challenges, such as climate, security, protecting children online, and inequality, we require innovative thinking and leadership, and a sustained commitment to transnational cooperation and collaboration. 

“This programme capitalises on the considerable research expertise within the Hillary Rodham Clinton School of Law in order to provide students with an incredible opportunity to undertake study into areas of global challenge, and to be equipped with the skills to undertake legal research and to effectively advocate for transformational change to law, policy and practice.”

Apply for a Hillary Rodham Clinton Global Challenges Scholarship.

Examples of recent IP Wales impact on the Welsh Innovation Economy

Reading the IP Wales SME Guide to IP Cybersecurity, underpinned by Beale A., Ratcliffe S., Tettenborn A., The Protection of Data in our Digital Age [2017] Journal of Business Law, Issue 6, 2017 p.461-472, has resulted in each of the following businesses seeking to adopt new methodologies and processes to protect their online commercial activities:-

Benchmark Skincare Limited (Managing Director: Peter Friswell) “By seeking to be certified for Cyber Essentials will enable our business to become “GDPR compliant, protect itself from phising emails, protect itself from external cyberattacks, creating an effective and robust backup data storage process.”

Boyns Information Systems (Director: Robert Boyns) “Reading the IP Wales SME Guide to IP Cybersecurity helped increase our awareness on the importance of cybersecurity in the field intellectual property. As a result, we have adopted new methodologies and processes to allow Boyns Information Systems to grow our cybersecurity infrastructure, whilst protecting us from online harm. Being awarded the IP Wales grant assisted our bid to achieve the Cyber Essentials Plus accreditation, preparing us more fully to mitigate any cyberattack.”

Cadmhas Limited (Director of Services: Elfed Williams) “We are a registered charity and company limited by guarantee and as the Director of Services of CADMHAS I have a duty of care and responsibility to both my Directors, Staff and Service Users that we mitigate the threat of a Cyber Attack. I have spoken to our suppliers Boyns Information Systems Ltd., and they have assured me that by following the 5 pillars of the Cyber Essentials Scheme this will help towards my goal of having a system secured to government guidelines. By having the certification and adhering to it, I will be able to focus on the development of our day to day operations and plan towards the future with a good IT foundation to move forward.”

Castell Howell Foods Limited (Head of IT: Paul Rankin) “Having read the IP Wales SME Guide to Cybersecurity, we decided to increase our protection to Cyber Essentials Plus to reduce the risk of being infiltrated or having data breaches in line with GDPR. With an ever-increasing rise in cybercrime it makes sense to do as much as we can to prevent attacks on our company. I can honestly say that I feel much more confident in our security now and would highly recommend others to carry out this process. Thanks again for considering us for the funding, much appreciated.”

CCTV Wales Limited (Compliance Supervisor: Steve Gallagher) “…to ensure that all customer data and company information is properly protected allowing the company to enhance their service and support Cybersecurity in the area.”

David W.Harris & Co. Solicitors (Practice Manager: Neil Startup) “We are now in the process of undertaking risk analysis and management relating to cyber security. We have updated our internal governance to include more detail on IT security, such as: maintenance of an asset register to include the addition or removal of any assets, Updated IT security and systems policies, Implementation of remote access control, Implementation of a protocol to manage remote devices with access to exchange accounts, Implementation of server password policies, Implementation of automatic screen lock down through user inactivity, Introduction of periodic penetration testing, Password Protection introduced for all electronic documents.”

Daydream Education (Operations Director: Wesley Paetel) “Reviewing and updating all internal cybersecurity awareness and reporting processes, reviewing all third-party anti-virus and malware applications, ensuring system security is reviewed regularly, and reviewing our disaster recovery processes as well as educating staff members about the dangers of cybersecurity and how to become more aware of threats.”

Guardian Property Services Limited (Business Development: Lauren Thomas) “It’s apparent that cybersecurity should be a priority of any business, irrespective of size. Having the right level of knowledge and preparation is vital to minimise and control damage, as well as an understanding of the consequences of a breach and how to recover.”

Health & Her Limited (Marketing Director: Kate Bache) “Collecting, protecting and processing sensitive customer data to improve our understanding in the therapeutic areas of female health, including menopause and menstrual wellbeing.”

Masons Moving Group Limited (Financial Controller: Robert Power) “Protecting the business from online harm is of paramount importance and the Guide has enabled us to implement new security and knowledge to ensure cyber threats are eliminated. These new systems will be monitored frequently and updated when necessary.”

Masons Self Storage Limited (Marketing Manager: James Mason) “The Guide has been extremely helpful in helping our business truly understand the impact cyberattacks can have on a small business. We have ensured brand new office procedures have been put in place with efficient regimes of how we hold and process all types of data.”

PLF Wealth Management Limited (Director: Jeremy Freeman) “Your Guide has made me appreciate the myriad of potential cybersecurity attacks that my small firm has to be aware of, and the steps we as a company need to take to protect our data and network from becoming a victim of these attacks. As a small business our in the financial services arena, we control large amounts of personal data and sensitive data which could make us a viable target to such attacks.”

The Business Centre (Cardiff) Limited (Centre Manager: Emma Mason) “Reading the Guide has given me great knowledge on how to protect our business from online harm. Using this knowledge has enabled us to put new office processes and procedures in place to ensure that we are protected. We have looked closely at how we hold and process our data.”

IP Wales Online Initiative (2017-2020)

IP crime is traditionally viewed as counterfeiting (false branding) and piracy (illegal copying) but cybercriminals (& some state players) are increasingly coming to recognise the value of confidential data held by businesses, be it sensitive information about the business operation (trade secrets) or customer information such as passwords and credit card details (made even more topical with the arrival of the EU General Data Protection Regulation 2016).

These attacks on confidential data are happening globally with increasing rapidity and ever more complexity. Zero-day vulnerabilities (where hackers have discovered and exploit a software security breach before a fix is available) are increasing exponentially.

In response our award-winning business support initiative IP Wales has launched a new Online Initiative 2017-2020, the aim of which is to help small/medium sized enterprises (SMEs) to protect their IP from online threats.

SMEs are particularly vulnerable to cyberattack, with our research (commissioned by the Welsh Government) showing that many take little or no precautions against cyber threats, in the mistaken belief that they are too small to attract the cybercriminal’s attention, or that they don’t possess any data worth stealing. Examples of cyberattacks on SMEs have included:-

• IP ‘Theft’ (i.e. trade secrets), the loss of which seriously undermines a company’s attractiveness to both investors and prospective buyers of the business.

• Ransoming of Data, where the business is coerced into paying off hackers in order to retrieve or access stolen or encrypted data.

.• ‘Theft’ of Customer Data (including payment details) which exposes the business to lawsuits, regulatory fines for improper handling of personal data, and reputational damage.

Our website www.ipcybersecurity.co.uk is dedicated to helping SME Boards of Directors to better understand and better protect their business from this increasing threat of IP cybercrime. It also acts as a repository for our research into emerging trends in Cyber-Risk oversight, offering free Briefing Guides for the IP Service Community (IP active Solicitors and Patent Attorneys) on:-

Protecting Trade Secrets Using Employment Law

Cyber Defence

SMEs Outsourcing Cybersecurity Incident Response & Data Recovery Activities

Who is threatening SME Clients & Why?

SMEs Reporting IP Cybercrime

First Intergovernmental Standard on AI & Cyber Risk Management

In giving evidence to the Public Accounts Committee (PAC) on Cybersecurity in the UK Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) asserted, “the law of the sea 200 years ago is not a bad parallel” for the “big international question” of cyberspace governance today (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).

In making this assertion Sir Mark may have had in mind articles such as Dr. Florian Egloff’s Cybersecurity and the Age of Privateering: A Historical Analogy in which the author asserted: 1. “Cyber actors are comparable to the actors of maritime warfare in the sixteenth and seventeenth centuries. 2. The militarisation of cyberspace resembles the situation in the sixteenth century, when states transitioned from a reliance on privateers to dependence on professional navies. 3. As with privateering, the use of non-state actors by states in cyberspace has produced unintended harmful consequences; the emergence of a regime against privateering provides potentially fruitful lessons for international cooperation and the management of these consequences.”

In our IP Wales Guide on Cyber Defence we note: “Since 2004, a UN Group of Governmental Experts (UN GEE) has sought to expedite international norms and regulations to create confidence and security-building measures between member states in cyberspace. In a first major breakthrough, the GGE in 2013 agreed that international law and the UN Charter is applicable to state activity in cyberspace. Two years later, a consensus report outlined four voluntary peace time norms for state conduct in cyberspace: states should not interfere with each other’s critical infrastructure, should not target each other’s emergency services, should assist other states in the forensics of cyberattacks, and states are responsible for operations originating from within their territory.

The latest 2016-17 round of deliberations ended in the stalling of the UN GGE process as its members could not agree on draft paragraph 34, which details how exactly certain international law applies to a states’ use of information and communications technology. While the U.S.A. pushed for detailing international humanitarian law, the right of self-defence, and the law of state responsibility (including the countermeasures applying to cyber operations), other participants, like China and Russia, contended it was premature.”

Indeed China has gone further and condemned the U.S.A. for trying to apply double standards to the issue, in light of public disclosures of spying by their own National Security Agency (NSA).

Sir Mark went on to reveal that because cyberspace governance is being only partly addressed through the UN, “we are looking at coalitions of the willing, such as the OECD and some other countries that have similar systems to ours, to try to approach this.”

Evidence of this strategy in operation can be seen at Ministerial Council Meeting of the Organisation for Economic Co-ordination and Development (OECD) on the 22nd May 2019 when 42 countries adopted five value-based principles on artificial intelligence (AI), including AI systems “must function in a robust, secure and safe way throughout their life cycles and potential risks should be continually assessed and managed.”

The recently created UK National Cyber Security Centre (NCSC) has sought to give substance to this principle through offering new guidance on cybersecurity design principles. These principles are divided into five categories, loosely aligned with the stages at which a cyberattack can be mitigated: 1. “Establishing the context. All the elements that compose a system should be determined, so the defensive measures will have no blind spots. 2. Making compromise difficult. An attacker can target only the parts of a system they can reach. Therefore, the system should be made as difficult to penetrate as possible. 3. Making disruption difficult. The system should be designed so that it is resilient to denial of service attacks and usage spikes. 4. Making compromise detection easier. The system should be designed so suspicious activity can be spotted as it happens and the necessary action taken. 5. Reducing the impact of compromise. If an attacker succeeds in gaining a foothold, they will then move to exploit the system. This should be made as difficult as possible.”

Alec Ross (Senior Advisor for Innovation to Hillary Clinton as U.S. Secretary of State) warns that, “small businesses cannot pay for the type of expensive cybersecurity protection that governments and major corporations can (afford)” A Ross, Industries of the Future (2016). It remains to be seen to what extent cybersecurity design principles will become a financial impediment to small business engaging with AI developments in the near future.

EU takes action against cyber-enabled ‘IP theft’ perpetrated from outside the EU

In the first EU measure of its type, Council Regulation (EU) 2019/796 concerning restrictive measures against cyberattacks threatening the Union or its Member States [17th May 2019] contains targeted sanctions against online “external threats” to IP. This Regulation is aimed at threats which originate from outside the EU, use infrastructure from outside the EU, or otherwise the person(s) instrumental in such a cyberattack are established abroad (Article 1).

Amongst other criteria, Article 2 of the Regulation targets an actual or attempted cyberattack on IP which has a, potentially, “significant effect”, on the “loss of commercially sensitive data”. Such commercially sensitive data will fall within the definition of a ‘trade secret’ under Council Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure [8 June 2016] if that data: 1. is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; 2. has commercial value because it is secret; 3. has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

Article 3 of this new Regulation imposes an asset freeze on natural or legal persons, entities or bodies who are responsible for the actual or attempted cyberattack; provide financial, technical or material support for or are otherwise involved in the cyberattack; or are associated with the natural or legal person, or bodies involved. As a result of such an asset freeze, all funds and economic resources belonging to, or controlled by, such listed persons and that fall under EU jurisdiction (e.g. held by EU banks) will be frozen. In addition, no funds or economic resources may be made available to or for the benefit of the said listed person by parties falling under EU jurisdiction.

This latest EU Regulation should serve to remind us that the “big international question” of cyberspace governance still remains to be resolved, albeit Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) would note that the major private sector providers are more receptive than ever to its resolution (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).

In his article Jurisdiction In Cyberspace: A Theory of International Spaces Darrel Menthe asserts that, “unless it is conceived of as an international space, cyberspace takes all of the traditional principles of conflicts-of-law and reduces them to absurdity.” Akin to the “law of the flag” on the high seas, nationality of a vessel (manned or unmanned) in outer space or the nationality of the base in Antarctica, Menthe advocates, even in the absence of such a sui generis treaty regime as regulates the other three international spaces, that jurisdictional analysis requires cyberspace should be treated as a fourth international space governed by a comparable set of default legal rules (see Darrel Menthe, Jurisdiction In Cyberspace: A Theory of International Spaces 4 MICH.TELECOMM.TECH.L.REV 69 (1998)).