A Legal Construct for Understanding Adversarial Cyber Activities. This presentation examines the international law applicable to cyber-operations in the public policy context. It draws attention to when existing legal principles cannot readily be applied to cyber-attacks. It identifies problems presented by politicians and international lawyers not having a common vocabulary.
1. Ethan S. Burger, Esq.
Legal Consultant & Adjunct Professor
ethansb@post.harvard.edu
A Legal Construct for Understanding Adversarial Cyber Activities
ABA Public Contracts Law Section Cybersecurity Division
Washington, DC – April 26, 2018
2. Troubled By the So-Called Expert Opinion?
Comment: There's No Such Thing as Cyber War - Infosecurity Magazine
https://www.infosecurity-magazine.com/.../comment-theres-no-such-thing-as-cyber-w...
Aug 1, 2013 - Too often, journalists, politicians, and security professionals are quick to
declare 'cyber war' at the earliest signs of hacking or intelligence gathering between
opposing states. True war consists of tragedy and tangible, kinetic impact. It involves
injury and death, not just an exchange of information.
Is There Such a Thing as Cyberwar? - Brookings Institution
https://www.brookings.edu/opinions/is-there-such-a-thing-as-cyberwar/
Ian Wallace asks, “what is the definition of cyberwar?” While cyber represents a
disruptive technology and a potential new battlespace, he argues that it
is not appropriate to describe current cyber activities as “war.” War is temporary and
objective-oriented, but cyber is a permanent space without clearly delineated goals.
Check the Hype — There's No Such Thing As 'Cyber' | WIRED
https://www.wired.com/2010/03/cyber-hype/
Mar 26, 2010 - Amit Yoran, a respected security expert who runs a company that sells
computer security services to the government, wrote a long post on a Forbes blog this
week to defend the concept of “cyberwar,” in no small part because this blog ranted
about how that term is used to hype militarization of the internet ...
Gen. Hyten: 'No such thing as war in cyber' - Fifth Domain
https://www.fifthdomain.com/dod/2017/.../gen-hyten-no-such-thing-as-war-in-cyber/
Aug 11, 2017 - Washington (AFNS) -- Gen. John Hyten, Air Force Space Command
commander, speaks to the audience on maintaining space and cyber capabilities
during the Air Force Association's 2014 Air and Space Conference at the Gaylord
National Convention Center Washington, D.C., Sep. 16, 2014. As AFSPC ...
3. The Constancy of Cyber-Attacks
http://map.norsecorp.com/#/
https://cybermap.kaspersky.com/
https://community.blueliv.com/map/
http://en.blitzortung.org/live_lightning_maps.php
https://www.fireeye.com/cuber-map.html
https://www.networkworld.com/article/2366962/microsoft-subnet/spellbound-by-maps-tracking-hack-attacks-and-cyber-threats-in-real-time.html
4. The Trigger for the Cyber-Attack on Estonia (2007)
5. Tallinn Manuals 1.0 (2013) and 2.0 (2017)
Experts assembled by the NATO Cooperative Centre for
Excellence prepared the Manuals.
The Manuals are not official NATO documents, but are intended to reflect
the views of the International Group of Experts as to how existing
legal norms apply to cyber operations.
They were not offered as a ‘best practices’ manual.
6. Tallinn Manual 2.0’s Scope
Jus ad bellum – regulating the use of force by
states.
Jus in bello – regulating how states may
conduct war.
Covers topics relating to cyber operations
during peacetime, but not domestic law,
intellectual property, international criminal law,
private international law, or trade law.
7. Tallinn 2.0 is Organized into 20 Chapters (1 of 2)
1) Sovereignty (SEE BELOW)
2) Due Diligence (SEE BELOW)
3) Jurisdiction (SEE BELOW)
4) Law of International Responsibility (Attribution matters and SEE OTHER IMPORTANT ISSUES BELOW)
5) Cyber Operations Not Per Se Regulated by International Law
6) International Human Rights Law
7) Diplomatic and Consular Law
8) Law of the Sea
9) Air Law
10) Space Law
8. Tallinn Manual Rules 5-7
Rule 5 Sovereign Immunity and inviolability – Any interference by a
State with cyber infrastructure aboard a platform, wherever located, that
enjoys immunity constitutes a violation of sovereignty.
Rule 6 Due Diligence (General Principle) – A State must exercise due
diligence in not allowing its territory or cyber infrastructure under its
governmental control, to be used for cyber operations that affect the rights
of, and produce serious adverse consequences for, other States.
Rule 7 Compliance with the Due Diligence Principle – The principle of
due diligence requires a State to take all measures that are feasible in the
circumstances to put an end to cyber operations that affect a right of, and
produce serious adverse consequences for, other States.
9. Tallinn Manual Rules 10 & 13
Rule 10 – Extraterritorial Prescriptive Jurisdiction.
A State may exercise extraterritorial prescriptive jurisdiction with regard to cyber
activities:
a. conducted by its nationals;
b. committed on board vessels and aircraft possessing its nationality;
c. conducted by foreign nationals and designed to seriously undermine
essential State interests;
d. conducted by foreign nationals against its nationals with certain
limitations; or
e. that constitute crimes under international law subject to the universality
principle.
Rule 13 – International cooperation in law enforcement.
Although as a general matter States are not obligated to cooperate in the
investigation and prosecution of cyber crime, such cooperation may be required
by the terms of an applicable treaty or other international obligation.
10. Tallinn Manual Rules Dealing with Countermeasures
Rule 21 – Purpose of Countermeasures (to induce a state to comply with
its obligations by means of otherwise unlawful actions; in contrast, acts of
‘retorsion’ are lawful but unfriendly, e.g. trade sanctions).
Rule 22 – Limitations on Countermeasures – (aimed to counter (stop)
attacks, in contrast with ‘reprisals’, which are always ‘unlawful’).
Rule 23 – Proportionality of Countermeasures
Rule 24 – States Entitled to Take Countermeasures (only injured states).
Rule 25 – Effect on Countermeasures (may not harm rights owed to a third
State – can be problematic).
Rule 26 – Necessity.
11. Tallinn 2.0 is Organized into 20 Chapters (2 of 2)
11) International Communications Law
12) Peaceful Settlement
13) Prohibition of Intervention
14) The Use of Force
15) The Law of Cyber Armed Conflict
16) The Law of Armed Conflict Generally
17) Conduct of Hostilities
18) Certain Persons, Objects, and Activities
19) Occupation
20) Neutrality
12. Harold Hongju Koh, Legal Advisor, U.S. Department of State (2012)
THE TEN FUNDAMENTAL QUESTIONS (1 of 2):
1: Do established principles of international law apply to cyberspace? Yes.
2: Is cyberspace a law-free zone, where anything goes? Emphatically “No.”
3: Do cyber activities ever constitute a use of force? Yes.
4: May a State ever respond to a computer network attack by exercising a right of national
self-defense? Yes.
5: Do jus in bello rules apply to computer network attacks? Yes.
6: Must attacks distinguish between military and nonmilitary objectives? Yes.
7: Must attacks adhere to the principle of proportionality? Yes.
13. The Ten Fundamental Questions (2 of 2)
8: How should States assess their cyber weapons?
States should undertake a legal review of weapons, including those that employ a
cyber capability. Such a review should entail an analysis, for example, of whether
a particular capability would be inherently indiscriminate, i.e., that it could not be
used consistent with the principles of distinction and proportionality.
9: In this analysis, what role does State sovereignty play?
States conducting activities in cyberspace must take into account the sovereignty
of other States, including outside the context of armed conflict.
10: Are States responsible when cyber acts are undertaken through proxies?
Yes (but this requires a complex factual analysis).
14. Three Unresolved Questions
Unresolved Question 1: How can a use of force regime take into account all of the novel kinds of effects
that States can produce through the click of a button?
The United States has affirmed that established jus ad bellum rules do apply to uses of force in cyberspace. [There are] some clear-cut cases where
the physical effects of a hostile cyber action would be comparable to what a kinetic action could achieve: for example, a bomb might break a dam
and flood a civilian population, but insertion of a line of malicious code from a distant computer might just as easily achieve that same result.
[T]here are other types of cyber actions that do not have a clear kinetic parallel, which raise profound questions about exactly what we mean by
“force.”
Unresolved Question 2: What do we do about “dual-use infrastructure” in cyberspace?
[I]nformation and communications infrastructure is often shared between State militaries and private, civilian communities. The law of war requires
that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. [] Parties to an armed
conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers
that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm
to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however,
which will require a careful, fact-intensive legal analysis in each situation.
Unresolved Question 3: How do we address the problem of attribution in cyberspace?
Cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. [] Legal tools
exist to ensure that States are held accountable for those acts. [M]any of [] challenges – in particular, those concerning attribution – are as much
questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic
operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones.
15. U.N. Arts. 2(4) -- Use of Force & 51 -- Self-Defense
Art. 2(4) -- All Members shall refrain in their international
relations from the threat or use of force against the territorial
integrity or political independence of any state, or in any
other manner inconsistent with the Purposes of the United
Nations.
Art. 51 -- Nothing in the present Charter shall impair the
inherent right of individual or collective self-defense if an
armed attack occurs against a Member of the United Nations,
until the Security Council has taken measures necessary to
maintain international peace and security.
16. Threshold Inquiry
Not every ‘use of force’ is an armed attack, but every armed
attack is a ‘use of force’. Use ‘unlawful’ not ‘illegal’.
Significance of Difference:
Any ‘Use of Force’ is a violation of international law
[‘unlawful’] even when authorized by domestic
legislation and a declaration of law is made.
An ‘Armed Attack’ (use of force with significant
consequences, such as (i) death, (ii) injury, (iii)
physical damage & (iv) destruction) constitutes a
violation of international law and victim may respond
with force.
17. Armed-Attack Analysis
Self-Defense May Not be Justified if an Armed Attack is Merely:
Cyber-espionage;
Cyber theft (matter of scale); and
Cyber-interruptions of non-essential services.
Self-Defense is Justified if the Armed Attack is:
Instant;
Overwhelming;
No choice of other means; and
No moment for deliberation.
How should attacks against private assets as opposed to critical
infrastructure and military targets be treated? Should cyber and kinetic
attacks be treated identically?
One should consider temporal and systemic issues!
18. Self-Defense (Response to an Armed Attack)
Proportionality Principle:
1) Limited scale (Problematic with cyber).
2) Limited scope (Problematic with cyber).
3) Limited duration (Problematic with cyber).
4) Limited intensity (Problematic with cyber).
Retaliation is not permissible under the rubric ‘Self-Defense’,
but Retorsion is (i.e., ‘proportional retaliation’).
Countermeasures are permitted when the
aggressor’s action does not rise to an ‘armed attack’
(is this mere semantics?).
19. International Humanitarian Law: Should there be a ‘Cyber’ Geneva Convention?
At the recent RSA Conference in San Francisco, Microsoft, Cisco, HP, Facebook,
and others proposed a “Digital Geneva Convention” for private organizations,
committing them not to assist governments, or participate, in the use of cyber
tools to attack civilians and civil infrastructure.
The relevant Geneva Convention language provides:
“In order to ensure respect for and protection of the civilian population and
civilian objects, the Parties to the conflict shall at all times distinguish between
the civilian population and combatants and between civilian objects and military
objectives and accordingly shall direct their operations only against military
objectives.”
Query whether cyber-attacks against the population constitute terrorism.
Of course, the same analysis may apply to the use of nuclear weapons.
20. Problem for Lawyers: The Growing Disconnect Between International Law and Practical/Political Views
Of course, not all casus belli result in ‘declarations of war’ (or the invocation of
authority under the U.S. War Powers Act (1973)). What are the characteristics of a
cyber-attack that will qualify as a casus belli?
On a daily basis, NATO registers 500+ million suspicious cyber events. Severe
cyber-attacks could trigger NATO’s Art. 5 mutual defense guarantee. Is this
guarantee that ‘appropriate action will be taken’ credible? The response could be
by cyber, other means, or merely symbolic. In theory, the response would be
decided by consensus, but NATO members have their own sovereign right to take
action (the rationale for the ‘trip wire’ (West Germany) or the force de frappe (France)).
Many politicians and thought-leaders regard Russian cyber-attacks to be ‘acts of
war’ (a political, not legal, concept). Such attacks may not qualify as such under
international law. What will be the consequence of an on-going divergence in
public and legal opinion?
21. Deterrence Failures are Likely to Lead to Miscalculation and Escalation
According to UK Foreign Minister Lord Ahmad, “the Russian military
was responsible for the destructive NotPetya cyber-attack,” which caused more
than $1.2 billion in damage (including to UK-based Reckitt Benckiser). UK Defense
Secretary Gavin Williamson said Russia was "ripping up the rule book"
and the UK would respond. Cyber-attacks cannot be ‘contained’.
A Russian Defense Ministry spokesman said that Secretary Williamson has
“lost his grasp on reason,” his fears being “worthy of a comic plot or a
Monty Python's Flying Circus sketch.” Eventually, the US attributed the
malicious NotPetya cyber-attack to Russia.
22. Active Cyber Defense for the Private Sector?
"[The Government could] protect the '.gov' and '.mil' addresses, but we
could not protect '.com' [i.e. the rest of us]."
Former FBI Agent Clint Watts
paraphrasing former Homeland Security Advisor Tom Bossert
Consider the SONY Situation, where President Obama acted against
North Korea.
23. Possible Solution to the Political Divide Issue
Look to applicable domestic law during peacetime and
not the law of armed conflict.
Regard the Russian polity not as a state, but as an
organized crime group.
Apply U.S. criminal law (RICO, etc.) against relevant
individuals and organizations.
Use asset forfeiture mechanisms to reach the
‘criminals’.