SlideShare a Scribd company logo

2018 april - aba legal construct for understanding adversarial cyber activities -- final

Download as PPT, PDF
E
Ethan S. Burger

A Legal Construct for Understanding Adversarial Cyber Activities. This Presentation examines the international law applicable to cyber-operations in the public policy context. It draws attention to when existing legal principles cannot readily be applied to cyber-attacks. It identifies problems presented by politicians and international lawyers not having a common vocabulary

Law
1 of 23
1 Ethan S. Burger, Esq. Legal Consultant & & Adjunct Professor ethansb@post.harvard.edu A Legal Construct for Understanding Adversarial Cyber Activities ABA Public Contracts Law Section Cybersecurity Division Washington, DC – April 26, 2018
Troubled By the So-Called Expert Opinion?Troubled By the So-Called Expert Opinion? Comment: There's No Such Thing as Cyber War - Infosecurity Magazine https://www.infosecurity-magazine.com/.../comment-theres-no-such-thing-as-cyber-w... Aug 1, 2013 - Too often, journalists, politicians, and security professionals are quick to declare 'cyber war' at the earliest signs of hacking or intelligence gathering between opposing states. True war consists of tragedy and tangible, kinetic impact. It involves injury and death, not just an exchange of information. Is There Such a Thing as Cyberwar? - Brookings Institution https://www.brookings.edu/opinions/is-there-such-a-thing-as-cyberwar/ Ian Wallace asks, “what is the definition of cyberwar?” While cyber represents a disruptive technology and a potential new battlespace, he argues that it is not appropriate to describe current cyber activities as “war.” War is temporary and objective-oriented, but cyber is a permanent space without clearly delineated goals. Check the Hype — There's No Such Thing As 'Cyber' | WIRED https://www.wired.com/2010/03/cyber-hype/ Mar 26, 2010 - Amit Yoran, a respected security expert who runs a company that sells computer security services to the government, wrote a long post on a Forbes blog this week to defend the concept of “cyberwar,” in no small part because this blog ranted about how that term is used to hype militarization of the internet ... Gen. Hyten: 'No such thing as war in cyber' - Fifth Domain https://www.fifthdomain.com/dod/2017/.../gen-hyten-no-such-thing-as-war-in-cyber/ Aug 11, 2017 - Washington (AFNS) -- Gen. John Hyten, Air Force Space Command commander, speaks to the audience on maintaining space and cyber capabilities during the Air Force Association's 2014 Air and Space Conference at the Gaylord National Convention Center Washington, D.C., Sep. 16, 2014. As AFSPC ... 2
The Constancy of Cyber-Attacks  http://map.norsecorp.com/#/  https://cybermap.kaspersky.com/  https://community.blueliv.com/map/  http://en.blitzortung.org/live_lightning_maps.php  https:..www.fireeye.com/cuber-map.html https://www.networkworld.com/article/2366962/microsoft-subnet/spellbound-by-maps- tracking-hack-attacks-and-cyber-threats-in-real-time.html 3
The Trigger for the Cyber-AttackThe Trigger for the Cyber-Attack on Estonia (2007)on Estonia (2007) 4
Tallinn Manuals 1.0 (2013) and 2.0 (2017)Tallinn Manuals 1.0 (2013) and 2.0 (2017)  Experts assembled by the NATO Cooperative Centre for Excellence prepared the Manuals.  Manuals are not official NATO documents, but intended to reflect the views of the International Group of Experts as to how existing legal norms apply to cyber operations.  They were not offered as a ‘best practices’ manual. 5
Tallinn Manual 2.0’s ScopeTallinn Manual 2.0’s Scope  Jus ad bellum – regulating the use of force by states.  Jus in bellum – regulating how states may conduct war.  Covers topics relating to cyber operations during peacetime, but not domestic law, intellectual property, international criminal law, private international law, trade law, or intellectual property. 6
Tallinn 2.0 is Organize intoTallinn 2.0 is Organize into 20 Chapters (1 of 2)20 Chapters (1 of 2) 1) Sovereignty (SEE BELOW). 2) Due Diligence (SEE BELOW) 3) Jurisdiction (SEE BELOW) 4) Law of International Responsibility (Attribution matters and SEE OTHER IMPORTANT ISSUES BELOW) 5) Cyber Operations Not Per Se Regulated by International Law 6) International Human Rights Law 7) Diplomatic and Consular Law 8) Law of the Sea 9) Air Law 10) Space Law 7
Tallinn Manual Rules 5 -7Tallinn Manual Rules 5 -7 Rule 5 Sovereign Immunity and inviolability – Any interference by a State with cyber infrastructure aboard a platform, wherever located, that enjoys immunity constitutes a violation of sovereignty. Rule 6 Due Diligence (General Principle) – A State must exercise due diligence in not allowing its territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States. Rule 7 Compliance with the Due Diligence Principle – The principle of due diligence requires a State to take all measures that are feasible in the circumstances to put an end to cyber operations that affect a right of, and produce serious adverse consequences for, other States. 8
Tallinn Manual Rules 10 & 13Tallinn Manual Rules 10 & 13 Rule 10 – Extraterritorial Prescriptive Jurisdiction. A State may exercise extraterritorial prescriptive jurisdiction with regard to cyber activities: a. conduct by its nationals; b. committed on board vessels and aircraft possessing its nationality; c. conducted by foreign nationals and designed to seriously undermine essential State interests; d. conducted by foreign nationals against its nationals with certain limitations; or e. that constitute crimes under international law subject to the universality principle. Rule 13 – International cooperation in law enforcement. Although as a general matter States are not obligated to cooperate in the investigation and prosecution of cyber crime, such cooperation may be required by the terms of an applicable treaty of other international obligation. 9
Tallinn Manual Rules Dealing withTallinn Manual Rules Dealing with CountermeasuresCountermeasures Rule 21– Purpose of Countermeasures (to induce a state to comply with obligations with otherwise unlawful actions; in contracts acts of ‘retorsion’ are lawful but unfriendly, e.g. trade sanctions). Rule 22 – Limitations on Countermeasures – (aimed to counter (stop) attacks, in contrast with ‘reprisals’, which are always ‘unlawful’). Rule 23 – Proportionality of Countermeasures Rule 24 – States Entitled to Take Countermeasures (only injured states). Rule 25 – Effect on Countermeasures (may not harm rights out to third State – can be problematic. Rule 26 – Necessity. 10
Tallinn 2.0 is Organized intoTallinn 2.0 is Organized into 20 Chapters (2 of 2)20 Chapters (2 of 2) 11. International Communications Law 12. Peaceful Settlement 13. Prohibition of Intervention 14. The Use of Force 15. The Law of Cyber Armed Conflict 16. The Law of Armed Conflict Generally 17. Conduct of Hostilities 18. Certain Persons, Objects, and Activities 19. Occupation 20. Neutrality 11
Harold Hongju Koh, Legal Advisor, U.S. Department of StateHarold Hongju Koh, Legal Advisor, U.S. Department of State (2012)(2012) THE TEN FUNDAMENTAL QUESTIONS (1 of 2): 1: Do established principles of international law apply to cyberspace? Yes. 2: Is cyberspace a law-free zone, where anything goes? Emphatically “No.” 3: Do cyber activities ever constitute a use of force? Yes. 4: May a State ever respond to a computer network attack by exercising a right of national self-defense? Yes. 5: Do jus in bello rules apply to computer network attacks? Yes. 6: Must attacks distinguish between military and nonmilitary objectives? Yes. 7: Must attacks adhere to the principle of proportionality? Yes. 12
The Ten Fundamental Questions (2 of 2)The Ten Fundamental Questions (2 of 2) 8: How should States assess their cyber weapons? States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would be inherently indiscriminate, i.e., that it could not be used consistent with the principles of distinction and proportionality. 9: In this analysis, what role does State sovereignty play? States conducting activities in cyberspace must take into account the sovereignty of other States, including outside the context of armed conflict. 10: Are States responsible when cyber acts are undertaken through proxies? Yes (but this requires a complex factual analysis). 13
Unresolved Three QuestionsUnresolved Three Questions Unresolved Question 1: How can a use of force regime take into account all of the novel kinds of effects that States can produce through the click of a button? The United States has affirmed that established jus ad bellum rules do apply to uses of force in cyberspace. [There are] some clear-cut cases where the physical effects of a hostile cyber action would be comparable to what a kinetic action could achieve: for example, a bomb might break a dam and flood a civilian population, but insertion of a line of malicious code from a distant computer might just as easily achieve that same result. [T]there are other types of cyber actions that do not have a clear kinetic parallel, which raise profound questions about exactly what we mean by “force.” Unresolved Question 2: What do we do about “dual-use infrastructure” in cyberspace? [I]nformation and communications infrastructure is often shared between State militaries and private, civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. [] Parties to an armed conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation. Unresolved Question 3: How do we address the problem of attribution in cyberspace? Cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. [] Legal tools exist to ensure that States are held accountable for those acts. [M]any of [] challenges – in particular, those concerning attribution – are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones. 14
Art. 2(4) -- All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations. Art. 51 -- Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. 15 U.N. Arts. 2(4) -- Use of ForceU.N. Arts. 2(4) -- Use of Force & 51– Self-Defense& 51– Self-Defense
Threshold InquiryThreshold Inquiry Not every ‘use of force’ is an armed attack, but every armed attack is a ‘use of force’. Use ‘unlawful’ not ‘illegal’. Significance of Difference:  Any ‘Use of Force’ is a violation of international law [‘unlawful’] even when authorized by domestic legislation and a declaration of law is made.  An ‘Armed Attack’ (use of force with significant consequences, such as (i) death, (ii) injury, (iii) physical damage & (iv) destruction) constitutes a violation of international law and victim may respond with force. 16
Armed-Attack AnalysisArmed-Attack Analysis Self-Defense May Not be Justified if an Armed Attack is Merely:  Cyber-espionage;  Cyber theft (matter of scale); and  Cyber-interruptions of non-essential services. Self-Defense is Justified if the Armed Attack is:  Instant;  Overwhelming;  No choice of other mean; and  No moment for deliberation. How should attacks against private assets as opposed to critical infrastructure and military targets be treated? Should cyber and kinetic attacks be treated identically? One should consider temporal and systemic issues! 17
Self-DefenseSelf-Defense (Response to an Armed Attack)(Response to an Armed Attack) Proportionality Principle: 1) Limited scale (Problematic with cyber). 2) Limit scope (Problematic with cyber). 3) Limited duration (Problematic with cyber). 4) Limited intensity (Problematic with cyber). Retaliation is not permissible under the rubric “Self- Defense) but Retorsion is (i.e., ‘proportional retaliation’). Countermeasures are permitted when aggressor’s action does not rise to an ‘armed attack’ (is this mere semantics?) 18
International Humanitarian Law: ShouldInternational Humanitarian Law: Should there be a ‘Cyber’ Geneva Convention?there be a ‘Cyber’ Geneva Convention? At the recent RSA Conference in San Francisco, Microsoft, Cisco, HP, Facebook, and others proposed a “Digital Geneva Convention” for private organizations, committing them not to assist governments, or participate, in the use of cyber tools to attack civilians and civil infrastructure. The relevant Geneva Convention language provides: “In order to ensure respect for and protection of the civilian population and civilian objects, the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives.” Query whether cyber-attacks against population constitutes terrorism? Of course, the same analysis may apply to the use of nuclear weapons. 19
Problem for Lawyers: The Growing Disconnect BetweenProblem for Lawyers: The Growing Disconnect Between International Law and Practical/Political ViewsInternational Law and Practical/Political Views  Of course, not all causus belli result in ‘declarations of war’ (or the invocation of authority under the U.S. War Powers Act (1973)). What are the characteristics of a cyber-attack that will qualify as a causus belli?  On a daily basis, NATO registers 500+ million suspicious cyber events. Severe cyber-attacks could trigger NATO’S Art. 5 mutual defense guarantee. Is this guarantee credible that ‘appropriate action will be taken’? The response could be by cyber, other means, or merely symbolic. In theory, the response would be decided by consensus, but NATO members have their own sovereign right to take action (rationale for ‘trip wire’ (West Germany or force de frappe (France).  Many politicians and thought-leaders regard Russian cyber-attacks to be ‘acts of war’ (a political, not legal, concept). Such attacks may not qualify as such under international law. What will be the consequence of an on-going divergence in public and legal opinion? 20
Deterrence Failures are Like to Lead to Miscalculation and Escalation According to UK Foreign Minister Lord Ahmad: “the Russian military, was responsible for the destructive NotPetya cyber-attack” causing more than $1.2 billion (including UK-based Reckitt Benckiser). UK Defense Secretary Gavin Williamson said Russia was "ripping up the rule book" and the UK would respond. Cyber-attacks cannot be ‘contained’. Russia Defense Ministry spokesman said that Secretary Williamson has “lost his grasp on reason,” his fears being “worthy of a comic plot or a Monty Python's Flying Circus sketch.” Eventually, the US attributes the malicious NotPetya cyber-attack to Russia. 21
Active Cyber DefenseActive Cyber Defense for the Private Sector?for the Private Sector? [The Government could] protect the '.gov' and '.mil' addresses, but we could not protect 'com.' [i.e. the rest of us]." Former FBI Agent Clint Watt paraphrasing former Homeland Security Advisor Tom Bossert Consider the SONY Situation, where President Obama acted against North Korea. 22
Possible Solution to the Political Divide IssuePossible Solution to the Political Divide Issue  Look to applicable domestic law during peacetime and not the law of armed conflict.  Regard the Russian polity not as a state, but as an organized crime group.  Apply U.S. criminal law (RICO, etc.) against relevant individuals and organizations.  Use asset forfeiture mechanisms to reach the ‘criminals’. 23

Recommended

Dondi West Defcon 18 Slides
Dondi West Defcon 18 SlidesDondi West Defcon 18 Slides
Dondi West Defcon 18 Slides
dondiw
 
Cyberwar: (R)evolution?
Cyberwar: (R)evolution?Cyberwar: (R)evolution?
Cyberwar: (R)evolution?
zapp0
 
Ellen Amicus Piece
Ellen Amicus PieceEllen Amicus Piece
Ellen Amicus Piece
Ellen Tims
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
Talwant Singh
 
Kenneth geers-sun-tzu-and-cyber-war
Kenneth geers-sun-tzu-and-cyber-warKenneth geers-sun-tzu-and-cyber-war
Kenneth geers-sun-tzu-and-cyber-war
MarioEliseo3
 
Asymmetric threat 5_paper
Asymmetric threat 5_paperAsymmetric threat 5_paper
Asymmetric threat 5_paper
MarioEliseo3
 
Vol7no2 ball
Vol7no2 ballVol7no2 ball
Vol7no2 ball
MarioEliseo3
 
Cybersecurity Law and Policy II Slides for First Summit Meeting
Cybersecurity Law and Policy II Slides for First Summit MeetingCybersecurity Law and Policy II Slides for First Summit Meeting
Cybersecurity Law and Policy II Slides for First Summit Meeting
David Opderbeck
 

Recommended

Dondi West Defcon 18 Slides
Dondi West Defcon 18 SlidesDondi West Defcon 18 Slides
Dondi West Defcon 18 Slides
dondiw
 
Cyberwar: (R)evolution?
Cyberwar: (R)evolution?Cyberwar: (R)evolution?
Cyberwar: (R)evolution?
zapp0
 
Ellen Amicus Piece
Ellen Amicus PieceEllen Amicus Piece
Ellen Amicus Piece
Ellen Tims
 
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITYCYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
CYBERWAR: THE NEXT THREAT TO NATIONAL SECURITY
Talwant Singh
 
Kenneth geers-sun-tzu-and-cyber-war
Kenneth geers-sun-tzu-and-cyber-warKenneth geers-sun-tzu-and-cyber-war
Kenneth geers-sun-tzu-and-cyber-war
MarioEliseo3
 
Asymmetric threat 5_paper
Asymmetric threat 5_paperAsymmetric threat 5_paper
Asymmetric threat 5_paper
MarioEliseo3
 
Vol7no2 ball
Vol7no2 ballVol7no2 ball
Vol7no2 ball
MarioEliseo3
 
Cybersecurity Law and Policy II Slides for First Summit Meeting
Cybersecurity Law and Policy II Slides for First Summit MeetingCybersecurity Law and Policy II Slides for First Summit Meeting
Cybersecurity Law and Policy II Slides for First Summit Meeting
David Opderbeck
 
Katherine Neal_Written Brief 1
Katherine Neal_Written Brief 1Katherine Neal_Written Brief 1
Katherine Neal_Written Brief 1
Kate Neal
 
A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030
Scott Dickson
 
About cyber war
About cyber warAbout cyber war
About cyber war
eugenvaleriu
 
Pa862
Pa862Pa862
Pa862
Francesco Pompili
 
Reliability not Reliance.
Reliability not Reliance.Reliability not Reliance.
Reliability not Reliance.
George Briggs
 
Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2
Kate Neal
 
Haaretz
HaaretzHaaretz
Haaretz
MarioEliseo3
 
2) international law and the use of force by states
2) international law and the use of force by states2) international law and the use of force by states
2) international law and the use of force by states
ilyana iskandar
 
Us gov't building hacker army for cyber war yahoo! news
Us gov't building hacker army for cyber war yahoo! newsUs gov't building hacker army for cyber war yahoo! news
Us gov't building hacker army for cyber war yahoo! news
MarioEliseo3
 
In cyber, the generals should lead from behind - College of Air Warfare - Puk...
In cyber, the generals should lead from behind - College of Air Warfare - Puk...In cyber, the generals should lead from behind - College of Air Warfare - Puk...
In cyber, the generals should lead from behind - College of Air Warfare - Puk...
Pukhraj Singh
 
RULES OF THE GAME IN CYBERWAR
RULES OF THE GAME IN CYBERWARRULES OF THE GAME IN CYBERWAR
RULES OF THE GAME IN CYBERWAR
Talwant Singh
 
Dr William Boothby
Dr William BoothbyDr William Boothby
Dr William Boothby
Hanah Croft
 
Understanding the 'physics' of cyber-operations - Pukhraj Singh
Understanding the 'physics' of cyber-operations - Pukhraj SinghUnderstanding the 'physics' of cyber-operations - Pukhraj Singh
Understanding the 'physics' of cyber-operations - Pukhraj Singh
Pukhraj Singh
 
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
Pukhraj Singh
 
Private Military Contractors Role In Iraq March Updated Revision For Publication
Private Military Contractors Role In Iraq March Updated Revision For PublicationPrivate Military Contractors Role In Iraq March Updated Revision For Publication
Private Military Contractors Role In Iraq March Updated Revision For Publication
Vincent McNally
 
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Mark Raduenzel
 
Artificial Intelligence and the Law of Armed Conflict
Artificial Intelligence and the Law of Armed ConflictArtificial Intelligence and the Law of Armed Conflict
Artificial Intelligence and the Law of Armed Conflict
Dr. Lydia Kostopoulos
 
Cyber Security, Cyber Warfare
Cyber Security, Cyber WarfareCyber Security, Cyber Warfare
Cyber Security, Cyber Warfare
Amit Anand
 
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
Pukhraj Singh
 
Cyber Crimes.pdf
Cyber Crimes.pdfCyber Crimes.pdf
Cyber Crimes.pdf
SunilSaklani6
 
Cyberwar threat to national security
Cyberwar threat to national securityCyberwar threat to national security
Cyberwar threat to national security
Talwant Singh
 
Cyber-what?
Cyber-what?Cyber-what?
Cyber-what?
Enrique J Cordero
 

More Related Content

What's hot

Katherine Neal_Written Brief 1
Katherine Neal_Written Brief 1Katherine Neal_Written Brief 1
Katherine Neal_Written Brief 1
Kate Neal
 
A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030
Scott Dickson
 
Reliability not Reliance.
Reliability not Reliance.Reliability not Reliance.
Reliability not Reliance.
George Briggs
 
Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2
Kate Neal
 
Us gov't building hacker army for cyber war yahoo! news
Us gov't building hacker army for cyber war yahoo! newsUs gov't building hacker army for cyber war yahoo! news
Us gov't building hacker army for cyber war yahoo! news
MarioEliseo3
 
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Mark Raduenzel
 
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
Pukhraj Singh
 

What's hot (19)

Katherine Neal_Written Brief 1
Katherine Neal_Written Brief 1Katherine Neal_Written Brief 1
Katherine Neal_Written Brief 1
 
A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030A US Cybersecurity Strategy for 2030
A US Cybersecurity Strategy for 2030
 
About cyber war
About cyber warAbout cyber war
About cyber war
 
Pa862
Pa862Pa862
Pa862
 
Reliability not Reliance.
Reliability not Reliance.Reliability not Reliance.
Reliability not Reliance.
 
Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2Katherine Neal_Written Brief 2
Katherine Neal_Written Brief 2
 
Haaretz
HaaretzHaaretz
Haaretz
 
2) international law and the use of force by states
2) international law and the use of force by states2) international law and the use of force by states
2) international law and the use of force by states
 
Us gov't building hacker army for cyber war yahoo! news
Us gov't building hacker army for cyber war yahoo! newsUs gov't building hacker army for cyber war yahoo! news
Us gov't building hacker army for cyber war yahoo! news
 
In cyber, the generals should lead from behind - College of Air Warfare - Puk...
In cyber, the generals should lead from behind - College of Air Warfare - Puk...In cyber, the generals should lead from behind - College of Air Warfare - Puk...
In cyber, the generals should lead from behind - College of Air Warfare - Puk...
 
RULES OF THE GAME IN CYBERWAR
RULES OF THE GAME IN CYBERWARRULES OF THE GAME IN CYBERWAR
RULES OF THE GAME IN CYBERWAR
 
Dr William Boothby
Dr William BoothbyDr William Boothby
Dr William Boothby
 
Understanding the 'physics' of cyber-operations - Pukhraj Singh
Understanding the 'physics' of cyber-operations - Pukhraj SinghUnderstanding the 'physics' of cyber-operations - Pukhraj Singh
Understanding the 'physics' of cyber-operations - Pukhraj Singh
 
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
 
Private Military Contractors Role In Iraq March Updated Revision For Publication
Private Military Contractors Role In Iraq March Updated Revision For PublicationPrivate Military Contractors Role In Iraq March Updated Revision For Publication
Private Military Contractors Role In Iraq March Updated Revision For Publication
 
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
Raduenzel_Mark_ResearchPaper_NSEC506_Fall2015
 
Artificial Intelligence and the Law of Armed Conflict
Artificial Intelligence and the Law of Armed ConflictArtificial Intelligence and the Law of Armed Conflict
Artificial Intelligence and the Law of Armed Conflict
 
Cyber Security, Cyber Warfare
Cyber Security, Cyber WarfareCyber Security, Cyber Warfare
Cyber Security, Cyber Warfare
 
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
 

Similar to 2018 april - aba legal construct for understanding adversarial cyber activities -- final

Cyberwar threat to national security
Cyberwar threat to national securityCyberwar threat to national security
Cyberwar threat to national security
Talwant Singh
 
CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document
LeAnn Rhodes
 
Reply to bellow post around 200 wordDefending cyberspace.docx
Reply to bellow post around 200 wordDefending cyberspace.docxReply to bellow post around 200 wordDefending cyberspace.docx
Reply to bellow post around 200 wordDefending cyberspace.docx
scuttsginette
 
Ames -- Memo (Cyber)
Ames -- Memo (Cyber)Ames -- Memo (Cyber)
Ames -- Memo (Cyber)
Kyle Ames
 
From the Cuckoo’s Egg to Global Surveillance Cyber Espion
From the Cuckoo’s Egg to Global Surveillance Cyber EspionFrom the Cuckoo’s Egg to Global Surveillance Cyber Espion
From the Cuckoo’s Egg to Global Surveillance Cyber Espion
JeanmarieColbert3
 
VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016
Cameron Brown
 
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of ThingsBattlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Maurice Dawson
 
ECON 202 Written AssignmentDue April 28th Submitted through Blac
ECON 202 Written AssignmentDue April 28th Submitted through BlacECON 202 Written AssignmentDue April 28th Submitted through Blac
ECON 202 Written AssignmentDue April 28th Submitted through Blac
EvonCanales257
 

Similar to 2018 april - aba legal construct for understanding adversarial cyber activities -- final (18)

Cyber Crimes.pdf
Cyber Crimes.pdfCyber Crimes.pdf
Cyber Crimes.pdf
 
Cyberwar threat to national security
Cyberwar threat to national securityCyberwar threat to national security
Cyberwar threat to national security
 
Cyber-what?
Cyber-what?Cyber-what?
Cyber-what?
 
Case study 11
Case study 11Case study 11
Case study 11
 
CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document CyberSecurity Challenge Decision Document
CyberSecurity Challenge Decision Document
 
Reply to bellow post around 200 wordDefending cyberspace.docx
Reply to bellow post around 200 wordDefending cyberspace.docxReply to bellow post around 200 wordDefending cyberspace.docx
Reply to bellow post around 200 wordDefending cyberspace.docx
 
Ames -- Memo (Cyber)
Ames -- Memo (Cyber)Ames -- Memo (Cyber)
Ames -- Memo (Cyber)
 
Cyber warfare ss
Cyber warfare ssCyber warfare ss
Cyber warfare ss
 
From the Cuckoo’s Egg to Global Surveillance Cyber Espion
From the Cuckoo’s Egg to Global Surveillance Cyber EspionFrom the Cuckoo’s Egg to Global Surveillance Cyber Espion
From the Cuckoo’s Egg to Global Surveillance Cyber Espion
 
Cyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece MooreCyber Warfare - Jamie Reece Moore
Cyber Warfare - Jamie Reece Moore
 
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
Gillian Cafiero - "Codifying the Harm of Cybercrime": Injecting zemiology in ...
 
VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016VFAC REVIEW issue12_extract_2016
VFAC REVIEW issue12_extract_2016
 
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of ThingsBattlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
Battlefield Cyberspace: Exploitation of Hyperconnectivity and Internet of Things
 
Application of IHL to Computer Network Attacks
Application of IHL to Computer Network AttacksApplication of IHL to Computer Network Attacks
Application of IHL to Computer Network Attacks
 
ECON 202 Written AssignmentDue April 28th Submitted through Blac
ECON 202 Written AssignmentDue April 28th Submitted through BlacECON 202 Written AssignmentDue April 28th Submitted through Blac
ECON 202 Written AssignmentDue April 28th Submitted through Blac
 
Cyber(in)security: systemic risks and responses
Cyber(in)security: systemic risks and responsesCyber(in)security: systemic risks and responses
Cyber(in)security: systemic risks and responses
 
Systemic cybersecurity risk
Systemic cybersecurity riskSystemic cybersecurity risk
Systemic cybersecurity risk
 
What Does the CFAA Mean and Why Should I Care? A Primer on the Computer Fraud...
What Does the CFAA Mean and Why Should I Care? A Primer on the Computer Fraud...What Does the CFAA Mean and Why Should I Care? A Primer on the Computer Fraud...
What Does the CFAA Mean and Why Should I Care? A Primer on the Computer Fraud...
 

More from Ethan S. Burger

2016 December -- Lithuanian Hybrid War Presentation
2016 December -- Lithuanian Hybrid War Presentation2016 December -- Lithuanian Hybrid War Presentation
2016 December -- Lithuanian Hybrid War Presentation
Ethan S. Burger
 
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
Ethan S. Burger
 
2016 October 4 -- EHU US Presidential Election
2016 October 4 -- EHU US Presidential Election2016 October 4 -- EHU US Presidential Election
2016 October 4 -- EHU US Presidential Election
Ethan S. Burger
 
2011 -- AUSTRAC Presentation on Russian OCGs
2011 -- AUSTRAC Presentation on Russian OCGs2011 -- AUSTRAC Presentation on Russian OCGs
2011 -- AUSTRAC Presentation on Russian OCGs
Ethan S. Burger
 
2016 -- Ukrainian Presentation -- Final
2016 -- Ukrainian Presentation -- Final2016 -- Ukrainian Presentation -- Final
2016 -- Ukrainian Presentation -- Final
Ethan S. Burger
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Ethan S. Burger
 

More from Ethan S. Burger (9)

Can We Avert A Cyber-Insurance Market Crisis?
Can We Avert A Cyber-Insurance Market Crisis?Can We Avert A Cyber-Insurance Market Crisis?
Can We Avert A Cyber-Insurance Market Crisis?
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentation
 
2018 february - gulc symposium -- roc
2018 february - gulc symposium -- roc2018 february - gulc symposium -- roc
2018 february - gulc symposium -- roc
 
2016 December -- Lithuanian Hybrid War Presentation
2016 December -- Lithuanian Hybrid War Presentation2016 December -- Lithuanian Hybrid War Presentation
2016 December -- Lithuanian Hybrid War Presentation
 
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
2016 December -- US, NATO, & The Baltics -- International Security and Cyber[...
 
2016 October 4 -- EHU US Presidential Election
2016 October 4 -- EHU US Presidential Election2016 October 4 -- EHU US Presidential Election
2016 October 4 -- EHU US Presidential Election
 
2011 -- AUSTRAC Presentation on Russian OCGs
2011 -- AUSTRAC Presentation on Russian OCGs2011 -- AUSTRAC Presentation on Russian OCGs
2011 -- AUSTRAC Presentation on Russian OCGs
 
2016 -- Ukrainian Presentation -- Final
2016 -- Ukrainian Presentation -- Final2016 -- Ukrainian Presentation -- Final
2016 -- Ukrainian Presentation -- Final
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 

Recently uploaded

一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
A AA
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
Airst S
 
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
bd2c5966a56d
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
Airst S
 
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
e9733fc35af6
 
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
e9733fc35af6
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
bd2c5966a56d
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt
seri bangash
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
bd2c5966a56d
 
一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
Airst S
 
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
ss
 

Recently uploaded (20)

Elective Course on Forensic Science in Law
Elective Course on Forensic Science in LawElective Course on Forensic Science in Law
Elective Course on Forensic Science in Law
 
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptx
 
Hely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd .pdfHely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd .pdf
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理一比一原版(UWA毕业证书)西澳大学毕业证如何办理
一比一原版(UWA毕业证书)西澳大学毕业证如何办理
 
5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
 
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
 
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
 
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
一比一原版(Griffith毕业证书)格里菲斯大学毕业证如何办理
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
 
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy NovicesIt’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
 

2018 april - aba legal construct for understanding adversarial cyber activities -- final

  • 1. 1 Ethan S. Burger, Esq. Legal Consultant & & Adjunct Professor ethansb@post.harvard.edu A Legal Construct for Understanding Adversarial Cyber Activities ABA Public Contracts Law Section Cybersecurity Division Washington, DC – April 26, 2018
  • 2. Troubled By the So-Called Expert Opinion?Troubled By the So-Called Expert Opinion? Comment: There's No Such Thing as Cyber War - Infosecurity Magazine https://www.infosecurity-magazine.com/.../comment-theres-no-such-thing-as-cyber-w... Aug 1, 2013 - Too often, journalists, politicians, and security professionals are quick to declare 'cyber war' at the earliest signs of hacking or intelligence gathering between opposing states. True war consists of tragedy and tangible, kinetic impact. It involves injury and death, not just an exchange of information. Is There Such a Thing as Cyberwar? - Brookings Institution https://www.brookings.edu/opinions/is-there-such-a-thing-as-cyberwar/ Ian Wallace asks, “what is the definition of cyberwar?” While cyber represents a disruptive technology and a potential new battlespace, he argues that it is not appropriate to describe current cyber activities as “war.” War is temporary and objective-oriented, but cyber is a permanent space without clearly delineated goals. Check the Hype — There's No Such Thing As 'Cyber' | WIRED https://www.wired.com/2010/03/cyber-hype/ Mar 26, 2010 - Amit Yoran, a respected security expert who runs a company that sells computer security services to the government, wrote a long post on a Forbes blog this week to defend the concept of “cyberwar,” in no small part because this blog ranted about how that term is used to hype militarization of the internet ... Gen. Hyten: 'No such thing as war in cyber' - Fifth Domain https://www.fifthdomain.com/dod/2017/.../gen-hyten-no-such-thing-as-war-in-cyber/ Aug 11, 2017 - Washington (AFNS) -- Gen. John Hyten, Air Force Space Command commander, speaks to the audience on maintaining space and cyber capabilities during the Air Force Association's 2014 Air and Space Conference at the Gaylord National Convention Center Washington, D.C., Sep. 16, 2014. As AFSPC ... 2
  • 3. The Constancy of Cyber-Attacks  http://map.norsecorp.com/#/  https://cybermap.kaspersky.com/  https://community.blueliv.com/map/  http://en.blitzortung.org/live_lightning_maps.php  https:..www.fireeye.com/cuber-map.html https://www.networkworld.com/article/2366962/microsoft-subnet/spellbound-by-maps- tracking-hack-attacks-and-cyber-threats-in-real-time.html 3
  • 4. The Trigger for the Cyber-AttackThe Trigger for the Cyber-Attack on Estonia (2007)on Estonia (2007) 4
  • 5. Tallinn Manuals 1.0 (2013) and 2.0 (2017)Tallinn Manuals 1.0 (2013) and 2.0 (2017)  Experts assembled by the NATO Cooperative Centre for Excellence prepared the Manuals.  Manuals are not official NATO documents, but intended to reflect the views of the International Group of Experts as to how existing legal norms apply to cyber operations.  They were not offered as a ‘best practices’ manual. 5
  • 6. Tallinn Manual 2.0’s ScopeTallinn Manual 2.0’s Scope  Jus ad bellum – regulating the use of force by states.  Jus in bellum – regulating how states may conduct war.  Covers topics relating to cyber operations during peacetime, but not domestic law, intellectual property, international criminal law, private international law, trade law, or intellectual property. 6
  • 7. Tallinn 2.0 is Organize intoTallinn 2.0 is Organize into 20 Chapters (1 of 2)20 Chapters (1 of 2) 1) Sovereignty (SEE BELOW). 2) Due Diligence (SEE BELOW) 3) Jurisdiction (SEE BELOW) 4) Law of International Responsibility (Attribution matters and SEE OTHER IMPORTANT ISSUES BELOW) 5) Cyber Operations Not Per Se Regulated by International Law 6) International Human Rights Law 7) Diplomatic and Consular Law 8) Law of the Sea 9) Air Law 10) Space Law 7
  • 8. Tallinn Manual Rules 5 -7Tallinn Manual Rules 5 -7 Rule 5 Sovereign Immunity and inviolability – Any interference by a State with cyber infrastructure aboard a platform, wherever located, that enjoys immunity constitutes a violation of sovereignty. Rule 6 Due Diligence (General Principle) – A State must exercise due diligence in not allowing its territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States. Rule 7 Compliance with the Due Diligence Principle – The principle of due diligence requires a State to take all measures that are feasible in the circumstances to put an end to cyber operations that affect a right of, and produce serious adverse consequences for, other States. 8
  • 9. Tallinn Manual Rules 10 & 13Tallinn Manual Rules 10 & 13 Rule 10 – Extraterritorial Prescriptive Jurisdiction. A State may exercise extraterritorial prescriptive jurisdiction with regard to cyber activities: a. conduct by its nationals; b. committed on board vessels and aircraft possessing its nationality; c. conducted by foreign nationals and designed to seriously undermine essential State interests; d. conducted by foreign nationals against its nationals with certain limitations; or e. that constitute crimes under international law subject to the universality principle. Rule 13 – International cooperation in law enforcement. Although as a general matter States are not obligated to cooperate in the investigation and prosecution of cyber crime, such cooperation may be required by the terms of an applicable treaty of other international obligation. 9
  • 10. Tallinn Manual Rules Dealing withTallinn Manual Rules Dealing with CountermeasuresCountermeasures Rule 21– Purpose of Countermeasures (to induce a state to comply with obligations with otherwise unlawful actions; in contracts acts of ‘retorsion’ are lawful but unfriendly, e.g. trade sanctions). Rule 22 – Limitations on Countermeasures – (aimed to counter (stop) attacks, in contrast with ‘reprisals’, which are always ‘unlawful’). Rule 23 – Proportionality of Countermeasures Rule 24 – States Entitled to Take Countermeasures (only injured states). Rule 25 – Effect on Countermeasures (may not harm rights out to third State – can be problematic. Rule 26 – Necessity. 10
  • 11. Tallinn 2.0 is Organized intoTallinn 2.0 is Organized into 20 Chapters (2 of 2)20 Chapters (2 of 2) 11. International Communications Law 12. Peaceful Settlement 13. Prohibition of Intervention 14. The Use of Force 15. The Law of Cyber Armed Conflict 16. The Law of Armed Conflict Generally 17. Conduct of Hostilities 18. Certain Persons, Objects, and Activities 19. Occupation 20. Neutrality 11
  • 12. Harold Hongju Koh, Legal Advisor, U.S. Department of StateHarold Hongju Koh, Legal Advisor, U.S. Department of State (2012)(2012) THE TEN FUNDAMENTAL QUESTIONS (1 of 2): 1: Do established principles of international law apply to cyberspace? Yes. 2: Is cyberspace a law-free zone, where anything goes? Emphatically “No.” 3: Do cyber activities ever constitute a use of force? Yes. 4: May a State ever respond to a computer network attack by exercising a right of national self-defense? Yes. 5: Do jus in bello rules apply to computer network attacks? Yes. 6: Must attacks distinguish between military and nonmilitary objectives? Yes. 7: Must attacks adhere to the principle of proportionality? Yes. 12
  • 13. The Ten Fundamental Questions (2 of 2)The Ten Fundamental Questions (2 of 2) 8: How should States assess their cyber weapons? States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would be inherently indiscriminate, i.e., that it could not be used consistent with the principles of distinction and proportionality. 9: In this analysis, what role does State sovereignty play? States conducting activities in cyberspace must take into account the sovereignty of other States, including outside the context of armed conflict. 10: Are States responsible when cyber acts are undertaken through proxies? Yes (but this requires a complex factual analysis). 13
  • 14. Unresolved Three QuestionsUnresolved Three Questions Unresolved Question 1: How can a use of force regime take into account all of the novel kinds of effects that States can produce through the click of a button? The United States has affirmed that established jus ad bellum rules do apply to uses of force in cyberspace. [There are] some clear-cut cases where the physical effects of a hostile cyber action would be comparable to what a kinetic action could achieve: for example, a bomb might break a dam and flood a civilian population, but insertion of a line of malicious code from a distant computer might just as easily achieve that same result. [T]there are other types of cyber actions that do not have a clear kinetic parallel, which raise profound questions about exactly what we mean by “force.” Unresolved Question 2: What do we do about “dual-use infrastructure” in cyberspace? [I]nformation and communications infrastructure is often shared between State militaries and private, civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. [] Parties to an armed conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation. Unresolved Question 3: How do we address the problem of attribution in cyberspace? Cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. [] Legal tools exist to ensure that States are held accountable for those acts. [M]any of [] challenges – in particular, those concerning attribution – are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones. 14
  • 15. Art. 2(4) -- All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations. Art. 51 -- Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. 15 U.N. Arts. 2(4) -- Use of ForceU.N. Arts. 2(4) -- Use of Force & 51– Self-Defense& 51– Self-Defense
  • 16. Threshold InquiryThreshold Inquiry Not every ‘use of force’ is an armed attack, but every armed attack is a ‘use of force’. Use ‘unlawful’ not ‘illegal’. Significance of Difference:  Any ‘Use of Force’ is a violation of international law [‘unlawful’] even when authorized by domestic legislation and a declaration of law is made.  An ‘Armed Attack’ (use of force with significant consequences, such as (i) death, (ii) injury, (iii) physical damage & (iv) destruction) constitutes a violation of international law and victim may respond with force. 16
  • 17. Armed-Attack AnalysisArmed-Attack Analysis Self-Defense May Not be Justified if an Armed Attack is Merely:  Cyber-espionage;  Cyber theft (matter of scale); and  Cyber-interruptions of non-essential services. Self-Defense is Justified if the Armed Attack is:  Instant;  Overwhelming;  No choice of other mean; and  No moment for deliberation. How should attacks against private assets as opposed to critical infrastructure and military targets be treated? Should cyber and kinetic attacks be treated identically? One should consider temporal and systemic issues! 17
  • 18. Self-DefenseSelf-Defense (Response to an Armed Attack)(Response to an Armed Attack) Proportionality Principle: 1) Limited scale (Problematic with cyber). 2) Limit scope (Problematic with cyber). 3) Limited duration (Problematic with cyber). 4) Limited intensity (Problematic with cyber). Retaliation is not permissible under the rubric “Self- Defense) but Retorsion is (i.e., ‘proportional retaliation’). Countermeasures are permitted when aggressor’s action does not rise to an ‘armed attack’ (is this mere semantics?) 18
  • 19. International Humanitarian Law: ShouldInternational Humanitarian Law: Should there be a ‘Cyber’ Geneva Convention?there be a ‘Cyber’ Geneva Convention? At the recent RSA Conference in San Francisco, Microsoft, Cisco, HP, Facebook, and others proposed a “Digital Geneva Convention” for private organizations, committing them not to assist governments, or participate, in the use of cyber tools to attack civilians and civil infrastructure. The relevant Geneva Convention language provides: “In order to ensure respect for and protection of the civilian population and civilian objects, the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives.” Query whether cyber-attacks against population constitutes terrorism? Of course, the same analysis may apply to the use of nuclear weapons. 19
  • 20. Problem for Lawyers: The Growing Disconnect BetweenProblem for Lawyers: The Growing Disconnect Between International Law and Practical/Political ViewsInternational Law and Practical/Political Views  Of course, not all causus belli result in ‘declarations of war’ (or the invocation of authority under the U.S. War Powers Act (1973)). What are the characteristics of a cyber-attack that will qualify as a causus belli?  On a daily basis, NATO registers 500+ million suspicious cyber events. Severe cyber-attacks could trigger NATO’S Art. 5 mutual defense guarantee. Is this guarantee credible that ‘appropriate action will be taken’? The response could be by cyber, other means, or merely symbolic. In theory, the response would be decided by consensus, but NATO members have their own sovereign right to take action (rationale for ‘trip wire’ (West Germany or force de frappe (France).  Many politicians and thought-leaders regard Russian cyber-attacks to be ‘acts of war’ (a political, not legal, concept). Such attacks may not qualify as such under international law. What will be the consequence of an on-going divergence in public and legal opinion? 20
  • 21. Deterrence Failures are Like to Lead to Miscalculation and Escalation According to UK Foreign Minister Lord Ahmad: “the Russian military, was responsible for the destructive NotPetya cyber-attack” causing more than $1.2 billion (including UK-based Reckitt Benckiser). UK Defense Secretary Gavin Williamson said Russia was "ripping up the rule book" and the UK would respond. Cyber-attacks cannot be ‘contained’. Russia Defense Ministry spokesman said that Secretary Williamson has “lost his grasp on reason,” his fears being “worthy of a comic plot or a Monty Python's Flying Circus sketch.” Eventually, the US attributes the malicious NotPetya cyber-attack to Russia. 21
  • 22. Active Cyber DefenseActive Cyber Defense for the Private Sector?for the Private Sector? [The Government could] protect the '.gov' and '.mil' addresses, but we could not protect 'com.' [i.e. the rest of us]." Former FBI Agent Clint Watt paraphrasing former Homeland Security Advisor Tom Bossert Consider the SONY Situation, where President Obama acted against North Korea. 22
  • 23. Possible Solution to the Political Divide IssuePossible Solution to the Political Divide Issue  Look to applicable domestic law during peacetime and not the law of armed conflict.  Regard the Russian polity not as a state, but as an organized crime group.  Apply U.S. criminal law (RICO, etc.) against relevant individuals and organizations.  Use asset forfeiture mechanisms to reach the ‘criminals’. 23