Challenges from the Cyber Domain: Cyber Security and Human Rights


Published on

This paper explores the key tensions between human rights and state-implemented cyber security. It examines three key tensions, attribution versus anonymity, international norms and cyber war.

Published in: News & Politics
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Challenges from the Cyber Domain: Cyber Security and Human Rights

  1. 1. Challenges from the Cyber Domain: Cyber Security and HumanRightsAuthored by Adam D BrownLondon School of Economics and Political Science2011Copyright © 2011 1
  2. 2. “If we wish to remain human, then there is only one way, the way into the opensociety. We must go on into the unknown, the uncertain and insecure, using whatreason we may have to plan as well as we can for both security and freedom.” 1 -- Karl Popper, The Open Society and Its EnemiesDeveloping countries frequently grace the pages of academic discourse on humanrights and civil liberties. Traditional human rights violations, by infamousdictatorships that fail to apply Western universal principles of human rights, are acommon narrative. The arguments advanced in this paper spare the developing world,at least for the present.2 Instead the arguments that follow indict the developed‘information societies’ that are now heavily dependant on cyber technologies.Dependency on the cyber domain, for all the benefits it brings society, deliversequally, a precarious state of vulnerability. State-implemented cyber security canprovide an allegory of good government, of security and freedoms, or succumb torepression and less desirable characteristics of human nature. United Nations SpecialRapporteur, Frank La Rue, has argued the internet is “one of the most powerfulinstruments of the 21st century,” a machine for building democracy.3 It is necessarythen, to understanding this twenty-first century global machine and its two billionhuman dependants.4This paper explores the key tensions between human rights and state-implementedcyber security. It will be argued that three central tensions exist between these twoprima facie competing goals. First, ‘attribution versus anonymity’ advances tensionsat the core of the debate around transparency on the internet and protection of privacy.Second, competing cyber security norms amongst nation-states, produce uneasetensions that threaten both security and the principle of internet freedom. Finally,looming cyber war threatens to erode the human rights and civil liberties enjoyed bythe global internet community. These three tensions comprise the first set ofarguments contended in this paper. The second argument advanced, within each1 Karl Popper, The Open Society and Its Enemies , Vol. 1 (Routledge , 1945). P.2012 It is acknowledged that depending on the definition of ‘developing world,’ some states have amoderate IT infrastructure. This paper is concerned with states with heavy dependency on cybertechnologies. The ‘digital divide’ has left large regions of the world out of the ‘internet revolution.’ Abrief look at recent states demonstrates this divide. See supra note 133.3 Frank La Rue, Report of the Special Rapporteur on the promotion and protection of the right tofreedom of opinion and expression, Human Rights Council (Geneva: United Nations, 2011).4 There are now over a two billion people using the internet. See supra note 133. 2
  3. 3. chapter, purports to navigate these tensions, elucidating the shortfalls and points ofconvergence between each competing tension. By balancing the goals of human rightsand cyber security, information societies in the twenty-first century will ultimately beprotected from the emergence of a tyrannical cyber state or the devastating effects ofcyber attacks.The emerging cyber lexicon is fraught with ambiguities and conflated language. Thispaper endeavours to articulate key term meanings, when required, in the context ofthe arguments being advanced but inevitability further definitional understanding maybe needed. Supplementary to the taxonomy used, is a glossary and a brief discussionon the key foundational terms discussed within this paper.5Attribution versus anonymityAttributionDiscovered in 2008 by researchers at the Munk Centre for International Studies,GhostNet was found propagating itself undetected through the internet using a trojanattack called gh0st RAT to hijack computers.6 By the end of 2009, GhostNet hadinfiltrated 1,295 computers in 103 countries.7 Subversively mining data, GhostNetrecorded keystrokes and silently engaged computer visual and audio inputs ofunknowing users.8 Military attachés, diplomats, journalists and human rightsorganisations were targeted; an estimated thirty percent of compromised computerswere considered to be of high diplomatic, political, economic or military value.9Despite accusations in the media that China was responsible, researchers conclusivelystated they were unable to attribute any actor to these high profile attacks.10 Theinherent design of the internet, using an antiquated IPV4 system of address5 Glossary on page 29 and a brief discussion on definitional foundations on page 31.6 Rafal Rohozinski, Tracking GhostNet: Investigating a Cyber Espionage Network, Munk Centre forInternational Studies (Toronto: Information Warfare Monitor, 2009).7 Ibid, 5.8 Ibid, 47.9 Ibid, 47.10 Ibid, 9 3
  4. 4. assignment had provided the malicious virus too many loopholes and methods formasking data and administrator identity.11By exploiting the characteristics of the internet that allow for anonymity, GhostNetand other forms of cyber attacks have proliferated throughout the internet, allowingnefarious actors to carry out their attacks “with almost complete anonymity andrelative impunity.”12 Conversely, dissents and those living under repressivegovernments are able to use the same anonymitsing technologies, encryption andother methods available on the internet, to facilitate the rights enjoyed in Westerndemocratic nations, freedom of speech and assembly. Internet ‘freedom’ is a centraltenant of the original creators of the World Wide Web but ‘freedom’ is a contentiousterm. Karl Popper contends, there needs to be freedom with security.13 Sir DavidOmand, former Director the Government Communications Headquarters (GCHQ),argues in Securing the State, that not only is balancing security and human rightsimportant but that intelligence and security work needs to operate in a “framework ofhuman rights.”14 Given the rise in malicious cyber attacks, security practitioners arearguing that the balance between anonymity, that facilitates free speech, is tilted toofar in one direction and that greater security on the internet is needed. In ChathamHouse report, Cyberspace and the National Security of the United Kingdom, itsauthors argue “…the Internet could scarcely be improved upon as a medium for extremist organization and activity. …[it] should be no surprise, therefore, that extremists are also attracted to a system which offers inbuilt resilience and virtual anonymity.”15The diversity in methods and uses, employed by terrorists networks on the internet, isincreasing in complexity. Exploiting cryptography, internet protocol spoofing, secureemail and other features of the internet that allow for anonymity, terrorists are able tocollaborate, educate and carry out attacks, subverting detection from authorities.1611 Ibid, 12.12 David Livingstone, Dave Clemente, Claire Yorke, Paul Cornish, On Cyber Warfare, The RoyalInstitute of International Affairs (London: Latimer Trend and Co Ltd, 2010). Vii.13 See supra note 1.14 David Omand, Securing the State (London: Hurst & Company, 2010). 321.15 Rex Hughes, David Livingstone, Paul Cornish, Cyberspace and the National Security of the UnitedKingdom: Threats and Responses, A Chatham House Report, Royal Institute of International Affairs(London, 2009). 5.16 Daniel McGrory Michael Evans, Terrorists trained in Western methods will leave few clues, 12 July2005, 22 May 2011 <>. 4
  5. 5. Elements of crime and terrorism have merged online. John Rollins and CatherineTheohary in a report for Congress, observe that ‘cyber crime’ “… has now surpassedinternational drug trafficking as a terrorist financing enterprise...”17 McAfee, one ofthe worlds largest cyber security companies, estimate one trillion dollars worth ofintellectual property was stolen via cyber attacks in 2008.18 In 2009, Symantec,another large cyber security company, reported in one cyber attack alone, the theft of130 million credit card numbers and in another incident, the same year, seventy-sixmillion personal identifications stolen.19 Detica and the Office of Cyber Security andInformation Assurance, reported in 2009, that cyber crime cost the United Kingdoman estimated twenty-seven billion pounds per annum.20 The scale of cyber crime andthreats from non-actors in the cyber domain, indicate to cyber security analysts, that afundamental re-design of the internet is needed. Former Director of NationalIntelligence, Mike McConnell, has argued “we need to re-engineer the Internet tomake attribution, geo-location, intelligence analysis and impact assessment – who didit, from where, why and what was the result – more manageable.”21 Federal Bureau ofInvestigation General Counsel Valerie Caproni, has argued in a case involving childtrafficking, that she lacked “the necessary technological capability to intercept theelectronic communications” that would have allowed for greater evidence against theaccused.22 Greater attribution on the internet aids law enforcement and facilitatesgreater protection of rights.23 Greater attribution can also erode civil liberties such asthe right to privacy and ‘chill’ freedom of speech.17 John Rollins, Catherine A. Theohary, Terrorist Use of the Internet: Information Operations inCyberspace, Report for Congress, Congressional Research Service (Washington, 2011). 2.18 Respondents to McAfee’s report, comprised of 800 chief information officers, broke this figuredown by stating $4.6 billion was lost in data and spent about $600 million cleaning up after breaches.See Elinor Mills, Study: Cybercrime cost firms $1 trillion globally, 28 January 2009, 08 March 2011<>.19 Symantec, “Symantec Global Internet Security Threat Report: Trends for 2009,” Volume XV (2010).28.20 Detica and the Office of Cyber Security and Information Assurance in the U.K. Cabinet Office, TheCost of Cyber Crime (London, 2011). 2.21 Susan Landau, David D. Clark, “Untangling Attribution,” Harvard National Security Journal 2(2011): 1.22 Jennifer Martinez, Feds want new ways to tap the Web, 7 March 2011, 26 April 2011<>.23 This is assuming that the state protects human rights within their legal framework. 5
  6. 6. AnonymityWithout ‘re-engineering’ the internet, business and government have devised alternateways of obtaining online identifications. Facebook, the largest social networkingwebsite,24 has established a strict no pseudonym policy, requiring users to use theirgovernment-authorised name.25 This policy, according to Facebook, leads to greateraccountability, safety and a “more trusted [online] environment” but human rightscampaigners have argued it limits their freedom of speech.26 Moreover, there areconsequences in the physical world to improving online identification. Lawenforcement officers in the United Kingdom have capitalised on Facebook’s policyand used it to identify and apprehend suspected criminals in the physical world.27More intrusive, have been the implementation of “real-name” systems in Italy, SouthKorea and China.28 These require citizens to prove their identity before accessingspecific websites or ‘logging on’ at internet cafes.29 China compliments its cybersecurity “real-name” system, with subversive internet monitoring tools. RebeccaMacKinnon author of Networked Authoritarianism, identifies one monitoring systemnamed Green Dam Youth Escort (GDYE) that “…not only censored political and religious content but also logged user activity and sent this information back to a central computer server belonging to the software developer’s company.”30GDYE “aimed at protecting children from inappropriate content,” was widelybelieved by Western observers to be affiliated with the Chinese government and used,24 New York Times, Latest Developments: Facebook, 06 July 2011, 10 July 2011<>.25 Tini Tran, Activist Michael Anti Furious He Lost Facebook Account--While Zuckerbergs Dog HasOwn Page , 03 March 2011, 23 April 2011 <>.26 Ibid,Tran.27 Arrest over social network site damage incitement, 14 August 2011, 17 August 2011<>.28 These “real-name” systems, despite their attempts at greater attribution, have received criticism asflawed and easily circumvented. Jonathan Ansfield, China Web Sites Seeking Users’ Names, 05September 2009, 02 June 201129 Ibid. Ansfield.<>. Also seeinformation on Italy at Italy: Internet Surveillance, 05 December 2010, 07 June 2011<>.30 Rebecca MacKinnon, “China’s “Networked Authoritarianism”,” Journal of Democracy (2011): 40. 6
  7. 7. subversively to collect personal data on its citizens.31 Russia has implementedmeasures to better identify Russian citizens in cyber space. In 2008 Russian Ministerof Communications, Leonid Reiman, reinstated obligations under SORM-II, legallyrequiring that internet service providers (ISP) submit reports to Russia’s secret serviceagency (FSB).32 These reports were required to provide “users’ names, telephonenumbers, e-mail addresses, one or more IP addresses, key words, user identificationnumbers, and users’ ICQ number (instant messaging client), among others.”33 Underorders of President Vladimir Putin, these details were made available to otherbranches of government, raising privacy concerns amongst human rights advocatesand at the United Nations.34 China and Russia, in 2009, were within the top 10 mostprolific producers of malicious cyber attacks worldwide.35 These figures question thecyber security methods used by Russia and China. They are either ineffective atstopping cyber attacks or are used and designed for other purposes. The UnitedNations report on The promotion and protection of the right to freedom of opinionand expression, has specifically identified ISP liability as a danger to human rights.36United Nations Special Rapporteur, Frank La Rue contends that a fundamental featureof the World Wide Web, is that it “depends on intermediaries, or privatecorporations” without government interference.37 ISPs that know they are beingmonitored by the state, leads to “self-protective and over-broad private censorship”that has a ‘chilling effect’ on freedom of speech and principles of internet freedom.According to La Rue, ISP liability is a serious threat to human rights and appears tobecoming more prolific throughout the world.38Moving forwardPrima facie tensions exist between the goals of increasing transparency on the WorldWide Web while maintaining privacy and anonymity. Bridging these conflicting aims31 Ibid, 40.32 OpenNet Initiative, Russia, 19 December 2010, 21 January 2011<>.33 Ibid, Russia.34 Ibid, Russia.35 See supra note 18 at 7.36 See supra note 3 at 11.37 See supra note 3 at 11.38 See supra note 3 at 11. 7
  8. 8. requires a proportionate, balanced and systematic response. Richard Clarke andRobert Knake argue a variety of technological-political solutions to advancing theaims of both cyber security and human rights advocates.39 It is contended, two aremost important to the arguments advanced, “deep-packet inspection” and replacingthe “TCP/IP protocol.” Clarke and Knake argue an effective method of combatingcyber crime and malicious online activity is to install “deep-packet” inspectionsystems on Tier 1 ISP networks.40 These systems would effectively scan data movingthrough the network identifying malicious activity.41 Knake and Clarke refute theargument that it is a “Big Brother” system, contending that the system would have“real oversight mechanisms” and be run by a “Civil Liberties Protection Board” withno affiliation to the government or ISPs.42 Moreover, data itself would not be read,rather the “signatures” or identifying features of malicious cyber threats.43 Thissystem is in direct opposition to Frank La Rue’s aforementioned report that states“…censorship measures should never be delegated to a private entity, and that no oneshould be held liable for content on the Internet of which they are not the author.”44La Rue’s report does not strike a proportionate balance between cyber security andhuman rights. In the United Nations Universal Declaration of Human Rights and theInternational Covenant on Civil and Political Rights, rights of freedom of speech,assembly and privacy are all qualified.45 Given the significant threat from maliciouscyber attacks argued, that themselves violate human rights, Knake and Clarke providea more balanced and propionate response. While there is an inherent danger in Knakeand Clarke’s system of corruption, this is inherent in any democratic system;defended against only through the continuous stewardship of human rights by citizensthemselves. Returning to Knake and Clarke’s second contention of resolving theaforementioned problems of attribution and anonymity, is to replace the currentTCP/IP protocol with an encrypted military protocol.46 Knake and Clarke argue that amilitary protocol would allow for better sorting of data travelling through the internet39 Robert Knake, Richard Clarke, Cyber War (New York: HarperCollins, 2010). 161-162 and 273.40 Tier 1 ISP networks are considered the “backbone” of national internet networks. Shutting a Tier 1network, would result in many smaller networks becoming ‘detached’ from the internet and largenumbers of people being disconnected from the internet. See Ibid. 161.41 See supra note 37 at 161.42 See supra note 37 at 162-163.43 Ibid, 162-163.44 See supra note 3 at 13.45 See supra note 3 at 7.46 See supra note 37 at 273. 8
  9. 9. into various priorities and networks.47 It would include better encryption facilities, sothat, unlike today, most data could be secured. Advocates of greater anonymity coulduse a network using this protocol, knowing their data was encrypted and was going toreach the destination without interference. This second argument by Knake andClarke is problematic in the context of Human Rights. Sorting data raises a number ofdilemmas in a global network. Questions emerge around who decides what and howdata is sorted. A single` global standard of encryption raises problematic issues ofvulnerability and ‘backdoor’ access. Governments have historically been wary ofallowing encryption technologies without ‘backdoors’ that they can use, if thattechnology were to be used by ‘criminals’ or ‘terrorists.’48 A global encryptionprotocol moreover, would need to be very secure. Haystack software, used in 2010,was developed by the United States to be used by Iranian dissents as a method ofevading Iranian government sensors.49 The software was soon ‘cracked’ byindependent experts who suggested that the Iranian regime might have done the same,exposing all those dissents that used the software.50 Knake and Clarke address thecore tensions between cyber security and human rights. It is argued the later solution,is less desirable then the former but both elucidate that bridging these competinggoals is achievable in varying degrees. As states continue to devised methods withincyber security, emerging cyber security norms develop. These norms can have asignificant impact on international human rights law and the principles of internetfreedom.Cyber security norms and human rightsCyber security norms increasingly differ as states move to exert greater sovereignty inthe cyber domain. Lack of global governance and advancements in technology haveresulted in states enacting their own cyber security policies, a move that tests the47 Ibid. 273.48 Will Rogers Richard Fontaine, “Internet Freedom and Its Discontents: Navigating the Tensions withCyber Security,” Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in theInformation Age, Vol. II (Washington: Center for a New American Security, 2011) I-II vols. 150-151.49 Ibid. 151-15250 Ibid. 151-152. 9
  10. 10. principles of those who advocate for a ‘free’ and ‘unfettered’ World Wide Web(‘web’). Tim Berners-Lee, original architect of the hypertext protocol that governs theWorld Wide Web, contends that like democracy, a “free” and “open” cyber spaceneeds to be continuously maintained against governments and corporations who maysuccumb to more repressive cyber security tendencies.51 “The Web is now more critical to free speech than any other medium. It brings principles established in the U.S. Constitution, the British Magna Carta and other important documents into the network age: freedom from being snooped on, filtered, censored and disconnected.”52Here it is evident that there exists an analogous aim in both the internet freedomprinciples described by Berners-Lee and international human rights legal norms offreedom of speech and assembly.53 Berners-lee with his internet freedom principlesechoes Frank La Rue, who argues that the transformative nature of the internet, as atool for building democracy, has been revolutionary and that it is a result of theunique characteristic of free two-way communication.54 The right to freedom ofopinion, expression and the right “to hold opinions without interference” areenshrined in Article 19 of the Universal Declaration of Human Rights and theInternational Covenant on Civil and Political Rights.55 If there is any doubt, TheCovenant on Civil and Political Rights, states that freedom of opinion and expressionapplies to those who “… seek, receive and impart information and ideas of all kinds,regardless of frontiers, either orally, in writing or in print, in the form of art, orthrough any other media of his choice;” with emphasis on “other media of his choice”and “regardless of frontiers.”56 These United Nations conventions provide amplefodder for advocates of a ‘free’ internet but they are not determinant. On furtherreading of the Covenant on Civil and Political Rights, there resides, in Article 19,sections 3 (a) and (b) qualifying statements to limit these rights. “The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain51 Tim Berners-Lee, Long Live the Web: A Call for Continued Open Standards and Neutrality, 22November 2010, 04 April 2011 <>.52 Ibid, Berners-Lee.53 Given the level of abstraction argued in this paper, will contend that both the internet freedomprinciple and human rights share principle aims and will be used interchangeably.54 See supra note 3 at 6.55 See supra note 3 at 7.56 United Nations, “International Covenant on Civil and Political Rights,” Art.19. 16 December 1966,03 March 2011 <>. 10
  11. 11. restrictions, but these shall only be such as are provided by law and are necessary: (a) For respect of the rights or reputations of others; (b) For the protection of national security or of public order (ordre public), or of public health or morals.”57It is not unforeseeable, that governments would validate their cyber security policyusing sections (a) or (b). Riots and civil unrest throughout the Middle East, during the‘Arab Spring,’ led governments to temporary shut off internet access in, what wasargued, an effort to maintain public order.58 British Prime Minister David Cameronemployed the same reasoning during the August riots in London, advocating totemporarily “turn-off” access social media networks.59 This suggests that democraticregimes are not immune to bolstering their cyber security policy against human rightsconcerns. These examples demonstrate tensions between international human rightslaw and state cyber security measures. Cyber security norms are tenuous betweenstates as well.Western universal principles of human rights when applied to the concept of ‘cybersecurity’ are in tension with Eastern notions. In the Russia-U.S Bilateral onCybersecrity Critical Terminology Foundations, it emerged that the term ‘cybersecurity’ carried different connotations for both parties.60 While both teams ofnegotiators agreed that ‘cyber security’ denoted ‘protection’ and that it was analogouswith ‘information security,’ the Russian perspective was that ‘protection’ included“protecting the population from terrorism” and that censorship was “… an essentialaspect of ‘information security.’”61 China to, views anti-government dissonance as athreat and has adopted an analogous definition of cyber security as Russia.62 TheRussian and Chinese perspectives are incompatible with Western concepts of libertyand international human rights law, having a fissiparous effect on cyber security57 Ibid, 23.58 Reuters, Arab Web clampdown hurts own economies: Googles Schmidt, 26 May 2011, 24 June2011 <>.59 British Broadcast Corporation, England riots: Government mulls social media controls, 11 August2011, 15 August 2011 <>.60 Valery Yaschenko Karl Frederick Rauscher, Russia-U.S. Bilateral on Cybersecurity: CriticalTerminology Foundations, Worldwide Cybersecurity Initiative, EastWest Institute (New York:Moscow, 2011). 16.61 Ibid,16.62 Martha Finnemore, “Cultivating International Cyber Norms,” Travis Sharp Kristin M. Lord,America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Centerfor a New American Security, 2011) I-II vols.P.89-90 11
  12. 12. norms with human rights. The Chinese and Russian interpretation of cyber securityleads to a third, consequential tension, with human rights; that between the state andcitizen.Censorship is a formidable and increasingly used tool by state-implemented cybersecurity regimes. Such is the threat of pervasive filtering or censorship that “VintonCerf, popularly known as the ‘father of the Internet,” has suggested, “…if everyjurisdiction in the world insisted on some form of filtering for its particulargeographic territory, the web would stop functioning.”63 Cerf’s observation illustratesthe extent the internet requires international cooperation and importantly, theestablishment of carefully crafted censorship norms. China is a world leader in the useof surveillance and censorship technologies, having “the largest and mostsophisticated filtering systems in the world.”64 Rebecca MacKinnon argues that therefined and sophisticated methods used by the Chinese government, allow for primafacie freedom of speech.65 MacKinnon describes that in China debate can be fierceand passionate, “bringing injustices to national attention… [causing] genuine changesin local-government policies or official behaviour.”66 These freedoms, to use asecurity analogy from Karl Popper, are a chimera.67 As Mackinnon observes, “in the networked authoritarian state, there is no guarantee of individual rights and freedoms … the government has continued to monitor its people and to censor and manipulate online conversations to such a degree that no one has been able to organize a viable opposition movement.”68Most concerning from MacKinnon’s observations, are the consequential politicalrepercussions of this censorship and surveillance. Reporters Without Boarders,reported in 2010, that out of 119 ‘cyber dissidents’ imprisoned around the world as aresult of their online political dissonance, 77 were detained in China.69 These arrestsremind Chinese dissidents that the government is watching and this has a ‘chillingeffect’ on freedom of speech. These electronic intrusions by the Chinese government63 Rex Hughes, David Livingstone Paul Cornish, Cyberspace and the National Security of the UnitedKingdom: Threats and Responses, A Chatham House Report, Royal Institute of International Affairs(London, 2009).P.1764 OpenNet Initiative, China: regional profiles, 15 June 2009, 11 July 2011<>.65 See supra note 30 at 32-46.66 Ibid. MacKinnon.67 See supra note 1 at 111.68 See supra note 33.69 Reporters Without Boarders, “The Enemies of the Internet,” 12 March 2011, World day againstcyber-censorship, 08 August 2011 P.5 <>. 12
  13. 13. go against the aforementioned principles of internet freedom. China’s cyber securitymethods are severe but China is not unique amongst states in censoring onlinecontent. Censorship, to varying degrees has become a global norm, practiced by moststates, even democratic regimes. Government censorship on the internet is bestelucidated by The OpenNet Initiative’s report, documenting YouTube censorshiparound the world. 70 Democratic and authoritarian governments are represented on thereport’s global map depicting where the YouTube website or its videos have beencensored. Evidently, it is clear that censorship is increasing in both intensity and inproliferation around the world.71 While the practice of internet censorship isbecoming a global norm, the type of content being censored differs markedly. Thissuggests that a secondary tension exists, between states with differing perceptions ofwhat “free speech” entails. Emblematic of this tension, is the Additional Protocol toThe European Convention on Cybercrime. It requires signatories to criminalise thedistribution of “…distributing xenophobic or racist material through a computer system; expressing denial,“ gross minimization” or approval of a genocide or crimes against humanity through a computer; distributing insults to people because of their race, color, religion, national or ethnic origin through a computer system or aiding and abetting any of these acts.”72As a signatory to this protocol, France bans publishing material that meets thesequalifications. Conversely, the United States, bound by its constitution, has notratified the protocol.73 In context of global cyber security norms and human rights,this exemplifies the problematic nature of conflicting cyber security regimes. France’sattempt to exert positive rights, conflicts directly with the United States attempt to‘exert’ negative rights in cyber space. As a global technological commons, theinternet allows for these competing and paradoxical ‘universal’ conceptions of humanrights, adding further difficulties to resolving cyber security norms and internationalhuman rights law. The current state of the international community and its response tohuman rights in the discourse of cyber security is inadequate. It will be argued, thereneeds to be greater unification of these norms at the international level.70 OpenNet Initiative, YouTube Censored: A Recent History, 02 August 2011<>.71 Ibid. OpenNet.72 See supra note 48.73 The United States has ratified the Convention, but not the protocol. 13
  14. 14. Cyber security norms and human rights unificationAltering and unifying international norms is the primary method of resolving thetensions between human rights and cyber security norms. Author Martha Finnemoreargues that “norm cultivation” is a three-part process of promulgation andarticulation, disseminating the established norms and the internalization, at the statelevel, of these norms.74 Finnemore is not naive to the tensions and difficulties ofestablishing unified global cyber security norms. A nuanced and reasoned approach isprovided that moves beyond the scope contended in this paper, but key themes arenecessary to incorporate into the context of the arguments made in this chapter. Cybersecurity, argues Finnemore, is analogous to other global issues such as protecting theenvironment, stopping corruption and improving gender equality.75 Techniques usedto advances these causes can be used to greater promote the compatible features ofcyber security and human rights. An example can be drawn from China, wherealthough its cyber security policies are repressive from a Western perspective, thereare greater freedoms of speech, due to cyber technologies, now then past decades.76Building on these movements through diplomatic pressure and encryptiontechnologies77 may bring China and other repressive nations into a cyber securityregime that reflects the United Nations conventions and aforementioned internetfreedoms. Finnemore further argues that given the stake private industry has withkeeping the internet unconstrained by national governments, they may play animportant part in harmonising global cyber security norms.78 Best practice corporatepolicies may, as Finnemore contends, insulate companies from accusations ofsubversive government agency.79 These arguments by Finnemore suggest there isroom for greater consensus on cyber security and human rights, although very little. Itis the contention of this paper, that the increasing trend in state censorship of the74 Martha Finnemore, “Cultivating International Cyber Norms,” Travis Sharp Kristin M. Lord,America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Centerfor a New American Security, 2011) I-II vols.p.93.75 See supra note 58 at 96.76 See supra note 28 at 33.77 For a discussion on the potential of encryption devices being used to liberate those repressed underauthoritarianism, Richard Fontaine and Will Rogers article on internet freedom. See supra note 58 at150.78 See supra note 60 at 100.79 See supra note 64. 14
  15. 15. internet and the ideological divergence amongst states on the meaning of liberty and‘cyber security’ is of great concern. These indications suggest a trend toward statesimparting greater sovereignty within the cyber domain and a resulting fracturing ofthe World Wide Web against the principles of internet freedom. Most significant interms of cyber security norms and human rights has not yet been argued. Cyber war,as a cyber security issue, has not achieved international consensus in either the Lawsof Armed Conflict or humanitarian law. 15
  16. 16. Cyber war and human rights “Because the entire law of war regime has been built upon a Westphalian foundation, the transformative properties of cyber warfare are just as breathtaking. We are left pondering some fundamental questions – what constitutes force? What is a hostile act? When is self-defence justified in response to a cyber attack? Is the Use of traditional means of force ever justified in response to a cyber attack? These are not easy questions and the international legal regime is lagging far behind the problems presented by the increasingly sophisticate technological possibilities in the area.”80 -- Lieutenant Colonel Jeffrey K. WalkerCyber war, as the preeminent cyber security issue, is destructive and politicallycomplicated. Nuclear war strategist, Joseph S. Nye, has likened cyber war in thecontext of cyber security, to the dawn of the nuclear age, with opaque ‘adversarialinteractions’ and new, little understood weaponry.81 Cyber war analyists AndreyKorotkov and Karl Rauscher, argue that the international community of states has notdeveloped “rules of engagment” in cyber warfare, despite the cyber domain being“the linchpin of our mutual safety, stability and security.” 82 Without an internationalconsensus on what constitutes an ‘act of cyber war’ or the ‘conduct during cyber war,’nation-states are in endanger of subverting human rights, while the cyber domainbecomes increasingly militarised. Establishing then, the applicability of the Laws ofArmed Conflict (LOAC) and international humanitarian law (IHL) reside at thefulcrum of a discussion on cyber war and human rights. Navigating the argumentsadvanced will be framed through Michael N. Schmitt’s paradigm of what constitutescyber war, an ‘actor-based threshold’ or a ‘consequence-based threshold.’Rationalising cyber war in this way, teases out the problematic characteristics ofapplying international human rights law to cyber war. Addressing first the ‘actor-based threshold,’ exposes the tenuous relationship between cyber war and80 This quote is borrowed from Dr Rex Hughes’ illustrative article on a global cyber warfare regime.See Rex Hughes, “Towards a Global Regime for Cyber Warfare,” C, Geers K Cozosseck, The VirtualBattlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009) P.106. The original quotecan be found at Jeffrey K. Walker, “The demise of the nation-state, the dawn of new paradigm warfare,and a future for the profession of arms,” Air Force Law Review (2001): 51.81 “Power and National Security in Cyberspace,” Joseph S. Nye, America’s Cyber Future, Vol. II(Washington: Center for a New American Security, 2011). 7.82 Andrey Korotkov Karl Frederick Rauscher, Working Towards Rules for Governing Cyber Conflict:Rendering the Geneva and Hague Conventions in Cyberspace, EastWest Institute (New York, 2011).iii. 16
  17. 17. international human rights law. Secondly, it will be argued that a ‘consequence-basedthreshold’ is highly advantageous over its former and that rationalising cyber war inthis way provides a theoretical way of bridging the two aims of cyber war and humanrights together. Lastly, it will be contended that the consequences of failing to unitecyber war and international human rights law, is leading to a greater militarisation ofthe technological commons. Militarisation of this space is at great detriment to thecitizens in the ‘information societies’ who depend solely on this space in every daylife.Dr. Rex Hughes, in his article Towards a Global Regime for Cyber Warfare, arguesthat a war of aggression crime, in international law, is applicable to cyber war.83Hughes argues that United Nations (UN) General Assembly Resolution 3314,84 the‘Definition of Aggression,’ be applied to cyber attacks that disrupt national powergrids, health services, financial services and transportation links, among other sectorsof critical infrastructure (CI).85 Similarly, Richard Clarke contends that the GenevaConvention on “Protection of Civilians” and the United Nations Convention on“weapons with ‘Indiscriminate Effects’” be expanded to include cyber attacks oncritical infrastructure.86 Clarke argues that civilians, as opposed to the military, wouldbe most severely affected in a cyber attack and are thereby more venerable.87Militaries are better prepared for emergencies with stockpiled food, backup powersystems and hospitals, while civilian infrastructure is less resilient.88 Attacks on thesecritical sectors of civilian life, Clarke contends, could be no greater example of acyber war causing ‘indiscriminate effects’ and as a corollary, is thereby applicableunder humanitarian law.89 Hughes and Clarke suffice in framing the humanitarianimplications of cyber war, juxtaposed to an abstract level of international law, buttheir arguments are founded on unanswered questions and untested assumptions.83 Rex Hughes, “Towards a Global Regime for Cyber Warfare,” C, Geers K Cozosseck, The VirtualBattlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009) 106-116.84 U.N Resolution 3314 was originally drawn from U.N Charter, Article 2. See Elizabeth Wilmshurst,Definition of Aggression General Assembly resolution 3314 (XXIX), 24 June 2011,<>. Article 2, paragraph 4 states: Members shall refrain intheir international relations from the threat or use of force against the territorial integrity or politicalindependence of any state, or in any other manner inconsistent with the Purposes of the UnitedNations.”85 Ibid, 112.86 See supra note 37 at 242.87 Ibid, 242.88 Ibid, 242.89 Ibid, 242. 17
  18. 18. Michael N. Schmitt, in Wired warfare: Computer network attack and jus in bello,addresses these unanswered assumptions, by investigating the applicability of acomputer network attack (CNA) with the LOAC and HL.90 Schmitt’s contention isthat in order to apply existence international legal norms to computer network attacks,will require accepting various interpretive premises. These premise can be addressedin three arguments against the applicability of cyber war to international law; thatthere is no direct legal instrument applicable to cyber war, that cyber war technologiespostdate treaties thus rendering them invalid and that question of armed force.Determining ‘cyber war:’ an actor-based thresholdMartens Clause, introduced in the 1899 Hague Convention, refutes those argumentsthat stipulate international law is not directly applicable to cyber war.91 MartensClause states that “…civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity, and from the dictates of public conscience.”92Schmitt contends that Martens Clause applies humanitarian law during armed conflictleaving “no lawless void” amongst those humanitarian situations not covered by aninternational agreement.93 Thereby, the Martens Clause norm in customary law doescover all occurrences, even those arising from cyber war. The second contentionadvanced, is that cyber technologies postdate the relevant HL legal instruments,rendering them inapplicable to cyber war. Refuting this contention requiresrecognising the International Court of Justice’s verdict on nuclear weapons in relationto international human rights law. The Court noted that “[i]n the view of the vastmajority of States as well as writers there can be no doubt as to the applicability of90 Schmitt’s argument focus on computer network attacks. This paper contends this argument can beexpanded to include all cyber technologies. See Michael N. Schmitt, “Wired warfare: Computernetwork attack and jus in bello,” International Review of the Red Cross 84.846 (2010): 368-369.91 Ibid. 369.92 Ibid, 369.93 Ibid. 369. 18
  19. 19. humanitarian law to nuclear weapons.”94 Cyber war attacks, given the gravity of theirdestructive capabilities on civilian populations, are arguably analogous to nuclearweapons, but even if this is dismissed, the underlying premise of the ICJ ruling holdsthat technologies are within the ambit of international law, regardless of when theycome into being. This leaves one last point of contention, that cyber war is notapplicable to international human rights law, due to the qualification requiring ‘armedconflict’ that is a present qualification in the Geneva and Hague conventions.95 TheInternational Committee of the Red Cross on the 1949 Geneva Conventions and the1977 Additional Protocols, define armed conflict as “… [a]ny difference arisingbetween two States and leading to the intervention of armed force.”96 While cyberattacks have consequential ‘war-like’ effects, this does not mean an ‘armed force’ hascarried them out. The Cooperative Cyber Defence Centre of Excellence (CCDCOE),legal team, investigating the legality of cyber attacks on Georgia in 2007, investigatedthis dilemma in an attempt to place cyber war within the ‘armed conflict’qualification.97 Armed force in the physical world requires physical troops andweapons that can, in contrast to cyber attacks, be more easily be verified andattributed to a hostile nation-state. Circumstantial and technical means of attributing acyber attack can rarely conclusively tie an attack to an attacker.98 Attribution, primafacie, in cyber war becomes an important characteristic in determining whatconstitutes ‘armed force’ and as a corollary, what constitutes an ‘armed conflict.’Attribution is an important characteristic in defining the ‘actor-based threshold’required to define an ‘act of war.’ GhostNet, has not been recognised as an ‘act ofwar’ by the international community but exemplifies the ‘actor-based threshold’dilemma. Investigators responsible for uncovering GhostNet, contend that plausibledeniability allows states to officially distance themselves from attacks.”99 ‘Plausibledeniability’ benefits state actors carrying out attacks, given the geographic time and94 Ibid. 370.95 See supra note 89.96 International Committee of the Red Cross, Convention (I) for the Amelioration of the Condition ofthe Wounded and Sick in Armed Forces in the Field, 12 August 1949, 8 June 2011<>.97 Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul. CyberAttacks Against Georgia: Legal Lessons Identified. NATO. (Tallinn: Cooperative Cyber DefenceCentre of Excellence, 2008). 12.98 Ibid, 12. 19
  20. 20. space required to carry out an investigation, versus the speed at which attacks can takeplace and the range of geographical locations that may be involved.100 Thesegeographical locations then have political implications, particularly if there is littletechnical evidence of the cyber attack. Senior National Security Agency official,Debora Plunkett, argues, “ …[because cyber attacks] are hard to detect and quantify,it is difficult to generate the political will required for effective solutions.”101Moreover, whereas with traditional conflict, comprising of troops and kineticweaponry, it soon becomes obvious an attack has taken place and politicians are thenobliged act. With cyber attacks, these often involve the less obvious exploitation of acomputer system vulnerability and politicians may be reluctant to publicise them ininstances of national security.102 For these reasons, Richard Clarke has advocated foran international organisation, similar to the International Atomic Energy Agency, toimpartially monitor cyber warfare attacks on states.103 As an institutional solution toattribution of cyber attacks, this would be of benefit but it fails to resolve the technicaldifficulties. These problematic characteristics of attribution, indicate that construing‘armed force’ or ‘armed conflict’ from a cyber war is highly difficult.The Geneva and Hague Conventions have, for decades, established the boundaries inwar. Prohibitions on asphyxiating the enemy, using poisonous gases or bacteriologicalwarfare, have been banned104 and restrictions placed on the most brutal weaponry.105Cyber war and its weaponry provide their own challenges to IHL and the LOAC butas with previously invented weaponry, should be accessed and if appropriate,incorporated into humanitarian law. It is beyond the scope of this paper to assess theentire ambit of cyber war strategy and weaponry in war but a focused analysis oncritical characteristics of cyber war conduct and weaponry elucidates the associatedhuman rights implications and actor-based approach. Rex Hughes introduces the‘cyber weapon’ as an electron travelling through the cyber domain violating the100 Daniel E. Geer, “How Government Can Access Innovative Technology,” America’s Cyber Future:Security and Prosperity in the Information Age, Vol. II (Washington: Center for a New AmericanSecurity, 2011) I-II vols.186.101 Debora Plunkett, “The Atlantic’s and Government Executive’s First Annual Cybersecurity Forum”(Washington, 2010).102 See supra note 37 at 238-255.103 See supra note 37 at 247.104 International Committee of the Red Cross, Protocol for the Prohibition of the Use of Asphyxiating,Poisonous or Other Gases, and of Bacteriological Methods of Warfare, 8 February 1928, 04 May 2011<>.105 See supra note 82 at 273. 20
  21. 21. Hague Convention as it passes from one neutral country to another.106 The HagueConvention, argues Hughes, forbids the “movement of weapons” across a neutralstate.”107 Hughes argument is academic at the present time but not an implausiblereality for the future. The example elucidates the problems and properties of usingcyber weapons in what is now recognised as the “fifth domain” 108 and theimplications for human rights. In an effort to best rationalise cyber weapons and theiruse in the scope of this brief argument, this paper will divide cyber attacks, used incyber war, into a taxonomy of two; kinetic and non-kinetic attacks. Kinetic cyberattacks (KCA) result in physical damage, designed with the intent to manipulate thedata that controls machines causing them to function improperly in the physicalworld. States are the usually targets of KCAs because as opposed to non-state actors,they have infrastructure to target and damage. There is an increasing number of KCAcases emerging in the cyber discourse. During the Cold War, the Central IntelligenceAgency planted a logic bomb in the computer software that managed a Russianpipeline in Siberia, setting off a three-kiloton explosion, large enough to be seen fromouter space.109 This event demonstrated the potential a kinetic cyber attack could haveon civilian infrastructure. In a recent example from 2010, a sophisticated piece ofmalware exploited four ‘zero-day’ attacks, known as Stuxnet, targeted theprogrammable logic controller (PLC) at an Iranian nuclear facility, controlling itsuranium enriching centrifuges.110 By injecting malicious code into the PLC, Stuxnetwas able to increase the speed of the Iranian centrifuges up to a rate of 1,410Hz thatcaused them severe damage.111 It is estimated that Stuxnet set back the Iranian nuclearprogramme by two years and set a dangerous precedent in cyber warfare.112Techniques used in the pipeline explosion and Stuxnet, resemble the type of kineticcyber attacks analysts fear will be used on civilian critical infrastructure,113106 See supra note 75 at 112.107 Ibid, 112.108 The Economist, War in the fifth domain, 1 June 2010, 26 May 2011<>.109 Peter L. Levin, Wesley K. Clark, “Securing the Information Highway: How to Enhance the UnitedStates Electronic Defenses,” Foreign Affairs 88.6 (2009): 4.110 Kim Zetter, Next post How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware inHistory, 2011 July 2011, 04 August 2011 <>.111 IISS Stratigic Comments, Stuxnet: targeting Irans nuclear programme, Volume 17, Comment 6,The International Institute For Strategic Studies (London, 2011).112 Ibid, IISS Stratigic Comments.113 Examples of critical infrastructure sectors include, communications, emergency services, energy,finance, food, government, health, transport and water. These can all be affected by cyber attacks. See 21
  22. 22. specifically on supervisory control and data acquisitions (SCADA) systems thatcontrol the machines that manage critical infrastructure in many industrialisedcountries.114 These examples of kinetic cyber attacks on critical infrastructureelucidate the impact these types of attacks can have on human rights and civilliberties. To quote Lord Cameron of Dillington, the United Kingdom is “nine mealsaway from anarchy” referencing the impact a cyber disruption to the food supplychain on the “just-in-time” delivery method of supermarket chains.115 Ninety-fivepercent of the food eaten in the United Kingdom is oil dependant, meaning the oilsupply to the nation is vital.116 A kinetic cyber attack that targeted either set of criticalinfrastructure, the computer networks of the “just-in-time” system or the oil deliverysystems, would have a devastating impact the United Kingdom. The implications ofthese scenarios demonstrate the severity of kinetic cyber attacks and importance inframing some of these within international human rights law. The second types ofcyber attacks are non-kinetic attacks. These attacks are more problematic withtraditional the ‘actor-based threshold’ required to attribute an act as an ‘act of war.’The LOAC establish that in war, when an attack has taken place, there must beintentional “injury, death, damage or destruction” as a result of that attack.117 Kineticcyber attacks clearly fit within these qualifications but non-kinetic attacks elucidatemore problematic characteristics. Distributed Denial of Service (DDoS) attacksrepresent “among the most visible and disruptive of cyber-attacks” according to Dr.Jose Nazario, specialist in DDoS attacks.118 Estimates have suggested that threemonths of sustained DDoS attacks on the United States would have the effect of “40or 50 large hurricanes striking all at once.”119 DDoS attacks prima facie do not causeinjury, death, damage or destruction, it is the consequential externalities from theseattacks that can impart death and damage onto property. A DDoS attack works byCyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space (London:The Stationery Office (TSO), 2009). 3.114 See supra note 37 at 98.115 See supra note 75 at 20.116 Ibid. 20.117 Ibid. 20.118 Jose Nazario, “Politically Motivated Denial of Service Attacks,” Kenneth Geers Christian Czosseck,The Virtual Battlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009). 163.119 Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space(London: The Stationery Office (TSO), 2009). 4. 22
  23. 23. overwhelming the target computer’s bandwidth,120 so that it has no bandwidth forthose computers trying to ‘legitimately’ communicate with it.121 If communication isdisrupted between servers that run a website, then there is an infringement of freedomof speech, assembly and potentially privacy if the website fails to display. If theinterrupted communication is with a computer that runs a national power grid, thenfundamental rights such as the right to life may be engaged by the shutting off ofsystems dependant on electricity. Used by a state in a war capacity, these cyberattacks would, at a minimum, violate one’s right to privacy, guaranteed by article 17of the International Covenant on Civil and Political Rights122 and article 12 of theUniversal Declaration of Human Rights that states “…no one shall be subjected toarbitrary interference with his privacy.”123 DDoS attacks, do not easily fitqualifications of the ‘actor-based threshold’ refuted by Schmitt.Resolving tensions: the consequence-based thresholdReturning to Schmitt’s argument, he advances that in order to apply existenceinternational legal norms to computer network attacks, requires accepting variousinterpretive premises. That using a consequence-based threshold for determining what“armed conflict” and “attack” is in cyber space the most adequate way to bridge cyberattacks into an international legal regime. Schmitt contends, “…humanitarian law principles apply whenever computer network attacks can be ascribed to a State are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable.”124Emphasis here needs to be placed on ‘consequences are foreseeable.’ Schmitt isconcerned with the consequence of a cyber attack, rather then the more difficult120 Oxford Dictionary defines ‘bandwidth’ as “the transmission capacity of a computer network orother telecommunication system.” See Oxford Dictionaries, Bandwidth, 8 August 2011<>.121 DDoS attacks thereby, are usually temporary and physically non-damaging to computer systems.See supra note 117.122 See supra note 3 at 16.123 United Nations, The Universal Declaration of Human Rights, 10 December 1948, 10 4 2010<>.124 See supra note 89. 23
  24. 24. ‘actor-based threshold’ that requires not only attribution of an actor but theestablishment of “armed force.” `In the context of the arguments contended in thispaper, Schmitt’s ‘consequence-based threshold’ would apply to the aforementionedkinetic cyber attacks with their devastating effects, but would not apply to GhostNettype of attacks that have no “foreseeable” consequences in terms of “injury, death,damage or destruction.” This is beneficial to the complex environment of cyberthreats that can emerge from an array of actors, not just states. Schmitt’s‘consequence-based threshold’ then, as a corollary, reduces the militarization of cyberspace that will be advanced, is a major threat to human rights and civil liberties.There is one further contention to argue, in addition to Schmitts ‘consequence-basedthreshold.’ Analogous to Schmitts paradigm, is an emerging body of customary lawthat does not necessarily require the qualification of a state actor when it comes tobelligerent activity. Increasing legal precedent within international law, is bindingstates to the actions of non-state actors within their territory. In The Republic ofNicaragua v. The United States of America, the International Court of Justice ruledthat the United States violated international law but supporting the Contras in theirrebellion against the Nicaraguan government.125 This set the precedent that stateswere liable for the actions of non-state actors if they “executed effective control oversuch actors.”126 The threshold was lowered further when, in 2001, the United Statescarried out Operation Enduring Freedom against the Taliban in Afghanistan, underthe legal presumption that the Taliban was harbouring and supporting al-Qaeda.127The United States argued it was using self-defence in accordance with internationallaw, in response to events of September 11.128 These legal precedents in internationallaw, suggest that states cannot as easily used the aforementioned plausible deniabilityto relinquish themselves from belligerent activity.129 Despite the advantagesarticulated in Schmitts ‘consequence-based threshold’ and customary law torectifying cyber war with international law, states, in absence of an international125 International Court of Justice, Military and Paramilitary Activities in and against Nicaragua(Nicaragua v. United States of America), 27 June 1986, 5 July 2011 <>.126 See supra note 96 at 21.127 Ibid. 21.128 Ibid. 21.129 The nation-state where the actor or actors are found to be working from when committing theattacks. 24
  25. 25. consensus, are demonstrating increasing war-like behavior. This is leading to themilitarisation of the cyber domain and this poses a significant threat to human rights.Militarisation of the global technological commonsWithout an established international consensus on the LOAC in cyber war, the cyberdomain remains a warring and anarchical space. Ambiguities around cyber war leadto an increase in the militarization of a shared civilian and military space. TravisSharp and Kristin Lord contend that “…there is no analogous empty “space” and the activities of civil and military users are intertwined together. Non-state actors cannot flee the domain...except by unplugging and dismantling part of cyberspace itself."130Internet and other forms cyber infrastructure have reached a level of ubiquity thatsociety in most developed nations, would be unable to function without it. Two billionpeople ‘logged on’ globally and ten trillion dollars worth of electronic commercepropagated through the internet in 2010.131 It is estimated by the end of 2010, therewill be 5.3 billion cellular subscriptions worldwide and nearly a billion subscriptionsto 3G services that allow mobile phones to gain high-speed access to the internet.132Between 2005 and 2010 internet users globally have doubled, surpassing two billionusers.133 Half a billion people now have access to internet in their home, representing29.5 percent of households worldwide, increasing to eighty percent in somedeveloped countries.134 While global dependency on cyber technologies increases,vulnerability becomes increasingly acute. Government, emergence services, powergrids and other critical infrastructure are represented in these figures, suggesting theseverity of “unplugging” from cyber space or its militarisation. To an extent, the130 Travis Sharp Kristin M. Lord, “Non-State Actors and Cyber Conflict,” Jason Healey Gregory J.Rattray, America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington:Center for a New American Security, 2011) I-II vols. 67.131 Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in the InformationAge, Volume I & II (Washington: Center for a New American Security, 2011). 24.132 The World in 2010: ICT Facts and Figures, “Information and Communication Technology (ICT)Statistics,” 20 10 2011, International Telecommunications Union, 03 06 2011 <>. 5.133 Ibid, 5.134 Sweden, South Korea and the Netherlands all have over 80% internet access in households.Broadband access across the developed world remains low; slightly fewer than five percent, per onehundred inhabitants, have broadband and only one percent, on average, for those living on the Africancontinent. See supra note 127. 25
  26. 26. cyber domain has already begun to be militarised. Former United States DefenseSecretary Robert Gates has escalated cyber space to be a ‘“fifth domain’ of militaryoperations, alongside land, sea, air and space,”135 followed one year later by PresidentBarak Obama’s International Strategy For Cyberspace signalling the cyber domain asa “vital national asset” that the United States reserves the right to “defend.”136Without geographical boarders, questions of the limits of sovereignty emerge.Defending a nation-state in the cyber domain will inevitably include the globaltechnological commons. The United States military exercised its ‘right to defend’during 2008 American cyber forces shut down a suspected high profile terroristwebsite.137 Inadvertently, the military operations shut down 300 servers in the MiddleEast, Germany and Texas, resulting in President Obama putting a moratorium onthese types of “network warfare” until further rules could be established.138 In anotherincident, a dispute between China and the United States in the South China Sea,resulted in the Californian power grid almost being “taken down.”139 With the rules ofcyber warfare not established, these incidences are likely to increase within theinternational community of states. Continuation of these ‘war-like’ activities in thetechnological commons threaten human rights and civil liberties, with no recourse toeffective international law. The United States, while a major cyber power, is not ananomaly in approaching the technological commons as a battlefield. The UnitedKingdom has also indicated the strategic importance of offensively acting in cyberspace, advancing in the first National Cyber Security Strategy, that offensivecapabilities are significant component of the county’s cyber defences.140 In June 2011,it was reported that British intelligence officers (SIS) sabotaged an al-Qaeda online‘webzine’ as a propaganda exercise.141 This ‘attack’ drew praise from U.S CyberCommander, General Keith Alexander, who argued, “…blocking the [online]135 Misha Glenny, Who controls the internet?, 8 October 2010, 5 July 2011<>.136 The White House, International Strategy For Cyberspace: Prosperity, Security, and Openness in aNetworked World, The United States of America (Washington, 2011). 12.137 Ellen Nakashima, Pentagon considers preemptive strikes as part of cyber-defense strategy, 28August 2010, 20 June 2011 <>.138 Ibid. Nakashima.139 Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space(London: The Stationery Office (TSO), 2009). 4.140 Ibid. 15.141 Richard Norton-Taylor, British intelligence used cupcake recipes to ruin al-Qaida website, 2 June2011, 24 July 2011 <>. 26
  27. 27. magazine was a legitimate counter-terrorism target.”142 Securing the state throughproactive cyber security operations is a legitimate goal. Protecting website ownersand upholding principles of internet freedom and aforementioned U.N human rights,freedom of speech, association and privacy, are also legitimate aims. By establishinginternational “rules of engagement” and the LOAC in the cyber domain, thesecompeting goals can be balanced and proportionate in their application. Not all cyberattacks are state-sponsored and thereby not all cyber security threats require a militaryresponse. LulzSec and Anonymous hacker groups disrupted and temporary crippled anumber of high profile websites including the Central Intelligence Agency,Mastercard and Visa, using a DDoS attack.143 These are annoyances in civil society,but do not qualify as “acts of war” requiring a military response. Moreover, MathiasKlang argues with qualifications, that DDoS attacks can be a form of political protest,as he contends a form of civil disobedience or what he terms a “virtual sit-in.” 144LulzSec and Anonymous have been argued to be exercising a new form of protest thatshould be tolerated in a free society.145142 Ibid. Norton-Taylor.143 James Ball, By criminalising online dissent we put democracy in peril, 1 August 2011, 23 August2011 <>.144 Mathias Klang, “Virtual Sit-Ins, Civil Disobedience and Cyberterrorism,” Mathias Klang AndrewMurry, Human Rights in the Digital Age (London: Glasshouse Press, 2005) 1-234. It must be notedthat Klang qualifies types of DDoS attacks that would constitute as civil disobedience. For example,use of botnets would not constitute as a legitimate form of civil disobedience but DDoS attacks usingpeople and their own computers would.145 See supra note 117. 27
  28. 28. ConclusionThis paper has explored an important academic lacuna within the discourses of humanrights and cyber security. Despite national cyber security strategies on both sides ofthe Atlantic referencing the importance of framing security within liberties and rights,they have provided little substance on the nature of this relationship or how it is to beachieved. Moreover, a disproportionate amount of literature is aimed at strategiccyber war, rather then ways of achieving cyber peace. Within human rights, a body ofresearch has emerged on internet freedoms but very little within a cyber securityframework. It has been argued, cyber security is at the fulcrum of any discussion onhuman rights within the cyber domain; security and freedoms are analogous concepts.As elucidated, dependency on the cyber domain, for all the benefits it brings society,delivers equally, a precarious state of vulnerability. Dependency and the corollary ofvulnerability, is a reoccurring theme throughout this paper; without the former therewould be not cyber threat to human rights.The arguments contended in this paper, have explored three key tensions betweenhuman rights and state implemented cyber security. First, attribution versusanonymity has advanced the tensions at the core of the debate around transparency onthe internet and protection of privacy. Lack of attribution has allowed for theproliferation of malicious cyber attacks. Conversely, anonymity, provides dissentsand others freedom of speech and a cascade of subsequent human rights. Bridgingthese prima facie goals was argued to be achievable through the proportionate andsystematic application of technology but only to a degree. Political acumen is requiredas well. Authoritarian regimes, argued in the cases of Russia and China, are likely tofurther impart their sovereignty in the cyber domain, further limiting human rightsand fragmenting the internet. The second argument advanced, contended thatcompeting cyber security norms, produce unease tensions that challenge internationalhuman rights law and the principle of internet freedom. Cyber security norms conflictwith the United Nations conventions on human rights, amongst states, and betweennation-states and their citizens. Censorship, it was argued, is a concerning trendamongst all states to varying degrees. Despite Finnemore’s attempts at rectifyinginternational cyber norms, it was contended these are severely incompatible, notablyat the unilateral state level. Thirdly, the preeminent cyber security concern, cyber war, 28
  29. 29. was addressed in context to its impact on human rights. Through Schmitt’s paradigmof what constitutes cyber war, an ‘actor-based threshold’ or a ‘consequence-basedthreshold,’ this paper teased out the problematic characteristics of applyinginternational human rights law to cyber war. It was argued that a ‘consequence-basedthreshold’ is highly advantageous over its former and that rationalising cyber war inthis way provided a theoretical way of bridging the two aims of cyber war and humanrights together. Lastly, it was contended that the consequences of failing to unitecyber war and international human rights law, is leading to a greater militarisation ofthe technological commons. Militarisation of this space is at great detriment to thecitizens in the ‘information societies’ who depend solely on this space in every daylife.To conclude, from the cyber domain a variety of challenges emerge between cybersecurity and human rights. It has been argued, these challenges are in the form oftensions between the competing social goals, of security and freedom. In someinstances these goals can be unified, benefiting state and citizen. In other cases, thereseems to be an increasing trend toward greater cyber security at the expense of humanrights. Balancing these goals are critical for information societies in the twenty-firstcentury and will ultimately protect society from the emergence of a tyrannical cyberstate or the devastating effects of cyber attacks. 29
  30. 30. GlossaryCyberspace - a an electronic medium through which information is created, transmitted,received, stored, processed, and deleted.Cyber infrastructure - the aggregation of people, processes and systems that constitutecyberspace.Cyber services - are a range of data exchanges in cyberspace for the direct or indirect benefitof humans.Critical cyberspace - is cyber infrastructure and cyber services that are vital to preservation ofpublic safety, economic stability, national security and international stability.Critical cyber infrastructure - is the cyber infrastructure that is essential to vital services forpublic safety, economic stability, national security, international stability and to thesustainability and restoration of critical cyberspace.Critical cyber services - are cyber services that are vital to preservation of public safety,economic stability, national security and international stability.Cyber crime - the use of cyberspace for criminal purposes as defined by national orinternational law.Cyber terrorism - the use of cyberspace for terrorist purposes as defined by national orinternational law.Cyber conflict - a tense situation between or among nation-states or organized groups whereunwelcome cyber attacks result in retaliation.Cyber war - an escalated state of cyber conflict between or among states in which cyberattacks are carried out by state actors against cyber infrastructure as part of a militarycampaign (i) Declared: that is formally declared by an authority of one of the parties. (ii) De Facto: with the absence of a declaration.Cyber security - is a property of cyber space that is an ability to resist intentional andunintentional threats and respond and recover.* See discussion in definitional foundations forfurther clarity.Cyber warfare - cyber attacks that are authorized by state actors against cyber infrastructure inconjunction with a government campaign.Cyber attack - an offensive use of a cyber weapon intended to harm a designated target.Cyber counter-attack - the use of a cyber weapon intended to harm a designated 30
  31. 31. target in response to an attack.Cyber defensive countermeasure - the deployment of a specific cyber defensive capability todeflect or to redirect a cyber attack.Cyber defense - organized capabilities to protect against, mitigate from, and rapidly recoverfrom the effects of cyber attack.Cyber defensive capability - a capability to effectively protect and repel against a cyberexploitation or cyber attack, that may be used as a cyber deterrent.Cyber offensive capability - a capability to initiate a cyber attack that may be used as a cyberdeterrent.Cyber exploitation - taking advantage of an opportunity in cyber space to achieve anobjective.Cyber deterrent - a declared mechanism that is presumed effective in discouraging cyberconflict or a threatening activity fin cyberspace.Technological commons – the cyber space shared by civilians and government. 31
  32. 32. Definitional foundationsThe origins of the term ‘cyber’ are found in the Greek word κυβερνητικός, meaning “skilledin steering or governing” and influenced early usage of the word; the concept of sentientcontrols being administered.146 ‘Cybernetics’ was first coined and popularized by authorNorbert Wiener in his book Cybernetics or Control and Communication in the Animal andthe Machine, as a term used in the context of controlling ‘complex systems in the animalworld;’147 the term was later appropriated by the medical community as a means to describehuman or animal integration with machinery.148 More recently, the word ‘cyber’ has beenused in conjunction with other words to describe the ‘other-than-physical’ virtual space andactivities.149 Terms such as ‘cyberspace,’ ‘cyber warfare,’ ‘cyber security,’ ‘cyber services’and ‘cyber infrastructure,’ all fall under this recent appropriation. In the recent report Russia-U.S Bilateral on Cybersecrity Critical Terminology Foundations, the argument is made thatincorporating the term ‘cyber’ necessitates in some way “the technological representation ofinformation” and that this is by electronic means.150 This understanding is a useful startingpoint as a foundational definition in describing ‘cyber’ and its usage with other words.Building on this, Daniel T. Kuehl work From Cyberspace to Cyberpower: Defining theProblem, defines ‘cyberspace’ or the ‘cyber domain’ as, "a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies.”151This definition builds on the root word ‘cyber’ defined previously, incorporating therequirement of electromagnetism and the use of information technologies. It also suggests theroot concept of “governing or steering” found in the original Greek meaning. To “create,store, modify or exchange” information, implies human sentience.152 The implications forhuman rights, in understanding “cyberspace” in these definitional terms, suggests that ‘cyberconjunctions’ mean something that is a human construct or artifact. Cyber space is engineeredby humans, that are bound by laws and that are capable of recognising human rights, whetherthose laws are domestic or international. In contrast to rival definitions, ‘cyber’ or‘cyberspace’ is not "[t]hat intangible place between computers where information146 Ibid. P.20147 Valery Yaschenko Karl, Frederick Rauscher, Russia-U.S. Bilateral on Cyber security: CriticalTerminology Foundations, Worldwide Cyber security Initiative, EastWest Institute (New York:Moscow, 2011). P.20148 Ibid. P.20149 Ibid P.16150 See supra note 12. During this bilateral agreement Russians posed the argument that ‘cyber’included all information, not just electronic data – ranging from thoughts in your head to theinformation in books. Their argument did not win out but may prove to be more useful in the futurewhen/if computing systems abandon their electromagnetic origins and use other forms of storing andtransmitting information; biologically based or DNA computing for example. For the argumentsadvanced in this paper, the agreed upon definition stated above suffices.151 Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” Stuart H. Starr, LarryK. Wentz Franklin D. Kramer, Cyberpower and national security (Washington: Potomac Books Inc,2009) P.27152 It could be argued that these tasks could be carried out by software with artificial intelligence.Sophisticated computer viruses carry out all the above functions stated in the definition, however, theystill requires human programmers to create them. It is not unimaginable that future programs will bereach the level of ‘intelligence’ that they are able to program themselves, at which point cyberterminology may need redefining. 32
  33. 33. momentarily exists"..."the ethereal reality,"153 nor is it as William Gibson famously wrote inhis 1984 book Neuromancer, "a consensual hallucination."154 Cyber security‘Cyber security’ is a key term that requires attention. In the Chatham House reportCyberspace and the National Security of the United Kingdom: Threats and Responses, ‘cybersecurity’ is defined as “security in and from cyberspace.”155 This definition is useful in itsbrevity but critically, it does not establish the nature of ‘security’. Does ‘security’ dennote‘protection’ and if it does, is it including offensive as well as defensive methods for ensuring‘protection’? To use an analogy, police officers may adopt the use of bullet proof vests indangerous neighbourhoods but also critical to their security they may argue, is the use offirearms to match the threat they face with offensive capablitiies. This understanding of‘cyber security,’ as a term that incorporates both aspects of protection, is most previlent incyberseurcrity literature.156 Taking the concept of protection suggested above into account,the Russian-U.S bilateral agreement on critical cyber security terminology, provides a usefuldefinition, defining ‘cyber security’ as “…a property of cyberspace that is an ability to resistintentional and unintentional threats and respond and recover.”157 In the context of humanrights, a ‘responsive’ cyber security policy can mitigate the impact on human rights. A cybercrime policing unit may disrupt and shut down an online paedophilia ring, thereby enforcingthe UN Convention on the Rights of the Child.158 A government cyber security policy mightenable lawmakers to arrest hackers, who limit others ability to exercise freedom of speech, byattacking and temporarily shutting down online services. Conversely, authoritarian regimesmay use offensive cyber security measures in the opposite way. ‘Cyber security’ as argued here displays numerous characteristics; security, understood asprotection, both offensive and defensive, along with placement in the more broad concept of“security in and from cyberspace, “ with connotations around cyberspace defined previously.Two terms within the U.S-Russian definition of cyber security not addressed, have been theuse of the words “intentional and unintentional threats” and the concept of ‘recovery’. Theformer terms will be explored during discussion around the impact of cyber threats on humanrights, Problems in Cyber security and Human Rights. The later term ‘recover’ is problematicin relation to a discussion around rights. ‘Recovery’ from a cyber attack might be possible intechnological terms, however, if it has involved human rights violations, ‘recovery’ may notbe satisfactory or even possible. It is not clear in the Russian-U.S bilateral agreement as to thespecific meaning behind ‘recovery.’ It will be proposed that ‘recovery’ in the context of acyber attack that has caused human rights violations, include a ‘recovery’ in legal recourse orpolicy and not just a technological restoration. Human Rights‘Human rights,’ as with the term ‘cyber,’ is used in a sweeping number of definitions.Depending on the questions being asked, definitional meanings of human rights can vary.Central to the arguments put forward in this paper are questions surrounding the state and itsadministration of cyber security against cyber threats and those implications on human rights.Although information within the cyber domain exists virtually, as has been argued, it is ahuman construct and consequently it is bound by human rights law. Given this corollary, it is153 Winn Schwartau, Information Warfare: Chaos on the Electronic Superhighway Ibid P.26154 William Gibson, Neuromancer (New York: Ace Books, 1984). P.51155 See supra note 2.156 See the UK National Cyber security Strategy.157 See supra note 13.158 Excepting Somalia and the United States who have yet to ratify this treaty. See, Child RightsInformation Network, Convention on the Rights of the Child, 21 July 2011,<>. 33
  34. 34. appropriate that ‘human rights’ are understood within a legal framework. ‘Human rights’ and‘human rights violations’ will be in context of international and domestic human rights law,including civil liberties that will be seen as a subsection of human rights.Human rights outside of cyberspace have been used as a “rallying cry of the homeless and thedispossessed, the political program of revolutionaries… [by] greedy consumers of goods andculture [and] … the pleasure-seekers and playboys of the Western world,”159 and are nowfinding their representation in the cyber domain. Overview of Internet Censorship160Internet censorship and content restrictions can be enacted through a number of differentstrategies which we describe below. Internet filtering normally refers to the technicalapproaches to control access to information on the Internet, as embodied in the first two of thefour approaches described below.1) Technical blockingThere are three commonly used techniques to block access to Internet sites: IP blocking, DNStampering, and URL blocking using a proxy. These techniques are used to block access tospecific WebPages, domains, or IP addresses. These methods are most frequently used wheredirect jurisdiction or control over websites are beyond the reach of authorities. Keywordblocking, which blocks access to websites based on the words found in URLs or blockssearches involving blacklisted terms, is a more advanced technique that a growing number ofcountries are employing. Filtering based on dynamic content analysis—effectively readingthe content of requested websites—though theoretically possible, has not been observed inour research. Denial of service attacks produce the same end result as other technical blockingtechniques—blocking access to certain websites—carried out through indirect means.2) Search result removalsIn several instances, companies that provide Internet search services cooperate withgovernments to omit illegal or undesirable websites from search results. Rather than blockingaccess to the targeted sites, this strategy makes finding the sites more difficult.3) Take-downWhere regulators have direct access to and legal jurisdiction over web content hosts, thesimplest strategy is to demand the removal of websites with inappropriate or illegal content.In several countries, a cease and desist notice sent from one private party to another, with thethreat of subsequent legal action, is enough to convince web hosts to take down websites withsensitive content. Where authorities have control of domain name servers, officials canderegister a domain that is hosting restricted content, making the website invisible to thebrowsers of users seeking to access the site.4) Induced self-censorshipAnother common and effective strategy to limit exposure to Internet content is byencouraging self-censorship both in browsing habits and in choosing content to post online.This may take place through the threat of legal action, the promotion of social norms, or159 Costas Douzinas, The End of Human Rights: Critical Legal Thought at the Turn of the Century(Oxford and Portland: Hart Publishing, 2000). P.1160 This content is taken from the, OpenNet Initiative, About Filtering, 05 June 2011<>. 34
  35. 35. informal methods of intimidation. Arrest and detention related to Internet offenses, or onunrelated charges, have been used in many instances to induce compliance with Internetcontent restrictions. In many cases, the content restrictions are neither spoken nor written. Theperception that the government is engaged in the surveillance and monitoring of Internetactivity, whether accurate or not, provides another strong incentive to avoid posting materialor visiting sites that might draw the attention of authorities.Points of ControlInternet filtration can occur at any or all of the following four nodes in network:1) Internet backboneState-directed implementation of national content filtering schemes and blocking technologiesmay be carried out at the backbone level, affecting Internet access throughout an entirecountry. This is often carried out at the international gateway.2) Internet Service ProvidersGovernment-mandated filtering is most commonly implemented by Internet ServiceProviders (ISPs) using any one or combination of the technical filtering techniques mentionedabove.3) InstitutionsFiltering of institutional level networks using technical blocking and/or induced self-censorship occurs in companies, government organizations, schools and cybercafés. In somecountries, this takes place at the behest of the government. More commonly, institutional-level filtering is carried out to meet the internal objectives of the institution such aspreventing the recreational use of workplace computers.4) Individual computersHome or individual computer level filtering can be achieved through the installation offiltering software that restricts an individual computer’s ability to access certain sites.Countries have been known to order filtering at all of these levels, whether setting upfiltration systems at the international gateway to eliminate access to content throughout theentire country, instructing ISPs to block access to certain sites, obligating schools to filtertheir networks, or requiring libraries to install filtration software on each individual computerthey provide.Filterings Inherent FlawsFiltering technologies, however, are prone to two simple inherent flaws: underblocking andoverblocking. While technologies can be effective at blocking specific content such as highprofile web sites, current technology is not able to accurately identify and target specificcategorizes of content found on the billions of webpages and other Internet media includingnews groups, email lists, chat rooms and instant messaging. Underblocking refers to thefailure of filtering to block access to all the content targeted for censorship. On the otherhand, filtering technologies often block content they do not intend to block, also known asoverblocking. Many blacklists are generated through a combination of manually designatedweb sites as well as automated searches and, thus, often contain websites that have beenincorrectly classified. In addition, blunt filtering methods such as IP blocking can knock outlarge swaths of acceptable websites simply because they are hosted on the same IP address asa site with restricted content.The profusion of Internet content means that Internet filtering regimes that hope tocomprehensively block access to certain types of content must rely on software providerswith automated content identification methods. This effectively puts control over access in 35
  36. 36. the hands of private corporations that are not subject to the standards of review common ingovernment mandates. In addition, because the filters are often proprietary, there is often notransparency in terms of the labeling and restricting of sites. The danger is most explicit whenthe corporations that produce content filtering technology work alongside undemocraticregimes in order to set-up nationwide content filtering schemes. Most states that implementcontent filtering and blocking augment commercially generated blocklists with customizedlists that focus on topics and organizations that are nation or language-specific. Bibliography2010 Foundation Index. “Technology: 2010 Shift Index Measuring the forces of long-term change .” 01 01 2011. Deloitte. < CM2000001b56f00aRCRD.htm>.International Committee of the Red Cross. Convention (IV) relative to the Protection of Civilian Persons in Time of War. 27, Article. 12 August 1949. 20 June 2011 < 125641e004aa3c5>.Ansfield, Jonathan. China Web Sites Seeking Users’ Names. 05 September 2009. 02 June 2011 <>.Arrest over social network site damage incitement. 14 August 2011. 17 August 2011 <>.Ball, James. By criminalising online dissent we put democracy in peril. 1 August 2011. 23 August 2011 < democracy-hacking>.Batty, David. LulzSec hackers claim breach of CIA website. 16 June 2011. 2 July 2011 <>.Berners-Lee, Tim. Long Live the Web: A Call for Continued Open Standards and Neutrality. 22 November 2010. 04 April 2011 <>.Blank, Stephen. “Web War I: Is Europes First Information War a New Kind of War?” Comparative Strategy 27.3 (2008): 227-247.British Broadcast Corporation. England riots: Government mulls social media controls. 11 August 2011. 15 August 2011 <>.British Broadcast Corpration.. US Pentagon to treat cyber-attacks as acts of war. 1 June 2011. 12 June 2011 <>.Catherine A. Theohary, John Rollins. Terrorist Use of the Internet: Information Operations in Cyberspace. Report for Congress. Congressional Research Service. Washington, 2011. 36