790 research outputs found

    Evidentiary issues in international disputes related to state responsibility for cyber operations


    Autonomous Cyber Capabilities Below and Above the Use of Force Threshold: Balancing Proportionality and the Need for Speed

    Protecting the cyber domain requires speedy responses. Mustering that speed will be a task reserved for autonomous cyber agents—software that chooses particular actions without prior human approval. Unfortunately, autonomous agents also suffer from marked deficits, including bias, unintelligibility, and a lack of contextual judgment. Those deficits pose serious challenges for compliance with international law principles such as proportionality. In the jus ad bellum, jus in bello, and the law of countermeasures, compliance with proportionality reduces harm and the risk of escalation. Autonomous agent flaws will impair their ability to make the fine-grained decisions that proportionality entails. However, a broad prohibition on deployment of autonomous agents is not an adequate answer to autonomy’s deficits. Unduly burdening victim states’ responses to the use of force, the conduct of armed conflict, and breaches of the non-intervention principle will cede the initiative to first movers that violate international law. Stability requires a balance that acknowledges the need for speed in victim state responses while ensuring that those responses remain within reasonable bounds. The approach taken in this Article seeks to accomplish that goal by requiring victim states to observe feasible precautions in the use of force and countermeasures, as well as the conduct of armed conflict. Those precautions are reconnaissance, coordination, repair, and review. Reconnaissance entails efforts to map an adversary’s network in advance of any incursion by that adversary. Coordination requires the interaction of multiple systems, including one or more that will keep watch on the primary agent. A victim state must also assist through provision of patches and other repairs of third-party states’ networks. Finally, planners must regularly review autonomous agents’ performance and make modifications where appropriate. 
These precautions will not ensure compliance with the principle of proportionality for all autonomous cyber agents. But they will both promote compliance and provide victim states with a limited safe harbor: a reasonable margin of appreciation for effects that would otherwise violate the duty of proportionality. That balance will preserve stability in the cyber domain and international law

    'Cyber gurus' : a rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection

    This paper draws on the psychology of risk and "management guru" literature (Huczynski, 2006) to examine how cybersecurity risks are constructed and communicated by cybersecurity specialists. We conduct a rhetorical analysis of ten recent cybersecurity publications ranging from popular media to academic and technical articles. We find most cybersecurity specialists in the popular domain use management guru techniques and manipulate common cognitive limitations in order to over-dramatize and over-simplify cybersecurity risks to critical infrastructure (CI). We argue there is a role for government: to collect, validate and disseminate more data among owners and operators of CI; to adopt institutional arrangements with an eye to moderating exaggerated claims; to reframe the debate as one of trade-offs between threats and opportunities as opposed to one of survival; and, finally, to encourage education programs in order to stimulate a more informed debate over the longer term

    Cyber Law and Espionage Law as Communicating Vessels

    Professor Lubin's contribution is Cyber Law and Espionage Law as Communicating Vessels, pp. 203-225. Existing legal literature would have us assume that espionage operations and “below-the-threshold” cyber operations are doctrinally distinct. Whereas one is subject to the scant, amorphous, and under-developed legal framework of espionage law, the other is subject to an emerging, ever-evolving body of legal rules, known cumulatively as cyber law. This dichotomy, however, is erroneous and misleading. In practice, espionage and cyber law function as communicating vessels, and so are better conceived as two elements of a complex system, Information Warfare (IW). This paper therefore first draws attention to the similarities between the practices – the fact that the actors, technologies, and targets are interchangeable, as are the knee-jerk legal reactions of the international community. In light of the convergence between peacetime Low-Intensity Cyber Operations (LICOs) and peacetime Espionage Operations (EOs) the two should be subjected to a single regulatory framework, one which recognizes the role intelligence plays in our public world order and which adopts a contextual and consequential method of inquiry. The paper proceeds in the following order: Part 2 provides a descriptive account of the unique symbiotic relationship between espionage and cyber law, and further explains the reasons for this dynamic. Part 3 places the discussion surrounding this relationship within the broader discourse on IW, making the claim that the convergence between EOs and LICOs, as described in Part 2, could further be explained by an even larger convergence across all the various elements of the informational environment. Parts 2 and 3 then serve as the backdrop for Part 4, which details the attempt of the drafters of the Tallinn Manual 2.0 to compartmentalize espionage law and cyber law, and the deficits of their approach. 
The paper concludes by proposing an alternative holistic understanding of espionage law, grounded in general principles of law, which is more practically transferable to the cyber realm.

    The Liberty to Spy

    Many, if not most, international legal scholars share the ominous contention that espionage, as a legal field, is devoid of meaning. For them, any attempt to extrapolate the lex lata corpus of the International Law of Intelligence (ILI), let alone its lex scripta, would inevitably prove to be a failed attempt, as there is simply nothing to extrapolate. The notion that international law is moot as to the question of if, when, and how intelligence is to be collected, analyzed, and promulgated, has been repeated so many times that it has become the prevailing orthodoxy. This paper offers a new and innovative legal framework for articulating the law and practice of interstate peacetime espionage operations, relying on a body of moral philosophy and intelligence ethics thus far ignored by legal thinkers. This framework diagnoses the legality of covert intelligence at three distinct temporal stages: before, during, and after. In doing so it follows the traditional paradigms of international law and the use of force, which themselves are grounded in the history of Just War Theory. Adopting the Jus Ad, Jus In, Jus Post model is appropriate, given the symbiosis between espionage and fundamental U.N. Charter principles. This paper focuses on the first of these three paradigms, the Jus Ad Explorationem (“JAE”), a sovereign’s prerogative to engage in peacetime espionage and the right’s core limitations. Examining a plethora of international legal sources, the paper exemplifies the myriad ways by which peacetime intelligence gathering has been already recognized as a necessary pre-requisite for the functioning of our global legal order. The paper then discusses the nature of the JAE. It argues that the right to spy is best understood as a privilege in Hohfeldian terms. 
It shows how understanding interstate intelligence operations as a weaker “liberty right” that imposes no obligations on third parties to tolerate such behavior helps capture the essence of the customary norms that form part of the practice. Recognizing the liberty right to spy opens the door for the doctrine of “abuse of rights” to play a role in constraining the practice. By identifying the only two legitimate justifications for peacetime espionage— advancing the national security interests of States and promoting an increase in international stability and cooperation—we are able to delimit what may constitute abusive spying, defined as exploiting one’s right to spy not for the purposes for which the right was intended. The paper concludes by introducing four categories of unlawful espionage: (1) spying as a means to advance personal interests; (2) spying as a means to commit internationally wrongful acts; (3) spying as a means to advance corporate interests; and (4) spying as a means to exploit post-colonial relations

    The threat of state sponsored Cyber attacks in Canada: to serve and protect

    This Masters of Global Affairs project has been constructed for the use as a piece contributing to policy recommendations for the Canadian Federal government on their response to handling state-sponsored cyber attacks on critical national infrastructure (CNI) in Canada. Throughout this project an exploration is undertaken to understand the means of attacks that Canada has faced since the millennium, as well as to see what defense and security measures were of use, and what security measures were under-utilized. By exploring these attacks to Canada's CNI, clarification on improvements for the federal government on its future state of cyber defense become available. This project will also look to shape policy recommendations that can be considered in further national security agenda creation as well as governmental policies affecting domestic, and global governance on cyber attacks

    Cybersecurity and cyber defence in the emerging democracies

    How do we interpret current cybersecurity and cyber defence affairs beyond what we know from the advanced democracies and industrialised states? This article argues that in the emerging democracies, the military is on its way to being the dominant force controlling cyber centres or commands emulating those already established in the global North. There are three main takeaways from such developments when using the case study of the western hemisphere. First, states in the region have decided to manage their cyber affairs through inter-governmental and military-to-military diplomacy with more powerful states, such as the United States. Second, governments are eager to set up interactive policy communities at the national level to review cyber risks together with those in the defence sector. Third, militarising cyberspace in fragile political and policy settings can become somewhat risky for democratic governing. Ultimately, marrying the protection of the digital space to highly politicised armed forces might turn into a challenge when trying to set up a secure and egalitarian internet

    Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)

    This Article makes two overarching arguments. First, strategy is a major driver of legal evolution. Most scholarship and commentary on cyber-attacks capture only one dimension of this point, focusing on how international law might be interpreted or amended to take account of new technologies and threats. The focus here, however, is on the dynamic interplay of law and strategy – strategy generates reappraisal and revision of law, while law itself shapes strategy – and the moves and countermoves among actors with varying interests, capabilities, and vulnerabilities. The purpose is not to come down in favor of one legal interpretation or another, and the conclusions are necessarily speculative because no governments speak in much detail about their cyberwarfare capabilities and strategies at this point. There are downside risks and tensions inherent in any plausible approach, though, and this analysis helps in understanding their implications. Second, it will be difficult to achieve international agreement on legal interpretation and to enforce it with respect to cyber-attacks. The current trajectory of U.S. interpretation is a reasonable effort to overcome the translation problems inherent in a U.N. Charter built for a different era of conflict. However, not only do certain features of cyber-activities make international legal regulation very difficult, but major actors also have divergent strategic interests that will pull their preferred doctrinal interpretations and aspirations in different directions, impeding formation of a stable international consensus. U.S. policymakers should therefore prepare to operate in a highly contested and uncertain legal environment. The prescription is not to abandon interpretive or multilateral legal efforts to regulate cyberattacks; rather, it is to recognize the likely limits of these efforts and to consider the implications of legal proposals or negotiations in the context of broader security strategy

    Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)

    Cyber-attacks – efforts to alter, disrupt, or destroy computer systems, networks, or the information or programs on them – pose difficult interpretive issues with respect to the U.N. Charter, including when, if ever, such activities constitute prohibited “force” or an “armed attack” justifying military force in self-defense. In exploring these issues, and by drawing on lessons from Cold War legal debates about the U.N. Charter, this Article makes two overarching arguments. First, strategy is a major driver of legal evolution. Whereas most scholarship and commentary on cyber-attacks has focused on how international law might be interpreted or amended to take account of new technologies and threats, this Article focuses on the dynamic interplay of law and strategy – strategy generates reappraisal and revision of law, while law itself shapes strategy – and the moves and countermoves among actors with varying interests, capabilities, and vulnerabilities. Second, this Article argues that it will be difficult to achieve international agreement on legal interpretation and to enforce it with respect to cyber-attacks. The current trajectory of U.S. interpretation – which emphasizes the effects of cyber-attacks in analyzing whether they cross the U.N. Charter’s legal thresholds – is a reasonable effort to overcome translation problems of a Charter built for a different era of conflict. However, certain features of cyber-activities make international legal regulation very difficult, and major actors have divergent strategic interests that will pull their preferred doctrinal interpretations and aspirations in different directions, impeding formation of a stable international consensus. The prescription is not to abandon interpretive or multilateral legal efforts to regulate cyber-attacks, but to recognize the likely limits of these efforts and to consider the implications of legal proposals or negotiations in the context of broader security strategy