Peeling Back the Onion of Cyber Espionage after Tallinn 2.0

Tallinn 2.0 represents an important advancement in the understanding of international law’s application to cyber operations below the threshold of force. Its provisions on cyber espionage will be instrumental to states in grappling with complex legal problems in the area of digital spying. The law of cyber espionage as outlined by Tallinn 2.0, however, is substantially based on rules that have evolved outside of the digital context, and there exist serious ambiguities and limitations in its framework. This Article will explore gaps in the legal structure and consider future options available to states in light of this underlying mismatch

"Virtual disenfranchisement": cyber election meddling in the grey zones of international law

This Article examines remotely conducted election meddling by cyber means in the context of international law and asks whether such cyber operations qualify as "internationally wrongful acts." An internationally wrongful act requires both a breach of a legal obligation owed by one State to another under international law and attribution of the act to the former. The Article considers three possible breaches related to such meddling-violation of the requirement to respect sovereignty, intervention into the internal affairs of another State, and, when the cyber operations are not attributable to the State from which they were launched, breach of the due diligence obligation that requires States to ensure cyber operations with serious adverse consequences are not mounted from their territory. The Article then examines the various modalities for attributing a cyber operation to a State under international law. Whether cyber meddling in another State's election is unlawful, as well as the severity thereof, determines the range of responses available to the victim State. The Article concludes that the law applicable to remotely conducted meddling in another State's election is unsettled, thereby comprising a normative grey zone ripe for exploitation by States and non-State actors

Warfighting for cyber deterrence: a strategic and moral imperative

Theories of cyber deterrence are developing rapidly. However, the literature is missing an important ingredient—warfighting for deterrence. This controversial idea, most commonly associated with nuclear strategy during the later stages of the Cold War, affords a number of advantages. It provides enhanced credibility for deterrence, offers means to deal with deterrence failure (including intrawar deterrence and damage limitation), improves compliance with the requirements of just war and ultimately ensures that strategy continues to function in the post-deterrence environment. This paper assesses whether a warfighting for deterrence approach is suitable for the cyber domain. In doing so, it challenges the notion that warfighting concepts are unsuitable for operations in cyberspace. To do this, the work constructs a conceptual framework that is then applied to cyber deterrence. It is found that all of the advantages of taking a warfighting stance apply to cyber operations. The paper concludes by constructing a warfighting model for cyber deterrence. This model includes passive and active defences and cross-domain offensive capabilities. The central message of the paper is that a theory of victory (strategy) must guide the development of cyber deterrence

General Counsel of the FBI, James Baker, in Conversation with Professor Mary DeRosa on the FBI and International Justice

Mary DeRosa, Georgetown Law Professor, former Deputy Counsel to President Obama for National Security Affairs, former Legal Advisor to the National Security Council under President Obama, and former Deputy Legal Adviser to the National Security Council in the Clinton Administration, interviewed current General Counsel of the Federal Bureau of Investigation (FBI), James Baker. The two discussed the FBI’s role in international law enforcement and the domestic tension between technological advancement and law enforcement duties

Asia-Pacific cyber insights

This report aims to give insight into the wealth of cyber perspectives across the Asia–Pacific and amplify the regional voice on the key themes and questions of the Global Conference on CyberSpace 2015 in April 2015. Overview The Asia-Pacific region incorporates some of the most mature cyber actors in the world as well as some of the least connected. Governments throughout the region are becoming increasingly aware of the importance of cyberspace, however the capabilities, needs, and priorities of each state lie across a wide spectrum. Asia–Pacific cyber perspectives are far more diverse and dynamic than the dominant narratives coming from the ‘cyber great powers’ and it is important that the region’s distinct voices are heard in international cyber discussions. This report aims to give insight into the wealth of cyber perspectives across the Asia–Pacific and amplify the regional voice on the key themes and questions of the Global Conference on CyberSpace 2015 (GCCS) in April 2015. To achieve this the Australian Strategic Policy Institute’s International Cyber Policy Centre partnered with the Institute of Strategic & International Studies Malaysia to host a multistakeholder workshop to gather and collate the expertise of a broad cross-section of Asia–Pacific cyber experts. With generous support from the Ministry of Foreign Affairs of the Kingdom of the Netherlands, the workshop brought together participants from government, the private sector, academia, think tanks, non-governmental organisations (NGOs), as well as regional and international organisations from 12 Asia–Pacific countries. The report represents a collation of the thoughts and perspectives from the workshop and subsequent discussions. It is based on the key themes and questions of the GCCS and structured around the GCCS agenda. The intention was not to achieve consensus but instead accurately portray the points of convergence and divergence across the region. Throughout the process the recurring themes of clarity, capacity, and responsibility emerged as ways to ensure a more reliable, secure, and stable cyberspace. The findings of this effort will be presented at an Asia-Pacific Borrel, an official side-event of the GCCS

Cybervandalism or Digital Act of War? America\u27s Muddled Approach to Cyber Incidents Will Not Deter More Crises

If experts say a malicious [cyber] code \u27 has similar effects to a physical bomb, \u27 and that code actually causes a stunning breach of global internet stability, is it really accurate to call that event merely an instance of a cyber attack ? Moreover, can you really expect to deter state and non-state actors from employing such code and similarly hostile cyber methodologies if all they think that they are risking is being labeled as a cyber-vandal subject only to law enforcement measures? Or might they act differently if it were made clear to them that such activity is considered an armed attack \u27 against the United States and that they are in jeopardy of being on the receiving end of a forceful, law-of-war response by the most powerful military on the planet? Of course, if something really is just vandalism, the law enforcement paradigm, with its very limited response options, would suffice. But when malevolent cyber activity endangers the reliability of the internet in a world heavily dependent on a secure cyberspace, it is not merely vandalism. Rather, it is a national and international security threat that ought to be characterized and treated as such. Unfortunately, the United States\u27 current approach is too inscrutable and even contradictory to send an effective deterrence message to potential cyber actors. This needs to change

American Cyber Insecurity: The growing danger of cyber attacks

This paper aims to advise American policy makers on a correct course of action regarding the advent of cyber warfare. Cyber-attacks have become ubiquitous in the 21st century and pose a direct threat to the safety of American interests abroad and domestically. Beginning with an analysis of the history and lessons from past cyber conflicts this paper moves on to proscribe a set of actions to protect American security in the 21st century. We conclude that the current legal framework for evaluating cyber-attacks needs to be re-framed in a manner more conducive to American interests.Winner of the 2014 Alona E. Evans Prize, a Duke Political Science award for the undergraduate or graduate student(s) whose paper on international law best reflects excellence in scholarshi

Towards the International Rule of Law in Cyberspace: Contrasting Chinese and Western Approaches

This is the author accepted manuscript. The final version is available from OUP via the DOI in this record.China and Western countries have repeatedly portrayed each other as potential or actual adversaries in cyberspace. Yet, both sides ostensibly subscribe to an international consensus that cyber operations must be subjected to the rule of law. Against this background, the article examines five key aspects of the rule of law in cyberspace, which are ordinarily understood as areas of contention: (1) preferred method of identification and development of international law; (2) competing models of cyberspace governance; (3) application of sovereignty to cyberspace; (4) question of militarization of cyberspace; and (5) legality of cyber espionage. Our analysis demonstrates that it is inaccurate to view China and the West as sharply divided and competing camps. Rather, the emerging picture reveals a web of relationships and views that reflect an overall trajectory of convergence, even if modest in scope and velocity.Research on this topic was supported by the Major Projects of National Social Science Fund of China (Grant No.: 16ZDA074

An International Law Response to Economic Cyber Espionage

Cyber threats have emerged as one of the most serious dangers to U.S. and global security. Increasingly, malicious actors—some private, but others that appear to be state-sponsored—seek to advance their strategic aims through violent or non-violent cyber-attacks. This Article considers the problem of non-violent, yet still destructive, economic cyber espionage, which targets the intellectual, industrial, and information property of major global powers like the United States. The Article argues that the international community’s reticence is owing to a stale set of international legal norms. The Article explains how existing principles of international law—such as state sovereignty, non-intervention, and state responsibility—should evolve to address the current threat of economic cyber espionage. The Article also discusses how norms against economic cyber espionage could also be interpreted to exist within the World Trade Organization (WTO) agreements that deal with intellectual property. These WTO rules together with the relevant (and modernized) customary norms arguably provide WTO member states recourse to the Dispute Settlement Body to assert their claims of economic cyber espionage. The Article urges victim states to channel their legal complaints through this economic body and its dispute resolution mechanism. It concludes with a realist perspective on why the WTO would be the most effective institution to ensure compliance with these norms