Perspectives for Cyber Strategists on Law for Cyberwar

The proliferation of martial rhetoric in connection with the release of thousands of pages of sensitive government documents by the WikiLeaks organization underlines how easily words that have legal meanings can be indiscriminately applied to cyber events in ways that can confuse decision makers and strategists alike. The WikiLeaks phenomenon is but the latest in a series of recent cyber-related incidents––ranging from cyber crises in Estonia and Georgia to reports of the Stuxnet cyberworm allegedly infecting Iranian computers––that have contributed to a growing perception that “cyberwar” is inevitable, if not already underway. All of this generates a range of legal questions, with popular wisdom being that the law is inadequate or lacking entirely. Lt Gen Keith B. Alexander, the first commander of US Cyber Command, told Congress at his April 2010 confirmation hearings that there was a “mismatch between our technical capabilities to conduct operations and the governing laws and policies.” Likewise, Jeffrey Addicott, a highly respected cyber-law authority, asserts that “international laws associated with the use of force are woefully inadequate in terms of addressing the threat of cyberwarfare.” This article takes a somewhat different tact concerning the ability of the law of armed conflict (LOAC) to address cyber issues. Specifically, it argues that while there is certainly room for improvement in some areas, the basic tenets of LOAC are sufficient to address the most important issues of cyberwar. Among other things, this article contends that very often the real difficulty with respect to the law and cyberwar is not any lack of “law,” per se, but rather in the complexities that arise in determining the necessary facts which must be applied to the law to render legal judgments

The Intersection of Law and Ethics in Cyberwar: Some Reflections

The purpose of this short essay is to reflect upon a few issues that illustrate how legal and ethical issues intersect in the cyber realm. Such an intersection should not be especially surprising., Historian Geoffrey Best insists, “[I]t must never be forgotten that the law of war, wherever it began at all, began mainly as a matter of religion and ethics . . . “It began in ethics” Best says “and it has kept one foot in ethics ever since.” Understanding that relationship is vital to appreciating the full scope of the responsibilities of a cyber-warrior in the 21st century

Warfighting for cyber deterrence: a strategic and moral imperative

Theories of cyber deterrence are developing rapidly. However, the literature is missing an important ingredient—warfighting for deterrence. This controversial idea, most commonly associated with nuclear strategy during the later stages of the Cold War, affords a number of advantages. It provides enhanced credibility for deterrence, offers means to deal with deterrence failure (including intrawar deterrence and damage limitation), improves compliance with the requirements of just war and ultimately ensures that strategy continues to function in the post-deterrence environment. This paper assesses whether a warfighting for deterrence approach is suitable for the cyber domain. In doing so, it challenges the notion that warfighting concepts are unsuitable for operations in cyberspace. To do this, the work constructs a conceptual framework that is then applied to cyber deterrence. It is found that all of the advantages of taking a warfighting stance apply to cyber operations. The paper concludes by constructing a warfighting model for cyber deterrence. This model includes passive and active defences and cross-domain offensive capabilities. The central message of the paper is that a theory of victory (strategy) must guide the development of cyber deterrence

The nature of international law cyber norms

The special expanded issue of the NATO Cooperative Cyber Defence Centre of Excellence's Tallinn Papers examines the nature, formation and evolution of international legal norms governing cyber activities. The inquiry’s foundational premise is that the rules of international law governing cyber activities are identical to those applicable to other types of conduct. Any differences in their explication and application are the product of the unique nature of cyber activities, not a variation in the legal strictures that shape their content and usage. It conducts the examination by genre of legal norm: treaty, customary law and general principles

Beyond state-centrism: international law and non-state actors in cyberspace

Classically, States and non-State actors were differentiated not only by disparities in legal status but also by significant imbalances in resources and capabilities. Not surprisingly, international law developed a State-centric bias to account for these imbalances. Cyberspace and cyber operations, however, have closed a number of formerly significant gaps between States’ and non-State actors’ abilities to compromise international peace and security. In fact, some non-State actors now match, if not exceed, the cyber capabilities of many States in this respect. Where public international law had long proved chiefly relevant to States’ interactions with other States, cyber operations by non-State actors increase the frequency with which public international law provides relevant and binding legal rules. This article surveys existing public international law for norms relevant to the cyber interactions of cyber-empowered States and non-State actors. Specifically, the article illustrates how the principles of sovereignty, State responsibility and the jus ad bellum are particularly relevant to States engaged in struggles with non-State actors for security and supremacy in cyberspace

Peeling Back the Onion of Cyber Espionage after Tallinn 2.0

Tallinn 2.0 represents an important advancement in the understanding of international law’s application to cyber operations below the threshold of force. Its provisions on cyber espionage will be instrumental to states in grappling with complex legal problems in the area of digital spying. The law of cyber espionage as outlined by Tallinn 2.0, however, is substantially based on rules that have evolved outside of the digital context, and there exist serious ambiguities and limitations in its framework. This Article will explore gaps in the legal structure and consider future options available to states in light of this underlying mismatch

Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy

Most of the actions that fall under the trilogy of cyber crime, terrorism,and war exploit pre-existing weaknesses in the underlying technology.Because these vulnerabilities that exist in the network are not themselvesillegal, they tend to be overlooked in the debate on cyber security. A UKreport on the cost of cyber crime illustrates this approach. Its authors chose to exclude from their analysis the costs in anticipation of cyber crime, such as insurance costs and the costs of purchasing anti-virus software on the basis that "these are likely to be factored into normal day-to-day expenditures for the Government, businesses, and individuals. This article contends if these costs had been quantified and integrated into the cost of cyber crime, then the analysis would have revealed that what matters is not so much cyber crime, but the fertile terrain of vulnerabilities that unleash a range of possibilities to whomever wishes to exploit them. By downplaying the vulnerabilities, the threats represented by cyber war, cyber terrorism, and cyber crime are conversely inflated. Therefore, reassessing risk as a strategy for security in cyberspace must include acknowledgment of understated vulnerabilities, as well as a better distributed knowledge about the nature and character of the overhyped threats of cyber crime, cyber terrorism, and cyber war

State opinio juris and international humanitarian law pluralism

International humanitarian law has developed through a pluralistic process. Its history reveals a pattern of rough proportionality between State opinio juris and non-State expressions of law. These diverse sources have maintained a respectable yet realistic balance between humanity and military necessity. However, current IHL dialogue presents a stark contrast to the vibrant and pluralistic exchanges of the past. The substantive input of non-State actors such as non-governmental organizations, tribunals, and scholars far outpaces the work of States. Parity of input, especially in quantitative terms, is surely too much to demand and surely not necessary given the special status of State opinio juris. However, States’ legal agencies and agents should be equipped, organized, and re-empowered to participate actively in the interpretation and development of IHL. This article, extracted from a larger work, argues that reinvigorating opinio juris would reestablish the pluralistic IHL dialogue that formerly tested, updated, and enriched the balance between military necessity and humanity

Peacetime cyber responses and wartime cyber operations under international law: an analytical vade mecum

Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations examines the application of extant international law principles and rules to cyber activities occurring during both peacetime and armed conflict. It was intended by the two International Groups of Experts that drafted it to be a useful tool for analysis of cyber operations. The manual comprises 154 Rules, together with commentary explaining the source and application of the Rules. However, as a compendium of rules and commentary, the manual merely sets forth the law. In this article, the director of the Tallinn Manual Project offers a roadmap for thinking through cyber operations from the perspective of international law. Two flowcharts are provided, one addressing state responses to peacetime cyber operations, the other analyzing cyber attacks that take place during armed conflicts. The text explains each step in the analytical process. Together, they serve as a vade mecum designed to guide government legal advisers and others through the analytical process that applies in these two situations, which tend to be the focus of great state concern. Readers are cautioned that the article represents but a skeleton of the requisite analysis and therefore should be used in conjunction with the more robust and granular examination of the subjects set forth in Tallinn Manual 2.0