Virtual Violence - Disruptive Cyberspace Operations as Attacks Under International Humanitarian Law

Power outages, manipulations of data, and interruptions of Internet access are all possible effects of cyber operations. Unfortunately, recent efforts to address and regulate cyberspace operations under international law often emphasize the uncommon, though severe, cyber-attacks that cause deaths, injuries, or physical destruction. This paper deals with cyber operations during armed conflicts that cause major disruption or interruption effects – as opposed to deaths, injuries, or physical destruction. The purpose of this paper is to explore the consequences of these cyber operations that cause major disruption or interruption effects, and to argue that they might still constitute “acts of violence,” as the term “attacks” is defined under international humanitarian law. Cyber operations that qualify as “attacks” will have to comply with the principles of distinction and proportionality, thus requiring the initiator to design his or her cyber weapon humanely. Therefore, labeling these cyber operations as “attacks” will promote the (1) the protection of civilians and objects; (2) critical infrastructure, such as energy, transportation and emergency services, and (3) strengthen fundamental human rights

Virtual Violence - Disruptive Cyberspace Operations as Attacks Under International Humanitarian Law

Power outages, manipulations of data, and interruptions of Internet access are all possible effects of cyber operations. Unfortunately, recent efforts to address and regulate cyberspace operations under international law often emphasize the uncommon, though severe, cyber-attacks that cause deaths, injuries, or physical destruction. This paper deals with cyber operations during armed conflicts that cause major disruption or interruption effects – as opposed to deaths, injuries, or physical destruction. The purpose of this paper is to explore the consequences of these cyber operations that cause major disruption or interruption effects, and to argue that they might still constitute “acts of violence,” as the term “attacks” is defined under international humanitarian law. Cyber operations that qualify as “attacks” will have to comply with the principles of distinction and proportionality, thus requiring the initiator to design his or her cyber weapon humanely. Therefore, labeling these cyber operations as “attacks” will promote the (1) the protection of civilians and objects; (2) critical infrastructure, such as energy, transportation and emergency services, and (3) strengthen fundamental human rights

An Extraterritorial Human Right to Cybersecurity

Cybersecurity breaches have affected consumers and the landscape of politics globally. Legal developments have been reactive and incomprehensive. The fatal flaws of international law make it an ill-suited solution to these concerns because international law binds state actors and does not give individuals rights. International human rights law, however, provides the best solution because it does provide harmed individuals with rights and mechanisms to seek recourse. Cybersecurity relates to several key areas of human rights law and, therefore, its regulation is well suited to the existing international human rights regulatory scheme. This Article explores the possibility of using international human rights law to protect victims of attacks and the possible gaps left by the existing regulatory regime’s territorial nature, as well as issues that may arise from attempting to use human rights law to regulate cybersecurity

Freedom to Hack

Swaths of personal and nonpersonal information collected online about internet users are increasingly being used in sophisticated ways to manipulate them based on that information. This represents a new trend in the exploitation of data, where instead of pursuing direct financial gain based on the face value of the data, actors are seeking to engage in data analytics using advanced artificial intelligence technologies that would allow them to more easily access individuals’ cognition and future behavior. Although in recent years the concept of online manipulation has received some academic and policy attention, the desirable relationship between the data-breach law and online manipulation is not yet well-appreciated. In other words, regulators and courts are yet to realize the power of existing legal mechanisms pertaining to data breaches in mitigating the harm of online manipulation. This Article provides an account of this relationship, by looking at online manipulation achieved through psychographic profiling. It submits that the volume, efficacy, and sophistication of present online manipulation techniques pose a considerable and immediate danger to autonomy, privacy, and democracy. Internet actors, political entities, and foreign adversaries fastidiously study the personality traits and vulnerabilities of potential voters and, increasingly, target each such voter with an individually tailored stream of information or misinformation with the intent of exploiting the weaknesses of these individuals. While new norms and regulations will have to be enacted at a certain point to address the problem of manipulation, data-breach law could provide a much-needed backdrop for the challenges presented by online manipulation, while alleviating the sense of lawlessness engulfing current misuses of personal and nonpersonal data. At the heart of this Article is the inquiry of data-breach law’s ability to recognize the full breadth of potential misuse of breached personal information, which today includes manipulation for political purposes. At present, data-breach jurisprudence does very little to recognize its evolving role in regulating misuses of personal information by unauthorized parties. It is a jurisprudence that is partially based on a narrow approach that seeks to remedy materialized harm in the context of identity theft or fraud. This approach contravenes the purpose of data-breach law – to protect individuals from the externalities of certain cyber risks by bridging informational asymmetries between corporations and consumers. This Article develops the theoretical connection between data-breach law and online manipulation, providing for a meaningful regulatory solution that is not currently used to its full extent

Freedom to Hack

Swaths of personal and nonpersonal information collected online about internet users are increasingly being used in sophisticated ways to manipulate them based on that information. This represents a new trend in the exploitation of data, where instead of pursuing direct financial gain based on the face value of the data, actors are seeking to engage in data analytics using advanced artificial intelligence technologies that would allow them to more easily access individuals’ cognition and future behavior. Although in recent years the concept of online manipulation has received some academic and policy attention, the desirable relationship between the data-breach law and online manipulation is not yet well-appreciated. In other words, regulators and courts are yet to realize the power of existing legal mechanisms pertaining to data breaches in mitigating the harm of online manipulation. This Article provides an account of this relationship, by looking at online manipulation achieved through psychographic profiling. It submits that the volume, efficacy, and sophistication of present online manipulation techniques pose a considerable and immediate danger to autonomy, privacy, and democracy. Internet actors, political entities, and foreign adversaries fastidiously study the personality traits and vulnerabilities of potential voters and, increasingly, target each such voter with an individually tailored stream of information or misinformation with the intent of exploiting the weaknesses of these individuals. While new norms and regulations will have to be enacted at a certain point to address the problem of manipulation, data-breach law could provide a much-needed backdrop for the challenges presented by online manipulation, while alleviating the sense of lawlessness engulfing current misuses of personal and nonpersonal data. At the heart of this Article is the inquiry of data-breach law’s ability to recognize the full breadth of potential misuse of breached personal information, which today includes manipulation for political purposes. At present, data-breach jurisprudence does very little to recognize its evolving role in regulating misuses of personal information by unauthorized parties. It is a jurisprudence that is partially based on a narrow approach that seeks to remedy materialized harm in the context of identity theft or fraud. This approach contravenes the purpose of data-breach law – to protect individuals from the externalities of certain cyber risks by bridging informational asymmetries between corporations and consumers. This Article develops the theoretical connection between data-breach law and online manipulation, providing for a meaningful regulatory solution that is not currently used to its full extent

Privatized Cybersecurity Law

Tech companies have gradually and informally assumed the role of international lawmakers on global cybersecurity issues. But while it might seem as if the international community and Internet users are the direct beneficiaries of private tech industries’ involvement in making law, there are many questions about this endeavor that require a thorough examination. The end goal and risks associated with such ventures are largely obscure and unexplored. This Article provides an analysis of how tech companies are effectively becoming regulators on global cybersecurity, based on states’ inability to overcome geopolitical divides on how cyberspace ought to be regulated globally. This Article looks primarily at three separate proposals representing the larger trend of the privatization of cybersecurity law: the Digital Geneva Convention, the Cyber Red Cross, and the Cybersecurity Tech Accord. These, as well as other initiatives, reflect the gradual and uncontested assimilation of private tech companies into the machinery of international lawmaking. This Article argues that state governments, civil society organizations, Internet users, and other stakeholders need to step back and carefully evaluate the dangers of ceding too much lawmaking control and authority to the private tech sector. These private actors, while not yet on an equal footing to states, are increasingly displacing states as they seek to create their own privatized and unaccountable version of cybersecurity law

World Wide Web of Exploitations – the Case of Peacetime Cyber Espionage Operations Under International Law:: Towards a Contextual Approach

The emergence of cyber espionage, as well as the ability to leak gathered sensitive information, has exacerbated the complexity of determining the legality of espionage under international law. Cyber espionage, just like other cyber operations, offers a highly sophisticated, relatively inexpensive, and accessible medium to achieve certain informational, political, and operational goals. The indeterminacy of cyber espionage in international law has given rise to various arguments as to which international norms and principles are applicable to cyber espionage. Divergent positions, however, focus only on certain aspects of cyber espionage. For this reason, the scope of legal treatment of cyber espionage is limited and lacks context. The purpose of this article is to reject this dichotomous approach and propose a more nuanced framework for addressing cyber espionage in international law. Cyber operations should be analyzed on a continuum that triggers different norms depending on the context and consequences. The contextual approach focuses on the effects of a cyber operation and the context in which it occurs to determine the relevant set of norms applicable to it

Privatized Cybersecurity Law

Tech companies have gradually and informally assumed the role of international lawmakers on global cybersecurity issues. But while it might seem as if the international community and Internet users are the direct beneficiaries of private tech industries’ involvement in making law, there are many questions about this endeavor that require a thorough examination. The end goal and risks associated with such ventures are largely obscure and unexplored. This Article provides an analysis of how tech companies are effectively becoming regulators on global cybersecurity, based on states’ inability to overcome geopolitical divides on how cyberspace ought to be regulated globally. This Article looks primarily at three separate proposals representing the larger trend of the privatization of cybersecurity law: the Digital Geneva Convention, the Cyber Red Cross, and the Cybersecurity Tech Accord. These, as well as other initiatives, reflect the gradual and uncontested assimilation of private tech companies into the machinery of international lawmaking. This Article argues that state governments, civil society organizations, Internet users, and other stakeholders need to step back and carefully evaluate the dangers of ceding too much lawmaking control and authority to the private tech sector. These private actors, while not yet on an equal footing to states, are increasingly displacing states as they seek to create their own privatized and unaccountable version of cybersecurity law