New Essay on SSRN: International Law & Information Operations

by Duncan Hollis

Info Ops or “IO” has been a hot topic of late. In April and May 2007, Estonia claimed to have become the first victim of cyberwar, as denial of service attacks on its computer networks, disabled not just government websites, but those of its banks, universities, telecommunication companies, and hospitals. Estonia blamed the attacks on the Russian government, which denied the charges. NATO took notice though, sending in experts to observe the attacks, and other militaries are studying the incident, reviving questions about war in the information age that were often pushed aside in the aftermath of September 11.

I’ve just posted a short essay on SSRN that looks at the question of IO and international law generally—you can download it here. Aimed at a military audience, it’s entitled, New Tools, New Rules: International Law & Information Operations, and will appear in the Marine Corps University Foundation-sponsored book, The Message of War: Information, Influence & Perception in Armed Conflict. Here’s the abstract:

For more than a decade, military thinkers have debated the impact of “information operations” (IO) on armed conflict. Responding to the possibilities (and vulnerabilities) inherent in the interconnectivity of the Internet and other information networks, IO constitutes a new form of warfare. IO uses methods such as computer network attacks or psychological operations to influence, disrupt, corrupt, usurp and defend information systems and the infrastructure they support. As militaries work through what IO can do, however, they must wrestle with when and how they can employ it—i.e., the question of law’s application to IO. Since computer networks and modern information systems constitute new tools (and new targets) for military activities, international law currently regulates them only by analogy, and even then, in a patchwork fashion. Most states and scholars appear content with this situation, denying any need to develop IO-specific rules. This paper challenges that conventional wisdom. Even as it applies to IO, the existing legal framework suffers from several, near-fatal conditions: uncertainty (i.e., militaries lack a clear picture of how to translate existing rules into the IO environment); complexity (i.e., overlapping legal regimes threaten to overwhelm military commanders seeking to apply IO); and insufficiency (i.e., existing rules fail to address basic challenges of modern conflicts with non-state actors). This situation creates disincentives for militaries to use IO, notwithstanding IO’s potential to achieve military and political objectives with less harm than conventional bombs or missiles. To redress these deficiencies, I propose states adopt an international law for information operations, or “ILIO.” By adopting an ILIO, states could alleviate the uncertainty and complexity of the status quo, reduce transaction costs for states fighting global terror, and lessen the collateral costs of armed conflict itself.

http://opiniojuris.org/2007/08/27/new-essay-on-ssrn-international-law-information-operations/

3 Responses

  1. GETTING IT RIGHT: PROTECTING AMERICAN CRITICAL

    INFRASTRUCTURE IN CYBERSPACE

    Sean M. Condron

    Major Condron is an Army JAG currently on the faculty at the Army JAG School in Charlottesville

    Footnotes omitted.

    “The current jus ad bellum paradigm does not offer adequate safeguards rom cyber attacks. The problem with cyber warfare is that technology makes it nearly impossible to attribute the attack to a specific

    source or to characterize the intent behind it. Moreover, a cyber atacker can launch her assault with the push of a key, completing the attack almost instantaneously. A legal system that requires a determination of the attacker’s identity and intent does not account for

    these features of the digital age. The current international paradigm therefore ties a state’s hands, making it difficult to effectively respond

    without risking a violation of international law.”

  2. The cite for Major Condron’s article, which I should have included, is:

    Harvard Journal of Law &Technology

    Volume 20, Number 2 Spring 2007

    GETTING IT RIGHT: PROTECTING AMERICAN CRITICAL

    INFRASTRUCTURE IN CYBERSPACE

    Sean M. Condron

  3. Duncan:

    This is a tremendously important and neglected area, and you are right that the status quo is horribly vague. One reason it may be neglected is that it is so secretive (both them and us). It is difficult to publicly discuss that which one doesn’t know or is restricted from disclosing, which makes publicly-known situations like that in Estonia helpful (albeit not to the Estonians) to illustrate and illuminate the subject for the rest of us.

    Computer Network Attack is so tempting, even dangerously and provocatively enticing, in that actors think they are able to mask their own identity while rendering potentially devastating attacks on their enemies. Aside: Just like those horrible anonymous posters ;-). Seriously, whether it is a state or non-state actor, or some combination of the two (a private organization affiliated with or somewhat responsive to a government), the promise of nondiscovery or at least deniability greatly raises the risk that the action will be taken even if illegal.

    In your article you mention submarines as an example where the existing law was applied to a new weapon, but did the law not also change after WWII in response to actual state practice regarding submarines? I recall a legal requirement that submarines had to surface and announce their intent to attack prior to torpoedoing (the Hague?). We threatened afterward to try German U-boat commanders for violation of the law of war until it was privately admitted that we had engaged in similar ‘unrestricted’ submarine warfare, and so we changed the law.

    I am sure whatever we are doing with IO and especially CNA is not publicly disclosed, but we must take care that this future ILIO will not be ignored by actual state practices. If we do it or are prepared to do it ourselves, can we prohibit others? We certainly can prohibit non-state actors from the field, but we need to be able to follow up with effective enforcement against them. I am intrigued by your proposal of ‘shiprider’ agreements as an analogy to respect sovereignty. That would only work where the government was cooperative, but it could be effective in places such as Pakistan.

    Much of this seems to be technology dependent, which may be yet another reason lawyers have stayed away.

Trackbacks and Pingbacks

  1. There are no trackbacks or pingbacks associated with this post at this time.