Why States Need an International Law for Information Operations
For much of the last year, I’ve been thinking about whether existing international humanitarian law rules are up to the task of dealing with issues of cyberwar and cyberterror, or, to use the U.S. military terminology–information operations (IO). In addition to an Op-Ed and a short piece for a military audience, I’ve now posted on SSRN a more detailed discussion of IO geared toward international lawyers. It comes out of a Lewis and Clark Law School Symposium I attended last year, Crimes, War Crimes & the War on Terror. Using the Spring 2007 denial of service attacks on Estonia as my launching pad, my article argues that although the law of war currently applies to IO, it’s not well-suited to the task at hand. As a result, I propose states recognize the need to craft IO-specific rules and explore some of the issues that will accompany that effort. Here’s the abstract.
Just as states have spent the last several years wrestling with the appropriate legal response to terror, they must now undertake a similar effort to deal with the burgeoning use of information operations (IO). IO involves the use of information technology, such as computer network attacks or psychological operations, to influence, disrupt, corrupt, usurp or defend information systems and the infrastructure they support. More than thirty states have developed IO capacities. But IO is also undoubtedly attractive to non-state actors like Al Qaeda, since the technology is mostly inexpensive, easy-to-use, and capable of deployment from virtually anywhere.
This Article assesses the ways in which international law, specifically the rules regulating the use of force and the law of war, currently applies to IO. Conventional wisdom suggests existing rules can cover IO by analogy. The conventional wisdom is only half-right. This Article explains why the existing rules govern IO, but challenges the unstated assumption that they do so appropriately. Translating existing rules into the IO context produces extensive uncertainty, risking unintentional escalations of conflict where forces have differing interpretations of what is permissible. Alternatively, such uncertainty may discourage the use of IO even if it might produce less harm than traditional means of warfare. Beyond uncertainty, the existing legal framework is insufficient and overly complex. Existing rules have little to say about the non-state actors that will be at the center of future conflicts. And where the laws of war do not apply, even by analogy, an overwhelmingly complex set of other international and foreign law rules purport to govern IO.
To remedy such deficiencies, this Article proposes a new legal framework, an international law for information operations (ILIO). By adopting an ILIO, states could alleviate the uncertainty and complexity of the status quo, reduce transaction costs for states fighting global terror, and lessen the collateral costs of armed conflict itself. This Article concludes with a review of some of the regulatory design questions facing an ILIO, but does not offer any specific rules. Rather, its ultimate aim is to convince states and scholars about the need for an ILIO in the first place.