New Rules for Cyberwar?
More than a decade ago, the U.S. Defense Department’s Office of General Counsel (DoD OGC) released a detailed analysis of the way international law would operate to guide U.S. military activity in cyberspace. It was an impressive effort and is still worth reading today despite all the intervening, and dramatic, changes in the technology and the geopolitical landscape. At the same time, the DoD OGC memo was ultimately an exercise in issue-spotting rather than rule-clarification. Indeed, as I’ve noted for some time, international law may clearly govern military activities in cyberspace (whether in terms of the jus ad bellum or the jus in bello), but the content of those rules is far from clear; and where there are identifiable rules, they tend to derive from too many overlapping legal regimes while not adequately regulating the very areas (e.g., non-state actor attacks) most in need of regulation. As a result, cyber-specific rules of international law are clearly needed.
Now, international law can be created through a wide array of pathways. The most prevalent modern method would be treaty-making. As a result, the idea of a global treaty on cyberwar has become popular in various quarters, whether in the form of something like the Geneva Conventions, Russian proposals to regulate the proliferation of “cyberweapons,” or the Council of Europe’s efforts to combat cybercrime. Critics have questioned whether such an effort could succeed (while others continue to insist it is not necessary).
For proponents of international regulation, however, it is important to recognize that international law can come from sources other than treaties; customary international law remains possible, even prevalent, in much of international humanitarian law. And custom comes from state practice. Indeed, it’s worth remembering that much of the modern law of war began with the effort by a single state–the United States–to draft regulations for its armed forces in their conduct of the Civil War with the Confederacy: General Orders No. 100, better known as the Lieber Code for its author, Columbia Professor Francis Lieber.
It’s with the Lieber Code in mind, therefore, that I am interested in seeing the Executive Orders President Obama signed last month, detailing what the U.S. military and intelligence agencies can do in cyberspace. The U.S. government has yet to put out any unclassified versions of its strategy or specific rules in this area. But, the Wall Street Journal noted last month that the United States will now regard certain cyber-attacks as acts of war. And, today, the AP is reporting further details. Here’s the meat of the most recent story:
As an example, the new White House guidelines would allow the military to transmit computer code to another country’s network to test the route and make sure connections work — much like using satellites to take pictures of a location to scout out missile sites or other military capabilities.
The digital code would be passive and could not include a virus or worm that could be triggered to do harm at a later date. But if the U.S. ever got involved in a conflict with that country, the code would have mapped out a path for any offensive cyberattack to take, if approved by the president.
The guidelines also make clear that when under attack, the U.S. can defend itself by blocking cyber intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the U.S. has the right to pursue attackers across national boundaries — even if those are virtual network lines.
Under the new Pentagon guidelines, it would be unacceptable to deliberately route a cyberattack through another country if that nation has not given permission — much like U.S. fighter jets need permission to fly through another nation’s airspace.
Uri Friedman over at the Atlantic Wire distills this to suggest the new Executive Orders will (1) regulate peacetime use of cyberespionage, (2) permit military retaliation to a cyberattack that constitutes an attack, and (3) prohibit deliberate (but not inadvertent) use of neutral networks in military cyberactivities.
I am really interested to see what the White House or the Pentagon papers will actually say about these three points. Working backwards, neutrality is a complicated (and frankly a bit esoteric) area of international humanitarian law in which the United States has already taken contested positions in its global efforts to combat Al Qaeda. Military retaliation, aka self-defense, is not a terribly controversial idea if in response to something that rises to the level of an armed attack; the trick will be to see if the Pentagon lays out clearly what that threshold will be.
The cyber-espionage point, however, is a bit more difficult than the AP describes it. It is true that cyberexploitations (where you simply gain unauthorized access to data from another computer system or network) are different than cyberattacks (where you deny, disrupt or degrade the computer system’s integrity, authenticity or availability). And, it is also true that international law has not prohibited espionage (although virtually every state has criminalized such acts). The problem is that some States may not be willing to equate the most extreme cyberexploitations with traditional acts of espionage. The scale of a cyberexploitation can be stunning if it can access all data resident within a military computer network or one, say, that controls a nuclear power plant. Depending on the target or scale of the exploit, it could compromise a nation’s security in ways that outstrip what human intelligence or satellite imagery has been capable of to date. As a result, while many states may regard most cyberexploitation as falling within the espionage status quo, I’m not as certain that all cyberexploitations will be regarded that way.
More importantly, while the United States can always say that it is only going to engage in peacetime cyberexploitations as distinct from cyberattacks, it is not clear if other states will accept that distinction. The reality is that for victims who identify a cyberexploitation, it may not be immediately apparent if the exploit is simply mapping the victim’s system or network, gathering data, or if it is also carrying some more nefarious cyberattack that could cause actual harm to the computer system or any infrastructure it supports. And if cyberexploitations cannot be distinguished from cyberattacks, that leaves open the risk that a U.S. cyberexploit might be treated as a cyberattack and subject to a military response (which could involve the very acts that the U.S. has suggested would justify military retaliation, and suddenly we’ve escalated the situation into a conflict). Now, to be clear, I’m not saying that all cyberexploitations can or should be regulated or banned. I’m just saying that it’s not as easy as the AP suggests for the United States to pursue a “peacetime” cyberexploitation strategy without any fear of unanticipated consequences. Given the anonymity that currently characterizes most cyberoperations, moreover, there is the added risk of mis-attribution, which only further complicates the picture. That’s why I’m very interested to see what the Pentagon or the White House has to say on these matters. Hopefully, we’ll get actual text to look at in the coming days that details what the United States thinks are the rules for cyberwar.