[This post is part of the Second Harvard International Law Journal/Opinio Juris Symposium.]

First, I want thank both Eric Jensen and Jonathan Zittrain for taking the time to respond to my article.  Both have thought long and hard (not to mention well!) about regulating cyberspace. Eric’s early work assessing computer network attacks under the legal rules on use of force was one of the foundational pieces on which I based my own scholarship.  More recently, I’ve been inspired by Jonathan’s efforts to grapple both theoretically and technically with the challenges of cyberspace.

So, I was very pleased to see in both of their comments that we all three share certain assumptions. Three in particular stood out: 1) cyberthreats are a real problem; 2) we need better responses to this problem, and 3) attribution makes the traditional governmental “proscriptive” response (namely, identifying and punishing wrongdoers) very very difficult.

That said, particularly, with Jonathan, I think we do have some differences in our starting positions.  Jonathan suggests that my worries may be a bit more at the “hawkish end of the spectrum” than his own, which explains his preference for community based mutual aid arrangements (such as his “mirror as you link” concept) in lieu of my international legal duty to assist (DTA).  I take Jonathan’s point on both my hawkishness and my turn towards law over community norms.  My paper readily acknowledges that there is still some dispute over the existence and extent of the cyberthreat, with charges of scaremongering facing off against those, like President Obama, who characterize cyberthreats as “among the most serious economic and national security risks we face as a nation.”  I expect those within the scaremongering camp are likely to perceive my e-SOS idea as a solution in need of a problem (on the other hand, as far as solutions go, I would hope critics would at least acknowledge that mine is more libertarian and less heavy-handed than those who would rewire the Internet to remove anonymity or allow government monitoring of private networks, etc.).

Similarly, my paper does assume that law can and should be part of the response to the cyberproblem.  I am less sanguine than Jonathan who thinks that we can regulate cyberthreats solely through community norms.  To be clear, I think Jonathan’s “mirror as you link” idea is a great one; both normatively desirable and practically possible (in many ways, I think his idea is a fellow traveller with my e-SOS proposition) Still, his proposal seems designed with only one type of cyberthreat–denial of service–in mind, and I’m not sure how it would deal with other types of attacks. I also am not sure how feasible community norms are in an environment that seems to have an increasingly diverse and adversarial set of actors (whether Russian hacktivists, military forces from China and the United States, Israeli teenagers, etc.).  Rather than limiting solutions to informal networks of like-minded groups, I believe law offers a vehicle for obtaining pre-commitments from state actors who might otherwise not be inclined to cooperate (indeed, international law is nothing, if not a vehicle for solving these sorts of cooperation problems).  Finally, I looked to law because my sense is that states themselves have begun to do so.  Although initially resistant to negotiating rules of the road, reports suggest that the United States has now come around to the idea of international negotiations on this topic (joining Russia which has touted the idea for more than a decade), although the substance of those negotiations remains very much up for grabs.  Hence, my paper is not focused so much on the question of whether international law should regulate cyberthreats, but how it should do so.

And my own response to this latter question ends up being, “if not a duty to assist, then what”? Notwithstanding Eric’s point about the need to flesh out the exact parameters of any international legal duty to assist, I’m still persuaded that it remains the best available legal option for dealing with the most severe cyberthreats.  My paper looks at the three other ways law might regulate this threat — (1) regulating the bad actors, (2) regulating the technology, or (3) regulating the victims — and explains how the attribution problem takes the first option off the table while political and economic barriers have so far stymied pursuit of the second and third possibilities.  We are in a situation where one cannot identify, let alone prosecute, the bad actors and where you can’t perfect the technology to block them.  As a result, we are in a situation where the best the law can do is try to provide assistance to mitigate the harm these threats cause, and if it does so successfully, maybe deter future such threats.

Thus, I take Eric’s point that the analogy between threats in cyberspace vs. those at sea is nowhere near perfect.  But I do think the conditions that led to an SOS in the latter context make it a worthy idea for cyberspace.  Like the high seas, we have an environment where no single nation can regulate the problem (the high seas are the quintessential commons), where bad actors cannot be proscribed (how do you prohibit hurricanes?), and where the technology can never be fully secured (as the Titanic so dramatically revealed, no boat is unsinkable).  In any case, the idea of a duty to assist is not limited to the oceans.  As my paper details, there are myriad other contexts in which DTAs exist, proving its utility as a broader legal device. Of course, I don’t believe Eric is per se opposed to these sorts of analogies; he just (rightly I think) seeks to explore how well they might work by flagging problems of proximity, frequency and technology protection.

In terms of proximity, Eric joins Orin Kerr and Dave Hoffman in noting that the physical proximity that motivates the SOS system is absent in cyberspace.  I think my response to them serves just as well here:

Orin (and Dave) separately take issue with my suggestion that the obligation to assist be defined by physical proximity. At sea, anyone who hears the SOS call has a duty to assist, not just those closest to the vessel in distress. But, I take Orin’s point that those who can actually help will usually be those closest to the threat physically (although Coast Guard helicopters, etc. mean that this will not always be true). I also agree with Orin and Dave that regulating who can assist in cyberspace is a harder proposition, since the physical limitations on who can assist are absent. In cyberspace, an e-SOS could theoretically reach anyone, and if the DTA is not limited to specific duty-bearers, everyone would be obligated to respond. Thus, my paper proposes several ways to limit assistance to avoid the costs of imposing the duty too widely. I do suggest that physical proximity may work, by which I mean proximity to the victim’s systems and networks that have encountered losses in confidentiality, availability, integrity or authenticity. I rely on Jack Goldsmith and Tim Wu’s ideas here that the Internet has allowed enough regulability by nation states so that a nation state where victims have suffered (or are suffering) losses could assist them even if it had nothing to do with the threat itself. Thus, a victim could send out an e-SOS that requires the nation state where the losses lie to respond and perhaps others in that jurisdiction as well (e.g., ISPs using networks in that state, major Internet companies who also have terminals or networks resident in that state, etc.).

I don’t think it’s fair, however, to read my paper as wedded to the idea of physical proximity; indeed, I make clear that “geographic or jurisdictional links between the victim and the duty-holder are not the only–nor necessarily the best–ways to identify duty-bearers online.” Instead, I propose using what I call technical proximity to the victim as a way to identify a duty-holder. For example, if a DDoS transits Comcast’s network, Comcast could be required on receipt of an e-SOS to assist in ceasing that traffic. Or, where the victim traces an attack to a nation state, that state would be obligated to assist (even if they were only the last in several stepping stones from the attack’s true source). This would mean, for example, that Russia would have had to block traffic routed through its networks attacking Estonia in 2007, whether or not Russia was responsible for that traffic. I also suggest tiering the DTA, so that there could be a series of first responders, who could call for additional help if the threat proved so drastic as to require spreading the pool of duty-bearers.

Next, Eric suggests that the SOS only works because of how infrequently it is invoked, worrying that its use could not be properly limited in the e-SOS context where there are so many cyberattacks (a worry Jonathan shares with his concern that states will view too many cyberattacks as severe based on the target rather than the effects). I’m not sure that the frequency dilemma is as great as Eric suggests.  Threats at sea are actually quite common, even if most do not require a distress call.  And even distress calls are far from rare. Consider the United States as an example; according to this paper, in 2003, the U.S. Coast Guard received 31,562 distress calls, saving an estimated 5104 lives with 655 lives lost and 481 unaccounted for.

And, to be clear, my proposal is not to deal with every cyberattack or exploit, which I agree number in the millions or maybe even billions, but only those that states would agree are “severe.”  My paper explores the severity of an attack along three dimensions — timing, scale and indirect effects — and contemplates different ways that states might delineate which attacks are severe.  Unlike Jonathan, I’d be inclined to let states themselves define severity, and would have no problem if they did so based on the effects (loss of life, disruption of critical infrastructure) or the targets (hospitals). Similarly, I think there are various ways states can deal with limiting the burdens of assistance from falling on any specific sub-group of actors (like the National Security Agency), whether through the ideas of technical proximity or tiering mentioned above.  Thus, I would argue that there are various ways states can work around proximity and frequency issues, with any such work-arounds ultimately turning on the states’ collective assessment of how severe the threats are and who should bear the costs of assisting.

Finally, Eric worries that technology transfer issues will disincentive assistance from more sophisticated helpers who fear that in helping they’ll be revealing too many of their technical “sources and methods.”  I agree that technology transfer is an issue, although I think it may actually cut both ways; currently, most victims don’t ask for help because they’re worried about having to expose their own operations to the world, and particularly to anyone who assists.  The essence of the e-SOS idea, however, is that it does not require victims to ask for help; they only do so if they feel the costs/benefits warrant making the call.  Just like an Ambassador can allow the embassy to burn to the ground, we should expect some victims will decide there’s too much additional risk in asking for help and continue to suffer in silence.  On the other hand, Google’s call for help in the Aurora incident shows how even the most sophisticated Internet actor may at some point cry “Uncle,” and negotiate terms for aid (which it did in a deal with the National Security Agency).  Similarly, duty-bearers might be allowed to say up front what kind of assistance they can provide and under what conditions they will do so.  Indeed, there are other DTAs in existence (notably in the nuclear context) where states work out in advance what assistance would be available and how it would be provided in the event of a crisis. Something similar could be replicated for the most severe cyberthreats, including conditions to limit any exploitation of the helper’s systems and networks by the victim or vice versa.

In closing, let me reiterate my thanks to Eric and Jonathan for taking the time to think about my idea.  Frankly, I hope they’re not the only ones who do so.  I sincerely believe that if law is going to be devised to regulate future cyberconflicts, a duty to assist, or an e-SOS could (and should) be a significant first principle for mitigating and hopefully deterring the most severe cyberthreats.

[This post is part of the Second Harvard International Law Journal/Opinio Juris Symposium.]

In 2007, I authored two papers — one for a military audience and another for a legal one — arguing that debates over the law’s response to the growing range of cyberthreats would likely track ongoing debates over law’s response to terrorism. In that context, we’ve seen 4 options emerge:

• First, those who say terrorism is a crime, and only a crime, with any legal response limited to law enforcement mechanisms.
• Second, those who insist terrorism is war, with the applicable law, if any, derived solely from international humanitarian law.
• Third, those who try to bridge the two camps by insisting terrorism can be both a crime and an act of war, applying the benefits (and burdens) of both legal regimes.
• Fourth, and finally, those who argue that terrorism is neither a classic crime nor a classic act of war, and thus requires a new legal response to regulate its threat.

My sense is that the same jockeying among camps — crime, war, both, neither — is beginning to play out in the context of cyberthreats as well.  The initial international legal response, most notably the Council of Europe’s 2001 Cybercrime Convention, rests entirely on a criminal law paradigm. In contrast, the recent emergence of U.S. Cybercommand (USCYBERCOM) and the guidelines reported to apply to it envisions significant cyberthreats in national security terms, more appropriately dealt with through a war model, rather than a criminal one.  Not surprisingly, some states and scholars tacked to Option 3, suggesting that we can employ both crime and war paradigms to deal with these issues.  Indeed, that’s how the Estonian government viewed the 2007 cyberattacks against it, calling them an act of war, but also launching criminal investigations and seeking extradition of those responsible. This third approach appears to be where the United States is heading as well.

I’ve spent the last 4-5 years advocating for Option 4 — the none of the above idea.  To be clear, I’ve never suggested that law doesn’t currently govern cyberthreats, but rather that it does so poorly. Thus, I’ve complained about the difficulties of translating existing rules into cyberspace, the complexity of those rules, and their inadequate scope when it comes to threats that can have either state or non-state origins.  As a result, I’ve advocated for nation states to work out new rules to regulate and mitigate the harm posed by the most severe cyberthreats.

Not surprisingly, the most frequent response to my call for new rules was a question:  what do I think those rules should be?  This paper – An e-SOS for Cyberspace — is my attempt at a response. In it, I offer a first principle — a Duty to Assist — that I believe states could adopt as an appropriate international regulatory response.  As the paper elaborates, a duty to assist is not some magic salve for all cyberthreats, but it could be a way for states to respond to the most severe ones that directly or indirectly take life or disrupt critical infrastructure.  I argue, moreover, that given the way anonymity is built into the very architecture of the Internet, a Duty to Assist may be all that we can expect law to do at this point to deal with these threats.  All of which is a long way of getting to my abstract:

Individuals, shadowy criminal organizations, and nation states all now have the capacity to harm modern societies through computer attacks.  These new and severe cyberthreats put critical information, infrastructure, and lives at risk.  And the threat is growing in scale and intensity with every passing day. The conventional response to such cyberthreats is self-reliance.  When self-reliance comes up short, states have turned to law for a solution.  Cybercrime laws proscribe individuals from engaging in unwanted cyberactivities.  Other international laws proscribe what states can (and cannot) do in terms of cyberwarfare.  Both sets of rules work by attribution, targeting bad actors—whether criminals or states—to deter cyberthreats.

This Article challenges the sufficiency of existing cyber-law and security. Law cannot regulate the authors of cyberthreats because anonymity is built into the very structure of the Internet.  As a result, existing rules on cybercrime and cyberwar do little to deter.  They may even create new problems, when attackers and victims assume different rules apply to the same conduct.

Instead of regulating bad actors, this Article proposes states adopt a duty to assist victims of the most severe cyberthreats.  A duty to assist works by giving victims assistance to avoid or mitigate serious harms.  At sea, anyone who hears a victim’s SOS must offer whatever assistance they reasonably can.  An e-SOS would work in a similar way.  It would require assistance for cyberthreat victims without requiring them to know who, if anyone, was threatening them. An e-SOS system could help avoid harms from existing cyberthreats and deter others.  Even when cyberthreats succeed, an e-SOS could make computer systems and networks more resilient to any harm they impose. At the same time, an e-SOS would complement, rather than compete with, self-reliant measures and existing legal proscriptions against cyberthreats.

I look forward to the comments of Professor Eric Jensen and Professor Jonathan Zittrain and the conversation (I hope) it generates.

A few months back, Opinio Juris was pleased to host an inaugural joint symposium with the Harvard International Law Journal.  Next week, we’re very pleased to be able to regularize this partnership with a second symposium (I’m particularly pleased with this development for reasons that should become apparent below).  The symposium will run from Tuesday, July 12, to Friday, July 15, and features the following line-up:

On Tuesday, John H. Knox will respond to Jacob Katz Cogan‘s article, The Regulatory Turn in International Law.

On Wednesday,  Eric Jensen and Jonathan Zittrain will respond to Duncan Hollis‘ article, An e-SOS for Cyber-Space.

On Thursday, Katharina Pistor will respond to Olivier De Schutter‘s article, The Green Rush: The Global Race for Farmland and the Rights of Land Users.

On Friday, Frédéric Mégret will respond to Philip Alston‘s article, Hobbling the Monitors: Should U.N. Human Rights Monitors be Accountable?

Most of the authors (myself included) will offer introductory comments on their work or direct responses to the questions and comments of the contributors.  I, for one, am looking forward to the conversations that result.

Just a quick note for folks following the Congressional wrangling over U.S. military activity in Libya and the War Powers Resolution:  later this morning, Opinio Juris‘ own Peter Spiro will be testifying before the Senate Foreign Relations Committee. U.S. State Department Legal Adviser Harold Koh is also set to testify and, presumably, defend the Administration’s position.  Louis Fisher of the Constitution Project rounds out the Senate witness list.  Peter’s already been very outspoken here about the issue (see here, here, and here), so I, for one, am really looking forward to seeing his presentation on a larger stage.

The hearing is set to begin at 10 am EST with Senator John Kerry presiding.  You can watch all the action here.

More than a decade ago, the U.S. Defense Department’s Office of General Counsel (DoD OGC) released a detailed analysis of the way international law would operate to guide U.S. military activity in cyberspace.  It was an impressive effort and is still worth reading today despite all the intervening, and dramatic, changes in the technology and the geopolitical landscape.  At the same time, the DoD OGC memo was ultimately an exercise in issue-spotting rather than rule-clarification.  Indeed, as I’ve noted for some time, international law may clearly govern military activities in cyberspace (whether in terms of the jus ad bellum or the jus in bello), but the content of those rules is far from clear; and where there are identifiable rules, they tend to derive from too many overlapping legal regimes while not adequately regulating the very areas (e.g., non-state actor attacks) most in need of regulation.   As a result, cyber-specific rules of international law are clearly needed.

Now, international law can be created through a wide array of pathways.  The most prevalent modern method would be treaty-making.  As a result, the idea of a global treaty on cyberwar has become popular in various quarters, whether in the form of something like the Geneva Conventions, Russian proposals to regulate the proliferation of “cyberweapons,” or the Council of Europe’s efforts to combat cybercrime.  Critics have questioned whether such an effort could succeed (while others continue to insist it is not necessary).

For proponents of international regulation, however, it is important to recognize that international law can come from sources other than treaties; customary international law remains possible, even prevalent, in much of international humanitarian law.  And, custom comes from state practice.  Indeed, it’s worth remembering that much of the modern law of war began with the effort by a single state–the United States–to draft regulations for its armed forces in their conduct of the Civil War with the Confederacy: General Orders No. 100, better known as the Leiber Code for its author, Columbia Professor Francis Leiber.

It’s with the Leiber Code in mind, therefore, that I am interested in seeing the Executive Orders President Obama signed last month, detailing what the U.S. military and intelligence agencies can do in cyberspace. The U.S. government has yet to put out any unclassified versions of its strategy or specific rules in this area.  But, the Wall Street Journal noted last month that the United States will now regard certain cyber-attacks as acts of war.  And, today, the AP is reporting further details.  Here’s the meat of the most recent story:

As an example, the new White House guidelines would allow the military to transmit computer code to another country’s network to test the route and make sure connections work — much like using satellites to take pictures of a location to scout out missile sites or other military capabilities.

The digital code would be passive and could not include a virus or worm that could be triggered to do harm at a later date. But if the U.S. ever got involved in a conflict with that country, the code would have mapped out a path for any offensive cyberattack to take, if approved by the president.

The guidelines also make clear that when under attack, the U.S. can defend itself by blocking cyber
intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the U.S. has the right to pursue attackers across national boundaries — even if those are virtual network lines.

Under the new Pentagon guidelines, it would be unacceptable to deliberately route a cyberattack through another country if that nation has not given permission — much like U.S. fighter jets need permission to fly through another nation’s airspace.

Uri Friedman over at the Atlantic Wire distills this to suggest the new Executive Orders will (1) regulate peacetime use of cyberespionage, (2) permit military retaliation to a cyberattack that constitutes an attack, and (3) prohibit deliberate (but not inadvertent) use of neutral networks in military cyberactivites.

I am really interested to see what the White House or the Pentagon papers will actually say about these three points. Working backwards, neutrality is a complicated (and frankly a bit esoteric) area of international humanitarian law in which the United States has already taken contested positions in its global efforts to combat Al Qaeda.  Military retaliation, aka self-defense, is not a terribly controversial idea if in response to something that rises to the level of an armed attack; the trick will be to see if the Pentagon lays out clearly what that threshold will be.

The cyber-espionage point, however, is a bit more difficult than the AP describes it.  It is true that cyberexploitations (where you simply gather unauthorized access to data from another computer system or network) are different than cyberattacks (where you deny, disrupt or degrade the computer system’s integrity, authenticity or availability).  And, it is also true that international law has not prohibited espionage (although virtually every state has criminalized such acts).  The problem is that some States may not be willing to equate the most extreme cyberexploitations with traditional acts of espionage.  The scale of a cyberexploitation can be stunning if it can access all data resident within a military computer network or one, say, that controls a nuclear power plant.  Depending on the target or scale of the exploit, it could compromise a nation’s security in ways that outstrip what human intelligence or satellite imagery has been capable of to date.  As a result, while many states may regard most cyberexploitation as falling within the espionage status quo, I’m not as certain that all cyberexploitations will be regarded that way.

More importantly, while the United States can always say that it is only going to engage in peacetime cyberexploitations as distinct from cyberattacks, it is not clear if other states will accept that distinction.  The reality is that for victims who identify a cyberexploitation, it may not be immediately apparent if the exploit is simply mapping the victim’s system or network, gathering data, or if it is also carrying some more nefarious cyberattack that could cause actual harm to the computer system or any infrastructure it supports.  And if cyberexploitations cannot be distinguished from cyberattacks, that leaves open the risk that a U.S. cyberexploit might be treated as a cyberattack and subject to a military response (which could involve the very acts that the U.S. has suggested would justify military retaliation, and suddenly we’ve escalated the situation into a conflict).  Now, to be clear, I’m not saying that all cyberexploitations can or should be regulated or banned.  I’m just saying that it’s not as easy as the AP suggests for the United States to pursue a “peacetime” cyberexploitation strategy without any fear of unanticipated consequences.  Given the anonymity that currently characterizes most cyberoperations, moreover, there is the added risk of mis-attribution, which only further complicates the picture. That’s why I’m very interested to see what the Pentagon or the White House has to say on these matters.  Hopefully, we’ll get actual text to look at it in the coming days that detail what the United States thinks are the rules for cyberwar.

Those who have followed the cases relating to the Vienna Convention on Consular Relations (VCCR) here in the United States and at the ICJ know that the United States has a compliance problem. The United States does not provide the ‘judicial review and reconsideration’ remedy that the ICJ has indicated is required in the event a violation of an individual’s rights under Article 36 of the VCCR, and the Supreme Court has indicated that the President alone cannot order U.S. states to provide those remedies.  Since 2008, many commentators have suggested that the solution to this problem lies with Congress. Earlier attempts to enact legislation authorizing the necessary procedural steps to put the United States in compliance have fallen short.  Senator Patrick Leahy, however, is ready to try again in light of a pending execution of a Mexican national in Texas (apparently scheduled for July 7), which also seems certain to revive international attention to this issue.

Today, Leahy introduced the Consular Notification Compliance Act (for the text see here), which will give U.S. federal courts jurisdiction to provide the ICJ-dictated remedy. Here’s the quick take from Senator Leahy’s press release:

The Leahy-authored Consular Notification Compliance Act will give jurisdiction to federal courts to review the cases of foreign nationals currently on death row in the United States who did not receive consular access as required by the VCCR. It includes those individuals covered by a 2004 decision by the International Court of Justice, which held that the U.S. must review the convictions and death sentences of more than 50 Mexican nationals who had not been notified of their right to consular access. The legislation would also clarify for future cases that courts must ensure that all foreign nationals charged with a capital offense are informed of their right to contact their consulate. More than 100 foreign nationals from more than 30 countries are currently on death row in the United States.

And here’s what Senator Leahy had to say in longer remarks introducing his bill:

Each year, thousands of Americans are arrested and imprisoned when they are in foreign countries studying, working, serving the military, or traveling. From the moment they are detained, their safety and well-being depends, often entirely, on the ability of United States consular officials to meet with them, monitor their treatment, help them obtain legal assistance, and connect them to family back home. That access is protected by the consular notification provisions of the VCCR, but it only functions effectively if every country meets its obligations under the treaty – including the United States.

Unfortunately, in some instances, the United States has not been meeting those obligations. There are currently more than 100 foreign nationals on death row in the United States, most of whom were never told of their right to contact their consulate and their consulate was never notified of their arrest, trial, conviction, or sentence. There are many other foreigners in U.S. prisons awaiting trial for non-capital crimes, some facing life sentences, who were similarly denied consular access. This failure to comply with our treaty obligations undercuts our ability to protect Americans abroad and deeply damages our image as a country that abides by its promises and the rule of law. It would also be completely unacceptable to us if our citizens were treated in this manner.

The Consular Notification Compliance Act seeks to bring the United States one step closer to compliance with the convention. It is not perfect. It focuses only on the most serious cases – those involving the death penalty – but it is a significant step in the right direction and we need to work together to pass it quickly. Texas is posed to execute the next foreign national affected by this failure to comply with the treaty on July 7, 2011. He was not notified of his right to consular assistance, and the Government of Mexico has expressed grave concerns about the case. We do not want this execution to be interpreted as a sign that the United States does not take its treaty obligations seriously. That message puts American lives at risk.

The Government of Great Britain has expressed similar concerns about a case involving a British citizen facing the death penalty here, who was denied consular access.

The bill I am introducing would allow foreign nationals who have been convicted and sentenced to death to ask a court to review their cases and determine if the failure to provide consular notification led to an unfair conviction or sentence.

The bill also recognizes that law enforcement and the courts must do a better job in the future to promptly notify individuals of their right to consular assistance so the United States does not find itself in this precarious position again. To that end, the bill reaffirms that the obligations under the treaty are Federal law and apply to all foreign nationals arrested or detained in the United States. For individuals arrested on charges that carry a possible punishment of death, the bill ensures adequate opportunity for consular assistance before a trial begins. . . . .

I saw the need to resolve this issue first-hand this spring when a young, innocent Vermont college student was detained by Syrian police simply for taking photos of a demonstration. I worked hard with the U.S. consulate in Syria to obtain access to him. His safety depended on the ability of our consular officers to see him, provide assistance, and monitor his condition.

Similarly, the United States invoked the VCCR to seek access to the three American hikers detained in Iran after accidently crossing an unmarked boarder in 2009. In 2001, when a U.S. Navy surveillance plane made an emergency landing in Chinese territory, the State Department cited the VCCR in demanding immediate access to the plane’s crew. . . .

This bill has the support of the Obama administration, including the Department of Justice, the Department of Defense, the Department of Homeland Security, and the Department of State. I have heard from retired members of the military urging passage of the bill to protect servicemen and women and their families overseas, and from former diplomats of both political parties who know that compliance with our treaty obligations is critical for America’s national security and commercial interests. I ask unanimous consent to include those letters in the Record, as well as a recent public letter signed by retired judges and prosecutors from around the country urging the Governor of Texas to delay the upcoming execution to allow Congress time to act.

In short, it sure looks like the consular stuff is coming back (especially with a July 7, 2011 execution date).  As a result, Leahy’s bill and the potential for a new round of executions will bear watching.

My former State Department colleague, David Kaye, now the Executive Director of UCLA Law’s human rights program, has just authored a study under the auspices of the Council on Foreign Relations (John Bellinger and Matt Waxman also particiapted in the effort as Directors).  Kaye acknowleges the contributions made by the likes of the ICTY, ICTR, and ICC, but argues that more work is needed at the national level to supplement the international criminal law process.  Here’s a summary of the pitch:

Yet, after more than two decades of experience, the limits of these [international] courts’ capabilities are becoming clear. While they have brought some senior leaders to justice, the scope of the courts’ budgets and their enquiries can never reach all—or even most—perpetrators of atrocities. They are physically far removed from the scenes of the crimes they are prosecuting, cannot compel evidence or conduct independent investigations, and are vulnerable to changes in funding and international political support.

To overcome these and other difficulties, the international community must place greater emphasis on strengthening the national justice systems of the countries where atrocities have occurred. In this Council Special Report, David Kaye examines existing international justice mechanisms, analyzes how they have succeeded and where they have failed, and explains what reforms national legal systems will require to secure just and peaceful outcomes. Cognizant of the myriad individual challenges facing countries experiencing or emerging from violent conflict, Kaye nevertheless identifies a core set of common needs: political pressure on governments reluctant to prosecute perpetrators; assistance in building legal frameworks and training legal officials; support for investigations, including forensic analysis and security sector reform; and creating belief in the justice system among the local population.

To these ends, Kaye outlines several recommendations for U.S. policymakers and their governmental and nongovernmental partners worldwide. Beginning in the United States, Kaye argues that Washington should expand diplomatic and financial support for national justice systems and appoint a senior official to oversee initiatives from the State Department, Justice Department, USAID, and other agencies. Abroad, he calls for the secretary of state to organize a donor conference to agree on funding priorities and responsibilities for the international community, and to establish a coordinating body to ensure that support for national-level justice systems is properly coordinated and informed by best practices.

You can download the full report here.

The arrest on sexual assault charges of IMF Managing Director Dominique Strauss-Khan (or “DSK” as he’s known to the French tabloids) is big news this morning. Most of the main stream media attention (quite naturally) has focused on the salacious allegations themselves and/or DSK’s potential presidential ambitions back in France. Here at Opinio Juris, however, I’m sure I was not the only one whose first thought went to the immunity question — namely did officers of the Port Authority of New York and New Jersey detain DSK consistent with federal and international law? 

International Organizational immunity is a complicated topic given its tendency to operate by analogy to the more established concepts of diplomatic and consular immunity.  The relevant U.S. law, the International Organizations Immunity Act (IOIA), 22 U.S.C. 881, generally tracks consular immunity for international organization officers and employees. Thus, 22 USC 881d(b) provides:

(b) Representatives of foreign governments in or to international organizations and officers and employees of such organizations shall be immune from suit and legal process relating to acts performed by them in their official capacity and falling within their functions as such representatives, officers, or employees except insofar as such immunity may be waived by the foreign government or international organization concerned.

This approach mimics that taken in the IMF’s own Articles of Agreement.  Section IX(8) provides that officers of the IMF and employees of the Fund “(i) shall be immune from legal process with respect to acts performed by them in their official capacity except when the Fund waives this immunity.” 

Thus, it seems at first glance DSK is entitled only to official acts immunity, barring a waiver by the IMF (and I don’t think their current “no comment” can be read as a waiver here).  This would beg the question of what he was doing in New York on Saturday?  Was he there for some meeting?  Was he “in transit” to his planned Sunday meeting with German Chancellor Merkel?  Or, was he just enjoying a spring weekend in the Big Apple?  Ultimately, what qualifies as an “official act” is a tricky topic that will ultimately require us to know more facts. 

But, before we all assume official acts immunity is the governing framework, there’s a complicating factor — could DSK actually have diplomatic immunity?  Not all international organization officials are subject to official acts immunity, some of the most senior (see, e.g., the Secretary General and Assistant Secretaries General of the UN, senior OAS officials) get the same privileges and immunities as diplomats, meaning that they are absolutely immune in almost all cases from criminal arrest or civil suit.  And, at least some members of the IMF get this treatment as well.  The IMF is a specialized agency of the United Nations and the United Nations and the United States have a long-standing “Headquarters Agreement” that governs U.S. treatment of UN representatives and personnel. Article 15 of that agreement provides that

“principal resident representatives of members of a specialized agency and such resident members of the staffs of representatives of a specialized agency as may be agreed upon between the principal executive officer of the specialized agency, the Government of the United States and the Government of the Member concerned, shall whether residing inside or outside the headquarters district, be entitled in the territory of the United States to the same privileges and immunities, subject to corresponding conditions and obligations, as it accords to diplomatic envoys accredited to it.”

Thus, if DSK were a “principal resident representative” (PRR) of the IMF, he might actually be immune from arrest entirely.  I’m guessing he does not qualify because he’s not representing anyone other than the IMF as its Managing Director.  But that creates the rather odd result that a lesser IMF official might have absolute/diplomatic immunity denied to the titular head of the IMF (on the other hand, PRR immunity might be deemed more a function of the respect due the sovereign states these individuals represent rather than anything derived from their service to the IMF itself).

So, what do others think?  Can DSK claim anything other than official acts immunity?  If he does claim that status, how broadly should a court read what counts as “official” here?  And, to be clear, this will likely be a question for a U.S. court to resolve — as the State Department’s guidance to law enforcement makes clear on the question of what constitutes an “official act”:

official acts immunity pertains in numerous different circumstances. No law enforcement officer, State
Department officer, diplomatic mission, or consulate is authorized to determine whether a given set of circumstances constitutes an official act. This is an issue that may only be resolved by the court with subject matter jurisdiction over the alleged crime. Thus, a person enjoying official acts immunity from criminal jurisdiction may be charged with a crime and may, in this connection, always be required to appear in court (in person or through counsel). At this point, however, such person may assert as an affirmative defense that the actions complained of arose in connection with the performance of official acts. If, upon examination of the circumstances complained of, the court agrees, then the court is without jurisdiction to proceed and the case must be dismissed. Law enforcement officers are requested to contact the U.S. Department of State before arresting a consular officer, or, if not possible, immediately after arrest. 

There’s obviously a lot more that could be said (I’ve not touched on the “official acts” case law in the U.S. or elsewhere, nor have I analyzed whether the Convention on Privileges and Immunities of the United Nations (to which the United States is a party) would apply.  I hope some of the commentators can help further clarify these and other relevant issues.

I suspect that many of our readers already receive ASIL Insights, but for those of you who do not, I wanted to flag the release yesterday of Pakistan’s Sovereignty and the Killing of Osama Bin Laden by Ashley Deeks, a former colleague of mine in the Legal Adviser’s Office at the U.S. State Department. Deeks is now a fellow at Columbia Law School, but until recently served as the Assistant Legal Adviser for Political and Military Affairs at the State Department. Obviously, the views she articulates in this piece are her own.  But given her work experience, I wouldn’t be surprised if they don’t give some insight (pun intended) to the State Department’s internal arguments on the legality of the mission to kill Osama Bin Laden. In any case, here’s a few highlights from her argument:

International law restricts the situations in which a state may use force in the territory of another state. There are three situations in which such an act is lawful: pursuant to U.N. Security Council authorization under Chapter VII of the U.N. Charter; in self-defense; or (at least in some cases) with the consent of the territorial state. Once a state concludes that it has a right of self-defense, it must assess what specific types of actions it can take in response, including whether it can use force. The standard inquiry has three elements: whether the use of force would be necessary; whether the level of force contemplated would be proportionate to the initial armed attack (or imminent threat thereof); and whether the response will be taken at a point sufficiently close to the armed attack (i.e., whether it would be immediate).

In determining whether it is necessary to use force against a non-state actor operating in another state’s territory, the victim state must consider not just whether the attack was of a type that would require force in response, but also the conditions within the state from which the non-state actor launched the attacks. In this latter evaluation, states, absent consent, employ the “unwilling or unable” test to assess whether the territorial state is prepared to suppress the threat. If the territorial state is either unwilling or unable, it is reasonable for the victim state to consider its own use of force in the territorial state to be necessary and lawful (assuming the force is proportional and timely). If the territorial state is both willing and able, the victim state’s use of force would be unlawful. . . .

Based on an examination of state practice, it is possible to ascertain a few key principles that the international community might expect a state using force (the “acting state”) to follow. The principles might include requirements that the acting state: (1) ask the territorial state to address the threat and provide adequate time for the latter to respond; (2) reasonably assess the territorial state’s control and capacity in the region from which the threat is emanating; (3) reasonably assess the territorial state’s proposed means to suppress the threat; and (4) evaluate its own prior interactions with the territorial state. However, an important exception to the requirement that the acting state request that the territorial state act arises where the acting state has strong reasons to believe that the territorial state is colluding with the non-state actor, or where asking the territorial state to take steps to suppress the threat might lead the territorial state to tip off the non-state actor before the acting state can undertake its mission. . . .

Applying the Test . . .

Based on the facts that have come to light to date, the United States appears to have strong arguments that Pakistan was unwilling or unable to strike against Bin Laden. Most importantly, the United States has a reasonable argument that asking the Government of Pakistan to act against Bin Laden could have undermined the mission. The size and location of the compound and its proximity to Pakistani military installations has cast strong doubt on Pakistan’s commitment to defeat al Qaeda. The United States seems to have suspected that certain officials within the Pakistani government were aware of Bin Laden’s presence and might have tipped him off to the imminent U.S. action if they had known about it in advance. . . . Pakistan might argue that it would have been able to stage an effective mission against the compound, or that the United States at least should have constructed the mission as a joint operation, given that the two countries work closely together in other intelligence and military contexts. It also could point to the fact that it conducted searches for al Qaeda leaders in Abbottabad in 2003 and in subsequent years, and that it passed on information about the 2003 search to U.S. officials. On balance, however, Pakistan’s defense of its sovereignty in this case, while understandable from a political perspective, seems weak as a matter of international law.

I’ve been on a self-imposed blogging hiatus of late due to the dual demands of serving as Temple’s Associate Dean for Academic Affairs and editing the forthcoming book, The Oxford Guide to Treaties (on which I’ll blog more later).   But, I had to pass along the following significant and important development – Superman is renouncing his U.S. citizenship.  Here’s the scoop from Comics Alliance:

Despite very literally being an alien immigrant, Superman has long been seen as a patriotic symbol of “truth, justice, and the American way,” from his embrace of traditional American ideals to the iconic red and blue of his costume. What it means to stand for the “American way” is an increasingly complicated thing, however, both in the real world and in superhero comics, whose storylines have increasingly seemed to mirror current events and deal with moral and political complexities rather than simple black and white morality.

The key scene takes place in “The Incident,” a short story in Action Comics #900 written by David S. Goyer with art by Miguel Sepulveda. In it, Superman consults with the President’s national security advisor, who is incensed that Superman appeared in Tehran to non-violently support the protesters demonstrating against the Iranian regime, no doubt an analogue for the recent real-life protests in the Middle East. However, since Superman is viewed as an American icon in the DC Universe as well as our own, the Iranian government has construed his actions as the will of the American President, and indeed, an act of war.

Superman replies that it was foolish to think that his actions would not reflect politically on the American government, and that he therefore plans to renounce his American citizenship at the United Nations the next day — and to continue working as a superhero from a more global than national perspective. From a “realistic” standpoint it makes sense; it would indeed be impossible for a nigh-omnipotent being ideologically aligned with America to intercede against injustice beyond American borders without creating enormous political fallout for the U.S. government.

It’s too bad we don’t have anyone here at Opinio Juris with views on future trends in citizenship, global identity and the like to comment on this story.  Oh, wait . . . we do.  In any case, it’s clear that someone needs to advise DC Comics on the national and international laws in play here.  For starters, renouncing citizenship at the UN doesn’t seem to cut it under U.S. law.  8 U.S.C. 1481 lists the acts by which Superman could renounce his U.S. citizenship and they involve things like becoming a citizen of another state, declaring allegiance to another state, or formally renouncing his citizenship outside the United States before a U.S. diplomatic or consular office?  There’s nothing in there about becoming a global citizen or aligning with an international organization.  Indeed, can Superman even renounce citizenship while remaining in U.S. territory (and, yes, I consider the UN Headquarters to be in U.S. territory notwithstanding its privileges and immunities under the Headquarters Agreement)?  U.S. law limits renunciation within the United States to “whenever the United States shall be in a state of war” — which I suppose begs another whole set of questions concerning Afghanistan or even Libya.  Also, what happens if Superman has ulterior motives here?  Given his wealth, isn’t the IRS likely to investigate the possibility that this is simply an effort at tax evasion.   And that’s not even getting into the questions of statelessness or international law involved.  Clearly, this is an issue that needs attention from Opinio Juris to make sure D.C. Comics gets this right.  So, commentators, have at it.

We are pleased to welcome Michael Ramsey back to Opinio Juris, this time as a guest blogger. Mike is a Professor of Law at the University of San Diego Law School where he teaches U.S. Constitutional Law, Foreign Relations Law and International Business Transactions. His scholarship often focuses on U.S. foreign relations; he is the author of The Constitution’s Text in Foreign Affairs (Harvard Univ. Press, 2007) and his articles have addressed a range of topics, including the original scope of Executive Power and the distribution of war powers. Before joining the USD, Mike clerked for Ninth Circuit Judge J. Clifford Wallace and U.S. Supreme Court Justice Antonin Scalia. He has taught as a visiting professor for the University of California, San Diego, Department of Political Science and for the University of Paris-Sorbonne, Department of Comparative Law. Currently, he is visiting at Melbourne Law School. Welcome Mike!

I’m at Harvard Law School today for a symposium, Cybersecurity: Law, Privacy, and Warfare in a Digital World.  I’ll be talking about my e-SOS paper, how international law deals with cyberthreats, and ways it could do a better job.  Anyone who’s interested can watch the proceedings; it’s being live web-cast here. 

I wanted to flag a fascinating debate over the future of the Internet that just occurred between HLS Professor Jonathan Zittrain and Stewart Baker.  Baker, of Volokh fame, is well known for flagging the great potential of cyberthreats to produce systemic or catastrophic effects.  Today, he was on message, emphasizing how the threat of cyberwar and severely intrusive cyberexploitations like Ghostnet require construction of new social norms for the Internet.  And, for Stewart, he’d construct those norms by imposing attribution and punishment on the Internet.  Only by knowing who’s attacking and punishing them does Baker think the Internet can have true social order. 

Zittrain, who’s thought a lot about the Future of the Internet, agreed with Baker that its current state is problematic, and that things like Ghostnet are scary and worthy of real concern.  But, he disagreed that attribution (whether “attribution lite,” meaning more investigative resources, or “full attribution,” meaning a restructuring of the Internet to allow for real-time attribution) was the solution.  For starters, he doubted that total attribution would ever be possible, arguing that Ghostnet’s authors would always be sophisticated enough to circumvent whatever attribution system is devised.  He also suggested there were far more “boring” solutions to many cyberthreats in terms of better authentication and security to persue before restructuring the whole system.  Instead, Zittrain favored working with, rather than overriding, the Internet’s generative capacity and developing voluntary structures of mutual aid among Internet users.  He proposed some technical solutions to do so, most notably his preference that users help other users reciprocally by allowing basic applications to always be mirrored, thereby making it much more difficult to deny services to those applications. 

Both Baker and Zittrain made compelling arguments and did so without fireworks (but quite a bit of humor involving everything from the entire state of Qatar being banned from Wikipedia to Stewart Baker’s time at Brown).  It was great to see two people who have obviously different priors recognizing their common ground and trying to discern ways to deal with such a big (and serious) question as what the future holds for the Internet.  It bodes well for the rest of the day, which will conclude with a Keynote Address by Steven Bradbury, formerly a Principal Deputy in OLC.

[Update:  contrary to Ben's hope, Steven Bradbury's talk did not go to detainee issues, but he did make a rather dramatic assertion about the capacity of the United States to engage in cyberoperations, namely that where the law is unclear (which, by my own estimate, covers quite a lot of ground in the cybercontext), the President is free to decide as a matter of policy what cyberoperations to pursue.  In other words, I heard him to suggest that in the absence of a specific rule restricting U.S. activity, it is free to act as a matter of policy.  Not sure how well this matches up with the Martens clause (I'm going to try and ask him about that).]