I’m just back from the U.S. Naval Academy and a great conference put on by the Stockdale Center for Ethical Leadership: Warfare in a New Domain: The Ethics of Military Cyber Operations. Ed Barrett pulled together a truly impressive group of technologists, international lawyers, philosophers, ethicists, active duty military personnel and US Government officials to weigh in on existing cyberthreats and the appropriate legal and ethical frameworks for responding to them. I may blog more of the details later, but here are three quick take-aways from our two day conversation:
1) Cyber is hot. When I first started writing in this area, I frequently had to fend off charges that this was just fodder for international lawyers who happened to like science fiction. We’ve come a long way since those days. Cybersecurity is front and center in Congress, and cyberthreats and cyber-capacities have moved into the front seat in national security circles. Although I’m not sure everyone agrees with the cyber-arms race idea, it is true that the technological capacity is on a steep upward trajectory and the actors involved are constantly expanding (I’m told, for example, that Zimbabwe is the latest in a long list of States to get together its own cyberforce).
2) We don’t agree on why cyber is hot. Over the course of the conference, there were dissonant voices on what the cyberthreat really is. First, there’s what we might call the “Digital Pearl Harbor” crowd — folks worried about, and looking to head off, a massive, large-scale cyberattack with significant effects on the civilian populace (think — shutting down the U.S. power grid). A related view, are those clearly worried about how nation States will deploy cyber in armed conflicts, and what methods exist to deter escalation to such conflicts. In contrast, there is a growing, and vocal group, who say that to focus on cyberwar or the most dangerous cyberthreats is to ignore the real problem — China. This is the ”China’s eating our lunch” crowd, who blame cyberespionage by China and its proxies for the theft of petabytes of data, including intellectual property, business plans, R&D, etc from the private sector in what some call the greatest wealth transfer in history. Finally, there are those who view the cyberthreat as more diffuse, although perhaps no less dangerous. This view may best be summarized by the idea of a “death by thousand cuts”; that is, we shouldn’t expect drama in cyberspace so much as low-level but systemic attacks and threats that in the aggregate may significantly impact the United States as a nation.
3) We don’t know how law should deal with State cyber operations. For starters, we are seeing (just as we have in the terrorism context) claims that lawyers and law are getting in the way; that States need to operate in this new environment without rules. For those of you who’ve not seen it, I recommend this recent exchange between Stewart Baker and Charlie Dunlap on the relative merits (and demerits) of this idea.
Then, even among those willing to concede a role for law and lawyers, there are significant differences of opinion on the relevant legal frameworks. The US and like-minded States have taken the position that the Law of Armed Conflict (LOAC) can apply in cyberspace; Russia agrees, but insists other new norms must be applied to limit “information” that is destabilizing as well. For its part though, China says they’re not sure the LOAC has any role to play at all, leaving the issue to law enforcement or organizations like the ITU.
Finally, even on the more specific legal and ethical issues that formed the core of the McCain Conference this year — namely military cyber operations — it seems we’re still trying to figure out how to analogize existing rules into cyberspace. We’ve been doing that for some time now, but I must say I’m surprised to see how little progress has occurred. For example, I was struck by how many reasonable people disagreed on the question of whether Stuxnet constituted a use of force or an armed attack.
Which brings me to my last point, and one that was quite contested at this conference — whether there is a gap between a prohibited use of force under UN Charter Article 2(4) and an armed attack sufficient to trigger an Article 51 right of self-defense. Although I’d always understood that simply because something constituted a use of force, that didn’t mean that it rose to the level of an armed attack for self-defense purposes. In other words, there is a gap between armed attack and force. But at least one US government lawyer suggested at this conference that there is no such gap in cyberspace, and that this may even be the official US Government position for cyberspace. I’d be interested in what readers make of this position, both as to the original kinetic understanding of the relationship between Article 2(4) and 51 and how it translates to cyber. Simply put, are all uses of force in cyberspace armed attacks?