CYBER OPERATIONS THAT CONSTITUTE AN ARMED CONFLICT
DALE TEPHEN : It i intere ting that Profe or chmitt acknowledge that the red line of where a cyber operation con titute a violation of Article 2(4) wa not deci ively olved in the Tallinn Manual. Thi i a matter of ongoing tate practice to reveal more concretely though the Manual doe outline factor that may be taken into account when coming to thi determination. A more fundamental que tion i when doe a cyber operation amount to an armed attack for the purpo e of invoking a right of elf defence under Article 51 of the charter. Again, the Nicaragua ca e i in tructive in thi area, in that it hold that uch an armed attack mu t be of a ufficient gravity. Equally, it mu t be borne in mind that a cyber operation that con titute a violation of Article 2(4) on the threat or u e of force, may not actually ri e to the level of an 'armed attack', giving ri e to a right to re pond in elf defence through either cyber mean , or through kinetic force. Let' li ten to how the Tallinn Manual applie the e factor in the context of cyber operation . MIKE CHMITT: 2(4) i only about whether or not a tate ha violated international law with it cyber operation. The re pon e come in Article 51. When can I re pond? You can re pond when the u e of force directed again t you i of a particularly egregiou u e of force known a an armed attack. We believed -- that i , not the po ition of the United tate -- but all the expert concurred, that we believe the e are two different tandard . That the charter wa meant to allow people to trip over the u e of force pretty ea ily, but that before a tate could re ort to force in re pon e, it had to be a pretty bad u e of force. o here, we were much more comfortable aying the thre hold i armed attack -- I'm orry, i phy ical de truction injury. And ignificant. Not the phy ical de truction of my laptop, but rather ignificant phy ical damage or injury. It' at that point that the right of elf defence mature . Now we were very quick -- and I happen to be one of the e people, who aid, that we believe thi norm will evolve. And it' becau e international law i meant to track the value of a ociety. And, o if uddenly, we ee particular a pect of ociety' activitie ubject to new threat , we can expect the interpretation of exi ting law to, through tate practice, move very quickly to meet thi new threat. We aw thi example with re pect to tran national terrori m. I could go on and on about that. But I expect to ee the ame thing in cyber. o, for example, I've ju t explained that you probably need phy ical damage. What if omeone conducted a ma ive cyber attack again t the Au tralian economy? Which could be done. And you're tarting to collap e a pect of the Au tralian economy. That' not phy ically de tructive. It may manife t in phy ical con equence uch a hunger down the road. But it' not phy ically de tructive. Neverthele , I'm not quite certain that the Au tralian government would not re ort to force, either cyber force or kinetic force, in order to re pond to omething that deva tating. o we will ee that norm evolve pretty quickly, and we're tarting to ee ome movement on the part of tate , particularly the Dutch, in thi direction.
CYBER OPERATIONS THAT FALL SHORT OF AN ARMED ATTACK
DALE TEPHEN : Well, the ri e of cyber a a mean and method of warfare i now a real po ibility. It only activate the law of armed conflict when it con titute an attack in the cour e of that armed conflict. Thi will be dealt with in the next module. What we are dealing with in thi module i the international law applicable to cyber operation mounted by tate or non- tate actor that do not amount to a cyber attack, but nonethele can re ult in genuine negative con equence . One uch example wa the attack on ony in the U late in 2014. The incident I'll refer to a the ony Hack began on November 22, 2014, when it became apparent that ony Picture ' computer y tem had been compromi ed. The BBC reported that kull appeared on employee creen with a me age which threatened to expo e ecret from data obtained in hacking. Large quantitie of confidential information and company a et were tolen. Multiple film were then illegally uploaded to file haring ite . Confidential employee information wa leaked, and private email were made public. A group identifying them elve a the Guardian of Peace, who had been linked to the North Korean tate-run Bureau 121, claimed re pon ibility for the hack. The group al o made threat again t theatre et to conduct howing of ony Picture ' controver ial atire, The Interview, a film that had been critici ed by the North Korean foreign mini try. Another example i the interference with the cyber infra tructure of E tonia in 2007 following the removal of the oviet war memorial from the centre of the city that we've already covered in the fir t module. In that in tance, there were numerou denial of ervice attack on government web ite , defacement on many web ite , botnet attack and di tributed denial of ervice attack undertaken. The origin of the attack were tracked to over 150 other countrie , although a number were al o tracked to a number of Ru ian government in titution . What doe international law ay about uch interference? In e ence, international law provide a number of prohibition of increa ing ignificance relating to external interference. The varying ignificance of the gravity of the interference peak to the type of re pon e that are permitted under international law. A number of the e ground were articulated by the International Court of Ju tice in the 1986 Nicaragua ca e; although that ca e wa concerned with phy ical activity, not cyber, it till provide a u eful foundation. At it mo t ba ic, interference with another tate' overeignty can amount to a violation of international law. Hence overflying national air pace without permi ion, or non-innocent pa age within the territorial ea of a coa tal tate, con titute example of a violation of overeignty, and hence a violation of international law. In the context of cyber operation , it matter greatly what the tate undertaking the violation i doing. Li ten to Profe or chmitt a he detail three example of apparent cyber interference that do, or in hi opinion, do not, amount to a violation of overeignty. MIKE CHMITT: When do you violate the overeignty of another tate? We're looking at that in a proce called the Tallinn 2.0, it' an update to the Tallinn Manual, and, in fact, I ju t came back la t week from looking at that. And we believe there are three ituation . The fir t ituation i where one tate, and we're only talking tate here, not non- tate actor , where one tate conduct a cyber operation in a econd tate, and that cyber operation cau e ome ort of damage. omething break , omeone i injured. The computer doe n't work anymore, the computer doe n't function. I believe mo t international law expert would concur, there' ab olutely no que tion that that operation violated the overeignty of the target tate, even though the operation wa launched from out ide the territory of that tate. Now if we move down the continuum a little bit, we get to a ituation where an operation i launched by a tate from out ide the territory of the target tate, and in tead of breaking omething, phy ically omething doe n't work and no longer function , the fir t tate i manipulating one and zeroe , i changing data, i de troying data, i doing omething in ide the y tem of the territorial tate. Now, here all international lawyer do not agree that thi i a violation. But I do. I believe that' the functional equivalent of your agent being in the other tate, doing omething that the other tate would not have that agent do. o in my view, that' a violation of overeignty. And then there' the third ituation, where you're in ide another tate' y tem, but you're not manipulating data, altering data, changing data, in any way that' nece arily adver e to the target tate. For example, you put malware in ide the y tem where you imply track the activitie of that y tem. When doe the y tem come on, when doe it come off, to whom doe it communicate, et cetera, et cetera, et cetera. Here we have the malle t group of international lawyer that would ay thi i a violation of overeignty. I'm not one of tho e that would ay that' a violation. And the rea on I don't accept that a a violation i that, to me, mack of e pionage, and we've never aid that e pionage i a violation of international law. The act that underlie e pionage may be a violation, but not e pionage per e. o tho e are the two below the thre hold likely violation of international -- there are many more that I could come up with. For example, we're itting here in Newport, Rhode I land, where we ee the ea out here. That' the American territorial ea. If a war hip from another tate come into our territorial ea and conduct cyber operation again t the War College, then, in that ca e, that would violate our overeignty, our territoriality, becau e it would not be what i known a innocent pa age. It would be pa age through our ea adver e to our intere t . o there are many other violation I could give you, but the two big one are intervention and a violation of overeignty.
DALE TEPHEN : It i in tructive from Profe or chmitt' commentary, that a forming con en u accept that pa ive ob ervation of communication through cyber mean doe not, in it elf, con titute a violation of overeignty. Thi wa a point that I made back in week three about international urveillance activity. Whether regional human right law and practice will cry talli e in the future into ome more general international human right principle to prohibit uch activity remain to be een. But for now, it would appear to be not ubject to uch a conclu ion. In any event, it would eem unlikely that even a broadly ba ed prohibition would not till allow ome kind of national ecurity exemption. It eem very unlikely that tate would not include uch a qualification. What i caught for certain i any activity that cau e phy ical damage, po ibly including to the data it elf. Whether changing data within a y tem through intervention con titute a violation of overeignty i omething that ha divided opinion. A more ignificant breach of international law occur where a tate violate the principle of non-intervention. Thi principle exi t in cu tomary international law. In the Nicaragua ca e, the ICJ examined U funding of rebel group in Nicaragua, and determined that thi did amount to a violation of the principle of non-intervention. The principle of non-intervention wa expre ed by the court to be ba ed on the concept of coercion. The court then ventured an ob ervation that the principle i violated, not only in re pect of the u e of direct force, but al o by the application of indirect force, including, for example, monetary upport for ubver ive or terrori t activitie . How doe thi type of te t manife t in the cyber domain? Thi may be manife ted when tate A manipulate the election return of tate B, thu re ulting in the election of a candidate that may be more ympathetic to tate A' need or de ire . It may imilarly be manife ted in any kind of manipulation that indirectly, but cau ally, a i t in any rebel group gaining a pecific military advantage through the direct manipulation of data within the target tate. The breache de cribed above all fall below the actual armed attack criteria that the ICJ ha con i tently held in the Nicaragua and ub equent Oil Platform ca e a having a high thre hold. For example, that then give ri e to a right of kinetic or cyber elf defence under Article 51 of the charter. o what then i available to tate ubject to uch violation that don't meet the armed attack thre hold? In thi in tance, general international law doe provide ome guidance. The 'Article on Re pon ibility of tate for Internationally Wrongful Act ' are a product of the International Law Commi ion, and reflect many year of work. They are regarded a an authoritative reading of the right and obligation in thi field. Let' li ten to Profe or chmitt' outline of the right that a victim tate may have under principle of international law, and largely reflected in the tate Re pon ibility regime. The e cover retor ion, countermea ure , and nece ity. MIKE CHMITT: o if we're talking about the remedy of tate below the thre hold -- again, I want to empha i e thi i omething which in the ca e of remedie , doe not ri e to the level of an 'armed attack' under Article 51 of the UN charter, becau e that' the point at which you may u e force in elf defence. If we're not talking about tho e ituation , mo t of the re pon e appear in the law of tate Re pon ibility. The International Law Commi ion ha produced draft article on the law of tate Re pon ibility which mo t eriou cholar believe fairly accurately repre ent cu tomary law. And we are, in fact, in the Tallinn proce , u ing the article . o there are actually three remedie that are critical. At the lowe t level, a tate may alway engage in what' called retor ion. Retor ion i an unfriendly but lawful re pon e. o, for example, if you conduct, if your tate, tate A conduct a cyber operation again t my tate, tate B, I could choo e to hut off, ab ent any applicable treaty regime, hut off your acce to erver in my country. They're in my country, I have overeignty over tho e erver , territorial overeignty over the erver . Unle there' a treaty regime to the contrary, I have the authority to ay you can't, tate A can't come into my tate, tate B. That would be an act of retor ion. It' not friendly, it' unfriendly, but it' lawful. And that would be de igned to induce you back into compliance with international law. Now, if your act i an internationally wrongful act, it' a legal term that mean if you violated international law, in particular, an obligation you owe me, your tate owe my tate, then I might engage in what are called countermea ure . Now a countermea ure i a tep up from contor ion. What a countermea ure i , i a countermea ure i an act that would otherwi e be unlawful but for your initial act. o you, tate A, intrude into my y tem, violating my overeignty. I may do thing in cyber pace, or not in cyber pace, I may do thing that otherwi e would violate my obligation owed to you, in order to compel you back into compliance with the law. And the logical thing in cyber pace would be -- you hack into my y tem , you manipulate my one and zero , and o I re pond in kind. I hack back. I normally would not be able to do o, becau e I would be violating your overeignty. But becau e of your unlawful act, the veil of overeignty ha been pierced. And I can re pond. And then, the next level up i found in Article 25 of the article of tate Re pon ibility, and it' called the plea of nece ity. Now, the plea of nece ity i an act taken when your tate i uffering omething that affect it e ential intere t in a grave and imminent way. The e are term drawn from the law. o it mu t be an e ential intere t, very, very important, and in the cyber context, we in tantly think of critical infra tructure, e ential intere t i affected, and in a way that' grave, in other word , very, very eriou , and imminent. It' happening now, or it' about to happen. If your country find it elf in thi ituation, then it may re pond with action that would otherwi e violate international law obligation owed to other tate . o I could hack back at whoever' hacking. Now, why i the plea of nece ity important? The plea of nece ity i important for two rea on . Fir t, there' no requirement that there be a violation of law, of international law, a a condition precedent. All you know i omething really bad i happening to u , and I need to re pond right now. And the econd important thing i , i wherea countermea ure are limited to wrongful act by tate , when we're talking about the plea of nece ity, you can be re ponding to an act conducted by non- tate actor like cyber terrori t , or you can be re ponding to an act where you don't even know who' conducting the act. You don't know if it' a tate, you don't know if it' attributable to a tate, you don't know if it' a non- tate. All you know i it' really bad and I've got to do omething. Hack back or whatever. What thi doe i it give you, if you will, from the American game Monopoly, a get out of gaol free card. Your wrongful act i no longer wrongful, even if it affect the intere t of other tate , o long a the intere t of the other tate you're affecting i n't e ential to them. o in order to defend your cyber infra tructure, you can't hack back into their critical cyber infra tructure and hut that down. Becau e that would be their e ential intere t. o you ee a balancing happening here. And then the fourth tep along the journey, i the law of elf defence under Article 51.
DALE TEPHEN : In re pect of countermea ure that you've ju t heard Profe or chmitt refer to in the Article of tate Re pon ibility, they provide in Article 51 and 52 that uch countermea ure mu t be proportionate, and that notice mu t be given prior to any invocation of uch countermea ure . uch a requirement for proportionality may be manife ted in relation to a 'hack back', a reciprocal re pon e through imilar mechani m . But thi i not without it ambiguity. The que tion of notice i equally potentially problematic in under tanding what i required in giving uch notice. What i a rea onable notice to provide in uch circum tance where action are taken in tantaneou ly? What do the Article on tate Re pon ibility provide for in thi in tance? Can urgency, for example, be an excu e not to provide uch notice? The an wer to that que tion i actually Ye . Article 52(2) of the Article provide that an injured tate my take urgent countermea ure a are nece ary to pre erve it right . Thi rai e the i ue of attribution. In undertaking a re pon e, tate need to be clear a to the origin of the cyber operation, and al o the connection of the target and the tate. ignificantly, the que tion of attribution i one that come up frequently in thi field. But it i al o one that can be often over tated a being problematic. Li ten next to what Emma Lovett, a cyber expert, ha to ay on thi i ue. There are a number of way that attribution can be verified in practice. In the next clip, you'll hear her peak about the rea oning proce that goe into triangulating the origin of an attack, and the identifying ignature that code can reveal in e tabli hing attribution. EMMA LOVETT: A we know, the internet take package of information, and di per e them, and then a emble them again at the other end where you want them to arrive. Being able to ay with certainty what bit of the world they went through, and who wa making them go through there, i the attribution part. o, it' not o much about determining exactly where the e little bit and byte were at a particular time. It' being able to ay, we think country alpha wa attacked by country yankee, becau e we know there were, for example, ix erver that it went through. We know that two of them were in country tango, country uniform. But before we get to country yankee, we lo e a couple of erver . We don't get the whole trail. o how do you come to a point where I can be certain with very high confidence in my attribution? And I want a high confidence. If I'm aying that country yankee ha done omething contrary to my tate ufficient to be equivalent to an armed attack contrary to my intere t , and I want to re pond with force, whether it' cyber or not. And may I ju t add, You're not going to get kinetic attack without cyber in thi world. Ju t aying. o how do I get from here to here when I've got a gap? I'm al o going to be looking at the character of the attack. Becau e the nice thing about being attacked i you get to have the time, the luxury to pull apart the code, the programming, and you get a feel for where it come from. There are identitie that become apparent. o you can ay, well, thi i the ort of work that come from thi region of the world. Why? Becau e they peak a certain language and that' the way their brain work. Even though computer language i it own thing, we till have our own ethnic tendencie . And that' the ort of thing that we think come from there. Then you add the political overlay of why it would be that country. And if thi were an intelligence analy i , you add one, two, three, and four, and the character -- attribution. More likely than not.
DALE TEPHEN : In re pect to the plea of nece ity that you've heard Profe or chmitt refer to, you may recall that he mentioned that thi right of re pon e turned on a grave and imminent threat to an e ential tate intere t. Moreover, that uch a right could be exerci ed again t both tate and non- tate actor . Key to thi authority i that an e ential tate intere t ha been affected. While power ource and other infra tructure that ignificantly underpin normal daily life would be covered, it i le clear what el e may be included. A a criteria nece ary to be e tabli hed before any re pon e may be legitimately undertaken, it i important to under tand the boundarie of e ential tate intere t in thi context. The matter i one that i ubject to ongoing con ideration by both expert and tate in thi dynamic area. The final i ue to be canva ed in thi outline of right and obligation i when a cyber operation amount to a violation of Article 2(4) of the charter. Namely, a threat or u e of force. The Nicaragua ca e previou ly mentioned had determined that the upply of arm and training to rebel group within a overeign tate can con titute a violation of Article 2(4), thu giving ri e to a right of countermea ure , or potentially, even a plea of nece ity in re pon e. How doe thi manife t in the cyber phere? When would a cyber operation amount to a breach of Article 2(4)? Let' li ten to what Profe or chmitt ay on the i ue. MIKE CHMITT: With regard to Ju ad Bellum, and Ju ad Bello, there were a number of problem . With regard to, let' tart with the Ju ad Bellum. There were two. They are the cla ic que tion . What i the 'u e of force' pur uant to Article 2(4) of the UN charter? Becau e there' a prohibition on the u e of force unle there' one of two exception . The ecurity Council approve the u e of force, or alternatively, the u e of force i an act of elf defence. o when i a cyber operation by one tate again t another tate a u e of force? We agreed that any time a tate u e a cyber operation that cau e phy ical damage or injury, that wa a u e of force. And it could only be ju tified by one of the two exception . However, in the very famou Nicaragua ca e, the ICJ ca e in 1986 ca e, the ICJ held that you don't nece arily have to have forceful action to trip over thi wire. For example, if you arm and train guerilla , that could be a u e of -- you arm guerilla and then train them to u e weapon -- that could be a u e of force. And we aid, well golly, that mu t apply in the cyber context a well. If I give guerilla in another tate malware and then train them how to u e the malware, how i thi different than arming and training guerilla ? o one of the problem we had in the tran lation of the norm wa , when doe a cyber operation trip over the u e of force line, uch that it could only be ju tified by either a ecurity Council re olution or elf defence? We never olved that problem. Thi i -- we looked in there, in fact, it' from ome earlier wording, it' called the chmitt analy i . What we aid i , we don't know where -- until we ee tate practice -- we don't know where that red line i . Where i that thre hold?
CYBER OPERATIONS
DR DALE STEPHENS: So, in summary, we have been able to map out a reasonably robust international framework that applies when faced with cyber operations that interfere with a target state's activities. Hence a cyber operation that causes some kind of damage within the infrastructure of a victim state commits a violation of the principle of sovereignty. There may be room to include the destruction of data in this formulation. But what is not a violation of sovereignty, it would seem, is the passive tracking of communications itself. A step up from this principle of sovereignty in terms of severity, is the violation of the principle against intervention. The test turns on the issue of coercion. Further up the line was a violation of Article 2(4) of the Charter that prohibits the threat or use of force. This may be manifested when malware is supplied to rebel groups and cyber training for the manipulation of target states' cyber capacities. Finally, at the extreme end of the scale, a cyber attack could also amount to an 'armed attack' for the purposes of Article 51 of the UN Charter whenever there was a cyber attack that resulted in physical damage of sufficient gravity, such as the taking down of a power network. In terms of response, for actions that come below the 'armed attack' threshold, rights of retorsion, countermeasures, and necessity could be activated to at least permit a cyber response. The question of attribution obviously is important in these contexts and as we have heard Emma Lovett outline, this can be a slightly overstated problem in practice for which there are well rehearsed mechanisms for establishing attribution. Finally, for cyber operations that do meet the 'armed attack' threshold, then both cyber and kinetic means are available to mount a lawful action in self defence. This framework is one that applies in peacetime. Let's now turn to the next module where I'll discuss some issues relating to cyber in the context of armed conflict and the application of international humanitarian law to such activities.
No comments:
Post a Comment