CYBERWAR
DR DALE STEPHENS: In the previous segment, we addressed the legal framework that applied to the conduct of cyber operations that covered the range of interferences from violations of sovereignty and unlawful intervention through to an armed attack. Our focus was on the law relating to the Use of Force under the UN Charter and accompanying customary international law. In this segment, we will address the law applicable to cyber operations that occur during a time of armed conflict -- hence International Humanitarian Law, otherwise known as the Law of Armed Conflict or Jus in Bello, is the governing regime. This is an appropriate time to address this issue, as countries are starting to acknowledge that they do possess an offensive cyber capability and that such means and methods of warfare would undoubtedly apply during an armed conflict. The US does actually have, within its military structure, a Cyber Command. And also recently, China also acknowledged that it, too, has a cyberwar strategy and specialised units for waging war on computer networks. While International Humanitarian Law was designed with kinetic force as the reference, hence the firing of weapons and the physical effects of such weapons, it doesn't mean that it can't be adopted to apply to cyber means and methods. Indeed, the International Court of Justice, in the famous Nuclear Weapons Advisory Opinion, made it plain that emerging technologies were always subject to the applicable law in this area. On the whole, the drafters of the Tallinn Manual were able to apply existing rules and standards under International Humanitarian Law to the cybersphere. Despite this key acknowledgement, there are some important aspects of IHL that don't seem to fit too readily to the phenomenon of using cyber means to undertake wartime operations that we should consider. One such area is the central question of the definition of attack. Under Article 49 of Additional Protocol I, attack is defined as "acts of violence against the adversary, whether in offence or defence." This is a central question, because if I mount an attack, then I am subject to numerous rules about who or what I can attack, what level of incidental civilian loss I must take into account, and the amount of extra care that I must exercise as to reducing anticipated civilian losses to the lowest level possible. Hence, if I am not mounting an attack, as lawfully understood, then I am not so subject to such exacting rules, at least in relation to the law of armed conflict. So the question becomes whether the use of 'ones and zeroes' through cyber means can amount to an act of violence under Additional Protocol I or supporting customary international law, thus triggering my requirement to comply with a number of IHL rules. This issue caused considerable debate during the Tallinn process. Let's hear what Professor Schmitt has to say on this question and the outcomes reached. PROFESSOR MIKE SCHMITT: Why can't I conduct a psychological operation that intrudes into civilian systems and says, let's end the war now? This is an unreasonable war. So we said it can't possibly be any operation directed at the civilian population. That can't be an attack. What we eventually came up with was a definition of attack for the purpose of all of these prohibitions -- attack military objectives, et cetera, you can't attack anything other than military objectives -- a definition that said, we all agree it's death, injury, damage, or destruction. If a cyber operation does one of those four things, you're there. And then, through a torturous three-year process of thinking through this, we also came up with the notion that if a cyber operation affects the functionality of a tangible thing, then that, too, was an attack. So let me give you the simplest example. I have a laptop. I really don't care if you strike my laptop with a hammer or drop a bomb on it or conduct a cyber operation against it that means it doesn't work anymore. All I know is I now have an inanimate tangible object that only holds paper down. That's all it's good for. So this convinced us that attack includes not merely physical damage, but damage that affected the functionality of an object in some serious way.CYBERWAR
DR DALE STEPHENS: You can see from what Professor Schmitt describes that the Tallinn Manual authors recognised that in cyber operations, the term 'violence', as understood for the purposes of Article 49, can include impairment of functionality. While this would seem a natural and perhaps obvious step, it is not without its ambiguity. Listen to what Professor Schmitt says about debate concerning the need for physical replacement of parts for the cyber action to count as an attack under the law and the broader views concerning whether the destruction of data, requiring replacement of this data, itself constitutes a sufficient enough threshold to constitute an attack for the purposes of the Law of Armed Conflict. PROFESSOR MIKE SCHMITT: Because we're lawyers, we had more views than there were people in the room. We all agreed that -- the majority, not all -- the majority agreed that if there's a serious impediment to the functionality of the object, then that was an attack. Within this majority, there were multiple views. Some members said that this would require replacement of physical components of the object. And the classic example would be swapping out the logic board. I'm not sure why this doesn't work. Let me replace the logic board. Others-- I'm in this group-- said, no. I think it's more than that. If you have to replace the operating system or, indeed, if you have to replace data that the system relies on to perform its intended function, then that also is sufficient to meet the functionality test. Because to me, frankly, again, I really don't care if you drop a bomb on my computer, you hit it with a hammer, you have to replace the logic board, or you have to reload the operating system, or, in the case of certain unique computers, like computers that deal with space, they're designed solely for the purpose of dealing with space. And if you don't have particular data in it, it won't work at all. All I know is that I now have a useless item. Now, we need to be a little bit careful. We did not go so far-- and I was at a recent conference where I tried to make this point. Someone from another country, a non-English speaking country, had a PowerPoint, and it said, render the object dysfunctional. But they spelled dysfunctional D-Y-S-functional instead of disfunctional. We're talking about it being disfunctional, doesn't work. D-Y-S-functional means it doesn't work well. And we weren't willing to-- most of the experts weren't willing to go so far as to say, if you do something to my system and now it works slower or it doesn't-- maybe Word works, but PowerPoint doesn't or-- recently my computer kept turning off. Then it would turn back on if I waited 30 seconds. I just had to wait. We're not talking about that. That's interference. That's irritation. But that doesn't rise to the level of harm that would qualify a cyber operation as an attack. So we're talking about dis-- D-I-S-- functional, not D-Y-S-functional. There were some members, a very small minority, that said, no. It's even more than that. If you're interfering with the data resident on the computer, that's enough. You're damaging data. Most of us rejected that, because we said you've thrown out the baby with the bath water. That's far too far. That will encompass operations that every state in the world would today deem to be logical. Because when I conduct a psychological operation through cyberspace, I do have to manipulate ones and zeroes in order to do that. That's too far.
CYBERWAR
DR DALE STEPHENS: The significance of this threshold requirement for impairment of functionality carries with it a significant consequence. If a cyber operation conducted by a state or non-state actor does not rise to the threshold level of constituting an attack, then the myriad of rules and standards that seek to minimise civilian loss don't apply, at least as a matter of IHL. Does this constitute a potential worrying gap? The answer to that question is potentially yes. But it is instructive to listen to Professor Schmitt as he discusses the issue of causality and foreseeable damage that was debated during the Tallinn Manual process to understand that the law can apply in situations that most of us would consider obvious, to condition such attacks to reduce civilian harm. PROFESSOR MIKE SCHMITT: This whole discussion of attack had some very important consequences. One of the consequences is, at least in our view, if a cyber operation doesn't qualify as an attack as a matter of law, if it doesn't at least meet the functionality test, then what that means is that the civilian object involved or the civilian involved doesn't enjoy IHL protection, unless there's what we call special protection. So there's special protection for humanitarian assistance activities. There's special protection for civil defence. There's special protection for medical. There's special protection for religious. But unless the activity doesn't benefit from one of these special protections under IHL, humanitarian law, then what that means is you can target it. It means it's a valid target. We need to be careful. It's a valid target subject to the rules of proportionality and the requirement that you take precautions in an attack to minimise the effect on the civilian population. Now, this raises a very, very important point. So this causes people to be nervous. And so they should be. And in fact, I believe this law will change. I've written about this several times, that this is not an answer that is entirely responsive to the object and purpose of humanitarian law. So I anticipate change in this area of law. I would to hasten to add it's not as bad as it seems when you hear about it the first time. Because what the international group of experts agreed was that when you're assessing whether something's an attack, you must assess the consequences not only on the target system, the thing you're shooting at through cyberspace, but anything else that's affected in a way that would qualify it as an attack. So the classic example is I conduct an attack against an electrical grid, which is a very lucrative target in warfare. You often want to affect the electrical grid. I attack the electrical grid, and as a result of that, it has consequences that actually are physical in nature. Many, many people always use the incubator example, where the incubators shut down in the hospital. The children die as a result. If that's foreseeable, you must consider that, and that will qualify the operation as an attack subject to the prohibition. And the incubator one is the one that's most often used. But the one that's perhaps most likely is electricity or power, because we're in Newport, Rhode Island, right now -- we're in the midst of a cold spell -- it's February -- it's very cold. If you lose power in Rhode Island today, it's predictable people will die. The elderly will die. The sick will die. Because it will be too cold. So you must assess all of those consequences when you're trying to determine whether or not something is an attack that is subject to the prohibitions on attacking civilian objects, attacking civilians, and so forth.
CYBERWAR
DR DALE STEPHENS: While the law needs to keep pace with changing means and methods of warfare, there is naturally a worry that well established humanitarian standards may be eroded, because the law doesn't neatly fit with the new capability that departs from traditional conceptions of using force, such as cyber warfare. However, as paradoxical as it may sound, such new methods and means of warfare can actually promote a new recognition of greater humanitarian obligation. Take, for example, the rules contained within Article 57 of Additional Protocol 1. This provision, which is also reflected as a rule of customary international law, requires that states who are undertaking an attack make sure that they do all that is feasible to reduce civilian loss, even below what a proportionality analysis would otherwise allow for in respect of expected incidental civilian casualties. To this end, the rise of cyber as a weapon system may require a state to use such means to attack and render inoperative a military objective in a manner that results in no civilian losses whatsoever. Thus if I have a bomb and I have a cyber capability to render inoperative a military objective, say for example an air defence system, then as a matter of law, I may be required to use the cyber means. Certainly Professor Schmitt thinks this is the case, although his views are heavily caveated by the requirement of 'feasibility'. Let's listen to what he has to say. MIKE SCHMITT: You're sitting in a mission planning cell, a targeting cell, you are trying to achieve-- Targeting today isn't about destroying things, it's about achieving effects on the enemy. You're trying to achieve a particular effect and I can achieve that effect by dropping a bomb on it, by destroying the target. But in today's environment, I may be able to achieve the effect by simply shutting it down for a short period. And so under Article 57 and under customary law, if you can do so, without sacrificing any military advantage, then I believe, as a matter of law, you're obligated to engage in the cyber measure. Now I have to emphasise again that this is subject to the military feasibility of doing that. Not every case is it militarily feasible despite what you often hear in the press, our cyber resources are not unlimited. And if we're in a major conflict, various commanders will compete for cyber resources. Moreover, cyber has a real problem and it's a problem that the techies, the technical experts, are always telling me about. Once you fire a cyber weapon, that may be the last time you get to use that weapon because you're exploiting a vulnerability and the use of the cyber weapon reveals your capability such that the vulnerability is plugged. So I may not use the cyber weapon not because I need to use it elsewhere, but I don't know what's going to happen in the future and I may need to reserve it for situations where it may be more valuable in avoiding civilian harm.DR DALE STEPHENS: While the Tallinn Manual provides an extremely useful starting point for guidance regarding the manner in which cyber means and methods can be used in armed conflict, even this very brief overview of some of the concepts and conundrums demonstrates that this is an ever evolving area of law. In this area of cyber operations in armed conflict, there has been very little initiative by states in the arena of regulation. It has been left to academic and government experts to develop a best-practice type guidance, taking into account prevailing principles and concepts. If international law is to maintain its validity, it needs to be responsive to changing needs. It is clear that cyberspace activity is growing exponentially. This is in terms of both capacity to undertake intrusive action as well as recognised vulnerabilities due to the wired nature of daily life. The existing law applicable in armed conflict, which was designed solely on the basis of kinetic action, requires modification to keep pace. States are developing their cyber capacities that could be used in an armed conflict, yet are unsure where they sit on the policy continuum. Do they want greater defensive regulation? Or is this an area where perceived advantage in offensive capability means that they want to dispense with any kind of new regulatory oversight, at least through the means of a new treaty applicable to cyber in armed conflict. Hence, as we move forward we are left with the old principles derived from existing law. And as states begin to understand their cyber capacities and limits, manuals such as the Tallinn Manual provide a useful starting point to assess the lawfulness and legitimacy of actions. It is states, though, that make international law. And as cyber capacities are tested and defences assessed, there will inevitably develop state practice that will be the primary means through which law will continue to develop in this area. It will happen in fits and starts and will not be uniform. But as with all new technologies, cyber means and methods of warfare will be understood for their unique characteristics. And there will inevitably be a more informed debate about how humanitarian protections are to be better designed in law to account for the cyber warfare phenomenon. Courses such as this are intended to inform such debate.
No comments:
Post a Comment