On Feb. 13, our colleague Robert Chesney flagged the upcoming Cyber Command legal conference titled “Cyberspace Operations in the Gray Zone.” The conference—which begins Monday morning and involves heavy interagency and private sector and academia participation—is set to address a number of key international and domestic law issues surrounding cyberspace operations, such as the exploiting of social media in the gray zone, the characterizing of information warfare in cyberspace, the protecting of domestic information systems, the countering of gray zone cyber threats, technology and warfare, and privacy implications of military cyberspace operations. Much of the conference will be geared towards sub-use of force issues and activities that may not clearly be governed by the law of armed conflict, which raises questions about when exactly cyber activities do or not involve the use of force.
The U.S. asserts that extant international law, to include International Humanitarian Law (IHL) applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the Tallinn Manual 2.0 may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual. Because members of the military are tasked with following the law, defining the nuances of the applicability of international law in cyberspace should be a central priority. We hope that the following discussions can serve to enrich this week’s conference, and further DoD’s development of cyber law.
This year, a number of excellent pieces of scholarship emerged that could help enhance conference discussions on key elements of international law, namely the principles governing cyber operations outside the context of armed conflict, such as sovereignty and the IHL principles of distinction and proportionality. In his personal capacity, Colonel Gary P. Corn, Staff Judge Advocate of USCYBERCOM, co-authored “Sovereignty in the Age of Cyber” with Robert Taylor, Former Principal Deputy General Counsel of DoD, and posted on SSRN an advance draft of an upcoming chapter titled, "Cyber National Security: Navigating Gray Zone Challenges In and Through Cyberspace." Meanwhile, Commander Peter Pascucci, Chief of Operational Law at USCYBERCOM, authored “Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution.” These works add nuance to the applicability of international law principles to cyberspace and vary somewhat from the publicly stated views of prior State Department Legal Advisers, as we’ll argue below.
First, harking back to former State Department Legal Adviser Harold Koh’s speech on the applicability of IHL to cyberspace in 2012, Koh offered this statement on sovereignty:
States conducting activities in cyberspace must take into account the sovereignty of other States, including outside the context of armed conflict. The physical infrastructure that supports the internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial State. Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a State contemplates conducting activities in cyberspace, the sovereignty of other States needs to be considered.
In Corn and Taylor’s work on sovereignty, after noting the series of problems that vex those attempting to delineate the law in cyberspace—including interconnectivity, mingling of private and public sectors, lack of geography, etc.)—the authors attempt to tackle specific sovereignty related challenges. Perhaps the most compelling of these is their discussion on activities that don’t reach the level of prohibited intervention.
Corn and Taylor assert that “jus ad bellum and the principle of nonintervention provide limited guidance in the realm of cyber because the vast majority of cyber operations are something less than a use of force, and do not fit squarely within the traditionally recognized elements of the nonintervention rule.” Below these thresholds, however, they argue there is insufficient evidence to support claims of a distinct customary international law rule of territorial sovereignty applicable to cyberspace operations. On its face, this argument appears to contrast with Koh’s position that sovereignty must be taken into account, even “outside the context of armed conflict.” Our sense is not that the authors consider sovereignty to be entirely irrelevant in the cyber context, but that they offer a more fully developed—and perhaps less rigid—framing of how sovereignty should be understood in the contemporary information environment. We also view their analysis as more descriptive of international law than a number of renowned scholarly works and speeches that seem intent on substituting personal viewpoints or policy preferences for the law as we understand it.
Corn and Taylor point to both law and state practice as evidence that sovereignty is not a binding rule in actions within cyberspace, rejecting the notion that a concrete norm presently exists or will soon develop that proscribes states’ use of cyber capabilities in all contexts short of armed conflict. They further argue that the principle of sovereignty is differently applied depending on the domain (air, space, sea, land) which makes it more of an overarching principle depending on the domain than a rule with legal repercussions. For instance, espionage may only be prohibited under international law when it violates a second principle of international law such as the prohibition on the use of force or the rule of non-intervention; otherwise, it would not rise to the level of breaching an established rule of international law. Corn further develops these arguments in his draft chapter, highlighting the operational and legal challenges of confronting evolving cyber threats outside of armed conflict and the difficulties of mapping the existing international law of state responsibility to cyberspace. Further state practice will clarify the principle of a sovereignty in cyberspace and what the legal repercussions may become in the future. Because of the variations in state practice regarding the respect for sovereignty in cyberspace, we believe that further discussion of the topic is warranted.
Second, Koh also addressed the principles of distinction and proportionality in his 2012 speech:
The jus in bello principle of distinction applies to computer network attacks undertaken in the context of an armed conflict. The principle of distinction applies to cyber activities that amount to an “attack”—as that term is understood in the law of war—in the context of an armed conflict. As in any form of armed conflict, the principle of distinction requires that the intended effect of the attack must be to harm a legitimate military target. We must distinguish military objectives—that is, objects that make an effective contribution to military action and whose destruction would offer a military advantage—from civilian objects, which under international law are generally protected from attack.
The jus in bello principle of proportionality applies to computer network attacks undertaken in the context of an armed conflict. The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be, and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained. In the cyber context, this rule requires parties to a conflict to assess: (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyber attack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyber attack on civilian objects that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are military objectives.
Pascucci’s work on distinction and proportionality pushes the reader to consider the implications of Koh’s discussion of “cyber activities that amount to an attack” and what meeting the standard of attack means for civilian and military data in scenarios that may not meet that attack threshold. He argues that military operations that must abide by the principle of distinction are limited to those that constitute an attack according to Additional Protocol I Article 51(5)(b), and operations short of an attack do not trigger the application of the principle of distinction. This has particular implications for civilian data, which may not be protected.
In short, Pascucci rejects the position that civilian data should be treated as an object under IHL targeting principles. He sees material distinctions between, for example, kinetic force and using cyber means to gain placement and access to data or information systems that may not otherwise be affected. The distinction in effects and any physical manifestation, according to Pascucci, bears on whether or not IHL is the governing legal regime. He does not seem inclined to accept that analysis by analogy provides an appropriate legal analysis—even if such an approach may be appropriate for assessing the policy implications of operations or shaping discussions about what international law should be in the future.
We are thankful for these important pieces not only for their scholarly value but because we believe—despite their being written in the authors’ personal capacities—that they shed light on the thoughtful, detailed analysis that is being conducted at USCYBERCOM, across agencies and at events like the Cyber Command legal conference. After all, it was at this event in 2012 that Koh made his now famous speech on the applicability of international law to cyberspace. And we appreciate that the baselines set forth by Koh are being refined by those who must combat the constant contact of malevolent actors in cyberspace and who must find their own paths to understand such threats and provide for the nation’s defenses.
Note: It is with this sense of appreciation and optimism that Michael Adams will be leading the Cyber Command conference’s panel on Characterizing Information Warfare in Cyberspace on the afternoon of Monday, March 5, 2018. He will be joined by three leading authorities on the topic: Brian Egan, who, when serving as the State Department Legal Adviser, built on Koh’s speech with his own remarks on international law and stability in cyberspace; Sean Watts, who wrote an important piece that addresses "gaps and ambiguities" in the non-intervention principle in the cyber context; and Ryan Goodman, a leading scholar and commentator on Russian interference in the 2016 U.S. elections and implications under international and domestic law