Cybersecurity: LOAC-Military

Snowden Disclosures and Norms of Cyber-Attacks

By Matthew Waxman
Thursday, March 20, 2014, 11:00 AM

Secrecy---of the sort that typically shrouds cyber-defense and cyber-attack capabilities and doctrine---complicates the development of international norms.  Secrecy makes it difficult to engage in sustained diplomacy about rules.  Officials can talk about them at high levels of generality, but can’t get very specific, and it’s therefore hard to reach agreement.  Secrecy makes it difficult to verify commitments or demonstrate compliance.  Perceived distance between mere words and true actions may be large amid high degrees of secrecy.

It’s for these reasons that I’ve argued that intense secrecy around states’ cyber-capabilities will slow the development and clarification of international law governing cyber-attacks or responses to them.  I’ve also argued that because the United States “occupies a position of advantage on offensive cyber capabilities, it should seize the opportunity to lay out a set of rules for itself and others.”  Notwithstanding some important statements on this topic, such as then-State Department Legal Adviser Harold Koh’s remarks on applicability of self-defense rules and law of armed conflict to cyber-attacks, to do this the United States would need to resist its usual tendency to over-value secrecy at the expense of shaping international norms.

I was therefore struck by one of the written answers provided by NSA Director-nominee Admiral Michael Rogers to the Senate Armed Services Committee:

I believe the recent disclosures of a large portion of our intelligence and military operational history may provide us with opportunity to engage both the American public and our international partners in discussion of the balance of offense and defense, the nature of cyber warfare, norms of accepted and unacceptable behavior in cyberspace, and so forth (my emphasis).

This seems to refer to the Snowden disclosures, but it’s not clear what he has in mind with regard to norms.

The U.S. government talks a lot about norms as part of its overall cyber strategy, but with few exceptions (like the Koh remarks) it hasn’t been forthcoming about what norms it wants to advance.  Maybe this is because it prefers to work this very quietly through private diplomacy, but I suspect that it’s at least partly because the U.S. government hasn’t yet decided what rules it wants with regard to, for example, penetrating other states’ networks or distinguishing legitimate from illegitimate targets.  The Snowden disclosures could prompt more open and specific international legal discussion about offensive and defensive cyber practices, and it could prompt the U.S. government to clarify its legal positions or decide which ones are worth defending vigorously.  This has occurred to some extent with respect to revealed surveillance of individuals and the public (at home and abroad), but we don’t yet know much about what might yet be revealed about cyber-attacks.

It’s especially interesting that Admiral Rogers talks about Snowden revelations and their impact on norm development in positive, optimistic terms, because the general mood so far has been that the disclosures are damaging to American efforts on cyber norms.  For example, disclosures of major U.S. internet surveillance programs, including penetration of the internet backbone, undermines the credibility of American commitment to protecting an open, global web.  Disclosures of U.S. government spying on foreign companies like Brazil’s Petrobras has clouded American efforts to distinguish “legitimate” espionage from illegitimate commercial espionage.  But Rogers talks about all this as an “opportunity” to advance the U.S. agenda on norms.  He may be right, but it will require a concerted, proactive campaign rather than scrambling to respond to specific leaks.

As a related aside, secrecy of capabilities complicates deterrence (see Dr. Strangelove).  Admiral Rogers also suggests in his written answers that the Snowden disclosures might inadvertently contribute to American deterrence of cyber-attacks by revealing U.S. defensive and retaliatory capabilities in this area.  In fact, his brief allusion to international norms comes in his answer to a question about how to strengthen deterrence.