(My thanks to IntLawGrrls for the opportunity to contribute this introductory post)
"The Internet in Bello: Cyber War Law, Ethics & Policy."
Among the many speakers and moderators were these: IntLawGrrls' editor emerita Beth Van Schaack (below right), since March 2012 the Deputy to Stephen J. Rapp, U.S. Ambassador-at-Large in the Office of Global Criminal Justice; Anne Quintin of the ICRC (below left); and yours truly, Berkeley Law’s Kate Jastram. The keynote speaker was Air Force Colonel Gary D. Brown, Staff Judge Advocate for the U.S. Cyber Command, based at Fort Meade, Maryland. (Prior IntLawGrrls posts.)
Reflecting on how jus in bello norms apply, if at all, to cyber security operations, the main themes of the seminar are sketched below.
Characteristic of the uncertainty posed by cyber capabilities in armed conflict, it was a matter of some dispute whether the issue itself is even significant:
► From one perspective, cyber operations are a strategic development of first-order significance, heralding a revolution in military affairs analogous to the dawn of the nuclear age. In addition to posing new threats, cyber may offer unprecedented opportunities to comply with international humanitarian law/the law of armed conflict (typically abbreviated IHL/LOAC).
► Skeptics point to the profit-motivated hype associated with cyber security issues, and argue that there have been very few examples of serious cyber attacks in the accepted legal meaning of the word.
A recurring question is whether "war" is in fact the correct characterization for most hostile cyber activity, and therefore whether the law of armed conflict is the relevant legal framework. It was agreed both that IHL/LOAC applies to cyber operations in armed conflict, and that not all hostile cyber actions should engage this body of law.
It is difficult to analogize from established international law rules to new and rapidly changing technologies. Cyber’s lack of correlation to physical geography, for example, makes application of traditional rules problematic. While IHL/LOAC is too limited to deal with the full range of cyber security activities, and cyber issues must be addressed in other legal frameworks, it is also the case that IHL/LOAC needs to develop to respond to the capabilities and threats of cyber war.
The most promising, and underexplored, possibility is the potential for a more humane method of warfare.
Reviewing the cyber aspects of some basic definitions, it was agreed that cyber operations causing physical damage would constitute an "attack" under Article 49.1 of Additional Protocol I to the Geneva Conventions of 12 August 1949, which was adopted in 1977 and entered into force 1978. (The United States is not a party but accepts many of its provisions as customary international law.)
Article 49.1 states:
'"Attacks" means acts of violence against the adversary, whether in offence or in defence.'However, views on "neutralization" under Article 52.2 of Additional Protocol I differ. Article 52.2 provides:
'Attacks shall be limited strictly to military objectives. In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage.'Some say neutralization is an attack, at least in the context of an ongoing armed conflict. Rejecting this notion, others point out that IHL/LOAC does not address acts short of violence. A related concern is the imprecise use of terminology: many cyber "attacks" are simply espionage.
Attribution is exceptionally difficult in the context of cyber. Perhaps a lower level of attribution is required in cyber war than in warfare that's kinetic (that is, warfare that uses physical force).
Regarding direct participation in hostilities, the role of nonstate actors is a particularly salient issue. The military-civilian overlap is significant, with the intelligence community perhaps more likely to have the relevant skill set than warfighters for carrying out cyber operations. While this may be appropriate, it also raises the issue of the relevant legal framework.
With the principle of distinction, indiscriminate attacks and unforeseen consequences are potentially the most serious problems of cyber operations. However, cyber can enhance the ability to be "hyper distinctive." One example is Stuxnet, the computer worm of 2010, which was tailored to destroy its target and nothing else.
On the related issue of proportionality, cyber may be the best way to minimize collateral damage. Cyber operations may be more compatible with IHL than kinetic operations. The relative lack of enthusiasm on the part of the IHL community thus far for this potential advance in enabling protection of civilians was noted.
Neutrality analysis is complicated because of the nature of cyber (for example, 60% of Internet traffic traverses privately owned U.S. servers), as well as the difficulty of conflict classification, and the lack of de jure neutrality rules in non-international armed conflict.
In the cyber realm, only a very rare set of events would rise to the level of prohibited perfidy (an offense about which Beth posted in another context here). But this may be an area where new norms should be developed.
Finally, views diverged as to whether precaution imposes on states the obligation to choose less harmful means to achieve military aims, which cyber may sometimes fulfill.
U.S. cyber security policy is underdeveloped, and complicated by the Title 10/Title 50 debate about which our colleague Robert M. Chesney has just published.
The United States should engage with, yet not dominate, discussion with its allies. The risk is that the U.S. voice is overwhelming, yet is driven by essentially domestic considerations. There is a need for greater appreciation on the part of the U.S. that even its close allies have different perspectives.
Two important points were made regarding the speed of cyber activity:
► First, it necessarily results in a diminished role for human decision-making. Reacting in cyber time essentially means autonomous decision logic.
► Second, cyber speed implies an important impact on traditional notions of space and geography. The closer an event gets to a time duration of zero, the closer it is to a non-event.
There is a high degree of control of cyberspace by the private sector in the United States. Financial institutions are investing heavily to protect their networks. At the same time, corporations are protective of their information, which presents an impediment to cooperation with the government and each other.
A recurring theme of the seminar was that there are more questions than answers. This is clearly a rich area for scholarship and debate, deeply informed by operational challenges.
Colonel Brown(right) of the U.S. Cyber Command noted that there is a reluctance to make rules and to say yes, since caution in this novel environment is safer. He emphasized the need for standing ground rules, so that each situation is not unique. IHL/LOAC norms provide at least the framework for such standing ground rules. Despite limitations on disclosing information to the public, it would seem that at least some of the situations and issues faced by Cyber Command could be discussed in general terms with interested scholars and practitioners such as ICRC, perhaps in closed sessions.