magnify
Home Articles posted by Michael Schmitt

France Speaks Out on IHL and Cyber Operations: Part II

Published on October 1, 2019        Author: 

In the first part of this post I discussed the position paper’s articulation of the views of France on the applicability of IHL to cyber operations, on the classification of armed conflicts, and on their geographical scope in the cyber context. In this part I will examine the position paper’s views on the concept of “attack,” on the conduct of hostilities and on data as an object.

The Meaning of the Term “Attack”

The issue of the meaning of the term “attack” has occupied center stage from the very inception of legal thinking about cyber operations during an armed conflict. It is a critical one because most key IHL “conduct of hostilities” rules are framed in terms of attacks – it is prohibited to direct “attacks” against civilians or civilian objects (distinction), an “attack” expected to cause collateral damage that is excessive to the anticipated military advantage is prohibited (proportionality), parties must take precautions in “attack” to minimize harm to civilians (precautions in attack), etc.  These prohibitions, limitations, and requirements beg the question of when a cyber operation qualifies as an “attack” such that the rules govern it.

Read the rest of this entry…

 

France Speaks Out on IHL and Cyber Operations: Part I

Published on September 30, 2019        Author: 

The French Ministry of the Armies (formerly the Ministry of Defense) has recently released Droit International Appliqué aux Opérations dans le Cyberspace (International Law Applicable to Operations in Cyberspace), the most comprehensive statement on the applicability of international law (IHL) to cyber operations by any State to date.  The position paper dealt definitively with many of the current unsettled issues at the forefront of governmental and scholarly discussions.

This two-part post builds on an earlier post at Just Security in which I examined the position paper’s treatment of the relationship between peacetime international law, including that set forth in the UN Charter regarding uses of force, and hostile cyber operations. The focus here, by contrast, is on France’s views as to how IHL applies in the cyber context. Key topics addressed in the paper include the applicability of IHL in cyberspace; classification and geography of cyber conflict; the meaning of the term “attack” in the cyber context; the legal nature of data during an armed conflict; and other significant IHL prohibitions, limitations, and requirements on cyber operations.

Read the rest of this entry…

 

Un-caging the Bear? A Case Study in Cyber Opinio Juris and Unintended Consequences

Published on October 24, 2018        Author:  and

On October 4, the United Kingdom’s National Cyber Security Centre (NCSC), a division of the GCHQ, issued a news release attributing multiple cyber campaigns to Russia’s military intelligence service, the GRU. They were, according to the NCSC, designed to ‘undermine [the] international sporting institution WADA [World Anti-Doping Agency], disrupt transport systems in Ukraine, destabilise democracies and target businesses’.

The release was notable in two regards. As the campaigns were conducted by the GRU, an organ of the Russian government, Russia is legally responsible under the law of State responsibility for any violations of international law that may have occurred. Second, the release stated that the operations were ‘conducted in flagrant violation of international law’. Indeed, Foreign Secretary Jeremy Hunt, whom the release quoted, observed, ‘[t]his pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences’. 

Unfortunately, neither the NCSC nor the Foreign Secretary delineated those rules of international law that Russia allegedly violated or otherwise undermined. In this post, we attempt to tease loose the legal significance of the operations by measuring them against the recently enunciated UK positions on international law in the cyber context. Attorney General Jeremy Wright set forth these positions in a 23 May Chatham House speech. We first highlight the UK approach to the key international law prohibitions that are relevant vis-à-vis the Russian operations. Second, we assess the operations themselves against the UK position on these legal rules. Finally, we conclude by making the point that legal policy decisions with respect to cyberspace may prove a double-edged sword. Compelling reasons may exist for adopting particular positions regarding international law norms in cyberspace, but seldom are those positions cost-free. In particular, we suggest that the United Kingdom’s rejection of a rule requiring respect for the sovereignty of other States eliminates its most defensible basis for arguing that the Russian cyber campaigns undermined international law. Other States should bear this in mind before following suit.

Read the rest of this entry…

 
Comments Off on Un-caging the Bear? A Case Study in Cyber Opinio Juris and Unintended Consequences

The NotPetya Cyber Operation as a Case Study of International Law

Published on July 11, 2017        Author:  and

The recent “NotPetya” cyber-operation illustrates the complexity of applying international law to factually ambiguous cyber scenarios. Manifestations of NotPetya began to surface on 27 June when a major Ukrainian bank reported a sustained operation against its network. The Ukrainian Minister of Infrastructure soon announced ‘an ongoing and massive attack everywhere’.  By the following day, NotPetya’s impact was global, affecting, inter alia, government agencies, shipping companies, power providers, and healthcare providers. However, there are no reports of NotPetya causing deaths or injuries.

Cybersecurity experts have concluded that despite being initially characterized as a ransomware attack similar to WannaCry and Petya, NotPetya was directed at specific systems with a purpose of ‘causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power’. Additionally, most agree that Ukraine was the target of the operation, which bled over into other States. The key question, however, is the identity of the attacker. NATO Cooperative Cyber Defence Centre of Excellence experts have opined that ‘NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state.’

Although the facts are less than definitively established, the EJIL: Talk! editors have asked us to analyse the incident on the assumption that it is factually and legally attributable to a State.  We begin with a peacetime international law survey and conclude with an international humanitarian law (IHL) analysis. Read the rest of this entry…

 

Cyber Responses “By The Numbers” in International Law

Published on August 4, 2015        Author: 

According to open source reports, the Obama administration is considering how to retaliate against China for hacks into the US government’s Office of Personnel (OPM). Although it has hesitated to openly pin the rose on China, the reports raise questions as to how it might respond consistent with international law.

The issue of responses to harmful cyber operations has generated a fair degree of rather confused dialogue among politicians, pundits and the public. In the aftermath of, inter alia, the Sony hack and the OPM incident, it might be useful to take a by-the-numbers look at the international law governing responses to harmful cyber operations. The International Group of Experts that prepared the 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence dealt with the topic briefly. A follow-on project, “Tallinn 2.0,” is presently underway to examine these issues in greater depth. As director for both projects, I have found the most useful lesson to be that, despite persistent claims to the contrary by international law and policy alarmists, the extant international law provides a linear structure, and robust means, for response. In the same way that international law generally balances national interests and international stability in the non-cyber realm, so too does it with respect to cyber. What follows is a summary of my approach to deconstructing the applicable law.

Read the rest of this entry…