Archive for category "Cyber Warfare"

France Speaks Out on IHL and Cyber Operations: Part II

Published on October 1, 2019        Author: 

In the first part of this post I discussed the position paper’s articulation of the views of France on the applicability of IHL to cyber operations, on the classification of armed conflicts, and on their geographical scope in the cyber context. In this part I will examine the position paper’s views on the concept of “attack,” on the conduct of hostilities and on data as an object.

The Meaning of the Term “Attack”

The issue of the meaning of the term “attack” has occupied center stage from the very inception of legal thinking about cyber operations during an armed conflict. It is a critical one because most key IHL “conduct of hostilities” rules are framed in terms of attacks – it is prohibited to direct “attacks” against civilians or civilian objects (distinction), an “attack” expected to cause collateral damage that is excessive to the anticipated military advantage is prohibited (proportionality), parties must take precautions in “attack” to minimize harm to civilians (precautions in attack), etc.  These prohibitions, limitations, and requirements beg the question of when a cyber operation qualifies as an “attack” such that the rules govern it.

Read the rest of this entry…


France Speaks Out on IHL and Cyber Operations: Part I

Published on September 30, 2019        Author: 

The French Ministry of the Armies (formerly the Ministry of Defense) has recently released Droit International Appliqué aux Opérations dans le Cyberspace (International Law Applicable to Operations in Cyberspace), the most comprehensive statement on the applicability of international law (IHL) to cyber operations by any State to date.  The position paper dealt definitively with many of the current unsettled issues at the forefront of governmental and scholarly discussions.

This two-part post builds on an earlier post at Just Security in which I examined the position paper’s treatment of the relationship between peacetime international law, including that set forth in the UN Charter regarding uses of force, and hostile cyber operations. The focus here, by contrast, is on France’s views as to how IHL applies in the cyber context. Key topics addressed in the paper include the applicability of IHL in cyberspace; classification and geography of cyber conflict; the meaning of the term “attack” in the cyber context; the legal nature of data during an armed conflict; and other significant IHL prohibitions, limitations, and requirements on cyber operations.

Read the rest of this entry…


Un-caging the Bear? A Case Study in Cyber Opinio Juris and Unintended Consequences

Published on October 24, 2018        Author:  and

On October 4, the United Kingdom’s National Cyber Security Centre (NCSC), a division of the GCHQ, issued a news release attributing multiple cyber campaigns to Russia’s military intelligence service, the GRU. They were, according to the NCSC, designed to ‘undermine [the] international sporting institution WADA [World Anti-Doping Agency], disrupt transport systems in Ukraine, destabilise democracies and target businesses’.

The release was notable in two regards. As the campaigns were conducted by the GRU, an organ of the Russian government, Russia is legally responsible under the law of State responsibility for any violations of international law that may have occurred. Second, the release stated that the operations were ‘conducted in flagrant violation of international law’. Indeed, Foreign Secretary Jeremy Hunt, whom the release quoted, observed, ‘[t]his pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences’. 

Unfortunately, neither the NCSC nor the Foreign Secretary delineated those rules of international law that Russia allegedly violated or otherwise undermined. In this post, we attempt to tease loose the legal significance of the operations by measuring them against the recently enunciated UK positions on international law in the cyber context. Attorney General Jeremy Wright set forth these positions in a 23 May Chatham House speech. We first highlight the UK approach to the key international law prohibitions that are relevant vis-à-vis the Russian operations. Second, we assess the operations themselves against the UK position on these legal rules. Finally, we conclude by making the point that legal policy decisions with respect to cyberspace may prove a double-edged sword. Compelling reasons may exist for adopting particular positions regarding international law norms in cyberspace, but seldom are those positions cost-free. In particular, we suggest that the United Kingdom’s rejection of a rule requiring respect for the sovereignty of other States eliminates its most defensible basis for arguing that the Russian cyber campaigns undermined international law. Other States should bear this in mind before following suit.

Read the rest of this entry…


Reinventing Multilateral Cybersecurity Negotiation after the Failure of the UN GGE and Wannacry: The OECD Solution

Published on February 28, 2018        Author:  and

While the failure of cyber security negotiations under the auspices of the UN GGE has created a huge void in international regulation, recent cyber-attacks with global reach have shown that action is more urgent than ever. Reflection on standards, good practices and norms should include private sector actors who are often the first victims of cyber-attacks. We consider that the solution to the current vacuum in multilateral cybersecurity negotiations is the creation of a flexible and inclusive body within the OECD that would act as a hub for the various initiatives while promoting close cooperation between States, the private sector and civil society in order to promote standards of responsible conduct in cyberspace.

In recent years, States have tackled the problem of cyber security by multiplying initiatives in various intergovernmental organizations, be they universal organizations (such as the United Nations or the ITU) or regional or restricted organizations such as the European Union (with, for example, the recent cybersecurity package announced by the EU Commission in September), the Council of Europe, the OSCE, the OECD, the African Union, the Shanghai Cooperation Organization, NATO, ASEAN, the G7 or the G20. These initiatives are also developed in ad hoc frameworks specifically dedicated to cyber-security, where an impressive number of conferences are initiated by States, such as the Global Conference on Cyberspace (GCCS) which has launched the Global Forum on Cyber Expertise (GFCE) – and this without counting academic initiatives such as the process that led to the adoption of the Tallinn Manuals 1 and 2 or the creation of Think Tanks like the Global Commission on the Stability of Cyberspace chaired by Marina Kaljurand (formerly Estonian Foreign Minister).

The failure of the UN GGE

Read the rest of this entry…


The Fifth Transatlantic Workshop on International Law and Armed Conflict: Introduction to a Joint Blog Series

Published on September 27, 2017        Author: 

Over the coming weeks, three blogs – Intercross, EJIL:Talk!, and Lawfare – will host a joint blog symposium on International Law and Armed Conflict. The series will feature posts by some of the participants at the Fifth Annual Transatlantic Workshop on International Law and Armed Conflict, which was held at the European University Institute in Florence in late July. As in previous years, the workshop brought together a group of academic, military, and governmental experts from both sides of the Atlantic. The roundtable, held under the Chatham House Rule, was held over two days and examined contemporary questions of international law relating to military operations.

This summer, there was a particular emphasis on issues arising from the ICRC’s updated commentaries to the 1949 Geneva Conventions. The publication of the updated commentaries provided an opportunity to revisit some of the core issues that relate to the obligations of parties to conflicts under Common Article 1 (the obligation to respect and ensure respect), issues relating to classification of situations of violence as non-international or international armed conflicts under Common Articles 2 and 3, as well as issues relating to humanitarian access which arise under Common Article 3 and Common Articles 9/9/9/10 of the Conventions. The sessions also examined protection of the wounded and sick; cyberspace and the LOAC; and the Common Article 3 concept of non-state armed groups.

Some of those who attended the workshop have agreed to participate in a series of blog posts focusing on specific topics that were addressed during the workshop. Each blog post represents the different authors’ perspectives, and not necessarily those of anyone else at the workshop, nor any of the institutions represented.

Intercross kicked off the series yesterday with a post from Marten Zwanenburg (Netherlands Ministry of Foreign Affairs) on “The Obligation to ‘Ensure Respect’ for IHL: The Debate Continues” (available here). Read the rest of this entry…


The NotPetya Cyber Operation as a Case Study of International Law

Published on July 11, 2017        Author:  and

The recent “NotPetya” cyber-operation illustrates the complexity of applying international law to factually ambiguous cyber scenarios. Manifestations of NotPetya began to surface on 27 June when a major Ukrainian bank reported a sustained operation against its network. The Ukrainian Minister of Infrastructure soon announced ‘an ongoing and massive attack everywhere’.  By the following day, NotPetya’s impact was global, affecting, inter alia, government agencies, shipping companies, power providers, and healthcare providers. However, there are no reports of NotPetya causing deaths or injuries.

Cybersecurity experts have concluded that despite being initially characterized as a ransomware attack similar to WannaCry and Petya, NotPetya was directed at specific systems with a purpose of ‘causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power’. Additionally, most agree that Ukraine was the target of the operation, which bled over into other States. The key question, however, is the identity of the attacker. NATO Cooperative Cyber Defence Centre of Excellence experts have opined that ‘NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state.’

Although the facts are less than definitively established, the EJIL: Talk! editors have asked us to analyse the incident on the assumption that it is factually and legally attributable to a State.  We begin with a peacetime international law survey and conclude with an international humanitarian law (IHL) analysis. Read the rest of this entry…


Cyber Responses “By The Numbers” in International Law

Published on August 4, 2015        Author: 

According to open source reports, the Obama administration is considering how to retaliate against China for hacks into the US government’s Office of Personnel Management (OPM). Although it has hesitated to openly pin the rose on China, the reports raise questions as to how it might respond consistent with international law.

The issue of responses to harmful cyber operations has generated a fair degree of rather confused dialogue among politicians, pundits and the public. In the aftermath of, inter alia, the Sony hack and the OPM incident, it might be useful to take a by-the-numbers look at the international law governing responses to harmful cyber operations. The International Group of Experts that prepared the 2013 Tallinn Manual on the International Law Applicable to Cyber Warfare under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence dealt with the topic briefly. A follow-on project, “Tallinn 2.0,” is presently underway to examine these issues in greater depth. As director for both projects, I have found the most useful lesson to be that, despite persistent claims to the contrary by international law and policy alarmists, the extant international law provides a linear structure, and robust means, for response. In the same way that international law generally balances national interests and international stability in the non-cyber realm, so too does it with respect to cyber. What follows is a summary of my approach to deconstructing the applicable law.

Read the rest of this entry…


The Tallinn Manual on the International Law applicable to Cyber Warfare

Published on April 15, 2013        Author: 

Liis Vihul is the Tallinn Manual Project Manager, NATO Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia.

Although scholars began to assess how international law applies in the cyber context during the late 1990s, it was not until the 2007 cyber operations directed at Estonia that the international community became fully sensitised to the subject. For the first time, it became publicly clear that cyber operations are a powerful tool for conveying political or strategic messages by States, non-State groups and individual hackers.  The operations also made the international community aware of how cyber operations could be used to dramatically disrupt life in a country.

The incidents led in part to the establishment of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), an international military organisation located in Tallinn, the capital of Estonia.  The Centre is a partnership between eleven States.

In late 2009, NATO CCD COE invited a group of twenty international law scholars and operational legal advisers (the International Group of Experts), under the directorship of Professor Michael Schmitt of the United States Naval War College, to conduct a three year research project examining the norms applicable during cyber warfare. The product of this effort is the “Tallinn Manual on the International Law Applicable to Cyber Warfare”, published in March by Cambridge University Press.

Read the rest of this entry…


Remote Attack and the Law

Published on November 7, 2012        Author: 

Dr Bill Boothby, the former Deputy Director of Legal Services for the Royal Air Force, published through OUP his doctoral thesis on Weapons and the Law of Armed Conflict in 2009; he has now published his second book, again through OUP, on The Law of Targeting.

This post looks at three modern forms of distance attack, by autonomous unmanned platforms, by cyber means and in outer space, and asks whether they challenge, or are challenged by, contemporary law.  It concludes that in any challenge the law is likely to prevail, and suggests the extent to which, and conditions on which, such novel and increasingly controversial technologies may indeed prove to be legally compliant.

On 29 November 2011, The Guardian, discussing US drone strikes in Pakistan, asserted that the US military makes deadly mistakes all the time.  Al Jazeera has reported that during the period May 2011 to March 2012 about 500 people, many of them civilians, were killed in US drone strikes to push Al Qaeda from the Arabian Peninsula.  And yet, CNN recently reported New America Foundation research showing a markedly reduced civilian proportion of casualties in US drone strikes in Pakistan (from about 50 percent in 2008 to close to zero) which the researchers attribute inter alia to a presidential directive to tighten up target selection, the use of smaller munitions, longer linger periods over targets and congressional oversight.

So is new technology challenging the law, or is it the other way round?

There is nothing new about the idea of fighting at a distance.  The heroic Homeric tradition of the phalanx and of the hoplite fighting at close quarters was already in ancient Greek times called into question by the use of the bow, artillery and catapults, and the process of remote attack has continued to develop in succeeding centuries and millennia, spurred on by the evident military advantage such methods yield. But the Homeric objections persisted, for example during the Kosovo conflict in the form of objections to the NATO 15,000 feet bombardment policy.

And yet since World War II, the capacity to deliver ordnance from the air with precision has developed apace – the statistics are startling in terms of the reduced number of sorties required to get a bomb delivered from high altitude to within a given distance of a hypothetical target. So, and forgive a degree of over-simplification, the lay assumption that the closer the pilot is to the target the better has been trumped by technological innovation.

Is there anything qualitatively different about future developments in the realm of remote attack?

Read the rest of this entry…
