In continuation of the series I promised you on high-level debates surrounding Cyber Warfare, here is the next article in a series of three (part oner here).
This article will be the longest in the series due to the multi-parted nature of the question. Of course the answers given to each of the questions are merely my opinions on the matter.
Please feel free to comment or contact me with relevant remarks.
In how far, and in what way, are existing international Legal frameworks relevant to behavior in the Cyber domain; specifically in relation to cyber violence?
- [Ad Bellum] Under what circumstances can a cyber threat be considered use of force or threatening use of force, in the sense of article 2, section 4 of the UN Charter? Under what circumstances can a cyber attack be considered an armed attack that justifies violence in self-defence based on article 51 of the UN Charter?
- [In Bello] When does humanitarian law of war apply to behaviors in the Digital domain? Must these be linked to kinetic use of force? How would this, during such application, be given shape to the Law of War’s principles of distinction and proportionality, and the requirement of taking precautions for safety?
- How would Civil legal concepts such as Sovereignty and Neutrality be given shape in the Cyber Domain?
Relevant UN Charter articles:
- Article 2, Section IV: All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
- Article 51: Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.
An Answer – the Right to Self Defence
Although Cyber gives a new dimension to Warfare, it is my opinion that the general application and behavior apply in the same fashion as they do under conventional warfare.
It is important that one should look to the effects of cyber attacks rather than the method or the individual components therein. In the end it is the damage dealt that bears relevance to those it is inflicted upon rather than the method.
For this reason the thresholds that have bearing on the various articles in the UN Charter we have set for conventional warfare do not necessarily change because of innovation in technology, nor do international agreements automatically become void.
Under the current UN Charter, each member state has the right to actively defend itself when attacked (or threatened with attack) and I feel this right remains relevant when discussing cyber warfare.
I would like to point out though, that what is typical for Cyber Warfare, but uncommon in kinetic operations, is the problem of Attribution. Not knowing who will attack, is attacking or has attacked you complicates the situation considerably. It makes all action and reaction susceptible to a fair margin of error and so any response should be carefully considered before execution.
As far as humanitarian principles in warfare go, it is certainly conceivable that cyber attacks may directly or indirectly lead to injury or loss of life. For instance, when a cyber attack on a power plant successfully blacks out an area, this can cause all kinds of damage.
Some of the more obvious risk area’s are those that affect Hospitals and Emergency Services such as Police and Ambulance services, but this is not a new aspect of warfare.
Knocking out power and communications is always something that must be done with utmost care, and this advance in technology doesn’t change that. In this case a well-placed cyber attack may very well be preferred over a kinetic attack that does permanent damage.
Principles of distinction between military and civilian targets, as well as proportionality should still apply when discussing the use of cyber attacks.
The debate surrounding legal concepts such as Sovereignty and Neutrality are the subject of much debate amongst technical, political and legal experts from many nations, and any answers to these questions are most likely susceptible to change as insight is gained over time.
Many people take the approach that Cyberspace does not have physical borders, but this is not exactly true. While Cyberspace as a concept may be regarded as unbound by geography, it is held up by very real, physical networking equipment. Data flowing from one system to the next does actually cross physical space through cables, routers and maybe even airspace via satellites or Wi-Fi connections.
As such, this data may be subjected to all kinds of rules and regulations imposed by the owners of the networking equipment in between points of departure and arrival. And what to say about being used as a proxy during a cyber attack?
Without international understanding of the ‘rules of the game’, you may be involuntarily drawn into conflicts because one of the parties routes his cyber attacks through your networks, or even using systems that are hosted on your soil.
Regardless of what position you take, it’s clear that concepts such as Sovereignty and Neutrality have a place in the debates surrounding Cyber Warfare.
About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands. Among a long list of professional certifications he obtained are the titles CISSP, Certified Ethical Hacker, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, works as a Project Manager for CSFI and acts as its Director of Educational Affairs in the EU region. He also blogs for several tech-focused websites about the state of Cyber Security and is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine.
Cross-posted from ArgentConsulting.nl