How is Cyber Warfare Conceptualized in International Law?
Cyber warfare is subject to significant attention presently, and one key task is to ascertain how it articulates with international humanitarian law (jus in bello). The most comprehensive attempt thus far is the Tallinn Manual Process (TMP), based at the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Estonia. The Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual), an exhaustive analysis by international lawyers, finds that customary international law applies to cyberwarfare, as with other forms of military force. The Tallinn Manual addresses cyberweapons within this framework, suggesting that they are prohibited from causing “unnecessary suffering” to combatants if military objectives are not furthered by their use. Non-combatants are already protected by law and should not be subject to cyber weapons use. The TMP has no binding legal status, but NATO formally incorporated its recommendations into its Enhanced Cyber Defence Policy. The United Kingdom has confirmed these principles in defense strategy, as has the United States. US military doctrine for cyber warfare also respects opinion juries on the matter, although submits that “[p]recisely how the law of war applies to cyber operations is not well-settled” (US Department of Defense, 2015b: 996), a situation the second volume of the Tallinn Manual will address in late 2016.
Russia asserts that the TMP serves the bellicose interests of “the West,” whereas Russia prefers “a diametrically opposed policy of averting military and political confrontations in information space.” Both propositions are rejected by one TMP expert, who surmises that Russia criticizes the TMP because it “run[s] counter to their objective of modeling international law in a manner that serves the interests of the Russian Federation.” Neither the Russian claim nor the NATO rebuttal is unjustified: the law is as much about facilitation as it is about prohibition. When the law is translated into military doctrine, the doctrine is an enabler of military operations. It constrains actions in meaningful ways but provides opportunities to others. The TMP and any similar processes seek to preserve and maximize military freedom of movement in pursuit of political goals, congruent with particular interpretations of international law and universal norms. It follows that the legitimacy and modes of cyber weapons deployment in war depend on how different national and coalition interests are translated into laws, standards and, perhaps, future treaties.
The debate about cyber weapons and cyber warfare rests on the interpretation of existing international law and its applicability to a novel weapons class. In contrast, discussions about global cybercrime have, for the last 15 years, been with primary reference to an entirely new instrument, the Council of Europe Convention on Cybercrime (“Budapest Convention,” 2001). The Convention aims to harmonize national cybercrime legislation, enhance transnational policing measures in pursuing and prosecuting cyber criminals, and improve international cybercrime cooperation. The Convention has been signed and ratified by several non-European states, including Canada, Japan, Australia and the United States, and remains open for accession by others. Brazil and India have refused to sign the Convention, as neither played a role in the drafting of the treaty, and Russia claims that transnational policing and investigation violate its sovereignty. China and Russia have suggested that the Shanghai Cooperation Organization is their preferred forum for cybercrime cooperation. Notwithstanding these objections, and issues surrounding its practical implementation, the Convention is widely regarded as the pre-eminent framework for the prohibition of cybercriminal activities.
The Convention makes no mention of cyber weapons, but Article 4.1 requires state parties to criminalize intentional actions in and through computer systems that result in the “damaging, deletion, deterioration, alteration or suppression of computer data without right.” Furthermore, state parties may require that such actions “result in serious harm” (Article 4.2). These two articles alone would criminalize the deliberate use of code to cause damage, although the Convention does not further specify to which entities harm must be caused. Article 11 criminalizes “aiding and abetting” such activities. There is, therefore, a range of instances meeting the criteria of intent and harm outlined earlier and the Convention may have further utility in disrupting cyberweapons supply chains. State use of cyber weapons is presumably excepted, although their roles in cyberweapon components markets is legally a gray area and deserve closer attention.
The newest source of cyber weapons governance also relies on existing mechanisms, specifically the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (1996). In December 2013, the Arrangement was extended to classes of hardware and software “specially designed or modified for the generation, operation or delivery of, or communication with ‘intrusion software’”, defined as software intended to extract or modify data from a computer system or networked device, or which would “allow the execution of externally provided instructions” (Wassenaar Arrangement, 2016). This was the first attempt to incorporate hardware and software associated with cyber weapons into a multilateral regime, although it did not extend to intrusion software itself, into which various cyberweapons components fall. At the end of 2014, EU member-states incorporated the new rules into domestic legislation. The United States expressed similar enthusiasm but public consultation revealed significant opposition, and in March 2016 the State Department admitted the amendment required renegotiation before translation into domestic law. The principal objection was that it would criminalize security researchers using malware systems to improve security products, a potential side-effect recognized since cyberweapons regulation was first discussed. Although “well-intentioned,” the amendment would, therefore, set back cyber security.
This indicates clearly the dual-use nature of malware, which can be used for “defensive” and research purposes, as well as “offensive” deployments as cyberweapons proper. In this context, intent determines if malware attains the status of a weapon, not technical considerations. It is unclear if the revised Wassenaar Arrangement can be renegotiated to protect legitimate malware uses. Its future efficacy depends on incentivising legitimate security research while controlling the export of illegal weapons components. This task is significantly complicated by Wassenaar’s weak enforcement mechanisms, the interplay of state interests, and the technical difficulties in monitoring the transfer of code across the internet. It does, however, count Russia and the United States as participants, along with 39 other states, which indicates the strength of normative commitments to export controls on dual-use technologies.
This article was excerpted from Cyberweapons: an emerging global governance architecture.