Published online by Cambridge University Press: 07 December 2018
This essay explores the ethical and legal implications of prioritizing the militarization of cyberspace as part of a roundtable on “Competing Visions for Cyberspace.” Our essay uses an ideal type—a world that accepts warfighting as the prime directive for the construction and use of cyberspace—and examines the ethical and legal consequences that follow for (i) who will have authority to regulate cyberspace; (ii) what vehicles they will most likely use to do so; and (iii) what the rules of behavior for states and stakeholders will be. We envision a world where states would take on a greater role in governance but remain constrained by law, including jus ad bellum and jus in bello criteria, but also sovereignty, nonintervention, and self-determination. We ask if the net result would mean states causing less harm than they do in kinetic conflicts. Ultimately, our essay takes no position on whether cyberspace should be a militarized domain (let alone one where warfighting is the prime directive). Rather, our goal is to situate a warfighting cyber domain within the reality of a pluralist cyberspace, where ethical imperatives compete or coalesce to support specific governance mechanisms.
1 Summary of 2018 National Defense Strategy of the United States of America (Washington, D.C.: U.S. Department of Defense, 2018), p. 6. The United States began to regard cyberspace as an operational domain in 2011. Department of Defense Strategy for Operating in Cyberspace (Washington, D.C.: U.S. Department of Defense, 2011), p. 5; and David Alexander, “Pentagon to Treat Cyberspace as an ‘Operational Domain,’” Reuters, July 14, 2011.
2 Steve Ranger, “US Intelligence: 30 Countries Building Cyber Attack Capabilities,” ZDNet, January 5, 2017.
3 See, for example, The Department of Defense Cyber Strategy (Washington, D.C.: U.S. Department of Defense, 2015), p. 14.
4 U.S. Cyber Command, for example, has recently emphasized the latter capacities in delineating its strategies for future operations. See, for example, Richard J. Harknett, “United States Cyber Command's New Vision: What It Entails and Why It Matters,” Lawfare, March 23, 2018.
5 Huang, Zhixiong and Mačák, Kubo, “Towards the International Rule of Law in Cyberspace: Contrasting Chinese and Western Approaches,” Chinese Journal of International Law 16, no. 2 (2017), p. 299 (quoting Ma Xinmin, a senior Chinese diplomat and international lawyer).
6 See, for example, Julian Ku, “How China's Views on the Law of Jus Ad Bellum Will Shape Its Legal Approach to Cyberwarfare,” Aegis Series Paper No. 1707, Stanford University, Hoover Institution (2017), p. 2; and Arun M. Sukumar, “The UN GGE Failed. Is International Law in Cyberspace Doomed As Well?” Lawfare, July 4, 2017.
7 Lindsay, Jon Randall, “Restrained by Design: The Political Economy of Cybersecurity,” Digital Policy, Regulation and Governance 19, no. 6 (2017), p. 493.
8 Ibid., p. 494.
9 Benjamin Jensen and David Banks, “Cyber Operations in Conflict: Lessons from Analytic Wargames,” UC Berkeley, Center for Long-Term Cybersecurity Occasional White Paper Series (2018), cltc.berkeley.edu/wp-content/uploads/2018/04/Cyber_Operations_In_Conflict.pdf.
10 Ibid., p. 3.
11 See DeNardis, Laura, The Global War for Internet Governance (New Haven, Conn.: Yale University Press, 2014), ch. 1.
12 Goldsmith, Jack L. and Wu, Tim, Who Controls the Internet? Illusions of a Borderless World (New York: Oxford University Press, 2006); and Chander, Anupam and Lê, Uyên P., “Data Nationalism,” Emory Law Journal 64, no. 3 (2015), p. 677.
13 See, for example, Arun M. Sukumar, “The UN GGE Failed”; Garrett Hinck, “Wassenaar Export Controls on Surveillance Tools: New Exemptions for Vulnerability Research,” Lawfare, January 5, 2018; and Cerf, Vinton, Ryan, Patrick, and Senges, Max, “Internet Governance Is Our Shared Responsibility,” I/S: A Journal of Law and Policy for the Information Society 10, no. 1 (2014), pp. 1–42.
14 See Price, Richard, “Reversing the Gun Sights: Transnational Civil Society Targets Land Mines,” International Organization 52, no. 3 (1998), p. 613.
15 See Demchak, Chris C. and Dombrowski, Peter, “Rise of a Cybered Westphalian Age,” Strategic Studies Quarterly 5, no. 1 (2011), pp. 32–61 (predicting states will delineate cyberspace “by formal agreement” with a “new cyber–Westphalian process” and “digital regions complete with borders, boundaries, and frontiers that are accepted by all states”).
16 Hollis, Duncan B. and Newcomer, Joshua M., “‘Political’ Commitments and the Constitution,” Virginia Journal of International Law 49, no. 3 (2009), p. 507; Raustiala, Kal, “Form and Substance in International Agreements,” American Journal of International Law 99, no. 3 (2005), p. 581; and Lipson, Charles, “Why Are Some International Agreements Informal?” International Organization 45, no. 4 (1991), p. 495.
17 Some modern treaties (such as multilateral environmental agreements) attempt to overcome this problem by devising built-in adjustment mechanisms to accommodate new facts, scientific developments, or agreements. Brunnée, Jutta, “Treaty Amendments,” in Hollis, Duncan B., ed., The Oxford Guide to Treaties (Oxford: Oxford University Press, 2012), p. 347; and Helfer, Laurence R., “Nonconsensual International Lawmaking,” University of Illinois Law Review 1 (2008), p. 75.
18 Hollis and Newcomer, “‘Political’ Commitments and the Constitution,” pp. 512, 526.
19 Raustiala, “Form and Substance in International Agreements,” p. 613; and Lipson, “Why Are Some International Agreements Informal?” p. 511.
20 See Hollis, Duncan B., “The Existential Function of Interpretation in International Law,” in Bianchi, Andrea, Peat, Daniel, and Windsor, Matthew, eds., Interpretation in International Law (New York: Oxford University Press, 2015), p. 78.
21 Finnemore, Martha and Hollis, Duncan B., “Constructing Norms for Global Cybersecurity,” American Journal of International Law 110 (2016), p. 471.
22 See, for example, UN Charter, Ch. VII: Action with Respect to Threats to the Peace, Breaches of the Peace, and Acts of Aggression; Geneva Convention (IV) Relative to the Protection of Civilian Persons in Time of War, August 12, 1949, UNTS 75, p. 287; and Hague Convention (IV) Respecting the Laws and Customs of War on Land and Its Annex: Regulations Concerning the Laws and Customs of War on Land, October 18, 1907.
23 “The Montreux Document on Pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies during Armed Conflict,” Government of Switzerland and the International Committee of the Red Cross (2008). For a proposal along these lines, see Hoffman, Wyatt and Levite, Ariel (Eli), Private Sector Cyber Defense: Can Active Measures Help Stabilize Cyberspace? (Washington, D.C.: Carnegie Endowment for International Peace, 2017).
24 Compare Henckaerts, Jean-Marie and Doswald-Beck, Louise, Customary International Humanitarian Law, International Committee of the Red Cross (New York: Cambridge University Press, 2005) with “Letter from John B. Bellinger III, Legal Adviser, U.S. Department of State, and William J. Haynes, General Counsel, U.S. Department of Defense, to Dr. Jakob Kellenberger, President, International Committee of the Red Cross, Regarding Customary International Law Study,” November 3, 2006, reprinted in International Legal Materials 46, no. 3 (2007), pp. 514–15.
25 Nate Lanxon and Tim Ross, “U.K. Blames North Korea for WannaCry Attack on Health Service,” Bloomberg, October 26, 2017; and Dustin Volz, “U.S. Blames North Korea for ‘WannaCry’ Cyber Attack,” Reuters, December 18, 2017.
26 Sarah Marsh, “US Joins UK in Blaming Russia for NotPetya Cyber-Attack,” Guardian, February 15, 2018.
27 See, for example, Kristen Eichensehr, “Three Questions on the WannaCry Attribution to North Korea,” Just Security, December 20, 2017; and Fidler, David P., “Was Stuxnet an Act of War? Decoding a Cyberattack,” IEEE Security & Privacy 9, no. 4 (2011), p. 56 (“Nation-states have been curiously quiet about Stuxnet…including the victim state (Iran)”). With respect to the Sony Pictures hack, President Obama declined to classify the incident as cyber warfare but referred to it as an act of “cyber vandalism.” Brian Fung, “Obama Called the Sony Hack an Act of ‘Cyber Vandalism.’ He's Right,” Washington Post, December 22, 2014.
28 See UN Charter, Articles 39, 42, and 51.
29 See Schmitt, Michael, ed., Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge: Cambridge University Press, 2017), Rule 71 (“A state that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defense.”).
30 Ibid. (referring to “scale and effects” of the attack).
31 See, for example, UN General Assembly Resolution 2625 (XXV), “Declaration on Principles of International Law Concerning Friendly Relations and Co-operation among States,” October 23, 1970, A/RES/25/2625; and Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States), ICJ Reports 1986, pp. 97–98 [para. 205]; see also Case Concerning Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, ICJ Reports 2005, p. 63 [para. 163].
32 Schmitt, Tallinn 2.0, p. 312.
33 Ibid., p. 314.
34 For a discussion, see Corn, Gary P. and Taylor, Robert, “Sovereignty in the Age of Cyber,” AJIL Unbound 111 (2017), pp. 207–12.
35 Schmitt, Tallinn 2.0, p. 17 (Rule 4).
36 See, for example, Gary Corn, “Tallinn Manual 2.0—Advancing the Conversation,” Just Security, February 15, 2017.
37 Jeremy Wright, QC, MP, “Cyber and International Law in the 21st Century,” May 23, 2018, www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century.
38 Schmitt, Tallinn 2.0, pp. 21–24.
39 See Ohlin, Jens David, “Did Russian Cyber Interference in the 2016 Election Violate International Law?” Texas Law Review 95 (2017), pp. 1579–598.
40 On retorsions and countermeasures, see International Law Commission, “Draft Articles on the Responsibility of States for Internationally Wrongful Acts,” in Report of the International Law Commission on the Work of its Fifty-Third Session, UN Doc. A/56/10, pp. 128–37 (articles 49–53).
41 See the Protocol Additional to the Geneva Conventions of August 12, 1949, and relating to the Protection of Victims of Armed Conflicts (Protocol I), June 8, 1977, UNTS 1125, p. 3, articles 48 (regarding distinction), 57(2)(a)(ii) (regarding precautions).
42 See Schmitt, Tallinn 2.0, pp. 415–22 (Rule 92).
43 One of us has written about such a duty in some detail. See Hollis, Duncan B., “Re-Thinking the Boundaries of Law in Cyberspace: A Duty to Hack,” in Ohlin, Jens David, Govern, Kevin, and Finkelstein, Claire, eds., Cyberwar: Law and Ethics for Virtual Conflicts (New York: Oxford University Press, 2015), p. 129.
44 Schmitt, Michael, “Military Necessity and Humanity in International Humanitarian Law: Preserving the Delicate Balance,” Virginia Journal of International Law 50, no. 4 (2010), p. 795.
45 See, for example, Davis, John S. II et al., Stateless Attribution: Toward International Accountability in Cyberspace (Santa Monica, Calif.: RAND Corporation, 2017).
46 See David E. Sanger, “Tech Firms Sign ‘Digital Geneva Accord’ Not to Aid Governments in Cyberwar,” New York Times, April 17, 2018.
47 See, for example, Charlie Dunlap, “Why Companies Should Not Sign the ‘Cybersecurity Tech Accord,’” Lawfire, April 21, 2018.
48 See, for example, the Wassenaar Arrangement, www.wassenaar.org (detailing export controls participants should adopt domestically for certain intrusion software and IP network surveillance systems).
49 See generally Chander and Lê, “Data Nationalism.”
50 See, for example, Stewart Baker, Orin Kerr, and Eugene Volokh, “The Hackback Debate,” Steptoe Cyberblog, November 2, 2012, www.steptoecyberblog.com/2012/11/02/the-hackback-debate/.
51 Patrick Lin, “Ethics of Hacking Back—Six Arguments from Armed Conflict to Zombies,” U.S. National Science Foundation Paper, Sept. 26, 2016.
52 See generally Maurer, Tim, Cyber Mercenaries: The State, Hackers, and Power (Cambridge: Cambridge University Press, 2018).