As international conflicts move from air, sea and land onto a new frontier in cyberspace, governments around the world have been wondering if and how current laws and rules of engagement may apply. Earlier in the month, independent experts from the NATO-sponsored Cooperative Cyber Defense Center of Excellence (CCDCOE) released the Tallinn Manual, a 215-page primer on the emerging legal implications of cyberwarfare.
"One of the challenges states face in the cyber environment is that the scope and manner of international law's applicability to cyber operations, whether in offense or defense, has remained unsettled since their advent," Michael Schmitt, director and chairman of the international law department at the U.S. Naval War College, wrote in the manual's introduction. "Consequently, there is a risk that cyber practice may quickly outdistance agreed understandings as to its governing legal regime."
Use of force
The CCDCOE paid particular attention to the jus ad bellum, an international law governing how nations can justifiably resort to force as a matter of national security policy. In accordance with the United Nations Charter, Tallinn Manual experts suggested that cyber operations that constitute a use of force "against the territorial integrity or political independence" of any country are unlawful.
A digital threat may also be deemed unjustified if it is inconsistent with the expressed goals of the UN, though a use of force could be authorized by the body's Security Council for the purposes of humanitarian intervention and similar causes.
One of the most intriguing revelations in the report was the notion that an act of cyberwarfare may not necessarily come directly from a nation's armed forces. UN rules would apply to intelligence agencies and government contractors as well. But as we have seen so far, tracing advanced cyberweapons back to a single country, much less their direct executors, has proven to be rather difficult.
Finally, CCDCOE experts attempted to define the scope of what constitutes an act of cyberwarfare. The primary qualification, according to current UN statutes, would be a use of digital force whose scale and effects are comparable to those of a physical use of force. Although the report authors did not speculate, it would seem that the Stuxnet virus, which disrupted operations at an Iranian nuclear facility, could constitute such an act.
However, psychological attacks such as those intended to shake confidence in national infrastructure – but with no physical damage imparted – could not be defined as an act of cyberwarfare under current laws.
"To summarize, some cyber actions are undeniably not uses of force, uses of force need to involve a State's direct use of armed force and all armed attacks are uses of force," the report stated. "This leaves unresolved the question as to what actions short of an armed attack constitute a use of force."
The other focal point of the Tallinn Manual was the jus in bello, or the framework that regulates the conduct of armed conflict. Simply put, researchers determined that cyber operations "executed in the context of an armed conflict" are subject to the same fundamental laws governing physical hostilities.
"Despite the novelty of cyber operations and the absence of specific rules within the law of armed conflict specifically dealing with them, the [CCDCOE analysts were] unanimous in finding that the law of armed conflict applies to such activities in both international and non-international armed conflicts," the report stated.
But as one might imagine, there is still a great deal of nuance to account for. As with physical hostilities, the current laws governing potential cases of cyberwarfare get particularly thorny when it comes to defining the roles and accountability of each nation in an international affair.
The CCDCOE experts provided the example of nation A conducting a cyber operation to assist rebels from nation B. If nation A elected to use its superior technical capabilities to disable the communication networks of nation B in support of the rebels, the conflict would likely only be internationalized if the stricken networks were used to relay military communications. Otherwise, nation A could hypothetically evade culpability under current laws.
Finally, while the law of armed conflict does not bar any category of person from participating in cyber operations, according to the report, how participants are classified will greatly impact the legal consequences that may await them. For example, as with physical conflict, commanders and those with knowledge of battle plans could still be held criminally responsible even if they did not take a proactive role in operations. Similarly, an amateur computer programmer would essentially be waiving their civilian status if they decided to partake in a digital campaign that constituted a use of force.
Security News from SimplySecurity.com by Trend Micro