
Militair Rechtelijk Tijdschrift (Netherlands’ Military Law Review), Volume 111 - 2018 - 3, Cyber Special

1 Introduction

Netherlands’ Military Law Review

Special Edition

Cyber Seminar - Diplomacy and Defense in Cyber Space

‘1 Year Anniversary of the Tallinn Manual 2.0 on the International Law applicable to Cyber Operations’

As most readers will know, the ‘Tallinn Manual 2.0’ was published in Spring 2017. The Manual expands on the highly influential first edition by extending its coverage of the international law governing cyber warfare to peacetime legal regimes. The product of a four-year follow-on project by a new group of 19 renowned international law experts, it addresses such topics as sovereignty, State responsibility, human rights, and the law of air, space, and the sea. Tallinn Manual 2.0 identifies 154 ‘black letter’ rules governing cyber operations and provides extensive commentary on each rule.

In the preparatory phase the Dutch Ministry of Foreign Affairs sponsored “The Hague Process,” in which 50 countries (including all five permanent members of the UN Security Council) and international organizations convened in The Hague for three meetings to consider draft manual chapters, receive briefings from key members of the International Group of Experts, and offer verbal and written input to the team.

Against this background the idea of a ‘1 Year Anniversary Party’ was born. Through excellent cooperation between representatives of the Netherlands’ Ministries of Foreign Affairs and Defence, the Netherlands’ Military Law Association and this Military Law Review, and in close coordination with Professor Michael Schmitt, General Editor of the Manual and Director of the Project, an international programme was developed.

The central theme, reflecting the close cooperation between the two Dutch ministries, was: Diplomacy and Defense in Cyber Space. The Birthday Party took place on June 20, 2018, in the International Conference Room of the Ministry of Foreign Affairs in The Hague. Minister of Foreign Affairs Stef Blok and Minister of Defence Ank Bijleveld each delivered a keynote speech, and two panels of academic and military speakers addressed a range of important issues. Approximately 175 participants, civilian and military, joined the festivities and took part in a frank exchange of views.

The Netherlands’ Military Law Review is proud to present most of the speeches and contributions of the ‘Cyber Seminar’ in this Special Edition.

I gladly take the opportunity to thank Minister Stef Blok, Minister Ank Bijleveld, Professor Michael Schmitt, all speakers and the supporting staffs wholeheartedly for their support and contributions. 

As indicated earlier by its General Editor, the Tallinn Manual 2.0 was not meant to be the ‘end of the story’ but was intended to enhance the process of norm identification and elucidation by States and, while the process is underway, assist State legal advisers in providing informed advice to their clients. The ‘Cyber Seminar – Diplomacy and Defence in Cyber Space’ certainly contributed to that broader goal.

Jan Peter Spijk LL.M. MA

Brigadier General, Military Legal Services RNLA (ret’d)

President, Editorial Board, Netherlands’ Military Law Review

2 Index Netherlands’ Military Law Review

Special edition:

Cyber Seminar - Diplomacy and Defense in Cyber Space

‘1 Year Anniversary of the Tallinn Manual 2.0 on the International Law applicable to Cyber Operations’

- Keynote by HE Mr. Stef Blok MA, Minister of Foreign Affairs

- Prof. Dr. Michael Schmitt

International Cyber Norms: Reflections on the Path Ahead

- Liisa Past MA

2016-2018 – Breaking the Cyber Security Taboos

- Carmen Gonsalves MA

International diplomacy and international cooperation in cyberspace

- Wieteke Theeuwen LL.M.

Attribution for the purposes of State responsibility

- Brigadier General Hans Folmer MSc MSS

Demystifying Cyber Operations

- Brigadier General Prof.Dr. Paul Ducheine and Prof. Dr. Terry Gill

From Cyber Operations to Effects: Some Targeting Issues

- Joost Bunk LL.M.

On the Protection of Intellectual Property in Cyberspace under International Humanitarian Law

- Keynote by HE Ms. Ank Bijleveld MA, Minister of Defence

“We have to steer the cyber domain, before it steers us.”

Organising Committee Cyber Seminar - Diplomacy and Defense in Cyber Space

(in alphabetical order)

Major Willem van Amerongen LL.M. – MoD

Mr. Paul Bezuijen MA - MoD

Mr. Jeroen van den Boogaard LL.M. - MoD

Mr. Joost Bunk LL.M. – MoFA

Brigadier General Professor Dr. Paul Ducheine – MoD

Major Yvette Foliant LL.M. - MoD

Mr. Marc Gazenbeek LL.M. – MoD

Mr. Rob Geertsma MA – MoFA

Mr. Jan Jaap Gerards - MoFA

Ms. Carmen Gonsalves MA - MoFA

Mr. Alex Maas LL.M. – MoD

Ms. Jolande Niermeijer MA - MoFA

Brigadier General Mario Nooijen LL.M. MA MPA – MoD

Ms. Anne de Ruijter MA - MoFA

Professor Dr. Michael Schmitt – University of Exeter (i.a.)

Brigadier General (ret’d) Jan Peter Spijk LL.M. MA – MoD

Ms. Wieteke Theeuwen LL.M. – MoFA

Mr. Hugo Vijver MA - MoD

Ms. Sharon Witmer – MoD

Major Nick Wobma LL.M. – MoD

3 Keynote by HE Mr. Stef Blok MA, Minister of Foreign Affairs

When I took office a little over three months ago, I saw in my calendar that I’d be delivering a speech on the first ‘birthday’ of… a manual. A first birthday is a special occasion, as any parent will agree. You know how new parents are – they love to celebrate every little milestone: baby’s first smile, baby’s first steps… All very understandable – for a child. But for a manual?

It makes me think of the booklet you get when you buy a new appliance or some flat-pack furniture. Not exactly a page-turner. And yet: very handy, if you want to get the most out of your expensive purchase. Or put together a piece of furniture that actually looks like the picture. In a sense, a manual can be the difference between a job well done and a disaster - as you will know, if you’ve ever tried to get by without it. The same is true of the Tallinn Manual - our set of instructions for state behaviour in cyberspace. It’s more than just a user’s guide. And this first birthday is more than just an anniversary; it’s an occasion to take stock of an issue of vital interest to us all.

The internet enriches our society and economy. It allows for big efficiency gains. The benefits can be very concrete. In that sense, cyberspace has come down from ‘the cloud’ and entered the reality of our daily lives. Consider, for example, the ultra-short supply lines for supermarkets: information about stock levels is communicated in real time. Stocks can then be replenished as needed.

But of course, this dependence comes with a risk. If the Web goes down, the supermarket may soon find itself with empty shelves. The impact of an unreliable internet can be highly concrete. And then the damage is not virtual, but painfully tangible. And quite substantial, too. We’ve unfortunately seen some real-world examples of that too. The WannaCry attack – untargeted but destructive – cost companies an estimated $592.5 million. The NotPetya attack was even worse: it cost companies an estimated $892.5 million in lost revenue.

Important battle

So, the Tallinn Manual is part of an important battle. A battle being waged by many, to defend the interests of many. Relevant not only to supermarkets, but to every domain of our daily lives. From parking garages to the port of Rotterdam, from power plants to public services like healthcare. Just an example. The WannaCry virus shut down computers in more than 80 National Health Service organisations in England alone. The result: almost 20,000 cancelled appointments, 600 family doctors’ practices having to resort to pen and paper, and five hospitals diverting ambulances, unable to handle any more emergency cases. So cyberspace is definitely no longer this elusive, distant dimension. There is no longer anything abstract or virtual about it. It is material, here and now, for all of us. Just look at the Netherlands. Our digital economy has been growing at an astonishing pace. We’re now one of the world’s most digitally advanced countries. Our digital economy accounts for 7.7 per cent of our total economy, a figure which is increasing all the time. IT plays an essential part in the daily work of 1.5 million Dutch workers. This digitally dependent workforce created €182 billion in added value in 2016 – around 30% of total GDP. And digital growth still hasn’t reached its peak. So it’s no surprise that the Netherlands is at the forefront of efforts to advance the debate on keeping cyberspace stable and safe.

Complex challenge

The challenge is a complex one. The internet belongs to everyone, and to no one. We have to work on many different tracks simultaneously: public and private, national and international. For example, in the Global Conference on Cyberspace (GCCS) and in the Global Commission on the Stability of Cyberspace (GCSC).

Domestically, the Netherlands is also investing heavily in this area.

The government has decided to set aside €95 million, with a special focus on setting standards for ‘Internet of Things’ devices; establishing software liability; enhancing the National Cyber Security Centre; and improving public information campaigns. As a part of that investment, as of 2019, Dutch diplomacy will be further strengthened. As I also indicated in the Integrated International Security Strategy I recently presented: the diplomatic response to cyberattacks is essential. Of course, my ministry acts in concert with other ministries, including the Ministry of Defence – as Minister Bijleveld will confirm later today. Starting this year, cyber diplomats will be deployed at crucial bilateral missions, like Washington, Beijing and Moscow, and also at multilateral missions, like Brussels and Geneva. Other missions will be actively supported by a special cyber task force team.

What’s more, we are investing another 3 million euros in projects to deepen our knowledge about cyber issues, both in The Hague and in our network of missions abroad. This way, my ministry can continue to work effectively for the Netherlands, around the world – including in cyberspace.

International law

In our cyber-policy, one of the tracks we invest in heavily is the international law dimension. This should be no surprise in the country of Hugo Grotius, a country with a strong tradition in international law, and here in The Hague – city of peace and justice. The key to success lies in clear rules, which apply to everyone equally. This principle is no different for cyberspace: it’s not the technology that sets the rules; it’s us: the users. We take the position that there’s no need to develop a new system of international law for this purpose. On the contrary, making clear that existing laws apply equally in cyberspace is our best guarantee of a future with an open, free and stable internet.

Tallinn Manual

The question before us then is of course: ‘How?’.

This was the point of departure for the Tallinn Manual. Here, the Tallinn Manual gives clear guidance. On questions like, for instance: How should international law respond to cyberattacks? The Manual provides a framework. When can a state be held accountable? The roadmap is right there - in the Manual. What can we do in response, are countermeasures possible? The Manual describes the conditions and limitations clearly. Of course, the Tallinn Manual doesn’t provide all the answers. It’s not an official document, and the Netherlands doesn’t necessarily agree with everything in it. In fact, in some cases, the manual describes more than one possible interpretation. Nor is it simple. Issues like state responsibility are complicated enough in the ‘real’ world, let alone the ‘virtual’ world. In no small part, because there they represent uncharted legal territory.

But the Tallinn Manual is the first document to address these questions. It is our first and only guide for this new world. And one year after its birth, our need for this guide has only grown. Because, in the meantime – as we must sadly note – the number of malicious attacks is on the rise. These are no longer isolated incidents. Rather, they are carefully planned attempts to trigger social disruption.

So on this first birthday we must not only celebrate and eat cake. We must recognise that there is still reluctance to take action in the face of a cyberattack, to hold the perpetrators accountable. This reluctance is understandable. But over the long term it has a destabilising effect. Because in practice, failing to enforce the rules in cyberspace means: yielding to the law of the jungle. We can’t afford to let this happen. We can no longer live without the internet. It’s everywhere, and it lies at the foundation of everything: our ports and power grids; our hospitals and houses, our financial systems and supermarkets. So what are we all waiting for?

Second year

So in closing, I would like to say this. The Manual is now entering its second year. At this point, like the new parents, we cannot imagine our lives without this new arrival.

But now, the Manual needs to mature. It’s here to stay, and for our part, we have to start taking it seriously. If there ever was a time for governments to start applying this Manual, it is now.

This is the only way we can impose a price on bad behaviour.

This is the only way we can put an end to the growing impunity in cyberspace.

This is the only way we can keep the structure we call the internet stable and safe over the long term.

We will remain committed to that goal. Please, join us – here, and in cyberspace.

4 International Cyber Norms: Reflections on the Path Ahead

Prof. Dr. Michael N. Schmitt1

Recent events have proven rather discouraging with respect to the recognition and further development of a normative architecture to govern operations in cyberspace. Of particular note is the failure of the 2016 – 2017 UN Group of Governmental Experts (GGE) to agree on text regarding cyber norms for inclusion in the report it had expected to issue.2 Opposition from a number of states, most notably China and Russia, to any explicit mention of either the law of self-defense or international humanitarian law, as well as a degree of resistance to text that would implicate the right of states to take countermeasures (discussed below) pursuant to the law of state responsibility, prevented issuance of a consensus report by the group of 25 states.3 This was particularly disheartening because the 2013 and 2015 UN GGE reports had made significant progress with respect to articulating both binding and hortatory norms applicable in cyberspace.4 

Other efforts to identify cyber norms are underway, such as those of the Global Commission on the Stability of Cyberspace, which recently proposed adoption of a non-binding norm providing ‘State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites’.5 The private sector has also been active in the field. Perhaps most significant in this regard are Microsoft’s proposed Digital Geneva Convention6 and the Cybersecurity Tech Accord.7  There are also growing rumors about the prospect of a future GGE to take up where the previous five iterations left off. 

In my view, however, the greatest prospect for progress in the near term lies in states making clear their positions with respect to when and how specific international law principles and norms apply in cyberspace. Involvement of non-state actors, such as the private sector, nongovernmental organizations and academia, is appropriate in light of the multi-stakeholder approach to norms that of necessity must be taken due to the shared nature of cyberspace. Nevertheless, it remains the case that states, and only states, have the formal authority to craft new international legal regimes and authoritatively interpret international law’s existing principles and rules. They do so through the adoption of treaties or by engaging in practices that when combined with expressions of opinio juris (expressions by states that the practice in which they are engaged, or that they refrain from, is required by law) results in the crystallization of customary international law.8

I am relatively pessimistic about the likelihood of a multilateral cyber treaty that is general in scope, for, as demonstrated by the unsuccessful attempt to articulate norms during the 2016-2017 GGE, key cyberspace players appear to remain at some distance from each other vis-à-vis the role that international law should play in cyberspace. I am also doubtful about the possibility of new customary international law crystallizing in the near future. The almost mystical process of crystallization is both intricate and vague. Complicating matters in that regard are the secrecy that surrounds cyber activities and the practical difficulties of attribution to states of observed cyber activities. In other words, state practice is highly difficult to identify with the requisite clarity and objectivity.

This being so, the best hope for international law governance in cyberspace lies in state interpretation of extant norms. While the Convention on the Law of Treaties sets forth rules for treaty interpretation,9 and mechanisms exist regarding the identification and understanding of customary international law,10 the reality is that in this relatively new sphere of activity, what states actually say about how they understand treaty and customary international law is what will matter, especially given the paucity of visible state cyber practice. Over time, a critical mass of complementary state views on a particular cyber legal issue will accumulate and that interpretation may become binding law. There is no mathematical precision as to when this point is reached. Yet, states that fail to participate in the process must understand that they are surrendering the interpretive battlespace to those states willing to set forth their views or, indeed, even to non-state actors who deftly move in to fill a void ignored by states.11

Unfortunately, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations is sometimes viewed as filling the interpretive void that has heretofore been unaddressed by states.12 Speaking as director of the project, I can confirm that this was never the intention of the participants who made up the two International Groups of Experts (IGE) that prepared the Manual. On the contrary, the IGEs assiduously sought to set forth all reasonable views with respect to the application and interpretation of international law to cyber operations so as to empower states to better understand the interpretive options available to them. In other words, the Tallinn Manual 2.0 was always meant to be a tool for states in their own interpretive journey, rather than a document with any prescriptive effect, formal or informal.

The time is ripe for states to begin to set forth their positions with respect to the myriad issues of international law that arise in the cyber context.  Presentations by the Netherlands’ Ministers of Foreign Affairs and Defence made at the first anniversary celebration of Tallinn Manual 2.0’s publication, which are reprinted in this volume, are illustrative early steps in this process.13 So too are, for example, important speeches by U.S. Department of State Legal Advisors,14 submissions by states to international fora,15 and the very recent address by the Attorney General of the United Kingdom at Chatham House.16 Yet, in most cases such laudatory efforts, while substantively significant, fail to identify cyber norms with the granularity that is necessary to directly affect specific ongoing operations.

Accordingly, states need to redouble their efforts to shape the normative cyber architecture that will govern activities in cyberspace. Two tacks hold promise. First, they may do so by clearly articulating broad premises of law with which most states can agree, thereby allowing concentration on the narrower nuances of those positions. Second, there are certain areas of international cyber law where states need to immediately set forth their legal position in order to hold the line against assertions regarding international cyber law that are potentially destabilizing.

With respect to the former, states should confirm, and encourage other states to follow suit, the full applicability to cyber operations of the jus ad bellum, that is, the law governing the resort to force by states as an instrument of their national policy. Key to this legal regime are the customary law prohibition on the use of force codified in Article 2(4) of the UN Charter and the right of self-defense set forth in Article 51 of the Charter, which also reflects customary law.17 There appears to be relatively broad agreement that any cyber operation that is physically destructive or injurious is a use of force. There also appears to be, despite politically motivated opposition in the GGE by certain states, broad consensus that when the destruction or injuries are significant, the victim state enjoys the right of self-defense by both cyber and kinetic means against the state that launched the cyber ‘armed attack’.

Statements to this effect are useful in cementing these norms in place but could go further. In particular, states could publicly announce that cyber operations need be neither physically destructive nor injurious in order to trip over the ‘use of force’ or ‘armed attack’ thresholds respectively. Rather, they could announce their intention to assess harmful cyber operations against these thresholds based on the severity of the consequences that have manifested (or are expected to eventuate). An example is the Dutch Minister of Defence’s statement in her Tallinn Manual 2.0 anniversary presentation that “a cyber-attack [that] targets the entire Dutch financial system … or … prevents the government from carrying out essential tasks such as policing or taxation … would qualify as an armed attack.” Although such statements may lack legal precision in terms of articulating clear-cut criteria, a broad severity of consequences-based approach would serve a deterrent purpose by placing other states (and in the case of self-defense, non-state actors) on notice that, if severe, such a cyber operation would risk not only condemnation as an internationally wrongful act, but also, in certain cases, a robust response pursuant to the law of self-defense. The approach also reflects reality. After all, few states facing, or observing, a nationally disruptive cyber operation having widespread deleterious effects would hesitate to label it a violation of the prohibition on the use of force or believe themselves constrained by international law from responding forcefully pursuant to the right of self-defense.

Articulation of such a position would beg many questions, the most important of which is where to draw the lines and which criteria to apply when doing so. However, the position has the benefit of focusing the attention and effort of states where it belongs – on drawing those lines and identifying the appropriate criteria for qualifying a cyber operation that is neither destructive nor injurious as a use of force and, in acute cases, an armed attack. Moving the discussion in this direction would have the further benefit of sidelining the unsupportable objection of a few states to overt references to the right of self-defense in cyberspace; as states begin to refine the thresholds, any assertion that no such line exists would soon be seen as puerile by the remainder of the international community.

States also should affirm the full applicability of the jus in bello (international humanitarian law) to cyber operations that take place during an armed conflict, whether international or non-international in character. Like the applicability of the jus ad bellum, no convincing argument supports the non-applicability of IHL to these operations. As noted, politically motivated opposition to reference to ‘international humanitarian law’ arose during the 2016 – 2017 GGE, but such opposition was without logical or normative foundation. Therefore, the advancement of international cyber norms would be fostered significantly by widespread public embrace of the position. Such declarations would contribute measurably to those already made by states such as the Netherlands, United States, and United Kingdom, as well as NATO and the European Union.18 They would also help clarify the veiled reference to IHL implied by the reference to the principles of humanity, necessity, proportionality and distinction found in the 2015 UN GGE report.19

States could venture even further in adding granularity to this broad, and in my view self-evident, assertion. In particular, there is no reason that they should refrain from specifically acknowledging that the conduct of hostilities rules appearing in the 1977 Additional Protocol I to the 1949 Geneva Conventions, most of which reflect customary IHL, apply to cyber operations during armed conflict.20 Of particular note in this respect are the rules prohibiting attacks against civilian objects, which would include civilian cyber infrastructure, the rule of proportionality and the requirement to take precautions in attack.21 The effect of such rules is very significant in the cyber context. For example, a commander considering an attack against a valid military objective must, pursuant to the requirement to take precautions in attack, consider whether directing cyber operations rather than kinetic attack against the target would avoid civilian collateral damage without sacrificing the military advantage that the operation is intended to achieve.22

There are unsettled issues with respect to IHL’s application to cyber operations that merit further development. It is there that states should focus their attention. Three merit particular attention. The first is the meaning of the term ‘attack’ in the cyber context. Article 49 of Additional Protocol I defines an attack as ‘an act of violence against the adversary, whether in offense or in defence’. This treaty provision, which is generally understood to reflect customary international law, confirms that a physically destructive or injurious cyber operation qualifies as an attack to which the prohibition on attacking civilian objects and other conduct of hostilities rules apply. It is important to note that despite the ‘against the adversary’ text, it is well-accepted that violent cyber operations directed at civilians or civilian objects are attacks, as are cyber operations that, while not causing these effects with respect to the targeted system, nevertheless have indirect (collateral) consequences at that level.23

The unsettled issue is whether these rules apply to cyber operations not having physical effects or causing injury, such as those that interfere with the functionality of cyber infrastructure. It is my position that the rules governing attacks apply to many such operations,24 although the precise threshold at which the resulting consequences qualify an operation as an attack is a matter that demands the attention of states. For instance, does a temporary loss of functionality do so? If the loss of functionality can be remedied through reloading either the operating system or data upon which functioning of the system relies, is the operation an attack? If the system continues to operate but does not do so in the intended manner, has the requisite loss of functionality occurred? These are important queries because a cyber operation that does not reach the attack threshold arguably may be conducted against civilian cyber infrastructure, as is the case with many cyber psychological operations. States need to develop their positions on such matters lest their armed forces be left without guidance when crafting rules of engagement and other guidance.

A related issue deals with the rule of proportionality, which prohibits an attack that is expected to cause collateral damage to civilian objects or incidental injury to civilians that is excessive in relation to the military advantage anticipated to be achieved as a result of the attack. The rule, which is found in both Articles 51 and 57 of Additional Protocol I, specifically refers to ‘damage’. The question is when does an effect on civilian cyber infrastructure that is not physically damaging nevertheless qualify as damage for the purpose of the rule?  Again, I am of the view that a loss of functionality may amount to damage that must be factored into the proportionality calculation. In my estimation, states should be focusing their attention on determining when it does so.

Finally, a long-standing debate surrounds the treatment of data. The issue is whether data is an ‘object’ such that the prohibition on targeting civilian objects25 applies to cyber operations that delete or alter civilian data. Relatedly, it is unsettled whether deletion or alteration of civilian data qualifies as collateral damage to civilian objects for the purposes of the rule of proportionality. There is widespread consensus that if the consequence of the loss of, or change to, the data is physical in nature, as in the case of cyber infrastructure that suffers physical damage when its data is altered, the prohibition applies. An example would be manipulation of data upon which the cooling system for cyber infrastructure relies, thereby causing the system to overheat in a manner that damages the infrastructure.

The legal challenge surrounds cyber operations directed at data that do not have a physical effect, such as those targeting civilian financial systems. There are some experts who assert that data should be treated as an object.26 In their view, broadly speaking, cyber operations against civilian data are unlawful attacks on civilian objects. Additionally, for them, any direct or indirect effect on civilian data that results collaterally during an operation directed against a lawful cyber target must be considered in the proportionality analysis and is subject to the requirement to seek to minimize civilian collateral damage (precautions in attack). This approach has the benefit of shielding the civilian population from the potential negative effects of cyber operations but is over-inclusive in that it would include some cyber operations that states regularly engage in, like psychological operations.

Opponents of the approach note that data is intangible and therefore does not logically qualify as an object. This view seems to be consistent with the general approach in international law that terms should be interpreted in accordance with their ordinary meaning.27 Yet, if data is not an object, the door is wide open for cyber operations directed against civilian data; indeed, it would be lawful to conduct cyber operations that are extraordinarily disruptive to civilian life.

There is no easy answer to either the question of where the threshold of attack lies or that of how data should be treated as a matter of law. In a forthcoming article in the International Review of the Red Cross, I suggest that states make two policy commitments to address the situation.28 The first is that they accord special protection to certain ‘essential civilian functions or services’ by committing to refrain from conducting cyber operations against civilian infrastructure or data when doing so would interfere with those functions or services. The second proposal is that states should commit to refraining from conducting cyber operations to which the IHL rules governing attacks do not apply (because, for instance, the operation is not at the attack level or data is not considered an object) when the expected concrete negative effects on individual civilians or the civilian population of the operation would be excessive relative to the concrete benefit related to the conflict that is anticipated to be gained through the operation. However, the adoption of policies does not resolve definitively the legal issues at hand. Therefore, states should begin to fashion their own stance on these issues and collaborate with other states in developing consensus positions, particularly within alliances like NATO.

 

As noted above, states also need to set forth their legal positions with respect to certain cyber issues that may prove destabilizing in the absence of rules governing them. Most significant among these is the question of sovereignty. Recently, assertions have been made that sovereignty is a principle of law that undergirds rules such as the prohibitions on intervention and the use of force, but not a rule that is separately binding of its own accord.29 By this interpretation, which appears to have been embraced by the United Kingdom,30 cyber operations are never rendered unlawful on the basis that they have violated the sovereignty of the target state.

 

This position makes operational sense if the objective is to avoid normative obstacles to offensive operations against other states. Yet, it must be cautioned that, pursuant to the principle of sovereign equality,31 the approach would apply equally to all states. As a result, a state that adopts the position cannot subsequently claim that other states have violated its sovereignty when it is victimized by hostile cyber operations conducted by, or attributable to, another state. For instance, the United Kingdom has now deprived itself of that argument when other states, like Russia, remotely conduct cyber operations into British territory.

 

Additionally, a state adopting this view cannot resort to cyber or non-cyber ‘countermeasures’ pursuant to the law of state responsibility by making the assertion that its sovereignty has been violated. A countermeasure in the cyber context is an operation that would violate international law but for the fact that it is designed to put an end to an unlawful cyber operation directed against the state taking the countermeasure. Thus, disavowal of a rule of sovereignty eliminates a significant response tool when facing hostile cyber operations. Moreover, states taking this position undervalue the effect of naming and shaming states to which hostile cyber operations may be attributed. The fact that most states deny their involvement in hostile cyber operations, as is unambiguously illustrated in the case of Russian election meddling around the world, is evidence of the importance states place on not being named a lawbreaker.

 

The better approach is for states to acknowledge that sovereignty is a rule that can be violated32 and to focus efforts on identifying when it is so violated. For instance, what types of effects must manifest before a remotely conducted cyber operation into a state’s territory violates that state’s sovereignty? When is an activity inherently governmental such that interference with, or usurpation of, the activity by another state is a sovereignty violation? Addressing the matter in this manner would allow states to retain the protective veil of sovereignty while tempering its restrictive effect through reasonable interpretation consistent with the state’s national security imperatives.

 

A second issue regarding which states are at legal risk if they do not seize the opportunity to take a position is due diligence. Pursuant to the rule of due diligence, which was raised in the International Court of Justice’s first case, Corfu Channel, a state is obligated to ensure that its territory is not used to the detriment of other states by either a state or a non-state actor.33 In the cyber context, this means that a state would have to put an end to a hostile cyber operation being launched from its territory, or to an operation that remotely employs cyber infrastructure on that territory to conduct the operation.

 

There appears to be a degree of state concern that such an obligation imposes an unbearable burden. Therefore, although a number of states have adopted the position that the rule of due diligence applies, others are hesitant to acknowledge the obligation in the context of cyber operations. Such concerns are overstated, for the rule is often misunderstood.34 Most of the Tallinn Manual 2.0 experts were of the view that the due diligence obligation only requires states to act to terminate ongoing hostile cyber operations; it imposes no obligation to take measures to prevent future operations or to otherwise ensure the hygiene of cyber infrastructure located on the state’s territory. Moreover, the prevailing view is that it does not apply to all hostile cyber operations mounted from or through cyber infrastructure on the state’s territory, but rather only to operations that have serious adverse consequences for another state. This is a high bar to cross.

 

It is also generally understood that the rule does not apply to hostile cyber operations that only affect the interests of other states, as distinct from their rights. As an example, a hostile cyber operation against a bank’s network that causes damage affects (in my view) the sovereignty rights of the state where that network is located. But if the operation affects the ability of individuals in third states to access their bank accounts remotely, an interest of those states would be implicated, not a right under international law. Most importantly, pursuant to the rule, states need only take those actions that are feasible in the circumstances. If a state lacks the ability to put an end to the hostile operations, it is not in breach of its due diligence obligation. In other words, the obligation is one of conduct, not of result. In light of these limitations, states need not be concerned that the due diligence rule imposes an overly onerous obligation on them. On the contrary, as responsible members of the international community they should already be taking measures consistent with it.

 

Additionally, what is sometimes missed is that the due diligence rule opens the door to conducting responses against cyber operations mounted by non-state actors.35 Pursuant to the law of state responsibility, countermeasures are only available in response to internationally wrongful acts that are engaged in by states, or that are attributable to states under that body of law.36 If a non-state actor’s hostile cyber operations cannot be attributed to a state, the victim state (‘injured’ state in the law of state responsibility) has no right to take countermeasures to put an end to the hostile operations.

 

Yet, because the non-state actors are operating from another state, that state has a due diligence obligation to put an end to the hostile operations. Should it be unwilling to do so, the state would be in breach of its obligations under the rule of due diligence. This would allow the injured state to take countermeasures against the territorial state on the basis of that breach and those countermeasures could take the form of violating the territorial state’s sovereignty by means of cyber operations against the non-state actor. The violation would be excused because the fact that the response qualifies as countermeasures is a ground for ‘precluding the wrongfulness’ of an action under the law of state responsibility.37 Simply put, the rule of due diligence makes possible responses against hostile cyber operations by non-state actors in situations in which a robust response would not otherwise be available. If only for this reason, states should acknowledge the due diligence obligation. 

 

Finally, states need to clearly articulate those response options that they believe are available under general international law. I have already addressed the issue of self-defense pursuant to Article 51 of the UN Charter and customary international law. However, most cyber operations do not rise to the level of an armed attack. Therefore, it is essential that two other response options be well understood and widely accepted.

 

The first, already mentioned, is the right to take countermeasures in the face of an unlawful cyber operation conducted by, or attributable to, another state. It should be cautioned that numerous restrictions apply to the taking of countermeasures, the most significant of which is a requirement that the countermeasure be proportional, in the sense of bearing some relation in terms of severity to the unlawful cyber operation to which it responds.38 Nevertheless, considering the degree of push-back against countermeasures during the 2016-2017 GGE, states should quickly seize the opportunity to affirm that they reserve the right to take countermeasures in response to unlawful cyber operations directed against them. Absent such an affirmation, states will generally be limited to responses called retorsion, that is, unfriendly but lawful actions such as the expulsion of diplomats and the imposition of economic sanctions.

 

An additional response option that has received very little attention is based upon what is known as the plea of necessity.39 Such responses, like countermeasures, may involve cyber operations that would otherwise be unlawful, but their wrongfulness has been ‘precluded’ because they are designed to put an end to hostile cyber operations directed against the state taking them. They are of particular importance because a response based on the plea of necessity is available against cyber operations mounted by non-state actors that are not attributable to a state or against those that cannot be reliably attributed to a state. In this sense, they differ from countermeasures. Thus, for example, a response based on the plea could be directed against non-state actors operating from a state that is in compliance with its due diligence obligation because it is willing to take measures to put an end to the non-state actor’s hostile cyber operations but lacks the ability to do so.

 

Although the plea of necessity remedies a number of the limitations that attach to countermeasures, it may only be resorted to when ‘essential interests’ are facing ‘grave and imminent peril’. The exact nature of these two phrases remains uncertain in international law. For example, states often designate certain infrastructure as ‘critical’, but that designation does not necessarily qualify the interest concerned as essential with respect to international law. Moreover, the point at which the harm being suffered can be characterized as grave is not only contextual, but also relatively vague. While these are complicated issues that states should be assessing with sensitivity to their own national interests, there is no obstacle to publicly taking the general position that the plea of necessity applies in the cyber context.

 

Ultimately, the future of international cyber law lies in the hands of states, particularly as they interpret extant international law norms. They may choose to craft a relatively permissive environment in which international law plays little role in deterring hostile cyber operations or shaping the responses available thereto. This approach is exemplified in the British position that sovereignty is a principle of international law, but not a rule.

 

In my view, the better tactic is to employ the interpretive authority states enjoy vis-à-vis international law to safeguard the crucial activities of states and their societies in cyberspace, both during times of peace and armed conflict. With response options such as countermeasures, the plea of necessity and self-defence, states benefit from an array of lawful options for protecting these activities. And a well-developed IHL architecture applicable to cyber operations conducted during an armed conflict is consistent with the balancing of military necessity and humanitarian considerations that permeates all of international humanitarian law.40

 

Allow me to close by complimenting the Kingdom of the Netherlands for its willingness to take the lead by beginning to announce its legal positions with respect to activities in cyberspace; other states must do the same. The Netherlands has also perceptively identified a lack of understanding of the complexity of international cyber law as an obstacle to international agreement on the applicable norms for behavior in cyberspace. I accordingly also compliment the Netherlands for its Hague Process, which provides international cyber law training, in collaboration with other governments and international organizations, for government officials around the world. Such programs will empower states to intelligently, responsibly and constructively craft their own legal positions with respect to the shared domain that is cyberspace.

5 2016-2018 – Breaking the Cyber Security Taboos

2016-2018 – Breaking the Cyber Security Taboos

Ms. Liisa Past MA1

 

Cyber security – at its core defined as defending the confidentiality, integrity and availability of data, networks and systems – is often overly mystified. In practice, it is another sphere in which governments assert their interests in conflict and, more importantly, strive to provide a stable and safe environment during peacetime. For this, a stable legal and normative environment is required.

At the same time, the intensifying tensions in cyberspace are highlighted by an ever-increasing level of incidents and attacks. A number of recent campaigns have targeted nations and governments; these are often considered to have been state-backed.

Thus, 9 years ago, when the Tallinn Manual Process started, it was perhaps a simpler, more hopeful time. In December 2012, when the Tallinn Manual 2.0 discussions kicked off, it was still hoped and sometimes believed that the lines in the sand regarding state-backed aggression in cyberspace would hold.

 

Amongst the most prominent of those red lines were the functioning of our democratic processes and our national critical information infrastructure. It was hoped that those two would not be targets of state-backed or politically inspired cyberattacks, at least not during peacetime. It is now clear that the attackers have broken those taboos in the last few years. Elections and participants in the democratic processes, as well as water, power and air travel, have all been targets of state-sponsored cyber-attacks.

The attacks against the power supply in Ukraine at Christmas 2015 and 2016 served as a significant demonstration of adversarial capabilities, a warning of things to come. By 2017 it was revealed that European and US power – including nuclear – and water systems had been compromised. Those attacks were initially believed to have been targeting business networks, often as knocks on the door to map the perimeter. It is now known that the campaigns went further and the impact could potentially have been detrimental to power production and distribution.

 

The meddling in our democratic systems goes beyond campaign hacks or the compromise of candidates and parties as most notably seen with the campaigns of Emmanuel Macron and Hillary Clinton. Yes, the public most embarrassingly found out what Hillary Clinton's campaign chief John Podesta’s password was after a successful phishing incident, but election officials as well as vendors are now known to have been targeted.

 

This, in a number of ways, demonstrates the importance of the work that has gone into Tallinn Manual 2.0, particularly in terms of jurisdiction and state responsibility.

The biggest change underlying these attacks is that state-backed players, or those directly representing government agencies, no longer operate in the grey zone of strategic ambiguity. The shame of being caught has diminished. The effects of state-backed malicious cyber activity go further. This makes attribution more important than ever, not least as a basis for any response to malicious state-backed cyber activity.

 

The US agencies have attributed the campaign hacks to Russia. Last May, WannaCry ransomware impacted 150 countries and hundreds of thousands of systems, paralyzing healthcare, production facilities and telecoms. It was attributed to North Korea by the US, UK, Australia, New Zealand and Japan. Similarly, the NotPetya wiper was attributed to Russia by an international coalition in a show of solidarity.

Attribution, of course, matters as it can lead to deterrence. However, we need to be careful here, so that we are not trigger-happy. In the past few years, attribution has moved from being a largely technical discipline to something much larger than digital forensics. It balances technical, legal and political elements. And this balance is something states and governments have to consider carefully.

 

In looking for response options, in particular, all three elements have to be considered. Attribution cannot be seen as paving the way to retribution. This is simply not an option in our agreed-upon international law regime. Therefore the lawyers need to be present throughout the attribution process. In particular, cooperation is needed to figure out and address thresholds and mechanisms for attribution, as well as standards of evidence, within states and then internationally. This way we have a sustainable idea of what deterrence might look like.

 

Up to now, most of the options available in response to cyber attacks are not collective, leaving collective defence in the cyber sphere to be furnished by practice. Currently, governments are at most coordinating responses and countermeasures. It is clear that states are figuring out their diplomatic, cyber-enabled and conventional responses to the facilitators and organizers of nation-on-nation cyber attacks.

The EU has recently empowered itself to respond to cyber attacks with a comprehensive set of Common Foreign and Security Policy (CFSP) measures, including diplomatic, economic and restrictive ones, “which can be used to prevent and respond to malicious cyber activities” (http://www.consilium.europa.eu/media/31666/st14435en17.pdf). NATO, having declared cyberspace a domain of military operations, serves as the next step on the ladder of collective escalation of response to events in cyberspace. So, state responsibility as it is analysed in the Tallinn Manual continues to be central.

Looking ahead, there are obvious challenges. The use of AI, including possible automated weapons systems, poses legal challenges, given how even regulating self-driving cars has been a struggle. The definition of data as a military objective has multiple interpretations. However, state practice seems to be becoming clearer, even if the legal interpretations are not moving closer to each other. Law enforcement's ability to pursue cyber crime across borders needs to be improved, but again, this is up to the respective agencies.

 

The issues mentioned above refer to relationships between national actors and their actions. As societies and governments, however, we are uniquely and increasingly dependent on international corporations and their goods and services, be it software or equipment. We need to figure out ways, including legal mechanisms, to be a demanding customer and to have clear standards for supply chain assurance and vendor responsibility.

 

As governments, we have a pressing need for clarity and legal standards when it comes to cross-border dependencies and supply chain management, particularly when dealing with global vulnerabilities such as Spectre. The Y2K bug, now almost two decades ago, was perhaps the first warning that national governments cannot ignore the role corporations play as vendors and suppliers, and the sort of dependencies we therefore have to be able to mitigate. A non-state problem simply cannot have a state solution. These dependencies need to be addressed, and governments need the international law discussion to move together with these challenges.

6 International diplomacy and international cooperation in cyberspace

International diplomacy and international cooperation in cyberspace

Carmen Gonsalves MA1

 

I would like to set the scene for this panel by giving you a short overview of the diplomatic efforts towards the legal-normative framework for cyberspace our minister referred to earlier.

I will start by focussing on the opportunities cyberspace continues to offer us. Then I will discuss the threats that unfortunately are on the rise. I will conclude with briefly discussing policies that might mitigate that threat: a two-pronged approach where we focus simultaneously on elaborating the normative framework and supporting and strengthening the consensus surrounding it.

 

So let me start with the opportunities. The digital revolution does more than contribute to economic growth. The interconnected computing power currently at our disposal has the potential to remedy some of the most deep-seated challenges that modern societies have to deal with, such as traffic congestion, waste of resources and environmental degradation.

Self-driving cars and traffic systems can prevent both accidents and traffic jams. Smart thermostats and other residence-based systems are not only convenient, but also limit the waste of valuable resources.

Also, with information moving ever more quickly and being disseminated more widely, the public debate should be enriched by contributions via online means. Our interconnectivity still carries the potential for a more inclusive and better-informed debate. You might very well think, after DNC and all that, that is a case of utter fake news. But it isn’t.

 

At least that is what we have to continue to strive for…

Unfortunately our increasing exposure and reliance on technological solutions also increases what is known as our ‘attack surface’.

A lot of the technology was not built with security in mind, and if you look at the behaviour of some state and non-state actors, it seems that an opportunistic, unrestrained and sometimes even reckless perspective on how cyberspace can be used is threatening the advances it has brought us and in the worst case even has the potential to set us back further.

Cyber operations conducted by states for geopolitical gain and disinformation, or ‘fake news’ operations, are part of this new stark reality.

 

So what to do? Strengthening our resilience, however important, will not suffice.

I believe that in order to counter this trend we need to engage in diplomacy. 

In the long term the only way to reach a structural solution is to agree upon a legal-normative framework that incentivizes states to abstain from harmful cyber operations.

Over the last years, we’ve made some progress in this regard. In UN discussions, more precisely in the Group of Governmental Experts on developments in the field of information and telecommunication in the context of international peace and security, a.k.a. the UN GGE, many countries have endorsed the principle of using existing norms for new technologies. This sounds complicated but it simply means that the existing international legal order that rules the physical world equally applies to cyberspace, and we have to make sure that these rules are upheld. The nature of cyberspace means that this legal framework may require some clarification, but the point of departure is that the same principles that apply offline do equally so online. That means, for instance, that in cyberspace the same restrictions on the use of force apply that the UN Charter dictates for the physical world. It also means existing international obligations to respect and protect human rights apply equally in cyberspace.

 

Of course, concepts such as the inherent right of self-defense to respond to an armed attack and IHL only refer to a situation where military operations are being conducted. However, in practice a lot of harmful cyber operations cannot be qualified as the use of force and occur in (an albeit sometimes rather murky) peacetime. On top of that, cyberspace is evolving rapidly, resulting in new and unforeseen challenges.

Against this backdrop and in order to keep up, additional, complementary norms of behaviour are needed. The norms of behaviour as recommended by the UN GGE in 2015 can be considered of foundational importance in this regard.

Ideally further norm setting should benefit from input by stakeholders from industry, academia and civil society. There are processes in place to promote this. The Netherlands supports such processes. A good example is the Global Commission on the Stability of Cyberspace, a group of high-level experts deriving their expertise from distinguished careers in academia, politics, civil society and industry. Not surprisingly, it is led by the former Minister of Foreign Affairs of Estonia, Marina Kaljurand.

Last month, the Commission released a call for a new norm on the protection of electoral infrastructure. This is topical against the backdrop of recent blatant attempts at election interference. Hopefully this norm will eventually be endorsed by the UN. In time, widely accepted non-binding norms of behaviour have the potential to develop into customary international law.

 

Norms should not only apply to states, of course; industry is becoming more and more aware of the need to agree on norms for the private sector itself.

 

In addition to the legal frameworks of domestic jurisdictions, industry indeed has a role to play. The recent Tech Accord between Microsoft and 33 other big tech companies lays out principles aimed at protecting cybersecurity, including a commitment to security by design. This is important, given the risks and security requirements related to the Internet of Things. Security by design cannot completely remedy, but can substantially limit, the risk that my internet-connected bread toaster or fridge is used as a vehicle for attacks on an electricity grid or hospital nearby or in another hemisphere. Notwithstanding efforts by the private sector, it is of course states that fulfill a unique responsibility as subjects of international law.

 

This leads me to the need for other states to respond, in case states do not abide by the international rule book. Diplomacy can be used to address this. This can vary from a diplomatic demarche delivered behind closed doors, to collective naming & shaming or, in more severe cases, building a coalition for imposing political or economic sanctions against a persistent law-breaker.

 

Finally, we need confidence building measures that ensure that countries can communicate clearly in case of a major international cyber incident in order to de-escalate tensions. This is even more important in cyberspace, because you do not always immediately know where an attack comes from, which can lead to dangerous misunderstandings.

 

So, from strengthening international law to supporting norm formulation and CBMs to respond to bad behaviour, diplomacy is an ingredient to make it all work. And we firmly believe that for this purpose we need to boost cooperation between likeminded countries, forging strategic alliances.

 

That’s why the Netherlands has triggered discussions not only on closer security cooperation, but also on stepping up diplomatic action in both NATO and the EU.

The EU cyber diplomacy toolbox adopted by Ministers last year, providing the EU and its member states with the tools to respond to cyber aggression, is one of the promising results.

 

The heart of the matter, however, remains a solid legal-normative framework. This is after all, the basis for how we conduct ourselves and therefore the focus of our diplomatic engagement.

 

Of course, it is not always easy to determine how the law applies in a particular situation. But this is obviously not unique to cyberspace. And most importantly, the fact that it may be difficult to apply the rules, does not mean that there is no law, or that we need a whole new set of rules.

 

And this is where the Tallinn Manual 2.0 comes in. It provides us with essential guidance. It is the most comprehensive, nuanced and authoritative work on how to apply the rules. Of course, the Manual provides guidance only. I should emphasize that we do not consider it as prescriptive.

 

The Netherlands is firmly committed to the view that states, and states alone, make international law. As are, I believe, the authors of the Manual.

 

That is also the starting point for the capacity building efforts that we engage in under the so-called Hague Process. Last year we organised a number of training courses in international law in cyberspace in both the ASEAN and OAS regions, aimed at foreign policy decision makers.

 

Both of these programmes will be continued into 2018 and beyond. Besides, we are working with partners to globally increase our reach and work in new regions.

Our rationale is simple. Since states are the ones making international law, we feel that it is essential to ensure that these decision makers, both lawyers and policy officers, are well informed on how international law applies to cyberspace. We believe that this is an area where expertise can still be strengthened.

 

We are aware that some countries are inclined to believe that new Codes of Conduct or treaties are the answer to all trouble emanating from cyberspace. The argument seems to be that cyberspace is so inherently ‘different’ that ‘something new’ is needed. However, in a great many cases, these views are harmful to these countries’ own interests. An example is the negation of the principle of the right to self-defense, a key tenet of international law, an element that features centrally in the narrative of supporters of a new cyber Treaty. Even more surprisingly, those supporters tend to reject the notion that International Humanitarian Law applies, an opinion fiercely contested by the ICRC, inter alia, which argues that the core principles of distinction, proportionality, necessity and humanity should protect civilians in situations of armed conflict to the furthest extent possible, in cyberspace as much as in the physical world.

 

The Treaty supporters argue all this would only lead to the militarization of cyberspace, a far from credible argument when considering who generally makes it.

But the shoddy way in which the principles of self-defense and IHL are dealt with by the supporters of the ‘Treaty approach’ is symptomatic of broader risks to the international legal order. If one accepts that cyberspace is somehow fundamentally different and a new treaty should be devised, this opens the door to selectively shopping in international law and creating a mechanism that mostly benefits the mighty. Human rights are but one example of an established body of international law that can be exposed to serious risks.

 

I cannot emphasize enough that throwing this principle out of the window would only benefit those that have the most advanced cyber offensive programmes and are the least inhibited in using them. We think that capacity-building will help to shed a different, positive light on how these issues can be interpreted.

 

I hope to have clearly outlined where we stand on the role of international law and norms in cyberspace. Thus, as our Minister already said, we also need to ensure adherence to those rules, by responding to bad behaviour, in order to increase the costs for those going beyond the pale. Inaction leads to a situation where irresponsible behaviour becomes the new norm.

 

The nature of cyberspace is such that having a prompt and robust diplomatic response to bad actors’ behavior can be more difficult than in the physical world. Whereas it is mostly easy to see from where a missile was launched, the use of cyber weapons doesn’t create smoke plumes. These circumstances influence the risk-reward calculus for some actors when they consider launching cyber operations. But we have to be careful that the perfect does not become the enemy of the good. In some cases attribution is possible, and it is a crucial step in changing the risk-reward calculus of the perpetrator.

 

It is clear that existing international law applies in cyberspace the same way it does in the offline world, both in situations of armed conflict and in peacetime.

This is the guiding principle for the cyber engagement of The Netherlands and the starting point for any discussion on the need for and content of additional norms.

The Tallinn Manual 2.0 is a valuable reference work clarifying how the rules of international law apply. It is also an outstanding tool for ensuring that the consensus on the application of international law is strengthened. It helps us tremendously in the context of our capacity building efforts.

Increased clarity on how to apply international law, for which we have the authors of the Tallinn Manual to thank, also creates a basis for a powerful lawful diplomatic response.

7 Attribution for the purposes of State responsibility

Attribution for the purposes of State responsibility

Wieteke Theeuwen LL.M.1

 

The first lesson I learned when I started working on cyber was - or seemed - rather simple. International law applies to cyberspace. In that regard, I would like to quote one very important phrase from the 2013 report of the UN Group of Governmental Experts (UN GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security:

 

"International law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment."

 

Thanks to the 2013 and the 2015 UN GGE reports, there is increasing recognition that international law applies to cyberspace. So, many would agree with me that international law applies to cyberspace. The more interesting question arises when we start to apply the law and ask ourselves how international law applies to cyberspace.

 

Part of my work has a focus on “the Hague Process”, an initiative by the Netherlands to further the debate on how international law applies in cyberspace and to increase the level of agreement. For this purpose the Netherlands facilitated a number of consultation meetings between governmental legal advisors and the drafters of the Tallinn Manual.

The Tallinn Manual 2.0

The Manual is a well-used item in our library at the legal department. I carry it with me to meetings all the time. The book provides a good overview of the various legal questions that arise with respect to cyber and offers different views on the application of international law, but it is not the law. It is not an official document, and the Netherlands does not necessarily agree with everything in it. In fact, in many cases the Manual describes more than one possible interpretation of a particular rule. I consider the Tallinn Manual to be a very useful tool that we can use in our daily work. Whenever I am asked to advise on an issue relating to cyber and international law, I use the standard work for the specific field of law together with the Tallinn Manual, which provides helpful information on how this law may be applied in the cyber context. But the Manual does not do all the thinking for me. To the contrary, the Tallinn Manual 2.0 makes it very clear that there are a number of questions that still need a lot of thinking and debating before we can even dream of providing an answer to them. Which makes meetings like these so much more interesting.

Attribution

Attribution has been the object of fierce debate. More specifically, attribution for the purposes of State responsibility - or legal attribution. Generally, depending on the context, the term attribution has different meanings when we talk about cyber.

 

My colleagues and I find it helpful to make a distinction between the following meanings of the word:

1) Technical attribution: the outcome of a factual and technical investigation both in terms of who the likely perpetrator is and the degree of certainty with which this can be established;

2) Political attribution: the decision whether or not to publicly and politically attribute a particular attack to a particular actor, without necessarily attaching legal consequences to this attribution; and

3) Legal attribution: the decision to attribute certain conduct to a particular State with a view to invoking the responsibility of that State for an internationally wrongful act.

 

Focusing on legal attribution, I am referring to the situation in which a State attributes a cyber operation to another State for the purpose of invoking State responsibility. The first State may then wish to enter into some form of judicial or diplomatic dispute settlement, to take countermeasures or, in case the cyber operation is considered to amount to an armed attack, to exercise its inherent right of self-defense.

 

Why is attribution important? When your car is stolen, or your house is covered in graffiti overnight, you want to take action. But against whom? That is why we go to the police when things like this happen: so that they can find out who did it and who deserves punishment. The same goes in international law: this body of law provides rules with regard to how States should behave towards each other, but it can only be applied when it is clear who violated the rules. When cyberattacks, or any attack for that matter, are launched, international law sets the parameters within which States can respond. The law on State responsibility, the example I will use, has a lot to say about when a State can be held responsible for the conduct of a proxy. It also allows taking measures that would normally be in breach of international law in order to address a prior breach by another State. But in order to do this, it is crucial to establish which other State committed the wrong in the first place.

 

So why is it important to be able to attribute a cyber operation to another State? When a cyber operation is directed against a State, or significantly impacts the society of that State, that State will want to take action. Certain action is only possible when it is clear which other State should be at the receiving end of such action. So, once a State has identified the actor behind the cyber operation and has established that this actor is in fact another State (either directly or by proxy), the targeted State has a number of options under international law.

 

Examples of responses are retorsive measures, unfriendly but not unlawful, such as the decision to declare a number of diplomats persona non grata. The taking of retorsions is permitted under international law, but may carry political consequences.

 

A State may also consider taking countermeasures, such as responding to a hack that constitutes an internationally wrongful act by hacking back. These are different from retorsive measures. Whereas retorsive measures can be taken at any time – again, this is according to international law, without taking into account possible political considerations – countermeasures are subject to strict requirements. This is reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts. One of the most important criteria of these Articles is that countermeasures may only be taken against a State that is responsible for an internationally wrongful act, in order to induce that State to comply with its obligations. One requirement for such responsibility is that the conduct, the allegedly unlawful cyber operation, is attributable to that State. There are other requirements, but these will not be discussed here.

 

Therefore, for a State to be able to consider all its response options, including countermeasures, the first question it will need to ask is: who did it? In legal terms: can the cyber operation be attributed to a State under international law? That is when legal attribution becomes important. 

What is an internationally wrongful act?

Before discussing what the Tallinn Manual 2.0 says about internationally wrongful acts in the cyber context, I would like to first discuss the Draft Articles on the Responsibility of States for Internationally Wrongful Acts.

 

What amounts to a breach of international law by a State depends on the actual content of that State’s international obligations, and this varies from one State to the next. A State can only be held accountable with regard to obligations it has subscribed to, either by treaty or through customary law. The underlying concepts of State responsibility, however, are general in character.

 

Article 1 of the draft Articles states that every internationally wrongful act of a State entails the international responsibility of that State. But what does this act need to consist of?

 

Article 2

There is an internationally wrongful act of a State when conduct consisting of an action or omission:

(a) Is attributable to the State under international law; and

(b) Constitutes a breach of an international obligation of the State.

 

I will discuss attribution, not the entire characterization of conduct as internationally wrongful. The purpose of attribution is to establish that the act considered as internationally wrongful emanates from a certain State for the purposes of responsibility. That a certain conduct is attributable to the State says nothing, as such, about the legality or otherwise of that conduct.

 

So when is a cyber operation attributable to a State? Let me turn to the conditions under which conduct is attributed to the State as a subject of international law for the purposes of determining its responsibility. What it essentially does is distinguish the State-sector from the non-State sector for the purpose of responsibility. Basically, conduct by State organs is always attributable to a State whereas conduct of private individuals is not, unless a sufficient connection between these individuals and the State can be established.

 

Graph 1

This graph sets out the questions that need to be answered before a cyber operation can be attributed to a State.

 

The first question we need to ask in order to determine whether a cyber operation is attributable to a State is “Was the cyber operation conducted by an organ of the State?” If the answer is yes, the cyber operation is attributable to the State.

 

Rule 15 of the Tallinn Manual 2.0 states:

Cyber operations conducted by organs of a State, or by persons or entities empowered by domestic law to exercise elements of governmental authority, are attributable to the State.

 

The Tallinn Manual states that the clearest case of attribution is when State organs, such as the military or intelligence agencies, commit the wrongful acts. This includes for instance cyber activities of US Cyber Command, the Netherlands Defence Cyber Command, the French Network and Information Security Agency (ANSSI), and so forth. An organ of the State includes any person or entity which has that status in accordance with the internal law of the State, quite a broad concept according to the Tallinn Manual.

 

With cyber operations it is not always immediately clear whether the operation originated from an organ of the State. The use of proxies is very common in the cyber context. If it is not clear whether an individual or group is considered an organ of the State, we need to determine whether their conduct can nonetheless invoke the responsibility of the State.

 

Proxies are individuals, groups or organisations carrying out cyber operations for States. This is the reality we are facing relatively often in the cyber context. We may be able to find which individual, group or organisation carried out the cyber operation, but can we link this to a State, and if so, how? Can the conduct of hacktivists be attributed to a State? What if the State told them to carry out a certain cyber operation? This brings me to the effective control test.

Effective control

When does a non-State actor operate under effective control of a State? As a general principle, the conduct of non-State actors such as private persons or entities is not attributable to the State under international law. The effective control test contains certain requirements that – if fulfilled – allow the conduct of the non-State actor to be regarded as that of the State. This is the only way in which the conduct of proxies can be attributed to a State.

 

The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the cyber operation. The starting point is, however, that States are not responsible for the conduct of private individuals. This means that the threshold to establish effective control is high. It is not sufficient for example if a State has supported – financially or with supplies – the activities of the non-State actor.

Standard of proof

As regards the standard or burden of proof, international law does not dictate any minimum degree of proof regarding the decision to attribute a particular cyber operation politically to a particular State. Likewise, there is not a particular threshold of certainty for responses not amounting to countermeasures or the use of force.

 

However, if a State attributes a cyber operation to another State and takes countermeasures, or in case it exercises its inherent right of self-defence when the cyber operation is considered to amount to an armed attack, it may at some point have to provide justification for this attribution and meet a particular burden of proof. There is no internationally accepted legal standard in this respect. It will depend on the particular forum in which attribution takes place. The standard of proof required may differ depending on whether a claim is presented before a particular international court or tribunal, or whether it is part of diplomatic negotiations or consultations. The ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts do not include information on the standard of proof. The International Court of Justice (ICJ) has employed various formulations for the standard of proof. The Netherlands interprets these formulations as meaning that the standard may be different depending on the severity of the conduct and of the response considered.

 

Various cases show that the Court similarly pays regard to the specifics of the case when determining the level of proof required.

 

It would seem that the particular degree of proof required is closely connected to the severity of the cyber operation and of the response to such cyber operation: the more severe, the higher the standard. In some cases one may need to have absolute or near absolute certainty. For example, in the Bosnia Genocide case the ICJ took the view that the Court had to be fully convinced that allegations of genocide and other acts had been clearly established. This concerned genocide. It makes perfect sense that a merely high degree of certainty, as employed in other cases, would not have been sufficient there.

How does attribution of cyber operations work in practice?

In May 2017 WannaCry ransomware targeted computers by encrypting data and demanding ransom payments in Bitcoin. The WannaCry cyberattack affected a number of healthcare organisations in the United Kingdom (UK), including hospitals in London and Nottingham. So how did the UK respond?

 

19 December 2017 - Foreign Office Minister for Cyber, Lord Ahmad:

“The UK’s National Cyber Security Centre assesses it is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign – one of the most significant to hit the UK in terms of scale and disruption.

[…]

We condemn these actions and commit ourselves to working with all responsible States to combat destructive criminal use of cyber space. The indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber programme to circumvent sanctions”.

 

So did the UK attribute the cyber operation to a State? To me, this question is difficult to answer. The UK referred to North Korean actors, not the State.

 

How did the United States (US) respond?

 

19 December 2017 - Tom Bossert, security adviser to the President:

“Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.

[…]

The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.”

 

Not only did the US refer to the State North Korea in its attribution, it also mentioned that the UK shares that analysis. A number of States issued statements on that same day, the 19th of December, varying from the very strong statement by the US to a statement on the importance of the application of international law by others.

 

None of the statements were followed by countermeasures. Why not? And why were they issued so many months after the attack took place? Was the information the States had at their disposal not considered sufficient to satisfy the standard of proof? Maybe the public statements were never intended to lead to the taking of countermeasures in the first place.

Conclusion

Attributing a cyber operation to a State for the purpose of State responsibility is subject to a number of requirements, especially when the operation is carried out by proxies. It is a very delicate process. But the process is not more delicate than attribution outside the cyber context. The example I mentioned concerning WannaCry shows that a new phenomenon has emerged: publicly attributing a cyber operation. This type of attribution might not fulfill the requirements for legal attribution, but does it need to?

 

However, if a State decides to take countermeasures, legal attribution is very important. I mentioned at the beginning that with the Tallinn Manual we have been provided with a very useful tool, but a number of questions still need a lot of thinking and debating. Let me conclude with some of these questions. Is the effective control test workable in the cyber context or do we need to develop further criteria? Should the challenges related to technical attribution lead to adjusting the standard of proof for legal attribution in the cyber domain? Do we agree that the various formulations of the standard of proof employed by the ICJ in State responsibility cases must be interpreted as meaning that the standard may be different depending on the severity of the conduct and the response considered?

8 Demystifying Cyber Operations

Demystifying Cyber Operations

Brigadier General Hans Folmer MSc MSS1

 

Internet and internet services have become prevalent in our society for many people. Smart devices have become commonplace and a smartphone allowing immediate access to the internet has become the rule. This has changed the way we live, and has disrupted and generated entirely new business models. Directions are provided to us on the go while sales of paper maps have been steadily declining. If we are lucky enough, voice-enabled interfaces provide us with immediate answers to questions that previously required more research. Ordering personal transport is easier than ever: by using an app we are able to obtain a transparent ride for a set price and get an idea of the driver’s reliability. We can even opt to book a room in a stranger’s home instead of a more traditional hotel. Tomorrow holds great promises as well, with emerging tech such as quantum computing potentially bringing significant new advances – but also disadvantages – in the digital era. The internet has opened up our society and boosted the transparency of the services we use.

 

In the military domain, however, openness and transparency are usually not the prevailing values. And to the average listener, military cyber operations sound even more mysterious. Military cyber operations are currently still viewed as ambiguous, elusive and concealed. What doesn’t help in this regard is that, up until now, integrating military cyber operations in the planning process has been an ongoing challenge. Awareness is growing, however, and progress is being made, not least due to the Tallinn Manual 2.0 efforts.

 

In this presentation, I intend to ‘Demystify Cyber Operations’, because we need transparency, openness and a shared understanding to cooperate among nations and industries beyond our national frontiers. During my speech I will touch on some subjects which will be further elaborated upon by other speakers today.


Almost seven years ago I was asked to lead the Netherlands Armed Forces efforts to build up cyber capabilities. Next to the already existing branches of cyber security, cyber intelligence and later cyber law enforcement, I was tasked to establish a unit to support military operations with cyber capabilities. Not just defensive, but also offensive capabilities. As I look back on those seven years, the general cyber landscape has changed. Today the Netherlands has an Armed Forces Cyber Command of which I am the proud commander.

 

The rationale behind it was that digitization did not only bring societal changes, opportunities and wealth, but also altered the battlefield. During operations, plans are distributed via wireless connections, targets are fired upon using GPS coordinates, we gain situational awareness via live stream, and our supply vehicles contain more computers than our offices. We no longer have armoured vehicles, frigates or planes, but driving, sailing and flying computers.

 

This is not only the case for our own forces and our allies; our opponents also rely heavily on digitization of their command and control, fire power and logistics. The current battlefield encompasses more than physical objects alone. Digital assets and connections can also be targeted to gain advantage over the opponent. Cyber operations are crucial means to do so and have fundamentally changed the conventional battlefield. There is, however, still a long way to go, both from a technical and from a doctrinal point of view. Preparing cyber operations takes time. Intelligence needs to be gathered well in advance and, based on this intel, multiple attack scenarios need to be created. The preferred cyber weapons require testing and finally, code needs to be built at the moment of deployment.

 

An example of a cyber operation could be the disruption of take-off and landing of airplanes at an airfield in a contested area. The airfield could be shut down by disrupting its flight control systems instead of bombing the runway, which causes a lot of damage and casualties. A cyber operation can temporarily disrupt flight operations, leaving the runway intact for future use by our own troops.

 

In the Tallinn Manual a cyber operation is described as: “The employment of cyber capabilities to achieve objectives in or through cyber space”. A cyber attack is described as: “A cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects”.

 

The basis is Cyber Security, the need to operate safely and securely in your own digital environment. This includes defensive counter cyber operations and hunting for adversaries in your own network. As soon as we operate in the digital environment of others, where we do not have free access, we talk about offensive cyber operations, which of course can have a defensive posture. Offensive cyber operations are scoped at information-related capabilities, which are linked to the information warfare capabilities of psychological operations, military deception, operational security, computer network operations and electronic warfare, as well as various kinds of intelligence.

 

We distinguish four types of offensive cyber operations. The first are offensive counter cyber ops, an attack to prevent the adversary from attacking us. Secondly, cyber surveillance and reconnaissance in order to get an impression of the digital landscape of the opponent. What are the opponent’s dependencies and vulnerabilities? Third, offensive cyber can be used in support of other military operations and the fourth, ultimately, is an offensive cyber operation on its own. Offensive Cyber Operations are about achieving military effects that encompass denial, degradation, disruption or destruction of data in order to achieve second- and third-order effects in the physical and cognitive domain.

 

This differentiates cyber operations from intelligence operations, which are aimed at covert information gathering in general and more specifically at the opponent’s digital systems, and which provide us insight into their means. This information is used to find an attack opportunity for a cyber operation aimed at disrupting the opponent’s Freedom of Manoeuvre in the digital environment and denying access to objects, as the example of the airfield showed.

 

Advanced cyber capabilities or cyber weapons require more than just a piece of malware or a form of live hacking. Cyber capabilities include people, technology, intelligence and processes. People with up-to-date coding skills, knowledge of state-of-the-art computer science techniques, creativity to design code and of course determination to debug the code. Technology, the tools to develop and to test and systems to store and communicate with our partners. Intelligence, the information about means and dependencies and vulnerabilities of our opponents. And last but not least processes, the development process including testing, debugging and the military planning and decision-making process.

 

In the field of Cyber Security, countries have been mutually cooperating and have been working together with industries to secure our own networks and systems. An excellent example of this is the NATO Computer Incident Response Capability or NCIRC. This Technical Centre provides services to prevent, detect, respond to and recover from cyber security incidents. Cyber defence is actually a part of the NATO Alliance core task of collective defence. It strives to integrate cyber defence into operational planning by creating indications and warning, identifying potential threats. Currently, the Military Committee of NATO alongside SHAPE and the nations have been working on creating procedures that would enable nations to integrate national offensive cyber effects in NATO operations, whenever such would be the desired response. Hand in hand with this development is the creation of up-to-date Cyber ROEs and the assessment of appropriate Targeting processes, all of course to be in sync with any obligations of the Law of Armed Conflict (as my colleagues will elaborate on later).

 

Now that NATO and others have adopted cyber as a domain of operations, increasing cooperation in the Cyber Domain similar to the way we cooperate in the conventional domains, is essential. Within NATO we contribute to the enhanced Forward Presence of the four battlegroups in Poland, Lithuania, Latvia and Estonia. The Netherlands supports this mission with troops together with 15 other nations and has deployed a Cyber Mission Team. We also contribute to the Very High Readiness Joint Task Force or VJTF. These partnerships are clear examples of a robust, multinational, and combat-ready mission to show that an attack on one Ally will be considered an attack on the whole NATO Alliance. Cyber operations should be an integral component of these missions and of our cooperation.

 

We need clear definitions of cyber operations when operating in a multinational context and these are currently lacking. In the Netherlands we distinguish four types of offensive cyber operations, but do we all share this view? Do we have the same ‘modus operandi’ to conduct cyber operations? How do we coordinate our multinational operations in the cyber domain? We need a common Doctrine, as currently drafted by the CCDCOE, that provides a shared understanding to answer these questions in order to conduct cyber operations in the NATO alliance or in other international partnerships. Based on this doctrine, mandates and Rules of Engagement can be further derived and used in cyber operations to support the military objectives of the missions.

 

After working in the Cyber domain for seven years, I am convinced that cyber operations should be just as common in current military operations as the smartphone is in our daily life. Part of ‘Demystifying Cyber Operations’ is observing that ‘Cyber is not something special, but maybe something new’. Cyber operations are an integral part next to the physical and cognitive actions to achieve the desired operational end state. However, hurdles remain in relation to establishing definitive ROE; institutionalizing the integration of cyber effects in operational planning; and creating a framework for shared Cyber definitions to effectively deploy cyber operations. Therefore, it is important that we contribute to the development of the various doctrine and frameworks for integrating cyber into operations. I believe that this conference, celebrating the 1-year anniversary of the Tallinn Manual 2.0, is a great impulse for further steps towards multinational cooperation and fosters a common understanding of the use of cyber in future conflicts.

9 From Cyber Operations to Effects: Some Targeting Issues

From Cyber Operations to Effects: Some Targeting Issues

Brigadier General Prof. Dr. Paul Ducheine and Prof. Dr. Terry Gill1

 

 

 

Introduction

Ladies and gentlemen, you’ve just heard Brigadier General Hans Folmer explain what the purpose of applying cyber capabilities could look like. He described a wartime situation and explained that there was a need to prevent the enemy from using a specific airfield and dispatching aircraft from there. The military process to plan action to that end is called targeting. In classic circumstances, those planning and deciding on operations of this kind, joined in a targeting board, would for instance consider the use of cluster munitions to destroy the runway of the airfield, so that aircraft are unable to take off (and land), thus rendering the airfield (and its aircraft) useless. Or, if the state involved does not possess this type of weapon (as it is a party to the treaty banning its use), the targeteers would come up with a larger-scale operation with other air-delivered weaponry. The drawback of the latter would perhaps be that collateral damage might occur, or that it might hamper future operations of own troops.

Brigadier General Folmer also presented another line of action. By tampering digitally with the airfield’s flight control system, aircraft would be unable to take off (and land) as well. This cyber operation could nullify collateral damage and, as it has only temporary effects, would guarantee future use of the airfield by own troops.

Today, targeting boards, at least in a number of states, have this alternative offered through cyber capabilities at hand. The process and procedures to consider these cyber capabilities are the same targeting process as is used in the classic situations. And it contains the same legal questions derived from the law of armed conflict (or international humanitarian law) as in the classic cases. The same basic questions, that is, with some new or not yet touched upon more detailed issues at hand.

My goal [Ducheine], is to briefly introduce this targeting process in the first place and then take you through the legal basic questions accompanying its various phases. Professor Gill will then elaborate on some of the general and specific legal issues involved.

The next lectures by Dr. Heather Harrison-Dinniss and mr. Joost Bunk will specifically deal with the issue of data as an object and its protection under IHL or other regimes such as intellectual property.

Just to reiterate in order to prevent misinterpretation: we’re at war and IHL applies. In particular, the rules on hostilities, or in other words the so-called targeting rules, in principle apply. These rules centre on the notion of attack (art. 49 API).

Targeting

As mentioned in the airfield case by Hans Folmer, all targeting starts with the ‘why’. The first phase of targeting involves stating the purpose, the end or goal of the action(s) to be taken. In the second phase, potential targets that could be engaged with some kind of (military) action in order to contribute to that stated end will be listed. The weaponry will be considered in the third phase: what’s in the arsenal? What are the effects of those weapons? And will they be effective against the target(s)? Then, in the fourth phase, one of the weapons will be allocated to a specific target. Phase five comprises the actual attack that will be launched, which will be evaluated (phase six) to see whether the attack was successful and generated the designated effect, thus contributing to the very purpose of the actions taken. If and when necessary, the procedure will be followed once more.


Just to remind you, this targeting process, or the targeting cycle, is based on a rational decision-making (and planning) model. The process itself can take up to months in preparation when pre-planned strategic campaigns are involved. But it could also be a matter of seconds when tactical opportunities arise on the battlefield.

Figure 1: Targeting cycle with its legal (IHL) issues

During this targeting cycle, the staff officers combined in a targeting board and the commander who bears ultimate responsibility for the decision to attack (and how to attack) are confronted with legal questions, as they are to adhere to the law of armed conflict when planning and conducting attacks. These legal questions are imposed through the so-called targeting rules, and they find their background in the principles of the law of armed conflict. The principles involved are: military necessity, humanity, distinction, proportionality and the obligation to take precautionary measures, and, finally, chivalry.

These principles and the more detailed targeting rules are part and parcel of the targeting cycle. When integrating the two – the targeting cycle and the legal issues – the targeting cycle can be amended to contain the legal questions related to targeting derived from the law of armed conflict (see Figure 1).


The first issue after having defined the goal (phase 1) and having listed the potential targets (phase 2) is which of these potential targets qualify as “military objectives” (ex art. 52 API), as “attacks shall be limited strictly to military objectives”.2

After that, when potential weapons are reviewed (phase 3), the question will be posed whether collateral damage (CD, ex art. 57 API) can be expected once the particular weapon is used against the legitimate target (i.e. a military objective). When no collateral damage is foreseeable, the weapon can be allocated to the legitimate target (phase 4). Quite often, however, CD is foreseeable.

Then, as part of one of the precautionary measures (ex art. 57 API), the question arises how this CD can be mitigated through changes in the choice of means (weapons) and/or methods of attack. When adjusting the means and methods of attack nullifies the foreseeable CD, phase 4 (allocation) can be pursued. If and when this is not the case, the question will be posed whether this attack “may be expected to cause [collateral damage, that] would be excessive in relation to the concrete and direct military advantage anticipated”.3 If the attack is not expected to generate a disproportionate (or “excessive”) amount of CD, allocation (phase 4) will commence. When the attack is disproportionate, the attack shall be “cancelled or suspended”.4 As a result, the targeting cycle has to start all over.

After weapons have been allocated to a legitimate target (“military objective”) in phase 4, the remaining precautionary measures, such as last-minute verification and identification, warning, and last-minute actual checking of the CD estimation, are to be taken. This could result in last-minute aborting of the attack. After the attack (phase 5), the battle damage assessment is made (phase 6) and evaluation takes place.


This integration of the targeting cycle and the targeting rules applies to all attacks within the meaning of article 49 API, regardless of the weapons or technique used. This integrated cycle with targeting rules is thus to be used by the targeting board and the commander responsible for planning and executing the operations against General Folmer’s enemy airfield, both when classic weapons are considered and when cyber capabilities are contemplated. In the first case, this is definitely a matter of legal obligation. In the latter, this will most likely be a matter of policy, as the debate on the applicability of the targeting rules to cyber operations is still continuing.5

This will now be explained by Prof. Gill in general terms.

A Brief Overview of the Main Controversies

The question of whether international humanitarian law (or the law of armed conflict, as it is widely referred to in military circles) applies in cyberspace was supposed to have been resolved, but controversy remains on that issue.6 But assuming it does (and from our viewpoint it is impossible to see how it could not if cyber were employed in an armed conflict, either in a stand-alone capacity or, more probably, alongside other means and methods of warfare), then certain other controversies remain. One of the most seemingly intractable of these is the question as to whether data is an “object” in the context of Article 49 of Additional Protocol I. The Group of Experts which drew up the Tallinn Manual could not reach consensus on this issue and various points of view have been put forward by other commentators, one of whom, Dr. Harrison Dinniss, will elaborate on her views in more detail presently.

The issue may seem to the non-lawyer perhaps a bit technical and arcane at first sight, but it is of real importance in a practical sense. Put simply: if data is not an object, then the rules of IHL relating to targeting, as set out above by my colleague Brigadier General Prof. Ducheine, are not applicable to cyber operations which affect data without causing any directly related secondary physical injury to persons or damage to physical objects. Which rules would then be applicable is open to question, but in any case, the principles of proportionality, precautions in attack and so forth would be irrelevant in the absence of related physical effects resulting from tampering with or corrupting data. That means, of course, that the permissible scope for many types of operations would be much wider. To take the example of the neutralization of an airfield by cyber means used by Brigadier General Folmer earlier, such an operation would not constitute an attack in the sense of Art. 49 AP I unless it caused the aircraft to crash. Simply making an airfield unusable by cyber means, without any directly related physical effects, would be outside the scope of targeting principles if data did not constitute an object in itself. So this debate is really about whether a whole range of cyber actions in an armed conflict are subject to targeting law or not.


Several main positions have emerged on this issue. One is the majority opinion of the Group of Experts in the Tallinn Manual. This states, in a nutshell, that neither the text of Article 49 nor the Commentary thereto would include data as constituting an object for the purposes of determining whether its neutralization, alteration or removal would amount to an ‘attack’.7 This follows, in the majority view expressed in the commentary, from a textual interpretation of the word ‘object’, which denotes in that view something with physical properties that is tangible in the “real” world. Another view expressed is that this is too restrictive and that data should be considered an object when its destruction or neutralization would have severe consequences for the civilian population, even though these fell short of physical harm to persons or physical objects. This view has been put forward inter alia by Kubo Mačák, who argues that the term ‘object’ should be interpreted more expansively and that a teleological interpretation of Article 49 AP I is therefore called for to enhance the protection of the civilian population and internet infrastructure.8 Other views include those of Dr. Harrison Dinniss, who argues that while data as such may not constitute an object, the system data which operate the system as a whole do, and that destruction thereof should fall within the ambit of ‘attack’.9 Still another is to be found in the writings of various commentators who argue by analogy that other intangibles, such as intellectual property or electricity, are regulated and protected by other branches of the law. Essentially, what all these critiques of the majority position in the Tallinn Manual have in common is that they disagree with the outcome of excluding data from the general protection offered by the law of targeting in AP I. In this view, an attack which would affect all or some data without any physical effects, but causing damage or destruction to the data with potential negative impact on the civilian population, is, or at least should be, included in the notion of attack and covered by considerations of proportionality and precautions in attack.


This is, as yet, an unresolved issue, but one with real consequences. It remains to be seen how State practice and possibly other factors, such as positions taken by the UN or by an international court or the preponderance of academic opinion, may affect the outcome of this controversy. In the meantime, it remains somewhat of a grey area in the application of international law to cyberspace.

10 On the Protection of Intellectual Property in Cyberspace under International Humanitarian Law


Mr Joost Bunk LLM1

Modern day information societies are digitalizing continuously and the production of intellectual property is becoming increasingly important for their economic sustenance. Equally there is an increasing number of cyber-operations, leading to an ever growing interest in developing cyber-capabilities. Former Director of the U.S. Cyber Command General Keith B. Alexander characterised cyber-operations designed to gain access to the intellectual property of American corporations as the “greatest transfer of wealth in human history”. These developments raise questions as to how international humanitarian law can address these cyber-operations.

One of the aforementioned questions is the focus of this presentation: the protection of intellectual property in cyberspace under international humanitarian law. Intellectual property can be defined as the novel product of human intellectual endeavour. Intellectual property rights, copyrights, patents and trademarks, therefore protect intangibles, a concept which raises a great variety of challenging questions in domestic law, human rights law and international humanitarian law.

Since it is clear from the start that there are no specific rules on the protection of intellectual property under international humanitarian law, the possible protection of intellectual property through the already existing protection of “normal” property will be explored. In order to achieve this, the concept and the development of the protection of property under the various instruments of international humanitarian law will be discussed first. Following this, the scarce coverage of intellectual property in international humanitarian law will be discussed. But firstly, since intellectual property law and international humanitarian law are fields of law that do not often meet, the paragraph will start with a crash course in intellectual property law.

The term intellectual property has been used for over one hundred and fifty years to refer to the general area of law that encompasses copyrights, patents and trademarks, as well as a host of related rights for objects such as databases and software. Intellectual property law regulates the creation, use and exploitation of mental or creative labour. Intellectual property is, as pointed out previously, the novel product of human intellectual endeavour. Intellectual property rights therefore protect intangibles, and this gives rise to questions over the control of the property and its protection.

For the purpose of this presentation it is important to note that three notions are therefore involved when it comes to intellectual property. The first notion is intellectual property, the intellectual labour which is the intangible concept of a creative work. Secondly, this intangible concept is only protected when it is confined in a produce, be it a statue or a digital picture; it has to go beyond existing solely in the mind of the creator. Lastly, depending on the respective intellectual property law, the creator is given certain intellectual property rights. These rights, the exploitation or economic rights, are possessions and can be transferred to others.

The already complicated field of intellectual property law is becoming more complicated by the so-called “propertization” of intellectual property. In a growing trend, human rights courts and human rights treaties are acknowledging that intellectual property should be afforded the same protection as tangible property. This acknowledgment was already present in the Universal Declaration of Human Rights of 1948, but only recently have the effects of that acknowledgement begun to develop. In its Article 27(2) it states: “Everyone has the right to the protection of the moral and material interests resulting from any scientific, literary or artistic production of which he is the author.” The ECtHR stated in Anheuser Inc. v Portugal that “intellectual property incontestably enjoys the protection of Article 1 of Additional Protocol No. 1” ECHR. With regard to this it is interesting to note that the French version of Article 1 of Additional Protocol No. 1 uses the term “biens” while the English version uses “possessions”, a definition and translation point also raised by Mačák hereafter.

These findings resulted in an extensive academic debate and the effects have not yet crystallized completely. However, it can be argued that a consensus exists that when discussing intellectual property as “normal” property, neither the abstract intellectual produce is meant, nor the produce itself, but the intellectual property right attached to it. In other words: the intellectual property right deserves the same protection as other property. Interestingly, while intellectual property rights play an important role in the development of digital technologies and therewith in shaping the nature of cyberspace, cyberspace in return creates a threat to intellectual property rights. The sheer speed of cyberspace, the availability of protected works online and the relative ease of violating intellectual property rights, inter alia by copying, have resulted in rampant violation of intellectual property.

I am well aware of the fact that terms, norms and principles found in domestic law, intellectual property law and human rights law cannot be implemented in international humanitarian law without paying due regard to the context. However, the limited scholarship on international humanitarian law and intellectual property provides no clarity and references to other bodies of law are solely made to shed light on the idea of intellectual property.

The legal instruments predating Additional Protocol I used the term “property”, while Additional Protocol I introduced the term “civilian object”. This choice was politically motivated, to conciliate different political systems. This introduction initiated a definitional discussion, which appears to be settled by means of reference to the tangibility requirement. The term “civilian object” is broad enough to encompass the immovable and movable property found in the previous legal instruments, provided that they are visible and tangible. The Experts follow this requirement for objects in cyberspace, thereby excluding objects solely existing in digital form from the definition.

The Military Tribunal ruled in the Krupp/I.G. Farben Trials that intangible property deserves the same protection as “normal” property. Despite not being explicitly mentioned by the Tribunal, Dinstein and Dinniss argue that this also applies to intangible objects and to intellectual property rights. It should be noted that the Military Tribunal ruled this in a property offences paradigm i.e. under the rules of booty, seizure, destruction, pillage and plunder.

The fact that the produce, the digital object, is protected under the property offences paradigm illustrates why the strict tangibility requirement in the targeting paradigm can be considered an inconsistency. The digital object is protected from wanton destruction, but falls outside the scope of civilian objects and is therefore outside the scope of protection provided by the principle of distinction, and does not have to be taken into account under the principle of proportionality, making it a legitimate target and potential object of destruction. Evidently, there is a distinct level of protection in both paradigms, stemming from the tangibility requirement introduced by the term “civilian object”, which in its turn was introduced to circumvent political debate. If the purpose of international humanitarian law is to mitigate civilian suffering by extending protection to property, the exclusion of digital objects is problematic. Especially when taking into consideration that the term was introduced to forestall political debate and not to deprive intangibles of their protection, which during the drafting of Additional Protocol I was a common legal concept.

It was found that introducing the term “civilian object” led to a disparity within the two paradigms that are part of one body of rules of international humanitarian law. The protection against property offences depends on the proprietary relationship: if it qualifies as property, tangible or intangible, and is privately owned, it falls under the protective scope of the relevant provisions. The protection in the targeting paradigm depends on the civilian use of the object, and the object must be visible and tangible. While this more restrictive protection flows from the introduction of the term “object” and its definition, it results in a disparity of protection: intangible objects are protected in the property offences paradigm, but not in the targeting paradigm. This disparity especially manifests itself with regard to cyber-operations taking place, and only having effect, in cyberspace.

A question for further research is whether the intangible object can be afforded protection as property under the Krupp/I.G. Farben interpretation. It appears prima facie that this is possible, since the Trials refer to intangible property, especially when considering the protection of this digital property under human rights and domestic legal systems. Subsequently, it is of interest to know whether this digital property can then also be considered a civilian object. Since the tangibility requirement now limits the protection of civilians in cyberspace, this is worthwhile to explore. This would then in turn render the omnipresent prefix “cyber” superfluous and provide civilians with adequate protection, irrespective of the dimension.

11 Keynote HE Ms. Ank Bijleveld MA, Minister of Defence


Keynote HE Ms. Ank Bijleveld MA, Minister of Defence1


“We have to steer the cyber domain, before it steers us.”


What a day it has been. This day has brought forth several important new insights.

As you are aware, the Netherlands is playing an active role in fostering the discussion on international law in cyberspace. To further substantiate our role, my colleague Minister of Foreign Affairs Stef Blok, and I, thought it would be a good idea to talk about this issue in an open setting. And to do so here in The Hague, the legal capital of the world, on the first birthday of the Tallinn Manual 2.0. Today was also an excellent opportunity to demonstrate the close relationship between our respective ministries.


It is important that Defence and Foreign Affairs work together on promoting international peace and security. I am most pleased with the international composition of the two panels, under the guidance of Professor Mike Schmitt.


You may have already heard this, but the word cyber actually stems from the Greek word kubernetes, which can be translated as cybernetics. It means ‘steersman’. And that is exactly what this conference is about.

We have to steer the cyber domain, before it steers us.


I think all of us in this room would agree that the world will not be better off if we allow the cyber domain to spiral out of control. Digital technology may be moving at a dazzling speed, but that does not mean that it should fall outside the scope of international law. This point was the very essence of the 2011 ‘Cyber Warfare’ report.

This ground-breaking report was published by two Dutch advisory bodies:
- the Advisory Council on International Affairs
- and the Advisory Committee on Issues of Public International Law.


The report stated that a cyber-attack can be considered an ‘armed attack’ if it leads to a serious disruption with long-lasting consequences. For instance, if a cyber-attack targets the entire Dutch financial system or if it prevents the government from carrying out essential tasks such as policing or taxation... it would qualify as an armed attack. And it would thus trigger a state’s right to defend itself, even by force.


The Dutch government supports the general conclusions of this report. Luckily, more and more states have since acknowledged that in the cyber domain - as in all other domains - all states are equal before the law. So, it’s not so much a question of whether the rules apply, but of how to apply them. Out of this need for clarity and consensus, the Tallinn Manual was born. Both the original manual and the updated manual ‘Tallinn 2.0’ have helped clarify the legal framework for cyber operations.


Let me please note that the Dutch Government is very grateful for the work done by Professor Mike Schmitt, Ms. Liis Vihul and the international group of experts. The Netherlands actively supports the work of the Cooperative Cyber Defence Centre of Excellence in Tallinn. And we are proud that two members of Dutch academia participated in the Tallinn Manual 2.0 process. I think the manual’s added value will continue to grow over the coming years.


But having a clear legal framework would be null and void, if states are not able to attribute digital attacks. Without a clear answer to ‘who did it?’ there can be no legal retribution, no countermeasures and no self-defence. You have to know what and who hit you, before you can hit back. And whether that should be with your fist or by a slap on the wrist. Now as we know, attribution of cyber-attacks is quite complex. It is subject to much debate and confusion.

So to shed some light on this matter, our scholars at the Netherlands Defence Academy have developed a conceptual framework. It comprises 4 phases.


The first phase is: detection. Attribution starts with the fact that you have to be aware of the harmful effects caused by a cyber-attack. Only then is it possible to start determining the full scope of its effects. And what digital interference is causing these harmful effects.


This brings us to the second phase: technical attribution. In this phase, the attack is linked to a digital source. This can be an email account, a piece of malware or an IP address. The aim of technical attribution is to establish technical authorship: who did it? Which individual or group actually conducted the attack?


The third phase brings in the lawyers. Once the technical author of the attack is known, it will be their task to advise the government on legal responsibility. Who is behind the attack? And especially: which state? If any. If states are involved, the rules on State Responsibility apply.

Once legal responsibility has been established, it is up to the Government to come up with a response. That is the fourth and final phase of the framework. This response could take the shape of purely protective measures, law enforcement, countermeasures, or ultimately self-defence.


In brief: attribution requires 1. detection, 2. technical authorship, and 3. legal authorship, before one is able to respond.

Each state can decide for itself whether it wants to make public the parties responsible for an attack. Or whether it wants to respond directly – discreetly – to the actor responsible. Quite often, attribution will not take place publicly. But if this process is made public, it can help if more states become involved. If states work together to detect and attribute cyber-attacks, they can make more effective and accurate assessments. Two recent examples of this are the WannaCry ransomware attack and the NotPetya cyber-attack.


Together, states can also send a strong signal to the world that all actions - offline or online - have consequences. Governments will also have to practise cyber-attack scenarios as often as they can, as they are doing with the Locked Shields exercise. Because time is ticking away. Over the last decade, the likelihood of a cyber-attack has increased and will continue to increase. This was noted once again in the latest Cyber Security Assessment for the Netherlands, published just last week. Last month, the United Kingdom's Attorney General Jeremy Wright gave an outstanding speech, in which he set out the UK’s position on this issue. He stated the following: “The clearer we are about the boundaries of acceptable behavior, the lower the risk of miscalculation and the clearer the consequences can be for transgressing them.”

I couldn’t agree more.


If we want to preserve our rules-based international order and properly steer cyber operations, we have to work together and set clear boundaries. I thank every one of you present here today for helping us achieve that goal. And for doing what you can to make this world – online and offline – a safer place. Thank you.
