The online academic journal Questions of International Law has just published a symposium on my book Cyber Operations and the Use of Force in International Law (which is now available also in paperback). Two excellent scholars, Prof. Christian Henderson (Sussex University) and Dr. Emanuele Sommario (Scuola Superiore Sant’Anna – Pisa) discuss my analysis of the jus ad bellum and jus in bello issues arising from the use of cyber technologies. Their reviews are themselves very interesting contributions to the debate on cyber security and well worth reading.
Another excellent (and very positive!) review of my book has been written by Vincent Roobaert and has been published in the latest issue of the NATO Legal Gazette.
My book on Cyber Operations and the Use of Force in International Law has just been published by Oxford University Press. If you are interested in ordering a copy, please click here, or, if you prefer the US OUP website, here.
Here is the abstract:
The internet has changed the rules of many industries, and war is no exception. But can a computer virus be classed as an act of war? Does a Denial of Service attack count as an armed attack? And does a state have a right to self-defence when attacked in cyberspace? With the range and sophistication of cyber attacks against states showing a dramatic increase in recent times, this book investigates the traditional concepts of ‘use of force’, ‘armed attack’, and ‘armed conflict’ and asks whether existing laws created for analogue technologies can be applied to new digital developments.
The book provides a comprehensive analysis of primary documents and surrounding literature to establish whether and how existing rules on the use of force in international law apply to cyber operations. In particular, it assesses the rules of the jus ad bellum, the jus in bello, and the law of neutrality (whether based on treaty or custom), and analyses why each rule applies or does not apply in the context of cyber operations. Those rules which can be seen to apply are then discussed in relation to each specific type of cyber operation. The book addresses the key questions of whether a cyber operation amounts to a use of force and, if so, whether the victim state may exercise its right of self-defence; whether cyber operations trigger the application of international humanitarian law when they are not accompanied by traditional hostilities; what rules must be followed in the conduct of cyber hostilities; how neutrality is affected by cyber operations; and whether those conducting cyber operations are combatants, civilians, or civilians taking direct part in hostilities. The book is essential reading for everyone wanting a better understanding of how international law regulates cyber combat.
The book also contains a thought-provoking Foreword by Prof. Yoram Dinstein.
My article on ‘Cyber operations as a nuclear counterproliferation measure’ has just been published in the Advance Access section of the Journal of Conflict and Security Law. It will appear in print later in 2014.
Abstract: Focusing on recent malware that allegedly targeted Iran’s nuclear programme, the article discusses the legality of inter-state cyber operations as measures to prevent the proliferation of nuclear weapons approaching the problem from the perspective of the law of State responsibility, in particular the circumstances precluding wrongfulness. After examining the role that cyber attacks and cyber exploitation can play in preventing nuclear proliferation, the article explores whether cyber operations can be justified as countermeasures in response to a possible breach by Iran of its non-proliferation obligations. It then discusses whether counterproliferation cyber operations amounting to a use of force are submitted to a more lenient legal regime than other more traditional forms of the use of force in international relations. Finally, the article explores the legality of counterproliferation cyber operations from the perspective of Chapter VII of the UN Charter, and in particular of the resolutions adopted against Iran by the Security Council. The article concludes that the legality of counterproliferation cyber operations must be assessed in the light of the general primary and secondary rules of international law: neither the means used (cyber instead of kinetic) nor the aim pursued (the non-proliferation of nuclear weapons) justify a special legal regime.
In today’s New York Times, David Sanger published an article that the damage caused by Edward Snowden’s disclosures of NSA surveillance might have killed what Sanger calls “the equivalent of a ‘Star Wars’ defense for America’s computer networks, designed to intercept cyber attacks before they could cripple power plants, banks or financial markets.” More specifically:
Under this proposal, the government would latch into the giant “data pipes” that feed the largest Internet service providers in the United States, companies like A.T.&T. and Verizon. The huge volume of traffic that runs through those pipes, particularly e-mails, would be scanned for signs of anything from computer servers known for attacks on the United States or for stealing information from American companies. Other “metadata” would be inspected for evidence of malicious software.
Whether this idea would have matured and proceeded without leaks about NSA surveillance is not clear because opposition within the US government existed:
Top officials of the Department of Homeland Security, which is responsible for domestic defense of the Internet, complained that N.S.A. monitoring would overly militarize America’s approach to defending the Internet, rather than making sure users took the primary responsibility for protecting their systems.
The deputy secretary of defense, Ashton B. Carter, described in speeches over the past year an alternative vision in which the government would step in to defend America’s networks only as a last line of defense. He compares the Pentagon’s proper role in defending cyberattacks to its “Noble Eagle” operation, in which it intercepts aircraft that appear threatening only after efforts by the airlines to identify the passengers and by the Transportation Safety Administration to search passengers and luggage have failed.
The disclosures about NSA surveillance and its scale have, however, altered the nature of discourse in Washington, D.C. about this debate on US cyber defense in ways that make progress in this area, for the near future, potentially very, very difficult.
Today, President Obama outlined steps his administration would take to address the controversial debate taking place concerning NSA surveillance activities disclosed by Edward Snowden. The New York Times reports that:
Mr. Obama announced the creation of a high-level task force of outside intelligence and civil liberties specialists to advise the government about how to balance security and privacy as computer technology makes it possible to gather ever more information about people’s private lives.
The president also threw his administration’s support behind a proposal to change the procedures of the secret court that approves electronic spying under the Foreign Intelligence Surveillance Act in order to make its deliberations more adversarial. The court, created in 1978, was initially envisioned to carry out a limited role of reviewing whether there was sufficient evidence to wiretap someone as a suspected foreign terrorist or spy.
. . .
The Obama administration is also planning to release a previously classified legal analysis explaining why the government believes it is lawful under a provision of the Patriot Act known as Section 215 for the N.S.A. to collect and store logs of every phone call dialed or received in the United States.
At the same time, the N.S.A. was expected to release a paper outlining its role and authorities, officials said. The six- to seven-page document was described as setting up a “foundation” to help people understand the legal framework for its activities. Next week, the agency will open a Web site designed to explain itself better to the public amid Mr. Snowden’s disclosures.
The “previously classified legal analysis” on the government’s interpretation of Section 215 is available now in a document entitled: Administration White Paper: Bulk Collection of Telephony Metadata Under Section 215 of the USA PATRIOT Act (August 9, 2013).
For the argument that the bulk telephony metadata program does not satisfy the requirements of Section 215, see this amicus brief filed with the US Supreme Court today by a group of professors expert in information privacy and surveillance law, a group that includes me. This amicus brief supports the petition filed in July with the Supreme Court by the Electronic Privacy Information Center against the bulk telephony metadata program.
Related to the President’s announcement, the NSA released a document today entitled The National Security Agency: Mission, Authorities, Oversight and Partnerships (August 9, 2013), which, among other things, describes NSA’s authorities to collect intelligence under Executive Order 12333 and the Foreign Intelligence Surveillance Act, including Section 702 of that Act (the legal basis for the PRISM program targeting non-US persons located outside the US).
Greg Austin of the EastWest Institute published a piece in China-US Focus on August 6th in which he identifies possible push-back against the US government’s race to achieve “cyber superiority” and the emergence of “the American cyber industrial complex” from people in the US military knowledgeable about US nuclear weapons and strategy. He argues that disclosures by Edward Snowden reveal a “lack of restraint” in US cyber behavior and:
This lack of restraint is especially important because the command and control of strategic nuclear weapons is a potential target both of cyber espionage and offensive cyber operations. The argument here is not to suggest a similarity between the weapons themselves, but to identify correctly the very close relationship between cyber operations and nuclear weapons planning. Thus the lack of restraint in cyber weapons might arguably affect (destabilize) pre-existing agreements that constrain nuclear weapons deployment and possible use.
The cyber superiority of the United States . . . is now a cause of strategic instability between nuclear armed powers. . . . [I]n the long run, the most influential voice to end the American quest for cyber military superiority may come from its own armed forces. There are military figures in the United States who have had responsibility for nuclear weapons command and control systems and who, in private, counsel caution. They advocate the need to abandon the quest for cyber dominance and pursue a strategy of “mutual security” in cyber space – though that has yet to be defined. They cite military exercises where the Blue team gets little or no warning of Red team disruptive cyber attack on systems that might affect critical nuclear command and control or wider war mobilization functions. Strategic nuclear stability may be at risk because of uncertainty about innovations in cyber attack capability. This question is worth much more attention.
Cybersecurity literature contains references and analogies to nuclear weapons and nuclear strategy, including attempts to draw on the nuclear experience to address what some perceive as a cyber arms race. However, Austin is talking about something different–concern among experts that what is happening with US cyber policy, strategy, and capabilities threatens US nuclear strategy and stability. I do not know how prominent such strategic introspection actually is, or whether it deserves the level of deliberation Austin advocates.
In the most general terms, Austin seeks reassessment of what he and others believe is an insufficiently restrained American quest for superiority in military and intelligence cyber capabilities–not because of perceived threats to privacy and other civil liberties at home, but because this path might create strategic problems for US national security down the road, including in the context of nuclear weapons. For Austin, this reassessment should include more scrutiny of permitting one military officer to lead both NSA and US Cyber Command, a situation Austin provocatively describes as “an unprecedented alignment of Praetorian political power in any major democracy in modern political history.”
A unrestrained cyber industrial complex led by a cyber Praetorian guard potentially causing strategic nuclear instability? Well, now, the “national conversation” is getting more interesting by the day . . .