My new book on cyber operations is out


My book on Cyber Operations and the Use of Force in International Law has just been published by Oxford University Press. If you are interested in ordering a copy, please click here, or, if you prefer the US OUP website, here.

Here is the abstract:

The internet has changed the rules of many industries, and war is no exception. But can a computer virus be classed as an act of war? Does a Denial of Service attack count as an armed attack? And does a state have a right to self-defence when attacked in cyberspace? With the range and sophistication of cyber attacks against states showing a dramatic increase in recent times, this book investigates the traditional concepts of ‘use of force’, ‘armed attack’, and ‘armed conflict’ and asks whether existing laws created for analogue technologies can be applied to new digital developments.

The book provides a comprehensive analysis of primary documents and surrounding literature to establish whether and how existing rules on the use of force in international law apply to cyber operations. In particular, it assesses the rules of the jus ad bellum, the jus in bello, and the law of neutrality (whether based on treaty or custom), and analyses why each rule applies or does not apply in the context of cyber operations. Those rules which can be seen to apply are then discussed in relation to each specific type of cyber operation. The book addresses the key questions of whether a cyber operation amounts to a use of force and, if so, whether the victim state may exercise its right of self-defence; whether cyber operations trigger the application of international humanitarian law when they are not accompanied by traditional hostilities; what rules must be followed in the conduct of cyber hostilities; how neutrality is affected by cyber operations; and whether those conducting cyber operations are combatants, civilians, or civilians taking direct part in hostilities. The book is essential reading for everyone wanting a better understanding of how international law regulates cyber combat.

The book also contains a thought-provoking Foreword by Prof. Yoram Dinstein.

Cyber operations as a nuclear counterproliferation measure

My article on ‘Cyber operations as a nuclear counterproliferation measure’ has just been published in the Advance Access section of the Journal of Conflict and Security Law. It will appear in print later in 2014.

Abstract: Focusing on recent malware that allegedly targeted Iran’s nuclear programme, the article discusses the legality of inter-state cyber operations as measures to prevent the proliferation of nuclear weapons, approaching the problem from the perspective of the law of State responsibility, in particular the circumstances precluding wrongfulness. After examining the role that cyber attacks and cyber exploitation can play in preventing nuclear proliferation, the article explores whether cyber operations can be justified as countermeasures in response to a possible breach by Iran of its non-proliferation obligations. It then discusses whether counterproliferation cyber operations amounting to a use of force are submitted to a more lenient legal regime than other more traditional forms of the use of force in international relations. Finally, the article explores the legality of counterproliferation cyber operations from the perspective of Chapter VII of the UN Charter, and in particular of the resolutions adopted against Iran by the Security Council. The article concludes that the legality of counterproliferation cyber operations must be assessed in the light of the general primary and secondary rules of international law: neither the means used (cyber instead of kinetic) nor the aim pursued (the non-proliferation of nuclear weapons) justify a special legal regime.

Global mass surveillance: We cannot say we were not warned

Yesterday I came across this report to the European Parliament (‘An appraisal of technologies of political control’). According to the report, ‘[w]ithin Europe, all email, telephone and fax communications are routinely intercepted by the United States National Security Agency, transferring all target information from the European mainland via the strategic hub of London then by Satellite to Fort Meade in Maryland via the crucial hub at Menwith Hill in the North York Moors of the UK’ (p. 19). The date? 6 January 1998. In light of the recent disclosures, it seems that the warning contained in the report fell on deaf ears.