Book Link: https://ccdcoe.org/multimedia/international-cyber-norms-legal-policy-industry-perspectives.html
I have some serious questions about how much "Cyber Excellence" you can get when only one of the authors of your book has any technical background in their bios. But disregarding the urge to ask why quoting, say, POLITICO or the ECONOMIST is how policy suggestions are made, I wanted to analyse in depth what the book was actually saying.
To be fair, it says a lot of things, but it also says their opposites, leaving a reader wondering which of those paths is going forwards and which is backwards. The book itself primarily seems to reflect internal struggles with whether policymaking around cyber norms is even possible.
This book would have been ten times better if it had focused on two things:
1. Every person in the book who claimed that yes, geography and cyber were totally connected and therefore all sorts of laws were simple to apply to cyber needs to go and take five random IP addresses and geolocate them. Then someone should point out to them how onion routing, VPNs, co-hosting, and content delivery networks work. You can tell which people in this book don't know what they are talking about because they go on and on about "scholars'" opinions when what they should be doing is learning how to use traceroute.
2. Stuxnet is the acceptable norm. And this book should have focused very clearly on WHY that is so from a technical perspective, because the answer is very interesting, and not at all in coherence with the policies espoused in this book (or by the cyber norms crowd in general) :) .
My notes are in italics below, along with what I felt were telling excerpts of each chapter.
The Nature of International Law Cyber Norms
Michael N. Schmitt and Liis Vihul
One of the better chapters, but also one of the most ambivalent. Perhaps because of that.
"With respect to the jus ad bellum, the primary terminological obstacle deals with the use of the word ‘attack’. Article 51 of the UN Charter allows states to use force in self-defence in situations amounting to an ‘armed attack’. Not all hostile cyber operations directed at a state rise to this level. As a general matter (the precise threshold is by no means settled), such operations must result in the destruction of property or injury to persons before qualifying as an armed attack that opens the door to a forceful response, whether kinetic or cyber in nature."
- Is destruction of an entire industrial sector over a decade "destruction of property"? How much data destruction is "destruction of property"?
Finally, a similar IHL-based debate is underway as to whether the term ‘civilian object’ extends to data.61 If so interpreted, a cyber operation designed to destroy civilian data would be prohibited by Article 52 of Additional Protocol I, which bans direct attacks against civilian objects. If not, civilian data is a lawful object of attack, except in those circumstances where its loss might cause physical damage to objects or injury to persons. The critical and unresolved fault line in the debate lies between interpretations that limit the term to entities that are tangible, which is arguably the plain meaning of the term ‘object’, and those based on the argument that in contemporary understanding the ordinary meaning of ‘object’ includes data.62
Where does dropping of mail spools fall, I wonder?
Therefore, it can be difficult to point to a particular state’s cyber practice to support an argument that a norm has emerged. States, including victim states, may be reticent in revealing their knowledge of a cyber operation, because doing so may disclose capabilities that they deem essential to their security. Undisclosed acts cannot, as a practical matter, amount to state practice contributing to the emergence of customary international law.
From an international security perspective, normative clarity is not always helpful. Two recent examples are illustrative. The relative silence of states in reaction to the 2010 Stuxnet operation against Iranian nuclear enrichment centrifuges does not necessarily indicate that states believe that the operation was lawful (assuming for the sake of analysis that it was launched by other states, since only states can violate the prohibition on the use of force set forth in Article 2(4) of the UN Charter). On the contrary, they may have concluded that the attack violated the prohibition on the use of force because it was not in response to an Iranian armed attack pursuant to the treaty and customary law of self-defence. Yet those states may logically have decided that the operation was nevertheless a sensible means of avoiding a pre-emptive and destabilising kinetic attack against the facilities by Israel.
Considered in concert, these factors render improbable the rapid crystallisation of new customary norms to govern cyberspace. Therefore, the normative impact of customary law on cyber conflict is most likely to take place in the guise of interpretation of existing customary norms, and if so, interpretive dilemmas similar to those affecting treaty interpretation will surface.
Cyber Law Development and the United States Law of War Manual
Clearly trying to push an agenda but needs to go back and learn traceroute.
In early treatments of the subject, a viewpoint emerged that might be termed Exceptionalist. According to this view, cyberspace represented an unprecedented novelty entirely unlike other domains previously regulated by international law. Exceptionalists imagined an Internet owned and regulated by no one, over which states could not and should not exert sovereignty. Some Exceptionalist views ran so strong that they issued manifesto-like declarations of independence that defied states to intervene.1 They advanced a view that Professor Kristen Eichensehr aptly termed ‘cyber as sovereign’.
In response to Exceptionalists, a view developed that might be termed Sovereigntist. According to the Sovereigntist view, cyberspace, while novel with respect to the conditions that informed the creation of most existing treaties and customs, remains fully subject to international law. The Sovereigntist view continues to recognise sovereign states as both the stewards and subjects of international law in cyberspace.3 Scholars sometimes refer in this respect to a ‘cybered Westphalian age’.4
These debates concerning the role of international law in managing cyberspace spawned a cottage industry of legal commentary and scholarship seeking to influence and shape future cyber law. Overwhelmingly resolved in favour of Sovereigntists, these debates were in large part conducted by and between non-state actors such as academics, non-governmental organisations, and think tanks.6 They produced commentary and claims that in both quantitative and qualitative terms have dwarfed the input of sovereign states.
This is the kind of horrible grandiosity this chapter is full of.
At minimum, the observation confirms the US viewpoint that a number of important regulatory ambiguities and even voids exist under the current legal framework.
Nothing about the structure, composition or operation of cyberspace convinces the Manual’s authors that cyberspace is a legal void or unregulated by existing law.
This whole chapter was written to draw this rather tenuous conclusion, the reader senses immediately.
What the Manual clarifies with respect to cyber operations and what it leaves unresolved should be understood simply as a snapshot of the state of international law cyber norms as well as an indication of a single state’s limited interest in immediately cultivating more developed and meaningful international norms in that area.
The International Legal Regulation of State-Sponsored Cyber Espionage
This chapter was pure fantasy.
In light of state practice, however, ‘[t]he argument that cyberspace constitutes a law-free zone is no longer taken seriously’.
Here, again the lady is protesting quite a lot.
By analogy, I would argue that where a state stores confidential information in servers located in another state or transmits such information through cyber infrastructure located in another state, that information represents ‘a crucial dimension of national sovereignty that presupposes the nation state’ and the right to have that information protected from intrusion flows from the general entitlement of states to have their political integrity respected, that is their sovereignty.
The whole chapter is full of this kind of ridiculous legal rationalization. Don't even bother reading it. Did anyone peer review this book?
Beyond ‘Quasi-Norms’: The Challenges and Potential of Engaging with Norms in Cyberspace
Toni Erskine and Madeline Carr
Rips up the bombastic and confident tone of the previous chapters by pointing out they are not looking at norms, but just normative aspirations (aka, wishful fucking thinking).
It is not at all surprising to think that agents with particular interests or values will seek to impose rules and codes of conduct on practices that further these interests or values. This is a common, and often laudable, occurrence in discussions of cyberspace. Our very simple point is that these preferred principles and proposed rules are not norms. They are normative aspirations.
This tension between the desire to apply domestic law to digital information that does not remain tethered by geography and the promotion of an online experience that transcends territorial borders is a common framework within which justifications for imposing sovereign control are put forward. What is important here is not exactly how these actors account for their failure to adhere to the principle of de-territorialised data, but the perceived need to do so.
United Nations Group of Governmental Experts: The Estonian Perspective
A rather sad chapter of helpless indignation.
A major breakthrough on detailed interpretations of international law applicable in cyberspace was not to be expected. However, any consideration that the Group would be able to bring out and agree upon, in addition to the general declaration of 2013, would be a positive development. Estonia recognised that there are complex issues concerning the application of international law, in particular the ‘thresholds’ for a breach of sovereignty, use of force, aggression or armed attack. However, in our view such questions cannot be set theoretically, but rather on a case-by-case basis and taking into account all relevant facts and circumstances. The absence of definitions of these concepts does not mean the impossibility of application of international law.
The preamble of Resolution 58/199 sets a non-exhaustive list of examples of critical infrastructures, such as those used for the generation, transmission and distribution of energy, air and maritime transport, banking and financial services, e-commerce, water supply, food distribution and public health – and the critical information infrastructures that increasingly interconnect and affect their operations.
Estonia sees the 2015 Report as a remarkable achievement. Given the ideological battle and differences in national ICT capabilities, taking the 2013 consensus further was a difficult, but successfully completed task. In particular, Estonia welcomes attention to norms of responsible state behaviour that, in the absence of shared detailed consensus on how international law applies in cyberspace, is a way forward towards building such understanding.
CBMs in all flavors and charts. A good chapter - not too technical, but covers some ground. Worth a read.
The following paragraph sets the flavor of badness for the whole chapter. It is like reading Scientology's Dianetics but just because a childhood friend made you.
The third common feature is that while military activity is present in both environments, and has been for several years, these environments have not yet been ‘weaponised’ or transformed into active battle zones. In this context, weaponisation means the general introduction into an environment of offensive arms capable of destroying or damaging objects within that same environment.
The report recommends that a further GGE be created in 2016, although mere continuation of GGE studies may begin to suffer from diminishing returns. It is evident in the cyber security field that as countries move beyond statements of lofty general principles and begin to address specific measures, divisions of views become more pronounced and concrete outcomes more elusive.
This chapter avoids the obvious conclusions at all costs.
A legal norm is the result of diplomatic compromise among the states which crafted it. Moral rectitude is in the eye of the beholder. Thus any privileging of one country’s normative position over that of another state – for example suggesting that the US position is preferred over China’s – is a statement of an individual ethical choice not one of political or legal analysis.
One import of this was that the membership of the SCO (all authoritarian states) strongly identified with China’s positions on most issues, especially the balance to be struck between state sovereignty and international openness.
From the GGE:
- States should not attack each other’s critical infrastructure for the purpose of damaging it;
- States should not target each other’s cyber emergency response systems; and
- States should assist in the investigation of cyber attacks and cyber crime launched from their territories when requested to do so by other states.102
This is not a commitment to refrain from all use of military cyber assets against each other. Article 4 only says that each country has an equal right of self-defence in cyberspace against ‘unlawful use or unsanctioned interference in the information resources of the other side, particularly through computer attack’. Neither Russia nor China regards cyber espionage or preparations for war in cyberspace as ‘unlawful’ or ‘unsanctioned’.
One important change has been in China’s sense of urgency in using such norms to restrain countries like the US from more rapid strengthening of what China sees as the US hegemonic position in cyberspace.
By September 2015, there are increasing signs that China feels obliged to cooperate in cyberspace rather than risk the fabric of its economic ties. China’s economy is almost certainly not immune from serious damage that could be brought on by a US cyber attack.
Technological Integrity and the Role of Industry in Emerging Cyber Norms
Ilias Chantzos and Shireen Alam
An argument against govt control of crypto, written pre-Apple lawsuit, I assume.
Technological integrity is a principle that promotes privacy measures and shuns the prospect of hidden functionality. Law enforcement agencies around the world are battling against widespread encryption and asserting that a lack of backdoors is causing criminal – including terrorist – investigations to ‘go dark’.3 However, it is nearly impossible to have the luxury of strict security together with surveillance, since beyond a certain point the ability to survey erodes security.4 In turn, this means that there remains no option for governments to have spying capabilities without creating this opportunity to criminals.
Some concrete ways in which the cyber security industry plays a role in influencing cyber norms include: 1) developing the latest technologies and their use; 2) monitoring and informing on the evolution of the threat landscape; 3) engaging in Public Private Partnerships (PPP) and capacity-building efforts; 4) assisting law enforcement in fighting cyber crime; and 5) providing technologies and scalable capabilities to enable countries to implement regulations and public policies.
Government agencies at all levels should form meaningful partnerships with the private sector. A single player does not have all the answers, resources, skills, assets or scalable capabilities to counter rapidly growing and evolving cyber threats. Therefore, it is in the interests of all parties to foster different collaboration models that enable the exchange of information, as well as the dissemination of expertise and capacity-building.
Missing is the idea that governments are often the adversary. :)