Tuesday, February 26, 2019

International Humanitarian Cyber Law

Image result for red cross cyber

So Friday I attended a meeting with the Red Cross in DC aimed at discussing the issues around extending international humanitarian law tenets (IHL) to the cyber domain. I'm going to assume it was under a ruleset that prevents me from naming names or specific positions. But I wanted to write down some take-aways to help future analysis of proposals to interpret IHL in particular ways. As one lawyer says "If you give me the choice of writing the law, or interpreting the law, I take interpreting ten out of ten times".

It was pointed out that we do, as a country, take IHL into account when planning cyber ops, as we do with operations in any domain. But that doesn't mean there's nearly as cut and dry a port of the existing concepts that many international humanitarian lawyers want.

You'll find yourself, as you think about this stuff, asking many questions, for example:

  • Can we create a standard interpretation of the law that works on both easy targets and hard targets? The difference is often that with an easy target, you have direct control of your implants and your operation, and the effect you are trying to have may also be very direct and simple. With a more complex targets, you may be launching a worm into a system and hoping for an effect, and your targeting may have to be more diffuse to give you any hope at all.
  • Can we create a useful interpretation of IHL when none of the terms are defined when it comes to cyber? If North Korea takes out Sony Pictures Entertainment, what is the proportional response in the cyber domain? What does it mean to be indiscriminate in the cyber domain?
  • Is data a "Civilian Object"? And of course, if it is, does that mean governments can't use cloud hosting with civilians? The implications are an endless fractal of regulatory pain.
  • Is OPSEC or IHL driving any particular policy? It's impossible to tell, since everything is handled covertly in this space, whether we refrained from an action for OPSEC or IHL reasons. Or if there is a collision, does OPSEC win? Because hiding from attribution may require not looking like your op was written by a legal team in Brussels... This is a particularly hard problem because other domains we tend to have a massive advantage, but in Cyber we are essentially peer-on-peer, and may not have the overwhelming force necessary to take all the precautions the IHL lawyers would prefer.
  • How do you apply this in a space that has extremely fuzzy attribution at best? (Attendees wanted to basically live on the hopes that attribution would become a mostly solved problem - which I personally found hilarious)
  • How well does this all work when no two states agree on anything in the space? Obviously meetings like this are an attempt to get some level of agreement between parties, but it may not be possible to get agreements that any large set of states agree on.
Many lawyers in this space, even the aggressively pro-IHL lawyers, assume that "access" and "ops" are quite different, and most say that all access is fine. Access whatever you want, as long as you don't turn it off on purpose. I find this interesting in the case that access really does require risk. It's impossible to test your router trojans perfectly, and sometimes they take whole countries offline by mistake.

So much in whether something is deemed to be violating IHL is about the "intent" of the attacker, which typically is going to be completely opaque. Various lawyers will also point out that different aspects of laws apply depending on whether an armed conflict is already happening, which I frankly think is avoiding the issues at stake and hoping to come to an agreement on principals nobody really feels they will ever have to put into practice.

Activists (and citizens) probably have a different opinion on access vs ops, at least based on the reaction to Snowden. They might claim that even accessing their naked pictures violates, if not IHL, then some universal right to privacy. But this starts reaching into the issues we have with espionage law, and how we define domestic traffic, and a whole host of other things that are equally unsettled and unsettling.

No comments:

Post a Comment