An Inspection Regime for Cyber Weapons: A Challenge Too Far?

T. Minárik et al. (eds), 11th International Conference on Cyber Conflict: Silent Battle, 2019

In an age of cyber insecurity, anxieties about the silence of States concerning the applicability of international law to peacetime cyber operations have been growing. Concerns have focused on the reluctance of States to agree cyber-specific multilateral treaties and to publicly clarify the customary international rules applicable to hostile cyber operations. Taking these concerns as its point of departure, this paper argues for greater specificity in evaluating the silence of States in the cyber context by distinguishing between three distinct types of peacetime security threats: cyber attacks, cyber espionage, and cyber information operations. Cyber attacks and cyber espionage are technical security threats which involve breaking into and targeting information and communications technologies. The primary distinction between the two is in the nature of the payload to be executed􏰍 while a cyber attack􏰎s payload is destructive, a cyber espionage payload ac􏰏uires information non-destructively. Cyber information operations are content-based security threats which involve harnessing the power of online information to cognitively target human intelligence. Relying on this typology, this paper highlights how State silences concerning the application of international law to peacetime cyber operations are not uniform, but vary in terms of their targets, scope and rationale depending on the particular security threat under examination. It is suggested that these variations not only reveal an important dimension of the politics of international law, but are also salient to how the silence of States in different cyber contexts may be evaluated. Contrary to the tendency to automatically cast State silences in a negative light, this paper reveals that silences can perform different and sometimes constructive functions that are yet to be fully acknowledged or appreciated.

Conflicts today are no longer confined to the three conventional areas of warfighting – land, sea, and air. Cyber space is now increasingly being recognized as a fourth area of conflict, with countries incorporating cyber elements into their traditional military doctrines, or developing offensive cyber capabilities and cyber military commands. As cyber space becomes more militarized, we are also increasingly seeing nation-state or state-sponsored cyber-attacks rise. Difficult to trace and shrouded in anonymity, how can the world address the potential risks of cyber weapons proliferation? What kind of agreement could be reached to prevent cyber conflict with these new capabilities? What role can confidence building measures or cyber norms play in de-escalation? This paper provides an analysis on the cyber weapons proliferation debate, leveraging the lessons learned from past international agreements, and offering a potential way forward to ensure that an open, stable, and secure cyber space remains.

Philosophy & Technology, 2017

States’ capacity for using modern information and communication technology to inflict grave harm on enemies has been amply demonstrated in recent years, with many countries reporting large-scale cyberattacks against their military defense systems, water supply, and other critical infrastructure. Currently, no agreed-upon international rules or norms exist to govern international conflict in cyberspace. Many governments prefer to keep it that way. They argue that difficulties of verifiability and challenges posed by rapid technological change rule out agreement on an international cyber convention. Instead, they prefer to rely on informal cooperation and strategic deterrence to limit direct conflict. In this article, I seek to rebut some of themain objections to seeking an international convention on the use of cyber weapons. While there are significant obstacles to achieving effective arms control in the cyber domain, historical experience from other areas of international arms control suggests that none of these obstacles are insurmountable. Furthermore, while most critics of cyberarms control assume that cyberspace favors offensive strategies, closer inspection reveals the dominance of cyber-defensive strategies. This in turn improves prospects for striking an effective international agreement on cyberarms control.

International Cybersecurity Law Review, 2021

This is a review of two monographs on cyber operations and international law. Published in 2020, both books discuss state-sponsored cyber operations, legal frameworks with which they could be assessed, as well as legal tools to evaluate the reactions of targeted states. Regarding low-intensity cybersecurity incidents, the two books set up frames of reference very differently. Henning Lahmann's Unilateral Remedies to Cyber Operations almost exclusively focuses on the principle of nonintervention and sets it up narrowly. François Delerue's Cyber Operations and International Law proposes applying the same principle under less strict requirements, and also proposes using territorial sovereignty as an independent assessment tool. While the two books go on to examine more or less the same set of legal tools regarding the reactions of targeted states, because of the initial difference, they offer significantly different views on these tools. Nevertheless, the combined reading of the reviewed books confirms the current state of the debate on cyber operations and international law: despite the general acceptance that international law applies to cyber operations, shared understanding to make the law operational is still lacking.

International Review of Law, Computers & Technology, 2018

The paper argues that the obligation of States to prevent harmful international activities perpetrated within their territory, or any other area under their exclusive control, applies to activities conducted in cyber space. Thus, a State is bound by an obligation to prevent detrimental cyber conduct committed from its territory or transiting through its territory, or any other area under its exclusive control, when it knows or should have known of the conduct, when the conduct contradicts the rights of another State, and when it may cause or is causing serious harm. Where a State is aware or should have been aware of the misuse of its territorial cyber infrastructure, the State must attempt to prevent or to react to the harmful transboundary operation, applying all reasonable measures. The content of the obligation of due diligence to prevent damaging crossborder cyber activities depends on the economic, financial and human resources of the State. The paper concludes that the obligation to preclude harmful international cyber operations constitutes only a first step in securing information and communication technology and should be sustained and improved by the introduction of a treaty on cyber security.

The Hague Program for Cyber Norms Policy Brief, 2020

This policy brief offers a comparative analysis of the positions of seven States on how international law applies to cyber operations. The scope of analysis is limited to peacetime cyber operations; questions regarding the applicability of International Humanitarian Law in cyberspace are not covered. The policy brief analyses States’ views with regard to the legal qualification of cyber operations, their attribution and the response options which States have under international law.

Groningen journal of international law, 2024

The use of force in international relations takes different forms and changes year by year due to the development of cyber technology. The problem mentioned in this study is that the Charter of the United Nations (UN Charter) and international law have not considered weapons development and future weapons that may be used in international relations , as Russia has used such weapons during the war against Ukraine. Unfortunately, cyber technologies were used to deter and weaken Ukraine's chance to gain an advanced result on the ground. Although such cyber operations can cause the same physical damage as other weapons, the international community is still struggling to determine whether using a cyber weapon is considered a use of force. This study argues that cyber attacks against third-party countries that support Ukraine during the war may count as the use of force and a breach of Article 2(4) of the UN Charter.

Hackers have been attacking and inflicting mayhem on governments businesses, and individuals for at least the past fifty years. During the 70s, they were breaking in to mainframes, and paying their electricity bills, or stealing and corrupting databases and other electronic files within reach. When bulletin boards and very slow 300-baud modems became popular in the early 80s, along with desktop computers, hacking became a worldwide activity, with activists readily sharing intrusion methods and conversing on public bulletin boards, electronic meeting places. During two months toward the end of 2010, when inspectors of the International Atomic Energy Agency recorded a significant failure of two thousand centrifuges used to enrich uranium in the North Iranian town of Katanz, subsequent investigations pointed the finger of blame at a piece of code labelled the Stuxnet Worm; many states were under suspicion, including Israel and the United States. Due to the complexity of the code, and the estimate that it would have taken a team of many talented programmers months to develop, the general consensus was that a sovereign state was responsible. But, to date, the evidence needed to place blame has never been gathered. How can international law, in fact how can any law adapt to scenarios where the crime is so deeply beneath the surface of reality, and is of a nature where technical expertise can eradicate all evidence of origin. Scholars and legal experts have written many papers on this subject, yet, there remain two divided camps. In 2000, NATO brought together a consortium of experts from across the world, and spent three years to produce the Tallinn Manual, trying to shoehorn international law in to cyber activities. However, the manual has no legal standing, as even in the Manual it states that the many opposing opinions are simply that, opinions without group consensus. The problem is with the evidence. It is too easy to cover-up tracks across the world wide web, and it also is very easy to plant code within code that can result in misdirection, in one state wrongly suspecting another state. The answer, at this stage anyway, lies squarely with the gathering of evidence. Programming and computer networking expertise will provide the tools for the legislators to adapt laws to fight cyber warfare. Those same technical experts are the only hope of gathering evidence before seeking international law remedies. However, there is another growing movement, one of international co-operation and preparedness. Many sovereign states have rallied and pooled resources, signing Memorandums of Understanding, sharing knowledge and experiences. The reason the legal experts and the scholars are divided, is that the solution lies elsewhere, not in the legal arena. The coming together of people with advanced programming and electronic forensics skills, with co-operation between nations will hopefully shrink in size the unknown spread of cyber terrorists. And, as the light shines brighter, the few rogue nations and hacker groups will have less places to hide, making the gathering of useful evidence less difficult. This paper will not only consider the attempts to adapt international law, but will understand how the actual hacking techniques work, and how computer experts may hold the key to making law reform and enforcement easier.

Cyberspace is erroneously characterized as a domain that transcends physical space and thereby is immune to state sovereignty and resistant to international regulation. The purpose of this paper is to signify that cyberspace, in common with the other four domains (land, sea, air and outer space) and despite its unique characteristics, is just a reflection of the current international system, and thereby is largely affected by the rules that characterize it. The issue of state sovereignty in cyberspace is critical to any discussion about future regulation of cyberspace. Although cyberspace is borderless and is characterized by anonymity and ubiquity, recent state practices provide sufficient evidence that cyberspace, or at least some components of it, are not immune from sovereignty. The increasing use of Internet filtering techniques by both authoritarian regimes and democracies is just the latest example of attempting to control information flows. Cyberspace is non‐territorial, but in sharp contrast to the land, sea, air and outer space, cyberspace is not a part of nature, it is human‐made and therefore can be unmade and regulated. States have continuously emphasized their right to exercise control over the cyber‐infrastructure located in their respective territory, to exercise their jurisdiction over cyberactivities on their territory, and to protect their cyber‐infrastructure against any trans‐border interference by other states or by individuals. As a result, states are filtering and monitoring cyber‐bytes. Over the past years, there is a growing number of states that is publishing national cyber‐policies and establishing cyber‐centers that aim to protect the national cyber‐infrastructure and control their citizens’ access to information. The issue of state sovereignty in cyberspace raises critical questions about the need to regulate the cyber domain and gradually reach an international cyber‐order.