20 July 2015

Why 'Cyberwar' Is So Hard To Define

Cyberwar is currently a hot topic of discussion and debate, much of which is potentially damaging. The term “cyberwar” is too frequently casually bandied about for dramatic effect, to instill fear, or exaggerate or obfuscate grim realities.

The book There Will Be Cyberwar is a moderating and significant contribution to current cyberwar discourse. Richard Stiennon, the book’s author and renowned cybersecurity industry analyst, declares that there will be cyberwar, but first adeptly anticipates and defeats possible accusations of hyperbolic use of the term by explaining how the term “war” has been used colloquially in many contexts, including “trade war,” “currency war” and even “war of words.”

Stiennon then, unlike too many cyberwar commentators, adopts a constrained definition of the term and leads the reader on a measured, persuasive explanation of how the move to network-centric war fighting has set the stage for cyberwar. In contrast to Stiennon’s carefully considered approach that provides a definition and methodology, much public commentary is merely banter about cyberwar,” without definition of the term and with distortions in its application, up to and including the fantastic and fictionalized.

To the detriment of informed public debate, “cyberwar” is not a defined term of art in law or legal convention. Rather, traditional law of war concepts are applied to cyber “issues” or more precisely, cyber operations. While the lack of normative guidance on the conduct of “cyberwar” may be self-evident to scholars in the field, it is not to the public. It is important for the public to begin to grapple with the intricacies of the law of war as applied to cyber operations.

“Cyberwar” as a term can be used a handy shorthand for the law of war as applied to cyber operations in general, provided that actual explanation is accurate according to current authoritative precepts. A more precise discussion of law of war as applied to cyber operations will provide a more structured underpinning for public debate, and one that does not obfuscate important details. Focusing on currently developing guidance on the law of war as applied to civilian participation in cyber operations may also bring more precision to the “cyberwar” table by personalizing the topic.

Department of Defense Law of War Manual (LOWM) including a section on Cyber Operations.

The Department Of Defense Law Of War Manual – June 2015

Arguing the semantics of the term “cyberwar” is, itself, a war of words. There is no legal definition of the term. This was made conspicuously evident on June 12, 2015, when the U.S. Department of Defense released the Law of War Manual (LOWM). The LOWM covers all manner of topics pertaining to wartime actions (such as classes of persons and their treatment under the laws of war, conduct of hostilities, weapons, prisoners of war, maval warfare, air and space warfare, etc.), as well as extensively discusses “war as a legal concept.” The LOWM explains that the precise definition of war “often depends on the specific legal context in which it is used.” The LOWM also includes a section entitled Cyber Operations.

Nowhere in the Cyber Operations section, or in the entire 1022-page LOWM, is the term “cyberwar” (or “cyber war” or “cyber warfare”) even used, much less defined. In the introduction to the Cyber Operations section of the LOWM, the DoD states: “[p]recisely how the law of war applies to cyber operations is not well-settled …”

The LOWM does, however, define “cyberspace” and describes “cyber operations” in the context of that definition. The LOWM reiterates the DoD’s 2011 announcement that it will begin treating “cyberspace” as an operational domain, like air, land, sea and space, and defines “cyberspace” as “[a] global domain within the information environment consisting of interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” LOWM Section 16.1.2,

Description of Cyber Operations, provides: “Cyberspace operations may be understood to be those operations that involve “[t]he employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.” Cyber operations: (1) use cyber capabilities, such as computers, software tools, or networks; and (2) have a primary purpose of achieving objectives or effects in or through cyberspace.”

However the LOWM falls short of declaring war-like acts in cyberspace to be cyberwar. The LOWM further recognizes that “aspects of the law [of war in cyberspace] are likely to continue to develop, especially as new cyber capabilities are developed and States determine their views in response to such developments.”

The Tallinn Manual On The International Law Applicable To Cyber Warfare

The Tallinn Manual on The International Law Applicable to Cyber Warfare, first produced in 2013 by a special Independent Group of Experts (IGE) convened by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), also does not define “cyberwar” or “cyberwarfare.” Its use of “cyber warfare” is expressly used in a “purely descriptive, non-normative sense.” The Tallinn Manual further recognizes that “[t]here are no treaty provisions that directly deal with ‘cyber warfare.’” 

While recognizing that the community of nations is “understandably concerned about the lack of normative ambiguity” of the application of the laws of war to cyber operations, it stated that such “lack of guidance does not relieve states from their obligation to comply with international law in their cyber operations.” 

It should be noted here that the Tallinn Manual has been revised, and version 2.0 is scheduled to be released in 2016. Tallinn 2.0 is stated to expand beyond the first edition (that focuses on the most disruptive and destructive cyber operations that qualify as “armed attacks” and therefore allow States to respond in self-defense) to assess the international legal framework that applies to malevolent cyber operations that do not rise to the level of actions in armed conflict, as well as address, with respect to individuals, human rights law. 

In Cyber Espionage or Cyber War? International Law, Domestic Law, and Self-Protective Measures Professor Christopher S. Yoo explains that “the threshold determination for the applicability of jus ad bellum (right to war) and jus in bello(limits to acceptable wartime conduct) in cyberwar has been whether the damage to persons or property is analogous to those inflicted by traditional kinetic war. Yoo argues that “[t]his standard leaves many of the types of cyber operations that have raised the greatest concern outside the scope of the law of war.” Yoo then goes on to analyze in more depth the applicability of these concepts to cyber operations, in particular as applied in the Tallinn Manual. Yoo explains that while that Manual “glosses over many important ongoing debates,” it does, as the leading a source on how the law of war applies to cyber conflicts, “provide an important cornerstone for analysis.” 

In utilizing the Tallinn Manual for that analysis, Yoo reviews types of cyber actions that the international community would clearly recognize as uses of force, in particular explaining the concept that “use of force ” traditionally covers “all conduct that [rises] to the level of armed attack and acts that injure or kill persons or damage or destroy objects.” 

The LOWM also applies this traditional destruction and death precept as a qualifier. Under the LOWM, if the results of cyber operations were the same as the kinetic acts of “dropping a bomb or firing a missile “ then traditional law of war would apply. It goes on to state that the law of war principles of “humanity, suffering, injury, or destruction unnecessary to accomplish a legitimate military purpose must be avoided in cyber operations.” 

Civilian Participation In Cyber Operations Forfeit Protection From Attack 

Importantly, the LOWM addresses the use of civilian personnel to support cyber operations, “including support actions that may constitute taking a direct part in hostilities.” The Tallinn Manual also addresses the wartime problems arising from mixed civilian/military cyber operations, including obligations to notify the enemy of the civilian presence, and the activities of civilian groups being governed by the rules pertaining to participation in hostilities. 

The Tallinn Manual Rule 29 permits civilians to participate in cyber operations that amount to hostilities, but also iterates that they “forfeit their protection from attacks for such time as they so participate.” Like the Tallinn Manual, the LOWM expressly extends to cyber operations the traditional civilian participation principle that is applicable in non-cyber war operations: “Civilians who take a direct part in hostilities forfeit protection from being made the object of attack.” This includes “civilian cyber specialists who have been authorized to accompany the armed forces.” 

As a practical matter, this statement should raise serious considerations for the “private industry partners” and their employees who have taken part in the Cyber Guard “cyberwar game, Cyber Guard 15, that took place this past June 8-26, encompassed private-industry participation including several information sharing and analysis centers, as well as public and private research institutions. As reported by theWall Street Journal, these “cyberwar games” established that the government was seeking to test the various industries that could be forced to respond in the event of a cyberattack” (emphasis added). 

“The outcome we are seeking is operational readiness,” said Coast Guard Rear Adm.Kevin E. Lunday, director of exercises and training at U.S. Cyber Command, a division of the military. In view of civilian forfeiture of protection in the event of a cyber attack, and the preparation of private industry for operational readiness in the event of such attack, companies across many sectors need to keep a close eye on the doctrinal developments in “cyber warfare” and its extant and forthcoming rules, including the just-issued LOWM, the forthcoming Tallinn 2.0, and last week’s U.N. Governmental Group of Experts-agreed “norms in cyberspace,” due to be made public in late August. 

While “cyberwar” may not exist as a legal term of art, its colloquial use will undoubtedly continue in popular discourse. Moving colloquial use of the term towards a more productive, structured discussion about the law of war as applied to cyber operations will greatly benefit public debate.

No comments: