21 February 2017

Norms aren’t substitute for international law in cyberspace

Mark Pomerleau

The international community is still grappling with how to create a framework for normative behaviors, or norms, for how states should act and use cyber.

The current track has been to apply the rules of war, conflict and international law to a domain that by its very nature enables a great deal of confusion and obfuscation.

One of the key efforts in crafting internationally recognized norms in cyberspace has been the Tallinn Manual project, which recently celebrated the release of “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.” Tallinn 2.0 follows the first Tallinn Manual, released in 2013, which focused on cyber operations that violate the prohibition of the use of force in international relations, where one state must not coerce another state with regard to things reserved to that state.

The genesis for the Tallinn project was in part due to what happened in Estonia in 2007 and the cyber operations as part of the armed conflict in between Russia and Georgia in 2008, Liis Vihul, project manger and managing editor of the Tallinn Manual Process, said at the Tallinn 2.0 rollout event at the Atlantic Council Feb. 8 in Washington. Those cyber operations made legal analysts and policy folks ask whether those operations were acceptable as a matter of international law or if they should be regarded as unlawful, she said.

The Tallinn 1.0 effort was successful in a lot of ways as a first real crack at the issue, but it’s not in itself law, it’s just the opinion of academics, Duncan Hollis, associate dean for academic affairs at Temple Law School, said during a panel discussion at the Carnegie Endowment for International Peace Feb. 6 in Washington. The Tallinn Manual is a treaty, it’s not custom, it’s not some general principles that states have to pay attention to, he added, noting that it did advance the conversation.

Tallinn 1.0 was subjected to additional criticism that it only focused on warfare, not peacetime or general relations between states and how cyber intersects that. Tallinn 2.0, however, expanded its scope to cover international law governing cyber operations to peacetime legal regimes and more common cyber incidents that a state might encounter day to day.

DNC hack in ‘legal gray zone’

During the Tallinn 2.0 rollout in Washington, Michael Schmitt, a law professor at the U.S. Naval War College and director of the Tallinn Manual project, expounded on the DNC hacking incident and Russia’s behavior more broadly, noting how this incident is a perfect example of what he calls the gray zone of international law.

In the manual, which was written before the DNC hack, Schmitt said elections were used as the example to illustrate domaine reserve – the principle in international law that prohibits one state from intervening in the internal affairs of another. Elections are the cleanest example of domaine reserve, he said, as states have a right to choose their own representatives and government.

Many states will intentionally operate in these gray areas, Schmitt continued, providing the example that a “spectacular Estonian attorney,” who is no friend of the Russians, has objectively come to the conclusion that the DNC hack was not a violation of international law.

“So in this case, the Russians have selected an area of law in which to operate in which it will be hard for states to come to a consensus that they have violated international law,” Schmitt said. “If states don’t move forward with a little more dispatch and a little more focus, our opponents are going to play in this gray area. The Russians are masters. It’s not that they’re bad lawyers … they’re spectacular lawyers.”

He cited the example of Ukraine and the “masterful” way in which the conducted their destabilization of the country with the little green men and the election in Crimea. These are fuzzy from an intentional law perspective, he said.

Now that the Tallinn project has concluded, it will be up to states to use it to craft treaties and common operating procedures in cyberspace, even if it is just a reference.

Absent ‘warfare’ rules of the road needed

When discussing norms and state behavior use of cyber in warfare, Michele Markoff, deputy coordinator for cyber issues at the State Department, described that Russian and Chinese counterparts were saying this is all well and good to talk about warfare, but they’re not seeing a lot of warfare. What they are seeing is a lot of malicious activity that’s very destabilizing, she said at Carnegie, adding that the goal should rather hone in on international cyber stability.

Three peacetime norms that were accepted among many in the international community were don’t attack critical infrastructure; don’t attack a computer emergency response team unless it is engaged in offensive activity on behalf of the state; and if a state is victimized by malicious activity emanating from your territory, you should help the victim state. Markoff clarified that these norms only applied to peacetime, not conflict, and were nonbinding and voluntary,

Norms are for the good guys, she asserted, adding they are for responsible state behavior for responsible states who understand how states ought to behave. This base enables “good states” to understand when they might want to do something about bad state behavior.

Waiving a norm agreement in front of Russia or China is not a deterrent, she explained. Rather, it provides the ability to decide at what point other states think the transgressions have been of significant national implication that they and other responsible states may want to get together and do something.

Incidents such as DNC hack, while provocative might bode well for developing international norms in this space as it forces states to take a position.

Discussions like crafting international norms can move slowly because states approach the subject cautiously, not wanting to restrict their own capabilities, said Schmitt, the Tallinn Project director. Incidents such as the most recent election hacking allegations could force states to become more aggressive in pursuing laws and norms they otherwise would not have endorsed, he added.

No comments: