Legal Issues Of Cyber War Are Big & Complex

state-responsibility-3-638.jpg?cb=1400013002

Much of the unchartered legal territory begins with questions of what it takes to trigger self-defense in cyberspace, and what does it mean for a nation-state to have 'effective control' of a hacker? 
    
Claims that technical experts have solved attribution ignore legal challenges that could slow or limit how states might lawfully respond to a major cyberattack. 

First, a country hit with a major cyberattack would face the novel challenge of persuading allies that the scale and effects of a cyberattack were grave enough to trigger a right to self-defense under the UN Charter. No simple task, given that the UN rules were drawn up seven decades ago by countries seeking to end the scourge of traditional, kinetic warfare. Jurists still debate how self-defense applies in cyberspace and US officials admit building a consensus could be a challenge.

If a victim state does corral a consensus that the right to use force in self-defense has been triggered, a second legal question could compound the attribution challenge even further.

Can the actions of a hacker be attributed to a nation-state as a matter of law? Answering this question presents a major legal hurdle if the attack is launched by an ostensibly non-state hacker with murky ties to an adversary government—a growing trend already seen in cyberattacks linked to Russia and Iran.

Legal precedents born out of traditional conflicts and proxy wars suggest the evidentiary burden to attribute the actions of non-state hackers to a state will be substantial. And experiences from recent incidents offer a discouraging preview. It took less than 24 hours for a prominent cybersecurity expert to cast doubt on claims by unnamed US officials that China was behind the breach of OPM’s networks. Official accounts of Pyongyang’s role in the Sony attack played out similarly, with news outlets featuring competing expert accounts of responsibility—a line-up of suspects that included North Koreans, Russians, hacktivists, cyber criminals, and disgruntled employees.

In 2013, some of the world’s major cyber powers reached a consensus that law applies in cyberspace, including principles of the law of state responsibility. Attributing conduct to a nation-state under this body of customary international law, however, requires extensive evidence of state control over a hacker—a significant ask of intelligence agencies already burdened with looking out for and mitigating the cyberattacks themselves.

Under the law of state responsibility, a state is accountable for the actions of individuals acting under its “effective control.” Legal scholars debate what “effective control” looks like in practice, but the International Court of Justice has ruled that violations of the law of armed conflict by private individuals can be attributed to a state only if it could be shown the state “directed or enforced” an operation. In a landmark 1986 case, evidence the United States financed, organized, trained, supplied, and equipped the Nicaraguan contras, as well as aided in the selection of targets and planning of contra operations, was not enough to show the United States exercised effective control over the contras. Contra war crimes, it followed, could not be attributed to the United States.

Extending the Nicaragua precedent to cyberspace, a victim of a cyberattack would likely have to prove more than an adversary supplied a cyber weapon to a non-state actor. A victim would instead have to show the state ordered or had “effective control” over all aspects of the cyberattack. Without such evidence, a victim’s lawful response options may be limited to actions against the non-state actors—cold comfort for a nation reeling from a cyberattack perpetrated by hackers financed, organized, trained, supplied, and equipped by a nation-state adversary. The victim state can of course decide for itself whether it has met the burden of proof in its attribution and unilaterally unleash an armed response—attribution, it has been said, is what states make of it—but a desire for international legitimacy could require meeting international law’s significant evidentiary burden before acting in self-defense.

Together, clearing these two legal thresholds will pose a significant challenge for countries seeking to respond to cyberattacks. Only after both are cleared is a victim endowed with a right to use force in self-defense against an attacker’s armed forces or other military objectives. This double burden could leave a victim state choosing between two bad outcomes: responding with force in a manner deemed illegitimate in the eyes of the international community; or responding with “non-forcible countermeasures” (criminal sanctions or diplomatic measures such as a demarche). Either outcome would lend support to the growing sense of cyberspace as a lawless frontier.

Expert contributors to the Tallinn Manual, an influential treatise on how international law applies to cyber warfare, are attempting to develop a consensus around how the law of state responsibility applies to the use of proxies in cyber operations. But until a shared understanding of state responsibility in cyberspace emerges, governments must themselves push for and enforce—as publicly as possible to ensure their behavior sets responsible precedents—a standard that punishes the use of proxies for cyberattacks and holds countries accountable for the consequences of those attacks. Public attributions, declassification of relevant intelligence, and the responsible use of countermeasures will do far more than tribunals and legal scholars can to shape how we deal with attribution and responsibility in cyberspace.
The views expressed in this article are those of the author and do not necessarily represent those of the Department of State or the US government.
DefenseOne: http://bit.ly/1gLlH42

 

 

 

 

 

 

« Bitdefender Suffers Data Breach, Customer Records Stolen
Japan: Court Rules Against Bitcoin Compensation »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Echelon

Echelon

Echelon Company is a provider of information security services specializing in certification of security software and hardware products in Russia.

F-Response

F-Response

F-Response is a software utility that enables an investigator to conduct live Forensics, Data Recovery, and eDiscovery over an IP network using their tools of choice.

Bayshore Networks

Bayshore Networks

Bayshore Networks was founded to safely and securely protect Industrial IoT (IIoT) networks, applications, machines and workers from cyber threats.

International Telecommunication Union (ITU)

International Telecommunication Union (ITU)

ITU is the United Nations specialized agency for information and communication technologies – ICTs. Areas of activity include cybersecurity.

Ericsson

Ericsson

Ericsson is a leading provider of telecommunications services and network infrastructure solutions including all aspects of network security.

BlackBerry Security Services

BlackBerry Security Services

Blackberry provides intelligent security software and services to enterprises and governments around the world.

Smokescreen

Smokescreen

Smokescreen's IllusionBLACK employs deception technology to detect, deflect and defeat advanced hacker attacks.

ECOS Technology

ECOS Technology

ECOS Technology specializes in the development and sale of IT solutions for high-security remote access as well as the management of certificates and smart cards.

Findings

Findings

Findings (formerly IDRRA) is a scalable AI powered assessment platform that streamlines security compliance across sectors, jurisdictions and regulatory frameworks.

Cofrac

Cofrac

Cofrac is the national accreditation body for France. The directory of members provides details of organisations offering certification services for ISO 27001.

IT Career Switch

IT Career Switch

An IT Career Switch Traineeship is the easiest way to start a new career in IT or Cybersecurity with fantastic career prospects.

PNGCERT

PNGCERT

PNGCERT is the national Computer Emergency Response Team (CERT) for Papua New Guinea.

Kalima Systems

Kalima Systems

Kalima’s mission is to securely collect, transport, store and share Industrial IoT (IIoT) trusted data in real time with devices, services and mobile workers.

Stratus Technologies

Stratus Technologies

Edge Computing solves the inherent challenges of bandwidth, latency, and security at edge locations to enable IIoT devices and data acquisition.

Moss Adams

Moss Adams

Moss Adams is a fully integrated professional services firm dedicated to assisting clients with growing, managing, and protecting prosperity.

HP Wolf Security

HP Wolf Security

HP Wolf Security protects your organization and devices from cyberattacks no matter where, when or how you work.