The Cybersecurity Canon: Cyber Operations and the Use of Force in International Law

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Christina Ayiotis: Cyber Operations and the Use of Force in International Law (2014) by Marco Roscini

EXECUTIVE SUMMARY

In a world awash with stories about “cyberattacks,” “cyberwar” and “cyberespionage,” it is difficult to understand exactly what is going on and why political leaders respond the way they do. After reading this book, an admittedly dense legal tome, any reader interested in or affected by the U.S. Office of Personnel Management “hack” will have a better understanding of the U.S. government’s response.

Cyber Operations provides an excellent overview of the international laws applicable to “cyber attacks” (a term of art) and will make its readers think twice about how they use cyber terminology. It is meticulously researched with a whopping 1,807 footnotes and cites leading authorities on the law of armed conflict, as well as on international law. In today’s interconnected world, completely dependent on computers and the internet (where economic security is national security), it will stimulate both lawyers (military, government, private sector, etc.) and laypersons to think about how much more we should all be doing to protect our networks, data, intellectual property and critical infrastructure.

REVIEW

The Foreword, provided by esteemed scholar Yoram Dinstein, observes that “problems are scrutinized in a sober fashion, and that the legal investigation displays erudition as well as insight”—I concur. Organized like a textbook, the book reads quite easily for a law book. Several chapters even provide “Conclusion” sections that include extremely helpful summaries (e.g., in bullet-point fashion, as well as tables)—a most satisfying reward to the journey through the complicated, multi-layered legal issues.

Chapter 1 necessarily starts with the emergence of the cyberthreat to international security and explains where international law comes into play (to wit “cyber activities conducted by states against other states” as distinguished from those activities that constitute cybercrime). Taxonomy is established (Professor Roscini prefers “cyber operations” to “cyberwar”) and then we are off to the races, learning about the differences between “information operations,” “computer network operations,” “computer network defense,” “offensive counter-cyber operations,” “cyber collection,” “cyber exploitation,” etc. Terminology really matters—particularly with respect to understanding the legality of these activities in the context of international law. The chapter includes a review of applicable law (i.e., treaties, customary international law, and the Tallinn Manual on the International Law Applicable to Cyber Warfare), as well as discussion of the “Identification and Attribution Problems.” It ends with explaining the book’s scope and purpose: analyzing the jus ad bellum (Law establishing when states may use force in international relations) and jus in bello (Law which regulates how hostilities may be conducted in armed conflict and that protects those affected by them) issues arising from military cyber operations.

Chapters 2 and 3 walk through every stage in the lifecycle of cyber operations issues of armed conflict and its attendant legal issues and criteria. Professor Roscini does a great job of illustrating concepts using well-known cyber examples, such as Stuxnet, Duqu, Flame, etc., as well as scenarios related to RBN, Hezbollah, botnets, Anonymous, etc. Chapter 4 addresses the legal issues arising from the use of cyberwarfare in armed conflict, including “means and methods,” the law of targeting, and cyber operations short of attack. Chapter 5 focuses on the law of neutrality, a particularly interesting subject given the global nature of information technology infrastructure and the global companies that own it.

For the more time-pressed reader, the General Conclusions expertly summarize the important issues in the book. Taking the militarization of cyberspace as a given, the author contends that “existing jus ad bellum and jus in bello provisions apply to cyber operations, even though the rules were adopted well before the advent of cyber technologies.” He addresses the issue with lack of territoriality of cyberspace (in a Westphalian sense) by suggesting a focus on “where the prejudicial activity is undertaken and where the effects occur.” Finally, he acknowledges the likelihood of increased cyber operations (in frequency and gravity) but surmises that they “will probably supplement, not replace, traditional warfare.” As such, we would do well to understand existing rules and apply them correctly.

CONCLUSION

A scholarly work, Cyber Operations and the Use of Force in International Law should be part of the Cybersecurity Canon (as well as required reading for 1^st year law students around the globe) as it will help cybersecurity practitioners understand what government’s role is versus the private sector (and may even cause people to stop frivolously using the terms “cyberwar” and “cyberattack”). Appreciating that the focus is on military operations, it nonetheless enables us to place geopolitical/global commerce matters (e.g., theft of intellectual property, interference in national elections, etc.) in context. I recommend both campaigns in the U.S. 2016 national election read it.