Cyberthreats And International Law
Author: Georg Kerschischnig
Publisher: The Hague: Eleven International Publishing, 2012. 386p.
Reviewer: Anita Lavorgna | May 2013
In a world where threats to the international community might come not only in traditional forms but also from cyberspace, the legal framework has to adapt and evolve to deal with these new security issues. Indeed, cyber attacks, at least potentially, could cause severe harm, since any critical infrastructure that is accessible from the Internet could be penetrated. Even if the setting of a “true” cyberwar is still hypothetical and luckily we have not experienced it so far, some significant cyber attacks have occurred in the last few years. It is likely that these events will happen increasingly often. As a consequence, states have to find a proper way to respond to these new security threats. To what extent should public international law deal with these “cyberthreats”? A first step is to question whether existing norms, practices and institutions are adequate to meet the eventuality of a cyberwar. Cyberthreats and International Law is a timely book that effectively presents and discusses these fundamental issues.
The book is divided into five parts: the first part, which is the longest and most complex, focuses on the conceptualization of cyber threats. As Kerschischnig makes clear from the very beginning of the book, this is not a book on cybercrime—even if it contains elements of cybercrime, and cybercrime certainly constitutes a threat in cyberspace. Indeed, the author makes an explicit choice to limit the scope of the book “to actions in cyberspace that are commissioned either by states or by individuals whose underlying intention is neither pure pleasure nor the realization of profit, but rather the furtherance of political, social, or ideological goals” (13). The book begins by presenting a short introduction to the evolution of the main characteristics of dangers in cyberspace, followed by a clear and concise overview of the relevant technical and institutional background and by a synthetic explanation of the vulnerabilities of the Internet, here conceived as a critical information infrastructure (CII). The initial three chapters certainly constitute a major strength of the book. Indeed, even if it is true that these short chapters do not deal with all the technical opportunities that can be exploited in cyberspace, they are particularly useful to give “laypersons”—such as lawyers and policy makers, who could lack knowledge of the methods and techniques behind cyber attacks—at least a basic understanding of the technicalities. The section dedicated to the actors involved in cyberspace is particularly effective in presenting, in a simple way, the complexity of the setting in which cyber threats take place. The presence of well-fitting empirical examples is also appreciable. In particular, Chapter 5 presents a series of “cyber incidents” with political background (59 ff). These examples represent the major cyber attacks as experienced so far, and allow for preliminary observations on state practices.
Furthermore, the first part of the book has the merit of paying considerable attention to the terminology used. Being a relatively new research field, labels used by scholars in identifying actors and behaviors in cyberspace are often confusing and misleading. Here, however, Kerschischnig constantly and successfully draws clear and unambiguous definitions when describing these new cyber threats.
In the following chapters, the book turns to more legal aspects and analyses. Part II, dedicated to interstate cyber threats, begins by introducing the notion of “cyberwar” (83 ff). Kerschischnig reflects on the role of cyberspace in warfare, and underlines how this differs from traditional warfare both in terms of potential dangers and actors involved. For instance, in cyberspace actors that would lack the capacity to compete on the physical battlefield could attack and produce huge damage (88). After having considered recent practices of major players in the international arena, ranging from the U.S. to the People’s Republic of China, the author concludes that an arms race is ongoing in cyberspace, albeit substantially different from the previous experience of the Cold War.
If cyberwar is nowadays a real possibility, a question arises as to whether the existing “law of armed conflict” can still be applied (102). Kerschischnig logically distinguishes between the jus ad bellum and the jus in bello rules. As concerns the applicability of the jus ad bellum (which regulates the right to wage war) and in particular the UN Charter, Kerschischnig’s idea of adopting “Schmitt’s scheme”—i.e., a set of criteria assessing the reasonably foreseen consequences of an attack (133)—seems a valuable solution to understand whether a cyberattack can be classified as “use of force” or as “other coercive measures.” Indeed, as the author points out, “cyber attacks do not fit into traditional categories,” but “they lie somewhere in between.” They have, however, to be somehow “placed within the traditional prescriptive system” until the international community adopts a clear position (132). Similarly, in considering under what circumstances a cyberattack reaches the threshold of an armed attack (and hence can justify the right of forceful self-defense), Kerschischnig effectively discusses the requirements of necessity and proportionality in the realm of cyberspace, and he retraces traditional possibilities of aggression to identify cyber attacks that could allow forceful self-defense.
On the other hand, the chapters concerning the jus in bello question whether the existing principles of international humanitarian law are still applicable in the context of cyberspace. The likelihood of civilian participation in cyberwar activities and the difficulties in attributing a cyber attack to a state render the legal reasoning particularly complicated. In this case too, the author shows how existing legal principles can be adapted by analogy to cover cyber threats and avoid a legal void. Indeed, as Kerschischnig points out, “when law confronts new phenomena, legal analysis is often based on analogy” (271).
Finally, two small and intriguing chapters are dedicated to cyber espionage in the context of national security. The chapters dedicated to the jus ad bellum and in bello certainly raise a number of interesting points. However, by drawing a continuous comparison between cyber and traditional warfare, the result is really dense and sometimes dispersive. To have a clear and concise summary of the main points and research results the reader has to wait until almost the end of the book (Part V, Chapter 23).
Part III considers instead security cyber threats caused by non-state actors when they are driven by social, political, or ideological motivations. Indeed, as the Internet can be used by marginalized or oppressed groups to enhance their possibilities of communication, it can also be exploited by extremist groups and terrorists for their causes. Also in this case, even if until now large-scale disruptions have not yet been provoked, this does not mean that cyber terrorism could not become an increasingly disturbing aspect in the international arena. However, according to Kerschischnig, existing legal instruments seem to provide sufficient coverage for potential cyber attacks, and thus states should focus on striving for the ratification of the existing counter-terrorism and cybercrime international conventions. Kerschischnig’s observations on human rights aspects and in particular on issues of censorship and surveillance in cyberspace are probably the major contribution of this third part. The peculiar characteristics of cyberspace create uncertainties in relation to data handling, to the point that “it has to be taken into consideration that some rights might change or disappear in cyberspace” (252). The need for a new normative instrument (an “Internet Bill of Rights”) is therefore sustained.
Part IV of the book considers certain procedural legal aspects of cyber threats, in particular as regards jurisdictional issues. These depend on the different ways in which states regulate cyber intrusions; sometimes criminal law becomes applicable, while other cyber criminal activities could be considered as war crimes. Even if some guidance on procedural aspects is given by the Budapest Convention on Cybercrime, this legal instrument is not sufficient to govern the international community in its entirety and for all procedural aspects.
The book’s main contribution is probably offered by Part V. After providing an effective and useful summary of the previous parts of the book, this final part offers a number of recommendations to the international community. Kerschischnig not only takes into consideration the adaptation of the existing laws, but he also explores the possibilities offered by new approaches, such as (cyber)arms control based on a Declaration of Principles as a de-escalatory instrument, or the institution of an independent international organization in the UN framework dealing with cyber threats. However, some of the speculations on possible solutions seem to go a little too far, e.g., without considering the huge negative impact for law-abiding citizens, such as in the case of an “infoblockade” (308).
Overall, Cyberthreats and International Law provides an updated and comprehensive introduction to cyberwar and cyberterrorism, without forgetting the fundamental and related issues concerning hacking and cyber espionage. For most of its chapters, the book reads like a manual, being mostly descriptive and presenting different opinions. In this sense, it is certainly useful for those wishing a general overview of the main challenges affecting security, international law, and international relations in the Internet age.
In its conclusion, the book offers guidance on the best ways to deal with cyber threats as a matter of public international law. Cyber attacks and cyber intrusions are inherently different from the forms of warfare that are regulated by the UN charter and the Geneva Conventions. Even if these legal instruments can offer a valid framework for some of the new security threats, the international community sooner or later will have to deal with the need “to address the division between the system of state sovereignty and the realities of cyberspace” (291). Thus, Kerschischnig’s book is also a valuable resource and a good basis for a genuine debate on the new possible directions in international law for scholars, practitioners, and policy makers.
Schmitt, Michael N., Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework (1999). Columbia Journal of Transnational Law, Vol. 37.
Anita Lavorgna, PhD student, School of International Studies, University of Trento (Italy)