Research Handbook on International Law and Cyberspace
Editors: Nicholas Tsagourias and Russell Buchan
Publisher: Cheltenham, UK; Northampton, MA: Edward Elgar Publishing, 2015. 552p.
Reviewer: Peter Grabosky | May 2016
A quarter of a century ago, it had already become trite to suggest that cyberspace knew no boundaries. Subsequent developments have hardly challenged this assertion. Recent years have seen a wide variety of questionable cross-border digital activities by a diverse range of actors. In 2000, a 15- year-old Canadian boy engineered denial of service attacks against major e-retailers in the United States. A succession of transnational child pornography rings continue to exchange images of abused children. Thriving online markets facilitate international trade in malicious software and credit card details. Sophisticated criminal gangs operating from the other side of the globe have engaged in fraud against financial institutions and their customers. U.S. and Israeli security services have disrupted Iranian nuclear enrichment operations. In retaliation, Iranian hackers have attacked financial institutions and have allegedly infiltrated the control system of a small dam near New York City. Officers of the People’s Liberation Army have engaged in global economic espionage. Russian “patriotic hackers” have degraded communications and information systems in Estonia and elsewhere. One could go on.
Activities such as these raise a spate of difficult issues. First and foremost is that of attribution ̵̶ determining the identity and location of the offender. This may require the assistance of authorities in the jurisdiction from which the offending conduct appears to have been initiated. Suffice it to say that the requisite cooperation is not always forthcoming. Indeed, states themselves may be the source of the problem, rather than any solution. In the absence of such cooperation, does the jurisdiction against which the offending activity was targeted have any recourse?
Another interesting question involves the role of non-state actors in international conflict, whether on the ground or in cyberspace. At one extreme, offenders may be thinly-veiled agents of a state, operating under contractual or quasi-contractual arrangements. Alternatively, they could be semi-independent, operating with tacit encouragement or implicit condonation on the part of state authorities. Or, they could be “rogue” operators acting without the direction or even the knowledge of authorities in the jurisdiction in which they are physically situated. Governments may be held responsible under international law for activities that are within their control. In other words, they are required to exercise “due diligence,” which may entail the creation of an adequate legal framework of substantive criminal law and procedural law, a degree of vigilance in enforcing cybercrime law, the prosecution of domestic offenders, and the rendering of assistance to foreign victims of cyber-offences originating from within one’s jurisdiction.
But how does one determine with certainty what activities are within the knowledge and capacities of a government, and those which are not? Some governments lamely attribute responsibility for cyber attacks to “criminal” groups beyond state control. This is hardly a convincing excuse when proffered by states such as Russia, China and North Korea, who have demonstrated their capacity to pursue those cyber activities which they see as a security threat. Deniability is not always plausible.
Today, a number of states are investing significantly in the militarization of cyberspace technology. The United States Cyber Command is prepared to conduct “full spectrum military cyberspace operations.” Scores of other nations have also turned their attentions to the prospect of cyber warfare, and to the allure of enhancing their offensive and their defensive capabilities.
At what point does a cyber-attack by a state or a state proxy constitute the use of force? At what point may the use of force be regarded as an act of war? What is the appropriate response to a cyber attack: in-kind retaliation or the application of conventional military force? Is there a point beyond which retaliatory force becomes excessive? How does one discriminate between military and civilian populations? Are the structures and principles governing “conventional” cross-border criminality, and the use of force in terrestrial international conflict, sufficient to accommodate cyberspace analogues?
One quite appropriately turns to terrestrial analogues to address some of the above questions. There remains, however, a gap between international law and international practice. Nations have gone to war based on evidence that was misinterpreted, if not fabricated. The alleged presence of weapons of mass destruction in Saddam Hussein’s Iraq, and the second “attack” against US naval forces by North Vietnamese patrol craft in the Gulf of Tonkin in 1964 are but two examples. In the post 9/11 era where US hegemony is being challenged by China, Russia, and various Islamic militant groups, the potential for miscalculation, and indeed, for misinformation, is real. The tendency to define certain undesirable conduct on the part of an adversary as an “act of war” is not always consistent with international law. Consider the suggestion by the North Korean Government that the release of the film The Intercept would constitute acasus belli.
One notes that President Obama, in a Presidential Decision Directive, insisted that offensive cyber operations minimize collateral damage. This is gratifying to learn. Rather less gratifying is the fact that we the public are indebted to Edward Snowden for this information, rather than to the normal processes of transparency and consultation that should prevail in a democratic society.
The escape of Stuxnet, the popular name given to the software that supported the attack on Iranian nuclear facilities, placed an extremely sophisticated set of malware in the public domain. The malware is now available to state and non-state actors around the world for whatever purposes they see fit. Whether Stuxnet technology will be further exploited for illicit purposes remains uncertain. Fortunately, IT security professionals, now familiar with this malware, have developed countermeasures. Unfortunately, when virtuous states embrace and then act upon the idea that the end justifies the means, it inspires the less virtuous.
Description of the book
As one might expect of a handbook, this is a large volume. Its 552 pages are divided into five parts, including a total of twenty-two chapters. The twenty-six contributors, mostly affiliated with European institutions, come from nine countries, primarily Great Britain, Australia and the Netherlands.
Part I deals with general principles of international law. Some of the chapters are indeed general, addressing such issues as sovereignty, jurisdiction and state responsibility. Others have a more specific substantive focus, such as intellectual property, and human rights.
Part II looks at cyber threats and international law, and covers such topics as cyber terrorism and cyber espionage.
Part III addresses jus ad bellum, justifications to engage in war. It discusses cyberoperations and the use of force, as well as the use of force in self-defence.
Part IV, devoted to jus in bello, discusses the boundaries of acceptable conduct in wartime. Issues canvassed include the classification of cyber warfare and the distinctive ethical challenges posed by the use of cyber weapons. It also covers the law of neutrality, and the applications of international humanitarian law to cyber warfare.
Part V surveys regional and international approaches to cyber security, focusing on the efforts of the European Union, NATO, the United Nations, and Southeast Asian bodies such as the Association of Southeast Asian Nations (ASEAN), and the Asia-Pacific Economic Cooperation (APEC) forum.
Overall, the Handbook will appeal to national security professionals, advanced law students, and to international lawyers more generally. The volume is rich in references, as a handbook should be. Among criminologists, it merits the attention of those interested in transnational crime, cybercrime, and state crime. Trans-national cybercrime specialists would be attracted to the chapters relating to jurisdiction and to regional cooperation efforts. However, one might have preferred more discussion of issues relating to remote cross-border searches, mutual assistance and extradition. Those who study state crime will find the chapter on state responsibility to be informative.
Two decades ago there was a spirited debate on whether existing criminal laws were adequate to deal with offences committed using digital technology. After all, an extortion threat is an extortion threat, whether it is conveyed in a letter or by means of an email. The creation and dissemination of digital viruses, however, was another matter. To be on the safe side, many jurisdictions drafted volumes of legislation explicitly for the digital age.
The emergence of offensive cyber-operations has raised similar questions. Is the current law of warfare adequate to manage cyber hostilities? Do we need the digital equivalent of a Geneva Convention or Nuclear Test Ban Treaty? Are there transnational cybercrimes that might be referred to the International criminal court, or a comparable tribunal? Some commentators think not, but others, protective of their sovereignty and wishing to appear active, or prominent, or indeed, dominant in the cybersecurity space, will press for such initiatives.
As is the case with terrestrial conflict, the potential risk of collateral damage looms large in offensive cyber operations. It has been reported that President Obama, in authorising the cyber attack on Iranian nuclear facilities, sought reassurances that it would not disable unrelated systems such as those supporting the operations of hospitals. The Handbook’s chapter on ethical challenges of cyberweapons suggests that in the absence of a state of war, actors responsible for collateral damage should be liable for the cost of diagnosis and remediation. The author notes that Stuxnet appears to have been “primarily an Israeli operation,” and concludes that “since much initial analysis of Stuxnet was done in Russia, …. Israel owes Russia a significant sum.” These assertions might benefit from further scrutiny. It has been suggested, for example, that the United States was deeply implicated in the operation, and that the skills of Russian IT specialists received global recognition and valuable publicity as a result of their diagnostic achievements.
The contributions are generally well written and well edited, although one chapter contains a sentence embracing 90 words. Elsewhere, one notes the unfortunate misspellings of Ehud Olmet (sic: should be Olmert), Petrobas (sic: should be Petrobras) and colleting (sic: should be “collecting”). The chapter on cyberespionage asserts that Edward Snowden’s disclosures were made through Wikileaks, when in fact they were made directly to journalists. (Wikileaks did assist Snowden in his travel to Russia, and in rallying support for his cause.)
One other aspect of the book bears mention. The price would appear somewhat prohibitive to a prospective consumer with but a casual interest in the subject matter: US$255 from Amazon.com; GBP£160 from the publisher.
International lawyers and cybersecurity specialists will find this a useful collection of timely analyses. The Handbook thus complements the Tallinn Manual on the International Law applicable to Cyber Warfare, and is a useful port of call for those preparing themselves for 21st century conflict. There seems little doubt that the problems identified in the volume are likely to remain on the public agenda and indeed, to intensify, in the months ahead.
Peter Grabosky, Professor Emeritus, Australian National University