Conflict in Cyberspace and International Law

Abstract

In this dissertation, through four separately published articles, I address several contentious questions with regard to offensive cyberspace capabilities and the role of international law in the digital era. Offensive cyberspace capabilities, which for clarity purposes I refer to as “cyberattacks,” are operations in cyberspace that target the confidentiality, integrity, and availability (colloquially known as the CIA triad) of information technology systems.1 Throughout these four articles, I explore contemporary international law as it applies to cyber conflict. I argue interntional law, at present, is not always well-suited to fully address the full breadth of challenges presented by the increasing use of cyber-attacks by states. Moreover, cyber-attacks are not used exclusively by states. For example, civilians and certain organized groups are finding this domain appealing for achieving their ends. In Doxfare, I challenge the prevalent view that the prohibition on intervention, in order to be triggered, should be accompanied with a coercive act. The context of this paper is the 2016 U.S. election interference, allegedly orchestrated by the Russian government, carried out primarily through cyberspace. This interference, in the form of hacking the Democratic National Committee and John Podesta’s e-mail accounts, as well as publishing these e-mails through WikiLeaks (“doxing”), challenges the very basic notions of wrongful interference under contemporary international law. The crux of the difficulty is in international law’s inability in delegitimizing transnational hacking for political purposes, because these acts are often non-coercive, a constitutive element of the norm on non-intervention. This paper argues, that in order to address transnational election interferences, international law should adapt by redefining the boundaries of the norm on non-intervention, given that interventions could be in the form of non-coercive hacking and doxing. World Wide Web provides a new theory to address cyber espionage through international law. Traditionally, while most domestic legal systems make foreign espionage illegal, international law does not explicitly prohibit inter-state espionage, neither does it condemn this well-established practice. This article argues that changes in surveillance technology enable some serious threats to international peace and security, and should therefore be treated in a more nuanced manner under international law – that is, an evaluation of the nature of espionage, the data collected, and the possible nature of future use of that data. This approach rejects the blanket legitimization of espionage provided by international law, considering how cyber espionage could potentially threaten human rights, such as the right to privacy.2 Virtual Violence considers the extent to which international humanitarian law protects civilians, in an armed conflict, from cyber-attacks that are not kinetic in nature. Intuitively, direct effects resulting from cyber-attacks may vary from minor inconvenience, to disruption and interruption, and more rarely – to kinetic effects. Translating into the international humanitarian law taxonomy – whether disruptive cyber-attacks qualify as “attacks,” therefore requiring that the adversary using them comply with the rules on conduct of hostilities – distinction, military necessity, proportionality, and humanity.3 By analyzing current cases of disruptive cyber-attacks the article argues that scope of “attacks” should be adapted to afford better civilian protection from serious disruptive effects caused by cyber-attacks. In Hacktivites, I argue that the concept of direct participation in hostilities (DPH) does not consider the full breadth of cyber activities that civilians could be engaged in, potentially externalizing these civilians to being classified as civilians who directly participate in hostilities, thus losing their protected status under international humanitarian law. Such classification could mean the difference between life and death – since civilians who have taken arms and joined the hostilities are forfeiting their protection from direct attacks. Junaid Hussein, an ISIS-affiliated hacker, was the first known case of a civilian who was targeted with lethal force, in relation to his allegedly hostile cyberspace activities – including the spread of personal information about U.S. soldiers in active duty. This raises a host of questions about how the DPH’s framework constitutive elements apply in cyberspace, for example – threshold of harm. The paper concludes that there is no uniform interpretation of the DPH framework (comparing U.S., ICRC, and the Tallinn Manual), and that most of these interpretations, when applied to cyber-attacks, adopt overly broad views on what constitutes direct participation in hacktivities. I have also contributed some of my findings on specialized media platforms – such as Just Security and Wired. These op-eds are also part of my dissertation, as they demonstrate my research endeavors in a more informal context. They also illustrate my approach to legal scholarship, that outsourcing it to the broader public in a more manageable and succinct manner.