First talk at #enigma2021 is coming up in just a moment: @scottjshapiro speaking about "IS CYBER WAR LEGAL: A FOUR HUNDRED YEAR RETROSPECTIVE".
Don't worry, it's a 20-minute talk, not 400 years. 😅
usenix.org/conference/eni…
Don't worry, it's a 20-minute talk, not 400 years. 😅
usenix.org/conference/eni…
Imagine you log into Twitter one morning and see that the Pentagon's network was taken down, chlorine gas is being released, NYC stock exchange is taken down, and then the electric grid is taken down... by Iran by cyber-attacks in retaliation for sanctions.
Would this be legal?
Would this be legal?
It would be illegal for Iran to bomb is. Chemical warfare is illegal.
Did the outlawing of kinetic war outlaw cyber-law or not, thought?
Did the outlawing of kinetic war outlaw cyber-law or not, thought?
Survey of the right to war:
"Old order": 1625-1928
Starts with Grotius: it's a legit tool of statecraft, not just to resist invasion. It's fine for any conflict: to collect debts, protect freedom of the seas, punish crimes, disputes about lines of descent and more
"Old order": 1625-1928
Starts with Grotius: it's a legit tool of statecraft, not just to resist invasion. It's fine for any conflict: to collect debts, protect freedom of the seas, punish crimes, disputes about lines of descent and more
In effect, war was legal and like going to court: if you have a disagreement you can go fight about it.
Legal right of conquest: if a state could use war to right wrongs, then they could keep what they conquered, otherwise what was the point?
Legal right of conquest: if a state could use war to right wrongs, then they could keep what they conquered, otherwise what was the point?
For example, the US conquered a whole chunk of Mexico "because" Mexico owed them $4 million.
That was considered just fine, as odd as that seems now.
That was considered just fine, as odd as that seems now.
No economic sanctions allowed. If states are allowed to go to war to do things like collect on debts, that system isn't compatible with economic sanctions.
For example, when France and England went to war, the US had to figure out (a la Hamilton cabinet battle #2) whether economic sanctions would be like declaring war.
This all changed in 1928: Kellogg-Briand pact outlaws war
No more going to war for anything other than repelling attacks and invasion. No more using war to resolve disputes.
No more going to war for anything other than repelling attacks and invasion. No more using war to resolve disputes.
This outlawing of war is in the UN charter, in article 2(4): All members shall refrain from use of force
Outlawing war dramatically changed it. It affected how all the other legal rights were treated.
Conquest example: when Japan invaded Manchuria, basically no one would recognize it because in the new world order there was no legal right of conquest.
Economic sanctions: used to be illegal, but now a main way to handle disputes between states.
How about cyber war? Is it more like kinetic war (which is illegal) or like economic sanctions (which is legal).
Well, why is kinetic war illegal:
1. It's really violent
2. It's the active harming of one state by another
1. It's really violent
2. It's the active harming of one state by another
Economic sanctions are legal because:
1. It's not violent
2. It's passive harming: just refusing to cooperate
1. It's not violent
2. It's passive harming: just refusing to cooperate
So we can put these together like this: 
How do cyber attacks fit in? Well, we can see that they're so hard to categorize because they don't fit in any one cell of the matrix.
Some cyber attacks are violent and active like kinetic war, like blowing up power plants.
How about setting up a giant firewall and blocking internet traffic from Iran? This is a passive refusal to cooperate, like economic sanctions.
How about setting up a giant firewall and blocking internet traffic from Iran? This is a passive refusal to cooperate, like economic sanctions.
But cyber attacks fit in all four boxes.
Some cyber attacks are active, some passive. Some are non-violent, some violent.
Some cyber attacks are active, some passive. Some are non-violent, some violent.
Dangit my browser crashed; I lost some in here.
So the boxes which are active/violent and passive/non-violent we know what to do with. What about the other boxes?
So the boxes which are active/violent and passive/non-violent we know what to do with. What about the other boxes?
@scottjshapiro proposes making "cyber clubs" to enforce the rules in those other boxes, e.g. slowing down or reducing or cutting off access to folks who don't follow the rules (e.g. about letting other people use your networks for Nefarious Purposes).
Also thanks to Prof Oona Hathaway, coauthor on the book The Internationalists.
Q: How does espionage fit into this framework, especially as a route in for spying gives you the ability to mess with things? [paraphrased]
A: Cyber things is so fascinating because it can be crime, espionage, or acts of war. Legality is based on the purpose of the act.
A: Cyber things is so fascinating because it can be crime, espionage, or acts of war. Legality is based on the purpose of the act.
Q: Should corporate espionage be considered an act of war? There's not usually just a loss of data or tools, but a massive loss of money, which hurts the economy, which is necessary for a country?
A: Look back at US/China agreement: US took the position that it was illegal.
A: Look back at US/China agreement: US took the position that it was illegal.
[cont] Whether you think economic espionage is illegal depends on your economic system. If your industries are built up in a way that they're tied into the state, then there isn't going to be so much of a difference.
With the Trump trade war it got mixed up again
With the Trump trade war it got mixed up again
If states cannot figure out how to deal with it, then different clubs should be formed. Very against hacking back by companies. Hacking back is the kind of behaviour is the kind of behaviour that the world decided not to engage in.
Q: What if the actor in a cyber-war can't be identified?
A: Attribution is a key question. I think the real problem is that states don't want to admit they know who do what.
[My note: THIS IS VERY HARD. REALLY.]
A: Attribution is a key question. I think the real problem is that states don't want to admit they know who do what.
[My note: THIS IS VERY HARD. REALLY.]
Q: Is attribution something clubs could provide their members?
A: One of the great victories of law was the ozone layer, effectively a club for CFC supply/manufacturing to see if states are cheating.
[end of talk]
A: One of the great victories of law was the ozone layer, effectively a club for CFC supply/manufacturing to see if states are cheating.
[end of talk]
• • •
Missing some Tweet in this thread? You can try to
force a refresh
