This is the second DSEi of the post-Stuxnet era, and the amount of space devoted to cybersecurity at this year’s edition of the London defense show is greater than ever.
But the so-called “fifth domain” of warfare is conspicuous by its absence: nobody wants to talk about offensive cyber-capabilities. Perhaps contractors and their nation-state customers are keen to preserve a perceived tactical advantage, and have no wish to disclose even the most loosely defined parameters of any tactical cyberwarfare capability. Or could it be that everyone is still uncertain of the legal position?
“I would not presume to speak about the capabilities that governments have or don’t have, or their motivations for making them public for the purpose of deterrence or keeping them secret for the purpose of surprising the enemy,” says Tom Wingfield, a former U.S. Navy intelligence officer who deployed to Afghanistan as a civilian rule-of-law advisor to Army Gen. (ret.) Stanley McChrystal’s Counterinsurgency Advisory and Assistance Team in 2009-10 and is currently a professor of International Law at the George C. Marshall European Center for Security Studies in Garmisch-Partenkirchen, Germany. “But one thing as a lawyer I know is that there’s broad agreement on the law that applies to cyberoperations,” he says.
In 2009, Wingfield was part of a multinational, 20-strong team of legal experts who began work on a project attempting to apply international laws of armed conflict to the cyberdomain, under the auspices of NATO’s Co-operative Cyber Defense Centre of Excellence in Tallinn. The results were published in April by the Cambridge University Press as the Tallinn Manual on the International Law as Applicable to Cyber Warfare.
The manual broadly views cyberattacks through the prism of their real-world effects. A botnet taking down a national government’s home page is not cyberwarfare, just a nuisance. Nut a targeted cyberweapon that causes a nuclear power station to explode is equivalent to an armed attack.
“Although we haven’t seen a cyberattack at that level yet, no serious expert thinks it will never happen,” says Wingfield. “And most serious experts fear that it may happen in the shorter term rather than decades from now.”
The manual’s authors conclude that a state would be acting entirely within international law if it responded to such an attack kinetically, as long as the response was proportionate and the attacker had been correctly identified.
“There was remarkably little disagreement,” says Wingfield. “This idea that cyber is a new battlefield and we need new law, we need new treaties, new text books to cover it -- I just don’t see that. I know that’s the Russian position, I know the Chinese believe that, but I’m with the majority of the rest of the world on that. The fundamental principles -- of distinction, of unnecessary suffering, of proportionality; there’s even a principle called chivalry, believe it or not, that almost every country in the world subscribes to. These general principles can be re-oriented to sea, to air, to outer space, and now to cyberspace, with no real problem. Now: applying them in specific cases is going to be brain surgery -- that will be very difficult, and there will be disagreements, even among close allies.”
Reactions have varied. While the U.S. State Department has said that, barring a couple of points of divergence, U.S. cyberdefense policy is largely in accord with the Tallinn Manual’s conclusions, other nations have not been quite as enthusiastic.
“It’s been contentious,” Wingfield says, emphasising that he is speaking for himself, not for any government or nation.
The Russians objected to the idea that the manual applies to all cyberoperations, he says, adding that is a misunderstanding. The rules aim to establish rules for lethal force in cyberspace, but those do not necessarily govern gambling, spying or larceny.
The devil, of course, will remain in the details. While it is clear that many of the kinds of attacks experienced by individuals, companies and governments, in which intellectual property or sensitive/secret information is stolen, destroyed, traded or published, do not constitute a use of lethal force, it is possible that some forms of digital espionage may turn into efforts to prepare the battlefield. An adversary may begin probing a target nation’s critical infrastructure to find information, but then discover an exploitable weakness that could later be used to cause that power station to explode. At what point does the line get crossed?