Why Should We Worry About the Militarization of Cyberspace?

As a lawyer, and especially as one for a non-governmental international human rights group, I often encounter a good deal of skepticism from some military audiences, who perceive my “mission” as a form of “lawfare,” that is, using law as a weapon against state interests. It seemed wise to just flush this out at the start, because it is a misperception with serious consequences for a democratic society and its armed forces, just as downplaying terrorism or insurgency as a threat to human rights is a dangerous game for civil rights advocates. National security and human rights, though often in tension, are codependent in any society in which we would choose to live. Even if we understand national security as a relative, not absolute condition, it is integral to the conception of state obligation to protection of individual rights. The state cannot effectively protect rights if national security and public order are inadequately maintained; one only needs to look to the phenomenon of “failed states” or indeed, to almost any zone of conflict for illustration. 

Few dispute that national security and human rights coexist in relation, but the nature of that relationship is under constant debate. Since 9/11, the debate has been heated in counter-terrorism strategy, and well predating Edward Snowden’s revelations, it has been heated in the context of digital technology and the regulation of what we imprecisely call “cyberspace” as well. Recently, the rallying cry has been against “militarization of cyberspace,” a concern that (perhaps counter-intuitively) shows a good deal of common ground between those whose mission is to defend rights and those whose mission is to defend the nation. 

The denomination of these malicious events as cyberattacks in the sense of threats to national security, and the delegation of responsibility (and enormous resources) for preparedness, defense and reaction to military organs, is to a large degree responsible for the perception of militarization. Viewing the cyberspace as an incipient battleground has led to tremendous emphasis on both intelligence and the question of how the laws of armed conflict might apply. 

But while there is scholarly debate on what actually constitutes an “attack” in cyberterms, there is a fair amount of consensus that for the purposes of determining what triggers armed conflict or constitutes an act regulated by International Humanitarian Law (IHL), such “attacks” are only a very small subset of the most destructive malicious actions or interventions in cyberspace. A much larger set of what are casually called “attacks” involve economic damage, defacement, espionage, identity theft, reputational damage, or other consequences that are subject to ordinary peacetime law. In terms of established law, these malicious events take place either in armed conflict or its absence, and not in some new and unregulated dimension. Human rights, both through the vector of municipal and international law, apply regardless, except to the extent modified in armed conflict by the lex specialis of IHL, or the limitations or derogations permitted under various human rights laws and treaties. 

To sketch the legal territory is not to say any of the demarcations or applications are clear, or there is no need for further law. Indeed, it’s quite muddy out there, with the boundaries between a state of armed conflict and the absence of armed conflict hazy and subject to fluctuation, cyberattacks frequently transnational but with weak means of international protection and regulation, and deterrence or retribution complicated by problems of attribution. Great struggles involving states, their militaries, industry, civil society and technologists are still in progress over whose code will predominate in what situation and what standards ultimately govern the Internet. But as novel as we think “cyberspace” and its features may be, it is dangerous to conceive of it as terra nullius, an empty land where self-help is the rule. For one thing, we are living there; our communications, economies, relational networks, defense systems, culture, and our human rights are all situated in this medium on which we grow more dependent by the day. The legal landscape may be a bit foggy, a bit wild, but we should not think it is foggy in the sense of the “Fog of War”, where a margin of overreaction, miscalculation or error is accepted, or wild in the sense of the Wild West, where the gun is the law. 

To begin with, the condition of war is not the default setting of a democratic society. With good reason the law questions prolonged declarations of emergency; these are often hallmarks of the undemocratic societies or ones that have settled into permanent abrogation of rights. The absence of armed conflict is not necessarily “peaceful”– it can be full of insecurity, ongoing threats and attacks, both internal and external – but it also is not simply the pause between wars. In a democratic state, the power of response to threats and attacks in peacetime is given to authorities subject to constant public and political accountability, through oversight, rule-making and adjudication. This produces a much different mindset than a single-minded focus on military preparedness. 

The state’s deployment of force in peacetime, even in exigent situations, is highly regulated by concepts of human rights that are alien to the battlefield. It is well accepted, for example, that even in a public emergency, law enforcement officers must use force as a last resort and in a way so as to minimize damage and injury – even to the criminal suspect. Longstanding international standards for law enforcement require that lethal force only be used for the purpose of protecting life. To lawfully incapacitate someone in peacetime requires not simply capture, injury or destruction – where these acts are permitted at all – but also authority deriving from a particular law criminalizing particular intentional behavior. Then, even assuming the state has got a plausible criminal suspect in hand, that person is entitled to a presumption of innocence and can contest the state’s action and win, unless the state provides the requisite amount of proof in a fair and usually public trial before an independent judiciary with full rights of due process and defense. Given this burden, public officials in peacetime really don’t have broad license for mistake or overreaction, and consequently don’t like to operate too much in a gray zone where it could be difficult to sufficiently justify their actions and win their cases. We accept these less than optimal conditions for protection of security because we do not want to live in a police state, where our liberties would constantly be subordinated. 

Of course, the greater the apparent threat to the nation’s security, the more likely it becomes that democratic polities will loosen restraints and allow greater latitude and powers to the state, sometimes edging nearer or even sliding into the legal regime governing conflict. The recent paradigm for this is the so-called “war on terror” in the United States, which was accompanied by greatly expanded police powers, limitations on rights, and a legislative authorization for the use of military force that was interpreted expansively to enable military action far from the theatre of battle in Afghanistan, and is now being repurposed to justify intervention against the Islamic State in Syria and Iraq. It has been observed that it is easier to understand the beginning point of armed conflict than the point at which it ends, and this is true even beyond issues of direct military engagement. Once the nation is invested in armed conflict, inevitably this condition influences its peacetime institutions. A rebound effect from resort to military force can be seen in municipalities across the United States, who often employ veterans of war in law enforcement or corrections, and who receive Pentagon surplus weapons that are often unnecessary and inappropriate for keeping the peace in a civilian society. The heavy-handed approach of the police to protest in Ferguson, Missouri, had at least some roots in these practices. 

These intangible effects of the different mindset and standards of armed conflict are part of the reason why it is important to be sensitive to the nuances of terms like “attack,” a gateway term between the laws of armed conflict and peacetime law. In the sense of jus ad bellum, there has been a good deal of scholarly debate as to what type of cyberoperation would constitute an “armed attack” under Article 51 of the UN Charter sufficient to permit self-defense and override Article 2(4)’s prohibition against “the threat or use of force against the territorial integrity or political independence” of another state. Most writers point to the severity and purpose of the anticipated consequence, such as whether the cyberattack has similar effects to a kinetic attack (lives lost, planes or trains crashing). Target may also matter, such as an attack bent on disabling a state’s critical infrastructure or its military operations. Attribution of the attack to a state rather than a criminal gang (when that can be determined) may be relevant, as well as duration of the attack, and whether it is related to contemporaneous kinetic attacks. But even this rough list should demonstrate that a cyberattack justifying the use of force in national self-defense is a relatively rare event. The pervasive discourse of “cyberattack” and “cyberwar” in policy circles to refer to the whole world of malicious actions obscures this and undermines thinking on robust peacetime protections. 

Similarly, the standards of IHL that regulate state response in “attack” revolve around anticipated military advantage. Whatever this means – for it is also a contested concept – it is not the same as the objectives of law enforcement, which center squarely on the protection of human life and security (which, it must be noted, is not the same thing as the elimination of all threat). While in practical terms proportionality governs the use of force in both law enforcement and IHL situations, the difference in objectives makes for profoundly different calculations, means, methods and outcomes. 

“National security” is a similar term, pivotal in international human rights law as signaling points of limitation or derogation of certain rights. Though undefined in human rights instruments, it has been given contours through adjudication and commentary in both national and international fora. To begin with the most extreme national security case, a number of international human rights instruments allow derogation of certain rights in a declared public emergency which threatens the life of the nation. This might include some situations of armed conflict or natural catastrophe, but not necessarily all, and even then the measures taken must be strictly required by the exigency of the situation and no longer than necessary. If ordinary limitations will suffice to handle the situation, derogation is unacceptable, and in any event, many rights are non-derogable. Thus strictly limited in scope and duration, derogation is hardly the wholesale suspension of human rights law, which continues to apply even in situations of armed conflict. So the term “national security” is neither a light switch that “turns on” the military framework of IHL, nor one that automatically “turns off” human rights. 

Apart from these extreme and temporary situations, some rights may be limited in the ordinary course of events to protect national security, provided such limitation is actually necessary and no more intrusive on the right than needed to handle the threat in a democratic society. It is difficult to imagine, for example, a necessary and proportionate protection of national security requiring either suspension or restriction of privacy of correspondence on a massive scale because of endemic threats such as crime or terrorism, although targeted and temporary intrusions on privacy may be justifiable. 

To appreciate the application of this principle, it is vital to hold “national security” to the meaning it has in human rights law, rather than in political rhetoric. While not a specifically defined treaty term, it has evolved through usage by international bodies, courts and scholarship to entail protection of the state’s existence, territorial integrity or political independence from threat or use of force, as well as preservation of the state’s capacity to respond to such a threat. Courts and international interpretive bodies have rejected equating diplomatic embarrassment, threat to the current government, or economic disadvantage to a threat to national security. But right there the gap between existing law and politics is evident, as officials have defended surveillance as necessary for economic or geopolitical advantage, or for being able to search large groups – perhaps even whole countries  – for indicators of incipient radicalization apart from any specific situation, all purposes international human rights law would not recognize as necessary to protect national security. 

While many scholars complain of the difficulty of governing war by law, the project of regulating surveillance or other state cyberoperations is at least as fraught. Surveillance of individuals can be lawful, but is usually secret and even when detected or suspected, not very susceptible to challenge in court due to doctrines of standing, state secrets, deference to national security concerns, etc. When conducted on targets outside the state’s territory, it is usually illegal in the foreign state’s law, but seldom exposed or prosecuted even when detected. Freedom of information regimes, and even parliamentary inquiries, often run into the wall of secrecy too, and in the cases where surveillance orders are evaluated or approved by courts, these proceedings or decisions may be undisclosed as well. Unfortunately, invoking national security to reflexively avoid public review of surveillance hollows out the concept of legality over time. Reliance on law that has no tether to democratic accountability risks losing public trust and confidence in the legitimacy of the state’s actions and policies. This encourages on the one hand, vigilantism, as in the appeal to victims of retaliatory “hack-backs,” and on the other hand, retaliation against the state (or against companies seen as its agents or facilitators). Neither is conducive to securing genuine national security much less avoiding cyberwar or protecting human rights.

What, then, is conducive to these goals, which must also be goals for military leaders in any democratic society? In 2013, a UN group of governmental experts with China, Russia, the United States and the United Kingdom as long-standing members, managed to agree that “International law, and in particular the Charter of the United Nations, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT [Information and Communications Technology] environment.” It further concluded that “State efforts to address the security of ICTs must go hand-in-hand with respect for human rights and fundamental freedoms set forth in the Universal Declaration of Human Rights and other international instruments”. This in itself is a strong affirmation that we are neither in the Wild West nor in some foggy new dimension. Yet while there are clear landmark principles of international law to follow, there is much to be done in elaborating them and making them applicable to cyberevents. 

First, recognizing that the vast majority of malicious events in cyberspace are not “attacks” in any sense of jus ad bellum or jus in bello, we should stop talking as though they were. That means applying normal criminal law and civilian authority to their investigation, prosecution and adjudication. When the U.S. treated terrorism as “war,” even when it was unrelated to actual armed conflict, it led to grave violations of fundamental rights and legal principles, degraded the U.S.’ soft power, and created terrible precedents for the transborder use of force. One hopes that these mistakes will not be replicated in the domain of cyberspace. To that end, it is unhelpful to characterize protests, or even protests with some incidentally damaging element, such as some under the Anonymous umbrella, either as “attacks” or “terrorism” when what they amount to is essentially the cyberequivalent of defacement of property or symbolic, evanescent or nuisance-grade civil disobedience, in the tradition of chaining oneself to the gates of the nuclear plant. 

Similarly, when considering cybercrime, it is important to apply normal principles of law and not use the term “national security” as a trump to human rights interests. Not every conceivable threat to an interest of the state or its government of the day implicates national security. Publishers who reveal the leaks of whistleblowers may embarrass a government or make its diplomacy more complicated, but without tangible evidence that they have damaged the territorial integrity, political independence or defense capability of a state, their rights and the rights of their readers should not be abridged. Where whistleblowers reveal secrets, the actual damage to national security, in the sense that human rights law gives that term, should be put in the balance against the considerable interest in speech and the public’s right to know of official wrongdoing, an aspect of access to information that is in some situations termed “the right to truth.” Even where national security is plainly under threat, that fact must not short-circuit public, legislative and judicial review of preventative measures that compromise rights. There is already an evolving body of cybercrime law that addresses a wide array of public interests. While not all emerging cybercrime laws are well-considered or balanced in terms of rights protection, in democratic societies they are generally subject to the normal legal and political processes that test framing, interpretation and application, and this testing process is best when it fully engages the public and civil society.

With respect to ensuring that a peacetime framework governs most state actions relating to national security in cyberspace, it is critical to consider the separation of military and civilian direction of cyberpolicy at the national level. Indeed, at the close of 2013, the Review Group on Intelligence and Communications Technology recommended to President Obama the appointment of a civilian head of the National Security Agency, but the White House declined to adopt the view of its own hand-picked advisors. While there is no doubt that coordination is needed between civilian and military agencies of government in the area of intelligence as well as territorial security and defense, there are important reasons why these functions are separate in most democracies. It is unhealthy for the military to serve a political agenda rather than a nation. Civilian agencies, in contrast, are headed by political appointees and responsible for implementing policies and laws created by politically accountable officials. It’s not bad that the NSA has created a senior risk assessment position to “look at the big picture”, but when the functions of signals intelligence gathering and offensive cyberoperations share a roof with a mission to defend critical infrastructure, there are bound to be conflicts of interest that one or two positions, however senior, will find difficult to reconcile. This is the sort of issue that requires broad government engagement, and not just in one or more executive departments. 

The conflation of military and civilian authority in some countries mirrors the entanglement of civilian and military infrastructure in cyberspace. The reliance of military cyberoperations on civilian infrastructure and civilian companies has troubling implications for the principle of distinction in the event of armed conflict. U.S. multinational companies that long avoided locating customer data in countries known for human rights violations now face increasing pressure to localize because of the U.S. government’s invasion of such data, with and without these companies knowledge. Without shared protocols and commitment to protect rather than exploit civilian infrastructure, we can expect that such infrastructure will become a fair target; a predicament that in turn feeds militarization of approach to cyberthreats. International action is needed, both to segregate critical civilian infrastructure and mark it in ways that create strong presumptions of illegality of attack. This sort of segregation and marking may be difficult, and may always be imperfect and incomplete, but without efforts and experiments in feasibility, the principle of distinction will be extremely difficult to implement in cyberspace.

The dangerous game of trying to find a gray zone without rules is being played out with the question of whether civilian data is a protected object under the laws of war. The Tallinn Manual, a comprehensive study of the application of international humanitarian law applied to cyberwar, recognizes cyberinfrastructure and hardware as potentially a civilian object, but denies that status to data and code, under the rational that it is intangible. This conclusion, which rests on an old commentary of the International Committee of the Red Cross (ICRC) parsing the analogue world of military objectives as visible, tangible “objects,” would render the deliberate targeting of civilian databanks as outside IHL unless it affected some physical computer system as well. So you could not target a civilian data bank were it written on paper, but you could aim to destroy it if it were written in code. Various commentators have noted this is hardly a plain or intuitive reading of the law as applied to a new means of war, and it is squarely at odds with the purpose of IHL to protect civilians from the effects of armed conflict. The dangers of enabling no-holds barred attack on civilian data should be obvious, and of deep concern to everyone. 

Finally, the feasibility of arms control should be firmly brought onto the international agenda in all its dimensions, including verification and confidence building measures. This has already begun with discussions of the need to regulate particularly dangerous surveillance technology being sold to highly abusive governments by European firms. The European Commission, in a report this April to the European Council and Parliament, recognized “the emergence of specific ‘cybertools’ for mass surveillance, monitoring, tracking and interception” and noted “cyber-proliferation” as an important dimension of export controls. The issue is also coming to the attention of national governments, particularly as remote interception products made by Western companies such as Gamma Group and Hacking Team turn up in countries with a solid record of repression, being deployed against “threats” such as human rights activists and political protestors. 

There are already many discussions on such topics, but most exclude civil society apart from the occasional academic or the ICRC. Experts on cybersecurity such as Ronald   Deibert have called for “civil networks to be players in rule-making forums,” a mandate he puts into creative practice at gatherings of policy makers, technical experts, academics and activists. Multistakeholder engagement including technicians, corporations, and academics is becoming more accepted as a mode in many areas of cyberpolicy but in matters of cybersecurity, the vital role of human rights experts who can speak to both war and peacetime contexts is sometimes overlooked. This is a critical dimension of the international law governing cyberspace, and the ethical considerations that democratic societies employ to define themselves and defend their security. Partnership between the military and the human rights movement, both experts in human security, is essential to preventing cyberspace from becoming a prospective battlefield and keeping it a realm of democratic society. 

The author would like to thank Camille Francois, Cynthia Wong and Eileen Donahoe for their insights and suggestions; errors, however, are her own.