Conflict in Cyberspace and International Law Ido Kilovaty a Thesis Submitted in Partial Fulfillment of the Requirements For

Conflict in Cyberspace and International Law Ido Kilovaty a Thesis Submitted in Partial Fulfillment of the Requirements For

Conflict in Cyberspace and International Law Ido Kilovaty A thesis submitted in partial fulfillment of the requirements for the degree of Doctor of Juridical Science (S.J.D.) at the Georgetown University Law Center 2017 1 Published as: Law journal publications Doxfare – Election Hacking as Prohibited Intervention 9 HARVARD NATIONAL SECURITY JOURNAL (Forthcoming Fall 2017) World Wide Web of Exploitations: The Case of Peacetime Cyber Espionage Operations Under International Law: Towards a Contextual Approach 18 COLUMBIA SCIENCE AND TECHNOLOGY LAW REVIEW 42 (2017) Virtual Violence – Disruptive Cyberspace Operations as "Attacks" under International Humanitarian Law 22 MICHIGAN TELECOMMUNICATION AND TECHNOLOGY LAW REVIEW 113 (2017) ICRC, NATO and the U.S. – Direct Participation in “Hacktivities” – Targeting Private Contractors in Cyberspace under the Law of Armed Conflict 15 DUKE LAW AND TECHNOLOGY REVIEW 1 (2016) Op-eds Want to Keep Hackers Out of Gadgets? Try International Law WIRED.COM (February 7, 2017). Violence in Cyberspace: Are Disruptive Cyberspace Operations Legal under International Humanitarian Law? JUST SECURITY (March 3, 2017). The Democratic National Committee Hack: Information as Interference JUST SECURITY (August 1, 2016). Will “Cyber Bonds” Mitigate Transnational Cyberspace Threats? JUST SECURITY (June 15, 2016). 2 ABSTRACT Conflict in Cyberspace and International Law Ido Kilovaty In this dissertation, through four separately published articles, I address several contentious questions with regard to offensive cyberspace capabilities and the role of international law in the digital era. Offensive cyberspace capabilities, which for clarity purposes I refer to as “cyber- attacks,” are operations in cyberspace that target the confidentiality, integrity, and availability (colloquially known as the CIA triad) of information technology systems.1 Throughout these four articles, I explore contemporary international law as it applies to cyber conflict. I argue interntional law, at present, is not always well-suited to fully address the full breadth of challenges presented by the increasing use of cyber-attacks by states. Moreover, cyber-attacks are not used exclusively by states. For example, civilians and certain organized groups are finding this domain appealing for achieving their ends. In Doxfare, I challenge the prevalent view that the prohibition on intervention, in order to be triggered, should be accompanied with a coercive act. The context of this paper is the 2016 U.S. election interference, allegedly orchestrated by the Russian government, carried out primarily through cyberspace. This interference, in the form of hacking the Democratic National Committee and John Podesta’s e-mail accounts, as well as publishing these e-mails through WikiLeaks (“doxing”), challenges the very basic notions of wrongful interference under contemporary international law. The crux of the difficulty is in international law’s inability in delegitimizing transnational hacking for political purposes, because these acts are often non-coercive, a 1 Mike Gault, The CIA Secret to Cybersecurity That No One Seems to Get, WIRED (Dec. 20, 2015), https://www.wired.com/2015/12/the-cia-secret-to-cybersecurity-that-no-one-seems-to-get. 3 constitutive element of the norm on non-intervention. This paper argues, that in order to address transnational election interferences, international law should adapt by redefining the boundaries of the norm on non-intervention, given that interventions could be in the form of non-coercive hacking and doxing. World Wide Web provides a new theory to address cyber espionage through international law. Traditionally, while most domestic legal systems make foreign espionage illegal, international law does not explicitly prohibit inter-state espionage, neither does it condemn this well-established practice. This article argues that changes in surveillance technology enable some serious threats to international peace and security, and should therefore be treated in a more nuanced manner under international law – that is, an evaluation of the nature of espionage, the data collected, and the possible nature of future use of that data. This approach rejects the blanket legitimization of espionage provided by international law, considering how cyber espionage could potentially threaten human rights, such as the right to privacy.2 Virtual Violence considers the extent to which international humanitarian law protects civilians, in an armed conflict, from cyber-attacks that are not kinetic in nature. Intuitively, direct effects resulting from cyber-attacks may vary from minor inconvenience, to disruption and interruption, and more rarely – to kinetic effects. Translating into the international humanitarian law taxonomy – whether disruptive cyber-attacks qualify as “attacks,” therefore requiring that the adversary using them comply with the rules on conduct of hostilities – distinction, military necessity, proportionality, and humanity.3 By analyzing current cases of disruptive cyber-attacks, 2 See Art. 17 of the International Covenant on Civil and Political Rights (ICCPR). 3 G.A. Rep. of the Group of Governmental Experts on Developments in the Field of Information and Telecommunication in the Context of International Security, 2, U.N. Doc. A/ 70/150, para. 28(d) (July 22, 2015); Also 4 the article argues that scope of “attacks” should be adapted to afford better civilian protection from serious disruptive effects caused by cyber-attacks. In Hacktivites, I argue that the concept of direct participation in hostilities (DPH) does not consider the full breadth of cyber activities that civilians could be engaged in, potentially externalizing these civilians to being classified as civilians who directly participate in hostilities, thus losing their protected status under international humanitarian law. Such classification could mean the difference between life and death – since civilians who have taken arms and joined the hostilities are forfeiting their protection from direct attacks. Junaid Hussein, an ISIS-affiliated hacker, was the first known case of a civilian who was targeted with lethal force, in relation to his allegedly hostile cyberspace activities – including the spread of personal information about U.S. soldiers in active duty. This raises a host of questions about how the DPH’s framework constitutive elements apply in cyberspace, for example – threshold of harm. The paper concludes that there is no uniform interpretation of the DPH framework (comparing U.S., ICRC, and the Tallinn Manual), and that most of these interpretations, when applied to cyber-attacks, adopt overly broad views on what constitutes direct participation in hacktivities. I have also contributed some of my findings on specialized media platforms – such as Just Security and Wired. These op-eds are also part of my dissertation, as they demonstrate my research endeavors in a more informal context. They also illustrate my approach to legal scholarship, that outsourcing it to the broader public in a more manageable and succinct manner. see Ido Kilovaty, Virtual Violence – Disruptive Cyberspace Operations as "Attacks" under International Humanitarian Law, 22 MICH. TELECOMM. & TECH. L. REV. 113, 116 (2017). 5 Table of Contents I. Introduction page 7 II. Doxfare – Election Hacking as Prohibited Intervention page 13 III. World Wide Web of Exploitations page 59 IV. Virtual Violence page 96 V. Hacktivities page 132 VI. Op-eds page 170 6 I. Introduction While the advent of the Internet has contributed enormously to the communication between people, access to knowledge, and economic and business growth, it has also created a plethora of threats to individual security, privacy, and infrastructure. To the phenomenon enabling these threats I refer collectively as “cyber conflict.” Cyber conflict is often named the fifth domain of warfare,4 and it is constantly reshaping the way States wage conflict, in addition to how diplomacy and global affairs take place in the 21st century. Cyberspace transcends political borders, it is readily available to a wide audience, and has the potential of causing enormous harms if used in certain malicious ways. That leads to a critical question – is international law ready to meet these challenges? Many argue that cyber-attacks, and perhaps even cyber conflict, present no new challenges to international law, and that international law is sufficiently complete to apply by analogy to new weapons and technologies.5 According to this view, international law is a seamless legal system, adaptable to changes in the realities of the battlefield. This approach, however, ignores several important questions. For example, how does international law respond to the growing capability of non-state actors to cause enormous harm through cyberspace? How does the principle of distinction apply to civilians who participate in a range of hostile cyberspace activities – ranging from online hacktivism to kinetic cyber-attacks? Is cyber espionage more harmful than traditional espionage, and if so, should it be delegitimized? Does international humanitarian law regulate disruptive operations, similar to its regulation of destructive operations (“attacks”)? And, whether 4 War in the Fifth Domain, ECONOMIST (July 1, 2010), http://www.economist.com/node/16478792. 5 See Duncan Hollis, Re-Thinking the Boundaries of Law in Cyberspace 127, 146 in OHLIN, GOVERN, FINKELSTEIN, CYBER WAR: LAW AND ETHICS FOR VIRTUAL CONFLICTS (2015). 7 the principle of non-intervention

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    181 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us