Despite years of negotiations, countries have been unable to agree on what kind of cyber hacking activities violate international law, one of the world’s leading cyber-warfare law experts told The Jerusalem Post during his current visit to Israel.
Michael Schmitt is not only the lead author of the Tallinn Manuals, the most influential international treatises on cyber law, but also a former senior US Air Force lawyer and currently a professor at the US Naval War College as well as at the University of Exeter in England.
Alongside his participation on Sunday at a closed cyber conference at Hebrew University, Schmitt spoke to the Post about the frustrations and future possibilities that exist in trying to develop global cyber warfare norms in order to mitigate the nearly unlimited risks.
Schmitt had already authored articles in recent months about his disappointment that Russia, China and Cuba wrecked a years-long multinational effort to achieve a global cyber agreement that would have banned certain kinds of cyber hacking.
Since 2004, the UN Group of Governmental Experts on cybersecurity had made “slow, yet meaningful progress in developing state consensus regarding applying international law to cyberspace,” said Schmitt.
Yet, on June 23, the process collapsed.
Explaining the breakdown, he said, “Certain states, certainly Russia, like a lack of certainty. It gives them room to maneuver.”
He said, “Russia’s assertions about their cyber activity’s legality are ridiculous, but they do want to be perceived as complying with applicable laws or they know there will be consequences which can impact their position in the international community.” They therefore would want to oppose an agreement on formal cyber limits.
Furthermore, he said, “China maybe opposed a big cyber treaty so that it can exert greater control over its people at home. They may like ambiguity and believe it gives them a strategic and operational advantage. That is not something I agree with. I think it creates instability in the system.”
But his message in Israel is a newer one.
He had thought the debate in the West was about categorizing which cyber activities violate which aspects of another nation’s sovereignty and international law. Therefore, the international cyber experts he had worked with from around the world debated issues like whether a distributed denial-of-service attack would be considered a full violation of a state’s sovereignty or “just slowing systems down.”
But he has learned that some in the US Department of Defense don’t take the issue of sovereignty as an obvious rule for protecting states from cyber attacks.
Schmitt said that in the two versions of the Tallinn Manual he was lead author for, he had summarized a range of viewpoints on cyber law questions, but did not even consider that sovereignty would not apply as an ironclad rule of international law.
“And no state objected,” he pointed out, explaining that this was because “sovereignty is the legal firewall” preventing a complete free-for-all for cyber attacks.
In contrast, he said, elements of the US cyber command want a freer hand for “cyber spying, manipulating systems and offensively using malware [against adversaries].”
According to Schmitt, Russia’s hacking of the Democratic National Committee should be viewed as a “clear violation of sovereignty because elections are an inherently governmental act, even the mother of all sovereign prerogatives which is to pick your representatives.”
However, if the US ultimately takes the new hard line on the sovereignty issues, even if it “gives you a freer hand to conduct your own cyber actions, it is harder to name and shame other states” when they take actions, like the hack of the Democratic National Committee.
Schmitt, who has written articles justifying US and Israeli attacks in urban environments even where there has been criticism for the collateral damage caused to civilians, said: “I would like to think that I am not naïve and that you can undertake cyber operations to ensure your national defense, but that do not need to sacrifice [your own principles].”
As opposed to Russia, he said, it’s important for the US – even if it wants to preserve some flexibility in its cyber actions – “to work hard to keep its operations within the four corners of the law. Sometimes people say ‘Let’s stretch the limits,’ but they are still trying to stay within the four corners. Russia is the opposite. They start out saying: ‘What is the limit [which we can push to]?’” He said he understood that this “puts the US at a disadvantage, since our primary opponents could care less [about preserving the spirit of the law].”
Looking into the future, Schmitt said: “We need to continue to try negotiations, but maybe what we want to do is less ambitious. We can look for like-minded states. Groups of states agreeing can also make a new legal status. If 20 countries sign on to certain standards for cyber operations in warfare, it will create forward momentum.”
One area which he thinks is “starting to gain traction” would be putting aspects of the financial industry and essential civilian functions off limits. For example, he noted that regarding “a country’s pension system – why would any country need to mess with this? This won’t benefit other states.”
Schmitt said that both bilateral and smaller multilateral deals, even if not fully global, could “help articulate legal positions... and lead to agreements as a matter of policy that certain cyber targets would be off limits,” even if they are not formally banned by a new global convention.