International Legal Aspects of Cyber Security

Thomas C. WingfieldProfessor of International Law

George C. Marshall European Center for Security StudiesGarmisch-Partenkirchen, Germany

June 11, 2013

International Cyber Law

• Threats• Framework• Priority• Regimes• Top Legal Issues• “Act of War”

Threats• Sources

– States– Corporations– Hackers– Hacktivists– Disgruntled Insiders– Terrorists– Botnet Operators– (Spear)phishers– Spammers– Spyware and Malware Authors– Pedophiles

• Categories– Confidentiality

• Espionage• Personal Data Theft• Data Mining• Fraud

– Integrity• Propaganda / Disinformation• Intimidation• Destruction

– Availability• External Information• Internal Information

Framework and Priority

• Possible: Technology• Permissible: Law• Preferable: Policy

• Treaty Law• Customary International

Law– State practice– Opinio juris

• Persistent objection• Jus Cogens

Legal Regimes in Cyberspace

Neutrality

• Infrastructure-in-exile• General Rule• Absolute vs.

Floating Standards• Loss of protection– Targets– Belligerency

• Georgia

Proportionality

• Schmitt Uncertainties– What is being hit– Precision of targeting– “Blast” radius

• Solutions– IPE– Hardware/Software– Phone Home

• Legal vs. Policy• STUXNET, et al.

Human Rights

• Reporting• Organization• Tracking• Cyber Stents• Egypt, Libya, Syria, etc.

Attribution

• Two dimensions– Degree of involvement• State responsibility

– Certainty• MP v. C&C v. BRD

• Reactive attribution• CYBERCOM statement• China, Russia, . . .

State Fingerprints• Criteria

– Claim of Responsibility • High: Lulz Security v. US/UK• Low: Unknown exploits (but see MI-6)

– Monetization • High: Citi names, addresses, e-mails, and transaction histories (200,000)• Low: IMF internal e-mails and documents; French Finance Ministry/G-20

– Sophistication• Low: (Spear)phishing, many zero-day exploits• High: STUXNET

• Best Resources– Website: Information Warfare Monitor

• http://www.infowar-monitor.net/ – Book: Cyber Adversary Characterization

• http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=cyber+adversary+characterization

“Act of War”

• Threat or Use of Force– “Scale and effects”– Schmitt Criteria

• Severity• Immediacy• Directness• Invasiveness• Measurability• Presumptive Legitimacy• Responsibility

• Armed Attack– Loss of life, extensive

property damage– “Tanks across the

border,” 9/11

Questions?

Thomas C. WingfieldProfessor of International LawGeorge C. Marshall European Center for

Security Studiesthomas.c.wingfield@marshallcenter.org +49 (0) 8821 750 2307

Incitement

• Nuremberg: Streicher v. Fritzsche• Genocide Convention: Art. III(c)

“Direct and public incitement”• Rome Statute: Art. 25(3)(e)• Hate Speech– EU Framework Decision (28 Nov 08)

• Free Speech• Rwanda: radio; Estonia: cyber

Hate Speech vs. Free Speech

• Framework Decision– Public incitement and hatred against persons of a

different race, color, religion, or national or ethnic origin

– Public approval, denial, or gross trivialization of international crimes, notably genocide

• First Amendment: Congress shall make no law . . . abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

Human Rights: Treaty• General Comment No. 34 to Art. 19, ICCPR• http://www2.ohchr.org/english/bodies/hrc/comments.htm • 3. Freedom of expression is a necessary condition for the realization of the

principles of transparency and accountability that are, in turn, essential for the promotion and protection of human rights.

• 43. Any restrictions on the operation of websites, blogs or any other internet-based, electronic or other such information dissemination system, including systems to support such communication, such as internet service providers or search engines, are only permissible to the extent that they are compatible with paragraph 3. Permissible restrictions generally should be content-specific; generic bans on the operation of certain sites and systems are not compatible with paragraph 3. It is also inconsistent with paragraph 3 to prohibit a site or an information dissemination system from publishing material solely on the basis that it may be critical of the government or the political social system espoused by the government.

Human Rights: Custom

“We do not seek to impose any system of government on any other nation, but we also don’t believe that the principles that we stand for are unique to our nation. These freedoms of expression and worship, of access to information and political participation, we believe are universal rights.”

President Obama, 16 Nov 09