Search This Blog

Wednesday, September 19, 2012

Harold Koh on Cyber-Attacks

U.S. State Department Legal Advisor Harold Koh spoke at the USCYBERCOM Inter-Agency Legal Conference in Ft. Meade, MD, on September 18, 2012, regarding the law of cyberspace.  This is the State Department's first full-length statement regarding the appropriate legal regime governing cyber-attacks.  I'll have more to say on this shortly, but until now here is the full text of the speech, which is also available here.

As prepared for delivery
Thank you, Colonel Brown, for your kind invitation to speak here today at this very important conference on “the roles of cyber in national defense.” I have been an international lawyer for more than thirty years, a government lawyer practicing international law for more than a decade, and the State Department’s Legal Adviser for nearly 3 ½ years. While my daily workload covers many of the bread and butter issues of international law—diplomatic immunity, the law of the sea, international humanitarian law, treaty interpretation—like many of you, I find more and more of my time is spent grappling with the question of how international law applies in cyberspace.
Everyone here knows that cyberspace presents new opportunities and new challenges for the United States in every foreign policy realm, including national defense. But for international lawyers, it also presents cutting-edge issues of international law, which go to a very fundamental question: how do we apply old laws of war to new cyber-circumstances, staying faithful to enduring principles, while accounting for changing times and technologies?
Many, many international lawyers here in the U.S. Government and around the world have struggled with this question, so today I’d like to present an overview of how we in the U.S. Government have gone about meeting this challenge. At the outset, let me highlight that the entire endeavor of applying established international law to cyberspace is part of a broader international conversation. We are not alone in thinking about these questions; we are actively engaged with the rest of the international community, both bilaterally and multilaterally, on the subject of applying international law in cyberspace.
With your permission, I’d like to offer a series of questions and answers that illuminate where we are right now – in a place where we’ve made remarkable headway in a relatively short period of time, but are still finding new questions for each and every one we answer. In fact, the U.S. Government has been regularly sharing these thoughts with our international partners. Most of the points that follow we have not just agreed upon internally, but made diplomatically, in our submissions to the UN Group of Governmental Experts (GGE) that deals with information technology issues.
I. International Law in Cyberspace: What We Know
So let me start with the most fundamental questions:
Question 1: Do established principles of international law apply to cyberspace?
Answer 1: Yes, international law principles do apply in cyberspace. Everyone here knows how cyberspace opens up a host of novel and extremely difficult legal issues. But on this key question, this answer has been apparent, at least as far as the U.S. Government has been concerned. Significantly, this view has not necessarily been universal in the international community. At least one country has questioned whether existing bodies of international law apply to the cutting edge issues presented by the internet. Some have also said that existing international law is not up to the task, and that we need entirely new treaties to impose a unique set of rules on cyberspace. But the United States has made clear our view that established principles of international law do apply in cyberspace.
Question 2: Is cyberspace a law-free zone, where anything goes?
Answer 2: Emphatically no. Cyberspace is not a “law-free” zone where anyone can conduct hostile activities without rules or restraint.
Think of it this way. This is not the first time that technology has changed and that international law has been asked to deal with those changes. In particular, because the tools of conflict are constantly evolving, one relevant body of law – international humanitarian law, or the law of armed conflict – affirmatively anticipates technological innovation, and contemplates that its existing rules will apply to such innovation. To be sure, new technologies raise new issues and thus, new questions. Many of us in this room have struggled with such questions, and we will continue to do so over many years. But to those who say that established law is not up to the task, we must articulate and build consensus around how it applies and reassess from there whether and what additional understandings are needed. Developing common understandings about how these rules apply in the context of cyberactivities in armed conflict will promote stability in this area.
That consensus-building work brings me to some questions and answers we have offered to our international partners to explain how both the law of going to war (jus ad bellum) and the laws that apply in conducting war (jus in bello) apply to cyberaction:
Question 3: Do cyber activities ever constitute a use of force?
Answer 3: YesCyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter and customary international law. In analyzing whether a cyber operation would constitute a use of force, most commentators focus on whether the direct physical injury and property damage resulting from the cyber event looks like that which would be considered a use of force if produced by kinetic weapons. Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force. In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors: including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues. Commonly cited examples of cyber activity that would constitute a use of force include, for example: (1) operations that trigger a nuclear plant meltdown; (2) operations that open a dam above a populated area causing destruction; or (3) operations that disable air traffic control resulting in airplane crashes. Only a moment’s reflection makes you realize that this is common sense: if the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force.
Question 4: May a State ever respond to a computer network attack by exercising a right of national self-defense?
Answer 4: YesA State’s national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof.As the United States affirmed in its 2011 International Strategy for Cyberspace, “when warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.”
Question 5: Do jus in bello rules apply to computer network attacks?
Answer 5: Yes. In the context of an armed conflict, the law of armed conflict applies to regulate the use of cyber tools in hostilities, just as it does other tools. The principles of necessity and proportionality limit uses of force in self-defense and would regulate what may constitute a lawful response under the circumstances. There is no legal requirement that the response to a cyber armed attack take the form of a cyber action, as long as the response meets the requirements of necessity and proportionality.
Question 6: Must attacks distinguish between military and nonmilitary objectives?
Answer 6: Yes. The jus in bello principle of distinction applies to computer network attacks undertaken in the context of an armed conflict. The principle of distinction applies to cyber activities that amount to an “attack” – as that term is understood in the law of war – in the context of an armed conflict. As in any form of armed conflict, the principle of distinction requires that the intended effect of the attack must be to harm a legitimate military target. We must distinguish military objectives – that is, objects that make an effective contribution to military action and whose destruction would offer a military advantage – from civilian objects, which under international law are generally protected from attack.
Question 7: Must attacks adhere to the principle of proportionality?
Answer 7: Yes. The jus in bello principle of proportionality applies to computer network attacks undertaken in the context of an armed conflict. The principle of proportionality prohibits attacks that may be expected to cause incidental loss to civilian life, injury to civilians, or damage to civilian objects that would be excessive in relation to the concrete and direct military advantage anticipated. Parties to an armed conflict must assess what the expected harm to civilians is likely to be, and weigh the risk of such collateral damage against the importance of the expected military advantage to be gained. In the cyber context, this rule requires parties to a conflict to assess: (1) the effects of cyber weapons on both military and civilian infrastructure and users, including shared physical infrastructure (such as a dam or a power grid) that would affect civilians; (2) the potential physical damage that a cyber attack may cause, such as death or injury that may result from effects on critical infrastructure; and (3) the potential effects of a cyber attack on civilian objects that are notmilitary objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are military objectives.
Question 8: How should States assess their cyber weapons?
Answer 8: States should undertake a legal review of weapons, including those that employ a cyber capability. Such a review should entail an analysis, for example, of whether a particular capability would beinherently indiscriminatei.e., that it could not be used consistent with the principles of distinction and proportionality. The U.S. Government undertakes at least two stages of legal review of the use of weapons in the context of armed conflict – first, an evaluation of new weapons to determine whether their use would beper se prohibited by the law of war; and second, specific operations employing weapons are always reviewed to ensure that each particular operation is also compliant with the law of war.
Question 9: In this analysis, what role does State sovereignty play?
Answer 9: States conducting activities in cyberspace must take into account the sovereignty of other States, including outside the context of armed conflict. The physical infrastructure that supports the internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial State. Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a State contemplates conducting activities in cyberspace, the sovereignty of other States needs to be considered.
Question 10: Are States responsible when cyber acts are undertaken through proxies?
Answer 10: YesStates are legally responsible for activities undertaken through “proxy actors,” who act on the State’s instructions or under its direction or control. The ability to mask one’s identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for States in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the State’s instructions or under its direction or control. If a State exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the State assumes responsibility for the act, just as if official agents of the State itself had committed it. These rules are designed to ensure that States cannot hide behind putatively private actors to engage in conduct that is internationally wrongful.
II. International Law in Cyberspace: Challenges and Uncertainties
These ten answers should give you a sense of how far we have come in doing what any good international lawyer does: applying established law to new facts, and explaining our positions to other interested lawyers. At the same time, there are obviously many more issues where the questions remain under discussion. Let me identify three particularly difficult questions that I don’t intend to answer here today. Instead, my hope is to shed some light on some of the cutting-edge legal issues that we’ll all be facing together over the next few years:
Unresolved Question 1: How can a use of force regime take into account all of the novel kinds of effectsthat States can produce through the click of a button?
As I said above, the United States has affirmed that established jus ad bellum rules do apply to uses of force in cyberspace. I have also noted some clear-cut cases where the physical effects of a hostile cyber action would be comparable to what a kinetic action could achieve: for example, a bomb might break a dam and flood a civilian population, but insertion of a line of malicious code from a distant computer might just as easily achieve that same result. As you all know, however, there are other types of cyber actions that do not have a clear kinetic parallel, which raise profound questions about exactly what we mean by “force.” At the same time, the difficulty of reaching a definitive legal conclusion or consensus among States on when and under what circumstances a hostile cyber action would constitute an armed attack does not automatically suggest that we need an entirely new legal framework specific to cyberspace. Outside of the cyber-context, such ambiguities and differences of view have long existed among States.
To cite just one example of this, the United States has for a long time taken the position that the inherent right of self-defense potentially applies against any illegal use of force. In our view, there is no threshold for a use of deadly force to qualify as an “armed attack” that may warrant a forcible response. But that is not to say that any illegal use of force triggers the right to use any and all force in response – such responses must still benecessary and of course proportionate. We recognize, on the other hand, that some other countries and commentators have drawn a distinction between the “use of force” and an “armed attack,” and view “armed attack” – triggering the right to self-defense – as a subset of uses of force, which passes a higher threshold of gravity. My point here is not to rehash old debates, but to illustrate that States have long had to sort through complicated jus ad bellum questions. In this respect, the existence of complicated cyber questions relating tojus ad bellum is not in itself a new development; it is just applying old questions to the latest developments in technology.
Unresolved Question 2: What do we do about “dual-use infrastructure” in cyberspace?
As you all know, information and communications infrastructure is often shared between State militaries and private, civilian communities. The law of war requires that civilian infrastructure not be used to seek to immunize military objectives from attack, including in the cyber realm. But how, exactly, are the jus in bellorules to be implemented in cyberspace? Parties to an armed conflict will need to assess the potential effects of a cyber attack on computers that are not military objectives, such as private, civilian computers that hold no military significance, but may be networked to computers that are valid military objectives. Parties will also need to consider the harm to the civilian uses of such infrastructure in performing the necessary proportionality review. Any number of factual scenarios could arise, however, which will require a careful, fact-intensive legal analysis in each situation.
Unresolved Question 3: How do we address the problem of attribution in cyberspace?
As I mentioned earlier, cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. I noted that legal tools exist to ensure that States are held accountable for those acts. What I want to highlight here is that many of these challenges – in particular, those concerning attribution – are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones.
These questions about effects, dual use, and attribution are difficult legal and policy questions that existed long before the development of cyber tools, and that will continue to be a topic of discussion among our allies and partners as cyber tools develop. Of course, there remain many other difficult and important questions about the application of international law to activities in cyberspace – for example, about the implications of sovereignty and neutrality law, enforcement mechanisms, and the obligations of States concerning “hacktivists” operating from within their territory. While these are not questions that I can address in this brief speech, they are critically important questions on which international lawyers will focus intensely in the years to come.
And just as cyberspace presents challenging new issues for lawyers, it presents challenging new technical and policy issues. Not all of the issues I’ve mentioned are susceptible to clear legal answers derived from existing precedents – in many cases, quite the contrary. Answering these tough questions within the framework of existing law, consistent with our values and accounting for the legitimate needs of national security, will require a constant dialogue between lawyers, operators, and policymakers. All that we as lawyers can do is to apply in the cyber context the same rigorous approach to these hard questions that arise in the future, as we apply every day to what might be considered more traditional forms of conflict.
III. The Role of International Law in a “Smart Power” Approach to Cyberspace
This, in a nutshell, is where we are with regard to cyberconflict: We have begun work to build consensus on a number of answers, but questions continue to arise that must be answered in the months and years ahead. Beyond these questions and answers and unresolved questions, though, lies a much bigger picture, one that we are very focused on at the State Department. Which brings me to my final two questions:
Final Question 1: Is international humanitarian law the only body of international law that applies in cyberspace?
Final Answer 1: No. As important as international humanitarian law is, it is not the only international law that applies in cyberspace.
Obviously, cyberspace has become pervasive in our lives, not just in the national defense arena, but also through social media, publishing and broadcasting, expressions of human rights, and expansion of international commerce, both through online markets and online commercial techniques. Many other bodies of international and national law address those activities, and how those different bodies of law overlap and interact with the laws of cyber conflict is something we will all have to work out over time.
Take human rights. At the same time that cyber activity can pose a threat, we all understand that cyber-communication is increasingly becoming a dominant mode of expression in the 21st century. More and more people express their views not by speaking on a soap box at Speakers’ Corner, but by blogging, tweeting, commenting, or posting videos and commentaries. The 1948 Universal Declaration of Human Rights (UDHR) – adopted more than 70 years ago – was remarkably forward-looking in anticipating these trends. It says: “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.” (emphasis added) In short, all human beings are entitled to certain rights, whether they choose to exercise them in a city square or an internet chat room. This principle is an important part of our global diplomacy, and is encapsulated in the Internet Freedom agenda about which my boss, Secretary Clinton, has spoken so passionately.
You all know of this Administration’s efforts not just in the areas of cyberconflict, but also in many other cyber areas: cybersecurity, cybercommerce, fighting child pornography and other forms of cybercrime. stopping intellectual property piracy, as well as promoting free expression and human rights. So the cyberconflict issues with which this group grapples do not constitute the whole of our approach to cyberspace; they are an important part – but only a part –of this Administration’s broader “smart power” approach to cyberspace.
What I have outlined today are a series of answers to cyberspace questions that the United States is on the record as supporting. I have also suggested a few of the challenging questions that remain before us, and developments over the next decade will surely produce new questions. But you should not think of these questions and answers as just a box to check before deciding whether a particular proposed operation is lawful or not. Rather, these questions and answers are part of a much broader foreign policy agenda, which transpires in a broader framework of respect for international law.
That leads to my Final Question for this group: Why should U.S Government lawyers care about international law in cyberspace at all?
The Answer: Because compliance with international law frees us to do more, and do more legitimately, in cyberspace, in a way that more fully promotes our national interests. Compliance with international law in cyberspace is part and parcel of our broader “smart power” approach to international law as part of 
U.S. foreign policy.
It is worth noting two fundamentally different philosophies about international law. One way to think about law, whether domestic or international, is as a straitjacket, a pure constraint. This approach posits that nations have serious, legitimate interests, and legal regimes restrict their ability to carry them out. One consequence of this view is that, since law is just something that constrains, it should be resisted whenever possible. Resisting so-called “extensions” of the law to new areas often seems attractive: because, after all, the old laws weren’t built for these new challenges anyway, some say, so we should tackle those challenges without the legal straitjacket, while leaving the old laws behind.
But that is not the United States Government’s view of the law, domestic or international. We see law not as a straitjacket, but as one great university calls it when it confers its diplomas, a body of “wise restraints that make us free.” International law is not purely constraint, it frees us and empowers us to do things we could never do without law’s legitimacy. If we succeed in promoting a culture of compliance, we will reap the benefits. And if we earn a reputation for compliance, the actions we do take will earn enhanced legitimacy worldwide for their adherence to the rule of law.
These are not new themes, but I raise them here because of they resonate squarely with the strategy we have been pursuing in cyberspace over the past few years. Of course, the United States has impressive cyber-capabilities; it should be clear from the bulk of my discussion that adherence to established principles of law does not prevent us from using those capabilities to achieve important ends. But we also know that we will be safer, the more that we can rally other States to the view that these established principles do impose meaningful constraints, and that there is already an existing set of laws that protect our security in cyberspace. And the more widespread the understanding that cyberspace follows established rules – and that we live by them – the stronger we can be in pushing back against those who would seek to introduce brand new rules that may be contrary to our interests.
That is why, in our diplomacy, we do not whisper about these issues. We talk openly and bilaterally with other countries about the application of established international law to cyberspace. We talk about these issuesmultilaterally, at the UN Group of Governmental Experts and at other fora, in promoting this vision of compliance with international law in cyberspace. We talk about them regionally, as when we recently co-sponsored an ASEAN Regional Forum event to focus the international community’s attention on the problem of proxy actors engaging in unlawful conduct in cyberspace. Preventing proxy attacks on us is an important interest, and as part of our discussions we have outlined the ways that existing international law addresses this problem.
The diplomacy I have described is not limited to the legal issues this group of lawyers is used to facing in the operational context. These issues are interconnected with countless other cyber issues that we face daily in our foreign policy, such as cybersecurity, cyber-commerce, human rights in cyberspace, and public diplomacy through cybertools. In all of these areas, let me repeat again, compliance with international law in cyberspace is part and parcel of our broader smart power approach to international law as part of U.S. foreign policy. Compliance with international law – and thinking actively together about how best to promote that compliance – can only free us to do more, and to do more legitimately, in the emerging frontiers of cyberspace, in a way that more fully promotes our U.S. national interests.
Thank you very much.

Tuesday, September 18, 2012

An Alternate History of the Charles Taylor Trial

There is continuing fallout from the Special Court of Sierra Leone's conviction of Charles Taylor, who received a 50-year sentence for crimes against humanity.  As many of you know, the alternate judge in the case, Judge Sow, apparently disagreed with Taylor's conviction, and during the reading of the judgment he started to voice his disagreement before the microphones were turned off and the judges hastily left the courtroom.  The moment would have to rank as one of the strangest in the recent history of international criminal justice.

Apparently, the judges did not take kindly to Judge Sow's attempted intervention, and subsequently moved to suspend him as a judge, which they succeeded in doing.  It is unclear why exactly he needed to be removed, unless his attempt to speak when he didn't have authorization to speak is itself sufficient grounds for removal.  Perhaps he asked for permission to speak during the reading of the verdict and the panel of judges denied his request, and his decision to speak anyway constituted a form of judicial defiance.  But that's just pure speculation on my part.

Although much of the current affair is inscrutable, a recent court filing has revealed additional insights into the dispute.  Taylor's defense team filed a motion to have the rest of the judges recused on grounds of partiality and an appearance of bias.  As Bill Schabas notes on his blog, the motion was denied, but the decision sheds some light on the inner workings of the court.

One judge filed a separate opinion, concluding that the court's decision to remove Judge Sow was procedurally improper.  The decision, by Judge King, complains that Judge Sow was not given adequate notice and opportunity to respond to the charges against him, and therefore objects to his removal.

There are several points to be made here.  First, there is insufficient consensus in the field regarding the appropriate role for alternate judges.  Should they just witness the trial but not participate in the deliberations?  But what if one of the judges gets sick during the deliberations and needs to be replaced?  So perhaps alternate judges should attend the deliberations too but not speak until they are elevated to full status.  Others argue that alternate judges should participate in the deliberations at every stage of the proceedings, the only difference being that they do not get to vote regarding the disposition of the case.  In that regard, should they be allowed to file a written opinion?  Should it be part of the final record?  If the procedures do not allow for a written opinion from an alternate judge, can they publish a written opinion as a private citizen (a blog perhaps!)?  In general, should an alternate judge have a voice?

Second, and perhaps more importantly, what are we to make of Judge Sow's doubts regarding the conviction?  Schabas concludes that it ought to concern us greatly, since doubts regarding the factual guilt of a defendant in a major international trial is literally unprecedented.  Although several judges have voted not guilty, these votes have been for individual counts only or with regard to issues of law.  I'm not sure I'm completely convinced by this distinction, mostly because it is unclear to me whether Judge Sow's doubts were exclusively factual in nature, or whether they were related to the relevant legal standard governing the case.  This is precisely why I think it is important to get a full accounting from Judge Sow on his reasoning.  Hopefully he will give a keynote address at one of the upcoming international criminal law conferences.  

Conference organizers: take note and start drafting those invitations.

Friday, September 7, 2012

Libya vs. The ICC

In the past few months I've discussed at length the fight between Libya and the ICC over who will conduct trials of former Gaddafi regime leaders, including his son Saif as well as his former intelligence chief, Senussi.  Libya has been insisting that it is both willing and able to prosecute them, a fact which -- if correct -- would deprive the ICC of jurisdiction under the principle of complementarity.  

However, that claim was seriously weakened by the fact that the Libyan government had custody of neither men.  Saif was in the custody of the Zintan rebels, who were refusing to transfer him to the custody of the central government.  And Senussi was being held by officials in Mauritania.  It is very hard to argue that a domestic prosecution is possible when the defendants are not in custody (although this assumes that an in absentia trial does not satisfy complementarity, which is an interesting argument).  This suggested that the ICC could take jurisdiction over the case, although the Office of the Prosecutor (at least under former prosecutor Moreno-Ocampo) has shown little interest in asserting jurisdiction over the case, preferring to let the Libyans take the lead.

Two days ago Mauritania extradited Senussi to Libya.  This now paves the way for the first domestic trial of a top former Gaddafi official, and I suspect that Libyan officials will now try to fast-track a prosecution.  Unfortunately, there are several obstacles that remain, and I'm skeptical that a trial can be set up any time in the near future.  There is no functioning judiciary so far as I can tell, at least not one that a fully developed legal system would recognize as a sophisticated system of criminal law.  The only way Libya can pull this off is with substantial input from international experts and foreign monitors, but there will be substantial political pressure to keep the process dominated by local characters.  

The real question here is how long it is appropriate to wait for such a system to be created.  So far as I know, there is no judicial precedent that sets a specific time frame on the Rome Statute's standard for complementarity.  If it takes two or three or five years for Libya to get a trial ready, does that indicate that Libya is unable to prosecute?  At some point, the future trial will look like the ever-advancing horizon, always in sight but never attainable.  The ICC can wait, but it won't wait forever.