The Fine Print: Legal Ambiguities in Cyberspace

Photo by Syndroid

Recently, instances of statecraft through cyberspace have captured headlines worldwide—but the terms and concepts used are not known to enough people. This is partially due to the mainstream media conflating all of them as ‘cyber-attacks’. There is a gap between what most people understand from reading the news and the conceptual legal framework offered by academics. There are clear opinions, grounded in international legal theory, that could form the foundations of a cyberspace legal regime. ‘Cyberspace’ itself is a contested definition—making the meaning of ‘cyber-security’ and ‘cyber-crime’ contingent on getting that first definition right. For the purposes of this article, I borrow from the American National Security Directive: cyberspace is defined as an “interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries.” From here we can delineate what cyber-attacks are, why cyber-space is unique, what the existing legal regime to govern cyberspace conduct is like, and, ultimately, why we must come to a better understanding of this common space of opportunity and vulnerability.

In law, the difference between a ‘crime’ and ‘warfare’ is crucial in proving causation, guilt, appropriate response, and so forth. With respect to a ‘crime,’ actors are private and non-state. If cyber-criminals are caught, their crimes are prosecuted like other crimes are, except with intelligence-sharing and enforcement-cooperation charges if it is a cross-border event. But for ‘warfare,’ the entire artifice changes: states are involved and the evidence process and punitive measures available are vastly different. No state has yet claimed the right to self-defence under UN Charter Article 51 when they experience a cyber-attack—arguably because the stakes are so much higher.

First, the definition of ‘cyber-attacks’ is critically contested along a political framework. Scholars have pointed out that the US government and the Russia- and China-led Shanghai Cooperation organisation differ on whether a cyber-attack is designated by the target of the attack—i.e., intending to disrupt a computer network—or by the way in which an attack is carried out—i.e., using a network to achieve political goals. The implication of the first definition is that this may be used to go after political dissenters on social media; but the second definition, if too broadly defined, would lump together less severe cyber-crimes with cyber-attacks which may warrant a different level of countermeasures.

Additionally, ‘cyber-attacks’ must be differentiated from ‘cyber-espionage’. Unlike the violent connotations associated with an attack, espionage is a non-destructive, often clandestine, form of cyber-exploitation that seeks to obtain information that would otherwise remain confidential. Espionage is conducted by all states; one can even argue that espionage facilitates the reduction of information asymmetry, calming international ties. The conflation can cause tensions to spike. Country A, thinking that it is conducting tacitly acceptable espionage, may do something understood by country B as an attack—and country B may respond more vigorously than country A had assumed. For instance, Chinese cyber-espionage directed against the US risks unwanted escalation.

Cyber-attacks cannot be assumed to be identical to cyber-crime. Cyber-crime can occur without being a cyber-attack, the most common ones being tax-refund fraud, stealing a corporate entity’s money, and identity theft. But it can also be a cyber-attack. In the instance of the non-state “Anonymous” group of hackers who shut down the Egyptian government’s website, if they actually undermined the computer network for a political purpose and violated Egypt’s criminal law, their cyber-crime becomes a cyber-attack. This distinction enables us to decide what responses are most appropriate to punish the actors involved, deter future attacks, and mitigate current damage, amongst other things.

As opposed to this cyber-crime, cyber-warfare necessarily falls within the superset of cyber-attacks. Like any other cyber-attack, it must somehow undermine a targeted computer system for political purposes, but it must also cause harm equivalent to conventional armed attack or be in the context of armed conflict. Typically, this would mean death, damage to property and infrastructure, or a high level of disruption.

In practice, these definitions have complicated implications. The Chinese PLA Unit 61398 is considered a state actor, but its targets are often companies based in America rather than military or strategic targets. Allegedly, private Chinese firms can even ‘hire’ this unit’s services to learn the trade secrets of their American rivals and gain a competitive advantage. How would one classify an attack by a state actor with an arguably non-political purpose and commercial, rather than military, losses? Even if this is state-sanctioned theft, how is an appropriate response determined? The effects of a cyber-attack are more difficult to quantify than conventional damage to physical property or loss of civilian lives, hindering state-level responses.

Cyber-based activities in statecraft flip the table of power and vulnerability; it is the modern industrialised state, rather than the “pre-modern” agrarian-based economy, that is made more vulnerable to cyber-attacks due to their heavy dependence on computer networks for basic utilities and food distribution, transport systems, communication, and production. Due to the decentralised nature of cyber-based activities, quasi-states or those with weak government institutions stand a better chance of increasing their leverage over strong states.

Furthermore, cyberspace-based tactics are accessible to non-state actors in particular, as they require less financial backing, authorities’ permission, and clearance as compared to conventional military weaponry. The cyber-world is open and flat, and extradition treaties are lacking. Countries may deflect the blame from their citizens’ actions and avert the repercussions that would otherwise occur if the action was always traceable. To explain: when a private citizen of country A independently carries out attacks against country B, the lack of extradition for these crimes can allow them to go unpunished by country B. That citizen may also go unpunished by their home country, if country A has benefitted from the attack on country B.

In some sense, these tactics are the conceptual opposite of nuclear weapons. Despite never being outrightly banned by international law, no nuclear strikes occurred post-WWII as any attack would be easily traced to the aggressor and cause unimaginable retaliation. The high-level technology inherent in nuclear systems also prevented its widespread proliferation. But the accessibility of cyberspace and barriers to retribution make it radically different—it arguably incentivises offence.

For instance, President Xi Jinping recently said that China and the US would not “knowingly support” cybertheft of commercial secrets. Newsreaders must dissect every word carefully. Although this specific case is more about ‘cyber-crime’ than ‘cyber-attacks’ (because it is for commercial rather than political purposes) it shows governments can claim that they didn’t know their citizen was attacking another country’s government or firms due to misguided nationalist sentiments or whatnot. They can thus better deflect blame and escape culpability.

In recognition of this, countries around the world have tried to adapt to this new plane. The US instituted a full Cyber Command in 2009. But why does it seem so feckless in the face of the recent attacks that robbed it of federal personnel’s information?

In part, this is due to a prevailing paucity of international agreements on this matter. The ones that exist are mostly region-based and aligned closely to with the political values of their blocs. If an international treaty is not formed, or in the interim while it is, cyberspace could be regulated by drawing on non-cyber law regimes. Oona Hathaway of Yale University suggests the use of the International Telecommunications Law, justified by cyber-attacks’ use of the electromagnetic spectrum, or the International Law of the Sea, if the cyber-attacks originate from the high seas.

The final complication of cyberspace is that it is a shared military-civilian arena. In the US, the Department of Defense reports that “the private sector owns and operates over ninety percent of all of the networks and infrastructure of cyberspace and is thus the first line of defense.” This is likely to be common in developed countries and raises an interesting question: to what extent should private actors like companies be obliged to cooperate with governments in the interest of national cyber-defence?

The ubiquity of cyberspace makes even private citizens important stakeholders in the regulation of cyberspace. But the enthusiasm with which populist politicians, for instance, fling ideas around of waging ‘cyber-war’ is symptomatic of the existing confusion. For treaty-based negotiation and conflict management to succeed, all parties must come to operate from a clear and shared understanding.

Latest Posts By