Cyber Porposal - Paper Answers

Cyber Proposal

Instructions

Research topic (Cyberwar, Law and Policy).

1. Write a research proposal

2. Create a research question,

3. Write purpose statement.

4. Use all of the attached sources provided and provide 4 additional outside sources.

Technical Requirements

· Your proposal paper must be at a minimum of 1-2 pages (the Title and Reference pages do not count towards the minimum limit).

· Type in Times New Roman, 12 point and double space.

· Use Turabian Style as the sole citation and reference style

· Do not use Wikipedia or encyclopedic type sources.

· For the 4 outside source utilize books, peer-reviewed journals, articles, archived documents, etc.

Internet Governance:
Territorializing Cyberspace?

CAROL M. GLEN
Valdosta State University

Internet governance evolved in an ad hoc manner and produced a
decentralized, regulatory environment that has been shaped by a myriad
of public and private organizations. The decentralized nature of this
form of Internet governance is now being challenged. New technical,
security, and privacy issues have raised political questions concerning
whether such loose regulatory coordination can adapt quickly enough
to twenty-first-century challenges. Such doubts go well beyond the
technical; they reflect profound questions about who should control the
Internet. This article examines the issue of Internet governance in light
of recent challenges. Discussion is centered on assessing efforts to
replace the current decentralized, multistakeholder governance model
with a centralized, multilateral model. Trends are examined with
reference to efforts by some member states of the International
Telecommunication Union to strengthen the role of governments in
Internet regulation, especially during negotiations at the 2012 World
Conference on International Telecommunications.

Keywords: Internet Governance, E-Government, Cyberspace,
Territorialization, Global Governance, Internet Policy, Multistakeholder
Governance, Multilateral Governance, World Conference on International
Telecommunications, WCIT, International Telecommunication Union,
Regulation Policy, Decentralization, Multistakeholderism, Security,
Privacy, Social and Moral Political Issues, International Relations.

Related Articles:
Walsh, James I. 2008. “Persuasion in International Politics: A Rationalist
Account.” Politics & Policy 33 (4): 642-670.
http://onlinelibrary.wiley.com/doi/10.1111/j.1747-1346.2005.tb00217.x/abstract
Turner, Scott. 1997. “Transnational Corporations and the Question of
Sovereignty: An Alternative Theoretical Framework for the Information
Age.” Southeastern Political Review 25 (2): 303-324.
http://onlinelibrary.wiley.com/doi/10.1111/j.1747-1346.1997.tb00841.x/abstract

Acknowledgements: The author would like to thank the anonymous reviewers of the manuscript,
as well as Dr. Emma Norman, at Politics & Policy for their insightful suggestions.

bs_bs_banner

Politics & Policy, Volume 42, No. 5 (2014): 635-657. 10.1111/polp.12093
Published by Wiley Periodicals, Inc.
© 2014 Policy Studies Organization.

http://onlinelibrary.wiley.com/doi/10.1111/j.1747-1346.2005.tb00217.x/abstract

http://onlinelibrary.wiley.com/doi/10.1111/j.1747-1346.1997.tb00841.x/abstract

Fisher, Bonnie, Michael Margolis, and David Resnick. 1996. “Surveying
the Internet: Democratic Theory and Civic Life in Cyberspace.”
Southeastern Political Review 24 (3): 399-429.
http://onlinelibrary.wiley.com/doi/10.1111/j.1747-1346.1996.tb00088.x/abstract

Related Media:
Film Clips: E.U. Registry. 2010. What is Internet Governance?

Diplofoundation. 2008. Evolution of Internet Governance.

ISOCDC Panel Discussion. 2014. Internet Governance 2020: Geopolitics
and the Future of the Internet.

La gobernanza de la internet se desarrolló de manera específica y
produjo un entorno regulatorio descentralizado que ha sido moldeado
por una miríada de organizaciones públicas y privadas. La naturaleza
descentralizada de esta forma de gobernanza está siendo cuestionada.
Nuevos asuntos tanto técnicos como de seguridad y privacidad han
provocado inquietud política sobre qué tanto el entorno regulatorio
descentralizado podría adaptarse oportunamente a los desafíos del siglo
21. Las inquietudes van más allá de lo técnico; reflejan preguntas serias
sobre quién debería controlar la internet. Este artículo examina el
asunto de la gobernanza de la internet a la luz de desafíos recientes. La
discusión se centra en la evaluación de los esfuerzos para remplazar el
actual modelo de gobernanza descentralizado y de múltiples entidades
involucradas en su regulación, a un modelo de gobernanza centralizada
y multilateral. Tomo en cuenta las tendencias con referencia a los
esfuerzos de estados miembros de la Unión Internacional de
Telecomunicaciones de reforzar el papel de los gobiernos en la
regulación de la internet, especialmente durante las negociaciones de la
conferencia mundial de Telecomunicaciones Internacionales de 2012.

Internet governance evolved in an ad hoc manner and produced a
decentralized regulatory environment that has been shaped by a myriad of
public and private organizations, as well as civil society. Governance by these
multistakeholder networks has been so conducive to growth that the Internet is
said to be the fastest growing resource ever known (Toure 2011). Nevertheless,
the decentralized nature of this form of Internet governance is now being
challenged. New technical, security, and privacy issues have raised political
questions concerning whether such loose regulatory coordination can adapt
quickly enough to twenty-first-century challenges. Such doubts go well beyond
the technical; they reflect profound questions about who should control the
Internet.

This debate also relates to a broader theoretical discussion concerning
global governance. More than 20 years ago, Peter Haas (1992) argued that as

636 | POLITICS & POLICY / October 2014

http://onlinelibrary.wiley.com/doi/10.1111/j.1747-1346.1996.tb00088.x/abstract

governance becomes increasingly technical, government leaders turn to experts
to acquire information to help ameliorate uncertainties. The highly technical
nature of some aspects of the Internet has increased the need for such
nongovernmental experts, especially in the area of governance. The Internet
enhances the power of nonstate actors, permitting them to network at an
ever-increasing level of sophistication (Drezner 2004). Internet policy and
regulation, probably more than any other area of international relations,
has been shaped by nonstate actors. Recent events, however, suggest
that this multistakeholder model of Internet governance is under
threat. Challenges to existing Internet governance arrangements surfaced
prominently before and during negotiations at the World Conference on
International Telecommunications (WCIT), convened by the International
Telecommunication Union (ITU), a specialized agency of the United Nations
(UN), in December 2012. The ITU was established in 1865 as the main standard
setting organization for international telecommunications, and before the 2012
WCIT had been largely noncontroversial. The organization is charged with
such seemingly mundane but important tasks as allocating the global radio
spectrum and satellite orbits, developing technical standards that ensure
networks connect, and improving global access to information and
communication technology (ICT). Although the ITU lists 700 private sector
entities among its membership, it is only the 193 member states that participate
and vote in the Plenipotentiary Conference, the key event at which member
states decide on the future policies of the organization.1 The ITU is, therefore,
a typical multilateral organization; decision-making power is held by states that
cooperate to develop international communications and telecommunication
policies.

The last major treaty negotiated under the auspices of the ITU created the
International Telecommunications Regulations (ITRs) in 1988. Ratified by 190
countries, these regulations outlined the principles underpinning international
voice, data, and video traffic, and were successful in bringing a level of
standardization to ICT. In the years that followed, however, a growing
consensus emerged recognizing that the 1988 regulations needed to be updated
to take account of the dramatic changes that had taken place in international
telecommunications. The growth of the Internet as a telecommunications
medium, therefore, placed the ITU at the center of the Internet governance
debate, and also brought considerable controversy. The intergovernmental
structure of the ITU prompted fears that the traditional multistakeholder model
of Internet governance was about to be replaced by a multilateral approach that
would give the ITU control over the Internet.2

1 For more information concerning ITU responsibilities, visit http://www.itu.int/en/Pages/default
.aspx
2 For example, on December 5, 2012, the U.S. House of Representatives unanimously passed a
resolution urging the U.S. government not to give the ITU control over the Internet.

Glen / INTERNET GOVERNANCE | 637

http://www.itu.int/en/Pages/default.aspx

The 2012 WCIT is particularly significant for the study and practice of
Internet governance for it raises questions concerning the role of nation states
in Internet governance, as well as the crucial issue of multistakeholder
representation (Levinson 2012). The primary focus of this article is, therefore,
on the techno-political controversies that surrounded the 2012 WCIT,3 in
particular efforts by some member states of the ITU to replace the current
decentralized, multistakeholder Internet governance model with a centralized,
intergovernmental, multilateral one. In doing so, the inherent conflict
between two competing theoretical perspectives, multistakeholderism and
multilateralism, is also addressed. To add context, the article begins by
reviewing the theoretical underpinnings of Internet governance with an
overview of the concept of global governance generally. The global governance
literature is relevant because it highlights the increasingly influential role of
nonstate actors in governance. I then assess the multifaceted nature of the
current multistakeholder Internet regulatory framework, especially the central
role afforded to the Internet Corporation for Assigned Names and Number
(ICANN) within the system. The authority of ICANN was challenged before
the WCIT meeting, and continues to be challenged today. The heart of the study
analyzes the competing debates that emerged at the WCIT and introduces three
new taxonomies to delineate competing policy positions of ITU member states
before and during the conference. Two of these policy perspectives sought to
challenge existing multistakeholder arrangements, while the third sought to
maintain the status quo.

Global Governance

The term governance has been used in international relations literature for
many years, but not always with clear and consistent meaning. Finkelstein
(1995, 368) described governance as a fuzzy term that we use “when we don’t
really know what to call what is going on,” while others have noted that the
“loose handling of the concept has contributed to blurring much of its content”
(Dingwerth and Pattberg 2006, 188). By 2004, Van Kersbergen and Van
Waarden commented that the governance literature had become a “veritable
growth industry” characterized by theoretical and conceptual confusion (Van
Kersbergen and Van Waarden 2004, 144). Even a cursory review of the
governance literature confirms that the term has been used in a variety of ways.
Governance describes a system of governing styles where the boundaries of
public and private sectors have become blurred (Stoker 1998). It involves a
dichotomous redefinition of the relationship between government and society,
or between state and market Glasbergen (1998). It is the setting, application,

3 Rasmussen (2007) discusses techno-political issues in relation to culture.

638 | POLITICS & POLICY / October 2014

and enforcement of the rules of the game (Kjaer 2004, 12), and it refers to
interorganizational networks characterized by interdependence and autonomy
from the state (Rhodes 1997, 15).

At the international level, several authors have attempted to clarify the
meaning of the term. Dingwerth (2008, 1) asserts that the “global governance
thesis” can be disaggregated into four major claims: the internationalization of
policy making, diffusion of authority beyond the state, changing procedural
norms beyond the state, and the distribution of governing resources among an
increasing range of actors. Bierstecker (2011) characterizes global governance as
patterned regularity at the international level that has purposive goals, formal
and informal rules, and authoritative self-regulation.

Much of this literature draws from, and builds upon, broader analyses of
international relations that focus on the issue of global order. Rosenau (1992, 8)
notes that governance and order are interactive phenomena: “there can be no
order without governance and no governance without order.” He also warns
that we should not conflate government and governance, they are not
synonymous. While the former can exist in the presence of widespread
opposition to its policies, the latter requires acceptance by the majority of those
it affects. From this line of reasoning, Rosenau (1992) asserts that informal
mechanisms of governance can exist without the presence of formal government
authority. The state-centric world, where national actors dominate, is said to
coexist with a multicentric world that includes a diverse range of relatively equal
actors (Rosenau 1992). The idea that world order can be maintained in the
absence of centralized government authority echoes regime theory. However,
there are distinctions between these two concepts. Whereas regimes are “sets of
implicit or explicit principles, norms, rules and decision-making procedures” in
a given issue area of international relations (Krasner 1983, 2), governance is not
confined to a single policy area. Regimes can therefore be characterized as a
subcategory of global governance (Rosenau 1992).

The literature on governance and regimes highlights the emergence of
nonstate actors on the global political stage, so too does the literature on
networks. Like the concept of governance, networks have been defined in a
number of different ways. In their transgovernmental form, they are described
as peer-to-peer interactions between domestic officials and their foreign
counterparts (Slaughter and Zaring 2006). These transnational regulatory
networks (TRNs) bring together representatives from national regulatory
agencies “to facilitate multilateral cooperation on issues of mutual interests”
(Verdier 2009, 118). Such arrangements help solve some of the collective
problems caused by globalization because they are able to address complex
issues in a speedy and flexible manner, unhindered by partisan politics
(Slaughter 2004). Another important idea related to networks and governance is
the concept of epistemic communities. Like TRNs, epistemic communities
comprised issue experts, but they also encompass professionals from outside
of regulatory agencies. Moreover, epistemic communities also differ from

Glen / INTERNET GOVERNANCE | 639

bureaucratic entities because their members exhibit a set of “shared normative
and causal beliefs” that coalesce around a common set of policy goals (Haas
1992). A third form of governance network that is relevant to the present
discussion concerns global public policy networks. These have been defined as
“multisectoral partnerships linking different sectors and levels of governance
and bringing together governments, international organizations, corporations
and civil society” (Streck 2002, 123). This definition sees networks as actors who
coordinate collective action in pursuit of policy goals at the international level.
Networks are commonly distinguished from the hierarchical organization of
states because of their decentralized decision making and their horizontal
patterns of interaction (Zanini and Edwards 2001, 33).

A further evolution in the practice of global governance emerged at the
beginning of the twenty-first century in the concept of multistakeholderism. A
somewhat inelegant term, it refers to the “processes which aim to bring together
all major stakeholders in a new form of communication, decision-finding (and
possibly decision making) on a particular issue” (Hemmati 2002, 2). The
multistakeholder concept has been championed by the UN as a way to
democratize and legitimize decision making at the international level. As a 2004
UN report illustrates, the UN “should emphasize the inclusions of all
constituents relevant to the issue . . . and foster multistakeholder partnerships to
pioneer solutions and empower a range of global policy networks” (Cammaerts
2011, 133). Multistakeholderism has become increasingly visible across a broad
range of issues, including global business regulation (Waz and Weiser 2012) and
diplomacy (Hocking 2006). However, nowhere has multistakeholderism been
more developed than in the area of Internet governance.

Global governance, regimes, networks, and multistakeholderism all point to
a fundamental shift in the way that international relations function. Sovereign
states have been joined by a myriad of other actors who now have important
roles to play in shaping global policy agendas. Although the relative power of
these new actors vis-à-vis the state can be debated (and it is certainly not equal),
their presence illustrates that international relations is now about more than
interstate relations. At their core, these theoretical models challenge
perspectives that focus on intergovernmental cooperation to the exclusion of
other actors. As such, they are more relevant to discussions of Internet
governance than those based on state-centric assumptions. The practice of
Internet governance incorporates numerous facets proposed in the global
governance literature, including the internationalization of policy making,
public–private partnerships, the growing importance of technical experts,
peer-to-peer interactions, as well as diffused authority. With respect to Internet
governance, Mueller (2010) describes the latter as distributed control, arguing
that the sheer volume of Internet transactions often overwhelms traditional
government processes, creating a disconnect between political authority and
Internet control. “Decision-making authority over standards and critical
Internet resources rests in the hands of transnational networks of actors that

640 | POLITICS & POLICY / October 2014

emerged organically alongside the Internet, outside of the nation-state system”
(Mueller 2010, 4).

Current Internet Regulatory Framework

Internet governance is not without its challenges; the Internet has grown in
a piecemeal, uncoordinated fashion, it has traditionally lacked centralized
authority, and it extends across a multitude of diverse jurisdictions. This has led
to a common perception that the Internet is ungovernable, a “benevolent
anarchy” (Klein 2002, 193). However, the growing corpus of regulations
contradicts this view. Not only is the Internet regulated, but multistakeholder
participation in shaping that regulation is highly developed. Nonstate actors
have played a prominent role from the earliest days of Internet regulation, none
more so than the ICANN. This organization lies at the heart of Internet
governance. Its significance for the present discussion is based on the fact that
ICANN was founded as an alternative to existing intergovernmental
organizations, such as the ITU (Mueller and Woo 2004).

ICANN was established in 1998 as a private, nonprofit organization,
governed by California law and operating on the basis of a Memorandum of
Understanding with the U.S. Department of Commerce. It is responsible for the
Internet’s domain name system, which means that it allocates and controls
Internet domain names and numeric IP addresses, and manages the “root,” the
master file of top-level domain names. Although these functions appear to be
largely technical in nature, they have very significant political implications. A
domain name is required to exist on the Internet, without that name a computer
will not be found by others. Whoever controls the allocation of domain names
controls the Internet (Klein 2002, 195). This is a sizeable business; ICANN
regulates a $3 billion per year domain name registration industry, which gives it
considerable power over technical standards (Mueller and Woo 2004, 7). The
establishment of ICAAN was noteworthy not only because it represented
the centralization and privatization of control over the Internet, but also
because it was a “revolutionary departure from traditional approaches to global
governance” (Mueller 2010, 60).

ICANN is governed by a 21-member Board of Directors, which is required
to be responsive to the Internet community, through consultations, public
meetings, and coordination. Indeed, ICANN’s founding document stipulated
that this new body should be committed to “private, bottom-up coordination”
and be open to “input from a broad and growing community of Internet users.”4

On paper, ICAAN exemplifies a multistakeholder system where governments
are relegated to an advisory role that takes place within the Government

4 ICANN’s founding memorandum can be found here: https://www.icann.org/resources/
unthemed-pages/icann-mou-1998-11-25-en

Glen / INTERNET GOVERNANCE | 641

https://www.icann.org/resources/unthemed-pages/icann-mou-1998-11-25-en

Advisory Committee. While ICANN is clearly not an intergovernmental body,
some question the degree to which ICANN is truly accountable. Mueller (2010,
248) asserts that ICANN has “created a mélange of participatory mechanisms,
none of which have any real power . . . [it] is a parody of bottom-up consensus
building-governance.” Others point out that the ICANN Board of Directors
has always been subject to a higher authority, that of the U.S. government. “The
Internet was internationalized and privatized but only under the watchful
oversight of the US government” (Klein 2002, 201).

Multistakeholder participation has also grown as result of purposeful UN
action. The two UN-sponsored World Summits on the Information Society
(WSIS) held in Geneva in 2003 and in Tunis in 2005 proved to be particularly
important. Both were designed to promote bottom-up multistakeholder
participation, and each attracted representatives from governments and civil
society across the globe. Although the main focus of these summits was intended
to be the global digital divide, they nevertheless offered an authoritative
definition of Internet governance that is founded on the multistakeholder
principle.

Internet governance is the development and application by governments,
the private sector and civil society, in their respective roles, of shared
principles, norms, rules and decision-making procedures, and programmes
that shape the evolution and use of the Internet. (Working Group on
Internet Governance 2005, 11)

The application of multistakeholderism is also evidenced in the Internet
Governance Forum (IGF). Established in 2006, the IGF brings together
all interested stakeholders in the Internet governance debate, including
representatives of governments, civil society, business, and academia. Its
mandate includes requirements to strengthen the engagement of stakeholders
and make recommendations regarding emerging governance issues. The
barriers for participation in IGF meetings are low, so participation is high. One
analysis showed that the participation by governments (26 percent), civil society
(24 percent), and the private sector (20 percent) are relatively even, with slightly
lower participation from the technical and academic community (15 percent)
(Maciel and Pereira de Souza 2011).

Tangible collaborative innovations that emerged from the first IGF meeting
in Athens 2006, and continued thereafter, are known as dynamic coalitions.
These informal issue-specific groups comprise members from a variety of
stakeholder groups organized on a functional basis. They are quintessential
epistemic communities because they comprised experts who have competence
in a particular domain and who have shared normative beliefs. A review
of their membership reveals that they include representatives from
academic institutions, government agencies, international organizations, and
nongovernment organizations, as well as private telecommunications and media

642 | POLITICS & POLICY / October 2014

companies. At the time of writing, there were one dozen dynamic coalitions,5

but the Dynamic Coalition on Core Internet Values is the most relevant to the
present discussion. As its name suggests, the stated aim of this coalition is to
create and define a core list of values designed to inform and shape discussions
as the Internet continues to evolve. Coalition objectives are clearly normative,
as the following excerpt from their 2009 workshop indicates:

The Internet model is open, transparent, and collaborative and relies on
processes and products that are local, bottom-up, and accessible to users
around the world. These principles and values are threatened when policy
makers propose to regulate and control the Internet, with inadequate
understanding of the core values. (Intergovernmental Forum 2009)

It is the perceived attack on core Internet values that created the firestorm
that surrounded the 2012 WCIT, especially with regard to Internet regulations
and governance.

World Conference on International Telecommunications:
Competing Visions of Internet Governance

Opposing visions of Internet governance emerged in difficult and
contentious negotiations during the 2012 WCIT. During the 12-day conference,
more than 1,275 proposals were discussed by more than 1,600 delegates, but in
the end the treaty that was produced fell far short of unanimous support. The
main point of contention was again Internet governance. It is easy to depict the
controversies surrounding the WCIT as signaling a new Cold War over Internet
governance, and many have done so.6 These divisions have been most frequently
portrayed as a split between governments that strive to protect and promote
freedom of expression, and those that seek to use the Internet to censor and
control their populations. While this narrative may be applicable in some, or
even many, cases, it does not tell the full story. An analysis of policy positions
prior to and during the WCIT reveals that there were three, not two, competing
policy visions. These are delineated here as the following archetypes: (1) the
open multistakeholder model, (2) the repressive multilateral model, and (3) the
open multilateral model, outlined in Table 1.

The first of these, the open multistakeholder model, in its purest form refers
to openness in terms of limited regulation, freedom of expression, and free
market interests. This position is consistent with the historical development of
Internet norms. While the Internet grew out of research conducted by the U.S.

5 For a list of dynamic coalitions and a description of their goals, see http://www.intgovforum
.org/cms/dynamiccoalitions/90-dynamic-coalitions/dc-meetings-2009#weblog
6 The following article headline from The Economist is one example, “A Digital Cold War.”
December 14, 2012. http://www.economist.com/blogs/babbage/2012/12/internet-regulation

Glen / INTERNET GOVERNANCE | 643

http://www.intgovforum.org/cms/dynamiccoalitions/90-dynamic-coalitions/dc-meetings-2009#weblog

http://www.economist.com/blogs/babbage/2012/12/internet-regulation

Department of Defense, it was nevertheless promoted as a vehicle for
unrestricted academic research and communication from its earliest days. The
establishment of the Internet as an “open commons” was a deliberate policy
choice to promote innovation and free expression. The core architectural
guideline of the Internet is the end-to-end-principle. It is based on the idea that,
in a distributed computing network, functionality should be provided by end
hosts rather than by the network itself, using a common protocol known as
TCP/IP. It was first proposed by Saltzer, Reed, and Clark (1981), and the design
led to a number of technological advances, including most significantly, the
creation of the World Wide Web.

The end-to-end principle is based on the idea of smart terminals and a dumb
network, as well as the assumption of “net neutrality.” The term was coined by
Tim Wu, when he described net neutrality as “an Internet that does not favor
one application over others” (Wu 2003). Essentially, net neutrality is a
nondiscrimination principle that affirms that all Internet content should be
treated in the same way. In other words, all Internet data should be transmitted
equally, regardless of content; any computer can send an information packet
to any other computer without interference in the transmission of that
information. There should be no separate “fast lanes,” no selectivity by carriers
over content, and no blocking of access to some websites. The “dumb” network
does not examine the constituent parts of the communication. This architecture
has been credited with the rapid growth of the Internet. As Vinton Cerf (2005),
coinventor of the Word Wide Web noted in a letter to Congress, the success of
the Internet can be directly attributed to the fact that it was designed without

Table 1. Three Models of Internet Governance

Model Actors Institutions Concerns/Objectives

Open
multistakeholderism

NGOs, civil society,
business, and
government
agencies

ICANN, IGF Open Internet, net
neutrality, maintenance
of existing Internet
governance arrangement

Repressive multilateral Governments WCIT and ITU Multilateral Internet policy
decision making,
domestic control, and
security

Open multilateral Governments WCIT and ITU Multilateral Internet policy
decision making, equal
access, and greater
accountability

Notes: ICANN, Internet Corporation for Assigned Names and Number; IGF, Internet
Governance Forum; ITU, International Telecommunication Union; NGOs, nongovernment
organizations; WCIT, World Conference on International Telecommunications.

644 | POLITICS & POLICY / October 2014

“gatekeepers.” The open multistakeholder approach favors the maintenance of
this basic architectural design for political as well as technical reasons. The
end-to-end principle and net neutrality provide a safeguard against government,
as well as commercial, interference in Internet content.

The open multistakeholder model best describes the approach adopted by
the United States, and many of its allies at the WCIT. The first U.S. proposals
were published in August 2012, and called for only limited changes to the
ITRs, largely aimed at promoting market-based solutions instead of global
regulations. The proposals noted that the telecommunications market has
transformed significantly since 1988, when most traffic was exchanged between
monopoly carriers in the form of fixed telephony, fixed data, and telegraph. By
contrast, in today’s market, most traffic is exchanged between commercial
carriers operating in competitive environments. The United States, therefore,
proposed to include provisions in the revised treaty that would promote further
market liberalization and private sector investment. With regard to Internet
governance, the U.S. position was made clear.

[T]he United States will not support proposals that would increase the
exercise of control over Internet governance or content. The United States
will oppose efforts to broaden the scope of the ITRs to empower any
censorship of content or impede the free flow of information and ideas. It
believes that the existing multi-stakeholder institutions, incorporating
industry and civil society, have functioned effectively. (USA Proposals for
the Work of the Conference Document #E, 1-2)

The United States, therefore, sought to maintain the status quo with respect
to Internet governance, namely a decentralized, free-market approach with the
public–private partnership of ICANN at its center. The U.S. position is
consistent with long-held political values concerning freedom of expression and
a limited role of government in the economy, but it is also conveniently
self-serving. Despite ICANN’s global influence, it clearly remains a U.S.
construct.

The open multistakeholder model also applies, to some extent, to the
membership composition of the U.S. delegation to the WCIT. The 95-member
U.S. delegation included representatives from government (e.g., State
Department, Department of Defense, and the Federal Communications
Commission), industry (e.g., Google, Facebook, Cisco, Amazon, AT&T, and
Verizon), and consumer advocacy groups (e.g., Public Knowledge).7 Although
civil society groups played advisory roles, since only member states can vote,
their influence was brought to bear in terms of their expertise and as a result of
a global media campaign that raised awareness of Internet governance issues.

7 For a full list of the U.S. delegation, see U.S. Department of State (2012).

Glen / INTERNET GOVERNANCE | 645

For instance, prior to the start of the WCIT, Google launched a “Take Action”
online petition in support of a “free and open Internet,” which urged users to
oppose new Internet regulations; it received more than three million signatures.8

Yet the number of nongovernmental participants in the U.S. delegation appears
to be heavily weighted toward corporate interests, whose concerns clearly do
not always coincide with those of broader civil society groups.

The repressive multilateral model with respect to the WCIT applies to those
governments that seek both to use the Internet to enhance domestic security and
to internationalize Internet governance. This type of increased Internet control
has been on the rise in recent years, as a 2009 report by Freedom House makes
clear.

Even as new information sources become more prevalent and influential
governments and in some cases private actors, [sic] have begun to push
back through the development of techniques designed to control what
people read, view and discuss. (Karlecker and Cook 2009, 1)

The report goes on to say that for the most repressive regimes, “torture and
imprisonment await those who cross ‘red lines’ separating acceptable and
unacceptable behavior” (Karlecker and Cook 2009, 1). The most technically
sophisticated method of control, known as deep packet inspection, directly
challenges the end-to-end principle since it allows for third-party examination
and manipulation of information as it travels over networks. Every digitized
packet of online data can be deconstructed, examined for key words, and
reconstructed within milliseconds. It is conceivable that governments could, and
perhaps do, use deep packet inspection as a subtle form of censorship.
Removing criticism or rewriting news stories as the information passes through
the networks is a more cost-effective and subtle form of censorship simply than
blocking web access (Wagner 2009).

It is clear from these examples that sovereign states can, and do, exercise
considerable control over some parts of the Internet. However, they cannot
disconnect from the wider Internet entirely if they are to reap the economic
rewards that it brings. This has forced some countries into “imperfect
compromises” that try to balance information security with economic benefits
(Nye 2014). While authoritarian regimes might prefer to act unilaterally, the
interconnectivity of the Internet and the need for global regulation and
standardization prevents them from doing so. The best that they can hope for is
to try to replicate domestic policy at the international level. This requires
cooperation with like-minded governments; it also requires placing Internet
governance firmly in the hands of intergovernmental institutions where they
have the most influence.

8 Google’s “Take Action” website is https://www.google.com/takeaction/

646 | POLITICS & POLICY / October 2014

https://www.google.com/takeaction/

The repressive multilateral model focuses attention on governments that not
only seek to strengthen their own security, but also shift responsibilities for
Internet governance to a multilateral intergovernmental body, such as the ITU.
A proposal at the WCIT, known as Contribution 27, submitted by Russia,
China, Saudi Arabia, Algeria, Sudan, and Egypt, fits that classification. Explicit
within the document were statements that directly challenged the existing
Internet governance framework. It called for greater national controls over
Internet routing and content. Article A.2 notes: “Member States shall have
equal rights to manage the Internet . . .” Article 3A.3 asserts: “Member states
shall have the sovereign right to establish and implement public policy,
including international policy, on matters of Internet governance . . .” The
document also challenged ICANN’s monopoly control over domain names.
Article 3B.1 declares: “Member states have the right to manage all naming,
numbering, addressing and identification resources used for international
telecommunications/ICT within their territories” (WCIT 12/27 2012).

Although Contribution 27 failed to gain enough support for these
statements to be included in the final treaty, its proponents did succeed in
adding language to the final document that has important implications for
Internet governance. Three provisions, in particular, proved to be controversial.
The first was Resolution Plen/3 entitled To foster an enabling environment for the
greater growth of the Internet, which declares that as “the Internet is a central
element of the information society . . . all government should have an equal role
and responsibility for international Internet governance” (WCIT Final Acts
2012, 20). This provision was opposed by dozens of countries, since they
regarded it as a step toward intergovernmental control of the Internet and a
challenge to the existing multistakeholder framework. As a result, it was
included only in the nonbinding appendix of the final document. Perhaps of
greater significance was the inclusion of security-related sections in the treaty, in
Article 5A Security and Robustness of Networks and Article 5B Unsolicited Bulk
Electronic Communications (WCIT Final Acts 2012). While these articles do not
deal with Internet governance specifically, they contain provisions that would
require greater coordination and government oversight of Internet practices,
including network security, fraud, and spam. Such obligations are distinct from
the existing 1988 ITRs because they clearly go beyond technical standardization
to deal with content.

In addition to content-related issues, several countries were concerned that
references to security in the treaty could be used by some regimes to reinforce
control of telecommunications. The inclusion of security-related issues in
Article 5 is illustrative of an ongoing effort to transform the prevalent norms on
which Internet governance has been based, from openness and freedom to
security and control. Such efforts represent the culmination of several earlier
attempts. For instance, in September 2011, China, Russia, Tajikistan, and
Uzbekistan, proposed an international code of conduct for Internet security to
the General Assembly of the UN. The document asserted that policy authority

Glen / INTERNET GOVERNANCE | 647

for the Internet is the sovereign right of all states, and called for global
cooperation with regard to “curbing dissemination of information which incites
terrorism, secessionism, extremism or undermines other countries’ political,
economic and social stability, as well as their spiritual and cultural
environment” (Code of Conduct A/66/359 (C) 2011, 4). This resolution offers a
succinct overview of the policy positions that several countries promoted at the
WCIT. Such positions are consistent with the repressive multilateral model
because, if implemented, they would allow governments to “legitimately”
obstruct communications with which they disagree, including “spiritual” and
“cultural” content.

The final approach, the open multilateral model, applies to those
governments that seek to internationalize Internet governance, but are not
primarily motivated by issues of domestic control. In this model, multilateralism
is viewed as having value in its own right. The open multilateral model applies
to countries that are lower on the global power hierarchy and view
multilateralism as a way to increase their influence. For powerful states, the
downside of multilateralism is some loss of policy control, but for weaker
countries participation in multilateral institutions can provide additional venues
in which to exercise authority. Multilateralism is “the most egalitarian form
of cooperation and decision making” because developing countries can
potentially have an equal voice (Powell 2003, 7). Even if those countries are
underrepresented in multilateral institutions, this is preferable to the complete
absence of representation that they might face in traditional state-centric
arrangements. Multilateral institutions also have the potential to provide
greater external accountability than state-centric forms of decision making. As
Keohane (2002) notes, even when governments are internally accountable, as is
the case in democracies, it is often difficult to hold them externally accountable.
Multilateral institutions can effectively do so, at least on some issues, because
“intergovernmental institutions are among the most accountable entities in
world politics” (Keohane 2002).

The open multilateral model applies to those WCIT participants who were
primarily concerned with accountability in Internet governance, as well as
nondiscriminatory access to Internet resources. The target of much of their
concerns was the perceived lack of accountability in ICANN. For instance,
during the 2005 WSIS, India, Brazil, and South Africa (a group known as IBSA)
challenged ICANN’s dominance directly when they identified an “urgent need”
for the establishment of an Internet oversight entity that would be part of the
UN system. Attempts were also made to link the issue of the global digital divide
to Internet governance. One Brazilian delegate, for example, argued that the
digital divide is not simply about financial inequalities and access to computers,
it is also concerned with “political inequalities, arising from the inability of
developing countries to influence Internet decision-making” (Capdevila 2005,
16). Such criticism of ICANN is not limited to developing countries. In 2010,
the U.S. Department of Commerce accused ICANN of falling short in its

648 | POLITICS & POLICY / October 2014

response to an accountability review, and that its efforts to strengthen
transparency and accountability “are incomplete.”9

During the 2012 WCIT, proposals that emanated from developing country
blocs fit most closely with the open multilateral model. These countries sought
to internationalize Internet governance, and they challenged the dominant role
of ICANN in a way that is similar to the repressive multilateral model.
However, in addition, they pressed for provisions to be included in the treaty
that would guarantee nondiscriminatory access. This proposal proved to be
unexpectedly controversial and ultimately brought to an end any possibility of
unanimity. The problem emerged during final discussions when the African
block proposed adding text in the preamble that raised the issue of human rights
and recognized “the right of access of Member States to international
telecommunications services” (ITU 2012, 1). Equal access is an important issue
for developing countries, several of which have complained that the current
multistakeholder model of Internet governance is not as open and inclusive as
has been claimed. Under the existing framework, governing bodies such as
ICANN are dominated by the Global North, which means that often
developing world perspectives and problems are not fully represented nor
addressed. Even as the Internet becomes more important in the developing
world, non-Westerners are not entering the leadership of multistakeholder
organizations. Mueller and Woo (2004, 10) note that developing countries are
disadvantaged in ICANN as a result of a number of structural issues, including
language, funding, and cultural factors that hamper communication and
understanding. For these countries, the ITU holds at least the promise of
greater representation because as an intergovernmental organization, it is based
on the principle of one country one vote.

The idea of including a reference to human rights in the treaty was
immediately rejected by the United States, Canada, and several European
states, and they refused to sign the revised treaty.10 The amendment nevertheless
passed with 77 votes in favor, 33 against, and eight abstentions. The African
bloc was joined by several Middle Eastern countries, as well as China and Cuba.
So ironically, pro-Internet freedom democracies argued against declaring
Internet access as a human right, while nondemocracies argued in favor of that

9 On the other hand, despite such criticism, it is clear that the U.S. government regards ICANN
as the most appropriate body to oversee global Internet governance; it should be restructured but
not abolished.
10 The U.S. government listed five reasons for rejecting the treaty: (1) terminology: expanding the
definition with regard to which entities will be covered by the treaty; (2) spam: seen as a form of
content, the regulation of spam opens the door to regulating other forms of content, including
political and cultural speech; (3) security: granting that authority to deal with cybercrime could
lead to an abuse of power if governments use this as a pretext to review and control content; (4)
Internet governance: the United States will not support any UN-sanctioned Internet control or
mandates; (5) Internet resolution: the WCIT is not the appropriate venue to discuss Internet
issues, so Resolution 3 should be removed (Popescu 2012).

Glen / INTERNET GOVERNANCE | 649

right. This incongruity can be explained by the type of human rights that were
being discussed. Since the amendment argues for the establishment of a right of
access for countries, not a right of access for people, it is not surprising that
countries like China and Cuba supported its inclusion. Moreover, such regimes
would naturally favor an amendment that guarantees access as insurance
against possible Internet sanctions imposed by the U.S. government. At the
same time, none of this self-interested maneuvering changes the basic
proposition that the current multistakeholder model does not serve the
developing world well. Ultimately, the dispute over access proved to be the
barrier that brought the WCIT to a close without consensus. Of the 144
countries present, 89 signed the new treaty, while 55 did not.

Although most of the countries that refused to sign the treaty are advanced
democracies and most of the nonsignatories are not, it would be overly
simplistic to explain the outcome of the conference solely in these terms. With
respect to Internet governance, three broad perspectives were evident before and
during the WCIT: first, those who sought to protect the status quo, represented
by the open multistakeholder model; second, those who sought to strengthen
domestic Internet controls and internationalize Internet governance,
represented by the repressive multilateral model; and finally a third group,
characterized by the open multilateral model, was primarily motivated by access
and representation issues. Figure 1 confirms that nonsignatory countries were a
heterogeneous group in terms of their political makeup. Using Freedom House
data from 2012, signatory countries are relatively evenly divided across “free,”
“partially free,” and “not free” classifications. Since more than one-quarter of

Figure 1.
Signatories and Nonsignatories of the 2012 World Conference on International

Telecommunications (WCIT) Final Acts

650 | POLITICS & POLICY / October 2014

signatory countries are designated as free, it is difficult to assert that support for
the WCIT treaty was predicated entirely upon a desire to adopt repressive
Internet controls. Similarly, although a majority of nonsignatory countries are
“free,” almost one-fifth are classified as “partially free” or “not free.” This
contradicts a common perception that depicts disputes at the WCIT as
primarily disagreements between freedom-loving democracies and security-
obsessed dictatorships.

Conclusion

While the dire predictions made prior to the WCIT that the UN was about
to take over the Internet were clearly overblown, the December 2012 conference
nevertheless represented a significant challenge to the current multistakeholder
model of Internet governance. That challenge is part of a longer term trend that
sees some governments attempting to territorialize cyberspace, increasingly
placing domestic controls on the Internet, and demanding sovereign rights over
the technology. Attempts to transfer responsibility for Internet governance
from bodies such as ICANN to the ITU is part of this trend because the latter
is an intergovernmental multilateral body where only countries have the right to
vote, to the exclusion of civil society. During the WCIT, it was clear that many
governments prefer a multilateral state-centric form of Internet governance to a
distributed multistakeholder one. While this idea was not universally accepted,
references in the treaty to Internet security in particular indicate that the state is
trying to reassert control over the “global commons.”

In the period following the 2012 WCIT, tensions between proponents
of intergovernmentalism and multistakeholderism continued. These were
heightened by revelations by Edward Snowden of electronic eavesdropping by
the U.S. National Security Agency (NSA). At the 24th session of the Human
Rights Council in September 2013, Pakistan, speaking on behalf of Ecuador,
Venezuela, Cuba, Zimbabwe, Uganda, Russia, Indonesia, Bolivia, Iran, and
China, expressed concerns regarding the use of advanced surveillance
technologies. They declared that the Internet should not be operated by “a few
who have misused it without any international legislation and monitoring
of these abuses.” The statement went on to demand an “international
intergovernmental mechanism of Internet governance” (Joint Statement 2013).

In March 2014, the Obama Administration unexpectedly announced that it
would cede control over ICANN when the organization’s current contract with
the U.S. Commerce Department expires in September 2015. Although this move
was criticized by many as “giving the Internet away,” it can also be viewed as an
attempt to forestall pressures for greater intergovernmental control in light of
the NSA scandal. The Obama Administration has made it clear that specific
conditions need to be satisfied before the transfer of authority can occur. The
new system of oversight should incorporate four principles: (1) support and
enhance the multistakeholder model; (2) maintain the security, stability, and

Glen / INTERNET GOVERNANCE | 651

resiliency of the Internet domain name system; (3) ensure transparency,
accountability, and auditability; and (4) maintain the openness of the Internet.
The Obama Administration has also explicitly stated that it would not accept a
proposal that replaces the Commerce Department’s role with a government-led
or an intergovernmental solution.11

The future of ICANN remains to be seen, as does the future of Internet
governance more generally. This study is necessarily exploratory, but it does
point to an important emerging trend, namely that Internet governance is
entering a new phase in its development. Although the multistakeholder
tradition has been robust for some time, the current analysis suggests that the
role of nongovernmental actors in governance can be quickly marginalized with
the reassertion of state power. The literature on global governance promotes the
idea that the relative influence of states is declining in relation to a multiplicity
of nonstate actors. With respect to Internet governance, there is no doubt
that the impact of such actors has been great. However, if the state can
reassert authority over this arena, a policy area where nonstate actors have
been prominent, then it is clearly too early to assert the triumph of
multistakeholderism over multilateralism.

About the Author

Dr. Carol M. Glen is a professor of political science at Valdosta State
University. She has published in a number of areas, including the United
Nations and global governance, international security, human rights,
nationalist movements, and technology and politics.

References

BIERSTECKER, THOMAS J. 2011. “Global Governance.” In Routledge
Companion to Security, edited by Miriam Dunn Cavelty and Victor Mauer. New
York: Routledge. 439-451.

CAMMAERTS, BART. 2011. “Power Dynamics in Multi-Stakeholder Policy
Processes and Intra-Civil Society Networking.” In The Handbook of Global
Media and Communication Policy, edited by Robin Mansell and M. Raboy.
Oxford, UK: Wiley-Blackwell. 131-146.

11 Testimony of Lawrence E. Strickling, Assistant Secretary for Communications and Information
National Telecommunications and Information Administration United States Department of
Commerce, before the Subcommittee on Communications and Technology Committee on Energy
and Commerce United States House of Representative, April 2, 2014.

652 | POLITICS & POLICY / October 2014

CAPDEVILA, GUSTAVO. 2005. “Internet: Groups Meet to Hash Out Who’s in
Charge.” Inter Press Service English News Wire. Accessed on July 15, 2014.
Available online at http://www.highbeam.com/doc/1P1-113100672.html

CERF, VINTON. 2005. “Letter to Committee on Energy and Commerce.” U.S.
House of Representatives. Accessed on January 21, 2013. Available online at
http://googleblog.blogspot.com/2005/11/vint-cerf-speaks-out-on-net-neutrality
.html

CODE OF CONDUCT A/66/359 (C). 2011. “Letter Dated 12 September 2011
Form the Permanent Representative of China, the Russian Federation
Tajikistan, and Uzbekistan to the United Nations Addressed to the Secretary
General.” General Assembly of the United Nations, 66th Session.

DINGWERTH, KLAUS. 2008. “From International Politics to Global
Governance? The Case of Nature Conservatism.” Garnet Working Paper No.
46/08. Institute for Intercultural and International Studies, University of
Bremen.

DINGWERTH, KLAUS, and PHILLIP PATTBERG. 2006. “Global Governance as a
Perspective on World Politics.” Global Governance 12: 185-203. Accessed on
July 15, 2014. Available online at http://www.jstor.org/stable/27800609

DREZNER, DANIEL W. 2004. “The Global Governance of the Internet: Bringing
the State Back In.” Political Science Quarterly 119 (3): 477-498.

FINKELSTEIN, LAWRENCE S. 1995. “What Is Global Governance?” Global
Governance 1 (3): 367-372. Accessed on July 15, 2014. Available online at
http://www.jstor.org/stable/27800120

GLASBERGEN, P., ed. 1998. “The Question of Environmental Governance.” In
Co-Operative Environmental Governance; Public-Private Agreements as a Policy
Strategy. Dordrecht, The Netherlands: Kluwer Academic Publishers. 133-156.

HAAS, PETER M. 1992. “Introduction: Epistemic Communities and
International Policy Coordination.” International Organization 46 (1): 1-35.
Accessed on July 15, 2014. Available online at http://www.jstor.org/stable/
2706951

HEMMATI, MINU, ed. 2002. Multi-Stakeholder Processes for Governance and
Sustainability: Beyond Deadlock and Conflict. London: Earthscan.

HOCKING, BRIAN. 2006. “Multistakeholder Diplomacy Forms, Functions and
Frustrations.” In Multistakeholder Diplomacy: Challenges and Opportunities,
edited by Jovan Kurbalija and Valentin Katrandjiev. DiploFoundation.
Accessed on February 3, 2013. Available online at http://textus.diplomacy.edu/
textusbin/env/scripts/Pool/GetBin.asp?IDPool=95613-29

Glen / INTERNET GOVERNANCE | 653

http://www.highbeam.com/doc/1P1-113100672.html

http://googleblog.blogspot.com/2005/11/vint-cerf-speaks-out-on-net-neutrality.html

http://www.jstor.org/stable/27800609

http://www.jstor.org/stable/27800120

http://www.jstor.org/stable/2706951

http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=95613-29

INTERGOVERNMENTAL FORUM. 2009. “Workshop (319) on Fundamentals:
Core Internet Values.” Accessed on February 21, 2013. Available online at
http://isocindiachennai.org/?p=122

ITU. 2012. “Final Acts of the World Conference on International
Telecommunications.” Dubai. Accessed on December 18, 2012. Available
online at http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12

JOINT STATEMENT. 2013. “On Behalf of Group of Countries Joint Statement on
Right to Privacy 24th Session of HRC.” Accessed on June 23, 2014. Available
online at https://cdt.org/files/pdfs/HRC24_Pakistan_20130919-1

KARLECKER, KAREN D., and SARAH G. COOK. 2009. “Access and Control: A
Growing Diversity of Threats to Internet Freedom.” Freedom House
Special Report. Accessed on August 1, 2011. Available online http://www
.freedomhouse.org/sites/default/files/Freedom%20OnThe%20Net_Full%20
Report

KEOHANE, ROBERT. 2002. “Global Governance and Democratic
Accountability.” Accessed on October 26, 2012. Available online at http://
unpan1.un.org/intradoc/groups/public/documents/apcity/unpan034133

KJAER, ANNE METTE. 2004. Governance. Cambridge, UK: Polity Press.

KLEIN, HANS. 2002. “ICANN and Internet Governance; Leveraging Technical
Coordination to Realize Global Public Policy.” The Information Society 18:
193-207. Accessed on July 15, 2014. Available online at http://www.ip3.gatech
.edu/images/Klein-Governance

KRASNER, STEPHEN. 1983. International Regimes. Ithaca, NY: Cornell
University Press.

LEVINSON, NANNETTE. 2012. “Ecologies of Representation: Knowledge,
Networks, & Innovation in Internet Governance.” Paper prepared for the 2012
APSA Annual Meeting Information Technology & Politics Section. August
30-September 2.

MACIEL, MARILIA, and CARLOS AFFONSO PEREIRA DE SOUZA. 2011.
“Multi-Stakeholder Participation on Internet Governance: An Analysis from
A Developing Country Civil Society Perspective.” Accessed on February 18,
2013. Available online at http://www.apc.org/en/pubs/issue/governance/multi
-stakeholder-participation-internet-governanc

MUELLER, M., and J. WOO. 2004. “Participation in International Governance
Regime by the ‘Rest of the World’: An Analysis of ICANN.” Paper presented
at the Annual Meeting of the International Communication Association, New
Orleans Sheraton, New Orleans, LA. May 27-31. Accessed on June 16, 2014.
Available online at http://www.allacademic.com/meta/p112362_index.html

654 | POLITICS & POLICY / October 2014

http://isocindiachennai.org/?p=122

http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12

https://cdt.org/files/pdfs/HRC24_Pakistan_20130919-1

http://www.freedomhouse.org/sites/default/files/Freedom%20OnThe%20Net_Full%20Report

http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan034133

http://www.ip3.gatech.edu/images/Klein-Governance

http://www.apc.org/en/pubs/issue/governance/multi-stakeholder-participation-internet-governanc

http://www.allacademic.com/meta/p112362_index.html

MUELLER, MILTON L. 2010. Networks and States. Boston, MA: Massachusetts
Institute of Technology.

NYE, JOSEPH. 2014. “Safeguarding Cyber Space.” Project Syndicate.
Accessed on July 2, 2014. Available online at http://www.project-syndicate
.org/commentary / joseph – s–nye – contrasts – multilateral – and – multi-stakeholder
–approaches-to-governing-cyberspace

POPESCU, ADAM. 2012. “5 Reasons Why the U.S. Rejected the ITU Treaty.”
Readwrite. December 14. Accessed on July 3, 2013. Available online at
http://readwrite.com/2012/12/14/5-reasons-why-the-us-rejected-the-itu-treaty

POWELL, LINDSAY. 2003. “In Defense of Multilateralism.” Yale Center for
Environmental Law and Policy. Accessed on February 12, 2013. Available online
at http://www.yale.edu/gegdialogue/docs/dialogue/oct03/papers/Powell

RASMUSSEN, TERJE. 2007. “Techno-Politics, Internet Governance and Some
Challenges Facing the Internet.” Oxford Internet Institute, Research Report.
October 15. Accessed on June 18, 2014. Available online at http://papers.ssrn
.com/sol3/papers.cfm?abstract_id=1326428

RHODES, R. A. W. 1997. Understanding Governance: Policy Networks,
Governance, Reflexivity and Accountability. 1st edition. Buckingham, UK: Open
University Press.

ROSENAU, JAMES N. 1992. “Governance, Order, and Change in World
Politics.” In Governance without Government: Order and Change in World
Politics, edited by James N. Rosenau and Ernst-Otto Czempiel. Cambridge:
Cambridge University Press. 1-29.

SALTZER, J. H., D. REED, and D. D. CLARK. 1981. “End-to-End Arguments in
System Design.” In Proceedings of the Second International Conference on
Distributed Computing Systems. Paris, France. IEEE Computer Society. April
8-10. 509-12.

SLAUGHTER, ANNE-MARIE. 2004. A New World Order. Princeton, NJ:
Princeton University Press.

SLAUGHTER, ANNE-MARIE, and DAVID ZARING. 2006. “Networking Goes
International: An Update.” Annual Review of Law and Social Science 2:
211-229.

STOKER, GERRY. 1998. “Governance as Theory: Five Propositions.”
International Social Science Journal 50 (155): 17-28. Accessed on July 15,
2014. Available online at http://onlinelibrary.wiley.com/doi/10.1111/1468-2451
.00106/abstract

Glen / INTERNET GOVERNANCE | 655

http://www.project-syndicate.org/commentary/joseph-s-nye-contrasts-multilateral-and-multi-stakeholder-approaches-to-governing-cyberspace

http://readwrite.com/2012/12/14/5-reasons-why-the-us-rejected-the-itu-treaty

http://www.yale.edu/gegdialogue/docs/dialogue/oct03/papers/Powell

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1326428

http://onlinelibrary.wiley.com/doi/10.1111/1468-2451.00106/abstract

STRECK, CHARLOTTE. 2002. “Global Public Policy Networks as Coalitions for
Change.” In Global Environmental Governance, Options and Opportunities,
edited by Ivanova Esty. New Haven, CT: Yale School of Forestry and
Environmental Studies. 121-140.

TOURE, HAMADOUN. 2011. “Worldwide Internet Users Reaches 2bn.”
News.com.au. Accessed on August 10, 2011. Available online at http://www
.news.com.au/technology/worldwide-internet-users-reaches-2bn/story-e6frfro0
-122599532828

USA PROPOSALS FOR THE WORK OF THE CONFERENCE. 2012. “Document
#E.” Accessed on February 21, 2013. Available online at http://www.state.gov/
documents/organization/196244

U.S. DEPARTMENT OF STATE. 2012. “World Conference on International
Telecommunications (WCIT) Delegation List.” October 25. Accessed on July
15, 2014. Available online at http://www.state.gov/e/eb/cip/rls/199736.htm

VAN KERSBERGEN, KEES, and FRANS VAN WAARDEN. 2004. “Governance as
a Bridge between Disciplines: Cross-disciplinary Inspiration Regarding Shifts in
Governance and Problems of Governability, Accountability and Legitimacy.”
European Journal of Political Research 43 (2): 143-171. Accessed on July 15,
2014. Available online at http://onlinelibrary.wiley.com/doi/10.1111/j.1475
-6765.2004.00149.x/abstract

VERDIER, PIERRE-HUGUES. 2009. “Transnational Regulatory Networks and
Their Limits.” The Yale Journal of International Law 34: 113-172. Accessed on
July 15, 2014. Available online at http://papers.ssrn.com/sol3/papers.cfm?
abstract_id=1333201

WAGNER, BEN. 2009. “Deep Packet Inspection and Internet Censorship:
International Convergence on an ‘Integrated Technology of Control.’ ”
Accessed on August 17, 2011. Available online at http://advocacy.globalvoices
online.or

WAZ, JOE, and WEISER PHIL WEISER. 2012. “Internet Governance: The Role of
Multistakeholder Organizations.” Journal of Telecommunications and High
Technology Law 10 (2): 331-350. Accessed on July 15, 2014. Available online at
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2195167

WCIT 12/27. 2012. “Russia, UAE, China, Saudi Arabia, Algeria, Sudan, and
Egypt Proposals for the Work of the Conference.” December 5.

WCIT FINAL ACTS. 2012. “Final Acts: World Conference on International
Telecommunications.” Dubai, December 3-14. Accessed on July 14 2014.
Available online at http://www.itu.int/en/wcit-12/Documents/final-acts-wcit
-12

656 | POLITICS & POLICY / October 2014

http://www.news.com.au/technology/worldwide-internet-users-reaches-2bn/story-e6frfro0-122599532828

http://www.state.gov/documents/organization/196244

http://www.state.gov/e/eb/cip/rls/199736.htm

http://onlinelibrary.wiley.com/doi/10.1111/j.1475-6765.2004.00149.x/abstract

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1333201

http://advocacy.globalvoicesonline.or

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2195167

http://www.itu.int/en/wcit-12/Documents/final-acts-wcit-12

WORKING GROUP ON INTERNET GOVERNANCE. 2005. “Background Report.”
June. Accessed on June 29, 2014. Available online at http://www.wgig.org/docs/
BackgroundReport

WU, TIM. 2003. “Network Neutrality, Broadband Discrimination.” Journal of
Telecommunications and High Technology Law 2: 145. Accessed on July 15,
2014. Available online at http://papers.ssrn.com/sol3/papers.cfm?abstract_id
=388863

ZANINI, MICHELE, and SEAN J. A. EDWARDS. 2001. “The Networking of
Terror in the Information Age.” In Networks and Netwars: The Future of Terror,
Crime, and Militancy, edited by John Arquilla and David Ronfeldt. Santa
Monica, CA: RAND. 29-60.

Glen / INTERNET GOVERNANCE | 657

http://www.wgig.org/docs/BackgroundReport

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=388863

The 14th International Scientific Conference

eLearning and Software for Education

Bucharest, April 19-20, 2018
10.12753/2066-026X-18-222

The Appearance and Development of National Cyber Security Strategies

Petrișor PĂTRAȘCU
“Carol I” National Defence University, Panduri str. No. 68-72, 5th distr., Bucharest, Romania

patrascupetrisor@yahoo.com

Abstract: In the last years, digital world have took a lot of importance applied on multiple fields, due to

benefits, but also due to multiple number of users from both government and private companies. This

development had involved a lot of risks and vulnerabilities. Nowadays a lot of vulnerabilities had been

attacked, another ones had been tried to jeopardize and because of that were issued measurements for

protection and cyber defense. The cyber security concept was generate by a permanent development of

the information and communications technology, due to an increased number of users, due to an

increased number of cyber threats and attacks and also due to the importance of this concept as an

instrument of the national power strength. All through, the cyberspace became a field that applied to

diplomatic, information, economic and military level of the global and country policy. The cyber

security had an ascendant course started from technical discipline, developed to tactical level and

finally reached strategically level of the powerful countries. Development of the cyber security became

country policy and worldwide directives as a consequence of an increased number of threats and cyber-

attacks. Because of those a lot of states took a lot of countermeasures to protect the national cyber

infrastructure. Is observed that those countermeasures had been took when the cyber infrastructures

were attacked or after that. Therefore, after these moments when cyber-attacks became a threat to

critical cyber infrastructure, worldwide countries started to take in consideration that prevention is the

basement of the cyber security and started to develop strategies and some of these states applied laws of

cyber security.

Keywords: technology, risks and vulnerabilities, cyber security strategy.

I. MOTIVATION AND BACKGROUND FOR THE APPEARENCE
OF STRATEGIES

As a preamble of what was to happen over a quarter of a century, the 1982 cyberattack was the

first event that opened a new challenge to the classical confrontational environment. The 1982

cyberattack was one of the Cold War’s results, involving the secret services of both Cold War

combatants. American specialists have created and placed a logical bomb in the software of a

computerized control system and deliberately left it to the Soviet services to be accessed.

Subsequently, the devastating physical effects of a Siberian energy transmission network

appeared, which were described as [1] the largest non-nuclear explosion ever detected in space.

The first significant moment in cyberspace, with worldwide resonance, was represented by the

2007 cyberattacks in Estonia.

Prior to the launch of the attacks, the Estonian government administrative system consisted of

150 public information systems serving approximately 1,000 electronic services. Almost half of the

citizens knew how to use the public electronic services, and public organizations and businesses were

using Estonian x-road digital services on a daily basis. Banking operations were largely electronic,

recently targeting the rural population as well. The voting system was using the Internet for the first

time in the populated areas that had access to the network, the mobile telephony had extended

mailto:patrascupetrisor@yahoo.com

throughout the territory and also the national education system benefited from the facilities provided

by them [2].

Compared to other Eastern bloc countries, at that time, Estonia was much more developed in

the digital field, with major investments in modern technologies and a responsive population to the

innovation through which most of them had acquired the quality of users. In this context and due to

the lack of a security strategy, cyberattacks on public and private institutions and organizations were

launched between April-26 and May-18-2007.

The attacks took place in two different phases, each consisting of several events. The initial

phase, unfolded during the first three days, consisted of simple, spontaneous and ad-hoc attacks.

Denial of Service (DOS) attacks on targeted computers were launched, followed by ping of death

attacks directed at government and Estonian press websites.

In the second phase, the attacks were more intense, more sophisticated, through strong botnet

networks. Simultaneously, several websites were attacked, most of them governmental. At this stage,

Distributed Denial of Service (DDOS) attacks prevailed, the effects of which were also felt by users

outside of the country. The transition from simple attacks to the most complex ones was carried out

gradually, and the latter were coordinated by specialized structures in the field, following well-

established plans, targets and allocated resources.

The moment of the attacks in Estonia will remain the zero kilometer point in the history of

cybernetic security. From here on, the cyberspace defense has been taken seriously by several nations,

and the identified results have contributed tremendously to strategy and policy-making. Also, the aid

received from other states during the attacks has proven the benefits of the cooperation between states.

Another important moment, which occurred closely in time, is represented by the cyberattacks

on Georgia in the summer of 2008. Techniques and means of attack were basically similar to those in

Estonia, but less in number, on the grounds that cybernetic infrastructure in Georgia was not so

developed. The cyberattacks were DDOS type, targeting public and private organizations, aiming to

destabilize the operation of cyber-infrastructures.

The novelty was the combination between the cyberspace and the classic confrontation

environment where “it was the first time when a known cyberattack coincided with a real conflict”

[3]. The cybernetic offensive has preceded Russia’s aerial, maritime and land-based military actions

on Georgian forces.

Thus, the result is that cyber-actions in the context of classical conflicts benefits the side that

uses them to achieve success at the expense of those who do not use them or who have not

implemented defense measures to protect their critical infrastructures.

Another country where critical infrastructures were affected by cyberattacks is Iran. In 2010, a

computer virus called STUXNET has managed to get into the Iranian nuclear power plants. Kaspersky

Lab’s specialists [4] have confirmed that this is a highly sophisticated and unique IT industry attack,

prepared by a team of cybercriminals with extensive knowledge of SCADA technology (Supervisory

Control and Data Acquisition). Interestingly, it was not spread through the INTERNET, but only

through the local networks with the help of physical sources. It was largely designed to destroy the

nuclear centrifuge control systems. At that time, Iran was very active in the nuclear field and yet, with

the help of software system vulnerabilities, the power plants could be sabotaged and damaged.

Following these major events, the number of threats and cyberattacks has grown throughout

the world in the years to come. The most significant ones, independently directed at one single state,

were reported around crisis and conflict situations, in countries such as Ukraine or North Korea. The

rest of the attacks were of lesser intensity or have not yet managed to destroy national critical

infrastructures. After the attacks outlined in the above, there have been reports from both field and

media specialists signaling numerous other cyberattacks with a different typology, that have been

launched simultaneously or shortly after, directed at several states and targeting one or more of many

cyber infrastructures, especially the critical ones in various sectors of activity.

II. EVOLUTION OF STRATEGIES

Simultaneously with the evolution of attacks and threats, cybersecurity has become

increasingly important for nations. As a result of these signals, the states have begun to take such

events very seriously.

Initially, some of them have developed and adopted cyber defense regulations as part of the

national security strategies, later on the accent being set on the cybersecurity strategies alone, a fact

which also points to the transition from the cyber defense concept to the cybersecurity concept.

The first cybersecurity strategy was adopted by the US [5] in 2003, being a milestone both for

its own future strategies and for other world states strategies. Also in the past decade, Malaysia has

adopted its strategy in 2006 and Estonia in 2008 as a result of the attacks from the previous year. If we

analyze the geographical position of these three countries, we can note that from the very beginning

the adoption of national strategies has started from all over the world, which implies an extended

deployment environment. Cyber threats and attacks are dynamic, have no borders and can easily target

various critical infrastructures of nations.
One of the first countries to closely reflect on the issue of cyber-security was the United States

of America. Motivated by the context of the terrorist attacks of September 11, 2001, they have

succeeded in adopting two years later the National Cybersecurity Strategy, its main objectives being

the prevention of cyberattacks against critical infrastructures, the reduction of national vulnerabilities

and the minimization of the effects of such attacks.

In 2009, the newly elected US president, Barack Obama, has called for a robust strategy to be

achieved within 60 days in order to combat current threats. Thus, the Cyberspace Policy Review [6]

has been developed and published with many cybersecurity enhancements to ensure confidence and

resilience of communications and information infrastructures.

In the past 15 years, over 70 countries have adopted cybersecurity strategies and policies. The

current situation, represented in Figure 1, shows that the highest percentage of national strategies

implemented relative to the number of countries of each continent is held by Europe, and at the

opposite end is Africa. European countries justify their classification also arguing that most of them

are members of NATO and the EU, which involved the forums of these organizations to reflect on

collective protection.

Greece is the only member country of the North Atlantic Organization that has remained at the

project stage in the adoption of the national cybersecurity strategy, and at European level, the

strategies of Serbia and Sweden are also in a project stage. The reason why Greece has not yet

managed to develop a strategy may also be due to its delicate situation in recent years, especially since

strategies involve financial spending and consumption of human resources.

For the American continent, the US and Canada are the main countries with important

cybersecurity efforts, and the Latin American countries are on the opposite side but they are also

showing signs that they are beginning to develop their cyber-strategies.

Figure1. Cybersecurity strategies adoption by states until 2017

Currently, according to Table 2 on the adoption of national cybersecurity strategies by the

world’s states, over a third have managed to adopt their own strategies and policies, and some of them,

including the Netherlands, Belgium, Estonia, the Czech Republic, France, Japan, Luxembourg,

Germany, the United Kingdom, Turkey have treated cybersecurity more rigorously and thus have

reached a much more advanced stage by improving the quality of strategies or by developing new

strategies. Countries such as Croatia, Latvia, Israel, the Czech Republic, Hungary, Lithuania and

Germany have put a great emphasis on information security, and thus have adopted laws that support

their strategies.

Year 2009 2010 2011 2012 2013 2014 2015 2016 2017

No. of strategies

adopted in that year
0 3 9 9 15 14 10 9 3

Total no. of strategies

adopted before the

next year

3 6 15 24 39 53 63 72 75

Table2. The number of states that have adopted cybersecurity strategies

Therefore, after a statistical analysis on the evolution strategies, the emerging conclusion is

that the period 2013-2014 is the lead in the adoption of national cybersecurity strategies according to

the data in table no. 2. The evolution of strategies adoption by states is an upward trend that can

continue in the future. In less than a decade, the number of strategies has grown considerably, which

implies a future continuity from the countries that have not yet implemented them and an

improvement from the countries that have already implemented them.

III. EDUCATION: One of the strategic cybersecurity objectives

There are listed a number of goals of the content strategy, starting from the first strategy of the

United States up to the present, including the goals on education which are seen not only a necessity

but also a long-term investment of the countries that are interested in building a strong cybersecurity.

Therefore, developing a culture of security in the area of education involves institutions,

academia, education providers and employers. Initiating and developing educational programs in

cybersecurity require two major stages, depending on levels of education.

The first stage is accomplished by establishing curricula for young people up to the age of 18

years, from primary to secondary school, aiming at discovering their skills and talents [7]. Therefore,

while formal educational activities are carried out in the classroom, non-formal activities are being

diversified by projects, after-school sessions or summer schools conducted by cybersecurity experts.

The second stage regards the undergraduate and postgraduate education that have a defining

role in the development of skills in order to obtain a certificate for a safe and reliable practice. At this

stage, the future cyber security profession is clearly outlined.

Currently, many countries have invested human and material resources to carry out educational

programs, as a feedback for the strategic objectives in terms of promoting and enhancing

cybersecurity. The aim of these programs consists into creating products for beneficiaries of the new

digital age.

Another important aspect of the strategy content is that through education the position of

science in information technology is extended and strengthens along with the expansion of university

programs.

For example, in Europe [8], the universities of 29 countries have introduced in their curriculum

the cybersecurity discipline. Thus, countries like Belgium, Spain, Cyprus, Ireland, Malta and the

Netherlands have adopted the option of distance learning where the classes take place online.

Introduction in Cybersecurity, Computer Science, Cybercrime Investigation, Online Course in

Cybersecurity are only some of the online cybersecurity courses.

Also, a thought model [9], represented in figure 1, consists of the following dimensions:

knowledge areas, crosscutting concepts, and disciplinary lenses.

Knowledge areas are intended for organizing cyber security context. Each area of knowledge is

structured in a flexible way depending on the requirements and consists of critical knowledge that

have a great importance in several computing disciplines.

Thus, the exploration of the connections between the areas of knowledge is performed through

the cross-disciplinary concepts, regardless of the disciplinary lens. They offer students an

organizational interleaving scheme for knowledge and strengthen the security mentality transmitted

through each knowledge area.

Disciplinary lens through its approach, depth of content and learning can develop the

cybersecurity program. The way of thinking includes the following disciplines: computer science,

computer engineering, information systems, information technology and software engineering. Thus,

the application of one of the transversal concepts may differ for the students that attend to certain

disciplinary lens, dependent on its objective.

The foundational requirements that support all of the curricular content include competencies

such as communication, analytical and problem-solving skills, numeracy, critical thinking, and

teamwork which are developed through general education. Along with technologica literacy and

ethical conduct, these requirements lead students to become contributing members of society.

In support of the states of the European Union, in 2016, ENISA launched the National Cyber

Security Strategies e-learning platform [10]. This platform is recommended for experts involved in the

process of creating or implementing a strategy at a national level.

The e-learning platform offers interactive training courses in order to facilitate the process of

designing a national cyber security strategy, implementing a national action plan, evaluating the cyber

security awareness after the end of the timeframe, raising awareness on cyber security topics and

offering advice to the public bodies that need to take over the initiative.

In fact, many organizations in the field have created e-learning platforms that provide courses to

strengthen the knowledge and skills of the beneficiaries. Most offer both general cyber security

solutions as well as particular cases depending on the requests. The achievements of a cyber security

e-learning platform involve three elements: infrastructure, content and services. Infrastructure consists

of a set of hardware and software resources that allow the user to access the necessary information.

Also, the content is the knowledge in electronic form that provides all the themes. Last but not least,

the services are represented by the curricula, the knowledge record, the beneficiary’s capacity

management and the requirements that the platform needs to manage.

Therefore, e-learning specific to cyber security is found on the one hand in universities, such as

those of the abovementioned countries, and on the other hand in institutions, companies or other

entities which are usually in the field of information security. Thus, the platform of universities relies

more on general knowledge and tries to cover a larger range of themes than some companies or

institutes that are more focused on delivering particular solutions.

Another increasingly common variation is the involvement of several actors through

partnerships to form solid platforms in cyber security. Among these partners are aligned security

service developers, mobile operators, one or more universities, and beneficiaries. All of these e-

learning platforms in the field of cyber security have emerged from the needs of specialists. In this

sense, they meet the requirements of the beginner to advanced level. Depending on the objectives

proposed, e-learning platforms specific to cyber security can be defensive capability testing platforms,

information platforms, incident management platforms, and platforms that offer security solutions.

These include, for the most part, threats and cyberattacks, security alerts, data security and cyber

infrastructures, cyber security assurance programs, while complying with international security

standards, such as ISO/IEC 27001:2013 – Information technology, Security techniques, Information security
management systems, Requirements [11]. The standard specifies the requirements for establishing,

implementing, maintaining and continually improving an information security management system

within the context of the organization. It also includes requirements for the assessment and treatment

of information security risks tailored to the needs of the organization. The requirements set out are

generic and are intended to be applicable to all organizations, regardless of type, size or nature.

In terms of e-learning specific standards, one of the most important standards is IEEE P1484 is

the model which was proposed by IEEE LTSC (IEEE Learning Technology Standards Committee)

[12]. This standard represents a data model for describing, referencing, and sharing competency

definitions, primarily in the context of online and distributed learning. This Standard provides a way to

represent formally the key characteristics of a competency, independently of its use in any particular

context. It enables interoperability among learning systems that deal with competency information by

providing a means for them to refer to common definitions with common meanings.

At the same time, cyberspace security, operating systems, software security, network security,

machine learning, advanced cryptography, risk management are among the most common disciplines

on platforms.

On the other hand, e-learning systems have the same characteristics and challenges as other

electronic services that require distribution of information. Moreover, this service involves Internet

access, service consumption and user payments, which recommends the implementation of cyber

security policies in the management of the system, based on cyber infrastructures security policies, the

human resource, and security risk management. The main threats of the e-learning systems are

software attacks, mostly denial of service, viruses and worms, followed by acts of theft and espionage,

infringement, copyright and piracy. Also, technical and human errors, hardware equipment failures,

quality of service deviations from service providers and technological obsolescence can be considered.

Through an effective policy and the competencies held, network administrators and

beneficiaries can maintain a solid security. The implementation of a new services, to meet the needs of

users, involves constantly updating security policies and continuing training of staff involved in

managing the system. The basic requirements related to confidentiality, integrity and availability must

be respected by all the staff involved, not just those responsible for security.

IV. CONCLUSIONS

The cyber-strategy has not only kept to the level of states, it has also been treated in terms of

collective defense by organizations such as NATO, EU, UN, SCO and BRICS. In this respect, various

institutions and centers of excellence are operational, with a growing number of specialists in the field.

It is also notable that all NATO member countries have adopted their own national cybernetic strategy,

with the exception of Greece, where it is under development and adoption. The European Union is an

active presence in the field of cybersecurity with a wide range of regulations and directives covering

the widest possible area of the digital space and focusing mainly on the protection of critical

infrastructures, by activity sectors. At the European Union level, the energy and transport sectors are

the critical infrastructures that need to be protected also from the attacks coming from the cyberspace.

Today’s society reflects the increasing addiction to cyber infrastructure and strong

cybersecurity, which turned the cybersecurity into a discipline that consists of several subfields and

focused on the training of specialists.

Reference Text and Citations

[1] Reed, Thomas, 2005. At the Abyss, Ballantine Books. New York. Page132.
[2] Plăvițu, D., 2011. Războiul cibernetic- de la posibilitate la realitate, Revista Infosfera, anul III, nr.2, București.

Pagina 5.

[3] Markoff, John. Before the Gunfire, The New York Times, found at http://www.nytimes.com/2008/08/13/
technology/13cyber.html, on 09.05.2017.

[4] https://www.kaspersky.com/about/press-releases/2010_kaspersky-lab-provides-its-insights-on-stuxnet-worm,
accessed on the 4th June 2017.

[5] The National Strategy to Secure Cyberspace, 2003, found at https://www.us-cert.gov/sites/default/files/
publications/cyberspace_strategy , on 14.09.2017.

[6] https://ccdcoe.org/cyber-security-strategy-documents.html, accessed on 03.07.2017.
[7] National Cyber Security Strategy 2016-2021, found at https://www.gov.uk/government/uploads/system/uploads

/attachment_data/file/567242/national_cyber_security_strategy_2016 , on 18.01.2018.

[8] https://www.enisa.europa.eu/topics/cybersecurity-education/nis-in-education/universities, on 20.01.2018
[9] https://www.acm.org/binaries/content/assets/education/curricula-recommendations/csec2017 ,

on 25.01.2018

[10] https://www.enisa.europa.eu/news/enisa-news/e-learning-platform-by-enisa-on-national-cyber-security-strategies,

on 25.01.2018

[11] https://www.iso.org/standard/54534.html, on 15.01.2018
[12] http://www.ieeeltsc.org/, on 15.01.2018

http://www.nytimes.com/2008/08/13/%20technology/13cyber.html

https://www.us-cert.gov/sites/default/files/%20publications/cyberspace_strategy

https://ccdcoe.org/cyber-security-strategy-documents.html

https://www.gov.uk/government/uploads/system/uploads%20/attachment_data/file/567242/national_cyber_security_strategy_2016

https://www.enisa.europa.eu/topics/cybersecurity-education/nis-in-education/universities

https://www.acm.org/binaries/content/assets/education/curricula-recommendations/csec2017

https://www.enisa.europa.eu/news/enisa-news/e-learning-platform-by-enisa-on-national-cyber-security-strategies

https://www.iso.org/standard/54534.html

http://www.ieeeltsc.org/

Reproduced with permission of copyright owner. Further reproduction
prohibited without permission.

Full Terms & Conditions of access and use can be found at
https://www.tandfonline.com/action/journalInformation?journalCode=rsan20

Strategic Analysis

ISSN: 0970-0161 (Print) 1754-0054 (Online) Journal homepage: https://www.tandfonline.com/loi/rsan20

Cyber: Also a Domain of War and Terror

Suryakanthi Tripathi

To cite this article: Suryakanthi Tripathi (2015) Cyber: Also a Domain of War and Terror, Strategic
Analysis, 39:1, 1-8, DOI: 10.1080/09700161.2014.980549

To link to this article: https://doi.org/10.1080/09700161.2014.980549

Published online: 14 Jan 2015.

Submit your article to this journal

Article views: 2533

View related articles

View Crossmark data

https://www.tandfonline.com/action/journalInformation?journalCode=rsan20

https://www.tandfonline.com/loi/rsan20

https://www.tandfonline.com/action/showCitFormats?doi=10.1080/09700161.2014.980549

https://doi.org/10.1080/09700161.2014.980549

https://www.tandfonline.com/action/authorSubmission?journalCode=rsan20&show=instructions

https://www.tandfonline.com/doi/mlt/10.1080/09700161.2014.980549

http://crossmark.crossref.org/dialog/?doi=10.1080/09700161.2014.980549&domain=pdf&date_stamp=2015-01-14

Commentary

Cyber: Also a Domain of War and Terror
Suryakanthi Tripathi

India, the IT nation, did not make a news splash at CyberTech 2014. That is worth apassing thought. Because cyber is the fifth and new domain of warfare, after land,
sea, air and space.

CyberTech 2014 took place in Tel Aviv in January, and displayed Israel’s prowess
in cyber-defence. Israel’s National Cyber Bureau, which played a major role in
organising the event, defines its goals as drawing up cyber-defence policies, deve-
loping cybersecurity legislation and turning Israel into a global cyber incubator. The
Israelis say that as hackers keep getting more sophisticated, the brightest digital
security minds from around the world will need to come together. And CyberTech
2014 did do that, bringing together some 500 heads of industry, representatives of
cybersecurity agencies from across the world, as well as a large US delegation from
the White House and their Department of Homeland Security. Many agreed that
Israel’s experience in foiling thousands of cyber-attacks each day and the quality of
their cyber start-ups could be very lucrative for business within and outside its
borders.

According to a 2013 UN document,1 by the year 2017, mobile broadband
subscriptions will cover 70 per cent of the world’s total population. By 2020, the
number of networked devices (the ‘internet of things’) is expected to outnumber
people by six to one, transforming current conceptions of the internet. In this hyper-
connected world, the document says, it will become hard to imagine any crime not
linked with cyber-connectivity.

It is said that roughly 80 per cent of cybercrime acts originate not as individual but
as some form of organised activity, which, in its diversification, keeps attracting new
actors, including those with relatively modest skills.2 Cybercrime is now a business
opportunity, driven by profit and personal gain. McAfee, the computer security soft-
ware firm, estimates that cybercrime now costs the global economy about $500 billion
annually. Even so, cybercrime is still in its infancy and, according to an expert in the
European Cybercrime Centre, ‘You ain’t seen nothing yet’.3

The data breach of the US retailer giant Target, in which around 80 million
customer accounts were compromised during the 2013 holiday season, was a harsh
warning. Estimates suggest that the cost to Target and its shareholders may exceed
$1 billion.4 It has generated fears of cyber-fatality, something that could happen when

Suryakanthi Tripathi is a former diplomat and her last posting was as India’s ambassador to Spain.
She is the Managing Trustee of India Foundation, a non-political trust that is engaged in social and
cultural activities.

Strategic Analysis, 2015
Vol. 39, No. 1, 1–8, http://dx.doi.org/10.1080/09700161.2014.980549

a security breach is so extensive and damaging that the company simply cannot
recover from it.

After the attack on Target, at the end of February 2014 the cybersecurity firm Hold
Security LLC announced that it had discovered the data of some 360 million account
credentials that were available for sale on a cyber black market site. It is being called
the largest single data breach ever and, of the total account credentials, 105 million
seem to have come from a single attack. Apparently, hackers only have to install
malware on point-of-sale devices, and then the credit and debit card details come
streaming in.

Understandably, cybersecurity companies and stock valuations are on the rise. As
cybersecurity no longer remains just a matter of corporate choice, its budgets are
escalating. Forecasts indicate that the global cybersecurity market will increase from
$80 billion at present to over $140 billion by 2017. Entrepreneurs rake in profits in
addressing these risks, although building effective security strategies does need a high
level of expertise and funds. According to the research firm CB Insights, venture
capitalists are investing record highs in cybersecurity companies, from mobile-app
security platforms to online authentication infrastructures.

A further incentive is that cybersecurity start-ups generally exit rather quickly,
either through acquisition or an Initial Public Offering (IPO) and, according to some
reports, with some tenfold return on investment.6 FireEye’s IPO, for example, in
September 2013 raised about $304 million, and just five months later had a market
cap of $10 billion, highlighting the booming real-time virtual security sector.
Although its stock dropped thereafter, the increased demand for the highest quality
cybersecurity software continues. It is said that FireEye operates a network of more
than two million virtual machine-based security platforms, which constantly evolve to
identify advanced threats that might have gone unnoticed by older technologies. In
2014, FireEye also acquired Mandiant whose core business is forensic cybersecurity
and is said to be best known for unveiling a Chinese set-up believed to have been
behind a series of hacking attacks in the US. Other deals include Cisco’s $2.7 billion
purchase of network security firm Sourcefire, and IBM’s purchase of Trusteer, an
Israeli start-up, for $800 million. Even Google has been active in acquiring cyberse-
curity start-ups.

RSA, a well-known US electronic security company, presents a scenario in which
cybercrime will continue to improve its techniques—hacktivism will target enterprises
and cyber-criminals will leverage Big Data principles to improve effectiveness.

Mr. Preet Bharara, familiar to many in India thanks to the India–US discomfiture
over the wage tangle of an Indian diplomat and her domestic help, had this to say
about cybercrime: ‘As the United States attorney in Manhattan, I have come to worry
about few things as much as the gathering cyber threat’.7

The cybersecurity world is currently divided into two types of companies. There
are the established companies such as Kaspersky, Checkpoint or Symantec, who
provide solutions for individual users as well as enterprises. Next are the recent
breed of start-ups that develop cyber-defence strategies, adopting quicker heuristic
approaches or crowd-sourcing to solicit ideas from a larger online community.

The American response

According to President Obama, the economic prosperity of the USA, its national
security and individual liberties depend on them securing cyberspace. Only then

2 Suryakanthi Tripathi

would the internet also remain an engine for economic growth and a platform for the
free exchange of ideas.

Calling cyberspace a ‘new domain of warfare’ in 2011, the US Department of
Defense has set up the US Cyber Command, apart from cyber commands for its army,
air forces and ocean fleet, for ‘defending US and allied interests in cyberspace’, and
‘working together to make that inherently collaborative, adaptable environment … for
military command and control’.8 Cyber Command has been called the newest global
combatant and its sole mission is cyberspace, outside the traditional battlefields of
land, sea, air and space.

The US Congress, for its part, has under consideration the National Cybersecurity
and Critical Infrastructure Protection Act that will amend the 2002 Homeland Security
Act. It would require the Department of Homeland Security to conduct cybersecurity
activities on behalf of the federal government and would also codify the role of the
department in preventing and responding to cybersecurity incidents involving federal
civilian agencies and critical infrastructure in the United States. Since 95 per cent of
the American cyber infrastructure is reportedly private sector owned and operated, the
bill aims to establish a threat information-sharing partnership between Homeland
Security and the private sector.

Hacker attacks against JPMorgan Chase and nine other US financial institutions in
recent months have caused alarm and the US administration is seeking to enhance the
legal authority of the Department of Homeland Security to fight cyber-terrorists.
JPMorgan is also now set to double its $250 million annual computer security budget.
This is expected to improve firewall protection, internal protection, vendor protection
and everything that links to a client or customer. In August 2014, the giant company
disclosed that it had been attacked by hackers, and subsequently announced that the
contact information of 76 million households and seven million small businesses had
been exposed. The reassurance, however, was that despite the hacking having gone
unnoticed for about two months, there was no evidence that financial information,
such as passwords, dates of birth, social security numbers or account numbers, had
been compromised.

After the vulnerability of the most heavily fortified American financial institutions
had been laid bare, the FBI is reported to have initiated a criminal inquiry into these
attacks. But what appears worrisome to the American authorities is the scale of the
attack, combined with the lack of clarity about the hackers’ identity or motives.
According to industry experts, despite huge sums invested in detection technologies,
it is becoming very difficult to trace an attack to its source and, hence, it will be
almost impossible to deter one.9

The Obama administration has been working to address the weakness of pass-
words via the National Strategy for Trusted Identities in Cyberspace. The White
House cybersecurity coordinator, Michael Daniel, at a recent news event said that
he would like to kill the password dead since it could no longer ensure security. Using
a password to access a bank account or mobile phone would soon be a thing of the
past, according to him.10 Instead, he recommended the use of biometric security
measures to access computers and smartphones or facial recognition security through
the device’s camera. Even a selfie could be a security measure instead of just being
used for posting on Facebook. The idea was multifactor authentication to make
hacking that much more difficult.

On the other hand, this also has to be seen in the context of the current friction
between the US Justice Department and a company like Apple, which has introduced

Strategic Analysis 3

new privacy features for its iPhones and iPads. Features like fingerprint scanners on
phones are becoming popular because consumers believe they will also be better
protected from the government intruding on their private data. The FBI is consider-
ably upset with these tech companies for ‘marketing something expressly to allow
people to place themselves beyond the law’.11

US cyber resilience policy also includes their voluntary Cybersecurity Framework,
announced in February 2014, for providers in 16 critical infrastructure sectors. First
introduced in the US president’s 2013 State of the Union address as a key deliverable,
it has been developed by companies, federal agencies and international contributors
working together, and is a reference guide for the private sector and government to
jointly face a shared challenge. It comprises a set of cybersecurity activities that cover
identifying, protecting, detecting, responding to and recovering from cyber intrusions,
and also provides for an organisation that will gauge its cyber effectiveness, weak-
nesses and strengths included.

China awakens

China has the largest number of internet users—more than 600 million—and was
once listed as the second most cyber-targeted nation. Chinese leaders accept that their
IT abilities are lagging and want to transform China into a cyber power. President Xi
Jinping, in his first year in office, began presiding over a new group on cyber and
information security. Its mandate is to draft strategies for protecting national secrets
and developing digital defences, viewing it as a most pressing strategic concern.

The Obama administration asserts that there are cyber-attacks by Chinese hackers
on Americans and American companies doing business in China, some of them
possibly even state-sponsored. Beijing, in its turn, says that it is a frequent victim
of attacks of American origin. Talks between the two countries over cyber-attacks and
national security leaks have become complicated after revelations that the US
National Security Agency has been spying around the world, even on American allies.

Israel’s innovation

Israel has invested heavily in cybersecurity and supplies—over 10 per cent of global
IT security products, significantly disproportionate to its size. This is also impressive
because of the export restrictions that their businesses have to contend with. Hoping
to consolidate its position as a world leader, Israel depends on a cutting-edge talent
pool capable of rapid innovation. Israel has also created a new cyber-defence author-
ity to defend Israel’s civilian networks and help bridge the public–private cyber
divide.

At the World Economic Forum in January 2014 in Davos, Switzerland, Israeli
Prime Minister Netanyahu, before addressing international issues, talked of his
nation’s high-tech abilities and its intention to become one of the top three countries
in cybersecurity. On the heels of Davos, at CyberTech 2014, he said: ‘Foreign
countries want three things—Israeli technology, Israeli technology and Israeli tech-
nology’. He also called on tech giants and Western powers to band together to protect
the world from cyber-attacks, promising to relax export restrictions on Israeli security-
related technologies.12

This may be a little problematic since tech companies and intelligence agencies
would be loath to trade secrets with each other or reveal their own vulnerabilities.

4 Suryakanthi Tripathi

While Israel is currently formulating export regulations, some Israelis see a security
compromise in allowing cyber companies, mostly formed by graduates of their own
stealth security units, to export advanced technologies that could then be turned
against Israel itself. There are concerns about safeguarding their technology advan-
tages and limiting the access of potential hackers to their cybersecurity research and
solutions. Israeli intelligence is also guarded as it does not want to help its enemies
better protect their own systems by using Israeli skills. However, in cyberspace it is
difficult to wall up technology, since it eventually finds its way to the marketplace.

According to experts, Israel faces roughly 100,000 cyber threats a day, and was
the victim of an average of 1.5 serious cyber-attacks an hour in 2013. These attacks,
they claim, have been turned into a source of strength as Israel was pressurised into
advancing its technology and knowledge. It is now being called the nation of
cybersecurity start-ups, with these start-ups getting tax incentives through their
National Cyber Bureau.13 US companies Lockheed Martin and RSA Security
announced that they would invest in Israel’s national cyber complex in Beersheba,
joining the likes of Deutsche Telekom and IBM. The market, in fact, is dominated by
smaller enterprises, demonstrating that technology ‘giants’ generally do not have the
security solutions that Israeli start-ups are offering. Israel is said to have the largest
number of high-tech start-ups globally in absolute terms after the US.

Israel’s state-of-the-art ‘Cyber Gym’ was opened in February 2014 by the Israel
Electric Company (IEC) to train its employees to defend against cyber-attacks. IEC,
which alone receives around 10,000 attacks per hour according to its CEO, claims that
it has the unique capabilities to train other companies from around the world against
system hacking.14 Training consists of real-time defence by students against attacks
by live instructor-hacks.

India alert

It was the NSA leaks that revealed that American agencies were also spying on
Indians and that India had no legal or technical safeguards in this matter. This
prompted the Government of India to announce its first National Cyber Security
Policy in July 2013. The policy was expected to help build a secure and resilient
cyberspace for citizens, businesses and the government, namely a cyberspace in which
all stakeholders within the country as well as the global community had confidence.

The challenge of a cyber policy lies also in its operationalisation and implementa-
tion. Critical infrastructure such as defence systems, power infrastructure, nuclear
plants and telecom networks need to be protected. As far as India is concerned, the
training of 500,000 cybersecurity professionals in the next five years is considered
key, as is the verification of IT products and services used by government departments
and enterprises. The last measure was apparently inspired by the NSA leaks that
indicated that US agencies had used technology companies to enhance their ability to
spy on foreigners.

After launching the policy, the concerned minister of state at that time, Shri Milind
Deora, tweeted: ‘Unveiled India’s First Cyber Security Policy to safeguard individual
privacy, corporate data and sovereign virtual assets’.15 There were reactions to this
policy, but few over the moon, the ministerial tweet notwithstanding. And there were
many questions. Is India’s cyber policy all words and no action? Where is the
implementation plan? Where are the details—where are the hows and whos? Where
are the manpower and tech resources? How will the policy make its way through

Strategic Analysis 5

academia and industry? Have we also announced a policy just because the world
has one?

Even so, it is better to start with a policy than have none at all.
India’s online vulnerability is said to be immense but is not even remotely

quantified as there is no central body for reporting cybercrime. For example, an
estimated 16.6 million Americans were defrauded in 2012. What is the figure for
India? We will never know unless there is some mechanism to gauge the volume,
variety and innovation of cybercrimes.

The EC Council outlined its view about India in its report, published in two parts
over 2013–2014, entitled ‘Talent Crisis in Indian Information Security’.16 It revealed
worrisome gaps in India’s IT security, which could impact handling cyber threats in
banking, defence, information, energy and so on, and also highlighted that India’s
vulnerability lay in the shortage of talent.

The EC Council, with almost 100 countries as members, is a top certification body
for information security professionals, and the owner/creator of the famous Certified
Ethical Hacker (CEH) and similar programmes. They say India is poorly equipped to
handle cyber intrusions owing to a ‘serious shortage’ of skilled professionals. In nine
crucial segments of information security, such as application architecture, code review
and cryptography, Indian talent is said to be alarmingly low. Only 0.97 per cent of
Indian IT students reportedly have basic skills in information security, and only 13 per
cent have an understanding of concepts necessary for being trained. Setting an earlier
target even than the government’s, the EC suggested that India needed 500,000 cyber
professionals by 2015, but that less than one per cent of future IT professionals were
being trained in this field. The scenario is said to be bleak, and could impact the future
operations of India’s government, businesses and individuals.17

At a New Delhi roundtable in February 2014, Sanjay Bavisi, president of the EC
Council, summarised the situation as follows: India is the software capital of the
world. However, the risks posed by vulnerabilities and information security threats to
the nation’s IT infrastructure across industries are disheartening. In an ever evolving
cybersecurity landscape, we need to respond to sophisticated threats immediately and
this, in turn, requires a trained talent pipeline. He thereafter told Press Trust of India
(PTI) that India’s response to cyber-terrorism was disjointed, with no central cyber
command and a non-existent cybersecurity training programme.18

Let us take an example. How well protected is the biometric ‘Big Data’ collected
by the Unique Identification Authority of India (UADAI) for the issue of unique
identification numbers? Do we have clear-cut answers? On the UIDAI website
(www.uidai.gov.in) are pages relating to its mandate, vision, core values, technology
development and so on, but, as far as one can see, nothing much is mentioned about
information security. In any case, this project was taken up before the National Cyber
Security Policy was announced. Is this data then accessible to cyber-smart hacker
groups or agencies in different countries? How valid is this Big Data since its collection
itself is said to have been poorly monitored? How is this data’s security kept constantly
upgraded against theft or sabotage, given the relentless advances in hacking techni-
ques? What are the ramifications for national security if the system is compromised?

With the threat landscape changed, cybersecurity is no longer just an IT issue, but
a strategic business issue needing a cross-functional team. According to Deloitte,
banks and financial services companies adopt innovations for growth and cost
optimisation that, in turn, introduce new vulnerabilities and complexities in their
technology ecosystem.19 Cybersecurity thus needs to be integrated in the decision-

6 Suryakanthi Tripathi

http://www.uidai.gov.in

making process, even if it alters the very decision itself. The mainstream adoption of
cloud computing, ‘internet of things’ and Bring Your Own Device (BYOD) is
expected to increase attacker opportunities.

Mobile phone use in India presents specific challenges. Large businesses in India
—primarily banks that promote mobile transactions as being critical to growth—do
seem to be gearing up. Corporate networks have to handle sophisticated, targeted and
advanced persistent threats (APTs) against data security. A challenging task is to
manage the vast range of mobile operating systems and platforms that amplifies
overall security exposure. The use of unsecured internet connections on mobile
devices can corrupt the end point, which could then threaten the whole network.
Banks, nudged by the Reserve Bank of India (RBI), are being compelled to revisit
their architecture and security mechanisms. Some banks, for example, adopt two-
factor authentication of image and phrase, as well as an SSL protocol, an encrypted
link between server and client. As with internet banking, mobile transactions also go
through different levels of security checks before a transaction can be completed.
Companies are also introducing their own apps that offer customers greater flexibility
and functionality through an outside-in approach while also bettering the security of
transactions.

During the Ukraine crisis in 2014, just before the Crimean referendum, NATO
websites were hit in cyber-attacks, reflecting the region’s territorial tensions in cyber-
space. While the alliance said that none of its essential systems had been compro-
mised, it was reported that the main NATO website and the NATO-affiliated
cybersecurity centre in Estonia were affected by the so-called ‘distributed denial of
service’ (DDoS) attack, in which hackers bombard websites causing them to slow
down or crash. The attack was claimed by a group calling itself ‘cyber berkut’, who
said it was the retaliation of those Ukrainians angered by what they saw as NATO
interference in their country.20

There are obvious military risks to computer and communications systems. There
is also the vulnerability of critical civilian infrastructures to cyber-sabotage. Attacks
could be from nation-states or non-state actors.

Many future battles will shift to cyberspace. Cyber-terrorism, whose definition
continues to be debated, is essentially an internet-based terrorist attack causing large-
scale disruption of computer networks. Eugene Kaspersky, founder of Kaspersky Lab,
feels that ‘cyber-terrorism’ is a more accurate term than ‘cyberwar’, because in
today’s attacks, one is clueless about who did it or when they might strike again.
He equated large-scale cyber weapons, such as the Flame Virus and NetTraveler
Virus, with biological weapons, for they could be just as destructive in an intercon-
nected world.21

Cybercrime could make traffic lights freeze, garble aircraft communications,
paralyse banks, erase satellite data and splinter military command-and-control sys-
tems. The EC Council has a slogan: ‘Hackers are here. Where are you?’ That should
trigger a nation to frequently ask itself, ‘Where are we?’

Where are we, India?

Notes
1. United Nations Office on Drugs and Crime, Vienna, ‘Comprehensive Study on Cybercrime –

Draft’, February 2013.
2. Pierluigi Paganini, ‘The Impact of Cybercrime’, InfoSec Institute, Illinois, February 2013.

Strategic Analysis 7

3. Holly Ellyatt, ‘The Threat from Cybercrime’, CNBC Report, 13 August 2013, at http://www.
cnbc.com/id/100959481# (Accessed December 2, 2014).

4. John Vomhof Jr, ‘Target’s data breach fraud cost could top $1 billion’, Charlotte Business
Journal, Feb 3, 2014.

5. PM lauds Israeli prowess at Cybertech 2014 Opening, The Times of Israel, January 27, 2014, at
http://www.timesofisrael.com/pm-lauds-israeli-prowess-at-cybertech-2014-opening/ (Accessed
December 2, 2014).

6. Bob Ackerman Jr., ‘Stealing the Show: Cybersecurity Stock Valuations on the Rise’, Special
to CNBC.com, March 9, 2014.

7. Preet Bharara, ‘Asleep at the Laptop’, Op-Ed, The New York Times, June 3, 2012 at http://
www.nytimes.com/2012/06/04/opinion/preventing-a-cybercrime-wave.html?_r=1& (Accessed
December 2, 2014).

8. The Cyber Domain – Security and Operations, Special Report, US Department of Defense.
9. Michael Corkery, Jessica Silver-Greenberg and David E. Sanger, ‘Obama Had Security Fears

on JPMorgan Data Breach’, The New York Times, October 8, 2014, at http://dealbook.
nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-
street/?_php=true&_type=blogs&emc=edit_na_20141008&nlid=55349507&_r=0 (Accessed
December 2, 2014).

10. Guy Taylor, ‘Obama’s cybersecurity adviser: Biometrics will replace passwords for safety’s
sake’, The Washington Times, October 9, 2014, at http://www.washingtontimes.com/news/2014/
oct/9/obamas-cybersecurity-adviser-biometrics-will-repla/ (Accessed December 2, 2014).

11. Craig Timberg and Greg Miller, ‘FBI blasts Apple, Google for locking police out of phones’,
The Washington Post, September 25, 2014, at http://www.washingtonpost.com/business/techno
logy/2014/09/25/68c4e08e-4344-11e4-9a15-137aa0153527_story.html (Accessed December 2,
2014).

12. Joe Barnes, ‘Israel utilises its cyber security expertise’, The Financial Times, February 24,
2014, at http://www.ft.com/intl/cms/s/0/8b6e572c-97e7-11e3-8dc3-00144feab7de.html#axzz3
KXXT0Je6 (Accessed December 2, 2014).

13. Ari Yashar, ‘Israel’s New “Cyber Gym” Trains Cyber-Warfare’, December 2, 2013, at http://
www.israelnationalnews.com/News/News.aspx/174712#.VHre6jSUd3E (Accessed December
2, 2014).

14. Ibid.
15. https://twitter.com/milinddeora/status/351946198816526336 (Accessed December 2, 2014).
16. EC- Council Foundation, ‘The Talent Crisis in InfoSec – An Outlook of the Future of the

Indian Information Security Scenario.’
17. Ibid.
18. PTI, ‘India not prepared to handle cyber terrorism threat: EC Council’, Economic Times, February

19, 2014, at http://articles.economictimes.indiatimes.com/2014-02-19/news/47489884_1_cyber-
ddos-participants (Accessed December 2, 2014).

19. Jim Eckenrode, ‘Transforming cybersecurity: New approaches for an evolving threat land-
scape’, Deloitte Center for Financial Services, 2014.

20. Adrian Croft and Peter Apps, ‘NATO websites hit in cyber attack linked to Crimea tension’,
Reuters, Mar 16, 2014, at http://www.reuters.com/article/2014/03/16/us-ukraine-nato-
idUSBREA2E0T320140316 (Accessed December 2, 2014).

21. David Shamah, ‘Latest viruses could mean “end of world as we know it,” says man
who discovered Flame’, The Times of Israel, June 6, 2012, at http://www.timesofisrael.com/
experts-we-lost-the-cyber-war-now-were-in-the-era-of-cyber-terror/#ixzz3KQV7Alyw (Accessed
December 2, 2014).

8 Suryakanthi Tripathi

http://www.cnbc.com/id/100959481#

http://www.timesofisrael.com/pm-lauds-israeli-prowess-at-cybertech-2014-opening/

http://www.nytimes.com/2012/06/04/opinion/preventing-a-cybercrime-wave.html?_r=1%26

http://www.washingtontimes.com/news/2014/oct/9/obamas-cybersecurity-adviser-biometrics-will-repla/

http://www.washingtonpost.com/business/technology/2014/09/25/68c4e08e-4344-11e4-9a15-137aa0153527_story.html

http://www.ft.com/intl/cms/s/0/8b6e572c-97e7-11e3-8dc3-00144feab7de.html#axzz3KXXT0Je6

http://www.israelnationalnews.com/News/News.aspx/174712#.VHre6jSUd3E

Unveiled India's 1st Cyber Security Policy to safeguard individual privacy, corporate data & sovereign virtual assets pic.twitter.com/GaXOJlHFWK

— Milind Deora | मिलिंद देवरा (@milinddeora) July 2, 2013

http://articles.economictimes.indiatimes.com/2014-02-19/news/47489884_1_cyber-ddos-participants

http://www.reuters.com/article/2014/03/16/us-ukraine-nato-idUSBREA2E0T320140316

http://www.timesofisrael.com/experts-we-lost-the-cyber-war-now-were-in-the-era-of-cyber-terror/#ixzz3KQV7Alyw

The Customary International Law
of Cyberspace

Gary Brown, Colonel, USAF

Keira Poellet, Major, USAF

The first thing to know about international law is that it bears only a
passing resemblance to the kind of law with which most people are familiar.
Domestic laws in most countries are passed by some sort of sovereign
body (like Congress) after due consideration. Statutes are carefully crafted
so the law has a precise effect. International law is nothing like that. Con
trary to popular belief, treaties are not the primary means of establishing
international law. The body of international law is a jumble of historic
practice and tradition as well as signed agreements between nations.

Within this patchwork of guidance, customary international law oc
cupies a position of preeminence in developing areas of the law—ahead
of treaties and conventions.1 Customary international law develops from
the general and consistent practice of states if the practice is followed out
of a sense of legal obligation.2 When this occurs, customary law is con
sidered legally binding on nation-states. In situations not addressed by es
tablished consensus on what constitutes lawful behavior, nations may take
actions they deem appropriate.3 This is the heart of the well-established
Lotus principle, so named for the International Court of Justice decision
in which it was established.4

Only a handful of actions are considered peremptory norms of inter
national law; that is, things that are universally held to be wrong and
impermissible.5 These are exceptional areas, including piracy, human traf
ficking, and hijacking. One reason there are so few universally accepted
norms is the very nature of the international legal regime. It is established

Col Gary Brown has been the staff judge advocate (SJA) at US Cyber Command, Fort Meade,
Maryland, since its establishment in 2010. Previously, he was the SJA at Joint Functional Component
Command—Network Warfare. He is a graduate of the University of Nebraska College of Law.

Maj Keira Poellet is an operations law attorney at US Cyber Command. Her previous assignment was
deputy SJA at Lajes Field, Azores, Portugal. She received her LLM in space and telecommunications law
from the University of Nebraska College of Law and her JD from Whittier Law School.

[ 126 ] Strategic Studies Quarterly ♦ Fall 2012

The Customary International Law of Cyberspace

by what nations do and believe they are bound to do, making consensus
difficult to reach. Without consensus, there is no law, even in what seem
to be straightforward cases, such as torture. “Torture or cruel, inhuman,
or degrading treatment or punishment” is recognized by most states as
violating human rights principles that have attained the status of customary
international law. Yet, actions amounting to torture continue, and states
sponsoring those actions are not often condemned, so it cannot be said
there is complete international agreement on the issue.6

Although the few prohibitions accepted as peremptory norms do not
deal with war, that is not to say armed conflict is completely ungoverned.
There is a body of customary law reflecting the extensive and virtually
uniform conduct of nation-states during traditional warfare that is widely
accepted and well understood—the law of war. Unfortunately, the appli
cation of the law of war to cyberspace is problematic because the actions
and effects available to nations and nonstate actors in cyberspace do not
necessarily match up neatly with the principles governing armed conflict.
Cyberspace gives nation-states new options, enabling them to take non-
kinetic actions that may not have been available previously. Actions that
may have required the use of military force in previous conflicts now can
be done with cyber techniques without the use of force. States can also
take actions in cyberspace that would be consistent with the use of armed
force but more easily avoid taking responsibility for the actions—they can
take cyber action “without attribution.”

In the absence of a specific legal regime for cyberspace, the logical
approach is to take what guidance exists to govern more conventional
warfare and determine whether it can be applied to cyberspace activities.
The subsequent brief discussion is a general examination of how national
practices become customs binding on the body of nations as customary
international law. Following the general discussion is a more detailed dis
cussion of how customary international law might apply to nation-state
cyber actions.

The Development of Customary International Law
It is common for states to disagree about what constitutes a general

practice accepted as law. The easiest form of proof is found in state actions,
published government materials, official government statements, domestic

Strategic Studies Quarterly ♦ Fall 2012 [ 127 ]

Gary Brown and Keira Poellet

laws, and court decisions that detail actual practice.7 Over time, specific
instances of state practice may develop into a general custom.8

The second part of the equation is more difficult. For a custom to be
binding, states not only need to act in a certain way; they have to act that
way because they think they are legally obligated to do so.9 Acceptance of
general practice as an obligation, that it is “accepted by law,” is referred
to as opinio juris.10 Evidence of opinio juris is primarily shown through
statements of belief, as opposed to statements about state practice, such as
treaties or declarations.11

There is no mathematical formula governing how many states must
accept a practice or for how long it needs to be practiced for it to be
come binding custom.12 For the most part, the more states that practice a
custom, the more likely it is to evolve into law, but not even that simple
rule holds completely true. The practice of politically powerful and active
states carries more weight than that of smaller nations, especially ones not
actively engaged in the area under consideration. For example, actions of the
United States or Great Britain will have more bearing on the development
of international law governing naval operations than those of Switzerland.

As noted, the length of time to develop customary international law
can vary greatly. The law of war is a good example. The customary law
of war has developed over thousands of years, but the practice of limiting
conflict (e.g., to protect noncombatants) evolved primarily in the last 150
years. For example, the Greeks began developing the concept of jus ad
bellum, or just war, in the fourth century BC.13 By contrast, while the
principles governing the way in which combatants engage in warfare (jus
in bello) also have historical ties to that era, they did not begin to assume
their current form until the 1860s during the Franco-Prussian War and
the American Civil War. Documented atrocities during those wars led to
rapid development of the modern law of war regime, beginning with the
first Hague Convention in 1899.

An example of customary law that developed quickly is space law.14 In
1958, just one year after the launch of Sputnik, the UN General Assembly
created a committee to settle on the peaceful uses of outer space. By 1963,
the United Nations had put forth the Declaration of Legal Principles Govern
ing the Activities of States in the Exploration and Use of Outer Space, formally
recognizing what had become customary law applicable to space activities.
Since then, most space law has been generated through international agree
ments, beginning with the first outer space treaty signed in 1967.

[ 128 ] Strategic Studies Quarterly ♦ Fall 2012

http:custom.12

http:declarations.11

http:juris.10

The Customary International Law of Cyberspace

Sometimes even state inaction can establish practice. For example, when
one state engages in conduct harmful to another, the official silence of
the “victim” state can be evidence that the conduct in question does not
constitute a violation of international law. This passiveness and inaction
can produce a binding effect under what is called the doctrine of acquies
cence.15 The more times a state permits an action to occur without mean
ingful protest, the more likely it is the action will be accepted as lawful
state practice.

Development of Cyber Law through Custom
The increasing use of computers and computer networks through the

1970s and 1980s was followed swiftly by the rise of the “network of net
works” known as the Internet in the mid-1990s.16 Ultimately, the Inter
net spawned an entirely new domain of operations referred to as cyberspace.
It is in and through this virtual space that cyber activities occur. So, not
only are the activities in cyber new, where cyber actions take place is a
unique location.17

Because it has existed for such a short time, there is not a robust body
of law governing state conduct in cyberspace.18 There are documented
instances of state cyber practice, however, and these have begun to lay a
pattern for establishing customary cyber law. As noted above, custom
ary law does not instantly appear but is developed through state practice
and rationale. The cyber practices of states and the thought behind those
actions over the past 30 years must be examined to determine if there is
customary law in cyberspace. If no principles have developed, as earlier
discussed, cyberspace remains unconstrained under the default customary
international regime.

Although opinio juris is a critical element, it is easiest to analyze the
development of custom beginning with an examination of state action,
which is more visible and easily documented than motivation. Compli
cating the analysis is the secrecy surrounding most cyber operations. The
US Department of Defense (DoD), for example, claims it suffers millions
of scans and thousands of probes into its networks each day.19 With rare
exceptions, no states or individuals come forward to take credit for these
actions, so assessing the motivation of these unknown cyber actors is dif
ficult. Albeit complicated and difficult, a few examples of state practice in
cyber are available for examination.

Strategic Studies Quarterly ♦ Fall 2012 [ 129 ]

http:cyberspace.18

http:location.17

http:mid-1990s.16

http:cence.15

Gary Brown and Keira Poellet

Arguably, the first cyber attack occurred in the Soviet Union. In 1982, a
trans-Siberian pipeline exploded. The explosion was recorded by US satel
lites, and it was referred to by one US official as “the most monumental
nonnuclear explosion and fire ever seen from space.”20 It has been reported
the explosion was caused by computer malware the Central Intelligence
Agency implanted in Canadian software, apparently knowing the software
would be illegally acquired by Soviet agents. Because the explosion hap
pened in remote Siberia, it resulted in no casualties. It also embarrassed
the Russian Committee for State Security (the KGB), who thought they
had stolen the most recent software technology from the United States.
As a result, the facts behind the explosion were concealed, and the USSR
never publicly accused the United States of causing the incident.21

Multiple “soft” computer attacks occurred against US systems as the Internet
grew exponentially over the next 25 years. Many of these involved at
tempts to copy sensitive information or relatively simple but potentially
devastating denial of service attacks.22 Some of the more infamous include
Moonlight Maze (1998–2001), which probed government and academic
computer systems in the United States; Code Red (2001), which launched
a worm intended to conduct a denial of service attack against White House
computers; and Mountain View (2001), a number of intrusions into US
municipal computer systems to collect information on utilities, govern
ment offices, and emergency systems.23 Although there was speculation
about the origins, none of these incidents could be definitively attributed
to a state actor.

In contrast to the, until recently, little-known Siberian incident, it was a
very public series of cyber events considered by many to have heralded the
advent of cyber warfare. In April 2007, following the removal of a Rus
sian statue in Estonia’s capital of Tallinn, a widespread denial of service
attack affected its websites. As a result Estonia, one of the world’s most
wired countries, was forced to cut off international Internet access. Russia
denied involvement in the incident, but experts speculate the Russian Federal
Security Service (FSB) was behind the distributed denial of service event.24

The following year, Russian troops invaded the Republic of Georgia
during a dispute over territory in South Ossetia. In August 2008, prior to
Russian forces crossing the border, Georgian government websites were
subjected to denial of service attacks and defacement. While there is wide
spread belief the incident was “coordinated and instructed” by elements

[ 130 ] Strategic Studies Quarterly ♦ Fall 2012

http:event.24

http:systems.23

http:attacks.22

http:incident.21

The Customary International Law of Cyberspace

of the Russian government, no one has been able to attribute these actions
definitively to Russia.25

The wakeup call for the US military occurred in 2008, although the
details did not become public until two years later. Operation Buckshot
Yankee was the DoD’s response to a computer worm known as “agent.btz”
infiltrating the US military’s classified computer networks.26 The worm
was placed on a flash drive by a foreign intelligence agency, from where it
ultimately made its way to a classified network. The purpose of the mal
ware was to transfer sensitive US defense information to foreign computer
servers.27 In what qualifies as bureaucratic lightning speed, US Cyber Com
mand was established less than two years later, with a mission to, among
other things, direct the operations and defense of DoD computer net
works.28 In addition to unmasking the extent of network vulnerabilities,
the event highlighted the lack of clarity in international law as it relates to
cyber events.

Two recent incidents merit attention before discussing the law in depth.
In 2010, Google reported Chinese hackers had infiltrated its systems and
stolen intellectual property. Through its investigation, Google learned the
exfiltration of its information was not the only nefarious activity; at least
20 other companies had been targeted by Chinese hackers as well. These
companies covered a wide range of Google users, including the computer,
finance, media, and chemical sectors. The Chinese had also attempted to
hack into G-mail accounts of human rights activists and were successful
in accessing some accounts through malware and phishing scams. Google
released a statement explaining what it discovered through its investiga
tion and what steps it was taking in response to China’s action, including
limiting its business in and with China.29

Also in 2010, a computer worm named Stuxnet was detected on com
puter systems worldwide. Stuxnet resided on and replicated from computers
using Microsoft’s Windows operating system but targeted a supervisory
control and data acquisition (SCADA) system manufactured by Siemens.
Cyber experts determined the worm was designed to affect the automated
processes of industrial control systems and speculated that either Iran’s
Bushehr nuclear power plant or its uranium enrichment facility at Natanz
was the intended target.30 After Stuxnet became public, Iran issued a state
ment that the delay in the Bushehr plant becoming operational was based
on “technical reasons” but did not indicate it was because of Stuxnet.31
The deputy director of the Atomic Energy Organization of Iran stated,

Strategic Studies Quarterly ♦ Fall 2012 [ 131 ]

http:Stuxnet.31

http:target.30

http:China.29

http:works.28

http:servers.27

http:networks.26

http:Russia.25

Gary Brown and Keira Poellet

“Most of the claims made by [foreign] media outlets about Stuxnet are ef
forts meant to cause concern among Iranians and people of the region and
delay the launch of the Bushehr nuclear power plant.”32 Iranian president
Ahmadinejad stated at a news conference that malicious software code
damaged the centrifuge facilities, although he did not specifically state it
was Stuxnet or the Natanz facility.33

Even disregarding the Siberian pipeline incident and considering Moon
light Maze the first major state-on-state cyber incident, there have been
about 12 years of general practice to consider when determining what
constitutes customary law in cyberspace. Incidents that have occurred
during this period have set precedent for what states consider acceptable
cyber behavior. What is remarkable is the lack of protest from nations
whose systems have been degraded in some way by obnoxious cyber activity.
Iran seemed reluctant even to admit its nuclear plant’s computers had been
affected and still does not claim to have been cyber attacked.34

If the damage caused by the Stuxnet malware had instead been caused
by a traditional kinetic attack, such as a cruise missile, it is likely Iran
would have vigorously responded. For one thing, in more-traditional at
tacks it is easier to determine the origin of attack. There are a variety of
reasons Iran may have refrained from public complaint over the Stuxnet
event; one possibility is that it believes the action was not prohibited under
international law. Whatever the reason for Iran’s silence, it remains true
that no state has declared another to have violated international law by a
cyber use of force or an armed attack through cyberspace. Aside from the
Stuxnet event, those in Estonia and Georgia came closest.

The situation in Georgia can be distinguished because the cyber action
was taken in concert with Russian troops crossing the Georgian border—a
clear use of force. Cyber activity against Georgian websites did not start
until after Georgia made its surprise attack on the separatist movement
in South Ossetia on 7 August 2008. The cyber activity commenced later
that same day, on the eve of Russia launching airplanes to bomb inside
Georgian territory. It appears as though it was a military tactic to sever
Georgia’s ability to communicate during the attack. It was not until 9
August 2008 that Georgia declared a “state of war” for the armed attack
occurring inside its territory. It did not declare the cyber activity itself an
attack or use of force.35

A case has also been made that the 2007 massive distributed denial of
service activity in Estonia was a cyber attack. However, after deliberation,

[ 132 ] Strategic Studies Quarterly ♦ Fall 2012

http:force.35

http:attacked.34

http:facility.33

The Customary International Law of Cyberspace

even the Estonian government concluded it was a criminal act as opposed
to a use of force by another state. That may be because they were not able
to attribute it with certainty to the Russian government (or any other govern
ment), but the precedent remains. Attribution problems will continue to
plague this area of law. It is more difficult for custom to develop if the
source of the action is unknown. The actions of criminal gangs or recreational
hackers do not set precedent for international law, and as long as the actor
remains unknown, the events have no precedential value.

Cyber Activity and Espionage
Much of what has occurred in cyberspace between states can be viewed

as merely espionage—simply intrusions onto computer systems for the
collection of intelligence. If these actions are equivalent to espionage,
however, this creates a dilemma in the analysis of cyber law.

Spying has been around even longer than customary international law.
Despite the famous statement, “Gentlemen do not read other gentlemen’s
mail,” espionage has existed since the earliest days of armed conflict.36 Al
though the law of war addresses wartime espionage and the treatment of
captured spies, customary international law is notably silent on the prac
tice of spying during peacetime. States have domestic laws prohibiting
espionage—including the United States, where spying is punishable by
death—but there is no international law prohibiting espionage or insist
ing it violates sovereignty.37

Despite the absence of specific guidance, it is generally not argued that
espionage is actually legal under international law. Most international
lawyers contend espionage is “not illegal” internationally. Presumably, this
is because it would be unseemly for countries to openly note that it is
acceptable to undertake as much espionage as they can get away with.
Despite the “ungentlemanly” nature of espionage, it is an open secret that
countries spy on friends and foes alike. Most of the time, when spies are
caught, the result is a declaration of “PNG” (persona non grata) and de
portation or an exchange for other spies.38

The practice of nations with regard to espionage amounts to a tacit
acceptance of spying. The activity is not overtly endorsed but rather oc
cupies an ill-defined policy space that permits it to occur without violating
international law. There is a general prohibition against violating territo
rial sovereignty, but as an exception to the rule, state practice does not

Strategic Studies Quarterly ♦ Fall 2012 [ 133 ]

http:spies.38

http:sovereignty.37

http:conflict.36

Gary Brown and Keira Poellet

prohibit spying that might involve crossing international borders without
permission. Reflecting this general view, one author summarized, “The
law of espionage is, therefore, unique in that it consists of a norm (territo
rial integrity), the violation of which may be punished by offended states,
but states have persistently violated the norm, accepting the risk of sanc
tions if discovered.”39

This assertion aptly illustrates the bizarre position espionage holds in
the international community. Years of state practice accepting violations
of territorial sovereignty for the purpose of espionage have apparently led
to the establishment of an exception to traditional rules of sovereignty—a
new norm seems to have been created. As cyber activities are frequently
akin to espionage, even if conducted for another purpose, perhaps it is
not too much of a leap to assert that most cyber activities can also occur
without violating territorial sovereignty.

As states have begun to use the Internet and other computer capabilities
to store, process, and communicate information, the use of cyber capa
bilities by intelligence agencies around the world has similarly increased.
“Motives for spying [have not] changed in decades. What has changed
are the means by which people spy. Cyber spying has accelerated due to
increased network speeds and sophisticated chip processing capabilities.”40
One might think this would mean all nonkinetic national cyberspace
operations would be governed by the loose international standards of
espionage. Unfortunately, it is not quite so simple.

Manipulating cyberspace in the interest of national security began with
espionage, but the continuing development of cyber capabilities means it
could be used in military operations independent from espionage. Perhaps
for this reason, policies and practices governing cyber espionage are more
fully developed than those governing official cyber activities undertaken for
other reasons. Objectively, there is little rationale for this disconnect, as most
military actions in cyber would fall short of a use of force. In fact, many
military actions in cyber would be indistinguishable from cyber espionage.

On the other hand, in some cases there are important differences between
cyber espionage and more traditional means of spying. Surreptitiously enter
ing a foreign country and leaving behind a sensor to collect and transmit
intelligence data is one thing. But what if that sensor also contained a
powerful explosive that could be detonated from a distance, causing grave
destruction? If a government discovered such a device, it would be clas
sified as a weapon of war; that would subsume any thought that it might

[ 134 ] Strategic Studies Quarterly ♦ Fall 2012

The Customary International Law of Cyberspace

have been placed during an espionage activity. This second scenario is
perhaps more akin to some current cyber espionage techniques. Network
accesses and cyber spying capabilities may be just as capable of being used
for disruption of systems or deletion of data. The cyber victim may be
left to wonder whether the rogue code it discovers on its network is a tool
meant for espionage or attack.

A nation on the receiving end of espionage-like cyber activity (such as
illicitly gaining access to a government computer network) has no sure
method of discerning the intent of an intrusion and may have little no
tion of who is behind it. Whatever unauthorized access is gained through
nefarious means could be used to collect data, destroy data, or even damage
or destroy equipment. “The difference between cybercrime, cyber-espionage
and cyberwar is a couple of keystrokes. The same technique that gets you
in to steal money, patented blueprint information, or chemical formulas
is the same technique that a nation-state would use to get in and destroy
things.”41 Once illegitimate users have access to a network, they can con
duct whatever mischief they like, and the software tools used by spies
might well be the same as those used by criminals and saboteurs.

So, even if the target government could effectively attribute the activity
to a certain state, it would not know the “why” of the activity. The nature
of cyberspace does not allow for a clear distinction between intrusions for
collection means and those of a more nefarious nature.

For this reason, it might follow that cyberspace operations that fall be
low the use of force should be covered by the same broad international law
umbrella of “not illegal” that governs espionage. After all, most military
cyber activities are more similar to espionage than they are to traditional
military action.42 Conceptually, there is little difference between tip-toeing
into an office and stealing a sheaf of papers from a file cabinet and elec
tronically sneaking into a computer to steal a file. There is a significant
difference, however, between destroying something and a reversible action
temporarily rendering something less functional. In the kinetic realm,
few minimally invasive options are available. In cyber, options range from
tweaking a single digit to crashing a national power grid. To treat all cyber
activity equally as “attacks” is unreasonable.

To facilitate the collection of intelligence, computer code (malware) is
planted in government systems. That code, in some cases, can either be
used in intelligence gathering or in destructive ways, for example, to hard-
break a computer system controlling e-mail at a military headquarters.

Strategic Studies Quarterly ♦ Fall 2012 [ 135 ]

http:action.42

Gary Brown and Keira Poellet

The system access created for intelligence purposes may also be used to
disrupt computer systems at a level well below what would be considered a
use of force under international law. Although it might be argued that the
intent of the actor controls how a cyber action should be analyzed under
international law, this line of argument tends to mix international and
national standards of behavior.43 A person’s intent is key to many criminal
charges under national law, yet in the law of war, a nation that feels threat
ened or as though it is under attack may not be especially concerned with
the intent of the offending nation.

There is no international legal body to which states can turn to col
lect evidence and carefully analyze it to determine the intent behind
another state’s cyber activity. Neither the International Court of Justice
nor other international courts can fill this role. Any evidence that existed
would be classified as secret by the actor nation and would be politically
sensitive as well. Witnesses would mostly be intelligence officials and
politicians. In short, the system bears little resemblance to a national
court system, where police officers, official reports, and witnesses may
be scrutinized fully over the course of many months to determine intent.
When a state becomes aware of a cyber intrusion, it must decide quickly
whether it is a prelude to an attack or “merely” espionage. Even if the
victim state were of a mind to inquire about intent, it might not be able
to determine the source of the intrusion. Further, it might not want to
disclose that it detected the intrusion.

The issue of international intent has not been much discussed as it applies
under the law of war. That may be because, in the case of kinetic attacks,
the intent of the attacking state is generally unambiguous.44 This sets up
an interesting conundrum. If intent does not matter in cyber operations,
and only a few keystrokes determine whether a cyber activity will con
stitute espionage or attack, then any intrusion for collection purposes is
potentially a threat or use of force. If that is the case, the UN Security
Council could be set for a big increase in business.45

The international legal system operates under its own rules, which are
established by consensus and are fundamentally different than domestic
law. The law of war is driven almost entirely by the effect of actions rather
than by some sort of “national mens rea.”46 The intent of an actor taking
an action against another state that could be interpreted as hostile is, for
practical purposes, irrelevant to the international law analysis.

[ 136 ] Strategic Studies Quarterly ♦ Fall 2012

http:business.45

http:unambiguous.44

http:behavior.43

The Customary International Law of Cyberspace

All this leads back to the current international legal regime govern
ing cyber activities. The question is whether state practice coincides with
these norms and whether states are complying out of a sense of legal ob
ligation. Otherwise, it is still the “Wild West” when it comes to behavior
in cyberspace.

In general, cyberspace is a permissive regime, analogous to the espio
nage rule set—little is prohibited, but states can still do their best to pre
vent others from playing in the arena. There is also nothing to prevent
states from prohibiting cyber behavior with national laws. Specifically, as
long as cyber activity remains below the level of a use of force and does
not otherwise interfere with the target nation’s sovereignty, it would not
be prohibited by international law, regardless of the actor’s intent.

One important caveat is that aggressive cyber activities resulting in kinetic
effects (i.e., physical destruction, damage, or injury) are covered by the
law regarding the use of force and armed attack. They are kinetic events,
governed by the traditional law of war just like kinetic effects caused by
more traditional means of warfare. So, for example, a cyber event resulting
in the physical destruction of a power plant turbine would be a military
attack subject to the same international law governing any other kinetic
attack.47 Although determining exactly what constitutes a kinetic effect is
not always simple, this line is as clear as others governing the murky cor
ners of customary law and is clear enough effectively to distinguish cyber
attacks from something less. One example of the gray area is a cyber action
against an electric power grid that causes it to temporarily cease function
ing. Although no actual kinetic event may occur, the reliance of modern
societies on electricity for health care, communications, and the delivery
of essential services makes it clear this would qualify as a kinetic-like effect
and would therefore constitute a military attack if the disruption were for
a significant period of time.48

Turning to areas of cyber operations that do not rise to the level of a
military attack, there are few rules. But few is different than none, and
some markers appear to have been set on the table to guide international
attorneys in assessing the state of affairs.

In 2003, during the months leading up to the invasion of Iraq, the
United States planned a cyber operation that would have greatly affected
Iraq’s financial system and frozen billions of dollars during the opening
stages of the war.49 Ultimately, US officials chose to forego this option.
Reportedly, this was because they were concerned an attack on one nation’s

Strategic Studies Quarterly ♦ Fall 2012 [ 137 ]

http:attack.47

Gary Brown and Keira Poellet

financial system would affect international confidence in the global financial
system, harming the United States and its allies as well as Iraq. So, there is
some question about whether they refrained due to opinio juris or out of
mere self-interest.

In the end, it makes little difference. The financial systems of modern
states are inextricably intertwined, more now than in 2003. If any nation’s
action would most likely damage the financial systems of many other
nations, it seems this type of action would be a violation of customary
international law. If for no other reason, these actions would be question
able, as they would be indiscriminate. Financial systems include banking
and stock markets, essentially any “high finance” connected to the inter
national financial system. The worldwide recession of 2007–08 demon
strated again how when one of the world’s large economies sneezes, the
rest are likely to catch cold.50

There is some potential counterevidence to this conclusion. In 2011, the
NASDAQ reported an intrusion into its computer systems.51 NASDAQ is
an important financial entity, and if shut down, would certainly qualify
under our definition as a cyber attack; that is, a cyber activity that is im
permissible under international law. In this case, however, it appears the
intrusion was detected before any harm was done, and the United States
may have decided it was criminal activity not meriting a diplomatic
brouhaha, or NASDAQ may have been unable to determine the source
of the penetration. This does not affect the conclusion here: large-scale
disruption, or destruction, of a nation’s financial institutions qualifies as
cyber attack.

It also appears penetration or disruption of nuclear command and control
systems is a violation of customary international law. This assertion is sup
ported by the absence of state practice to the contrary and the abundance
of opinio juris regarding the nonproliferation and the monitoring and
control of nuclear weapons.52

Other than these two areas, state cyber activity that falls below the level
of a use of force is not prohibited under international law. It may be under
taken, just as espionage is, without sanction from the international com
munity. Some examples of permissible behavior, as demonstrated by state
practice, are penetrating and maintaining a cyber presence on government
computer systems (including SCADA systems), exfiltration of government
data (including the most sensitive military secrets), and denial of service or
similar activities that decrease bandwidth available for government websites.

[ 138 ] Strategic Studies Quarterly ♦ Fall 2012

http:weapons.52

http:systems.51

The Customary International Law of Cyberspace

The above is premised on the thought that countries would react if they
were attacked. Because all of these things have occurred but not elicited
significant recriminations or a self-defense response, the conclusion is they
are not attacks. However, those who take these actions in government systems
run the risk of misperception that their cyber espionage is a cyber attack.
If they are not armed attacks or uses of force under international law, they
are not governed by the customary law of war. As a result, these disrup
tive cyber activities are governed by the overall customary law regime. As
earlier discussed, the customary regime is permissive in the absence of
norms, as is the case here. The closest existing analogy is to the rule set
governing espionage. Under either the permissive or the espionage regime,
disruptive cyber activities undertaken by states are permissible as a matter
of customary international law, with the two exceptions (financial systems
and nuclear command and control systems) noted here.

Shaping US Strategy for International Cyber Law
Because of its reliance on cyberspace, the United States should con

sciously craft a strategy to influence the development of customary inter
national cyber law rather than merely observing the development. The
best method to do so is through acknowledged state practice. Because of
the secrecy involved in many cyberspace activities, few actually influence
the development of norms. A prudent examination of US actions—and
public disclosure of some—would help establish a baseline for accept
able behavior.

After the United States determines what actions it believes it is autho
rized to take in cyberspace, it should openly share at least examples of
actions it has taken. Further, it should certainly look to the possibility
of disclosing actions taken against it. By proposing certain of its own
actions as acceptable and recognizing those taken against it as either
acceptable or unacceptable, the United States could lead a dialogue on
cyber norms, driving toward conclusions that would be beneficial for its
national security.

In addition to state practice, the United States should provide releasable
government materials stating what it believes are cyber norms. In May
2011 the president released the International Strategy for Cyberspace. This
strategy recognizes that “the development of norms for state conduct in
cyberspace does not require a reinvention of customary international law,

Strategic Studies Quarterly ♦ Fall 2012 [ 139 ]

Gary Brown and Keira Poellet

nor does it render existing international norms obsolete. Long-standing
international norms guiding state behavior—in times of peace and
conflict—also apply in cyberspace.”53

In recognizing that certain principles apply to cyberspace activities
just as they apply to more traditional activities, the United States pro
vides a basic framework for the cyber norms it expects will develop:
upholding fundamental freedoms, respect for property, valuing privacy,
protection from crime, and the right of self-defense. Although at this
point, the list is more aspirational than actual, it can serve as a frame
work on which the United States can hang future examples of real cyber
behavior by itself and others.

It is important to note that the norms set out in the International Strategy
for Cyberspace are not universally recognized as customary international law
(except for the right of self-defense). For example, although the strategy
discusses fundamental freedoms such as free speech and privacy, it is
apparent that particular norm is not followed worldwide. Twitter, which
has been an important communications tool for government protestors
in many countries, announced that it will restrict certain speech and
freedom of expression if it appears to violate a local law by “reactively
withhold[ing] content from users in a specific country while keeping it
available to the rest of the world.”54 So, even if the United States does
not, Twitter recognizes that not all these things are accepted as norms of
behavior worldwide at this point.

The Department of Defense Strategy for Operating in Cyberspace (DSOC)
recognizes the same principles and encourages the development and pro
motion of international cyberspace norms. The DSOC reiterates the Inter
national Strategy’s defense objective to “oppose those who would seek to
disrupt networks and systems, dissuading and deterring malicious actors,
and reserving the right to defend these vital national assets as necessary
and appropriate.”55 Neither strategy document includes actual examples
of what would be necessary and appropriate and leaves it open to interpre
tation. While it is helpful to provide the statement that the United States
has the right to defend its vital national assets, for the purpose of customary
international law it would also be helpful to know what the United States
considers as a threat to those assets. On the other hand, the United States
may have intentionally left this ambiguity in its international strategy to
allow for the flexibility of a relevant response.

[ 140 ] Strategic Studies Quarterly ♦ Fall 2012

The Customary International Law of Cyberspace

Conclusion
In the absence of formal international agreements, cyber custom is be

ginning to develop through the practice of states. The custom permits
most cyber activity that falls below the level of a use of force, with serious
actions against major financial institutions and disruptive actions to nuclear
command and control systems being notable exceptions. While there has
been some movement toward declarations, agreements, treaties, and inter
national norms in the area, the hopeful statements most often heard do
not coincide with current state practice. In a practical demonstration of
realpolitik, states generally would like to prohibit others from undertaking
the same cyber activity in which they are already engaging. The discon
nect between practice and public statements creates a poor environment
for negotiating international agreements and infertile soil for positive
customary law—norms—to flourish. In this case, for better or worse,
the default—permissive international law regime—governs. Unless states
positively determine that disruptive cyber actions should be treated dif
ferently than espionage, this area will continue to be a competitive intel
lectual battlefield, where the cyber savvy do what they will and the cyber
naïve suffer what they must.

This is not necessarily a bad-news story. Recognizing the permissive
nature of cyber custom will encourage states to negotiate agreements that
moderate behavior in cyberspace. To negotiate agreements, states will have
to address critical cyber issues of attribution and state responsibility. In the
long run, negotiated and enforceable agreements governing cyberspace
may be a better option than waiting for the necessarily languid develop
ment of custom in an area that changes at the speed of thought.

Notes

1. See Statute of the International Court of Justice, Art. 38 (18 April 1946), http://www.icj-cij
.org/documents/index.php?p1=4&p2=2&p3=0.

2. John B. Bellinger III and William J. Haynes II, “A US Government Response to the
International Committee of the Red Cross Study Customary International Humanitarian Law,”
International Review of the Red Cross 89, no. 866 (June 2007): 443–71, http://www.icrc.org/eng
/assets/files/other/irrc_866_bellinger .

3. Guidance to the contrary may be exhibited, for example, through bilateral treaties or
consistent objection by other states.

4. It is a “residual negative principle which provides that in the [absence of law], whatever
is not prohibited in international law is permitted.” Anthea Roberts, “Traditional and Modern
Approaches to Customary International Law: A Reconciliation,” American Journal of Inter-

Strategic Studies Quarterly ♦ Fall 2012 [ 141 ]

http://www.icrc.org/eng

http://www.icj-cij

Gary Brown and Keira Poellet

national Law 95 (2001): 757–91. While it is possible that the Lotus principle could prompt
states to attempt to regulate on any matter that could affect them negatively, international
law expects that states “may not exercise jurisdiction to prescribe law with respect to a person
or activity having connections with another state when the exercise of such jurisdiction is
unreasonable.” Restatement of the Law, Third, Foreign Relations Law of the United States, §403,
1987 [hereinafter Restatement].

5. “A norm accepted and recognized by the international community of States as a whole as
a norm from which no derogation is permitted and which can be modified only by a subsequent
norm of general international law having the same character.” Vienna Convention on Treaties, Art.
53, 23 May 1969, http://untreaty.un.org/ilc/texts/instruments/english/conventions/1_1_1969
.

6. The United States considers the prohibition on torture to be jus cogens, but as noted, the
practice of nations may not support that conclusion. Restatement, §702, comment n.

7. Restatement, §102, comment b.
8. Roberts, “Traditional and Modern Approaches, 757–58.
9. Restatement, §102, comment c, n. 4. This comment also suggests that explicit evidence

may not always be necessary to establish opinio juris; in some cases it may be inferred from state
practice alone.

10. Peter Malanczuk, Akehurst’s Modern Introduction to International Law, 7th rev. ed. (London:
Routledge, 1997), 39.

11. Roberts, Traditional and Modern Approaches, 758, n. 4.
12. Restatement, §102, comment b.
13. See Polybius, The Histories, Book V, 9 (discussing the right to retaliate for sacrilegious

acts committed by Aetolians), http://penelope.uchicago.edu/Thayer/E/Roman/Texts/Polybius/5*
.html.

14. “The analysis of the practice of states before the conclusion of the 1967 Outer Space Treaty
shows that historically, custom was the first source of the international law of outer space.” Vladelen
S. Vereshchetin and Gennady M. Danilenko, “Custom as a Source of International Law of Outer
Space,” Journal of Space Law 13, no. 1 (1985): 22, 25.

15. Malanczuk, Akehurst’s Modern Introduction to International Law, 43, n. 10. See I. C.
MacGibbon, “The Scope of Acquiescence in International Law,” 1954 British Yearbook of Inter
national Law, 143, 145–46; and MacGibbon, “Customary International Law and Acquiescence,”
1957 British Yearbook of International Law, 115, 138.

16. Harry Newton, Newton’s Telecom Dictionary, 23rd ed. (New York: Flatiron Publishing,
2007), 502–3.

17. The DoD defines cyberspace as a war-fighting domain. Joint Publication 1-02, DoD Dic
tionary of Military and Associated Terms, 12 April 2001 (as amended through April 2010), 121.

18. As distinguished from state actions that use cyber capabilities merely as a means to ac
complish a more traditional effect. For example, using e-mail to deliver a diplomatic note is
legally no different than sending the note with the ambassador. The importance of “effects” is
discussed below.

19. Deputy Secretary of Defense William J. Lynn III, “Remarks on Cyber,” Council on Foreign
Relations, 30 September 2010, http://www.defense.gov/speeches/speech.aspx?speechid=1509.

20. Bret Stephens, “Long before There Was the Stuxnet Computer Worm, There Was the
‘Farewell’ Spy Dossier,” Asian Wall Street Journal, 19 January 2010, 10. In the early 1980s, a
KGB officer leaked to French intelligence the names of Soviet agents involved in industrial
espionage. This information was used by the West to feed misleading information to the USSR;
the leaked data was referred to as the Farewell Dossier.

[ 142 ] Strategic Studies Quarterly ♦ Fall 2012

http://www.defense.gov/speeches/speech.aspx?speechid=1509

http://penelope.uchicago.edu/Thayer/E/Roman/Texts/Polybius/5

http://untreaty.un.org/ilc/texts/instruments/english/conventions/1_1_1969

The Customary International Law of Cyberspace

21. William Safire, “The Farewell Dossier,” New York Times, 2 February 2004, http://www
.nytimes.com/2004/02/02/opinion/the-farewell-dossier.html?ref=williamsafire.

22. A denial of service (DoS) attack prevents a website from being responsive by overwhelming
it with thousands of requests (pings). Often these requests originate from a robotic network,
more commonly referred to as a botnet. “Bots” are malware-infected computers belonging to
unwitting individuals. The bots become part of a botnet—a grouping of bots—which is con
trolled by the unfriendly actor. Bots may be used to perform a variety of unsavory acts, such as
sending spam and collecting data for identity theft. Botnets are usually composed of computers
from many geographic locations, so the action is called a distributed DoS, or DDoS. Newton,
Newton’s Telecom Dictionary, 300, n. 16.

23. A worm is a type of computer virus that can spread without human action and duplicate
itself through an entire network. A worm can allow an unauthorized user to remotely access a
computer.

24. William Ashmore, “Impact of Alleged Russia Cyber Attacks,” Baltic Security and Defence
Review 11, no. 8 (2009).

25. Cooperative Cyber Defence Centre of Excellence (CCDCOE), Cyber Attacks Against
Georgia: Legal Lessons Identified (Tallinn, Estonia: CCDCOE, November 2008), 12.

26. Noah Shachtman, “Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack,” Wired:
Danger Room, 25 August 2010, http://www.wired.com/dangerroom/tag/operation-buckshot
-yankee/; and Sergi Shevchenko, “Agent.btz: A Threat That Hit Pentagon,” Threat Expert blog, 30
November 2008, http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html.

27. William J. Lynn III and Nicholas Thompson, “Defending a New Domain,” Foreign Affairs
89, no. 5 (September/October 2010).

28. US Cyber Command, “Mission Statement,” http://www.stratcom.mil.
29. See Google’s statement at http://googleblog.blogspot.com/2010/01/new-approach-to

-china.html. Google has now resumed doing business in China.
30. Yossi Melman, “Computer Virus in Iran Actually Targeted Larger Nuclear Facility,”

Haaretz.com, 28 September 2010, http://www.haaretz.com/print-edition/news/computer-virus
-in-iran-actually-targeted-larger-nuclear-facility-1.316052.

31. Ministry of Foreign Affairs, Islamic Republic of Iran, weekly briefing, 5 October 2010,
http://www.mfa.gov.ir/cms/cms/Tehran/en/NEW/137891.html.

32. “No Delay in Launch of Bushehr Power Plant Due to Stuxnet: Official,” Tehran Times, 5
February 2011, http://www.tehrantimes.com/index_View.asp?code=23518.

33. Mark Clayton, “Stuxnet: Ahmadinejad Admits Cyberweapon hit Iran Nuclear Program,”
Christian Science Monitor, 30 November 2010, http://www.csmonitor.com/USA/2010/1130
/Stuxnet-Ahmadinejad-admits-cyberweapon-hit-Iran-nuclear-program.

34. See, for example, Bob Sullivan, “Could Cyber Skirmish Lead U.S. to War?” Red Tape
Chronicles, 11 June 2010, http://redtape.msnbc.com/2010/06/imagine-this-scenario-estonia-a
-nato-member-is-cut-off-from-the-internet-by-cyber-attackers-who-besiege-the-countrys-bandw
.html; and Gary D. Brown, “Why Iran Didn’t Admit Stuxnet Was an Attack,” Joint Force Quarterly
63 (4th Quarter 2011), http://www.ndu.edu/press/why-iran-didnt-admit-stuxnet.html. In the
wake of Stuxnet, one Iranian official noted that “[a]n electronic war has been launched against
Iran,” but there was never an official government statement endorsing that view. Atul Aneja,
“Under Cyber-Attack, Says Iran,” Hindu, 26 September 2010, http://www.thehindu.com/news
/international/article797363.ece.

35. CCDCOE, Cyber Attacks against Georgia, 4.
36. Quoting Henry Lewis Stimson, secretary of state under Herbert Hoover, justifying closing

the “Black Chamber” in 1929, the code-breaking office. Documentation of espionage dates back

Strategic Studies Quarterly ♦ Fall 2012 [ 143 ]

http://www.thehindu.com/news

http://www.ndu.edu/press/why-iran-didnt-admit-stuxnet.html

http://redtape.msnbc.com/2010/06/imagine-this-scenario-estonia-a

http://www.csmonitor.com/USA/2010/1130

http://www.tehrantimes.com/index_View.asp?code=23518

http://www.mfa.gov.ir/cms/cms/Tehran/en/NEW/137891.html

http://www.haaretz.com/print-edition/news/computer-virus

http:Haaretz.com

http://googleblog.blogspot.com/2010/01/new-approach-to

http:http://www.stratcom.mil

http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html

http://www.wired.com/dangerroom/tag/operation-buckshot

http://www

Gary Brown and Keira Poellet

thousands of years. Egypt had an organized intelligence service 5,000 years ago, and espionage
is one of the dominant themes in Sun Tzu’s Art of War 2,500 years ago. Kurt D. Singer, Three
Thousand Years of Espionage (New York: Books for Libraries Press, 1948), vii.

37. Some legal scholars argue that espionage is a violation of sovereignty, but this is the minority
view. See Manuel R. Garcia-Mora, “Treason, Sedition and Espionage as Political Offenses under
the Law of Extradition,” University of Pittsburgh Law Review 26, no. 65 (1964): 79–80; and
Quincy Wright, “Espionage and the Doctrine of Non-Intervention in Internal Affairs,” in Essays
on Espionage and International Law, ed. Roland J. Stranger (Columbus: Ohio State University
Press, 1962), 12. See 18 U.S.C., pt. 1, chap. 37, “Espionage and Censorship,” and 18 U.S.C.,
§§ 793–98, for the US domestic law.

38. For example, in July 2010 the United States and Russia exchanged spies after the FBI
uncovered a Russian sleeper cell. See “U.S. Confirms Successful Exchange of Spies,” CBS News,
9 July 2010, http://www.cbsnews.com/stories/2010/07/09/world/main6661165.shtml.

39. CDR Roger Scott, “Territorially Intrusive Intelligence Collection and International
Law,” Air Force Law Review 46 (1999): 217–18.

40. Josh Zachry, associate director for research operations, Institute for Cybersecurity, University
of San Antonio, quoted in “Cyber Espionage Threatens Global Security,” Intelligencesearch.com, http://
www.intelligencesearch.com/ia158.html.

41. Tom Gjelten, “Cyber Insecurity: U.S. Struggles to Confront Threat,” NPR.org, http://
www.npr.org/templates/story/story.php?storyId=125578576.

42. See discussion of “effects” below.
43. Prescott Winter, “Cybersecurity—Governments Need to Cooperate,” Cyber Threat blog, 8

April 2010, http://blogs.computerworlduk.com/cyber-threat/2010/04/cybersecurity–governments
need-to-cooperate/index.htm#.

44. A notable exception is the case of mistake of fact or accident, such as air strikes that hit
the wrong targets or targets that were unintentionally mischaracterized, in which case the victim
state and the international community may assess the reasonableness of the mistake before char
acterizing the action under the law of war. See Daniel Williams, “NATO Missiles Hit Chinese
Embassy,” Washington Post, 8 May 1999, A-1; and “US Warplanes ‘Bomb Afghan Wedding
Party,’ ” Independent, 6 November 2008.

45. Art. 2(4) of the UN Charter prohibits even threats of a use of force. As states have proven
themselves unwilling to give up espionage, it is unlikely the “threat of force” prohibition will be
given a broad interpretation in the case of cyber activities. This might mean that states will be
free under international law to implant dual-use computer code and be poised to strike, while
defending states would legally be expected to wait until the moment the code was converted
before acting in self-defense. A fuller discussion of this interesting issue is beyond the scope of
this article.

46. Mens rea is a legal term referring to the intent element necessary to be convicted of a crime.
47. In a 2007 Department of Homeland Security exercise called Aurora, controlled hacking

into a replica of a power plant control system enabled researchers to change the operation of
a generator, resulting in its violent physical destruction. “Staged Cyber Attack Reveals Vulner
ability in Power Grid,” CNN, 26 September 2007, http://articles.cnn.com/2007-09-26/us/power
.at.risk_1_generator-cyber-attack-electric-infrastructure?_s=PM:US.

48. Other factors have been suggested to form a test for a use of force. The most commonly
cited is Prof. Mike Schmitt’s six-part test for cyber attack, which requires assessing cyber actions
for severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy. Al
though this is a rational test for analyzing cyber actions post facto, we would argue that only the
first––severity––is necessary to determine if the event qualifies as an attack. The lightning speed

[ 144 ] Strategic Studies Quarterly ♦ Fall 2012

http://articles.cnn.com/2007-09-26/us/power

http://blogs.computerworlduk.com/cyber-threat/2010/04/cybersecurity–governments

www.npr.org/templates/story/story.php?storyId=125578576

www.intelligencesearch.com/ia158.html

http:Intelligencesearch.com

http://www.cbsnews.com/stories/2010/07/09/world/main6661165.shtml

The Customary International Law of Cyberspace

of cyber actions makes swift decision making critical, and it is unlikely nations will have the in
formation or the time to consider these factors in the heat of potential battle. Professor Schmitt’s
test could be very useful in determining whether a cyber action violated an international norm
not predicated on a use of force, such as the principle of nonintervention. See Michael N.
Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on
a Normative Framework,” Columbia Journal of Transnational Law 37 (1998–99): 885; and The
Principle of Non-Intervention in Contemporary International Law: Non-Interference in a State’s In
ternal Affairs Used to Be a Rule of International Law: Is It Still?, Chatham House discussion group
summary, http://www.chathamhouse.org.uk/files/6567_il280207 .

49. John Markoff and Thom Shanker, “Halted ’03 Iraq Plan Illustrates U.S. Fear of Cyber-
war Risk,” New York Times, 1 August 2009.

50. Financial Inquiry Commission, Final Report of the National Commission of the Causes of
the Financial and Economic Crisis in the United States, January 2011, http://www.fcic.gov/report.

51. Devlin Barrett, Jenny Strasburg, and Jacob Bunge, “NASDAQ Confirms a Breach in
Network,” Wall Street Journal, 7 February 2011. For a general discussion of the National Asso
ciation of Securities Dealers Automated Quotation (NASDAQ), see “NASDAQ Wiki,” Motley
Fool, http://wiki.fool.com/Nasdaq.

52. See “U.S.-Soviet/Russian Arms Control,” Arms Control Today, June 2002, http://www
.armscontrol.org/act/2002_06/factfilejune02.

53. International Strategy for Cyberspace: Prosperity, Security in a Networked World (Washington:
White House, May 2011), 9.

54. Gerry Shih, “Twitter to Restrict User Content in Some Countries,” Reuters, 27 January
2012, http://in.reuters.com/article/2012/01/26/twitter-idINDEE80P0IR20120126.

55. International Strategy for Cyberspace, 12; and Department of Defense Strategy for Operating
in Cyberspace (Washington: DoD, July 2011), 10.

Strategic Studies Quarterly ♦ Fall 2012 [ 145 ]

http://in.reuters.com/article/2012/01/26/twitter-idINDEE80P0IR20120126

http://www

http://wiki.fool.com/Nasdaq

http://www.fcic.gov/report

http://www.chathamhouse.org.uk/files/6567_il280207

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Defense AT&L: January-February 2018 30

Sun Tzu
and the Art of

Cyberwar
Roy Wilson

Wilson is an Acquisition Cybersecurity professor at the Defense Acquisition University’s Mid-Atlantic campus in California, Maryland. He
is a retired U.S. Air Force (USAF) officer with more than 35 years of experience in aviation systems engineering for the USAF and U.S. Navy.

S
un Tzu is widely recognized as the premier military strategist in the history
of the world. His book “The Art of War” was written approximately 2,500
years ago in China but its strategic and tactical information remains widely
recognized as valid for modern warfighters. It has influenced the strategic
and tactical thinking of military leaders such as America’s Gen. Douglas

MacArthur, China’s Mao Zedong and Vietnam’s Gen. Vo Nguyen Giap.

Modern warfare historically has been conducted in four domains; land, sea, air and space. In 2016, NATO accepted
the cyber domain as a fifth domain for warfare. The decision is aligned with the U.S. military strategy that already
recognized cyberspace as a warfare domain. In 2009 the U.S. Government established the United States Cyber

31 Defense AT&L: January-February 2018

Command (USCYBERCOM) to fulfill tasks related to
cyber conflicts. Examining Sun Tzu’s “The Art of War”
in light of the new cyberwarfare domain reveals some
very interesting and highly applicable strategies and tac-
tics. “The Art of War” is laid out in 13 chapters with the
following chapter titles.

Laying Plans
Waging War
Attack by Stratagem
Tactical Dispositions
Energy
Weak Points and Strong
Maneuvering
Variation in Tactics
The Army on the March

Terrain
The Nine Situations
The Attack by Fire
The Use of Spies

Strategies from each of these 13 chapters are herein
examined from the cyberwarfare domain perspective.
The Sun Tzu quote is provided in italics in bulleted items,
followed by a short analysis of cyberwarfare domain ap-
plicability. In the interest of space, the number of strate-
gies examined are limited to a few from each chapter in
“The Art of War.”

Chapter 1. Laying Plans
n The art of war is of vital importance to the state. It is
equally true today that the art of cyberwar is of vital

https://suntzusaid.com/book/1

https://suntzusaid.com/book/2

https://suntzusaid.com/book/3

https://suntzusaid.com/book/4

https://suntzusaid.com/book/5

https://suntzusaid.com/book/6

https://suntzusaid.com/book/7

https://suntzusaid.com/book/8

https://suntzusaid.com/book/9

https://suntzusaid.com/book/10

https://suntzusaid.com/book/11

https://suntzusaid.com/book/12

https://suntzusaid.com/book/13

Defense AT&L: January-February 2018 32

importance to the state. Defending our national infrastructure
and commerce systems is not just vital, but critical to main-
taining our citizen’s safety. The ability to conduct offensive
cyber operations as a means of degrading our enemy’s war-
fighting capability is of equal importance.

n Hold out baits to entice the enemy. Sun Tzu apparently under-
stood the concept of a honeypot 2,500 years ago. A honeypot
entices the enemy into a cyber arena where the defender has
the initiative.

nAttack him where he is unprepared. An unsecured network is
the “low hanging fruit” for a cyber warrior.

Chapter 2. Waging War
n Use the conquered foe to augment one’s own strength. Sun Tzu
apparently understood the

concept of a botnet 2,500 years ago.

n There is no instance of a country having benefited from pro-
longed warfare. This is an interesting observation and equally
true in the cyberwarfare domain. As a cyberwar progresses,
it would be wearing on the population to have disruptions in
commerce, health care and compromises to personal privacy
that would be likely targets in the cyber domain.

Chapter 3. Attack by Stratagem
n The skillful leader subdues the enemy’s troops without any
fighting; he captures their cities without laying siege to them; he
overthrows their kingdom without lengthy operations in the field.
Warfare in the cyber domain could potentially result in over-
throw of the enemy without any physical combat in the other
four warfare domains.

n We may know that there are five essentials for victory:

• He will win who knows when to fight and when not to fight.
• He will win who knows how to handle both superior and

inferior forces.
• He will win whose army is animated by the same spirit

throughout all its ranks.
• He will win who, prepared himself, waits to take the enemy

unprepared.
• He will win who has military capacity and is not interfered

with by the sovereign.

An argument can be made that each of these essentials
apply to the cyber domain. Choosing the cyber battlespace
time and location, understanding streng ths and weak-
nesses of our cyber forces and the enemy cyber forces,
having the initiative, and free rein from civilian authorities
are keys to success.

n If you know the enemy and know yourself, you need not fear
the result of a hundred battles. Winning in the cyber domain
depends on knowing your cyberwarfare capabilities and those
of the enemy.

Chapter 4. Tactical Dispositions
n To secure ourselves against defeat lies in our own hands, but
the opportunity of defeating the enemy is provided by the enemy
himself. Cybersecurity needs to be engineered into our sys-
tems, both military and civilian. Cybersecurity applies to both
networks as well as platforms and control systems. Weak-
ness in enemy systems need to be exploited vulnerabilities
in cyberwarfare.

n To lift an autumn hair is no sign of great strength; to see the sun
and moon is no sign of sharp sight; to hear the noise of thunder is
no sign of a quick ear. In our cyberwarfare domain, we need to
be more than “script kiddies” on defense and offense.

n The skillful fighter puts himself into a position which makes de-
feat impossible, and does not miss the moment for defeating the
enemy. In cybersecurity, our systems need to be resilient that
they cannot be defeated. Our cybersecurity defensive observe,
orient, decide and act (OODA) loop must react to and defeat
any cyberattack.

Chapter 5. Energy
n The impact of your army may be like a grindstone dashed against
an egg—this is effected by the science of weak points and strong.
Analysis of software or hardware weaknesses, vulnerabilities,
pivot points and attack surface will support the identification
of weak points and strong points.

n Energy may be likened to the bending of a crossbow; decision,
to the releasing of a trigger. A Trojan implanted in a system has
potential energy that is released when the trigger command
conditions are satisfied.

Use the conquered foe to augment

one’s own strength.

Sun Tzu apparently understood the

concept of a botnet 2,500 years ago.

33 Defense AT&L: January-February 2018

n Energy amid the turmoil and tumult of battle, there may be
seeming disorder and yet no real disorder at all. Disorder and
chaos may be the intended desire of a cyberattack on a na-
tion’s infrastructure. However, the perceived disorder and
chaos is a result of the orderly commands executed by a cyber
attacker—and, hence, no disorder at all.

Chapter 6. Weak Points and Strong
n The clever combatant imposes his will on the enemy, but does not
allow the enemy’s will to be imposed on him. Warfare in the cyber
domain requires both an offensive and defensive capability.

n A general is skillful in attack whose opponent does not know
what to defend; and he is skillful in defense whose opponent does
not know what to attack. A cyberattack surface can provide
multiple entry points into a system that the attacker can use
to enter and then pivot to critical subsystems. Keeping knowl-
edge of our weaknesses from our enemy will reduce the likeli-
hood of a successful attack.

n O divine art of subtlety and secrecy! Through you we learn to
be invisible, through you inaudible; and hence we can hold the en-
emy’s fate in our hands. This cuts to the heart of cyberwarfare
principles. A successful advanced persistent threat (APT) is
subtly and secretly entered into the target system or a Trojan
is likewise introduced. From that point on the system is owned
(“Pwned”) by us, and its fate is in our hands.

n Do not repeat the tactics which have gained you one victory,
but let your methods be regulated by the infinite variety of cir-
cumstances. Our offensive tactics in the cyber domain must
continually evolve. What worked in one engagement will very
probably not work in the next unless we stay inside of the
defenders OODA loop. Conversely, our cyber defenses must
be threat agnostic and behavioral based. Beat the abnormal
behavior and you’ve defeated the threat regardless of the
tactics evolution. This also is associated with Sun Tzu’s fol-
lowing precept:

n He who can modify his tactics in relation to his opponent and
thereby succeed in winning, may be called a heaven-born captain.

Chapter 7. Maneuvering
n Let your plans be dark and impenetrable as night, and when you
move, fall like a thunderbolt. Maneuver in the cyber domain must
be kept secret and when the trigger is pulled, the cyberattack
must be designed to effectively accomplish the mission.

n Ponder and deliberate before you make a move. This is equally
true and maybe more so in the cyber domain. Cyberattacks
may result in retaliatory attacks that the aggressor is unpre-
pared to respond to or may even lead to traditional warfare in
the other domains.

Chapter 8. Variation in Tactics
n In the wise leader’s plans, considerations of advantage and of dis-
advantage will be blended together. Strategic and tactical trade

space in the cyber domain needs to be understood prior to any
engagement. We will always hold some advantages but will
also have a disadvantage somewhere.

n Reduce the hostile chiefs by inflicting damage on them; and
make trouble for them, and keep them constantly engaged; hold
out specious allurements, and make them rush to any given point.
Modern cyberattacks that take down Internet connectivity,
disable communications, or disrupt power generation systems
would be very appealing to Sun Tzu.

n The art of war teaches us to rely not on the likelihood of the en-
emy’s not coming, but on our own readiness to receive him; not on
the chance of his not attacking, but rather on the fact that we have
made our position unassailable. In the cyber domain of warfare,
it is inevitable that we will be attacked. In fact, both our civilian
and military information technology (IT) systems have been
and are being subject to cyberattacks. This is the rationale be-
hind the new System Survivability Key Performance Parameter
that says in part that all new systems need to be designed to
survive in a cyber contested environment. We need to design
our systems to deter, detect and recover from any cyberattack.

Chapter 9. The Army on the March
n Pass quickly over mountains, and keep in the neighborhood of
valleys. Concealing one’s activities to avoid discovery by the
enemy is a central tenet of any good cyberattack. Being able to
enter a system undetected and move laterally within a system
to reach the objective is essential to success.

n If in the neighborhood of your camp there should be any hilly
country, ponds surrounded by aquatic grass, hollow basins filled
with reeds, or woods with thick undergrowth, they must be care-
fully routed out and searched; for these are places where men in
ambush or insidious spies are likely to be lurking. This saying of
Sun Tzu speaks to the design and architecture of our IT sys-
tems. We need to employ software assurance practices in
design/implementation and security architectures that give
our adversary no place to hide malware.

Chapter 10. Terrain
n With regard to ground of this nature [accessible], be before the
enemy in occupying the raised and sunny spots, and carefully guard
your line of supplies. Several studies have shown that our cyber
supply lines are very vulnerable. Department of Defense In-
struction (DoDI) 5200.44, Trusted Systems and Networks,
lays out some countermeasures to address the supply chain
concern. It is essential that the military Services develop sup-
ply chain risk countermeasures and document them in classi-
fied appendices in program acquisition documentation such as
the Life Cycle Support Plan and the Program Protection Plan.

n If you know the enemy and know yourself, your victory will not
stand in doubt. The first phase in the anatomy of a cyberattack
is reconnaissance. The importance of good reconnaissance
was made abundantly clear in the StuxNet virus attack on the
Iranian nuclear fuel enrichment facility. Specific hardware in

Defense AT&L: January-February 2018 34

the facility was subject to the attack and that could not have
been accomplished if necessary intelligence wasn’t gathered
well during the reconnaissance phase.

Chapter 11. The Nine Situations
n Those who were called skillful leaders of old knew how to drive a
wedge between the enemy’s front and rear; to prevent co-operation
between his large and small divisions. Skillful leaders in the cyber
domain will drive a cyber wedge between the enemy’s front
and rear; to prevent co-operation between divisions. DoDI
8510.01, Cybersecurity, recognizes the importance of informa-
tion communication on the modern battlefield and structures
the DoD cybersecurity around protection of the information.
Our modern systems are ever more reliant on participation in
the DoD Information Network (DODIN) for success on the
battlefield. In fact, it has been stated, the “If you are not on
the net, you are a target.”

n Rapidity is the essence of war: take advantage of the enemy’s
unreadiness, make your way by unexpected routes, and attack
unguarded spots. Our successful cyberattack will enter via
unguarded or weakly guarded spots. Conversely, we need to
examine the cyberattack surface for our systems to ensure we
leave no entry point unguarded. The unguarded spot is where
the adversary will launch their exploit.

n The skillful tactician may be likened to the shuai-jan. Now the
shuai-jan is a snake that is found in the Ch`ang Mountains. Strike
at its head, and you will be attacked by its tail; strike at its tail, and
you will be attacked by its head; strike at its middle, and you will
be attacked by head and tail both. Our cyber defensive coun-
termeasures must be modeled after the shuai-jan. Behavioral
monitoring tools that provide for active countermeasures need
to be developed to ensure system resiliency in the face of a
cyberattack. Cyber domain defense tactics are still in their
infancy relative to the other domains of warfare. “The Art of
War” had a significant influence on the works of U.S. Air Force
Col. John Boyd (1927-1997), arguably the best military strate-
gist to work in the field since Sun Tzu. Boyd advanced tactics
in the domain of air warfare following World War II, and cyber
warriors need to do the same in their warfighting domain be-
fore a major conflict in the cyber domain breaks out.

n Forestall your opponent by seizing what he holds dear. Likewise
in the cyber domain! For our systems, we need to conduct a
Cyber Failure Modes Effects and Criticality Analysis (Cyber

FMECA) to determine what is critical and crucial to defend
from cyberattack. In risk management terminology, these
must-defend areas are those that score the high mark of 5
on the consequence (or impact) axis of the risk matrix. In an
aviation system, this may be the flight control algorithms, or in
a defense business system this may be the personal identifica-
tion information of active-duty Service members.

Chapter 12. The Attack by Fire
n The enlightened ruler lays his plans well ahead. A cyber order
of battle and cyber battle plans need to be developed to ensure
the cyber effects are fully considered in other battle

plans.

Likewise, we need to expect cyberattack plans to have been
developed by our adversaries and build cyber effects into our
campaign models.

n No ruler should put troops into the field merely to gratify his own
spleen; no general should fight a battle simply out of pique. War-
fare in the cyber domain must be carefully considered. Hasty
action in the cyber domain may result in retaliatory action in
either the cyber or any of the other four warfare domains. An
act of war is an act of war.

Chapter 13. The Use of Spies
n What enables the wise sovereign and the good general to strike
and conquer, and achieve things beyond the reach of ordinary men,
is foreknowledge. The cyber domain throughout history has
been an essential element in gathering intelligence. Crypto-
graphic algorithms, such as the Julian cypher, have been in use
for centuries providing information protection. Likewise, the
breaking of cryptographic algorithms to discover information
has been a key to decisive victories. As proof, I refer the reader
to the victory secured by U.S. forces at the battle of Midway
only 6 months after the devastating Japanese attack on the
U.S. Navy at Pearl Harbor in World War II.

n Be subtle! Be subtle! And use your spies for every kind of busi-
ness. The best advanced persistent threat is subtle and un-
detected in execution of its mission. Our adversaries do not
limit their cyber espionage to the business of the DoD. They
infiltrate the defense industrial base, civilian institutions of
higher learning, financial institutions, and infrastructure (hos-
pitals, power generation and water systems to name a few
such targets).

The author can be contacted at roy.wilson@dau.mil.

The enlightened ruler lays his plans well ahead.
A cyber order of battle and cyber battle plans

need to be developed to ensure the cyber
effects are fully considered in other battle

plans.

This content is in the Public Domain.

T
he term cyberwar is common in
today’s discussions of the national
security challenges facing the United
States and its allies. Understand-

ing what law applies within the cyber domain is
critical for all operational planners, whether or
not they are directly involved in cyber operations.
This article discusses the basics of how the Law of
Armed Conflict (LOAC) affects cyber operations.
It does not address the full spectrum of cyber
operations, namely, defensive cyber operations
and cyber exploitation (espionage activities).
The focus is offensive cyber operations
and the efficacy of existing international
law in governing the use of cyber
capabilities.

First, offensive cyber opera-
tions (hereafter referred to as
cyber operations) are dis-
cussed generically as they
pertain to military opera-
tions. Next, the “triggering”
effects of certain activities
rising to the level of “use of
force” or “armed attack” are con-

sidered. Lastly, the article examines the law that
applies to cyber activity during armed conflicts.
In conclusion, the analysis of cyberwar reinforces
the theory that although means and methods may
change, the underlying rules regulating military
operations adapt well to the evolution of warfare.
Ultimately, the Law of Armed Conflict is suf-
ficient to deal with the novel aspects of operations
in the cyber domain.

The Cyberspace Domain
Cyberspace is defined in a recent Chairman

of the Joint Chiefs of Staff memorandum as a
“domain characterized by the use of electronics

and the electromagnetic spectrum to store,
modify, and exchange data via networked

systems and associated physical infra-
structures.”1 The cyber domain is

more than access to the Internet. As
the definition implies, the cyber

domain encompasses networked

70 JFQ / issue 70, 3 rd quarter 2013 ndupress.ndu.edu

U
.S

.
A

rm
y

(A
u
st

in
B

er
n
er

)

Unpacking cyberwar
The Sufficiency of the Law of Armed Conflict in the Cyber Domain

By K y L e G e n A r o P h i L L i P S

Major Kyle Genaro Phillips, USMC,
is an Assistant Professor at the

U.S. Naval Academy.

ndupress.ndu.edu issue 70, 3 rd quarter 2013 / JFQ 71

Airmen discuss Joint Precision Airdrop
System prior to mission at Joint Base
Lewis-McChord, Washington, using GPS
to guide cargo to drop zone

U.S. Air Force (Leah Young)

systems regardless of whether those systems
are publicly accessed. Additionally, the
cyber domain is a manmade physical entity
and must be distinguished from operations
performed within the domain itself. For
example, information operations may be
performed within the cyber domain but also
through other domains of land, sea, and air
as evidenced by the dropping of leaflets, per-
sonal engagements of key leaders with local
populations, and public broadcasts.2

For purposes of the application of the
LOAC, it is important to separate operations
conducted exclusively in the cyber domain
from operations in which cyber activity sup-
ports larger military efforts. Two examples
from Richard Clarke’s Cyber War illustrate
the distinction.

First, the Estonia cyber event in 2007,
although not officially attributed to the
Russian government, involved attacking
“botnets” resident in “zombie” computers
that created a flood of cyber access requests.
The distributed denial-of-service (DDOS)
attacks led to the collapse of online banking,
newspaper Web sites, and government elec-
tronic services within the state.3 The DDOS
activity was conducted during a heated politi-
cal dispute between the Russian government

and Estonia. A bronze statue was erected in
Estonia recognizing the Red Army’s efforts in
“liberating” the Estonian population from the
Nazis after World War II. The dispute over the
statue involved Estonian legislation calling for
the removal of the statue due to the increasing
resentment by the population over the history
of Soviet control following the war. The leg-
islation was subsequently vetoed by the Esto-
nian president in response to intense political
pressure from Moscow. However, nationalists
continued to call for the removal or destruc-
tion of the statue. The dispute moved into the
cyber domain where the DDOS activity tem-
porarily crippled the population.4 The activity
against Estonia is an example of utilizing a
cyber capability as the primary tool during a
dispute.

Next, compare the Estonian case to
an event involving Syria and Israel the same
year. According to Clarke, the Israeli military
utilized a cyber tool to control the detection
systems in the Syrian air defense. The result
was a radar picture that displayed only what
the Israeli military wanted the Syrians to see.
After the air defense systems were “owned”
by the Israeli military, attack aircraft flew in
and bombed a suspected nuclear weapons
plant. Despite a number of contrary accounts

of the event, if true, the raid on Syria is an
example of utilizing a cyber tool as a support-
ing effort to a traditional military operation.5

Cyber Activity and Jus Ad Bellum
Jus ad bellum is the international law

governing a state’s use of force and is based on
the customary international law principle of a
state’s inherent right of self-defense. It is codi-
fied in Article 51 of the United Nations (UN)
Charter governing individual and collective
self-defense.6 The threshold question that must
be answered to determine what law may apply
to military cyber activity conducted by a state
is whether an armed conflict exists between a
state and adversary, be that adversary a state
or nonstate actor. Jus ad bellum provides a
starting point for the analysis on the lawful
use of cyber activity by a state’s military.

Article 2(4) of the UN Charter prohibits
the threat or use of force by member states
in their international relations against the
territorial integrity or political independence
of any state.7 As specified above, Article 51
recognizes a state’s inherent right to indi-
vidual and collective self-defense against an
armed attack. The International Court of
Justice in the case of United States v. Nica-
ragua highlighted the distinction between
activity that would be an impermissible use of
force under Article 2(4) but would not rise to
the level of an armed attack, and that which
would permit military action under Article
51’s inherent right of self-defense.8 The cyber
domain allows a state to conduct operations
that fall below the use of force, as well as oper-
ations that might cause destruction to prop-
erty or injury and death to persons. Cyber
activity that causes death, injury, or property
damage could rise to the level of a use of force
or armed attack under international law.

As described by U.S. Cyber Command,
cyber activity can be viewed along a spectrum
of actions ranging from cyber espionage to
access operations, and ultimately, on the far
end of the spectrum, activity causing death or
the destruction of property (see figure).9

Cyber espionage, for example, would
not amount to the impermissible use of force
or armed attack triggering the right of the
offended state to respond in self-defense
because the result is simply theft or access to
another state’s networked systems. Further
along the spectrum, cyber disruption opera-
tions likewise would fall short of an unlawful
use of force. For instance, disruption opera-

FEATURES | Unpacking Cyberwar

Figure. Description goes here.

72 JFQ / issue 70, 3 rd quarter 2013 ndupress.ndu.edu

Figure. Spectrum of Cyber Operations*

tions that involve accessing another state’s
networked systems and interfering with the
operations of the network could violate the
principle of nonintervention. This principle
is grounded on the premise that states are
prohibited from interfering in the internal
affairs of other states. An aggrieved state may
protest such activity through the UN Security
Council, but simply accessing and manipulat-
ing data would not justify an armed response
under customary international law or Article
51. The far right of the spectrum in the cyber
domain is the use of force/armed attack
through cyber operations. The threshold
standard justifying the invocation of self-
defense under Article 51 and customary
international law is high. The cyber activity
must result in either physical destruction
of property or death or injury of persons
through sufficient scale and effect to meet
the definition of an armed attack justifying a
proportional response in self-defense.10

The closest open-source example of use
of force in cyberspace is the Stuxnet virus,
which was introduced into Iranian nuclear
facilities and essentially damaged the centri-
fuges used to enrich uranium.11 This example
is intriguing because what is known about
the operation involved exclusively computer-
based means to cause the physical destruc-
tion of a state’s critical infrastructure. Of
course, how a victim state qualifies “action”
as either a use of force, armed attack, or some
other activity interfering with the sovereignty
of the state is an essential step in justify-

ing countermeasures or, in the extreme, a
military response. The fact that the Iranian
government downplayed the damage and
impact of Stuxnet lessened the likelihood
that the activity would be subject to an armed
response in self-defense.

Despite arguments to the contrary, the
application of jus ad bellum in cyber space
is compatible with the traditional approach
under international law. Matthew Waxman
argues persuasively that cyber activity is not
unlike any other novel weapon introduced in
the international community. Furthermore,
by applying an effects-based approach to
cyber activity, operations in cyberspace
should be judged by whether the effect of the
cyber activity is tantamount to a prohibited
use of force or military attack.12 For example,
if a certain cyber operation results in the
physical destruction of critical infrastructure
of another state, then the activity could be
characterized as a use of force. Such activity
might constitute an armed attack under inter-
national law if the force used were significant
in the scale and effect against another state.13

The question of what activity rises to
the level of a prohibited use of force under
Article 2(4) and whether that activity con-
stitutes an armed attack has been subject
to differing international interpretations in
the context of conventional weapons. Cyber
activity certainly provides unique tools
for states to employ against other states in
furthering national security goals.
However, by applying the

law as it exists today (lex lata) to an effects-
based approach to cyber operations, states
have a basis for characterizing the nature
of the activity in order to determine what
lawful responses are available.

Cyber Activity and Jus in Bello
The jus in bello is the law applied in

war. The LOAC presupposes that an armed
conflict exists. At that point, the jus in bello
regulates violence in the conduct of military
operations. Armed conflict is one of two
varieties, international armed conflict or
noninternational armed conflict. As Gary
Solis notes in The Law of Armed Conflict:
International Humanitarian Law in War, the
conflict status is critical to determine what
law applies.14 In an international armed con-
flict, defined as armed conflict between two
or more states, the entire body of Geneva Law
(Four Geneva Conventions of 1949 and Addi-
tional Protocol I) and Hague Law governing
armed conflict would apply. However, in a
noninternational armed conflict, defined as
armed conflict between a state and an orga-
nized armed group, Common Article 3 of
the Geneva Conventions, and, in certain cir-
cumstances, Additional Protocol II applies.15
While the cyber domain is novel in the tools
available to warfighters, the current law is
sufficient to govern activity in the cyber
domain within the context of an armed con-
flict, be it international or noninternational.

Department of Defense policy
is to comply with the

PHILLIPS

.S
.
A

ir
F
o
rc

e
(J

o
rg

e
In

tr
ia

g
o
)

Air National Guardsman uses
ROVER 5 handheld portable
transceiver to view targeting
data while performing close
air support

ndupress.ndu.edu issue 70, 3 rd quarter 2013 / JFQ 73

LOAC no matter how an armed conflict is
characterized and in all other military opera-
tions.16 The four core principles of LOAC
are military necessity, distinction, propor-
tionality, and unnecessary suffering. Cyber
activity conducted during an armed conflict
is governed by the same rules as other capa-
bilities that a military force may use to ensure
accomplishment of a unit’s mission. However,
prior to analyzing cyber activity within
the framework of the four core principles,
the first question that must be answered is
whether the cyber activity constitutes an
“attack” under the LOAC.

Attack is defined in Article 49 of
Additional Protocol I as “acts of violence
against the adversary, whether in offense
or defense.”17 Michael Schmitt emphasizes
in his article on “Cyber Operations and the
Jus in Bello” that violent action is required
to constitute an attack.18 Cyber operations
during armed conf lict certainly could result
in “violent actions” triggering the same
legal and operational analysis of the four
core principles as any weapon or capabil-
ity within a state’s arsenal. However, as
discussed in the jus ad bellum analysis of
sub-uses of force in the cyber domain, it is
easy to contemplate that most cyber activity
would not reach the violent action standard.
Cyber activity could certainly be used as a
shaping action in conjunction with a much
larger operation carried throughout the
military domains of land, sea, air, and space.
For example, cyber activity could be used to
provide certain information to the civilian
population within the battlespace in the
course of information operations. The target
is the civilian population, but if the sole

purpose, and more importantly, the effect
of the cyber activity is simply to inf luence
and provide information favorable to U.S.
military operations, the activity would not
constitute an attack and the four core prin-
ciples are not implicated.

A more difficult analysis lies in cir-
cumstances where there will be damage or
destruction to civilian property. For civilian
property to be subject to an attack, the prin-
ciple of military necessity must be satisfied.
Military necessity authorizes the use of force
required to accomplish the mission. However,
military necessity does not authorize acts oth-
erwise prohibited by the law of war. Closely
related to military necessity is the concept of
distinction, which requires that attacks only
be directed against military personnel and
military objects. To satisfy this principle,
cyber activity must be attributed to a state or
nonstate actor. The example of the Estonian
DDOS activity is a classic problem of attribu-
tion. The Russian government claimed no
responsibility and blamed the DDOS activ-
ity on “hacktivists,” patriotic Russians who
independently used cyber tools to influence
a foreign state.19 Attribution is certainly a
significant problem in cyber operations;
however, it is not insurmountable. Terrorist
attacks and military operations conducted
by insurgents sponsored by third-party states
have raised attribution problems in the past.
Existing resources can address the attribu-
tion problems in the cyber domain. Detailed
intelligence, coupled with the experience and
judgment of the responsible commander, are
just as applicable in the cyber domain as in
other areas of military operations.

Once a target is identified, it must meet
the requirement of being a valid military objec-
tive, defined in Additional Protocol I as an
object that by its nature, location, purpose, or
use makes an effective contribution to military
action, and whose total or partial destruction,
capture, or neutralization offers a definite
military advantage.20 Cyber operations may be
directed against exclusively military objects or
against so-called dual-use structures having
both military and civilian purposes. Target-
ing dual-use objects must comply with the
standards of military necessity and meet the
definition of a valid military objective.

A unique aspect of operating in the
cyber domain is the simple fact that much of
the infrastructure subject to attack also sup-
ports the civilian population. The concept of
proportionality becomes critical to determin-
ing the lawfulness of cyber operations that
result in the physical destruction of dual-use
targets. The principle of proportionality states
that the anticipated loss of civilian life and
damage to civilian property incidental to an
attack must not be excessive in relation to
the concrete and direct military advantage
expected.21 Dual-use structures such as radio
transmission towers, power lines, and oil
refinery stations are some of the most dif-
ficult targeting decisions to work through
because of the effect their destruction will
have on the civilian population.

Dual-use targets in the context of
cyberwar are further complicated when the
target is data contained on a network server.
It is easy to imagine how certain data that aid
enemy operations would meet the definition
of a valid military objective. Also easy to
imagine is how that same data could aid the
civilian population. Professor Schmitt argues
that data should not generally be character-
ized as an object in itself in the cyber domain
unless its destruction causes the requisite
level of harm.22 For example, destroying the
entire banking system of a state may severely
affect the civilian population. Additionally,
destroying digital art would be analogous to
destroying tangible art. Some attacks in the
cyber domain would clearly be impermissible
(targeting digital art), while others would
only be permissible if there were articulable
military necessity or operations could dis-
tinguish between the valid military objective
and civilian objects. In the case of dual-use
targets, the principle of proportionality would
have to be satisfied. Cyber operations do
present a unique opportunity to specifically

U
.S
.
A
rm
y

(S
h
aw

n
o
n
L

o
tt

)

Soldier attempts to set up
connection with call manager
during exercise Cyber Endeavor,
Grafenwoehr, Germany

Soldier attempts to set up
connection with call manager
during exercise Cyber Endeavor,
Grafenwoehr, Germany
FEATURES | Unpacking Cyberwar

74 JFQ / issue 70, 3 rd quarter 2013 ndupress.ndu.edu

target certain aspects of a dual-use structure
through methods that would easily satisfy
the principle of proportionality. For example,
the Stuxnet virus was specific as to which
components of the centrifuges would be
affected and what harm would result. If
given the option to “destroy” a target using
cyber methods that carefully calculate the
anticipated damage to the surrounding area,
clearly that method would be preferable
to dropping a bomb on the target causing
substantially more damage and potentially
resulting in greater collateral effects. It is
important to keep in mind that such opera-
tions resulting in the “destruction” of infra-
structure—and in limited circumstances,
data—are at the extreme end of the spectrum
of cyber operations. The vast majority of
operations discussed in open-source report-
ing involve a sub-use of force. Operations that
focus on accessing data, influencing the civil-
ian population through information opera-
tions, or disrupting cyber capabilities will

generally not reach the threshold of a “use of
force” or “attack” as currently defined.

Finally, cyber operations must avoid
causing unnecessary suffering to combatants.
The LOAC principle of unnecessary suffer-
ing (commonly referred to as superfluous
injury) recognizes that the harm caused even
to combatants should not be unlimited. The
LOAC proscribes certain means and methods
of warfare designed to cause suffering to
combatants that is substantially dispropor-
tional to the military advantage.23 Examples
of means or methods that cause superfluous
injury include poison gases, certain exploding
bullets, and glass fragmentation devices that
preclude identifying and treating wounds by
X-ray. Lawful weapons can also be used in a
manner that violates the principle of unneces-
sary suffering. Incendiary devices used for
marking and screening in military operations,
if used with the intent of causing unneces-
sary suffering by burning combatants, is one
often-cited example. Cyber tools must be
treated no differently than any other weapon
system. Cyber tools and activity are not likely
to trigger a prohibition per se, as have poison
gases and blinding lasers; however, the effects
of the cyber tool must still be considered

against the core principle of unnecessary
suffering. Cyber tools have the unique advan-
tage of not only mitigating the effects on the
civilian population, but also more completely
taking into account the effects on combatants
and steering clear of any effects that cause
unnecessary suffering under the LOAC.

Conclusion
The threat to U.S. national security

in the cyber domain is real, but is the cyber
sky falling? A discussion of all cyber threats
facing the United States is beyond the scope
of this article. Obvious challenges exist in
the cyber domain, to include attributing
cyber activity to a specific state or nonstate
actor and the speed of action in the cyber
domain. Both attribution and speed of action
complicate the decisionmaking process and
effectiveness of existing countermeasures.
However, what is apparent is that within the
context of jus ad bellum and jus in bello, the
current framework is adequate to navigate

through the operational issues facing military
professionals. From an operational perspec-
tive, cyber is simply one of five domains
(land, sea, air, space, and cyber) that com-
manders must understand, plan, and operate
in to accomplish the assigned mission.
Similar to the introduction of airplanes and
submarines in a commander’s battlespace,
cyber tools can be regulated using existing
laws governing the use of force and military
operations. The advantage of cyber tools
exists in the potential to control the effects
during an attack that could dramatically
reduce the collateral damage associated with
targeting military objectives. JFQ

N o T e s

1 General James E. Cartwright, USMC,
Memorandum for Chiefs of the Military Services,
Commanders of the Combatant Commands, and
Directors of the Joint Chiefs Directorates, “Joint
Terminology for Cyberspace Operations” n.d., 7.

2 David T. Fahrenkrug, “Cyberspace
Defined,” available at .

3 Richard A. Clarke, Cyber War: The Next
Threat to National Security and What to Do About
It (New York: Harper Collins, 2010), 13–14.

4 Ibid., 15–16.
5 Ibid., 1–3.
6 Sean Condron, “The Legal Basis for the Use

of Force,” Operational Law Handbook (Charlot-
tesville, VA: The Judge Advocate General’s Legal
Center and School, 2011), 1.

7 Brian J. Brill and J. Porter Harlow, Law of
War Documentary Supplement (Charlottesville,
VA: The Judge Advocate General’s Legal Center
and School, 2010), 1.

8 International Court of Justice (ICJ), Military
and Paramilitary Activities in and against Nicara-
gua (Nicaragua v. United States of America), Judg-
ment of June 27, 1986, LEXIS 4.

9 Paul Walker, “Assessing Actions Along the
Spectrum of Cyberspace Operations,” PowerPoint
briefing at the James Stockdale Center for Ethical
Leadership, Annapolis, February 29, 2012.

10 Tom Ruys, Armed Attack and Article 51 of
the UN Charter (Cambridge: Cambridge Univer-
sity Press, 2010), 140.

11 Gary D. Solis, “Cyberwarfare, the New
Normal,” The Law of Armed Conflict: International
Humanitarian Law at War, 2nd ed. (New York:
Cambridge University Press, 2012).

12 Matthew C. Waxman, “Cyber Attacks as
‘Force’ under UN Charter Article 2(4),” Interna-
tional Law Studies 87; Raul A. Pedrozo and Daria
P. Wollschlaeger eds., International Law and the
Changing Character of War (Newport, RI: U.S.
Naval War College, 2011).

13 See Nicaragua v. United States; also Oil Plat-
forms Case (2003 ICJ LEXIS 11).

14 Solis, 149.
15 Ibid., 167–168.
16 Condron, citing Department of Defense

Directive 2311.01E, “DoD Law of War Program,”
para. 4.1.

17 Brill and Harlow, 210.
18 Michael N. Schmitt, “Cyber Operations and

the Jus in Bello: Key Issues,” International Law
Studies 87, 92–93.

19 Clarke, 15–16.
20 Condron, 12.
21 Brill and Harlow, 211.
22 Schmitt, 96.
23 Solis, 272.

the effects of the cyber tool must still be considered against
the core principle of unnecessary suffering

PHILLIPS

ndupress.ndu.edu issue 70, 3 rd quarter 2013 / JFQ 75

Reproduced with permission of the copyright owner. Further reproduction prohibited without
permission.

CYBER DOMAIN: STRATEGIES, POLICIES, DOCTRINES AND

LEGAL PERSPECTIVES

Mihai-Ştefan DINU
Senior Researcher, National Defense University “Carol I”,

mihaistdinu@yahoo.co.uk

Abstract: Once it was understood that the term” information society” is something more than a metaphor
suggesting the ongoing reality for almost five decades, different more or less complex theories made their way

into the ideas of specialists and the academia that promoted development of most human activities in a virtual

space created by semiconductors and developed over the networking infrastructure of the 7 continents.

Gradually, population of this space by government entities, corporate, military, educational, etc. but also its use

as a medium of socialization through various platforms like Google+, Facebook, and Twitter brought to the

attention of all users the presence of behaviors less desirable. It is about criminal activities whose range can go

from mere unauthorized access to a computer or computer system and continues with identity theft and

launching various attacks on governmental critical infrastructure, inflicting significant damages.

On this background, policymakers, supported by field theorists have promoted and implemented through various

government policies, cyber security strategy in order to protect national infrastructures and ensure continuity of

daily activities. This type of defensive behavior against damaging cyber actions was also adopted by military

organizations having seen the opportunity to conduct certain types of operations in cyberspace. So they were

issued and implemented the cyber operations doctrines, while extending the conceptual field and leading to the

emergence of terms like cyber war, cyber warfare, cyber operations and elements regarding legal framework of

waging this kind of war etc.

In this paper we analyze how some of these concepts were defined and implemented, focusing on the need for

adopting new legal regulations, both national and international adapted to the new realities of the modern

information society.

Keywords: cyberspace, cyber-attack, cyber conflict, cyber security strategy, cyber doctrine, cyber law

Introduction

There is no doubt that modern human life on the XXI century could not be perceived
in its entirety without the significant role of technology, especially information and
communication technology, which permitted in the last two decades a burst regarding not
only at professional level of communication and information of human activities, but at the
individual intimate level of every individual. Along with these aspects of human life, research
and development activities benefitted of the means provided by the technological
development. Thus, should not have been a surprise for anyone that the perspective depicted
at the beginning of the 8th decade of XXth century by Yoneji Masuda in his work The
Information Society as Post-Industrial Society1, promoted information utility as the main
production center of information society. In his perspective the information utility constitute
of information networks and data banks, in other words a public infrastructure based on
interconnected computers.

In the same period Masuda’s view was promoted another significant event was taking
place: The Internet emerged public from the military testing laboratories. Initially perceived
as a tool that facilitated communication, Internet rapidly expanded its functions along with
geographic area. Today, the Internet is not only a technological tool, in 2011 the United

1 Yoneji Masuda, The Information Society as Post-Industrial Society, World Future Society, Washington D.C.,
1981.

139

Nations declared in a report issued by the Special Rapporteur on the promotion and protection
of the right to freedom and opinion and expression, Frank LaRue, that by the fact that it
facilitates the realization of a range of other human rights2, the access to internet is a
fundamental right. This affirmation comes in the context in which, 11 years earlier, Estonia
legislates3 Internet access as a basic human right, in the year 2009 France Constitutional
Council4 declared it a fundamental right and, similarly, a 2010 decision5 of Costa Rica
Constitutional Court.

Obviously, the free access to internet did not attract only positive actions, but also
criminal ones, the large virtual cyberspace becoming populated not only with actors offering
facilitating social, educational or professional tools but with diverse criminal actors whose
actions lead to decisions taken by vast majority of nation states to legally, politically and
technically protect their infrastructures.

On the actors and actions taken by the states or organizations we will focus on the
subsequent structures of this paper.

Brief Presentation of Actors in Cyberspace – their targets, techniques and effects

Statistics indicates that malevolent actions of actors in cyberspace in the previous year
(2016) experienced an increased number comparing with th previous two years as depicted in
the following graph.

Figure no 1. Comparison of monthly cyber-attacks in previous three years6

Regarding categories of actors in cyberspace we briefly mention here:

 State sponsored actors
 Individual actors
 Hacktivists
 Cyber-terrorists

2 ***, A/HRC/17/27/ – Report of the Special Rapporteur on the promotion and protection of the right to freedom
and opinion and expression, Frank LaRue, United Nations’ General Ansambly, 16 May 2011, p. 7
3 Stephen Tully, A Human Right to Access the Internet? Problems and Prospects, in Human Rights Law Review,
vol. 14, Issue 2, Oxford University Press, pp. 175-195
4 ***, Decision no. 2009-580 of June 10th 2009 at www.conseil-constitutionnel.fr/conseil-
constitutionnel/root/bank_mm/anglais/2009_580dc (14.02.2017)
5 Sala Constitutional, La Sala en la Prensa 2010(2011) p. 118 at www.poder-judicial.go.cr/sala-
constitutional/documento/salaenpresa2010 (14.02.2017)
6 Paolo Passeri, 2016 Cyber Attacks Statistics, at www.Hackmageddon.com/2017/01/19/2016-cyber-attacks-
statistics/ (16. 02.2017)

140

http://www.conseil-constitutionnel.fr/conseil-constitutionnel/root/bank_mm/anglais/2009_580dc

http://www.poder-judicial.go.cr/sala-constitutional/documento/salaenpresa2010

2016 Cyber Attacks Statistics

 Organized crime actors
 Organizations
 Information security actors
 Authorities and Law enforcement
 Unknown Identity or no affiliation actors

In most cases, statistics indicates that motivations driving the attacks are as follows:
 Cyber crime
 Hacktivism
 Cyber espionage
 Cyber warfare
 Unknown

Figure no 2. Comparison of percentages regarding motivations of attacks in 2015 and 20167

The targets affected by these attacks are diverse, percentages of these attacks by target

being graphed in figure no.3.

Figure no 3. Comparison of percentages indicating nature of targets in 2015 and 20168

There is an important characteristic of those attack resulting from the graph, namely
the fact that if industrial, governmental and organization entities, keep their top places, in

7 Paolo Passeri, 2016 Cyber Attacks Statistics, at www.Hackmageddon.com/2017/01/19/2016-cyber-attacks-
statistics/ (16. 02.2017)
8 Ibidem

141

2016 Cyber Attacks Statistics

2016 there was an increase in attacks regarding education entities. According to a report9
issued in 2016, the main vectors of attack used against education entities were:

 Obtained credentials
 Phishing
 Reconnaissance
 Remote access tools
 Scanning tool
 SQL Injection
 Web Shell

In this point we can make the transition from targets to the attacker’s preferred
techniques. Also cited statistics realized by Paolo Passeri, indicates that top ten techniques
(figure no. 4) used by the attackers are as follows:

 Account hijack
 Targeted attack
 DDoS attack
 SQL Injection
 Malware etc.

Figure no 4. 10 most used attack techniques in 2014, 2015 and 201610

Divers actors acting in Cyberspace, the multitude of targets and the complex

techniques of attack, should be an indicator measuring permeability level of cyberspace by
malevolent attacks that can range from cybercrime to cyber espionage and cyber warfare.

Strategies and doctrines in the cyber warfare era

Cyber-attacks are a very cheap and accessible way of striking the power of a State. In
context of rapid development of the global cyber system, the interdependency level is
growing along with the dependence of energy, transportation, communications, financial and
military critical infrastructures on the global network.

9 ***, Common Cyber Threats to Universities, Multi-State Information Sharing & Analysis Center, New York,
2016, p. 2.
10 Paolo Passeri, 2016 Cyber Attacks Statistics, at www.Hackmageddon.com/2017/01/19/2016-cyber-attacks-
statistics/ (16. 02.2017)

142

2016 Cyber Attacks Statistics

Thus, the effects of a major cyber-attack could be disastrous for the entire human
activity11, leading to economic crisis, disruptions12 in communications and transportations and
health infrastructure, we previously mentioned some of the consequences in the Russian-
Georgian war back in 2008. Such cyber tools can be easily transformed in cyber weapons in
the hand of terrorist or criminal organizations which can be very active during an ongoing
armed conflict.

In order to prevent such situations nation states issued Cybersecurity National
Strategies and Cybersecurity Implementation Plans. In this regard international organizations
like NATO assumes the mission to enhance the capability, cooperation and information
sharing among NATO, NATO nations and partners in the field of cyber defense through
education, research and development, lessons learned in order to accumulate, create and
disseminate knowledge in the above mentioned field.

So here is a first distinction we have to mention, that between cyber security and cyber
defense. In terms of definition such distinction is rather difficult because of the specific
definitions issued in national strategies or doctrine by every nation state.

When the cyber security is discussed there are proposed definitions like the desired
state of an information system in which it can resist events from cyberspace likely to

compromise the availability, integrity or confidentiality of the data stored, processed or

transmitted and of the related services that these systems offer or make accessible.

Cybersecurity makes use of information systems security techniques and is based on fighting

cybercrime and establishing cyber defense13, or the protection of internet connected systems
(to include hardware, software and associated infrastructure), the data on them, and the

services they provide, from unauthorized access, harm or misuse. This includes harm caused

intentionally by the operator of the system, or accidentally, as a result of failing to follow

security procedures or being manipulated into doing so14.
In Romanian perspective, cyber security means the state of normality resulting from

the application of a set of proactive and reactive measures that ensure the confidentiality,

integrity, availability, authenticity, and non-repudiation of information electronically for

public and private resources and services in cyberspace. Proactive and reactive measures

may include policies, concepts, standards and guidelines for security, risk management,

training and awareness activities, implementing technical solutions to protect cyber

infrastructure, identity management, and consequence management15.

Diversity of perspectives it is kept also in defining cyber defence/defense concept, the
common element being the military characteristics of the term. Therefore, the proposed
definitions stated that cyber defense means:

 organized capabilities to protect against, mitigate from and rapidly recover
from the effects of cyber-attack (US/Russia perspective16);

11 Dănuţ Turcu, Main Information Security Activities Of An Intelligence Service, in Buletin of “CAROL I”
National Defense University, No. 1/2014, Bucuresti, 2014, p. 51.
12 Sorin Topor, Aproach About Joint Cyber And Electronic Warfare And Futures Of The Military Operations, in
the 10th International Scientific Conference “Strategies XXI”: Strategic Changes In Security And International
Relations, vol. 3, “CAROL I“ National Defense University Publishing House, Bucharest, 2014 , pp. 72-76
13 ***, Information systems defence and security: France’s strategy, French Network and Information Security
Agency, Paris, 2011, p. 21.
14 ***, National Cyber Security Strategy 2016-2021, issued by HM Government, 2016, p. 75.
15 ***, HG 271/2013, pentru aprobarea Strategiei de securitate cibernetică a României şi a Planului de acţiune
la nivel naţional privind implementarea Sistemului naţional de securitate cibernetică, Monitorul Oficial Partea I
nr. 296 din 23.05.2013
16 https://ccdcoe.org/cyber-definitions.html

143

 the set of all technical and non-technical measures allowing a State to defend
in cyberspace information systems that it considers to be critical (France
perspective)17;

 all measures to defend cyber space with military and appropriate means for
achieving military-strategic goals. Cyber defense is an integrated system,

comprising the implementation of all measures relating to ICT and information

security, the capabilities of milCERT and CNO (Computer Network

Operations) as well as the support of the physical capabilities of the army

(Austria perspective18).
Implementing National Security Strategy, there are some states, namely US that

translates strategy’s imperatives into military doctrine19. The US doctrine integrates
cyberspace into joint operations, defines cyberspace operations and their relation to joint
functions, along with their planning and coordination, covering authorities, roles and
responsibilities, providing a joint doctrine for the planning, preparation, execution, and
assessment of joint cyber operations across the range of military operations.

Legal perspectives

As we stated in previous section of our paper, cyber-attacks are a very cheap and
accessible way to strike the power of a State. Techniques of cyber-attack can be easily
transformed in cyber weapons in the hand of terrorist or criminal organizations which can be
very active during an ongoing armed conflict or even on the background of non-violent
tensions. What happened if cyber-attacks are conducted as an armed conflict? There are any
norms of law of armed conflict applicable to cyber conflicts?

Article 2 Common to the four 1949 Geneva Conventions sets forth the traditional
formula: all cases of declared war or to any other armed conflict which may arise between
two or more of the High Contracting parties20. In this sense, we could consider that if a cyber-
attack that can be attributed to a State result in material damages or loses of human life and
therefore an international armed conflict is occurring.

In this regard there are various perspective on the existence of a legal framework
applicable to cyber warfare. Thus, in this section of our paper we will analyze different
perspectives on this matter, focusing on the views of United Nations (UN), EU and NATO.

At the level of UN, which theoretically benefits from the contributions of almost all
countries, there were few initiatives looking to set an international legal framework regarding
the regulation of cyber-attacks. Among these initiatives we should mention the 2004
resolution on creation of a global culture of cybersecurity and the protection of critical
informational infrastructures, which had a week feedback from the member nations. Beside
these initiatives we must note the proposal that Security Council to be empowered with the
attribute to decide when a cyber-attack constitutes a threat and violates the international
treaties and peace on the basis of article 42: Should the Security Council consider that
measures provided for in Article 41 would be inadequate or have proved to be inadequate, it

may take such action by air, sea, or land forces as may be necessary to maintain or restore

international peace and security. Such action may include demonstrations, blockade, and

other operations by air, sea, or land forces of Members of the United Nations21.

17 Ibidem
18 ***, Austrian Cyber Security Strategy, Federal Chancellery of the Republic of Austria, Vienna, 2013, p. 21
19 ***, Joint Publication 3-12 (R), Cyberspace Operations, 2013
20 ***, Geneva Convention I, art. 2; Geneva Convention II, art. 2; Geneva Convention III, art. 2; Geneva
Convention IV, art. 2
21***, Charter of the United Nations, at http://www.un.org/en/sections/un-charter/chapter-vii/

144

At European Union level strong efforts were conducted in the direction to norm the
behavior of cyberspace actors. We can indicate at least four major legal milestones in this
regard:

 2001 Convention on Cybercrime issued by the Council of Europe which could
constitute a limitation framework for cyber warfare operations;

 2004 Establishment of European Union Agency for Network and Information
Security (ENISA) as a center of expertise for cyber security in Europe.

 2011 Communication on Critical Information Infrastructure protection (CIIP)
adopted by European Commission focusing on the protection of Europe from
cyber disruptions by enhancing security and resilience22.

 European Parliament resolution of 12 June 2012 on critical information
infrastructure protection – achievements and next steps: towards global cyber-
security23.

Regarding politic and military level covered by NATO, the initiatives to regulate
attacks in cyberspace were taken under the institutional umbrella of NATO Cooperative Cyber
Defense Centre of Excellence located in Tallinn (Estonia). Strongest initiative in the analyzed
domain is The Tallinn Manual, which was published earlier this month, in its second edition,
an updated version that constitute the most comprehensive analysis of how existing
international law applies to cyberspace. According to authors Tallinn Manual 2.0 analysis
rests on the understanding that the pre-cyber era international law applies to cyber

operations, both conducted by and directed against states. This means that cyber events do

not occur in a legal vacuum and thus states have both rights and bear obligations under

international law24. The same source states that the manual covers a full spectrum of
international law as applicable to cyber operations, ranging from peacetime legal regimes to
the law of armed conflict. The analysis of a wide array of international law principles and
regimes that regulate events in cyber space includes principles of general international law,
such as the sovereignty and the various bases for the exercise of jurisdiction. The law of state
responsibility, which includes the legal standards for attribution, is examined at length.
Additionally, numerous specialized regimes of international law, including human rights law,
air and space law, the law of the sea, and diplomatic and consular law are examined within the
context of cyber operations.

Conclusions

Following this brief analysis, it is necessary to draw some conclusions. First of all is
referring the fact that cyberspace is a relatively new space of human activities and despite its
“youth” there are a lot of controversial issues raised at international level regarding behaviors
manifesting within it.

In order to correct such behaviors and to limit disastrous effects that could be brought
by the use of dangerous cyber tools/weapons, most of nations took the initiative to issue at
domestic and organizational levels national, European, cyber security strategies or similar. All
these strategies and military doctrine are resting on the norms of International Law existing
before the emergence of cyber space. That is why acting in time of conflict in the cyber space
bring to surface diverse legal issues on which the international community must focus a lot
from now on, considering the fact that along with the unprecedented development of cyber
domain there are similar fields (robotics, artificial intelligence etc.) awaiting to know their

22 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF
23 http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+P7-TA-2012-
0237+0+DOC+PDF+V0//EN
24 https://ccdcoe.org/sites/default/files/documents/CCDCOE_Tallinn_Manual_Onepager_web

145

behavior in the framework of International Law and also the ethical norms that will shape this
behavior.

BIBLIOGRAPHY

1. ***, A/HRC/17/27/ – Report of the Special Rapporteur on the promotion and
protection of the right to freedom and opinion and expression, Frank LaRue,
United Nations’ General Assembly, 16 May 2011

2. ***, Austrian Cyber Security Strategy, Federal Chancellery of the Republic of
Austria, Vienna, 2013

3. ***, Charter of the United Nations, at http://www.un.org/en/sections/un-
charter/chapter-vii/

4. ***, Common Cyber Threats to Universities, Multi-State Information Sharing &
Analysis Center, New York, 2016

5. ***, Decision no. 2009-580 of June 10th 2009 at www.conseil-
constitutionnel.fr/conseil-constitutionnel/root/bank_mm/anglais/2009_580dc
(14.02.2017)

6. ***, Geneva Convention I, art. 2; Geneva Convention II, art. 2; Geneva
Convention III, art. 2; Geneva Convention IV, art. 2

7. ***, HG 271/2013, pentru aprobarea Strategiei de securitate cibernetică a
României şi a Planului de acţiune la nivel naţional privind implementarea
Sistemului naţional de securitate cibernetică, Monitorul Oficial Partea I nr. 296
din 23.05.2013

8. ***, Information systems defence and security: France’s strategy, French Network
and Information Security Agency, Paris, 2011

9. ***, Joint Publication 3-12 (R), Cyberspace Operations, 2013
10. ***, National Cyber Security Strategy 2016-2021, issued by HM Government,

2016
11. ***, Sala Constitutional, La Sala en la Prensa 2010(2011) p. 118 at www.poder-

judicial.go.cr/sala-constitutional/documento/salaenpresa2010 (14.02.2017)
12. Dănuţ Turcu, Main Information Security Activities Of An Intelligence Service, in

Buletin of “CAROL I” National Defense University, No. 1/2014, Bucuresti, 2014
13. http://eur-

lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF
14. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-

//EP//NONSGML+TA+P7-TA-2012-0237+0+DOC+PDF+V0//EN
15. https://ccdcoe.org/cyber-definitions.html
16. https://ccdcoe.org/sites/default/files/documents/CCDCOE_Tallinn_Manual_Onep

ager_web
17. Paolo Passeri, 2016 Cyber Attacks Statistics, at

www.Hackmageddon.com/2017/01/19/2016-cyber-attacks-statistics/ (16.
02.2017)

18. Sorin Topor, Aproach About Joint Cyber And Electronic Warfare And Futures Of
The Military Operations, in the 10th International Scientific Conference
“Strategies XXI”: Strategic Changes In Security And International Relations, vol.
3, “CAROL I“ National Defense University Publishing House, Bucharest, 2014

19. Stephen Tully, A Human Right to Access the Internet? Problems and Prospects, in
Human Rights Law Review, vol. 14, Issue 2, Oxford University Press

20. Yoneji Masuda, The Information Society as Post-Industrial Society, World Future
Society, Washington D.C., 1981

146

Reproduced with permission of the copyright owner. Further reproduction prohibited without
permission.

Full Terms & Conditions of access and use can be found at
https://www.tandfonline.com/action/journalInformation?journalCode=fasi20

Asian Security

ISSN: 1479-9855 (Print) 1555-2764 (Online) Journal homepage: https://www.tandfonline.com/loi/fasi20

Privateering in Cyberspace: Should Patriotic
Hacking Be Promoted as National Policy?

Forrest B. Hare

To cite this article: Forrest B. Hare (2019) Privateering in Cyberspace: Should
Patriotic Hacking Be Promoted as National Policy?, Asian Security, 15:2, 93-102, DOI:
10.1080/14799855.2017.1414803

To link to this article: https://doi.org/10.1080/14799855.2017.1414803

Published online: 26 Dec 2017.

Submit your article to this journal

Article views: 1414

View related articles

View Crossmark data

https://www.tandfonline.com/action/journalInformation?journalCode=fasi20

https://www.tandfonline.com/loi/fasi20

https://www.tandfonline.com/action/showCitFormats?doi=10.1080/14799855.2017.1414803

https://doi.org/10.1080/14799855.2017.1414803

https://www.tandfonline.com/action/authorSubmission?journalCode=fasi20&show=instructions

https://www.tandfonline.com/doi/mlt/10.1080/14799855.2017.1414803

http://crossmark.crossref.org/dialog/?doi=10.1080/14799855.2017.1414803&domain=pdf&date_stamp=2017-12-26

Privateering in Cyberspace: Should Patriotic Hacking Be Promoted
as National Policy?
Forrest B. Hare

ABSTRACT
Leaders in some Asian countries have argued that it is necessary to follow
the lead of the Russians and Chinese, who have been promoting patriotic
hackers to achieve national security goals. The arguments in support are
not without historical precedence. In naval warfare, many nations advo-
cated using private citizen fighters called privateers to support their military
operations. In this analysis, I look at the role privateering has played
historically in naval warfare to see what lessons can be applied to the policy
option of promoting independent but government-sponsored hacking to
achieve national security objectives. I also present legal considerations that
have evolved since the practice of privateering was abolished. The analysis
argues that countries unable to fully control and coordinate civilian hacking
activity with government operations should not promote the activity.

Introduction

Several countries have begun to consider an approach to cyberspace operations that is modeled on
the actions of other states that have outsourced the cyber operation components of their military and
intelligence communities. Russia and China, for example, have promoted “patriotic hacking” to
support their efforts to prepare for a potential conflict or to use during one. In both countries, the
civilian hacker community has been leveraged to gather intelligence and create cyber effects that
support conventional military operations and other coercive actions.1 Thought leaders and officials
in other Asian countries that have limited ability to generate a professional cyber force have argued
that it is necessary “to fight fire with fire” and follow the lead of the Russians and Chinese. In effect,
they propose that it would be more efficient to rely similarly on patriotic hacking groups to achieve
their desired objectives in cyberspace.2 Although cyberspace and its many complexities have become
a national security issue only in recent decades, the arguments made here are not without historical
precedence.

In naval warfare from the 1500s to the 1800s, private citizen fighters who were called priva-
teers – in essence, legalized pirates – supported the war efforts of many countries. These countries
justified their support for privateers because the privateers helped them overcome the advantage
held by the naval powers of the time and enabled them to exploit all combat power at their
disposal. Eventually, however, the countries that promoted privateering concluded that the prac-
tice should be banned.

In this analysis, I look at the role privateering has played historically in naval warfare to see what
lessons can be applied to the policy option of promoting independent but government-sponsored
patriotic hacking to achieve national security objectives. Promoting this kind of patriotic hacking, a
form of modern-day privateering, may have long-term negative effects on national and international
security that outweigh the potential benefits. Therefore, this analysis argues that countries unable to
fully control and coordinate civilian hacking activity with government operations should not
promote patriot hacking as a way to prepare for or wage war.

ASIAN SECURITY
2019, VOL. 15, NO. 2, 93–102
https://doi.org/10.1080/14799855.2017.1414803

http://orcid.org/0000-0001-5655-9119

https://crossmark.crossref.org/dialog/?doi=10.1080/14799855.2017.1414803&domain=pdf&date_stamp=2019-06-08

The analysis starts with a short explanation of patriotic hacking and review of instances where it
appears patriotic hackers have been tacitly encouraged or even prompted to operate in cyberspace to
achieve national security objectives. I then turn to examples of thought leaders recommending that
other states follow suit. With this background in mind, I address the similarities and differences
between promoting privateering and patriotic hacking, and then describe the experiences that led to
the decision to abolish privateering across the world at the end of the 1800s. I also present an
argument based on legal considerations to further discourage governments from promoting priva-
teering activities in cyberspace without fully integrating the actor into professional cyber organiza-
tions. The analysis ends with my conclusions and policy recommendations.

“Citizens in the Fight”

In this section, I explore the activities that common citizens conduct in cyberspace under the guise of
patriotic hacking and review how the Chinese and Russians have leveraged patriotic hacking
effectively. I then present cases where other Asian nations are calling for the same approach in
their countries.

Dorothy Denning, a prominent cyber security researcher with the United States Naval
Postgraduate School, has defined patriotic hacking as “networks of citizens and expatriates
engaging in cyber attacks to defend their mother country or country of ethnic origin.”3

Considering these citizens have often acted even when their mother country was not directly
threatened, the definition can be expanded to include cyber attacks launched by self-identified
patriots in support of nationalist agendas of their country. The targets of these attacks are most
often visible symbols of target country governments and businesses such as official websites. The
classic example of patriotic hacking is the denial of service attacks on Estonian government and
banking systems that were traced to many thousands of ordinary Russian citizens who were
offended by the decision of Estonia to move a statue.4 These attacks made the online government
services in Estonia inaccessible for several days. Though there was no observable threat to
Russian sovereignty from the move of the statue, the act appeared to offend Russian pride, and
the patriots clearly felt the need to retaliate.

In China (the PRC), there is strong evidence that the government promotes state-sponsored
hacking against both governments and private corporations around the world.5 While the PRC
agenda may be centrally organized and controlled, the actions are most often conducted by less
tightly controlled amateurs, students, and private companies.6 For example, researchers traced the
Aurora attacks of 2010, which went after scores of businesses and the US think tank RAND
Corporation, back to at least two Chinese universities identified as training grounds for patriotic
hackers.7 In 2013, Time magazine profiled Wan Tao of the China Eagle Union hacking group.
According to Hannah Beech of Time, Wan Tao explained that the Chinese government closely
monitored the activities of his group. While the government never punished him for his actions
overseas, he was ordered on at least two occasions to censor all domestic content on the Chinese
Eagle Union’s website, which suggests that the Chinese government selectively controls the group’s
actions.8

Wan also identified individuals who were coerced to hack for the government.9 These examples
pertain mainly to cyber espionage that is conducted during peacetime to promote economic
advantages or achieve other state goals. However, because China has not recently engaged in a
conventional conflict with its regional adversaries, it may be difficult to predict how the government
would interact with patriot hackers during such a conflict or what level of control they would have
over the hackers’ activities. Probably the best insight on this matter can be gained from Chinese
hackers’ response to the midair collision between a Chinese fighter jet and a US Navy EP-3 aircraft
in early 2001. After this incident, Chinese patriotic hacker groups declared a “hacking war” and
attacked hundreds of US government and military websites. They appeared to have done so with the
encouragement of the Chinese government.10 While it is difficult to confirm that the actions of

94 F. B. HARE

Chinese patriotic hackers are closely coordinated or controlled by the Chinese government, there are
clear indications that the government at least encourages their actions.

Unlike the Chinese actions, one can draw a clear link between the Russian government and
patriotic hackers during the conflicts Russia has been involved in recently. Cyber operations that
were coordinated with Russia’s invasion of Georgia provide the clearest picture of how patriotic
hackers can be integrated with conventional kinetic operations. This invasion was the first conflict in
which we could assess the military operations that occurred in all domains of the operation,
including cyberspace.11 A detailed analysis of the cyber component of this conflict was documented
in the 2009 Project Grey Goose cyber operations report. In the report, Jeffrey Carr, the lead
investigator, and his team drew a clear link between the stopgeorgia.ru forum and Russian intelli-
gence organizations:

In the case of possible Russian government involvement with the cyber attacks on Georgian government
websites in July and August, 2008, the available evidence supports a strong likelihood of GRU/FSB planning
and direction at a high level while relying on Nashi intermediaries and the phenomenon of crowdsourcing to
obfuscate their involvement and implement their strategy.12

More recently, there have been indications that the Russian government is supporting the hacker
groups that targeted the Ukrainian power grid in 2015 in an attempt to undermine Ukraine’s ability
to secure its territory against Russian insurgents. Attacks by the Sandworm Team, which analysts
have found to have links to the Russian government, caused 800,000 Ukrainians to suffer a wide-
spread winter power outage.13

While the evidence of linkages is strong, ultimately, the Chinese and Russian governments need
not publicly acknowledge their relationships with their respective patriotic hacker groups. According
to public statements, it appears that some influential individuals in South and East Asia are
convinced that the Chinese and Russian governments have successfully leveraged patriotic hacking
as a national policy. More importantly, the same individuals have argued that, instead of building a
professional cyber force, their own countries should follow suit.14 In India, Kapil Sibal, the former
communications and information technology minister, first called for an army of ethical hackers to
help the nation in 2011.15 Indian cyber lawyer Pavan Duggal explained that he welcomes the effort to
establish patriotic hacking groups in India, but that the IT Act would have to be amended to allow
“patriotic stealth operations.”16 In Japan, a leading cyber security researcher has raised the idea of his
country establishing a legion of “patriotic geeks” to counter foreign cyber threats. Professor
Motohiro Tsuchiya argues that there are too few experts in the military and government because
they offer lower salaries than the private sector. He calls on strident patriots to fill the gap.17 If
individuals in both India and Japan, large nations with tech-savvy populations, argue for such a
policy, it would be plausible for smaller Asian nations with even more limited government resources
to consider turning to patriot hackers to bolster the number of cyber operators in their nations.
There are three possible reasons why encouraging patriot hackers might be more attractive to these
countries than growing their own organic cyber force.

First, training a highly skilled cyber operator can take several years and be expensive. Some
previous examples of patriotic hacking were committed by unskilled hackers (the online equivalent
of throwing a rock at a glass window), but conducting detailed espionage and offensive operations
that support national objectives against advanced targets is much more complicated. The operators
must be skilled in several operating system, network protocols, and end use programs. They need to
be able to infiltrate and navigate without being immediately detected. By the same token, it takes
advanced training and experience to defend effectively against such attacks. Nations already reliant
on cyberspace that have not implemented a policy to train for and grow such expertise are already at
risk in the domain.

Second, unlike the skills developed by other military warriors who look forward to finding only a
small job market outside of the government, the cyber warrior’s skills are highly valued by many
private-sector companies. These companies are concerned about cyber security and exploitation, and

ASIAN SECURITY 95

they are prepared to pay well for employees with strong cyber security skills. As such, most
governments will have difficulty holding onto their cyber professionals once the professionals have
fulfilled any commitment made to pay back their taxpayer-funded training and development.

Lastly, the actions of private hackers allow a government a modicum of plausible deniability.18

States can covertly endorse patriotic hackers’ actions, and if the hackers are caught or the operation
otherwise backfires, the government can then claim they are not connected to the attackers and have
little power to stop them.19 In the previous examples from Russia and China, both governments
denied having any links to patriotic hacking, to their advantage. This argument may therefore appeal
to governments that want to employ patriotic hackers in situations where they want to avoid
confrontation with a great power. Plausible deniability might also provide protection against a
backlash from the international community if an action were to be uncovered and determined to
be illegal. For these reasons, the call to promote patriotic hacking is understandable. However, there
are several arguments against the strategy, which can be highlighted by comparing government
support of patriotic hacking and the historical advocacy of privateering on the high seas.

Lessons Learned from Privateering

Although we often read about how the Internet has become a lawless space where governments can
no longer control the actions of individuals, this situation is not new in the history of the world.
Before the 1900s, global violence was carried out by a slew of non-state actors.20 One of the more
impactful groups of private players in the market of international conflict was the privateers. In this
section, I describe the practice of privateering and compare it to governmental promotion of
patriotic hacking. Then I present an example that demonstrates why privateering was ultimately
abolished as a state practice, and why governments today might likewise wish to discourage patriotic
or privateering hacking.

Privateering occurs when a private person or ship engages in a maritime conflict under the
authority of a state involved in the conflict. Whether for reasons of patriotism or plunder, the
privateer has tacitly been given license to attack enemy ships and seize the cargo.21 Privateering
could only be conducted while a conflict was ongoing between countries, and a privateer’s attacks on
the objects of a sovereign involved in the conflict were considered hostile acts.22 Privateers differed
from militias in that privateers acted largely independently of a national navy. They were, in fact,
often employed by a sovereign to compensate for a weak national navy. Nations attempted to control
the actions of their privateers by requiring them to post a bond. These governments also inspected
the privateers’ ships to ensure compliance with restrictions on their operations.23 Although it
originated much earlier, privateering was a popular practice in naval conflicts from the 1500s to
the 1800s.24

Given this description of privateering, similarities can be found between privateering and
government-sponsored patriotic hacking, and in the justifications states have used to promote
these actions. First, both privateering and government-sponsored patriotic hacking may amount to
combat actions taken by private individuals and groups under the authority of a national
government. Second, although there is still significant debate about where the threshold is for
cyber attacks, it can easily be argued that the actions of both a privateer and a patriotic hacker
can amount to a hostile act that leads to or occurs during a conflict.25 Third, both types of actors are
motivated by patriotic and potential financial gain, and both often have an adventurous spirit. The
privateer and hacker enjoy being legally authorized to do what would otherwise be considered
illegal.26 They both seem to enjoy the notoriety they gain from being “semi-rogue” actors in support
of their nation. Even if the patriotic hackers do not gain directly from their actions during a conflict,
they may use their increased notoriety to seek future financial reward as a cyber security consultant
or hacker for hire. Lastly, both types of actor are free to choose their level of involvement in a
conflict. Since they do not sign a contract binding them to a term of service nor are they conscripted

96 F. B. HARE

and obligated to serve, they can withdraw from a conflict at will without the risk of being tried for
desertion.

While there are several similarities, a few differences relating to relative risks of privateering and
patriotic hacking also bear mentioning. First, the personal risks to the privateer are much higher. In
order to seize booty, the privateer had to venture far from home and place themselves in danger of
direct confrontation with foreign naval vessels. If caught by the enemy, they were often hanged as
pirates. On the contrary, the patriotic hacker need never leave the relative safety of their basement.
Adding in the greater potential for the patriotic hacker to act with anonymity in cyberspace, even an
adversary that has the military means to retaliate will have difficulty locating them quickly enough to
do so. Second, the financial risk to the patriotic hacker is also much lower. There is no need to invest
in the fast and sturdy ship that was required for the privateer to chase down and threaten enemy
shipping. The patriotic hacker only needs their laptop computer, Internet connection, and the short
time needed to learn the skills required to contribute to a denial of service attack. In fact, the
patriotic hacker need not be concerned about the financial gains of their action to compensate for
any risks. They can hack at night and still work a day job. These factors surely make the idea of
joining the ranks of patriotic hacking much more appealing than joining a privateer ship’s crew.
Lastly the physical threats to victims of the patriotic hackers’ actions are much lower. Website
defacement and other attacks may generate a financial loss for the victim, however there is much less
risk of a loss of life from patriotic hacking than from privateering. This difference de-sensitizes the
populace of both parties to a conflict to the risk from patriotic hacking and may make it more
difficult to impress upon governments that they should not encourage the behavior. These differ-
ences do not lessen the practicality of drawing comparisons for policy reasons. In fact, they may
serve to strengthen the argument made later that the actions of the patriotic hacker will be difficult
for a government to control and align with national policy.

In addition to comparing the activities themselves, it is useful to compare the justifications
forwarded by leaders who have endorsed both activities. Interestingly, sovereign rulers use the
same justifications to promote patriotic hacking as they did to promote the activities of privateers.
For example, England in the 1500s did not have the technology or revenues to generate a national
navy strong enough to compete with sea powers like Spain, thus the English rulers authorized
privateers to exercise political power and conduct warfare on their behalf.27 In the 1600s, states
essentially invented plausible deniability to promote privateering. According to Thomson, if a
venture met with success, the ruler could claim a portion of the financial profit and all the political
profit, but if it was a failure or was condemned in the international community, the ruler could claim
it was a private operation.28

However, even with these arguments supporting the practice, national governments eventually
decided to abolish privateering. The reasons for this change of attitude are demonstrated in the story
of one of the most infamous privateers, the “Sea Dog,” Sir Walter Raleigh.

Sir Walter Raleigh first set sail as an explorer in 1584 under the authority of Queen Elizabeth I to
colonize the New World.29 After many years of uneven luck, he became a privateer and led
successful raids against the Spanish in the Atlantic.30 However, in 1618, after the British and
Spanish had signed a peace treaty, one of Raleigh’s ships attacked a Spanish ship. The Spanish
ambassador insisted that King James hold Raleigh accountable for the actions of his crew, which
amounted to piracy. In this case, the king was compelled to make an example of Raleigh in order to
maintain the peace with Spain. As a result, Sir Walter Raleigh was brought back to London and
publicly executed.31 This story is just one of many that show how difficult it was to control
privateers, both during the conduct of war and in peacetime.

Ironically, the state’s efforts to incentivize the privateer to take personal risks made it that
much more difficult for the authorities to control their actions and the risks they posed to
international relations. Once the privateers had tasted the excitement of acting with impunity
during a conflict, the crews became harder to control during lulls in the action. During such lulls,
the privateers reverted to piracy.32 The cycle would start again during the next war when,

ASIAN SECURITY 97

suddenly, pirates were legitimized as privateers. The privateers then began to attack both friendly
and neutral ships during war and peacetime, a pattern of privateering behavior that several
researchers found throughout history. Statham noted, for example, that even if a privateer captain
wanted to follow the rules, his crew had little regard for the laws of war, and trying to control
them risked sparking a mutiny.33 The famous naval theorist Julian Corbett complained that, by
the 1800s, the privateers’ actions had become militarily counterproductive.34 He argued that
sporadic and disorganized attacks by privateers “could never be so efficient as an organized
system of operations to secure a real strategical control of the enemy’s maritime
communications.”35 The pressure mounted, and by the 1800s the allies of countries that still
promoted privateering, neutral countries, and insurance companies all began to complain about
the effects of privateer attacks.36 Finally, when Great Britain determined that privateering was
becoming more advantageous to its weaker adversaries than to itself, the government agreed to
ban naval attacks on neutral ships in exchange for a ban on privateering. The resulting
Declaration of Paris was signed in 1856 by parties to the Crimean War.37 By World War I, all
major powers had committed to adhere to the tenets of the Declaration of Paris, and privateering
was no more.38

So how do these lessons apply to cyberspace? Experts have in fact identified similar challenges in
synchronizing the private actor’s actions in cyberspace with government objectives. For example, the
hacker could ignore orders to stay off critical networks and direct their attacks against domestic and
friendly targets.39 Lin takes the challenges of controlling patriotic hackers a step further, arguing that
they could even hinder control over escalation of a conflict. He suggests that a rush of patriotic
hacking activity may contribute to “catalytic escalation,” which occurs when “some third party
succeeds in provoking two parties to engage in conflict.”40 The anonymity of cyberspace exacerbates
the potential for malicious third parties to blend in with patriotic hackers and instigate instability or
contribute to escalation.

The issues raised to this point have been developed independently of legal considerations, given
that privateering was widely abolished before the laws of armed conflict had been codified. However,
as the application of international humanitarian law in cyberspace becomes clearer, two additional
disadvantages to promoting patriotic hacking have become apparent: the potential for patriotic
hackers to become legally targetable during a conflict, and the potential for their actions to make
a government responsible for violating the laws of armed conflict.

Additional Concerns with Promoting Patriotic Hacking

Governments that adhere to international law, specifically the law of armed conflict (LOAC), should
consider the legal implications of their position toward patriotic hackers. The Tallinn Manual,
drafted by a panel of international legal scholars under the sponsorship of the NATO Cooperative
Cyber Defense Center of Excellence, provides an analysis of international law as applied to cyber
warfare.41 While the manual is not considered a definitive interpretation of LOAC as it pertains to
the domain, policymakers may use the arguments contained therein as a starting point when
considering the actions of patriotic hackers and national responsibilities under LOAC. As argued
by the authors of the Tallinn Manual, LOAC does not prohibit private actors from participating in a
conventional conflict nor does it prohibit anyone from participating in a cyber operation as part of
an international conflict. However, the legal consequences of being an active participant may differ
according to the category to which an individual belongs.42 For example, members of the armed
forces of a party to a conflict are designated as combatants, and they have the legal right to
participate in international conflicts. Importantly, this affords them combatant immunity and, if
captured, prisoner of war status. However, lawful combatants are also assigned “targetability,”
meaning they can be lawfully targeted by the adversary. In the extreme, such targeting means
being killed without any repercussions for the adversary, who also has combatant immunity. Thus
a civilian who participates directly in hostilities will lose the protections given civilians during the

98 F. B. HARE

time they are participating.43 Therefore, it is important to understand what status a patriotic hacker
will maintain during a conflict and the implications for their personal safety if they should become
the target of a conventional attack. This status, which is directly influenced by the state’s position
toward the patriotic hacker, may also affects state authorities’ liability for the hacker’s actions.

Referring to the Tallinn Manual, the authors argue that organized patriotic hackers that have any
de facto relationship to a party to an armed conflict may be considered combatants.44 As such, the
patriotic hacker would be afforded combatant status rights but also the responsibility to adhere to
LOAC. The two important requirements here would be that the hackers be organized, meaning there
is some form of leadership and internal discipline system to enforce adherence to LOAC, and that
some form of relationship exists between the state and the organization that need not be officially
declared. According to Rule 26 of the Manual, the authors suggest that the relationship may be a
“tacit agreement or conclusive behavior that makes clear for which party the group is fighting.”45

Therefore, when a state openly promotes the behavior of organized patriotic hackers, or others can
show that the state has even covertly promoted the actions, it may achieve the threshold of a de facto
relationship between the state and the hacker group. Therefore, “promoting” and “integrating” could
be seen as the same relationship from the perspective of international law.46

If a state chooses to ignore or even discourage the actions of the patriotic hackers, the Tallinn
Manual authors assert it no longer matters whether the hackers are organized as a group. In this
case, there is no de facto relationship, so the patriotic hackers would not meet the minimum
requirements to be lawful combatants. They then become at best “unprivileged belligerents.”
According to Rule 29 of the Tallinn Manual, they would remain civilians and no longer enjoy the
benefits of combatant status, such as combatant immunity and prisoner of war status, should they be
captured. However, should the hackers still choose to engage in the conflict, they would lose their
protection from attack, by cyber or other means, and become lawful targets of the adversary. Should
the state actively discourage the patriotic hacker, it will recognize its responsibility to protect citizens
from being targeted by an adversary’s military operations. The state could also assert it is acknowl-
edging its responsibility under international law to reduce the possibility that any of its citizens will
commit a war crime.

To summarize, from the perspective of the authors of the Tallinn Manual, if patriotic hackers are
organized and at least promoted by the state, they will be recognized as a party to the conflict and
have combatant status. In most other cases, patriotic hackers who take it upon themselves to enter
the fray will be considered citizens who have lost their protection from attack, including a kinetic
attack, when engaging in the conflict with cyber operations. The hackers also will be directly
responsible for any war crimes they may commit. Therefore, from a legal perspective, any nation
considering encouraging patriotic hacking should take pause: if the patriotic hacker cannot be fully
integrated into the operations of government forces, they are best discouraged from launching
attacks. Any option in between may leave the hacker in a grey area and create unnecessary risk to
both the government and the individual.

Conclusions and Policy Recommendations

In 1856, the world’s major powers came together and decided it was time to stop the practice of
privateering on the high seas. Is it time to do the same in cyberspace?

Non-state actors continue to play a significant role in international conflicts, as they have for
hundreds of years. Most types of private party involvement, such as privateering and mercenaries,
were largely removed from the international system by the early 1900s. State control of violence in
the international system has been looked upon as a much more favorable way to manage conflicts
and reduce the potential for escalation and heinous acts. While there have been appealing arguments
for promoting patriotic hacking to achieve national ends, history has shown that promoting private
violence for public ends has had a detrimental impact on the nations that encouraged it, as well as on
global security. A comparison with the historical practice of privateering has been useful to highlight

ASIAN SECURITY 99

the drawbacks of such a course of action. Patriotic hacking is similar to privateering in many ways
such as the combatant status and goals of the private actors to engage in conflict to support national
objectives. They are also similar in the justifications that governments used to encourage their
behavior such as the desire to leverage expertise outside the military and provide plausibility
deniability for hostile actions. Admittedly, there are significant differences between the high-risk
but high-reward pursuit of privateering and the low risks and low barriers to entry associated with
patriotic hacking. However, the differences do not significantly detract from the potential lessons
that modern nations can gain from a comparison. In fact, the lower risks to the patriotic hacker will
most likely exacerbate the challenges a government would have controlling their actions. Some
countries less interested in their standing within the international community may continue to
encourage patriotic hacking to achieve state objectives, if the benefits continue to outweigh any
challenges the government has in controlling the hackers’ actions. But for countries that want to
adhere to international law and ensure their citizens do the same, promoting patriotic hacking in lieu
of developing a professional force should not be considered an option.

Therefore, these private actors should be either discouraged from participating in a conflict on
behalf of the government or the patriotic hackers should be fully integrated with government cyber
defenders. In order to discourage the actions of patriotic hackers, a publicly stated policy denouncing
their actions could be developed and promulgated by national law enforcement agencies. The
hackers must be made aware of potential criminal penalties to which they would be subjected should
they engage in a conflict as a private citizen. On the other hand, integration could take the form of
an auxiliary cyber militia to be mobilized during a crisis, such as the one established in Estonia. In
Estonia, the voluntary Estonia Defence League Cyber Unit (CU) was established in response to the
events of 2007. The main tasks of the CU are to aid in the protection of Estonia’s e-lifestyle and
strengthen the cooperation between public and private stakeholders in the domain of cyberspace.47

The Estonia Defence League even provides refresher training for its volunteers so the civilian
employers of the members can benefit during peacetime as well.48 This model appears to be working
well for this small Baltic nation as it provides for a close control of the volunteers’ actions in the
domain but allows the government to maintain a smaller, full time defense organization.

Privateers have historically been proven to be difficult to control both during and after a conflict.
We can expect that modern day privateers in cyberspace will be equally difficult to control. Their
improper integration can lead to either violations of international law or poor protection from
retaliation in a conflict. We should use lessons learned from the past to encourage the professiona-
lization of cyber operators and keep cyber conflict within the domain of state actors in order to
reduce global insecurity.

Acknowledgements

I am grateful for the research assistance of Tengku Nur Qistina of the Institute of Strategic & International Studies
Malaysia. I am also thankful for comments received on earlier versions of the manuscript from Jordan Thomas, David
Fahrenkrug, and two anonymous article reviewers.

Disclaimer

The views expressed in this article are those of the author and do not reflect the official policy or position of the
Department of Defense or U.S. Government.

Notes

1. Jeffrey Carr, Project Grey Goose Phase II Report (Seattle Washington, USA: Grey Logic, March 20, 2009),
fserror.com/pdf/GreyGoose2 .

2. James Simpson, “Motohiro Tsuchiya: Patriotic Geeks Wanted to Counter a Cyber Militia,” Japan Security
Watch, February 20, 2012, http://jsw.newpacificinstitute.org/?p=9952; “Desi Hackers Join Indian Cyber Army!”

100 F. B. HARE

http://fserror.com/pdf/GreyGoose2

http://jsw.newpacificinstitute.org/?p=9952

Gadget Now, August 5, 2010, http://www.gadgetsnow.com/jobs/Desi-hackers-join-Indian-cyber-army/article
show/6260494.cms

3. Dorothy E. Denning, “Cyber Conflict as an Emergent Social Phenomenon,” in Corporate Hacking and
Technology-Driven Crime: Social Dynamics and Implications, edited by Thomas Holt and Bernadette Schell
(Idea Group Inc, 2010), 170–86, https://www.igi-global.com/chapter/cyber-conflict-emergent-social-
phenomenon/46425.

4. “A Cyber-Riot,” Economist, May 10, 2007.
5. James Mulvenon, “Workshop Keynote Speaker James Mulvenon Discusses Dangers of Chinese Cyber Attacks

Against America,” Text, Hoover Institution, http://www.hoover.org/news/workshop-keynote-speaker-james-
mulvenon-discusses-dangers-chinese-cyber-attacks-against-america.

6. James Andrew Lewis, “Five Myths about Chinese Hackers,” The Washington Post, March 22, 2013, https://www.
washingtonpost.com/opinions/five-myths-about-chinese-hackers/2013/03/22/4aa07a7e-7f95-11e2-8074-
b26a871b165a_story.html?utm_term=.2abf4380709d.

7. Mara Hvistendahl, “China’s Hacker Army,” Foreign Policy, March 3, 2010, http://foreignpolicy.com/2010/03/
03/chinas-hacker-army/.

8. Hannah Beech, “China’s Red Hackers: The Tale of One Patriotic Cyberwarrior,” Time, February 21, 2013,
http://world.time.com/2013/02/21/chinas-red-hackers-the-tale-of-one-patriotic-cyberwarrior/.

9. Beech, “China’s Red Hackers.”
10. Richard Stiennon, Surviving Cyberwar (Lanham, MD: Government Institutes, 2010); P. W. Singer and Allan

Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know, 1st ed. (Oxford and New York: Oxford
University Press, 2014).

11. Andrzej Kozlowski, “Comparative Analysis of Cyberattacks on Estonia, Georgia and Kyrgyzstan,” European
Scientific Journal 10, no. 7, http://eujournal.org/index.php/esj/article/view/2941.

12. Carr, “Project Grey Goose Phase II Report.”
13. Matthew Dean and Catherine Herridge, “‘Patriotic Hackers’ Attacking on Behalf of Mother Russia,” Text.

Article, FoxNews.Com, January 16, 2016, http://www.foxnews.com/politics/2016/01/16/patriotic-hackers-
attacking-on-behalf-mother-russia.html.

14. Segal, “The Danger of Patriotic Geeks.”
15. ET Bureau, “We Need a Community of Ethical Hackers, Says IT Minister Kapil Sibal,” The Economic Times,

November 16, 2011, http://economictimes.indiatimes.com/news/politics-and-nation/we-need-a-community-of-
ethical-hackers-says-it-minister-kapil-sibal/articleshow/10748691.cms.

16. “Desi Hackers Join Indian Cyber Army!”
17. Motohiro Tsuchiya, “No. 143: ‘Patriotic Geeks Wanted to Counter a Cyber Militia,’” Institute for International

Policy Studies, Tokyo, Japan. February 17, 2012, http://www.iips.org/en/publications/2012/02/17153229.html.
18. Heather Harrison Dinniss, Participants in Conflict: Cyber Warriors, Patriotic Hackers and the Laws of War

(Leiden, Netherlands: Martinus Nijhoff Publishers, 2013), 251–78, http://www.diva-portal.org/smash/record.jsf?
pid=diva2:699087.

19. Segal, “The Danger of Patriotic Geeks.”
20. Janice E. Thomson, Mercenaries, Pirates, and Sovereigns (Princeton, NJ: Princeton University Press, 1996).
21. Edward Phillips Statham, Privateers and Privateering (London, England: Cambridge University Press, 2011).
22. Statham, Privateers and Privateering.
23. Thomson, Mercenaries, Pirates, and Sovereigns.
24. Thomson, Mercenaries, Pirates, and Sovereigns.
25. Actions executed through cyberspace that could be classified as hostile acts would be attacks to degrade a

national command and control system or attacks that disable critical infrastructure.
26. Ian Rice and Douglas A Borer, “Bring Back the Privateers,” National Interest, April 22, 2015, http://nationa

linterest.org/feature/bring-back-the-privateers-12695?page=3.
27. Thomson, Mercenaries, Pirates, and Sovereigns.
28. Thomson, Mercenaries, Pirates, and Sovereigns.
29. “Charter to Sir Walter Raleigh: 1584,” Avalon Project Lillian Goldman Law Library (New Haven, CT: Yale

University, 2008), http://avalon.law.yale.edu/16th_century/raleigh.asp.
30. Angus Konstam, Elizabethan Sea Dogs 1560–1605 (Oxford, UK: Osprey, 2000).
31. Thomson, Mercenaries, Pirates, and Sovereigns.
32. John Jameson, Privateering and Piracy in the Colonial Period: Illustrative Documents (New York: Macmillan

Company, 1923).
33. Statham, Privateers and Privateering.
34. Julian S. Corbett, Principles of Maritime Strategy (Mineola, NY: Dover Publications, 2004).
35. Corbett, Principles of Maritime Strategy, p. 93.
36. Thomson, Mercenaries, Pirates, and Sovereigns.
37. Charles H. Stockton, “The Declaration of Paris,” The American Journal of International Law 14, no. 3 (July,

1920): 356–68. doi:10.2307/2187654.

ASIAN SECURITY 101

http://www.gadgetsnow.com/jobs/Desi-hackers-join-Indian-cyber-army/articleshow/6260494.cms

https://www.igi-global.com/chapter/cyber-conflict-emergent-social-phenomenon/46425

http://www.hoover.org/news/workshop-keynote-speaker-james-mulvenon-discusses-dangers-chinese-cyber-attacks-against-america

https://www.washingtonpost.com/opinions/five-myths-about-chinese-hackers/2013/03/22/4aa07a7e-7f95-11e2-8074-b26a871b165a_story.html?utm_term=.2abf4380709d

China’s Hacker Army

China’s Red Hackers: The Tale of One Patriotic Cyberwarrior

http://eujournal.org/index.php/esj/article/view/2941

http://www.foxnews.com/politics/2016/01/16/patriotic-hackers-attacking-on-behalf-mother-russia.html

http://economictimes.indiatimes.com/news/politics-and-nation/we-need-a-community-of-ethical-hackers-says-it-minister-kapil-sibal/articleshow/10748691.cms

http://www.iips.org/en/publications/2012/02/17153229.html.I

http://www.diva-portal.org/smash/record.jsf?pid=diva2:699087

http://nationalinterest.org/feature/bring-back-the-privateers-12695?page=3

http://avalon.law.yale.edu/16th_century/raleigh.asp

38. Stockton, “The Declaration of Paris.”
39. Segal, “The Danger of Patriotic Geeks.”
40. Herbert Lin, “Escalation Dynamics and Conflict Termination in Cyberspace,” Strategic Studies Quarterly 6,

no. 3 (Fall, 2012): 53.
41. Michael N. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn, Estonia:

Cambridge University Press, 2013).
42. Tallinn Manual, Rule 25.
43. Tallinn Manual, Rule 35.
44. There was disagreement among the writers of the Tallinn Manual as to whether or not the members of the

patriotic hacker organization needed to wear a patch in order to meet combatant status. An additional
requirement for combatant status under international law is for the combatants to carry arms openly. The
complexity of this point would be the topic of another article. Therefore, this article assumes that computers are
weapons and those placed on a desk are considered to be in the open.

45. Schmitt, Tallinn Manual, p. 98.
46. Dinniss, “Participants in Conflict.”
47. Estonian Defence League, “The Main Tasks of the EDL CU,” Government Document, KAITSELIIT (August 17,

2017), http://www.kaitseliit.ee/en/the-main-tasks-of-the-edl-cu.
48. Estonian Defence League, “The Main Tasks of the EDL CU.”

ORCID

Forrest B. Hare http://orcid.org/0000-0001-5655-9119

102 F. B. HARE

http://www.kaitseliit.ee/en/the-main-tasks-of-the-edl-cu

Abstract

Introduction
“Citizens in the Fight”
Lessons Learned from Privateering
Additional Concerns with Promoting Patriotic Hacking
Conclusions and Policy Recommendations
Acknowledgements
Disclaimer
Notes

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Navigating Conflicts in Cyberspace: Legal Lessons from the History of War at Sea
Rabkin, Jeremy;Rabkin, Ariel
Chicago Journal of International Law; Summer 2013; 14, 1; ProQuest Central
pg. 197

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

Turn in your highest-quality paper
Get a qualified writer to help you with

“ Cyber Porposal ”

Get high-quality paper

NEW! AI matching with writer

Order an Essay Now & Get These Features For Free:

Turnitin Report

Formatting

Title Page

Citation

Outline

Place an Order