Sponsored by Spectra Cyber Security Solutions
——————————————————————-
20 Jul 17. We Need Cyberwar Rules of Engagement Now. The U.S. and Russia need to agree on basic notions, such as what constitutes an attack, as opposed to a mere nuisance. Today, Russia and the U.S. are engaged in creeping cyberwarfare against each other, and they may well be working to disable or undermine each other’s critical infrastructure. The conflict is potentially deadly and, unlike military interactions between the two adversaries, not subject to even the most rudimentary rules or mutual arrangements. That needs to be fixed, and although a multilateral process under the auspices of the United Nations or the G-20 would be preferable, a bilateral working group, of the kind proposed by Russian President Vladimir Putin during his recent meeting with U.S. counterpart Donald Trump, could be a useful start. The greatest tension in cyberspace today is between the U.S. and Russia; the two can lead the way in defusing it. They have experience doing so on nuclear disarmament after taking the world to the brink of catastrophe. An agreement could serve as a blueprint for a multilateral convention or other bilateral deals—say, with China, which has been known to take an interest in U.S. networks. Countries need to agree on basic notions, such as what constitutes an attack or an illegal intervention, as opposed to a mere nuisance, and what retaliatory moves are legitimate or excessive. An informal but highly authoritative attempt to lay out the issues has already been made. Earlier this year, NATO’s Cooperative Cyber Defense Center of Excellence presented the second edition of the so-called Tallinn Manual, a detailed exploration of current international law as it applies to cyberwarfare. The authors, 19 academics and international law practitioners led by Michael Schmitt of the U.S. Naval War College, had started compiling the manual in 2009 in response to massive Russian cyberattacks on Estonia and then on Georgia during the brief Russo-Georgian conflict. They identified 154 existing rules, but the manual isn’t an official document—it reflects only the authors’ understanding of the law. Within the framework laid out in the Tallinn Manual, the interference U.S. intelligence services ascribe to Russia in the 2016 presidential election wouldn’t qualify as illegal intervention. The activity—spying, “criticism, public diplomacy, propaganda, retribution, mere maliciousness”—wasn’t meant to coerce Americans, who still chose their president freely. Stealing Democratic Party functionaries’ emails, however, would be illegal because it violated their right to privacy. The U.S. would be justified in retaliating—or, in the manual’s legal language, taking “countermeasures.” The scope of such measures, however, would be limited: Any actions that violate fundamental human rights wouldn’t be allowed. The Tallinn Manual’s authors couldn’t agree on whether violating privacy would be permissible as a countermeasure. To retaliate for the election interference, President Barack Obama, the Washington Post reported, ordered U.S. intelligence services to place “implants” in Russian networks “important to the adversary and that would cause them pain and discomfort if they were disrupted.” Activating the implants probably wouldn’t wash under the Tallinn Manual, because it would be a disproportional response. We often use “cyberattack” indiscriminately to describe any kind of intrusion. The Tallinn Manualuses the word “attack” only for cyber operations “reasonably expected to cause injury or death to persons or damage or destruction to objects.” Shutting down a power grid, taking over a city’s traffic light system, or cutting off mobile communications to an area would qualify as an attack because of real-world consequences. It would also be an illegal attack, because it would target civilians, somet