The Evolving Global Cyberwarfare Crisis
March 30, 2017
The intelligence community’s subsequent assessment of the allegations found Russian President Vladimir Putin to be centrally involved in cyberattacks that broke into the e-mail accounts of the Democratic National Committee and Hillary Clinton’s campaign chairman, John Podesta, interfering with the outcome of the United States presidential election. The response was, expectedly, one of shock and distress; the incident called into question the inviolability of American democracy and undermined the presumption that the workings of an election are transparent and that the decision is up to the people of the nation. Russian officials have denied the allegations, and Putin has held that the accusations are merely another ploy on the part of the United States to undermine his power. It is necessary to add some perspective to this incident; cyber warfare legislation has always been a weakly defined area of international law. The legal ambiguities of cyber warfare, coupled with the rapid evolution of technology over the past few decades, have brought the world into an unprecedented realm of information access that often does not adhere to any national boundaries.
The appropriate legal response to uses of cyberspace, as in the role of Russia’s hacking in the election, is unclear. Legislation on cyber-warfare is premature, as litigators are unable to clearly classify ‘cyber-attacks’, ‘cyber-warfare’, and other related expressions under legal statute. The most authoritative document in this field is the Tallinn Manual, which is a non-binding NATO publication prepared by military and legal experts. In this document, ‘cyber-attacks’ are defined as “‘cyber operations’, whether offensive or defensive, that are expected to cause injury or death to persons or damage or destruction to objects.” Under NATO’s definition, it is difficult to deem unlawful influence a ‘cyber-attack.’ Yet, as was observed in the US election, subversion through cyberspace, with no physical causality, can still create deleterious consequences.
Moreover, the intersection of civil and military space runs against realist security ideations. Today, armies are found developing in-house cybersecurity capabilities when better expertise might be available in the private sphere; the bureaucratization of a cyber-response is slower than that of an independent security agent. However, privatization of national security erodes the exclusive power of the nation-state, legitimizing unpredictable sub-state actors who are usually more damaging.
The Private Sector and Cybersecurity
The rise of the information economy in recent decades has shifted firms towards storing valuable property online, on corporate networks. However, the risk associated with storing valuable information online is often underestimated and poorly allocated, due to the complex relationships among financial institutions. This poorly organized risk is apparent in the transfer of risk, when the person or firm responsible for protecting the information system is not the one feeling the repercussions of its failure. A clear example of this lies in the healthcare industry, where online medical records are bought by hospital directors and insurance companies, who do not feel the same level of privacy-infringement risk as patients and, therefore, leave much more up to chance. Additionally, firm managers often neglect to consider the impact cybercrime could have on their companies when making decisions regarding costs. For one, companies look to minimize IT costs without considering the major spillover effects a failure in one sector of the company could have on another. This short-term decision can have a lasting impact on the long-term prosperity of the firm. However, it is important to acknowledge that, as perfect security is not possible, management must constantly make informed decisions regarding the trade-off between efficiency and security. With very stringent security requirements, many firms can find it difficult to operate at a competitive level with other companies in their industry.
Information asymmetries regarding the market for secure software also pose issues to the private sector, due to firms caring more about their reputations and less about security. For one, firms have an incentive to under-report incidents, so as not to tarnish their reputations with investors and consumers. Therefore, inaccurate information regarding the prevalence of cybercrime and information insecurity exists in the market, which makes it harder to manage risk in that area. This information asymmetry subsequently impacts the decision-making of buyers and vendors in the secure software industry: since ill-informed consumers and businesses are more likely to refuse premiums for protection, as they are ignorant of the magnitude of the threats, software vendors are less likely to invest in secure measures in the first place.
Despite the many cyber security issues that plague the private sector, the unparalleled technological development in the United States economy makes it a powerful tool to be used to combat cyber threats. Some policymakers are now exploring the idea of having governmental agencies such as the Department of Homeland Security work with private companies to create standardized cyber security protocols. Their rationale, along with that of other information specialists, is that private sector security protocols will be much more specific and holistic than any government directives. Additionally, the United States government views foreign governments as posing the most substantial cyber-threats to the nation; however, many private-sector businesses rank private groups such as “Anonymous” and other cybercriminals ahead of countries such as Russia and China. These legislators thus believe that the power of these private groups to infiltrate national security is best understood and combated by using the United States’ private sector.
The Legal Situation in Detail
The impasse on cyber legislation can only be resolved by a strong supranational response. However, supranational organizations have not been enthusiastic about this thorny issue. There are several possible reasons for this reluctance.
First, smaller states are driving cyberwarfare legislation. It is no coincidence that the defining document in this area was written in Tallinn. Estonia has been at the forefront of digital developments in Europe at least since the 2007 cyberattacks, when alleged Russian hackers crippled the Estonian government and other corporations. Estonia is now becoming increasingly spooked by Russia’s alleged use of digital propaganda in Ukraine. Estonia is rightfully vigilant. Previously, small states could hide under the umbrella of military alliances like NATO. Yet, if war is becoming less about hard power projection, small states will be left to secure their critical information independently (sensitive national information is not shared in such alliances), which leaves them much more vulnerable. Thus, it is evident why small states are driving change; without the protection of past alliances, these small states are looking to hold their own against information giants by pioneering their own cyberwarfare legislation.
Second, powerful nations fear the legitimization of cyberwarfare. Implementing binding resolutions will have the ancillary consequence of recognizing the legitimacy of cyber-attacks. This would grant belligerent actors greater firepower. Moreover, modern armies are built on computer systems. Any attack on their digital infrastructure could undermine the army more than any conventional force. Thus it is very understandable that powers such as the United States would prefer to wage conventional battles.
Third, cyberwarfare legislation requires thorough clarification of civil laws. The Universal Declaration of Human Rights achieved consensus chiefly over physical security rather than ideological security. The regulation of cyberspace requires protection of digital identities and concerns, which are far more abstract by nature. Thus, any consensus on securitizing cyberspace must pass through the civil rights organs of the UN, where approval is slower by design.
Regardless of the reason, slow supranational organization has allowed individual nations to construct autonomous policy. For the purposes of clarifying the US election issue, an examination of US and Russian policy is in order.
US Cyber-Policy In Practice
The Cyber Command of the United States of America was established in 2009 after the Estonian cyber-attacks. In the same year, the Stuxnet worm infected Iranian nuclear facilities. While this act was never confirmed by the US, experts have determined that US and Israeli agencies likely carried out the attack to stymie the Iranian nuclear program. If true, this would have marked a notable departure from the United States’ propagated cyberwarfare strategy of deterrence and defense, and demonstrates the power of cyberspace to subvert official policy. However, the US is typically conservative in its use of cyber-technology: the Cyber Command is designed to protect the ability of conventional military forces to function, and prevent escalation of violence to innocents. Moreover, the US is aware of high contagion risks, and thus officially restricts cyber capabilities to “support[ing] operational and contingency plans.”
Given the climate of support, and the necessity of protecting civilians, international negotiators must expedite cyber legislation. This could take many forms. First, security organs could be restructured to allow small, motivated states to drive change further. Former UN Secretary-General Ban Ki-moon reiterated at the Small Nation States conference that small nations make up in ideas what they lack in size. Consultative committees and caucuses must thus be led by these small nations. Second, international bodies need to adopt community-driven approaches to security. With expertise in cyber-security lying in the private as well as the public sphere, the Security Council would do well to consult non-governmental agencies. Third, the line between civil and military space needs to be clearly defined. Estonia embarked on a digital citizenry drive which clearly articulates digital private property and digital rights. This catalyzes the process of segregating the internet to limit contagion effects of potential attacks. Moreover, the articulation of a digital identity allows treaties with legal precedents, like the Geneva Convention, to apply to cyberspace easily.
In short, the US election issue is only the tip of the iceberg of issues in cyber-warfare legislation. Violent declarations of aggression must be accompanied by legal pressures for clear definitions, along with set precedents for sound progress, for cyber-defense to have any meaning. In the meantime, cyber-attacks will continue to occupy a slippery space in international legislation, fraught with loose language and hot temperaments.
Student Blog Disclaimer
The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Penn Wharton Public Policy Initiative’s strategies, recommendations, or opinions.