TABLE OF CONTENTS
I. INTRODUCTION
II. CHALLENGES
  A. Lexicon
  B. Organization and Structure
  C. Culture
III. NORMS FOR CYBERSPACE
IV. EXISTING NORMS RELEVANT TO CYBER PARTICIPATION IN THE INTERNATIONAL COMMUNITY
  A. Civil Transactions
  B. Misbehavior in Cyberspace
  C. Espionage, Netcentric Warfare, and Information Operations
V. APPLYING THE LAW OF ARMED CONFLICT
VI. PROPOSED NORMS RELEVANT TO THE INTERNATIONAL LEGAL COMMUNITY
  A. Principle #1: No nation may knowingly allow its information infrastructure to be used to harm another nation
  B. Principle #2: The fact that a harmful cyber incident is conducted via the information infrastructure subject to a nation's control is prima facie evidence that the nation knows of the use and is responsible for the cyber incident.
  C. Principle #3: A neutral nation that takes no action that favors one belligerent over another does not lose its neutral status
VII. PROPOSED NORMS RELEVANT TO INTERNAL LAWS AND REGULATIONS
  A. Principle #4: Each nation is responsible, through creation of public and private laws, for ensuring the security and resilience of the information infrastructure subject to its national jurisdiction
  B. Principle #5: A nation-state has the right of self-defense against internal cyber threats to public order as well as external cyber threats to the state
VIII. CONCLUSIONS

I. INTRODUCTION
Law is at its best when it is consistent and predictable. Bruno Zeller opines, "In an ideal world one law would be applicable to cover all transactions of a similar nature wherever they occur." (1) Consistency and predictability allow us to form reliable expectations about the legal risks associated with our decisions. This is particularly important when the legal regime is complex and rapidly evolving, as is the case with cyberlaw. (2) Consistency has, of course, temporal characteristics as well as geographic aspects. When laws and regulations governing behavior in cyberspace are consistent throughout the international community, stable over time, and have predictable applications and results, confidence grows in users' abilities to use cyberspace safely. Nation-states can also have more confidence regarding national and international security of assets and systems dependent upon the global information infrastructure.
Of course, consistency must be more than a characteristic of legal codes; it must also be a characteristic of the legal systems applying the codes. Consistent legal codes applied inconsistently or corruptly will lead to inconsistent results, and hence confusion and suboptimization of our decision processes. Predictability allows us to use the law to base our decisions on sound risk management, knowing the probable legal consequences of the decisions we make. (3) International law, by its very nature, seeks treaties and principles of customary law that help achieve consistency and predictability. In this article, we use a normative approach to invoke common principles that can inform and guide the development of a consistent and predictable international cyberlaw.
It is widely recognized that human beings are increasingly interacting in cyberspace: meeting, communicating, playing, buying and selling, as well as hacking, stealing, perpetrating fraud, invading privacy, harassing, defaming, denying service through flooding, and engaging in other forms of misbehavior. (4) As human activities flow between "real" space and cyberspace, legal tools for conflict resolution must evolve to suit the changing needs. The conflicts may remain in cyberspace, but it is not impossible that conflicts arising in cyberspace could stem from, lead to, or accompany violence in real space.
Two examples serve as apt illustrations: cyber incidents in Estonia and Georgia. As described by Tikk, et al., (5) the Estonian incident took place in April and May of 2007, when the Estonian government decided to move a Soviet-era memorial from central Tallinn to the Tallinn Military Cemetery outside of town. (6) Many from Estonia's approximately twenty percent ethnic Russian population protested the move, and the protest escalated into violence, looting, and vandalism. (7) Simultaneously, Estonian public and private sector Internet use was compromised by the flooding of the country's information infrastructure with ping requests (simple communications that seek to determine the availability of targeted devices), SYN flooding, (8) and malformed queries. (9) Later, more sophisticated and intense distributed denial of service assaults on the Estonian cyber infrastructure indicated that botnets (10) had been brought into play. (11) The flooding came from co-opted sources around the world and it is not forensically possible to technologically attribute the flooding to the specific perpetrators, although Russians have acknowledged responsibility for some of the attacks and one ethnic Russian Estonian student from Tallinn was eventually convicted of defacing an Estonian website. (12)
The Georgian cyber incident took place in August 2008 during a conflict between the Russian Federation and Georgia over the status of South Ossetia. (13) Georgia had been having trouble with Russian-supported separatists in South Ossetia, and launched a military attack on August 7th against separatist forces. (14) On August 8th, Russian forces invaded Georgian territory, ostensibly to protect Russian citizens in the region. (15) Georgia declared that a "state of war" existed on August 9th. (16) The cyber incident began on the 8th and continued throughout the month despite cessation of kinetic operations on the 12th. (17) As in Estonia, the cyber incident consisted of distributed denial of service flooding and web page defacements. (18) Russian-controlled servers distributed instructions on how to attack Georgian websites and scripts that would automate ping flooding of the Georgian information infrastructure. (19) Georgian Internet traffic was rerouted through Russian-controlled servers and blocked. (20) As with Estonia, forensic attribution is not possible. (21) Botnets were used, and the flooding came from co-opted servers all over the world. (22) Not only were the attacks international in character, so was the response; the international community assisted Georgia with advice and forensic assistance, and by hosting Georgian websites and governmental functions on servers in the United States, Estonia, and Poland. (23)
These types of cyber incidents were not necessarily anticipated in the primordial days of the Internet (from its inception in December of 1969 until about 1991 when the first user-friendly interfaces were developed), when the Internet was mostly the province of academics, scientists and engineers, and librarians. (24) Early misbehavior was motivated by curiosity or the need for peer-recognition, but as the use of the global information infrastructure grew, opportunities for financial gain arose and economic motives for misbehavior followed. (25) Eventually, cyberspace became a venue for religiously or politically motivated conflicts (e.g., the incidents in Estonia and Georgia). Such conflicts may result from disputes between individuals or groups, or may stem from disagreements between or among nation-states, and occasionally may arise between non-state organizations and nation-states. As in real space, in cyberspace the international community needs to be able to resolve conflicts via peaceful means, or, if peaceful means fail, in ways that limit the destruction and human suffering that follow the application of non-peaceful technologies (virtual or kinetic).
One way to avoid conflicts is to establish guidelines for expected behaviors. Since human use of cyberspace is relatively recent, (26) we are only in the nascent stages of developing international frameworks for regulating behavior conducted against or via information infrastructures. This article provides some background regarding the challenges we face in developing these frameworks, and then it contributes several proposals we hope will further the ongoing discussion of international legal norms for cyberspace, particularly those norms relevant to national and international security.
In developing legal frameworks that effectively and efficiently regulate behavior in cyberspace, difficulties may arise due to the very words we use to describe cyberspace and human interactions in cyberspace, the organization and structure of the global information infrastructure, as well as cultural variations among those who inhabit and use cyberspace.
For the purposes of this article, cyberlaw is defined as a body of norms governing human behavior in cyberspace. The development of relevant, practical cyberlaw is challenged by the very words we use to discuss cyberspace. (27) There is little consensus on the precise definitions needed for developing candidate principles, norms, treaties or statutes. The term "cyberspace" itself is not well-defined. The term was coined by the science fiction author William Gibson in his 1982 cyberpunk (28) story "Burning Chrome," which viewed cyberspace as a computer technology that allowed humans to directly experience data and the relationships among data. In a later book, "Neuromancer," Gibson described it this way:
A consensual hallucination experienced daily by billions of legitimate operators, in every nation.... A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding into the distance.... (29)
Later definitions have abandoned the experiential focus, but still disagree as to the precise definition. Todd says,
I define cyberspace as an evolving man-made domain for the organization and transfer of data using various wavelengths of the electromagnetic spectrum. The domain is a combination of private and public property governed...