Legal phantoms in cyberspace: the problematic status of information as a weapon and a target under international humanitarian law.

• Author: Beard, Jack M.
• Position: Abstract Through II. Information as a Weapon and Target: Problems of Access and Control, p. 67-112

ABSTRACT

Reports of state-sponsored harmful cyber intrusions abound. The prevailing view among academics holds that if the effects or consequences of such intrusions are sufficiently damaging, international humanitarian law (IHL) should generally govern them--and recourse to armed force may also be justified against states responsible for these actions under the jus ad bellum. This Article argues, however, that there are serious problems and perils in relying on analogies with physical armed force to extend these legal regimes to most events in cyberspace. Armed conflict models applied to the use of information as a weapon and a target are instead likely to generate "legal phantoms" in cyberspace--that is, situations in which numerous policy questions and domestic criminal issues are often misinterpreted as legal problems governed by the IHL framework or the jus ad bellum. This Article assesses this dilemma in the context of four key problem areas relating to dimensions of information: (1) problems of origin, organization, and availability; (2) problems of access and control; (3) problems of exploitation; and (4) problems of manipulation and content.

TABLE OF CONTENTS I. INFORMATION AS A WEAPON: PROBLEMS OF ORIGIN, ORGANIZATION, AND AVAILABILITY A. The Legal Status of Cyber Capabilities as Potential Weapons 1. Information: The Problem of Origin 2. Information: The Problems of Organization and Armed Conflict Classification 3. Information: The Problem of Territory 4. Information: The Problems of Unlimited Availability and Ubiquitous Processors II. INFORMATION AS A WEAPON AND TARGET: PROBLEMS OF ACCESS AND CONTROL A. Accessing Information: "Acts of Violence" Against "Objects of Attack"? B. Controlling, Confining, and Segregating Information III. INFORMATION AS A TARGET: THE PROBLEM OF EXPLOITATION AND CHALLENGES TO CONSEQUENCE-BASED LEGAL THRESHOLDS A. Exploitation: A Harmful--But Problematic--Act B. Information Exploitation, Legal Thresholds, and Consequentialist Approaches to the Jus ad Bellum C. Information Exploitation, Legal Thresholds, and Consequentialist Approaches to the Jus in Bello IV. INFORMATION AS A TARGET: PROBLEMS OF MANIPULATION AND THE CHALLENGES OF CONTENT AND USERS A. Information Manipulation or Exploitation? The Problem of Content and Economic Targets B. Manipulating Information, Layers of Cyberspace, and Users of Information V. CONCLUSION **********

It has long been clear that private persons and state-sponsored actors can cause damage by transmitting information through cyberspace (to disrupt, exploit, manipulate, or deny access to data in other computer systems and networks) and that such actions pose a real threat to businesses and governments. (1) While cybercrime, state-sponsored hostile cyber acts, and diverse types of cyber mischief are common, the world has not yet experienced a "cyberwar." (2) In spite of dire, repeated predictions to the contrary, a cyberwar (an armed conflict limited to cyber actions alone) may in fact be unlikely. (3)

Yet regardless of how conflict and competition in cyberspace may be characterized, military organizations have concluded that cyberspace is in fact a new contested "domain" for military operations (joining the land, maritime, air, and space domains), and some have announced their intention to achieve "superiority" in it. (4) This willingness to apply a traditional model of military operations is based on the assumption that conflict in cyberspace represents an extension of conflict in physical domains, and therefore, actions taken in this realm should generally be subject to the same rules and approaches that apply to the employment of "kinetic capabilities." (5)

The feared arrival of a new epoch of cyber warfare and the decision by military organizations to treat cyberspace as a new operational military domain have been accompanied by an eagerness to view the law of armed conflict or the jus in bello (also referred to as international humanitarian law or IHL) as the appropriate legal framework to govern many cyber operations, particularly those conducted in response to so-called cyber attacks. (6)

The decision to apply the IHL framework to events in cyberspace may appear to be an easy one, drawing on the perceived similarity of the effects of cyber operations and those of conventional military operations in physical domains. For example, a former U.S. military official has suggested that "a cyberattack is governed by basically the same rules as any other kind of attack if the effects of it are essentially the same." (7) It is thus not surprising that military organizations have proceeded to equate many conventional and cyber operations, concluding for example that "[t]he fundamental targeting issues arising are no different in cyber operations as compared to those applicable to kinetic targeting." (8)

By viewing conflict in cyberspace as an extension of conflict in physical domains and by emphasizing the apparent similar effects of cyber and conventional weapons, the IHL framework becomes by default the appropriate lens for assessing many hostile cyber acts. This Article argues, however, that due to the unusual properties of information itself, there are serious problems and perils in relying on such analogies to extend the IHL framework to most events in cyberspace.

Rather than being easily governed by a broad application of the IHL framework, the use of information as a weapon and a target will more often be highly problematic. Armed conflict models are likely to generate "legal phantoms" in cyberspace--that is, situations in which numerous policy questions, domestic criminal issues, and technological challenges are misinterpreted as legal problems governed by the IHL framework or that implicate the jus ad bellum. (This latter body of international law--which is prominently reflected in obligations in the United Nations Charter--governs recourse to armed force, as opposed to the IHL regime, which governs the way warfare is conducted.) (9)

As examined in this Article, the clear reluctance by states to apply these rules to cyber incidents, standing alone, is prudent. There is an underappreciated and significant danger in broadly applying the IHL framework to diverse areas of state-sponsored competition and conflict. (10) This is particularly true with respect to the application of IHL principles and obligations, as well as the jus ad bellum, to the many diverse uses and dimensions of information in cyberspace.

The IHL framework and the jus ad bellum nonetheless continue to be advanced as appropriate legal frameworks to fill perceived gaps in existing legal coverage of cyberspace, particularly in an environment where even the U.S. secretary of defense warns of a "cyber Pearl Harbor," in which catastrophic physical damages are caused by a future cyber attack. (11) However, such hypothetical, devastating, and stand-alone cyber attack scenarios remain highly unlikely from several different perspectives. (12) The reality of the current cyber threat is much different--it is informational in nature, characterized by diverse and increasingly complex cyber actions involving the disruption, exploitation, manipulation, or damage of data.

Current state practice reflects this more complex reality, since no state has actually invoked and applied IHL rules or the jus ad bellum to any hostile cyber act standing alone (nor actually engaged in cyberwar). In practice, cyberwar is in fact still a theoretical concept, and states have thus not yet applied an effects-based approach to real cyber incidents, nor have they done so based exclusively on analogies drawn from the use of conventional weapons in the physical world. (13) As examined in this Article, the more nuanced and reluctant approach taken by states instead reflects both practical considerations and serious legal concerns, the latter being integrally linked to fundamental problems posed by information as a weapon and target. Cyber operations must thus be contrasted with conventional military operations, which involve weapons-employing physical forces and objects, including (but not limited to) those employing kinetic energy. (14)

While it is possible to characterize various types of information as "cyber weapons" and various data sets (including those connected to physical objects) as "targets," these uses of information raise many issues that are much different than those presented by the use of conventional weapons against physical targets. The wholesale importation of the IHL framework and the jus ad bellum into the world of cyber conflicts thus risks ignoring problematic and legally significant dimensions of information.

This Article examines the impact of these dimensions of information on the IHL framework and the jus ad bellum when they are applied to conflicts and competition in cyberspace and contrasts them with the application of IHL rules in conventional conflicts in physical domains. These dimensions of information are assessed in the context of four key problem areas as they relate to the use of information as a weapon and target.

These problem areas, which are examined in Parts I through IV of this Article, are (1) problems of origin, organization, and availability; (2) problems of access and control; (3) problems of exploitation (and related challenges to effects-based legal thresholds); and (4) problems of manipulation (and related questions concerning content and users). A careful assessment of these problem areas calls into question the general application of the IHL framework and the jus ad bellum to conflicts in cyberspace and also challenges supporting theories that focus on effects-based analogies with conventional weapons in physical domains. The Article concludes with further reflections on the inherent difficulties associated with regulating information as a weapon, the problems in broadly analogizing conventional armed conflicts with events in cyberspace, and the...