Moving Forward on Cyber Norms, Domestically

Ashley Deeks
Monday, July 10, 2017, 1:10 PM

The Allée des Nations in front of the Palace of Nations (Tom Page)

Published by The Lawfare Institute

Several analysts, including Mike Schmitt and Liis Vihul at Just Security and Arun Sukumar at Lawfare, have highlighted (here and here) the collapse of the 2017 Group of Government Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE). The GGE was unable to reach consensus on a report that would have advanced the conversation about the ways in which international law applies to cyber activities. In the wake of this failure, Homeland Security Adviser Tom Bossert indicated that the U.S. government plans to work with smaller groups of like-minded partners to develop and shape cyber norms. This seems like a reasonable approach, but there are steps the United States can pursue unilaterally as well. In particular, the Department of Justice and the FBI should continue to assertively investigate and indict individuals—including state actors—who engage in cyber activities that the U.S. Government ultimately would like to see the international community characterize as wrongful.

Many cyber experts agree that international law does not yet draw crisp lines between permissible and impermissible activities in cyberspace. Indeed, a key mandate for the 2017 GGE was to articulate with greater specificity the cyber rules of the road under international law. The GGE breakdown further illustrates that we are a long way from any kind of international agreement that would define prohibited activity or at least clarify the way that existing jus ad bellum, jus in bello, and state responsibility norms apply in cyberspace.

And yet the United States and a number of other states clearly believe that it is in their interests (and the interests of international peace and security) to further articulate how international law applies in cyberspace. The United States has done more than most states (through speeches by then-Legal Advisers Harold Koh and Brian Egan, for instance) to articulate publicly how it conceives of both binding and voluntary international cyber norms. It should continue to do so.

But it also should keep robustly employing domestic criminal prosecutions—and, relatedly, domestic courts—to help flesh out these legal norms. We have seen a rise of U.S. criminal indictments since 2014, and though few of the cases actually have gone to trial, it is in the U.S. interest to continue to pursue indictments against defendants who are engaged in unacceptable cyber activities.

Developing international humanitarian law in U.S. courts: a parallel?

By way of a possible parallel, consider what happened in the context of international humanitarian law (IHL) post-9/11. The United States strongly asserted that there were lacunae in IHL that failed to provide sufficient answers to the questions the United States and its allies were facing in the fights against al Qaeda and the Taliban. Even the ICRC agreed that there were “gaps or weaknesses in the existing legal framework” that required further clarification. Then-Legal Adviser John Bellinger (with Vijay Padmanabhan) flagged four critical questions for which IHL fails to provide clear guidance: which individuals in non-international armed conflicts (NIACs) are subject to detention; what legal process states must provide to those detained; when a state’s right to detain terminates; and what legal obligations states have when repatriating detainees at the end of detention. States were forced to grapple with these questions in their military operations and likely would have welcomed clearer legal answers. Yet there was no real appetite among states to negotiate a new treaty, both because some states resisted the idea that there were legal gaps and because states would have found it difficult to agree in substance on the rules that should apply.

Instead, as I have argued elsewhere, various rules for state conduct in NIACs evolved through litigation in domestic courts. These court opinions were themselves binding only on the states at issue, though their outcomes were often infused with international legal norms. In U.S. courts in particular, a vast number of cases brought by detainees forced judges to take into consideration and analogize to existing IHL norms in establishing who was detainable in NIACs, what process was due to them, and what standards of proof applied to the detaining government. The United States was not the only state whose courts got involved: Israeli, British, Danish, and Canadian courts, as well as the European Court of Human Rights, all opined on NIAC- and detention-related issues. To the extent that states ever come together to craft a treaty that expands NIAC rules, these holdings will be relevant focal points, even as they continue to bind the specific governments as a matter of domestic law in their conduct of IHL against non-state actors.

The factors that favored this production of what I called “domestic humanitarian law” (rather than the production of international law per se) are similar to those that exist in the cyber context. First, the geopolitical atmosphere was quite toxic; inter-state politics would have made it difficult to negotiate a new international agreement. (The GGE breakdown indicates a similar political climate in the cyber arena.) Second, the incentive structure for compliance with new international rules would not have been reciprocal. In the IHL context, new rules developed by states would have mostly tied states’ own hands in their actions against non-state actors without necessarily assuring reciprocity in behavior by those non-state actors. (In the cyber context, new international rules would apply reciprocally to states, but different states parties at the table would have stronger or weaker incentives to comply with any new rules.) Third, there is systemic diversity: the states involved in these recent NIACs had different perceptions of the threat, different relevant adversaries, different capacities to respond to the threats, and different views of the proper international law baseline from which to start. The same is true today for states that are evaluating cyber threats against them. Fourth, as with cyber, the IHL issues were highly complex because the situations to be regulated implicated IHL, international human rights law, the jus ad bellum, and law enforcement. Each of those bodies of law could be in play in a new cyber treaty as well.

In short, various Western domestic courts and the European Court of Human Rights produced decisions to guide state behavior in current and future conflicts. We might think of these decisions as a set of laboratories experimenting with the appeal and durability of different approaches to these NIACs. Future international discussions about NIACs could—and likely would—explore these “domestic humanitarian law” approaches when negotiating rules on the international plane.

Domestic cyber national security cases

International law abhors a vacuum. Further, the United States—perhaps more than other states—is interested in seeing progress in developing cyber-norms. This suggests that the United States will continue to explore all possible avenues to help shape such norms.

One such avenue is the use of criminal prosecutions in U.S. courts. The United States already has issued indictments against five Chinese military officials for economic cyber-espionage and against Russian officials for hacking millions of Yahoo accounts. The Department of Justice also indicted Ardit Ferizi for providing material support to ISIS by hacking a U.S. company, obtaining personally identifiable information of U.S. military and other government personnel, and providing that information to an ISIS recruiter and attack facilitator, who published it. Ferizi was convicted in September 2016 and was sentenced to 20 years. Further, the Department indicted seven individuals who worked at companies affiliated with the Iranian Revolutionary Guard Corps; the individuals engaged in DDOS attacks that disabled various U.S. banks’ websites. Notably, the Department charged one IRGC-associated defendant with obtaining unauthorized access to the control system of a New York dam. In yet another case involving national security, a Chinese national named Su Bin pled guilty to charges of conspiring to hack the computer networks of major U.S. defense contractors and send the stolen data to China. In short, the United States has begun to indict foreign officials and others who threaten U.S. national security through their cyber activities.

Although it will be very difficult for the United States to obtain physical custody over many of these defendants, the cases that go to trial could implicate international law directly. The cases in which the defendants are government officials will raise questions about official immunity, for instance, and might implicate questions about the scope of jurisdiction under international law. Further, the cases could prompt courts (and the government in its briefings) to address the status of economic and political espionage in international law. Even if the courts end up not addressing any of those issues head on, the cases’ outcomes may indirectly shape how other states perceive what are acceptable norms of cyber behavior. The judgments provide a clear basis for discussion about cyber norms and could slowly lay the groundwork for greater international consensus about which acts states should place off-limits.

Chances of success?

As noted, various cases will not proceed because of difficulties taking custody of the defendants (though Canada extradited Su Bin and Malaysia transferred Ferizi to U.S. custody). Yet the indictments themselves serve as deterrents, both because they make it harder for the defendants to travel and because of their symbolic effect. (Jim Lewis at the Center for Strategic and International Studies told the Washington Post’s Ellen Nakashima that the Chinese “hated” the PLA indictments.) The indictments themselves also serve as clear signals of what the United States will not tolerate. Further, if there are convictions, the presence of a court in the decision chain offers an element of neutrality that Executive condemnation alone lacks. And of course any opinion that emerges in one of these cyber cases will also provide important information to other states that are watching the proceedings.

One way for the United States to try to accelerate the effect of this approach is to urge its allies to issue similar indictments. Convictions from a host of states on similar charges will be more persuasive than convictions from a single state, if it ever comes time to get serious about an international instrument. The United States should encourage its law enforcement partners to undertake these types of national security cyber cases, and can facilitate those prosecutions by assisting with attributions.

It goes without saying that the use of criminal prosecutions is just one tool in the toolkit of any state seeking to influence the behavior of foreign officials and their associates. But now that a truly international conversation has hit a dead end (for problematic reasons, as Schmitt and Vihul detail), fleshing out acceptable cyber behavior through domestic law is a way to keep the conversation moving.

Ashley Deeks is the Class of 1948 Professor of Scholarly Research in Law at the University of Virginia Law School and a Faculty Senior Fellow at the Miller Center. She serves on the State Department’s Advisory Committee on International Law. In 2021-22 she worked as the Deputy Legal Advisor at the National Security Council. She graduated from the University of Chicago Law School and clerked on the Third Circuit.