We use cookies to provide some features and experiences in QOSHE

More information  .  Close
Aa Aa Aa
- A +

How Cyberspace Changes International Conflict

18 2 0
08.12.2019

This is an excerpt from Reprogramming the World: Cyberspace and the Geography of Global Order. Get your free copy here.

In May of 2013, Cody Wilson printed a working gun with a 3D printer and fired it.[1] Shortly thereafter he made the computer file, that is a set of instructions for a 3D printer to print what he called the Liberator, available online for download. It was downloaded more than 100,000 times before Wilson removed the file.[2] Little did Wilson know that he was running afoul of the United States’ International Traffic in Arms Regulations (ITAR). These regulations prohibit the export of “defense items” – in other words, weapons – found on the United States Munitions List (USML) without authorization from the government.[3] ITAR also, significantly, prohibits the export of “technical data” on these items, which is data that would assist the manufacturing of the prohibited item.[4] Wilson’s file was in a standard language that would allow anyone with an Internet connection to download it and use a 3D printer to manufacture a gun. The file, since it was on the Internet was downloadable anywhere in the world, and Wilson removed the file from his website when confronted by the U.S. Government.[5] Three years later Wilson’s file is still online and freely available through sources like the Pirate Bay.[6] Wilson started a company called Defense Distributed, which now manufactures a product called the Ghost Gunner.[7] This desktop CNC mill will take a block of aluminum and mill a lower receiver for an AR-15.[8] Wilson’s product cannot be exported, and the computer file is sold only to United States citizens to keep this product from running afoul of ITAR. Yet this product still effectively digitizes a gun, which lowers barriers to access. The gun that it creates is of high quality, and is a gun that is outside of the regulatory loop; it is an untraceable “ghost gun.”[9] And while Wilson is keeping tight control over the “technical data” in the .cad files that allow the machine to manufacture the part, he has open sourced the machine itself so that the plans for the hardware and the software that runs it are freely downloadable.[10] Anyone with these files can develop new design files for the Ghost Gunner, and enable it to make a variety of guns and other items. Defense has been distributed, digitally.

The Ghost Gunner is interesting because it shows the capacity of the state to lose control over violence in two ways. First, it lowers the barriers to the production of the means of violence, which weakens government control over violence. It is legal under U.S. federal law for an individual to manufacture a lower receiver, but it was a time-consuming process and required a high level of skill.[11] The Ghost Gunner makes gunsmithing a plug-and-play venture. Second, and important to the discussion below, it shows that the state no longer has control over the spread of violence at its borders. ITAR is specifically meant to help maintain international peace and security by restricting the export of munitions to countries or persons that might use them for ill. ITAR is directly related to the international project of bracketing war, by cutting off the supply of armaments, and ITAR correlates to regimes such as the Wassenaar Arrangement[12] and the Arms Trade Treaty.[13] These initiatives are mechanisms used to stop the flow of armaments across their borders, which was easy when armaments needed to be carried on trucks. Ghost guns are digitized, just as lethal, and save on the shipping cost.

This chapter investigates how Cyberspace changes the nature of territory by examining how Cyberspace changes international conflict. Schmitt’s claim “that law and peace originally rested on enclosures in the spatial sense” is particularly salient here as it highlights the role of borders in conflict prevention.[14] In Schmitt’s territory-centric conception of international law, war is “bracketed” to locations such that it does not “disturb” the spatial order.[15] This chapter will probe this bracketing of war, and illustrate the diminished importance of the border in constructing the space of conflict.

The argument here is not meant to be a “dethroning of Clausewitz,” but it does argue that Cyberspace dramatically changes the context of international conflict through the subversion of territorial borders.[16] In short, it argues that armed conflict as conceived in the international system is tied to territorial geographies, and that international governance mechanisms that are meant to minimize international armed conflict are structured around this link. The chapter then shows how the concept of cyberwar dislodges conflict from these territorial linkages, which makes the application of norms meant to control international violence ineffective at bracketing it. Section one of this Chapter will use the Stuxnet attack on Iran’s centrifuges to analyze how international law has traditionally dealt with war as well as some of the observable gaps in that regime. This section will show how Cyberspace dislodges territory from the governance of international armed conflict. The second section will analyze the role of the international concepts of disarmament and deterrence in limiting cyber conflicts, and it will show that these mechanisms are ill equipped for placing substantive limitations on cyberweapons. Finally, it will use the North Korean Sony hack to show how international politics becomes de-territorialized and distributed in Cyberspace, which means that international conflicts processed through Cyberspace become de-territorialized as well.

Territorial Integrity

At the heart of the post-1945 settlement is the UN charter’s Article 2(4), which prohibits “the threat or use of force against the territorial integrity or political independence of any state.”[17] This article sought for the first time to create a legal prohibition against interstate armed conflict.[18] Article 2(4) and the UN Charter in general were transformative for international law as it enshrined the state as “the arena within which self-determination is worked out and from which, therefore, foreign armies have to be excluded.”[19] For the first time the resort to war, characterized in the Charter as the “use of force,” was legally prohibited outside of a few exceptions.[20] Article 2(4) compartmentalizes violence within the borders of a state and gives the state sovereignty over violence within its borders. This compartmentalization, or “bracketing” as Schmitt would call it, is not a new process. The bracketing of war is an act of delineating order from chaos, and Schmitt’s project is to show how the international spatial order emerged from the externalization of war. For instance, he notes that during the age of European empires violence was pushed to the peripheries of empires by conceptualizing newly found territories as existing outside of the Western-centric international legal system.[21] Article 2(4) represents a new bracketing of war by conceptualizing every state as an inviolate territory of order. States in this new spatialization were connected to law both internally and, importantly, externally in a legal dynamic between de facto control and external recognition.[22]

Art. 2(4) did not change extant borders in a way that was perceptible on a map. Nonetheless, Art. 2(4) did change the content of those borders, and in a very dramatic way. By giving all states an obligation to contain violence within their borders, it also gave all states the right to be free of chaos from outside their borders. Article 2(4) underpins the entire international legal regime, which seeks to contain international armed conflict. The Art. 2(4) prohibition on force is central to jus ad bellum, and its goals are further advanced through the jus in bello and international disarmament efforts. Cyberspace by recoding borders changes international law’s ability to bracket digitized war affecting the nature of international peace and security.

The best place to start to unravel this problem is Stuxnet. Stuxnet presents a clear case for the application and analysis of the law of the use of force in the cyber arena. In 2010, researchers uncovered a computer virus that was propagating itself on computers in Iran.[23] The virus, now known as Stuxnet, was a carefully developed computer program that made its way into computers in the Natanz nuclear facility in Iran. Once there, the malware attacked industrial control systems and executed a program that sped up uranium enrichment centrifuges to damage and destroy them before the end of their expected lifetime. The program itself “displayed a level of technical sophistication and integration never before seen in malware,”[24] and it has been referred to as the ”world’s first digital weapon.”[25] The sophistication of Stuxnet was such that it incorporated four zero-day exploits, and was able to jump an air gap that separated Natanz from the Internet.[26] The program was reportedly developed and released by the United States and Israel as a way to slow the Iranian nuclear program.[27] For the purposes of the discussion below, it is assumed that this is a state on state act, placing it firmly within the realm of the international system, making international law the controlling governance mechanism. This raises the “principle intellectual challenge in the law of information conflict . . . deciding which areas can be covered by a mere extension of conventional legal principles to cyberspace by analogy, and which require whole new methodologies.”[28]

The first question to be asked is whether there has been a violation of Article 2(4). If the United States or Israel had flown a plane across the border and bombed the plant, as Israel did to a Syrian facility in 2007, then there would clearly be a violation of Article 2(4).[29] In this case there was no physical violence in a ballistic sense, however, violence was achieved in a kinetic sense in that the centrifuges themselves were physically manipulated in order to destroy them. The centrifuges were attacked, but it is unclear whether this amounts to a use of force under Article 2(4).[30] The Tallinn Manual on the International Law Applicable to Cyber Warfare, Rule 11, states that “[a] cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.”[31] The Tallinn Manual is an attempt by a NATO group of experts to identify “the law currently governing cyber conflict,”[32] but it notes that “the lack of agreed-upon definitions, criteria, and thresholds for application creates uncertainty when applying the jus ad bellum.”[33] When compared to a statement by a U.S. defense official on the United States Cyber Strategy, who stated “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” it seems as if at least one of the parties has characterized attacks such as Stuxnet as a use of force.[34] The Tallinn Manual experts themselves agreed unanimously that Stuxnet was a use of force that violated international law, but they “split … on whether it constituted an armed attack.”[35] This split illustrates the disjuncture that occurs when international law is de-territorialized. The separation of “use of force” from “armed attack,” categories that were previously substantially concurrent due to the nature of violence, is indicative of the encounter between international and cyber geographies.

Interestingly, Iran never made any complaint to the relevant UN bodies, and instead opted to maintain a high degree of silence on the matter. Iran’s silence is related to its own interests in keeping its nuclear program secret, but it also points to one of the key lessons from Natanz: everyone knows that the United States and Israel were responsible for Stuxnet, but no one can prove it definitively. This is dissimilar from, for instance, U.S. covert involvement in Nicaragua, which the ICJ deemed a use of force.[36] In that case, there were physical border crossings by the U.S. and its warfighting capacity that were observed by witnesses to physical attacks.[37] In the case of Stuxnet, no one saw the attack, yet there is ample evidence pointing the finger at the United States and Israel, e.g. the complexity of programming, the target of the attack, the use of high value zero-day vulnerabilities, and anonymous sources informing journalists. There is, however, no definitive evidence of that fact, and the United States has officially made no statement confirming its involvement resting on the plausible deniability that Cyberspace provides.[38]

Digital computing enables the ability to encrypt communications and to hide the source of cyberattacks. Even if a cyberattack were to be traced to an IP address within a state, that state can claim that it is the victim of a hacker using it as a digital hiding spot or that one of its own citizens is the malefactor for which there is limited responsibility. US DoD acknowledges this potential by noting that “low barriers of entry . . . means that an individual or small groups of determined cyber actors can potentially cause significant damage.”[39] In the case of Stuxnet, the virus was feeding information back to servers located around the world.[40] Attribution is a core concept in international law, and for there to be an internationally wrongful act the act must be attributable to a state.[41] The Draft Articles on State Responsibility state that “conduct directed or controlled” by a state is attributable to it, but this requires the establishment of a definitive link that proves such. In Cyberspace such links are hidden by veils of government secrecy, including secrecy classification systems and digital veils of encryption making it difficult to attribute an act to the territory of a state and to the state itself.[42] Attribution is a necessary precondition in international law, but attribution “is an enduring problem” in Cyberspace.[43] The attack, though initiated from some specific geographic point, is experienced as coming from Cyberspace. Cyberspace as an origin for an attack is supported by the military adoption of Cyberspace as a fifth domain.[44]

This fifth domain........

© E-International