To prevent automated spam submissions leave this field empty.
Professor Laura A. Dickinson, of the George Washington University Law School, moderated the panel, which included Colonel Gary Corn (U.S. Army), Professor Sean M. Watts of Creighton University School of Law, and attorney Jeannie S. Rhee. Each panelist offered 10 minutes of introductory remarks, followed by questions from Professor Dickinson and members of the audience.
During his preliminary remarks, Col. Corn, the Staff Judge Advocate for the U.S. Cyber Command, spoke about the use of cyber operations as a means of statecraft. He emphasized the challenges posed by the “grey zone” of cyber incidents, which go beyond ordinary competition between states but fall below the threshold of an armed attack. He acknowledged that the offensive cyber capabilities of our most sophisticated adversaries will likely exceed the ability of the U.S. to prevent cyberattacks for the foreseeable future. Col. Corn concluded his opening remarks by noting that even though there is now widespread agreement that existing international law applies to cyberspace, there is still considerable room for debate as to how international law should be applied to the “grey zone” of cyber operations employed by state and non-state actors.
Professor Watts, a Lt. Colonel in the U.S. Army JAG Reserve, focused his introductory remarks on the recently published Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Serving on the committees that drafted the Tallinn Manual 2.0 and its precursor, the Tallinn Manual on the International Law Applicable to Cyber Warfare, enabled Professor Watts to identify some of the key differences between the first and second iterations of the manual. In particular, he noted that the authors of Tallinn 2.0 actively solicited and incorporated feedback from policymakers in foreign ministries around the world. They also broadened the scope of the publication to incorporate cyber operations in the “grey zone” that do not rise to the level of an armed attack.
Ms. Rhee, a partner in the law firm of Wilmer Cutler Pickering Hale and Dorr LLP who has represented corporate clients that have been the targets of high-profile cyber attacks and data breaches, provided a private sector perspective. Her opening remarks emphasized the disconnect between the public sector actors responsible for defending the nation against cyber attacks and the private sector actors who are most often the victims of such attacks and end up bearing most of the costs. State actors encourage information sharing to combat cyber attacks, but many corporations are reluctant to do so for fear of exposing their vulnerabilities. Although the corporate sector is generally satisfied with the federal government’s efforts prosecute non-state actors responsible for the most serious data breaches, there is widespread frustration that the volume of routine cyber attacks continues to grow, as does the cost of managing them.
Professor Dickinson’s first set of questions for the panel addressed the utility of the Tallinn Manual 2.0 and its relevance, if any, to the private sector. Professor Dickinson followed up with questions about the doctrine of state responsibility, the role of non-state actors in cyber attacks, whether non-state actors can be deterred, and whether it makes sense to distinguish between non-state actors who operate independently and those who act as agents of a state or with the clandestine support of a state. Prof. Dickinson’s final set of questions focused on the issue of state sovereignty. She asked the panel members to comment on how robust the principle of sovereignty is in the context of cyber security, and the extent to which it precludes private sector actors from engaging in defensive measures against hackers who operate across national borders.
Charles Bjork, International & Foreign Law Reference Librarian, Georgetown University Law Library