Recent Developments and Revelations Concerning Cybersecurity and Cyberspace: Implications for International Law
In recent weeks, media reports have addressed actions, discoveries, and controversies relating to cybersecurity and cyberspace that have implications for international law, including war, espionage, terrorism, and crime in cyberspace and the architecture and governance of the Internet. This Insight describes these episodes and analyzes their importance for the relationship between international law and cybersecurity and cyberspace.
Developments and Revelations Concerning Cybersecurity and Cyberspace
Origins of Stuxnet
On June 1, 2012, David Sanger of the New York Times reported that the United States and Israel developed the Stuxnet computer worm and used it to attack Iranâs uranium enrichment facilities. When discovered in 2010, experts considered Stuxnet to be a âgame changingâ cyber weapon because of its complexity, purpose, and performance. The Stuxnet worm exploited unknown vulnerabilities in Windows software, targeted industrial control systems at Iranâs enrichment facilities, and reportedly damaged over 1,000 centrifuges and disrupted Iranâs enrichment efforts. The complexity and nature of the attack led many to suspect that a state, most likely the United States and/or Israel, created Stuxnet. Sanger appeared to confirm this suspicion, revealing that the Stuxnet project, code-named âOlympic Games,â began during the George W. Bush administration and accelerated under President Barack Obama.
The Flame Virus
In late May 2012, experts discovered a computer virus dubbed âFlame.â Unlike Stuxnet, Flame operated as an espionage tool because it infiltrated computers and exfiltrated information from them. As such, experts believe that a government or governments created Flame to spy on other countries. This large and complex virus was predominantly found in computers in the Middle East, with Iran being particularly affected. Some information indicated that Flame had been operating for years before detection and shared some code with early versions of Stuxnet. The Iran and Stuxnet aspects encouraged speculation that the United States and/or Israel were responsible for Flame. Although cyber espionage is not a new problem, Flame garnered international attention, including an alert from the International Telecommunications Union (âITUâ) and assertion by the ITUâs cybersecurity coordinator that Flame constituted âa much more serious threat than Stuxnet.â
U.S. Cyber Activity Against Al-Qaeda Web Sites
On May 23, 2012, Secretary of State Hillary Clinton described U.S. efforts to alter information on web sites used by al-Qaedaâs affiliate in Yemen. This State Department-led, interagency activity sought to discredit terrorist use of the Internet. Terrorists have not demonstrated interest in launching cyber attacks, but they use the Internet for recruiting and other purposes. Although described in press reports as âhackingâ or âcyber war,â the State Department apparently altered and re-posted recruiting ads that appeared on al-Qaeda web sites in ways that described the toll al-Qaeda has inflicted on Yemenâs peopleâactions that probably did not require hacking into or attacking computers. Government-sponsored actions against terrorist web sites have occurred before, but Secretary Clintonâs description of a State Department-led strategy that includes altering information on terrorist web sites potentially revealed a more open, coordinated, and forward-leaning U.S. approach to cyber counter-terrorism.
Global Transition to Internet Protocol Version 6
On June 6, 2012, the Internet Societyâa global non-governmental organization dedicated to promoting the open development and use of the Internetâsponsored the âWorld IPv6 Launch,â an effort to have major Internet service providers and web companies accelerate the transition from Internet Protocol version 4 (âIPv4â) to Internet Protocol version 6 (âIPv6â). Internet communications occur through the Transmission Control Protocol/Internet Protocol (âTCP/IPâ) standard, which controls how data is organized, addressed, transmitted, and received on the Internet. The âInternet Protocolâ provides the addressing system for sending information over the Internet. As with other Internet protocols, the non-governmental Internet Engineering Task Force (âIETFâ) developed IPv6.
Internet experts believe IPv6 is critical because growth in Internet usage has exhausted the number of addresses IPv4 had available (approximately 4.3 billion). IPv6 increases the number of addresses to approximately 340 undecillion (or trillion, trillion, trillion), making exhaustion of addresses virtually impossible. IPv6 will ensure that the Internet can handle growth in future use. Although IPv6 solves the Internet address problem, it has raised questions about its potential impact on cybersecurity, ranging from claims that IPv6 will provide greater online security and help law enforcement address cyber crimes to concerns that IPv6 might benefit cyber criminals and governments seeking to repress political dissent.
Internet Governance Controversy
In May 2012, controversy intensified about the December 2012 meeting of the ITUâs World Conference on Telecommunications (âWCITâ). WCIT delegates will consider revising the International Telecommunication Regulations (âITRâ), a treaty adopted by ITU member states. Some countries want significant changes to the ITR, including potentially expanding the ITUâs role with respect to Internet governance. Moving in this direction would require shifting Internet governance from multi-stakeholder, non-governmental mechanisms, such as the Internet Society, IETF, and Internet Corporation for Assigned Names and Numbers (âICANNâ), to the inter-governmental ITU. The Obama administration, members of Congress, and stakeholders in the current governance system oppose attempts to centralize Internet governance in an inter-governmental forum for many reasons, including perceived threats from governance centralization to Internet innovation and freedom. The WCIT controversy represents the latest flare-up about Internet governance, with similar disagreements appearing during the ITUâs World Summit on the Information Society (2003-2005).
Implications for International Law
Cybersecurity and International Law
These developments and revelations underscore the expanding importance of cyberspace and cybersecurity in international relations. Stuxnet, Flame, and U.S. actions against al-Qaeda web sites demonstrate deepening interest in the utility of cyber technologies to achieve national security objectives, including armed conflict, covert sabotage, espionage, and counter-terrorism. Like previous advances in communication technologies, states are harnessing the Internet for security needs as opposed to treating cyberspace as a unique political domain. How well existing rules of international law apply to such security-driven behavior is important to explore. This question is not new, but developments, such as Stuxnet and Flame, renew debates about the application of international law to cybersecurity problems.
With respect to cyber espionage, the lack of international law on espionage means that Flame and other state-crafted spyware operate without international regulation. The ubiquity of cyber espionage suggests that no consensus exists among states to change this reality, which replicates what happened with every new technology adapted for spying. Unless states begin to perceive cyber espionage as an atypical danger to national security and international order, international law is unlikely to gain traction in this area, no matter how many headlines Flame or future spyware produces.
In terms of Stuxnet, attribution of this cyber attack to the United States and Israel does not answer international legal questions about this episode. To analyze Stuxnet under international law requires characterizing what this incident means in legal terms. Commentators have often described Stuxnet in terms of âcyber war,â but governments have not yet responded to Stuxnet (before or after revelations about its origins) as if it constituted an illegal use of force or armed attack or a legal use of force in self-defense. If state use of a cyber weapon designed to damage property is neither a use of force nor armed attack, then how should international lawyers characterize it? Stuxnet is only one incident, so state practice might lack clarity for many reasons. However, even with the problem of attribution resolved, international lawyers confront the problem of how to apply international law on the use of force to cyber weapons and cyber attacks after Stuxnet.
The international legal significance of the U.S. governmentâs alterations to propaganda on al-Qaeda web sites relates to questions about what cyber counter-terrorism might involve in the future. What the State Department accomplished does not appear to violate international law applicable to counter-terrorism. However, will integration of cyber technologies with counter-terrorism strategies lead to more aggressive use of such technologies against terrorist organizations, and, if so, what would such use mean under international law? Some might not consider this question significant because U.S. counter-terrorism already involves aggressive and controversial use of lethal weapons against terrorists deployed from drones or by special operations forces. More aggressive use of cyber technologies against terrorists is unlikely to cause the political and legal notoriety non-cyber U.S. counter-terrorism strategies have generated.
Cyberspace and International Law
The transition of Internet architecture to IPv6 is important to ensuring that the Internet maintains sustained growthâa significant achievement globally for political, economic, and social reasons. And, it is an achievement that owes little, if anything, to international law. IPv6 has been developed, supported, and largely implemented by non-state actors operating without reference to treaties or rules of customary international law. With the transition to IPv6 still underway, assessing how adoption of IPv6 might affect security, privacy, and human rights in cyberspace is difficult, which complicates exploring IPv6âs implications for international law. Certainly, if IPv6 produces security benefits through technological advances, it will mitigate perceptions that new international legal tools or initiatives are needed for cybersecurity problems, such as cyber crime.
Possible negative externalities of IPv6 adoption, such as providing new opportunities for cyber crime or repressive governments to undermine privacy and Internet freedom, could affect international law. Many experts consider international legal instruments relevant to cyber crime, such as the Council of Europeâs Convention on Cybercrime, ineffective and inadequate. If cyber criminals find the IPv6 environment as or more conducive to cyber crime than IPv4, then existing international law on cyber crime might become more suspect, possibly falling into disrepute. Similarly, if IPv6 permits governments to attribute Internet activity more readily to specific devices and persons, this outcome might adversely affect enjoyment of Internet-relevant human rights protected by international law, including the rights to privacy, freedom of expression, and freedom of association.
The WCIT controversy involves international law in the form of the ITRâa binding treaty adopted in 1988, before the Internet became a global phenomenon. Proposals to amend the ITR to take account of the Internetâs importance could seek to bring more of what is now governed in a decentralized manner largely by non-governmental organizations, such as IETF and ICANN, within formal international law. Some countries have expressed dissatisfaction with the status quo, arguing that it does not respond to their needs and permits the United States to influence Internet governance disproportionately. For example, in June 2011, Russian Prime Minister Vladimir Putin stated a desire to establish âinternational control over the Internet, using the monitoring and supervisory capabilities of the International Telecommunication Union.â
In response to fears that WCIT would change Internet governance, the U.S. House of Representatives declared on May 30, 2012, its concern about proposals that âwould justify under international law increased government control over the Internet and would reject the current multistakeholder model that has enabled the Internet to flourish[.]â Similarly, in congressional hearings on May 31, an Internet Society policy official argued that âit is not clear . . . that the international treaty making process represents the most effective way to manage cross-border Internet communications, or that some of the proposals currently being floated are consistentâor even compatibleâwith the multistakeholder model of Internet governance that has emerged over the past 15 years.â
Leaks in early June 2012 of ITU documents being prepared for WCIT produced skepticism about the alleged ITU âtakeoverâ of Internet governance and the argument that âthe real conflict is not over governance of the Internet . . . but over the division of the spoils, with international telecommunications operators [within countries] trying to use the I.T.U. to extract revenue from American Internet companies.â In this contentious context, what ITR changes member states of the ITU can negotiate in December 2012 remains to be seen.
Analyses of cybersecurity and cyberspace often involve doubts about the applicability and effectiveness of international law. Information about Stuxnetâs origins and discovery of Flame reinforce these doubts because they highlight the lack of international law (as with cyber espionage) and uncertainty in its application (as with Stuxnet). Nothing about the Stuxnet or Flame revelations suggests that states, especially the great powers and, in particular, those concerned about U.S. cyber power, will scale back cyber espionage activities or development of offensive and defensive cyber capabilitiesâa situation not conducive to developing international legal rules on cybersecurity challenges. Uncertainty whether IPv6 might benefit cyber criminals and repressive governments focuses attention on the ineffectiveness of existing international legal instruments on cyber crime and on cyber-facilitated human rights. Negotiations on revising the ITR reveal the unimportance of international law to existing Internet architecture and governance and the difficulties facing efforts to change the status quo through new international legal rules. These developments and revelations suggest that international lawâs role in shaping what the Obama administration has called ânorms of responsible behavior in cyberspaceâwill be fraught with difficulties for the foreseeable future.
About the Author:
David P. Fidler, an ASIL member, is the James Louis Calamaras Professor of Law at the Indiana University Maurer School of Law, and is a Fellow at the Indiana University Center for Applied Cybersecurity Research. He thanks Lesle Conway and Patrick LaMondia for research assistance.