 So without any further ado, this is talk number two today. We have two more talks tomorrow. I'd like to introduce Zana. She's going to take care of our musical scales of cyber warfare. Take it away. Welcome. My name is Jana. And I'd like to thank the Data Duplication Village for this opportunity to share my research with you on the law of war in cyberspace. But more importantly, I'd like to thank you for taking time out of your schedule today from DEF CON to share that with me to learn about the musical scales of cyber warfare. So whether your background is in law, technology, policy, or academia, this is a beginner's guide to understanding the basic legal principles that drive cyber and international conflict. Now, you might be wondering, why did she use a music analogy? Well, the American poet Longfellow wrote that music is the universal language of mankind. So by using that analogy here, I hope to engage a broader cross-section of the community to discuss these issues. By bringing more participants, more cyber stakeholders to the table, we can better strategize how to mitigate conflict in this domain and strategize for peace. Now, if you do have a basic understanding of how to play the piano, you will be at a slight advantage. But if you don't, that's perfectly fine. Not only will you walk away from this presentation with an understanding of the basic principles of war, but also a little bit on how to play the piano. So only at DEF CON would you get both of those. In terms of my research work on this, I compiled this while working as a postdoctoral fellow at the Harvard Kennedy School Belfer Center Cybersecurity Project. This presentation will also draw upon my research work, which I published with the Houston Law Review online. So with the preliminaries out of the way, let's dig in. Core terminology. Now, the main takeaway point developed by a group of government experts internationally offers under Rule 30 the following definition. 
A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects. So what do we have here in this definition? We have the loss of human life and then some form of physical damage. But what about data? This talk, after all, is for the data duplication village. It would seem remiss to not at least mention harm to this form. Other scholars have advocated for less of a preoccupation with direct physical effects and the broadening of that harm spectrum to include data. Specifically, Professor Matthew Waxman at Columbia Law University had the following to say. He said that a cyber attack should include the effort to alter, disrupt, or destroy computer systems, networks, information, or programs on them. But to present to you the other side of the debate, there are others saying, time out here. The problem isn't that we don't have an international legal definition of what is a cyber attack. The real problem is that we don't have a consensus on what misconduct in cyberspace needs to be stopped. And I'd like to read to you some comments from Senator Mark Warner that he offered several months ago at the National Security Agency's Law Day, which are available on Lawfare's blog. Senator Warner bemoaned the lack of clarity on what cyber activities are tantamount to an attack. And he said that failing to articulate a clear policy and to set expectations about when and where we will respond to a cyber attack isn't just bad policy. It's downright dangerous. So I highlight to you these different definitions, these different visions on what a cyber attack should be defined as to underscore the point that this field is very much still in development. And I commend you for taking the time today to learn the basic principles. It'll be worth your time. Next up, cyber operations. 
Continuing with the music analogy, consider a cyber operation as one instrument in a grand symphony orchestra of power. The maestro, take your pick of a state actor or a non-state actor, cues the cyber section, sometimes in conjunction with other sections to produce the right pitch. And that can be a political effect, a social effect, a military effect, economic. It works together. Now the US Department of Defense categorizes cyber operations in three areas. There's offensive cyber operations which are about projecting power to your adversary. Then there's defensive cyber operations, which is about protecting data, networks, the information on them. Last but not least, you have Department of Defense information network operations. Now if you're wondering how gray zones fit into this, hold on, we will get to that area. It is very exciting, more to come on that. The US Supreme Court Justice, Oliver Wendell Holmes Jr. remarked that the right to swing my fist ends where the other man's nose begins. Now apart from sounding like a code of conduct for an 18th century gentleman's fight club, this is actually, that we can finally turn to our first note on the piano keyboard. We have middle C. So just as your first point when you're learning how to play a song on the piano, you placed your thumb on middle C. Similarly here, your first starting point, United Nations Charter and customary international law. So I'll be building upon that analogy. Now I'm gonna walk the caters of formula on what is a cyber attack, correction please, on what is a use of force? We do have some clarity. We have some common examples. And I'd like to read to you Harold Koh's description of those three examples. He was a former legal advisor to the US State Department. Mr. Koh said that the following constitutes a use of force in cyberspace. One, operations that trigger a nuclear plant meltdown. Two, operations that open a dam above a populated area causing destruction. 
And three, operations that disable air traffic control resulting in plane crashes. So what do these three examples share in common? Well, they all reference some form of loss of human life or catastrophic damage. Next, turning to the right of self defense. How do we define an armed attack in this situation? Well, we need to turn to our first case law which was decided in 1986 by the International Court of Justice. It was a case called Nicaragua versus the United States. While the International Court of Justice did not explicitly define an armed attack, it did describe the general nature as the following. Acts which can be treated as constituting armed attacks. Specifically, if such operations because of its scale and effect, those are the key words and we'll be echoing them throughout this presentation. Because of its scale and effects would have been classified as an armed attack rather than as a mere frontier incident, had it been carried out by regular armed forces. Thus, the scale and effects of an operation are requisite inputs for evaluating an armed attack which in turn provides the legal basis for the victim state to respond under Article 51. One point I'd like to highlight before we go any farther on the musical scale is that just like in music theory, you have a treble clef and a bass clef and playing piano, notes that guide the player on what notes to play. Here, we have two different legal regimes. We have the jus ad bellum and the jus in bello. Now, for those of you that are frightened by the Latin phrases, you could think of it as jus one, that is the preliminary phase that you write leading up to war. Then there's a triggering event and then we have the jus in bello, the law governing how war is carried out. You can think of it as jus two. With that, we are ready to move on to our first scale, octave set one, which is how states evaluate an armed response to an aggressive act in cyberspace. 
Step one, the victim state needs to evaluate what type of harm was produced. Here we have a de minimis damage or injury threshold. How I like to conceptualize it, which might be helpful for you, when I see de minimis damage or when I hear armed attack, I think high level destruction. It's an easy way just to cut to the wick. Here, did the state suffer a de minimis damage, high level destruction in the form of a cyber attack? Now that analysis is going to take in a variety of factors. You're going to look at the time, place, manner, surrounding circumstances and not all of it will be known at the time of the attack, so it is a flexible analysis. But assuming that we have an act that does rise to that level of being an armed attack, next step, we need to be able to identify the proper legal basis under international law to respond with force. Now, if the US is performing this analysis, we also need to ground it in domestic law, such as the War Powers Resolution Act. Now, one point I'd like to highlight here is that the majority view in the international community, which is beautifully summarized by Michael Schmitt, who's a professor at the Naval War College, said that all armed attacks are uses of force, but not all uses of force are armed attacks. The US, however, does not subscribe to this view. In the jus ad bellum, the preliminary phase, we equate a use of force with an armed attack. So with that said, if the state has determined that there is not enough damage to rise to that level of being an armed attack, what are their options then? Well, they have two modes of recourse. They can appeal to the United Nations Security Council under Article 39, and they can employ non-forcible countermeasures. And what I mean by that is economic sanctions, diplomatic efforts, and also legal sanctions. And we've seen this in practice. 
In January 2017, the US Department of Justice issued indictments against several Iranian hackers for engaging in impermissible cyber activities with ties imputed to the state. And also we saw the Department of Justice issue sanctions and indictments against China, several Chinese hackers for engaging in commercial economic espionage. With that, we can move on to our second scale of anticipatory self-defense. So this scale in yellow, you'll notice a pattern that will be going out on the keyboard. Here, this scale displays the range of permissible activity when a state is evaluating how to respond anticipatorily. Now, the US Army Law of Armed Conflict Deskbook defines it as follows. It's force that's justified in anticipation of an imminent attack, and imminent, that is the key word here to emphasize. The difference between a permissible act of anticipatory self-defense and an impermissible act of preventative self-defense lies in the state's ability to demonstrate a decision by the aggressor state to attack it. For anticipatory self-defense to be lawful, there is a high standard of proof. And rightly so, this requirement goes beyond merely proffering evidence of the state's hostile intent, but also evidence of some pending attack. So there's a temporal requirement there that needs to be met. To that end, the complexities of pairing evidentiary standards with attribution in reality makes this a difficult analysis for the state to do in a timely manner when faced with an imminent attack. So I will need to pivot here to discuss attribution. While this could be a talk in and of itself, there's a misconception that I'd like to clear up. Attribution is not a plain vanilla construct. In fact, it comes in a variety of flavors. Now these flavors, these frameworks, if you will, were developed by four different attribution frameworks. 
And the reason why I'm taking the time to go over these is that the next time you hear the term bandied about, I want you to critically think about what type of attribution framework that speaker is referring to. Let's start with perfect attribution. Now in this type of system, the attribution challenge doesn't exist. Attributes of the sender and recipient are known to both in a timely fashion and at little cost to the investigating party. So in this type of world, we can imagine a surveillance state being happy with this type of outcome and whistleblowers and activists being at a disadvantage because everything is knowable in real time. Perfect nonattribution, turning to the second one. It's the complete opposite of the first one. Here we can imagine the whistleblowers and activists will be happy because they have the perfect nonattribution, the protections of anonymity, the surveillance state, not being happy with that outcome. Third, perfect selective attribution. Here, the actor wants attributes known to some entities, but not to others. So there's a freedom of choice here that is key to the third system. And in this system, you can disclose to your intended party, your name, organization, your internet protocol address, and also your ISP. Fourth, you have false attribution. This would be the ideal petri dish for waging false flag operation. So here it's overpopulated with digital strawmen or you can determine some attributes of the message or the actor, but can you really trust it? Can you really go off on that information to be true? So having highlighted those attribution frameworks, we're going to turn back to our keyboard and have an example of how this would work in theory. So imagine if you will, innocuous state I's electrical grid was attacked by nefarious state N and accurately attributed to state N. Now in order for state I to be entitled to a use of force against state N under international law, there are three requirements that must be met. 
So let's take these in turn. One, the victim state's opponent must have decided to actually exploit that system's vulnerabilities. Two, the strike is likely to generate consequences at the armed attack level. And three, the victim state must immediately act to defend itself. Unless all three of these requirements are met, then state I's response would not be restricted to only non-forceful responses such as economic sanctions or legal action. Also, any act to defend yourself in cyberspace if you are a state has to be grounded in two principles of necessity and proportionality. Proportionality being that you can't escalate the amount of force to counter that threat or that attack. And then you have necessity, which is doing your due diligence to ensure that you've exhausted all other peaceful means of resolution in order to protect yourself in cyberspace, to protect your state. All right, with that, we're moving to octave set three. Now this is the most difficult one to explain and I'll explain why because it involves the doctrine of state responsibility. So with this, let's charge the hill. It does get easier from here. Now, this orange octave labeled here, this demonstrates the range of state action that may be somewhat permissible. And the reason why I'm emphasizing it and saying it like that is that the surrounding circumstances will, including the scale and effects of the operation and the legal status of the aggressor will influence how the victim state can respond. And here the range of qualifying hostile cyber activity can range from writing and executing malicious code, launching a distributed denial of service attack, providing malware or other cyber tools to the party of the conflict. And the state's analysis is further complicated when there are cyber proxy actors involved. In addition to that, that group might be clandestinely receiving the financial support or other forms of support from a state entity. 
Now, turning to the doctrine of state responsibility, the 2018 US Department of Defense's National Defense Strategy Summary makes clear that states are the principal actors on the international stage. However, non-state actors also threaten the security environments with increasingly sophisticated capabilities. So here, armed attacks from non-state actors, how would a state evaluate that? Well, ultimately the legal analysis hinges on the doctrine of state responsibility and the International Court of Justice's analysis and recommendation has been to evaluate whether an armed attack, the high-level destruction, waged by a non-state actor, can ultimately be imputed back to the state. Thus, if the state has effective control over the cyber operation, waged by a non-state actor, then responsibility can be imputed back. This is a flexible area that's still undergoing development. It's one of the most difficult to explain on the scale, but with some knowledge of how the doctrine of state responsibility operates, hopefully that provides us with a good groundwork to evaluate this going forward. Last but not least, we have our final scale here. These are musical notes that you cannot play on the scale, that you will not play. Preventative self-defense employed to counter non-imminent threats is illegal under international law. You also have acts that don't amount to high-level disruption and what Professor Gary Solis at Georgetown University Law Center has classified as cyber intrusions. It's a cyber operation short of an attack into another state's cyber systems. You can think of routine intelligence gathering, cyber theft, activities that don't amount to the level of an armed attack. So putting this all together, you might ask, that's all fine and well, but what if a state's cyber punch doesn't amount to a use of force? Well, I'm no Rod Serling. I would say we've entered into a fifth dimension in amorphous realm between peace and war. 
In short, next up ahead, the Twilight Zone. Again, I'm no Rod Serling. It's amazing what you learn in law school, though. Okay, so I like to use this analogy of the Twilight Zone to help highlight the ambiguity between the amorphous realm between peace and war where you have an act in cyberspace that doesn't amount to a cyber punch in the face. It's not high level destruction, but it's still disruptive. It's not intrusion, so it's that amorphous middle ground between the two. You might have heard the term gray zone or gray zone tactics. Now, in 2015, U.S. Army Special Operations Commander Joseph Votel testified before the House Armed Services Committee talking about gray zone tactics, describing them as tactics that actors leverage as part of a strategy campaign that seeks to secure their objectives while minimizing the scope and scale. It's pretty brilliant when you come to think about it, where it doesn't toll that level of going past and to minimize damage. However, it's still disruptive and it can still deal a blow to your opponent. Now, some case examples of this. In 2014, we're all very familiar with North Korea's intrusion into the networks of Sony Pictures Entertainment. Here, the perpetrators deleted critical information to the extent that it irreparably damaged some of Sony's infrastructure. And indeed, the 2015 U.S. Department of Defense's Cyber Strategy Report references this Sony hack as an example of the political utility of cyber operations. This case demonstrates how cyber operations can present an opportunity for revisionist state actors to challenge the geopolitical status quo. You can affect your opponent's psyche. You can deliver that blow with a relatively low risk of retribution and financial cost. Another more recent example involves the July 2016 email leaks from the U.S. Democratic National Committee and Russia's involvement in undermining the integrity of the 2016 U.S. presidential election and disinformation campaigns. 
So what is the future of Twilight Zone conflicts? Ultimately, states that employ gray-zone tactics in cyber operations, you don't need to be successful in actually infiltrating the system in order to further your revisionist ambitions. Rather, the sheer ramifications from the cyber act in and of itself has the power to disturb the nation's psyche and to grab that international spotlight and attention to challenge the geopolitical status quo that you are a power to be listened to and reckoned with. Going forward, a significant challenge for the United States and for other countries is how to develop tactics that can counter gray-zone tactics. It's one that we won't reach the answer to in this presentation, but we've seen the United States at least respond by pursuing economic sanctions, legal indictments, and other diplomatic efforts to dampen gray-zone tactics. But again, it's one that is ongoing. Now, this is the visual summary of consequences to those actions. And going back to Longfellow's words that music is the universal language of mankind here, it is the hope in this presentation by drawing on this analogy that a piece of it resonates with you and that by endeavoring to understand the basic principles of law through music, we can collectively strategize for peace and also may the euphonious sound of peace always appeal to our ears. So I thank you for your attention today. I have a handout on this musical piano legal guide that I'll be distributing. I understand also that I am the last speaker of the day and I stand between you and a lovely dinner in Vegas, which is quite dangerous. So by all means, if you need to leave, I understand. If you have questions, you're more than welcome to stay as well, and I'll be passing out these handouts. Thank you for your attention. That's true. Can you summarize that question for the audience? Sure. 
So the question asked by the gentleman in blue was the de minimis damage threshold standard that we have, that there must be some high level form of destruction. Does that harm us? Crap, you're new question, right? Does that harm us when we have an attack that is equally disruptive but you don't have a loss of human life or a physical structure, wasn't damaged, but you have the degradation of data. And it goes back to the second slide that I had up there that the definition that currently carries weight is that it has to be tied to a loss of human life or physical kinetic effects. And I agree with you that that type of notion of trying to shoehorn kinetic damage into this new medium of warfare is harmful. We can see how that scenario that you gave or attack on Wall Street would produce very harmful effects. And while it doesn't result in the loss of human life it does have this cascading effect that can spill over into other sectors. I wouldn't be surprised if those areas of the US's structures would be classified as protected critical infrastructure so that if attack were made upon that, that signals that this was protected, you attacked it, now we will respond in a time, place, and manner of our choosing. It wouldn't necessarily be confined to cyber but the US would respond to protect its critical infrastructure. And in 2017, then DHS Secretary Jeh Johnson classified election systems as critical infrastructure to signal to the international community. Thank you for your question. Thank you, so that is an excellent point and the piece on sovereignty, the gentleman had asked what about acts in cyberspace that undermine political sovereignty or the integrity or political independence of that state. And I think that's an excellent point that you've raised in article 24 could be a strong point to underscore that and granted this is all very flexible and still in development but that perspective needs to be heard. Thank you. Yes, very dynamic. 
When I was conducting this research, the idea of gray zone tactics, I hadn't considered when I first developed the cyber scale. So that's why in now 2018, I tacked it on as a separate slide to describe how this keyboard is still flexible to envelop that but also highlight that there's no international legal definition on what is a cyber attack. And here we've kind of teased out the difficulties referencing what about cyber acts that undermine political sovereignty? True, there's no loss of human life. There isn't high level destruction but it's still disruptive. So how can the law be developed to embrace that? Unfortunately, the law is very, oh, I guess it's a mixed blessing actually. The law is very slow in evolving to adapt to the pace of technology and that's your questions today. That is why I developed this presentation so we can have that type of dialogue because it's not being had here. So this is perfect that we're each seeing a different piece of the elephant here and developing a legal definition or some other cyber doctrine that can account for these nuances but still be breathable to absorb new developments. That's the goal. So thank you. Not commenting politically on the statement that you raised. I'd like to highlight a general principle that this is from Madeleine Albright in her book, The Mighty and the Almighty. And she reasons that while countries often do take action outside the UN guidelines which you just raised, despite such violations, the standards in the charter remain relevant. And she reasons that just as laws against murder remain relevant even though murders are, if I understand your question correctly, you're asking about would psychological operations fall in? Yes, so psychological operations would fall into gray zone. So gray zone tactics, subversion, sabotage, economic coercion, information warfare, psychological operations. Yes, that does fall into that category. Thank you for that observation. 
The observation that the gentleman made was that there's a group of international governmental experts that created the Tallinn Manual. There's actually two. There's Tallinn Manual 1.1 and then 0.2. The first one talking about cyber conflict in a war setting. He had raised that while it's international, you don't have participation from all international, sorry, participation from all members of the international community, all members of the United Nations Charter. How to bring them to the table? I don't know. It's too bad that we can't have participation from everyone. You can, from a liberalist standpoint, international theory, we want buy-in from all countries to develop these norms that will guide us towards peace. But in reality, some players don't want to participate in this type of a forum thinking that, well, if I do that, I have more to lose potentially. Speaking hypothetically, I don't know how you rebut that other than with facts and with a large number of states coming together. Hopefully there's a bandwagoning effect that more states would want to join in to support this type of a dialogue and definition creation. That's the first that I've heard of it. It sounds like a Chinese faction decided to break off and develop their own discussion on cyber norm building. Interesting, we'll see what comes of that. One would hope that in the spirit of international cooperation, that when you have these states come together, that they would stay committed to trying to develop some consensus. I suppose it's inevitable that some groups will form off and create factions. But thank you for raising that. If there are no further questions, again, thank you all for your time. I appreciate it.