 Good evening everybody. My name is Dundee West and I'm a security analyst at Booz Allen Hamilton. Tonight I will discuss a paper that I started writing at the University of Maryland School of Law in order to fulfill the law school's advanced writing requirements. In this paper I argue that the current rules of war can address the emerging issues raised by cyber warfare. Before I begin just a few quick caveats. First the views expressed in the opinions expressed in this talk are mine and mine alone. They don't represent the views of Booz Allen Hamilton or any entity of the US government. Secondly this talk is for general information purposes only and is not intended to be and should not be taken as legal or consulting advice on any matter. My purpose here tonight is just to contribute towards a what I think is an important topic and just to contribute to the debate. So what will we talk about tonight? First I'll give an introduction to computer network operations and the actors that are involved. Secondly I'll give a survey of the laws that I feel that I believe have the largest impact on cyber warfare. I will also give my give a little bit of brief commentary on some popular issues that I think intensify the cyber warfare debate and then I'll get to the meat and potatoes of my paper where I would give five reasons why I believe the US should not enter into an international treaty for cyber warfare. Immediately upon taking office and in the midst of the worst economic downturn since the Great Depression, President Obama commissioned a 60-day study to review the plans programs and activities related to cyber security. And an investigation of recent events show why secure in cyberspace has been named a major national security priority of the Obama administration. First we have all probably heard about the 2008 cyber attack against Georgia or the Estonia cyber war. It is now come in place for cyber related events to make the front page of the Wall Street Journal have a clip in there. And actually when that clip came out just two or three days later it was another cyber related clip. And so I think as a whole we all get the threat of cyber security. So that was just interesting. But the results of the 60-day study I thought was an interesting they included several near-term and mid-term action plans. One action item recommended that legal analysis be conducted concerning cyber security issues. However this action item is rather broad and vague. In particular under this action item the government is not required to address the unique issues that arise as a result of cyber warfare. In fact there remains an intense debate on whether there should be an international treaty for cyber warfare hence the purpose of my paper. I will now give a brief introduction to computer network operations and the actors that are involved. So when you hear the word cyber I think it's thrown around sort of loosely. I believe that analysts often discuss the concepts of cyber warfare and cyber security in overly broad terms. For example if a cyber actor gains unauthorized access to a computer network and copies data then a commentator may refer to this act as a cyber attack. But if the cyber actor is merely snooping and didn't alter the performance or content of the network then a cyber attack hasn't occurred according to military doctrine because cyber acts can be divided into three unique domains collectively titled computer network operations or CNO. CNO is one of five core domains under information operations. The other four domains are psychological operations or a PSIOP, military deception or a Mildec, operation security or Opset and electronic warfare. So just a little bit of a few more details about computer network operations. On the computer network operations you have three more sub domains called computer network defense, computer network exploitation and computer network attack. More information about these can be found in the joint pub 3-13 and the cover of it is seen on the slide. Below each one of those sub domains I've included the formal definition out of the joint pub. That's a little bit long so I'm gonna give you my version of the definition. First C&D that's what most people are familiar with. That's just traditional computer security such as deploying a firewall or some type of intrusion detection system. C&E and the lines between C&E and C&A can sometimes be kind of blurry but a good definition, a good easy to remember definition for C&E to me is that'll be like snooping and you don't affect the performance or alter any, the performance of the network and you don't alter any data. And then C&A, the way I like to define C&A is that you are negatively affecting the performance or your altering data of an information system. This paper is mainly concerned with C&A so from henceforth when I use the term cyber warfare that's synonymous with computer network attack because again when we're saying stuff about cyber security that term can be really, really broad and I want it to be understood that I'm referring to the laws related to computer network attack. So I promised myself that I was going to find a way to talk about Raven's football. I love the Baltimore Ravens. I'm a season ticket holder, a proud season ticket holder. With that said, I have what I call... So I have... So when I was first learning this stuff, it's kind of dry. When I first decided to do this research in law school, at first I thought it was all sexy and all this stuff and I found out this is simply military doctrine and it kind of seems sort of dry. So I had to think of a fun way to remember these domains. So I call this the Dundee's football example to break down these three domains. So first, you know, when we're talking Raven's football, right? C&D. That's Ray Lewis and company. So they're the protectors. C&D, that's pretty straightforward. C&A, that's Joe Flacco, Ray Rice, you know, they're on an attack ready to score. Now C&E, Dundee, what the word? Like, how can you relate C&E to football? Think real hard. You know who the C&E guys are. They are the guys that are up in the press box, you know, sending down plays, calling in signals. One thing, Peyton Manning, for instance. If you watch Peyton Manning, he's always on the sidelines and he's looking at pictures while the defense is on the field, Peyton Manning, he's always looking at pictures. Those pictures are probably pictures taken from a blimp of plays and formations. He's getting, he's essentially getting the intel from the press blocks. So that's how I like to remember C&D, C&E, and C&A, Dundee's football example. So a similar distinction must be made when we talk about the actors that are involved. For the purpose of the study, I consider two unique scenarios in order to limit the actors involved. First, a nation state versus a nation state. That may be a traditional conflict, you know, a nation going against another nation. Secondly, we have a nation state versus a non-state actor. Now, that one is a little bit more interesting, but a good way to remember that one is, is if you think about what happened post 9-11, immediately after 9-11, I believe the next day you had the UN Security Council Resolution No. 1368, where basically a nation state was authorized to take action against a non-state actor, which were, you know, terrorists. So for the purpose of this study, not really concerned with international cyber crimes, not concerned with a situation where there's a private hacker going against another private hacker. Another situation is attribution. So like, you know, if we're going to talk about the scope of cyber actors, a good question is like attribution. Like, how do you know who's doing what on the internet? Internet is international. Attribution is a very, very important topic. I think it's probably the most important topic when it comes to cyber security. But, you know, for the purpose of this study, I had to leave attribution as a separate and a unique issue. But I plan to include attribution in the future. So, so now I will talk about the the laws of cyber warfare. So first, here's one interesting thing that I found out when I started this study. The laws of conventional warfare are applicable to the laws of cyber warfare. So to say that is to say, the same laws that govern shooting a missile also governs conducting cyber warfare. So I like, I chose to divide it into two regimes. One, what are the laws pre-hostility, you know, before a actual conflict begins? And what are the laws post-hostility, you know, while a war is ongoing? So that's the way I divided up these laws. So pre-hostilities. The long and short of it is, you know, under UN Charter, under the UN Charter, Article 24, there's basically a general prohibition against all uses of force. And I think the UN Charter is pretty clear on that. All uses of force. So how clear is that? Let me give a crazy example. If one nation was to get a soldier to pick up a pebble and throw a throw that pebble towards the embassy of another nation under the UN Charter, and it's a far example. And I don't know if two nations will actually go to war over a pebble being thrown, but I'm used, I'm giving this example just to prove short point. So a soldier throws a pebble at that UN, at that embassy. Technically, the UN Security Council has the authority to sanction that act or to punish that act, to say that that act was an unlawful use of force. More than likely, chances are they won't, but they have that power to say that it was. Now there is an exception to that general prohibition against uses of force. That exception is under Article 51, is the general right to self-defense. So to put those two rules together, and we're talking pre-hostilities for it, to put those two rules together, there is a general prohibition against all uses of force except those sanctioned by the UN Security Council or authorized by the UN Security Council, or those done in self-defense. So that's pre-hostilities. So, and I'll talk about this a little bit more, but that's very important because it's a lot of talk that I see going on about when is a side-reactor use of force. I think that that may be sort of, it's not that important if you think about the UN's broad authority. Their authority is pretty much all uses of forces are prohibited, unless otherwise noted as below. So post-hostilities, this is a little bit interesting because this is talking about the laws during an ongoing conflict. So basically, once two nations are in an armed conflict with each other, the laws of war applies. The law of war must apply in all operations, including cyber operations. So that's where that piece come in where I said the laws of conventional warfare are the same for cyber warfare. The law of war must apply in all military operations, including cyber operations. And here's another one, only lawful military targets may be attacked. So in the conventional context, if a building was about to be bombed, that building must be shown to be a lawful military target. So the cyber equivalent to that is before a computer can be hacked, before a network can be hacked, that network must be shown to be a lawful military target. So how do you tell what is a lawful military target? Well, combatant commanders are required to use, consider three principles. Those principles are distinction, balancing military necessity with humanity and proportionality. So first about distinction. Distinction. Under distinction, two concepts emerge. These are mainly that there must be a formal distinction between combatant and non-combatant commanders. And then secondly, and the one that I think is the most important is that there is a duty to conduct warfare in manners that minimizes harms to civilians. So we'll talk about, let's talk about distinction in the cyber context. In the cyber context, so we know that the internet is very, is pretty much interconnected. So the chances are, if you want to attack something on the internet, that is also serving a dual purpose to do something to assist civilians. So for that, for, because of that, you know, commanders must take reasonable steps to limit attacks on the part of the network used by the enemy. So a good example of that is, if a virus was to be released in a network that's essential to a civilian function, such as banking or electrical power, and, you know, so even though you may have a military purpose to, you know, attack that network, if that network is also servicing banking or electrical power, that likely violates the principle of distinction. And so second, military necessity and humanity. These are two parts. Necessity. An attack on a target must further legitimate military objectives or grant a definite military advantage. And on the humanity, the attack shouldn't cause unnecessary suffering. So in the context of cyber, let's say that someone, this is a hypothetical example, someone that wanted to attack a power system or what one many call a skater system. Here to cross the threshold to legally do this according to military necessity, that's easy. You can easily argue that it's a military necessity. But, you know, let's throw out a question. What if that power also supplies a civilian hospital? Now the principles of humanity might be violated because even though you have a purpose to attack, you know, a skater system, it may have the, the collateral effect of unnecessarily affecting a civilian hospital. Last but not least, proportionality. This is basically, I call it a calculus. And a good way to remember this is that the ends must justify the means. And for the business types out there, this is essentially a return on investment analysis. Basically, you know, what you're doing must be worth it. The ends must justify the means. So that's post hostilities. So now, you know, I'll take a few minutes to hop on my soapbox. We have discussed computer network operations and the actors involved. We have looked at laws related to cyber warfare, both pre and post hostilities. And I will now provide commentary on popular issues that I believe are anticipating the cyber warfare debate. So first, we have the use of force debate. A popular issue as I was discussing before is about the use of force. When is the cyber act considered a use of force? One of the most popular answers to that question was proposed by Michael Smith. He's very, very famous. I read everything I can, anything I can get my hands on that he wrote I read. He basically had proposed a multi-factor test to determine when a cyber act constitutes a use of force. Smith, he recommends a consequence-based analysis to determine whether an act constitutes a use of force using the following factors. First, severity. He looks at immediacy, directness, invasiveness, measurability, the presumptive legitimacy and responsibility. But, so my response to that is, you know, as a reminder and what I was saying earlier, you know, it may not even be that important because all uses of force are presumed to be wrong for it unless it was, you know, allowed by the UN Security Council or done on the self-defense. So then the question is, you know, should the UN Security Council just be required to adopt one standard multi-factor test? Well, my response to that is that a multi-factor test may unnecessarily limit the broad authority that the UN Council has. I think that with cyber acts is very important that the UN Security Council maintain their broad authority. Now, it is one way that a lot of courts, when it comes, you know, when you're making a rule, multi-factor tests are very commonplace in the law. Most of the time when courts want to maintain a broad authority, they may have a list of multi-factors, but that last factor may allow for them, allow for the court to maintain its broad authority. So for example, you may have a statute or a law with factor one, factor two, factor three, all the way down to the last factor. And then that last factor will then say it will be very broad after all those factors and any other factor that the court deems necessary. So I would like to propose and add to the Smith test that in addition to his numbered factors, it should be another factor added that says any other factor, you know, that the UN Security Council deems necessary or something to that effect. That way the UN Security Council maintains their broad authority but then still has a standard. But that's that's sort of the only way I would I agree with a multi-factor test. So then, you know, in light of the general prohibition against users of force, I want to propose the following rule. A nation conducting any any CNA prior to hostilities is legally doing so only in the case of reasonable self-defense. If self-defense is not involved, then the nation actor is conducting CNA with the risk of being sanctioned or punished by the UN Security Council. That's the rule I propose. I think that'll be a great standard. Now, does the UN Security Council need to do more to monitor cyber acts? Yes. But I don't think it implies that the current rules of war are inadequate for addressing cyber warfare. So secondly, I've been seeing an analogy floating around called the cyber arms race or cyber gain or cyber cold war, that type thing. I think that that is sort of an exaggeration. So basically, we're comparing cyber weapons to nuclear weapons. I think that that may be a unfair comparison. Furthermore, I believe that that may give a false sense of urgency of the of the necessity of creating a cyber treaty. So, you know, when you hear cyber, you know, cold war, when you hear that, you automatically think about, you know, the dangers of nuclear power. And now all of a sudden, you think it's necessary to create an international treaty for cyber warfare. And I think that that's a danger of doing that. So then, similar though, similar to that, though, it's important to know that the cyber threat is real. I don't know if you guys heard of it, but recently, there was a debate where, you know, Bruce Snyder came out, and he said something that was pretty revolutionary. He believed that, you know, the cyber threat has been grossly exaggerated. Now, Bruce, he has an excellent blog called Threat Chaos. I go to it every day. Bruce is another person that I read. Anything that he writes, I try to read. Bruce Snyder. I'm sorry, sneer, sorry. Yeah, but so anything Bruce writes, I try to read. I kind of like track him and stalk him because he's genius. And he's on this LinkedIn group called the Cyber Warfare Forum initiative that I'm a member of and I try to like look at stuff he's writing and stuff. But he thought, he believes, and he strongly believes that the cyber threat has been grossly exaggerated. So my view is that, my view is that, you know, it's very, very, very hard to exaggerate cyber warfare. So, but at the same time, he has a point. So I propose this rule. I have what I call the Fire Marshal Bill test. So how did I come up with this test? Basically, I think that cyber is the new fire. So fire safety, fire awareness is so important that it's ingrained everywhere. If you look over there, there's an exercise for fire safety. If you were to see a commercial on TV that say, you know, don't forget to change your batteries to your smoke detector, you wouldn't say, hey, what the hell? Why are they saying, why are they reminding me that they're exaggerating the danger of fire? You would think, man, I do need to change my batteries. I believe that cyber needs to become the new fire. We need to really, really be conscious of the threats of cyber. And we need to become cyber conscious. So if someone wants to come up to you and say something, you wouldn't, about fire, you wouldn't accuse that person of grossly exaggerating. And I don't think that you, we should accuse people of grossly exaggerating cyber threats. So again, I propose the Fire Marshal Bill test. How do you know when someone is exaggerating a cyber threat? How do you know that? Well, it takes real, real, like, gross exaggeration. And let me show it to you. I don't know if anybody remembers Fire Marshal Bill from In Living Color. Honey, honey, how's that roast coming along? It's almost ready, dear. Fire Marshal Bill is the only guy that can exaggerate the fire threat. Stop right in front of the house. So you gotta find a similar guy to show the cyber threat in the dead room. Nice to meet you, folks. Fire Marshal Bill here. Won't you come in? No, Marshal. And that's right, Princess. Say, I sure have a beautiful family here. Why, thank you, Fire Marshal Bill. Now, how can we help you? Well, it's National Fire Safety Week. I've been going door to door, looking for fire hazards. Mind if I give your place a little infection? It's free. Please do. Son, does your father always smoke a pipe? Yes, sir. Pipes, cigarettes, number one cause of domestic fires. Let me show you. Certainly. Now, day one night you're drifting off to sleep on the couch and the pipe falls out of your hand like that. Now you start dreaming that you're having a little barbecue. You pull out a can of lighter fluid. I've got fire so many times I can't even feel it anymore. The trick is not the panic. Fire is what you're flying. Look what I found. Now at the station, we like to call this an octopus. Pull these up. It becomes an exposed electrical outlet. Let's just say it's after dinner. You've got a fork in your hand. Somebody says, hey, I've got the liquor. Are you joking? I've been hit by lightning 19 times. I'm starting to enjoy it. Okay, everybody. Okay. What an idiot, right? So, hold on. Let me get my slide back. So I showed that example, you know, just to say this, to me, it is very, very hard to exaggerate the threat of cyber. It's very hard to exaggerate that. I think that Bruce may have had that wrong. Again, I believe that cyber is the new fire. You know, we got to take it serious. So if you're, but it is a time that you need to throw the flag, right? When it is being grossly exaggerated. So when you want to throw that flag, you know, to say someone is grossly exaggerating the cyber threat, think about that Dundee's fire marshal bill test. That person is not, you know, doing, you know, exaggerating stuff and being an idiot like fire marshal bill. Don't throw the flag. You know, cyber, the cyber threat is real. So now I'll get to the meeting potatoes of my study. I'll come off my soapbox, get to the meeting potatoes of it. I'll now give five arguments why I believe creating a distinct body or international treaty for cyber warfare. Excuse me. I'll now give five arguments why I believe we should not create a distinct body or international law or international treaty for cyber warfare. First, I've already shown that the current rules of war can address it. So that's reason number one. The current rules already can address the rules of cyber warfare. Reason number two. Fields of law are seldom demarcated by technology. I want to point to the summer argument that was proffered by Joseph summer. Basically, he argued against the creation of a distinct body of cyber law. He asserted that cyber law is not a body of law in and of itself as technologies generally do not define bodies of law. Also, he thought that it was dangerous to consider cyber law as his own body of law and that to do so will lead to development of bad law. Summer highlighted the fact that there was never a law of the steam engine despite its role in technology. So similarly, I kind of took that summer argument and looked at it from a warfare standpoint and built on it. Basically, summer was like, if you look at old stuff, they're revolutionized society like the car, the steam engine, the train. It was no such thing as train law. So why should we now all of a sudden come out with cyber law? He thought that it was dangerous. I think that that's very relevant to whether or not it should be an international law for cyber warfare. Now if you look at that list right there, I have some very, very interesting treaties listed. Check that one out. The law of equestrian warfare, horse law. At some point during warfare, it was pretty revolutionary to use horses. It was pretty revolutionary to do that. So looking at the summer argument, believe it or not, some of those are real and some of those are actually false. But before I talk about which ones were false, I want to point to that mass right there. It's from my favorite movie, 300. Those were the mortals in one of the legendary battles in 300. If you think about it, back then, that mass was a serious technology. That was something that assisted warfare. It probably fell under the domain of psychological operations, but that was pretty serious. So imagine it being like the year B.C. or whenever 300 were supposed to have taken place and you show up to fight you and Leonidas in the rest of the 300. You got to see his name like that, Leonidas. Imagine you show up and all of a sudden you see that, that mask. That's very intimidating. That's a psychological effect. So technically, they could have came out with a law that basically bans the use of or bans the imitation of paranormal activity. That's similar to what we're trying to do now. If we come out with a law about cyber warfare, that's no different than back in the days of Leonidas, that's no different from coming out with a law trying to regulate the use of masks or intimidating paranormal activity. What about when bowls and arrows and spears and shields first started to be used? I would imagine that it was a day in time where we fought war with just fists, right? But when someone came out with a sphere or the bow or the bow and arrow, that was revolutionary. So looking back on it, should there have been an international treaty on bowls and arrows and shields? Now, I'll admit the first one, two, three, the first five of those, actually the first four of those were made up by me just to drive home the point that just because there's something new and revolutionary, we should now automatically think that we should have an international treaty. But believe it or not, the last five of those were real. Upon the first use of aircraft and warfare, there was a treaty drafted to address aerial warfare. That treaty basically was typed up, signed, never to be seen again. Also, there was a use when it was some discussion about scientists wanting to modify the environment, create hurricanes to support warfare. That was a real treaty, never went anywhere. It was also a treaty about x-rays. When we started coming out with x-ray technology, they thought that that was dangerous. That was new and exciting. Came out with a treaty for that, went nowhere. And last but not least, this is a similar thing with banning the use of blind and lasers. We came out with that. So I guess my point is showing that is, we got to remember history. Just because something is new, sexy, and exciting doesn't mean we got to automatically think that we have to enter into an international treaty for it. So we got to think ahead 2,000 years from now, it'll be something, a new kid on the block. And right now it's cyber. So basically we got to recognize the power of the current rules of war. We got to recognize that they apply. They adequately address cyber technologies. And we got to go with that instead of having a knee-jerk reaction and coming up with an international treaty. Next, I believe that an unintended consequence of a cyber warfare treaty is that it may pose an undue limitation on a primarily non-lethal strategic deterrence. Despite the many doomsday scenarios, such as a nuclear power plant being hacked and causing a nuclear explosion, I believe that a cyber Katrina is unlikely. In fact, I believe that cyber warfare is unlikely to ever even cause the loss of human life. It could be argued that cyber warfare is a primarily non-lethal strategic deterrent. So my purpose in this rule, well not rule, but this reason for not having an international treaty for cyber warfare is to say that maybe cyber weapons may be the greater of two evils. You know, do you want a missile dropping on a building, you know, possibly killing thousands of people, or do you want like maybe an internet outage for a limited period of time? I think that cyber is a new, it's a, cyber is a non-lethal deterrent. Because of that, I think that if we have an international treaty on cyber warfare, it may pose an undue limitation on what I believe is a non-lethal deterrent for the most part. So I think that that's very important is to recognize that cyber is non-lethal and we shouldn't put a limitation on it. So last, not last, but this one is also very important. If we come out with an international treaty for cyber warfare, who will comply? Who's likely to comply? Right now, those people right there, terrorists, extremists, those are the main enemies. They don't even abide by regular rule of law, let alone a rule for cyber warfare. So before we enter into an international treaty for cyber warfare, it's important to ask, are real enemies likely to comply? Probably not. Those guys don't want to hear anything about a cyber treaty or a cyber law. They don't abide by regular law. And last but not least, I believe that the rate of technology will outpace the ability for international cyber regime to produce responsible policy while the flexibility allotted by the UN Charter is able to absorb technological advances. I say that to say this, you know, so let's say right now we set out to create this international treaty for cyber warfare six months later or a year or maybe even five years later, we come out with a treaty. By that time, technology would have revolutionized again. So each time we come out with a treaty, all of a sudden there's a new technology out that probably finds loopholes in that treaty. So I think with technology, we've got to stick with the current rules of war and abide by those because the current rules of war have withstood the test of time. So in conclusion, you know, I believe that the laws of cyber of war will be tested by cyber warfare in two situations. First prior to the commencement of an armed conflict and second after a conflict is ongoing. It is important to note that in each of these situations, the current laws of war can address the emerging issues raised by cyber warfare. Although several hot-button issues related to cyber warfare are often discussed and few of the cyber warfare debate, I believe that they may not be issues at all. A careful analysis shows that the current UN Charter and Laws of War should continue to govern cyber warfare. Creating an international treaty or law for cyber warfare, in my opinion, would do more harm than good and seriously cripple our country's ability to conduct war. And that's all I have.