 Good evening. Good evening, welcome. Welcome to this fourth event of our cycle of conferences and debates on new technologies and warfare. Thanks especially to all of you in Geneva who came despite the rain. And I want to explain to our audience on the web, that's why we are late because we had a heavy rain in Geneva so we start a little late this conference. So thanks for your patience. It's indeed a live webcast. So we have also people following this event on the internet. So thanks to all of you. Our cycle of events, as I said, focuses on the development and use of new technologies in warfare. We have seen in recent years the development of new means and methods of warfare, new technologies entering the battlefield such as drones, robots, cyber warfare. And we think there is no doubt internationally modern law applies to them, applies to their use. However, applying those rules, pre-existing rules to new technologies make us ask the questions, are they clear enough? Are they adapted enough? So these are the challenges we want to discuss in this series of events. I forgot to introduce myself. My name is Vincent Bernard. I'm the editor-in-chief of the International Review of the Red Cross. And I am hosting this event here at the ICRC headquarters in Geneva. So we have had several events on specific issues. Some of you may have attended our first conference on the 25th of March here in Geneva which discussed various legal, operational and ethical questions linked to the development and use of new technologies in warfare. We had a second event, a panel on autonomous weapons and armed conflicts during the conference of the American Society of International Law in Washington DC in April. And recently we also had a webinar, a web seminar on new warfare and technologies and new protection challenges in partnership with the HPCR in Boston. So this event is, as I said, part of a cycle. You will find more information on our leaflet here which presents also the upcoming events. So we'll have a panel on soldier enhancement, new technologies and the future battlefield in Melbourne next week in Australia. Then the cycle will end with two events here in Geneva, a webinar on technological innovation and humanitarian action. And finally the cycle will end with an event at the Maison de la Paix in partnership with the Geneva Academy of IHL and Human Rights. So the recording of all these events will be available on the web and you can just access a web page using the QR code on the leaflet. So cyber warfare is obviously a very important new development in the field of warfare and possible humanitarian consequences. So we devote two events actually. The past two days there was a workshop devoted to this issue and this event tonight marks also the end of this workshop so probably most of the participants who were there in this workshop will make good use of the discussions and that will be probably reflected in our debates tonight. I would like to thank all the panelists for joining us. Our moderator, initial moderator, Anakandthik Rengas could not attend this event but we are very happy to have Dr. Hiva Ruff with us tonight who kindly accepted to replace Anakand. Thank you very much. So Hiva is currently a lecturer at the Corbel School at the University of Denver and our research interests include international ethics and a just war tradition and how it relates to emerging new technologies of warfare. Current research projects include cyber use of force short of war and moral and legal aspects related to lethal autonomous weapons. So I'm looking forward to this discussion and Hiva, the floor is yours. Thank you very much. Thank you and thank you all for coming tonight and Braving the Rain. I know that I had to run quite quickly through it to get here and I'm not too must so that's good. So I'd like to introduce our panelists for this evening really quickly and their bios are actually available in your pamphlet and they should be available online as well. I should also note that two procedural things. Everybody here I think except for Laurel is going to be speaking in their private capacities. They're not going to be representing any particular state or institutions viewpoints. The other instance is a clarificatory issue which is trying to keep separate issues of use add belem and issues of use in bello. And so when we're talking about the law of hostilities that's a particular area and the justification to fight is another justification to use force is another area. So I think the panelists will try to keep those separate and it's a good heuristic as well for you to try to keep those separate in your minds as you go forward and ask questions. So quickly we have Duco Le Clec, I don't speak French and he is the legal and policy advisor for the Netherlands Ministry of Defense and so we'd like to welcome him and his opinions on the cyber warfare and other legal aspects of warfare that he is working on. We have the chief scientist Dr. Herbert Lin for the Computer Science and Telecommunications Board and the National Research Council. He has been working on these issues quite prolifically for some time. We have Laurent Gisele, the legal advisor for the ICRC and again particularly interested right now in emerging technologies and cyber. We have Dr. Zhu Langui, the associate research fellow at the China Institute of International Studies and we have Dr. Professor Bradley J. Strasser, an associate professor at the Naval Postgraduate School in Monterey and with that I'd like to begin some questions. So the first question I'd actually like to pose is a definitional one so we're all working from the same page and that is briefly if each of the panelists could give me their view and their definitions of cyber. Start with you Brad. Just cyber? Just the word cyber? I wasn't prepared for that. Ones and zeros, computer stuff, the binary world of stuff that we can't touch well maybe we can't but we can't feel it that we all run the magical devices that we carry around with us every day on but it also is far beyond of course our personal computers and our network computers and our business computers it's also the information superstructure girding most of our infrastructure today in the corporate and industrial realms guiding our transportation, our communication, our economies, our markets and becoming an indispensable part of everyday life. How about that? That's cyber. And cyber conflict is when bad things happen in that space and you don't want those bad things to happen. I've already moved to that from other bad things which also happen in cyberspace which is for example cybercrime or cyberterrorism or cyber espionage and at least when we at the ICRC speak of cyber warfare that has nothing to do with industrial espionage and that is different from cybercrime and cyberterrorism but it's really when you use a cyber operation as a means and method of warfare in an armed conflict in the sense of internationally maintained law so basically when you use one and zero as BJ said when you use one and zero to kill people or to destroy or integrate objects in an armed conflict. Very briefly about the concept of cyber personalizing contains two parts one is the hard part the internet infrastructure and the other part is about the information personal information and so on and maybe intellectual property rights and so on. I'm afraid my esteemed co-panelists stole the ones and zeros which was I was going to name as well however my other esteemed co-panelists has the very valid points that the physical infrastructure that all these ones and zeros live in is in fact also part of cyberspace and I think cyber warfare as a phrase is somewhat confusing. Cyber warfare has been used for a very broad range of cyber activities which do not necessarily qualify as warfare or armed conflict if you will so to keep it pure I would suggest that cyber warfare is somewhat broader and vaguer than cyber armed conflict and I think that last one is what we're talking about today. I think my microphone is off a bit. Okay great so I think there's a few questions still at play here right so if we have an idea that there's hardware and software and data and infrastructure and information nodes and everything else and cables things right so I'm a little bit ambiguous about what we think cyber warfare is in terms of we have a very stark definition that it is these types of means used in the conduct of hostilities that Laurent has discussed and then we have the kind of it's really vague so I'm wondering if we have between these two posts I will ask maybe B.J. to pick on you and start over here and then I'm going to ask Herb to follow it up on the technical side a little bit so on the moral side where do you see a cyber warfare in the just word tradition and then Herb what do you see a cyber warfare in the technical tradition? Yeah well from a moral perspective I think cyber warfare is just yet one more advancement in the means that people can use when they want to engage one another to exert their will it's one more method it's one more weapon of war that's been developed by human beings throughout the history of time we keep coming up with better and maybe not better but more interesting and more sophisticated ways to harm and kill but also just influence or force a political will or some other agenda upon other human beings and so in that regard morally I don't think cyber warfare is in terms of what it is as a tool of warfare is not particularly more unique it's different and it has all kinds of new difficult ramifications in the way we understand that but in that sense I think it's just yet one more extension in the long history of ways human beings have figured out to use the tools available to them to wage war. So the definition of warfare has a long and storied history which to a large extent the United Nations and the ICRC have or keep as stewards in terms of what affects what I'm going to call destructive cyber operations has destructive cyber operations which do something bad to your computer can do two things they can affect people and they can affect machines that are attached to these computers the people part is when you can trick a computer into giving wrong information and so somebody takes action on the basis of wrong information and does something that he or she shouldn't be doing similarly with a machine you can compromise the computer that's controlling the machine which can be a missile or a car or a pacemaker or your smartphone or that camera over there or anything into doing bad things which they shouldn't be doing sometimes those bad things include things like blowing up and destroying things and killing people so there are certainly bad things that can happen there but if it were not for the fact that we couple computers to everything now which we don't have to do I mean there was a world in which all these things existed without the computer if it weren't for that coupling then there would be no effect really on people so it's the coupling of the physical artifacts to the computer that creates the destructive potential that's inherent and that gives rise to IHL kinds of concerns well great I think it's really helpful for us to understand kind of that this is not just an isolation it's an interactive effect with the technology in human society but I think all of this is also premised on a understanding or at least maybe an ambiguous understanding right now as to what constitutes an attack in cyber warfare so the Tulin manual that has been widely disseminated the world over has a very specific definition of attack which it seems to me and I can ask Laurent to explain the distance between the ICRC's position on the definition of attack and the Tulin manual's view of a definition of attack because if there's daylight between the two which may give rise to ambiguities is to still what causes a right to wage war in response so please thank you for the question I think that's a very important point and before going into the definition I want to clarify what I'm talking about by attack and cyber attack because as Ducco was referring before so for cyber warfare it has been used in very different ways to mean different things and we need to be precise on what we mean when we use those terms and cyber attack have been used for any kind of purpose so I think what you refer to here, Heather is the notion of attack as it is understood within the lower farm conflict so it has nothing to do with an armed attack under the UN Charter it has all to do with how you conduct hostilities the conduct of hostilities is based on the principle of distinction proportionality and precautions and those principle applies primarily to attack in the legal sense so you need to define what is an attack to know how to apply the principle of distinction, proportionality and precaution in the first place the debate has been about functionality of objects cyber operation which leads directly to killing somebody as you mentioned for example disrupting the person's space maker if it's linked to internet and you kill the person everybody agrees that's an attack in that sense same if it leads to injuries, same if it leads to physical damage I think there is agreement generally on that the debate has been if cyber operations lead only to a loss of functionality of an object and there have been very few in the group leading to the talent manual there have been lots of debates originally they were I mean the views did not merge at the end there was still a diverging position at the end but the majority of the expert eventually agreed that some form of loss of functionality amount to damage and therefore that the cyber operation which would lead to a loss of functionality is an attack and therefore that you have to apply the principle of distinction proportionality and precaution before launching such a cyber operation there is debate in the commentary of which kind of loss of functionality would amount to an attack I mean depending on what you have to do to restore functionality in all of you it's immaterial how the loss of functionality occur whether it's through destruction or through I mean if your object no longer functions that's what is important and that's what the law has been created for it's to make sure that human being can still use the object and if it's for a computer if you cannot use it any longer whether it's destroy or it's just dysfunctional change nothing for you so in all of you loss of functionality would amount as a damage and therefore a cyber operation which would be intended to only lead to a loss of functionality without physical damage have to respect the rules on the conduct of hostilities there's a still an ongoing debate I think within the cyber community about how difficult it is once we even so if we witness an attack loss of functionality property damage loss of life things of this nature bottle injury there's still another problem on the table before us right which is who launched the attack and so even if we can become clear on whether or not and understand whether an attack is the ICRC's definition and that's when we want to accept that includes loss of functionality along with property damage loss of life and bodily injury where we want to be more restrictive on the Tallinn manuals definition we still have to figure out attribution of who launched the attack and so I think this is a new difficulty right and I'd actually like to pose this question to Yuko which is you know how how do governments really handle this ability to and the difficulties in attributing responsibility for cyber attacks in particular attributing in a timely manner right so here's another one right it's another layer of complexity is that cyber forensics take time so how do governments attribute in a timely manner the origin of attack and how that might affect a government's decisions to either respond at all or maybe escalate or what type of response is appropriate given the time lag that it takes to figure out any sort of attribution question so can you explain for us kind of the political minefield that results with problems of attribution? Well the truly honest answer is we've fortunately never had to do that so we're not entirely sure what would happen in practice is at least taking my own country as an example we do have a fairly well organized sort of defensive system against cyber attacks in the broader sense not necessarily IHL attack where any major incidents targeting whether it be the government whether it be vital infrastructure whether it be Facebook would be reported to the sort of national hub of cyber security a search type organization which has links with the police with the military with the intelligence community with the private sector they would in the case of a serious cyber incident get straight to work doing all sorts of cyber defense stuff firewalls, patching disconnecting networks, whatever which doesn't really require a legal framework because it's your own network and you can do what you want at the same time and here's the problem because that does take time you would also try and figure out what just happened and what just hit you in the case of a major incident the sort of national crisis structure however exactly that was organized that will differ per country we'll presumably get together and say well you know they just shut off all the lights in our country now what and as information comes in then you can start to think this is a political issue as well on what your response should be and you have a very broad range of responses as a government it can be from sending the police to write a very angry letter to country X asking them to please make that stop to doing countermeasures in cyber or in fact if you fancy doing that sort of thing yep still or at the sort of extreme range of the spectrum send a cruise missile to take out the server that is attacking you many of but in order to make that choice you need to have a better idea of what just happened what just hit you where did that come from and even if you can make the assessment that this is in fact an armed attack I now have the right under the UN Charter to act in self-defense well that's good for you if you don't know who to punch back that doesn't help you very much so there is from a legal point of view a distinction between noting that I've just been hit by an armed attack yay I now have self-defense if I don't know who did it or where they came from then that doesn't help me at all but the answer would I think be that it will take a couple of hours to perhaps a couple of days for a government to truly respond in well apart from the defensive measures which will go into which will start almost immediately as soon as you people can log in that will go quickly that will go quickly but the response will be instant and as I said having a bad day with this but as I said that's where the difficulty lies and we'll hope we won't have to make it up as too much when this actually does happen so this kind of medicals and the four counterfactual reasoning that we're doing right now because we've never really seen a cyber attack and we've never really seen a state respond a large scale cyber attack that's the types of worries that get produced in the media and since we haven't seen one of these happen and we haven't then witnessed a government response to this leads me to technical questions what's possible what's possible technologically what's possible in terms of the forensics so we could actually start to understand attribution better I'd actually like to pose a question to Herb about what are our technological capacities for cyber forensics and how do you see the future kind of playing out in that direction well an attacker that wants to attack you and stay anonymous should do a number of things so he should use techniques that he's never done before he's never used before he should not talk about it to anybody that is he should practice perfect operational security he shouldn't leave any clues behind so leaving leftover files around and so on and he shouldn't make any demands and if all of those conditions are met it's going to be mighty hard to identify the perpetrator especially on a very short time scale but in fact attackers do make mistakes and they do leave behind clues and they do use techniques that have been used in the past so it will take some time you may not be able to identify him the first time but you may be able to identify him on the seventh time after you've built up evidence from all from the six preceding attempts to do bad things to you and if you're not faced with the need to evaluate or to respond immediately then you have a much better chance of responding in a pinpointed in a pinpointed way that is with much higher confidence so the question that I have is really a technical guy going to throw it back to the political people which is why do you need to respond promptly and that's an interesting question sometimes there are political imperatives who need to respond promptly but at least in the case of the United States with which whose case I'm most familiar with we've always said we reserve the right to respond at a time and a place in a manner of our own choosing and it doesn't put any time limits on how long it will take so there is no particular reason in my view that you have to necessarily respond instantly under all circumstances so the answer in terms of the desire to remain anonymous versus the desire on the other side to attribute that's going to run back and forth depending on the pendulum will swing back and forth depending on the circumstances at any given time and particulars of what they're trying to do if I may just make the point there is certainly cyber forensics play part but as you said the ideal hacker leaves no demands makes no idea then there's really not that much point unless you're very nihilist any attack coming your way does serve a purpose right and if he tells if he wants to make a demand of you and says if you don't do X then I'm going to continue attacking you well then you know where the demand is coming from that would be a pretty decent hinge right and so there are times when in order to achieve their political goals the attacker has to claim credit so yes it may be true that in some idealized vacuum state where there's no other context and so on it's very very hard but in the real world it probably is a lot easier than people give it credit for and I do have to make the point that the assessment of attribution is is an all-source assessment you don't just go sifting through the code and see if there's any signature there it really depends on the context on the political situation if there's an ongoing shooting war that might be a bit of a hint as well there's many many factors and in the end you can probably never be 100% sure but at some points given the big enough crisis then good enough is probably good enough I'd actually like to follow up on this this thread because Dr. Longy's work in international relations and international security right most international relations scholars look at war as kind of a bargaining model right and so you you give information you get information and war sometimes results because of either a problem of information but in this instance right what we're talking about is someone waging attacks without making demands potentially right then that would be you know making attribution more difficult so what do you see as a strategic why would somebody on a kind of a political international relations strategic vision why would someone engage in cyber attacks if it makes bargaining and everything else completely impossible it's just harm for harm's sake why why this kind of attacks happen rather than using the word of cyber attack personally I'd prefer to use cyber activities and before talking about the cyber attack I think we should clarify what kind of cyber activities are going on on the internet as a matter of fact there are different people have different clarifications or characterizations of the cyber activities some say there is cyber terrorism some will say there is cyber crime and some will say cyber warfare so from this different kind of categorization we can see we can just have kind of guess work about why the attack will have this kind of cyber activities I think personally there are some different motives behind this kind of cyber activities firstly during the early period of the appearance of the internet most cyber activities or attacks out of personal curiosity or personal interest for example a teacher can sign a homework to a student especially in the computer science department if you can take down if you can deface a website then your coursework will be passed and get a grade this is the early period most of the cyber activities or cyber attacks during the early period to show demonstrate cyber talents cyber skill and of course there are some other activities and competitions going on between different companies especially in the field of business different companies will compete for a bid to win in bid so there are a lot of cyber tests going on between these different corporations what is the purpose between this kind of behavior of course to get to out win the competitors and to guess what they are doing and of course there is another kind of motive that is cyber activity conducted by state actors of course with regard to this kind of behavior there will always be no single motives there must be a lot of various motives behind this kind of activities with various motives behind potentially state launched attacks which may be hard to disaggregate because we have problems of attribution we have problems of discerning motives which may then be a messy situation when it comes to diplomacy that is the outward looking way to think about cyber and I would actually like to think about it again on the inward looking way but too which is given that these types of questions are extremely difficult from a diplomatic and a legal and a moral standpoint what can states do in the interim given that these are kind of pervasive problems at the moment so what might states do to protect their civilian populations given that they may be attacked and they may not be able to respond right away or take an offensive measure defensive measure back so I would like to pose the question actually to each of the panelists to figure out what you think what states obligations may be to their civilian populations to control to protect them under some sort of hostilities cyber hostilities so maybe Laurent you could kick us off on that one okay so again I'm going to talk about only the situation where it's within an armed conflict and not what states can do to protect their citizens in general or their companies in general and in cyber hostile operations but really when it's the question of the law of armed conflict and the law of armed conflict within the principle of precaution is the obligation to take precaution against the effect of attacks that means separating military objective from civilians removing military objective from populated places and take any kind of precautionary measures to try to protect your population what does that mean in terms of cyber I think that's certainly a domain which have been under looked at until now one of the main problem in cyber is that you have one cyberspace which is entirely used for both military and civilian purposes so that would raise the question whether network segregation is feasible whether physical segregation between military networks and civilian networks is feasible if it's not done is it because of costs is it because it's physically impossible or whether it's for all the reason and have any thoughts been given to that whether virtual segregation would be enough and here I maybe turn to the technical expert which I'm not to know whether virtual separation is already done what does that mean to what extent does that help to protect civilian networks and then they've been recently and I think that's important a big trend on protecting critical infrastructure I don't think that states see that under the lens of the law of armed conflict and protecting against the effect of attack but that's actually something which is very important that states have to take measures and take measures in advance to ensure that the water delivery to the population can remains despite the fact that there would be a cyber attack in terms of cyber that means what states are trying to do now to protect their critical infrastructure so certainly there are things that states can reflect on and hopefully not only reflect but move on in terms of protecting the I mean first the most critical infrastructure water, electricity etc that is necessary for the people when they I mean against the effects of attack in warfare if you could follow up with that because I think there is this kind of question of technical capacity can you actually separate these things out so that the networks are less prone to dual use attacks sure in the limiting case you can have completely separate networks where you put all of your critical infrastructure on for example and take them off of the what you would call the public internet every proposal that has ever been the thought of that I know of to implement such a separate network fails because not for technical reasons but for one for economic reasons very costly to do that the reason that power companies and water companies and so on want to run on the internet is that it's cheap and the the costs of sending communications along the internet are very much lower than they are to send them along to create a private network so there's no incentive to move to the private network in the absence of somebody saying this is something that you must do furthermore to the extent that you want to integrate the services that you provide in critical infrastructure to the public you're naturally going to turn to the public internet and so if you think about a smart grid that will help end users monitor their energy usage and turn on their electricity at night when the rates are lower to charge up their cars or to do their laundry or whatever you need to connect to the public internet and so now you have a connection between your secure internet and your public internet and that's we can argue about whether you can make that secure but arguably connecting them makes it much it makes your secure internet much less secure so it really is a question of costs and convenience and you have to be willing to give up those costs and convenience if you want to maintain the kind of separation that you think that you think is desirable today we have military communications running on the internet a large fraction of military communications run on the internet could you do it separately sure but the militaries would pay a lot more money on the communication side and it's not clear that certainly in the united states we would not be willing to do that at this point Duko how would you follow up from the state perspective on this right the herbs charge that states just aren't willing to pay the costs to kind of protect their civilians from being a or their civilian infrastructure from being a legitimate military target well there's there's a number of facets to that for one you know sure money is tight and if you would put all your military communications via whole separate networks then that would be prohibitive prohibitively expensive that's one I mean there are separate military networks especially for the costs a lot more especially for the highly classified ones but just the regular emails I sent I send over the regular internet so there is certainly a matter of cost and on the other hand your vital infrastructure is usually not which is a good way of hitting at a state in fact hitting at a military if you run out of water run out of electricity run out of fuel whatever then we have pretty much the same problem as if we run out of ammunition so if you would take this to the extreme then you would also need to have another separate network for the vital infrastructure that could possibly be supportive to your military activities then another one which is just for the civilians we have to have two different water companies there comes a level where it's just not going to be practical now if you talk about what are the obligations as a state Lauren spoke of just in the case of IHL fortunately this is one of those areas where day to day life and misery joins in quite well with IHL because what governments should do and in fact usually do is we do try and work on cyber security you try and have promotional campaigns to get people to buy antivirus you do have a whole network of search be they military be their civilian both from the public and the private sector to try and keep everything running and that defends I mean it's mostly designed to defend against crime and just generic IT mishaps which also just occur that also has an effect to protect the population against attacks in an IHL setting incidentally also to protect ourselves of course as a military which is a wonderful side effects but just the general resilience of your infrastructure both civilian and government is something that governments are working on but there is always a limit to the means that you can put in there and of course there is a couple of the obvious things don't put a military data center in a historical building with a blue shield that's fairly clear a couple of other obvious things like that but a true separation I don't think is feasible anymore EJ how would you respond to this from the kind of the just war side of things with the possibility of really separating things out a couple points on that first I think you're suffering a cyber attack on your microphone I think that state responsibility to protect its citizens from harm is really interesting when we get to the cyber realm because it's funny how we view it differently you just mentioned that there might be a campaign to encourage people to buy their own antivirus it's interesting in the United States they spend a great deal of money and time and effort on cybersecurity measures to protect their own cyber assets but interestingly they don't spend much effort trying to protect your average citizens and in conventional warfare we would not have this intuition at all whether it's warfare or cyber crime imagine if somebody was somehow trying to break into a Walmart and just steal some money we would presumably say that the local police should have some involvement in helping that stop from that happen well that's Walmart's problem similarly if there was a cruise missile coming out of the sky from some other country and landed into a Walmart we would assume that the state has some responsibility to protect that Walmart but notice with cyber how different it is if there's a cyber criminal stealing money somehow through some tricky little hack move into Walmart servers and take some money from this corporation it's unclear that the state says our responsibility is to protect you from that crime although I think they should there's a big distinction between the moral and the legal here and I think there's a moral responsibility on states to take this seriously the same way they try to protect their citizens from any harm the cruise missile story sounds of course silly if you imagine a cruise missile coming in and hitting a local business of course the state's military is going to call to arms but if a cyber attack of some type coming from some other state goes after some corporation if a DDoS attack goes after Amazon then an equivalent amount of money that may be a missile blowing up one of their warehouses would have we don't seem to think that the military should rush to arms to block that DDoS attack it doesn't seem like it's the same relationship at least in the main social consciousness we tend to say boy Amazon they better get their cyber security measures up but we wouldn't say that with other things so I guess my point is that I think we should I think morally a state has an obligation to protect its citizens its businesses from cyber harm obviously I'm talking lower than armed conflict but also obviously in armed conflict just as they would with conventional but yet we don't see that I actually wanted to give the floor really quickly to Zhu because as a researcher in China we do face the fact that China I think takes that obligation quite seriously and so has it has the great firewall as a way of disconnecting because of the potential threat so maybe you could speak to something like that with regard to the state responsibility to protect the citizens in cyber space I think different people from different countries with different cultures and the religion background maybe we have different understandings here I'd like to perform my own ideas from an academic point of view firstly I think the government can do several things different dimensions or aspects firstly the government should enact or make laws make policies and strategies concerning cyber issues concerning cyber security this is the highest level that is on the strategic level the government has to show responsibility to make policies overall strategies over cyber security and second point is technological technologically the government should create kind of environment for the companies to invest in computer science technologies in ICTs to make the cyber space safe except the policy I think personally the most important part will be technological part without computer scientists there will be no security to mention at all so this is the second part second aspect of government's responsibility to protect the citizens and third of course which is also very important that is the legal aspect as now we know there is a lot of different variety kinds of cyber online activities but a large proportion or majority of the online activities are cyber crime and the subcrime is becoming increasingly severe especially in recent years and cause a large amount of losses every year to people to corporations and to a country so the government should enact laws for example now a lot of countries have such kind of laws as electronic signature laws of electronic evidence and so on these kind of laws will play a very important role in combating cyber crime and protects the interests of their citizens and the last but not least importance is that especially in the developing countries nowadays more and more people have access to the internet especially in the developing countries but a large proportion of them are just first time users and the green hands they have no awareness of what kind of threats are behind the serving online activities so they just have no awareness so in this aspect the government should have played a role to advocate to raise the awareness of their citizens this is very important for example if a citizen himself or herself does not upgrade the antivirus database make patches to his or if an individual does not make patches to his commuter it's really very easy to do this but if he has this kind of awareness and if the government can play a role in raising this kind of awareness this will be greatly the level of security will be greatly improved and their interests will be better protected that's my idea I have to agree to some extent certainly the state has a responsibility to protect its citizens be it from crime be it from attack however if I take your parallel I would say that encouraging people to get their own software patch is more equivalent to expecting them to have a lock on the door given the fact that there is crime you can expect Walmart to at least put a policeman in front of every building that simply cannot be done it's layered you can expect a level of self-sufficiency from your citizens from your private sector and once that escalates there are private search, government search and in the ultimate scenario I'm sorry the search is a computer emergency response team I have no idea what they do because I'm a lawyer by training and I have little practical skill but they tell me they're sort of the imperial storm troopers amongst IT guys they are sort of the they come in when there is a massive IT problem which can be man-made or just a technical slip up it's sort of the ambulance, the fire service if you will for cyber situations that's as much as I understand I'm sure you disagree with me but there is a layer and even the example we've had discussions with our civilian authorities you have to defend us against the cyber attack to a certain extent if you draw the parallel to the civilian world sure if there is an incoming cruise missile or an incoming bomber then it's the job of the military to shoot that thing down however if that accidentally fails it's still up to both private persons and civilian authorities to put out the fires to do the ambulance it's not suddenly because you are in an armed conflict situation that everything has to be done by the military I agree just a real quick point I didn't mean to say that encouraging citizens to take their own individual precaution was somehow wrong of the state and of course you could just say that the way the state encourages them to do that is a form of the state protecting its citizens through proactive help my point is simply that I think this balance between how much is the homeowner responsible for putting out fires versus how much do we want to rely on the fire department it might be mismatched in cyber compared to other ways it needs to take on more of its moral duty in this regard just to give another analogy the other direction again in the US and perhaps it's different in other states I'm sure it is but in the United States the Department of Defense spends a great deal of resources protecting their own cyber assets incredibly well but they don't really use those resources to protect civilian and business cyber assets from external attack they kind of just tell the businesses hey you have to take care of that yourself a really picture of that would be like imagine a giant aircraft carrier of a Navy fleet the only reason it exists is to protect itself from attack that would be very strange you should use your abilities to protect and block cyber attacks for everyone in the state not just for your own resources I agree with the point but perhaps the duty is higher than states realize I guess but that's by policy the United States Department of Defense sorry the American people have said we don't want the United States Department of Defense the military defending our intruding into our networks and quote protecting us and so on there's great resistance to that idea so it's not that the military per se is reluctant to do this it does what it's been told to do by law I'm gonna call moderator privilege and not make it about a U.S. foreign policy or domestic policy debate just because we're not can I make a point that the dilemma that BJ addresses is most stark when you consider the fact that the U.S. Department of Defense has said it's willing to conduct offensive operations in cyberspace for defensive purposes for protecting U.S. military assets in cyberspace military assets only which is an interesting question is there another entity that's willing to conduct similar offensive operations to protect the private sector and that question is completely unresolved my microphone too there's actually a question from the audience and I would encourage if you do have questions I think we've got some good ideas on the table that if you start thinking about this and we can start opening up more questions to the audience David please hold it up to your mouth is that citizens have rights to be protected not only from attack by enemy governments but also from attack and harm by their own state so that's implicit and responsibility to protect and many other instruments of international law in theory and as you've brought out in the discussion a a cyber attack against civilian networks could certainly be considered to be a regulated kind of attack under IHL and one of the panelists mentioned for example a state leader like President Erdogan or President Putin threatening for example to shut down Facebook or Twitter or if you think about the attempt by and the question is do we view these as forms of cyber attack by states or by our own population that is regulated under relevant international law and could we ever envisage a situation in which these kinds of attacks could potentially be the kinds of activities that could trigger an international responsibility to protect given the definition used under IHL that Loront gave before about the fact of loss of functionality I'm going to interrupt the five seconds to remind everyone both in the audience as possible in the microphones and straight in the microphones too whoever wants to take this because I think it's a fascinating question I don't have an answer to it but just on the R2P point I mean it's a very interesting point right if you take the state responsibility that I was just speaking of to protect some citizens and then if you buy into the responsibility to protect doctrine as I find quite plausible then you could imagine could we have cases where one state would be justified in intervening in another states affairs on how they govern their own cyber policy because it's viewed that their cyber policy is a type of attack or harm at least on its own citizens. Now I don't think the kind of things you describe would qualify as an attack certainly I could be wrong I don't think they would be an attack because it wouldn't be the destruction of property and there wouldn't be these kinds of things it would be limiting access but depending on how you understand an individual's right to expression and to freedom of speech and to these kinds of things depending on how you take seriously you know some recent movement to say that the access to the internet itself is a human right then certainly it seems that in theory the ground is there that you could invoke an R2P clause to intervene in another state to prevent its own cyber policy against its own people that seems a little wild but it doesn't seem impossible I guess would be what I'd say but I think the reason is I think the threshold of harm would probably be too low but in principle I think it's there Does anybody else want to take this? Laura? Oh sorry You mentioned that in China now we cannot access to the Facebook or Twitter but do you know in China we have a similar application called WeChat it carries similar or same functions as Twitter or Facebook and as far as I know more and more people foreigners are using WeChat so how can you say that we are limiting the access to the internet Right and that's a great response I mean you could say you're going to have to define here is it do you need this specific oh you need to give people the right to Facebook particularly or is it that she's making the point that you need to give people certain access that maybe that's a right they can demand but if that's the case maybe it doesn't have to take one form versus another and I think that's a very plausible response to say that we are meeting a demand if you think that is a demand there's ways that they could say they're meeting a state could so that'd be a very difficult argument to make against any state for that reason I'd like to there's another question in the audience but as someone who actually studies R2P and if we're going to be legal sticklers there's only four crimes that trigger R2P instances right so outside war crimes things of this nature so loss of functionality and they have to be large scale and massive that doesn't go under R2P but it's a good exercise to think about when we start taking the definition of attack as a loss of functionality sir please I'm sorry I came late so I didn't hear how this whole debate started but I think the emphasis exclusively on the defense really misses to some extent the point because obviously when we talk about conflict and armed conflict we are also concentrating on the act of violence of war and so the first question is before we talk about who should defend whom who is attacking whom and what is considered to be an act of war an act of violence which then obviously can have a justified response so in this context I find it quite I mean neutrality has its limits but I mean you have read probably as I've had and all of us the issue of the Chinese US accusations of Chinese direct attacks on foreign cyber facilities that's called that way and the argument the way it comes out from the New York Times is that we have not done it but if you know you are worse it's the same kind of arguments that the Soviet used to use well you know the Americans should not talk about human rights in the Soviet Union because there is not no full integration in the United States so there is no clear statement what really is the Chinese position what constitutes a private crime or a minor crime or what is considered to be the area that we can do now the second point here that is very important is that cyber also means not just disturbing but also supporting that means if you are supporting, allowing through your cyber facilities hostile behavior by another state say Syria airspace North Korean missile tests North Korean nuclear tests which obviously have a very important cyber dimension and these are are these considered to be normal things or are these considered things that can be seen as a hostile attack either by the Japanese or by the international community as a whole thank you I can take try that last one a little bit the an interesting case is that if country A wants to attack country B but he has to root the attack through country C what is the status of country C so let's make country C Switzerland a neutral country if I were flying if I wanted to attack C with airplanes and wanted to fly over Swiss airspace they would have to get permission and the Swiss would say no okay that's part of the tradition of neutrality but if they want to use the communications facilities in Switzerland to route an attack it turns out there is an international law about this which says that if you let the if you can use the communications facilities of a third party of a neutral nation freely to both sides then it doesn't count as it doesn't count as a violation of neutrality so then you have to ask the question which is the better analogy flying over the airspace or communications I don't know how to answer that that's for a philosopher and a lawyer to decide but that's the technical reality that you have to make that sort of decision about how you want to treat that sort of thing I also say that it's very difficult for A to say I want my attack to go through to specify a particular route I don't really have control over that it may go to here I just don't know where it goes and it may traverse Switzerland completely inadvertently and then that's a total mess Laura did you maybe want to weigh in on the legal side On the question of neutrality I fully agree with you that neutrality and cyberspace in terms of cyber warfare and neutrality creates lots of problems because of the reason that Herb so well explained and I think I share your question and the debate I mean the way you frame the debate with regard to neutrality law I wanted to maybe come back on the last question and the emphasis on I mean to keep emphasis on attack and again speaking from the perspective of an armed conflict and I would do not to simplify a matter but I mean this to be clear on what I'm talking about let's take a situation where you have an ongoing armed conflict with kinetic operations, bomb flying around and when you want to use a cyber operation to make disruptive activities you have some additional different concerns than there is with bombs and that's related to the interconnectedness of cyberspace and that's one of the elements why we are concerned with the potential human cost of cyber warfare the military potential of cyber is not very clear and I would say or the better that means it has not been used or widely used for the time being but still it appears that attack against dam or nuclear facility are technically possible and that would obviously create an enormous amount of casualties but even if you want to try to do something more legally directed at a military objective like disrupt the air control facility of your opponent to disrupt its air forces during the conflict then how do you know that your attack against will not spread to other parts of the network to civilian parts of the network and disrupt civilian flights and lead to civilian flights falling down because everything is interconnected in cyber so that's why we are concerned and I think the concern on the side of the attack is and the type of precaution you need to take before deciding to carrying out a cyber attack are extremely important I'd actually like to oh Dukor did you have something so I'd actually like to talk about this too because there seems to be bright line cases of when we have an attack either we're in a state of hostilities and we understand that the law that IHL is governing we're in this state but there's also some ambiguity as to when that state might begin given that we have a cyber attack that maybe is a loss of functionality or something that doesn't maybe doesn't even rise to the threshold of an armed conflict so there's some serious ambiguity in gray area here so I'd actually like to pose to each of the question each of the panelists what they think is a threshold for the application of IHL or what is subbelow that do we need physicality perhaps do we need consequential damage, what's involved in this maybe we should unpack it so maybe starting with BJ if you could take that it's a great question there's a lot of if it's a case like the one I was talking about if it's a clear armed conflict already going on where you have a military operation and cyber weaponry cyber attacks are being used in conjunction with that that's clearly an armed conflict so we don't have any kind of confusion but if there's a case where it's perhaps a very damaging cyber weapon launch but let's say it's just launched against other cyber assets so it's cyber to cyber if you will and there's no boom there's no physicality people wonder is that going to invoke article 51 because there's no physicality to it so this is an interesting metaphysical question really what is cyber right and we haven't really talked about the metaphysics in here and don't worry we won't for long but I think it's an interesting question and philosophers disagree on this there's actually a philosopher who's written on this Ryan Jenkins actually he's in the room Professor Jenkins I think is over there he's made a really good argument on this and I agree with him and I think he claims that look it is physical it is physical because it's causal first of all it's a thing that has causality against other physical objects in some way and it also exists in space and time and so it depends how you define metaphysically what physicality means what is physical and any sort of good answer to that in proper metaphysics is going to conclude that cyber weapons cyber attacks are physical now that does not mean so I think they are physical right so I think that that's not going to be a problem people disagree on that but that does not mean of course that a cyber attack necessarily will trigger the legal question of armed conflict because presumably if we're talking about a cyber to cyber thing we might not have any kind of secondary order effects of death or things like that we might not have the kind of harm necessary for the legal trigger to flip to armed conflict but I think the physicality question although interesting for this domain I think the answer is yes it is physical but I'll leave the legal threshold question to Laurent and others let me give an example which to me is totally confusing in this space imagine a cyber attack conducted against electronic voting machines now I'm not sure in Switzerland do you have electronic voting machines or do you vote on paper I don't know but in the United States and in many other countries in the world they're using electronic voting machines by tampering with those electronic voting machines in cyberspace one in principle could change the outcome of an election no bombs no bullets nothing nothing destroyed but this is clearly this is clearly not a friendly act and so does that count in any sense of the term as a use of force or as an armed attack or as anything that causes Bella and I don't know how to answer that one certainly don't know how to answer that one either because but because the ICRC is focusing on in bellow and not at bellow issues and issues relating to whether it's an armed attack under article 51 of the charter or use of force or threat of the user or use of force under article 2 of the UN Charter are issues of at bellow what we look at it whether an act alone because as BJ mentioned before of course if you have an ongoing armed conflict IHL applies but if it's only a cyber operation whether this cyber operation might by itself make that the Geneva Convention or the Hague Convention that you mention on neutrality applies I mean on the rules and the legal consequence for example would be that if the operation is directed against civilian object and or against a civilian person and leads to civilian death and that's what you target in addition to question of at bellow that maybe it's an armed attack maybe there are other problem in addition that could be a war crime if it doesn't meet the threshold of IHL then all those issues are moot so we saw the two things being closely related of course an armed attack will normally I mean what is considered an armed attack normally triggers the applicability of IHL now we also see the question being separate in the sense that possibly IHL might be triggered by operation we do not amount to an armed attack in the sense of 51 of the Charter now it depends also how states understand an armed attack on the 51 because here you have a wide range of views as well but so we see it rather in the terms of the scope of application of the low of armed conflict and on that I think there are clear cases if it's a I mean there are certainly some operation that I would expect and here I'm talking my personal name because you said before I talked in the IHLC name not always certainly that I could imagine that you have operation which by the magnitude of the effect even if it's a cyber operation only states would consider that this amount to an armed conflict by itself and trigger the application of IHL and there are other and the debate is different than the debate I was mentioning before on the notion of attack under IHL within IHL and now where is that threshold and does every operation which lead to the loss of functionality of an object to I mean trigger the application of IHL without any other bombs I would imagine that this is not what states would consider today but that certainly a matter which states will have to somehow figure out and that we will figure out through state practice eventually I have to respond very briefly to the senior gentlemen's of China I have to say that it is very repeated that you are a victim of the news report you are misled and misguided and you follow blindly about the report rather than have a kind of independent thinking of this kind of accusations against China about cyber attacks against other countries it is repeated that we the Chinese government's position on this is very clear this kind of accusations will not work and it is groundless especially giving the fact very simple fact that attribution that is suspect who is the attacker is extremely difficult but from the experts point of view I would like to provide you some details take the manual report as an example I suppose that everybody here knows the manual report released by last year I am sure that few people read into the report from beginning to the end though a lot of people are talking about and aside the report I read into I read through some of the points first when I try to trace back the materials the Chinese language materials used by the manual report frankly speaking I cannot find where does the materials come from it simply cannot find it so this report is less convincing you know that as a Chinese language I trace back the material used especially the phone notes you can trace back the phone notes and find where does the material come from I actually cut off the US foreign policy and domestic policy debate so I'm going to cut off the Chinese one too because this is an international discussion and I don't want it to be about state particular state policy one sentence very simple another issue is the report says the attack pattern is 9.5 attack begin in morning at 9 o'clock and finish at 5 o'clock in the morning do you think the Chinese if it is done by the Chinese attacker do you think that the Chinese people are so stupid to begin attack at 9 o'clock and finish at 5 o'clock every day that's all that's my idea when it comes to the threshold of application of IHL there's really two facets there's the use at Belom part and use in Below part we the Netherlands are of the opinion but we I think we're a bit more enthusiastic than other countries about that it is possible for cyber to be an armed attack not just if it has secondary effects that would equate to a kinetic attack clearly the example that Lauren has given of a power plant or a dam which we're pretty susceptible to being below sea level if that were to break then clearly that I think there's very little argument in an attack we've taken that one step further where a cyber attack which leads to loss of functionality not so much of Facebook or whatever but if that truly threatens the existence of a state if you're no longer able to provide your government function at all for more than half a day just because you have problems with Microsoft but for any duration of time then we may consider that to be an armed attack which gives us the right to act in self-defense of course we won't have any communication so that will be hard in practice but that's a theory anyway when it comes to not so much one giant attack triggering an armed conflict to foresee anything that we would qualify as an armed attack as in U.N. Charter article 51 to not be sufficient to trigger an armed conflict and thus invoke IHL that's almost inconceivable I think as for the other way around to have a number of cyber incidents which all don't quite qualify as an attack you're not quite sure but if you have dozens or thousands or millions of them does that finally reach above that threshold of violence that's a very good question and one final point to just draw away from IHL again for which I apologize there are many conceivable situations where as a state you will be under a cyber activity unfriendly cyber activity to avoid the word attack where the normal legal framework human rights criminal law international cooperation in criminal matters which doesn't always function as well as it should there are situations conceivable where as a state you are sufficiently harmed in your interests that you may indeed take actions of them counter measures call them actions under the plea of necessity call them go back to the Caroline criteria Caroline case criteria which are 150 years old and still work quite well you may at some point decide and have a pretty good legal argument to actually act in response to cyber activities directed against you possibly through the use of force be it via cyber be it kinetic yet remain below that threshold of an armed conflict and IHL and I suspect that that is in fact it's below that threshold but where sort of cyber skirmishing if you will where most of the activity is going to be happening in the future a strictly cyber armed conflict is certainly feasible but I don't think that's what we'll be seeing most of on that note I actually am thinking about these issues so I'm going to put that to the panelists too kind of this notion of the way forward this is the way forward counter measures, cyber skirmishes kind of knowing what IHL says and knowing what maybe article 51 at least broadly ambiguously says you know gravity, scope, duration these types of things states know this and so what are they doing, well they're being smart about it and they're trying to keep it below those levels so if it's a strategic choice to keep below those levels what do you guys see as the way forward maybe some optimism that might be nice but where do you guys see this going I won't be optimistic I'll say that there's a real puzzle here it's a real moral puzzle several of the philosophers that have been part of the workshop we've had this conversation a few times which is that if you keep the harms low enough there's an interesting moral question here if could they aggregate together enough such that they justify a response setting aside the legal question I really don't know but morally I also don't know because there's certain types of harms that you might think there's even a state a state B that's being attacked by state A and state A is doing all these low level cyberattacks but really if you take an effects based approach to how we should weigh out cyberattacks if you say look just look at the effects of the cyberattack and however you can quantify that maybe in monetary cost or some kind of damage compare that to the effects of a conventional attack if you take that approach then you can somehow kind of get a cost an estimate to them but imagine the state that's under these attack that could respond cyberally that they could respond kinetically and perhaps even lethally it's a very difficult moral puzzle to suggest that these low level harms which are clearly harms and clearly wrong perhaps let's just say let's say unjust and immoral to do whether or not they can be aggregated up enough to give a different kind of harm if you think there's kinds of harms response like death or killing or kinetic response now on one view you could say of course they can if you add up enough of these small harms then you can respond with a perhaps proper justifiable response because you think harm is all on a continuum on another view you might think these are distinctly different kinds of harms that especially once we start using bombs and bullets and actually killing human beings that that's a different kind of force such that these smaller harms could never add up to it I'm genuinely torn on which way I go on it there's philosophers in this room that have established both of those camps but notice however you answer that I think should dramatically dictate the law on cyber harm going forward because I think the most likely future scenario is this low level very small state-to-state often but also non-state cyber harms that's below this threshold but yet is significant and matters and it can be very large if you aggregate it together and so that I think is the fundamental moral question to answer and that's a puzzle for moral philosophy far beyond cyber war just really presses it as a pragmatic question we have to answer and it's a perfectly good description as the future that I see as well so I wish I could give you optimism about that I note that Iran who is known to be the victim of something called Stuxnet whether or not it was perpetrated by the United States or some other country has not said very much about it has not complained very much hasn't tried to complain about it very much and to the extent that international law is set by the behavior of states and if they're silent about it they don't complain about it if this tradition takes on a practice of people not complaining about it it establishes a precedent that this is not something to complain about and so it is by definition below threshold and if it's below threshold you can see a lot more of the stuff happening and the effects were still significant if a bomb had done them if a missile had done them it would not be considered insignificant but it was a very significant effect that's right I mean we don't know what the future will be it's true that the likelihood of cyber only grand scale warfare is probably unlikely because if states are having cyber attacks of a huge magnitude and respond to it they probably will make at some point the political decision to also resort to kinetics probably especially the ones who have possibly less cyber capacity but that's all I mean it's unknown and the future will say and what will suddenly also occur in the future and already occurred and will continue to occur in ongoing armed conflict cyber operation will be more and more used and unfortunately conflicts have been here and will unfortunately probably remain here so we will certainly see more and more cyber operation within ongoing armed conflict and that's why we have also so much concern about it and not only on the below the threshold issue which is certainly extremely important as well I don't want to dispute that but I think the within IHL is also very important because it will be used within otherwise kinetic armed conflict and I'm not saying it's a good thing I'm just saying that's a fact I wouldn't imagine that someone with me who works for the ICRC would want to see more violence done during war but that's a safe assumption I hope Dr. Lungi personally I also share the optimism expressed by our colleagues in recent years we know there was a lot of discussion internationally about how to protect the how to tackle cyber stress and protect the interests of the netizens and some discussions are very constructive valuable and meaningful because in the future we should have continued this process of discussion my idea is that we really want to tackle the cyber threats and to build a peaceful, secure and open cooperative even a resilient cyber space I think personally we can take several measures on several levels first on the global level you see last year the third UNGGE have reached a consensus report I think that is a kind of milestone style report consensus, a lot of consensus was reached and I think in the future more work should be done on the basis of last year's report. Secondly, on the rhythm level now we see the regional organizations are very active in cyber issues for example the OSCE and OS organization of American states and of the original forum and other countries and this regional organizations focus on specific and concrete measures for example CCBM cyber companies building measures I think all these are very good steps and this process will continue and of course biologically I think states can do a lot in recent years we see a burden of biologically cyber security consultation dialogues I think this kind of momentum and should also be continued and on the state level I think the state should also take responsibility to maintain the cyber order maintain cyber security and tackle cyber stress. Thank you, Dukou. Well I'm sort of torn between optimism and pessimism I think as Brandt already argued people do terrible things to each other we've been doing them since we climbed out of the trees and learned how to walk we've just gotten an awful lot better at them so be it crime, be it warfare be it just annoying people which is still within the law just unpleasant we've gotten an awful lot better at them and cyber offers many exciting new opportunities of being unpleasant towards each other that said we've mankind has over the millennia learned to deal with most of that and I'm sure we'll be able to deal with it as well with this new particular set of being unpleasant towards each other and we do have the framework there are legal regimes governing pretty much everything from crime to warfare to commerce I mean just put cyber in front of it and it sounds new and exciting but it really isn't there is the frameworks are there and there is certainly going to be a slight practical challenge in applying these frameworks exactly to a new situation but as I said if we get back to IHL as I said to Laurent earlier today you know when we started out with the Geneva Convention the first one and the first Hague Convention of 1907 sorry and I think the Sennheiser cooperation really dislikes me when we started out with the corpus of what has evolved but is still largely there of IHL the airplane had not been invented or it was around but it was really not used this added a whole new dimension to warfare and nevertheless here we are 100 years later even more and we've found that IHL pretty much does the job for that as well we didn't have to make a whole special Geneva Convention for anything that flies it was incorporated and it was slightly you had to do a little bit of interpretation but it sort of worked so I do have confidence that given enough state practice which is of course a bad thing because that means that we have a cyber war but that in time will manage to adapt at least via some minor interpretations and make that work for cyber as well however do not have the illusion that peace will break out and mankind will be friendly toward each other because that's not really the way we're hardwired well I actually think there's an empirical argument here that I'm going to push back on both of you I'm in charge there is some data being collected right now by social scientists looking at the behavior of states in cyberspace and one data set in particular finds that for the most part states are showing cyber restraint that they are not engaging in they are engaging in attacks but they're these lower level attacks and they're not responding in kind and they're not escalating and so if that's the case we have kind of optimism and pessimism in one thing they're actually engaging in it so they are starting to engage in this creation of norms this creation of peaceful restraint they're not going out with their shiny new toy and blowing up our computers so hopefully that might kind of go for both ways right the airplane was horrible for armed conflict but maybe cyber doesn't have to be I'd like to open up the floor to more questions unless the panelists want to keep the point of that so maybe the internet the question was the airplane caused a whole lot of really bad stuff and war and it intentionally killed a bunch of non-combatants on large scales in horrible wars so that's not a very good measure of success because you were pointing out that the airplane came along that was after the Geneva Conventions and we figured it out we got away from IHL to work and I think that's right so I actually am going to kind of agree with both points it was of course terrible for humanity in these wrongful ways in war but of course he's correct that we figured out how IHL can talk about that and can think about that and can say why it was wrong because it was targeting non-combatants and what have you now seen since the early uses of air power and war we have seen I think tremendous moral improvement air weaponry now of course across militaries is becoming ever more precise it's intended to cause ever lesser collateral damage still too much of course think of the carpet bombing of earlier eras compared to the precision JDAMs of today so it doesn't mean that that's of course perfect but it means we have a moral trajectory and I think we have IHL its attempt to put legal language on to air power and war is responsible for a lot of that trajectory and so that's a good thing so it might not be a success story but it might be a sign that IHL is malleable in these ways that could be helpful and I think that was your point the optimist says this is the best it took us too long that's right Shannon I hope this works just given that basic notion that states are kind of self synchronizing some similar word that is the job of those of us who do normative work I'm including lawyers ethicists and soft-hearted strategists like myself is our job really to try to map this emerging kind of convention if you like or is the job to really try to steer and guide it do you think should we be a thermometer or a thermostat I think we should do our best to be a thermostat to try to change and to of course influence because we are thinking hard about these questions and as is often pointed out and it really was again the same thing with the air power the technology moves faster than the policy and the technology moves faster than the ethicists and the lawyers and it certainly moves faster than any ability to kind of enforce international military law on to these things and to the extent that we can we should try to be thermostats that said I don't know how successful we'll be at that and I don't I given that we've had some policy debates I'd actually like to put the kibosh on that one more time no domestic state foreign policy or policy positions so for the questions but yeah I'd like to raise two I hope we can start with the kibosh one is about collective security I think it's clear that preventing or stopping cyberattacks depends very much on collective action and I think if there is real desire to prevent threats to I think collective collective action can be quite effective now I think there is a need really to spell out what are real threats and I think here the ICRC can be do a good work now I think the second point is that we all know that using dependence on IT on internet everything increases not only our well-being but also our vulnerability the fragility of the whole civilization and I think there ICRC with its partners could do I think not just philosophical but specific thinking what that vulnerability could be in the future I would like to say like this antipersonal landmines that is to say here we have a problem but saying this is if this continues in the future this is what happens and I think this vulnerability and fragility is what should be the concern and not so much would anyone like to respond to that thank you for the question and thank you also for the previous question which were very interesting suddenly when a new technology emerge and then there is a it's potentially used in armed conflict is the time to reflect on whether the specific characteristic of the technology and the risk that they pose in terms of potential human cost are adequately addressed by the law leads to a new interpretation or to possibly new development of the law most of the development of the law occurred after practice have shown that there are huge human cost to the use of a particular weapon but there is at least one example where the law moved quicker than the technology which is banning anti sorry blinding laser weapons quicker than the technology and they were banned before being ever used on a field so that's the optimist note now to come back on the airplanes and the fact that they did I mean human mankind did horrible stuff with airplane and whether that means IHL failed the test I think we should be clear on how we see the test whether that means the rules is inadequate or whether that means the rules was not followed and was widely violated and whether it's a question of I mean enforcement or how it is complied with thank you and or understanding that regard and I think that's what was also expressed here earlier on the panel is that the law as such prohibits wiping out cities by airplanes or by any other means that's a direct attack on civilians and that's a war crime if you just wipe out the city without further thinking and now whether that was what was done in the past or not I'm not here to pass judgments but you use the word wiping out city wiping out the city is not directing an attack on a specific military objective so the law prohibits it sir, turn the green and then a follow up over here how do you see this in terms of non-state activity because most of the conflicts today are non-international armed conflicts and it might be likely that if a state even would carry out an attack on another state they would do that through a proxy which would be and it is today most of the armed conflicts in the world are non-international and they are carried out although involved but they are involved through their proxies and how would you see that and in terms of because then they wouldn't need to be carried out I mean in terms of command structure as well they wouldn't need to be carried out from the ops room of some general but they could be from a very small cell just in terms of how this would apply to non-state actors whoever wants to take it you're the expert yeah today armed conflicts are mainly non-international armed conflicts the IHL as you certainly know applies also in non-international armed conflict and basically the rules on the conduct of facilities even if there is no treaty but largely customary at least with regard to as I said conduct of facilities for non-international armed conflict so the non-state armed group and if you really talk in IHL sense an organized armed group which is a party to the conflict is subject to the same obligation then the state party when it resorts to cyber operations so the same principle of distinction proportionality and precautions whether that makes it for that party easier to resort to that means because it's more easily available I don't know rifle eye also extremely easily available all over the world and that's how most of non-international conflict are waged today at least on the non-state actor side so legally speaking I don't know whether there are more issues with non-state actors using cyber operation than with a state party to the conflict using cyber operation so I don't know whether there are more issues with non-state actors using cyber operation so I don't know whether there are more issues again maybe practically for a state it will be seen as being more convenient to work through proxies now if I mean if the question relies on effective control and that's true for cyber operation then that way the question of whether the proxy is itself an organised group in the legal sense and is a party to the conflict as such or not or whether some of their member are directly participating in hostilities through the cyber operation if you meet all the criteria for direct participation in hostility so that open a range of other issues which are not all specific to cyber please just to throw in my two cents here certainly you're absolutely right that most conflict is now a non-international conflict and on the other hand certainly to do cyber to do cyber attacks very well to do something more elegant, more sophisticated more effective than simple defacement or DDoS which pretty much any annoyed teenager can do from their bedroom you do need a certain amount of capability so these tiny cells tiny groups notwithstanding a number of Hollywood films it's very rare for that to have any truly serious effect and the other thing is and that's what we come back to what Laurel said the main issue really is is compliance especially with regard to non-state actors or organized armed groups depending how you call them but that is no different from today compliance is an issue whether there's people chopping each other up with machetes or whether they're doing unspeakable things with ones and zeroes and that is something that we need to think about which we're thinking about which regrettably has no easy solution but the framework is there again so it's not a legal issue it's a compliance issue and that's sort of the main takeaway I think so we've got time for one more question quickly and actually I promised I promised already if you could thank you very much actually my question has mostly been answered too because it was very much linked to the one that has just been raised the question of the discussion has been mostly focused on state to state issues while there is also great scope for used by non-state actors and Mr. Leclerc in a way answered it that my impression was that the analogy between weapons and cyber weapons was not entirely relevant because maybe one difference was that cyber weapons are more accessible to a broader range of people because guns are accessible everywhere but major planes and tanks and heavy weapons or missiles are in general less accessible but it appears I don't know if it's the consensus that real serious weapons are not so I've been too much influenced by Hollywood and the major weapons are not so accessible and maybe Herb could quickly answer the technological capacity and we'll finish this lovely session up it is true that there are many equivalents of cyber weapons that are like small arms they tend to be relatively I wouldn't say superficial but they're relatively broad spectrum that is they don't exercise a lot of selectivity as you pointed out you can do a denial of service attack from any place and you can even go out and buy a botnet service to conduct a denial of attack a denial of service attack for you so you can buy the service and you don't have to know anything so there are those at one end at the very sophisticated end the very sophisticated end turns out to be what you mean by that is very highly targeted highly selective you want to go after a particular uranium enrichment centrifuge or something like that those are the kinds of capabilities that you can purchase but they cost a lot of money they take a long time you have to collect a lot of intelligence for their effective operation and so on so there's not the scale of how much it takes to invest is really the more money you spend it typically is the less damage it does that is the more targeted the damage is so well thank you I think we're right at our time so I'd actually like to give our panelists a round of applause and thank them very much for their time today well thank you Ida now we have the pleasure to invite you for a drink in the other room outside before that I just wanted to thank few people for the organization of this event as we said at the beginning this event comes at the end of a two day workshop which has been organized by a group of academics sponsored by the US National Science Foundation and that we had the pleasure to host here so I'd like to thank this group in particular Pat Lien thank you Pat like also to thank BJ and Fritz Olhoff for this work we did together thank you very much and on the other side of the ICRC I'd like to thank all the colleagues who made it possible especially Anne Quentin Geneviève Monnier and Boulain Belbashir for the webcast and I would like to thank all of you the audience for having braved the rain and also for those who listened to this event on the internet which was a good use of cyber so thanks to everybody and now let's enjoy this drink thank you