Ladies and gentlemen, good morning from the Stockton Centre for International Law, the US Naval War College, and indeed good afternoon and good evening from wherever you are in the world. I'd like to welcome back those who joined us yesterday and indeed welcome those who are unable to. Before we begin the conference in earnest today, just a few announcements. The first is to reiterate that yesterday, today and tomorrow, so all three days of the conference will be recorded and be made available to the public via YouTube. The second thing is to encourage questions, so you'll notice at the bottom of your screen there is a Q&A box. Please post your questions there to our panellists as they come to you during their presentations. There's also a like feature there, so if you particularly like a question that someone else has posed and you want the moderator to see that ahead of other questions, please use the like function. And then finally, I'll post in the Q&A box a link to our website and from there you can download the program for the conference where you can see the bios for all the speakers and panellists. So with that, I'd like to hand over to the Charles A. Stockton Professor of International Maritime Law and Chair of the Stockton Centre, Professor James Kraska. Thank you very much, Kieran. Thank you everybody for participating in day two of the Disruptive Technologies and International Law Conference and Stockton Centre. This morning it's our real honor and pleasure to be able to listen to Dr. Roy Schoendorf. He is Israel's Deputy Attorney General for International Law and in that capacity, he's responsible for all aspects of interpretation and application of international law in Israel's legal system with respect to international litigation, as well as treaty negotiations and representation of the State of Israel in international affairs and international forums. 
He has also been the Director of the Department of Special International Affairs within the State's Attorney's Office and previously he was in the International Dispute Resolution Group at Debevoise and Plimpton LLP and he has served in, on a number of delegations of the State of Israel, including delegations for peace negotiations with Syria, Lebanon, Jordan and the Palestinians, as well as for negotiations for the creation of the International Criminal Court. Dr. Schoendorf earned a Doctor of Juridical Science, that's the PhD of equivalent of law in the United States and from NYU University School of Law and he also earned and studied law and economics at Tel Aviv University. Dr. Schoendorf, thank you very much for participating in this conference. The floor is yours. Thank you James. Good morning everyone. I would like to thank the organizers for the opportunity to speak at this prestigious event. The last time I participated in this conference was on a panel regarding the Gaza flotilla incident in 2010. I remember that Professor James Kraska, James, spoke on the issue of maritime blockade. It was a compelling presentation and while I'm not sure I remember each and every detail of it, you must have known what you were talking about James, given your current position here at the Naval War College. In any event it gives me great pleasure to be a part of this conference again as a keynote speaker, so I wish it could have been in person. I would like to present here today Israel's perspective on key aspects of the application of international law in connection with cyber operations with a particular emphasis on issues related to the use of force and armed conflicts. The question of how international law adapts to emerging technologies is one of the most challenging faced by legal advisors. These challenges compel us to revisit notions that have been with us for decades and sometimes centuries. 
We can see this in the fields of artificial intelligence, blockchain and of course in the context of cyber operations. Israel considers that international law is applicable to cyberspace and this is a view that has become almost axiomatic for a vast majority of states. However, when seeking to apply particular legal rules to this domain, we're mindful of its unique features. These unique features shape policy and affect the legal framework applicable to the cyber domain. I wish to shortly address some of these. First, cyber operations are conducted through a global network passing through infrastructure located in multiple jurisdictions and lacks any meaningful physical manifestation. Second, much of the cyber infrastructure is held and controlled by the private sector and civilian components are a major part of the picture. Thus regulation of the cyber domain may have various social and economic implications as well. Third, the cyber domain is highly dynamic given the fast pace of technological development and innovation. The development of international legal rules, on the other hand, is a more gradual process. This is understandable since these rules are designed to stand the test of time and are not easily amended. All these factors taken together suggest that an extra layer of caution must be exercised in determining how exactly international legal rules apply to cyber operations and in evaluating whether and how additional rules should be developed. We as government and military legal advisors are tasked with the role of identifying the relevant rules, including those set by the law of armed conflict, and determining how they apply to a particular set of facts. In some cases it will be possible to apply a certain rule as it is, while in other cases the situation is conceptually different such that it might not be possible, feasible or even desirable to draw from existing legal rules. 
This process obviously has to consider the behavior of states in the cyber domain as international law is state made. When dealing with a treaty provision we look to the regular rules of treaty interpretation to ascertain the relevance and applicability of the provisions at hand in the cyber context. As for customary law, it is necessary to examine whether there is general state practice accepted as law substantiating the existence of a rule in the cyber domain. It cannot be automatically presumed that a customary rule applicable in any of the physical domains is also applicable to the cyber domain. The key question in identifying state practice is whether the practice which arose in other domains is closely related to the activity envisaged in the cyber domain. Additionally, it must be ascertained that the opinio juris which gave rise to the customary rules applicable in other domains was not domain specific. Given the unique characteristics of the cyber domain, such analysis is to be made with particular prudence as it is very often the case that relevant differences exist. Since this is the Naval War College conference, it is only fitting that I will give an example from the law of maritime warfare. As you all know, the rules regulating maritime blockade evolved long ago. Over the years these rules have crystallized into customary law. Nonetheless this custom was formed specifically in the maritime context. Putting aside the question of whether the concept of blockade is relevant to cyberspace, the maritime practice is not closely related to any type of activity in the cyber domain, while the opinio juris in this regard is domain specific. It is therefore quite clear that the rules of maritime blockade are not applicable in the circumstances of activities in the cyber domain. 
The law of neutrality also illustrates the challenges of applying rules that evolved in the context of traditional warfare to the contemporary environment of cyberspace, as many of its rules were tailored specifically to the land, sea and air domains. For example, in relation to one of the basic overarching rules of neutrality, the inviolability of a neutral state's territory: while in the land domain it is forbidden to transfer troops or convoys of ammunition, at sea the passage of warships in territorial waters is possible, and in the air such passage is subject to discretion or limitations of each neutral state. Given these differences it remains unclear if and how this rule would be applicable in cyberspace. These are just examples that show why it is not always easy to move from the general statement that international law applies to the cyber domain to concrete legal rules that bind states and non-state actors in their actual behavior. Accordingly the state of Israel has largely refrained thus far from making specific statements on whether and how particular rules apply. That is not to say that we take no position; indeed we have consistently affirmed the application of international law to cyberspace in forums like the UN GGE and the Open-Ended Working Group. In parallel, over the last few years we have been gradually formulating and developing our views on some contemporary issues relating to cyber operations. This is a meticulous and delicate process impelled by the need for thorough legal and practical research and careful consideration of a multitude of views together with an assessment of potential implications. Bearing in mind all these challenges, in my presentation today I would like to share with you some of the insights that we have reached thus far regarding international law applicable to cyber operations, particularly in connection with armed conflicts. My hope is that this will contribute to the current legal discourse in this field. 
I will start by addressing a few key issues concerning the jus ad bellum. First, and this has already been acknowledged by many others, the customary prohibition set out in Article 2(4) of the Charter of the United Nations on the threat or use of force in international relations is clearly applicable in the cyber domain. We share the support among states for the view that a cyber operation can amount to use of force if it is expected to cause physical damage, injury or death which would establish a use of force if caused by kinetic means. For example, hacking into the computers of the railroad network of another state and programming the controls in a manner that is expected to cause a collision between trains can amount to a use of force. As with any legal assessment relating to the cyber domain, as practice in this field continues to evolve there may be room to further examine whether operations not causing physical damage could also amount to use of force. Second, when the use of force in the cyber domain by either a state or non-state actor can be considered as an actual or imminent armed attack, the state under attack may act in accordance with its inherent right to self-defense as enshrined in Article 51 of the UN Charter. Of course the exercise of this right is subject to the customary principles of necessity and proportionality. Finally, the use of force in accordance with the right of self-defense against an armed attack conducted through cyber means may be carried out by either cyber or kinetic means, just as the use of force in self-defense against a kinetic armed attack may be conducted by kinetic or cyber means. I would like to move on and address some key issues concerning the applicability of the law of armed conflict to the cyber domain. I will start by stating the obvious: the law of armed conflict and its fundamental principles generally apply to cyber operations conducted in the context of an armed conflict. 
Indeed, and I quote, "the right of belligerents to adopt means of injuring the enemy is not unlimited," end quote, even in the cyber domain. Israel is a party to the four Geneva Conventions and other treaties governing particular aspects of conduct in armed conflict and is also bound by applicable customary law. Israel, like the United States and others, is not a party to the Additional Protocols and is not bound by them as a matter of treaty law. However we see the following as consistent with the relevant customary law and the Additional Protocols. One of the key issues in the conduct of hostilities in particular is how to define attacks and in which circumstances cyber operations amount to attacks under LOAC. The concept of attack is central to targeting operations and only acts amounting to attacks are subject to the targeting rules relating to distinction, precautions and proportionality. The definition of attack in LOAC requires several elements but I will focus on those aspects carrying special relevance in the cyber context. Specifically I will address the element requiring that an act will constitute an attack only if it is expected to cause death or injury to persons or physical damage to objects beyond de minimis. One aspect of this element concerns the reasonably expected consequences of the act in question. Reasonably expected consequences are those that are anticipated with some likelihood of occurrence and entail adequate causal proximity to the act. A second aspect in this element is the type of required damage. The requirement for physical damage has been accepted law since the introduction of the legal term of art "attack" into the LOAC discourse. For this reason practices such as certain types of electronic warfare, psychological warfare, economic sanctions, seizure of property and detention have never been considered to be attacks as such and accordingly were not considered as subject to LOAC targeting rules. 
Only when a cyber operation is expected to cause physical damage will it satisfy this element of an attack under LOAC. In the same vein, the mere loss or impairment of functionality to infrastructure would be insufficient in this regard and no other specific rule to the contrary has evolved in the cyber domain. However, if an impediment to functionality is caused by physical damage, or when an act causing the loss of functionality is a link in a chain of the expected physical damage, that act may amount to an attack. For example, if a cyber operation is intended to shut down electricity in a military airfield and as a result is expected to cause the crash of a military aircraft, that operation may constitute an attack, subject of course to the additional elements for attacks under LOAC. The existence of physical damage is assessed purely on objective and technical grounds. It is a factual question and as such does not depend on the subjective perception or the manner in which the other side chooses to address the loss or impairment of functionality. Finally, the fact that a cyber operation is not an attack does not mean that no legal limitations apply thereto. Indeed there are general obligations in LOAC that apply to all military operations regardless of being attacks or not. Central among those is the requirement to consider the danger posed to the civilian population in the conduct of military operations. It is widely accepted today that parties to conflicts cannot blatantly disregard such harmful effects to the civilian population in their military operations. But there are also more specific protections that may apply to actions other than attacks. For example, cyber operations affecting medical units are regulated and limited inter alia by the LOAC obligation to respect and protect medical units, which applies regardless of whether the act constitutes an attack or not. 
Moving on from the issue of attack, another question which is especially relevant to the cyber domain is whether the term "object" as it is understood in LOAC encompasses computer data. This bears implications with regard to the implementation of the LOAC rules relating to distinction, precautions and proportionality. Objects for the purposes of LOAC have always been understood to be tangible things and this understanding is not domain specific. It is therefore our position that under the law of armed conflict as it currently stands only tangible things can constitute objects. Here again this does not mean that cyber operations adversely affecting computer data are unregulated. In particular, when an operation involving the deletion or alteration of computer data is still reasonably expected to cause physical damage to objects or persons and fulfills the other elements required to constitute an attack, the operation would be subject to LOAC targeting rules. Likewise one must have regard to rules which are not dependent on the concept of objects, such as the obligation to respect and protect medical units. Now, in addition to the jus ad bellum and LOAC, there are other legal frameworks pertinent to cyber operations that do not center around armed conflicts. Given their importance I believe it is valuable to address them shortly and perhaps leave some room for further thoughts. I will start by addressing perhaps the broadest topic, which continues to be a subject of vibrant discussion: sovereignty. To begin with, there are diverging views regarding whether sovereignty is merely a principle from which legal rules are derived or a binding rule of international law in itself, the violation of which would be considered an internationally wrongful act. This issue has many facets and while I will not offer any definitive position for the time being I would like to stress a number of important points. 
The first is that sovereignty is a cornerstone of international law and international relations. Of course we need to distinguish in this regard between sovereignty, which is typically used as a general concept that connotes independence, and territorial sovereignty, which is an international legal rule. States will sometimes point to the need to protect their sovereignty, referring broadly to their political will and autonomy without necessarily referring to a legal rule. The two meanings are sometimes conflated and we need to be very careful when drawing legal conclusions. A second and related point is that states undoubtedly have sovereign interests in protecting cyber infrastructure and data located in their territory. However states may also have legitimate sovereign interests with respect to data outside their territory. For example, as governments store more and more of their data by using cloud services provided by third parties whose servers are located abroad, how do we describe the interest that they have in relation to that data? Would their interest in protecting the data not be a sovereign interest in this case as well? Or alternatively, when a state conducts a criminal investigation and needs to access data located abroad from its own territory, under what circumstances does it need to request the consent of the territorial state? Of course there are no easy answers to these questions and some of them are currently being discussed, such as in the context of the protocol to the Budapest Cybercrime Convention currently being negotiated to address this very topic. These questions reflect an inherent tension between states' legitimate interests and the concept of territorial sovereignty as we understand it in the physical world. In practice states occasionally do conduct cyber activities that transit through and target networks and computers located in other states, for example for national defense, cyber security or law enforcement purposes. 
Under existing international law it is not clear whether these types of actions are violations of the rule of territorial sovereignty or perhaps that our understanding of territorial sovereignty in cyberspace is substantively different from its meaning in the physical world. Another matter closely related to the issue of sovereignty is that of non-intervention. Traditionally this concept has been understood as having a high threshold. It has been taken to mean that state A cannot take actions to coerce state B in pursuing a course of action or refraining from a course of action in matters pertaining to state B's core internal affairs, such as its economic or foreign policy choices. Its traditional application has focused on military intervention and support to armed groups seeking the overthrow of the regime in another state. This could presumably also relate to support given to armed groups in the cyber domain, such as providing information regarding cyber vulnerabilities of the state. A more recent issue that has come to the fore relates to interference in national elections. We concur with the various positions expressed in this regard, such as that which was presented by former State Department legal advisor Brian Egan and more recently reiterated by DoD General Counsel Paul Ney, that, and I quote, "a cyber operation by a state that interferes with another country's ability to hold an election or that manipulates another country's election results would be a clear violation of the rule of non-intervention," end quote. I will now turn into addressing three somewhat related topics: due diligence, attribution and countermeasures. The concept of due diligence means that states should take reasonable measures to avoid or minimize harm to other states and seems to be useful in fields such as environmental law. 
In the 2015 UN GGE report the concept was addressed as the basis for a voluntary non-binding norm of responsible state behavior providing that states should not allow their territory to be used for the commission of internationally wrongful acts. There was wisdom in mentioning it in the chapter covering norms of responsible state behavior as it does not at this point in time translate into a binding rule of international law in the cyber context. This was the position expressed by other states as well. As I mentioned regarding the examples of maritime blockade and neutrality, we have to be careful in applying to the cyber domain rules that emerged in a different, distinct context. For instance, in the field of environmental law, where much of the focus and application of due diligence obligation has been in recent years, the acting state typically has control or at least oversight over the harmful activity, for example regulating the polluting power plant. However cyberspace is mostly private and decentralized. The inherent different features of cyberspace, its decentralization and private characteristics, incentivize cooperation between states on a voluntary basis, such as with the case of national computer emergency response teams. CERTs are already doing what could arguably fall into that category, exchanging information with one another as well as cooperating with each other in mitigating incidents. However we have not seen widespread state practice beyond this type of voluntary cooperation and certainly not practice grounded in some overarching opinio juris which would be indispensable for a customary rule of due diligence or something similar to that to form. The issue of attribution is also widely debated with respect to cyber operations. Some have suggested that there needs to be more legal certainty with respect to attribution in order to avoid mistaken attribution which can lead to conflict escalation. This is increasingly becoming more of a theoretical issue. 
Over time the attribution capabilities of states have improved and even states with lesser capabilities have been able to rely on solid information provided by other states and by the private sector. In any event this is a technical matter, a factual one, and I would advise against over regulating the issue. That being said, there is also the question of public perceptions, because sometimes when an offensive cyber operation is public and the attribution is public the government needs to communicate with its citizens and with the international community at large in order for its positions and actions to be understood. But there will be cases when a state will prefer not to disclose the attack, the attribution or any ensuing actions taken, for diverse reasons such as national security and foreign relations. Either way, as a matter of international law the choice whether or not to disclose the attribution information remains at the exclusive discretion of the state. With respect to the issue of countermeasures I would like to echo the positions taken by the UK, the US and other states to the effect that there is no absolute duty under international law to notify the responsible state in advance of a cyber countermeasure. Prior notification is perhaps more realistic and practical in fields such as international trade, allowing the responsible state to reconsider its actions without frustrating the ability of the injured state to take the intended countermeasures. However, in the cyber domain, where the pace of events can be extremely fast and the other side may swerve the action if it anticipates it, announcing a cyber countermeasure in advance would often negate the utility and effectiveness and in some instances undermine the interests of the injured state as well as render the countermeasure obsolete. One last point. 
I focused thus far on cyber operations but it is important to keep in mind that the application of international law to cyberspace is much broader than the issue I touched upon. Questions relating to cyber security, cyber crime, digital trade and human rights in the cyber domain are just a few examples. I think that international law has a crucial role to play in addressing these topics. By focusing on these topics international law can contribute to enhancing global stability in a concrete way. We hope to share our views on these and other topics as well in due course. I wish to conclude my remarks by taking a step back. In the discussions that we're having on the application of international law in dealing with emerging technologies, I think that the challenges lie not in identifying the basic rules of international law, the prohibition on the use of force, self-defense, non-intervention, territorial sovereignty, etc., but in determining when and how they apply in new circumstances. Picture the land, air and sea domains of international law as independent trees, each with its own branches and leaves, each yielding its own fruit. Each of these trees is sustained by common ingredients, soil, water, sunlight, yet each tree grows differently, depending on the external conditions, the type of seed sown, and how the roots grow. We now have a new tree whose roots are just beginning to take shape. International law of cyber-operations is a nascent field. It is emerging from the same grounds of international law, the same core principles at the heart of the international system, and its leaves and fruit will bear some similarities to the other fields of law, but we do not expect that it will be identical, once fully grown. 
So while the vast majority of states agree on the starting point of the application of international law to cyber-operations, the international community is still very much at the beginning of the journey, and the applicability of each existing rule of international law to the cyber domain requires careful assessment and review. Thank you again for inviting me to speak here today. I look forward to your questions. Thank you. Well, thank you so much, Dr. Schoendorf. That was obviously a wonderful presentation and very informative. And I think your tree analogy was very interesting and very fitting. I think we have two trees growing right now. We have obviously the tech tree that has cyber and space and artificial intelligence, as well as the international law tree that's trying to grow to keep up with these technologies. I think that's a fantastic way to look at it. You provided a very frank and practical approach, frank and practical comments regarding Israel's operational approach to the cyber domain. Could you perhaps share a little more on the reasons, kind of the background and considerations that have led to Israel's present views with respect to international law in the cyber domain? Certainly. We have been thinking for quite a while whether it would be appropriate for us to make a statement and make our views known with respect to our positions, at least on some issues in the cyber context. And for a long time, we actually did spend a lot of time thinking about these issues and trying to follow the practice and comments of other states. We do see a responsibility, international law being state made, to participating in the process of identifying and conceptualizing the rules of international law. And our discussion or our presentation of these issues is intended to be part of the discourse and conversation that goes on. 
We felt at this point that a substantial number of countries have already made presentations and when we got the invitation to speak at this prestigious conference, we thought that might be an excellent opportunity to make our views more public. We certainly appreciate that. An audience does as well. If I could ask maybe a more specific question. Professor Eric Jensen from BYU asks that you allow that it may be with respect to Article 2(4), practice may evolve in such a way that cyber operations not causing damage might amount to a use of force. Can you provide more details on what you mean? And he asked that are you referring to economic operations? And if so, what standards might we start thinking about as the trigger for economic effects that amount to a use of force? Yeah, so I wouldn't. It's a tricky question. It's an excellent question, of course. And I don't really want to use this platform to give anybody any ideas. I think that the approach that we have taken, that we are taking to identifying rules in the cyber domain like many other states is a cautious approach. And so we feel that at this point in time, the safest view would be, the safest view that is supported by state practice is that there needs to be a physical component to that. But we certainly see the possibility that in the future states may feel compelled to respond to attacks that may not be or to actions that may not also have a physical component in them. And if that happens and other states accept that, there may be a development of the legal rules. So that is to say that the world of cyber operations is developing. And we have still very limited state practice and very limited state practice in actual real life situations. 
And so we think that the prudent approach is to be cautious about the rules we identify and to have them grounded in the state practice as it exists, but to be also open to the possibility that in the future as things evolve, there may be developments that will justify rethinking or reinterpreting some of these concepts. Thank you, and we talk about the type of effects that cyber operations may have. And Professor Anna Petrick looks at a question with regard to the temporal aspects and she says, the right to use force and self-defense is subject to a requirement of immediacy. However, in some cases, the fact that a cyber attack has occurred or is occurring may not be apparent for some time. What is your view on the immediacy criteria in such cases? Can it be interpreted more broadly or must the standard be the same for a kinetic or a physical attack? So I want to be cautious. I mean, I didn't consider this specific scenario before this presentation and I don't want in that more formal and public context to take a definitive view. I will say that imminence is a component, of course, of one of the requirements for the use of self-defense. Some view it as part of necessity and others see it as an independent prong. Provisionally, without making any commitments on this, I think that the imminence in such a scenario should relate to the point in time where one becomes aware of the attack and not the time that the attack was actually originated or occurred. And obviously these are interesting questions and legal advice in this world can be interesting and certainly I think tricky. From your experience, what are the challenges in providing legal advice with respect to cyber operations? Well, that's actually an excellent question to ask Deputy Attorney General that needs to advise on these issues. I will say some of the cyber operations and cyber in general is a field that requires a relatively high level of technical knowledge. 
And sometimes, not necessarily in Israel, our political leaders may have vast knowledge of maybe cyber technology, but in some cases at senior levels there may be gaps in the understanding of some of the technical issues. And I think that is a challenge when one needs to present legal advice to people that have less expertise perhaps on cyber technology. I think another aspect is sometimes the very fast pace that things happen. I mean, this is true also in other fields related to law, to the laws of armed conflict, that the military operations need to take, to happen relatively quickly, but in cyber it may be even more apparent. And maybe the last but not least is the fact that the rules are still very much, on many issues, are very much in flux. And there is a large degree of uncertainty. Certainly puts the challenge to the legal advisor how to describe or to provide the legal advice to those that seek it, whether you identify the scope of possible interpretations and let the military operators or the political decision makers decide the course of action or whether you need to take a more, to move or shift more of the decision making to the lawyers and take more concrete and stronger views about what the appropriate legal interpretation should be. I think that's a very important challenge given where we are today on the law of cyber operation. Yeah, certainly and speaking of challenges, we're running short of time here, but I do have one more question for you. Yesterday we talked a lot about artificial intelligence and autonomy, how it is now and how we see it in the future. And so I'll ask you with regard to cyber operations, where do you see this cyber domain heading and what's Israel's role in the future? Well, I spent most of the time allocated to me here speaking about challenges that the cyber operations and cyber technology poses, but I think the real story of course is the opportunities that cyber operations, that cyber technology presents. 
And I think cyber technology of course creates huge opportunities for cooperation between states. I mentioned the CERTs as an example, but I think in many more or in many additional fields and certainly in the private sector, cyber has a huge promise of creating technologies that could make and that do make life of all of us much better, make production more efficient, make things cheaper. There are many advantages of course in the cyber field and I think Israel, with our technological capabilities, is very much eager to participate in these positive processes. I really appreciate you participating today with us. I really appreciate your comments and your frank answer to these questions. And we hope you have a great evening and thank you for joining us toward the end of your day. And we look forward to more engagement with you in the future and of course Israel. Thank you very much, doctor. Thank you very much and good luck with the rest of the conference. Thank you. Thank you. Take care. Ladies and gentlemen, we will now turn to our next panel, which will be led by Herbert Lin and that will be the attribution of cyber operations. And if I ask Dr. Lin to join me here on screen, I will say that this panel today is probably the most diverse with regard to time. I think they're breaking the time-space continuum. We have Dr. Lin from the west coast and it is around close to zero nine his time. And then we have Yuval Shany, who is well into the evening where he is. And then Tomohiro is, well, it's very, very early in the morning and I think Tomohiro is going to win the award for the most painful time to be a panelist here. So we thank him. But so Dr. Herbert Lin is the Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution. And now I turn it over to Dr. Lin, please. Okay. Thank you for having me. My role here is to present the short version of some technical background for attribution. And so that's my job for the next 10 minutes. 
So with that, next slide, please. Okay. So our keynote speaker made reference to this about the conventional wisdom being that you can't attribute cyber operations because the technical forensic information can be faked or false flagged, with a variety of consequences if you can't attribute. But the conventional wisdom, as a previous speaker pointed out, the conventional wisdom is wrong on this or at least it's incomplete. Next slide, please. Okay. I want to present a scenario. It's based on a US computer, but it doesn't matter that it's US. You can read it here. Imagine a US computer is attacked in cyberspace, the attack comes from a computer based in Kansas owned by a grandmother. The computer in Kansas was compromised using a computer in Greece. George was at the keyboard in Greece. George is a citizen of Germany, but also a member of a Russian organized crime group. And the leader of the crime group was a close personal friend of the senior leader of the FSB. Who is responsible for the attack on the US computer? And I submit whatever your answer is, only the steps in red can be identified just technically. Everything else is a political or a policy decision. Next slide, please. So when you're talking about attribution, there are three meanings that you need to keep in mind. Are you trying to identify the machine or the machines that are responsible? That's something for the forensic people, the technical guys, the computer science guys. Is it the human operator who initiates the hostile action? That is the guy sitting at the keyboard. That is you have to decide who is sitting at the keyboard. That's not a technical issue. Yes, I know you can activate the guy's computer, the guy's camera on the computer, but he's wearing a mask. So you don't really know who's actually pressing the keys. And then the party who's ultimately responsible for the actions of the human operator, that's a political determination, who set this whole thing in motion. 
The most important point here is that the first, knowing any of those, the machine, the human or the party, does not necessarily give you any information about the others. And that's, you must keep that in mind. So when we talk about the party ultimately responsible, it can be determined by a variety of political decisions. Is it the geographical location of the machine that launched the attack? So therefore, Greece is responsible, because that's where it was. Is it the, because George is a citizen of some country, then it's a German responsibility because its citizen did something bad. And then it could be the entity under whose auspices the individual acted. Is George working for the organized crime cartel? Is the crime cartel responsible? Again, all of these are political decisions. Now, what's the appropriate meaning for attribution? It depends on what you're trying to do. If your goal is to try to mitigate the pain, to stop the pain of the attack as quickly as possible, you need to know the machine. You don't care who's operating the machine, you just want the machine to stop attacking you. If you want to take into it, if you want to prosecute the actor or take him and take the person into custody, you need to actually know the human being who's at the keyboard. You have to know who that is. Are you trying to deter future acts? In that case, you want to know the party who set the whole thing in motion. Next slide, please. Now, what does this attributing to a state mean? There's a whole range of this. This is stolen from a paper that Jason Healey at the Atlantic Council wrote about six or seven years ago. And it's still the best spectrum of meanings of what attribution to a state might mean. It goes all the way from, it might be state prohibited, but the state doesn't have any capability to enforce its prohibitions against it, against third-party actions. 
Or the state tolerates it, or the state encourages it, or the state directs it, or the state actually conducts it. There's a range of meanings. Again, this is a political decision. You can decide what you want, which one of those levels you want and for what purpose. Next slide, please. Okay. The second, an important point about attribution is that it is not just about technical intelligence. It's not about forensics alone. Forensics are very important. They give you the information about the one, about one attack. But there are many, many other sources of information. For example, you might have prepositioned sources, you might be monitoring other people's networks, and then you see that they launched an attack. That's useful information. Okay. That's not forensic information from the attack that happened on you, but that's from your other intelligence sources. Okay. The other guy may make some technical mistakes in his tradecraft. So he might refer, he might use, there might be a character string that turns out to be the name that he used on his dating profile. In which case you can go look up the dating profile and get some information about him, and how do you know? Well, you pretend to be a person who's interested in this person, and then you get him into a conversation and so on. You get information that way. There's a potential history of, have they used this weapon or techniques before? It's again, it's not definitive, but it's suggestive. There are operational security failures. The other guy may discuss his plans on an open bulletin board or insecure media or brag about it on a cell phone. And there's a geopolitical context. Who's making demands on you? What do they want? And what else is going on in the world? All of these sources of information play into this. What's really hard is prompt attribution. 
That is to know very quickly who's responsible and that it takes time to analyze and assemble clues. Next slide, please. Okay. And different levels of attribution and certainty are needed for different goals. If you, in the United States, the standard is beyond a reasonable doubt for criminal prosecution. Okay. But there are lower levels, there are lower levels of certainty. There is the phrase clear and compelling. There is the phrase preponderance of the evidence. We know what that means. It's sort of more than 50%. But the goal here is that you have to convince an impartial jury or judge. And that's what you need. In national security decision making, the standards for taking action are much less formal. So due process, rights of the accused, they don't have any good analog. So you don't exclude evidence for a technicality in doing national security decision making. There the audience is ourselves. We need to be convinced of who did it. And it's a separate question of who else has to be convinced, for example, the public. So assigning responsibility, the bottom line here is assigning responsibility entails policy choices and not just technology. Next slide, please. Okay. Who are the parties that need to be convinced? So I mentioned one of them are the policymakers. The second possible audience is the national public of the attacked nation. They have to be convinced that whatever the nation is going to do in response, it's justified. Likely only partial information is going to be available. For example, you might need to protect sources and methods of intelligence. This part is very, very complicated. At least in the United States, because of huge arguments about what a court of law is and the rights of the accused and really a confusion between criminal proceedings and national security proceedings. You may have to consider the leaders of other nations. 
And that depends on reputation and trust to a large degree. I'll point out that in the Cuban Missile Crisis, the Secretary of State went over to de Gaulle to ask for his support. And he offered to show President de Gaulle the pictures of the Russian, of the Soviet missiles in Cuba. And de Gaulle said, I'm sorry, I don't need to see them. If the President of the United States says it is true, I believe it. I believe you. And France is with you. We'll stand with you. Can you imagine that happening now? That is just a mind boggling image to consider now. It just wouldn't happen. So, you know, trust makes a big difference here. And then, you know, the attacking government or the non-state actors. They'll never acknowledge it publicly. They know its role. They know what they did. On the other hand, they might be unsure about what you know. And they can maintain plausible deniability unless extensive and undeniable evidence is available, which is highly unlikely. Some people say that naming and shaming helps. It's hard to imagine certain countries being shamed by their being pointed out. In fact, they may want to be caught so that we understand what their powers are and so on. So, and I think that is the last slide. So, with that, I am pleased to introduce my two next speakers. They have prerecorded presentations and then they will be live here to answer and respond to the questions. I'm supposed to moderate that. The first up is Yuval Shany, who is the professor of public law at Hebrew University in Jerusalem. And Tomohiro Mikanagi is deputy legal advisor of the Japanese foreign ministry, who oversees international law for Japan, including cyber space. So, with that, Yuval, please, let's have your presentation. Good morning. And thank you for inviting me to this very interesting, disruptive technologies and international law conference. I'm very pleased to participate in this panel and to virtually meet a lot of old friends and colleagues. 
My presentation will focus on the issue of the possibilities for establishing an attribution mechanism in international law. And it is based on a research project, which I have engaged in in recent years, together with a number of colleagues, including Mike Schmitt, who many of you know, Dan Efrony, who's been the Israeli MAG, Paul Ducheine, who's been with the Dutch military, and a number of additional researchers. And that research project was trying to look critically at the question of why recent efforts to establish an attribution mechanism have come to naught, and whether there is still a space to establish such a mechanism for certain purposes and for certain constituencies. Let me backtrack and try to situate the question of attribution within a broader framework, which is the framework of the rule of law in the field of cyber security. So we all know of these allusions to cyberspace as wild west or a lawless space. And we have all seen many efforts on the part of lawyers and policymakers to try to reduce that lawlessness by introducing clearer standards, Tallinn Manual being one of these efforts, and recent enunciations of states' policies in the field of cyberspace by a number of mostly European countries, Australia as well, is another effort to introduce a greater role or greater clarity about what international law actually governs cyberspace and hostilities and other forms of operations in cyberspace. But by and large, a paper which Dan Efrony and I have written and published a couple of years ago in the American Journal of International Law did suggest quite strongly that although some standards clearly apply in cyberspace, there is a strong propensity by states, or at least there has been until recently a strong propensity by states, not to invoke international law when encountering cyber attacks. And that implied that states that were attacked often didn't acknowledge that they were being attacked. 
Even when they acknowledged that they were being attacked, they often didn't point a finger towards another state. And they often didn't resort to any overt countermeasures or retorsions vis-à-vis the other states. And even if they have done all these things, they have rarely if ever invoked international law when doing so. And in that article Efrony and myself have presented a number of hypotheses as to why international law has been so marginalized, and over and beyond the question of whether the norms of international law are adequate to regulate the cyber operations and whether the kinetic international law is fully applicable, is fully amenable to adaptation to cyberspace, it was also quite clear that some key states are not interested in invoking international law because they see international law as in a way limiting their options in this field and serving as a constraint on their ability to operate below the radar screen and to generate deterrence in that path. So there has been some preference for non-legal, although we maintain still normative, response in cyberspace. But perhaps, and this is really what Schmitt and I have written on in this International Law Studies piece on attribution, perhaps one reason for this paucity of utilization of international law in cyberspace has been the limited availability of attribution mechanisms, in the following sense: that if you are going to make an allegation against a state, if you want to name, blame, shame another state that they have been involved in a violation of a legal norm in cyberspace, then you should have some way to credibly make your case in the court of public opinion, of world public opinion. And the non-availability of such a mechanism could serve as one explanation for the limited utilization of international law in cyberspace. Now of course this is not, this does not mean that states cannot generate technical attribution. 
Most states can do that, and that doesn't mean that states cannot convince their close allies to join themselves in making attribution. They often do and we are seeing a rise in what is called collective attribution statements. But the fact that you do not have a credible international mechanism could serve as a sort of constraint upon these efforts. Now what you could see, what you can see is the fact that cyberspace in this regard is a sort of anomaly, in the sense that in other branches of international law the movement has been towards developing such attribution capacities. So one field where there is a very extensive use of fact-finding as part of the project of improving compliance and strengthening implementation is human rights law, where you have a very broad host of fact-finders such as rapporteurs, fact-finding missions, special treaties, etc. that are raising, so to speak, the costs of violating international human rights law without paying a price, and a similar logic could also apply in cyberspace. But perhaps even more closely related are the developments that we have seen in the field of regulating weapons of mass destruction, where we have seen the major treaties that regulate chemical weapons or the use of nuclear weapons or nuclear testing to have introduced some technological capacity within their respective secretariats that would enable those organizations to perform, at the request of state parties, what are called challenge inspections or special inspections. 
And in fact, when one is looking at the recent experience of the United Kingdom following the Salisbury attack in 2018, the use of chemical agents vis-à-vis two Russian citizens, it is quite interesting to see how, although the United Kingdom clearly had the capacity to conduct its own investigation and to identify the chemical agent in question, the UK went out of its way to invite OPCW assistance in Salisbury so as to generate greater credibility to its finding and to point the finger more poignantly vis-à-vis Russia. And I believe, and Schmitt and I in the article claim, that the same logic could also apply in certain circumstances also with regard to attribution of responsibility in cyberspace. And indeed we think that if one looks at what recent developments in the last two, three years show, is that actually we are moving in a direction where the lack of an attribution mechanism is going to prove more and more problematic. And that direction comprises of, first, an increased propensity by states to engage in collective attribution, and we have seen a move by states post-WannaCry and NotPetya to engage in broader and broader collective attribution statements. And we believe that without having a credible attribution mechanism there would be limits on the degree to which states would be willing to take victim states at their word in terms of joining an attribution statement without actually having some independent guarantee, independent safeguards to the credibility of the attribution statements, and an international mechanism could help in this regard. And secondly, we have seen a movement toward a more institutionalized sanction regime, especially within the context of the EU, and here the interplay between generating blacklists which impose compulsory sanctions on individuals and groups that are involved in cyber operations and the need for meeting certain due process requirements in domestic courts, this is going to generate a considerable 
push on European countries to generate a credible mechanism that would vet these attribution allegations. Now add to that a more multilateral outlook by NATO and also by the US in its cyber policy, in its cyber deterrence initiative. This all points to an increased attempt to go multilaterally against states and groups within states that engage in hostile and harmful cyber operation or malicious cyber activity. And the argument is that the increased density of multilateralism in this field of cyber security does assume or does require a legal infrastructure but also an institutional infrastructure to support this, and that an international mechanism that will be optional, that would be state centered and that would generate credible attribution findings, both for states with limited technological capacity but also, more importantly, states that need to enhance their diplomatic push capacity, and also so as to accompany institutions and multilateral initiatives in this field, this could be a very important step forward. And the past initiatives in this field, a principal reason why they have not succeeded has been that they have not closely identified and honed their scope of power, structures, ambition, so to speak, vis-à-vis that specific constituency and those specific aids. So this has been a very brief introduction of the raison d'être for continuing to pursue the project of developing an international attribution mechanism. I'll be very happy during further discussions in this conference and in other venues to continue to think about how we can go forward, both with regard to the specifics of what such a mechanism should look like but also with regard to how are we going to get from point A to point B and basically identify those states and structures that could advance this idea in practical terms. Thank you very much for your time and attention. And next up is the pre-recorded presentation of Tomohiro. Hello, I am 
Tomohiro Mikanagi, deputy legal advisor of the Japanese Ministry of Foreign Affairs. It's my great pleasure to participate in this conference. I'm working for the government, but the following presentation will be made in my personal capacity. In the following presentation, first, before addressing the main issue of attribution, I will touch upon the ongoing debate concerning violation of sovereignty. Then I will address the issue of attribution to states under international law, and lastly, considering the uncertainty about the feasibility of attribution, I will briefly talk about due diligence obligation. This spring, responding to the cyber incidents targeting medical facilities amid the pandemic, more than 100 public international lawyers coordinated by Oxford scholars joined to issue this statement here. Later in August they issued another statement focusing on the cyber operations targeting vaccine research. They strongly endorsed the existence of a primary rule prohibiting cyber operations that have serious adverse consequences for essential medical services in the other states. The legal basis for this prohibition seems to be the violation of sovereignty. The violation of sovereignty is probably the most likely legal basis to be used against actual cross-border cyber operations, but there's ongoing debate over the relationship between the violation of sovereignty and non-intervention. I understand many states, including Japan, have been recognizing the existence of rules prohibiting violation of sovereignty beyond rules of non-intervention, but there are also different views. In this context I'd like to draw your attention to Article 32(b) of the Budapest Convention quoted here. This provision seems to indicate the participating states' view that access by a state to data in another state without lawful and voluntary consent is not allowed. If so, the legal basis for such restriction seems to be the respect for sovereignty. This issue requires further discussion, but state practice, including those 
relating to the relevant international agreements, should be taken into account. With that, now I'll move to the main issue of attribution. There has been no case before ICJ directly dealing with the issue of attribution of cyber operations to states, and most of the so-called attribution statements are ambiguous about the evidence, but the affidavit on the Park Jin Hyok case published in 2018 was relatively detailed. This affidavit argued that Mr. Park was a member of the conspiracy behind many cyber incidents and he was working on behalf of the North Korean government. This is a figure showing the image of the evidence in the affidavit. DPRK is shown in the top right, Mr. Park is shown with a photo in the left, small red boxes connected by arrows constitute the IT infrastructure used in cyber operations, and blue boxes in the bottom are actual cyber operations. The affidavit explains that programs used in various operations have strong similarities. They are indicating the same. It also explains connections between addresses and accounts used in these operations and those used by Mr. 
Park. In addition, it explains a connection to DPRK, including access to these email accounts from IP addresses in DPRK and use of email accounts used in these operations by DPRK officials. This affidavit gives an impression that it is not impossible to prove the perpetrator implementing cyber operations through these evidence. On the other hand, due to the multiple layers of aliases and proxies, it seems more difficult to obtain evidence proving control by a state over cyber operations. Regarding the attribution under international law, ILC articles on state responsibility clarify the substantive rules of attribution. The most relevant article applicable to cyber operations, which are likely to be conducted through proxies, seems to be Article 8 here. This article refers to instruction, direction or control, which requires certain specificity and strength of the influence of the state over the conduct in question. Evidence relating to the use of various components of IT infrastructure and relating to similarities among programs may be able to prove IT infrastructure used in cyber operations and possibly the perpetrator who implemented the operation, but due to the aliases and proxies it seems difficult to collect direct evidence proving instruction, direction or control by a state. With regard to the issue of evidence, the Corfu Channel judgment said, when a victim state is unable to present direct proof due to the exclusive territorial control by the respondent, such a state should be allowed more liberal recourse to inferences of fact and circumstantial evidence. In addition, indirect and circumstantial evidence is to be accorded special weight when it is based on the series of facts which are linked together and lead logically to a single conclusion. That judgment also indicated the relationship between gravity and standard of proof. Judge Higgins in her separate opinion on the Oil Platforms judgment referred to the general agreement that grave charges require higher standard of proof, so this 
should also mean that less serious charges would require lower standard of proof. So the violation of sovereignty is not so serious as use of force or genocide, and evidence on attribution of cyber operations emanating from other states is difficult to obtain, so recourse to indirect and circumstantial evidence should be allowed and the standard of proof for violation of sovereignty should not be as high as in cases concerning use of force or genocide. However, in order to lead logically to a single conclusion of the existence of instruction, direction or control by a state, facts showing a strong influence of a state over the IT infrastructure used in cyber operations or over the perpetrator must be collected and linked together. Here are some cases indicating the existence of such evidence, but unfortunately their details are not published, so at the moment it is difficult to say whether it is possible to obtain sufficient evidence for proving attribution to states. Considering this uncertainty, as an alternative path to state responsibility, applicability of due diligence obligation should also be considered. ICJ confirmed in the Corfu Channel judgment every state's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other states. This obligation exists as a general obligation under international law, and there is a consensus that existing international law applies to cyberspace, so there are states, including Japan, which think this obligation applies to cyber operations. However, UN members have not yet agreed on whether it applies to cyber operations. In order to address the concerns of some states about its extensive application, I think it is important to clarify and discuss its core content. In this regard, jurisprudence relating to the concept of due diligence should be referred to. Among that jurisprudence, the Alabama arbitral award pointed out that due diligence obligation ought to be exercised in proportion to the risk, and Bosnian Genocide 
judgment characterized obligation to prevent genocide as due diligence and found its violation by FRY's failure to use its capacity to influence the Bosnian Serb army. In my view, the proportionality to the seriousness and obligation to use the capacity to influence are inherent in the nature of the due diligence, so this should be agreed as core content of the due diligence obligation applied to cyber operations. This core content would mean, if a state is financially or otherwise supporting a non-state actor and becomes aware of the risk of the actor to engage in serious cyber operations damaging critical infrastructure of other states, the state must stop its support. Here is the summary of my presentation. Violation of sovereignty should not be excluded from primary rules of international law applicable to cyber operations, and due to the layers of aliases and proxies it seems difficult to obtain direct evidence showing states' control over actual operations, so recourse to indirect and circumstantial evidence should be allowed and standard of proof should be lowered for less serious charges. Evidence showing states' influence over IT infrastructure used for cyber operations and perpetrators should contribute to the proof of attribution, but it is difficult to say whether it is possible to obtain sufficient evidence for proving attribution to states. Therefore the application of due diligence obligation should not be denied and discussion on its core content should commence. Thank you very much for listening. Okay, thank you for both of those presentations, and I think now the schedule calls for the three of us, Yuval, Tomohiro and me, to get together online live, so if our tech people could arrange that, that would be great and we can start the discussion. Tomohiro and Yuval, are you here? Excellent, thank you. So the first question here comes from Laura Dickinson and it raises a question which I had too. She asks whether the, you, Yuval, proposed to use human rights 
mechanisms as a model for developing an attribution mechanism, and she asks how do you propose to address the weakness, namely that states often stonewall special rapporteurs because state consent is required for access and so on, and therefore you don't get the, the information that you need. I had a similar question in that, which is that many states will just not be willing to give up the information that they have because of that attribution. I know the United States certainly wouldn't be willing to give up information, much information, about attribution because it comes from sensitive sources and methods, so I was wondering how you would address that question.

Right, hi there, and I was also asked by Ido Kilovaty, and I have raised this, this question by mistake, about the Cyber Peace Institute, so maybe if there is time I can also take this issue as well.

We will.

So, so on Laura's question, well, it's a great question, and, and of course, I mean, the human rights model has, has many interesting dimensions but also many disadvantages, which, having served eight years in one of these bodies, I'm painfully aware of. But I think what two major differences are: one, I mean, when talking about human rights fact finding, normally one is talking about entering into one country in order to ascertain violations committed by that country vis-a-vis its own population. Here I think that the, the problem pattern that we are thinking about is, that is somewhat, is somewhat different. Here we're talking about a state that has been the victim of a cyber attack that originated from another state, so this is a little bit more like the UK Salisbury attack, when you have a state A committing an attack against state B, and state B is actually interested to go out of its way to cooperate with the investigation in order to generate an international finding that would help it diplomatically to turn the table vis-a-vis the attacking state. And this also goes to your point, Herb, about the issue of cooperation. Of course, a state that
has its own capacity and its own diplomatic possibilities, opportunities, they may not need such a mechanism. But if you take a mid-sized state which may have limited technological capacity and also very limited diplomatic weight, so to speak, for such a state, I mean, being transparent vis-a-vis the mechanism, of course everything could be still protected by all sorts of confidentiality safeguards, for this state this is not a bad, this is not a bad deal, to get an official finding by an international body that it was the target of an attack. So if Ukraine, for instance, wants to leverage, to basically assemble public opinion vis-a-vis Russia in a cyber conflict, I think it is, it is more likely than not that they will be quite cooperative with an international technical body that would actually look at the evidence, look at the computers and assess the data that is available there. And just on the side...

No, please continue.

I was going to say, on the Cyber Peace Institute, the question by Ido, I think that's a great step forward, but of course the Cyber Peace Institute is not an international mechanism for fact finding. It's a mechanism that collects a lot of information about cyber attacks, it includes transparency, it provides, it developed tools, it would also develop norms, but it does not engage in specific investigations as to who, who did it, I mean, who was behind specific attacks, and this is the gap that we're working on.

So Yuval, I think that your proposal, I mean, you made a very clear and compelling case, I think, for the idea that a mechanism is necessary and would be helpful, and I think you have said just now, tell me if I'm wrong, is that if this is going to work, it's going to require full access to, at least, at the very least, the targeted nation's, uh, computers and, and so on, to, to gather forensics and, and, and, and the like, uh, and may in fact require a range of other information, perhaps available from other sources, uh, to contribute to the judgment, is, and then if it doesn't have that, uh, it's
like, to the extent it doesn't have that, it's likely to not succeed.

Yeah, I, I think you would need to have, uh, you, you need to have a high degree of access to the, so, so to speak, crime scene, uh, to the forensic, in order to get the forensic right, forensics right, otherwise I don't think it's going to be very useful and it's not going to have credibility. Uh, I mean, we, I mean, states already do that with private companies, it's not so exceptional. I mean, states do bring in private cybersecurity companies to conduct these sort of investigations and they sign them on to confidentiality agreements, and I think you can envision that the similar, a similar arrangement would be undertaken with, uh, with an international, interstate attribution mechanism that would be bound to the same confidentiality requirements.

Okay, um, so, uh, Michael, uh, Pazanski, uh, and Michael, uh, asks, also ask you, can you speak to the barriers of, uh, associated with collective attribution, uh, given the issues of sources and methods?

Yeah, I mean, exactly, this is currently how, this is really the, the, the current impediment that we have, because we do have collective attributions at this point in time, but the, it's basically, uh, based on some leap of faith. I mean, states are willing, so, so, so some very close allies, I mean, the Five Eyes, what have you, they share intelligence. Okay, so there are some countries that share, uh, with each other intelligence, and within this small cluster of countries there isn't really a problem. But once you start widening the scope, and if you really want to get dozens of states on board, it, this, this may not work unless you find ways to generate trust. So basically just taking a state on its, uh, on, on, on its word, I mean, this is, this is not likely to fly very high, and it's going to look as if the states that have, you know, uh, joined ranks with the state that have been attacked have done this out of political reasons and not because they are trying, you know, to uphold the legal principle, and that
would make also the collective attribution considerably, uh, less persuasive in the court of world opinion, and, and would also raise question marks, especially if some legal measures are attached to that, such as, you know, freezing, uh, freezing bank accounts, the issuing personal sanctions, or taking even hackbacks or what have you. So, so, uh, so this is really what's the impediment that we are seeing now, and the proposal here is really to fix this by creating, you know, introducing an option and mechanism option for states who are willing to share. Of course, states who are not willing to share information would still have to go it alone and, and, you know, rely on trust that they are able to generate, but, but for some states this could be an, an opening.

Okay, thank you. Um, uh, the question for, uh, Tomohiro from, from, uh, Professor Kanahara, uh, who asks whether it is possible to apply, um, uh, the, uh, Article 8 from the Articles of State Responsibility, because of, uh, the unclear definition of instruction, direction and, and, and control. Uh, so I was wondering if you could respond to, to that question.

Yes, uh, thank you for the question, uh, Professor Kanahara. Um, I agree these, uh, uh, terminologies are not clearly defined, so it is, uh, not appropriate to rely on each term in detail, but I think the, the general thrust of this Article 8 is you need to explain certain specific, specificity about, uh, you know, attribution, uh, some influence by the state over the perpetrator, who are arguing for, uh, the attribution, uh, to the state. And, uh, generally speaking, it is difficult to get, uh, obtain, uh, information, evidence, uh, directly showing the, uh, you know, uh, strong influence of, uh, state over the perpetrator. So I don't, I agree that this, uh, article itself is not, uh, clearly defined, and, but still it has a kind of, uh, indication that you need to be careful when you are attributing to a state, and you need to show some evidence showing a strong, uh, connection to state.

Uh, okay, and I'm going to take one, one more from, uh, uh, Eric Jensen.
Hi Eric. Um, uh, that, uh, our keynote speaker stated, uh, with that, with respect to that sovereignty, uh, can't be assumed, uh, the customary rule on other domains automatically applies into the cyber domain, that is, you can't assume the sovereignty right there. Do you agree with that, uh, statement with respect to sovereignty, Tomohiro?

So I couldn't hear your question, um, could you repeat?

All right, it's in, it's in the, uh, chat if you want to take a look. Um, the, our keynote speaker said that, uh, with respect to sovereignty, that it can't be assumed that the customary rule on other domains automatically applies to cyber. Do you agree with that, and does it strengthen your argument, uh, here, uh, that's due, due diligence?

Yeah, um, that is a very good question. I think, uh, generally speaking, uh, existing international law should apply, and, uh, in my view, you know, uh, violation of sovereignty and due diligence are general principles and general obligation of states, uh, which should apply to any areas of international law. But on the other hand, cyber, uh, space has its, uh, kind of a, uh, unique character, and it is, uh, you do need to be very cautious in applying these general, uh, a little bit ambiguous concepts to this particular unique, uh, space. So I, uh, my approach is probably different from the keynote speaker. I'm starting from the, uh, applicability of the general obligation, uh, to cyberspace, but I also agree that approach, uh, must be very careful and cautious, so, uh, special, uh, character of cyberspace should be taken into account when applying this, uh, general obligation. Thank you.

Okay, thank you. I think that's it for our time, uh, here. Thank you very much, uh, for all of, uh, the questions. Again, apologies to people who have not been able to get into queue.

Thank you, gentlemen, thank you very much, and Dr. Lin, thank you for moderating it, and again I thank each of you for joining us at what is most notably inconvenient times for all three of you. We appreciate that. Um, and at that we will turn to our lunch break. We will
come back on at 3:30 for a panel that is co-sponsored by the Royal Air Force, and that panel will address perfidy, ruses and blockades in cyberspace. Interesting, to be sure. Thank you again very much and have a wonderful lunch.

Welcome back from the break, everyone. It's now my great pleasure to introduce the moderators, plural, for, uh, our next panel. Um, Air Vice-Marshal Tam Jennings OBE is the Director of Legal Services of the Royal Air Force, and during her distinguished career in the RAF she served in myriad roles, including deployments to Kosovo, Oman, Bahrain and Canada, alongside Headquarters 1 UK Armoured Division. Her operational tour advising the UK red card holder, sorry, in the CAOC at Al Udeid saw her awarded an AOC's commendation. Air Commodore Mark Phelps, he's the Deputy Director of Legal Services for the Royal Air Force. He served as legal advisor to special operations command elements in Afghanistan and acted as chief advisor to the Operation Unified Protector, which is the 2011 campaign in Libya. He's also currently undertaking research for PhD focused on the legal, ethical and moral implications for autonomous warfare. So ma'am, over to you.

And thank you, Kieran, thank you very much. Um, firstly I must thank, uh, Rear Admiral Chatfield, um, for her kind words yesterday, and also Professor James Kraska for the invitation today, and also for allowing Kieran the opportunity to organize this conference. It's no surprise to me that what I've seen so far has been first class. It is my great pleasure, alongside my colleague Air Commodore Mark Phelps, to act as a moderator for this panel. He'll ask the questions. To avoid confusion, uh, in typical officer, senior officer fashion, um, I delegated that part of the moderation to him. Um, the use of ruses and blockades have a long history in the art of war, as has the condemnation of killing by treachery, so this panel will look to clarify how, if at all, such longstanding methods of warfare apply in an era of cyber operations. So without further ado, let me introduce our first
panelist. Kubo Mačák is a legal advisor in the ICRC's legal division, and he's also the general editor of the Cyber Law Toolkit, which is an inline, an online interactive resource on the international law of cyber operations. Kubo, over to you.

Good afternoon from Geneva. Uh, it is a pleasure to be here and to speak today about cyber deception during armed conflict on behalf of the International Committee of the Red Cross, and so during today's brief talk I'm going to focus on specifically rules on perfidy and ruses of war as they apply in the cyber context, and I'll try to illustrate it on a few practical examples. So before we begin, we have to ask ourselves what we actually understand under deception, and, you know, weaving together approaches from military doctrine and psychology and general dictionary definitions, let me propose the following working definition: that under the deception we're going to understand the use of measures that are designed to mislead another by either manipulation, distortion, fabrication or falsification of information in order to induce the misled party to act or fail to act, as the case may be, in a way that's prejudicial to their interests. Now, in the cyber context, when we talk about deception, this may relate to a number of things. It may relate to the origin of the cyber operation, so meaning where it is actually launched from, so we can think of, you know, false flag operations as those that deceive as to the origin of the operation. It can deceive as to the nature of the cyber operation, you know, uh, it can masquerade emplacement of malware as legitimate communication, or the effects of the cyber operation, so it might appear to freeze computers, but in fact what it does is it wipes the data of those computers. And it can also relate to information that concerns persons, objects or events in the physical world, and we will see that, how that can happen, on some of our examples. So when we talk about deception in the context of IHL, of course for the ICRC the step is
that IHL as a body of law applies to cyber operations during armed conflicts. Now, this is still an issue that is being debated by states, but I think it's fair to say that a growing number of states accept and affirm the applicability of IHL to cyber operations during armed conflicts, and so this is going to be the premise on which the rest of the talk is made, or is based. But that being said, we have to acknowledge that IHL is not the only legal framework, or not even often the most appropriate legal framework, for all conduct, even during an armed conflict, and so what is relevant here is that the act in question or the conduct in question must have a sufficient link to an ongoing armed conflict. So, you know, what we refer to this, to this test, is the nexus requirement, and it's maybe better illustrated on a specific example. So in the cyber context, if we have a non-combatant who uses deception to infect some computer systems with malware, and then this person, this non-combatant, attempts to extract ransom from the users of those computers, now this is clearly a cyber operation involving deception. It might even take place during an ongoing armed conflict, and it might even take advantage of, for example, the lesser effectiveness of the police during the armed conflict, but it would still not be governed by IHL because of its lack of nexus to the conflict, and so, you know, the applicable legal framework to assess such a cyber operation would be the domestic criminal law in the territory in question. But now there are of course many operations that will have this nexus, so let's have a look at how IHL will apply to them. Now I would propose that we put these types of operations on a so-called deception spectrum. So let's start with examples that are clearly prohibited, and so this is the notion of prohibited perfidy, and in identifying the elements of prohibited perfidy we are basing ourselves on Article 37, paragraph 1 of Additional Protocol I and also Rule 65 of the ICRC customary
international humanitarian law study, and so on that basis we see that the key elements are that the cyber operation needs to relate to a protection that's provided for in IHL, for example the protection of civilians or protection of civilian objects against attacks. Then this cyber operation must invite the confidence of the adversary that they are either entitled to receive this protection or that they must accord this protection to someone else. Then thirdly, there is a condition that the perpetrator must intentionally betray the adversary's confidence, so it invites and then betrays that confidence. And then finally, the cyber operation in question must result in the adversary's death or injury, and in the ICRC's view also capture, and I would say that, perhaps with the exception of that last word, the rest of the definition is not so controversial even under customary international law, although I'm very happy to discuss it in the Q&A afterwards. Now, moving on with our spectrum, on the other side of the spectrum we have permitted ruses. Now, permitted ruses are cyber, in the cyber context are cyber operations that do rely on deception to mislead the adversary, because if it didn't rely on deception we would be outside of the scope of today's panel, today's, of my talk and of what we are doing. But there are two additional conditions. The second condition is that the cyber operation itself must not infringe any rule of IHL, and then the third condition is that the cyber operation does not invite the confidence of the adversary with regard to the protection under IHL. And so together these three conditions can be identified on the basis, again, of Article 37, but now its second paragraph, in Additional Protocol I, and it also reflects the rule as it was identified in the ICRC's customary international humanitarian law study in Rule 57. Now, often when perfidy and ruses are discussed, this is where the investigation ends, but I would put it to you that the spectrum actually consists of quite an
important part of the types of conduct that fall between perfidy and ruses, and so this is the area or the idea of non-prohibited perfidy. Now, in the words of the ICRC's commentary on Additional Protocols, between prohibited perfidy and permitted ruses of war there is, quote unquote, a sort of a gray area of perfidy which is not explicitly sanctioned as such. But what we must keep in mind is that even though these types of conduct that we might describe as perfidious, but because they will fail to meet all four conditions of perfidy they will not amount to prohibited perfidy, they may still fall foul of other rules of IHL. And so maybe the best way how to do that is to look at specific examples. So let me move on to three such examples, and for their discussion let's, let us assume that we are in an international armed conflict, for the sake of simplicity, so IHL clearly applies. And let me give you three examples that you can think about and see where you would place them on the spectrum that we have just discussed. So first of all, let's have a situation in which there is a humanitarian organization, we will not give you the name, which designs a phone application that's used by the beneficiaries. Now, unfortunately, one of the belligerents hacks into that phone application, and then using the platform, using the phone app that's, that was designed by the humanitarian organization, this belligerent starts sharing fake messages with the beneficiaries. And so what it does is, for example, it tells them to arrive at a certain destination where aid will be dispersed, and so the civilian population does that, and in doing so they block a bridge, and as a result the enemy cannot send reinforcements, which leads to a big military advantage for the belligerent that was active. So you see the, the element of deception. Now, I'm going to leave the legal analysis on the side for the time being. Let's now have a look at the second example. So the second example, here we have fake military networks. So what's
this, what does this represent, what is this idea? So this idea is that one of the belligerents sets up fake digital platforms, and it does that in order to dissimulate its own real military networks, and so the effect is that the enemy who wants to penetrate the military networks of first belligerent is spending a lot of time and a lot of resources trying to compromise the fake systems, and again this results in a military advantage to the first belligerent. And then thirdly, let's consider an example of a fake civilian airliner. So in this example, one belligerent gains unauthorized access to the enemy's air traffic systems, and so as it does that, it manipulates the system of the enemy to misidentify an incoming attack aircraft as a civilian airliner. So there is an incoming attack aircraft, but because of the unauthorized access to the enemy system it gets mischaracterized, misidentified, as a civilian airliner, but then the military aircraft conducts a successful attack against the enemy which results in the deaths of combatants belonging to that side of the conflict. So again, third advantage through the means of deception. Now let's move back to our spectrum that I described earlier on. So how would we analyze these cases? So let's start firstly with the military networks. Now, clearly this cyber operation relies on deception to mislead the adversary, right, because it leads them to believe that these networks have a military value, but it does not infringe any rule of IHL. There is no rule of IHL against creating false networks, and in fact decoys are expressly mentioned in Article 37, paragraph 2 as a permissible ruse of war. And then finally, the cyber operation does not invite the confidence of the adversary with respect to protection under IHL, because the networks, even if they were real, they would constitute the military objective, so they would not be protected under IHL. So we can place this example under permitted ruses. Now secondly, let's take the civilian airliner. Now this, I would
put it to you, much more clearly falls under prohibited perfidy. Why? Well, we mentioned four conditions. So first of all, there must be a protection provided by IHL. Yes, here we have the protection of civilian objects, like, like a civilian airliner, against attack. The operation must invite the confidence of the adversary that they must accord that protection. Yes, they believe that they cannot attack this, that this supposed airliner. Then thirdly, the perpetrator must intentionally betray the adversary, and so again, yes, this condition is met, because it betrays the confidence by using that confidence to launch an attack through the actual military aircraft. And then finally, the cyber operation must result in the adversary's death, injury or capture, and we have said that the attack was lethal, so this operation would qualify as prohibited perfidy. And then finally, we have the fake aid application, the fake aid or the abuse of the humanitarian app. So I would put it to you that this falls somewhere in the middle, because the operation does not meet all of the four conditions of perfidy, and specifically it does mislead someone, but it does not mislead the adversary, right, so it doesn't meet the second and the third condition, because it does not invite or betray the confidence of an adversary, but it invites and, and perhaps betrays the confidence of the civilian population, of the beneficiaries of this app. So as regards, as far as the spectrum of, from perfidy to ruses is concerned, such an operation does not violate the prohibition of perfidy, but that does not mean that the operation is permitted by IHL. It could amount to a violation of number of different rules of IHL, which we don't have enough time for today, but it could be the misuse of established indicators, right, if this is an app that uses, for example, the red cross as its emblem. It might amount to a violation of the obligation to respect and protect humanitarian relief personnel, and it might also amount to a violation of the prohibition on
the use of human shields. So there might be other rules of IHL that would be implicated by this particular operation. Now, if you would like to explore these issues further, as you might know, the ICRC is involved in the Cyber Law Toolkit project along with several partners, and so just a few weeks ago we actually issued a big update of the project, and one of the new scenarios focuses specifically on cyber deception during armed conflicts. So if you look at that particular scenario, which is Scenario 15, you will find some of the case studies I mentioned today and much more, and I hope you will find it useful, and I hope that you found this presentation interesting, and I look forward to continuing it in the Q&A afterwards. Thank you.

Great, thank you. Our second speaker is Jeff Biller, who is an assistant professor of cyber law and policy with CyberWorx, which is a department of the United States Air Force Academy. He's also the co-director of the Air Force Academy's law, technology and warfare research cell. Over to you, Jeff.
Hello, my name is Jeff Biller. I'm an assistant professor of cyber law and policy and the co-director of the law, technology and warfare research cell at the United States Air Force Academy. I'd like to issue a very special thank you to the Stockton Center for inviting me to participate in this conference. The Stockton Center has a very special place in my heart, having spent three wonderful years there. As indicated on the screen, today's discussion is on protected indicators in cyberspace. A long-held protection under IHL exists for aid organizations such as the ICRC and observer organizations such as the UN. These groups are distinguished through the use of various indicators governed by an extensive body of law, international humanitarian law. The basic notion of extending the body of IHL regarding these indicators into cyberspace is uncontroversial. However, a full agreement does not yet exist as to what constitutes recognized indicators in the cyber domain. The IHL rules against the improper use of protected and recognized indicators developed as a recognition to the need to protect certain classes of individuals, organizations and locations on the battlefield from targeting by combatants. As such, the law focuses primarily on these emblems' use as concrete visible representation. Although it is unlikely that the use of protected indicators in a purely electronic environment was initially envisaged, I believe the language within the relevant articles is broad enough to encompass its extension into the cyber domain. The First Geneva Convention defines the emblem of the Red Cross and delineates its permissible use. Specifically, GC I states that the emblem and the words Red Cross may not be employed, either in time of peace or in time of war, except to indicate or to protect the medical units and establishments, the personnel and material protected by the present Convention and other Conventions dealing with similar matters. Similarly, Article 38 of AP I prohibits the improper
use of the distinctive emblem of the Red Cross, Red Crescent or Red Lion and Sun, and also to make use of the distinctive emblem of the United Nations except as authorized by that organization. The 2016 commentary to GC I notes that the GC emblems may serve both as a protective device, indicating protection under the Convention, and as an indicative sign, demonstrating a connection to the organization of the International Red Cross and Red Crescent. Although the indicative use does not imply that the bearer holds protections under the Convention, its improper use is still prohibited. AP I does not address the indicative use, focusing on the protective use, which provides a visible sign of the protection conferred by international law on certain persons and objects. Unlike misuse of the emblem as an indicative sign, the ICRC customary international law study found that a misuse of the protective function could implicate the prohibition on perfidy. GC I Article 53 further expands the law relating to the GC emblems, including any sign or designation constituting an imitation thereof, whatever the object of such use. By including imitations thereof, such as the abbreviation ICRC, Article 53 broadens the prohibition and suggests that abbreviations or approximations of the words Red Cross that are meant to imitate an official representation would violate this prohibition. AP I also prohibits the unauthorized use of the distinctive emblem of the UN. However, the treaty law governing the UN emblem is less expansive than that of the Red Cross emblem and protects neither the words United Nations nor approximations thereof. Additional categories of protected emblems, signs and signals established under international law include the Hague IV and AP I prohibition against the improper use of a flag of truce and the AP I prohibition against the deliberate misuse in an armed conflict of other internationally recognized protective symbols, signs or signals. Recognized protected indicators
include those markings that indicate objects or locations such as installations containing dangerous forces, cultural property, among others. Unlike the prohibition on perfidy, there is an absolute character to those prohibitions, meaning that there is no requirement for a particular result following the prohibited misuse. Extension of the basic rule prohibiting making improper use of the protective emblems, signs or signals that are set forth in the law of armed conflict into the cyber domain is relatively uncontroversial. However, protected indicators signal the ability to trust, and trust plays a prominent role in network security systems, which depend on forming trust relationships between parties before allowing access and sharing information. Masquerading as a party known to be a trusted agent by a target system is a frequently used method of defeating network security. There are many other cyber methods that involve violations of the trust relationship, but addressed here are variations on phishing, internet protocol spoofing and domain name spoofing, and these are mentioned as a way of contextualizing and exploring these rules. First is the use of phishing, a type of social engineering, to manipulate authorized system users into providing information and thus allowing unauthorized system access. This manipulation occurs in the cyber context through the use of email, e-messaging or online communications. The Tallinn international group of experts, the IGE, addressed this situation, citing the example of an adversary sending an email with the bare assertion that the sender is a delegate of the International Committee of the Red Cross. The IGE found no misuse in this example despite the use of the words Red Cross. Although GC I Article 44 specifically protects these words from unauthorized use, the presumed argument is that the operator's use of the words Red Cross is not formal enough to be considered as an emblematic identifier. However, if the words were employed in a more formal
manner, such as in an email signature block, letterhead to an attachment, or another manner formally indicating an official Red Cross document, there is a much stronger argument that the use violates the GC I Article 44 prohibition. The second type of operation is a related type of phishing campaign, but with the aim of tricking the target operator into taking cyber-based self-defeating actions. This method uses social media, messaging and websites to induce the target into either downloading malicious attachments or following web links to malicious websites. Like other types of social engineering, these attacks rely on the target operator trusting the email, website or attachment such that they will take the desired action. Protected emblems could easily be implanted into the email message or website to induce trust in the target. As the actual protected emblem would clearly be used in such an unauthorized manner, this is a clear IHL violation. The Tallinn IGE came to the same conclusion on this question. A third method illustrating misuse of emblems is IP spoofing, or internet protocol spoofing. Here cyber operators attempt to gain unauthorized system access by creating a malicious message that appears to originate from a trusted machine, imitating its IP address, for example spoofing an IP address associated with the ICRC to defeat a firewall that relies on IP addresses for filtering. The primary question is whether IP addresses should be viewed as a legal indicator of a protected organization. This view is logical given the widespread use of IP addresses as trust indicator by cyber operators. For example, a defensive operator may specifically program a firewall to permit connections from ICRC or UN IP addresses during an armed conflict. These connections may allow communications regarding the treatment of wounded or prisoners of war. If an adversary were to spoof these IP addresses, the network operator may be forced to block communications from these previously trusted sources. Permitting
a party to a conflict to represent a communication as coming from the ICRC or UN appears to run counter to the intent of IHL. Article 31 of the Vienna Convention on the Law of Treaties states that a treaty should be interpreted partly in the light of its object and purpose. However, the same treaty also states that treaties should be interpreted in accordance with the ordinary meaning to be given to the terms of the treaty in their context. Provisions governing use of the emblems suggest an element of general awareness or recognition of the emblem as such. Thus it is unlikely that a spoofed ICRC IP address could be considered as an imitation of the emblem under the Article 33, Article 53 standard, given the lack of general awareness as to what the sequence of numbers in an IP address specifically indicates. The fourth method for analysis involves the spoofing of email addresses or domain names. By spoofing an email address such as ic@icrc.org in the recipient's from field, the operator hopes to induce either the target system to allow the email through the firewall or a target individual to trust the contents of the email. Once this trust is established, the operator may then use that connection to conduct the next phase of a cyber operation. Similarly, a domain name system hijacking operation may send an unwitting target attempting to access the icrc.org or un.org websites to a spoofed website containing malicious links or false information. Here the focus is on domain names, which serve to provide users with a recognizable identity to resources found on the internet. Although related to IP addresses, domain names differ in that they often contain an organization's name or abbreviation, as opposed to the numerical designator of an IP address. The narrower protection for the UN emblem, which does not include the name United Nations or approximations, eliminates its applicability from this analysis. The relevant question as to the Red Cross is whether a spoofed email address or domain name
containing the words Red Cross, the acronym ICRC or similar abbreviation would constitute an imitation thereof. The Tallinn IGE struggled with the issue and laid out two potential approaches. The first approach argued that the email address and domain names are not protected indicators because they do not constitute electronic reproductions of the relevant graphic emblems. This approach may overlook the prohibitions in Article 44 and 53 on the unauthorized use of the words Red Cross, or an imitation thereof, when they function as an indicative or protective emblem. The second approach found the key factor to be the use of an indicator upon which others would reasonably rely and extending protection provided for under the law of armed conflict. Thus the imitation of the icrc.org domain name or email address would be an unauthorized use because, as the IGE states, it invites confidence as to the affiliation of the originator. Although the IGE does not reference Article 53, this view would be consistent with the article's inclusion of any sign or designation constituting an imitation thereof. Given the ubiquitous use of the acronym ICRC, it would be hard to argue that it does not constitute an imitation thereof. Therefore the second approach of the IGE appears to be a more accurate reflection of it. The various methods of phishing and spoofing are not the only types of cyber operations that implicate the rules against misuse of protected emblems. However, they highlight methods in which protected indicators might be used in remote access cyber operations. They also serve to help identify which cyber indicators could constitute protected indicators and reveal gaps where adversaries could take advantage of the trusted nature of organizations such as the ICRC and UN to conduct offensive cyber operations. Thank you very much for your time, and I look forward to your questions.
Thank you. And our third presenter is Professor von Heintschel von Heinegg, who holds the Chair of Public Law at the
European University Viadrina in Frankfurt, Germany. He's also a former Charles H. Stockton Professor of International Law at the US Naval College, and he contributed to Tallinn 2.0 on the international law applicable to cyber operations. I'm looking forward to hearing this presentation. Thank you.
Ladies and gentlemen, let me first of all thank the organizers for having invited me to this very interesting and, I think, important workshop. I am von Heintschel von Heinegg from Germany and I have been tasked to talk about cyber blockades. But before I start I would like to clarify some basic issues. So when I'm talking about cyberspace, I'm not using any of the proposed definitions, but, as the Joint Chiefs of Staff of the United States, I'm looking at cyberspace from the perspective of the three layers model. But irrespective of all this, it is quite clear that the special characteristics of cyberspace are of course interconnectivity and ubiquity. Now when it comes to the notion of cyber operations, I'm again making use of the recent DoD Law of War Manual. So we are talking about cyber operations if and to the extent we are employing cyber capabilities with the primary purpose of achieving objectives in or through cyberspace. One of these, or two of these, objectives could be the disruption or the denial of data or information resident in the respective target systems. So this begs the question of whether the disruption or denial of data to a given state or from a given state would qualify as a cyber blockade. Well, of course, if what you see here on the world's map are the world's IP addresses, and of course arguably denying the access or the transmission of data, let's say to the US East Coast, or the transmission from the US East Coast to other countries, could arguably qualify as a blockade. But let us first look at what a blockade is. A blockade is a method of warfare. Of course it is characterized by the line, in the case of naval warfare, which other vessels may not cross either from the
inside or from the outside. The consequence of any such breach of blockade would be the capture of the vessel. The same holds true for aerial blockades, this in spite of the fact that aerial blockades were only considered as being a method of air warfare recently. The sources which apply to blockades, naval and air blockades, are, as you can see, considerably old. We have to go back to the 1856 Paris Declaration. Then we have two informal documents, such as the 1909 London Declaration, just one provision of the Oxford Manual of 1913. Arguably Article 70 of the Additional Protocol, at least for the states parties to that treaty, would be applicable to blockades. And then again we have two private drafts: the 1994 San Remo Manual on the law of naval warfare, which more or less repeats the rules of the 1909 London Declaration and the 1856 Paris Declaration, and finally the 2009 Missile Warfare Manual on aerial blockades. What all these rules have in common are the following requirements. Blockades must be declared and notified. They must be applied, that means also enforced, impartially, including your own aircraft and your own vessels. They may be maintained by a combination of all lawful means of warfare, and the blockade is valid only if it is effective, which of course is a question of fact. Access to neutral territory may not be barred, and there are two further requirements of a humanitarian design which are not all too relevant for cyber. So can we imagine a situation for these traditional rules, that have been developed for naval and aerial blockades, to apply to a cyber blockade? But of course, arguably, the prevention of egress or ingress of data traffic and information to and from the parts of an enemy state would arguably qualify as something which would deserve the name cyber blockade. If you look at some of those who propose the notion of cyber blockade to have become part and parcel of international law, they are referring first of all to the 2007 cyber DDoS attacks against Estonia, and
secondly they are referring to the 2008 cyber operations against Georgia in its armed conflict with the Russian Federation. And in fact in that conflict we had again DDoS attacks, quite sophisticated, and we had a defacement of public websites, and, what is more interesting, Georgia's internet traffic was blocked, or could be blocked, almost entirely because it was then depending on routes through the Russian Federation. Now if we took the position that any of these situations qualified as a cyber blockade, then the law of blockade would have to be observed. In other words, such a blockade needs to be declared and notified, it must be enforced impartially, and in order to be valid it must be effective. In other words, there must be a high probability that all data can no longer be transmitted from or to the blockaded territory, and this is already reflected in the law as it stands today. What about a cyber operation which merely has internal effects, such as in the case of the DDoS attacks against Estonia or Georgia? And finally, just consider the cutting of a submarine communication cable that would compromise the connectivity of the target state. Would that have been qualified as a blockade, or as an operation subject to the rules that were drafted for naval or aerial blockades? Well, if you look at the Tallinn Manual you may be very disappointed. Of course some of the experts believe that there were some similarities between a traditional blockade and a cyber operation that would at least deny the transmission of data to or from a given state, but at the end of the day the international group of experts was not able to arrive at any consensus. So the only rules they provided in the Tallinn Manual 2.0 were on traditional blockades which are enforced including by cyber means, but the experts were not able to arrive at a consensus according to which a concept of a cyber blockade would already be part of international law as it exists today. And let me add that it's never a good idea to draw
conclusions by analogy. This was already done in 1923 with the Hague Rules on Air Warfare, where the experts there simply copied and pasted the law of naval warfare, and they replaced the term vessel with aircraft, and then they suddenly presented the 1923 Hague Rules on Air Warfare, however, as Spaight has rightly stated in 1947, without any precedents, without any cases, without any state practice that would allow any of the conclusions they arrived at in 1923. So I think we simply have to be patient. We should not hurry to apply some rules of the traditional law of armed conflict only because of some similarities with the interception of aircraft and vessels. Accordingly, the next letter is to be understood as follows: the concept of cyber blockade has not yet been recognized and has not yet become part and parcel of the law of armed conflict. The prevention of data transmission into or from a given country is, in other words, lawful and, if at all, subject to only a few legal restrictions, such as the rules on submarine cables. But let me remind you, the only provision on submarine cables is Article 54 of the 1907 Hague Regulations. So for the time being, any interference with the transmission of data to or from an enemy state in an international armed conflict is not subject to the rules applicable to traditional naval or aerial blockades. I thank you for your attention and I'm looking forward to the discussion.
Gentlemen, thank you very much for your very interesting presentation this evening. I think we'll kick off with a question to Kubo, if I may, picking up on your example you gave a little bit earlier in relation to the hacking of a humanitarian convoy. Can you elaborate on that a little, please, because I'm interested, if that isn't falling within perfidy, what rules of international humanitarian law do you think may have been contravened in those circumstances?
Okay, thank you for the question. So that relates to the sort of middle example that I mentioned during my talk. So we had this example of
a phone app that's developed by a humanitarian organization, and then the belligerents hacking into the application to achieve a military advantage through misleading the beneficiaries of this app. Now, like I said, this would not amount to a prohibited perfidy, but the rules that we would consider would be, I think, first and foremost, and that would be irrespective of which humanitarian organization it would be, as long as it would be considered an independent and impartial, so truly would be the obligation to respect and protect humanitarian personnel, because this application is meant to be used by human personnel, and so if someone takes control over it and uses this to the detriment, that then leads to the loss of trust in the provider of the application by the beneficiaries, and of course it also interferes with the activities of the humanitarian organization. But I think what can be more interesting, and then there is an overlap with Jeff's excellent presentation, is whether it could also amount to a misuse of protective indicators. And so this is something that we looked into in the scenario, but then it would depend which organization we are talking about. So if it was, as in the Cyber Law Toolkit scenario that I referred to, if the application was indeed run by the ICRC and it would use the denomination Red Cross in the application's name, then there are two interpretations, and so we detailed that in the scenario. But it's interesting to consider that by taking control over the application, the hackers thus are, at least under one interpretation, for the duration of their malicious cyber activity, they are utilizing this denomination Red Cross in a way that would not be consistent with Article 44(1) of the questions mentioned, and thus under this interpretation it would also amount to a violation of financial. So there are other rules that, it also depends on what exactly happens in practice, like the prohibition on the use of human
shields, but so I think I would highlight those two as the primary ones. Thank you.
Thank you very much for that. If I can pose a question to Wolff, please. The question we have is: if a state successfully manages to prevent the transmission of data in and out of another state, outside of the confines of an armed conflict, would you consider the sanctions would amount to armed attack, triggering, sorry, triggering a state's right for self-defense? Sorry, Professor, we've got you on, we've got you on silent.
I'm so sorry. Yeah, I'm getting too old for this. So I apologize. So triggering the right of self-defense would require an armed attack, so blocking data traffic into or from a country, well, hardly qualifies as an armed attack that would trigger the respective state's right of self-defense. And remember, it needs to be an armed attack, and if you follow the ICJ it would mean that it would be a very grave form of a use of force, and uses of force, as was stated by Roy Schöndorf in his keynote, they all require at least some damage, destruction, injury or death. So the mere blocking of data may result in inconvenience but would certainly not have the effects of a traditional use of force of a sufficient gravity to qualify as an armed attack.
Thank you for your comprehensive answer. I think we have a couple of questions in the Q&A now, if I can just turn to one, if I open up generally to the panel. The question is: is reasoning by analogy, that is, applying existing rule to an unregulated issue to the extent of the similarities between the two ratios on a legally relevant point, not a usual form of legal reasoning common to all legal systems and subscribe to the rule of law? Is it not based on the concept of equality before law and the idea of justice? And so looking there at taking what we have already in international law and applying it to cyberspace to see if we get to equality rules. I would imagine that's more aimed at the idea of blockade, so
perhaps Wolff, if you take that to begin with.
Yes, analogy is common to many, maybe even all, legal systems, but to use analogy in international law is, I think, not a good idea. International law must always be based on a sufficient consensus of states, and even though you may be able in theory to identify a gap, as for example with regard to cyber operations, that does not mean that you can borrow from existing rules only because there are some similarities. Because even if you accept it, which I don't, the concept of analogy in international law, then you would still have to identify that the gap has been unintended and, had the states taken notice of the gap, they would have regulated in a similar manner as they did in other areas. And I don't think that you can apply that in international law, so it simply doesn't work.
If you don't mind my hopping in, I would definitely agree with Wolff on what he just said, and I would also add that if you were, however, to do that analogy, I would think you would want there to be significantly similar circumstances in order to achieve that analogy. And the question with cyber is, are cyber operations so fundamentally different than other types of military operations that the analogy just breaks down too quickly? And I do think that's the case. I think there's such significant differences in how cyber operations work, how they're conducted, you know, all the issues that we've talked about today, right, the tangibility of data, the ideas of attacks, these are all such fundamentally different things in the cyber domain that even if you were to argue that you could reason by analogy, I think in this case it's just too attenuated and the analogy would break down too quickly.
Thank you. Kubo, do you have anything on this point at all?
Sure, I'm happy to come in. So let me try to advance a slightly different approach, and I'm putting off my hat as ICRC representative and kind of meet to be in a recovering academic. So my view of international law is that it's a harmonious system, and the states, we cannot only expect states to approach it on a very casuistic basis. International law does have also general rules of interpretation that states have agreed on, and so, you know, some of them are now considered to be reflective of customary international law, for example the treaty interpretation rules that we find in the Vienna Convention on the Law of Treaties. And perhaps we're not saying different things here, but I would argue that we cannot be so casuistic as to always expect that there would be a singular state practice and opinio juris for every situation that might occur, and so, because that's unrealistic, we also have these general approaches, general principles, general ways of reasoning and of interpreting agreed rules, and thus we might arrive through interpretations also without there being a specific amount of opinio juris and practice on every given situation. So that's my defense on this question.
Gentlemen, thank you all so much for your contributions. I'm being told that we are actually out of time, but I'm sure that the questions that are still in the Q&A box can be archived and maybe can be presented to you in different format for you to engage with at a later point. Can I thank you for your involvement today, though, and for your very interesting observations. Thank you.
Thank you, sir, thank you to all our panelists. We'll now take a short break and reconvene at 1430 hours, so about nine minutes.
Okay, well, welcome back. Last but by certainly no means least, we have our final panel today, which is co-sponsored with one of our co-sponsors here for the conference, the U.S. Air Force Academy.
I'm very excited to hear what the panelists have got to say on this issue, and let me first introduce our moderator today, which is Lieutenant Colonel Timothy Goines, who came to the Air Force in 2004. He currently serves as a senior military faculty assistant professor of law, U.S. Air Force Academy, and it is there that he teaches cyber law and serves as the director of the law, technology and warfare research cell. So sir, over to you.
Thank you very much, good afternoon. First, on behalf of the United States Air Force Academy, I want to thank the Stockton Center for hosting this week's conference and for inviting a number of us to participate. Thank you especially to Lieutenant Colonel Cherry and Squadron Leader Tinkler for their efforts this week in hosting what has been thus far a fantastic conference. For the third of three panels on cyber operations, we will begin by addressing the evolving state practice in cyber operations. As cyber capabilities near ubiquity, we are starting to see more and more states beginning to provide their views on how international law applies to cyber operations. For example, New Zealand recently published a position paper on the topic, and as you heard in this morning's presentation, Dr. Schöndorf spoke about Israel's position regarding the application of international law to cyber operations, specifically addressing topics such as whether data is an object, sovereignty, countermeasures, among others. As Dr. Schöndorf analogized it, this area of the law, it's like a tree, a nascent seedling just now growing roots. So it's very timely for us to discuss how state practice is evolving and how this tree is starting to function. We have three great panelists for our discussion. First is Professor Eric Talbot Jensen, a former army judge advocate who is currently serving as a professor of law at Brigham Young University. Over to the Stockton Center for Professor Jensen.
Hello, my name is Eric Talbot Jensen and I am a professor at Brigham Young University Law School.
I am happy to be a part of this conference on disruptive technology and international law and I'm especially grateful to be part of this panel on evolving state practice and cyber operations. I'd like to start by sharing my screen with you and walking you through some slides. This conference but especially this panel deals with disruptive technologies as you know. Now when we think of disruptive technologies there are lots of things we could think about autonomous systems, artificial intelligence, neuromorphic weapons, human brain machine interface, bio enhancement, virology, nanotechnology, quantum computing all of these things may be considered disruptive technologies and some have been on the top of the topics previously discussed in this conference. My task however is to talk to you about cyber operations and I believe that of all these interventions cyber tools are in a special category with respect to disruptive technologies. To do that I want to convince you of that. I want to take you for a brief moment into the business world. You see there a picture of Professor Clayton M. Christensen from the Harvard Business School. He introduced to the world this idea of disruptive innovation. I'll let you read the slide that describes what disruptive innovation is. I want to draw your attention to the fact that the innovation is not a breakthrough in technology rather the thing that makes the innovation disruptive is that it makes products that previously were not accessible now accessible and affordable to people. In other words it's not a leap forward in science but rather making those innovations those scientific innovations broadly accessible. As this slide reflects it's the simplicity, convenience, accessibility, and affordability of innovation that is most important. The impact is not because of a movement forward rather because of a movement across the field. Now here are three factors that make innovation disruptive. I've given three examples here. 
The long life light bulb, the personal computer, the smartphone. These innovations were not really leaps forward in and of themselves; it was really their accessibility that made them disruptive. The fact that now all of us had access to those kinds of tools. So let me bring this back to cyber operations. You see I have two pictures there. One a hacker, one a tank. Not many of us have neighbors who have tanks parked in their driveway, or battleships or carriers or Aegis cruisers or F-16s, etc. Those kinds of tools require state level resources. On the other hand, cyber tools don't require state level resources. Really, cyber tools are accessible certainly to criminal gangs, to transnational criminal gangs, to terrorist groups, and even to individuals. This devolution of state level violence through cyber tools to non-state actors and even individuals has forced states to seriously think about what that impact will be on national security. So this really brings me to the topic of the panel, which is how has this disruptive cyber technology impacted state practice? Well, here's what I believe. Now let me be clear. I am not one of those who is calling for new law or thinks current law is inadequate. However, what we do see through state practice is that states are starting to look at fundamental principles of international law in a different way because of this disruptive technology of cyber operations. So this course is, well, let me back up. If I don't think that we need new law, what do we do? Well, we evolve the law through state practice. Again, I think just on the fringes, but we evolve the law through state practice. So I want to focus us on state practice, and I want to particularly look at US state practice, and I know most of you are very well aware of these provisions, but let me briefly walk through these five provisions that I think reflect current US practice. The first is the 2018 US Cyber Command Strategic Vision, and let me just read that to you.
Superiority through persistence seizes and maintains the initiative in cyberspace by continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver. It describes how we operate, maneuvering seamlessly between defense and offense across the interconnected battle space. It describes where we operate, globally, as close as possible to adversaries in their operations. It describes when we operate, continuously, shaping the battle space. It describes why we operate, to create operational advantage for us while denying the same to our adversaries. Now, this strategic vision, really, I think about the idea of wherever they maneuver, and where we operate is globally. This was followed by the 2019 National Defense Authorization Act, and there are three specific provisions I would like to draw your attention to. First, section 1632. Section 1632 does two things. First, it provides expanded authority to conduct military operations in cyberspace, and again let me just read what Section A states. The Secretary of Defense shall develop, prepare and coordinate, make ready all armed forces for purposes of, and when appropriately authorized to do so conduct, military cyber activities or operations in cyberspace, including clandestine military activities or operations in cyberspace, to defend the United States and its allies, including in response to malicious cyber activity carried out against the United States or United States person by a foreign power. Second, and for those of you involved in intelligence law this will be especially meaningful, Section C says a clandestine military activity or operation in cyberspace shall be considered a traditional military activity for the purposes of, and then it lists a couple of sections of Title 50.
So this is transitioning what might have been argued were intelligence activities under Title 50, requiring intelligence oversight, into traditional military activities, making Cyber Command, the Department of Defense more generally, much more, giving them much more freedom of maneuver with respect to the use of cyber activities. Let me transition to section 1636. Also accomplishing two important things. First, it clearly states the policy of the United States on cyber war, cybersecurity and cyber warfare. Here is what it says, quote: it shall be the policy of the United States with respect to matters pertaining to cyberspace, cybersecurity and cyber warfare that the United States should employ all instruments of national power, including the use of offensive cyber capabilities, to deter if possible and respond to when necessary all cyber attacks or other malicious cyber activities of foreign powers that target the United States. Second, section 1636 directs the DOD to operate in such a way that it would impose costs on adversaries. Here's what subsection B says, quote: in carrying out the policy set forth in subsection A, which is what I just read, through response operations develop pursuant to subsection B, the United States shall develop and, when appropriate, demonstrate or otherwise make known to adversaries the existence of cyber capabilities to impose costs on any foreign power targeting the United States or United States persons with cyber attack or malicious cyber activity described in subsection A. We'll come back to that idea of imposing costs. Finally, section 1642 creates what many of us have termed as a mini AUMF.
This provision applies specifically to four countries, Russia, China, North Korea and Iran, and it specifically gives Cyber Command the authority to, quote, take appropriate and proportional action in foreign cyberspace to disrupt, defeat and deter such attacks under the authority and policy of the Secretary of Defense to conduct cyber operations, information operations as traditional military activities. Then finally, in March of 2020, the DOD General Counsel, Mr. Paul Ney, made this statement. He said a key element of the US military strategy in the face of these cyber threats is to defend forward. Implementing this element of the strategy begins with continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver, which we refer to as persistent engagement. Now to me this combination of recent US practice seems to promote a trend of being much more aggressive with respect to cyber activities, and not just at home but also abroad. In that same 2019 NDAA, in section 1652, Congress created a Cyberspace Solarium Commission. Oops, wrong way. Cyberspace Solarium Commission, here we go. And that commission was specifically tasked to, quote, develop a consensus on a strategic approach to defending the United States cyberspace against cyber attacks of significant consequences. This Cyberspace Solarium Commission was designed after a similar commission in the early days of the Cold War, and it was really established to figure out how we could, as a whole of nation approach, begin to defend better and to deter our adversaries. The commission included congressional and the executive branch representatives as well as representatives from the private sector. The report was released in March 2020, and the report advocates a strategic approach based on three themes: shape behavior, deny benefits, impose costs. Again, remember impose costs from the NDAA section that I mentioned.
One of the key factors in this strategic approach is layered cyber defense that embraces DOD's defend forward posture as essential to effective deterrence. Here's a quote from the Cyberspace Solarium Commission with respect to defend forward. The report goes on to define defend forward in this way. That wording I've highlighted in yellow seems important to me because it is in a sense a summation of all of the prior recent US practice I showed you. To defend forward we must be proactive in observing and pursuing and countering adversary operations and imposing costs, again not just on our own networks but on networks of others. So how do we do this? Well, we can't do it from our own networks. We must be outside our own networks and on the networks of others, but that might cause significant legal implications, which I hope you will get to in the question and answer period. Let me just sum up by saying where I think we are with current US practice. First, the United States, including the Department of Defense, must be proactively operating on foreign infrastructure, and again, I don't have access to classified information, though some of you do. I believe that now with this change we are proactively operating on foreign infrastructure. We act by permission where feasible, but by action where not. We act in conjunction with allies and partners where possible, but alone where not. We have an increased willingness to attribute harmful cyber activities, and you've seen that reflected in recent statements on attribution to various countries who have been involved in malicious cyber behavior. I would not term it as gloves off, meaning no rules, but I would say this more aggressive stance is a challenge to use our gloves to get involved in the fight and again to take the fight to our adversaries. Now I appreciate your patience with my slides. I am looking forward to questions and answers, and I hope to talk with you in real life here in just a moment.
Thank you, Professor Jensen. Second, we have Professor Ashley Deeks, who previously served as a legal advisor in the Department of State and who is currently the E. James Kelly Jr. Class of 1965 Research Professor and the Director of the National Security Law Center at the University of Virginia Law School. Back to the Stockton Center for Professor Deeks' initial remarks. Hi, thank you for having me join this great conference. I'm delighted to be a part of it. I am engaged in a broader project that is framed around this idea of a double black box. In the United States, national security is in many ways a black box. It is hard for Congress to oversee and regulate a range of intelligence and military actions. As many of you know, courts tend to be highly deferential, and classification issues mean that we're forced to rely on alternatives such as leaks, internal executive checks, constraints imposed by foreign allies, and even private companies these days that interact with the executive behind the veil of secrecy. And even with those alternative checks we're still in a highly imperfect system. So the goal of my project is to explore how adding tools such as those of machine learning specifically and artificial intelligence more generally into the national security ecosystem will exacerbate, or what I'm calling double, the existing black box problem that we run into in national security. So machine learning can, for example, exacerbate citizens' abilities to know what's being done in our name. And it may also exacerbate the ability of our usual proxies to know and to understand what the executive is doing. It may even undercut the strengths of some of these other tools that we rely on, such as leaks, interagency negotiations, the role of general counsels in some room. 
And yet I think many people in this room might agree that we are going to come under lots of pressure to adopt these tools in the military and intelligence setting because states like Russia and China seem very firmly committed to them. So how do we pursue these tools in a way that ensures that our executive branch pursues these tools while remaining faithful to our public law values? So my inquiry is more of a domestic law inquiry than an international law one, but international law obviously is a big factor in preserving those public law values by making decisions that continue to adhere to international law in the jus ad bellum and jus in bello space. Further, while the project is focused on the double black box inside the United States, the challenge it captures I think is likely also to hold true for a range of democratic states that are thinking about increasing their use of machine learning in the space. So how does this relate to cyber? Well, I recently wrote an article in International Law Studies, thanks to the Naval War College, that uses the looming likelihood of autonomous cyber operations to try to test some of these arguments. So one premise of the piece, and others have suggested this as well, is that we're likely to see a growing use of autonomous tools in the cyber setting, both in offense and in defense. Now there's admittedly a diversity of views about the likelihood of inadvertent escalation in cyberspace above the use of force threshold, but the possibility of what we might think of as flash crashes seems realistic when we're talking about two cyber algorithms that are confronting each other and having encountered each other before. We know that this kind of escalation took place in the stock market setting. Once we're thinking about the possibility of that kind of escalation, it's important to consider the existing roles of parliaments and legislatures in regulating states' resort to force. 
There are three main ways that parliaments tend to be involved in decisions about extraterritorial uses of force. They can authorize force ex ante, they can authorize force ex post, and they can provide ongoing oversight and funding to the operations. So why do we value legislative involvement in use of force decisions? Well, it creates an obvious avenue by which we can hold executive branches democratically accountable for their force-related decisions, and there's also a body of literature that suggests that legislative involvement can help states avoid bad wars. But of course for legislators to do their jobs they need to have access to a certain flow of information and they need to possess some level of confidence to understand the tools that they're confronted with by their executive branches. For some legislatures that is a big challenge, and even relatively big and well-funded committees such as those in the U.S. Congress have faced problems of getting full access to information about policies, legal interpretations and technologies that the executive branch in the U.S. is using. And in some systems the executive has a wide range of discretion to resort to force extraterritorially unless the level of armed force being deployed is significant. So against that background, how will growing cyber autonomy impact the role of legislators? How will it affect the ability of democracies to ensure that decisions to resort to force remain careful and deliberate choices? Well, I think it'll potentially do at least three things. First, it might empower further executive branches at the expense of legislators. Legislators will have less time to weigh in, especially once cyber exchanges begin. 
Legislators might suffer greater informational deficits about the fact that these autonomous systems exist as well as about what their capabilities are, and it may be harder to audit operations ex post to understand what transpired, especially where the tools involved the use of machine learning or deep learning. Second, it could empower militaries at the expense of other ministries such as the foreign ministries, justice ministries, these other actors that often have a role to play in national security decisions. That said, I do think there's some possibility that the growth of algorithm-driven decision making could actually centralize interagency conversations. If those other ministries recognize that the operations driven by machine learning will implicate laws of war, domestic legal and policy issues, and the lawyers in those ministries seek a role at the table in making these interpretations of domestic law and international law as the algorithms are being structured on the front end. A third thing that I think this development could do is it might end up empowering computer scientists at the expense of other actors inside these agencies, such as lawyers, such as policy makers. So overall, unless carefully managed, I think the major concerns that cyber autonomy might increase the number of bad or inadvertent conflicts in a way that would be reduced if there were consistent and continued legislative involvement. So how do we address these challenges? First, you could see legislators doing more work to actually legislate things like the algorithms' parameters in advance. So they could, for example, require that in most instances operations being driven by autonomous cyber systems be reversible. They might demand that the executives try to make their algorithms white boxes rather than black boxes, and they could even demand that the executives share information with them about where they have prepositioned tools inside other states' systems. 
Legislatures could also establish cyber specific oversight committees that gain a level of sophistication about these tools. And third, you could have the interagency itself collectively develop rules of engagement rather than leave that entirely to militaries or military lawyers. And in terms of the relevance of international law, if NATO states are all going to confront these issues then I think it's critical to increase the level of detail of the conversations that states inside NATO have been having about the interactions, potential interactions, among autonomous cyber tools and to start to clarify at least among each other when those interactions will rise to a level that implicates the jus ad bellum. Great, thank you, Professor Deeks. Finally we have Professor Przemysław Roguski. He's a lecturer in law at Jagiellonian University in Krakow, Poland, and an expert on cyber security and international law at the Kosciuszko Institute. Back over to the Stockton Center for Professor Roguski's initial remarks. Good afternoon, ladies and gentlemen. My name is Przemysław Roguski and it is both an honor and privilege to speak to you at this great conference and in such an illustrious panel. The topic of my talk today will be the topic of collective countermeasures against cyber attacks. And I would like to start by inviting you to consider the following scenario. Now let's imagine that state A's electric power grid and hospitals are targeted by a prolonged ransomware campaign which, as it turns out, is being directed by state B. Now state A on its own lacks sufficient cyber capabilities to make state B stop. However, it has powerful allies, state C and D, and it asks those allies to help. 
Question then becomes whether state C and D, which are not themselves directly injured by the ransomware campaign, can nevertheless intervene on behalf of state A by instituting countermeasures against state B, either in real world, for instance by severing trade ties, transportation links and so forth, or in cyberspace by targeting state B's cyber infrastructure, in order to induce it to stop attacking state A. Now this topic has become prominent in the last one and a half years because it has been taken up by states. It was first taken up by Estonia during the CyCon conference in 2015 when President Kersti Kaljulaid, while presenting Estonia's position on international law in cyberspace, has stated, and I quote, that Estonia is furthering the position that states which are not directly injured may apply countermeasures to support the state directly affected by the malicious cyber operation. Several months later France responded, and it responded in its document on international law applicable to operation in cyberspace by stating that, and I quote again, collective countermeasures are not authorized, which rules out the possibility of France taking such measures in response to an infringement of another state's rights. But the question then becomes, well, which of those two statements is correct with respect to international law as it stands today? And we should perhaps begin by defining what we mean by countermeasures. So if we look at the law of international responsibility we will see that the countermeasures are actions by a state which normally would constitute an internationally wrongful act or violate an international obligation of that state, whose wrongfulness is precluded precisely because they are taken in response to a previous internationally wrongful act of another state and directed against that state with the aim of inducing that state to stop its initial violation. 
Now under international law countermeasures can be taken by the injured or victim state, and this is because enforcement under international law is essentially of a bilateral nature. Within the law of state responsibility only the states whose interests are being directly affected can request the responsible state to stop and invoke the responsibility of that state, as we say. So the question is, well, do third states have any role in such constellations? And if we look at the Articles on State Responsibility, which reflect the customary law in this regard, we will see that other states can invoke the responsibility of the attacking state only in limited circumstances, namely only if the obligation that has been breached is owed to a group of states, not to one state individually, to a group of states, and crucially it is established for the protection of a collective interest of the group and not of an individual interest of the victim state, and we would call them erga omnes partes obligations, or if the obligation that has been breached is owed to the international community as a whole, and we would call that erga omnes obligation. 
There is a further limitation or difficulty, namely under the Articles on State Responsibility even in those limited circumstances third states can invoke the responsibility of the responsible state only to call for the cessation of that act and to demand the performance of reparation to the benefit of the injured state. The articles themselves do not mention countermeasures as such, and this is because there has been a discussion within the International Law Commission when those articles have been drafted whether those third party countermeasures are permissible or not, but there has been inserted a backdoor in Article 54, namely, which says that this chapter does not prejudice the right of any third state to take lawful measures against the responsible state. And so the question is, well, would countermeasures fall under this definition of lawful measures? Now this question has been studied recently and I would invoke here two major studies from 2010 and 2017 which both come to the conclusion that state practice and opinio juris is sufficiently widespread and uniform to suggest that third party or collective countermeasures are permitted under customary international law. However, and crucially, it is permitted only within those confines of Article 48, so they are only permitted against violations of erga omnes or erga omnes partes obligations, not against violations of individual obligations protecting individual interests of a particular state. So the follow-up question is, namely, well, can cyber attacks violate collective obligations? And if we take a look at obligations erga omnes or erga omnes partes as they have been identified in the jurisprudence of the International Court of Justice, we will see such obligations as the prohibition of aggression or genocide, the prohibition of slavery or racial discrimination, but I believe you will agree with me that those are not the obligations that are typically affected by cyber attacks and constellations such as the 
initial scenario. Rather, obligations that are most likely to be violated by cyber attacks are for instance the obligation of non-intervention or the duty to respect the territorial sovereignty of another state, if indeed you believe that such a duty exists and is applicable to cyberspace, or perhaps due diligence and so forth. So obligations that are targeted or violated by cyber attacks usually are there to protect individual interests of states, not collective interests of the international community or groups of states, as evidenced by those examples given from the jurisprudence of the International Court of Justice. So the follow-up question would be, are there perhaps cyber specific collective obligations that the International Court of Justice has not known so far? And I would argue that there are none. However, there are certain candidates from non-binding norms which may, given time and given sufficient state practice and opinio juris, harden into binding collective obligations, and I would propose two. The first one is the norm to protect the public core of the internet, which has been discussed in many fora and has been proposed for instance by the Paris Call in principle two and has found its way already in legislation in the European Union, and if this becomes more widespread and more states adopt such legislation followed by opinio juris, this could well evolve into a cyber specific collective obligation. The second one is the norm not to affect critical infrastructures such as hospitals or vaccine research facilities, which is reflected in norm 13(f) of the UNGGE report in 2015, and in these pandemic times I believe it is in the interest of the international community as a whole to protect those critical infrastructures and not only does this protect the individual interests of a particular state. So allow me to come to my conclusions of this brief survey, and the first conclusion would be that international law as it currently stands allows for collective countermeasures 
but only against those actions, including cyber attacks, which violate norms established to protect collective interest, and given that most cyber attacks, as we have seen, do not violate such norms but rather violate norms that are there to protect individual interests by state, the consequence would be that under international law as it currently stands collective countermeasures are not permitted against most cyber attacks, simply because this requirement of a violation of a collective interest, or norm established to protect the collective interest rather, is not fulfilled. Now international law could develop to include such cyber specific collective interest norms as the ones discussed previously, which we are not there yet, but in the most relevant example, namely in the, come back to my initial scenario, where there are attacks against that potentially violate obligations which protect individual interests of states, for instance the interest not to be interfered with in their domaine réservé, not to allow interventions from outside, international law does not permit collective countermeasures, and it would require further development of international law to include this possibility, but this is a long way requiring lots of state practice and opinio juris. This concludes my brief observations and I thank you for your attention and look forward to the questions. Great, thank you, Professor Roguski. Thank you all for your remarks. We'll now move to the Q&A portion of the panel. For our panelists, I'll ask that you just turn on your videos and unmute your microphones, and I'll also reiterate what was in the chat log. I'd encourage participants to put their questions in the Q&A box and upvote those questions that you're interested in. While we wait for those to roll in and get upvoted, I'll start with a question that I was particularly interested in hearing Professor Jensen respond to. This is from Mike Sinclair: acting by permission where possible but in action where not, it's 
a, on your last slide, do you layer in an unwilling or unable analysis here or is it pure unilateralism? Well, I thank you for that great question, and thanks again to the organizers. This has been a fantastic two days. I hope that I don't ruin it here at the end. I hesitate to discuss unable and unwilling in the presence of Ashley Deeks, who is like the world renowned guru on this issue, so Ashley, feel free to jump in and correct me at any moment. But I view the unable and unwilling really to be used in the self-defense idea, and it's mostly used as a self-defense notion. Certainly the framework agreement produced by the Obama administration in 2016 supports this idea. So one of the interesting things about this is that in this case I don't think the US might be using unable and unwilling by analogy but it's not using it in a self-defense mode, it's using it in a much more proactive mode. So even though you could argue that the principles as laid out in current US practice seem to embrace this unable or unwilling procedure or view, it's not doing it in a self-defense mode, instead it's doing it in a proactive way to kind of deter, as a deterrence issue, and that seems to me to be a little bit unique than the way we have normally used unable or unwilling in the past. I immediately pass it to Ashley for her comments. Go, Ashley. Thanks, Eric. I'll make a pitch for International Law Studies here. I wrote a 2013 piece through them on the geography of cyber conflict that asked this question, but Eric's exactly right, I asked it in the context of self-defense, thinking about unwilling or unable as a sub-inquiry on the necessity question after you suffer an armed attack. But I tend to agree with Eric that it may be that the US government is using the concept as a matter of policy and attaching it to its defend forward concept. It has long said that it's sensitive to the sovereignty of other states, whether sovereignty is a rule or a principle, and I think that's a 
way to express concern for other states' sovereignty, trying to get their consent, maybe even thinking about things like pre-consent agreements that say, look, we met we know operations might happen within your territory, if you're willing we can ride to the rescue. That of course implicates the question about collective countermeasures if we're talking about an activity below the use of force. Great, thank you. So I'm going to try to give each of you a turn in the hot seat, so next we'll go to Professor Roguski. This is a question from Jeff Biller: given the reports on malicious cyber operations related to development of the COVID vaccine, might this be an excellent opportunity to consider third-party responses against erga omnes interests? Yes, thank you very much for this excellent question, and of course this is indeed, you know, the avenue that I was trying to hint at. The problem of course that we see here is, well, which erga omnes obligation has been violated? So if we take a look at stateside obligations we would ask, well, has this been an intervention into the internal affairs of a state? Well, even if it has been, does the norm against intervention constitute an erga omnes obligation? I would say probably not, and the same would be with sovereignty, taking aside the discussions about whether sovereignty applies in cyberspace or not. So the only candidate that I can think of, and I have been giving this some thought, would be if we say that we employ collective countermeasures in order to protect a collective interest under human rights, namely the right to health, because then we could say that the ICESCR, which contains the right to health, it is an erga, or creates erga omnes partes obligations, and in order to enforce those obligations then states that are not affected would be entitled to collect, to take collective countermeasures. However, one note to finish on: of course we only need collective countermeasures, only need to talk about collective 
countermeasures if we as the acting state are not ourselves injured. So if a cyber attack has also affected our ability to do COVID-19 research and so forth, then we would be entitled to act as a directly injured state and there then we would not need those collective countermeasures construction. So on that point Mike Sikler has another question, and it's, I'll just give it to you, Professor Roguski, because we're still on you: does international law allow for collective countermeasures when the attacked state requests the assistance of a third party in doing those? Well, there is nothing in the Articles on State Responsibility that would speak to such an analogy to collective self-defense, so basically the third state instituting collective countermeasures would need to have to act in furtherance of a collective interest and not, you know, just acting to help the injured state. Here again we can think of many scenarios, for instance, well, what does it mean to help? So all actions that themselves do not violate a norm by which the acting state, the third state, would be bound are permitted under international law. So for instance a couple of days ago US Cyber Command has issued a statement where it said that it has conducted hunt forward operations together with Estonia within Estonian networks, and so this presumably was requested by the Estonians and this is not a countermeasure situation because this is limited to Estonian networks. So the only question is, if Cyber Command together with the Estonians were to go to Russian networks because the Russian actors or any other state actor has intervened in that state requesting help, then we would need to find a construct to justify this action on behalf of a third state, but simply a request by the third state would not be sufficient. Can I just add to that? I mean, I thought that that example of Russia and Estonia was really great because how a country thinks about sovereignty is a huge 
piece of that, right, because if a country doesn't recognize a violation of sovereignty as an unlawful act under international law then that also would not be a countermeasure, or if the method by which they were engaging on another state's infrastructure wasn't unlawful then they would not consider themselves as being involved in a countermeasure, it would be retorsion or some other thing, right? So that again we come back to that piece that Roy Schoendorf talked about this morning, so important, and states, I mean, I think we're finding a real varied reflection from states on that topic. Great, thank you so much. Professor Deeks, I was going to ask this question, this is sort of a hybrid of a question I had so I'm glad I get to ask it through another person. Pazanansky, Michael Pazanansky, adds this question: what do you see as the trade-offs associated with President Trump's 2018 decision to give more latitude to certain entities to conduct offensive cyber operations, especially if President-elect Biden continues his policy? How should we weigh the core benefits, for example acting more nimbly and responsibly, against the potential drawbacks, for example less oversight, risks of escalation? And my particular question was similar: especially if we're trying to gain the benefits of autonomy, the speed at which these machines can make the decision, will this potential oversight or even potential intervention by the legislature cause delay and essentially lose those potential benefits? Yeah, great. So that's a fantastic question, and part of the answer, I think, is there's an empirical aspect to the answer that I don't know, and that is what exactly has happened since 2018 in reliance on this new latitude and what do we think objectively about whether it has been good or bad. And it may well be that the Defense Department is very happy about it, and could be that the State Department's happy about it, but it might also be that the State Department feels as though that 
was a mistake. So I need a little bit more empirical information to know how to think that through, but I think it's exactly the right question. So I'm not advocating that we want to bog down policies just for the sake of having sort of slow process, but I do think, you know, the State Department for example has long been a really important player within the United States in interpreting international law, and I would hate to see them get cut out of that loop entirely on issues that are almost certainly going to implicate international law. And if you just have a single agency thinking about these issues then we might think about, David Pozen wrote a piece about deep secrecy, and he thinks about deep secrets as being ones that few people know and only few types of people know, and by introducing the State Department and the Justice Department and so on you are making it a little bit less of a deep secret even though it remains a classified operation, and so I think it's healthy to keep that not entirely within a single agency. But to answer the colonel's question too, I think a lot of this gets done at the front end, right, that it's not that you want to hold up each operation by bringing it back to the group, but you need to have hard and I think intense conversations up front that play out how different things could work and maybe, you know, collectively agree on the rules of the road for many of the situations you're going to encounter, but do it at the front end so you don't slow down and lose the advantage of the autonomy at the tail end. Fair enough, thank you so much, Professor Deeks. Professor Jensen, one question I have for you that I wanted you to expand on, mainly because I really liked it and so I wanted to hear your full explanation, is you mentioned to not, not, it's we should operate not with gloves off but with the use of gloves. I was hoping you could expand on that. 
Yeah, well, so I mean, this is probably not a great way to pose this in an international audience, but we have this saying in the United States that, you know, you were going gloves off, which means the rules kind of don't apply anymore, right, we're just fighting, and I certainly don't think that this US practice has gotten us there. We still are bound by rules and the United States government is heavily legally committed. They want, you know, when the government takes actions they rely heavily on what's lawful, but I do think what these instances of US practice say is you're not just going to stand back and take it, right, you're going to actually put the gloves on and engage in the fight. And, you know, the 2019 NDAA particularly sets up some pretty specific authorities and permissions, and not just permissions but in some senses, you know, Congress is expressing the will of Congress and telling DoD to take actions and to do certain things, and to me that is a much more aggressive approach, as referred to in the last question, that's a much more aggressive approach, and I for one will be interested to see if President-elect Biden continues that, you know, that method, and I think that will give us some insight into Ashley's question about the empirics. You know, he and his new administration are going to look at that, they're going to look at the empirics, and I think that that will be an indication to us, if they continue this approach, that those empirics have in fact worked to the United States' national security benefit. Thank you so much, and so it looks like we have time for one final question, and so I think, Professor Deeks, you mentioned this, I think you answered it, but I want to make sure that we give it its due. Peter Margulies says: is the view of autonomy as a black box an abiding concern or can we address it through explainable AI? 
Great, hi Peter, thanks for the question. So of course one of the reasons this matters, including for legislatures, is whether you can audit after the fact why a system made the choices it did, and Congress could help the executive take remedial steps if we end up in a place that we don't want to be, an unintended escalation for example. So again here, I mean, I think this is also an empirical question. There's been a lot of attention paid to the problem of the black box nature of machine learning and deep neural nets, and a lot of different forms that explainable AI can take. Some people worry about making it explainable because you lose, you degrade the quality of the system, the very thing you're trying to use the system for, but I am relatively optimistic that there are going to be some helpful solutions to this, and from what I understand in conversations with the military they too are really interested in making sure that they understand why the system is making certain recommendations and taking certain steps and not just saying, you know, go off and we trust it entirely. So I think that incentive will also enhance the work of computer scientists to drive towards a more explainable AI. Great, thank you. And so I will ask, I realize I'm going over time, but I want to ask one final question to any of the panelists. This is from my colleague Jeff Biller, who asks: have we seen suggestions that defending forward could be applied on behalf of allies? 
I guess I can take that on first and just say, you know, this goes back to some extent to the collective countermeasures discussion that we had. As long as you don't, depending on your view of sovereignty and as long as you either do or don't view this as unlawful, therefore it can be a countermeasure. Certainly, as I noted on my slide, there are lots of opportunities now where the United States is acting in conjunction with allies, so to the extent that that is the answer to Jeff's question, I mean, that's right, we're doing that all the time, we're doing it more often, and especially with people who have like-minded views on this application of international law. All right, well, great. I want to thank each and every one of you, each of the panelists. Very interesting, very fascinating topic. Thank you for your remarks, for your time, and for the questions. I'll turn it back over to the Stockton Center for, I believe, closing remarks. Great, well, thank you to all the panelists there. I think it's fitting that having just discussed the evolving nature of state practice and cyber operations, we finished there having started the day with the remarks from Israel in terms of state practice there. So thanks again to all the speakers from today for an excellent day focused on cyber operations. Tomorrow we will reconvene 1100 hours Eastern Standard Time, and for everyone who has joined today and is interested in cyber operations, the opening keynote by Doug Burnett is on submarine cable security in international law, and given the extent to which such cables underpin cyber operations and capabilities, hopefully you'll be able to join us there. So I'll leave it there and we'll see you tomorrow.