 I'm Captain Kevin Brewe. I'm the duty lawyer at JMO. I'm the spy embedded in JMO. Before we begin would you please turn off your phones and things of that nature. This is a reminder. The good news about the Naval War College, as many of you know it's unique in that we have an international law department as well as what we call the Stockton Professor, who is an international lawyer from throughout the world that we bring in and he speaks or he's here to lecture research on various issues. Today we're honored to have Professor Wolf Heinchel von Hainig from Germany. He will speak to us first about cyberspace international law. Hopefully you've got his bio. I asked to be sent out to all the seminar groups. He's a quite amazing man. This is his second time here as the Stockton Chair, I believe. He will be returning to Germany to return to be the Vice President of the Europa Institute University in Frankfurt on odor. More importantly he's been involved in many expert working groups with various international lawyers on various manuals. One of which is the San Remo Manual on the application of the law of armed conflict to operations at sea. Another is on air and missile warfare. But more importantly for today he's been involved in a project known as the Tallinn Manual, which I believe is about to be officially announced perhaps this week in Tallinn, which is dealing with international law and cyberspace. So let's just let him get at it and now Professor. Well, good morning. I want you to join me into two domains. One of the domains is rather familiar to you. It's called cyberspace. And the other may be frightening to you. It's called law. The problem that we have with new technologies is always the same and has always been the same. As soon as a new technology is being used, especially in the security environment, you will see many international lawyers, experts, self-proclaimed experts, and others who believe to have an idea of what the law says about that new technology. And what I will try to do today is to introduce you to some aspects of international law that relate to or apply to cyber operations. Now let me give you an overview. First of all, the question, of course, is if cyberspace is such a novel phenomenon, can the existing rules of international law, some of which are more than one century old, apply at all to that new technology? If we have more or less settled this issue, we will talk about some of the security issues involving cyberspace, and then we will go into the legal aspects of it. Starting with the talent manual, I will shortly explain the process of the talent manual, and then we will talk about two aspects of international law, one relating to the question of whether a user force is lawful at all in interstate relations, and the second, whether and to what extent you are entitled to use cyber means or to conduct cyber operations during an armed conflict. And I will close, of course, with some concluding remarks, and I will reserve, I hope, sufficient time for any questions you may have. So let's start with the question of whether the law applies at all to cyberspace, the digital information infrastructure, and all kinds of definitions are around there. But I think you are very well aware that indeed cyberspace, which is, as it rightly said here, the network of networks, digital information, infrastructure, et cetera, et cetera, which is a global phenomenon, which cannot easily be grasped with if you apply a traditional approach to the law. I think that's quite clear. However, what we must be aware that it is always a little bit creative, to say the least, if not prohibited, to apply certain legal concepts because they seem to fit. And, of course, you all know the labeling of cyberspace as the fifth domain. Others are calling it a global domain, and they are assimilating it to the high seas, to outer space, and international airspace. And indeed there seems to be some logic in that. But you have to be aware that lawyers think a little bit differently than other human beings. So if you tell them something like that, they immediately say, oh, then it is something that belongs to all. And no single state may take any action within cyberspace because that would be to the detriment of others. So one should be very hesitant to apply such legal concepts too easily to this phenomenon which is not that new after all because we already have the year 2013, don't forget that. And we have been talking about cyber issues and international law for quite a while now. The first conference that was held on these issues took place here at the Naval War College in 1999. And many people have forgotten that. So then they discovered it only a couple of years ago as a new subject matter, although the Naval War College had already dealt with a couple of years before, which shows you that you are here at a very good, creative, and up-to-date institution. Now, if I am saying that those traditional legal concepts do not apply too easily to cyberspace, do we then need new rules? Which is always something that many people believe is the only way of solving certain problems when it comes to international law or even domestic law. Well, new rules seems to be a good idea because it would involve and mean legal clarity, right? But can you imagine today or in two, three, four or five years from now on to have an international conference with 193 states, ideally 193 states participating and agreeing on international law applicable to cyberspace and cyber operations? This will be or would be a horrifying exercise. They cannot even agree on simple things, certainly they could not agree on that. So I don't think that this is the right way. My approach and that of others has been and continues to be that the existing law is well suited and it will apply to cyberspace and to cyber operations if you apply it in a sober manner. Now, why am I saying that? I'm saying that because the United States president in the International Strategy for Cyberspace has exactly said that. The president has said that the existing rules, principles of international law do apply and in order to make it quite clear this is not only a solitary United States position but it's also shared by others. Now you will see that this is a draft strategy of the European Union so it's not yet accepted by the 27 member states but there's a good chance that this strategy will be accepted by the member states and you see here exactly the same approach as the approach by the United States president. So you see that at least the European states and the United States and I would guess Canada and other like-minded states would take exactly the same approach. There is no need to reinvent the law or to invent new rules of international law in order to deal with cyber security issues. What we have to be aware is that despite of the rather mystified characterization of cyberspace as a fifth domain etc. etc. there is an infrastructure which is necessary for cyberspace to exist at all and to operate and that infrastructure will in most cases be located somewhere. It's not in some nirvana but it is located in territory. It is connected to the national grid of the respective country. You see that countries do indeed not only claim that the cyber infrastructure located in their territory is protected by the principle of territorial sovereignty but they also exercise all kinds of jurisdictions. They regulate cybercrime. They enforce their laws when it comes to certain forms of cybercrime. They regulate activities in and through cyberspace and last but not least they even regulate and enforce access to cyberspace. There is no evaluation in that finding. Of course I don't like certain governments to block off internet access because they are afraid of certain political groups etc. etc. But what we must be aware of is the reality out there. The law and the world is not as I like it to be but as it is and that's what states are in fact doing and states are showing us every single state whether a dictatorship or a good democracy that is law abiding and of course pledging allegiance to the rule of law they all regulate activities in and through cyberspace they even regulate access to cyberspace. But one example, Sweden which seems to be the most democratic, most advanced democracy in the world they regulate all aspects of cyberspace because they are saying we are a consensus government so each time you are using your smartphone there via internet access or whatever all data will be stored. Would anybody doubt the democratic character of the Swedish state, the Swedish kingdom? I guess not. So this is the reality. Of course states protect their cyber infrastructure. They must by necessity protect their cyber infrastructure not only against intrusions but against all transporter interference and the conclusion is like it or not the law as it stands international law as it stands does indeed apply to cyberspace. The only thing one can say is that because of its characteristics of course cyberspace cannot be appropriated by a single state, sure. But on the other hand the fact that all states are interconnected via cyberspace does not mean that they have waived their territorial sovereignty or their right to exercise jurisdiction over certain cyber activities. Having clarified that international law applies, of course we must be very much aware that there are some very, very considerable security issues. Many economic sectors are heavily dependent on cyberspace. Cyberspace offers new opportunities, business opportunities. You can today make money even though you only have one computer at your home and after a while you will be big in business whatever that business is. But it has been rightly stated that in view of those new opportunities offered by cyberspace the focus was rather on interoperability, speed, reliability maybe a little bit but certainly not on the aspect of security. And those new characteristics, openness, ubiquity, name it what you want they of course have somehow created new vulnerabilities. I very often use the following picture. Imagine I have a safe at my house. It's filled with one million dollars. I leave the safe open. I make a sign at my door which is open. There's the safe with one million dollars and I go on vacation and when I return I find out the safe is empty. Can I complain about that? It's a little bit the same in cyberspace. Because we are for example very often relying on products that everybody can acquire. The vulnerabilities of those products are well known. Still we are using those products because there seems to be no alternative for whatever reasons financial etc etc etc. Now in view of those new vulnerabilities the Department of Defense the US Department of Defense in its strategy for operating in cyberspace has clearly identified the vulnerability of the United States and of their allies. And if you only look at the parts in bold you will see yes all aspects of society can be affected by malicious cyber activities and of course it may even result in physical damage and certainly in economic disruption if a massive cyber attack is being launched by whoever. The best examples of certain sectors that cannot do without cyberspace are the financial and the banking industries. They are so heavily interconnected today that even a short interruption of the communications via cyberspace would have rather long lasting and severe detrimental effects. But also other services which we consider essential health, water, electricity etc. They are all dependent on cyberspace. The funny thing however is that or not that the main actors in that area are private. Private companies and others and governments do not play such a big role and some are even saying that the private sector even has a lead role when it comes to guaranteeing and establishing cyber security. But as you all know and many of you may even have been confronted with certain issues of cyber crime that your account was suddenly empty or the like and you very well know that there is a heavy organized crime out there that dispose of the means and the will to inflict serious economic damage on almost every one of us. So what is the role of the governments if there is this heavy private involvement? Cyber crime on the one hand, private enterprises and corporations on the other hand. Do governments play a role at all? Shouldn't they just leave it to the private sector to deal with these issues and then hope that the private sector will come up with some solutions? Well some indeed in favor of such an approach. They even say that the cyber crime convention is a template for cyber security as such. I don't buy into that because for a simple reason there is a very important public slash military dimension to cyberspace and I don't want any of our governments to be put on the same footing as organized crime somewhere east of us or west of us depending on how you look at it. So in view of that I think the role of governments is still important and what we must be aware of there is a very, very important public military dimension to cyberspace. Now we have seen in the recent past that foreign governments exercise power through cyberspace and I recommend to you to read that report that was published just a couple of weeks ago. You can easily find it on the internet. What the report tells you is that they were able to track back cyber attacks against the United States to a certain building in China which shows you that the alleged problem of attributing cyber attacks or cyber operations to a given state or even to a given individual is of course big but it's not an insurmountable problem and you may also be aware that the United States president has recently reacted by addressing China with regards to the findings that were laid down in the Mandiant report and those exploitations will continue. Now how far they go whether they merely exploit the information resident in the respective cyber infrastructure or whether they even inflict damage on the cyber infrastructure doesn't at the end of the day make too much difference because we must be aware that not only the United States but many other countries are very, very vulnerable against any form of cyber intrusion or cyber attack. Of course we are trying to increase the resiliency of the cyber infrastructure. We are building up defensive capabilities and even offensive capabilities which I think is rightly being done because without knowledge of the offensive capabilities how can you defend yourself properly? So there needs to be some offensive capabilities to the least and as you all know modern military operations heavily depend on cyber space because otherwise mission success would not be guaranteed. So in view of that, in view of the public and military dimension of cyberspace we must be most serious when we are dealing with the legal issues involved. Now how did the international discussion start? I already told you back in 1999 here at the Naval War Culture we already talked about those issues but the international community, I hate that word but that's what they are calling them only got aware of it with the cyber attacks against Estonia back in 2007 and one year later when certain distributed denial of service attacks were conducted against Georgia in its short term conflict with the Russian Federation. Then suddenly everybody believed that this is a big issue and of course you all have heard about Stuxnet which is a rather elegant means of achieving your political goals what I think or even the alleged downing of an American UAV over Iran by cyber means. So it plays a role and of course the media are very eager to jump on those subjects and because they are new they can attract a lot of attention but again this is not new but fortunately enough those events have triggered an international discussion and that is the good part of it. Now if you see that the United States and not only the United States but many other countries as well claim the right that certain cyber attacks if they are significant enough would trigger the target country's right of self defense well then you must really start to think about what international law says about it because seemingly certain cyber attacks will be considered so grave that not only a response within cyber space is an option but even the use of kinetic means in order to respond to those attacks. So the question then is what does the law say? Because the determination of the threat should be unambiguous that should be clear but what is the law? Well here's the answer that's the law. Now you are in a funny situation here why? Because tomorrow in London this manual will be officially launched but they forgot about us so we are one day ahead not really one day because they have the time difference but 20 hours or so. So that is not the answer to the issues I have talked about but the Tallinn manual provides some answers to make you aware of that. So what is it? After the cyber attacks against Estonia they established a close connection with NATO the cooperative cyber defense center of excellence must be a German who has invented the title but the thing is that many countries joined their efforts with a view to increasing cyber security and cyber defense capabilities and the idea was to have that process being accompanied by a study group of legal experts who were tasked with identifying which rules of international law which principles of international law apply to cyber operations and indeed the group was tasked to do that within a timeframe of three years and if you believe it or not the group succeeded. The director of the group was Professor Michael Schmidt who is also the chairman of the international law department here at the Naval War College. We had a group of experts of a couple of countries the names that are put in bold are the members of the drafting committee in other words we had to do all the work the experts met twice a year, enjoyed Tallinn in winter which is rather cold or in summer and they only came there for a couple of days and we stayed on and had to do the drafting but you see it's a rather mixed group of a variety of different countries and those who are marked in red were not part of the expert group but observers and you will see for example Colonel Gary Brown who was then at U.S. Cyber Command as an observer he now switched sides to the ICRC maybe because of the Tallinn manual then somebody from the ICRC and last but not least from NATO from Allied Command Transformation so they were all working on that issue to a varying degree and they came up with a product after three years now what have we done, we dealt with sovereignty we dealt with the rules of international law relating to the legality of the resort to force we talked about self-defense of course we talked about the law applicable in armed conflict both international and non-international about neutrality, occupation and even zones and we tried to figure out to what extent the existing rules of international law do indeed apply now the beauty of the process is that you will find two different kinds of statements in the Tallinn manual the one is the black letter rule which in short sentences identifies the applicable law and those rules have been agreed upon by consensus so all the experts agreed that this is the law but as you can imagine put three lawyers together and ask them to give one answer you won't get it of course the consensus on the black letter rules does not mean that we agreed in every single detail there were of course differences in opinion, different approaches different opinions and competing views are now reflected in the commentary to the respective rules now you may say so what well I say that is indeed one of the advantages of the manual because like states it's easy to agree on certain fundamental rules and principles but of course very often the devil lies in the detail and the different opinions and views that are being clearly stated in the commentary open options for all governments that are willing to make use of the Tallinn manual and to my knowledge there are already some governments that use the Tallinn manual as a point of reference or as at least a basis for arriving at certain legal conclusions now the question is what did we find out now first we dealt apart from other things with the question when does a cyber operation violate the prohibition of the use of force as laid down in the charter of the United Nations and here you see article 24 of the charter which clearly prohibits states from resorting to the use of force and even to the threat of force in their international relations so indeed the question is for example was the Stuxnet operation was that a use of force and you can imagine that some of the experts had a hard time to cope with that issue some of them were not even able to deal with the sophisticated coffee machine and now they had to answer that question now of course as many people do when they are suddenly confronted with a new problem with a new question they take what they are familiar with and they say yeah what about the effects mustn't it be somehow kinetic or akin to the use of traditional kinetic force like bombs being dropped etc etc and the problem is that the respective rule article 24 has of course been dealt with also by the International Court of Justice for example in the Nicaragua case and in the Nicaragua case for example the court found that the arming of guerrillas that were conducting operations in and against Nicaragua constituted a use of force wow without the respective state firing a single shot but of course the shots were fired by the guerrillas on the other hand there was always clarity that not every form of coercion constitutes a use of force even though the South American states back in the 1940s and 1950s were very much in favor of assimilating economic sanctions, pressure etc to a prohibited use of force they didn't succeed so we know there is a clear case when you are dropping bombs and there is another clear case when you are doing something below that but of course the problem is what is in between especially in view of the decision of the International Court of Justice now as you can imagine of course a use of a weapon will in every case constitute a use of force even though the weapon does not have any kinetic effects for example biological weapons right or a chemical weapon they are all considered a use of force if one state are using them against another state so the argument that it must by necessity be of a kinetic nature can be easily rejected by reference to the chemical and biological weapons but what about those other forms of cyber operations because for example if you are intruding into a foreign system you are by necessity changing data when you are intruding they may not have far reaching effects but still you are changing data what about data theft what about interference with the operating system off or a skater system off some very important infrastructure like for example the energy sector or the water sector is that a use of force now you have to understand that international law is a very dynamic order and this is the good side of it and what we are experiencing now is that we seem to be in some form of intermediate period where states yet have to find out which cyber operations against which critical infrastructure would for them constitute a use of force or be assimilated to a use of force for example the well known scenario of an attack against the New York Stock Exchange because of the potential of far reaching effects not only on the United States economy is very often used to say but can't we do anything against such an attack if it brings our economy to its knees isn't that a use of force or isn't it even worse than a use of force why can't I bombard the capital of the enemy if they have dropped bombs but why can't I do it if they have ruined our economy and brought it to or have neutralized it almost all together and those questions are rightly asked but there is no clear standard yet so our idea was to make use of the so called Schmidt approach indeed something that was developed by Mike Schmidt and these are criteria these are criteria so if we look at a certain cyber operations at a certain cyber operation we will try to evaluate each of those criteria in order to give states the possibility of evaluating whether the fulfillment of these criteria or one of those criteria is sufficient to consider a cyber operation a use of force you may say wow that is nothing right where is the good heart law which tells me yes or no when I want to come to a conclusion well that's the character of international law and don't blame us we are not the creators of international law even though some of my colleagues would love to do that and many people do that unfortunately but international law is made by states and if states have not yet come to a clear consensus on whether and to what extent certain cyber operations qualify as a use of force who am I to say what it is or what it is not so the only way out was to come up with those criteria and to admit because that's what you have to do if you are doing serious business in international law that there is not yet a clear generally agreed upon standard period that's what it is like it or not the other question we dealt with was well when do we or when are we allowed to use force well clearly there are two situations the one is the security council has authorized it under its powers according to chapter 7 of the charter and as you know the security council has a wide margin of discretion it could determine that almost every situation constitutes at least a threat to peace and security and it could then authorize those member states that are willing and able to take the respective measures and to conduct cyber attacks against a given country the other one which is much more important because the problem with the security council is a little bit that the permanent five members do not necessarily always share the same views they very often go into different directions as we have experienced or as we are experiencing right now in the case of Syria and in other situations so the most important aspect of the use at Bellum is self-defense but again it's not that easy because if you look at the charter at the United Nations charter article 51 it clearly states well there must be an armed attack and if an armed attack occurs then you are entitled to resort to self-defense and you are not limited by the way to respond in kind even though you may be the target of a massive cyber attack which constitutes an armed attack then you may respond with all traditional means and methods of warfare you don't have to limit your response to cyber space alright so far the theory but what does it mean? what is an armed attack? and here again we have exactly the same problems as in the case of what constitutes a use of force if you look at the charter you will see that article 24 only speaks of a use of force and the right of self-defense applies if an armed attack occurs so seemingly an armed attack is something different than a use of force how do you distinguish the two? well it's difficult, I admit that but it doesn't mean it's impossible however, just to be clear on this the United States and the present administration considers the both to be identical they say every use of force is an armed attack and vice versa which seems to be a very rational approach but I don't think that it is politically opportune and there are good legal arguments against it all experts came to a contrary conclusion they say that of course every armed attack is a use of force but not vice versa meaning not every use of force is an armed attack the distinguishing factor is severity meaning that it is a use of force that is of a severe nature not just a simple use of force like for example the ICJ, the International Court of Justice identified certain border clashes as not amounting to an armed attack so here you can see that distinction has been accepted so how do we determine severity? well by the scale and effects but again the question is what are the scales and effects and how must they materialize and here again the discussion has been well we agree on the scales and effects approach but which scale and which effects may we take into consideration in order to arrive at the conclusion that there has been an armed attack now let me take the Stuxnet example and just let me assume for the argument's sake that a state used that malware in order to accomplish what they wanted to accomplish and indeed did accomplish if you are looking at what happened well it was quite simple there was sufficient information that malware was constructed in a very sophisticated manner that certain centrifuge and other parts most of them provided by a German corporation called Siemens that were used in Iran for their nuclear program were manipulated in a way that the centrifuge did not any longer function as they were supposed to function and that inflicted damage to the centrifuge that did not any longer rotate in the way they should so the centrifuge were damaged right? damaged were they expensive? I don't care they were damaged okay now was that a use of force? well I guess you can say so you can say so it was a use of force but was it an armed attack? well I guess there we must be a little bit more cautious because if there is a difference between an armed attack and a use of force the mere fact that damage has been inflicted on those centrifuges and even though you may consider that to be a use of force does not necessarily mean that it already constitutes an armed attack interestingly the target state of that operation meaning Iran said well well that was not so bad we can cope with that they bought some new centrifuge somewhere on the black market so okay maybe it was a little bit more expensive than before but obviously the target state itself did not consider that to be an armed attack right? of course it was embarrassing for them because Stuxnet had been resident there for quite a while and they didn't even notice but here you see we must also look at what states do in a given case and we cannot easily determine as academics that this is an armed attack because we have decided it to be so so states seem to look at it a little bit differently but even if you say that you have an armed attack and that you may even respond kinetically with traditional means of warfare you are still bound by certain limits that accompany the right of self-defense meaning it must be necessary and proportionate and of course it must be immediate the other issue that comes up of course immediately is the question of may you respond before the attack has certain effects negative effects on your cyber infrastructure meaning can you preemptively use your right of self-defense or anticipatorily and there are so many different labels to this that I hesitate to use them all but the simple question is of course for a state whose critical infrastructure may be about to be attacked must it wait until the damage is done or can that state respond earlier? well interestingly the experts agreed yes of course the state must not wait until the damage has been inflicted because international law after all is not a suicide pact but of course in the cyber domain it is sometimes rather difficult to establish and to determine when and whether an armed attack is about to occur and that there is no other opportunity to prevent the negative consequences than resorting to because that's what self-defense is about a use of force so what is the conclusion of the Tallinn manual? well it is rather simple the easiest case of the one in the first paragraph if there is a cyber operation that indeed results in inflicting injury or death to people or damage and destruction of property well then the scale and effects requirement will most likely be fulfilled and that qualifies as an armed attack on the other hand they also agreed that mere cyber intrusions even if they result in data theft also intellectual property meaning that you are inflicting harm on the economy of another country because then those products will simply be copied and they didn't have to spend all that money for research etc still espionage whether by traditional means or by cyber means is not yet prohibited why? everybody does it and states would not do themselves a favor if they agreed on a prohibition of espionage on the other hand there are some others some other scenarios where the experts simply couldn't come up with a solution and those are those that have extensive negative effects but those effects are not akin to the use of traditional means of warfare and here again the example of New York Stock Exchange was heavily discussed you can imagine that almost in all respects the group was divided at least into three groups very often into three groups plus two or three subgroups that took a differentiated approach but again the black letter rule the substance of the law as such is clear but of course we must agree on how it applies to a given situation but that's again not the duty of academics that was not the task of the talent manual that's something our governments will have to do our governments will have to come together at least those that are like-minded that have a similar approach to cyber security and must agree on certain standards and if they do so and they are in a process of doing that right now they will come up at some day in the hopefully near future where they have agreed on certain criteria and then we are on a much safer ground with regard to the question of whether a certain operation constitutes an armed attack certainly if you look at what States did after the attacks on Estonia even though it brought down the entire cyber infrastructure of Estonia for a couple of days and it had far-reaching effects but still even though Estonia would have loved that to be a case of Article 5 of the NATO Treaty meaning a case of an armed attack against one of the Alliance members the other members said clearly no way, no way so the mere fact that you are vulnerable that you are even very vulnerable against cyber operations does not by necessity mean that other States would also consider that to constitute an armed attack that would trigger the right of self-defense of the target state now that was the first big part of the Tallinn Manual when may you resort to the use of force how may you respond to a cyber attack but then we also dealt with the other issue of conducting military operations in and through cyber space during an armed conflict in other words there is already an ongoing armed conflict between two or more States or in one single state a non-international armed conflict and the question has been which cyber operations may you conduct and which then of course must be in accordance with the law of armed conflict and don't forget there are some examples but before we dealt with these issues in the relation between the parties to the conflict we first had a look at neutrality even though you find that chapter much later in the Tallinn Manual because of the characteristics of cyber space you will always be if you are conducting a cyber operation somehow interfering with States that are not a party to the respective conflict you will route certain data during that state's cyber infrastructure etc etc and the question then is wow what about the obligation of those countries that are not directly participating in the armed conflict aren't they obliged to be impartial aren't they even obliged to prevent certain operations from being conducted from within their territory against one of the belligerents well we all agreed and that was an approach that had already been taken by the Air and Missile Warfare Manual that was published a couple of years ago that the mere fact that you are using something like the internet and don't forget the internet is only one aspect of cyber space the mere fact that you are conducting certain cyber operations through cyber space does not mean that this is a violation of neutrality in other words the neutral state even if it becomes aware of a certain cyber operation being conducted via its cyber infrastructure does not violate its obligations on the other hand and that is very important there is a clear prohibition for neutral states to knowingly allow their territory to be used for acts detrimental to any of the belligerents and if the neutral state so allows then the aggrieved belligerent is entitled to respond so the prohibition of the use of force for example does not apply in cases of severe violations of neutrality so imagine that one of the belligerents is conducting a cyber attack from the territory of utopia if utopia has knowledge of that operation or if it has been informed by one of the belligerents that that attack has been launched or is being launched from its territory then the neutral state is obliged to terminate that violation of its neutral status but don't forget this launching of a cyber attack from neutral territory must be clearly distinguished from an attack that is being conducted through or via the cyber structure of a neutral state the latter not being prohibited the former being prohibited and if there is a serious violation of the neutrality obligations well then the neutral state if it's unwilling or unable to terminate the violation must tolerate all measures by the aggrieved belligerent to restore the legal status which the neutral state is obliged to preserve the other questions of course what may a target during armed conflict and here we do have first of all the mother of all principles of the law of armed conflict the principle of distinction again that sounds pretty clear but the problem is what does this mean for cyber operations during an armed conflict especially in view of the fact that cyberspace is run by private actors much much more than by governmental or military institutions in other words the cyber infrastructure within a state will to 90% sometimes even more be of a so-called dual use character rather than of a genuinely military character if you have a genuinely military installation that's no problem you may of course destroy it you may neutralize it by all means that are not prohibited under the law of armed conflict so of course you can destroy a military cyber infrastructure in another country but does the interconnectivity of cyberspace mean and the fact that there are so many civilian actors using the same infrastructure as for example the enemies military does that make a cyber attack under the law of armed conflict impossible because you would immediately violate the principle of distinction where the short answer is no of course we must be aware that attacks against civilians and direct attacks against civilian objects are clearly prohibited there's even a prohibition of reprisals and there's also the prohibition of indiscriminate attacks which has very many aspects to it and you are of course always under a clear obligation to limit your attacks during an armed conflict to those objects that qualify as lawful targets and even if you have identified a lawful target you must take the necessary and feasible precautions in order to minimize as far as possible collateral damage to civilians and to civilian objects so after all it seems cyber operations during an armed conflict are rather difficult to accomplish right? no because we must be aware that the rules and I'm using here the additional protocol of 1977 only as a reference because the rules are undisputed the rules I'm referring to here are also recognized for example by the United States of America even though the US has not become a part into the additional protocol but we all agree that the substance of the articles I'm referring to are customary in character and are also binding on the United States so first of all we must be aware that there is a clear definition of attacks and we all agree on that definition it's another attack here, not the armed attack triggering the right of self-defense now we have to do here with attacks during an armed conflict and the rules I've just referred to principle of distinction prohibition of indiscriminate attacks etc etc they all apply to a given conduct meaning attack even though the language in other articles is a little bit loose in the protocol because it very generically only refers to military operations we can easily deduce from those rules that after all it means all attack so when it comes to the prohibition of collateral damage it's about attacks when it comes to precautions it's about attack and not about operations I'm saying that because there may be many cyber operations that are more akin to propaganda or something like which of course you may conduct without being limited by the principle of distinction and the other rules I've just referred to so it's only about attacks and attacks are defined as acts of violence and an act of violence means that there must be certain consequences like death and injury to individuals and destruction or and that's the important point, damage to an object so that is all agreed upon and we also can again refer to the examples of biological and chemical weapons that it need not be kinetic in character so that's all agreed but what does that mean in the consequence well first of all any cyber operation or cyber attack rather of which you can reasonably expect that it will inflict or will cause death, injury, destruction or damage constitutes an armed attack that does not mean that those effects must materialize in the real world they can indeed be limited to cyberspace but the mere fact that data have been manipulated that data have been interfered with that data in some or the other form have been modified as such is never enough we will may be there in some distant future from now but today mere interference with data does not qualify as an attack and be grateful for that because you may interfere with your enemies data without being limited by principle of proportionality etc etc you have a rather wide margin of discretion so interference with data is not an attack good but what is then an attack well remember destruction or damage how do you define damage well if I damage my car I know it's damage because somebody must repair it it must that person must in other words reinstall functionality because I cannot use it otherwise if it's damaged the functionality has been somehow detrimentally affected so if something needs to be repaired that's a clear indication that damage has been inflicted on an object so how do you translate that to the cyber world well I guess quite simply by saying even though there may be no material damage to the cyber infrastructure in another state but if you must reinstall the entire operating system that certainly amounts to a repair and if you agree with that then the operation constitutes and qualifies as an attack and you would be bound by the respective rules but the mere fact that secondary or tertiary effects are the consequences of a cyber operation does not mean that this amounts to an attack to give you a simple example New York Stock Exchange again the mere fact that a broker is so desperate that he jumps out of the window well yeah that's bad but that's certainly only a secondary or even a tertiary effect so the fact that you have attacked or conducted an operation against New York Stock Exchange does not mean that you have inflicted death or injury by that operation because there is no direct link to that but as you can imagine again two lawyers, five different answers that was a compromise position and there are many details where the experts either disagreed or weren't able to come to a solution but at least the substance is clear now since cyberspace is so heavily dependent on private actors just a short clarification we have heard so much about direct participation about civilians being prohibited from actively taking part in the hostilities forget that, that is wrong there is no prohibition for civilians to directly participate in hostilities so a government is free to use its regular armed forces or any other governmental agency even though that agency does not qualify as military the dark side of it is to put it short, don't get caught because as a member of the regular armed forces you have a certain privilege you enjoy combatant immunity nobody may prosecute or punish you for what you have done during an armed conflict apart from war crimes of course so you may kill, you may destroy you may injure, you may damage because that is your job and nobody can complain about it in an armed conflict as long as you do it in accordance with the law of course but a civilian doesn't have that privilege even though the civilian is not prohibited from conducting an attack during an armed conflict well, the civilian does not enjoy combatant immunity so if that civilian gets caught by the enemy that for him he is an unlawful combat may be prosecuted and punished for having directly participated but there is yet another aspect to it you may want to target that civilian right because that civilian is in a position to inflict serious damage on your military operations for example and there the law is again very clear direct participation by a civilian means that that civilian is not any longer protected as a civilian you may target that civilian so even if a 16 year or make it more drastically a 14 year old young man I think that's what you have to call them is actively and directly participating in hostilities you may kill him you may kill him that's the consequence at least for such time that he is so directly participating now the question of course is what is direct participation in hostilities unfortunately the International Committee of the Red Cross had the brilliant idea of publishing an interpretive guidance of what they considered direct participation in hostilities originally they had tried to do that with the consent of international experts Mike Schmidt and I and others being part of that group of experts we moved out, we withdrew our names because we said what you have done here is not a sober interpretation of international law what you have done here is wishful thinking and developing the law into a direction which does not reflect the present consensus of states but unfortunately the thing is out there and lawyers are lazy people unfortunately so they like to have a huge number of footnotes and what do you see? see also the interpretive guidance by the ICRC and then they believe that is the law that they have correctly identified the law well they have not because the ICRC in many points is simply wrong but of course the difficulties remain when does a certain activity amount to a direct participation for example what is the designing of malware which is not specifically intended to be used in armed conflict I think everybody can agree that this is not direct participation because a munitions factory worker is not directly participating in hostilities for the mere fact that he is manufacturing munitions or even weapons so we can agree on that but if they are maintaining a computer system for example that is crucial for a given military operation well then that civilian is clearly participating in hostilities so what have we achieved? you may say not much well I would object to that we have achieved quite a lot because as the united states president has said in 2011 this is a necessary first step to identify whether and to what extent the rules of international law applying to the user force in interstate relations and to the right of self defense we need to clarify those and the talent manual is a contribution to that process of clarification now as you can imagine there are already the critics out there even though the launching will be tomorrow but the critics have already gathered and there are two groups of critics the ones say ah, you have invented new rules and the others are saying exactly the contrary they are saying you are being slaves of the traditional rules of international law the lax later, the rules as they stand why haven't you used your imagination, your creativity well the short answer is because that was not our task and that is not what we wanted to do what we wanted to do was to identify which rules of the existing international law apply to cyber operations and if so to what extent we again are not the creators of international law that is the prerogative of states and not of NGOs, not of academics so our task was merely to look at the law and see does it apply or not and if so what does that mean in the concrete circumstances of the case so there is no progressive development in there and if you want to yes we were slaves to the law as it stands today and it may well be that in two or three years from now there must be a second edition of the talent manual because states will have in the meantime agreed on criteria, standards and even more elaborated rules that we of course then must take into consideration but as of today or tomorrow, March 15 or 14, 2013 that's what you have that's what you have so the talent manual is clearly a restatement of the existing law clearly then of course there are others who are saying ah look at the group United States, United States United Kingdom, Germany this is a Western thing, right how dare you what about geographical proportionality without which you can never ever identify existing rules of international law well welcome to Dreamland ah I remember when we drafted the San Remo manual on the law of naval warfare and when we drafted the Air and Missile warfare manual that we were desperately looking for somebody from Russia, China, other countries and we didn't find anybody we didn't find anybody neither by personal contacts nor by a research with regard to what has been published in those countries so the short answer is there was simply a lack of experts and don't forget geographical proportionality is only necessary if it comes to identifying new rules of international law but we limited ourselves to identifying the existing law as it already exists, as it already stands as states agree upon, right so there was no necessity for asking somebody from Utopia or Demonia or Ruritania whether he or she shares our findings hey after all we are experts, okay so we know how to deal with the law now the other problem is of course remember what I told you about cyber security issues can we really continue on the way that was taken by the Talin manual can we continue to make that clear distinction between the private sector and cyber crime on the one hand and a public state military sector on the other hand shouldn't we rather have a holistic a nice word that is so often being misused holistic approach, transparency yeah shouldn't we take that rather than having that sectorial approach to cyber security well again this is the first step this first step does not rule out that it will be further developed in the near future states may consider that to be the right approach they may say well we must do something about the existing law but I think this distinction is valid and continues to be valid again I don't want any of our governments to be put on the same footing as a member of the mafia or some other organized crime organization cyber crime is an issue, no question it is an important aspect of cyber security, no question but this does not mean that governments should waive their right to conduct certain operations even in cyberspace and even though that operation if conducted by a civilian would be considered an ordinary crime but that is the difference and rightly so governments have certain privileges as civilian simply doesn't have and they may do things civilians simply may not do and that is the right way of approaching cyber security so it may well be that we have with the Tallinn manual somehow interrupted a process that some would have liked to be or constitute a holistic approach to cyber security without a distinction between the public and the private sector any longer but I think we have added something to legal clarity and thus to legal security and we will have to wait and see whether and to what extent governments are willing to take up what we have come up with and I am proud to say that many governments have already told us informally of course hey we like what you did so if that's the case why should we then be too nervous about what the future will bring so ladies and gentlemen it's up to you now you have 18 minutes