Legal requirements in international relations of governments for cyber-attacks?
Topic question: What are the legal requirements in international relations of governments for cyber-attacks?
Description:
The overarching theme I wish to focus my thesis on is terrorism in the form of cyberwarfare This is fine but drop the terrorism part- some cyberattacks may be terrorist, some are not so keep the focus on cyberattacks to avoid getting sidetracked into the whole terrorism debate. The reason I chose to research this topic over others is because more and more governments are beginning to transition their data and other sensitive information onto digital platforms (e.g. online databases) which can be compromised- so do you just want to look at cyberattacks on information databases or cyberattacks in general- for instance, these could be on infrastructure, on weapons, or even on corporations (like the Sony attack).
In particular, I wish to focus on how the change in the scope of power from hard power to soft power has also shifted in the process of military attacks to cyberattack- cyberattacks would also fall under hard power depending on the target of the attack. As of now, there is a gray area as to how cyber-attacks fit into the framework of humanitarian law- better to think of it how it fits into the legal framework for war. In order for cyber-attacks to be viewed in the same light as armed attacks it is necessary for cyber-attacks to fit into the same framework of humanitarian law that armed attacks are- why? Not really necessary- unless you make the case.
Currently there are existing documents identifying governments responsibilities in conducting? military strikes- unsure what this means? Do you mean obligations?. Therefore, I wish to develop an analytical-descriptive method based on these existing documents to identify governments responsibilities for their cyberattacks. Cyber-attacks, like armed attacks, impact humanity in a variety of ways- potentially, yes. Cyberattacks can target a large variety of sectors within a government- so one thing to decide on is what kind of cyberattacks you’re interested in- maybe pick two that target different types of entities- government or civilian. The damage done by these attacks can also vary substantially. To limit this scope I will create two baskets of cyberattacks: one which warrants legitimate defense, to the same degree that a government would take in an armed attack situation, and one which does not.
- The question shifts throughout this and is not clear but the broader topic of cyberattacks and determining their legal status is fine. You have some options as to the precise direction you could take:
- Examine the existing legal status of cyberattacks at the international level- what’s the existing set of frameworks, responses, how does it fit into international law – and what are the loopholes/problems that it creates for states that want to retaliate for cyberwarfare. I think this is the most promising angle
- Pick existing cases (maybe 2 contrasting cases depending on the target) and examine how retaliation in a legal sense can work- what are the problems/issues with that for states?
- You could also look at non-legal retaliation for cyberwarfare- sanctions etc.
Either way- Definitely identify some cases of cyberattacks so that you ground your paper in something concrete- Stuxnet is an important case, Russian attacks in Estonia in the mid 2000s are also important as is U.S. cyberattacks on Russian powergrids.
And read Joseph Nye’s work on cyberdetterence and Susan Hennesey to get started on an understanding of the issues.
Sources:
International Relations:
- Pick existing cases (maybe 2 contrasting cases depending on the target) and examine how retaliation in a legal sense can work- what are the problems/issues with that for states?
State actors:
- USA
- Israel
- Ukraine
- Iran
- Russia
Cases:
- Stuxnet (Iran nuclear program)
- Estonia (Russia)
- Bulgaria (Russia)
- Russia (U.S. attacks on power grid)
- Ukraine (Russian attacks on power grid)
- Stuxnet
- Dates: January 2010 – July 2015
- 3 November 2005: C&C server registration (version 0.5)
- 4 July 2009: Infection stop date (version 0.5)
- 22 June 2009: Main binary compile timestamp (version 1.0)
- 24 June 2012: Infection stop date (version 1.0)
- 10 August 2012: President Barack Obama signed into law the Iran Threat Reduction and Syria Human Rights Act (expanding Jan sanctions)
- 14 July 2015: Joint Comprehensive Plan of Action (JCOPA) passed in the US Congress and the Iranian Parliament approving the deal
- Authors:
- S. National Security Agency
- CIA
- Israeli Intelligence
- Overview:
- Stuxnet is a computer worm that was aimed at Iran’s nuclear facilities. The worm has since mutated and spread to other industrial and energy-producing facilities.
- Stuxnet gained notoriety for its capability of crippling hardware. The computer worm targeted the programmable logic controllers (PLCs) used to automate machine processes. Stuxnet was programed to make the uranium enrichment centrifuges spin faster than they were supposed to, causing them to break.
- International authorities suspected Iran’s nuclear facility in Natanz was where the country was working on its secret nuclear weapons program. Stuxnet reportedly destroyed one-fifth of the centrifuges in Iran’s Natanz uranium enrichment facility.
- Sources:
- Stuxnet 0.5: The Missing Link by Geoff McDonald, Liam O Murchu, Stephen Doherty, Eric Chien. 2013. Symatec Security Response.
- 32.Stuxnet Dossier. Symatec Security Response by Nicolas Falliere, Liam O Murchu, Eric Chien. 2011. W.32.Stuxnet Dossier.
- Deterrence and Dissuasion in Cyberspaceby Joseph S. Nye Jr., International Security, Vol. 41, No. 3, Winter 2016/2017.
- Dates: January 2010 – July 2015
Regions:
- Middle East:
- The use of cyber-attacks in exchange for geopolitical power is unraveling a already unstable region.
- Actors: Iran, Saudi Arabia
- Americas:
The use of cyber-attacks in exchange
