Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 3):Confidence Building Measures, Capacity Building and Institutional Dialogue

Ananya Moncourt & Sidharth Deb

“Smoking Gun” by Claudio Rousselon is licensed under CC BY 4.0

• Introduction

In Part 1 this three-part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) we critiqued how the OEWG is incorporating the participation of non-governmental stakeholders within its process. In Part 2 we reflected on States’ (including India’s) participation on discussions under three main themes of the OEWG’s institutional mandate as detailed under para 1 of the December 2020 dated UN General Assembly (GA) Resolution 75/240.

This analysis revealed how lawfare and geopolitical tensions are resulting in substantive divides on matters relating to (a) the definition and identification of threats in cyberspace; (b) the future direction and role of cyber norms in international ICT security; and (c) the applicability of international law in cyberspace. In Part 3 our focus turns to discussions at the second session as it related to inter-State and institutional cooperation. Specifically, we examine confidence building measures, cyber capacity building, and regular institutional dialogue. The post concludes by offering some expectations on the way forward for ongoing international cybersecurity and cybercrime processes.

• Confidence Building Measures (CBMs)

Under CBMs, States focused on cooperation, collaboration, open dialogue, transparency and predictability. These included  proposals operationalising a directory of national point of  contacts (PoCs) at technical, policy, law enforcement and diplomatic levels. Several States suggested that CBMs would benefit from including non-governmental stakeholders and integrating with bilateral/regional arrangements like ASEAN, OSCE and OAS. States identified UNIDIR’s Cyber Policy Portal as a potential platform to advance transparency on national positions, institutional structures and best practices. South Korea, Malaysia and others proposed using the portal for early warning systems, new cyber norms discussions, vulnerability disclosures, and voluntary information sharing about national military capabilities in cyberspace. Other priority issues included (a) collaboration between CERTs to prevent, detect and respond to cybersecurity incidents; and (b) critical infrastructure protection.

CBMs were another site of substantive lawfare. Russia and its allies stressed on the need for objective dialogue to prevent misperceptions. They urged States to consider all technical aspects of cyber incidents to minimise escalatory risks of “false flag” cyber operations. As we have discussed earlier in Part 2, Iran and Cuba argued against States’ use of coercive measures (e.g. sanctions) which restrict/prevent access to crucial global ICT infrastructures. These States also highlighted challenges with online anonymity, hostile content, and the private sector’s (un)accountability.

India focused on cooperation between PoCs for technical (e.g. via a network of CERTs) and policy matters. They espoused the benefits of integrating CBM efforts with bilateral, regional and multilateral arrangements. Practical cooperation through tabletop exercises, workshops and conferences were proposed. Finally, India stressed on the importance of real-time information sharing on threats and operations targeting critical infrastructures. The latter is a likely reference to challenges States like India face vis-a-vis jurisdiction and MLAT frameworks.

• Capacity Building

Consistent with the first OEWG’s final report, States suggested that capacity building activities should be:

• sustainable,
• purpose and results focused,
• evidence-based,
• transparent,
• non-discriminatory,
• politically neutral,
• sovereignty respecting,
• universal, and
• facilitate access to ICTs.

States advocated international capacity building activities correspond with national needs/priorities and benchmarked against internationally determined baselines. The UK recommended Oxford’s Cybersecurity Capacity Maturity Model for national assessments.  States recommended harmonising capacity building programmes with bilateral and regional efforts. Iran and Singapore proposed fellowships, workshops, training programmes, education courses, etc as platforms for technical capacity building for State officials/experts. States suggested UNIDIR assume the role of mapping global and regional cyber capacity building efforts—spanning financial support and technical assistance—aimed at compiling a list of best practices. Disaster and climate resilience of ICT infrastructure was a shared concern among Member States.

Even under this theme Russia and their allies addressed unilateral issues like sanctions which limit universal access to crucial ICT environments and systems. Citing the principle of universality, Russia even proposed the OEWG contemplate regulation to control State actions in this regard. Iran built on this and proposed prohibiting States from blocking public access to country-specific apps, IP addresses and domain names.

India recommended capacity building targeting national technical and policy agencies. It proposed funnelling capacity building through regular institutional dialogue to ensure inclusivity, neutrality and trust. India proposed a forum of CERTs, under the UN, to facilitate tabletop exercises, critical infrastructure security, general cybersecurity awareness campaigns, and cyber threat preparedness. India proposed establishing an international counter task force comprising international experts in order to provide technical assistance and infrastructural support for cyber defences and cyber incident response against critical infrastructure threats. Member Sates requested India to elaborate on this proposal.

• Regular Institutional Dialogue

Several States like France, Egypt, Canada, Germany, Korea, Chile, Japan and Colombia identified a previously proposed Programme of Action (PoA) to facilitate coordinated cyber capacity building. France proposed the PoA assist States with the technical expertise for cyber incident response, national cybersecurity policies, and critical infrastructure protection. States also identified the PoA to maintain a trust fund for cyber capacity building projects, and serve as a platform to assist States identify national needs and track implementation of cyber norms. Prior to the third substantive session, co-sponsors are expected to share an updated version of its working paper with the OEWG secretariat. These States have also proposed that the PoA serve as a venue for structured involvement of non-governmental stakeholders.

In order to harmonise the mandates of the OEWG and the PoA, Canada proposed that the OEWG serve as the venue where core normative aspects are finalised, and the PoA works on international implementation. The Sino-Russian bloc and developing countries expressed concerns about the PoA as a forum for regular institutional dialogue. Iran suggested that the OEWG instead operate as an exclusive international forum on cybersecurity. Cuba and Russia maintained that a parallel PoA would undercut the OWEG’s centrality.

While India’s intervention recognises the importance of regular institutional dialogue, it insists that such interactions be intergovernmental. It recommends that States retain primary responsibility for issues in cyberspace relating to national security, public safety and the rule of law.

• Way Forward

The OEWG Chair aims to finalise a zero draft of its first annual progress report, for consultations and written inputs, approximately six weeks prior to the OEWG’s third substantive session in July 2022. It will be interesting to track how lawfare affects the report and other international processes.  

In this regard, it is crucial to juxtapose the OEWG against the UN’s ongoing ad-hoc committee in which States are negotiating a draft convention on cybercrime. Too often these conversations can be stuck in silos, however these two processes will collectively shape the broad contours of international regulation of cyberspace. Already, we observe India’s participation in the latter is shaped by its doctrinal underpinnings of the Information Technology Act—and it will be important to track how these discussions evolve.

Reflections on Second Substantive Session of UN OEWG on ICT Security (Part 2): Threats, Cyber Norms and International Law

Ananya Moncourt & Sidharth Deb

“Aspects of Cyber Conflict (pt. 3)” by Linda Graf is licensed under CC BY 4.0

Introduction

Part 1 of this three part series on the second substantive session of the United Nations’ (UN) Open-Ended Working Group (OEWG) on ICT security (2021-25) analysed key organisational developments regarding multistakeholder participation. The post contextualised the OEWG’s institutional mandate, analysed the impact of the Russia-Ukraine conflict on discussions, traced differing State positions, and critiqued the overall inclusiveness of final modalities on stakeholder participation at the OEWG.

This post (and subsequently Part 3) analyses substantial discussions at the session held between March 28 and April 01, 2022. These discussions were organised according to the OEWG’s mandate outlined in UN General Assembly (GA) Resolution 75/240. Accordingly, Part 2’s analysis covers:

• existing and potential threats to “information security”.
• rules, norms and principles of responsible State behaviour i.e. cyber norms.
• international law’s applicability to States’ use of ICTs.

Both posts examine differing State interventions, and India’s interventions under each theme. The combined analysis of Parts 2 and 3 provides evidence that UN cybersecurity processes struggle with an inherent tension. This relates to the dichotomy between the OEWG’s mandate, which is based on confidence building, cooperation, collective resilience, common understanding and mutual accountability; as against the geopolitical rivalries which shape multilateralism. Specifically, it demonstrates the role of lawfare within these processes.

Existing and Potential Threats

Discussions reflected the wide heterogeneities of States’ perceptions of threats in cyberspace. The US, UK, EU, Estonia, France, Germany, Canada, Singapore, Netherlands and Japan prioritise securing critical infrastructure and ICT supply chains. Submarine cables, communication networks, rail systems, the public core of the internet, healthcare infrastructure and information assets, humanitarian databases, and oil and gas pipelines were cited as contemporary targets. Ransomware and social engineering were highlighted as prominent malicious cyber techniques.

In contrast, Russia, China and allies like Syria, Cuba and Iran urged the OEWG to address threats which conform to their understanding of “information security”. Premised on information sovereignty and domestic regime stability, prior proposals like the International Code of Conduct for Information Security offers a template in understanding their objectives. These States advocate regulating large-scale disinformation, terrorism, recruitment, hate speech and propaganda occurring over private digital platforms like social media. Cuba described such ICTs as tools for interventionism and destabilisation which interfere in States’ internal affairs. Iran and Venezuela cautioned States against using globally integral ICT systems as conduits for illegitimate geopolitical goals, which compromise other States’ cyber sovereignty—a recurring theme of these States’ engagement at the session.

Netherlands and Germany described threats against democratic and/or electoral processes as threats to critical infrastructure. Similarly, France described disinformation as a risk to security and stability in cyberspace. This is important to track since partial intersections with the Sino-Russian understanding of information security could increase future prospects of information flows regulation at the OEWG.

Developing States like Brazil, Venezuela and Pakistan characterised the digital/ICT divide between States as a major threat to cyberspace stability. Thus, capacity building, multistakeholder involvement and international cooperation — at CERT, policymaking and law enforcement levels — were introduced early as key elements of international cybersecurity. UK and Russia supported this agenda. France, China and Ecuador identified the development of cyber offensive capabilities as an international threat since they legitimise cyberspace as a theatre of military operations.

India’s participation in this area treads a middle ground. ICT supply chain security across infrastructure, products and services; and the protection of “critical information infrastructures” (CIIs) integral to economies and “social harmony” were stated priorities. Notably, the definition of CIIs under the Information Technology Act does not cite social harmony. India cited ransomware, misinformation, data security breaches and “… mismatches in cyber capabilities between Member States” as contemporary threats. To mitigate these threats, India advocated for improved information sharing and cooperation at technical, policy and government levels across Member States.

Cyber Norms

States disagreed on whether prior GGE and OEWG consensus reports serve as a minimum baseline for future cyber norms discussions. The Sino-Russian camp which includes Iraq, Nicaragua, Pakistan, Belarus, Cuba and others argued that cyber norms are an insufficient fix, and instead proposed a new legally binding instrument on international cybersecurity. China proposed a Global Initiative on Data Security as a blueprint for such a framework. Calls for treaties/conventions could trigger reintroduction of prior proposals on information security by these States.

The US, UK, Australia, Japan, France, Germany, Netherlands and allied States, and developing countries like Brazil, Argentina, Costa Rica, South Africa and Kenya argued that, instead of revisiting first principles, the current OEWG’s focus should be the implementation of earlier agreed cyber norms. Self-assessment of States’ implementation of the cyber norms framework was considered an international first step. The United Nations Institute for Disarmament Research (UNIDIR) in partnership with Australia, Canada, Mexico and others, launched a new national survey tool to gauge countries’ trajectories in implementation. Since cyber norms are voluntary, the survey serves as a soft mechanism of accountability, a platform which democratises best practices, and a directory of national points-of-contact (PoCs) wherein States can connect and collaborate.

States also raised substantive areas for discussions on new norms or clarifications on existing ones. Netherlands, US, UK and Estonia called for protections safeguarding the public core of the internet, since it comprises the technical backbone infrastructure in cyberspace which facilitates freedom of expression, peaceful assembly and access to online information. “Due diligence”— which requires States to not allow their territory to be used for internationally wrongful acts—was another substantive area of interest.

ICT supply chain integrity and attribution generated substantial interest. Given the close scrutiny on domestic companies, under this theme China recommended new rules and standards on international supply chain security. If analysed through lawfare this proposal perhaps aims to minimise targeted State measures against Chinese ICT suppliers in both telecom and digital markets.

The US pressed for deliberations on “attribution” and specifically public attribution of State-sponsored malicious cyber activities. China cautioned against hasty public attributions since it may cause escalation and inter-State confrontation. China argued that attributions on cyber incidents require complete and sufficient technical evidence. The sole emphasis on technical evidence (which ignores surrounding evidence and factors) could be strategic since it creates a challenging threshold for attribution. As a result it could counter-intuitively end up obfuscating the source of malicious activities in cyberspace.

Discussions on “critical infrastructure” protection also raised important interventions. Singapore stated that critical infrastructure security should protect electoral and democratic integrity. China argued for an international definition of “critical infrastructure” consistent with sovereignty. Over time such representations could further legitimise greater information controls and embed the Sino-Russian conception of information security within global processes.

India focused on supply chain integrity, critical infrastructure protection and greater institutional and policy cooperation. They advocated close cooperation in matters involving criminal and terrorist use of ICTs. There were also brief references to democratisation of cyber capabilities across Member States and the role of cloud computing infrastructure in future inter-State conflicts. This served as a prelude to India’s interventions under international law.

International Law

Familiar geopolitical fragmentations shaped discussions. Russia, China, Cuba, Belarus, Iran, and Syria called for a binding international instrument which regulates State behaviour in cyberspace. Belarus argued that extant international legal norms and the UN Charter lack meaningful applicability to modern cyber threat landscapes. Russia and Syria called for clarity on what areas and issues fall within the sphere of international cybersecurity. Viewed through the lens of lawfare, it appears that such proposals aim to integrate their conceptions of information security within OEWG discussions.

EU, Estonia, Australia and France argued this would undermine prior international processes and the cyber norms framework. The US, UK, Australia, Canada, Brazil, France, Japan, Germany and Korea instead focused on developing a common understanding on international law’s applicability to cyberspace, including the UN Charter. They pushed for dialogue on international humanitarian law, international human rights law, prohibition on the use of force, and the right to self-defence against armed attacks. Similar to previous failed negotiations at the 5^th GGE, these issues continue to remain contentious areas. For instance, Cuba argued against the applicability of the right to self-defence since no cybersecurity incident can qualify as an “armed attack”.

Sovereignty, sovereign equality and non-interference in States’ internal affairs were prominent issues. Other substantive areas included attribution (technical, legal and political), critical infrastructure protection and the peaceful settlement of disputes. To enable common understanding and potential consensus on international law, the US, Singapore and Switzerland advocated the OEWG follow a similar approach to the 6^th UN GGE. Specifically, they suggested developing a voluntary compendium of national positions on the applicability of international law in cyberspace.

India addressed issues relating to sovereignty, non-intervention in internal affairs, prohibition of the use of force, attribution, and dispute settlement. It discussed the need to assign international responsibility on States for cyber operations emerging from one State and which have extra-territorial effects. They argued for States enjoying the sovereignty to pass domestic laws/policies towards securing their ICT environments. India advocated imposing upon States an obligation to take reasonable steps to stop ICT-based internationally wrongful acts domestically. Finally, it highlighted that international law must adapt to the role of cloud computing hosting data/malicious activities in cross-border settings.

Conclusion | Previewing Part 3

In Part 2 of this series on the second substantive session of the OEWG on ICT Security (2021-25) we have analysed States’ interventions on matters relating to existing and potential threats to information security; the future role of cyber norms for responsible State behaviour in cyberspace; and the applicability of international law within cyberspace. In Part 3 we assess discussions relating to confidence building measures, capacity building and regular institutional dialogue. While this post reveals the geopolitical tensions which influence international cybersecurity discussions, the next post focuses extensively on the international cooperation, trust building, technical and institutional collaboration, and developmental aspects of these processes.

Technology & National Security Reflection Series Paper 10: International Responsibility for Hacker-for-Hire Operations: The BellTrox Problem

Anmol Dhawan^*

About the Author: The author is a 2021 graduate of National Law University, Delhi.

Editor’s Note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author’s contribution serves as an adapted reflection to the following proposition:

“From the standpoint of international law, does the Government of India bear any international legal responsibility for the actions of BellTrox InfoTech Services (or any other similar ‘hackers-for-hire’ operations run from Indian territory)? If yes, what are the legal prerequisites that need to be satisfied to affix such responsibility on the Government? If not, explain with reasons.” 

1. INTRODUCTION 

In 2020, The Citizen Lab released a report naming an obscure Delhi-based company, Belltrox Infotech Services, as a major player in commercial espionage operations against high-profile organizations as a hacker-for-hire entity. The targets included nonprofits and advocacy groups working on issues like climate change and net neutrality in the US, such as the Rockefeller Family Fund, Free Press, and Greenpeace.

Such cyber-espionage activities, inter alia, highlight the uncertainty in the application of international law in cyberspace. An analysis of BellTrox’s alleged operations raises questions as to whether there is an internationally wrongful act for which responsibility needs to be affixed, who bears such responsibility, and to what extent. 

As per Article 2 of the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (‘ARSIWA’), a State is responsible for an internationally wrongful act when it commits an act or omission fulfilling two basic criteria. First, the act or omission is attributable to that State; and second, it constitutes a breach of that State’s international obligation. 

Accordingly, this piece analyses the nature of attribution in the cyber context, the problems therein, and whether current frameworks take account of the unique nature of cyber-attacks vis-à-vis hacker-for-hire situations. Further, the article evaluates whether low-level cyber-attacks such as BellTrox’s constitute a breach of an international obligation, with particular reference to the principles of sovereignty and non-intervention. Finally, the piece attempts to distill shortcomings under the international law regime governing cyberspace and considers avenues to bridge the gaps. 

“Hackers (pt. 1)” by Ifrah Yousuf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. ATTRIBUTION 

Attribution is a normative operation used to demonstrate a nexus between the perpetrators of an act and a State. Although conduct under ARSIWA is limited to acts of State organs, Article 8 states that the wrongful conduct of a non-State entity directed or controlled by that State may be attributable to the State.

Traditionally, such attributability was restricted to activities carried out under a State’s ‘effective control’. As applied by the International Court of Justice (‘ICJ’) in Nicaragua, the effective control test requires a State to have, directed, commanded, or otherwise directly controlled the actor in question. The Tallinn Manual also follows this threshold for attribution in cyberspace. However, BellTrox’s conduct cannot be attributed to India under this test as the company is neither a State organ nor is there any evidence reflecting that it acted under the control of the Indian state. Further, BellTrox’s conduct cannot be attributed to India under the much lower threshold of the ‘overall control’ test of the International Criminal Tribunal for the Former Yugoslavia’s in Tadic (which the ICJ later rejected in the Bosnian Genocide Case) either. Under the overall control test, even supporting, equipping, or financing a non-state actor could suffice for attribution.

In evaluating responsibility for non-state actors’ conduct, we must consider other standards seen in international law. The US response to the 9/11 attacks marked a shift from the traditional responsibility thresholds towards an ‘indirect responsibility’ criterion. This threshold can be inferred from the communication of the US to the UN Security Council, in establishing a right of self-defense. The US focused on an ‘unwillingness’ standard, highlighting the Taliban regime’s refusal to change its policy towards Al Qaeda despite having control over large areas where it operated. However, in invoking this standard, the US emphasized that the Taliban gave some degree of support to Al Qaeda over and above mere sanctuary.

Although this theory of indirect or vicarious responsibility does not have enough support to constitute customary international law, it does find some backing in the Corfu Channel judgment. The ICJ held that States ought not to allow their territory to be used in a way that endangers other States. This idea has developed in relation to terrorist activities, whereby the Friendly Relations Declaration as well as UN Security Council  Resolution 1373 demand that States deny safe haven to terrorist activities.

Jason Healey expands on such a standard of passive responsibility, focussing on a State’s accountability for fostering an environment where attacks could occur instead of “shrinking the sanctuaries from where criminals act with impunity.” ICJ’s Tehran judgment also supports the proposition that a State’s failure to take appropriate steps to prevent violations could render it responsible for the wrongful conduct.

If we were to apply this broad threshold, it is conceivable that BellTrox’s conduct could be attributed to India. However, a State cannot be held responsible for all acts perpetrated within its territory. Thus, a more ideal starting point of assigning State responsibility for non-State actors’ conduct in cyberspace should involve combining the aforementioned standard with the ‘due diligence’ principle. Accordingly, attribution would entail a two-step determination. First, ascertaining a State’s unwillingness to prevent a non-state actor’s illegal conduct despite being in a position to do so. Second, whether the State exercised reasonable due diligence in attempting to prevent the conduct. A failure in either could render the State internationally responsible. 

Scholars have suggested specific guidelines for due diligence, including enacting criminal law against the commission of cyber-attacks, instituting good-faith investigations and prosecution, and cooperation with victim States. The 2015 Report of the Group of Government Experts (GGE) calls upon States to respond to requests for mitigating malicious ICT activity arising out of their territory. The GGE report highlights that knowledge plays a role in determining attributability and States have a due diligence obligation towards post-facto mitigation of identified unlawful cyber activity emanating from their territory. 

As Healey emphasizes– unfortunately, in cyberspace, States do not expect other States to exercise the same degree of control over their subjects; and the international community considers States helpless in mitigating cyber attacks originating from their territory.  However, moving away from a narrow attribution requirement, victim States could push origin States towards taking well-established steps for mitigating attacks and ensuring prosecution to avoid responsibility for wrongful conduct.

3. SOVEREIGNTY AND NON-INTERVENTION 

The second prong of State responsibility is the requirement of the breach of a State’s international obligation. As per the UN GGE’s 2013 and 2015 reports, States are, in principle, at a consensus as to the application of the principles of sovereignty and non-intervention in cyberspace. In essence, the principle of State sovereignty relates to a State’s authority over its territorial integrity, sovereign functions, and political independence to the exclusion of others. The prohibition on unlawful intervention derives from the principle of sovereignty, and as outlined by the ICJ in Nicaragua, points to the coercion of one State by another in matters within the former’s sovereignty.

The first element of intervention, i.e., ‘coercion’, refers to an attempt to influence an outcome in the target state, depriving the target state of control over the ‘functions inherent in sovereignty’. An  example of coercive behavior could be the use of cyberspace to compel another state to adopt a particular legislation. This understanding under the Tallinn Manual is broadened to include all kinds of coercive acts designed to force a state to act, or not act, in a particular manner. 

It is unlikely that international law, as it stands, would find cyber-operations like BellTrox’s to be coercive. Although targeting of eminent private groups and advocacy organizations may point towards an attempt to influence US policy, it cannot be concluded that the operations or the information gathered could have pressurized the US government to legislate in a particular manner. 

The second element of intervention is that the coercive behaviour must be directed towards the ‘matters in which a State is permitted to decide freely’. The Friendly Relations Declaration defines an intervention as interference in the State’s personality or against its political, economic, and cultural elements. The Tallinn Manual 2.0 bases violation of sovereignty on the usurpation of an inherently governmental function through interference in matters within the domaine reserve of the State.

However, to engage the non-intervention principle, the operations must be directed at the State’s practical ability to exercise its sovereign function. Thus, the NotPetya attacks attributed to Russia, which targeted Ukraine’s financial system, transport and energy facilities have been considered violations of international law by the UK and its allies. However, a spear-phishing campaign attacking private Universities and NGOs or the WannaCry ransomware attack attempting to extort hard currency from users were not considered as such. The US called the alleged Russian hacking of the Democratic National Congress an ‘attempt to interfere with its election process’, with Department of State’s Legal Adviser Brian Egan categorizing it “a clear violation of the rule of non-intervention.”

In contrast, Belltrox’s alleged hacker-for-hire scheme appears to target private persons, institutions, and advocacy firms without directly interfering in sovereign functions. Even if BellTrox’s actions are considered as attempts to influence US policy, public interest advocacy and policy research are not exclusively governmental functions. Moreover, espionage against private organizations does not preclude a State from deciding freely on sovereign matters. Resultantly, it is unlikely that BellTrox’s operations would ipso facto constitute an internationally wrongful act of intervention.  

4. CONCLUSION 

The BellTrox problem highlights the need to move away from the traditional attribution fixation to hold States accountable for mitigating cyber-attacks. The conventional understanding of internationally wrongful acts only takes into account the nature of kinetic warfare and interventions in other States, thus failing to account for the ability of non-State actors to cause similar damage when shielded and given a safe haven by States. Therefore, instead of the ‘effective control’ and ‘overall control’ tests, a shift towards the theory of ‘indirect responsibility’, in combination with a due diligence standard for states, would be more effective in the cyber world. 

Applying such a test, if India did provide a safe haven to BellTrox, in that it ignored the threat or was unwilling to mitigate it despite knowledge of malicious cyber-activities, these activities could be attributed to India. Further, on account of the due diligence requirement, a State’s failure to take appropriate action on intimation by a victim State would strengthen the latter’s claim for affixing responsibility. 

In regard to intervention in sovereign matters, the expanded understanding in Nicaragua and the Tallinn Manual reflects that a direct attempt to cause a change in another State’s law or policy would constitute an unlawful intervention. However, the problem in the current scenario lies in showing that BellTrox could use the information gathered to coerce the US to act towards a particular objective. Indirectly influencing the actions of private individuals and advocacy organizations might not restrict the State in its sovereign functions and hence, is unlikely to constitute intervention. 

The BellTrox case outlines multiple gaps in international law with respect to cyberspace. Although existing law might not hold States internationally responsible for non-state actors’ private cyber operations originating from within their territory, victim States must invoke the accountability of origin States for mitigating cyber threats and ensuring prosecution. Further, pressure by the international community on States to conform to their due diligence obligations would be a substantive move in the right direction.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 9: Legality of Foreign Influence Operations (“FIOS”) Under International Law

Neeraj Nainani^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. He currently works as an Associate at AZB & Partners, Mumbai. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

1. INTRODUCTION

States have always tried to influence opinions and politics of other sovereign states. Sun Tzu advocated spreading false information to take tactical advantage while Genghis Khan and his men planted rumors about their cruelty and their horsemen to spread fear and to weaken the enemy’s resilience.¹ However, changes in technology have drastically altered the way in which influence operations are conducted. The continuous evolution of information technology (“IT”) has resulted in progressive transformation in the information environment both in terms of constituent elements and inherent dynamics. 

Due to this transformation, the dissemination of information on a large scale is no longer controlled by a few stakeholders within democracies. This transformation is accelerated by the advent of online and social media platforms. Such platforms have upended the financial configuration of the media landscape in a manner in which prioritizes commercial revenues over the reliability and integrity of information which is consumed. 

These incentive structures have become fertile ground for influence operations which are increasingly shifting to cyberspace. In fact these online influence operations are being used to interfere in matters of other countries, especially elections. Cyber influence operations are defined as

“… activities that are run in cyberspace, leverage this space’s distributed vulnerabilities, and rely on cyber-related tools and techniques to affect an audience’s choices, ideas, opinions, emotions or motivations, and interfere with its decision making processes”.

The author will look at the status of cyber influence operations under international law and examine whether they violate principles of sovereignty and non-intervention and other obligations of states under international law. 

“Aspects of Cyber Conflict (pt. 4)” by Linda Graf is licensed under CC BY 4.0. From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

2. FIOs AND THE PRINCIPLE OF SOVEREIGNTY

A state’s sovereignty is one of the most important concepts in international law. The ICJ has recognized the centrality of sovereignty by holding that “the whole international law rests” upon the concept of sovereignty. However, scholars highlight two issues as challenges to the argument that cyber influence operations may violate a State’s sovereignty. 

First, the conceptual understanding of sovereignty is currently challenged as an international legal obligation, especially in cyberspace. The authors of the Tallinn Manual on the international law applicable to cyber operations have recognized sovereignty as a primary and central principle of international law. The United Kingdom has observed that even though sovereignty is an important concept in international systems, “we can currently extrapolate from that general principle a specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention”. The chief lawyer to the U.S. Cyber Command has also argued that sovereignty is “a principle of international law that guides state interactions, but is not itself a binding rule that dictates results under international law”.

The second argument pertains to the application of sovereignty principle over influence operations. Tallinn Manual 2.0 recognizes that a cyber operation constitutes a violation of sovereignty when they result in cause “physical damage or injury”, or the remote causation of “loss of functionality” of infrastructure in the target state or when they interfere with or usurp inherently governmental functions. However, there was division among the experts on the threshold which would amount to violation. The test is irrelevant for cyber influence operations as they generally do not cause physical damage or loss of functionality. Further, the authors of Tallinn manual were also not able to reach consensus on whether the cyber influence operations violate notions of territorial sovereignty of nations states.

The other touchstone to test cyber influence operations is on the notion of interfering with or usurping inherently governmental functions. Some authors have argued that it is unclear “whether a cyber influence operation on an election falls within the bounds of the terms ‘interference’ or ‘usurpation’.” Authors of Tallinn Manual have argued that the transmission of propaganda alone is generally not a violation of sovereignty. Michael Schmitt argues that the doxing operations disclosing crucial confidential information at crucial moments before the national elections as well disinformation campaigns involving overt acts from fake accounts are serious and classification of these serious influence operations as violations of sovereignty is “somewhat supportable”. Schmitt concludes that influence operations currently fall within “the legal grey zone of the law of sovereignty”.

One of the arguments to consider is that influence operations are generally backed with some additional overt or covert act such as doxing supported by hacks, or information warfare supported by the violation of privacy. UNGA has observed in the context of elections that “any activities that attempt, directly or indirectly, to interfere in the free development of national electoral processes, in particular in the developing countries, or that are intended to sway the results of such processes, violate the spirit and letter of the principles established in the Charter”. 

Influence operations do more than merely transmit propaganda. They perform subversive acts aiming at destabilizing State institutions by influencing nationals of another State; and enable militant democracy which allows the attacking state to indulge in political and legal warfare in the medium and long term. Further, influence operations interfere with the duty of the state to conduct free and fair elections.

3. FIOs AND THE PRINCIPLE OF NON-INTERVENTION

The other possible argument questioning the legality of influence operations under international law is the settled principle of non-interference. As per the ICJ’s decision in Nicaragua, an intervention by a State is unlawful when first, it has a bearing on matters which by principle the state can decide freely, second, the state uses methods of coercion. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations provides that “a State may not intervene, including by cyber means, in the internal or external affairs of another State” 

Duncan Hollis identifies two key issues with bringing cyber-enabled foreign influence operations within the principle of non-intervention. Firstly, that the content of the categories i.e. internal and external affairs of the state is not well defined. He argues that in earlier times there were subjects clearly cabined off from international attention that a state could address. However, with technological advancements and globalization, such subjects are limited and every subject attracts international attention. Therefore, any idea defining internal affairs of the state is likely to be limited, contested, and dynamic. However, the influence operations do not merely mean ‘international interest’ from a particular state. Influence operations more often than not, are clandestine operations by States – designed to meddle with the internal affairs of the country which shows a hint of militant democracy. 

Second, Hollis argues that influence operations do not meet with the criteria of coercion as narrowly defined in International Law. Tallinn Manual defines Coercion as “designed to deprive another State of its freedom of choice, that is, to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way”. This must be “distinguished from persuasion, criticism, public diplomacy, propaganda, retribution, mere maliciousness…” because “such activities merely involve either influencing (as distinct from factually compelling) the voluntary actions of the target State, or seek no action on the part of the target State at all”. It has been argued that the very nature of influence operation is to have target adopt or change certain behaviors willingly, which implies an absence of coercion. Another argument is that a legal finding that the State acted due to/under the influence of coercion would depend on recognizing and attributing some individual or group as the target of the coercion and identifying threatened consequences.

However, a broader conceptual understanding of coercion can be identified in efforts to bolster the argument that non-intervention includes the conduct of a State which weakens, undermines or compromises the authority of another State. The argument emphasizes on the examination of context and consequences while determining whether a State was compelled to act in a manner it otherwise wouldn’t have.

This broad approach is supported by observations made by the experts in Tallinn Manual 1.0 where they observed that the prohibited forms of interventions include “the manipulation by cyber means of elections or of public opinion on the eve of elections, as when online news services are altered in favor of a particular party, false news is spread, or the online services of one party are shut off”.

4. CONCLUSION

Various authors have highlighted that it is very difficult to argue that cyber influence operations questioning the democratic legitimacy of a target State falls within the ‘prohibited forms of intervention’. Similar arguments have been made for questions pertaining to the principle of sovereignty as well. Michael Schmitt has also observed cyber influence operations fall within a significant legal grey zone. However, an important question which is asked is whether these primary principles of international law which have developed on the basis of kinetic conflicts could be applied to cyberspace by analogy. Other scholars have also argued that cyber influence operations can better examined through lens of “self-determination”, “duty of due diligence” and also arguing  “information ethics” should inform our legal interpretation of damage and violence in cyberspace. Due to challenges posed by traditional understanding of sovereignty and principle of non-intervention, it is important to reexamine these concepts in context of cyber influence operations and to apply concepts accordingly to address concerns raised by them. 

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. Sunil Narula, “Psychological Operations: A Conceptual Overview,” Strategic Analysis 28, no. 1 (2004): 180.

Technology & National Security Reflection Series Paper 8: Tallinn Manuals as Law of the States or for the States– a Sola Fide Exploration?

Karan Vijay*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION

In this post, we evaluate the authoritative value of interpretations of international law expressed in the Tallinn manual with reference to Article 38 of the Statute of the International Court of Justice. 

NATO’s Cooperative Cyber Defence Centre of Excellence (“CCDCOE”) was established for NATO members to coordinate their efforts in the field of cyberwarfare in 2008, in light of the 2007 cyberattacks on Estonia’s critical cyber infrastructure. Given the international nature of cyberspace and consequently cyberwarfare, the CCDCOE convened a group of international experts to analyse how international law can be applied to cyberwarfare. Thus, the Tallinn manual came into existence, named after Estonia’s Capital, in 2013. The group of experts released Tallinn 2.0 in 2017 as a follow up which deals with a much broader field of ‘cyber operations’ instead of cyberwarfare. The original manual involved conflict while 2.0 deals with cyber operations both inside and outside conflict.

As far as the authoritative value of the Manual is in question, it is pertinent to point out that the Manual notes that every rule or assertion may not be a representation of principles of international law. Moreover, neither the rules nor the commentaries of the Tallinn manuals reflect the NATO doctrine or has been adopted as the official position of any State. Thus, prima facie, the Tallinn manuals (including Tallinn 2.0) were an end result of an academic study to determine and restate the lex lata i.e. the law as it exists; and probably deduce the direction of the lex ferenda i.e. as future law should be (although the manuals expressly stated that they avoided any statements or lex ferenda or the preferred policy for States). However, this still leaves the question unanswered about the value it holds today amongst other sources of international law.

Photo by Ministerie van Buitenlandse Zaken. Licensed under CC BY 2.0

THE LEGAL CONUNDRUM ENCIRCLING ARTICLE 38 (1) AND TALLINN MANUAL

Article 38(1) of the Statute of the International Court of Justice is considered as the most widely recognized iteration of sources of international law. It is no debate that the Manuals would fall under 38(1)(d) as the teachings of most qualified publicists as the international group of experts who were involved in their drafting are legal luminaries who are recognized for their contributions in cyber law and international law. 

We must note here that Article 38(1)(d) is different from the rest of the iterations or sources as it is subsidiary to others, i.e., these teachings per se are not law in and of themselves but are rather references that can be looked into for finding the law applicable.Thus, the manuals positing the arguments of the experts is not the law itself. However, they are a helpful source of determining the other authoritative sources of international law because the premise on which the publicists argue an assertion is usually based on a combination of the other three sources enshrined in article 38(1).

The question now becomes whether these manuals have been elevated to the level of customary international law (CIL). In addition to treaties, rights and obligations of States can also be recognized under CIL which is basically ‘evidence of a general practice accepted as law.’ In brief, a norm of CIL can form with State practice, that is the behavior of States with regards to the custom in question, and opinio juris, which is the belief that the State practice is in fact an obligation arising out of the law that is claimed as CIL.¹ This implies that towards formation of a custom, the State practice is the objective element or the manifestation of the subjective element, opinio juris. Interestingly, a minority of scholars also argue that it is not a watertight framework of having both of these elements, and a strong existence of the opinio juris may lead to the creation of a norm of CIL.

With respect to Cyber-operations, jurists hold that it is still too recent a field and there is no consistent State practice. However, most States have expressed the need of cyber-regulation and security via domestic law or through their representatives. The States are also publicly equipped to create or respond to military cyber operations. This amounts to a valid State practice, and even if it has not taken place for a long time but has been uniformly exercised, and there is proof of existence of the opinio juris, it can still validly contribute towards forming CIL.

ON THE QUESTION OF REPRESENTATION 

The question that we now face is whether the Tallinn manuals are a reflection of this global opinio juris. We can analyse from the available evidence and conclude that it may not be the case. To be clear, the international group of experts whose opinions led to the creation of the Manuals participated in their individual capacity– were not representing their country. This is important to note because when a scholar represents a country, they voice or manifest the State’s ‘opinion’ on points of disagreement as we see at the International Law Commission. What Tallinn scholars represent in their individuality or have represented are ideologies such as the Chicago School of Economic Thought or the English School of International Relations but never their State, making the manuals a scholarly exercise rather than a reflection of any opinio juris.

When we talk about representation, another issue which comes up with the manual is that it does not have fair representations from all parts of the world. A few of the biggest players of cyberspace are China and Russia. These States have successfully hacked/controlled their way to becoming important State actors within the cyber realm. Their opinions or voices; and even that of Israel (Israeli experts were on board for Tallinn 2.0), which is a dominant player in cyber-security today or that of Iran, were not taken into consideration. This further takes away from any claims whatsoever that the manuals represent opinio juris of States. The Manuals only take this issue of representation further in circumstances wherein only the military manuals of first world countries are referenced without providing any objective criteria for such selection.

At the same time there are some rules, which arguably do reflect opinio juris of States. For example, “Rule 4 – A State must not conduct cyber operations that violate the sovereignty of another State.” However, it is not the Tallinn manuals that made these laws customary in nature. Instead the manuals merely restate a preexisting custom adding the reference to cyberspace. 

From a content point of view, Pukhraj Singh points out that the manual which was touted to bring clarity to complex questions of cyberspace and law has turned a complete volte-face. Singh highlights that experts disagreed with each other at places providing counter-narratives, and that the manuals jump the gun by over- analogizing with conventional operations. The legal imputation of physical laws, such as the law of armed conflict to cyber-attacks may not always make complete technical sense. At the end of day, cyberspace is an intangible concept of connected computers, and not as physically controllable as how the manuals consider it to be. 

Most cyber-attacks will be done in a clandestine fashion with no clear indication as to which State did it or is responsible for it. The manuals (especially Tallinn 1.0) are not of much help as they simply restate the law on attribution and do not completely fulfil their role of creating practical and acceptable attribution standards (even if it meant holding the US responsible for Stuxnet!).

Moreover, it must be looked into whether the Manuals’ rules have been adopted and followed by various States or not and to what extent. This ascertains whether the States consider themselves bound by the rules of the manual (or is regarded as opinio juris). Now, apart from the disagreements that States have on some rules of the manual, a study done on 11 hostile cyber-operations that happened between 2013-2017 revealed that the manual or its rules were not followed.

CONCLUSION

Thus, with this understanding, we can conclude that while some of the rules restate CIL, the manuals as a whole do not seem to represent the global lex lata or the opinio juris of the States. It may seem that they instead represent the lex ferenda or what the law should be. However, that is also not exactly the case with their many loopholes and misplaced allegiances as they themselves state. 

It can instead be said that the manuals represent a hope or even a viable precedent that an exercise such as this can be undertaken by various other clusters of nations, like EU, SCO, SAARC, OAS or ASEAN. As more and more clusters will come up with their own varying opinions on cyber-space and cyber-operations, the chances of them possibly culminating into a mutual understanding between all States regarding international law applicable to cyberspace becomes more plausible. For this long drawn vision, Tallinn manuals seem to be a worthy starting point.  

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. North Sea Continental Shelf (Libya v Malta) (Merits) [1985] ICJ Rep 13[27].; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) 1996 ICJ Rep 226 [64].; ILC, ‘Draft conclusions on identification of customary international law, with commentaries’ (2018) UN Doc A/73/10 Conclusion 2.  Antonio Cassese, International Law, (2nd edn. OUP 2005), 156.

Technology & National Security Reflection Series Paper 7: Use of Force in Modern Times: Sisyphus’ First World Boulder

Karan Vijay^*

About the Author: The author is a 2021 graduate of the National Law University, Delhi. He is currently an Associate at Talwar Thakore & Associates, Mumbai. His interests lie in evolving landscapes of technology and their impact on international law and economics.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

INTRODUCTION 

In this post, we discuss a rather contentious point that whether in international law, a mere threat or use of force by a State against another State would give rise to a right of self-defense. 

For context Article 2(4) of the UN Charter provides for all member States to refrain from the threat of or the actual use of force which may threaten the territorial integrity or political independence of any other state. This provision is regarded to have a jus cogens character, i.e., binding on all States as a non-derogable one. Each Member State also has the positive duty to refrain from the use of force against other  States under international law.

Pursuant to Article 51 of the UN Charter, States which face a use of force at the level of an ‘armed attack’ have the right to exercise self-defense. An armed attack is when this force is used on a relatively large scale, is of sufficient gravity, and has a substantial effect. Dinstein states that armed attack presupposes a use of force producing serious consequences, epitomized by territorial intrusions, or human casualties or considerable destruction of critical infrastructure.

Photo by Kyle Glenn on Unsplash. Copyrighted under Unsplash license.

MEMBER STATE’S RIGHT TO SELF DEFENSE

We need to be aware that this right of self-defense does not manifest at every instance of use of force against another State. In certain instances victim States can instead exercise ‘countermeasures’ against the belligerent State. However, when this right of self-defense does manifest, it must abide by the doctrines of necessity and proportionality.

These doctrines were initially laid down in the aftermath of the Caroline incident of 1837, which has inadvertently governed the rules of use of force for nearly two centuries. Herein, the doctrine of necessity posits that an armed attack can only be responded to when there is no other alternative means to seeking viable redressal. Necessity requires that military action should be used only as a last resort. Then, the doctrine of proportionality provides that the size and scope of an armed attack shall determine the overall objective of the defensive responses. This leads to the conclusion that such action will only be towards self-defense and not retaliatory in nature or have a punitive outlook against the aggressor. The counter attack cannot be unreasonable or excessive and can only be carried out to repel or prevent an attack.

Thus, if we were to literally interpret the law, the answer would be that a mere threat or even a use of force that is not of a level of an armed attack does not give rise to the right of self-defense. However, a look at how State practice has shaped this understanding might lead to a different conclusion.

EMERGING FAULTLINES AND EXPANSION OF LEGAL INTERPRETATION OF RIGHT OF SELF-DEFENSE

The United States, with their invasion of Afghanistan for harboring terrorists in 2001 and the subsequent invasion of Iraq in 2003 for allegedly procuring weapons of mass destruction have posited a changed landscape to the  right of self-defense. American actions of ‘self-defense’ completely subvert the legal interpretation of the right being unavailable against threats and conventional use of force. Furthermore, it has led to the emergence of an anticipatory right to self-defense.

At the outset, it is observed that the opinion on the legality of such acts that anticipate armed attacks from threats or other information is divided. Some scholars (usually the ones who have a favorable outlook towards American and/or the Israeli Government actions) argue that the right to anticipatory self-defense is not only in consonance with customary international law but also with article 51 of the U.N Charter.

However, an anticipatory right of self-defense would actually be contrary to the wording of Article 51, since an armed attack must ‘occur’. In any case, Article 51 must be interpreted narrowly containing a prohibition of anticipatory self-defense as one of the purposes of the Charter was to reduce to a minimum the unilateral use of force. At the very least, States claiming the right will have to prove that they face an imminent attack^.. It is ideal to have a ‘clear and convincing’ evidence of the same to avoid situations like that of the invasion of Iraq, which was initiated based on extremely faulty intelligence. 

There are checks and balances enshrined within Article 51 itself to ensure that this does not become a practice. Key mechanisms include the requirement or duty to report immediately to the Security Council when such an act is undertaken, which can act as a limitation on the exercise of self-defense. However, even this duty does not have the power to stop the states exercising such ‘rights’ as reporting to the Security Council is a mere procedural matter, and nonfeasance cannot technically deprive a state of the substantive right of self-defense or invalidate it.

Therefore, it can be said that the scope of the right to self-defense despite fair legal objections may have already expanded to practically include threats or even conventional uses of force not amounting to an ‘armed attack’. What becomes important now is to see how this right of a sovereign state will shape in the future. Towards this, there are two important questions that need to be answered. Firstly, whether this right can be exercised against non-state actors and secondly, can this right be exercised against a cyber-operation?

When the right of self-defense towards non-state actors is considered, the legal position seems pretty clear. The International Court of Justice itself has expressed that the inherent right of self-defense in the case of armed attack by one state is available only against another state.

The general understanding is that Article 51 of the Charter is an exception to the prohibition on the use of force as enshrined in Article 2(4). Given that Article 2(4) refers only to a ‘state’, its exception must also deal with the same. However, some do argue that while Article 2(4) of the Charter, in proscribing the use of force, refers solely to state actors on both sides.  On the other hand, Article 51 mentions a member only as the potential target of an armed attack. This means that the perpetrator of that armed attack is not identified necessarily as a state, especially during these times where it is not just State but non-State entities like terrorists that pose the significant threats to national security concerns of States.

Moreover, regardless of what the law states or what the law should be, the tacit acknowledgement of the Security Council, NATO and EU towards the American invasion of Afghanistan to attack Al Qaeda has given credence to the understanding that self-defense is available against non-State actors. Thus, contemporary state practice (of the first world countries) shows that non-State actors can be behind ‘armed attacks’ which can give rise to self-defense. The ‘pro-democracy’ opinion now states that self-defense against a non-State actor can be justified when the territorial State has manifestly and persistently been unwilling or unable to prevent such attacks in other States, like invasion of Afghanistan on the pretext that if they are harbouring terrorists, they are as liable as the terrorists themselves.

Coming to the second question of whether cyber-operations against a state can give a right to self-defense to that State, it is imperative to determine whether a cyber-operation is an armed attack (as per the prevailing legal view as there is no contrary contemporary state practice yet).

An ‘armed attack’ may not strictly require the use of kinetic weapons, but may, in principle, also be conducted by computers used by hackers. In order to reach this very threshold, the consequences and effects of the cyber-operation in question, must be compared to that of conventional use of force. These operations cannot be isolated or random acts of cyber-attacks and exercising the right against these one-off incidents are excluded from the scope of right to self-defense. Thus, the bar to classify a cyber-operation as an armed attack exists against which a right to self-defense will also exist. However, this bar must be considerably high and will not trigger when hypothetically Indian college students hack a Pakistani bank’s website as a one-off incident.

CONCLUSION

The high standard set is important to ensure that self-defense is not ‘exercised’ in a ubiquitous manner. However, the first world tells us that if the standard is too high and is creating an obstacle towards their political interests, the standard will be disregarded or modified accordingly making an effective set of laws a Sisyphean task. This is what happened to non-State actors, to threats and simple uses of force and will most likely happen to cyber-operations as well. 

Self-defense will be heavily exercised if doing so aligns with the political ideology of the State regardless of what the law states. The law understandably does not allow a State to exercise the right to self-defense against mere threats or even conventional uses of force. However, as we understand from a third-world vantage point of international law, the law is what the first world will allow it to be.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 6: The Legality of Lethal Autonomous Weapons Systems (“LAWS”)

Drishti Kaushik*

About the Author: The author is a final year student at the National Law University, Delhi. She has previously been associated with CCG as part of its summer school in March 2020 and has also worked with the Centre as a Research Assistant between September 2020 and March 2021. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

Introduction

When a machine has the ability to perform certain tasks which typically require human intelligence it is known as Artificial Intelligence (AI). AI is currently used in a variety of fields and disciplines. One such field is the military where AI is viewed as a means to reduce human casualties.

One such use case is the development and use of Lethal Autonomous Weapons Systems (LAWS) or “killer robots” which can make life and death decisions without human intervention. Though the technology behind LAWS and its application remains foggy, LAWS have become a central point of debate globally. Several countries seek a complete preemptive ban on its use and development, by highlighting that technology to achieve such outcomes already exists. Other countries have expressed their preference for a moratorium on its development till there are universal standards regarding its production and usage. 

This piece examines whether LAWS are legal/lawful under International Humanitarian Law (IHL) as per the principles of distinction, proportionality and precautions. LAWS are understood as fully autonomous weapon systems that once activated, have the ability to select and engage targets without any human involvement. The author argues that it is premature to conclude LAWS as legal or illegal by hypothetically determining their compliance with extant humanitarian principles. Additionally, they pose ethical considerations and legal reviews under IHL that must be satisfied to determine the legality of LAWS. 

What are LAWS?

There is presently no universal definition of LAWS since the term ‘autonomous’ is ambiguous. ‘Autonomous’ in AI refers to the ability of a machine to make decisions without human intervention. The US’ Department of Defense issued a 2012 directive which defines LAWS as weapon systems that can autonomously or independently “select and engage targets without any human intervention” once activated. This means LAWS leave humans “out of the loop”. The “lack of human intervention” element is also present in definitions proposed by Human Rights Watch, the International Committee of the Red Cross (ICRC)  and the UK Defence Ministry. 

While weapon systems that are completely autonomous currently do not exist, the technology to develop the same does. There are near-autonomous weapons systems like Israel’s Iron Dome and the American Terminal High Altitude Area Defense that can identify and engage with incoming rockets. These are defensive in nature and protect sovereign nations from external attacks. Conversely, LAWS are weapon systems having offensive capabilities of pursuing targets. Some scholars recommend incentivizing defensive autonomous systems within the international humanitarian framework.

Even though there is no singular definition, LAWS can be identified as machines or weapon systems which once activated or switched on by humans have the autonomy to select and search for targets as well as engage or attack them without any human involvement in the entire selection and attacking process. The offensive nature of LAWS as opposed to the use of automated systems for defensive purposes is an important distinguishing factor for identifying LAWS. An open letter by Future of Life Institute calls for a ban on “offensive autonomous weapons beyond meaningful human control” instead of complete ban on AI in the military sector. This distinction between offensive and defensive weapons in the definition of LAWS was also raised in the Group of Governmental Experts on LAWS 2017 meet.

Autonomy and offensive characteristics are primary grounds behind demands for a complete ban on LAWS. Countries like Zimbabwe are uncomfortable with a machine making life and death decisions and others like Pakistan are worried about military disparities with technologically superior nations leading to an unfair balance of power.

There remains considerable uncertainty surrounding LAWS and its legality as weapons to be used in armed conflicts. Governance of these weapons, accountability, criminal liability and product liability are specific avenues of concern.

Autonomous anti-air unit by Pascal. Licensed under CC0.

Legal Issues under IHL

The legality of LAWS under IHL is observable at two levels: (a) development, and (b) deployment/use. 

Legal Review of New Weapons

The Geneva Convention provides for Legal Review of any new weapons or means of warfare under Article 36 of Additional Protocol I (“AP 1”) to determine whether the development of new weapons is in compliance with the Geneva Convention and customary international law. The weapon must not have an “indiscriminate effect” or cause “superfluous injury” or “unnecessary suffering” like chemical weapons.

The conduct of LAWS must have ‘predictability’ and ‘reliability’ for them to be legally deployed in armed conflicts. If not possible then the conduct of LAWS in the midst of conflict  may lead to “indiscriminate effect or superfluous injury or unnecessary suffering”. 

Principles of Distinction, Proportionality & Precautions 

LAWS must uphold the basic rule of distinction. LAWS should differentiate between civilians and military objects; and between those injured and those active in combat. Often even deployed troops are unable to successfully determine this and thus, programming LAWS to uphold the principle of distinction remains a challenge.

Second, LAWS must uphold the principle of proportionality. Civilian casualties, injury and destruction must not be excessive in comparison to the military advantage gained by the attack. Making such value judgments in the middle of intense battles is difficult. Programmers who develop LAWS may struggle to comprehend the complexities around these circumstances. Even when deploying deep learning, as machines recognise patterns, there might be situations when it first has to gain experience and those growing pains in technological refinement may lead to violations of the proportionality principle. 

Finally, LAWS must adhere to the principle of precaution. This is the ability to recall or suspend an act when it is not proportionate or harms civilians as opposed to military adversaries. The ability to deactivate or recall a weapon once deployed is tricky. There is general consensus that LAWS will fail to comply with these principles and violate the laws of armed conflict.

Conversely others argue that its autonomous characteristics are not enough to prove that LAWS violate IHL. Existing principles are enough to restrict the use of LAWS to situations where IHL is not violated. Furthermore, autonomous weapons might be able to wait till they are fired upon to determine whether a person is civilian or military as their sense of ‘self-preservation’ will not be as strong as that of human troops thereby complying with the principle of distinction. Moreover, they might be employed in the navy or other areas not open to civilians, thereby affording LAWS a lower threshold for compliance with IHL principles. Supporters contend that LAWS might calculate and make last minute decisions without any human subjective emotions allowing them to choose the best possible plan of action thereby respecting the principles of proportionality and precautions. 

Marten’s Clause 

Article 1 of AP I to the Geneva Conventions states that if certain cases are not covered under the Convention, then the civilians and the combatants are protected under “Customary International Law, principles of Humanity and Dictates of Public Conscience”. This has also been reiterated in the preamble of AP II of the Geneva Conventions. This is referred to as Marten’s Clause and provides the basis for ethical and moral aspects to the law of armed conflict. Since LAWS are not directly covered by the Geneva Convention, their development and use must be guided by Marten’s clause. Therefore, LAWS may be prohibited due to noncompliance with customary international law or principles of humanity or dictates of public conscience. 

LAWS cannot be declared illegal under customary international law since there is no defined state practice; as they are still being developed. The principles of humanity require us to examine questions about whether machines should have the ability to make life or death decisions regarding humans. Moreover, recent data suggests that dictates of public conscience may be skewed against the use of  LAWS. 

It might be early to term LAWS, which do not currently exist, as legal or illegal on the basis of compliance with the Geneva Convention. However, any discussion regarding the same must keep these legal and ethical IHL-related considerations in mind.

Present Policy Situation 

The legal issues relating to LAWS are recognised by the UN Office of Disarmament.  Under the Convention of Certain Conventional Weapons (CCW), a Group of Governmental Experts was asked to address the issues regarding LAWS. This group is yet to provide a singular definition of the term. However, it has recommended 11 guiding principles which were adopted by the High Contracting Parties to the CCW in 2019.

The first principle states that IHL shall apply to all autonomous weapons systems including LAWS. The second principle addresses accountability through “human responsibility” during decision making relating to the use of these systems. Further, any degree of human-machine interaction at any stage of development or activation must be in compliance with IHL. Accountability for development, deployment and use of these weapons must be as per IHL by ensuring there is a “chain of human command and control”. States’ obligation of ensuring a legal review for any new weapons is also reiterated.

The guidelines also state that cyber and physical risks, and the  risk of proliferation and acquisition by terrorists must be considered while developing and acquiring such weapons. Risk assessment and mitigation must also be made a part of the design and development of such weapons. Consideration must be given to compliance with IHL and other international obligations while using LAWS. While crafting policy measures, emerging technologies in LAWS must not be “anthropomorphized”. Discussions on LAWS should not hinder peaceful civilian innovations. The principles finally highlight the importance of balancing military needs and human factors under the CCW framework. 

The CCW also highlights the need for ensuring “meaningful human control” over weapon systems but does not define relevant criteria for the same. Additionally, there are different stages such as development, activation and deployment of autonomous weapons. Only a human can develop and activate the autonomous systems. However, deployment is determined by the  autonomous weapon on its own as per its human programming. 

Therefore, the question arises – will that level of human control over the LAWS’ programming be enough to qualify as meaningful human control? If not, will an override human command which may or may not be exercised allow for “meaningful human control”? These questions require further deliberation on what qualifies as “meaningful human control” and whether this control will even be enough given how rapidly AI is being developed. There is also a need to ensure that no bias is programmed into these weapons. 

While these guiding principles are the first step towards an international framework, there is still no universal/comprehensive legal framework to ensure accountability on LAWS.

 Conclusion

The legal, ethical and international concerns regarding LAWS must be addressed at a global level. A pre-emptive and premature ban might stifle helpful civilian innovation. Moreover, a ban will not be possible without the support of leading States like the US, Russia, UK. Conversely,  if the development of LAWS is left unregulated then it will make it easier for countries with LAWS to go to war. Moreover, development and deployment of LAWS will create a significant imbalance between the technologically advanced and technologically disadvantaged nations. Furthermore, no regulation may lead to the proliferation and acquisition of LAWS by bad actors for malicious, immoral and/or illegal purposes.

Since LAWS disarmament is not an option, control on LAWS is recommended. The issues with LAWS must be addressed at the international level by creating a binding treaty which incorporates a comprehensive definition of LAWS. The limits of autonomy must also be clearly demarcated along with other legal and ethical considerations. The principles of IHL including legal reviews must also be implemented. Till then, defense research centers around the world should incorporate AI in more “defensive” and “non-lethal” military machineries. Such applications could include disarming bombs or surveillance drones or smart borders instead of offensive and lethal autonomous weapons systems without any overriding human control.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

Technology and National Security Law Reflection Series Paper 5: Legality of Cyber Weapons Under International Law

Siddharth Gautam^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law. In the present essay, the author reflects upon the following question: 

What are cyber weapons? Are they cyber weapons subject to any regulation under contemporary rules of international law? Explain with examples.

Introducing Cyber Weapons

In simple terms weapons are tools that harm humans or aim to harm the human body. In ancient times nomads used pointing tools to hunt and prey. Today’s world is naturally more advanced than that. In conventional methods of warfare, modern tools of weapons include rifles, grenades, artillery, missiles, etc. But in recent years the definition of warfare has changed immeasurably after the advancement of the internet and wider information and communication technologies (“ICT”). In this realm methods and ways of warfare are undergoing change. As internet technology develops we observe the advent/use of cyber weapons to carry out cyber warfare.

Cyber warfare through weapons that are built using technological know-how are low cost tools. Prominent usage of these tools is buttressed by wide availability of computer resources. Growth in the information technology (“IT”) industry and relatively cheap human resource markets have a substantial effect on the cost of cyber weapons which are capable of infiltrating other territories with relative ease. The aim of cyber weapons is to cause physical or psychological harm either by threat or material damage using computer codes or malware.

2007 Estonia Cyber Attack

For example during the Estonia –Russia conflict the conflict arose after the Soldier memorial was being shifted to the outskirts of Estonia. There was an uproar in the Russian speaking population over this issue. On 26^th and 27^th April, 2007 the capital saw rioting, defacing of property and numerous arrests.

On the same Friday cyber attacks were carried out using low tech methods like Ping, Floods and simple Denial-of-Service (DoS) attacks. Soon thereafter on 30^th April, 2007 the scale and scope of the cyber attack increased sharply. Actors used botnets and were able to deploy large scale distributed denial of service (D-DoS) attacks to compromise 85 thousand computer systems and severely compromised the entire Estonian cyber and computer landscape. The incident caused widespread concerns/panic across the country.

Other Types of Cyber Weapons

Another prominent type of cyber weapon is HARM i.e. High-speed Anti Radiation missiles. It is a tactical air-to-surface anti radiation missile which can target electronic transmissions emitted from surface-to-air radar systems. These weapons are able to recognise the pulse repetition of enemy frequencies and accordingly search for the suitable target radar. Once it is visible and identified as hostile it will reach its radar antenna or transmitter target, and cause significant damage to those highly important targets. A prominent example of its usage is in the Syrian–Israel context. Israel launched cyber attacks against the Syrian Air defence system by blinding it. It attacked their Radar station in order not to display any information of Airplanes reaching their operators. 

A third cyber weapon worth analysing can be contextualised via the Stuxnet worm that sabotaged Iran’s nuclear programme by slowing the speed of its uranium reactors via fake input signals. It is alleged that the US and Israel jointly conducted this act of cyber warfare to damage Iran’s Nuclear programme.

In all three of the aforementioned cases, potential cyber weapons were used to infiltrate and used their own technology to conduct cyber warfare. Other types of cyber risks emerge from semantic attacks which are otherwise known as social engineering attacks. In such attacks perpetrators amend the information stored in a computer system and produce errors without the user being aware of the same. It specifically pertains to human interaction with information generated by a computer system, and the way that information may be interpreted or perceived by the user. These tactics can be used to extract valuable or classified information like passwords, financial details, etc. 

HACKERS (PT. 2) by Ifrah Yousuf. Licensed under CC BY 4.0.From CyberVisuals.org, a project of the Hewlett Foundation Cyber Initiative.

Applicable Landscape Under International Law

Now the question that attracts attention is whether there are any laws to regulate, minimise or stop the aforementioned attacks by the use of cyber weapons in International law? To answer this question we can look at a specific branch of Public international law; namely International Humanitarian law (“IHL”). IHL deals with armed conflict situations and not cyber attacks (specifically). IHL “seeks to moderate the conduct of armed conflict and to mitigate the suffering which it causes”. This statement itself comprises two major principles used in the laws of war.

Jus ad Bellum – the principle which determines whether countries have a right to resort to war through an armed conflict,

Jus in bello– the principle which governs the conduct of the countries’ soldiers/States itself which are engaging in war or an armed conflict. 

Both principles are subjected to the Hague and Geneva Conventions with Additional Protocol-1 providing means and ways as to how the warfare shall be conducted. Nine other treaties help safeguard and protect victims of war in armed conflict. The protections envisaged in the Hague and Geneva conventions are for situations concerning injuries, death, or in some cases  damage and/or destruction of property. If we analyse logically, cyber warfare may result in armed conflict through certain weapons, tools and techniques like Stuxnet, Trojan horse, Bugs, DSOS, malware HARM etc. The use of such weapons may ultimately yield certain results. Although computers are not a traditional weapon its use can still fulfil conditions which attract the applicability of provisions under the IHL.

Another principle of importance is Martens Clause. This clause says that even if some cases are not covered within conventional principles like humanity; principles relating to public conscience will apply to the combatants and civilians as derived from the established customs of International law. Which means that attacks shall not see the effects but by how they were employed

The Clause found in the Preamble to the Hague Convention IV of 1907 asserts that “even in cases not explicitly covered by specific agreements, civilians and combatants remain under the protection and authority of principles of international law derived from established custom, principles of humanity, and from the dictates of public conscience.” In other words, attacks should essentially be judged on the basis of their effects, rather than the means employed in the attack being the primary factor.

Article 35 says that “In any armed conflict, the right of the Parties to the conflict to choose methods or means of warfare is not unlimited. It is prohibited to employ weapons, projectiles and material and methods of warfare of a nature to cause superfluous injury and unnecessary suffering”

The above clause means that the action of armed forces should be proportionate to the actual military advantage sought to be achieved. In simple words “indiscriminate attacks” shall not be undertaken to cause loss of civilian life and damage to civilians’ property in relation to the advantage.

Conclusion

Even though the terms of engagement vis-a-vis kinetic warfare is changing, the prospect of the potential of harm from cyber weapons could match the same. Instead of guns there are computers and instead of bullets there is malware, bugs, D-DOS etc. Some of the replacement of one type of weapon with another is caused by the fact that there are no explicit provisions in law that outlaw cyber warfare, independently or in war.

The principles detailed in the previous section must necessarily apply to cyber warfare because it limits the attacker’s ability to cause excessive collateral damage. On the same note cyber weapons are sui generis like the nuclear weapons that upshot in the significance to that of traditional weapons

Another parallel is that in cyber attacks often there are unnecessary sufferings and discrimination in proportionality and the same goes for  traditional armed conflict. Therefore, both should be governed by the principles of IHL. 

In short, if the cyber attacks produce results in the same way as kinetic attacks do, they will be subject to IHL.

---

*The views expressed in the blog are personal and should not be attributed to the institution.

Technology & National Security Reflection Series Paper 4: Redefining National Security

Animesh Chaudhary*

About the Author: The author is a 2021 graduate of National Law University, Delhi. He is currently working at Rural Electrification Corporation Limited.

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

Introduction

“National Security” is one of the foremost concerns of any nation state. However, the meaning of this term has acquired an overwhelmingly military character over time. This military approach to national security follows the assumption that the principal threat to security comes from other nations. While such an understanding was suitable a few decades ago health pandemics, climate change, technological changes etc. are challenging this notion today. This submission aims to identify the gaps in traditional understandings of national security and proposes redefining the concept. 

This piece is divided into three parts- Part I looks at the traditional military approach to “National security”. Part II analyses the need to update this traditional understanding. Part III identifies “Human Security” as a modern and suitable concept of national security.

Photo by MySecuritySign.com. Licensed via CC BY 2.0.

I.         Traditional Military approach to “National Security”

The traditional approach has been to view “National Security” from a military lens i.e. ‘securing the nation from military threat’. The policy measures of nation States and many strategists have followed this understanding.

Weber found a monopoly on violence, allowing to deal with internal or external military threats, as a crucial condition for the State. Similarly, James Baker notes that while no common definition of “national security” exists, the core issues which warrant national security treatment will primarily include nuclear attack, terrorist attacks and conventional attacks. “National Security” is also used to justify “the maintenance of armies, the development of new weapon systems, and the manufacture of armaments”.

In many ways, it can be easily understood how this understanding of National security developed. Wars in 18^th and 19^th century were generally short. The security strategy in the past was focused mainly on “external military threats”, which consequently required corresponding military responses.  However, in present times, such an understanding is inadequate.

II.                Need to update the definition of National Security

 i)  Nature of threats is changing

Today, for most nations, the threat of military aggression has reduced considerably. Instead, nations have to face “environmental pollution, depletion of ozone, [global] warming, and migrations of refugees“¹ among others. Health issues such as the Coronavirus pandemic, changes in technology, or spiralling economy as seen in many third-world countries are other threats to nations. 

One of the greatest enablers of this change is technology. It is difficult to place technological threats within the traditional military approach to national security, yet it is undeniable that technological disruptions present great danger to the security of nations.  The impact of technologies on the international security environment are all-encompassing.² These include both conventional changes like technological weapons, and non-conventional changes like cyber warfare.

ii)  Non-Military Threats can cause Military Conflict

Another reason for updating the present understanding of “National Security” is that a number of non-traditional threats can lead to military conflict. This makes it imperative for proactive policymakers to treat all such threats as National Security issues.

Scholars have studied resource conflicts, energy security, climate change and insecurity and tied them in with military conflicts. Some have found that “… water resource scarcity can be both the cause and the consequence of armed conflicts.” ³

Proactive policymaking demands recognising such threats before they acquire a military character.

iii)  Conventional understanding of ‘National Security’ is narrow and patriarchal

If National Security means the security of a nation, it is imperative to define ‘nation’ first. While it is difficult to come up with a precise definition of a ‘nation’, it is submitted that any definition, that does not take into account the people is narrow in scope. 

In this context, national security fails to include everyday experiences of a significant population. Further, the current definition is patriarchal and excludes the experiences of women.

J.Tickner finds that the traditional perspectives on security through a military point of view has marginalised or omitted women, which has resulted in a masculine and militaristic definition of National Security.⁴ Women, on the other hand, have defined security as “absence of violence whether it be military, economic, or sexual.”⁵ National Security, when understood as “absence of violence against people of the nation”, can then be extended to all other disempowered groups.

Similarly, the perception of security that many people of colour have in America, does not align with the dominant definition of national security in America. In the Indian context, crimes against underprivileged groups are not considered a national security threat. Understood in these terms, it is clear that the traditional understanding does not cover the security threats faced by disempowered groups in a nation. A definition that does not take into account is therefore severely lacking in scope, and needs to be updated.

III.          “Human Security”- A Modern understanding of National Security

Put forth in 1994 by the United Nations Development Program, ‘Human Security‘ very simply relates to the security of people. Erstwhile Prime Minister of Japan Obuchi Keizo called Human Security “the keyword to comprehensively seizing all of the menaces that threaten the survival, daily life, and dignity of human beings”

In essence, Human Security puts “people first” and recognises that the security of States does not necessarily translate to security of the people in it.  This has been borne out of the events of the 20^th century – world wars, multiple genocides, and the realisation that conventional notions of security need to be challenged when serious violations of rights occur.

The advantages of a human security understanding of national security are manifold:

i)   People first approach

The biggest advantage of this concept is that it puts people first in its definition of the ‘nation’. It recognises different forms of violence and threats that individuals face every day.  It brings into focus “structural violence” i.e. “the indirect violence done to individuals when unjust economic and political structures reduce their life expectancy through lack of access to basic material needs.”⁶

Understanding National Security as “absence of violence for people in a nation”, also allows us to recognise new unconventional threats that arise in the 21^st century.

ii)    Radically alters Public notions of Emergency and Urgency

There is normative value in recognising ‘Human Security’ as ‘National Security’. By recognising violence against individuals as national security threats, it sends a message that threats faced by individuals are the most important threats that any nation faces. It legitimises the security issues faced by groups that are not dominant in a nation.

“National Security” issues receive utmost urgency and importance in policy making. As Sachs notes, “Questions of “security” are often given pride of place before other potential policy concerns.”

This leads to a number of questions, why should emergency conditions and sense of urgency be reserved only for military threats? Why should crimes against women be considered any less urgent in a country which reports 87 rapes per day? Why shouldn’t crimes against Scheduled caste and Scheduled tribes be considered as urgent? How do nations issue national or local emergency in times of military conflict, but go on about in a routine manner when extreme gender, social and economic injustices exist?

By equating human security issues with national security threats, it is these questions that we can answer adequately. Crimes against minorities, women and other groups, poverty, lack of access to healthcare and education, and other social, economic and environmental ills that plague nations have become normalised to such an extent that all these issues have become routine. The concept of ‘Human Security’ challenges this status quo.

iii)   Leveraging Public Trust

National Security threats often generate public trust and public consensus swiftly. Public trust is an important part of a democratic system,⁷ while a lack of public trust is one the biggest obstacles in governance. By recognising “Human Security threats” as “National Security” threats, this public trust can be leveraged to improve governance.

As Lester Brown notes, while responding to a national security threat, “the ‘public good’ is much more easily defined; sacrifice can not only be asked but expected, it is easier to demonstrate that “business as usual” must give way to extraordinary measures.”

If such consensus and unity could be achieved with respect to “Human security”, it would allow governance to take place a lot more efficiently.

Conclusion

The traditional understanding of National Security in terms of military threats to the State is no longer adequate in the 21^st century. Today, ‘Human Security’ offers a more holistic understanding with its ‘people first’ approach. It recognises and legitimises the experiences of disempowered groups and challenges conventional notions of security.

Human Security offers multiple advantages as an analytical concept, and holds normative value by contesting the traditional understanding of a nation, urgency and emergency. The definition of Human Security is broad, but that acts as an advantage for it covers a wider range of threats, including the new threats caused by technology and climate.

This redefinition of ‘National Security’ does pose challenges relating to vagueness, increased powers of the executive, conceptual and funding issues, among others, but overall provides a strong base for policymakers to realign their priorities as per the requirements of today.

---

*Views expressed in the blog are personal and should not be attributed to the institution.

References:

1. Kalevi J. Holsti, The State, War, and the State of War (1996), Pg. 15.
2. Group Captain Ajay Lele, “Technology and National Security” Indian Defence Review Issue Vol 24.1 Jan-Mar 2009.
3. Swain, A., 2015. “Water Wars”. In: International Encyclopaedia of the Social & Behavioural Sciences, 2nd edition, Vol 25. Oxford: Elsevier. pp. 443–447.
4. Tickner J. A. (1997b), “Re-visioning Security”, in: International Relations Theory Today, eds. K. Booth, S. Smith, Polity Press Cambridge.
5. Tickner, J. (1993). “Gender in International Relations: Feminist Perspectives on Achieving Global Security” Political Science Quarterly.
6. J. Ann Tickner, “Re-visioning Security,” International Relations Theory Today (Ken Booth and Steve Smith, eds., 1994), p. 180.
7. Beshi, T.D., Kaur, R. “Public Trust in Local Government: Explaining the Role of Good Governance Practices”. Public Organiz Rev 20, 337–350 (2020).

Technology & National Security Reflection Series Paper 3: Technology and the Paradoxical Logic of Strategy

Manaswini Singh^*

About the Author: The author is a 2020 graduate of National Law University, Delhi. She is currently pursuing an LLM with specialization in Human Rights and Criminal law from National Law Institute University, Bhopal. 

Editor’s note: This post is part of the Reflection Series showcasing exceptional student essays from CCG-NLUD’s Seminar Course on Technology & National Security Law.

In the present essay, the author reflects upon the following question: 

According to Luttwak, “The entire realm of strategy is pervaded by a paradoxical logic very different from the ordinary ‘linear’ logic by which we live in all other spheres of life” (at p. 2) Can you explain the relationship between technological developments and the conduct of war through the lens of this paradoxical logic?

Introducing Luttwak’s Paradoxical Logic of Strategy

While weakness invites the threat of attack, technologically advanced nations with substantial investment in better military technology and R&D that are capable of retaliation, have the power to persuade weaker nations engaged in war to disengage or face consequences. Initiating his discussion on the paradox of war, Luttwak mentions the famous roman maxim si vis pacem, para bellum which translates to – if you want peace, prepare war. Simply understood, readiness to fight can ensure peace. He takes the example of the Cold War to discuss the practicality of this paradoxical proposition. Countries that spend large resources in acquiring and maintaining nuclear weapons resolve to deter from first use. Readiness at all times, to retaliate against an attack is a good defensive stance as it showcases peaceful intent while discouraging attacks altogether. An act of developing anti-nuclear defensive technology – by which a nation waging war may be able to conduct a nuclear attack and defend itself upon retaliation – showcases provocativeness on its part.

The presence of nuclear weapons, which cause large scale destruction, have helped avoid any instance of global war since 1945. This is despite prolonged periods of tensions between many nations across the globe. Nuclear weapons are an important reason for the maintenance of international peace. This is observable with India and its border disputes with China and Pakistan where conflicts have been frequent and extremely tense leading to many deaths. Yet these issues have not escalated to large scale or a full-fledged war because of an awareness across all parties that the other has sufficient means to engage in war and shall be willing to use the means when push comes to shove. 

Using the example of standardisation of antiaircraft missiles, Luttwak points out that ‘‘in war a competent enemy will be able to identify the weapon’s equally homogeneous performance boundaries and then proceed to evade interception by transcending those boundaries… what is true of anti aircraft missiles is just as true of any other machine of war that must function in direct interaction with reacting enemy – that is, the vast majority of weapons.”

Image by VISHNU_KV. Licensed via CC0.

Luttwak’s Levels of Strategy

The five levels of strategy as traced by Luttwak are: 

1. Technical interplay of specific weapons and counter-weapons.
2. Tactical combat of the forces that employ those particular weapons.
3. Operational level that governs the consequences of what is done and not done tactically.
4. Higher level of theatre strategy, where the consequences of stand alone operations are felt in the overall conduct of offence and defence.
5. The highest level of grand strategy, where military activities take place within the broader context of international politics, domestic governance, economic activity, and related ancillaries.

These five levels of strategy create a defined hierarchy but outcomes are not simply imposed in a one-way transmission from top to bottom. These levels of strategy interact with one another in a two-way process. In this way, strategy has two dimensions: the vertical dimension and the horizontal dimension. The vertical dimension comprises of the different levels that interact with one another; and the horizontal dimension comprises of the dynamic logic that unfolds concurrently within each level.

Situating Technological Advancements Within Luttwak’s Levels of Strategy

In the application of paradoxical logic at the highest level of grand strategy, we observe that breakthrough technological developments only provide an incremental benefit for a short period of time. The problem with technological advancement giving advantage to one participant in war is that this advantage is only initial and short-lasting. In discussing the development of efficient technology, he gives an example of the use of Torpedo boats in warfare which was a narrow technological specialisation with high efficiency. Marginal technological advancement of pre-existing tech is commonplace occurrences in militaries. The torpedo naval ship was a highly specialised weapon i.e. a breakthrough technological development which was capable of causing more damage to larger battleships by attacking enemy ships with explosive spar torpedoes. The problem with such concentrated technology is that it is vulnerable to countermeasures. The torpedo boats were very effective in their early use but were quickly met with the countermeasure of torpedo beat destroyers designed specially to destroy torpedo boats. This initial efficiency and technical advantage and its ultimate vulnerability to countermeasures is the expression of paradoxical logic in its dynamic form. 

When the opponent uses narrowly incremental technology to cause damage to more expensive and larger costlier weapons, in the hopes of causing a surprise attack with the newly developed weapon, a reactionary increment in one’s weaponry is enough to neutralise the effects of such innovative technologically advanced weapon(s). The technological developments which have the effect of paradoxical conduct in surprising the opponent and finding them unprepared to respond in events of attacks, can be easily overcome due to their narrowly specialised nature themselves. Such narrowly specialised new tech are not equipped to accommodate broad counter-countermeasures and hence the element of surprise attached with such incremental technology can be nullified. These reciprocal force-development effects of acts against torpedo-like weapons make the responding party’s defence stronger by increasing their ability to fight and neutralise specialty weapons. Luttwak observed a similar response to the development of Anti-tank missiles which was countered by having infantry accompany tanks.

Conclusion

The aforementioned forces create a distinctly homogenous and cyclical process which span the development of technology for military purposes, and concomitant countermeasures. In the same breadth, one side’s reactionary measure also reaches a culmination point and can be vulnerable to newer technical advancement for executing surprise attacks. Resources get wasted in responding to a deliberate offensive action in which the offensive side may be aware of defensive capabilities and it is just aiming to drain resources and cause initial shock. This can initiate another cycle of the dynamic paradoxical strategy. Within the scheme of the grand strategy, what looks like deadly and cheap wonder weapons at the technical level; fails due to the existence of an active thinking opponent. These opponents can deploy their own will to engage in response strategies and that can serve as a dent to the initial strategic assumptions and logic.

In summary, a disadvantage at the technical level can sometimes also be overcome at the tactical level of grand strategy . Paradoxical logic is present in war and strategy, and use of technology in conduct of war also observes the dynamic interplay of paradoxical logic. Modern States have pursued technological advancements in ICT domains and this has increased their dependence on high-end cyber networks for communication, storage of information etc. Enemy States or third parties that may not be equipped with equally strong manpower or ammunition for effective adversarial action may adopt tactical methods of warfare by introducing malware into the network systems of a State’s critical infrastructure of intelligence, research facilities or stock markets which are vulnerable to cyber-attacks and where States’ inability in attribution of liability may pose additional problems.

---

*Views expressed in the blog are personal and should not be attributed to the institution.