Why Cyberwar Confounds International Law - Part 1: Word Games
Adam Zivo | NATO Association of Canada | 2018 | 900 words
Discussions of cyberwar are ubiquitous within security and foreign policy circles, so much so that one can sometimes forget how novel cyberwafare actually is. The internet has changed society profoundly. The last two decades have felt like an eon, and, while society-at-large may have been able to adapt to the rapid evolution of our technology, culture, and norms, our laws have not. That matters. Even if cyberwarfare is culturally banalized, it must be understood from the perspective of our legal systems, because it is our laws that will control cyberwar. Our laws protect us from it. Yet those same laws, which were largely written in times when the internet was inconceivable, are ill-equipped to either govern cyberwar or adapt to it. This article is the first in a series that explores a few, but not all, of the reasons why that’s so.
The first (and likely most pedantic) problem is that we just don’t have a consensus on how we define terms that are essential to cyberwar. This lack of consensus doesn’t just exist between nations, it extends to agencies within states. Consider the term “cyberspace”. What does it mean? If you ask the United States’ Department of Defense, they’ll tell you one thing. The United States Congress will tell you another. Still yet, the American National Military Strategy for Cyberspace Operations has its own definition. They all point to the same idea, but while that idea is something we can all somewhat imagine, in a hazy, intuitive way, it evades clear articulation. To illustrate, the Department of Defense defines cyberspace as “a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers” (even truncated, it’s an inelegant mouthful). In contrast, a Congressional Research Service Report defines cyberspace as the “total interconnectedness of human beings through computers and telecommunications without regard to physical geography.”
The Congressional Report’s definition stresses human interconnectedness whereas the Department of Defense’s stresses interconnected infrastructure. The former definition seems to exclude inter-machine communication from cyberspace. The latter definition, with its focus on the materiality of the internet, seems like a friendlier foundation for laws which limit attacks on critical infrastructure. We can have one or the other, but not both. We can also have neither, if we use one of the many other competing definitions other organizations have proposed. Each definition brings unique caveats. In a low stakes environment, this wouldn’t matter. The differences between these definitions are fairly minor and reducible to gaps in connotation. However, if these terms are to form the basis of international law, that’s a different story. International law partially dictates how states act and relate to one another, determining, for example, what legitimate alliances, justified force, and appropriate sanctions look like. Misunderstandings can change global history, and states will also ruthlessly exploit semantic ambiguity to their advantage if given the opportunity to do so. Hence the constituent phrases and definitions of international law are always held under close scrutiny. So long as cyberwar is of words that have no universally agreed-upon meaning, the legal framework around it will be cloudy and insubstantial.
“Cyberspace” has the advantage of being a foundational concept. The effects of its definition are are second-order and indirect, felt mostly through how it determines the meaning of other, higher-order terms. The chance of achieving a consensus on its semantics is better than with more controversial terms. As a foil, consider the word “cyberwar” itself. It’s a term whose definition has concrete political implications, directly affecting, for example, whether the United States and Russia are militarily engaged. With clearer stakes involved, there has understandably already been some jockeying to control the term. Case in point: the Shanghai Cooperation Organization is an international organization consisting of Russia, China, and some Central Asian autocracies. Through this organization, Russia and China have pushed for an expansive definition of cyberwar, one in which cyberwar includes “information warfare” and in which information warfare is defined as “mass psychological brainwashing to destabilize society and state…” Critics worry that this definition of cyberwar could be used to suppress dissident political speech, and that accepting it would be a concession to authoritarianism. As if to underline this, Russia has stated that any attempt to engage in information warfare against it would be considered a military attack, which in this context can be read as domestic information control. Western states have a strong reason to reject this definition of “cyberwar”. However, we also all saw what happened during the 2016 American Presidential Election (and a handful of European elections), so it might be unwise for their governments to adopt a definition that excludes information warfare. An international legal framework built around such a definition would provide less effective tools against Russian election meddling or similar aggressive acts. The point of this case is that it illustrates how the choice of how to define a key term becomes a question of geopolitical calculation. This is but one example in which politics muddles terms the cyber realm.
All things considered, cyber’s general lack of semantic clarity, coupled with the politics of language construction, means that it will be astounding if we manage to produce functional, international treaties on cyberwar in the near future. Lacking the centuries of precedent produced by conventional war, cyberwar is a conceptual, and ergo legal, quagmire from the get-go.
(Stay tuned for Part 2)