“ALGORITHMS FIGHTING TERRORIST CONTENT – A THREAT TO OUR BASIC FREEDOMS?”

ALGORITHMS FIGHTING TERRORIST CONTENT – A THREAT TO OUR BASIC FREEDOMS?

The Islamic State efficiently weaponized social media with their hashtag #alleyesonISIS and the publication of thousands of Youtube videos.[1] The marring videos of beheadings and other ghastly executions trolled the Internet to the inspiration of some, and the abhorrence of most.[2] Their social media propaganda recruited more than 40 000 foreign fighters from 110 countries.[3]

The Internet is a very efficient propaganda machine because content uploaded to one webpage spreads like wildfire to other platforms. This is why heads of states from all over the world have called for the industry to do more and faster to strike down terrorist content with new technology.[4] However, the current algorithms for detecting terrorist and extremist content do not have the same ability as humans to distinguish between legal and illegal content.[5] The question thus becomes: Are we ready to trade our right to freely express and receive information in exchange for security?

In this blogpost I want to address the tension between our efforts to win the online war against terrorism and the responsibility to respect and protect our right to freely express and receive information. I do not aim to answer the questions that arise, but rather, to highlight some of the challenges that must be addressed. I start by looking briefly at international and European human rights law. Then I turn to a recent legislative proposal from the European Union that calls for the development and use of automatic detection tools to rid us of “terrorist content”. Further I look at how this pressure from world leaders and legislators to take action has impacted the conduct of companies with YouTube as the example. Finally I offer some thoughts on the limitations of the current technology and how the rush to use it may seriously impact our fundamental freedoms.

1. The Law

Freedom of expression is a fundamental right enshrined in the constitution of most democratic states. It also forms an integral part of international human rights treaties. According to the Universal Declaration on Human Rights article 19, ”[e]veryone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”[6] This right was further codified in the International Covenant on Civil and Political Rights (ICCPR) article 19, which means that the Covenants 172[7] state parties are obligated to respect, protect and fulfil this right.[8] As the quoted article emphasises, the right to freely seek and receive information is an integral part of the human right to free expression.

Freedom of expression also holds a central place in the European Convention on Human Rights and Fundamental Freedoms (ECHR). Similarly to the ICCPR article 19 nr. 3, the ECHR article 10 provides that any restriction that removes information or access to it must be “prescribed by law and necessary in a democratic society” as well as protect a legitimate interest listed in article 10 nr. 2 such as “national security” and “public safety.”[9]

As the prime interpreter of the ECHR, the European Court of Human Rights has repeatedly emphasised the importance of scrutinizing national decisions to censor the publication of information in whatever form. In the case Yildirim v. Turkey, the Court held that “the dangers inherent in prior restraints are such that they call for the most careful scrutiny on the part of the Court, (…) for news is a perishable commodity and to delay its publication, even for a short period, may well deprive it of all its value and interest.”[10] The Court further stated that “a prior constraint is not necessarily incompatible with the Covenant as a matter of principle” but that any such restraint must be subject to a legal framework to ensure ”both tight control over the scope of bans and effective judicial review to prevent any abuse of power”.[11] This legal test is just as important to uphold in regard to traditional media as it is on the Internet. The Court acknowledged the special role of Internet in today’s information environment in the case Times Newspapers Ltd v. the United Kingdom. In their reasoning the Court stated that “[i]n the light of its accessibility and its capacity to store and communicate vast amounts of information, the Internet plays an important role in enhancing the public’s access to news and facilitating the dissemination of information in general.”[12]

These human rights obligations demand that governments strike a fair balance between protection of free speech and the need to curtail terrorist propaganda in order to prevent terrorist activities. Governments are not released from their responsibility where they demand that private companies effectively provide censorship on their behalf.

2. The Rush to Crack Down on Offensive Content

For years the online platform providers have worked both separately and together to remove online terrorist and extremist content.[13] The pressure to take action has come from all corners of the world. Back in 2016 the Obama administration made it quite clear that Silicon Valley should do more to contribute to combat terrorists utilizing their online platforms.[14] Since then leaders from all over the world have joined up to pressure private companies to act faster and with more vigour to crack down on terrorist propaganda.[15]

In response to this pressure the tech-giants are taking steps to repeal unwanted content such as terrorist propaganda. As the mother company of Youtube, Google reports that it removed 1,667,587 channels and a baffling number of 7,845,400 videos during a three-month period in 2018 alone.[16] The videos are removed because they breach the YouTube Community Guidelines that prohibit content with incitement to violence, harassment, pornography or hate speech.[17] Of these removals, 6,387,658 videos were removed by automated flagging and 74,5 % of that number was removed before receiving any views, effectively prohibiting publication.[18] Although nowhere near the height of their power and popularity, ISIS supporters still managed to upload 1,348 YouTube videos and generated 163,391 views between March and June 2018.[19]

Google and Facebook have previously stated that human beings review whether to remove the content or not.[20] The reality, however, is that large parts of the removals are effected by automated or semi-automated decisions.[21] As I shall highlight below, the sophistication of this technology becomes very important for whether any laws obliging the companies to continue this practice complies with the right to express and receive information.

  1. EU Proposal: Legal Duty to Proactively Eradicate Terrorist Content

Deciding that the private companies responsible for these platforms are not doing enough, the European Union has decided that the voluntary measures are insufficient to win the battle against the terrorist propaganda. In September 2018 the European Commission launched a hard-hitting new regulation targeting “terrorist content” specifically.[22] According to the press release this term refers to “material and information that incites, encourages or advocates terrorist offences, provides instructions on how to commit such crimes or promotes participation in activities of a terrorist group.”[23]

The private companies obligated by the proposal are “all hosting service providers offering services in the EU”.[24] This definition is so broad that it is likely to affect all servers hosting user content no matter where they are based as long as they provide services in the European Union.[25] The provisions are aimed at compelling the companies to take both proactive and reactive measures to reduce the amount of terrorist content online.

The reactive duty includes the duty to remove any content flagged by the relevant member state authority within 1 hour of notice.[26] A daunting fine of up to 4 % of global turnover is what looms in the background if a company systematically fails to comply with these “removal orders” in time.[27] The one-hour limit might sound short, but if the goal is to take down the terrorist content before it creates too much damage it may even be too long. A report from 2018 spells it out for us: during one minute more than 2.5 quintillion bytes of data are created, we make more than 3,877,140 Google searches, watch more than 4,333,560 Youtube videos, and send more than 473,400 tweets.[28] When contemplating these numbers one can only imagine how much impact a video or tweet from ISIS could have in 60 minutes.

In recognition of these statistics the legislative proposal includes a duty for the private companies to deploy “automated detection tools where appropriate and when they are exposed to the risk of hosting terrorist content.”[29] These automated detection tools are algorithms that can sift through an amazing amount of data in a very short amount of time. The caveat is that applying automated detection tools to differentiate between what is “terrorist content” and what is merely “the expression of radical, polemic or controversial views in the public debate on sensitive political questions”[30] may fail. There is a risk that the algorithm detects and flags perfectly legal content.

The Commission is aware that this automated process must comply with the human rights legal framework protecting the freedom to express and receive information. The proposal therefore includes several provisions that try to ensure these rights. Examples include the duty to ensure “oversight and human assessment” of the content detected and enforcement of “effective safeguards to ensure full respect of fundamental rights, such as freedom of expression and information.”[31]

On the face of it seems like a great way to strike the balance between waging war on terrorist content and respecting fundamental human rights. The problem is that the legislation sets a lot of store by the sophistication of the automatic detection technology. It is hard to believe that the European Commission actually thinks that there can be human oversight over all content flagged by an algorithm. The details of the proposal are not yet out, so it is still unclear whether this would be an obligation or not. In any case, the use of automated detection tools to both detect and make the decision to remove content to comply with the regulation is very tempting if the goal is to take down the terrorist propaganda before it spreads.

Whether these automated detection and decision tools are within the limits of the human rights legal framework depends, as I see it, on at least three questions: 1) whether the state of technology is so sophisticated that the algorithm can differentiate between “terrorist content” and other content 2) whether the algorithm can ensure the human rights balancing test when it makes a decision to remove content at the cost of freedom to express and receive information, and 3) even if it can, whether the use of automated decisions will make it impossible for judicial review because the algorithm may not be able to provide an explanation of its legal analysis that humans can understand.

  1. Misconceptions on the Sophistication of the Technology

So how sophisticated is this automated detection and decision technology? Is it up to the job of replacing a human that can decipher legal from illegal content and make the requisite human rights legal analysis? A number of voices within the legal tech-community appear to think that it is not. The Center for Technology and Democracy (CTD) published a report on the limitations of automated social content analysis where they emphasised that the technology is not sophisticated enough to comprehend “the nuanced meaning of human communication or to detect the intent or motivation of the speaker.”[32] It is therefore important that politicians and legislators understand these limitations before they make statements or enact legislation that calls for action that cannot be done without compromising our basic human rights.

Stakeholders all over the world have reacted to the European Commissions press release on the new “terrorist content”-legislation with a message of caution and warning. This includes three United Nations Special Rapporteurs, the Council of Europe, private companies and NGOs.[33] One of these organisations, The Global Networking Initiative (GNI), stated as part of a lengthy article that they believe the proposal as it stands “could unintentionally undermine [the shared objective of tackling dissemination of terrorist content online] …by putting too much emphasis on technical measures to remove content, while simultaneously making it more difficult to challenge terrorist rhetoric with counter-narratives.”[34] In addition, the GNI expressed concerns that the regulation would place significant pressure on the affected companies to ”monitor users’ activities and remove content in ways that pose risks for users’ freedom of expression and privacy.”[35] As many other stakeholders share this concern, it indicates that they do not believe the European legislator understands the limitations of the technology when they propose this duty to put in place “proactive” measures.

  1. Blindly Trading Liberty for Security?

The possibilities for using machine learning to automate decision-making can turn out to be both a blessing and a curse. The pressing need for our politicians and jurists to have in-depth knowledge on emerging technology is mounting. The fight on the online battlefield against terrorism demonstrates the stakes we are facing. Striking the balance between liberty and security is difficult, but at least up until now it has been an issue where we could understand in what direction the wind is blowing when reviewing new legislation. The duty to use automated detection and decision-making tools may shake this safeguard. We must therefore ask our selves whether we are about to, or perhaps already did, enter an era where we unintentionally and unknowingly trade our fundamental right to express and receive information in exchange for security.

 

[1] Singer, P.W. and Emerson T. Brooking. LikeWar, New York: Houghton Mifflin Harcourt, 2018, p.5.

Greenemeier, Larry. Social Media’s Stepped-Up Crackdown on Terrorists Still Falls Short. (2018), https://www.scientificamerican.com/article/social-medias-stepped-up-crackdown-on-terrorists-still-falls-short/ [Cited 02/14/2019]

[2] Koerner, Brendan I. Why ISIS is Winning the Social Media War. (2016), https://www.wired.com/2016/03/isis-winning-social-media-war-heres-beat/ [Cited 02/14/2019]

[3] BBC.com. IS foreign fighters: 5,600 have returned home – report. (2017) https://www.bbc.com/news/world-middle-east-41734069 [Cited 02/05/2019]

[4] Sengupta, Somini. World Leaders Urge Big Tech to Police Terrorist Content. (2017)

https://www.nytimes.com/2017/09/21/world/internet-terrorism-un.html [Cited 02/05/2019]

[5] Center for Democracy and Technology. Mixed Messages: the Limits of Automated Social Media Content Analysis. (2017), https://cdt.org/insight/mixed-messages-the-limits-of-automated-social-media-content-analysis/  [Cited 02/05/2019]

[6] United Nations. Universal Declaration of Human Rights. (Date unknown), http://www.un.org/en/universal-declaration-human-rights/ [Cited 02/05/2019]

[7] United Nations Treaty Collection. International Covenant on Civil and Political Rights. (2019), https://treaties.un.org/Pages/ViewDetails.aspx?chapter=4&clang=_en&mtdsg_no=IV-4&src=IND [Cited 02/09/2019]

[8] United Nations Human Rights Office of the High Commissioner. International Law. (Date Unknown), https://www.ohchr.org/en/professionalinterest/Pages/InternationalLaw.aspx [Cited 02/09/2019]

[9] Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 4.XI.1950, Article 10 nr. 2.

[10] Case of Yildirim v. Turkey, Application no. 3111/10, 12/18/2012, paragraph 47.

[11] Case of Yildirim v. Turkey, Application no. 3111/10, 12/18/2012, paragraph 64.

[12] Case of Times Newspapers Ltd (nos 1 and 2) v. the United Kingdom Application no. 3002/03 and 23676/03, 03/10/2009, paragraph 27.

[13] Greenemeier, Larry. Social Media’s Stepped-Up Crackdown on Terrorists Still Falls Short. (2018), https://www.scientificamerican.com/article/social-medias-stepped-up-crackdown-on-terrorists-still-falls-short/ [Cited 02/14/2019]

[14] Handeyside, Hugh. Social Media Companies Should Decline the Government’s Invitation to Join the National Security State. (2016), https://www.justsecurity.org/28755/social-media-companies-decline-governments-invitation-join-national-security-state/ [Cited 02/14/2019]

[15] Sengupta, Somini. World Leaders Urge Big Tech to Police Terrorist Content. (2017)

https://www.nytimes.com/2017/09/21/world/internet-terrorism-un.html [Cited 02/05/2019]

[16] Google. Transparacy Report: YouTube Community Guidelines enforcement. (2018), https://transparencyreport.google.com/youtube-policy/removals?hl=en&total_removed_videos=period:Y2018Q3;exclude_automated:&lu=total_removed_videos [Cited 02/05/2019]

[17] Ibid.

[18] Ibid.

[19] Greenemeier, Larry. Social Media’s Stepped-Up Crackdown on Terrorists Still Falls Short. (2018), https://www.scientificamerican.com/article/social-medias-stepped-up-crackdown-on-terrorists-still-falls-short/ [Cited 02/14/2019]

[20] Council of Europe. “Algorithms and Human Rights: Study on the Human Rights Dimensions of Automated Data Processing Techniques (in particular algorithms) and Possible Regulatory Implications.” Council of Europe Study DGI(2017)12, p. 18.

[21] Ibid.

[22] European Commission. State of the Union 2018: Commission proposes new rules to get terrorist content off the web. (2018), http://europa.eu/rapid/press-release_IP-18-5561_en.htm [Cited 02/06/2019]

[23] Ibid.

[24] European Commission. State of the Union 2018: Commission proposes new rules to get terrorist content off the web. (2018), http://europa.eu/rapid/press-release_IP-18-5561_en.htm [Cited 02/06/2019]

[25] Bennett, Owen. The EU Terrorist Content Regulation – a threat to the ecosystem and our users’ rights. (2018), https://blog.mozilla.org/netpolicy/2018/11/21/the-eu-terrorist-content-regulation-a-threat-to-the-ecosystem-and-our-users-rights/ [Cited 02/06/2019]

[26] European Commission. State of the Union 2018: Commission proposes new rules to get terrorist content off the web. (2018), http://europa.eu/rapid/press-release_IP-18-5561_en.htm [Cited 02/06/2019]

[27] Ibid.

[28] DOMO. Data Never Sleeps 6.0: How Much Data is Created Every Minute? (2018/2019), https://www.domo.com/learn/data-never-sleeps-6 [Cited 02/06/2019]

[29] European Commission. State of the Union 2018: Commission proposes new rules to get terrorist content off the web. (2018), http://europa.eu/rapid/press-release_IP-18-5561_en.htm [Cited 02/06/2019]

[30] Ibid.

[31] Ibid.

[32] Center for Democracy and Technology. Mixed Messages? The Limits of Automated Social Media Content Analysis. (2017) https://cdt.org/insight/mixed-messages-the-limits-of-automated-social-media-content-analysis/ [Cited 02/06/2019]

[33] See for example: 1) Open Letter from the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression; the Special Rapporteur on the right to privacy and the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, 12/07/2018, https://spcommreports.ohchr.org/TMResultsBase/DownLoadPublicCommunicationFile?gId=24234, and 2) Council of Europe. Misuse of anti-terror legislation threatens freedom of expression. (2018),

https://www.coe.int/en/web/commissioner/blog/-/asset_publisher/xZ32OPEoxOkq/content/misuse-of-anti-terror-legislation-threatens-freedom-of-expression https://edri.org/terrorist-content-regulation-warnings-from-the-un-and-the-coe/

[34] Global Network Initiative. GNI Statement on Europe’s Proposed Regulation on Preventing the Dissemination of Terrorist Content Online. (2019), https://globalnetworkinitiative.org/gni-statement-draft-eu-regulation-terrorist-content/#_ftn15 [Cited 02/06/2019]

[35] Ibid.

The Evolution of a Hostile Cyberspace and Why You Should Care

The Evolution of a Hostile Cyberspace and Why You Should Care

  1. Crime and War to Replace Smileys and Hearts?

Cyberspace provides a basic infrastructure for work, reading news and sending hearts and smileys on social media. If you hear the words “cyberspace” and “cyber attacks” it might bring to mind a science fiction-like scene of aliens battling with code somewhere in the matrix. ‘Cyberwar’ may not be a concern to you at the moment. The reality is that cyberspace could soon be concerned with more weapons than smileys.

The statistics speak for themselves: in 2017 an estimate of 611,141 web attacks were blocked every day[1] and the cost of global cybercrime in 2017 is estimated to $ 600 billion.[2] The persons behind these attacks and crimes are mostly criminals and vigilantes. These are scary private actors, but enhancing the capability of cyber law enforcement may arguably control them. State actors targeting each other through hostile cybermeans is to many a much more unnerving trend.[3] This hostile state practice and its implications could be one of the greatest challenges facing our generation of leaders. And yet, it seems like it is a task that neither our leaders nor the civil society is prepared to discuss or handle in a conscientious way.[4]

The knowledge gap between what the average person knows about cybersecurity and cyberwarfare, and what is actually happening, should be a concern to everyone. In this blog post, I will first explain what cyberspace is and what law applies. Next, I will turn to some examples of infamous cyberattacks involving state actors and then comment on current cyber strategies adopted by states to meet these threats. Finally, I will present some thoughts about the problem of the cyber-knowledge gap and the way forward for law in cyberspace.

  1. What is Cyberspace and What Law Applies?

There is no universally agreed upon definition of what constitutes “cyberspace.”[5] The Pentagon has tried to define it and has so far come up with cyberspace as “the global domain within the information environment consisting of the interdependent network and information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”[6] This term is both so broad and incomprehensible that, for most of us, we might as well continue to coin the term like the novelist Gibson did in the Neuromancer, as “a consensual hallucination experienced daily by billions of legitimate operators…”[7]

Defining the space where it all happens is hard enough. Defining what international legal norms should apply has not only proven to be hard, but many nations do not even want to. For differing reasons, China, Cuba and Russia do not acknowledge that international law and the right to self-defense necessarily applies to cyberspace.[8] This was made clear during the now dead in the water UN negotiations concerning what legal norms apply in cyberspace.[9] Other nations, like the US and UK, acknowledge the application of international law in cyberspace, but refrain from taking a stance that most of the stuff happening in cyberspace rises to the level of unlawful breach of sovereignty.[10] This school of thought has been termed the school of “sovereignty as a principle,”[11] whilst others, perhaps especially those rooting for the application of the soft law principles of the Tallinn Manual[12], belong to the school of what we may call “sovereignty as a rule.”[13]

The “sovereignty as a principle” school is likely the most pragmatic approach as state practice within cyberspace is still in its infancy. It allows flexibility for what are considered “legal responses” to the most frequent cyber incidents, as long as they are defined in the “grey zone” not rising to the level of illegal interference or intervention.[14] At the same time, it may be argued that this approach first and foremost favours the state actors on the scene of international cyberwarfare that has the capability of deterring these incidents in a meaningful way. For the nations that do not have the capability of responding in cyberspace it may be better to be able to point to a breach of sovereignty and respond with non-cyber countermeasures. On the other hand, allowing non-cyber countermeasures to cyberattacks rising to the level of intervention or interference could lead to unwanted escalation of hostilities.

The downside of keeping it pragmatic is that without clear rules of what is and is not accepted state action in cyber space, we might end up with a fearful virtual society favouring the strongest states. The capabilities of cyberweapons become more powerful and sophisticated by the minute. As we shall see in some examples below, the attackers are hard to identify and for many nations it is impossible to respond by cybermeans.

3. Stuxnet and Estonia: Cyber Weapons With Real-World Consequences

Examples of cyberhacks and cybercrime are myriad. Cyberwars and weapons are not. This may both be due to the covert nature of the cyber military operations, but also due to the fact that these hostilities and capabilities are still developing. However, there are a few notable exceptions.

The first example of a large-scale cyberweapon with real-world consequences is the infamous “Stuxnet”-malware targeting the Iranian nuclear facilities.[15] The malicious code (malware) infected the computers controlling a part of the nuclear program causing them to self-destruct by making the centrifuges speed up or slow down.[16] It successfully took down almost a thousand centrifuges (P-1 machines) by simply manipulating software.[17] European security consultants detected Stuxnet in 2010 when the malware infected thousands of computers running the same operating system as the one it was meant to target. It was so sophisticated that it did not cause actual harm anywhere, but the nuclear facility in Iran.[18] The cyberweapon was allegedly created by the NSA and the Israeli intelligence agency as part of operation “Olympic Games.”[19] The security analyst part of the team that exposed Stuxnet stated that the malware was all about “destroying its targets with utmost determination in military style.”[20] What Stuxnet shows us is that a cyberweapon may in itself consist of mere code, but can cause significant real-world damage to essential infrastructure and business. Former CIA Director, Michael Hayden, stated that Stuxnet was a ”game changer” and went so far as to compare its implications to that of Hiroshima in 1945.[21] Whether or not people agree to the latter statement, they probably do agree that capabilities of weapons like Stuxnet can only improve and that we are already part of a cyber arms race.[22]

Another example of cyberweapons that had notable real-world consequences is the attack on Estonia in 2007. The “hacktivist”[23], or as some say “cyber terrorist,”[24] attack on Estonian governmental functions remains one of the most notorious cyberattacks in Europe so far. The attack came as a response to the decision to relocate a statue in tribute to the Soviet liberation of Estonia from the Nazis.[25] The Russian minority in Estonia reacted with an uproar that included cyberattacks on key governmental and economic institutions.[26] The Estonian society was, at the time, one of the most digitally progressed societies in the world as they relied heavily on cyberspace when developing their own public and private institutions after the fall of the Soviet Union.[27] This vulnerability enabled the cyberattackers[28] to paralyze vital governmental and economic institutions for weeks on end by targeting the media, intergovernmental communications, and online banks.[29]  Ten years after the Estonian attack, an Estonian cyber defense expert stated that a major difference between cyberattacks and kinetic force is that a cyberattack “allow you to create confusion, while staying well below the level of an armed attack. Such attacks are not specific to tensions between the West and Russia. All modern societies are vulnerable.”[30]

These are just some examples of how cyberweapons is becoming a part of state practice and warfare. Below we shall see how different state actors have responded to this threat in different ways.

4. Cyber Strategies: is ‘Offense by Defense’ the Best Way Forward?

Governments all over the world experience cyber hostilities on a daily basis. The “cyber threat” is on the top of most governmental agendas though few leaders can truly say they understand its ramifications. It took the US government 15 years to finally present a brand new National Cyber Security Strategy this September.[31] To get some perspective of how “long” 15 years is in cyberspace, it is worth reminding ourselves that this means the last strategy was launched a whole four years before the first iPhone came.[32] For those of you who feel like that is just like yesterday, it certainly does not feel like that to the “digital” generation.

This new US cyber strategy carries one major message to other state actors: the gloves are off – we will “defend forward” to deter malicious actors.[33] In other words, offense is the new defense. Some critics have pointed out that this aggressive strategy may remove critical resources from defending essential infrastructure from attack and lead to unnecessary escalation of hostilities.[34] Others, like the former Director of the National Security Agency, Admiral Michael Rogers, firmly hold that the aggressors in cyberspace will not be deterred by anything less than a firm and rapid response.[35] With the memories of meddling in the 2016 US presidential elections by Russian actors still fresh in mind, you may sympathize with this combative approach.

At the same time, it is important to keep in mind that a national cyber strategy need not be first and foremost aggressive. The European Union approach is an example of this.[36] Although the EU is not a military power with a common defense for Europe, the Union is still an important actor in Cyberspace, particularly regarding the importance of a common trade market.[37] Their cyber strategy, first published in 2013 and renewed in 2017, emphasizes the importance of building a safe, prosperous, and open cyberspace relying on fundamental rights and freedoms.[38]

The EU and US are longstanding allies. Despite their different approaches in cyberspace they will likely remain cyberfriends. China is another story all together. China is one of four states explicitly coined as long-term strategic threats to the US and its allies in the new US strategy.[39] A Chinese cybersecurity analyst recently commented upon the cyber strategy and expressed concerns about how “defending forward” may look a lot like early attack for the ones experiencing the “defense”.[40] She compared the situation of power balance in cyberspace to the one of the Cold War, warning that we are at a crossroads in cyberspace where “one route may point toward achieving general stability, while the other may lead to chaos and conflict”.[41]

The question one might ask in light of this discussion is what legal order de lege ferenda we should or should not work towards in cyber space. Although the UN effort to reach consensus on cyber space regulation did not succeed, there are other attempts to facilitate state cooperation on cyber legal norms in the making.[42] Should it be a lawless space for the survival of the fittest or should we adopt the existing framework of international law applicable for the use of force and in armed conflict? Or should we instead aim for completely new norms and principles adopted through a treaty? And perhaps more importantly, are the stakeholders capable of discussing the technical nature of cyberspace and cyberwarfare in a meaningful way?

Hope for a Peaceful Cyberspace and the Need for Cyber Knowledge

The rules that govern the use of force and the conduct of war in the ‘real world’ originate from hundreds of years of custom and treaties. Meanwhile, much of the emerging hostilities may utilize cyberweapons with both cyber and real-world consequences. As noted above, without clear rules of state action in cyberspace, one could ask whether we are moving in the wrong direction, towards a state practice of “the survival of the fittest” approach. Cyberweapon capabilities are not, as far as we know, anywhere close to the danger that nuclear weapons present. Yet, Stuxnet showed us that hatching cyberweapons with the capability of disruption of essential infrastructure was already a reality in 2005.[43] Without the will to regulate the attacks happening in cyberspace, one may end up with a fearful international community reminiscent of the Cold War. Or perhaps even more fearful, as the problem of attribution in cyberspace keeps the attacker in the dark and the victim in the unknown.[44]

Internationalists remain hopeful that we will reach a consensus on cyber legal norms that aim for a peaceful coexistence in this space by prohibiting the use of force. In the event it is not possible for states to coexist peacefully, then the law of armed conflict must make it clear that virtual civilian life and infrastructure is as well worth protecting as they are in the ‘real’ world.

Cynical minds might argue that there is no point in trying to establish international law in cyberspace when many states do not even comply with existing custom and conventions in the ‘real’ world. That the idea of international rule of law is just as much a hallucination as Gibson deemed cyberspace to be in 1984. Of course, they do have a point. All sides of the conflict in Yemen and Syria prove this point everyday. The western and eastern nations fighting and funding the wars demonstrate disregard and distain for the law of armed conflict and the value of human life as civilians are slaughtered[45] and children starve in the thousands[46].

It is true that many states do not comply with the rules, but the point still stands. It is worth aspiring for an international legal order in cyberspace. In spite of our daily news feed, international law is more often respected than not.[47] History has also shown us that adversaries can go from hostile competition to peaceful cooperation, just as US and Russia did with the outer space program.[48] It is better to strive for a cyber rule of law where some states comply, than none at all. Real-world consequences emerge from actions in cyberspace. If we create rules we may legitimately expose breaches of them, and hope that this leads to more civil conduct and the de-escalation of emerging conflicts.

Whatever the major players in the field of cyber-international relations decide, we should all, as citizens of the virtual world, be able to understand cyberspace in order to hold our governments accountable – and at the moment we do not.[49] The term “cyber threats in cyberspace” probably still produce a little sci-fi feeling for us all. Both public and private institutions need to take steps to close the cybersecurity knowledge gap. If not, we will end up with a world where only the techy people speak the language of power and influence.

[1] Statista. Global number of web attacks blocked per day from 2015 to 2017 (in 1,000s). (2018), https://www.statista.com/statistics/494961/web-attacks-blocked-per-day-worldwide/. [Cited 12/01/2018]

[2] Lewis, James. ”Report: Economic Impact of Cybercrime—No Slowing Down”, McAfeee and the Center for Strategic and International Studies (CSIS), (2018), p. 4. [https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=5fee1c652573999d75e4388122bf72f5&tag=ec&eid=18TL_ECGLQ1_CT_WW&elqCampaignId=23163] [Cited: 11/13/2018]

[3] Wheeler, Tara. ”In Cyberwar There are no Rules,” ForeignPolicy.com, 09/12/2018. [https://foreignpolicy.com/2018/09/12/in-cyberwar-there-are-no-rules-cybersecurity-war-defense/] [Cited 11/13/2018]

[4] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 4.

[5] As far as I have been able to understand through my research.

[6] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 13.

[7] Gibson, William. Neuromancer. New York, ACE Books, 1984, p. 51.  See also Shachtman, Noah. ”26 years after Gibson, Pentagon Defines ’Cyberspace,’” Wired, 05/23/08. [https://www.wired.com/2008/05/pentagon-define/] [Cited: 12/14/2018]

[8] Bowcott, Owen. ”Dispute along cold war lines led to collapse of UN cyberwarfare talks”, The Guardian, 08/23/017. [https://www.theguardian.com/world/2017/aug/23/un-cyberwarfare-negotiations-collapsed-in-june-it-emerges] [Cited 12/01/2018].

[9] Schmitt, Michael and Liis Vihul. “International Cyber Law Politicized:  The UN GGE’s Failure to Advance Cyber Norms”, Justsecurity.com, 06/30/2017. [https://www.justsecurity.org/42768/international-cyber-law-politicized-gges-failure-advance-cyber-norms/] [Cited: 12/01/2018]

[10] Waxman, Matthew. ”U.K. Outlines Position on Cyberattacks and International Law,” Lawfareblog, 05/23/2018. [https://www.lawfareblog.com/uk-outlines-position-cyberattacks-and-international-law] [Cited 12/01/2018]

[11] Schmitt, Michael. ”In Defense of Sovreignty in Cyberspace,” Justsecurity, 05/08/2018. [https://www.justsecurity.org/55876/defense-sovereignty-cyberspace/] [Cited: 12/12/2018]

[12] Schmitt, Michael N. Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Rhode Island, Cambridge University  Press, 2017.

[13] Watts, Sean and Theodore T. Richard. ”Baseline Territorial Sovereignty and Cyberspace,” Lewis & Clark Law Review, 03/16/2018. Available at SSRN: https://ssrn.com/abstract=3142272, p. 856-858.

[14] See e.g. Schmitt, Michael. ”In Defense of Sovreignty in Cyberspace,” Justsecurity, 05/08/2018. [https://www.justsecurity.org/55876/defense-sovereignty-cyberspace/] [Cited: 12/12/2018]

[15] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 115.

[16] Ibid, p. 116.

[17] Broad, William J, John Markoff and David E. Sanger. ”Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” The New York Times, 01/15/2011. [https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html] [Cited: 12/05/2018]

[18] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 116.

[19] Ibid, p. 118.

[20] Broad, William J, John Markoff and David E. Sanger. ”Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” The New York Times, 01/15/2011. [https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html] [Cited: 12/05/2018]

[21] Shinkman, Paul D. ”Former CIA Director: Cyber Attack Game-Changers Comparable to Hiroshima,” US News, 02/20/2013. [https://www.usnews.com/news/articles/2013/02/20/former-cia-director-cyber-attack-game-changers-comparable-to-hiroshima] [Cited: 02/12/2018].

[22] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 118.

[23] Herzog, Stephen. ”Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security, Vol. 4, No. 2: 49-60, 2011. p. 49. [Available at SSRN: https://ssrn.com/abstract=2807582]

[24] Richards, Jason. ”Denial-of-Service: The Estonian Cyberwar and Its Implications for U.S. National Security,” International Affairs Review at Elliot School of International Affairs George Washington University, Volume XVIII, No. 1: 2009. [http://www.iar-gwu.org/node/66]

[25] Herzog, Stephen. ”Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses,” Journal of Strategic Security, Vol. 4, No. 2: 49-60, 2011. p. 50. [Available at SSRN: https://ssrn.com/abstract=2807582]

[26] Ibid.

[27] Dycus, Stephen et. al.  National Security Law, 6 th Edition, Aspen Publishers, 2016, p. 447.

[28] The attacks were for the most Distributed Denial of Service Attacks, (DdoS), which entails flooding the targeted websites with fake access requests effectively prohibiting the access of real requests.

[29] Dycus, Stephen et. al.  National Security Law, 6 th Edition, Aspen Publishers, 2016, p. 447.

[30] McGuinness, Damien. ”How a cyber attack transformed Estonia,” BBC News, 04/27/2017. [https://www.bbc.com/news/39655415] [Cited 12/05/2018]

[31] US Department of Defense. White House Releases First National Cyber Strategy in 15 Years. https://dod.defense.gov/News/Article/Article/1641969/white-house-releases-first-national-cyber-strategy-in-15-years/ (09/21/2018).  [Cited 11/03/2018]

[32] Ritchie, Rene. ”11 years ago today, Steve Jobs introduced the iPhone,” iMore, 01/09/2018. [https://www.imore.com/history-iphone-original] [Cited: 10/14/2018]

[33] US Department of Defense. Summary of Department of Defense Cyber Strategy. (2018), p. 1. [https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF] [Cited: 11/12/2018]

[34]Wolff, Josephine. ”Opinion: Trumps Reckless Cybersecurity Strategy,” The New York Times,10/0272018. [https://www.nytimes.com/2018/10/02/opinion/trumps-reckless-cybersecurity-strategy.html]

[35] Rogers, Michael. Public speaking event hosted by Center for Security Research and Education at Penn State Law. State College, 11/13/2018.

[36] European Commission. Cybersecurity package ‘Resilience, Deterrence and Defence: Building strong cybersecurity for the EU’. (2018), https://ec.europa.eu/digital-single-market/en/news/cybersecurity-package-resilience-deterrence-and-defence-building-strong-cybersecurity-eu [Cited: 10/14/2018]

[37] Bleiberg, Joshua and Darrell M. West. ”The benefits of a Digital Single Market in Europe and the United States,” Brookings Techtank Blog, 06/17/2015. [https://www.brookings.edu/blog/techtank/2015/06/17/the-benefits-of-a-digital-single-market-in-europe-and-the-united-states/] [Cited: 11/12/2018]

[38] European Commission, General Secretary. (2017)  Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, 09/13/2017. [https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1505294563214&uri=JOIN:2017:450:FIN] [Cited 11/17/2018]

[39] US Department of Defense. Summary of Department of Defense Cyber Strategy. (2018), p. 1. [https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF] [Cited: 11/12/2018]

[40] Jinghua, Lyu. ”A Chinese Perspective on the Pentagon’s Cyber Strategy: From ‘Active Cyber Defense’ to ‘Defending Forward,’” Lawfareblog, 10/19/218. [https://www.lawfareblog.com/chinese-perspective-pentagons-cyber-strategy-active-cyber-defense-defending-forward] [Cited: 12/02/2018]

[41] Ibid.

[42] Schmitt, Michael and Liis Vihul. “International Cyber Law Politicized:  The UN GGE’s Failure to Advance Cyber Norms”, Justsecurity.com, 06/30/2017. [https://www.justsecurity.org/42768/international-cyber-law-politicized-gges-failure-advance-cyber-norms/] [Cited: 12/01/2018]

[43] Zetter, Kim. ”An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired, 11/03/2014. [https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/] [Cited 12/01/2018]

[44] Singer, P.W and Allan Friedman. Cybersecurity and Cyberwar – What Everyone Needs to Know, New York, Oxford University Press, 2004, p. 150.

[45] Reuters. ”Syrian Observatory says war has killed more than half a million,” Reuters, 03/12/2018.[https://www.reuters.com/article/us-mideast-crisis-syria/syrian-observatory-says-war-has-killed-more-than-half-a-million-idUSKCN1GO13M] [Cited 12/01/2018]

[46] Karasz, Palko. ”85,000 Children in Yemen May Have Died of Starvation,” The New York Times, 11/21/2018. [https://www.nytimes.com/2018/11/21/world/middleeast/yemen-famine-children.html] [Cited: 12/1/2018] See also: Elbagir, Nima et. al. ”Made in America Shrapnel found in Yemen ties US bombs to string of civilian deaths over course of bloody civil war,” CNN, 09/2018. [https://www.cnn.com/interactive/2018/09/world/yemen-airstrikes-intl/] [Cited 12/01/2018]

[47] ICRC. Frequently asked questions on the rules of war. (2016), https://www.icrc.org/en/document/ihl-rules-of-war-FAQ-Geneva-Conventions [Cited: 14/12/2018]

[48] Kruger, Hanna. ”In Space, U.S. and Russia Friendship Untethered,” NBC News, 09/30/2017.  [https://www.nbcnews.com/news/us-news/space-u-s-russia-friendship-untethered-n806101] [Accessed 12/12/2018]

[49] Sanger, David E. ”The age of cyberwar is here. We can’t keep citizens out of the debate,” The Guardian, 07/28/2018. [https://www.theguardian.com/commentisfree/2018/jul/28/cyberwar-age-citizens-need-to-have-a-say] [Cited: 12/06/2018]