Accusations and International Law in Global Cybersecurity
By Gozde Berkil
The Center for International Law and Governance at the Fletcher School of Law and Diplomacy hosted a conference on cybersecurity and the law on September 14 and 15. Following is a review of one of the panels held during the conference.
The draft paper for this session can be viewed here.
The second panel of the conference focused on a paper authored by Professor Martha Finnemore and Professor Duncan B. Hollis, titled “Naming without Shaming? Accusations and International Law in Global Cybersecurity”. In this paper, the authors examine the application of naming and shaming theory in international relations to international cybersecurity framework. They conclude that “naming” does not give way to “shaming” when applied to cyber operations, nonetheless the accusations may serve the purpose of having a consensus on unlawfulness of cyber attacks, which would be a good first step for the emergence of a customary international law.
The assumption behind naming and shaming technique is that “the accusations can change an accused’s behavior”.[i] Correspondingly, the authors suggest that “naming and shaming can improve international law compliance”.[ii] In reality, it works for obvious legal or moral violations by producing shame of the accused. However, applying this technique to states conducting or supporting cyber operations gives a different result. Mostly the engaged states continue to conduct cyber operations regardless of accusations by not commenting on previous attacks or simply by denying them.
Another difference is that naming and shaming in other contexts like human rights has been usually attached to violations of international law rules, while cyber operations are tied to violations of “international norms” but not “international law”.[iii] Nevertheless, deploying an accusation publicly may have legitimate purposes, five of which the paper touches upon: seeking the accused comply with the rules, providing information to third parties to be used for defensive purpose in the future, creating public attention as a deterrent function, also with punitive purposes and seeking to send a message to international community about the appropriate behavior in cyber space.[iv]
Besides, the success of an accusation for cyber operations depends on internal and external factors, both essential. First, how strategically the accuser constructs an accusation by disclosing facts is very crucial. Broadly speaking, accusations have three elements, attribution, exposure and condemnation,[v] among which the accuser chooses to construct the accusation. Particularly, when the victim of the cyber operation opts for not to disclose its vulnerabilities, the accuser skips exposure while resorting to only accusation and condemnation.
Second, the external factors are as important as the construction of an accusation. The existence of a norm governing a cyber activity is particularly important to measure the accusing behavior.[vi] Notably, the cyber economic espionage is condemned for the first time by filing a criminal charge against some PLA members.[vii] Although jurisdictional challenges of implementing the charges are obvious, a legal reference is used to raise public awareness of accusation and condemnation of cyber espionage.
The relationship between the accuser, the accused and the community significantly matters in naming of cyber operations. In the paper, the authors emphasize the more the accused value the relationship with the accuser considering political, diplomatic and economic interests of each state, the more effective the accusation is.[viii] The capacity of the accuser to influence the international community is another significant component of the success of an accusation. Therefore, the external factors seem as indispensable as the construction of accusation for its success.
However, the reflection of “naming and shaming” on international law is not very conclusive for now. Because states do not achieve consensus on the application of existing international legal rules to cyber space, the accusations lack legal terms. According to the authors, the reason might be also a fear of reciprocity as to be legally framed by their own acts in cyber space, such as Iran’s reluctance to use legal terms on Stuxnet worm attack on nuclear facilities and not being legally accused for its own cyber operations against U.S. financial targets in return.[ix]
The most important aspect of the analysis of “naming and shaming” is to inquire its impact on the emergence of a customary international law. The authors claim “the resulting delineation of wrongful behavior in cyberspace can constitute the practice from which opinio juris may emerge over time”.[x] Considering that whether practice and opinio iuris can be inferred from the same source has been long discussed in North Sea Continental Shelf Cases[xi] and in USA v. Nicaragua[xii], the author’s perspective will also be positioned in these long debates.
[i] Finnemore, Martha and Duncan B. Hollis. Naming Without Shaming? Accusations and International Law in Global Cybersecurity. (Paper presented at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Medford, September 14-15, 2018), 3. Accessed September 16, 2018. https://sites.tufts.edu/cilg/files/2018/09/compliancedraftsm.pdf
[ii] Ibid., 4.
[iii] Ibid., 3.
[iv] Ibid., 3-9.
[v] Ibid., 12.
[vi] Ibid., 22.
[vii] US Department of Justice. Office of Public Affairs. U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage. May 19, 2014. Accessed October 1, 2018. https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor
[viii] Finnemore, Martha and Duncan B. Hollis. Naming Without Shaming? Accusations and International Law in Global Cybersecurity. (Paper presented at Protecting Civilian Institutions and Infrastructure from Cyber Operations: Designing International Law and Organizations Conference, Medford, September 14-15, 2018), 21. Accessed September 16, 2018. https://sites.tufts.edu/cilg/files/2018/09/compliancedraftsm.pdf
[ix] Ibid., 25.
[x] Ibid., 29.
[xi] North Sea Continental Shelf Cases. Federal Republic of Germany v. Denmark; Federal Republic of Germany v. Netherland. (Merits. International Court of Justice. February 20, 1969). Accessed October 1, 2018. http://www.refworld.org/cases,ICJ,50645e9d2.html
[xii] Case Concerning Military and Paramilitary Activities In and Against Nicaragua. Nicaragua v. United States of America. (Merits. International Court of Justice. June 27, 1986). Accessed October 1, 2018. http://www.refworld.org/cases,ICJ,4023a44d2.html