Tag Archives: Cybersecurity

Cybercrime, Cyberespionage, Cybersecurity, International Law, Online Supplement

Why is the “Spectrum Model” of Internationally Wrongful Acts Problematic in Cyberspace?

February 21, 2023 Leave a comment

There are generally four concepts in international law that describe a state’s wrongful acts: violation of sovereignty, prohibited intervention, use of force, and armed attack. These four concepts emerged in the pre-internet era, thus the application of them in cyberspace has caused many disagreements. However, notwithstanding the disagreements on the scope of any particular concepts, most scholars and states have implicitly or explicitly accepted a “spectrum model” to conceptualize the relationship between these four concepts. According to the spectrum model, the difference between these four concepts lies only in the severity of their violations. And the severity of a wrongful act is in turn connected to and depended upon the effects caused by it. Therefore, the four concepts operate by drawing four lines or “thresholds” measuring the effects of particular cyber operations. Accordingly, a cyber operation that violates a principle with a higher threshold must also violate a principle with a lower threshold.

This paper will argue that the spectrum model is problematic because it is incompatible with the usual understanding of the non-intervention principle. It does not correctly reflect the relationship between the non-intervention and the non-use of force principles. And it tends to improperly entangle the prohibition of armed attack and non-use of force principle. This paper will then propose an alternative “pyramid model” to conceptualize internationally wrongful acts.

I. Problematic Implications of the Spectrum Model in Cyberspace

1. The spectrum model and the principle of non-intervention

The principle of non-intervention is a well-established customary international law that prohibits states from coercively intervening in another state’s internal and external affairs. But there are two approaches to its application in cyberspace. The first view is that the non-intervention principle prohibits cyber operations that are “specifically designed to compel the victim State to change its behavior with respect to a matter within its domaine réservé.” This view is supported by states including the Netherlands and Germany. Under this approach, a prohibited intervention can be found if and only if (1) the acting state has the intent to influence the victim state’s behaviors or policies within its domaine réservé and (2) the acting state resorts to a coercive method. In contrast, the second approach argues that what’s important is not the victim state’s free will in deciding its affairs but its “ability to control or govern” such matters. Surprisingly, this view is not only supported by authoritarian states but also by liberal states like Australia and New Zealand as well as a minority of experts in Tallinn Manual 2.0.

It is not hard to understand the attractiveness of the second approach to many scholars, as this view is more compatible with the spectrum model of internationally wrongful acts. The spectrum model implies a pure effect-based logic, as it distinguishes different internationally wrongful acts only by the effects caused. The first approach’s inquiry into the victim state’s free will in deciding matters within its domaine réservé, however, requires more than such a logic. On one hand, such inquiries can be harder to objectivize compared to the second approach’s “ability to control” test as it depends on many factors that require case-specific inquiry like the victim state’s national power and leadership; but the effect-based logic necessarily requires a clear, objective, and universal standard. On the other hand, the effect-based logic emphasizes the direct impacts of cyber operations. Whereas a state’s “ability to control” matters within its domaine réservé can be directly harmed by another state’s cyber activities, its free will cannot. Instead, in situations short of using armed forces, a state can only influence another state’s policy choices or behaviors indirectly. In deciding whether a particular cyber operation coerced another state to change its policy, it is usually not enough to investigate simply the direct effects caused.

However, whereas the first approach is less compatible with the spectrum model, it better reflects the logic of the non-intervention principle and is more compatible with how such a principle is used to be interpreted by the international community. The principle of non-intervention is not written in the U.N. Charter. However, it is reflected in the 1970 Friendly Relations Declaration, which recognizes that all states have “an inalienable right to choose its political, economic, social and cultural systems” and it is prohibited to “coerce another state in order to obtain from it the subordination of the exercise of its sovereign rights.” It is worth noting that the Friendly Relations Declaration does not support the spectrum model because it does not say that the violation of the non-use of force principle per se constitutes a violation of the non-intervention principle. Instead, a more reasonable reading is that only some kinds of use of force are prohibited intervention – for example, the Declaration asserts that the use of force to “deprive peoples of their national identity” is also regarded as a violation of the principle of non-intervention. Besides the Declaration, the International Court of Justice (ICJ) in the 1986 Nicaragua case held that for an operation to constitute a prohibited intervention, it must satisfy two requirements: (1) it must “be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely” and (2) it must “uses methods of coercion in regard to such choices.” Apparently, the freedom to “choices” instead of “control” is the standard here. Moreover, the majority of experts in the Tallinn Manual 2.0 also accept this reading, and they explain that a prohibited intervention must “have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take).”

Continue reading →

Cybercrime, Cyberespionage, Cybersecurity, Emerging Technology, International Law, Vol. 13 No.1

Shot in the Dark: Can Private Sector “Hackbacks” Work?

December 16, 2022 Leave a comment

In an era when cyberattacks are becoming ever more prevalent, there is a growing demand for private companies to “hackback” to deter and defend against attacks. But federal law precludes them from doing so. Sam Parker addresses the risks and benefits of allowing companies to respond to cyber-threats by going on the offensive and analyzes three legislative hackback proposals.

Because Parker finds that each proposal is either insufficiently effective or bears unacceptable risks, he recommends a hybrid proposal that would allow federal authorities to authorize and strictly supervise companies to engage in defensive cyberattacks. Parker argues this approach enables private companies to be “force multipliers” against cyberthreats while also mitigating the risks of a feared “Wild West” scenario where the private sector can hackback against anyone without restraint.

Shot in the Dark: Can Private Sector “Hackbacks” Work?

Download

Cybersecurity, Emerging Technology, Human Rights in Cyberspace, Online Supplement

A Multiverse of Metaverses

September 16, 2022 Leave a comment

By Sadev Parikh

Eric Ravenscraft’s Wired article shows us the difficulty of defining the “metaverse,” which may be better understood through the lens of Wittgenstein’s idea of family resemblances than through any attempt at clear-cut definition. Metaverse can be seen as a concept made up of family resemblances that include elements of virtual reality, augmented reality, and haptic feedback. While these technical elements may ground the concept, various metaverses could vary along parameters such as the centralization of power, financialization, and degree of anonymity for users. Armed with this framework, we might predict how the metaverse may manifest in the United States.

Considering centralization of power, we see two competing visions: one concentrated around Facebook (i.e., Meta), and the vision of a “Web 3” that might include worlds like Decentraland built around principles of decentralized decision-making and power enabled by blockchain technology.

A Facebook-driven metaverse could become the dominant mode, simply through its incumbent network effects and persistence as a premier destination for advertisers, as well as customer lock-in stemming from adjacent services (such as Messenger, Groups) that are increasingly essential to participating in modern life. The “Future Threats to Digital Democracy” report captures internet harms directly tied to the influence of Facebook and its business model on the internet.

Digitally impaired cognition is driven by social media content algorithms “engineered for virality, sensationalism, provocation and increased attention.” Reality apathy comes from the diffusion of re-shared negative content that is upranked by Facebook’s algorithms. It’s easy to imagine that a Facebook-driven metaverse is therefore likely to replicate the same features given Facebook’s need to monetize.

Only now, Facebook’s paradigm may disintermediate not only our cognitive lives via smartphones but also our physical interactions, from the mundane like work meetings to even intimate moments like hugging enabled by haptic feedback suits. That said, perhaps Libra’s failure and Facebook’s February stock plummet portend a future where Mark Zuckerberg’s dreams no longer translate inevitably to our reality.