Faculty of Law

20.07.2022

AI Meets Law – Cyber Operations and International Law

How is the "Morris Worm" connected to the war in Ukraine? Which challenges does the application of international law face in cyberspace? These and other questions were answered by François Delerue in his interactive talk.

On Tuesday, the 12th of July, Prof. Michèle Finck and Prof. Stefan Thomas welcomed their guest François Delerue at the Audimax of Tübingen University as one of the leading experts on the intersection between cyber security and international law.
François is currently working as a Senior Researcher in Cyber Security Governance at the Institute of Security and Global Affairs at Leiden University. He is also a Team Leader on International Law for the EU Cyber Diplomacy Initiative (EU Cyber Direct). In his speech, François presented his latest research, which has just been published as a book on “Cyber Operations and International Law”.

He started by giving a summary of the most important state-sponsored cyber operations, each of them raising new legal issues and questions that evolved with the types of operations.
The history of cyber operations began with the creation of the Morris Worm in 1988, the first malware. In 2007, Estonian governmental sites were attacked by pre-infected computer systems from about 160 countries at the same time, sending a huge number of requests and therefore causing a denial of service. The operation sent a “wake-up call” to the international community, reinforced discussions within NATO and ultimately led to the creation of the Center of Excellence on Cyber Defence in Tallinn.
In 2009, the US-created malicious software Stuxnet was meant to penetrate computer systems to harm atomic power plants in Iran. For the first time, a cyber operation created real physical damage. Cyber operations were also supposed to influence US and French elections in 2016 and 2017. Ransomware such as WannaCry, NotPetya and Bad Rabbit, based on leaked US software, claimed victims all over the world.
Although the SolarWinds hack in 2020 was basically a low-intensity attack, a large number of US agencies including the US government was hacked through the SolarWinds supply chain. Since the beginning of the war in Ukraine in 2022, cyber operations, as complex acts, have been part of the war, producing effects in cyberspace and the real world.

François placed these operations in a legal perspective and identified emerging problems in terms of responsibility, territoriality of law, and the qualification of individuals escaping traditional perceptions of belligerents.

To him, the question of applicability of international law did not really exist since cyberspace was not a new domain, but a new technology developed in an existing domain of networks. Therefore, he focused on how international law could be applied to these “non-traditional” cyber operations and which issues the application faces.
Since the UN Charter entered into force, international law has been characterized by vague forms and flexible interpretation options. Terms such as “use of force” had to be interpreted and still have not found a settled definition in this respect.
Two Tallinn Manuals, released in 2013 and 2017, were meant to help answer the question of how concepts of international law could be applied to cyber operations. Whereas the first Tallinn Manual only concentrated on cyber warfare, the use of force and self-defence, the second one was supposed to close a gap that had not been considered before: low-intensity interventions and possible reactions of the attacked state.
François also pointed to a quite surprising developing practice in the domain of international law regarding cyber operations. The application of concepts such as sovereignty, non-intervention, self-defence and human rights was discussed.

Subsequently, François presented four steps of international law’s application and consequences: attribution to a state as an act of state, unlawfulness of the operation, responsibility and accountability.
According to our speaker, the international community had not reached consensus on whether territorial integrity could be violated in cyberspace. It was possibly out of fear that the qualification as violation could be used against it that the United Kingdom – the nation conducting the most cyber operations worldwide – denied the possibility of sovereignty violation in cyberspace. France would qualify every breach of international law as a violation of sovereignty whereas others preferred a de minimis approach.
In terms of accountability, given that legal judgements in international law strongly depended on the voluntariness of states, unilateral proportionate countermeasures should be taken into account as appropriate reactions, François concluded. In general, he regretted the absence of international law within the evaluation of cyber operations and illustrated the situation by the example of the Georgia case. Several countries had condemned a Russian large-scale cyber-attack on Georgian websites. However, only half of the condemning nations had made a loose reference to international law. According to François, this lack of reference was possibly explainable by the intention of countries to avoid the evolution of international law due to the concern that their own actions could be regulated. International law would be prepared to handle the situation, if it was used, according to our speaker.

After the presentation, the audience had a lively discussion with François, which allowed them to delve deeply into the complexities of the international legal order being applied in the cyber realm.

Report: Alina Rehmann
