Advantage one is Ambiguity —

Hill ’21 — Steven Hill (Ex Chief Legal Counsel, NATO; Member, Executive Council of the American Society of International Law; Associate Senior Policy Fellow, Institute of Security and Global Affairs, Leiden University); “NATO and the international law of cyber defence;” Research Handbook on International Law and Cyberspace, Chapter 24; 2021; Edward Elgar Publishing, Accessed via KU Libraries
What role has international law played in the evolution of NATO’s cyber defence policy? And what influence might NATO’s cyber policy decisions have on the international law applicable to cyberspace?
(a) Applicability of International Law to Cyberspace
Perhaps the most straightforward way in which international law has played a role in NATO’s cyber policy evolution has been in the Alliance’s constant affirmations of the applicability of international law in cyberspace. As explained above, at the NATO Summit in Wales in 2014, Allies recognised that international law, including international humanitarian law and the UN Charter, applies in cyberspace. More recently, at the Brussels Summit in July 2018, allies re-affirmed their commitment to act in accordance with international law, including the UN Charter, international humanitarian law, and human rights law, as applicable.
These statements were part of a broader movement of cyber diplomacy conducted by States, international organisations, and non-governmental organisations. That effort had some notable successes at the international level, including the 2013 and 2015 reports of the UN Group of Governmental Experts.56 However, this consensus proved to be tenuous. Currently some States, among them China and Russia, are pushing back on the very notion of the applicability of international law principles, including the applicability of international humanitarian law, in cyberspace.57 Many NATO Allies are attempting to counter these attempts to dismantle previous consensus. Their techniques include detailed legal statements of a series of how international law applies in cyberspace.58 However, while the number of States making such statements is slowly growing, it still remains a small number that of course does not include all NATO allies. In this context, language like that adopted at NATO can be useful as evidence of where all NATO allies and likeminded States currently stand.59 These and similar statements in other international organizations may help with ongoing cyber diplomacy.
(b) Article 5 and Armed Attack
International law considerations have also factored into NATO’s cyber policy in relation to Article 5 of the North Atlantic Treaty. As mentioned above, the 2014 Wales Summit contained the basic policy decision regarding the interplay between cyber attacks and the international law concept of armed attack: ‘We affirm therefore that cyber defence is part of NATO’s core task of collective defence. A decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis’. Article 5 is the self-defence provision at the core of the North Atlantic Treaty.60 It refers back to Article 51 of the UN Charter, which itself reflects the ‘inherent’ right of self-defence under customary international law. In NATO’s practice to date, Article 5 has been treated as coterminous with the customary right reflected in Article 51.61 All of these formulations revolve around the notion of armed attack.
From an international law perspective, NATO’s policy illustrates at a minimum that a cyber attack could constitute an armed attack giving rise to the right of individual or collective self-defence under international law. It clearly does not say that all cyber attacks would rise to this level. Nor does it provide any further guidance on important international law questions, such as the threshold for an armed attack. For example, the policy does not refer to the well-known analysis that an armed attack must attain a certain level of scale and effect. That analysis features prominently in a range of judicial decisions62 and in scholarly commentary.63 Nor does it seek to address some of the debated questions. These include whether an attack ‘having severe albeit neither injurious nor physically destructive effects could ever constitute an armed attack and, if so, under what circumstances’.64
From a policy perspective, the primary reason for this lack of detail about what would constitute an armed attack is straightforward. It is seen as strengthening the deterrence value of NATO’s posture. The NATO Secretary General has said: ‘I am often asked, “under what circumstances would NATO trigger Article 5 in the case of a cyber-attack?” My answer is: we will see. The level of cyber-attack that would provoke a response must remain purposefully vague’.65 In any event, as the policy makes clear, the decision to invoke Article 5 would be taken on a case-by-case basis. This decision would be taken by the North Atlantic Council on the basis of consensus of all Allies. Whether or not an armed attack has occurred is a question of fact and law. NATO does not prejudge the threshold for an Article 5 decision. This would be a political decision in which a wide range of factors, including but not limited to legal advice, would be considered by the North Atlantic Council.
If Article 5 were invoked in response to a cyber attack, the Alliance’s collective response would also be decided on a case-by-case basis by the North Atlantic Council. The legal obligation on Allies under Article 5 is set forth in the North Atlantic Treaty:
each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.66
This is an obligation of assistance to the State or States that are the victim of the armed attack. The Treaty does not specify what actions the attacked State’s Allies are under an obligation to take. Rather, it requires each Ally to take ‘such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area’. The text specifies that these are actions for each ally to take both on its own and together with (‘in concert with’) other Allies.
It is impossible to predict what might happen if NATO Allies were to decide that a future cyber attack crosses the armed attack threshold in Article 5. The exact collective response would be decided on a case-by-case basis by the North Atlantic Council. This could include the use of force in exercise of the right of individual or collective self-defence. Such a use of force would not necessarily be limited to the cyber domain and could include action in other domains. As Secretary General Stoltenberg put it, NATO’s response under Article 5 ‘could include diplomatic and economic sanctions, cyber-responses, or even conventional forces, depending on the nature and consequences of the attack’.67 Finally, given the text of Article 5, it is possible that in addition to the collective response agreed by consensus, individual States would take action that they deem appropriate.
(c) ‘Below the Threshold’ Incidents
Since the vast majority of cyber incidents occurs below the armed attack threshold, international lawyers have had to think about the peacetime legal framework for responses to such malicious cyber activity. NATO’s recent work has included ‘a NATO guide that sets out a number of tools to further strengthen NATO’s ability to respond to significant malicious cyber activities’.68 However, this document is not publicly available, so it is difficult to assess what its contents may indicate on some of the key questions that arise in responding to internationally wrongful acts against the Alliance or individual Allies.
In response to future incidents, Allies may wish to use NATO as a forum to coordinate multilateral responses to such responses, or as a means of requesting assistance with their own responses. In the case of a serious incident, one option would be to request consultations under Article 4 of the North Atlantic Treaty. Article 4 provides that ‘[t]he Parties will consult together whenever, in the opinion of any of them, the territorial integrity, political independence or security of any of the Parties is threatened’. Article 4 has only explicitly been called upon in a handful of situations during NATO’s history, none of which has been focused on cyber.69 It is certainly possible that future malicious cyber activity could constitute the kind of threat to territorial integrity, political independence or security envisioned by Article 4. However, it is not necessary to use Article 4 in order for NATO to take action to deal with any given incident.
Close attention to NATO’s future responses to ‘below the threshold’ cyber incidents may yield some insight on a range of international law questions. For example, given NATO’s collective defence mandate, one question is whether States will be willing to consider NATO as a means to conduct collective countermeasures. At the time of writing, some Allies appear to have different views on whether collective countermeasures are a legally available option under international law.70
Finally, some NATO allies have developed a practice of using public identification of the perpetrators of malicious cyber activity as a means of countering that activity. This practice is referred to as attribution. As the Brussels Summit declaration put it in 2018, ‘[i]ndividual Allies may consider, when appropriate, attributing malicious cyber activity and responding in a coordinated manner, recognising attribution is a sovereign national prerogative’.71 There is an increased trend of States making attributions, either unilaterally or in concert with others.72
(d) Providing a Forum for Expressing Legal Views
As an international organisation, NATO does not create international law or other norms that regulate State behaviour. While NATO’s cyber practice to date may help shed light on some questions of international law (or at least help stimulate thinking on these questions), there would be little appetite among Allies and in the broader international community for NATO to take a lead role in driving such debates forward.73 Put another way, NATO does not see itself as a norm-creating institution. At the same time, as a well-established multinational intergovernmental organisation with a considerable amount of practical experience on cyber defence issues, NATO can often provide a good vantage point not just for emerging State practice, but for encouraging it to be expressed.
More and more States have been making public statements of their views of how international law applies in cyber space. This process should be encouraged. One of the advantages of NATO is that it provides a forum for daily multilateral discussions and exchanges of views on cyber defence. NATO is also a way for Allies that have not yet taken a view on a subject can express support or alignment with positions of other Allies. Regular meetings at the ministerial and even Head of State and Government level provide an opportunity for Allies to make clear public statements. In addition, NATO has the convening power to host regular high-level interaction between government cyber policy experts, lawyers, academics and industry representatives. Sometimes sponsored and led by individual Allies, these are initiatives that can take a holistic approach by bridging the legal, political, and military domains. Finally, NATO also conducts regular multilateral cyber exercises, often with a legal component or designed so as to raise legal questions. Properly designed, multilateral cyber defence exercises that engage the highest level of government decision makers could help clarify State practice. Leveraging all of these advantages may help generate more clarity on the international legal framework.
NATO’s cyber policy evolution over more than two decades has been a prime example of how the Alliance has adapted to new threats. What challenges can NATO expect in future cyber policy? And how can NATO’s traditional approach to legal issues pertaining to cyberspace help the alliance address these challenges? In the future, the trajectory for NATO’s cyber defence policy work will continue to be shaped by the threat environment as it evolves and will likely follow the direction indicated by existing work as the alliance seeks to further strengthen the cyber defences of the alliance itself and those of individual allies, deter cyber activities directed against NATO and its allies, and respond to future incidents.
The future cyber threat environment will be equally if not more intense than NATO sees today. For example, cyber defence will need to become increasingly powered by artificial intelligence in order to respond to AI-powered attacks.74 Especially as technology evolves, the cyber domain of operations will become more central to – and more integrated with – other domains. For example, in December 2019, NATO Heads of State and Government declared outer space as NATO’s newest domain of operations.75 There is a strong link between outer space and cyber.76 If the intensity of attacks and their potential impact on all domains continues to increase, one future outcome would be for Allies to be interested in stronger responses to them. Whether Allies prefer to do this individually or on a bilateral or ‘small group’ basis, or whether they will seek out stronger collective tools for the alliance is an open question.
Given Allies’ commitment to the rule of law, compliance with international law will continue to be a cornerstone of NATO’s cyber policies in the future. The challenge will be how to ensure that other actors in the international system, both State and non-State, comply as well and whether the broad cooperation among like-minded States that has been developing in numerous venues can be sustained in the long term.77 Pressure for more collective action against cyber attacks and malicious cyber activities may well raise the stakes on some of the open legal questions that have been on NATO’s agenda. One recommendation would be for allies to continue their ongoing legal dialogue on questions such as the armed attack threshold for Article 5, the types of response measures available for malicious cyber activity below the armed attack threshold, whether techniques like countermeasures are available not just for use by an individual victim State but also for collective use, and others. Technological developments may also lead to more calls for legal dialogue. For example, since applications of artificial intelligence and machine learning for use in cyber defence have already made their way onto NATO’s agenda, there will likely be demand for multilateral ways of responding to them. Another recommendation would be for more dialogue on the legal framework for the use of such technologies.78 Legal dialogue on these forward-looking issues might help bring allies closer together, not only in the legal area but in broader cyber policy terms.
