Application of principles of international law to computer networks operations management

Application of principles of international law to computer network operations management

Adriana Dvoršak

1st international academic conference on intelligence and security Contemporary Intelligence Support Systems. 

1. Security of IP (concern of the IETF).

2. Security of networks (focus on CERT). 3. Security of business.

4. The individual's human rights (privacy)5. National security (state sovereignty, national

interests, cyber warfare).(Doria, 2007)

Providing security to individuals, business, state.

Concepts of cyber security

and law of armed conflict:

1. military necessity,

2. distinction, 3. proportionality,

4. perfidy, 5. neutrality, and6. unnecessary suffering.

Principles of international law

(Kanuck, 2007)

CNO in operation Allied forceCNE - NATO, SerbiaCNA – NATOCND – US (?)

Propaganda - SerbiaMilitary deception - Serbia

Learning points for NATOVulnerabilities National decision making processes

State practice from the region

Offensive doctrine Military foreign policy options are expanded Small states with offensive foreign policy

Can Slovenia advocate cyber offensive? Article 124 of Constitution: In the provision of security the state

proceeds principally from a policy of peace, and an ethic of peace and non-aggression.

Legal conditions for CNARight for self-defensePart of general and information warfareRequest from UNSCCoalitions of the willing supported by UN Resolution

Cyber offensive

CNA CND

TARGET

IW AREAS

TACTICS TACTICS

WEAPONS ATTRIBUTES

CONSEQUENCESREACTIONSperceptions,actions

RECOVERY

DECISIONCONTEXT

CONSIDERATIONS FORIW PLANNING1 Legal,political,social2 Skil levels, technical3 Financial

reev

alua

tion

CNO lifecycle model

Adapted from van Niekerk, 2011

The self-defence rule: Everyone has the right to self-defence.

The cooperation rule: The fact that a CNA has been conducted via information systems located in

a state’s territory creates a duty to cooperate with the victim state.

The access to information rule: The public has a right to be informed about threats to their life, security

and well-being.

The mandate rule: An organisation’s capacity to act (and regulate) derives from its mandate.

The data protection rule: Information relating to an identified or identifiable natural person is

regarded as personal data. (Tikk, 2011)

NATO 10 rules

The territoriality rule: Information infrastructure located within a state’s territory is

subject to that state’s territorial sovereignty.

The responsibility rule: Fact that CNA was launched from inf.system located in a state’s

territory is evidence that the act is attributable to that state.

The duty of care rule: Everyone has the responsibility to implement a reasonable level

of security in their information infrastructure.

The early warning rule: There is an obligation to notify potential victims about known,

upcoming cyber attacks.

The criminality rule: Every nation has the responsibility to include the most common

cyber offences in its substantive criminal law.

NATO 10 rules

Member States required to have:• national network and information security (NIS)

strategy;• NIS cooperation plan;• NIS competent national authority:

– technical expertise, – international liasion, – security breach reporting,– CERT functions.

• Computer Emergency Response Team (CERT).

EU Directive on common level of NIS

Obligatory breach notification to the competent authority, it determines which notification is in the public interest (security intelligence?).

Competent authority requires market operators and public administrations to: – provide information needed to assess the security of their NIS; – undergo a security audit and make the results available to the

competent authority;– issues binding instructions to market operators and public

administrations.(Articles 14 and 15)

EU Directive – competent authority

Difference Proposal for a Directive on network and info security vs Cyber Security Strategy

Cyberdefence policy and capabilities related to Common Security and Defence Policy (CSDP)

Aims: – To concentrate on cyberdefence capability on detection,

response and recovery from sophisticated cyber threats;– synergies between civilian and military approaches.

Cyber Security Strategy and CSDP

High Representative, MS, EDA will assess capability development: doctrine, leadership, organisation, personnel, training, technology,

infrastructure, logistics and interoperability.

Develop EU cyberdefence policy: missions and operations, dynamic risk management, improved

threat analysis, information sharing, training and exercise for militaries in the EU and multinational context.

Promote dialogue and coordination – civilian and military actors in the EU,– international partners, NATO, international organisations.

High Representative activities

National cyber security and cyber defense strategy.

Analysis of external environment Pressure - normative dimension (EU Directive obligations, NATO

minimum requirements);Threats.

Internal environment Changes to legal framework (information society, criminal code,

privacy).Stakeholders (military, police, academia, civil society,

business).Synergies between national cyber incident capabilities, CERT,

and competent authority (EU Directive on network and info security)

Way ahead for Slovenia

Centre vs. PeripheryGlobal North - Global South relations

Balkanization of CNE 1981 UNGA Declaration on Non-intervention: “the right of states

and peoples to have free access to information and to develop fully, without interference, their system of information and mass media, and to use their information media in order to promote their political, social, economic, and cultural interests and aspirations.”

Certain CNE amount to an unlawful intervention, e.g. cyber propaganda activities aimed at fomenting civil upraising in a target state, interference with elections.

Non-intervention

National assesement

Synergies between national needs and international requirementsEU DirectiveNATO requirementsNew institutions

Conclusions

AppendixConstitution of International Telecommunications Union (1992).Doria, A. (2007). What do the Words »Internet Security« Mean? In Kleinwoechter (Ed.), The Power of Ideas: Internet Governance in a Global Multi-Stakeholder Environment. BerlinKanuck, S. (2009). Sovereign Discourse on Cyber Conflict under International Law. Texas Law Review, 88. van Niekerk, B., & Maharaj, M. S. (2011). The Information Warfare Life Cycle Model. SA Journal of Information Management, Vol 13, No1 European Commission. (2013a). Cyber Security Strategy of the European Union: An Open, Safe and Secure Cyberspace. Retrieved from http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security. European Commission. (2013b). Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union. (COM(2013) 48). Retrieved from http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security.Tikk, E. (2011). Ten Rules for Cyber Security. Survival: Global Politics and Strategy, 53(3).