Nato’s Cooperative Cyber Security Center of Excellence put cyber conflicts at the centre of its two recent international gatherings, CyCon in Tallinn, Estonia, and the Ethics of Cyber Conflict workshop in Rome, Italy. E&T went along to both.
Professor Michael Schmidt (pictured right) is chairman of the International Law Department at the United States Naval War College in Rhodes Island. We caught up with him at a recent International Conference on Cyber Conflict in Tallinn.
Q Ethics of cyber conflict… a problem of extreme importance and sheer uncertainty. Is there still a lot of work for lawyers, for the issue appears to be a total legalistic blank spot at the moment?
Yes and no. There’s absolutely no question that very little work on cyber warfare had been done until the Tallinn Manual Project was launched a couple of years ago. We discovered that although we had thought we were moving into a new legal area, the existing law worked fairly well in cyberspace too. I don’t mean that it fits perfectly – we found areas where it did not suit cyberspace at all, but on the whole we discovered that the existing law as applied to an armed conflict in general worked well. The acting international humanitarian regulations that govern the use of force during armed conflict were pretty robust and could be applied to cyberspace too.
Q In your impressive presentation, you spoke about the stigma habitually attached to cyber conflict and cyber warfare as utterly inhuman and hellish. You pointed out that, in actual fact, cyber weapons were not necessarily that evil…
On the contrary, on the battlefield cyber weapons can be a very useful tool in avoiding harm to civilians and civilian objects, simply because the alternative may be the use of conventional weapons, which is much worse. If I can bomb an enemy command inside a control facility, I very well might cause harm to civilians and civilian objects, but if I use cyber, I can achieve the same goal without any effect on the civilian population.
I don’t mean to suggest that cyber weapons are a panacea; there are scenarios where they could be very destructive, very harmful to the civilian population – just like any other weapon. The point I’d like to make is that you should never trust a person who says a particular weapon, especially a new weapon, is bad or good. Its “goodness” or “badness” usually depends on who is using the weapon and whether they are complying with international humanitarian law.
Q At the end of the day, it boils down to a judgement…
A It boils down to judgment and to the commitment of the party controlling the weapon – cyber or not – to comply with the requirements of international humanitarian law. It really doesn’t matter if we’re talking about a cyber weapon or a stick; a stick can be used in violation of international law too! The same is true in cyber space: you can use it in accordance with the law by targeting and attacking military objectives, or you can use it in breach of the same humanitarian law by causing damage to civilian infrastructure. What I found throughout my career, having looked at a lot of different systems and currently looking at autonomous weapons, is that it is usually not the weapons system that is the problem, but its use by the actors on the battlefield.
Q In a way it is reflective of the US gun policy – it’s not guns that kill people, it’s people armed with guns…
I know nothing about the gun debate in my own country! I’m from Texas, I don’t own guns, I don’t want to get involved in that. This is a very interesting subject, and I can assure you: if you come to the Schmidt house, you won’t be shot - you’ll be beaten to death with a baseball bat! (laughs)
Q The cyber conflict legislation we are talking about – what stage is it at? In other words, how far are we from a comprehensive legislation on cyber conflict?
There are a number of proposals that have been floated, but I’m very pessimistic about them. The reason is that the theory of cyber conflict isn’t developed yet, and most states don’t know if they want to limit the use of cyber weapons, or to be able to use them freely. So I’m relatively pessimistic about the prospect of new legislation or new treaties on cyber warfare any time soon, but I don’t lament the fact, because I believe that if we simply apply the existing law, this will act as a very constructive restraint on the misuse of the weapons on the battlefield.
To me, the problem isn’t the absence of treaties or the law, but the challenge of making different states commit to abiding to the existing law as applicable to cyber space, of helping them understand exactly how that law applies.
Q So instead of reinventing the bicycle, we should just apply the existing legislation to this relatively new area?
This is a perfect metaphor, I think we need to fine-tune the existing bicycle rather than invent a new one. I must confess there are areas I’m a little nervous about, but by and large, I think that we just need to teach states to ride a new kind of bicycle...
Q To sum up this Conference – what was achieved here?
I’m a Senior Fellow at the Cooperative for Cyber Defence, I’ve been working with this Centre for three years and I think this is a very important conference. Few gatherings bring together people from the field of ethics, law, policy, strategy and technology, and for me this is one of the major issues in the field.
As a lawyer I generally talk to other lawyers, the policy people talk to policy people and technicians talk to technicians. However, what I could see very clearly at this particular conference was that, although we’re bringing people from different fields together – and that’s extraordinarily valuable, it remains clear that as groups we are talking at each other rather than with each other.
The ethicist explains ethics to the lawyer and the lawyer explains ethics to the lawyer, but we’re not talking together. I think this conference was a success in bringing the groups together and showing they’re not listening to each other!
Q And how about the venue – Estonia?
I’m very impressed with this small country, with the way they use technology and the way they dealt with and recovered from the cyber attacks of 2007.