Cyber Security in the Age of Privacy

By: Urmil Shah


INTRODUCTION

The internet has developed so rapidly since the 1990’s that we have now entered an age where we require laws to regulate and govern it. Essentially, the internet relies upon voluntary adherence and theoretically is a network of people passing along packets of information so that when the time comes you pass along packets for them. Tim Berners Lee, the inventor of World Wide Web, conceived it with the idea that the internet was meant to be decentralised and an absence of choke point should make it impossible for one person to control. However, this utopian internet now seems to be threatened by governments and business corporations worldwide who are seeking regulation, control, and accountability to make profits.

The central idea behind the conception of the internet was to enable and increase the exchange of information and this fundamental exchange has since the commencement increased human interactions and its openness is coming under threat by businesses. This ‘generative technology’ has since 2006-07 started experiencing security issues due to several leaks, hacks, and attacks. As a result of the security issues, surveillance has become a key area for research in this field and the privacy of individuals has come under scrutiny. It is not an unearth fact that privacy is an inherent human right and therefore any threat to privacy be it physical or digital results in activism. The need for governance right from sexual orientation to privacy is resulting in the creation of cyberwar between the citizens on one front and governments and businesses on the other.

While surfing on the internet we do not realise the amount of information and identity we give up to third-parties and then blame the government to protect our privacy trying to hide our own mistake. If used in the right manner, this information generated from our daily activities can reveal a great deal about who we are and what we want to achieve. It is essentially upon us as to how we use this tool to prosper our development. But on the corollary, this doesn’t mean there is no obligation on the State to protect our fundamental right. A generalised view as to how the internet is used as a means to initiate conflict can help us understand the significance of privacy and the need for regulation and governance of the ‘openness’ of this tool which is increasingly becoming a tool of mass destruction.

THE RISE OF HACKTIVISM

A portmanteau of ‘hacking’ and ‘activism’ could be the way forward to bring about a social change in this era of the political internet. It is not a surprise that governments along with businesses keep a check on our routine activities in the name of surveillance leaving less room for personal autonomy and privacy. Transparency is something which is not provided to us by the State when it comes to matters of surveillance and as result, the growth of digital activism has led to the birth of Hacktivism.

Several crucial information and data are kept classified to the people under the name of war secrets or trade secrets. This confidentiality of information, therefore, gives rise to societal corruption. It is because of this undisclosed information that hacking and leaks have been increased to bring about transparency. WikiLeaks was one such form of Hacktivism which challenged the Government and traditional media models providing large scale dissemination of leaks. The motive behind this creation of the internet was to promote transparency and as an international grassroots movement to fight data war under the name of internet freedom.

The Snowden revelations and attacks of Anonymous on the Church of Scientology are methods of individual data protection and are an important step in realising that we as citizens do have right to know about how, where, when and by whom our data is being collected and for what purpose it is being utilised by the State. This concept of power is converting the open internet into a totalitarian platform to promote network conspiracy. At the core of this cypherpunk philosophy lies the central debate of politics that in the age of the internet the State would undermine individual freedom and privacy through its ability of e-surveillance or autonomous individuals or hacktivist groups would destroy the State by the deployment of electronic weapons. As a result of this activism, there has been a rapid change in the whistleblowing and media laws but has not reduced the matters of cyber espionage. The Internet is increasingly becoming a threat to civilisation as our greatest tool of emancipation is transforming into the most dangerous facilitator of totalitarianism. This form of digital activism is the only possible method of achieving transparency and replaces bad governance with transparency which is the need of the hour.

THE CYBER BATTLE

The definition of warfare and hostilities have changed in this digital era with cyber weapons coming to the fore and constantly being utilised as weapons of mass destruction to inflict terror among the people. Cybercrime is another form of illegal internet moderated activities that take place along the transnational global networks. Most of the countries around the world do not have adequate laws to deal with such international web-related crimes and they often challenge the existing international laws and its enforcement in this area which are yet developing to cope up with such new modes of warfare increasingly being adopted by criminals (mostly non-state actors).

These cyber crimes vary from minor financial fraud and phishing scams to the major and highly technical cyber terrorism and cyber warfare which has large scale impacts. Such highly technical transnational crimes are conducted very sophisticatedly which has severe consequences ranging from physical casualties to virtual attacks. These modern terrorists and criminals are increasingly moving towards cellular networks to counter state intelligence and have challenged the traditional surveillance mechanisms severely.

The governments have started realising the colossal threat this form of warfare has on its citizens and therefore there is a strict need for international cooperation to counter such alarming intimidation. Several organisations have appealed for global standards of legislation and law enforcement to counter these threats but there are very institutional statues that deal with such crimes. The Budapest Convention or more popularly known as Convention on Cybercrime was adopted in 2001 signed by 46 European member states aims at providing the grounds of an efficient legal system to fight transnational cybercrime by enabling international cooperation.

Charles Dodd, a former US consultant calls such kind of terrorism as guerilla warfare and urges that intelligence sharing is a key component to fight this modern method of warfare. Some guidance with this regards can be taken from the United States National Counterterrorism Center (hereinafter ‘NCTC’) who after the 9/11 attacks exchanges valuable intelligence information among its other US agencies to prevent further attacks and have been useful since then. Although the real threat with this regards comes from non-state actors like terrorist organisations and not from States but it is equally important to understand that this cyber battle is not only between States and non-state actors but also between the Government and its citizens as protecting individual privacy with regards to data and identity is a key duty of every State during times of such warfare.

CYBERSECURITY IN TIMES OF ARMED CONFLICTS

It is not an unknown fact that Governments have placed the task of mass surveillance ahead of cyber security as they feel the need for regulation is more important than arming the cyber networks of the country. It is important to realise that protecting cyber boundaries is equally as important as protecting the actual ecological boundaries of the country. Overriding a cyber-boundary of a State has adverse consequences not only on the military population but also on the civilian mass. Hiring non-state agencies is not a permanent solution to this problem as they can’t guarantee the extent of security that governments and State can. It is in this context that mass surveillance becomes a security theatre when the actual threat comes from outside and not the inside. It is also in this regards that surveillance becomes a political task and agencies like DRDO Netra and National Cyber Coordination Centre (hereinafter ‘NCCC’) become a mockery of the security mechanism when the threat comes from the borders. The real question is not about the right to international privacy of an individual provided for in Article 17 of International Covenant on Civil and Political Rights[1] (hereinafter ‘ICCPR’) but for the protection of mass population at the hands of non-state entities and corporations willing to collect the data to upsurge mass warfare.

An effective interpretation of Article 17 of ICCPR can help obtain a balance between privacy and national security. Thus the conduct of actual wars become important and also the effectiveness of the law of wars or jus in bello specifically because of the justness and legitimacy of wars. However, this instrument of international law falls short when countered with the emerging method of warfare i.e. cyber battle. The international humanitarian law (hereinafter ‘IHL’) was drafted taking into account the conventional kinetic warfare and not the cyber warfare that we encounter. It is an accepted fact that there is only one cyberspace which is shared by military and civilian users, and everything is interconnected and it is impossible to restrict the consequences of a cyber-attack against one part of the system without damaging other parts of the system.’ It is this inter-connectivity that poses the major threat to the civilian population when a cyber-attack takes place disrupting the entire communication system of that particular area and violating the most fundamental principle of proportionality in IHL. Therefore, it is absolutely essential to understand what constitutes a just method of warfare. St. Thomas Aquinas, the celebrated Italian philosopher once indicated that a fair method of war is to guarantee maximum civilian population in the interest of social justice.

It is in this context important to reconcile that the IHL does not regulate any cyber operations that fall outside the purview of jus ad bellum. The IHL has well-systematised legislation to protect people (mostly civilian) from the consequences of cyber warfare and therefore business corporations are as much concerned by cyber espionage, cybercrimes, and other malicious activities as they are by cyber-attacks that would fall within the IHL. As there is only one cyberspace shared by military and civilian populations together and this interconnectivity becomes a detriment to launch defensive cyber-attacks in response to counter offensive cyber-attacks launched by non-state actors. Although new units to ensure cyber security are created by the government at all levels on a regular basis but the efficiency of these units is challenged as cyber operations are intended to have an effect in the real world and tampering with a country’s air traffic controls, banking systems, hospital systems, railroads, oil pipeline flow systems, or nuclear plants become easy. Thus the potential humanitarian cost on the civilian mass becomes enormous.

Over the past few years, it has become known that ‘war is not only fought with bombs and rifles but also with bytes and bits. With the increased consumption of the internet in our society and its increasing necessity in our routine lives, it is only a matter of time that some entity would utilise cyberspace to their advantage in combat and anyone who doesn’t have a cyber-warfare strategy will fall lack behind in military struggle.’[2] The claims of various States in this regards varies as the public at large knows little of the military planning and policies of the States for countering cyber warfare from non-state enemies. There have been several discussions about the need for a new treaty on cybersecurity by various countries yet the US and the other Western States have advocated that none is needed. The stance of China is, however, a different one suggesting that it is too premature to take such huge steps as ‘the existing laws of armed conflict as well as the principles IHL regarding war and the use or threat of force still apply to the universal cyberspace – in particular the “no use of force” and “peaceful settlement of international disputes” imperatives as well as the principles of “distinction and proportionality” in application to jus in bello’ and therefore constantly oppose the militarisation of the internet.

Because of such conflicting stance taken by countries, the role of The International Committee of the Red Cross (ICRC) becomes a guiding a factor as it acts as a guardian to the IHL. The main aim of this impartial, neutral, and independent humanitarian organisation is to protect the lives and dignity of victims of war or in layman terms civilians. The ICRC also identifies ways of limiting the humanitarian cost incurred by cyber operations used particularly at times of armed conflict. As already seen that a cyber-attack can have serious repercussions on commercial computer infrastructure relying on global positioning system (GPS) satellites making it largely impossible to differentiate between purely civilian and purely military infrastructure, it thus violates the cardinal principle of distinction in IHL. The state signatories to the ICRC rely upon the Geneva Conventions of 1949 and their Additional Protocols of 1977 as the founding legal grounds to protect the victims of war. The first Geneva Convention relates to the protection of the wounded and the sick in the field, second to the wounded and the sick at sea, third to prisoners of war (hereinafter ‘POW’) and the fourth to civilians but there is however no provision in IHL or customary international law that explicitly prohibits cyber warfare carried out during war times. Thus the role of academic soft law in this becomes important as no such hard law lies.

TALLINN MANUAL AND THE NEED FOR REGULATION

It is not the laws which act as primary guarantor of our privacy but the high cost of surveillance incurred by the State and thus it is high time we realise that we don’t need regulation of our private sphere but to protect our cyber boundaries from non-state actors who are willing to compromise the sovereignty of our State. Cyberwarfare in its most fundamental sense is an electronic mode of conflict in which information is counted as a strategic asset worthy of conquest or destruction and manages the use of this information in all its forms and all levels to achieve a decisive military advantage, where other communication and information systems (civilian) become attractive first-strike targets, having capability of stealing sensitive, classified information and flooding the networks of host computer with malwares, denial of service attacks (DoS), corruption and cyber espionage. A Cyber-attack has capability of paralysing the critical infrastructure of a country and damage could range from simple shutdown to complex paralysis of significant portion of infrastructure of entire country like meltdown of nuclear reactors, disabling power plants, causing warplanes to crash, cut off military command to control and malfunction civilian and military networks by controlling and choking the cyberspace from one end of the spectrum.[3]

In the virtual cyberspace, it is not easy to identify criminal activities and require specific skills coupled with state-of-art technology and an up-to-date law to deal with such cases and as already discussed that we lack on any international hard law to deal with in this area of law, therefore the academic works like Tallinn Manual become important. Tallinn Manual on the International Law Applicable to Cyber warfare is an academic, non-binding soft law instrument in international law which applies to cyber warfare in the context of IHL. The manual was drafted by a number of legal experts in the field at the request of NATO Cooperative Cyber Defense Centre of Excellence (hereinafter ‘CCDCOE’) and was one of its sole attempts to analyse this area of law comprehensively and authoritatively to bring a certain degree of clarity in this complex field.[4]

Means and methods of warfare have evolved over time and are clearly not the same as the ones available when the Geneva Conventions were drafted in 1949, which acts as a cornerstone for IHL and therefore such manuals ensure that use of cyber operations in cyberspace during armed conflict be in accordance with the international obligations of the State. There is a lot of debate and discussions currently with reads to how IHL should be interpreted and apply to State and non-State activities occurring in cyberspace and precisely this is what the experts say in the Tallinn Manual. The Manual defines ‘cyber operations’ as the ‘usage of cyber capabilities with the objective of achieving goals in or by use of cyberspace.’ There is some sort of conundrum with regards to the fundamental definition of cyber operations as it merely talks about objectives and not specific objectives. As a non-state actor, the objective of a terrorist organisation could be of espionage as international law does not address espionage or cyber espionage per se, and thus generalises all objectives.

Further taking a look at international law, Article 2.4 of the UN Charter which provides for the principle of non-intervention and Article 51 of the Charter talks about self-defence in case of armed conflict. However, there is no clause for counter-measures in the Charter and reference has to be taken from the text of Responsibility of States for Internationally Wrongful Acts, 2001 where Article 22 provides for countermeasures. There are several modes of countermeasures suggested ranging from retorsion, to piercing the veil of sovereignty of the State to plea of necessity (where one can hack the data of the other state, more popularly known as hack-back) which means that your act isn’t internationally wrongful even if it affects the interest of other State. But to take advantage of the countermeasures, a State must prove that the act committed by the other State or the non-state entity was internationally wrongful in nature. However, the same cannot be solved as for it to be recognised there has to be a state practice and this new method of warfare thus gets away with international wrongs even by States as it does not amount to breach under Article 2(4) of the UN Charter. It is here that the Tallinn Manual falls short and acts merely as guidance and therefore it is in this interest that Schmitt Analysis is necessary to understand where Michael Schmitt, the key drafter of Tallinn Manual talks about the uncertainty of a State’s involvement in a cyber-attack constitutes a use of force.[5] The nature of a cyber-attack can determine which legal mechanism should regulate state conduct, and the Schmitt analysis is one popular way of analysing that nature, but more comprehensively the Tallinn Manual 2.0 solves all these problems to some extent as it looks at sovereignty, jurisdiction, state responsibility, law of sea, air, space, human, diplomatic and consular law, international telecommunications law and most importantly prohibition of intervention and countermeasures. Tallinn 2.0 expanded the scope of its predecessor ‘from disruptive and destructive cyber operations that qualify as ‘armed attacks’ to cyber operations as opposed to cyber conflict.

As it is states and only states that develop the international law, the validity of such non-binding law also depends upon them and their enthusiasm to take interest in protecting the cyber boundaries which distinguish civilian from a military population and shifting the regulation from the mass surveillance model towards the legislation of laws related to cyber warfare.

PROTECTION OF VIRTUAL SOVEREIGNTY 

There have been several cyber-attacks (be it offensive or defensive) that have taken place since the evolution of new methods of warfare but not all are treated with enough seriousness because the Governments are more often than not concerned with physical damage to the country. We must understand that protecting the virtual sovereignty of a State is equally important as protecting physical boundaries. The IHL principles must be used in a manner that analyses the legality of various means and methods of warfare. But in recent times, this has not been the case as these methods are used in a manner inconsistent with the legislative framework.

Some of the most famous and destructive cyber-attacks include 2007 Estonia Attacks where a series of cyber-attacks swamped websites of bureaucratic websites of Estonia including the Parliament, banks and ministries of Estonian Government and resulted in distributed denial-of-services. Another form of attack occurred in Singapore where a series of computer hacks were made by the hacktivist group Anonymous in the year 2013 to counter web censorship regulations in the country. The StuxNet worm attack in 2010 and the Sony Hack case in 2015 was of grave importance as large quantities of confidential data was stolen, employee information was leaked and private e-mails were made public causing chaos all around.

Of all these cyber-attacks, the attacks during the time of Russo-Georgian War are of utmost significance as they were a real example of cyber-attacks causing grave damage to the critical infrastructure of a country and devastating humanitarian effect on the civilians. Up to this point in time, cyber warfare was restricted to single cyber-attacks by one party or between hackers and non-state actors without serious measures taken. But this conflict between these countries was unprecedented because of the offensive mode of attacks conducted regularly as a part of gaining the tactical military edge. This altercation between Russia and Georgia was more unusual than the ones previous to this. There was an extensive makeup of cyber-attacks against military and civilian infrastructure and the bulk of this altercation targeted to disrupt communications and information flow within Georgia.

The humanitarian impact of this attack was such that about 24,032 persons were displaced from Georgia and had to live as refugees in Russia followed by looting, bombings, arson attacks, rape and abductions and as per the ICRC report there were 1200 casualties. The abuse of the civilian population was the major outcome of this deadly cyber-attack launched by Russia. This new method of warfare has become a norm for Russia’s political interaction like in Kyrgyzstan (2009) and Lithuania (2008) and such campaigns are cost effective having a more international impact than by military itself. Taking a cue from these destructive attacks, it is time we understand the need to regulate and govern the virtual boundaries than just physical space.

CONCLUSION

In recent times, activities related to cyberspace have increased drastically and is utilised more and more for offensive purposes and as it comes there has been very less initiative by States regarding regulation in this area and is left mostly to academic and government experts to further develop a practice type guidance taking into consideration the existing principles. Such cyber warfare systems are currently being developed and used by at least 120 countries because several attacks have taken place in the US, UK, Kyrgyzstan, Estonia and India.[6] As there is a very rare consensus among leading countries with regards to gaps in the law, the application of soft law is becoming an ever growing and urgent need.

Academicians and legal scholars who develop guides like the Tallinn Manual act as a reference for orientation but it is only through the evolution of state practices that this area of law will develop. International law in this sense must be responsive and dynamic to changing needs and demands. We must acknowledge that cyber-attacks can’t be stopped completely but with effective technological developments the damage can only be minimised and it is in this context that respect towards laws like IHL is going to be the key moving ahead. Also, under Article 1 of the Geneva Conventions, states undertake to “respect and ensure respect” of laws as we know that there are a number of challenges to IHL that requires attention but States and all parties to an armed conflict constitute an obligation to respect and ensure respect for IHL in all hostile circumstances. ‘This respect must be two-fold that States must do their utmost to ensure that IHL is respected by their citizens and take all possible steps to ensure that IHL is respected by other States as well arising out in context of armed conflicts because we must reconcile that wars have rules and limits and should as much apply to cyber warfare as well.’ Every time such cyber-attacks occur whether, in international armed conflicts or non-international armed conflicts, they test the international community because the next world war will happen in cyberspace.

There has been a lot of debate with regards to cybersecurity towards a State but in context of an individual, it is equally essential to understand that law surveillance in name of law enforcement leads to nothing but a lack of privacy for its citizens. It is not a surprising fact that there are grey patches in all areas of law but to regain the lost public trust in the State and ensure a transparent future for the posterity, maintain individual privacy is necessary as privacy isn’t about power, context autonomy or secrecy but about who we are and what we want to be. Just as human rights, the digital rights of a citizen of a State are equally important in this age of abuse of data protection. It is rightly said that ‘security is both a reality and feeling’ and justifies what Bruce Scheneir, the American cryptographer has to say that ‘we don’t need technology to perfectly enforce and regulate all laws so that we don’t have room to explore.’

[1] International Covenant on Civil and Political Rights (ICCPR) art 17.

[2] Willaim Lynn III, ‘Defending a New Domain: The Pentagon’s Cyberstrategy’ (2010) Sept-Oct Foreign Affairs 97–108.

[3] Roscini Marco, ‘World Wide Warfare, – jus ad bellum and use of cyber force’(2010)14 Max Plack Yearbook of United Nations Law 87-88

[4]  Michael Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013).

[5] Michael Schmitt, ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’ (1999) 37 Columbia Journal of Transnational Law 1998-99.

[6] ‘The New Warrior: The Cyber Warfare poses a big challenger to India’ (2011) 1 (9) Geopolitics 38-44.


(Urmil is currently a student at School of Law, Auro University.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s