Advisory Legal Panel II: Cyberwarfare

Gregory Jany

Letter from the Dais

Dear Delegates,

Welcome to YMUN Taiwan!

I'm a first-year in Jonathan Edwards College hailing from the busy metropolitan city of Jakarta, Indonesia. Since freshman year of high school, I’ve competed in moot court, parliamentary debate, and Model UN—and I’m excited to bring my fascination for international politics to the Advisory Legal Panel here at YMUNT V. At Yale, I’ve been involved in YMUN and SCSY, as well as writing for Yale’s political magazine, The Politic. In my spare time, I love to explore the beautiful nooks and crannies scattered all throughout campus and enjoy a cup of coffee at a New Haven café. I also love to watch Netflix—House of Cards and Black Mirror are my favorite shows!

In this exciting, unique Advisory Legal Panel committee, we will play both the role of judge and lawmaker—to deliver an advisory ruling on an alleged war crime in Yemen and to draft a new international legal framework for cyber warfare. We will be exploring and applying important principles of International Humanitarian Law, such as the principle of distinction, necessity, proportionality, and humane treatment, all of which you may find in this topic guide. But although those ideas may seem lofty, and legal documents like the Rome Statute and Geneva Conventions may seem grand, it is our job to remember what is human behind all of this. We must keep in mind the children and families impacted by the alleged war crime we are discussing, and the disastrous consequences that might ensue from a cyberwar.

Just a note, please read the supplementary material in this topic guide! Our committee will adopt a different format than normal MUN committees and it would benefit everyone if you all understand how a case is argued in the International Criminal Court.

The Advisory Legal Panel will truly be an exciting and enriching committee. I hope you are as excited for YMUNT V as I am! I cannot wait to meet you all. If you have any questions, please do not hesitate to contact me at gregory.jany@yale.edu.

Sincerely,

Gregory Jany

gregory.jany@yale.edu

Committee History

The International Criminal Court, established in 1998, is the highest judicial body that tries individuals accused of grave crimes concerning international justice, such as war crimes, crimes against humanity, and genocide. With its international mandate (authority given by the international community) and power, it ushers in a new age of human rights protection that provides retribution for perpetrators and deterrence for future atrocities.

While the ICC operates as a traditional judicial body, with lawyers, witnesses, judges, and formal trials, our committee will be an ad-hoc advisory panel under the purview of the United Nations Security Council. It will be composed of law experts from countries around the world. These experts will deliver an advisory verdict on the Yemeni case and establish a legal framework for cyberwarfare. These experts, however, are not wholly independent as they serve as delegations of their home countries, with national interests and biases in mind.

Although in this committee you will not be members of the ICC, you will debate almost as if you are: using legal texts and standards that the ICC actually uses, and coming to conclusions that are intended for UNSC and ICC considerations. These legal standards, found in the Rome Statute and the customary body of international humanitarian law, will provide a framework for our debate and discussion. As such, you will have to scrutinize legal terms and grapple with difficult and polarizing questions, which will require an understanding of the history of the ICC and its powers.

Since the end of World War II, the international community has entertained ideas of creating an international judicial body that would exist to adjudicate the most heinous of crimes. After post-WWII criminal trials were created in Nuremberg and Tokyo, the UN Security Council also established tribunals in Rwanda and the former Yugoslavia, adjudicating the horrific genocide and human rights abuses that occurred in the two countries, respectively. In June 1998, the decades-long effort to create a permanent international court succeeded, and the United Nations adopted the Rome Statute, which lays out the goals and structure of the new International Criminal Court.

However, not all countries have ratified the Rome Statute. Doing so would mean agreeing to abide by warrants issued by the ICC and follow its judgment. This complicates the ICC's even-handed administration of justice. Countries like the United States, which are involved in many conflicts throughout the world, are hence unable to be held accountable as they do not fall under the jurisdiction of the ICC. This is especially troublesome, since the ICC has jurisdiction to open an investigation into a country and/or its leader when a member state of the Rome Statute or the Security Council requests it. Indeed, the ICC has been criticized for seemingly focusing its investigatory powers on African leaders, while other human rights allegations are directed against the US and other European countries. The ICC has also been plagued by additional allegations of ineffectiveness, securing two convictions in more than 15 years of operation. These long trials are expensive and they threaten the ICC's legitimacy, especially when it positions itself as a supranational court of justice.

Topic History

The development of cyber warfare over the last few decades has utterly changed the landscape of war. While war used to be confined to physical combat--whether on land, at sea, in the air, or even in outer space--the use of cyberattacks has transferred the domain of conflict into a world of information and code. Cyberwarfare, however, further blurs the distinction between the tangible and the abstract, as attacks that are seemingly targeted only on computer infrastructure systems may cause a crash in the financial system, the meltdown of a nuclear reactor, the launching of weapons systems, or even influence the results of democratic elections.

One of the first known cyberattacks, the Morris worm, was launched on November 2, 1988 and affected computers in the United States. Released by a graduate student at Cornell, who claimed that he wanted to know how large the Internet was, it affected around 6,000 computers out of the 60,000 operating in the United States. Experts from the University of California at Berkeley and the Massachusetts Institute of Technology were able to contain the attack, and the worm’s writer, Robert Tappan Morris Jr., became the first person to be convicted of violating the 1986 Computer Fraud and Abuse Act.

However, as technology evolved, the degree of such cyberattacks increased and began to include state-to-state attacks. In April 2007, Estonia experienced a Distributed Denial of Service attack, also known as DDOS, which caused the disruption of online banking service systems, as well as both government and media operations. This rendered citizens unable to access cash machines and government employees unable to communicate with one another. While the attack was traced to a Russian IP address and the recent removal of a statue of a USSR soldier had created tensions with Moscow, there was no direct evidence to prove that Russia was the source of the attack. This incident may have been the first suspected state-backed attack and demonstrated many crucial aspects of cyberwar--that it is difficult to uncover the perpetrators of such wars and that cyberattacks may result in destruction and harm beyond the cyberspace domain. It also proved to be a wake-up call for Estonia, which responded with increased investments and funding for cyber-defence.

Russia conducted another prominent cyber attack against computer networks in Georgia in August 2008. During the Russo-Georgian war, two waves of Distributed Denial of Service attacks crippled Georgian news and government websites, as well as financial institutions, businesses, and educational institutions. In what Polish academic Andrzej Kozlowski called “information warfare,” the attack prevented the Georgian government from communicating with its public through the Internet and the media from providing crucial information; on the official website for the Georgian President, for example, regular content on current policies was replaced by a picture of the President as Adolf Hitler. This event was particularly significant as it coincided with the Russian invasion into Georgia, particularly the regions of Abkhazia and South Ossetia. Similar to the incident in Estonia, while circumstantial evidence pointed blame for the cyberattack to Russian hackers, there is no clear evidence linking the two incidents. Nevertheless, this episode illustrated how cyberattacks can be used to support conventional, physical military strikes. During the war, for example, media and communication facilities were left physically unscathed, but were targets for the cyberattack.

While Russia was the alleged perpetrator of both these episodes, it is foolish to assume that the methods of cyber warfare are limited to countries seen as traditional rivals of NATO. In fact, one of the world’s most powerful worms, the Stuxnet, was allegedly used by the United States and Israel to attack Iran’s nuclear reactors.

The Stuxnet allegedly hit Iranian enrichment facilities, specifically the IR-1 centrifuges at the Fuel Enrichment Plant at Natanz, hindering Iran’s progress in developing nuclear weaponry. The Institute for Science and International Security suggests that the Stuxnet malware was created to destroy those nuclear centrifuges; it is also known to have destroyed about 1,000 IR-1 centrifuges out of about 9,000 in late 2009 or early 2010. Internal Obama administration reports suggest that the effort was set back by 18 months to two years (this was back in 2012, before the Iranian Nuclear Deal, also known as the JCPOA, was established). The Stuxnet is known to have code 50 times as big as that of a typical computer worm--it is sophisticated and difficult to decode. The New York Times reported that this program was authorized by President Bush and was sped up by President Obama, implying that such cyberattacks allowed the Israeli and US governments to weaken the Iranian centrifuge program without launching a physical military strike (which may cause an overt war). After all, even though the existence of Stuxnet is now public information, US and Israeli officials continue to deny involvement, and the attack was likely launched as part of a covert intelligence operation.

As reports of these attacks continue to surface, the international community has increasingly been calling for a new regulatory framework for cyber warfare. As a result of the 2007 cyberattack in Estonia, the North Atlantic Treaty Organization (NATO) realized the lack of a coherent strategy to tackle the growing problem of cyber warfare and held a summit in Bucharest to discuss its commitment to respond to cyber warfare. The product of this conference was the creation of a Cooperative Cyber Defense Center of Excellence in Tallinn, Estonia and the creation of a Cyber Defense Management Authority in Brussels. Legal issues, however, still lie with the question of whether NATO Treaty nations must assist the victim nation in combating cyber warfare. Outside of NATO, a top official in the Chinese government has called for states to devise a unified set of rules to regulate cyberattacks. Russia has also started negotiations with the United States to establish a joint cybersecurity working group. Investigations in the United States that have proven Russian interference in the 2016 US presidential election, however, may prove to be a challenge in establishing cooperation between the two countries.

Ultimately, the key question for this Legal Advisory Panel lies with how the international community should translate International Humanitarian Law -- the law that currently governs the just conduct of war -- into the framework of cyber warfare. In 2013, the International Group of Experts released the Tallinn Manual on the International Law Applicable to Cyber Warfare. Although it was sponsored by the NATO Cooperative Cyber Defense Center of Excellence, it is an independent manual that provides the most comprehensive guidelines for establishing a legal framework for cyber warfare. Twenty international law experts contributed to this manual, which focused on “the most severe cyber operations, those that violate the prohibition of the use of force in international relations, entitle states to exercise the right of self-defence, and/or occur during armed conflict”--the focus of our committee. It was updated in 2017 to include cyber incidents that are not classified under an armed conflict. Since its authors mostly originate from NATO member countries and their allies, however, the manual is often seen as a NATO-influenced document rather than an independent academic work.

Current Situation

To further understand the debates surrounding the creation of a new international legal framework for cyber warfare, we must first understand the different types of possible cyberattacks, the legal issues surrounding such regulation, and cases in which these issues become problematized:

Types of Cyberattacks

There are several types of cyberattacks that we can recognize:

Denial of service attack: an attack that overwhelms a computer network with such a massive number of requests that it is rendered unable to respond to any prompts. A distributed-denial-of-service attack is similar, but coordinates multiple infected computers to concurrently attack a single system.

Malicious programs or malware: programs that operate by “disrupting normal computer functions, or by opening a backdoor for a remote attacker to take control of the computer,” oftentimes in the form of a virus that attaches itself to a computer program, or a worm, which is similar to a virus but more powerful in the sense that it is “capable of travelling across a computer system without aid from individual computer users” and “replicating itself thousands of times within a single computer.”

Logic bombs: malicious programming that is able to run when triggered by particular events or after a predetermined time period.

IP spoofing: an operation that allows a hacker to conceal their true identity, appear as a trusted host, and gain access to key computer networks.

Definitional Issues

One of the most foundational challenges in establishing an international legal framework for this issue is defining what exactly a cyberattack is. The US Department of Defense alone has suggested 12 separate definitions of what a cyberattack is. After all, cyberattacks can have numerous effects: “ranging from a virus that scrambles financial records or incapacitates the stock market, to a false message that causes a nuclear reactor to shut or a dam to open, to a blackout of the air traffic control system that results in airplane crashes.”

On the one hand, a cyberattack can be defined as having a limited scope. Oona Hathaway, a professor of international law at Yale Law School, proposed the definition of a cyber-attack as “any action taken to undermine the functions of a computer network for a political or national security purpose.” Hence, it can be a form of offense or active defense that, unlike biological or chemical warfare, is defined by its objective rather than its means. Such a definition would imply that the leak of sensitive information, the theft of intellectual property, or cyber-espionage do not constitute cyberattacks since they do not undermine the functions of a computer network.

Furthermore, the clarifying clause of a “political or national security purpose” once again brings into question the matter of intent. Hathaway thus argues that without such an intent, a hacking cannot be classified as a cyberattack. It also opens up questions about whether intent supersedes the damage created by such attacks. How would we classify a virus that affected millions of computers, but was created by an 18-year-old high school student who spread it without any specific target, but just for fun? How would we classify the Morris worm and the actions of Robert Tappan Morris Jr.?

On the other hand, a cyberattack may also have a broader scope. Broader definitions may include the general dissemination of false information, as it occurs in cyberspace, though it does not undermine the operations of any particular computer system. Such a definition would treat the Russian employment of online Twitter and Facebook bots to promote certain hacked material and post anti-Clinton messages as a form of manipulation that would constitute a cyberattack.

This video provides an accessible overview of definitional issues, although deeper exploration of Oona Hathaway’s paper, the Tallinn Manual, and other academic publications is highly encouraged.

Applying International Humanitarian Law to Cyber Warfare

The challenge offered to the Legal Advisory Panel is to establish new legal standards for humanitarian treatment in a cyberwar--think of a Geneva Convention for cyberwarfare. The Legal Advisory Panel should create a guideline as to what is considered lawful and unlawful in a cyberwar. These would revolve around the just cause (jus ad bellum) for war, meaning whether the war itself is lawful, as well as the just conduct (jus in bello) for war, meaning whether the conduct of the war is lawful. For the latter, think about our First Topic with regards to the Question in Yemen and the conduct of war in terms of distinction and proportionality.

Jus ad Bellum: What is a just cause for war?

Although Article 2(4) of the UN Charter prohibits all UN member states from using force against other states, Article 39 allows the Security Council to authorize collective security operations to respond against “the existence of any threat to peace” and Article 51 enshrines the “inherent right of individual or collective self-defence if an armed attack occurs.” Hence, it is clear that at least according to the UN Charter, a just cause for war is one conducted in self-defense against an “armed attack.” This phrase begs scrutiny as it may be difficult to interpret what exactly an armed attack constitutes.

Within scholarly debates, there have been three approaches to determining such armed attacks. Firstly, the instrument-based approach claims that a cyber-attack is categorized as an armed attack only if it uses military weapons, such as bombing computer servers or military weapons. The second approach is the target-based approach, which classifies an armed attack as any attack that targets a sufficiently important computer system. Third, the effects-based approach classifies a cyberattack as an armed attack based on the gravity and severity of the harms.

Jus in Bello: What defines just conduct in cyberwarfare?

Harking back to our discussion in Topic I, in customary international law, we encounter the jus ad bellum principles of necessity and proportionality. The principle of necessity states that force may be used only if necessary--if peaceful means cannot achieve the established aim. Proportionality, on the other hand, prohibits an intensity of force in excess of the danger, especially when there is an excessive loss of civilian life and civilian objects. Moreover, there also exists a principle of distinction, which requires military forces to distinguish between civilian and military objectives, prohibiting indiscriminate attacks.

Such principles, however, are difficult to apply in the context of cyberspace and cyber warfare. For one, what would constitute a civilian? As Hathaway et al. suggest, sometimes this is clear. For example, the distinction between military air traffic control systems and places of worship is fairly apparent. However, other times it is not so clear, especially considering that ninety-five percent of military communications use civilian networks.

Similarly, these principles are also complicated by civilians who are actively participating or engaged in hostilities. According to customary international law, such civilians would lose their protections. However, in terms of cyberattacks, how can we differentiate between civilians recruited by militaries or intelligence groups, non-state vigilante actors, and unknowing civilian programmers who have had their code modified to become a source of attack? This question is particularly relevant, because in the 2007 cyberattacks against Estonia, Nashi, a pro-Kremlin youth group, took responsibility for the attack, allowing the Russian government to deny involvement.

Accountability and Intent

Accountability and intent are hard to determine by virtue of the characteristics of cyberwarfare. Firstly, it is difficult to ascertain the chains of command that exist in the cyber domain, as such chains were created for and are dependent on traditional methods of warfare. But more importantly, it is difficult to trace both the origins and intent of possible cyberattacks. For example, there are several concealment methods that hackers can use when targeting networks to attack. The botnet method allows the hacker to access a network of private computers, launching a DDOS without the computers’ owners knowing. Attackers may also obtain the IP address of a legitimate host and use that IP address to make it seem like the stolen address is the source of the attack. Considering the global nature of internet traffic, this can lead not only to difficulty in using digital signatures to track cyber attacks, but also to the ability of attackers to shift blame to civilians, or even other states.

Case Studies

These are several case studies that are worthy of consideration and demonstrate these issues. You do not need to analyze these cases like you did in Topic 1, because you will not be tasked to deliver a verdict, but rather to create a new international legal framework similar to the Tallinn Manual.

Case Study 1: State vs State - Russia and Ukraine

In February 2017, Ukraine accused Russia of attacking its power grid, financial systems, and infrastructure. This is the latest in a series of cyberattacks from Russia since its annexation of Crimea in 2014, attacks which have also penetrated the media, transportation, and military sectors. Both in 2015 and 2016, a series of attacks on Kiev’s power grid took down the city’s electricity for an hour, with a mechanism that progressed in complexity each year, evolving from one that manually controlled the mouse of engineers to an automated multi-targeted process in 2016. The Ukrainian treasury also lost terabytes of data as it was preparing for the budget in 2016, and hundreds of computers have been destroyed in several government agencies, including the Ministries of Infrastructure, Defense, and Finance. A similar case occurred ahead of the 2014 elections in revolutionary Ukraine: a pro-Russian group called CyberBerkut rigged the website of Ukraine’s Central Election Commission, showing on the front page that it was not Peter Poroshenko, the current president of Ukraine, who won, but rather a far-right candidate who only garnered a small number of votes.

Key Questions:

Knowing that there are no physical casualties, can these cyberattacks be classified under an “armed attack”? Does it warrant a military response from NATO and Ukraine under the principle of self-defense? What if we recognize that these attacks occurred under the pretext of an actual war between Russia and Ukraine? Think about what defines a cyberattack and how we should regulate it.

Case Study 2: State vs Private - North Korea

Back in 2014, the world was surprised by a hack into the film studio Sony Pictures, which leaked personal information of Sony Pictures employees, internal corporate communications, and even unreleased movies. The group of hackers, which named themselves as the “Guardians of Peace,” demanded that Sony cancel its film The Interview - a satirical movie about North Korean leader Kim Jong Un. United States security agencies suspected that the attack was conducted by North Korea, tracing it to an alleged special cell in North Korea’s spy agency called Unit 190.

In May 2017, this North Korean agency was again brought into the spotlight when it was allegedly implicated in the WannaCry ransomware attack, which affected 300,000 computers in 150 countries. The effects of the WannaCry attack were expansive, hitting the National Health Service in England, the automaker Renault in France, as well as the German railway company Deutsche Bahn and the Spanish telecommunications provider Telefonica. Once again, the effects of these attacks not just on military objectives, but also on private corporations, raise the question of private entities being the target of cyberattacks. Experts suggest that, besides having a political incentive, North Korean cyberattacks often have underlying economic motives too. North Korea has allegedly conducted attacks against banks in 18 countries, often drawing hard money and providing financial resources for its cash-strapped government.

Key Question: How do we distinguish between state entities and private entities in cyberwar? Does it matter whether cyberattacks have a non-military or non-political objective? Does it make a difference if a state conducts the attack?

Case Study 3: Involvement of Non-State Actors

Of course, the accessibility of cyberattack methods, especially as a medium that can be utilized and deciphered not just by military experts, but by anyone with sufficient knowledge of computer science, makes cyberwarfare almost “democratic.” There are numerous cases that illustrate how non-state actors are conducting these efforts.

Anonymous, the hacktivist group, has attacked both governmental and non-governmental targets since 2008, with the general aim of opposing Internet censorship and control. In 2008, the group started by launching DDOS attacks against websites of the Church of Scientology. During the Arab Spring, in an operation dubbed Operation Tunisia, Anonymous helped protect the web browsers of Tunisians from government surveillance, shared online videos about the Tunisian uprising, and hacked the website of the Tunisian prime minister. In October 2011, the hacktivists targeted websites with child pornography, hacking a site called “Lolita City,” and leaked the names of users that were accessing the site. In 2015, they also released the names and private information of members of the Ku Klux Klan, an extremist white supremacist group with a history of violence and hate crime.

Other cases include the ILOVEYOU bug in 2000, which did not undermine the operations of any computer system, but spread an email with the subject line “I LOVE YOU” and an attachment titled “LOVE-LETTER-FOR-YOU”. When an email was opened, it would send itself to all the other email addresses owned by the person who opened the email, often creating a barrage of email that caused many corporate mail servers to crash under the load. Although authorities managed to trace the bug to Onel de Guzman, a student at the AMA Computer College in the Philippines, Guzman claimed that it was part of his thesis proposal for university, and was never charged.

Key Question: How do non-state actors fall under an international legal framework for cyberwar? Once again, does it matter what the intent and the severity of the effects of the operations conducted by these non-state actors are? How should we think about state jurisdictions, especially when considering groups like Anonymous that have members spread all over the world?

Bloc Positions

Considering that cyber operations are a tool of war that can be used by any state with sufficiently developed capabilities--whether it be the United States, Russia, China, or North Korea--these states have to balance their interest in maintaining a peaceful international framework with their interest in developing military capabilities to potentially conduct cyber espionage or even attacks in times of war.

This is a brief introduction on possible positions held by different countries. To further research your country’s position, you can look at:

• Recent press releases or speeches by the Ministry of Foreign Affairs or other government officials regarding the use of cyberwarfare

• The positions of blocs the countries belong to--such as the Gulf Cooperation Council for Saudi Arabia and ASEAN for Indonesia

• Previous experience either being a victim or a user of cyber-operations as a method of warfare

The United States, for example, did conduct the destructive Stuxnet cyberattack against NATO, but US officials have also reserved the right to use military force in response to a cyberattack, in a publication called the “International Strategy for Cyberspace” published by the White House. Lawmakers also raised the importance of a cyber strategy -- which implies both a defensive and an offensive plan. Allies like the United Kingdom have also expressed the importance of a secure cyberspace, launching a National Cyber Security Program worth 860 million pounds, alongside France, which created the French Network and Information Security Agency to handle the country's response against cyber attacks.

Similarly, both Russia and China, who have also been accused of using cyberattacks as a method of warfare, established a joint forum with language that advocates cyber-sovereignty, meaning that the Internet is a reflection of a state’s sovereign territory, as well as non-aggression in the international sphere. In a 2015 letter to the Secretary General, China, Russia, and other members of the Shanghai Cooperation Organization asked to prevent members of the UN from using cyberspace for acts of aggression.

In terms of other blocs, such as members of the African Union, the African Union has adopted the “Convention on Cyberspace Security and Protection of Personal Data.” The convention states the importance of adherence to international human rights law, but has been vague in its provisions.

Further Research

Questions to consider

Here are several questions for you to consider as you further research your topic:

1. How do we define a cyberattack? What differentiates a cybercrime from a cyberattack?

2. What military actions would justify the use of force? How can we interpret collective self-defense in terms of cyberwarfare?

3. Research the concept of the responsibility to protect (R2P). Is there such a responsibility in terms of cyberwarfare?

4. How do we regulate cyberwar when non-state actors are taken into account? 

5. Should they be tried under domestic or international jurisdictions?

6. How do we interpret cyberattacks conducted by states against private corporations? 

7. What about private entities against states? 

8. Should the protection accorded to civilian persons also be extended to corporations?

9. How do we ensure accountability and investigate intent in cyberattacks? 

10. Should intent be a parameter at all to establish culpability?

11. How do we measure the severity of a cyber operation? Should we think about the damage

12. How do we extend the principles of proportionality, distinction, and necessity to the cyberspace?

Further Resources

Here are some additional sources you may find useful for research:

Primary documents

The Tallinn Manual, which features the most comprehensive guidelines of cyberlaw

The Budapest Convention on Cybercrime

For academic analysis on international law and cyber warfare

Cyberwar as an International Affairs [PRIO Policy Brief]

Cyberwar and International Law [Buchan and Tsagorias, 2016]

Cyber Espionage or Cyberwar?: International Law, Domestic Law, and Self-Protective Measures [Christopher Yoo, 2015] 

For reports on cases of cyberwar discussed:

US and Iran: https://www.nytimes.com/topic/subject/cyberattacks-on-iran-stuxnet-and-flame

WannaCry ransomware: https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/

Russia and Ukraine: https://www.wired.com/story/russian-hackers-attack-ukraine/

Growing use of cyberattacks in the Middle East: https://warontherocks.com/2016/01/2016-the-year-of-the-great-middle-east-cyberwar/