Published online by Cambridge University Press: 08 November 2013
How should international law deal with the uncertainty arising from the rise of irregular forms of warfare? In the past decade, this question has been the topic of several reports produced by international groups of experts in the field of conflict and security law. The most recent examples include the study on the notion of the ‘direct participation in hostilities’ under the auspices of the International Committee of the Red Cross, and the Tallinn Manual on cyberwarfare prepared at the invitation of NATO. In this article, we discuss the Tallinn Manual, showing how experts faced with uncertainty as to the law's precise scope and meaning construct legal interpretations, legal definitions, and institutional facts and norms that can be used to make sense of a contingent world. At the same time, we argue, this absorption of uncertainty produces new uncertainty. Consequently, the power of experts does not reside in their knowledge, but in their control and management of uncertainty and non-knowledge.
1 Note, however, that the study on direct participation in hostilities was eventually published as a document of the ICRC, because several experts withdrew their names from the project due to fundamental disagreements regarding the interpretation of some key terms of international humanitarian law. The study is available at: www.icrc.org/eng/assets/files/other/icrc-002-0990.pdf. Some other reports dealing with the articulation of law in the area of conflict and security law include the San Remo Manual on International Law Applicable to Armed Conflicts at Sea, the Red Cross Study on Customary Law, or the Harvard Manual on Air and Missile Warfare.
3 For a study of the International Law Commission from the perspective of ‘legal expertise’ see J. S. Morton, The International Law Commission of the United Nations (2000). The part on the ILC's mandate for progressive development is interesting when read against the background of legal expertise. Apparently, the General Assembly believed that having legal expertise implies not only knowledge of international law, but also the most reliable opinions for how international law ought to develop.
4 From the perspective of our uncertainty approach, the power of expertise is related to the fixation of meaning in giving structure to uncertainty and turning it into manageable risks. See author for a longer discussion.
5 See the discussion of Habermas’s views on law in M. Deflem (ed.), Habermas, Modernity and Law (1996).
6 Report of the Study Group of the International Law Commission, Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law, A/CN.4/L.702, para. 4.
7 D. Kennedy, Of Law and War (2006). Anecdotal evidence of Kennedy's point can be found in the complaints by former NATO supreme allied commander Europe, General Jones: ‘It used to be a simple thing to fight a battle . . . In a perfect world, a general would get up and say, “Follow me, men”, and everybody would say “Aye, sir” and run off. But that's not the world anymore . . . [now] you have to have a lawyer or a dozen. It's become very legalistic and very complex.’ See L. W. Winik, ‘A Marine's Toughest Mission’, Parade, 19 January 2003, quoting General J. L. Jones, a former NATO commander, explaining how the legalistic nature of today's warfare has complicated the fight.
9 For a broader analysis see Werner, W. G., ‘The Politics of Expertise: Applying Paradoxes of Scientific Expertise to International Law’, in Hey, E. (ed.), The Role of Experts in International Decision Making (2013, forthcoming).
11 Walker, J. K., ‘The Demise of the Nation-State, the Dawn of New Paradigm Warfare, and a Future for the Profession of Arms’, (2001) 51 Air Force Law Review 323. Quoted in R. Hughes, ‘Towards a Global Regime for Cyber Warfare’, available at www.ccdcoe.org/publications/virtualbattlefield/07_HUGHES%20Cyber%20Regime.pdf (accessed 18 December 2012).
12 On a more social theoretical level, we thus argue that uncertainty reduction goes hand in hand with uncertainty production. One cannot have one without the other. What the manual does, however, is to transform unstructured into structured uncertainty, and thereby stabilize the meaning and applicability of the legal vocabulary (and imagination). The source of uncertainty is related to the uncertainties generated by cyberspace, which are framed in terms of risks. The Tallinn Manual reduces these uncertainties by invoking the legal vocabulary centered around norms. The ‘structured’ uncertainties result from the conflicts arising from bringing risks under the heading of norms.
14 See Tallinn Manual, respectively, under Rules 70–3, 27, and 63.
15 N. Grundmann and R. Stehr, Experts: The Knowledge and Power of Expertise (2011), at 40, describing experts as ‘mediators between producers of knowledge and users of knowledge; and thus, between those who create the capacity to take action and those whose task it is to act’.
16 In other words, the co-constitution of expertise and field of study runs through the stabilization of imaginations.
17 The objective of this section is neither to provide a complete overview of the history of cybersecurity, nor to provide a comprehensive account of all aspects of cybersecurity. This section simply reconstructs the extent to which transformative dynamics associated with cybersecurity trespass traditional legal confines and at the same time calls for ‘new’ legal expertise.
18 M. Dunn Cavelty, Cyber-Security and Threat Politics: US Efforts to Secure the Information Age (2008), at 45, 54, and M. Dunn Cavelty, ‘From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse’, (2013) International Studies Review 15(1), at 109.
20 The reason for focusing on these three uncertainties – without neglecting other sources or understandings of uncertainties – relates to the fact that all these three sources of uncertainty make a classic use of the law of war problematic.
21 The report is available at www.cyber.st.dhs.gov/docs/PCCIP%20Report%201997.pdf. For a discussion on critical infrastructure, see Giacomello, G., ‘Bangs for the Buck: A Cost–Benefit Analysis of Cyberterrorism’, (2004) 27 (5) Studies in Conflict and Terrorism 387; G. Weimann, Terror on the Internet: The New Arena, the New Challenges (2006). Cavelty, M. Dunn and Kristensen, K. Soby (eds.), Securing the Homeland: Critical Infrastructure, Risk, and (In)Security (2007).
22 US President's Commission on Critical Infrastructure Protection 1997, available at www.cyber.st.dhs.gov/docs/PCCIP%20Report%201997.pdf, at ix.
23 For a longer discussion, see S. J. Collier and A. Lakoff, ‘The Vulnerability of Vital Systems: How “Critical Infrastructure” Became a Security Problem’, in Dunn Cavelty and Soby Kristensen, supra note 21. See also Herrera, G. L., ‘The Politics of Bandwidth: International Political Implications of a Global Digital Information Network’, 2002 28 (1) Review of International Studies 93; see also www.blog.internetgovernance.org/blog/_archives/2011/9/20/4903371.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A±IGPBlog±%28IGP±Blog±Main%29.
25 Soon after the President's Report in 1997, the word ‘cyberterrorism’ was introduced and gained widespread attention with the terrorist attack on 11 September 2001. See Dunn Cavelty, supra note 18, 101. The idea that terrorist groups could use cyberspace to launch an attack from anywhere in the world (including from within the US itself) was not too far away from what happened on 9/11. Even though, as Dunn Cavelty argues, the Bush Administration actually followed Clinton's frames, the US Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act expanded the range of cyberterrorism extensively: what was previously treated as cybercrime could now easily be reinterpreted as acts of terrorism.
26 See in particular Deibert, R., Rohozinski, J., and Crete-Nishihata, M., ‘Cyclones in Cyberspace: Information Shaping and Denial in the 2008 Russia–Georgia War’, (2012) 43 (3) Security Dialogues 3. They point out that the C&C servers responsible were located on Russian territory, but appear to originate from a private company. Also, see J. Bumgarner and S. Borg, ‘Overview by the US-CCU of the Cyber Campaign against Georgia in August 2008’, available at www.registan.net/wp-content/uploads/2009/08/US-CCU-Georgia-Cyber-Campaign-Overview.pdf. See also www.worldaffairsjournal.org/article/shadow-wars-debating-cyber-disarmament.
27 See for example www.erratasec.blogspot.de/2012/09/there-was-no-georgia-cyber-war.html (last accessed on 13 May 2013). The point here is not to call into question the existence of DDoS attacks or to deny Russia's involvement, but to simply point out that attribution is difficult if, for example, a government-owned computer can be ‘hijacked’ by a hacker and manipulated. There is simply uncertainty around who is to be held responsible for an attack and under what conditions it can be attributed to a state.
28 Given the tensions between Estonia and Russia right before the attack, Russia was accused of standing behind these attacks. See www.spiegel.de/international/world/old-wars-and-new-estonians-accuse-kremlin-of-cyberwarfare-a-483394.html (last accessed on 13 May 2013). Eventually a 20-year-old student was thought to be responsible for the attack. The fact that Estonia is part of NATO might explain why NATO has a specific interest in clarifying the status of ‘cyberwar’ for its own Art. 5.
29 See www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all&_r=0 (last accessed 10 May 2013).
30 As Deibert, Rohozinski, and Crete-Nishihata, supra note 26, point out, cyberspace is now considered equally important as ‘traditional’ areas of land, air, sea, and space. At the time of writing, there are news reports that the US army has quadrupled its cybersecurity capacity.
31 See www.telegraph.co.uk/technology/news/9800946/Red-October-computer-virus-found.html (accessed 10 May 2013). Even though Red October is more a case of cyberespionage than cyberwar, it highlights the difficulties of attribution.
32 Because the virus remained undetected for years and used new techniques that made it ‘silent’ (at least for common antivirus alert systems), experts labelled the new virus ‘Red October’, in memory of the USSR submarine in the Hollywood movie.
33 For a map of infected countries, see www.spiegel.de/international/spiegel/how-russian-virus-hunters-tracked-down-a-global-espionage-network-a-879467.html.
34 Rule 13, para. 13.
35 Even though we generally agree with Dunn Cavelty (2008) that the history of cybersecurity is a history of failed securitization moves and can rather be understood in terms of ‘threat politics’, this contribution differs from the literature on securitization, critical infrastructure, or threat politics insofar as it is interested in the constitution of legal expertise and not the security experts. However, we do agree that the representation of the ‘object’ is crucial to understanding the kind of knowledge claims put forward and the form of legitimate expertise.
37 For an excellent discussion of legalism as the ethos of the legal profession see J. Shklar, Legalism (1964). We also thank a reviewer for pointing out the conflict between successful securitization and legalization.
38 For an interesting juxtaposition of the logics of risk and legal responsibility see F. Ewald, L’état providence (1986).
40 The quotes are taken from a presentation by Michael Schmitt on the Tallinn Manual at CyCon 2012. M. Schmitt, ‘Tallinn Manual Part I’, posted on YouTube: http://www.youtube.com/watch?v=wY3uEo-Itso (0:40).
42 This raises the question how disciplinary knowledge – and the boundaries it sets – constitute certain power relations and make expertise possible. Apart from questions of representation and legitimation (who elected the bankers? Or the lawyers?), this constitutes also a fight between these disciplines over issue areas, a problem we cannot deal with in further detail at this point. However, it does raise the question through which practices, concepts, and images ‘law’ allows for certain ‘experts’, and how these experts have to relate to law in a specific way to count as experts. This boundary then also sets the boundary of critique – because not every critique will be taken into consideration. See O. Kessler, ‘Beyond Sectors, Before the World: Finance, Security, and Risk’, (2011) 42(2) Security Dialogue, 197.
45 Megret, F., ‘From Savages to Unlawful Combatants: A Postcolonial Look at International Law's “Other”’, in Orford, A., International Law and Its Others, 265, also available at http://people.mcgill.ca/files/frederic.megret/Megret-SavagesandtheLawsofWar.pdf, at 29.
47 This audience encompasses policy makers and security experts but also the discipline of ‘international law’. Hence ‘audience’ in our understanding relates to the problem of ‘the public’.
50 Schmitt was one of the experts that took part in the deliberations on the ICRC study on civilians directly participating in hostilities. Schmitt, however, was one of the experts that disagreed so fundamentally with the propositions contained in the ICRC's Interpretative Guidance that he asked to delete his name as one of the participants. Schmitt basically disagreed with the way in which the ICRC study struck the balance between humanity and military necessity.
51 The debate on the legal aspects of cyberwar took off after M. Schmitt, ‘Computer Network Attacks: Thoughts on a Normative Framework’, (1999) Columbia Journal of Transnational Law 37, 885.
52 ‘Yet, cyberspace is not a lawless firmament. As with the aforementioned weapons, the established norms . . . govern their use’, in Schmitt, M., ‘Cyberspace and International Law: The Penumbral Mist of Uncertainty’, (2013) Harvard Law Journal 126, 176–89, at 176.
54 Schmitt, M., ‘The Interpretative Guidance on the Notion of Direct Participation in Hostilities: A Critical Analysis’, (2010) 1 Harvard National Security Journal 5, at 7.
55 Ibid., at 6. Note that Schmitt's reliance on international law as a pre-existing system and his assumption that international law stems from the will and interests of states reflects the mainstream international law position identified by M. Koskenniemi, From Apology to Utopia (2005). This raises again questions about attribution in the context of cybersecurity.
57 On this point see infra, p. 803.
59 See ABC News, ‘Arming for Virtual Battle: The Dangerous New Rules of Cyberwar’, 7 April 2013, at www.abcnews.go.com/International/arming-virtual-battle-dangerous-rules-cyberwar/story?id=18888675&page=3.
60 See ‘Rules of Cyberwar: Don't Target Nuclear Plants or Hospitals, Says Nato Manual’, Guardian, 18 March 2013, available at www.guardian.co.uk/world/2013/mar/18/rules-cyberwarfare-nato-manual.
61 M. Mimoso, Tallinn Manual Interprets International Law in Cyberwar Context (25 March 2013), available at www.threatpost.com/tallinn-manual-interprets-international-law-cyberwar-context-032513.
62 ‘NATO Publishes a How-to Manual for Cyber Warfare’ (19 March 2013), available at www.digitaltrends.com/cool-tech/natos-cyberwar-rules-leave-the-civilians-out-of-it.
63 Statement by Colonel Kirby Abbott, assistant legal adviser at Nato, in ‘Rules of Cyberwar’ supra note 60.
64 H. Koh, ‘International Law in Cyberspace’, USCYBERCOM Inter-Agency Legal Conference (18 September 2012), available at www.state.gov/s/l/releases/remarks/197924.htm. According to Schmitt, ‘since the speech had been fully cleared in the inter-agency process, it can be viewed as expressing the US government views on the issues’. Schmitt, M., ‘International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed’, (2012) 54 Harvard Law Journal 13, at 14.
66 In relation to scientific expertise this point was made by, inter alia, Ulrich Beck, ‘a different computer, a different specialist, a different institute – a different “reality”. It would be a miracle if it did not already exist, a miracle and not science’. See U. Beck, Risk Society (1992), at 166.
67 Rule 35, under 10. Note that this critique reflects the position of Michael Schmitt who initially participated and eventually withdrew from the ICRC project precisely because it failed to strike a proper balance between humanity and military necessity. See supra note 1.
68 Rule 22, under 12–14; see also section 2.2 above.
69 Rule 20, under 5.
70 Rule 21, under 3.
71 Rule 22, under 9; Rule 23, under 3.
72 B. Simma et al., The Charter of the United Nations: A Commentary (2002).
73 Rule 10, under 5.
74 As may be recalled, the Court regarded an armed attack (as mentioned in Art. 51 of the UN Charter) as ‘one of the most grave forms of use of force’, that gives rise to a right to self-defense for the victim state. In order to determine whether a use of force is of such magnitude as to constitute an armed attack, the Court used the ‘scale and effects’ test: it examined the consequences of a particular use of force in order to determine whether it also constitutes an armed attack.
75 Rule 11, under 1.
76 See, for example, the way in which the Manual deals with the question whether affording sanctuary amounts to an illegal use of force under international law. A majority (in other words, not all members) answered this in the negative, but added that ‘the provision of sanctuary coupled with other acts, such as substantial support or providing cyber defences for the non-State group could, in certain circumstances, be a use of force’ (my italics). What the ‘could’ and the ‘certain circumstances’ entail is not spelled out further.
77 Rule 11, under 8. Note that the Manual uses the careful formulation ‘took notice’. The rest of the text, however, does more than just ‘noticing’: it takes up the approach as an apparently useful tool in assessing cyberattacks.
78 Schmitt, M. N., ‘Computer Networks and the Use of Force in International Law: Thoughts on a Normative Framework’, (1999) 37 Columbia Journal of Transnational Law 885, at 914. The factors include: severity of the attack, immediacy of the response, directness of the link between the attack and the harm done, invasiveness of the attack, measurability of the effects, military character of the attack, state involvement in the attack, presumptive legality of actions under international law generally.
79 Para. 9.
80 Para. 9.
81 Para. 10.