Challenges from the Cyber Domain: Cyber Security and Human Rights

This paper explores the key tensions between human rights and state-implemented cyber security. It examines three key tensions, attribution versus anonymity, international norms and cyber war.

Authored by Adam D Brown

London School of Economics and Political Science

2011

Copyright © 2011

“If we wish to remain human, then there is only one way, the way into the open society. We must go on into the unknown, the uncertain and insecure, using what reason we may have to plan as well as we can for both security and freedom.”

-- Karl Popper, The Open Society and Its Enemies1

Developing countries frequently grace the pages of academic discourse on human rights and civil liberties. Traditional human rights violations, by infamous dictatorships that fail to apply Western universal principles of human rights, are a common narrative. The arguments advanced in this paper spare the developing world, at least for the present.2 Instead the arguments that follow indict the developed ‘information societies’ that are now heavily dependent on cyber technologies. Dependency on the cyber domain, for all the benefits it brings society, delivers, equally, a precarious state of vulnerability. State-implemented cyber security can provide an allegory of good government, of security and freedoms, or succumb to repression and less desirable characteristics of human nature. United Nations Special Rapporteur, Frank La Rue, has argued the internet is “one of the most powerful instruments of the 21st century,” a machine for building democracy.3 It is necessary then, to understand this twenty-first century global machine and its two billion human dependants.4

This paper explores the key tensions between human rights and state-implemented cyber security. It will be argued that three central tensions exist between these two prima facie competing goals. First, ‘attribution versus anonymity’ advances tensions at the core of the debate around transparency on the internet and protection of privacy. Second, competing cyber security norms amongst nation-states, produce uneasy tensions that threaten both security and the principle of internet freedom. Finally, looming cyber war threatens to erode the human rights and civil liberties enjoyed by the global internet community. These three tensions comprise the first set of arguments contended in this paper. The second argument advanced, within each chapter, purports to navigate these tensions, elucidating the shortfalls and points of convergence between each competing tension. By balancing the goals of human rights and cyber security, 'information societies' in the twenty-first century will ultimately be protected from the emergence of a tyrannical cyber state or the devastating effects of cyber attacks.

1 Karl Popper, The Open Society and Its Enemies, Vol. 1 (Routledge, 1945). P.201
2 It is acknowledged that depending on the definition of ‘developing world,’ some states have a moderate IT infrastructure. This paper is concerned with states with heavy dependency on cyber technologies. The ‘digital divide’ has left large regions of the world out of the ‘internet revolution.’ A brief look at recent states demonstrates this divide. See supra note 133.
3 Frank La Rue, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Human Rights Council (Geneva: United Nations, 2011).
4 There are now over two billion people using the internet. See supra note 133.

The emerging cyber lexicon is fraught with ambiguities and conflated language. This paper endeavours to articulate key term meanings, when required, in the context of the arguments being advanced but inevitably further definitional understanding may be needed. Supplementary to the taxonomy used, is a glossary and a brief discussion on the key foundational terms discussed within this paper.5

Attribution versus anonymity

Attribution

Discovered in 2008 by researchers at the Munk Centre for International Studies, GhostNet was found propagating itself undetected through the internet using a trojan attack called 'gh0st RAT' to hijack computers.6 By the end of 2009, GhostNet had infiltrated 1,295 computers in 103 countries.7 Subversively mining data, GhostNet recorded keystrokes and silently engaged computer visual and audio inputs of unknowing users.8 Military attachés, diplomats, journalists and human rights organisations were targeted; an estimated thirty percent of compromised computers were considered to be of high diplomatic, political, economic or military value.9 Despite accusations in the media that China was responsible, researchers conclusively stated they were unable to attribute these high profile attacks to any actor.10 The inherent design of the internet, using an antiquated IPv4 system of address assignment had provided the malicious virus too many loopholes and methods for masking data and administrator identity.11

5 Glossary on page 29 and a brief discussion on definitional foundations on page 31.
6 Rafal Rohozinski, Tracking GhostNet: Investigating a Cyber Espionage Network, Munk Centre for International Studies (Toronto: Information Warfare Monitor, 2009).
7 Ibid, 5.
8 Ibid, 47.
9 Ibid, 47.
10 Ibid, 9.

By exploiting the characteristics of the internet that allow for anonymity, GhostNet and other forms of cyber attacks have proliferated throughout the internet, allowing nefarious actors to carry out their attacks “with almost complete anonymity and relative impunity.”12 Conversely, dissidents and those living under repressive governments are able to use the same anonymising technologies, encryption and other methods available on the internet, to facilitate the rights enjoyed in Western democratic nations, freedom of speech and assembly. Internet ‘freedom’ is a central tenet of the original creators of the World Wide Web but ‘freedom’ is a contentious term. Karl Popper contends, there needs to be freedom with security.13 Sir David Omand, former Director of the Government Communications Headquarters (GCHQ), argues in Securing the State, that not only is balancing security and human rights important but that intelligence and security work needs to operate in a “framework of human rights.”14 Given the rise in malicious cyber attacks, security practitioners are arguing that the balance between security and anonymity, which facilitates free speech, is tilted too far in one direction and that greater security on the internet is needed. In the Chatham House report, Cyberspace and the National Security of the United Kingdom, its authors argue

“…the Internet could scarcely be improved upon as a medium for extremist organization and activity. …[it] should be no surprise, therefore, that extremists are also attracted to a system which offers inbuilt resilience and virtual anonymity.”15

The diversity in methods and uses, employed by terrorist networks on the internet, is increasing in complexity. Exploiting cryptography, internet protocol spoofing, secure email and other features of the internet that allow for anonymity, terrorists are able to collaborate, educate and carry out attacks, evading detection by authorities.16

11 Ibid, 12.
12 David Livingstone, Dave Clemente, Claire Yorke, Paul Cornish, On Cyber Warfare, The Royal Institute of International Affairs (London: Latimer Trend and Co Ltd, 2010). Vii.
13 See supra note 1.
14 David Omand, Securing the State (London: Hurst & Company, 2010). 321.
15 Rex Hughes, David Livingstone, Paul Cornish, Cyberspace and the National Security of the United Kingdom: Threats and Responses, A Chatham House Report, Royal Institute of International Affairs (London, 2009). 5.
16 Daniel McGrory Michael Evans, Terrorists trained in Western methods will leave few clues, 12 July 2005, 22 May 2011 <http://www.timesonline.co.uk/tol/news/uk/article543004.ece>.

Elements of crime and terrorism have merged online. John Rollins and Catherine Theohary in a report for Congress, observe that ‘cyber crime’ “… has now surpassed international drug trafficking as a terrorist financing enterprise...”17 McAfee, one of the world’s largest cyber security companies, estimates one trillion dollars worth of intellectual property was stolen via cyber attacks in 2008.18 In 2009, Symantec, another large cyber security company, reported in one cyber attack alone, the theft of 130 million credit card numbers and in another incident, the same year, seventy-six million personal identifications stolen.19 Detica and the Office of Cyber Security and Information Assurance, reported in 2009, that cyber crime cost the United Kingdom an estimated twenty-seven billion pounds per annum.20 The scale of cyber crime and threats from non-actors in the cyber domain, indicate to cyber security analysts, that a fundamental re-design of the internet is needed. Former Director of National Intelligence, Mike McConnell, has argued “we need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment – who did it, from where, why and what was the result – more manageable.”21 Federal Bureau of Investigation General Counsel Valerie Caproni, has argued in a case involving child trafficking, that she lacked “the necessary technological capability to intercept the electronic communications” that would have allowed for greater evidence against the accused.22 Greater attribution on the internet aids law enforcement and facilitates greater protection of rights.23 Greater attribution can also erode civil liberties such as the right to privacy and ‘chill’ freedom of speech.

17 John Rollins, Catherine A. Theohary, Terrorist Use of the Internet: Information Operations in Cyberspace, Report for Congress, Congressional Research Service (Washington, 2011). 2.
18 Respondents to McAfee’s report, comprised of 800 chief information officers, broke this figure down by stating $4.6 billion was lost in data and spent about $600 million cleaning up after breaches. See Elinor Mills, Study: Cybercrime cost firms $1 trillion globally, 28 January 2009, 08 March 2011 <http://news.cnet.com/8301-1009_3-10152246-83.html>.
19 Symantec, “Symantec Global Internet Security Threat Report: Trends for 2009,” Volume XV (2010). 28.
20 Detica and the Office of Cyber Security and Information Assurance in the U.K. Cabinet Office, The Cost of Cyber Crime (London, 2011). 2.
21 Susan Landau, David D. Clark, “Untangling Attribution,” Harvard National Security Journal 2 (2011): 1.
22 Jennifer Martinez, Feds want new ways to tap the Web, 7 March 2011, 26 April 2011 <http://www.politico.com/news/stories/0311/50755.html>.
23 This is assuming that the state protects human rights within their legal framework.

Anonymity

Without ‘re-engineering’ the internet, business and government have devised alternate ways of obtaining online identifications. Facebook, the largest social networking website,24 has established a strict no pseudonym policy, requiring users to use their government-authorised name.25 This policy, according to Facebook, leads to greater accountability, safety and a “more trusted [online] environment” but human rights campaigners have argued it limits their freedom of speech.26 Moreover, there are consequences in the physical world to improving online identification. Law enforcement officers in the United Kingdom have capitalised on Facebook’s policy and used it to identify and apprehend suspected criminals in the physical world.27 More intrusive has been the implementation of “real-name” systems in Italy, South Korea and China.28 These require citizens to prove their identity before accessing specific websites or ‘logging on’ at internet cafes.29 China complements its cyber security “real-name” system, with subversive internet monitoring tools. Rebecca MacKinnon author of Networked Authoritarianism, identifies one monitoring system named Green Dam Youth Escort (GDYE) that

“…not only censored political and religious content but also logged user activity and sent this information back to a central computer server belonging to the software developer’s company.”30

GDYE “aimed at protecting children from inappropriate content,” was widely believed by Western observers to be affiliated with the Chinese government and used, subversively to collect personal data on its citizens.31 Russia has implemented measures to better identify Russian citizens in cyber space. In 2008 Russian Minister of Communications, Leonid Reiman, reinstated obligations under SORM-II, legally requiring that internet service providers (ISP) submit reports to Russia’s secret service agency (FSB).32 These reports were required to provide “users’ names, telephone numbers, e-mail addresses, one or more IP addresses, key words, user identification numbers, and users’ ICQ number (instant messaging client), among others.”33 Under orders of President Vladimir Putin, these details were made available to other branches of government, raising privacy concerns amongst human rights advocates and at the United Nations.34 China and Russia, in 2009, were within the top 10 most prolific producers of malicious cyber attacks worldwide.35 These figures question the cyber security methods used by Russia and China. They are either ineffective at stopping cyber attacks or are used and designed for other purposes. The United Nations report on The promotion and protection of the right to freedom of opinion and expression, has specifically identified ISP liability as a danger to human rights.36 United Nations Special Rapporteur, Frank La Rue contends that a fundamental feature of the World Wide Web, is that it “depends on intermediaries, or private corporations” without government interference.37 When ISPs know they are being monitored by the state, this leads to “self-protective and over-broad private censorship” that has a ‘chilling effect’ on freedom of speech and principles of internet freedom. According to La Rue, ISP liability is a serious threat to human rights and appears to be becoming more prolific throughout the world.38

24 New York Times, Latest Developments: Facebook, 06 July 2011, 10 July 2011 <http://topics.nytimes.com/top/news/business/companies/facebook_inc/index.html>.
25 Tini Tran, Activist Michael Anti Furious He Lost Facebook Account--While Zuckerberg's Dog Has Own Page, 03 March 2011, 23 April 2011 <http://www.huffingtonpost.com/2011/03/08/michael-anti-facebook_n_832771.html>.
26 Ibid, Tran.
27 Arrest over social network site damage incitement, 14 August 2011, 17 August 2011 <http://www.bbc.co.uk/news/uk-england-tyne-14521031>.
28 These “real-name” systems, despite their attempts at greater attribution, have received criticism as flawed and easily circumvented. Jonathan Ansfield, China Web Sites Seeking Users’ Names, 05 September 2009, 02 June 2011
29 Ibid. Ansfield. <http://www.nytimes.com/2009/09/06/world/asia/06chinanet.html?pagewanted=1&hp>. Also see information on Italy at Italy: Internet Surveillance, 05 December 2010, 07 June 2011 <http://opennet.net/research/profiles/italy>.
30 Rebecca MacKinnon, “China’s “Networked Authoritarianism”,” Journal of Democracy (2011): 40.

Moving forward

Prima facie tensions exist between the goals of increasing transparency on the World Wide Web while maintaining privacy and anonymity. Bridging these conflicting aims requires a proportionate, balanced and systematic response. Richard Clarke and Robert Knake argue for a variety of technological-political solutions to advancing the aims of both cyber security and human rights advocates.39 It is contended, two are most important to the arguments advanced, “deep-packet inspection” and replacing the “TCP/IP protocol.” Clarke and Knake argue an effective method of combating cyber crime and malicious online activity is to install “deep-packet” inspection systems on Tier 1 ISP networks.40 These systems would effectively scan data moving through the network identifying malicious activity.41 Knake and Clarke refute the argument that it is a “Big Brother” system, contending that the system would have “real oversight mechanisms” and be run by a “Civil Liberties Protection Board” with no affiliation to the government or ISPs.42 Moreover, data itself would not be read, rather the “signatures” or identifying features of malicious cyber threats.43 This system is in direct opposition to Frank La Rue’s aforementioned report that states “…censorship measures should never be delegated to a private entity, and that no one should be held liable for content on the Internet of which they are not the author.”44 La Rue’s report does not strike a proportionate balance between cyber security and human rights. In the United Nations Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, rights of freedom of speech, assembly and privacy are all qualified.45 Given the significant threat argued from malicious cyber attacks, which themselves violate human rights, Knake and Clarke provide a more balanced and proportionate response. While there is an inherent danger of corruption in Knake and Clarke’s system, this is inherent in any democratic system; defended against only through the continuous stewardship of human rights by citizens themselves. Knake and Clarke’s second contention for resolving the aforementioned problems of attribution and anonymity is to replace the current TCP/IP protocol with an encrypted military protocol.46 Knake and Clarke argue that a military protocol would allow for better sorting of data travelling through the internet into various priorities and networks.47 It would include better encryption facilities, so that, unlike today, most data could be secured. Advocates of greater anonymity could use a network using this protocol, knowing their data was encrypted and was going to reach the destination without interference. This second argument by Knake and Clarke is problematic in the context of Human Rights. Sorting data raises a number of dilemmas in a global network. Questions emerge around who decides what and how data is sorted. A single global standard of encryption raises problematic issues of vulnerability and ‘backdoor’ access. Governments have historically been wary of allowing encryption technologies without ‘backdoors’ that they can use, if that technology were to be used by ‘criminals’ or ‘terrorists.’48 A global encryption protocol moreover, would need to be very secure. Haystack software, used in 2010, was developed by the United States to be used by Iranian dissidents as a method of evading Iranian government censors.49 The software was soon ‘cracked’ by independent experts who suggested that the Iranian regime might have done the same, exposing all those dissidents that used the software.50 Knake and Clarke address the core tensions between cyber security and human rights. It is argued the latter solution, is less desirable than the former but both elucidate that bridging these competing goals is achievable in varying degrees. As states continue to devise methods within cyber security, emerging cyber security norms develop. These norms can have a significant impact on international human rights law and the principles of internet freedom.

31 Ibid, 40.
32 OpenNet Initiative, Russia, 19 December 2010, 21 January 2011 <http://opennet.net/research/profiles/russia>.
33 Ibid, Russia.
34 Ibid, Russia.
35 See supra note 18 at 7.
36 See supra note 3 at 11.
37 See supra note 3 at 11.
38 See supra note 3 at 11.
39 Robert Knake, Richard Clarke, Cyber War (New York: HarperCollins, 2010). 161-162 and 273.
40 Tier 1 ISP networks are considered the “backbone” of national internet networks. Shutting a Tier 1 network, would result in many smaller networks becoming ‘detached’ from the internet and large numbers of people being disconnected from the internet. See Ibid. 161.
41 See supra note 37 at 161.
42 See supra note 37 at 162-163.
43 Ibid, 162-163.
44 See supra note 3 at 13.
45 See supra note 3 at 7.
46 See supra note 37 at 273.

Cyber security norms and human rights

Cyber security norms increasingly differ as states move to exert greater sovereignty in the cyber domain. Lack of global governance and advancements in technology have resulted in states enacting their own cyber security policies, a move that tests the principles of those who advocate for a ‘free’ and ‘unfettered’ World Wide Web (‘web’). Tim Berners-Lee, original architect of the hypertext protocol that governs the World Wide Web, contends that like democracy, a “free” and “open” cyber space needs to be continuously maintained against governments and corporations who may succumb to more repressive cyber security tendencies.51

“The Web is now more critical to free speech than any other medium. It brings principles established in the U.S. Constitution, the British Magna Carta and other important documents into the network age: freedom from being snooped on, filtered, censored and disconnected.”52

47 Ibid. 273.
48 Will Rogers Richard Fontaine, “Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security,” Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Center for a New American Security, 2011) I-II vols. 150-151.
49 Ibid. 151-152.
50 Ibid. 151-152.

Here it is evident that there exists an analogous aim in both the internet freedom principles described by Berners-Lee and international human rights legal norms of freedom of speech and assembly.53 Berners-Lee with his 'internet freedom principles' echoes Frank La Rue, who argues that the transformative nature of the internet, as a tool for building democracy, has been revolutionary and that it is a result of the unique characteristic of free two-way communication.54 The right to freedom of opinion, expression and the right “to hold opinions without interference” are enshrined in Article 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.55 If there is any doubt, the Covenant on Civil and Political Rights states that freedom of opinion and expression applies to those who “… seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice;” with emphasis on “other media of his choice” and “regardless of frontiers.”56 These United Nations conventions provide ample fodder for advocates of a ‘free’ internet but they are not determinant. On further reading of the Covenant on Civil and Political Rights, there resides, in Article 19, sections 3 (a) and (b) qualifying statements to limit these rights.

“The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:

(a) For respect of the rights or reputations of others;

(b) For the protection of national security or of public order (ordre public), or of public health or morals.”57

51 Tim Berners-Lee, Long Live the Web: A Call for Continued Open Standards and Neutrality, 22 November 2010, 04 April 2011 <http://www.scientificamerican.com/article.cfm?id=long-live-the-web>.
52 Ibid, Berners-Lee.
53 Given the level of abstraction argued in this paper, this paper will contend that both the internet freedom principle and human rights share principal aims, and the terms will be used interchangeably.
54 See supra note 3 at 6.
55 See supra note 3 at 7.
56 United Nations, “International Covenant on Civil and Political Rights,” Art.19. 16 December 1966, 03 March 2011 <http://www2.ohchr.org/english/law/ccpr.htm>.

It is not unforeseeable, that governments would validate their cyber security policy using sections (a) or (b). Riots and civil unrest throughout the Middle East, during the ‘Arab Spring,’ led governments to temporarily shut off internet access in, what was argued, an effort to maintain public order.58 British Prime Minister David Cameron employed the same reasoning during the August riots in London, advocating to temporarily “turn-off” access to social media networks.59 This suggests that democratic regimes are not immune to bolstering their cyber security policy against human rights concerns. These examples demonstrate tensions between international human rights law and state cyber security measures. Cyber security norms are tenuous between states as well.

Western universal principles of human rights when applied to the concept of ‘cyber security’ are in tension with Eastern notions. In the Russia-U.S Bilateral on Cybersecurity Critical Terminology Foundations, it emerged that the term ‘cyber security’ carried different connotations for both parties.60 While both teams of negotiators agreed that ‘cyber security’ denoted ‘protection’ and that it was analogous with ‘information security,’ the Russian perspective was that ‘protection’ included “protecting the population from terrorism” and that censorship was “… an essential aspect of ‘information security.’”61 China too, views anti-government dissonance as a threat and has adopted a definition of cyber security analogous to Russia’s.62 The Russian and Chinese perspectives are incompatible with Western concepts of liberty and international human rights law, having a fissiparous effect on cyber security norms with human rights. The Chinese and Russian interpretation of cyber security leads to a third, consequential tension, with human rights; that between the state and citizen.

57 Ibid, 23.
58 Reuters, Arab Web clampdown hurts own economies: Google's Schmidt, 26 May 2011, 24 June 2011 <http://www.reuters.com/article/2011/05/26/us-g8-google-arab-idUSTRE74P4EO20110526>.
59 British Broadcasting Corporation, England riots: Government mulls social media controls, 11 August 2011, 15 August 2011 <http://www.bbc.co.uk/news/technology-14493497>.
60 Valery Yaschenko Karl Frederick Rauscher, Russia-U.S. Bilateral on Cybersecurity: Critical Terminology Foundations, Worldwide Cybersecurity Initiative, EastWest Institute (New York: Moscow, 2011). 16.
61 Ibid, 16.
62 Martha Finnemore, “Cultivating International Cyber Norms,” Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Center for a New American Security, 2011) I-II vols. P.89-90

Censorship is a formidable and increasingly used tool by state-implemented cyber security regimes. Such is the threat of pervasive filtering or censorship that Vinton Cerf, popularly known as the ‘father of the Internet,’ has suggested, “…if every jurisdiction in the world insisted on some form of filtering for its particular geographic territory, the web would stop functioning.”63 Cerf’s observation illustrates the extent to which the internet requires international cooperation and importantly, the establishment of carefully crafted censorship norms. China is a world leader in the use of surveillance and censorship technologies, having “the largest and most sophisticated filtering systems in the world.”64 Rebecca MacKinnon argues that the refined and sophisticated methods used by the Chinese government, allow for prima facie freedom of speech.65 MacKinnon describes that in China debate can be fierce and passionate, “bringing injustices to national attention… [causing] genuine changes in local-government policies or official behaviour.”66 These freedoms, to use a security analogy from Karl Popper, are a chimera.67 As MacKinnon observes,

“in the networked authoritarian state, there is no guarantee of individual rights and freedoms … the government has continued to monitor its people and to censor and manipulate online conversations to such a degree that no one has been able to organize a viable opposition movement.”68

Most concerning from MacKinnon’s observations, are the consequential political repercussions of this censorship and surveillance. Reporters Without Borders, reported in 2010, that out of 119 ‘cyber dissidents’ imprisoned around the world as a result of their online political dissonance, 77 were detained in China.69 These arrests remind Chinese dissidents that the government is watching and this has a ‘chilling effect’ on freedom of speech. These electronic intrusions by the Chinese government go against the aforementioned principles of internet freedom. China’s cyber security methods are severe but China is not unique amongst states in censoring online content. Censorship, to varying degrees has become a global norm, practiced by most states, even democratic regimes. Government censorship on the internet is best elucidated by The OpenNet Initiative’s report, documenting YouTube censorship around the world.70 Democratic and authoritarian governments are represented on the report’s global map depicting where the YouTube website or its videos have been censored. Evidently, it is clear that censorship is increasing in both intensity and in proliferation around the world.71 While the practice of internet censorship is becoming a global norm, the type of content being censored differs markedly. This suggests that a secondary tension exists, between states with differing perceptions of what “free speech” entails. Emblematic of this tension, is the Additional Protocol to The European Convention on Cybercrime. It requires signatories to criminalise

“…distributing xenophobic or racist material through a computer system; expressing denial, “gross minimization” or approval of a genocide or crimes against humanity through a computer; distributing insults to people because of their race, color, religion, national or ethnic origin through a computer system or aiding and abetting any of these acts.”72

63 Rex Hughes, David Livingstone Paul Cornish, Cyberspace and the National Security of the United Kingdom: Threats and Responses, A Chatham House Report, Royal Institute of International Affairs (London, 2009). P.17
64 OpenNet Initiative, China: regional profiles, 15 June 2009, 11 July 2011 <http://opennet.net/research/profiles/china>.
65 See supra note 30 at 32-46.
66 Ibid. MacKinnon.
67 See supra note 1 at 111.
68 See supra note 33.
69 Reporters Without Borders, “The Enemies of the Internet,” 12 March 2011, World day against cyber-censorship, 08 August 2011 P.5 <http://march12.rsf.org/en/#ccenemies>.

As a signatory to this protocol, France bans publishing material that meets these qualifications. Conversely, the United States, bound by its constitution, has not ratified the protocol.73 In context of global cyber security norms and human rights, this exemplifies the problematic nature of conflicting cyber security regimes. France’s attempt to exert positive rights, conflicts directly with the United States’ attempt to ‘exert’ negative rights in cyber space. As a global technological commons, the internet allows for these competing and paradoxical ‘universal’ conceptions of human rights, adding further difficulties to resolving cyber security norms and international human rights law. The current state of the international community and its response to human rights in the discourse of cyber security is inadequate. It will be argued, there needs to be greater unification of these norms at the international level.

70 OpenNet Initiative, YouTube Censored: A Recent History, 02 August 2011 <http://opennet.net/youtube-censored-a-recent-history>.
71 Ibid. OpenNet.
72 See supra note 48.
73 The United States has ratified the Convention, but not the protocol.

Cyber security norms and human rights unification

Altering and unifying international norms is the primary method of resolving the

tensions between human rights and cyber security norms. Author Martha Finnemore

argues that “norm cultivation” is a three-part process: promulgation and

articulation, dissemination of the established norms, and internalization, at the state

level, of these norms.74 Finnemore is not naive to the tensions and difficulties of

establishing unified global cyber security norms. A nuanced and reasoned approach is

provided that moves beyond the scope contended in this paper, but key themes are

necessary to incorporate into the context of the arguments made in this chapter. Cyber

security, argues Finnemore, is analogous to other global issues such as protecting the

environment, stopping corruption and improving gender equality.75 Techniques used

to advance these causes can be used to better promote the compatible features of

cyber security and human rights. An example can be drawn from China, where

although its cyber security policies are repressive from a Western perspective, there

are greater freedoms of speech, due to cyber technologies, now than in past decades.76

Building on these movements through diplomatic pressure and encryption

technologies77 may bring China and other repressive nations into a cyber security

regime that reflects the United Nations conventions and aforementioned internet

freedoms. Finnemore further argues that given the stake private industry has in

keeping the internet unconstrained by national governments, they may play an

important part in harmonising global cyber security norms.78 Best practice corporate

policies may, as Finnemore contends, insulate companies from accusations of

subversive government agency.79 These arguments by Finnemore suggest there is

room for greater consensus on cyber security and human rights, although very little. It

is the contention of this paper, that the increasing trend in state censorship of the

74 Martha Finnemore, “Cultivating International Cyber Norms,” Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Center for a New American Security, 2011) I-II vols. p. 93.
75 See supra note 58 at 96.
76 See supra note 28 at 33.
77 For a discussion on the potential of encryption devices being used to liberate those repressed under authoritarianism, see Richard Fontaine and Will Rogers’ article on internet freedom. See supra note 58 at 150.
78 See supra note 60 at 100.
79 See supra note 64.

internet and the ideological divergence amongst states on the meaning of liberty and

‘cyber security’ is of great concern. These indications suggest a trend toward states

imparting greater sovereignty within the cyber domain and a resulting fracturing of

the World Wide Web against the principles of internet freedom. The most significant issue in

terms of cyber security norms and human rights has not yet been argued. Cyber war,

as a cyber security issue, has not achieved international consensus in either the Laws

of Armed Conflict or humanitarian law.

Cyber war and human rights

“Because the entire law of war regime has been built upon a Westphalian foundation, the transformative properties of cyber warfare are just as breathtaking. We are left pondering some fundamental questions – what constitutes force? What is a hostile act? When is self-defence justified in response to a cyber attack? Is the use of traditional means of force ever justified in response to a cyber attack? These are not easy questions and the international legal regime is lagging far behind the problems presented by the increasingly sophisticated technological possibilities in the area.”80

-- Lieutenant Colonel Jeffrey K. Walker

Cyber war, as the preeminent cyber security issue, is destructive and politically

complicated. Nuclear war strategist, Joseph S. Nye, has likened cyber war in the

context of cyber security, to the dawn of the nuclear age, with opaque ‘adversarial

interactions’ and new, little understood weaponry.81 Cyber war analysts Andrey

Korotkov and Karl Rauscher argue that the international community of states has not

developed “rules of engagement” in cyber warfare, despite the cyber domain being

“the linchpin of our mutual safety, stability and security.”82 Without an international

consensus on what constitutes an ‘act of cyber war’ or the ‘conduct during cyber war,’

nation-states are in danger of subverting human rights, while the cyber domain

becomes increasingly militarised. Establishing, then, the applicability of the Laws of

Armed Conflict (LOAC) and international humanitarian law (IHL) resides at the

fulcrum of a discussion on cyber war and human rights. Navigating the arguments

advanced will be framed through Michael N. Schmitt’s paradigm of what constitutes

cyber war, an ‘actor-based threshold’ or a ‘consequence-based threshold.’

Rationalising cyber war in this way teases out the problematic characteristics of

applying international human rights law to cyber war. Addressing first the ‘actor-based

threshold’ exposes the tenuous relationship between cyber war and

80 This quote is borrowed from Dr Rex Hughes’ illustrative article on a global cyber warfare regime. See Rex Hughes, “Towards a Global Regime for Cyber Warfare,” Kenneth Geers Christian Czosseck, The Virtual Battlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009) p. 106. The original quote can be found at Jeffrey K. Walker, “The demise of the nation-state, the dawn of new paradigm warfare, and a future for the profession of arms,” Air Force Law Review (2001): 51.
81 “Power and National Security in Cyberspace,” Joseph S. Nye, America’s Cyber Future, Vol. II (Washington: Center for a New American Security, 2011). 7.
82 Andrey Korotkov Karl Frederick Rauscher, Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace, EastWest Institute (New York, 2011). iii.

international human rights law. Secondly, it will be argued that a ‘consequence-based

threshold’ is highly advantageous over the former and that rationalising cyber war in

this way provides a theoretical way of bridging the two aims of cyber war and human

rights together. Lastly, it will be contended that the failure to unite

cyber war and international human rights law is leading to a greater militarisation of

the technological commons. Militarisation of this space is at great detriment to the

citizens in the ‘information societies’ who depend solely on this space in everyday

life.

Dr. Rex Hughes, in his article Towards a Global Regime for Cyber Warfare, argues

that a war of aggression crime, in international law, is applicable to cyber war.83

Hughes argues that United Nations (UN) General Assembly Resolution 3314,84 the

‘Definition of Aggression,’ be applied to cyber attacks that disrupt national power

grids, health services, financial services and transportation links, among other sectors

of critical infrastructure (CI).85 Similarly, Richard Clarke contends that the Geneva

Convention on “Protection of Civilians” and the United Nations Convention on

“weapons with ‘Indiscriminate Effects’” be expanded to include cyber attacks on

critical infrastructure.86 Clarke argues that civilians, as opposed to the military, would

be most severely affected in a cyber attack and are thereby more vulnerable.87

Militaries are better prepared for emergencies with stockpiled food, backup power

systems and hospitals, while civilian infrastructure is less resilient.88 Attacks on these

critical sectors of civilian life, Clarke contends, could be no greater example of a

cyber war causing ‘indiscriminate effects’ and as a corollary, is thereby applicable

under humanitarian law.89 Hughes and Clarke suffice in framing the humanitarian

implications of cyber war, juxtaposed to an abstract level of international law, but

their arguments are founded on unanswered questions and untested assumptions.

83 Rex Hughes, “Towards a Global Regime for Cyber Warfare,” Kenneth Geers Christian Czosseck, The Virtual Battlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009) 106-116.
84 U.N Resolution 3314 was originally drawn from U.N Charter, Article 2. See Elizabeth Wilmshurst, Definition of Aggression General Assembly resolution 3314 (XXIX), 24 June 2011, <http://untreaty.un.org/cod/avl/ha/da/da.html>. Article 2, paragraph 4 states: “Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”
85 Ibid, 112.
86 See supra note 37 at 242.
87 Ibid, 242.
88 Ibid, 242.
89 Ibid, 242.

Michael N. Schmitt, in Wired warfare: Computer network attack and jus in bello,

addresses these unanswered assumptions, by investigating the applicability of a

computer network attack (CNA) with the LOAC and HL.90 Schmitt’s contention is

that applying existing international legal norms to computer network attacks

will require accepting various interpretive premises. These premises can be addressed

in three arguments against the applicability of cyber war to international law: that

there is no direct legal instrument applicable to cyber war, that cyber war technologies

postdate treaties thus rendering them invalid, and the question of ‘armed force.’

Determining ‘cyber war:’ an actor-based threshold

Martens Clause, introduced in the 1899 Hague Convention, refutes those arguments

that stipulate international law is not directly applicable to cyber war.91 Martens

Clause states that

“…civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity, and from the dictates of public conscience.”92

Schmitt contends that Martens Clause applies humanitarian law during armed conflict

leaving “no lawless void” amongst those humanitarian situations not covered by an

international agreement.93 Thereby, the Martens Clause norm in customary law does

cover all occurrences, even those arising from cyber war. The second contention

advanced is that cyber technologies postdate the relevant HL legal instruments,

rendering them inapplicable to cyber war. Refuting this contention requires

recognising the International Court of Justice’s verdict on nuclear weapons in relation

to international human rights law. The Court noted that “[i]n the view of the vast

majority of States as well as writers there can be no doubt as to the applicability of

90 Schmitt’s argument focuses on computer network attacks. This paper contends this argument can be expanded to include all cyber technologies. See Michael N. Schmitt, “Wired warfare: Computer network attack and jus in bello,” International Review of the Red Cross 84.846 (2010): 368-369.
91 Ibid. 369.
92 Ibid, 369.
93 Ibid. 369.

humanitarian law to nuclear weapons.”94 Cyber war attacks, given the gravity of their

destructive capabilities on civilian populations, are arguably analogous to nuclear

weapons, but even if this is dismissed, the underlying premise of the ICJ ruling holds

that technologies are within the ambit of international law, regardless of when they

come into being. This leaves one last point of contention, that cyber war is not

applicable to international human rights law, due to the qualification requiring ‘armed

conflict’ that is a present qualification in the Geneva and Hague conventions.95 The

International Committee of the Red Cross, on the 1949 Geneva Conventions and the

1977 Additional Protocols, defines armed conflict as “…[a]ny difference arising

between two States and leading to the intervention of armed force.”96 While cyber

attacks have consequential ‘war-like’ effects, this does not mean an ‘armed force’ has

carried them out. The Cooperative Cyber Defence Centre of Excellence (CCDCOE)

legal team, investigating the legality of cyber attacks on Georgia in 2007, investigated

this dilemma in an attempt to place cyber war within the ‘armed conflict’

qualification.97 Armed force in the physical world requires physical troops and

weapons that can, in contrast to cyber attacks, be more easily verified and

attributed to a hostile nation-state. Circumstantial and technical means of attributing a

cyber attack can rarely conclusively tie an attack to an attacker.98 Attribution, prima

facie, in cyber war becomes an important characteristic in determining what

constitutes ‘armed force’ and as a corollary, what constitutes an ‘armed conflict.’

Attribution is an important characteristic in defining the ‘actor-based threshold’

required to define an ‘act of war.’ GhostNet has not been recognised as an ‘act of

war’ by the international community but exemplifies the ‘actor-based threshold’

dilemma. Investigators responsible for uncovering GhostNet, contend that plausible

deniability allows states to officially distance themselves from attacks.”99 ‘Plausible

deniability’ benefits state actors carrying out attacks, given the geographic time and

94 Ibid. 370.
95 See supra note 89.
96 International Committee of the Red Cross, Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, 12 August 1949, 8 June 2011 <http://www.icrc.org/ihl.nsf/COM/365-570005?OpenDocument>.
97 Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul. Cyber Attacks Against Georgia: Legal Lessons Identified. NATO. (Tallinn: Cooperative Cyber Defence Centre of Excellence, 2008). 12.
98 Ibid, 12.

space required to carry out an investigation, versus the speed at which attacks can take

place and the range of geographical locations that may be involved.100 These

geographical locations then have political implications, particularly if there is little

technical evidence of the cyber attack. Senior National Security Agency official,

Debora Plunkett, argues, “…[because cyber attacks] are hard to detect and quantify,

it is difficult to generate the political will required for effective solutions.”101

Moreover, with traditional conflict, comprising troops and kinetic

weaponry, it soon becomes obvious an attack has taken place and politicians are then

obliged to act. Cyber attacks, by contrast, often involve the less obvious exploitation of a

computer system vulnerability and politicians may be reluctant to publicise them in

instances of national security.102 For these reasons, Richard Clarke has advocated for

an international organisation, similar to the International Atomic Energy Agency, to

impartially monitor cyber warfare attacks on states.103 As an institutional solution to

attribution of cyber attacks, this would be of benefit but it fails to resolve the technical

difficulties. These problematic characteristics of attribution indicate that construing

‘armed force’ or ‘armed conflict’ from a cyber war is highly difficult.

The Geneva and Hague Conventions have, for decades, established the boundaries in

war. Asphyxiating the enemy, using poisonous gases and bacteriological

warfare have been banned104 and restrictions placed on the most brutal weaponry.105

Cyber war and its weaponry provide their own challenges to IHL and the LOAC but,

as with previously invented weaponry, should be assessed and, if appropriate,

incorporated into humanitarian law. It is beyond the scope of this paper to assess the

entire ambit of cyber war strategy and weaponry in war but a focused analysis on

critical characteristics of cyber war conduct and weaponry elucidates the associated

human rights implications and 'actor-based approach.' Rex Hughes introduces the

‘cyber weapon’ as an electron travelling through the cyber domain violating the

100 Daniel E. Geer, “How Government Can Access Innovative Technology,” America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Center for a New American Security, 2011) I-II vols. 186.
101 Debora Plunkett, “The Atlantic’s and Government Executive’s First Annual Cybersecurity Forum” (Washington, 2010).
102 See supra note 37 at 238-255.
103 See supra note 37 at 247.
104 International Committee of the Red Cross, Protocol for the Prohibition of the Use of Asphyxiating, Poisonous or Other Gases, and of Bacteriological Methods of Warfare, 8 February 1928, 04 May 2011 <http://www.icrc.org/ihl.nsf/intro/280>.
105 See supra note 82 at 273.

Hague Convention as it passes from one neutral country to another.106 The Hague

Convention, argues Hughes, forbids the “movement of weapons” across a neutral

state.107 Hughes’ argument is academic at the present time but not an implausible

reality for the future. The example elucidates the problems and properties of using

cyber weapons in what is now recognised as the “fifth domain”108 and the

implications for human rights. In an effort to best rationalise cyber weapons and their

use in the scope of this brief argument, this paper will divide cyber attacks, used in

cyber war, into a taxonomy of two: kinetic and non-kinetic attacks. Kinetic cyber

attacks (KCA) result in physical damage, designed with the intent to manipulate the

data that controls machines causing them to function improperly in the physical

world. States are usually the targets of KCAs because, as opposed to non-state actors,

they have infrastructure to target and damage. There is an increasing number of KCA

cases emerging in the cyber discourse. During the Cold War, the Central Intelligence

Agency planted a logic bomb in the computer software that managed a Russian

pipeline in Siberia, setting off a three-kiloton explosion, large enough to be seen from

outer space.109 This event demonstrated the potential a kinetic cyber attack could have

on civilian infrastructure. In a recent example from 2010, a sophisticated piece of

malware known as Stuxnet, which exploited four ‘zero-day’ vulnerabilities, targeted the

programmable logic controller (PLC) at an Iranian nuclear facility, controlling its

uranium enriching centrifuges.110 By injecting malicious code into the PLC, Stuxnet

was able to increase the speed of the Iranian centrifuges up to a rate of 1,410 Hz that

caused them severe damage.111 It is estimated that Stuxnet set back the Iranian nuclear

programme by two years and set a dangerous precedent in cyber warfare.112

Techniques used in the pipeline explosion and Stuxnet resemble the type of kinetic

cyber attacks analysts fear will be used on civilian critical infrastructure,113

106 See supra note 75 at 112.
107 Ibid, 112.
108 The Economist, War in the fifth domain, 1 June 2010, 26 May 2011 <http://www.economist.com/node/16478792>.
109 Peter L. Levin, Wesley K. Clark, “Securing the Information Highway: How to Enhance the United States' Electronic Defenses,” Foreign Affairs 88.6 (2009): 4.
110 Kim Zetter, How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History, 2011 July 2011, 04 August 2011 <http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1>.
111 IISS Strategic Comments, Stuxnet: targeting Iran's nuclear programme, Volume 17, Comment 6, The International Institute For Strategic Studies (London, 2011).
112 Ibid, IISS Strategic Comments.
113 Examples of critical infrastructure sectors include, communications, emergency services, energy, finance, food, government, health, transport and water. These can all be affected by cyber attacks. See

specifically on supervisory control and data acquisition (SCADA) systems that

control the machines that manage critical infrastructure in many industrialised

countries.114 These examples of kinetic cyber attacks on critical infrastructure

elucidate the impact these types of attacks can have on human rights and civil

liberties. To quote Lord Cameron of Dillington, the United Kingdom is “nine meals

away from anarchy,” referencing the impact of a cyber disruption to the food supply

chain on the “just-in-time” delivery method of supermarket chains.115 Ninety-five

percent of the food eaten in the United Kingdom is oil dependent, meaning the oil

supply to the nation is vital.116 A kinetic cyber attack that targeted either set of critical

infrastructure, the computer networks of the “just-in-time” system or the oil delivery

systems, would have a devastating impact on the United Kingdom. The implications of

these scenarios demonstrate the severity of kinetic cyber attacks and the importance of

framing some of these within international human rights law. The second type of

cyber attack is the non-kinetic attack. These attacks are more problematic with

the traditional ‘actor-based threshold’ required to attribute an act as an ‘act of war.’

The LOAC establish that in war, when an attack has taken place, there must be

intentional “injury, death, damage or destruction” as a result of that attack.117 Kinetic

cyber attacks clearly fit within these qualifications but non-kinetic attacks elucidate

more problematic characteristics. Distributed Denial of Service (DDoS) attacks

represent “among the most visible and disruptive of cyber-attacks” according to Dr.

Jose Nazario, a specialist in DDoS attacks.118 Estimates have suggested that three

months of sustained DDoS attacks on the United States would have the effect of “40

or 50 large hurricanes striking all at once.”119 DDoS attacks prima facie do not cause

'injury, death, damage or destruction'; it is the consequential externalities from these

attacks that can impart death and damage onto property. A DDoS attack works by

Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space (London: The Stationery Office (TSO), 2009). 3.
114 See supra note 37 at 98.
115 See supra note 75 at 20.
116 Ibid. 20.
117 Ibid. 20.
118 Jose Nazario, “Politically Motivated Denial of Service Attacks,” Kenneth Geers Christian Czosseck, The Virtual Battlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009). 163.
119 Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space (London: The Stationery Office (TSO), 2009). 4.

overwhelming the target computer’s bandwidth,120 so that it has no bandwidth for

those computers trying to ‘legitimately’ communicate with it.121 If communication is

disrupted between servers that run a website, then there is an infringement of freedom

of speech, assembly and potentially privacy if the website fails to display. If the

interrupted communication is with a computer that runs a national power grid, then

fundamental rights such as the right to life may be engaged by the shutting off of

systems dependent on electricity. Used by a state in a war capacity, these cyber

attacks would, at a minimum, violate one’s right to privacy, guaranteed by article 17

of the International Covenant on Civil and Political Rights122 and article 12 of the

Universal Declaration of Human Rights that states “…no one shall be subjected to

arbitrary interference with his privacy.”123 DDoS attacks do not easily fit

the qualifications of the ‘actor-based threshold’ refuted by Schmitt.

Resolving tensions: the consequence-based threshold

Returning to Schmitt’s argument, he advances that applying existing

international legal norms to computer network attacks requires accepting various

interpretive premises, and that using a consequence-based threshold for determining what

“armed conflict” and “attack” are in cyber space is the most adequate way to bridge cyber

attacks into an international legal regime. Schmitt contends,

“…humanitarian law principles apply whenever computer network attacks can be ascribed to a State are more than merely sporadic and isolated incidents and are either intended to cause injury, death, damage or destruction (and analogous effects), or such consequences are foreseeable.”124

Emphasis here needs to be placed on ‘consequences are foreseeable.’ Schmitt is

concerned with the consequence of a cyber attack, rather than the more difficult

120 Oxford Dictionary defines ‘bandwidth’ as “the transmission capacity of a computer network or other telecommunication system.” See Oxford Dictionaries, Bandwidth, 8 August 2011 <http://oxforddictionaries.com/definition/bandwidth>.
121 DDoS attacks thereby, are usually temporary and physically non-damaging to computer systems. See supra note 117.
122 See supra note 3 at 16.
123 United Nations, The Universal Declaration of Human Rights, 10 December 1948, 10 4 2010 <http://www.un.org/en/documents/udhr/>.
124 See supra note 89.

‘actor-based threshold’ that requires not only attribution of an actor but the

establishment of “armed force.” In the context of the arguments contended in this

paper, Schmitt’s ‘consequence-based threshold’ would apply to the aforementioned

kinetic cyber attacks with their devastating effects, but would not apply to GhostNet

type of attacks that have no “foreseeable” consequences in terms of “injury, death,

damage or destruction.” This is beneficial to the complex environment of cyber

threats that can emerge from an array of actors, not just states. Schmitt’s

‘consequence-based threshold’ then, as a corollary, reduces the militarization of cyber

space that, it will be argued, is a major threat to human rights and civil liberties.

There is one further contention to argue, in addition to Schmitt's ‘consequence-based

threshold.’ Analogous to Schmitt's paradigm, is an emerging body of customary law

that does not necessarily require the qualification of a state actor when it comes to

belligerent activity. Increasing legal precedent within international law is binding

states to the actions of non-state actors within their territory. In The Republic of

Nicaragua v. The United States of America, the International Court of Justice ruled

that the United States violated international law by supporting the Contras in their

rebellion against the Nicaraguan government.125 This set the precedent that states

were liable for the actions of non-state actors if they “executed effective control over

such actors.”126 The threshold was lowered further when, in 2001, the United States

carried out Operation Enduring Freedom against the Taliban in Afghanistan, under

the legal presumption that the Taliban was harbouring and supporting al-Qaeda.127

The United States argued it was using self-defence in accordance with international

law, in response to events of September 11.128 These legal precedents in international

law suggest that states cannot as easily use the aforementioned plausible deniability

to relinquish themselves from belligerent activity.129 Despite the advantages

articulated in Schmitt's ‘consequence-based threshold’ and customary law to

rectifying cyber war with international law, states, in the absence of an international

125 International Court of Justice, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), 27 June 1986, 5 July 2011 <http://www.icj-cij.org/docket/index.php?sum=367&code=nus&p1=3&p2=3&case=70&k=66&p3=5>.
126 See supra note 96 at 21.
127 Ibid. 21.
128 Ibid. 21.
129 The nation-state where the actor or actors are found to be working from when committing the attacks.

consensus, are demonstrating increasing 'war-like' behavior. This is leading to the

militarisation of the cyber domain and this poses a significant threat to human rights.

Militarisation of the global technological commons

Without an established international consensus on the LOAC in cyber war, the cyber

domain remains a warring and anarchical space. Ambiguities around cyber war lead

to an increase in the militarization of a shared civilian and military space. Travis

Sharp and Kristin Lord contend that

“…there is no analogous empty “space” and the activities of civil and military users are intertwined together. Non-state actors cannot flee the domain...except by unplugging and dismantling part of cyberspace itself.”130

The internet and other forms of cyber infrastructure have reached a level of ubiquity such that

society in most developed nations would be unable to function without them. Two billion

people ‘logged on’ globally and ten trillion dollars worth of electronic commerce

propagated through the internet in 2010.131 It is estimated by the end of 2010, there

will be 5.3 billion cellular subscriptions worldwide and nearly a billion subscriptions

to 3G services that allow mobile phones to gain high-speed access to the internet.132

Between 2005 and 2010 internet users globally have doubled, surpassing two billion

users.133 Half a billion people now have access to internet in their home, representing

29.5 percent of households worldwide, increasing to eighty percent in some

developed countries.134 While global dependency on cyber technologies increases,

vulnerability becomes increasingly acute. Government, emergency services, power

grids and other critical infrastructure are represented in these figures, suggesting the

severity of “unplugging” from cyber space or its militarisation. To an extent, the

130 Travis Sharp Kristin M. Lord, “Non-State Actors and Cyber Conflict,” Jason Healey Gregory J. Rattray, America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Center for a New American Security, 2011) I-II vols. 67.
131 Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in the Information Age, Volume I & II (Washington: Center for a New American Security, 2011). 24.
132 The World in 2010: ICT Facts and Figures, “Information and Communication Technology (ICT) Statistics,” 20 10 2011, International Telecommunications Union, 03 06 2011 <http://www.itu.int/ITU-D/ict/>. 5.
133 Ibid, 5.
134 Sweden, South Korea and the Netherlands all have over 80% internet access in households. Broadband access across the developed world remains low; slightly fewer than five percent, per one hundred inhabitants, have broadband and only one percent, on average, for those living on the African continent. See supra note 127.

cyber domain has already begun to be militarised. Former United States Defense

Secretary Robert Gates has escalated cyber space to be a “‘fifth domain’ of military

operations, alongside land, sea, air and space,”135 followed one year later by President

Barack Obama’s International Strategy For Cyberspace signalling the cyber domain as

a “vital national asset” that the United States reserves the right to “defend.”136

Without geographical borders, questions of the limits of sovereignty emerge.

Defending a nation-state in the cyber domain will inevitably include the global

technological commons. The United States military exercised its ‘right to defend’

during 2008, when American cyber forces shut down a suspected high-profile terrorist

website.137 Inadvertently, the military operations shut down 300 servers in the Middle

East, Germany and Texas, resulting in President Obama putting a moratorium on

these types of “network warfare” until further rules could be established.138 In another

incident, a dispute between China and the United States in the South China Sea,

resulted in the Californian power grid almost being “taken down.”139 With the rules of

cyber warfare not established, these incidents are likely to increase within the

international community of states. Continuation of these ‘war-like’ activities in the

technological commons threatens human rights and civil liberties, with no recourse to

effective international law. The United States, while a major cyber power, is not an

anomaly in approaching the technological commons as a battlefield. The United

Kingdom has also indicated the strategic importance of offensively acting in cyber

space, advancing in the first National Cyber Security Strategy, that offensive

capabilities are significant component of the county’s cyber defences.140 In June 2011,

it was reported that British intelligence officers (SIS) sabotaged an al-Qaeda online

‘webzine’ as a propaganda exercise.141 This ‘attack’ drew praise from U.S Cyber

Commander, General Keith Alexander, who argued, “…blocking the [online]

135 Misha Glenny, Who controls the internet?, 8 October 2010, 5 July 2011 <http://www.ft.com/cms/s/2/3e52897c-d0ee-11df-a426-00144feabdc0.html#axzz1VnJrbie1>. 136 The White House, International Strategy For Cyberspace: Prosperity, Security, and Openness in a Networked World, The United States of America (Washington, 2011). 12. 137 Ellen Nakashima, Pentagon considers preemptive strikes as part of cyber-defense strategy, 28 August 2010, 20 June 2011 <http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849.html>. 138 Ibid. Nakashima. 139 Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space (London: The Stationery Office (TSO), 2009). 4. 140 Ibid. 15. 141 Richard Norton-Taylor, British intelligence used cupcake recipes to ruin al-Qaida website, 2 June 2011, 24 July 2011 <http://www.guardian.co.uk/uk/2011/jun/02/british-intelligence-ruins-al-qaida-website?INTCMP=ILCNETTXT3487>.

27

magazine was a legitimate counter-terrorism target.”142 Securing the state through

proactive cyber security operations is a legitimate goal. Protecting website owners

and upholding principles of internet freedom and aforementioned U.N human rights,

freedom of speech, association and privacy, are also legitimate aims. By establishing

international “rules of engagement” and the LOAC in the cyber domain, these

competing goals can be balanced and proportionate in their application. Not all cyber

attacks are state-sponsored and thereby not all cyber security threats require a military

response. LulzSec and Anonymous hacker groups disrupted and temporary crippled a

number of high profile websites including the Central Intelligence Agency,

Mastercard and Visa, using a DDoS attack.143 These are annoyances in civil society,

but do not qualify as “acts of war” requiring a military response. Moreover, Mathias

Klang argues with qualifications, that DDoS attacks can be a form of political protest,

as he contends a form of civil disobedience or what he terms a “virtual sit-in.” 144

LulzSec and Anonymous have been argued to be exercising a new form of protest that

should be tolerated in a free society.145

142 Ibid. Norton-Taylor. 143 James Ball, By criminalising online dissent we put democracy in peril, 1 August 2011, 23 August 2011 <http://www.guardian.co.uk/commentisfree/2011/aug/01/online-dissent-democracy-hacking>. 144 Mathias Klang, “Virtual Sit-Ins, Civil Disobedience and Cyberterrorism,” Mathias Klang Andrew Murry, Human Rights in the Digital Age (London: Glasshouse Press, 2005) 1-234. It must be noted that Klang qualifies types of DDoS attacks that would constitute as civil disobedience. For example, use of botnets would not constitute as a legitimate form of civil disobedience but DDoS attacks using people and their own computers would. 145 See supra note 117.

Conclusion

This paper has explored an important academic lacuna within the discourses of human rights and cyber security. Despite national cyber security strategies on both sides of the Atlantic referencing the importance of framing security within liberties and rights, they have provided little substance on the nature of this relationship or how it is to be achieved. Moreover, a disproportionate amount of literature is aimed at strategic cyber war, rather than ways of achieving cyber peace. Within human rights, a body of research has emerged on internet freedoms but very little within a cyber security framework. It has been argued that cyber security is at the fulcrum of any discussion on human rights within the cyber domain; security and freedoms are analogous concepts. As elucidated, dependency on the cyber domain, for all the benefits it brings society, equally delivers a precarious state of vulnerability. Dependency, and its corollary of vulnerability, is a recurring theme throughout this paper; without the former there would be no cyber threat to human rights.

The arguments contended in this paper have explored three key tensions between human rights and state-implemented cyber security. First, attribution versus anonymity has advanced the tensions at the core of the debate around transparency on the internet and protection of privacy. Lack of attribution has allowed for the proliferation of malicious cyber attacks. Conversely, anonymity provides dissidents and others freedom of speech and a cascade of subsequent human rights. Bridging these prima facie goals was argued to be achievable through the proportionate and systematic application of technology, but only to a degree. Political acumen is required as well. Authoritarian regimes, as argued in the cases of Russia and China, are likely to further impart their sovereignty in the cyber domain, further limiting human rights and fragmenting the internet. The second argument advanced contended that competing cyber security norms produce uneasy tensions that challenge international human rights law and the principle of internet freedom. Cyber security norms conflict with the United Nations conventions on human rights, amongst states, and between nation-states and their citizens. Censorship, it was argued, is a concerning trend amongst all states to varying degrees. Despite Finnemore’s attempts at rectifying international cyber norms, it was contended these are severely incompatible, notably at the unilateral state level. Thirdly, the preeminent cyber security concern, cyber war, was addressed in the context of its impact on human rights. Through Schmitt’s paradigm of what constitutes cyber war, an ‘actor-based threshold’ or a ‘consequence-based threshold,’ this paper teased out the problematic characteristics of applying international human rights law to cyber war. It was argued that a ‘consequence-based threshold’ is highly advantageous over the former and that rationalising cyber war in this way provided a theoretical way of bridging the two aims of cyber war and human rights together. Lastly, it was contended that the failure to unite cyber war and international human rights law is leading to a greater militarisation of the technological commons. Militarisation of this space is at great detriment to the citizens in the ‘information societies’ who depend solely on this space in everyday life.

To conclude, from the cyber domain a variety of challenges emerge between cyber security and human rights. It has been argued that these challenges take the form of tensions between the competing social goals of security and freedom. In some instances these goals can be unified, benefiting state and citizen. In other cases, there seems to be an increasing trend toward greater cyber security at the expense of human rights. Balancing these goals is critical for information societies in the twenty-first century and will ultimately protect society from the emergence of a tyrannical cyber state or the devastating effects of cyber attacks.

Glossary

Cyberspace - an electronic medium through which information is created, transmitted, received, stored, processed, and deleted.

Cyber infrastructure - the aggregation of people, processes and systems that constitute cyberspace.

Cyber services - are a range of data exchanges in cyberspace for the direct or indirect benefit of humans.

Critical cyberspace - is cyber infrastructure and cyber services that are vital to preservation of public safety, economic stability, national security and international stability.

Critical cyber infrastructure - is the cyber infrastructure that is essential to vital services for public safety, economic stability, national security, international stability and to the sustainability and restoration of critical cyberspace.

Critical cyber services - are cyber services that are vital to preservation of public safety, economic stability, national security and international stability.

Cyber crime - the use of cyberspace for criminal purposes as defined by national or international law.

Cyber terrorism - the use of cyberspace for terrorist purposes as defined by national or international law.

Cyber conflict - a tense situation between or among nation-states or organized groups where unwelcome cyber attacks result in retaliation.

Cyber war - an escalated state of cyber conflict between or among states in which cyber attacks are carried out by state actors against cyber infrastructure as part of a military campaign
(i) Declared: that is formally declared by an authority of one of the parties.
(ii) De Facto: with the absence of a declaration.

Cyber security - is a property of cyber space that is an ability to resist intentional and unintentional threats and respond and recover.* See discussion in definitional foundations for further clarity.

Cyber warfare - cyber attacks that are authorized by state actors against cyber infrastructure in conjunction with a government campaign.

Cyber attack - an offensive use of a cyber weapon intended to harm a designated target.

Cyber counter-attack - the use of a cyber weapon intended to harm a designated target in response to an attack.

Cyber defensive countermeasure - the deployment of a specific cyber defensive capability to deflect or to redirect a cyber attack.

Cyber defense - organized capabilities to protect against, mitigate from, and rapidly recover from the effects of cyber attack.

Cyber defensive capability - a capability to effectively protect and repel against a cyber exploitation or cyber attack, that may be used as a cyber deterrent.

Cyber offensive capability - a capability to initiate a cyber attack that may be used as a cyber deterrent.

Cyber exploitation - taking advantage of an opportunity in cyber space to achieve an objective.

Cyber deterrent - a declared mechanism that is presumed effective in discouraging cyber conflict or a threatening activity in cyberspace.

Technological commons - the cyber space shared by civilians and government.

Definitional foundations

The origins of the term ‘cyber’ are found in the Greek word κυβερνητικός, meaning “skilled in steering or governing,” which influenced early usage of the word: the concept of sentient controls being administered.146 ‘Cybernetics’ was first coined and popularized by author Norbert Wiener in his book Cybernetics or Control and Communication in the Animal and the Machine, as a term used in the context of controlling ‘complex systems in the animal world;’147 the term was later appropriated by the medical community as a means to describe human or animal integration with machinery.148 More recently, the word ‘cyber’ has been used in conjunction with other words to describe the ‘other-than-physical’ virtual space and activities.149 Terms such as ‘cyberspace,’ ‘cyber warfare,’ ‘cyber security,’ ‘cyber services’ and ‘cyber infrastructure’ all fall under this recent appropriation. In the recent report Russia-U.S. Bilateral on Cybersecurity: Critical Terminology Foundations, the argument is made that incorporating the term ‘cyber’ necessitates in some way “the technological representation of information” and that this is by electronic means.150 This understanding is a useful starting point as a foundational definition in describing ‘cyber’ and its usage with other words. Building on this, Daniel T. Kuehl’s work From Cyberspace to Cyberpower: Defining the Problem defines ‘cyberspace’ or the ‘cyber domain’ as,

"a global domain within the information environment whose distinctive and unique character is framed by the use of electronics and the electromagnetic spectrum to create, store, modify, exchange, and exploit information via interdependent and interconnected networks using information-communication technologies.”151

This definition builds on the root word ‘cyber’ defined previously, incorporating the requirement of electromagnetism and the use of information technologies. It also suggests the root concept of “governing or steering” found in the original Greek meaning. To “create, store, modify or exchange” information implies human sentience.152 The implication for human rights of understanding “cyberspace” in these definitional terms is that ‘cyber conjunctions’ mean something that is a human construct or artifact. Cyber space is engineered by humans, who are bound by laws and who are capable of recognising human rights, whether those laws are domestic or international. In contrast to rival definitions, ‘cyber’ or ‘cyberspace’ is not "[t]hat intangible place between computers where information momentarily exists"..."the ethereal reality,"153 nor is it, as William Gibson famously wrote in his 1984 book Neuromancer, "a consensual hallucination."154

146 Ibid. P.20
147 Valery Yaschenko Karl, Frederick Rauscher, Russia-U.S. Bilateral on Cyber security: Critical Terminology Foundations, Worldwide Cyber security Initiative, EastWest Institute (New York: Moscow, 2011). P.20
148 Ibid. P.20
149 Ibid P.16
150 See supra note 12. During this bilateral agreement Russians posed the argument that ‘cyber’ included all information, not just electronic data – ranging from thoughts in your head to the information in books. Their argument did not win out but may prove to be more useful in the future when/if computing systems abandon their electromagnetic origins and use other forms of storing and transmitting information; biologically based or DNA computing for example. For the arguments advanced in this paper, the agreed upon definition stated above suffices.
151 Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” Stuart H. Starr, Larry K. Wentz Franklin D. Kramer, Cyberpower and national security (Washington: Potomac Books Inc, 2009) P.27
152 It could be argued that these tasks could be carried out by software with artificial intelligence. Sophisticated computer viruses carry out all the above functions stated in the definition; however, they still require human programmers to create them. It is not unimaginable that future programs will reach the level of ‘intelligence’ at which they are able to program themselves, at which point cyber terminology may need redefining.

Cyber security

‘Cyber security’ is a key term that requires attention. In the Chatham House report Cyberspace and the National Security of the United Kingdom: Threats and Responses, ‘cyber security’ is defined as “security in and from cyberspace.”155 This definition is useful in its brevity but, critically, it does not establish the nature of ‘security’. Does ‘security’ denote ‘protection’ and, if it does, does it include offensive as well as defensive methods for ensuring ‘protection’? To use an analogy, police officers may adopt the use of bullet proof vests in dangerous neighbourhoods, but they may argue that the use of firearms, to match the threat they face with offensive capabilities, is also critical to their security. This understanding of ‘cyber security,’ as a term that incorporates both aspects of protection, is most prevalent in cyber security literature.156 Taking the concept of protection suggested above into account, the Russian-U.S. bilateral agreement on critical cyber security terminology provides a useful definition, defining ‘cyber security’ as “…a property of cyberspace that is an ability to resist intentional and unintentional threats and respond and recover.”157 In the context of human rights, a ‘responsive’ cyber security policy can mitigate the impact on human rights. A cyber crime policing unit may disrupt and shut down an online paedophilia ring, thereby enforcing the UN Convention on the Rights of the Child.158 A government cyber security policy might enable the arrest of hackers who limit others’ ability to exercise freedom of speech by attacking and temporarily shutting down online services. Conversely, authoritarian regimes may use offensive cyber security measures in the opposite way.

‘Cyber security’ as argued here displays numerous characteristics: security, understood as protection, both offensive and defensive, along with placement in the broader concept of “security in and from cyberspace,” with the connotations around cyberspace defined previously. Two elements of the U.S.-Russian definition of cyber security have not yet been addressed: the words “intentional and unintentional threats” and the concept of ‘recovery’. The former will be explored during discussion of the impact of cyber threats on human rights, Problems in Cyber security and Human Rights. The latter term, ‘recover,’ is problematic in relation to a discussion around rights. ‘Recovery’ from a cyber attack might be possible in technological terms; however, if the attack has involved human rights violations, ‘recovery’ may not be satisfactory or even possible. It is not clear in the Russian-U.S. bilateral agreement what the specific meaning behind ‘recovery’ is. It will be proposed that ‘recovery’ in the context of a cyber attack that has caused human rights violations should include a ‘recovery’ in legal recourse or policy and not just a technological restoration.

Human Rights

‘Human rights,’ as with the term ‘cyber,’ is used in a sweeping number of definitions. Depending on the questions being asked, definitional meanings of human rights can vary. Central to the arguments put forward in this paper are questions surrounding the state and its administration of cyber security against cyber threats, and the implications of these for human rights. Although information within the cyber domain exists virtually, as has been argued, it is a human construct and consequently it is bound by human rights law. Given this corollary, it is appropriate that ‘human rights’ are understood within a legal framework. ‘Human rights’ and ‘human rights violations’ will be understood in the context of international and domestic human rights law, including civil liberties, which will be seen as a subsection of human rights.

153 Winn Schwartau, Information Warfare: Chaos on the Electronic Superhighway Ibid P.26
154 William Gibson, Neuromancer (New York: Ace Books, 1984). P.51
155 See supra note 2.
156 See the UK National Cyber security Strategy.
157 See supra note 13.
158 Excepting Somalia and the United States who have yet to ratify this treaty. See, Child Rights Information Network, Convention on the Rights of the Child, 21 July 2011, <http://www.crin.org/resources/treaties/CRC.asp?catName=International+Treatie>.

Human rights outside of cyberspace have been used as a “rallying cry of the homeless and the dispossessed, the political program of revolutionaries… [by] greedy consumers of goods and culture [and] … the pleasure-seekers and playboys of the Western world,”159 and are now finding their representation in the cyber domain.

Overview of Internet Censorship160

Internet censorship and content restrictions can be enacted through a number of different strategies which we describe below. Internet filtering normally refers to the technical approaches to control access to information on the Internet, as embodied in the first two of the four approaches described below.

1) Technical blocking
There are three commonly used techniques to block access to Internet sites: IP blocking, DNS tampering, and URL blocking using a proxy. These techniques are used to block access to specific WebPages, domains, or IP addresses. These methods are most frequently used where direct jurisdiction or control over websites are beyond the reach of authorities. Keyword blocking, which blocks access to websites based on the words found in URLs or blocks searches involving blacklisted terms, is a more advanced technique that a growing number of countries are employing. Filtering based on dynamic content analysis—effectively reading the content of requested websites—though theoretically possible, has not been observed in our research. Denial of service attacks produce the same end result as other technical blocking techniques—blocking access to certain websites—carried out through indirect means.

2) Search result removals
In several instances, companies that provide Internet search services cooperate with governments to omit illegal or undesirable websites from search results. Rather than blocking access to the targeted sites, this strategy makes finding the sites more difficult.

3) Take-down
Where regulators have direct access to and legal jurisdiction over web content hosts, the simplest strategy is to demand the removal of websites with inappropriate or illegal content. In several countries, a cease and desist notice sent from one private party to another, with the threat of subsequent legal action, is enough to convince web hosts to take down websites with sensitive content. Where authorities have control of domain name servers, officials can deregister a domain that is hosting restricted content, making the website invisible to the browsers of users seeking to access the site.

4) Induced self-censorship
Another common and effective strategy to limit exposure to Internet content is by encouraging self-censorship both in browsing habits and in choosing content to post online. This may take place through the threat of legal action, the promotion of social norms, or informal methods of intimidation. Arrest and detention related to Internet offenses, or on unrelated charges, have been used in many instances to induce compliance with Internet content restrictions. In many cases, the content restrictions are neither spoken nor written. The perception that the government is engaged in the surveillance and monitoring of Internet activity, whether accurate or not, provides another strong incentive to avoid posting material or visiting sites that might draw the attention of authorities.

Points of Control

Internet filtration can occur at any or all of the following four nodes in network:

1) Internet backbone
State-directed implementation of national content filtering schemes and blocking technologies may be carried out at the backbone level, affecting Internet access throughout an entire country. This is often carried out at the international gateway.

2) Internet Service Providers
Government-mandated filtering is most commonly implemented by Internet Service Providers (ISPs) using any one or combination of the technical filtering techniques mentioned above.

3) Institutions
Filtering of institutional level networks using technical blocking and/or induced self-censorship occurs in companies, government organizations, schools and cybercafés. In some countries, this takes place at the behest of the government. More commonly, institutional-level filtering is carried out to meet the internal objectives of the institution such as preventing the recreational use of workplace computers.

4) Individual computers
Home or individual computer level filtering can be achieved through the installation of filtering software that restricts an individual computer’s ability to access certain sites.

Countries have been known to order filtering at all of these levels, whether setting up filtration systems at the international gateway to eliminate access to content throughout the entire country, instructing ISPs to block access to certain sites, obligating schools to filter their networks, or requiring libraries to install filtration software on each individual computer they provide.

Filtering's Inherent Flaws

Filtering technologies, however, are prone to two simple inherent flaws: underblocking and overblocking. While technologies can be effective at blocking specific content such as high profile web sites, current technology is not able to accurately identify and target specific categories of content found on the billions of webpages and other Internet media including news groups, email lists, chat rooms and instant messaging. Underblocking refers to the failure of filtering to block access to all the content targeted for censorship. On the other hand, filtering technologies often block content they do not intend to block, also known as overblocking. Many blacklists are generated through a combination of manually designated web sites as well as automated searches and, thus, often contain websites that have been incorrectly classified. In addition, blunt filtering methods such as IP blocking can knock out large swaths of acceptable websites simply because they are hosted on the same IP address as a site with restricted content.

The profusion of Internet content means that Internet filtering regimes that hope to comprehensively block access to certain types of content must rely on software providers with automated content identification methods. This effectively puts control over access in the hands of private corporations that are not subject to the standards of review common in government mandates. In addition, because the filters are often proprietary, there is often no transparency in terms of the labeling and restricting of sites. The danger is most explicit when the corporations that produce content filtering technology work alongside undemocratic regimes in order to set-up nationwide content filtering schemes. Most states that implement content filtering and blocking augment commercially generated blocklists with customized lists that focus on topics and organizations that are nation or language-specific.

159 Costas Douzinas, The End of Human Rights: Critical Legal Thought at the Turn of the Century (Oxford and Portland: Hart Publishing, 2000). P.1
160 This content is taken from the OpenNet Initiative, About Filtering, 05 June 2011 <http://opennet.net/about-filtering>.
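The overblocking and underblocking described in the filtering overview can be measured by running each technical blocking technique over the same set of pages. The following Python sketch is an added illustration, not part of the paper or of the OpenNet Initiative text; every hostname, IP address and URL is constructed (reserved example ranges), and all function names are hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Page:
    url: str
    ip: str         # address the host resolves to (constructed)
    targeted: bool  # True if the censor means to block this page


# Constructed sample. Shared hosting puts unrelated sites on one address.
PAGES = [
    Page("http://banned-news.example/politics/report", "192.0.2.10", True),
    Page("http://banned-news.example/sport/scores", "192.0.2.10", False),
    Page("http://recipes.example/cupcakes", "192.0.2.10", False),
    Page("http://clinic.example/opening-hours", "192.0.2.10", False),
    Page("http://mirror.example/politics/report-copy", "198.51.100.7", True),
    Page("http://library.example/history/protest-movements", "203.0.113.5", False),
    Page("http://forum.example/thread/protest-plans", "203.0.113.9", True),
]


def ip_block(blocked_ips):
    """IP blocking: drops everything hosted on a listed address."""
    return lambda page: page.ip in blocked_ips


def dns_block(blocked_domains):
    """DNS tampering: the whole hostname stops resolving."""
    return lambda page: urlsplit(page.url).hostname in blocked_domains


def url_block(blocked_urls):
    """URL blocking at a proxy: only exact listed URLs are refused."""
    return lambda page: page.url in blocked_urls


def keyword_block(keywords):
    """Keyword blocking: refuses any URL containing a listed word."""
    return lambda page: any(k in page.url.lower() for k in keywords)


def any_of(*filters):
    """Stacked filters: a page is blocked if any single filter blocks it."""
    return lambda page: any(f(page) for f in filters)


def evaluate(is_blocked, pages=PAGES):
    """Return which pages a filter overblocks and underblocks, with rates."""
    over = [p.url for p in pages if is_blocked(p) and not p.targeted]
    under = [p.url for p in pages if p.targeted and not is_blocked(p)]
    allowed_total = sum(not p.targeted for p in pages)
    targeted_total = sum(p.targeted for p in pages)
    return {
        "overblocked": over,
        "underblocked": under,
        "overblock_rate": round(len(over) / allowed_total, 2),
        "underblock_rate": round(len(under) / targeted_total, 2),
    }


def compare():
    """Evaluate each technique against the same constructed page set."""
    target = "http://banned-news.example/politics/report"
    techniques = {
        "ip": ip_block({"192.0.2.10"}),
        "dns": dns_block({"banned-news.example"}),
        "url": url_block({target}),
        "keyword": keyword_block({"protest"}),
    }
    techniques["ip+keyword"] = any_of(techniques["ip"], techniques["keyword"])
    return {name: evaluate(f) for name, f in techniques.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result["overblock_rate"], result["underblock_rate"])
```

On this sample, coarser techniques overblock more while every single-list technique misses the unlisted mirror; stacking filters lowers underblocking only by accumulating each filter's overblocking.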

Bibliography

2010 Foundation Index. “Technology: 2010 Shift Index Measuring the forces of long-term change.” 01 01 2011. Deloitte. <http://www.deloitte.com/view/en_US/us/Industries/technology/ed1096761a34b210VgnVCM2000001b56f00aRCRD.htm>.

International Committee of the Red Cross. Convention (IV) relative to the Protection of Civilian Persons in Time of War. 27, Article. 12 August 1949. 20 June 2011 <http://www.icrc.org/ihl.nsf/385ec082b509e76c41256739003e636d/6756482d86146898c125641e004aa3c5>.

Ansfield, Jonathan. China Web Sites Seeking Users’ Names. 05 September 2009. 02 June 2011 <http://www.nytimes.com/2009/09/06/world/asia/06chinanet.html?pagewanted=1&hp>.

Arrest over social network site damage incitement. 14 August 2011. 17 August 2011 <http://www.bbc.co.uk/news/uk-england-tyne-14521031>.

Ball, James. By criminalising online dissent we put democracy in peril. 1 August 2011. 23 August 2011 <http://www.guardian.co.uk/commentisfree/2011/aug/01/online-dissent-democracy-hacking>.

Batty, David. LulzSec hackers claim breach of CIA website. 16 June 2011. 2 July 2011 <http://www.guardian.co.uk/technology/2011/jun/16/cia-website-lulzsec-hackers>.

Berners-Lee, Tim. Long Live the Web: A Call for Continued Open Standards and Neutrality. 22 November 2010. 04 April 2011 <http://www.scientificamerican.com/article.cfm?id=long-live-the-web>.

Blank, Stephen. “Web War I: Is Europe's First Information War a New Kind of War?” Comparative Strategy 27.3 (2008): 227-247.

British Broadcast Corporation. England riots: Government mulls social media controls. 11 August 2011. 15 August 2011 <http://www.bbc.co.uk/news/technology-14493497>.

British Broadcast Corporation. US Pentagon to treat cyber-attacks as 'acts of war'. 1 June 2011. 12 June 2011 <http://www.bbc.co.uk/news/world-us-canada-13614125>.

Catherine A. Theohary, John Rollins. Terrorist Use of the Internet: Information Operations in Cyberspace. Report for Congress. Congressional Research Service. Washington, 2011.

Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space. London: The Stationery Office (TSO), 2009.

David A. Gross, Nova J. Daly, M. Ethan Lucarelli, Roger H. Miksad. “Cyber Security Governance: Existing Structures, International Approaches and the Private Sector.” America’s Cyber Future: Security and Prosperity in the Information Age. Vol. II. Washington: Center for a New American Security, 2011. I-II vols.

David D. Clark, Susan Landau. “Untangling Attribution.” Harvard National Security Journal 2 (2011): 1-30.

Detica and the Office of Cyber Security and Information Assurance in the U.K. Cabinet Office. The Cost of Cyber Crime. London, 2011.

Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul. Cyber Attacks Against Georgia: Legal Lessons Identified. NATO. Tallinn: Cooperative Cyber Defence Centre of Excellence, 2008.

Espionage Report: Merkel's China Visit Marred by Hacking Allegations. 27 August 2007. 04 March 2011 <http://www.spiegel.de/international/world/0,1518,502169,00.html>.

The World in 2010: ICT Facts and Figures. “Information and Communication Technology (ICT) Statistics.” 20 10 2011. International Telecommunications Union. 03 06 2011 <http://www.itu.int/ITU-D/ict/>.

Finnemore, Martha. “Cultivating International Cyber Norms.” Kristin M. Lord, Travis Sharp. America’s Cyber Future: Security and Prosperity in the Information Age. Vol. II. Washington: Center for a New American Security, 2011. I-II vols.

Geer, Daniel E. “How Government Can Access Innovative Technology.” America’s Cyber Future: Security and Prosperity in the Information Age. Vol. II. Washington: Center for a New American Security, 2011. I-II vols. 185-200.

Glenny, Misha. Who controls the internet? 8 October 2010. 5 July 2011 <http://www.ft.com/cms/s/2/3e52897c-d0ee-11df-a426-00144feabdc0.html#axzz1VnJrbie1>.

Guardian. Oyster data use rises in crime clampdown. 13 March 2006. 05 April 2011 <http://www.guardian.co.uk/technology/2006/mar/13/news.freedomofinformation>.

Hughes, Rex. “Towards a Global Regime for Cyber Warfare.” Czosseck, C., Geers, K. The Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, 2009. 106-116.

IISS Strategic Comments. Stuxnet: targeting Iran’s nuclear programme. Volume 17, Comment 6. The International Institute For Strategic Studies. London, 2011.

International Committee of the Red Cross. Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field. 12 August 1949. 8 June 2011 <http://www.icrc.org/ihl.nsf/COM/365-570005?OpenDocument>.

International Committee of the Red Cross. Protocol for the Prohibition of the Use of Asphyxiating, Poisonous or Other Gases, and of Bacteriological Methods of Warfare. 8 February 1928. 04 May 2011 <http://www.icrc.org/ihl.nsf/intro/280>.

International Court of Justice. Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America). 27 June 1986. 5 July 2011 <http://www.icj-cij.org/docket/index.php?sum=367&code=nus&p1=3&p2=3&case=70&k=66&p3=5>.

OpenNet Initiative. Italy: Internet Surveillance. 05 December 2010. 07 June 2011 <http://opennet.net/research/profiles/italy>.

Karl Frederick Rauscher, Andrey Korotkov. Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace. EastWest Institute. New York, 2011.

Karl Frederick Rauscher, Valery Yaschenko. Russia-U.S. Bilateral on Cybersecurity: Critical Terminology Foundations. Worldwide Cybersecurity Initiative. EastWest Institute. New York, 2011.

Klang, Mathias. “Virtual Sit-Ins, Civil Disobedience and Cyberterrorism.” Andrew Murry, Mathias Klang. Human Rights in the Digital Age. London: Glasshouse Press, 2005. 1-234.

Kristin M. Lord, Travis Sharp. “Non-State Actors and Cyber Conflict.” Gregory J. Rattray, Jason Healey. America’s Cyber Future: Security and Prosperity in the Information Age. Vol. II. Washington: Center for a New American Security, 2011. I-II vols. 67-84.

Lewis, James Andrew. Cyber Attacks, Real or Imagined, and Cyber War. 11 July 2011. 27 July 2011 <http://csis.org/publication/cyber-attacks-real-or-imagined-and-cyber-war>.

Libicki, Martin C. Cyberdeterrence and Cyberwar. Monograph. RAND Corporation. Santa Monica: RAND, 2009.

MacKinnon, Rebecca. “China’s ‘Networked Authoritarianism’.” Journal of Democracy (2011): 32-46.

Martinez, Jennifer. Feds want new ways to tap the Web. 7 March 2011. 26 April 2011 <http://www.politico.com/news/stories/0311/50755.html>.

Michael Evans, Daniel McGrory. Terrorists trained in Western methods will leave few clues. 12 July 2005. 22 May 2011 <http://www.timesonline.co.uk/tol/news/uk/article543004.ece>.

Mills, Elinor. Study: Cybercrime cost firms $1 trillion globally. 28 January 2009. 08 March 2011 <http://news.cnet.com/8301-1009_3-10152246-83.html>.

Nakashima, Ellen. Pentagon considers preemptive strikes as part of cyber-defense strategy. 28 August 2010. 20 June 2011 <http://www.washingtonpost.com/wp-dyn/content/article/2010/08/28/AR2010082803849.html>.

Nazario, Jose. “Politically Motivated Denial of Service Attacks.” Christian Czosseck, Kenneth Geers. The Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, 2009. 328.

New York Times. Latest Developments: Facebook. 06 July 2011. 10 July 2011 <http://topics.nytimes.com/top/news/business/companies/facebook_inc/index.html>.

New York Times. Spy chief in Britain accuses China of cyber crime. 2 December 2007. 1 June 2011 <http://www.nytimes.com/2007/12/02/world/europe/02iht-cyber.1.8557238.html>.

Norton-Taylor, Richard. British intelligence used cupcake recipes to ruin al-Qaida website. 2 June 2011. 24 July 2011 <http://www.guardian.co.uk/uk/2011/jun/02/british-intelligence-ruins-al-qaida-website?INTCMP=ILCNETTXT3487>.

Nye, Joseph S. “Power and National Security in Cyberspace.” America’s Cyber Future. Vol. II. Washington: Center for a New American Security, 2011.

Omand, David. Securing the State. London: Hurst & Company, 2010.

OpenNet Initiative. China: regional profiles. 15 June 2009. 11 July 2011 <http://opennet.net/research/profiles/china>.

OpenNet Initiative. Russia. 19 December 2010. 21 January 2011 <http://opennet.net/research/profiles/russia>.

OpenNet Initiative. YouTube Censored: A Recent History. 02 August 2011 <http://opennet.net/youtube-censored-a-recent-history>.

Oxford Dictionaries. Bandwidth. 8 August 2011 <http://oxforddictionaries.com/definition/bandwidth>.

Paul Cornish, David Livingstone, Dave Clemente, Claire Yorke. On Cyber Warfare. The Royal Institute of International Affairs. London: Latimer Trend and Co Ltd, 2010.

Paul Cornish, Rex Hughes, David Livingstone. Cyberspace and the National Security of the United Kingdom: Threats and Responses. A Chatham House Report. Royal Institute of International Affairs. London, 2009.

Peter Sommer, Ian Brown. Future Global Shocks: Reducing Systemic Cybersecurity Risk. OECD/IFP. London School of Economics and Oxford University. London: OECD, 2011.

Plunkett, Debora. “The Atlantic’s and Government Executive’s First Annual Cybersecurity Forum.” Washington, 2010.

Popper, Karl. The Open Society and Its Enemies. Vol. 1. Routledge, 1945.

Reporters Without Borders. “The Enemies of the Internet.” 12 March 2011. World day against cyber-censorship. 08 August 2011 <http://march12.rsf.org/en/#ccenemies>.

Reuters. Arab Web clampdown hurts own economies: Google's Schmidt. 26 May 2011. 24 June 2011 <http://www.reuters.com/article/2011/05/26/us-g8-google-arab-idUSTRE74P4EO20110526>.

Richard Clarke, Robert Knake. Cyber War. New York: HarperCollins, 2010.

Richard Fontaine, Will Rogers. “Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security.” Kristin M. Lord, Travis Sharp. America’s Cyber Future: Security and Prosperity in the Information Age. Vol. II. Washington: Center for a New American Security, 2011. I-II vols.

Rohozinski, Rafal. Tracking GhostNet: Investigating a Cyber Espionage Network. Munk Centre for International Studies. Toronto: Information Warfare Monitor, 2009.

Schmitt, Michael N. “Wired warfare: Computer network attack and jus in bello.” International Review of the Red Cross 84.846 (2010): 365-399.

Singel, Ryan. Cyberwar Commander Survives Senate Hearing. 15 April 2010. 23 June 2011 <http://www.wired.com/threatlevel/2010/04/cyberwar-commander/>.

Symantec. “Symantec Global Internet Security Threat Report: Trends for 2009.” Volume XV, 2010.

The Economist. The meaning of Stuxnet. 2 October 2010. 25 May 2011 <http://www.economist.com/node/17147862>.

The Economist. War in the fifth domain. 1 June 2010. 26 May 2011 <http://www.economist.com/node/16478792>.

The White House. International Strategy For Cyberspace: Prosperity, Security, and Openness in a Networked World. The United States of America. Washington, 2011.

Tran, Tini. Activist Michael Anti Furious He Lost Facebook Account--While Zuckerberg's Dog Has Own Page. 03 March 2011. 23 April 2011 <http://www.huffingtonpost.com/2011/03/08/michael-anti-facebook_n_832771.html>.

United Nations. Charter of the United Nations: Chapter II Membership. 22 June 2011 <http://www.un.org/en/documents/charter/chapter2.shtml>.

—. “International Covenant on Civil and Political Rights.” 16 December 1966. 03 March 2011 <http://www2.ohchr.org/english/law/ccpr.htm>.

—. The Universal Declaration of Human Rights. 10 December 1948. 10 4 2010 <http://www.un.org/en/documents/udhr/>.

Walker, Jeffrey K. “The demise of the nation-state, the dawn of new paradigm warfare, and a future for the profession of arms.” Air Force Law Review (2001): 51.

Wesley K. Clark, Peter L. Levin. “Securing the Information Highway: How to Enhance the United States' Electronic Defenses.” Foreign Affairs 88.6 (2009): 2-10.

Wilmshurst, Elizabeth. Definition of Aggression General Assembly resolution 3314 (XXIX). 24 June 2011. <http://untreaty.un.org/cod/avl/ha/da/da.html>.

Wired. Cyberwar Hype Intended to Destroy the Open Internet. 01 March 2010. 03 December 2011 <http://www.wired.com/threatlevel/2010/03/cyber-war-hype/>.

York, Jillian C. Syria's electronic army. 15 August 2011. 16 August 2011 <http://english.aljazeera.net/indepth/opinion/2011/08/201181191530456997.html>.

Zetter, Kim. How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History. 2011 July 2011. 04 August 2011 <http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1>.
