As the cyber domain is more active, and actively exploited, from around the world, experts in the cyber and international legal community believe that rightful authority in cyberspace will be an issue to be reckoned with in the near future.
“I think one of the next big areas that we need to look at is what is the meaning of ‘sovereignty’ in cyberspace,” Emily Goldman, a member of the Policy Planning Staff at the Department of State, leading the cyber and emerging technology portfolios, said at CyberCon Nov. 12.
Sovereignty — the notion that the affairs and entities within a territory are solely the business of that territory and no one outside — becomes far more complex when there are no physical lines. Complicating matters further, the digital domain allows for activity that impacts networks within recognized lands to take place remotely and in many cases undetected, unlike a massing of troops that threatens to forcefully penetrate an established border.
Goldman highlighted positions taken by key U.S. allies within the last year, adding the United States has not officially taken one yet.
The British attorney general acknowledged in May 2018 that a cyber operation, no matter how hostile, never violates sovereignty and the French outlined in September 2019 that remote cyber operations that cause effects are a violation of sovereignty.
International legal experts have expressed in the past that the British position potentially limits their ability to name and shame malicious actors for taking actions in cyberspace that may go against collectively agreed upon behavior. If Britain believes that there is no such thing as sovereignty in cyberspace, they have no credibility calling out others for similar actions, experts assert.
“This is something that is going to influence how seamlessly we can operate with our partners in a space that is inherently seamless and integrated even though we as political units and as geographic units are very segmented,” Goldman said.
Some in the U.S. military community also believe that diverging views on sovereignty can limit coordination.
“Sovereignty, we had significant diverging viewpoints … and I think that’s going to limit the number of countries that we are going to coordinate operate with for quite some time,” David Bailey, senior national security law advisor for Army Cyber Command, said at the CyCon U.S. conference in Arlington Nov. 19, noting that some inroads have been made with some nations.
“In my mind, at least as an operational attorney at the more tactical operational level, the idea of blue, gray and red space — in other words, our space, the in between space and then the adversary space — is increasingly irrelevant given the way that we operate … It’s like a soccer game. It’s always moving everywhere.”
Part of the problem is that the cyber domain is still so new the international community is still hashing out definitions and courses of action.
“In our world of cyberspace operations, we can’t even agree on what a use of force is … a tremendously important concept to us, but there’s no good definition,” Baily said. “We do have some statements from the United States in terms of public statements by our Department of State legal advisors Harold Koh and Brian Egan over the course of several years, which purport to lay out what the U.S. government thinks about these issues and use of force, but, again, no agreed definition or framework yet.”
Even on the operational front, the United States is still figuring things out.
“In our space, in CYBERCOM, there’s a lot that’s yet to be established. For most of the domains, you have thousands of years and millions of warriors contributing to the lessons that you’re now learning in your classes. We don’t have that in cyberspace,” Lt. Col. Kurt Sanger, chief judge advocate for national security law at U.S. Cyber Command, said at CyCon U.S.
Sanger described some of the challenges of the legal office at Cyber Command that don’t necessarily extend to the other combatant commands or domains of warfare. In one example, kept intentionally vague, he said the team determined action was absolutely legal under domestic and international law and Department of Defense regulations, but the question was raised how was the action different than what Russia or China is doing.
“That 100 mile-an-hour conversation ground to a halt. And, ultimately, that question was raised to our general officers. They took it incredibly seriously and it ended up shaping the way we conducted business at an operational standpoint,” Sanger said.
The United States and ‘defend forward’
In terms of U.S. policy, the directive from the Department of Defense to “defend forward,” described as getting as close to adversaries as possible to see what they’re planning as a means of informing others to prepare or take action themselves, has raised some eyebrows overseas.
This is the story of how, in two short years, a new cybersecurity strategy has forced the national security community to rethink cyber operations and how "persistent engagment" will work.
Massimiliano Signoretti, NATO Cooperative Cyber Defence Centre of Excellence office of the staff judge advocate, speaking at CyCon U.S., explained that the notion of positioning in adversary networks is difficult to square with sovereignty. He pointed to the French position that any penetration of French networks is considered a violation of sovereignty.
However, U.S. officials have tried to explain that defend forward is no different than what DoD has always done.
U.S. Cyber Command is using new authorities to gain insights and access to foreign networks to help better inform defense.
“Defending forward … it may sound like it’s more aggressive, but from a military standpoint, that is really only true if you do not link it to the way we have been conducting business, what our priorities have been in the past,” Sanger said.
Others described that the concept is largely defensive in nature.
“I think one of the misnomers is that defend forward is an aggressive and offensive strategy. Really, at the strategic level, it’s an inherently defensive one,” Erica Borghard, a professor at West Point and member of the U.S. Cyberspace Solarium Commission examining the issue of defend forward, said Nov. 20 at CyCon U.S. “The strategic objective of defend forward is to defend those critical parts of our economy and national security that are being corrosively threatened by this malicious” cyber threat.
While there are offensive elements to it, Borghard acknowledged that there needs to be a better job communicating to allies and partners what it is and what it seeks to achieve.
“It is a new concept for U.S. government for cyberspace, but forward defense has longstanding historical roots,” she said. “I think, especially, when the U.S. government communicates with allies and partners about what defend forward is and what it means, we need to do a better job of situating it in historical context. We did forward defense during the Cold War. It was an essential aspect of our extended deterrence and how we worked with NATO.”