Cyber conflict may not be new, but it is far from old. And as with any other major, disruptive global trend, there are vexing questions on which traditional international norms still apply, whether they apply but with modifications, or whether entirely new norms must be invented.
One of the most important norms has been for states to be able to remain neutral in response to international conflict, with rights and responsibilities guaranteed by the Hague Convention. Because of the nature of cyber conflict, such legal norm may be less useful than a modified norm of political neutrality.
The Internet protocols themselves route cyber attacks through any number of neutral countries, cyber conflicts are usually not so destructive to obviously trigger international law, and the identity or nationality of the belligerents may not be obvious.
Nations might (and probably should) accordingly come under political pressure to take reasonable steps to stop cyber attacks, regardless of whether or not it is a formal treaty obligation.
This paper explores this issue and ways a nation may be less than neutral, tying this to a ten-point spectrum of state responsibility to help determine just how responsible a nation might be in a cyber conflict. To illustrate potential new norms in action, the paper then describes a notional cyber conflict which shows how the nations’ rights and responsibilities are influenced by the four factors of severity, obviousness, “stoppability”, and duration.
The paper concludes with a short section on the commercial neutrality during cyber-conflict, given the critical role that the private sector has played in the creation and operation of cyberspace.
Read all the paper: