The Demilitarisation of Cyber Conflict
The debate about state behaviour in cyberspace may be set in the wrong legal key.
- Sergei Boeke & Dennis Broeders
- 20 November 2018
- Taylor & Francis online
Speculation over cyber war has moved beyond its initial poles of doomsday and dismissal. Some argued that ‘cybergeddon’ or a digital Pearl Harbor was looming, others that cyber war had never occurred and probably never would. The front line of the debate has since shifted to whether or not cyberspace has become militarised, if deterrence is possible in cyberspace, and, if the security dilemma applies, how it can be mitigated. In strategic studies, the debate focuses on whether cyber conflict reaches Clausewitzean thresholds of violence and damage. Legal scholars – for example through the Tallinn process – are attempting to define when cyber operations reach the level of an ‘armed attack’ and ‘the use of force’, triggering conventional legal reasoning under the framework of the Law of Armed Conflict. While states have agreed – some with regret – that international law applies in the digital world as it does in the offline one, there is no agreement on how. The last round of the United Nations Group of Governmental Experts failed to provide a consensus report in 2017, stalling the process to establish norms of responsible state behaviour in cyberspace. Both the academic debate on cyber conflict and the international policy process to agree to ‘rules of the road’ are nonetheless built on the same premise: that cyber operations fall under the normative and legal frameworks regulating military conduct during war and peace.
There are, however, good reasons to believe that the frameworks presumed applicable to cyber conflict are actually a bad fit. Two developments support the thesis that the militarisation of cyberspace may actually be the result of a demilitarisation of cyber conflict, as the main actors in cyber conflict are not actually military actors. Both the dominant role of foreign-intelligence and security agencies (as opposed to military actors) in cyber operations, and the use of proxies (either private contractors or other non-state actors) in cyber conflict, illustrate that, in practice, cyber conflict largely takes place outside the parameters of international humanitarian law. Other principles of international law still apply to interventions by intelligence services and proxies below the threshold of armed conflict. International law writ large is silent on espionage, but not on covert paramilitary actions or clandestine intelligence activities with disruptive effects. Many states use proxies precisely to render their potentially illegal actions deniable. Nevertheless, if state practice, both directly and indirectly, indicates that there are non-military actors and legal gaps in the cyber domain, the international debate about state behaviour in cyberspace may at least partially be set in the wrong legal key.