China, International Law, and Cyberspace
In a speech two weeks ago, Harold Koh stated that the United States government believes that cyberattacks can amount to armed attacks and are subject to international law. “International law principles do apply in cyberspace,” said Koh. “Cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force.” Self-defense, proportionality, neutrality, and distinction should all apply in cyberspace, though there remain questions and ambiguities about defining the use of force, distinguishing between military and civilian-use networks, and the continuing problem of attribution.
This is not the first time the United States has made such an announcement—in 2004, for example, the U.S. and UK declared in a submission to the UN Secretary General that international humanitarian law covered the use of information and communication technologies. But as the New York Times noted, the speech is part of a greater willingness of the administration to speak about offensive cyber capabilities.
In his speech, Koh also noted that this view is not “universal”:
At least one country has questioned whether existing bodies of international law apply to the cutting edge issues presented by the Internet. Some have also said that existing international law is not up to the task, and that we need entirely new treaties to impose a unique set of rules on cyberspace.
China appears to be both “at least one country” and among the “some” who think new treaties are necessary. Given Chinese concerns about the free flow of information, Beijing’s opposition to the U.S. position stems in part because the focus is too narrow. The International Code of Conduct for Information Security, submitted to the UN by China and Russia along with Tajikistan and Uzbekistan, is much more expansive, allowing countries room to interpret the spread of rumors, gossip, and other malicious information through the use of communication technologies as a security threat. In addition, through the Shanghai Cooperation Organization, Beijing has suggested that a new treaty is needed to “curb proliferation and use of information weapons . . .”
Some Chinese analysts see extreme difficulties in applying the Law of Armed Conflict (LOAC) to new a domain. For example, Shi Haiming, a researcher at the National University of Defense Technology, argues that LOAC is not applicable because: cyberattacks, despite being acts of "aggression", do not threaten territorial integrity or sovereignty; there can be no neutrality in cyberspace since attacks would undoubtedly transit through neutral countries networks; it is impossible to distinguish between civilian and military assets; and the proportionality requirement is much more difficult in cyberspace because of the expanse and penetration of the Internet and the difficulty in containing unintended effects of attacks.
A failure to agree on these norms is destabilizing. One country may see its action as permissible, the other as an act of war. It is unclear how wedded Beijing is to its opposition to cyber and LOAC, and we could begin to see some modification of the Chinese position. Wang Tianlong of the China Center for International Economic Exchanges writing in the Shanghai Securities News last week argued “we should study the feasibility of applying the principles of the Law of Armed Conflict to cyberspace and push for the formulation of a code of conduct for cyberconflict.”
The United States has certainly upped its rhetorical pressure on China over the last year. The more open discussion of offensive cyber has been accompanied by the increasing number of U.S. government officials naming and shaming Chinese hackers (the most recent is Rear Admiral Samuel Cox stating that the pace of attack was actually increasing). Secretary Clinton and Secretary Panetta both raised cyber with their Chinese counterparts during recent meetings.
The most important driver may be that Beijing could soon find itself isolated. Russia has been much more receptive to discussing how LOAC applies to cyber, and has been less adamant about the International Code of Conduct in multilateral meetings recently. The United States needs to keep engaging Beijing on this issue, but, as with so many issues, it is likely to get better traction with China by scheduling more meetings in other countries’ capitals.