p. vContents

• List of figures ix

• List of tables x

• About the author xi

• Preface xiii

• Post script xvi

• List of abbreviations xvii

1. PART IBACKGROUND FOR CYBERSECURITY LAW
   1. 1Introduction: Cybersecurity and cybersecurity law 2
      1. 1.1Defining cybersecurity 2
      2. 1.2Cybersecurity law: Overview of the book 6
   1. 2Cyberspace, security, and law 11
      1. 2.1What is ‘security’ in ‘cyberspace’? 11
         1. 2.1.1What is the ‘internet’? 11
         2. 2.1.2What is ‘cyberspace’? 13
         3. 2.1.3What is ‘security’? 14
      2. 2.2What is internet governance? 17
      3. 2.3What is cybersecurity governance? 21
      4. 2.4What is the role of law in cybersecurity governance? 23
         1. 2.4.1The functions of law and technological change 23
         2. 2.4.2Domestic law and cybersecurity governance 24
         3. 2.4.3International law and cybersecurity governance 25

1. PART IIp. viCYBERSECURITY AND NON-STATE ACTORS: CRIME AND TERRORISM IN CYBERSPACE
   1. 3Cybercrime 30
      1. 3.1The cybercrime problem 30
      2. 3.2Cybercrime and domestic law 32
         1. 3.2.1Jurisdictional issues 33
         2. 3.2.2Substantive criminal law 34
         3. 3.2.3Criminal procedure and law-enforcement access to electronic data and communications 36
         4. 3.2.4Law enforcement, encryption, and ‘going dark’ 37
         5. 3.2.5‘Harden the target’ and ‘hacking back’: Cyber defence and cyber deterrence 39
      3. 3.3Cybercrime and international law 41
         1. 3.3.1Sovereignty, non-intervention, and jurisdiction to prescribe and enforce law 41
         2. 3.3.2Extradition and mutual legal assistance treaties 42
         3. 3.3.3Harmonizing domestic law and facilitating law-enforcement cooperation through cybercrime treaties 45
         4. 3.3.4International law and cybercrime: Cyber defence and cyber deterrence 49
   1. 4Cyber terrorism 55
      1. 4.1The cyber terrorism problem 55
      2. 4.2Cyber terrorism and criminal law 57
         1. 4.2.1Criminalizing acts of, support for, and glorification and incitement of terrorism 57
         2. 4.2.2International law and the criminalization of terrorism 60
         3. 4.2.3Criminal law, terrorism, and cyber terrorism 65
      3. 4.3Protecting critical infrastructure from terrorism 66
         1. 4.3.1Critical-infrastructure protection and domestic law 66
         2. 4.3.2Critical-infrastructure protection and international law 67
      4. 4.4Counterterrorism, electronic surveillance, and cybersecurity 69
         1. 4.4.1p. viiCounterterrorism, electronic surveillance, and domestic law 69
         2. 4.4.2Counterterrorism, electronic surveillance, and international law 72
      5. 4.5International law and state responsibility for combating terrorism 74

1. PART IIICYBERSECURITY AND STATE ACTORS: ESPIONAGE AND WAR IN CYBERSPACE
   1. 5Cyber espionage 78
      1. 5.1The cyber espionage problem 79
      2. 5.2Cyber espionage and international law 81
         1. 5.2.1The traditional approach to espionage under international law 81
         2. 5.2.2Cyber espionage and rethinking the traditional approach to espionage under international law 82
         3. 5.2.3Cyber espionage, economic cyber espionage, and the extraterritorial application of international law 84
      3. 5.3Domestic law and cyber espionage 90
         1. 5.3.1Conducting cyber espionage 91
         2. 5.3.2Defending against cyber espionage 93
         3. 5.3.3Balancing cyber offence and defence: The zero-day vulnerability problem 98
      4. 5.4Beyond cyber espionage: Covert cyber operations 101
   1. 6Cyber war 104
      1. 6.1The cyber war problem 105
      2. 6.2Going to war in cyberspace: Domestic law and war powers 108
         1. 6.2.1Stuxnet as a case study 109
         2. 6.2.2War powers in domestic law 110
      3. 6.3Going to war in cyberspace: International law on the use of force 112
         1. 6.3.1p. viiiThe prohibition of the use of force and the right to use force in self-defence 112
         2. 6.3.2Determining what is a ‘use of force’ and an ‘armed attack’ 114
         3. 6.3.3Responding to a use of force or an armed attack 116
         4. 6.3.4Anticipatory self-defence 117
         5. 6.3.5The principles on state responsibility 119
         6. 6.3.6The act and crime of aggression 120
         7. 6.3.7Security Council authorization of the use of force 121
         8. 6.3.8Humanitarian intervention 122
         9. 6.3.9Cyber operations not constituting uses of force 122
      4. 6.4Fighting armed conflict in cyberspace 127
         1. 6.4.1Background on international humanitarian law 127
         2. 6.4.2Cyber operations and armed conflict 129
         3. 6.4.3Cyber operations during international armed conflict 136
         4. 6.4.4Cyber operations during non-international armed conflict 137
      5. 6.5Arms control and cyber weapons 138
         1. 6.5.1Arms control strategies 138
         2. 6.5.2Confidence-building measures 140
         3. 6.5.3Export control strategies 140
2. 7Conclusion: Cybersecurity law in a divided world 142
   1. 7.1Taking stock of cybersecurity law 142
      1. 7.1.1Cybersecurity and non-state actors: Cybercrime and cyber terrorism 142
      2. 7.1.2Cybersecurity and state actors: Cyber espionage and cyber war 144
   2. 7.2Cybersecurity’s 20 years’ crisis 145
   3. 7.3The next decade in cybersecurity law 148
      1. 7.3.1International law 148
      2. 7.3.2Domestic law 149
   4. 7.4Final thoughts 150

• Index 152

p. ixFigures

1. 6.1The use-of-force and armed-attack thresholds in international law 114
2. 6.2The armed conflict and attack thresholds in international humanitarian law 129

p. xTables

1. 3.1Cybercrime treaties 45
2. 3.2Examples of provisions in cybercrime treaties 47
3. 6.1Principles of international humanitarian law applicable to cyberattacks in armed conflict 133

p. xiAbout the author

• Download Figure
• Download figure as PowerPoint slide

View Full Size

• Download Figure
• Download figure as PowerPoint slide

• Download Figure
• Download figure as PowerPoint slide

David P. Fidler is a senior fellow for cybersecurity and global health at the Council on Foreign Relations, USA. At CFR, he has contributed to Net Politics, the blog of CFR’s Digital and Cyberspace Policy Program and written reports on cybersecurity issues, including “Cybersecurity and the New Era of Space Activities,” CFR Cyber Brief (April 2018). He served as the chair of the International Law Association Study Group on Cybersecurity, Terrorism, and International Law (2014-16). He edited and contributed to The Snowden Reader (Indiana University Press, 2015). His recent publications include “Cyberspace and Human Rights,” p. xiiin Research Handbook on International Law and Cyberspace, 2nd ed. (Nicholas Tsagourias and Russell Buchan, eds.) (Edward Elgar, 2021), 130-51; “Foreign Election Interference and Open-Source Anarchy, “in Defending Democracies: Combating Foreign Election Interference in the Digital Age (Jens David Ohlin and Duncan Hollis, eds.) (Oxford University Press, 2021), 293-313; and “SolarWinds and Microsoft Exchange: Hacks Wrapped in a Cybersecurity Dilemma Inside a Cyberspace Crisis, “Georgetown Journal of International Affairs (April 2021). He holds degrees in law from Harvard Law School and the University of Oxford and in international relations from the University of Oxford.

p. xiiiPreface

In the late 1990s, concerns about ‘non-lethal’ weapons introduced me to the potential weaponization of internet-linked digital technologies. Initially, the possible development of other types of ‘non-lethal’ weapons preoccupied my attention, but, in the first decade of the new century, the significance of what came to be called ‘cybersecurity’ became more apparent. Governments began to grapple with cybercrime, terrorist use of the internet, cyber espionage, and the military potential of cyber technologies. But it was the Stuxnet operation exposed in 2010 that crystallized for me the policy and legal challenges that cybersecurity threats posed to governments, economies, societies, and individuals. Thereafter, cybersecurity became a core part of my endeavours as a professor at the Indiana University Maurer School of Law and my think-tank work with the Council on Foreign Relations.

This book derives from the materials I developed in teaching Cybersecurity Law and Policy for nearly a decade. As such, it benefits from the changes I made to my approach from interacting with students, learning from colleagues, and analysing the policy and legal implications of cybersecurity incidents and developments at home and abroad. In keeping with the purpose of Elgar Advanced Introductions, the book provides an accessible framework for understanding the field of cybersecurity and concise analysis of domestic and international law concerning each topic within the framework. The book also evaluates whether domestic and international law are proving effective against cybersecurity threats and identifies policy shifts made, and proposals offered, to improve cybersecurity within and among nations.

Given the diversity of national legal systems, the book’s sections on domestic law focus on patterns discernible across countries that arise p. xivfrom how governments deal with cybersecurity threats. Examples from various countries are given, but the sections on domestic law primarily provide a roadmap for guiding more detailed study of how domestic legal systems handle cybersecurity challenges.

By contrast, international law provides an overarching set of rules that applies to the interactions of all states, which permits more uniformity in analysing how states use international law in addressing cybersecurity problems. However, international law reflects a different kind of diversity. On some problems, such as cybercrime, states have developed many international legal instruments. In some areas of cybersecurity, such as armed conflict, countries rely on international law developed before the internet and cyberspace became global phenomena. On yet other issues, such as cyber espionage, little, if any, international law exists. In terms of general international legal rules, such as on sovereignty and non-intervention in the domestic affairs of other states, states agree that such rules apply in cyberspace but prove reticent to clarify how they apply to features or consequences of cyber operations.

As an advanced introduction, the book does not systematically cite the scholarship and policy writing on cybersecurity. Much of this analytical work dissects cybersecurity events, challenges traditional perspectives on cybersecurity, and offers new ways to think about this field. This dynamic has been particularly interesting, for example, in connection with international law and cyber espionage. The book identifies prominent cybersecurity incidents, new policy perspectives, and leading legal reform ideas to prime the reader’s exploration of additional material on specific cybersecurity episodes and different ways of countering cybersecurity threats. Where relevant, I point readers to chapters in the Research Handbook on International Law and Cyberspace (Edward Elgar, 2nd edn, 2021) to assist deeper study of issues raised in this book.

The book’s final chapter summarizes the past 20 years in cybersecurity policy and law and ponders the challenges the next decade might bring. Looking backward and peering ahead are sobering exercises. Past efforts have proved less effective than hoped. Future actions must navigate more difficult national and international environments, including the return of balance-of-power politics to the international system. What emerges in this darker context remains to be seen. But a decade from now, an advanced introduction to cybersecurity law will likely look different to p. xvthe one in your hands because you, perhaps, helped chart a new course for an area of policy and law that will only become more important with each passing day.

David P. Fidler

Clarendon Hills, Illinois, USA

15 October 2021

p. xviPost script

The Russian invasion of Ukraine in February 2022 occurred after this book’s production process was completed. The armed conflict between Russia and Ukraine involved military kinetic and cyber operations and provides an important episode relevant to the analysis in Chapter 6.--D.P.F.

p. xviiAbbreviations