Dave Bittner: [00:00:03:16] I'm Dave Bittner in Baltimore. Our podcast team is taking a break this week for the holidays, but don't fret, we'll be back next week with all new episodes of our show. In the meantime, this week we're revisiting some of our favorite interviews from 2016. Stay with us!
Dave Bittner: [00:00:24:17] Time for a message from our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and, if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel, and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:20:20] Tom Wingfield is Professor of Cyberspace Law at the National Defense University, and one of the authors of the Tallinn Manual, an academic study of how international law applies to cyber conflicts and cyber warfare. We interviewed Tom Wingfield back in October, on location at the 2016 ASUA meeting in Washington DC.
Dave Bittner: [00:01:41:10] We've encountered an increased co-mingling of kinetic and cyber warfare, and we've heard a number of times that the norms of cyber conflict remain immature. Do you agree with that?
Thomas C. Wingfield: [00:01:52:17] I agree with it up to a point. The norms of cyber conflict are immature, but the norms of conflict in general are very mature. Most countries agree on most norms, almost all of the time, and the trick is in applying those near-universal norms to these new cyber targets and these new cyber problems.
Dave Bittner: [00:02:14:10] You're one of the authors of the Tallinn Manual, which has acquired the reputation of being one of the more comprehensive and influential sources of the norms in conflict in cyberspace. So, how closely does the Tallinn Manual adhere to other earlier codifications of such international norms: the laws of armed conflict, the law of the sea, the just war tradition?
Thomas C. Wingfield: [00:02:35:02] Very closely. The whole point of the Tallinn Manual was not to write new law, but rather just take the core of existing law, that almost all of the countries agreed on, and apply it to a new battlefield. Just as we had the San Remo Manual apply law of armed conflict to naval operations, and the Air and Missile Warfare Manual do that for that area, it was just meant to take the part we agree on and apply that to cyber operations.
Dave Bittner: [00:03:02:13] Can you take me through the process, take us behind the scenes? What went into creating the Tallinn Manual?
Thomas C. Wingfield: [00:03:08:22] Well, absolutely. It actually had an unusual beginning. At the very beginning, right after the attacks on Estonia in 2007, I was asked to go out to the brand new CCDCOE there, and brainstorm some ideas. One of the ideas I had was, wouldn't it be great if we could get the 20 smartest law of armed conflict professors in the world together for a few years and have them write the San Remo Manual for cyber? And they thought it was a great idea, and they gave us the money, and I recruited 19 other professors and we did it over three years.
Dave Bittner: [00:03:48:02] I want to ask you about NATO's Article 5. Some of the newer members of the Atlantic Alliance have been on the receiving end of cyber offensive operations and, like you mentioned, we're thinking of Estonia here. Would the Alliance be likely to invoke Article 5 over a cyber incident?
Thomas C. Wingfield: [00:04:04:10] If it were a sufficiently a dangerous situation, if it caused sufficient damage, absolutely. We haven't seen anything in the purely cyber realm that would rise to what we'd call an armed attack, not even a mere use of force, so we're just in the very early stages. If it ever did get to the level of an armed attack, a smoking hole in the ground, significant loss of life, then there's not a doubt in my mind that Article 5 would be invoked.
Dave Bittner: [00:04:33:23] I want you to, if you would, talk us through how you see traditional just war theory finding its application in cyberspace.
Thomas C. Wingfield: [00:04:42:10] Yes. We see the traditional just war theory informing our policy and how we choose to use the instruments we have but, in reality, the 'jus ad bellum', the law of conflict management, the law that governs how we go to war, is actually much, much simpler than that. While we use the seven traditional Thomistic standards to inform our decision policy-wise, legally it's only a two-part test and it's pretty simple. The first part is, is the cyber event military in its quality? That is, not espionage, not diplomacy, not crime not politics, not something else, not economics, but is it military in its character, qualitatively?
Thomas C. Wingfield: [00:05:29:24] Once we've decided that, that it is a use of force and military, then we have to make a quantitative description of it to see if it's bad enough in its scale and effects - those are the two magic words - if, qualitatively, the scale and effects are serious enough to merit a military response. If it's true, we call that an armed attack, and that permits a unilateral response, no Security Council permission, and no requirement to use only cyber means to respond to a cyber attack.
Dave Bittner: [00:06:03:21] What about 'jus in bello' which is, you know, talking about discrimination and proportionality?
Thomas C. Wingfield: [00:06:10:00] Those four basic rules - discrimination or distinction, necessity, proportionality and chivalry - they apply in cyber the way they apply anywhere else. The standards are very straightforward, and so far not a single country in the world has come forward to say they do not apply in cyberspace. The Russians and Chinese are uncomfortable with the way 'jus cogens', known law, and customary law applies to cyber, they would prefer a treaty, but no country has come forward to say those four fundamental tenets of the 'jus in bello' do not apply to cyber operations.
Dave Bittner: [00:06:50:23] US policy with respect to cyber attacks has been to "impose costs", that's the phrase they use, whenever an actor can be identified, and those costs range from naming and shaming, to prosecution of individuals, to the imposition of sanctions. Do you have any thoughts on the efficacy of that approach? Do we need less, or do we need more, or is it about right?
Thomas C. Wingfield: [00:07:09:01] I think we need more. We're feeling our way because it's a new area, but using all of the instruments of national power, I think, is the solution. So, at the highest levels, orchestrating what we do in diplomacy with how we use our information, when necessary the military instrument, and especially economics. I'll give you a very quick example of that last one.
Thomas C. Wingfield: [00:07:30:04] The Computer Fraud and Abuse Act was designed for the government to prosecute domestic crimes against the federal government, but there is a component in it that gives a private cause of action to individuals and businesses that are victims of those seven federal cyber offenses to actually sue and get damages against the individuals, whether they're US or not, and they only have to meet the lower 51% 'mere preponderance' standard of evidence, much easier than a 'beyond a reasonable doubt' criminal prosecution.
Thomas C. Wingfield: [00:08:06:19] We haven't seen much of that, so if I had to make one legal guess for the future, I would see the government using that more, informing corporations and citizens more, that this is another potent weapon in our cyber arsenal, and I think that would go a long way toward deterrence on the front end and justice on the back end.
Dave Bittner: [00:08:27:04] I'm thinking of both rattling cages and also kind of testing your neighbors, that sort of thing. Where do you see things going? Where are the likely places where nations are going to be testing their neighbors, testing their adversaries to see where this new type of conflict can go?
Thomas C. Wingfield: [00:08:51:00] A year ago I would have told you that serious offensive cyber capabilities were the province of a handful of cyber powers, and we all know that handful of countries, but over the last year I've come to realize, in my travels and in talking with experts, that many smaller countries are looking for offensive cyber capabilities to serve as an inexpensive deterrent, that offense can be thought of as cheaper than a competent, system-wide defense. We may see many medium and even small size countries trying to gain an offensive capability in cyberspace, one way or another, to threaten those by whom they feel threatened. I'd be very surprised if we didn't see some of those countries testing some of those capabilities to calibrate their ability and see what they're able to do.
Dave Bittner: [00:09:46:24] What about attribution? Attribution is tricky and often tough when it comes to cyber attacks, but I could see it as being a way, because of that, nation states perhaps can feel as though they can get away with testing the waters if it's difficult to point the finger at them directly.
Thomas C. Wingfield: [00:10:04:23] Yes. Joseph Stalin once said that there were two permissible answers to him, you could either say, "Yes, sir," or "Up to a point, sir." So I'd say, up to a point, in that area.
Dave Bittner: [00:10:15:05] Okay! [LAUGHS]
Thomas C. Wingfield: [00:10:16:05] [LAUGHS] When it comes to attribution, there are really two separate ideas that we worry about and, at least, that lawyers in this area worry about. One is, how involved was a state in doing it? We know from international law that, if a state is merely providing some financing or some political cover, that's not enough to attribute a non-state actor, a hacktivist, terrorists, criminals, to their actions to a state against whom our deterrence could work, and some other things we could do would work. We also know, under international law that, if the state is the one picking the targets, almost all countries agree that that is enough for us to attribute the actions of non-state actors to a state, and then we have a wide range of tools we can use.
Thomas C. Wingfield: [00:11:06:10] There's a big gray area in between those two extremes, and different countries peg state attribution at different levels. The second thing we have to worry about is how certain are we? We can't wait for a 'beyond a reasonable doubt' standard, as we would in a courtroom. 99% certainty can't happen that fast in an area that we don't control the crime scene, so that's unrealistic to expect that level of certainty. But, with 'mere preponderance', 51%, that we have in civil cases, that's not good enough either if we're going to be doing some serious damage overseas.
Thomas C. Wingfield: [00:11:43:24] So, what we see from the Americans, from the British, even from NATO, are statements that now use the phrase, "We have clear and compelling evidence of X, Y and Z and, therefore, we are using force, whether it's cyber or kinetic." And, 'clear and compelling' is in between those two; it's about 75% sure. So, if we're about 75% sure that a state is doing more than providing mere low-end support, but enough support for attribution, then we check the two boxes and the lawyers say, "You may attribute it," and then it goes over to the policy people who have to decide what kind of tools we can use against the adversary.
Thomas C. Wingfield: [00:12:25:14] I think that there are two things that are very important, at least in the legal world. One is the need to have an overlap between what the lawyers understand and what operators do. That's why we're hoping, as the next Tallinn Manual 3.0, is going to be an operational law handbook, we hope, that would look at these problems, not from a law professor's perspective, but rather from the questions and problems that operators have now in this immature field, and we hope to be able to build the legal advice in cyber as the US Army does a great job of doing for the Operational Law Handbook for broad spectrum operations.
Thomas C. Wingfield: [00:13:05:06] The second thing, perhaps more interesting, is the rise of lethal artificial intelligence. We're legally responsible for what those agents do at cyber speed, and if they start causing serious damage, or perhaps even loss of life in the not too distant future, the last human in the loop, the operator, the commander, we would be on the hook for what those things did in our name. So, we would have to train them to know the cyber legal outer limits of what they could do, so we wouldn't end up as war criminals for releasing them into the wild.
Dave Bittner: [00:13:45:14] It reminds me of, you know, Asimov's Rules for Robotics.
Thomas C. Wingfield: [00:13:48:24] Absolutely! We would start there and then add on the rules we give to frightened 19 year-olds that we send into combat. The same rules would have to be taught and burned into our AI agents, so that whatever else they did while they're fighting at cyber speed, they would not go afield of the rules that define us as us.
Dave Bittner: [00:14:13:19] Alright. Thomas Wingfield, thanks for joining us.
Thomas C. Wingfield: [00:14:15:11] It's been my pleasure. Thanks for having me.
Dave Bittner: [00:14:20:06] And that's the CyberWire. If you find you're just itching to get that daily dose of cyber security news, don't worry. It's still available on our website, thecyberwire.com, and while you're there go ahead and subscribe to our Daily News Brief. It'll be delivered to your email every day.
Dave Bittner: [00:14:34:16] Thanks to our sponsor, Recorded Future, for making today's podcast possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik; our Social Media Editor is Jennifer Eiben; our Technical Editor is Chris Russell; our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.