ANALYSES POLICY REVIEWS OPINIONS - Cybersec Global 2020
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
VOLUME 2 (2016) ▪ ISSUE 2
EUROPEAN CYBERSECURITY JOURNAL
VOLUME 2 (2016) ▪ ISSUE 2
ANALYSES ▪ POLICY REVIEWS ▪ OPINIONS
VOLUME 2 (2016) | ISSUE 2
editorial
JOANNA ŚWIĄTKOWSKA
Chief Editor of the European Cybersecurity Journal
CYBERSEC Programme Director
Senior Research Fellow of the Kosciuszko Institute, Poland
The European Cybersecurity Journal is a new specialized quarterly publication devoted to cybersecurity. It will be
a platform of regular dialogue on the most strategic aspects of cybersecurity. The main goal of the Journal is to provide
concrete policy recommendations for European decision-makers and raise awareness on both issues and problem-solving
instruments.
EDITORIAL BOARD Cybersecurity and, more broadly, issues connected with cyberspace, have risen to the rank of strategic, global
challenges. On the one hand, over the last few decades we have witnessed unprecedented opportunities for general
Chief Editor: Dr Joanna Świątkowska The ECJ is a quarterly journal, published in January, development: economic, political, social, and individual. On the other, we are now facing completely new categories
CYBERSEC Programme Director and Senior Research Fellow of the April, July and October. of threats, with potentially catastrophic consequences. All stakeholders, even the non-governmental ones, who,
Kosciuszko Institute, Poland
in the past, had limited or no tools enabling them to effectively influence the world around, now have comparatively
easy access to technologies that may potentially impact entire international security systems. The Web has become
Honorary Member of the Board: Dr James Lewis a tremendous source of influence.
Director and Senior Fellow of the Strategic Technologies Program,
Center for Strategic and International Studies (CSIS), USA
Citations: This journal should be cited as follows: In order to safely use and develop the potential of cyberspace, global collaboration and engagement of all stakeholders
“European Cybersecurity Journal”, Volume 2 (2016), are absolutely necessary. Europe is an extremely important element of this ecosystem and should be actively engaged
Member of the Board: Alexander Klimburg
Nonresident Senior Fellow, Cyber Statecraft Initiative, Atlantic Issue 2, page reference in all processes affecting global cybersecurity. One of the key steps necessary for developing the best ideas and
Council ; Affiliate, Belfer Center of Harvard Kennedy School, USA the most practical solutions is to create a platform where different points of view can be presented, confronted, and
Published by: debated.
Member of the Board: Helena Raud The Kosciuszko Institute
Member of the Board of the European Cybersecurity Initiative, ul. Feldmana 4/9-10 The European Cybersecurity Journal offers different perspectives on cybersecurity management and related public
Estonia 31-130 Kraków, Poland policies. The main goal of the ECJ is to provide concrete policy recommendations for European decision-makers and
raise awareness on key issues and problem-solving instruments. The first edition of the quarterly will be officially
Member of the Board: Keir Giles Phone: 00 48 12 632 97 24 inaugurated during the European Cybersecurity Forum (CYBERSEC) – the project which aspires to become the most
Director of the Conflict Studies Research Centre (CSRC), UK E-mail: editor@cybersecforum.eu important European discussion platform for cybersecurity and related strategy challenges.
Editor Associate: Izabela Albrycht www.ik.org.pl Both the ECJ and CYBERSEC have been designed to support the general effort of increasing security and promoting
Chairperson of the Kosciuszko Institute, Poland www.cybersecforum.eu stable growth opportunities across cyberspace.
Executive Editor: Matylda Kuchnik Printed in Poland In the process, we have decided to include all key stakeholders: representatives of public entities, business leaders,
by Drukarnia Diament | diamentdruk.pl experts, scientists, and representatives of the civil society. Bringing together so many diverse points of view is our core
Designer: Paweł Walkowiak | perceptika.pl
value. It also makes us stand out when compared to other projects addressing this subject matter from, for example,
exclusively technological perspective.
Proofreading: DTP: Marcin Oroń
H&H Translations | hhtranslations.com.pl The first issue of our quarterly provides a clear illustration of this approach. It covers some of the boldest and most
innovative solutions, presented from a variety of perspectives. This unique approach ensures new levels of insight into
ISSN: 2450-21113 some of the most crucial cybersecurity issues, presented in the form of analyses, interviews, opinions and policy reviews.
It gives me great pleasure to share with you this very first edition of the ECJ. In it, I hope you will find valuable reading
material, useful practical information but also great many sources of inspiration. At the same time I would like to invite
you to contribute to the development of our journal. In line with the fundamental nature of the Internet itself, the value
that a multi-stakeholder approach creates, can only materialize if it is driven by a collective effort. This particular effort
offers a promise of a better, safer future, in which cyberspace continues to provide unprecedented development
opportunities, at personal as well as international level.
Disclaimer: The views expressed in articles are the authors’ and not necessarily those of the Kosciuszko Institute. Authors may have
consulting or other business relationships with the companies they discuss.
© 2015 The Kosciuszko Institute
All rights reserved. The publication, in whole or in part, may not be copied, reproduced, nor transmitted in any way without the written 3
permission of the publisher.
VOLUME 2 (2016) | ISSUE 2
CONTENTS
ANALYSIS
Militias, Volunteer Corps, Levée en Masse or Simply Civilians
Militias, Volunteer Corps, Levée en
5 Directly Participating in Hostilities? Certain Views on the Legal
Status of “Cyberwarriors” Under Law of Armed Conflict
Masse or Simply Civilians Directly
Participating in Hostilities?
Wiesław Goździewicz
18
Hackers, Hacktivists, and the Fight for Human Rights
in Cybersecurity Certain Views on the Legal Status
of “Cyberwarriors” Under Law
Dr Stefania Milan
22 of Armed Conflict
2015 – a year in review, as seen from the Security
Operations Center
Gaweł Mikołajczyk
WIESŁAW GOŹDZIEWICZ
Mr. Goździewicz is a Legal Adviser to the NATO Joint Force Training Centre in Bydgoszcz (Poland). He provides legal
advice and training on the practicalities of the application of international humanitarian law and legal aspects of military
28
Race on Talented People – Case Finland: What Kind of Skills operations. Mr. Goździewicz served at the Public International Law Division of the Legal Department of the Ministry
of National Defence. Commander Goździewicz (Polish Navy) joined the Armed Forces as a junior legal officer, at the 43rd
Are Needed? Naval Airbase in Gdynia. He is a graduate of the Faculty of Law and Administration of the University of Gdańsk.
Dr Antti Pelkonen, Dr Jarno Limnéll, Reijo Savola, Jarno Salonen
1. Introduction It is no secret that most militaries lack the expertise
38
in cyberarea, thus it is highly likely that civilian
2016 – Critical Year for EU Cybersecurity? Growing „civilianisation” of contemporary armed conflicts specialists (most probably contractors) would
is a fact. More and more civilians are present on or become the “first choice cyberwarriors.”
Jan Neutze
in vicinity of battlefields all over the world. Significant Also, because cyber operations are relatively
share of what used to be traditional military functions inexpensive, they may be considered particularly
is nowadays being outsourced. This is caused mainly attractive by non-state actors engaged
42
by two factors: gradual personnel reductions in most in asymmetric conflicts or hybrid warfare.
Incident Reporting in the Context of Critical Infrastructure of the armies and growing reliance of the militaries Depending on multiple factors, such as the type
Piotr Ciepiela, Leszek Mróz, Dr Tomasz Wilczyński
on modern technology. Civilians (sometimes contractors) of conflict, affiliation to state or non-state party,
are hired to perform multiple functions from catering and the nature of the relationship with the party
logistics, through force protection, to providing actual to the conflict, the status of “cyberwarriors”
combat force on the battlefield. Nowadays, it is not under the law of armed conflict (LOAC) may vary.
49 Gathering Identifier System and Cyberattack Threat Intelligence
Dave Piscitello
unusual to see civilian specialists operating or maintaining
military equipment, weapon systems etc. for which highly
specific knowledge, skillset and experience are required
that the military lacks.
The purpose of this short article is to shed some
light on the complicated, yet fascinating issue
of the status of persons engaged in cyberwarfare
and implications thereof. For the purpose of this
4 5
VOLUME 2 (2016) | ISSUE 2
article, let us assume that cyberwarfare is either conflict, entailing the application of LOAC3. Modern “First, despite the considerable increase in the number In the author’s view, this doesn’t mean that only
used in a broader armed conflict or independent means and methods of warfare do not evolve of subjects covered by the law of armed conflicts, the core principles of LOAC apply to cyberwarfare.
cyber operations amount to armed attacks, thus in a legal vacuum. Neither does legal vacuum and despite the detail of its codification, it is not It just means that there can be no excuse to non-
trigger the initiation of an armed conflict. exist in cyberspace4. To that end, it is worthwhile possible for any codification to be complete at any compliance with at least the core principles, even
to quote the so called Martens Clause: given moment; thus the Martens clause prevents if it is recognised that there is no specific LOAC
Firstly, we will examine the matter of if and how the assumption that anything which is not explicitly provisions governing for instance cyberwarfare,
Law of Armed Conflict (LOAC) applies to cyber “Until a more complete code of the laws of war has prohibited by the relevant treaties is therefore as opposed to explicit LOAC provisions restricting
hostilities (or cyberwarfare). Then, we will consider been issued, the High Contracting Parties deem permitted. Secondly, it should be seen as a dynamic or prohibiting the use of certain conventional
how the principal combatancy criteria as set forth it expedient to declare that, in cases not included factor proclaiming the applicability of the principles weapons, such as incendiary weapons, booby traps,
in Geneva Convention 3 and Additional Protocol in the Regulations adopted by them, the inhabitants mentioned regardless of subsequent developments laser weapons or expanding bullets.
1 to Geneva Conventions can be used in relation and the belligerents remain under the protection and of types of situation or technology7 .”
to “cyberwarriors.” Next, the notion of direct the rule of the principles of the law of nations, as they Apparently, there should be no doubt about
participation in hostilities and organised armed result from the usages established among civilized Nowadays, the international community observes LOAC applicability to cyberwarfare. The question
groups will be assessed in the cyber context peoples, from the laws of humanity, and the dictates rapid development in military technology and is rather how LOAC applies to cyberwarfare,
to culminate in an analysis of different possible of the public conscience5.” also the means and methods of warfare. It is in particular whether (or when) it could be applied
options for legal status of persons involved enough to mention the so called hybrid warfare, directly, or is there a need for mutatis mutandis
in the conduct of cyber hostilities. More recently, the Martens Clause was restated “internationalised non-international armed conflicts” application. In the following section, this question
in Additional Protocol I, Art. 1(2): “Recalling that, (e.g. ISAF), development of autonomous weapon will be answered with the example of combatancy
2. Applicability of LOAC to Cyberwarfare in cases not covered by the law in force, the human systems and, last but not least, the growing interest criteria, as applicable to conduct of hostilities
person remains under the protection of the principles in examining the potential of offensive application in cyberspace.
There should be no doubt that international law of humanity and the dictates of the public conscience.” of cybermeans and methods of warfare.
applies to cyberspace and operations conducted 3. Cyberwarriors as Combatants
therein. It has been recognised by the North In its commentary, the ICRC states that
Atlantic Treaty Organisation (NATO) in its Wales although the Martens Clause is considered Apparently, there should There is no simple definition of combatant.
Summit Declaration1 and confirmed by many to be part of customary international law6 , be no doubt about LOAC In fact, a number of IHL instruments contain
scholars and legal experts, to include the drafters the plenipotentiaries considered its inclusion applicability to cyberwarfare. different definitions of combatants. All of them
of the Tallinn Manual2. appropriate because: The question is rather how are consistent when it comes to the obvious:
granting combatant status to armed forces
LOAC applies to cyberwarfare,
Undoubtedly, LOAC applies whenever an armed conflict belonging to the party to the conflict. Differences
3 | Knut Dörmann, ‘The Applicability of the Additional Protocols
in particular whether (or when)
exists, regardless of whether parties to the conflict to Computer Network Attacks: an ICRC Approach’ in Karin Byström (although perhaps not fundamental) occur with
recognise its existence and regardless of whether
(ed.) International Expert Conference on Computer Network Attacks it could be applied directly, regards to other groups, militias, etc. belonging
the conflict is of international or non-international
and the Applicability of International Humanitarian Law: Proceeding of
or is there a need for mutatis to the party to the conflict. Let us, however, start
the Conference (Stockholm: Swedish National Defence College, 2004),
character, as provided for in Articles 2 and 3 common 142-143, http://www.icrc.org/eng/assets/files/other/applicabilityofi- mutandis application. with defining the notion of armed forces.
to the four Geneva Conventions. From that perspective, hltocna.pdf, visited 24 Jan 2016.
4 | No legal vacuum in cyber space, 16-08-2011 Interview with Cordula
if cyberactions cross the threshold of an armed attack, Drafting and adopting LOAC treaties obviously Additional Protocol I to Geneva Conventions
Droege, ICRC legal adviser, https://www.icrc.org/eng/resources/doc-
even if hostilities occurred only in cyberspace, without uments/interview/2011/cyber-warfare-interview-2011-08-16.htm,
cannot keep the pace with technological and in its Article 43(2) provides perhaps the most
resort to conventional (or rather – traditional) means visited 31 Jan 2016. doctrinal developments in the area of modern comprehensive and widely adopted definition
and methods of warfare, there will be an armed 5 | Preamble to the Convention (IV) respecting the Laws and Customs warfare, thus the Martens Clause provides a “safety which states: “The armed forces of a Party
of War on Land and its annex: Regulations concerning the Laws and
switch,” recognised as customary international law to a conflict consist of all organized armed forces,
Customs of War on Land. The Hague, 18 October 1907, https://www.
icrc.org/applic/ihl/ihl.nsf/ART/195-200001?OpenDocument, visited 31
that requires – should everything else fail – at least groups and units which are under a command
1 | Wales Summit Declaration Issued by the Heads of State and Gov- Jan 2016. the application of the core four LOAC principles responsible to that Party for the conduct of its
ernment participating in the meeting of the North Atlantic Council in 6 | Commentary on the Additional Protocols of 8 June 1977 to the to all and any types of hostilities or means and subordinates, even if that Party is represented
Wales, 5 September 2014, http://www.nato.int/cps/en/natohq/official_ Geneva Conventions of 12 August 1949, ICRC/Martinus Nijhoff
methods of warfare. by a government or an authority not recognized
texts_112964.htm?mode=pressrelease, visited 18 January 2016. Publishers, Dordrecht, 1987, p. 39, https://www.icrc.org/applic/ihl/ihl.
2 | Tallinn Manual on the International Law Applicable to Cyber Warfare, nsf/Comment.xsp?action=openDocument&documentId=7125D4CB-
by an adverse Party. Such armed forces shall be
general editor Michael N. Schmitt, Oxford University Press, 2013, p. 13. D57A70DDC12563CD0042F793 visited 03 Feb 2016. 7 | Ibidem, pp 38-39. subject to an internal disciplinary system which,
6 7
VOLUME 2 (2016) | ISSUE 2
inter alia, shall enforce compliance with the rules operations10” and should be granted prisoner in hostilities), except for members of organised groups carried out “at the request” of the state.
of international law applicable in armed conflict.” of war status upon capture. armed groups, who – similarly to members One of the key principles of international law is
Militias and volunteer corps, if incorporated of armed forces – can be targeted by virtue of their that states (rather than individuals) bear liability
into the armed forces, are subject to the same As criteria number one and four are rather status as members11. for violation of obligations under international
requirements, as applicable to regular armed uncontroversial (even in computer network binding upon that state, if the breach is
forces. It should be noted, however, that the legal operations), at least with regard to regular Today, modern means and methods allow a consequence of actions that can be attributed
regime and criteria governing membership or armed forces (who, by the way, will also remote conduct of hostilities. Computer network to that state. State will bear the responsibility
incorporation into the armed forces are generally always fulfil the requirement of “belonging operations or cyberattacks are no different to that for the actions of their bodies and government
contained in national legislation. to a party to the conflict,” thus simplify the issue end from unmanned combat aerial vehicles institutions (including the armed forces) that
of attribution if a cyberattack is conducted (UCAVs) or stand-off weapons, that significantly constitute violations of international law, but
Members of other (i.e. those not forming part by members of regular armed forces), let us stop reduce the prosper of capture of the person would also be liable for the actions of private
of armed forces) militias, volunteer corps, for a moment to analyse number 2 and 4 as crucial engaged in attack with the use of cybermeans, actors by order of state authorities, in accordance
organised resistance movements, levée en masse for compliance with the principle of distinction UCAV or stand-off weapons, yet make with the instructions of the state bodies under
can also be recognised as combatants, given (between combatants as lawful military objective the attackers practically invisible to the enemy the direction or control of the State (criterion
they fulfil certain criteria that armed forces are and civilians by default protected from attacks) in the course of an attack. This makes some of effective control as in the case of de facto
considered to fulfil ex lege8 . These criteria are and the obligation for combatants to distinguish of the scholars to consider the four criteria less commanders)13. The principle applies to all military
formulated differently in Additional Protocol themselves from civilians. Additional Protocol relevant for cyberwarriors than “conventional operations, conducted both by the regular armed
I, Geneva Convention III and the so called 1, Article 44(3) requires combatants to have fighters,” as opposed to the requirement to belong forces and other organised groups meeting
Hague Regulations9, however can be reduced a distinctive sign and carry arms openly while they to a party to the conflict12. the criteria of Art. 43 of the first Additional
to the following: are engaged in an attack or in a military operation Protocol, but is of particular importance
preparatory to an attack. Yet, recognising certain If a cyberattack is conducted by an entity that in the context of operations in cyberspace that
1) being commanded by a person responsible specificities of guerrilla warfare, where “[…] owing does not form a part of the armed forces, the issue would be outsourced to private entities.
for his subordinates; to the nature of the hostilities an armed combatant of affiliation to a party to the conflict becomes
2) having a fixed distinctive sign visible cannot so distinguish himself […],” AP I provides that somewhat challenging. Any governmental institution Affiliation with a party
at a distance; “[…] [such armed fighter] shall retain his status as meets the requirement of belonging to a party
to the conflict also involves
3) carrying arms openly; a combatant, provided that, in such situations, he to the conflict, but it is not so clear with respect
state responsibility
4) conducting operations in accordance with carries his arms openly: to e.g. private enterprise, to which a state has
the laws and customs of war. turned to have carried out a network attack
for the actions
a) during each military engagement, and because of their knowledge, skills and technical of armed groups carried out
If the four aforementioned criteria are fulfilled b) during such time as he is visible to the adversary capabilities. The requirement of affiliation may be “at the request” of the state.
cumulatively, even members of irregular while he is engaged in a military deployment met through a factual relationship, functional, which
formations that do not constitute parts of armed preceding the launching of an attack in which he is does not need to be formalised, but if such a link Even if the cyberattack qualifies as armed
forces, yet take part in hostilities, can enjoy to participate.” actually exists (e.g. in the form of a contract), it attack, that is, it is reasonable to assume that it
the benefits of combatant status, to include should be considered as satisfying the requirement would result in injuries to or death of persons
combatant immunity, i.e. “they shall not be called The reason for enforcing the obligation of belonging to a party to the conflict. or damage to or destruction of buildings,
to account for their participation in lawful military for belligerents to distinguish themselves in most cases, such an attack will be carried out
from civilians is the obligation to protect civilians Affiliation with a party to the conflict also involves from a remote location, without direct contact
from direct attack, “unless and for such time as they state responsibility for the actions of armed between the attacker and the attacked. This may
8 | Leslie C. Green, The Contemporary Law of Armed Conflict, Juris
take a direct part in hostilities.” As will be discussed suggest that the requirement for combatants
Publishing, Manchester University Press, Manchester 2000, pp. 34-35;
Jean-Marie Henckaerts, Louise Doswald-Beck, Customary International
in more detail in the following section, the possibility 11 | Sean Watts, Combatant Status and Computer Network Attack, in:
conducting a network attack to distinguish
Law. Volume I: Rules., International Committee of the Red Cross, Cam- to consider civilians as lawful military objectives is Virginia Journal of International Law, Vol. 50 – Issue 2, Virginia Journal themselves from civilians by wearing fixed
bridge University Press, Cambridge 2005, pp. 15-16. normally “conduct-based” (if they take direct part of International Law Association, 2010, p. 420; Of note, even being distinctive signs becomes less relevant,
9 | Regulations Respecting the Laws and Customs of War on Land an- considered a member of an organized armed group does not automat-
nexed to Convention (IV) respecting the Laws and Customs of War, The 10 | Knut Ipsen, Combatants and non-combatants in: The Handbook of ically entail combatant privileges or combatant immunity if the four
Hague, 18 October 1907, https://www.icrc.org/ihl/INTRO/195 access International Humanitarian Law, edited by Dieter Fleck, Oxford Univer- combatant criteria prescribed above are not met. 13 | Guenael Mettraux, The Law of Command Reposnsibility, Oxford
14 February 2016. sity Press, Oxford 2009, p. 95. 12 | Ibidem, pp. 337-441. University Press, Oxford 2009, s. 100-102, 110-113, 122-123.
8 9
VOLUME 2 (2016) | ISSUE 2
especially in situations in which the network 4. Direct Participation in Hostilities (DPH) and to DPH? In accordance with the ICRC guidance, direct20. The guidance recognises that CNAs,
attack is carried from within a military Organised Armed Groups (OAGs) in the Cyber these are: 1) threshold of harm, 2) direct causation despite their remoteness, will in most cases
objective, for which there is a separate Context and 3) belligerent nexus. meet the direct causation test21.
obligation to mark it (e.g. a warship or military
aircraft)14. Nevertheless, in the author’s view, Additional Protocol 1 Art. 51.(3) and Additional Threshold of harm – the act must be likely
1) 3) Belligerent nexus – an act must be specifically
the distinction requirement can be met by e.g. Protocol 2 Article 13.(3) provide that civilians are to adversely affect the military operations designed to directly cause the required threshold
using IP addresses that are clearly different immune from direct attack unless and for such time or military capacity of a party to an armed of harm in support of a party to the conflict
from those used by civilians or civilian entities as they take a direct part in hostilities. They lose this conflict or, alternatively, to inflict death, injury, and to the detriment of another (carried out
or at least – when hiding the IP address protection for the duration of each act amounting or destruction on persons or objects protected to gain definite military advantage). From
from the objective of the cyberattack (as to direct participation, however, this conduct-based against direct attack. Acting to the benefit that perspective, organised self-defence
a mean to avoid or hamper counteractions) – concept should only apply to civilians who are of one’s own party to the conflict the act of the civilian populace against pillaging or other
using such tools that are specific to the military neither members of armed forces (to include militias has to result or be likely to result in negative acts of violence towards the populace, even
and leave no room for allegations of feigning and volunteer corps incorporated into the armed consequences to the enemy’s military effort19. It if resulting in hostile acts against the party
civilian status which would be considered as forces) or organised groups nor participate in levée should be noted that adversely affecting military to the conflict that fulfil the other two criteria,
perfidy in accordance with AP I Art. 37(1).c15. en masse. For members, their membership alone operations or capacity of the other party does shall not be considered as DPH. Similarly, bank
is sufficient to determine their status as lawful not necessarily require causing physical damage. robbery (to include “cyber-robbery”) committed
Similar approach could be adopted with regards military objectives (although criteria of membership The ICRC guidance states that “[e]lectronic by belligerents for their personal gain (not
to the criterion of carrying arms openly. will differ, as will be discussed below), regardless interference with military computer networks could in support of the military operation of a party
Conventional (or “classical”) weapons are of whether they actually take direct part also suffice, whether through computer network to the conflict) should be considered a criminal
not used in computer network operations. It in hostilities at a given time. In an effort to define attacks (CNA) or computer network exploitation act rather than DPH22.
would be hardware or software, both either both the notion of DPH as well as membership (CNE).”
specifically developed or adjusted to carry in organised armed groups, International Committee The ICRC Guidance does not provide many
out cyberattacks. As it is difficult to expect of the Red Cross (ICRC) has issued its guidance17 Direct causation – there must be
2) examples of acts amounting to DPH in the cyber
“cyberwarriors” to carry their laptops marked as which, in fact, was the first comprehensive study a direct causal link between the act and context. Nevertheless, if a cyberattack can amount
weapons with special stickers, especially if they on this topic. Although controversial in many the harm likely to result either from that act, or to an armed attack, certain activities conducted
are sitting thousands of miles away from their aspects18, it actually provides good overview from a coordinated military operation of which in or through cyberspace will definitely fulfil criteria
targets, perhaps the use of specific malware, of the issue and served as a catalyst for in-depth that act constitutes an integral part. For of direct participation in hostilities. The following
not available “off the shelf” to any “hacker discussions of the practicalities of the DPH concept example, transporting weapons or other military three examples might be useful to illustrate
wannabe,” or “weaponised” software clearly and its application in contemporary armed conflicts, equipment may be considered to be directly the concept of DPH in the cyber domain.
distinct from its civilian analogues, is the vehicle most of which has been asymmetric over the last related to cause harm in military terms (and thus
to ensure the weapons carrying criterion is met, two decades. constitute DPH) only when it is executed as Scholars tend to agree that designing malware
except for cyber levée en masse (to be discussed an integral part of a specific military operation, (even for military purposes) would usually not fulfil
in more detail in Section 5 of this article), a) DPH Criteria planned to inflict appropriate amount of damage the three criteria of DPH, unless such malware
for which spontaneous “taking up arms” might (of sufficient degree of harm). Therefore, is specifically designed to exploit vulnerabilities
prevent the possibility to obtain militarised or What are the cumulative criteria that an act has training or recruiting militants for organised of particular target or modified (customised) to be
weaponised information technology (hardware to fulfil in order to be considered as amounting armed groups, although it is essential used in a specific cyberattack23.
or software), but which – arguably – cannot to the military capabilities of the group, will not
exist in borderless cyberconflicts16 . 17 | Nils Melzer, Interpretive Guidance on the Notion of Direct Partici- fulfil the direct causation criterion, unless it will 20 | Ibidem, p. 53. An example of training or recruitment that meets the
pation in Hostilities Under International Humanitarian Law, Internation- direct causation test might be to select volunteers to conduct suicidal
be carried out in order to prepare a pre-planned
al Committee of the Red Cross, Geneva 2009. IED attack, and to train them on the topography of the object of attack,
14 | Tallinn Manual, op. cit., pp. 99-100. 18 | See e.g. Michael Schmitt., The Interpretive Guidance on the Notion
specific military operation or hostile act. In this infiltration methods and vulnerabilities to be exploited in order to suc-
15 | Sean Watts, op. cit., p.442; see also Vijay M. Padmanabhan, Cyber of Direct Participation in Hostilities: A Critical Analysis in: Harvard Na- case, because the training or recruitment might cessfully execute the attack.
Warriors and the Jus in Bello in: International Law Studies vol. 89 tional Security Journal Vol. 1, May 5, Cambridge (Massachusetts) 2010; be considered an integral part of the operation, 21 | Ibidem, p. 55.
(2013), U.S. Naval War College, 2013, pp. 295-296. Kenneth Watkin, Opportunity Lost: Organised Armed Groups and the 22 | Ibidem, p. 62-63.
and the causal link to the operation will be
16 | David Wallace, Shane R. Reeves, The Law of Armed Conflict’s ICRC “Direct Participation in Hostilities” Interpretive Guidance, in: New 23 | Hanneke Piters, Cyber Warfare and the Concept of Direct Par-
“Wicked” Problem: Levée en Masse in Cyber Warfare, in: International York University School of Law Journal of International Law and Politics ticipation in Hostilities, in: NATO Legal Gazette Issue 35 (December
Law Studies vol. 89, op. cit, pp. 662-663. Vol. 42, No. 3, New York 2010. 19 | Nils Melcer, op. cit., p. 47. 2014), p. 54, http://www.act.nato.int/images/stories/media/doclibrary/
10 11
VOLUME 2 (2016) | ISSUE 2
Installation, servicing and maintenance of computer on the non-state party to the conflict, the term military operations and to implement [Additional more example of controversies behind the ICRC
systems or software would normally not amount “fighters” that encompasses both members Protocol II].” Putting aside the problematic question guidance: if there is no formalised joining criteria,
to DPH, especially if linked to passive (or reactive) of dissident armed forces and OAGs is being used of territory in cyberspace, let’s simplify the issue how is it possible to determine if resignation took place?
cyberdefence. If, however, the system (or software) despite not being reflected in LOAC treaties27. by adopting an assumption that there is an OAG
in question is being installed in preparation fulfilling the aforementioned criteria and focus Shifting to the cyberwarfare context, if the ICRC
for launching a cyberattack at a specific target, It should also be noted that in accordance with on the membership issue. guidance was taken into account literally, only
it would amount to DPH, because “[measures] Article 3 common to all four Geneva conventions, persons who joined an OAG in order to conduct
preparatory to the execution of a specific act of direct applicability of Geneva conventions to NIAC is very Membership in OAGs shall not be linked cyberattacks crossing the threshold of armed
participation in hostilities, as well as the deployment limited, therefore provisions of Geneva Convention to a formalised joining or recruitment. There will attacks or in other manner amounting to DPH as
to and the return from the location of its execution, III (relative to the Treatment of Prisoners of War) be no formal relationship or bond, no formalised illustrated above could be considered members
constitute an integral part of that act.24” dealing with combatancy and POW status will and common uniforms with distinctive signs and thus targetable throughout the duration
not apply, unless parties to the NIAC “[…] bring and no identification cards serving the purposes of their membership (however the duration
Lastly, operation of a computer system or software into force, by means of special agreements, all or of Geneva Convention III. In accordance with could be determined). Other persons affiliated
in the course of a cyberattack (fulfilling the criteria part of the other provisions […]” of the Convention. the ICRC Guidance, the only determining factor with a cyber-OAG could only be targeted
of an armed attack, as assumed in the beginning Neither will provisions of Additional Protocol will be the so called continuous combat function for the duration of each act amounting to DPH.
of this article) would in most cases amount to DPH, I apply and thus there are no combatants or POWs constituting the foundation of the functional Enjoying immunity from direct attack in military
regardless of whether the malware is to activate in NIACs, although enemy fighters will constitute relationship with an OAG. Assumption of this terms does not preclude facing criminal liability,
instantly or contains “delayed fuse” designed so lawful military objectives. continuous combat function is to be the objective though, as even Additional Protocol II, art. 6.(5)
that the malware took intended effects at a given As opposed to civilians who sporadically or indication of membership. seems to recognise that taking part in a NIAC
point in time25. Exploring general vulnerabilities spontaneously take direct part in hostilities and would violate criminal laws of the state party
in software operated by the enemy would not are considered “fighters” for the duration of each ICRC stated that continuous combat function to the conflict and – as opposed to members
amount to DPH, as opposed to exploiting such act amounting to DPH28, persons who qualify requires lasting integration with an OAG and of armed forces belonging to the state party –
vulnerabilities in preparations for a cyberattack as members of OAGs, become lawful military usually this function would be to take direct part fighters on the non-state side would not enjoy
or in support of a conventional attack, just as objectives for the duration of their membership, in hostilities, although persons whose functions combatant immunity.
collecting tactical intelligence would be considered allegedly in a manner similar to members involve preparing, conducting or commanding
DPH, whereas strategic intelligence activities of regular armed forces. This means that as long operations or actions amounting to DPH is believed From that perspective, hacktivists would normally
would not26. as the membership exists, these persons can be to have had continuous combat function. Persons, face penal consequences of their actions, however
targetable 24/7. who within an OAG fulfil non-combat functions members of hacker groups trained to conduct
b) Organised Armed Groups (OAGs) (administrative, political, logistic), in accordance cyberattacks amounting to DPH or crossing
OAGs should belong to the non-state with the ICRC guidance should not be considered the threshold of armed attack would fall within
Considerations on the subject of organised armed to the conflict (and the belonging could in fact members of that OAG, which has become the category of lawful military objectives, whose
groups should be started with a statement that mean even loose linkage materialised in following a point of friction, as – in the opinions of some “partial or total destruction, capture or neutralisation”
the concept of organised armed groups (OAGs) the directions and guidance of the non-state of the experts – it results in unequal treatment would be lawful, if offering a definite military
functions only in non-international armed conflicts party) and fulfil the criteria laid down in Article of regular armed forces and OAGs29. advantage in the circumstances ruling at the time30.
(NIACs), where the state party to the conflict 1(1) of Additional Protocol II, namely being under
is represented by governmental security forces responsible command and exercising “[…] such Also, a person who has been recruited, trained 5. Concluding Remarks – Lawful Options
(to include regular armed forces) and the non-state control over a part of [the state party’s] territory as and equipped by an OAG to repeatedly take direct for Cyberwarrior Formations
party is fought for by either dissident armed forces to enable them to carry out sustained and concerted part in hostilities may be considered a member
(mutinied part of the armed forces) or OAGs. As of this OAG (and thus a lawful military objective A natural conclusion can be drawn
27 | Michael N. Schmitt, Charles H.B. Garraway, Yoram Dinstein, The
the legal notion of combatants cannot be referred manual on the Law of Non-International Armed Conflict with Commen-
that may be subject of lethal targeting) even from the considerations above: the optimal solution
to with regard to persons engaged in hostilities tary, Martinus Nijhoff Publishers, Leiden/Boston 2006, pp. 4-5. before committing the first act amounting to DPH, for cyberwarriors is to be members of the armed
28 | This is one of the biggest controversies behind the ICRC Guidance, if upon completion of the training the person forces of a party to the conflict and there are
legal_gazette_35.pdf, access 16 February 2016. referred to by some scholars as the “revolving door concept” allowing
concerned does not “leave” the OAG. This is one
24 | Nils Melzer, op. cit, p.17. fighters to regain protected civilian status after committing DPH, per-
25 | Hanneke Piters, op. cit., pp. 55-56. fectly captured in the phrease “farmer by day, fighter by night”. See e.g. 30 | Jean-Marie Henckaerts, Louise Doswald-Beck, Customary Interna-
26 | Ibidem, pp. 34-35, 49, 52, 66-67. Kenneth Watkin, Opportunity lost…, op. cit. pp. 686-690. 29 | Michael Schmitt, The Interpretive Guidance…, op. cit., pp. 15, 22-23. tional Law…, op. cit., p. 29.
12 13
VOLUME 2 (2016) | ISSUE 2
several nations who have stood up their military of the Third Geneva Convention, with the addition It is obvious that vast majority of expertise employees or contractors performing combat
organisations or units to deal with cyber operations of organised resistance movements. Yet, with in cyber (defence) lies with the private (or civilian) functions (taking direct part in hostilities, engaged
(both defensive and offensive). Examples include the privileges of combatant immunity and the right sector. Some nations’ militaries didn’t develop in warfare), may be considered as mercenaries,
U.S. Cyber Command (CYBERCOM), Chinese to engage in hostilities, come the obligations their organic cyber capabilities, not to mention especially if their wages in order to be competitive
People’s Liberation Army General Staff 3rd for the non-regular parts of the armed forces forming cyber-specialised units. Some nations, compared to those offered by private sector are
Department and Unit 61398, Israeli Defence (i.e. militias, volunteer corps and organised due to regulatory restrictions, cannot offer their significantly higher than those paid to the military.
Forces Unit 8200 or Democratic People’s Republic resistance movements) to fulfil the four criteria uniformed personnel performing cyber duties Persons determined mercenaries are not entitled
of Korea Bureau 12131. of combatancy, as described in Section 3 above. emoluments that would be more attractive than to combatant privileges and thus – if captured –
It also requires incorporation into the armed those paid by big corporations, however they can do not enjoy POW status and may be prosecuted
forces that would enable the enforcement either hire civilian employees or outsource such for not only taking direct part in hostilities, but also
the optimal solution
of command and control and disciplinary regime capabilities from the private sector, as the military for the fact of being mercenaries, which is penalised
for cyberwarriors is to be that ensures compliance with LOAC. The same does in many other areas previously belonging by many national criminal legislations.
members of the armed forces requirement incorporation pertains to paramilitary to the military (e.g. logistics). What would be
of a party to the conflict organisations or armed law enforcement agencies the legal status of such civilian employees or With regard to other types of formations that may
that for the duration of an armed conflict may contractors under LOAC? be considered combatants under LOAC, basically
Members of armed forces are combatants, they become parts of the armed forces (e.g. U.S. Coast all of them raise significant questions to their
are entitled to participate in hostilities and they Guard or Polish Border Guards). Both civilians accompanying the force and contractors applicability in the cyber context. Firstly, levée en
enjoy combatant immunity for their actions do not form part of the armed forces33. And though masse defined as “the inhabitants of a country which
in the course of hostilities, as long as these actions Such incorporation would usually require a formal as a general rule, they are immune from direct attack, has not yet been occupied who, on the approach
do not violate LOAC. Combatant immunity is act, for example, an act of parliament that would they share the risks and dangers of war alongside of the enemy, spontaneously take up arms to resist
of particular importance to those, who engage define the membership criteria and requirements with the armed forces they accompany34. The ICRC the invading troops without having time to form
in offensive cyber operations or such cyberdefence in a manner similar to the military. In the absence Guidance provides that themselves into an armed force.” Although – as
activities that could be considered “acts of violence of formal incorporation, the status of such groups “[p]rivate contractors and employees of a party stated by some scholars37 – due to the nature
against the enemy”, as provided for in Article 49(1) could be based on the facts and in the light to an armed conflict who are civilians […] are entitled of cyberconflicts (no borders and no territories) –
of Additional Protocol I. of the criteria for defining armed forces32. to protection against direct attack unless and for such levée en masse would not exist in such conflicts, one
time as they take a direct part in hostilities. Their could imagine spontaneous creation of a cyber levée
However, is it only military units and their This incorporation is a perfect vehicle to make activities or location may, however, expose them en masse in reaction to an enemy invasion. It does,
personnel wearing uniforms that constitute armed voluntary defence organisations (defence leagues) to an increased risk of incidental death or injury even if however raise an issue of carrying arms openly. Even
forces? No, because as provided for in Article specialised in cyberdefence or cyberwarfare they do not take a direct part in hostilities.”35 If, however, the solution mentioned above, i.e. utilising unique
43(1) of Additional Protocol 1, “[t]he armed forces more generally, comprised of talented specialists civilians are employed or contractors outsourced IP addresses or non-civilian technologies to conceal
of a party to the conflict consist of all organised armed working as civilians on a daily basis, but to perform combat function that fulfils DPH criteria, the IP addresses, might be problematic, as it is
forces, groups and units which are under a command undertaking certain military training similar to include cyberattacks, they lose their protection impossible for the military to share the technologies
responsible to that party for the conduct of its to reservists, to fall under the protective umbrella from attack without gaining combatant privileges. with a spontaneously emerging group. Yet,
subordinates.” The quoted provision is considered of combatant status, should an armed conflict there might be options for cyber levée en masse
a reflection of customary international law, which occur. Such cyber specialists wouldn’t need to be Moreover, in certain circumstances, as defined to distinguish themselves from civilian network
state practice has confirmed over decades and mobilised as regular reservists, but the defence in Additional Protocol I, Art. 47(2)36, civilian users, by e.g. publically announcing that certain
is equally applicable to international and non- organisation to which they belong could be
international armed conflicts. In countries where incorporated into the armed forces as a whole, 33 | Jean-Marie Henckaerts, Louise Doswald-Beck, Customary Interna- rect part in the hostilities; 3) is motivated to take part in the hostilities
tional Law…, op. cit., p. 13. essentially by the desire for private gain and, in fact, is promised, by or
militia or volunteer corps (so-called “irregular” with its organisational structure, personnel and
34 | Commentary on the HPCR Manual on International Law Applicable on behalf of a Party to the conflict, material compensation substantially
armed forces) constitute the army, or form part equipment. Additional Protocol I requires a party to Air and Missile Warfare, ed. by Yoram Dinstein and Bruno Demey- in excess of that promised or paid to combatants of similar ranks and
of it, they are included under the denomination to the conflict to notify such incorporation ere, Program on Humanitarian Policy and Conflict Research at Harvard functions in the armed forces of that Party; 4) is neither a national of
“army”. This definition is also used in Article 4 to the other parties to the conflict. University, Version 2.1, Harvard University, Cambridge (Massachusetts) a Party to the conflict nor a resident of territory controlled by a Party
2010, pp. 270-271. to the conflict; 5) is not a member of the armed forces of a Party to the
35 | Nils Melzer, op. cit., p. 37. conflict; and 6) has not been sent by a State which is not a Party to the
31 | Paul Walker, Organizing for Cyberspace Operations: Selected 32 | Jean-Marie Henckaerts, Louise Doswald-Beck, Customary Interna- 36 | A mercenary is a person who: 1) is specially recruited locally or conflict on official duty as a member of its armed forces.
Issues, in: International Law Studies vol. 89, op. cit., pp. 342-343. tional Law…, op. cit., p. 17. abroad in order to fight in an armed conflict; 2) does, in fact, take a di- 37 | See supra note 16.
14 15
VOLUME 2 (2016) | ISSUE 2
sources of cyber actions or certain cyber tools are EU 2015 was establishment of voluntary civic
used solely by that cyber levée en masse. defence leagues composed of skilful and talented
individuals capable of employing cybermeans and
Similar issues arise with other irregular groups: methods of warfare effectively. In order for such
other (i.e. not belonging to nor incorporated into defence leagues to be entitled to lawfully take part
armed forces of a party to the conflict) militias in hostilities they could be either:
and volunteer corps and organised resistance
movements. As opposed to levée en masse, they 1) Offered and accepted up front to be
are required to fulfil all the four combatancy incorporated into the armed forces upon
criteria, as it assumes that they have sufficient time commencement of an armed conflict;
for organising themselves in a manner allowing such defence leagues would have to lobby
to develop responsible command and disciplinary for their governments to introduce appropriate
regime enabling to enforce compliance with LOAC, legislation (preferably before, not after
however fulfilment of the requirement to carry arms the conflict has started); should circumstances
openly may become equally problematic without require, military cyber technologies could be
access to typically military cyber technologies. made available in advance to such civic defence
leagues (to include appropriate training); or
6. Summary and a handful of recommendations
2) If not incorporated into the armed forces,
Full compliance with LOAC requirement they would have to ensure on their own that
in cyberwarfare might be challenging even they meet all the combatancy criteria; this
for regular armed forces, which by definition are might be more challenging, especially without
supposed to e.g. fulfil all the combatancy criteria. access to military technologies clearly distinct
It gets even more challenging for irregular fighting from cybermeans and capabilities available
groups, as hopefully has been proven above. to “regular” civilians.
Challenging doesn’t mean impossible, though,
and LOAC itself comes with assistance offered There are two principal ways
by the Martens Clause encouraging flexible of ensuring that “cyberwarriors”
approach to certain LOAC provisions. Adaptability lawfully engage in hostilities:
of LOAC is its great advantage and – as stressed
enrolment to the armed
in recommendations from the First European
forces or becoming member
Cybersecurity Forum – CYBERSEC.EU 2015, “[…]
legal framework governing the conduct of hostilities
of a militia or voluntary corps
in cyberspace is sufficient […] and the tendency to over- that complies with LOAC
regulate should be avoided38 .” criteria of combatancy.
There are two principal ways of ensuring that The former option – although initially more
“cyberwarriors” lawfully engage in hostilities: formalised and requiring adoption of respective
enrolment to the armed forces or becoming legislation – offers subsequent simplicity
member of a militia or voluntary corps that in implementation and execution, as well as full
complies with LOAC criteria of combatancy. compliance with LOAC requirements and perhaps
One of the recommendations from CYBERSEC. this is the option that should be pursued in order
to enable talented individuals who are civilians
38 | CYBERSEC 2015 Recommendations, p. 11, https://app.box.com/s/
in their regular life to become lawful cyberwarriors,
kb6zaq06v0uyhdh7pr13zk132uiwvu2u, access 21 February 2016. should homeland call to arms. ■
16 17
VOLUME 2 (2016) | ISSUE 2
OPINION
Hackers, Hacktivists, and the Fight for Human Rights in surveillance ‘amounts to a systemic interference
with the right to respect for the privacy
But the politicisation of hackers is somewhat
of a recent phenomenon. The first ‘computer
Cybersecurity of communications’ . It provocatively posits
hackers and hacktivists as the guardians
hackers’, who appeared in the 1970s around
the Massachusetts Institute of Technology
of human rights in cyberspace and of individual in Cambridge, MA, were intrinsically apolitical.
STEFANIA MILAN
Stefania Milan (stefaniamilan.net) is an assistant professor at the University of Amsterdam and the Principal Investigator freedoms of expression, and the right to privacy Highly skilled software writers, they enjoyed
of the DATACTIVE project, exploring the politics of massive data collection (European Research Council Starting Grant 639379). in particular. It explores a side of the hackerdom experimenting with the components of a system
She is also a research associate at the Tilburg Institute for Law, Technology and Society (Tilburg University) and at the Internet
Policy Observatory of Annenberg School of Communication (University of Pennsylvania). Her research explores cyberspace which is unknown to (or deliberately ignored by) with the aim of modifying and ameliorating it,
and cybersecurity governance, grassroots engagement with technology and data epistemologies. Stefania is the author of Social most cybersecurity policymakers – the politically and operated under a set of tacit values which
Movements and Their Technologies: Wiring Social Change (Palgrave Macmillan, 2013) and co-author of Media/Society (Sage, 2011).
motivated use of tech expertise to enhance soon became known as the ‘hacker ethics.’ Such
transparency, raise awareness and shield users ethical code included freedom of speech, access
1. Introduction their voice heard, and the use of encryption is from industry snooping and state monitoring. to information, world improvement and the non-
on the rise, the bulk of the citizenry ignores that interference with the functionality of a system
Edward Snowden, the US security contractor their civic rights are progressively being eroded 2. A question of vocabulary (‘leave no damage’ and ‘leave things as you found
turned whistleblower, has exposed blanket in the name of underspecified cybersecurity needs, them(or better)’). Around the same time, software
data surveillance programs targeting citizens spanning anything from the fight against global A rich mythology has flourished around developers and user communities started
indiscriminately, regardless of their criminal terrorism to the curbing of copyright infringement. the figure of the hacker, often pictured as advocating and practising freedom in managing
record or passport. The current surveillance Cybersecurity policymaking remains, to a large exceptionally talented individuals, perhaps and using computer technology, for instance
complex combines the state apparatus and extent, a grey area which is exclusive to security socially awkward and ready to provoke or exploit targeting software to individual needs. They
the industry in unprecedented tight alliances, agencies, top-level technocrats and the military. chaos in the digital realm. Hackers have been were the pioneers of what became known as
largely hidden to users and generally impermeable The state-industry alliance is rarely broken, and called many names, from heroes to criminals, the open source movement. Similarly to hackers,
to democratic safeguards1. In the same year, only when the manufacturers of the ‘tethered’ from cyber bandits to digital Robin Hoods, they promoted a hands-on attitude to computing
the United Nations (UN) Special Rapporteur devices3 that constitute the final link in the chain regardless of the enormous differences that and information more in general; but while
on the Promotion and Protection of the Right of surveillance publicly stand up against law exist within the worldwide hackerdom. In order hackers emphasised a ‘do not harm’ approach,
to Freedom of Opinion and Expression, Frank enforcement requests, as the recent Federal to position the core argument of this article, open source advocates championed collective
La Rue, has denounced threats this surveillance Bureau of Investigations vs. Apple case shows4. we ought to start from what is in a world, as it improvement and selfless collaboration.
frenzy represent for human rights. He argued But while from the perspective of the state can help us understand the connection between
that ‘Communications surveillance should be the imperatives of national security are perfectly hacking, ethics, and human rights – and position Since the 1970s, hacking, as well as the open
regarded as a highly intrusive act that potentially legitimate and dutiful, there remain some the variety of tactics hackers and hacktivists use source movement, went a long way. Commonly,
interferes with the rights to freedom of expression open questions for what concerns the human in the attempt to create a better cyberspace or we distinguish between ‘black hat’ hackers
and privacy, and threatens the foundations rights implications of (some of the) current safeguard online freedoms. who violate computer security with malicious
of a democracy society. He exposed, among cybersecurity arrangements, especially in light intents like fraud or data theft, and ‘white hat’
others, the unregulated access to communications of the government’s obligation to uphold and ‘Hackers are VERY serious about forbidden hackers, who on the contrary perform hacking
data, the lack of judicial oversight over massive protect human rights following from the Universal knowledge. They are possessed not merely duties in view of repairing bugs or ‘making things
data collection, the mandatory data retention Declaration of Human Rights (1948). by curiosity, but by a positive LUST TO KNOW,’ better.’ Between the two, a plethora of nuances
requirements imposed on manufacturers and wrote cyberpunk novelist Bruce Sterling back and variations can be found amongst the many
providers of electronic communication, the extra This article connects the current debate in 1993. He linked ‘these young technophilic people who self-identify as ‘hackers,’ including
territorial application of surveillance laws and on surveillance of communications with human denizens of the Information Age’ to ‘some basic civic hackers who use data and software
the extra-legal surveillance2. But if a variety rights. It departs from the assumption that mass shift in social values’ that emerge as ‘society to ameliorate the state output but often have
of non-governmental organisations has made lays more and more value on the possession, no particular programming skills and ‘ethical
3 | Zittrain, J. L. (2008). The future of the internett–And how to stop it. assimilation and retailing of INFORMATION as hackers’ who, for example, support security
1 | Deibert, R. (2013). Black Code: Inside the Battle for Cyberspace. New Haven and London: Yale University Press. a basic commodity of daily life’5. agencies in their fight against terrorism or
Toronto: Signal 4 | Kravets, D. (2016). ‘FBI vs. Apple is a security and privacy issue.
report vulnerabilities with the scope of helping
2 | United Nations General Assembly, A/HRC/23/40, 17 April 2013; What about civil rights?, ArsTechnica, 15 March; http://arstechnica. 5 | Sterling, B. (1993). The Hacker Crackdown. Law and Disorder on the
http://www.ohchr.org/Documents/HRBodies/HRCouncil/RegularSes- com/tech-policy/2016/03/fbi-v-apple-is-a-security-and-privacy-issue- Electronic Frontier. New York: Batham, http://cyber.eserver.org/ster-
an organisation fixing them.
sion/Session23/A.HRC.23.40_EN.pdf. what-about-civil-rights. ling/crackdwn.txt. Original capitals.
18 19You can also read
