In a new study by the EastWest Institute (EWI) entitled "Working towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace," one of the recommendations addresses the issue of non-state actors in cyberspace. The report states, "Russia, the U.S., and other interested parties should assess how best to accommodate Convention principles with the new reality that cyber warriors may be non-state actors." This assessment on non-state actors indeed has not just surfaced in relation to cyberspace. The increasing importance of non-state actors is evident in all spheres of international relations.
Many books and studies have been written on the erosion of the current state paradigm, the Westphalia System, such as Martin van Creveld's book The State: Its Rise and Decline in which he argues that the decline of the Westphalia system may have started as early as 1945. His verdict is:
In the future, and to a growing extent, more and more of these organizations [i.e., non-state actors] can be expected to emancipate themselves from state control and to play an independent role. Playing an independent role, they will exercise growing power over members and non-members; e.g. by making their own laws, exercising their own justice, levying their own taxes, and even manufacturing their own money ....
Consequently, cyberspace in the proliferation of non-state actors is a "force multiplier", accelerating and amplifying a process that started decades ago. Non-state actors, however, pose a unique problem in cyberspace due to their nebulous, aloof character; the difficulty of tracking their movements; and the immense destructive power that skillful hackers can yield upon networks and other critical infrastructure. Paraphrasing the old saying on the Colt Revolver, it is indeed true that "God created man; cyberspace made them equal." Every expert agrees that if we do not want to have a cyber Wild West we need "rules of the road" and a sheriff enforcing these rules in our dealings with non-state actors.
The legal frameworks based on the Westphalia system, however, appear inadequate. As one of the principal authors of the EWI study, Karl Rauscher, states, "Today, nearly all critical civilian infrastructure is online from the electricity grids that support hospitals to the systems that guide passenger planes through the air. And, by and large, it is not protected by international norms."
To address this issue, the EWI report poses five distinct questions meant to act as a catalyst for first steps towards a broad dialogue on this topics and eventual new legal regimes:
- Can protected critical humanitarian infrastructure entities be "detangled" from non-protected entities in cyberspace?
Due to a lack of space, my focus is on one of the questions: Should we reinterpret convention principles in light of the fact that cyber warriors are often non-state actors? My answer would be that a reevaluation of principles is a starting point, but any new form of legislation based on the primacy of the state will only yield partial results. It is just as important to agree to an individual code of conduct - a set of rules to which hackers, script kiddies, and state-sponsored attackers hold themselves accountable. In short and without bathos, we need a personal code of chivalry for cyberspace. Returning to the European Middle Ages appears to be a far-fetched metaphor; however, other scholars have used Middle Ages metaphors before. Chris Demchak for examples states:
Rather, the modern cyberspace that critically sustains most of your living is more like an enormous, muddy, colorful, moderately chaotic, medieval annual fair. While offering great and new resources, it is also replete with tons of paupers (script kiddies), pickpockets (small time credit card thieves), con artists (phishers, social engineers, ID thieves), and organized competing gangs of muggers (huge professional botnet masters), along with occasional wholesale attacks by armed brigands (organized cyber gangs, national level covert cyber units).
During the Middle Ages, the Holy Roman Empire of German Nations and the church yielded tremendous legal and moral power on non-state warriors: the medieval knights. Both the Holy Roman Empire and the Roman Catholic Church (both also non-state actors) took an active interest in medieval warfare and instilled a code of conduct and rules into medieval warfare that found its way into the medieval code of chivalry. For example, although the precise nature of the verdict is now contested by some historians, Pope Innocent II during the Second Lateran Council banned the use of crossbows against Christians in battle. This was largely upheld during most of the middle ages. Long-range weapons during the High Middle Ages were frowned upon and very often not used in battle since their usage carried a dishonorable stigma.
With the difficult task of tracing culprits in cyberspace, the problems of installing common authentication mechanisms across borders, of deterring acts of aggression, and installing an individual sense of responsibility are crucial. Just like in the analogue world, we will never be able to guarantee peace and justice in cyberspace; we will always have criminals, scam artists, and aggressors. In the Middle Ages, the chivalrous code could not prohibit the outbreak of the plague, peasant revolts, the rape and pillage of the Crusades, or even the usage of cross and longbows during sieges. The code, however, did instill a basic sense of what is appropriate and inappropriate into the knights and warfare, and as the writing of St. Thomas Aquinas shows, inspired some fundamental philosophical deliberations on the justness and injustice of war and the conduct in war. Most medieval lords and knights (apart from their awe of God) upheld the code of chivalry because it guaranteed their standing in society. As the status of cyber warriors incrementally increases, they also will have a vested interest in vindicating their status.
Transferring a similar code of conduct to the individual cyber warrior in cyberspace can be tricky. It remains to be seen whether other major stakeholders will follow suit and form the critical mass necessary to impose a new set of self-regulating rules in cyberspace; however, the joint Russia-US initiative, led by experts of these two cyber superpowers in this field, may be the first stepping stone towards raising awareness of these complicated issues. There is no doubt that an updated version of the Geneva Convention will be needed to combat the lawlessness of cyberspace, and the EWI report is a sound basis for an initial discussion. As outlined above, however, readdressing the shortcomings of the Geneva and Hague Conventions without emphasizing the crucial importance of the individual in cyberspace will produce limited results.
Franz-Stefan Gady is a foreign policy analyst. The East West Institute will be hosting the Second World Wide Cybersecurity Summit on June 1-2, 2011 in London.