Seth Oppenheim explores the application of the law of war to cyber conflicts and why efforts should be made to shape its future now.
The summer blockbuster season presents the perfect opportunity to reflect on one of Hollywood’s biggest off-screen hits from 2014: North Korea’s alleged hack of Sony in response to The Interview, a buddy comedy about the assassination of Kim Jung-un. Because of the Sony hack, The Interview was ultimately given a limited theatrical release and made available through online streaming, grossing some $40 million to less than kind reviews. However, a Hollywood studio executive may one day convene a pitch session to consider turning the real-life events of this ‘movie within a headline’—Sony initially pulling the release of The Interview in response to North Korea’s threats for this act of cinematic lèse-majesté—into a sequel of sorts. That pitch session would likely revolve around the one thing missing from this story: a hero.
All feature films require at least three things: a protagonist, an antagonist, and conflict. The Sony hack had an antagonist (the Guardians of Peace, who allegedly carried out the hack, and the North Korean government, who was allegedly behind it) and conflict (Sony’s initial refusal to release The Interview after the Guardians of Peace leaked sensitive corporate information and North Korea vowing to attack movie theaters if the film were to show). As for a protagonist? Well, there were certainly victims (Sony), bystanders (George Clooney, aghast that a Hollywood studio would cave to such pressure), and supporting characters (President Obama, who chastised Sony and vowed retaliation for this act of “cyber vandalism”). But no hero.
How about a lawyer?
Let’s be honest. Lawyers rarely make movie heroes. They usually offer instead the comic relief, devoured by a T-Rex while cowering inside an outhouse as in Jurassic Park. But imagine a modern-day movie version of Francis Lieber, the Prussian lawyer whose Lieber Code, which was promulgated during the American Civil War to govern the conduct of Union forces, became the basis upon which future laws of war, such as the post-World War II Geneva Conventions, were based.
Although the target was a commercial entity, if the Sony hack indeed represents an act of aggression carried out by a nation state rather than, for instance, a criminally motivated cyber intrusion, a political statement by keyboard-for-hire hacktivists, or as President Obama indicated, an incident of cyber vandalism, the law of war applies. While the victims were largely limited to commercial and creative interests, this is precisely the circumstance to which the law of war is intended to apply: to ensure that attacks by a nation state are carried out in a manner that protects humanitarian interests as best as possible. Furthermore, it is not beyond the realm of Hollywood’s creativity that the next target in a state-sanctioned cyber conflict might not be a movie studio but a power grid, a mass transportation system, or a hospital in which lives, and not just commerce, is lost.
While the application of the law of war to cyber conflicts is novel, at issue is resolving key legal questions that are central to any law of war discussion: what sectors of a country may be targeted, how those attacks should take place, and what—and who—is off limits. Even under the law of war in a conventional conflict, power grids may be attacked if they are critical to the war effort, mass transportation systems may be bombed if used to move munitions, and hospitals may be targeted if combatants are housed within.
Cue the lawyers. The real-life versions of our cinematic law of war hero need to push these questions to the forefront of legal debates on cyber conflict, particularly as countries develop new cyber strategies as part of their broader national security platforms. For example, absent from the recent US Department of Defense Cyber Strategy is any discussion of the proposed legal limits that the Department of Defense would consider in employing cyber warfare. Admittedly, this strategy, which is largely intended to mitigate US vulnerabilities to cyber strikes, may not be the right forum for this debate. These discussions should not only take place at “a whole of government” level but also in international forums such that the international community can begin building consensus on those limits. Otherwise, despite the newness of cyber warfare, there is a real risk that the continued advent of cyber intrusion technologies will vastly outpace our ability to employ it responsibly.
Of course, as with any Hollywood movie, it is important to remember the target demographics. North Korea remains a pariah state that is unlikely to adhere to the law of war. Public international law is a symmetrical calling, after all: I choose to abide by the law because I know that you, my adversary, will also abide by it. However, it is incumbent upon nation states, particularly those that have been both the perpetrator and the victim of cyber conflict to decide today how best to shape the law of war governing tomorrow’s cyber warfare such that the rules will best protect non-combatants, be they civilians, companies, or movie studios. Otherwise, the Sony hack will be deserving of a sequel, and in the great tradition of Hollywood blockbusters, ‘Part II’ will be bigger, bloodier, and far more bombastic.
Seth Oppenheim, an alumnus of the Global Governance Futures program and a former Robert Bosch Foundation Fellow where he worked in the Office of the Legal Advisor of the German Federal Foreign Office, is an American lawyer working in the field of national security law. The views expressed in this editorial are entirely his own.