Challenges from the Cyber Domain: Cyber Security and Human Rights

Challenges from the Cyber Domain: Cyber Security and Human
Rights

Authored by Adam D Brown
London School of Economics and Political Science

2011

Copyright © 2011

1

“If we wish to remain human, then there is only one way, the way into the open
society. We must go on into the unknown, the uncertain and insecure, using what
reason we may have to plan as well as we can for both security and freedom.”
1
-- Karl Popper, The Open Society and Its Enemies

Developing countries frequently grace the pages of academic discourse on human
rights and civil liberties. Traditional human rights violations, by infamous
dictatorships that fail to apply Western universal principles of human rights, are a
common narrative. The arguments advanced in this paper spare the developing world,
at least for the present.2 Instead the arguments that follow indict the developed
‘information societies’ that are now heavily dependant on cyber technologies.
Dependency on the cyber domain, for all the benefits it brings society, delivers
equally, a precarious state of vulnerability. State-implemented cyber security can
provide an allegory of good government, of security and freedoms, or succumb to
repression and less desirable characteristics of human nature. United Nations Special
Rapporteur, Frank La Rue, has argued the internet is “one of the most powerful
instruments of the 21st century,” a machine for building democracy.3 It is necessary
then, to understanding this twenty-first century global machine and its two billion
human dependants.4

This paper explores the key tensions between human rights and state-implemented
cyber security. It will be argued that three central tensions exist between these two
prima facie competing goals. First, ‘attribution versus anonymity’ advances tensions
at the core of the debate around transparency on the internet and protection of privacy.
Second, competing cyber security norms amongst nation-states, produce unease
tensions that threaten both security and the principle of internet freedom. Finally,
looming cyber war threatens to erode the human rights and civil liberties enjoyed by
the global internet community. These three tensions comprise the first set of
arguments contended in this paper. The second argument advanced, within each

1
Karl Popper, The Open Society and Its Enemies , Vol. 1 (Routledge , 1945). P.201
2
It is acknowledged that depending on the definition of ‘developing world,’ some states have a
moderate IT infrastructure. This paper is concerned with states with heavy dependency on cyber
technologies. The ‘digital divide’ has left large regions of the world out of the ‘internet revolution.’ A
brief look at recent states demonstrates this divide. See supra note 133.
3
Frank La Rue, Report of the Special Rapporteur on the promotion and protection of the right to
freedom of opinion and expression, Human Rights Council (Geneva: United Nations, 2011).
4
There are now over a two billion people using the internet. See supra note 133.

2

chapter, purports to navigate these tensions, elucidating the shortfalls and points of
convergence between each competing tension. By balancing the goals of human rights
and cyber security, 'information societies' in the twenty-first century will ultimately be
protected from the emergence of a tyrannical cyber state or the devastating effects of
cyber attacks.

The emerging cyber lexicon is fraught with ambiguities and conflated language. This
paper endeavours to articulate key term meanings, when required, in the context of
the arguments being advanced but inevitability further definitional understanding may
be needed. Supplementary to the taxonomy used, is a glossary and a brief discussion
on the key foundational terms discussed within this paper.5

Attribution versus anonymity

Attribution

Discovered in 2008 by researchers at the Munk Centre for International Studies,
GhostNet was found propagating itself undetected through the internet using a trojan
attack called 'gh0st RAT' to hijack computers.6 By the end of 2009, GhostNet had
infiltrated 1,295 computers in 103 countries.7 Subversively mining data, GhostNet
recorded keystrokes and silently engaged computer visual and audio inputs of
unknowing users.8 Military attachés, diplomats, journalists and human rights
organisations were targeted; an estimated thirty percent of compromised computers
were considered to be of high diplomatic, political, economic or military value.9
Despite accusations in the media that China was responsible, researchers conclusively
stated they were unable to attribute any actor to these high profile attacks.10 The
inherent design of the internet, using an antiquated IPV4 system of address

5
Glossary on page 29 and a brief discussion on definitional foundations on page 31.
6
Rafal Rohozinski, Tracking GhostNet: Investigating a Cyber Espionage Network, Munk Centre for
International Studies (Toronto: Information Warfare Monitor, 2009).
7
Ibid, 5.
8
Ibid, 47.
9
Ibid, 47.
10
Ibid, 9

3

assignment had provided the malicious virus too many loopholes and methods for
masking data and administrator identity.11

By exploiting the characteristics of the internet that allow for anonymity, GhostNet
and other forms of cyber attacks have proliferated throughout the internet, allowing
nefarious actors to carry out their attacks “with almost complete anonymity and
relative impunity.”12 Conversely, dissents and those living under repressive
governments are able to use the same anonymitsing technologies, encryption and
other methods available on the internet, to facilitate the rights enjoyed in Western
democratic nations, freedom of speech and assembly. Internet ‘freedom’ is a central
tenant of the original creators of the World Wide Web but ‘freedom’ is a contentious
term. Karl Popper contends, there needs to be freedom with security.13 Sir David
Omand, former Director the Government Communications Headquarters (GCHQ),
argues in Securing the State, that not only is balancing security and human rights
important but that intelligence and security work needs to operate in a “framework of
human rights.”14 Given the rise in malicious cyber attacks, security practitioners are
arguing that the balance between anonymity, that facilitates free speech, is tilted too
far in one direction and that greater security on the internet is needed. In Chatham
House report, Cyberspace and the National Security of the United Kingdom, its
authors argue

“…the Internet could scarcely be improved upon as a medium for extremist
organization and activity. …[it] should be no surprise, therefore, that extremists
are also attracted to a system which offers inbuilt resilience and virtual
anonymity.”15
The diversity in methods and uses, employed by terrorists networks on the internet, is
increasing in complexity. Exploiting cryptography, internet protocol spoofing, secure
email and other features of the internet that allow for anonymity, terrorists are able to
collaborate, educate and carry out attacks, subverting detection from authorities.16

11
Ibid, 12.
12
David Livingstone, Dave Clemente, Claire Yorke, Paul Cornish, On Cyber Warfare, The Royal
Institute of International Affairs (London: Latimer Trend and Co Ltd, 2010). Vii.
13
See supra note 1.
14
David Omand, Securing the State (London: Hurst & Company, 2010). 321.
15
Rex Hughes, David Livingstone, Paul Cornish, Cyberspace and the National Security of the United
Kingdom: Threats and Responses, A Chatham House Report, Royal Institute of International Affairs
(London, 2009). 5.
16
Daniel McGrory Michael Evans, Terrorists trained in Western methods will leave few clues, 12 July
2005, 22 May 2011 <http://www.timesonline.co.uk/tol/news/uk/article543004.ece>.

4

Elements of crime and terrorism have merged online. John Rollins and Catherine
Theohary in a report for Congress, observe that ‘cyber crime’ “… has now surpassed
international drug trafficking as a terrorist financing enterprise...”17 McAfee, one of
the worlds largest cyber security companies, estimate one trillion dollars worth of
intellectual property was stolen via cyber attacks in 2008.18 In 2009, Symantec,
another large cyber security company, reported in one cyber attack alone, the theft of
130 million credit card numbers and in another incident, the same year, seventy-six
million personal identifications stolen.19 Detica and the Office of Cyber Security and
Information Assurance, reported in 2009, that cyber crime cost the United Kingdom
an estimated twenty-seven billion pounds per annum.20 The scale of cyber crime and
threats from non-actors in the cyber domain, indicate to cyber security analysts, that a
fundamental re-design of the internet is needed. Former Director of National
Intelligence, Mike McConnell, has argued “we need to re-engineer the Internet to
make attribution, geo-location, intelligence analysis and impact assessment – who did
it, from where, why and what was the result – more manageable.”21 Federal Bureau of
Investigation General Counsel Valerie Caproni, has argued in a case involving child
trafficking, that she lacked “the necessary technological capability to intercept the
electronic communications” that would have allowed for greater evidence against the
accused.22 Greater attribution on the internet aids law enforcement and facilitates
greater protection of rights.23 Greater attribution can also erode civil liberties such as
the right to privacy and ‘chill’ freedom of speech.

17
John Rollins, Catherine A. Theohary, Terrorist Use of the Internet: Information Operations in
Cyberspace, Report for Congress, Congressional Research Service (Washington, 2011). 2.
18
Respondents to McAfee’s report, comprised of 800 chief information officers, broke this figure
down by stating $4.6 billion was lost in data and spent about $600 million cleaning up after breaches.
See Elinor Mills, Study: Cybercrime cost firms $1 trillion globally, 28 January 2009, 08 March 2011
<http://news.cnet.com/8301-1009_3-10152246-83.html>.
19
Symantec, “Symantec Global Internet Security Threat Report: Trends for 2009,” Volume XV (2010).
28.
20
Detica and the Office of Cyber Security and Information Assurance in the U.K. Cabinet Office, The
Cost of Cyber Crime (London, 2011). 2.
21
Susan Landau, David D. Clark, “Untangling Attribution,” Harvard National Security Journal 2
(2011): 1.
22
Jennifer Martinez, Feds want new ways to tap the Web, 7 March 2011, 26 April 2011
<http://www.politico.com/news/stories/0311/50755.html>.
23
This is assuming that the state protects human rights within their legal framework.

5

Anonymity

Without ‘re-engineering’ the internet, business and government have devised alternate
ways of obtaining online identifications. Facebook, the largest social networking
website,24 has established a strict no pseudonym policy, requiring users to use their
government-authorised name.25 This policy, according to Facebook, leads to greater
accountability, safety and a “more trusted [online] environment” but human rights
campaigners have argued it limits their freedom of speech.26 Moreover, there are
consequences in the physical world to improving online identification. Law
enforcement officers in the United Kingdom have capitalised on Facebook’s policy
and used it to identify and apprehend suspected criminals in the physical world.27
More intrusive, have been the implementation of “real-name” systems in Italy, South
Korea and China.28 These require citizens to prove their identity before accessing
specific websites or ‘logging on’ at internet cafes.29 China compliments its cyber
security “real-name” system, with subversive internet monitoring tools. Rebecca
MacKinnon author of Networked Authoritarianism, identifies one monitoring system
named Green Dam Youth Escort (GDYE) that

“…not only censored political and religious content but also logged user
activity and sent this information back to a central computer server belonging to
the software developer’s company.”30
GDYE “aimed at protecting children from inappropriate content,” was widely
believed by Western observers to be affiliated with the Chinese government and used,

24
New York Times, Latest Developments: Facebook, 06 July 2011, 10 July 2011
<http://topics.nytimes.com/top/news/business/companies/facebook_inc/index.html>.
25
Tini Tran, Activist Michael Anti Furious He Lost Facebook Account--While Zuckerberg's Dog Has
Own Page , 03 March 2011, 23 April 2011 <http://www.huffingtonpost.com/2011/03/08/michael-anti-
facebook_n_832771.html>.
26
Ibid,Tran.
27
Arrest over social network site damage incitement, 14 August 2011, 17 August 2011
<http://www.bbc.co.uk/news/uk-england-tyne-14521031>.
28
These “real-name” systems, despite their attempts at greater attribution, have received criticism as
flawed and easily circumvented. Jonathan Ansfield, China Web Sites Seeking Users’ Names, 05
September 2009, 02 June 2011
29
Ibid. Ansfield.
<http://www.nytimes.com/2009/09/06/world/asia/06chinanet.html?pagewanted=1&hp>. Also see
information on Italy at Italy: Internet Surveillance, 05 December 2010, 07 June 2011
<http://opennet.net/research/profiles/italy>.
30
Rebecca MacKinnon, “China’s “Networked Authoritarianism”,” Journal of Democracy (2011): 40.

6

subversively to collect personal data on its citizens.31 Russia has implemented
measures to better identify Russian citizens in cyber space. In 2008 Russian Minister
of Communications, Leonid Reiman, reinstated obligations under SORM-II, legally
requiring that internet service providers (ISP) submit reports to Russia’s secret service
agency (FSB).32 These reports were required to provide “users’ names, telephone
numbers, e-mail addresses, one or more IP addresses, key words, user identification
numbers, and users’ ICQ number (instant messaging client), among others.”33 Under
orders of President Vladimir Putin, these details were made available to other
branches of government, raising privacy concerns amongst human rights advocates
and at the United Nations.34 China and Russia, in 2009, were within the top 10 most
prolific producers of malicious cyber attacks worldwide.35 These figures question the
cyber security methods used by Russia and China. They are either ineffective at
stopping cyber attacks or are used and designed for other purposes. The United
Nations report on The promotion and protection of the right to freedom of opinion
and expression, has specifically identified ISP liability as a danger to human rights.36
United Nations Special Rapporteur, Frank La Rue contends that a fundamental feature
of the World Wide Web, is that it “depends on intermediaries, or private
corporations” without government interference.37 ISPs that know they are being
monitored by the state, leads to “self-protective and over-broad private censorship”
that has a ‘chilling effect’ on freedom of speech and principles of internet freedom.
According to La Rue, ISP liability is a serious threat to human rights and appears to
becoming more prolific throughout the world.38

Moving forward

Prima facie tensions exist between the goals of increasing transparency on the World
Wide Web while maintaining privacy and anonymity. Bridging these conflicting aims

31
Ibid, 40.
32
OpenNet Initiative, Russia, 19 December 2010, 21 January 2011
<http://opennet.net/research/profiles/russia>.
33
Ibid, Russia.
34
Ibid, Russia.
35
See supra note 18 at 7.
36
37
38

7

requires a proportionate, balanced and systematic response. Richard Clarke and
Robert Knake argue a variety of technological-political solutions to advancing the
aims of both cyber security and human rights advocates.39 It is contended, two are
most important to the arguments advanced, “deep-packet inspection” and replacing
the “TCP/IP protocol.” Clarke and Knake argue an effective method of combating
cyber crime and malicious online activity is to install “deep-packet” inspection
systems on Tier 1 ISP networks.40 These systems would effectively scan data moving
through the network identifying malicious activity.41 Knake and Clarke refute the
argument that it is a “Big Brother” system, contending that the system would have
“real oversight mechanisms” and be run by a “Civil Liberties Protection Board” with
no affiliation to the government or ISPs.42 Moreover, data itself would not be read,
rather the “signatures” or identifying features of malicious cyber threats.43 This
system is in direct opposition to Frank La Rue’s aforementioned report that states
“…censorship measures should never be delegated to a private entity, and that no one
should be held liable for content on the Internet of which they are not the author.”44
La Rue’s report does not strike a proportionate balance between cyber security and
human rights. In the United Nations Universal Declaration of Human Rights and the
International Covenant on Civil and Political Rights, rights of freedom of speech,
assembly and privacy are all qualified.45 Given the significant threat from malicious
cyber attacks argued, that themselves violate human rights, Knake and Clarke provide
a more balanced and propionate response. While there is an inherent danger in Knake
and Clarke’s system of corruption, this is inherent in any democratic system;
defended against only through the continuous stewardship of human rights by citizens
themselves. Returning to Knake and Clarke’s second contention of resolving the
aforementioned problems of attribution and anonymity, is to replace the current
TCP/IP protocol with an encrypted military protocol.46 Knake and Clarke argue that a
military protocol would allow for better sorting of data travelling through the internet

39
Robert Knake, Richard Clarke, Cyber War (New York: HarperCollins, 2010). 161-162 and 273.
40
Tier 1 ISP networks are considered the “backbone” of national internet networks. Shutting a Tier 1
network, would result in many smaller networks becoming ‘detached’ from the internet and large
numbers of people being disconnected from the internet. See Ibid. 161.
41
42
See supra note 37 at 162-163.
43
Ibid, 162-163.
44
45
46

8

into various priorities and networks.47 It would include better encryption facilities, so
that, unlike today, most data could be secured. Advocates of greater anonymity could
use a network using this protocol, knowing their data was encrypted and was going to
reach the destination without interference. This second argument by Knake and
Clarke is problematic in the context of Human Rights. Sorting data raises a number of
dilemmas in a global network. Questions emerge around who decides what and how
data is sorted. A single` global standard of encryption raises problematic issues of
vulnerability and ‘backdoor’ access. Governments have historically been wary of
allowing encryption technologies without ‘backdoors’ that they can use, if that
technology were to be used by ‘criminals’ or ‘terrorists.’48 A global encryption
protocol moreover, would need to be very secure. Haystack software, used in 2010,
was developed by the United States to be used by Iranian dissents as a method of
evading Iranian government sensors.49 The software was soon ‘cracked’ by
independent experts who suggested that the Iranian regime might have done the same,
exposing all those dissents that used the software.50 Knake and Clarke address the
core tensions between cyber security and human rights. It is argued the later solution,
is less desirable then the former but both elucidate that bridging these competing
goals is achievable in varying degrees. As states continue to devised methods within
cyber security, emerging cyber security norms develop. These norms can have a
significant impact on international human rights law and the principles of internet
freedom.

Cyber security norms and human rights

Cyber security norms increasingly differ as states move to exert greater sovereignty in
the cyber domain. Lack of global governance and advancements in technology have
resulted in states enacting their own cyber security policies, a move that tests the

47
Ibid. 273.
48
Will Rogers Richard Fontaine, “Internet Freedom and Its Discontents: Navigating the Tensions with
Cyber Security,” Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in the
Information Age, Vol. II (Washington: Center for a New American Security, 2011) I-II vols. 150-151.
49
Ibid. 151-152
50
Ibid. 151-152.

9

principles of those who advocate for a ‘free’ and ‘unfettered’ World Wide Web
(‘web’). Tim Berners-Lee, original architect of the hypertext protocol that governs the
World Wide Web, contends that like democracy, a “free” and “open” cyber space
needs to be continuously maintained against governments and corporations who may
succumb to more repressive cyber security tendencies.51

“The Web is now more critical to free speech than any other medium. It brings
principles established in the U.S. Constitution, the British Magna Carta and
other important documents into the network age: freedom from being snooped
on, filtered, censored and disconnected.”52
Here it is evident that there exists an analogous aim in both the internet freedom
principles described by Berners-Lee and international human rights legal norms of
freedom of speech and assembly.53 Berners-lee with his 'internet freedom principles'
echoes Frank La Rue, who argues that the transformative nature of the internet, as a
tool for building democracy, has been revolutionary and that it is a result of the
unique characteristic of free two-way communication.54 The right to freedom of
opinion, expression and the right “to hold opinions without interference” are
enshrined in Article 19 of the Universal Declaration of Human Rights and the
International Covenant on Civil and Political Rights.55 If there is any doubt, The
Covenant on Civil and Political Rights, states that freedom of opinion and expression
applies to those who “… seek, receive and impart information and ideas of all kinds,
regardless of frontiers, either orally, in writing or in print, in the form of art, or
through any other media of his choice;” with emphasis on “other media of his choice”
and “regardless of frontiers.”56 These United Nations conventions provide ample
fodder for advocates of a ‘free’ internet but they are not determinant. On further
reading of the Covenant on Civil and Political Rights, there resides, in Article 19,
sections 3 (a) and (b) qualifying statements to limit these rights.

“The exercise of the rights provided for in paragraph 2 of this article carries
with it special duties and responsibilities. It may therefore be subject to certain
51
Tim Berners-Lee, Long Live the Web: A Call for Continued Open Standards and Neutrality, 22
November 2010, 04 April 2011 <http://www.scientificamerican.com/article.cfm?id=long-live-the-
web>.
52
Ibid, Berners-Lee.
53
Given the level of abstraction argued in this paper, will contend that both the internet freedom
principle and human rights share principle aims and will be used interchangeably.
54
55
56
United Nations, “International Covenant on Civil and Political Rights,” Art.19. 16 December 1966,
03 March 2011 <http://www2.ohchr.org/english/law/ccpr.htm>.

10

restrictions, but these shall only be such as are provided by law and are
necessary:
(a) For respect of the rights or reputations of others;
(b) For the protection of national security or of public order (ordre public), or of
public health or morals.”57
It is not unforeseeable, that governments would validate their cyber security policy
using sections (a) or (b). Riots and civil unrest throughout the Middle East, during the
‘Arab Spring,’ led governments to temporary shut off internet access in, what was
argued, an effort to maintain public order.58 British Prime Minister David Cameron
employed the same reasoning during the August riots in London, advocating to
temporarily “turn-off” access social media networks.59 This suggests that democratic
regimes are not immune to bolstering their cyber security policy against human rights
concerns. These examples demonstrate tensions between international human rights
law and state cyber security measures. Cyber security norms are tenuous between
states as well.

Western universal principles of human rights when applied to the concept of ‘cyber
security’ are in tension with Eastern notions. In the Russia-U.S Bilateral on
Cybersecrity Critical Terminology Foundations, it emerged that the term ‘cyber
security’ carried different connotations for both parties.60 While both teams of
negotiators agreed that ‘cyber security’ denoted ‘protection’ and that it was analogous
with ‘information security,’ the Russian perspective was that ‘protection’ included
“protecting the population from terrorism” and that censorship was “… an essential
aspect of ‘information security.’”61 China to, views anti-government dissonance as a
threat and has adopted an analogous definition of cyber security as Russia.62 The
Russian and Chinese perspectives are incompatible with Western concepts of liberty
and international human rights law, having a fissiparous effect on cyber security

57
Ibid, 23.
58
Reuters, Arab Web clampdown hurts own economies: Google's Schmidt, 26 May 2011, 24 June
2011 <http://www.reuters.com/article/2011/05/26/us-g8-google-arab-idUSTRE74P4EO20110526>.
59
British Broadcast Corporation, England riots: Government mulls social media controls, 11 August
2011, 15 August 2011 <http://www.bbc.co.uk/news/technology-14493497>.
60
Valery Yaschenko Karl Frederick Rauscher, Russia-U.S. Bilateral on Cybersecurity: Critical
Terminology Foundations, Worldwide Cybersecurity Initiative, EastWest Institute (New York:
Moscow, 2011). 16.
61
Ibid,16.
62
Martha Finnemore, “Cultivating International Cyber Norms,” Travis Sharp Kristin M. Lord,
America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Center
for a New American Security, 2011) I-II vols.P.89-90

11

norms with human rights. The Chinese and Russian interpretation of cyber security
leads to a third, consequential tension, with human rights; that between the state and
citizen.

Censorship is a formidable and increasingly used tool by state-implemented cyber
security regimes. Such is the threat of pervasive filtering or censorship that “Vinton
Cerf, popularly known as the ‘father of the Internet,” has suggested, “…if every
jurisdiction in the world insisted on some form of filtering for its particular
geographic territory, the web would stop functioning.”63 Cerf’s observation illustrates
the extent the internet requires international cooperation and importantly, the
establishment of carefully crafted censorship norms. China is a world leader in the use
of surveillance and censorship technologies, having “the largest and most
sophisticated filtering systems in the world.”64 Rebecca MacKinnon argues that the
refined and sophisticated methods used by the Chinese government, allow for prima
facie freedom of speech.65 MacKinnon describes that in China debate can be fierce
and passionate, “bringing injustices to national attention… [causing] genuine changes
in local-government policies or official behaviour.”66 These freedoms, to use a
security analogy from Karl Popper, are a chimera.67 As Mackinnon observes,

“in the networked authoritarian state, there is no guarantee of individual rights
and freedoms … the government has continued to monitor its people and to
censor and manipulate online conversations to such a degree that no one has
been able to organize a viable opposition movement.”68
Most concerning from MacKinnon’s observations, are the consequential political
repercussions of this censorship and surveillance. Reporters Without Boarders,
reported in 2010, that out of 119 ‘cyber dissidents’ imprisoned around the world as a
result of their online political dissonance, 77 were detained in China.69 These arrests
remind Chinese dissidents that the government is watching and this has a ‘chilling
effect’ on freedom of speech. These electronic intrusions by the Chinese government

63
Rex Hughes, David Livingstone Paul Cornish, Cyberspace and the National Security of the United
Kingdom: Threats and Responses, A Chatham House Report, Royal Institute of International Affairs
(London, 2009).P.17
64
OpenNet Initiative, China: regional profiles, 15 June 2009, 11 July 2011
<http://opennet.net/research/profiles/china>.
65
66
Ibid. MacKinnon.
67
68
See supra note 33.
69
Reporters Without Boarders, “The Enemies of the Internet,” 12 March 2011, World day against
cyber-censorship, 08 August 2011 P.5 <http://march12.rsf.org/en/#ccenemies>.

12

go against the aforementioned principles of internet freedom. China’s cyber security
methods are severe but China is not unique amongst states in censoring online
content. Censorship, to varying degrees has become a global norm, practiced by most
states, even democratic regimes. Government censorship on the internet is best
elucidated by The OpenNet Initiative’s report, documenting YouTube censorship
around the world. 70 Democratic and authoritarian governments are represented on the
report’s global map depicting where the YouTube website or its videos have been
censored. Evidently, it is clear that censorship is increasing in both intensity and in
proliferation around the world.71 While the practice of internet censorship is
becoming a global norm, the type of content being censored differs markedly. This
suggests that a secondary tension exists, between states with differing perceptions of
what “free speech” entails. Emblematic of this tension, is the Additional Protocol to
The European Convention on Cybercrime. It requires signatories to criminalise the
distribution of

“…distributing xenophobic or racist material through a computer system;
expressing denial,“ gross minimization” or approval of a genocide or crimes
against humanity through a computer; distributing insults to people because of
their race, color, religion, national or ethnic origin through a computer system
or aiding and abetting any of these acts.”72
As a signatory to this protocol, France bans publishing material that meets these
qualifications. Conversely, the United States, bound by its constitution, has not
ratified the protocol.73 In context of global cyber security norms and human rights,
this exemplifies the problematic nature of conflicting cyber security regimes. France’s
attempt to exert positive rights, conflicts directly with the United States attempt to
‘exert’ negative rights in cyber space. As a global technological commons, the
internet allows for these competing and paradoxical ‘universal’ conceptions of human
rights, adding further difficulties to resolving cyber security norms and international
human rights law. The current state of the international community and its response to
human rights in the discourse of cyber security is inadequate. It will be argued, there
needs to be greater unification of these norms at the international level.

70
OpenNet Initiative, YouTube Censored: A Recent History, 02 August 2011
<http://opennet.net/youtube-censored-a-recent-history>.
71
Ibid. OpenNet.
72
See supra note 48.
73
The United States has ratified the Convention, but not the protocol.

13

Cyber security norms and human rights unification

Altering and unifying international norms is the primary method of resolving the
tensions between human rights and cyber security norms. Author Martha Finnemore
argues that “norm cultivation” is a three-part process of promulgation and
articulation, disseminating the established norms and the internalization, at the state
level, of these norms.74 Finnemore is not naive to the tensions and difficulties of
establishing unified global cyber security norms. A nuanced and reasoned approach is
provided that moves beyond the scope contended in this paper, but key themes are
necessary to incorporate into the context of the arguments made in this chapter. Cyber
security, argues Finnemore, is analogous to other global issues such as protecting the
environment, stopping corruption and improving gender equality.75 Techniques used
to advances these causes can be used to greater promote the compatible features of
cyber security and human rights. An example can be drawn from China, where
although its cyber security policies are repressive from a Western perspective, there
are greater freedoms of speech, due to cyber technologies, now then past decades.76
Building on these movements through diplomatic pressure and encryption
technologies77 may bring China and other repressive nations into a cyber security
regime that reflects the United Nations conventions and aforementioned internet
freedoms. Finnemore further argues that given the stake private industry has with
keeping the internet unconstrained by national governments, they may play an
important part in harmonising global cyber security norms.78 Best practice corporate
policies may, as Finnemore contends, insulate companies from accusations of
subversive government agency.79 These arguments by Finnemore suggest there is
room for greater consensus on cyber security and human rights, although very little. It
is the contention of this paper, that the increasing trend in state censorship of the

74
Martha Finnemore, “Cultivating International Cyber Norms,” Travis Sharp Kristin M. Lord,
America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington: Center
for a New American Security, 2011) I-II vols.p.93.
75
76
77
For a discussion on the potential of encryption devices being used to liberate those repressed under
authoritarianism, Richard Fontaine and Will Rogers article on internet freedom. See supra note 58 at
150.
78
79
See supra note 64.

14

internet and the ideological divergence amongst states on the meaning of liberty and
‘cyber security’ is of great concern. These indications suggest a trend toward states
imparting greater sovereignty within the cyber domain and a resulting fracturing of
the World Wide Web against the principles of internet freedom. Most significant in
terms of cyber security norms and human rights has not yet been argued. Cyber war,
as a cyber security issue, has not achieved international consensus in either the Laws
of Armed Conflict or humanitarian law.

15

Cyber war and human rights

“Because the entire law of war regime has been built upon a Westphalian
foundation, the transformative properties of cyber warfare are just as
breathtaking. We are left pondering some fundamental questions – what
constitutes force? What is a hostile act? When is self-defence justified in
response to a cyber attack? Is the Use of traditional means of force ever justified
in response to a cyber attack? These are not easy questions and the international
legal regime is lagging far behind the problems presented by the increasingly
sophisticate technological possibilities in the area.”80
-- Lieutenant Colonel Jeffrey K. Walker

Cyber war, as the preeminent cyber security issue, is destructive and politically
complicated. Nuclear war strategist, Joseph S. Nye, has likened cyber war in the
context of cyber security, to the dawn of the nuclear age, with opaque ‘adversarial
interactions’ and new, little understood weaponry.81 Cyber war analyists Andrey
Korotkov and Karl Rauscher, argue that the international community of states has not
developed “rules of engagment” in cyber warfare, despite the cyber domain being
“the linchpin of our mutual safety, stability and security.” 82 Without an international
consensus on what constitutes an ‘act of cyber war’ or the ‘conduct during cyber war,’
nation-states are in endanger of subverting human rights, while the cyber domain
becomes increasingly militarised. Establishing then, the applicability of the Laws of
Armed Conflict (LOAC) and international humanitarian law (IHL) reside at the
fulcrum of a discussion on cyber war and human rights. Navigating the arguments
advanced will be framed through Michael N. Schmitt’s paradigm of what constitutes
cyber war, an ‘actor-based threshold’ or a ‘consequence-based threshold.’
Rationalising cyber war in this way, teases out the problematic characteristics of
applying international human rights law to cyber war. Addressing first the ‘actor-
based threshold,’ exposes the tenuous relationship between cyber war and

80
This quote is borrowed from Dr Rex Hughes’ illustrative article on a global cyber warfare regime.
See Rex Hughes, “Towards a Global Regime for Cyber Warfare,” C, Geers K Cozosseck, The Virtual
Battlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009) P.106. The original quote
can be found at Jeffrey K. Walker, “The demise of the nation-state, the dawn of new paradigm warfare,
and a future for the profession of arms,” Air Force Law Review (2001): 51.
81
“Power and National Security in Cyberspace,” Joseph S. Nye, America’s Cyber Future, Vol. II
(Washington: Center for a New American Security, 2011). 7.
82
Andrey Korotkov Karl Frederick Rauscher, Working Towards Rules for Governing Cyber Conflict:
Rendering the Geneva and Hague Conventions in Cyberspace, EastWest Institute (New York, 2011).
iii.

16

international human rights law. Secondly, it will be argued that a ‘consequence-based
threshold’ is highly advantageous over its former and that rationalising cyber war in
this way provides a theoretical way of bridging the two aims of cyber war and human
rights together. Lastly, it will be contended that the consequences of failing to unite
cyber war and international human rights law, is leading to a greater militarisation of
the technological commons. Militarisation of this space is at great detriment to the
citizens in the ‘information societies’ who depend solely on this space in every day
life.

Dr. Rex Hughes, in his article Towards a Global Regime for Cyber Warfare, argues
that a war of aggression crime, in international law, is applicable to cyber war.83
Hughes argues that United Nations (UN) General Assembly Resolution 3314,84 the
‘Definition of Aggression,’ be applied to cyber attacks that disrupt national power
grids, health services, financial services and transportation links, among other sectors
of critical infrastructure (CI).85 Similarly, Richard Clarke contends that the Geneva
Convention on “Protection of Civilians” and the United Nations Convention on
“weapons with ‘Indiscriminate Effects’” be expanded to include cyber attacks on
critical infrastructure.86 Clarke argues that civilians, as opposed to the military, would
be most severely affected in a cyber attack and are thereby more venerable.87
Militaries are better prepared for emergencies with stockpiled food, backup power
systems and hospitals, while civilian infrastructure is less resilient.88 Attacks on these
critical sectors of civilian life, Clarke contends, could be no greater example of a
cyber war causing ‘indiscriminate effects’ and as a corollary, is thereby applicable
under humanitarian law.89 Hughes and Clarke suffice in framing the humanitarian
implications of cyber war, juxtaposed to an abstract level of international law, but
their arguments are founded on unanswered questions and untested assumptions.

83
Rex Hughes, “Towards a Global Regime for Cyber Warfare,” C, Geers K Cozosseck, The Virtual
Battlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009) 106-116.
84
U.N Resolution 3314 was originally drawn from U.N Charter, Article 2. See Elizabeth Wilmshurst,
Definition of Aggression General Assembly resolution 3314 (XXIX), 24 June 2011,
<http://untreaty.un.org/cod/avl/ha/da/da.html>. Article 2, paragraph 4 states: Members shall refrain in
their international relations from the threat or use of force against the territorial integrity or political
independence of any state, or in any other manner inconsistent with the Purposes of the United
Nations.”
85
Ibid, 112.
86
87
Ibid, 242.
88
Ibid, 242.
89
Ibid, 242.

17

Michael N. Schmitt, in Wired warfare: Computer network attack and jus in bello,
addresses these unanswered assumptions, by investigating the applicability of a
computer network attack (CNA) with the LOAC and HL.90 Schmitt’s contention is
that in order to apply existence international legal norms to computer network attacks,
will require accepting various interpretive premises. These premise can be addressed
in three arguments against the applicability of cyber war to international law; that
there is no direct legal instrument applicable to cyber war, that cyber war technologies
postdate treaties thus rendering them invalid and that question of 'armed force.'

Determining ‘cyber war:’ an actor-based threshold

Martens Clause, introduced in the 1899 Hague Convention, refutes those arguments
that stipulate international law is not directly applicable to cyber war.91 Martens
Clause states that

“…civilians and combatants remain under the protection and authority of the
principles of international law derived from established custom, from the
principles of humanity, and from the dictates of public conscience.”92

Schmitt contends that Martens Clause applies humanitarian law during armed conflict
leaving “no lawless void” amongst those humanitarian situations not covered by an
international agreement.93 Thereby, the Martens Clause norm in customary law does
cover all occurrences, even those arising from cyber war. The second contention
advanced, is that cyber technologies postdate the relevant HL legal instruments,
rendering them inapplicable to cyber war. Refuting this contention requires
recognising the International Court of Justice’s verdict on nuclear weapons in relation
to international human rights law. The Court noted that “[i]n the view of the vast
majority of States as well as writers there can be no doubt as to the applicability of

90
Schmitt’s argument focus on computer network attacks. This paper contends this argument can be
expanded to include all cyber technologies. See Michael N. Schmitt, “Wired warfare: Computer
network attack and jus in bello,” International Review of the Red Cross 84.846 (2010): 368-369.
91
Ibid. 369.
92
Ibid, 369.
93
Ibid. 369.

18

humanitarian law to nuclear weapons.”94 Cyber war attacks, given the gravity of their
destructive capabilities on civilian populations, are arguably analogous to nuclear
weapons, but even if this is dismissed, the underlying premise of the ICJ ruling holds
that technologies are within the ambit of international law, regardless of when they
come into being. This leaves one last point of contention, that cyber war is not
applicable to international human rights law, due to the qualification requiring ‘armed
conflict’ that is a present qualification in the Geneva and Hague conventions.95 The
International Committee of the Red Cross on the 1949 Geneva Conventions and the
1977 Additional Protocols, define armed conflict as “… [a]ny difference arising
between two States and leading to the intervention of armed force.”96 While cyber
attacks have consequential ‘war-like’ effects, this does not mean an ‘armed force’ has
carried them out. The Cooperative Cyber Defence Centre of Excellence (CCDCOE),
legal team, investigating the legality of cyber attacks on Georgia in 2007, investigated
this dilemma in an attempt to place cyber war within the ‘armed conflict’
qualification.97 Armed force in the physical world requires physical troops and
weapons that can, in contrast to cyber attacks, be more easily be verified and
attributed to a hostile nation-state. Circumstantial and technical means of attributing a
cyber attack can rarely conclusively tie an attack to an attacker.98 Attribution, prima
facie, in cyber war becomes an important characteristic in determining what
constitutes ‘armed force’ and as a corollary, what constitutes an ‘armed conflict.’

Attribution is an important characteristic in defining the ‘actor-based threshold’
required to define an ‘act of war.’ GhostNet, has not been recognised as an ‘act of
war’ by the international community but exemplifies the ‘actor-based threshold’
dilemma. Investigators responsible for uncovering GhostNet, contend that plausible
deniability allows states to officially distance themselves from attacks.”99 ‘Plausible
deniability’ benefits state actors carrying out attacks, given the geographic time and

94
Ibid. 370.
95
See supra note 89.
96
International Committee of the Red Cross, Convention (I) for the Amelioration of the Condition of
the Wounded and Sick in Armed Forces in the Field, 12 August 1949, 8 June 2011
<http://www.icrc.org/ihl.nsf/COM/365-570005?OpenDocument>.
97
Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul. Cyber
Attacks Against Georgia: Legal Lessons Identified. NATO. (Tallinn: Cooperative Cyber Defence
Centre of Excellence, 2008). 12.
98
Ibid, 12.

19

space required to carry out an investigation, versus the speed at which attacks can take
place and the range of geographical locations that may be involved.100 These
geographical locations then have political implications, particularly if there is little
technical evidence of the cyber attack. Senior National Security Agency official,
Debora Plunkett, argues, “ …[because cyber attacks] are hard to detect and quantify,
it is difficult to generate the political will required for effective solutions.”101
Moreover, whereas with traditional conflict, comprising of troops and kinetic
weaponry, it soon becomes obvious an attack has taken place and politicians are then
obliged act. With cyber attacks, these often involve the less obvious exploitation of a
computer system vulnerability and politicians may be reluctant to publicise them in
instances of national security.102 For these reasons, Richard Clarke has advocated for
an international organisation, similar to the International Atomic Energy Agency, to
impartially monitor cyber warfare attacks on states.103 As an institutional solution to
attribution of cyber attacks, this would be of benefit but it fails to resolve the technical
difficulties. These problematic characteristics of attribution, indicate that construing
‘armed force’ or ‘armed conflict’ from a cyber war is highly difficult.

The Geneva and Hague Conventions have, for decades, established the boundaries in
war. Prohibitions on asphyxiating the enemy, using poisonous gases or bacteriological
warfare, have been banned104 and restrictions placed on the most brutal weaponry.105
Cyber war and its weaponry provide their own challenges to IHL and the LOAC but
as with previously invented weaponry, should be accessed and if appropriate,
incorporated into humanitarian law. It is beyond the scope of this paper to assess the
entire ambit of cyber war strategy and weaponry in war but a focused analysis on
critical characteristics of cyber war conduct and weaponry elucidates the associated
human rights implications and 'actor-based approach.' Rex Hughes introduces the
‘cyber weapon’ as an electron travelling through the cyber domain violating the

100
Daniel E. Geer, “How Government Can Access Innovative Technology,” America’s Cyber Future:
Security and Prosperity in the Information Age, Vol. II (Washington: Center for a New American
Security, 2011) I-II vols.186.
101
Debora Plunkett, “The Atlantic’s and Government Executive’s First Annual Cybersecurity Forum”
(Washington, 2010).
102
103
104
International Committee of the Red Cross, Protocol for the Prohibition of the Use of Asphyxiating,
Poisonous or Other Gases, and of Bacteriological Methods of Warfare, 8 February 1928, 04 May 2011
<http://www.icrc.org/ihl.nsf/intro/280>.
105

20

Hague Convention as it passes from one neutral country to another.106 The Hague
Convention, argues Hughes, forbids the “movement of weapons” across a neutral
state.”107 Hughes argument is academic at the present time but not an implausible
reality for the future. The example elucidates the problems and properties of using
cyber weapons in what is now recognised as the “fifth domain” 108 and the
implications for human rights. In an effort to best rationalise cyber weapons and their
use in the scope of this brief argument, this paper will divide cyber attacks, used in
cyber war, into a taxonomy of two; kinetic and non-kinetic attacks. Kinetic cyber
attacks (KCA) result in physical damage, designed with the intent to manipulate the
data that controls machines causing them to function improperly in the physical
world. States are the usually targets of KCAs because as opposed to non-state actors,
they have infrastructure to target and damage. There is an increasing number of KCA
cases emerging in the cyber discourse. During the Cold War, the Central Intelligence
Agency planted a logic bomb in the computer software that managed a Russian
pipeline in Siberia, setting off a three-kiloton explosion, large enough to be seen from
outer space.109 This event demonstrated the potential a kinetic cyber attack could have
on civilian infrastructure. In a recent example from 2010, a sophisticated piece of
malware exploited four ‘zero-day’ attacks, known as Stuxnet, targeted the
programmable logic controller (PLC) at an Iranian nuclear facility, controlling its
uranium enriching centrifuges.110 By injecting malicious code into the PLC, Stuxnet
was able to increase the speed of the Iranian centrifuges up to a rate of 1,410Hz that
caused them severe damage.111 It is estimated that Stuxnet set back the Iranian nuclear
programme by two years and set a dangerous precedent in cyber warfare.112
Techniques used in the pipeline explosion and Stuxnet, resemble the type of kinetic
cyber attacks analysts fear will be used on civilian critical infrastructure,113

106
107
Ibid, 112.
108
The Economist, War in the fifth domain, 1 June 2010, 26 May 2011
<http://www.economist.com/node/16478792>.
109
Peter L. Levin, Wesley K. Clark, “Securing the Information Highway: How to Enhance the United
States' Electronic Defenses,” Foreign Affairs 88.6 (2009): 4.
110
Kim Zetter, Next post How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in
History, 2011 July 2011, 04 August 2011 <http://www.wired.com/threatlevel/2011/07/how-digital-
detectives-deciphered-stuxnet/all/1>.
111
IISS Stratigic Comments, Stuxnet: targeting Iran's nuclear programme, Volume 17, Comment 6,
The International Institute For Strategic Studies (London, 2011).
112
Ibid, IISS Stratigic Comments.
113
Examples of critical infrastructure sectors include, communications, emergency services, energy,
finance, food, government, health, transport and water. These can all be affected by cyber attacks. See

21

specifically on supervisory control and data acquisitions (SCADA) systems that
control the machines that manage critical infrastructure in many industrialised
countries.114 These examples of kinetic cyber attacks on critical infrastructure
elucidate the impact these types of attacks can have on human rights and civil
liberties. To quote Lord Cameron of Dillington, the United Kingdom is “nine meals
away from anarchy” referencing the impact a cyber disruption to the food supply
chain on the “just-in-time” delivery method of supermarket chains.115 Ninety-five
percent of the food eaten in the United Kingdom is oil dependant, meaning the oil
supply to the nation is vital.116 A kinetic cyber attack that targeted either set of critical
infrastructure, the computer networks of the “just-in-time” system or the oil delivery
systems, would have a devastating impact the United Kingdom. The implications of
these scenarios demonstrate the severity of kinetic cyber attacks and importance in
framing some of these within international human rights law. The second types of
cyber attacks are non-kinetic attacks. These attacks are more problematic with
traditional the ‘actor-based threshold’ required to attribute an act as an ‘act of war.’
The LOAC establish that in war, when an attack has taken place, there must be
intentional “injury, death, damage or destruction” as a result of that attack.117 Kinetic
cyber attacks clearly fit within these qualifications but non-kinetic attacks elucidate
more problematic characteristics. Distributed Denial of Service (DDoS) attacks
represent “among the most visible and disruptive of cyber-attacks” according to Dr.
Jose Nazario, specialist in DDoS attacks.118 Estimates have suggested that three
months of sustained DDoS attacks on the United States would have the effect of “40
or 50 large hurricanes striking all at once.”119 DDoS attacks prima facie do not cause
'injury, death, damage or destruction,' it is the consequential externalities from these
attacks that can impart death and damage onto property. A DDoS attack works by

Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space (London:
The Stationery Office (TSO), 2009). 3.
114
115
116
Ibid. 20.
117
Ibid. 20.
118
Jose Nazario, “Politically Motivated Denial of Service Attacks,” Kenneth Geers Christian Czosseck,
The Virtual Battlefield: Perspectives on Cyber Warfare (Amsterdam: IOS Press, 2009). 163.
119
Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space
(London: The Stationery Office (TSO), 2009). 4.

22

overwhelming the target computer’s bandwidth,120 so that it has no bandwidth for
those computers trying to ‘legitimately’ communicate with it.121 If communication is
disrupted between servers that run a website, then there is an infringement of freedom
of speech, assembly and potentially privacy if the website fails to display. If the
interrupted communication is with a computer that runs a national power grid, then
fundamental rights such as the right to life may be engaged by the shutting off of
systems dependant on electricity. Used by a state in a war capacity, these cyber
attacks would, at a minimum, violate one’s right to privacy, guaranteed by article 17
of the International Covenant on Civil and Political Rights122 and article 12 of the
Universal Declaration of Human Rights that states “…no one shall be subjected to
arbitrary interference with his privacy.”123 DDoS attacks, do not easily fit
qualifications of the ‘actor-based threshold’ refuted by Schmitt.

Resolving tensions: the consequence-based threshold

Returning to Schmitt’s argument, he advances that in order to apply existence
international legal norms to computer network attacks, requires accepting various
interpretive premises. That using a consequence-based threshold for determining what
“armed conflict” and “attack” is in cyber space the most adequate way to bridge cyber
attacks into an international legal regime. Schmitt contends,

“…humanitarian law principles apply whenever computer network attacks can
be ascribed to a State are more than merely sporadic and isolated incidents and
are either intended to cause injury, death, damage or destruction (and analogous
effects), or such consequences are foreseeable.”124

Emphasis here needs to be placed on ‘consequences are foreseeable.’ Schmitt is
concerned with the consequence of a cyber attack, rather then the more difficult

120
Oxford Dictionary defines ‘bandwidth’ as “the transmission capacity of a computer network or
other telecommunication system.” See Oxford Dictionaries, Bandwidth, 8 August 2011
<http://oxforddictionaries.com/definition/bandwidth>.
121
DDoS attacks thereby, are usually temporary and physically non-damaging to computer systems.
See supra note 117.
122
123
United Nations, The Universal Declaration of Human Rights, 10 December 1948, 10 4 2010
<http://www.un.org/en/documents/udhr/>.
124
See supra note 89.

23

‘actor-based threshold’ that requires not only attribution of an actor but the
establishment of “armed force.” `In the context of the arguments contended in this
paper, Schmitt’s ‘consequence-based threshold’ would apply to the aforementioned
kinetic cyber attacks with their devastating effects, but would not apply to GhostNet
type of attacks that have no “foreseeable” consequences in terms of “injury, death,
damage or destruction.” This is beneficial to the complex environment of cyber
threats that can emerge from an array of actors, not just states. Schmitt’s
‘consequence-based threshold’ then, as a corollary, reduces the militarization of cyber
space that will be advanced, is a major threat to human rights and civil liberties.

There is one further contention to argue, in addition to Schmitt's ‘consequence-based
threshold.’ Analogous to Schmitt's paradigm, is an emerging body of customary law
that does not necessarily require the qualification of a state actor when it comes to
belligerent activity. Increasing legal precedent within international law, is binding
states to the actions of non-state actors within their territory. In The Republic of
Nicaragua v. The United States of America, the International Court of Justice ruled
that the United States violated international law but supporting the Contras in their
rebellion against the Nicaraguan government.125 This set the precedent that states
were liable for the actions of non-state actors if they “executed effective control over
such actors.”126 The threshold was lowered further when, in 2001, the United States
carried out Operation Enduring Freedom against the Taliban in Afghanistan, under
the legal presumption that the Taliban was harbouring and supporting al-Qaeda.127
The United States argued it was using self-defence in accordance with international
law, in response to events of September 11.128 These legal precedents in international
law, suggest that states cannot as easily used the aforementioned plausible deniability
to relinquish themselves from belligerent activity.129 Despite the advantages
articulated in Schmitt's ‘consequence-based threshold’ and customary law to
rectifying cyber war with international law, states, in absence of an international

125
International Court of Justice, Military and Paramilitary Activities in and against Nicaragua
(Nicaragua v. United States of America), 27 June 1986, 5 July 2011 <http://www.icj-
cij.org/docket/index.php?sum=367&code=nus&p1=3&p2=3&case=70&k=66&p3=5>.
126
127
Ibid. 21.
128
Ibid. 21.
129
The nation-state where the actor or actors are found to be working from when committing the
attacks.

24

consensus, are demonstrating increasing 'war-like' behavior. This is leading to the
militarisation of the cyber domain and this poses a significant threat to human rights.

Militarisation of the global technological commons

Without an established international consensus on the LOAC in cyber war, the cyber
domain remains a warring and anarchical space. Ambiguities around cyber war lead
to an increase in the militarization of a shared civilian and military space. Travis
Sharp and Kristin Lord contend that

“…there is no analogous empty “space” and the activities of civil and military
users are intertwined together. Non-state actors cannot flee the domain...except
by unplugging and dismantling part of cyberspace itself."130
Internet and other forms cyber infrastructure have reached a level of ubiquity that
society in most developed nations, would be unable to function without it. Two billion
people ‘logged on’ globally and ten trillion dollars worth of electronic commerce
propagated through the internet in 2010.131 It is estimated by the end of 2010, there
will be 5.3 billion cellular subscriptions worldwide and nearly a billion subscriptions
to 3G services that allow mobile phones to gain high-speed access to the internet.132
Between 2005 and 2010 internet users globally have doubled, surpassing two billion
users.133 Half a billion people now have access to internet in their home, representing
29.5 percent of households worldwide, increasing to eighty percent in some
developed countries.134 While global dependency on cyber technologies increases,
vulnerability becomes increasingly acute. Government, emergence services, power
grids and other critical infrastructure are represented in these figures, suggesting the
severity of “unplugging” from cyber space or its militarisation. To an extent, the

130
Travis Sharp Kristin M. Lord, “Non-State Actors and Cyber Conflict,” Jason Healey Gregory J.
Rattray, America’s Cyber Future: Security and Prosperity in the Information Age, Vol. II (Washington:
Center for a New American Security, 2011) I-II vols. 67.
131
Travis Sharp Kristin M. Lord, America’s Cyber Future: Security and Prosperity in the Information
Age, Volume I & II (Washington: Center for a New American Security, 2011). 24.
132
The World in 2010: ICT Facts and Figures, “Information and Communication Technology (ICT)
Statistics,” 20 10 2011, International Telecommunications Union, 03 06 2011 <http://www.itu.int/ITU-
D/ict/>. 5.
133
Ibid, 5.
134
Sweden, South Korea and the Netherlands all have over 80% internet access in households.
Broadband access across the developed world remains low; slightly fewer than five percent, per one
hundred inhabitants, have broadband and only one percent, on average, for those living on the African
continent. See supra note 127.

25

cyber domain has already begun to be militarised. Former United States Defense
Secretary Robert Gates has escalated cyber space to be a ‘“fifth domain’ of military
operations, alongside land, sea, air and space,”135 followed one year later by President
Barak Obama’s International Strategy For Cyberspace signalling the cyber domain as
a “vital national asset” that the United States reserves the right to “defend.”136
Without geographical boarders, questions of the limits of sovereignty emerge.
Defending a nation-state in the cyber domain will inevitably include the global
technological commons. The United States military exercised its ‘right to defend’
during 2008 American cyber forces shut down a suspected high profile terrorist
website.137 Inadvertently, the military operations shut down 300 servers in the Middle
East, Germany and Texas, resulting in President Obama putting a moratorium on
these types of “network warfare” until further rules could be established.138 In another
incident, a dispute between China and the United States in the South China Sea,
resulted in the Californian power grid almost being “taken down.”139 With the rules of
cyber warfare not established, these incidences are likely to increase within the
international community of states. Continuation of these ‘war-like’ activities in the
technological commons threaten human rights and civil liberties, with no recourse to
effective international law. The United States, while a major cyber power, is not an
anomaly in approaching the technological commons as a battlefield. The United
Kingdom has also indicated the strategic importance of offensively acting in cyber
space, advancing in the first National Cyber Security Strategy, that offensive
capabilities are significant component of the county’s cyber defences.140 In June 2011,
it was reported that British intelligence officers (SIS) sabotaged an al-Qaeda online
‘webzine’ as a propaganda exercise.141 This ‘attack’ drew praise from U.S Cyber
Commander, General Keith Alexander, who argued, “…blocking the [online]

135
Misha Glenny, Who controls the internet?, 8 October 2010, 5 July 2011
<http://www.ft.com/cms/s/2/3e52897c-d0ee-11df-a426-00144feabdc0.html#axzz1VnJrbie1>.
136
The White House, International Strategy For Cyberspace: Prosperity, Security, and Openness in a
Networked World, The United States of America (Washington, 2011). 12.
137
Ellen Nakashima, Pentagon considers preemptive strikes as part of cyber-defense strategy, 28
August 2010, 20 June 2011 <http://www.washingtonpost.com/wp-
dyn/content/article/2010/08/28/AR2010082803849.html>.
138
Ibid. Nakashima.
139
Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber space
(London: The Stationery Office (TSO), 2009). 4.
140
Ibid. 15.
141
Richard Norton-Taylor, British intelligence used cupcake recipes to ruin al-Qaida website, 2 June
2011, 24 July 2011 <http://www.guardian.co.uk/uk/2011/jun/02/british-intelligence-ruins-al-qaida-
website?INTCMP=ILCNETTXT3487>.

26

magazine was a legitimate counter-terrorism target.”142 Securing the state through
proactive cyber security operations is a legitimate goal. Protecting website owners
and upholding principles of internet freedom and aforementioned U.N human rights,
freedom of speech, association and privacy, are also legitimate aims. By establishing
international “rules of engagement” and the LOAC in the cyber domain, these
competing goals can be balanced and proportionate in their application. Not all cyber
attacks are state-sponsored and thereby not all cyber security threats require a military
response. LulzSec and Anonymous hacker groups disrupted and temporary crippled a
number of high profile websites including the Central Intelligence Agency,
Mastercard and Visa, using a DDoS attack.143 These are annoyances in civil society,
but do not qualify as “acts of war” requiring a military response. Moreover, Mathias
Klang argues with qualifications, that DDoS attacks can be a form of political protest,
as he contends a form of civil disobedience or what he terms a “virtual sit-in.” 144
LulzSec and Anonymous have been argued to be exercising a new form of protest that
should be tolerated in a free society.145

142
Ibid. Norton-Taylor.
143
James Ball, By criminalising online dissent we put democracy in peril, 1 August 2011, 23 August
2011 <http://www.guardian.co.uk/commentisfree/2011/aug/01/online-dissent-democracy-hacking>.
144
Mathias Klang, “Virtual Sit-Ins, Civil Disobedience and Cyberterrorism,” Mathias Klang Andrew
Murry, Human Rights in the Digital Age (London: Glasshouse Press, 2005) 1-234. It must be noted
that Klang qualifies types of DDoS attacks that would constitute as civil disobedience. For example,
use of botnets would not constitute as a legitimate form of civil disobedience but DDoS attacks using
people and their own computers would.
145
See supra note 117.

27

Conclusion

This paper has explored an important academic lacuna within the discourses of human
rights and cyber security. Despite national cyber security strategies on both sides of
the Atlantic referencing the importance of framing security within liberties and rights,
they have provided little substance on the nature of this relationship or how it is to be
achieved. Moreover, a disproportionate amount of literature is aimed at strategic
cyber war, rather then ways of achieving cyber peace. Within human rights, a body of
research has emerged on internet freedoms but very little within a cyber security
framework. It has been argued, cyber security is at the fulcrum of any discussion on
human rights within the cyber domain; security and freedoms are analogous concepts.
As elucidated, dependency on the cyber domain, for all the benefits it brings society,
delivers equally, a precarious state of vulnerability. Dependency and the corollary of
vulnerability, is a reoccurring theme throughout this paper; without the former there
would be not cyber threat to human rights.

The arguments contended in this paper, have explored three key tensions between
human rights and state implemented cyber security. First, attribution versus
anonymity has advanced the tensions at the core of the debate around transparency on
the internet and protection of privacy. Lack of attribution has allowed for the
proliferation of malicious cyber attacks. Conversely, anonymity, provides dissents
and others freedom of speech and a cascade of subsequent human rights. Bridging
these prima facie goals was argued to be achievable through the proportionate and
systematic application of technology but only to a degree. Political acumen is required
as well. Authoritarian regimes, argued in the cases of Russia and China, are likely to
further impart their sovereignty in the cyber domain, further limiting human rights
and fragmenting the internet. The second argument advanced, contended that
competing cyber security norms, produce unease tensions that challenge international
human rights law and the principle of internet freedom. Cyber security norms conflict
with the United Nations conventions on human rights, amongst states, and between
nation-states and their citizens. Censorship, it was argued, is a concerning trend
amongst all states to varying degrees. Despite Finnemore’s attempts at rectifying
international cyber norms, it was contended these are severely incompatible, notably
at the unilateral state level. Thirdly, the preeminent cyber security concern, cyber war,

28

was addressed in context to its impact on human rights. Through Schmitt’s paradigm
of what constitutes cyber war, an ‘actor-based threshold’ or a ‘consequence-based
threshold,’ this paper teased out the problematic characteristics of applying
international human rights law to cyber war. It was argued that a ‘consequence-based
threshold’ is highly advantageous over its former and that rationalising cyber war in
this way provided a theoretical way of bridging the two aims of cyber war and human
rights together. Lastly, it was contended that the consequences of failing to unite
cyber war and international human rights law, is leading to a greater militarisation of
the technological commons. Militarisation of this space is at great detriment to the
citizens in the ‘information societies’ who depend solely on this space in every day
life.

To conclude, from the cyber domain a variety of challenges emerge between cyber
security and human rights. It has been argued, these challenges are in the form of
tensions between the competing social goals, of security and freedom. In some
instances these goals can be unified, benefiting state and citizen. In other cases, there
seems to be an increasing trend toward greater cyber security at the expense of human
rights. Balancing these goals are critical for information societies in the twenty-first
century and will ultimately protect society from the emergence of a tyrannical cyber
state or the devastating effects of cyber attacks.

29

Glossary

Cyberspace - a an electronic medium through which information is created, transmitted,
received, stored, processed, and deleted.

Cyber infrastructure - the aggregation of people, processes and systems that constitute
cyberspace.

Cyber services - are a range of data exchanges in cyberspace for the direct or indirect benefit
of humans.

Critical cyberspace - is cyber infrastructure and cyber services that are vital to preservation of
public safety, economic stability, national security and international stability.

Critical cyber infrastructure - is the cyber infrastructure that is essential to vital services for
public safety, economic stability, national security, international stability and to the
sustainability and restoration of critical cyberspace.

Critical cyber services - are cyber services that are vital to preservation of public safety,
economic stability, national security and international stability.

Cyber crime - the use of cyberspace for criminal purposes as defined by national or
international law.

Cyber terrorism - the use of cyberspace for terrorist purposes as defined by national or
international law.

Cyber conflict - a tense situation between or among nation-states or organized groups where
unwelcome cyber attacks result in retaliation.

Cyber war - an escalated state of cyber conflict between or among states in which cyber
attacks are carried out by state actors against cyber infrastructure as part of a military
campaign
(i) Declared: that is formally declared by an authority of one of the parties.
(ii) De Facto: with the absence of a declaration.

Cyber security - is a property of cyber space that is an ability to resist intentional and
unintentional threats and respond and recover.* See discussion in definitional foundations for
further clarity.

Cyber warfare - cyber attacks that are authorized by state actors against cyber infrastructure in
conjunction with a government campaign.

Cyber attack - an offensive use of a cyber weapon intended to harm a designated target.

Cyber counter-attack - the use of a cyber weapon intended to harm a designated

30

target in response to an attack.

Cyber defensive countermeasure - the deployment of a specific cyber defensive capability to
deflect or to redirect a cyber attack.

Cyber defense - organized capabilities to protect against, mitigate from, and rapidly recover
from the effects of cyber attack.

Cyber defensive capability - a capability to effectively protect and repel against a cyber
exploitation or cyber attack, that may be used as a cyber deterrent.

Cyber offensive capability - a capability to initiate a cyber attack that may be used as a cyber
deterrent.

Cyber exploitation - taking advantage of an opportunity in cyber space to achieve an
objective.

Cyber deterrent - a declared mechanism that is presumed effective in discouraging cyber
conflict or a threatening activity fin cyberspace.

Technological commons – the cyber space shared by civilians and government.

31

Definitional foundations

The origins of the term ‘cyber’ are found in the Greek word κυβερνητικός, meaning “skilled
in steering or governing” and influenced early usage of the word; the concept of sentient
controls being administered.146 ‘Cybernetics’ was first coined and popularized by author
Norbert Wiener in his book Cybernetics or Control and Communication in the Animal and
the Machine, as a term used in the context of controlling ‘complex systems in the animal
world;’147 the term was later appropriated by the medical community as a means to describe
human or animal integration with machinery.148 More recently, the word ‘cyber’ has been
used in conjunction with other words to describe the ‘other-than-physical’ virtual space and
activities.149 Terms such as ‘cyberspace,’ ‘cyber warfare,’ ‘cyber security,’ ‘cyber services’
and ‘cyber infrastructure,’ all fall under this recent appropriation. In the recent report Russia-
U.S Bilateral on Cybersecrity Critical Terminology Foundations, the argument is made that
incorporating the term ‘cyber’ necessitates in some way “the technological representation of
information” and that this is by electronic means.150 This understanding is a useful starting
point as a foundational definition in describing ‘cyber’ and its usage with other words.
Building on this, Daniel T. Kuehl work From Cyberspace to Cyberpower: Defining the
Problem, defines ‘cyberspace’ or the ‘cyber domain’ as,

"a global domain within the information environment whose distinctive and unique
character is framed by the use of electronics and the electromagnetic spectrum to
create, store, modify, exchange, and exploit information via interdependent and
interconnected networks using information-communication technologies.”151

This definition builds on the root word ‘cyber’ defined previously, incorporating the
requirement of electromagnetism and the use of information technologies. It also suggests the
root concept of “governing or steering” found in the original Greek meaning. To “create,
store, modify or exchange” information, implies human sentience.152 The implications for
human rights, in understanding “cyberspace” in these definitional terms, suggests that ‘cyber
conjunctions’ mean something that is a human construct or artifact. Cyber space is engineered
by humans, that are bound by laws and that are capable of recognising human rights, whether
those laws are domestic or international. In contrast to rival definitions, ‘cyber’ or
‘cyberspace’ is not "[t]hat intangible place between computers where information

146
Ibid. P.20
147
Valery Yaschenko Karl, Frederick Rauscher, Russia-U.S. Bilateral on Cyber security: Critical
Terminology Foundations, Worldwide Cyber security Initiative, EastWest Institute (New York:
Moscow, 2011). P.20
148
Ibid. P.20
149
Ibid P.16
150
See supra note 12. During this bilateral agreement Russians posed the argument that ‘cyber’
included all information, not just electronic data – ranging from thoughts in your head to the
information in books. Their argument did not win out but may prove to be more useful in the future
when/if computing systems abandon their electromagnetic origins and use other forms of storing and
transmitting information; biologically based or DNA computing for example. For the arguments
advanced in this paper, the agreed upon definition stated above suffices.
151
Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem,” Stuart H. Starr, Larry
K. Wentz Franklin D. Kramer, Cyberpower and national security (Washington: Potomac Books Inc,
2009) P.27
152
It could be argued that these tasks could be carried out by software with artificial intelligence.
Sophisticated computer viruses carry out all the above functions stated in the definition, however, they
still requires human programmers to create them. It is not unimaginable that future programs will be
reach the level of ‘intelligence’ that they are able to program themselves, at which point cyber
terminology may need redefining.

32

momentarily exists"..."the ethereal reality,"153 nor is it as William Gibson famously wrote in
his 1984 book Neuromancer, "a consensual hallucination."154

Cyber security

‘Cyber security’ is a key term that requires attention. In the Chatham House report
Cyberspace and the National Security of the United Kingdom: Threats and Responses, ‘cyber
security’ is defined as “security in and from cyberspace.”155 This definition is useful in its
brevity but critically, it does not establish the nature of ‘security’. Does ‘security’ dennote
‘protection’ and if it does, is it including offensive as well as defensive methods for ensuring
‘protection’? To use an analogy, police officers may adopt the use of bullet proof vests in
dangerous neighbourhoods but also critical to their security they may argue, is the use of
firearms to match the threat they face with offensive capablitiies. This understanding of
‘cyber security,’ as a term that incorporates both aspects of protection, is most previlent in
cyberseurcrity literature.156 Taking the concept of protection suggested above into account,
the Russian-U.S bilateral agreement on critical cyber security terminology, provides a useful
definition, defining ‘cyber security’ as “…a property of cyberspace that is an ability to resist
intentional and unintentional threats and respond and recover.”157 In the context of human
rights, a ‘responsive’ cyber security policy can mitigate the impact on human rights. A cyber
crime policing unit may disrupt and shut down an online paedophilia ring, thereby enforcing
the UN Convention on the Rights of the Child.158 A government cyber security policy might
enable lawmakers to arrest hackers, who limit others ability to exercise freedom of speech, by
attacking and temporarily shutting down online services. Conversely, authoritarian regimes
may use offensive cyber security measures in the opposite way.

‘Cyber security’ as argued here displays numerous characteristics; security, understood as
protection, both offensive and defensive, along with placement in the more broad concept of
“security in and from cyberspace, “ with connotations around cyberspace defined previously.
Two terms within the U.S-Russian definition of cyber security not addressed, have been the
use of the words “intentional and unintentional threats” and the concept of ‘recovery’. The
former terms will be explored during discussion around the impact of cyber threats on human
rights, Problems in Cyber security and Human Rights. The later term ‘recover’ is problematic
in relation to a discussion around rights. ‘Recovery’ from a cyber attack might be possible in
technological terms, however, if it has involved human rights violations, ‘recovery’ may not
be satisfactory or even possible. It is not clear in the Russian-U.S bilateral agreement as to the
specific meaning behind ‘recovery.’ It will be proposed that ‘recovery’ in the context of a
cyber attack that has caused human rights violations, include a ‘recovery’ in legal recourse or
policy and not just a technological restoration.

Human Rights

‘Human rights,’ as with the term ‘cyber,’ is used in a sweeping number of definitions.
Depending on the questions being asked, definitional meanings of human rights can vary.
Central to the arguments put forward in this paper are questions surrounding the state and its
administration of cyber security against cyber threats and those implications on human rights.
Although information within the cyber domain exists virtually, as has been argued, it is a
human construct and consequently it is bound by human rights law. Given this corollary, it is

153
Winn Schwartau, Information Warfare: Chaos on the Electronic Superhighway Ibid P.26
154
William Gibson, Neuromancer (New York: Ace Books, 1984). P.51
155
See supra note 2.
156
See the UK National Cyber security Strategy.
157
See supra note 13.
158
Excepting Somalia and the United States who have yet to ratify this treaty. See, Child Rights
Information Network, Convention on the Rights of the Child, 21 July 2011,
<http://www.crin.org/resources/treaties/CRC.asp?catName=International+Treatie>.

33

appropriate that ‘human rights’ are understood within a legal framework. ‘Human rights’ and
‘human rights violations’ will be in context of international and domestic human rights law,
including civil liberties that will be seen as a subsection of human rights.

Human rights outside of cyberspace have been used as a “rallying cry of the homeless and the
dispossessed, the political program of revolutionaries… [by] greedy consumers of goods and
culture [and] … the pleasure-seekers and playboys of the Western world,”159 and are now
finding their representation in the cyber domain.

Overview of Internet Censorship160

Internet censorship and content restrictions can be enacted through a number of different
strategies which we describe below. Internet filtering normally refers to the technical
approaches to control access to information on the Internet, as embodied in the first two of the
four approaches described below.

1) Technical blocking
There are three commonly used techniques to block access to Internet sites: IP blocking, DNS
tampering, and URL blocking using a proxy. These techniques are used to block access to
specific WebPages, domains, or IP addresses. These methods are most frequently used where
direct jurisdiction or control over websites are beyond the reach of authorities. Keyword
blocking, which blocks access to websites based on the words found in URLs or blocks
searches involving blacklisted terms, is a more advanced technique that a growing number of
countries are employing. Filtering based on dynamic content analysis—effectively reading
the content of requested websites—though theoretically possible, has not been observed in
our research. Denial of service attacks produce the same end result as other technical blocking
techniques—blocking access to certain websites—carried out through indirect means.

2) Search result removals
In several instances, companies that provide Internet search services cooperate with
governments to omit illegal or undesirable websites from search results. Rather than blocking
access to the targeted sites, this strategy makes finding the sites more difficult.

3) Take-down
Where regulators have direct access to and legal jurisdiction over web content hosts, the
simplest strategy is to demand the removal of websites with inappropriate or illegal content.
In several countries, a cease and desist notice sent from one private party to another, with the
threat of subsequent legal action, is enough to convince web hosts to take down websites with
sensitive content. Where authorities have control of domain name servers, officials can
deregister a domain that is hosting restricted content, making the website invisible to the
browsers of users seeking to access the site.

4) Induced self-censorship
Another common and effective strategy to limit exposure to Internet content is by
encouraging self-censorship both in browsing habits and in choosing content to post online.
This may take place through the threat of legal action, the promotion of social norms, or

159
Costas Douzinas, The End of Human Rights: Critical Legal Thought at the Turn of the Century
(Oxford and Portland: Hart Publishing, 2000). P.1
160
This content is taken from the, OpenNet Initiative, About Filtering, 05 June 2011
<http://opennet.net/about-filtering>.

34

informal methods of intimidation. Arrest and detention related to Internet offenses, or on
unrelated charges, have been used in many instances to induce compliance with Internet
content restrictions. In many cases, the content restrictions are neither spoken nor written. The
perception that the government is engaged in the surveillance and monitoring of Internet
activity, whether accurate or not, provides another strong incentive to avoid posting material
or visiting sites that might draw the attention of authorities.

Points of Control
Internet filtration can occur at any or all of the following four nodes in network:

1) Internet backbone
State-directed implementation of national content filtering schemes and blocking technologies
may be carried out at the backbone level, affecting Internet access throughout an entire
country. This is often carried out at the international gateway.

2) Internet Service Providers
Government-mandated filtering is most commonly implemented by Internet Service
Providers (ISPs) using any one or combination of the technical filtering techniques mentioned
above.

3) Institutions
Filtering of institutional level networks using technical blocking and/or induced self-
censorship occurs in companies, government organizations, schools and cybercafés. In some
countries, this takes place at the behest of the government. More commonly, institutional-
level filtering is carried out to meet the internal objectives of the institution such as
preventing the recreational use of workplace computers.

4) Individual computers
Home or individual computer level filtering can be achieved through the installation of
filtering software that restricts an individual computer’s ability to access certain sites.

Countries have been known to order filtering at all of these levels, whether setting up
filtration systems at the international gateway to eliminate access to content throughout the
entire country, instructing ISPs to block access to certain sites, obligating schools to filter
their networks, or requiring libraries to install filtration software on each individual computer
they provide.

Filtering's Inherent Flaws

Filtering technologies, however, are prone to two simple inherent flaws: underblocking and
overblocking. While technologies can be effective at blocking specific content such as high
profile web sites, current technology is not able to accurately identify and target specific
categorizes of content found on the billions of webpages and other Internet media including
news groups, email lists, chat rooms and instant messaging. Underblocking refers to the
failure of filtering to block access to all the content targeted for censorship. On the other
hand, filtering technologies often block content they do not intend to block, also known as
overblocking. Many blacklists are generated through a combination of manually designated
web sites as well as automated searches and, thus, often contain websites that have been
incorrectly classified. In addition, blunt filtering methods such as IP blocking can knock out
large swaths of acceptable websites simply because they are hosted on the same IP address as
a site with restricted content.

The profusion of Internet content means that Internet filtering regimes that hope to
comprehensively block access to certain types of content must rely on software providers
with automated content identification methods. This effectively puts control over access in

35

the hands of private corporations that are not subject to the standards of review common in
government mandates. In addition, because the filters are often proprietary, there is often no
transparency in terms of the labeling and restricting of sites. The danger is most explicit when
the corporations that produce content filtering technology work alongside undemocratic
regimes in order to set-up nationwide content filtering schemes. Most states that implement
content filtering and blocking augment commercially generated blocklists with customized
lists that focus on topics and organizations that are nation or language-specific.

Bibliography

2010 Foundation Index. “Technology: 2010 Shift Index Measuring the forces of long-term
change .” 01 01 2011. Deloitte.
<http://www.deloitte.com/view/en_US/us/Industries/technology/ed1096761a34b210VgnV
CM2000001b56f00aRCRD.htm>.

International Committee of the Red Cross. Convention (IV) relative to the Protection of
Civilian Persons in Time of War. 27, Article. 12 August 1949. 20 June 2011
<http://www.icrc.org/ihl.nsf/385ec082b509e76c41256739003e636d/6756482d86146898c
125641e004aa3c5>.

Ansfield, Jonathan. China Web Sites Seeking Users’ Names. 05 September 2009. 02 June
2011
<http://www.nytimes.com/2009/09/06/world/asia/06chinanet.html?pagewanted=1&hp>.

Arrest over social network site damage incitement. 14 August 2011. 17 August 2011
<http://www.bbc.co.uk/news/uk-england-tyne-14521031>.

Ball, James. By criminalising online dissent we put democracy in peril. 1 August 2011. 23
August 2011 <http://www.guardian.co.uk/commentisfree/2011/aug/01/online-dissent-
democracy-hacking>.

Batty, David. LulzSec hackers claim breach of CIA website. 16 June 2011. 2 July 2011
<http://www.guardian.co.uk/technology/2011/jun/16/cia-website-lulzsec-hackers>.

Berners-Lee, Tim. Long Live the Web: A Call for Continued Open Standards and Neutrality.
22 November 2010. 04 April 2011
<http://www.scientificamerican.com/article.cfm?id=long-live-the-web>.

Blank, Stephen. “Web War I: Is Europe's First Information War a New Kind of War?”
Comparative Strategy 27.3 (2008): 227-247.

British Broadcast Corporation. England riots: Government mulls social media controls. 11
August 2011. 15 August 2011 <http://www.bbc.co.uk/news/technology-14493497>.

British Broadcast Corpration.. US Pentagon to treat cyber-attacks as 'acts of war'. 1 June
2011. 12 June 2011 <http://www.bbc.co.uk/news/world-us-canada-13614125>.

Catherine A. Theohary, John Rollins. Terrorist Use of the Internet: Information Operations in
Cyberspace. Report for Congress. Congressional Research Service. Washington, 2011.

36

Cyber Security Strategy of the United Kingdom: safety, security and resilience in cyber
space. London: The Stationery Office (TSO), 2009.

David A. Gross, Nova J. Daly, M. Ethan Lucarelli, Roger H. Miksad. “Cyber Security
Governance: Existing Structures, Internetional Approaches and the Private Sector.”
America’s Cyber Future: Security and Prosperity in the Information Age. Vol. II.
Washington: Center for a New American Security, 2011. I-II vols.

David D. Clark, Susan Landau. “Untangling Attribution.” Harvard National Security Journal
2 (2011): 1-30.

Detica and the Office of Cyber Security and Information Assurance in the U.K. Cabinet
Office. The Cost of Cyber Crime. London, 2011.

Eneken Tikk, Kadri Kaska, Kristel Rünnimeri, Mari Kert, Anna-Maria Talihärm, Liis Vihul.
Cyber Attacks Against Georgia: Legal Lessons Identified. NATO. Tallinn: Cooperative
Cyber Defence Centre of Excellence, 2008.

Espionage Report: Merkel's China Visit Marred by Hacking Allegations. 27 August 2007. 04
March 2011 <http://www.spiegel.de/international/world/0,1518,502169,00.html>.

Figures, The World in 2010: ICT Facts and. “Information and Communication Technology
(ICT) Statistics.” 20 10 2011. International Telecommunications Union. 03 06 2011
<http://www.itu.int/ITU-D/ict/>.

Finnemore, Martha. “Cultivating International Cyber Norms.” Kristin M. Lord, Travis Sharp.
America’s Cyber Future: Security and Prosperity in the Information Age. Vol. II.
Washington: Center for a New American Security, 2011. I-II vols.

Geer, Daniel E. “How Government Can Access Innovative Technology.” America’s Cyber
Future: Security and Prosperity in the Information Age. Vol. II. Washington: Center for a
New American Security, 2011. I-II vols. 185-200.

Glenny, Misha. Who controls the internet? 8 October 2010. 5 July 2011
<http://www.ft.com/cms/s/2/3e52897c-d0ee-11df-a426-
00144feabdc0.html#axzz1VnJrbie1>.

Guardian. Oyster data use rises in crime clampdown. 13 March 2006. 05 April 2011
<http://www.guardian.co.uk/technology/2006/mar/13/news.freedomofinformation>.

Hughes, Rex. “Towards a Global Regime for Cyber Warfare.” Cozosseck, C, Geers K. The
Virtual Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, 2009. 106-
116.

IISS Stratigic Comments. Stuxnet: targeting Iranʹs nuclear programme. Volume 17,
Comment 6. The International Institute For Strategic Studies. London, 2011.

International Committee of the Red Cross. Convention (I) for the Amelioration of the
Condition of the Wounded and Sick in Armed Forces in the Field. 12 August 1949. 8 June
2011 <http://www.icrc.org/ihl.nsf/COM/365-570005?OpenDocument>.

International Committee of the Red Cross. Protocol for the Prohibition of the Use of
Asphyxiating, Poisonous or Other Gases, and of Bacteriological Methods of Warfare. 8
February 1928. 04 May 2011 <http://www.icrc.org/ihl.nsf/intro/280>.

International Court of Justice. Military and Paramilitary Activities in and against Nicaragua
(Nicaragua v. United States of America). 27 June 1986. 5 July 2011 <http://www.icj-
cij.org/docket/index.php?sum=367&code=nus&p1=3&p2=3&case=70&k=66&p3=5>.

37

Challenges from the Cyber Domain: Cyber Security and Human Rights

Challenges from the Cyber Domain: Cyber Security and Human Rights

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (17)

En vedette

En vedette (6)

Similaire à Challenges from the Cyber Domain: Cyber Security and Human Rights

Similaire à Challenges from the Cyber Domain: Cyber Security and Human Rights (18)

Dernier

Dernier (8)

Challenges from the Cyber Domain: Cyber Security and Human Rights