1. Application of principles of international law to
computer network operations management
Adriana Dvoršak
1st international academic conference
on intelligence and security
Contemporary Intelligence Support Systems.

2. 1. Security of IP (concern of the IETF).
2. Security of networks (focus on CERT).
3. Security of business.
4. The individual's human rights (privacy)
5. National security (state sovereignty, national
interests, cyber warfare).
(Doria, 2007)
Providing security to individuals, business, state.
Concepts of cyber security

3. and law of armed conflict:
1. military necessity,
2. distinction,
3. proportionality,
4. perfidy,
5. neutrality, and
6. unnecessary suffering.
Principles of international law

4. (Kanuck, 2007)

5. CNO in operation Allied force
CNE - NATO, Serbia
CNA – NATO
CND – US (?)
Propaganda - Serbia
Military deception - Serbia
Learning points for NATO
Vulnerabilities
National decision making processes
State practice from the region

6. Offensive doctrine
Military foreign policy options are expanded
Small states with offensive foreign policy
Can Slovenia advocate cyber offensive?
Article 124 of Constitution: In the provision of security the state
proceeds principally from a policy of peace, and an ethic of
peace and non-aggression.
Legal conditions for CNA
Right for self-defense
Part of general and information warfare
Request from UNSC
Coalitions of the willing supported by UN Resolution
Cyber offensive

7. CNA CND
TARGET
IW AREAS
TACTICS
TACTICS
WEAPONS ATTRIBUTES
CONSEQUENCES
REACTIONS
perceptions,actions
RECOVERY
DECISION
CONTEXT
CONSIDERATIONS FOR
IW PLANNING
1 Legal,political,social
2 Skil levels, technical
3 Financial
reevaluation
CNO lifecycle model
Adapted from van Niekerk, 2011

8. The self-defence rule:
Everyone has the right to self-defence.
The cooperation rule:
The fact that a CNA has been conducted via information systems located in
a state’s territory creates a duty to cooperate with the victim state.
The access to information rule:
The public has a right to be informed about threats to their life, security
and well-being.
The mandate rule:
An organisation’s capacity to act (and regulate) derives from its mandate.
The data protection rule:
Information relating to an identified or identifiable natural person is
regarded as personal data.
(Tikk, 2011)
NATO 10 rules

9. The territoriality rule:
Information infrastructure located within a state’s territory is
subject to that state’s territorial sovereignty.
The responsibility rule:
Fact that CNA was launched from inf.system located in a state’s
territory is evidence that the act is attributable to that state.
The duty of care rule:
Everyone has the responsibility to implement a reasonable level
of security in their information infrastructure.
The early warning rule:
There is an obligation to notify potential victims about known,
upcoming cyber attacks.
The criminality rule:
Every nation has the responsibility to include the most common
cyber offences in its substantive criminal law.
NATO 10 rules

10. Member States required to have:
• national network and information security (NIS)
strategy;
• NIS cooperation plan;
• NIS competent national authority:
– technical expertise,
– international liasion,
– security breach reporting,
– CERT functions.
• Computer Emergency Response Team (CERT).
EU Directive on common level of NIS

11. Obligatory breach notification to the competent authority,
it determines which notification is in the public interest
(security intelligence?).
Competent authority requires market operators and public
administrations to:
– provide information needed to assess the security of their NIS;
– undergo a security audit and make the results available to the
competent authority;
– issues binding instructions to market operators and public
administrations.
(Articles 14 and 15)
EU Directive – competent authority

12. Difference Proposal for a Directive on network and info
security vs Cyber Security Strategy
Cyberdefence policy and capabilities related to Common
Security and Defence Policy (CSDP)
Aims:
– To concentrate on cyberdefence capability on detection,
response and recovery from sophisticated cyber threats;
– synergies between civilian and military approaches.
Cyber Security Strategy and CSDP

13. High Representative, MS, EDA will assess capability
development:
doctrine, leadership, organisation, personnel, training, technology,
infrastructure, logistics and interoperability.
Develop EU cyberdefence policy:
missions and operations, dynamic risk management, improved
threat analysis, information sharing, training and exercise for
militaries in the EU and multinational context.
Promote dialogue and coordination
– civilian and military actors in the EU,
– international partners, NATO, international organisations.
High Representative activities

14. National cyber security and cyber defense strategy.
Analysis of external environment
Pressure - normative dimension (EU Directive obligations, NATO
minimum requirements);
Threats.
Internal environment
Changes to legal framework (information society, criminal code,
privacy).
Stakeholders (military, police, academia, civil society,
business).
Synergies between national cyber incident capabilities, CERT,
and competent authority (EU Directive on network and info
security)
Way ahead for Slovenia

15. Centre vs. Periphery
Global North - Global South relations
Balkanization of CNE
1981 UNGA Declaration on Non-intervention: “the right of states
and peoples to have free access to information and to develop
fully, without interference, their system of information and
mass media, and to use their information media in order to
promote their political, social, economic, and cultural
interests and aspirations.”
Certain CNE amount to an unlawful intervention, e.g. cyber
propaganda activities aimed at fomenting civil upraising in a
target state, interference with elections.
Non-intervention

16. National assesement
Synergies between national needs and international
requirements
EU Directive
NATO requirements
New institutions
Conclusions

17. Appendix
Constitution of International Telecommunications Union (1992).
Doria, A. (2007). What do the Words »Internet Security« Mean? In Kleinwoechter (Ed.), The Power of
Ideas: Internet Governance in a Global Multi-Stakeholder Environment. Berlin
Kanuck, S. (2009). Sovereign Discourse on Cyber Conflict under International Law. Texas Law Review,
88.
van Niekerk, B., & Maharaj, M. S. (2011). The Information Warfare Life Cycle Model. SA Journal of
Information Management, Vol 13, No1
European Commission. (2013a). Cyber Security Strategy of the European Union: An Open, Safe and
Secure Cyberspace. Retrieved from http://ec.europa.eu/digital-agenda/en/news/eu-cybersecurity-
plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security.
European Commission. (2013b). Proposal for a Directive of the European Parliament and of the Council
concerning measures to ensure a high common level of network and information security across the
Union. (COM(2013) 48). Retrieved from http://ec.europa.eu/digital-agenda/en/news/eu-
cybersecurity-plan-protect-open-internet-and-online-freedom-and-opportunity-cyber-security.
Tikk, E. (2011). Ten Rules for Cyber Security. Survival: Global Politics and Strategy, 53(3).