The 2022 Mike Lewis Memorial Teleforum: Peace in Cyberspace: How it was Lost and How to Restore It

[Music]

 

Dean Reuter:  Welcome to Teleforum, a podcast of The Federalist Society's practice groups. I’m Dean Reuter, Vice President, General Counsel, and Director of Practice Groups at The Federalist Society. For exclusive access to live recordings of practice group Teleforum calls, become a Federalist Society member today at fedsoc.org.

 

 

Jack Capizzi:  Hello, and welcome to today's Federalist Society virtual event. This afternoon, September 28, 2022, we are honored to present the 2022 "Mike Lewis Memorial Teleforum: Peace in Cyberspace: How it was Lost and How to Restore It." My name is Jack Capizzi, and I'm an Assistant Director of Practice Groups at The Federalist Society. As always, please note that all expressions of opinion are those of the experts on today's call.

 

      After our speakers have given their remarks, we will turn to you, the audience, for any questions.  If you have a question, please just type it into the Q&A feature at the bottom of your screen, and we will handle those as we can, towards the end of today's program. With that, thank you all for being with us. And, Vince, the floor is yours.

 

Vincent Vitkowsky:  Thank you, Jack. Hello, and thank all of you for sharing part of your day with us. This is the Mike Lewis Memorial Teleforum, now termed "webinar." Mike was a naval aviator and then an international law professor. He took on some of the most controversial issues of the post-9/11 era with wisdom and grace and clear writing. Mike had an amazing generosity of spirit. He was a friend of almost everyone he met, all across the spectrum, and a great friend to The Federalist Society. So, tragically, Mike left us too soon, dying from cancer.  Every year, we honor his life, his work, and his spirit, in a memorial event.

 

So when the U.S. and other Western governments started to think about cyber aggression, their initial approach was to analogize to traditional war and the law of armed conflict. Back in 2012, one of the first principles the U.S. stated was that if a cyber attack had the same effect as a kinetic effect — one with bullets and bombs breaking things and hurting people — it would be considered a use of force under the UN Charter.

 

Now, under US doctrine, that would trigger a right of self-defense, including cyber and kinetic responses. NATO took a similar approach, and energetically analyzed how cyber attacks might be treated under the law of armed conflict. A group of academics have spent years drafting and refining something called the Tallinn Manual on International Law Applicable to Cyber Warfare.

 

Some commentators question whether this is the best framework. They argue that cyber-attacks are unique, and in the real world, the actual responses of states should comprise what will eventually become the controlling customary international law. Our panelists today are taking on a related question. Most nation-state cyber exploits do not, and are not likely to reach the level of a use of force. Still, they can be very disruptive and destructive. Yet most go without response and our adversaries are undeterred. What can we do about that?

 

Our speakers today, Lucas Kello and Eric Jensen, have some strong ideas on that subject. Lucas is an Associate Professor of International Relations at Oxford, and has too many other distinctions to mention. His upcoming book, Striking Back: The End of Peace in Cyberspace - And How to Restore It, will be published by Yale University Press next month.

 

Eric Jensen is a distinguished scholar and military practitioner. When in the Army, he was Chief of the International Law Branch, and he's the leading authority on cyber war. So, with that, I'll be quiet from now on, maybe, and turn it over to the panelists, starting with Eric.

 

Eric Jensen:  Don't be quiet, Vince. We like you engaged in these topics. And, Vince, thanks for inviting me to be here. It's a great honor to be here, particularly in this webinar honoring Mike Lewis. He was a great friend and colleague to me, so I'm grateful to have this chance to honor him.

 

And, Lucas, it's a great honor to be here with you. Unlike the rest of the world, I got a sneak peek at your book — the rest of them won't get it for another month — and I found it fascinating. And I hope, in our discussion, to maybe highlight some of the key points that you raise in your book. But maybe it's best just to start with the question of what is it that made you want to write this book?

 

Lucas Kello:  Yeah, that's a great question to start with, Eric. And let me, first of all, thank Vince for that very generous introduction. It's a real pleasure to speak to this forum today, not least on this memorial occasion. So thanks very much for having me here, and greetings to our audience from Oxford, England.

 

So, Eric, your question: what prompted me to write this book? It was, I think, a basic sense of frustration at the inability of existing Western security strategies to prevent significant cyber-attacks, or at least to reduce their number and intensity. So this is one of the central diagnoses that the book provides, is an analysis of this, of what I call the "conflict prevention puzzle."

 

It's the case – it has been the case for the last decade or more that Western nations' political, economic, and social interests have been repeatedly assailed through actions in cyberspace. The political leaderships in the United States, Britain, France, European Union, NATO, and elsewhere, have made it clear, quite unequivocally, that this activity is too harmful, despite what Vince was saying, quite accurately, about it not meeting the existing legal threshold for a use of force or armed attack.

 

      It's nevertheless too damaging, for political and other interests, to be tolerated. And yet, the offensive activity has continued unabated. So it seems to me that we have before us quite a spectacular case of conflict prevention failure. And so the awareness of that major shortcoming, in policy and strategy, prompted me to think quite seriously, over the last several years, about what the nature and the root of the problem is, and what could be done, in order to address it.

 

Eric Jensen:  That's fantastic. And, of course, none of us spend much time reading the news each day without hearing about some kind of cyber-aggression, either by private or by public parties, against very lucrative, sometimes, targets. One of the points you make very early in the book is this idea that one of the things that has transitioned this ability to conduct cyber activity so effectively is kind of the move from the private information sphere of maybe the Cold War era to the public information sphere that was brought about by the development and the use of the internet. Can you tell us a little bit more about that -- that transition from private to public, and why the internet makes them such a target-rich environment?

 

Lucas Kello:  So, can you say a little bit more, first, about that distinction between public and private?

 

Eric Jensen:  Well, so in your introduction to the book, you talk about how much of the information that states held really closely was private in nature. It was not open to the public. It wasn't accessible to the public, writ large. You'd have to break into some room and open up some secret locked cabinet and pull it out and sneak out of the building. But I think one of the points you made about this, and the benefit of the internet – it makes us all connected, but it also makes us all vulnerable. And that seems to be your argument.

 

Lucas Kello:  Right, as I understand it, yeah. Yeah, so, what has happened, quite extraordinarily, over the last two decades or so, is that enormous aspects of human activity — political, economic, commercial, military, and other — have become transmittable in a digital form. They've become capturable, through zeros and ones. All computer code reduces to zeros and ones, information stored as electrons.

 

Now, it's true, yeah, the internet has been around for a very long time. It used to be called the ARPANET. It's been around since 1969, but it really wasn't until the mid- and late 1990s that the internet became a broad social phenomenon, and sort of permeated all aspects of modern society. That's been increasingly the case just about everywhere in the world that you look.

 

And perhaps we don't have much time here to discuss those stages of development and expansion, but one of the most important ones has been the explosion of social media since the early 2000s. Because what that's done is it's created a digital platform for political discourse to take place. And so now, suddenly, people who could never communicate with each other are able to do so almost costlessly and effortlessly. And, moreover, it's become very difficult for various reasons, often, to attribute the identity of the participants in political discussion, and also their location. What does that mean?

 

That means that our central forums of political discussion in democracies, for whatever contentious issue that might arise —for example, in the context of the upcoming midterm elections in the United States — are now susceptible to intervention by all kinds of actors, including very remote, and often surreptitious actors that might have political or geopolitical motives that might not be known to us. So I think that one of the central challenges in carrying out security strategies in this space has been that broad, vast, opening of political discussion, as a result of the explosion of the medium.

 

Eric Jensen:  Right. This newly enriched target environment, where there's lots more targets, lots more ways to emphasize and to get your point across, even if you're a nefarious actor. I think it's a great point. So you are not a fan, though, of the current international law structure. So Vince introduced the idea of the Tallinn Manual. I was one of the experts in the Tallinn Manual group. I'm kind of a fan of international law. I teach international law.

 

But Lucas, you're not such a fan of international law, at least as a framework to deal with this current problem. Or maybe I'm misquoting you. But you at least think that over the past decade, international law, as a framework, has proven itself ineffective, maybe. Is that a better way to say it?

 

Lucas Kello:  Yeah.

 

Eric Jensen:  Tell me more about that. For those of us who are fans of the legal system, where is it failing?

 

Lucas Kello:  Yeah. It's a great question. And it's not that I'm not a fan of the legal system. Rather, it's that I think the legal system has become, in a way, inapplicable, or ineffective in dealing with the forms of technological aggression that we've witnessed an expansion of, as a consequence of the expansion of the internet and cyberspace. That's one of the central arguments of the book.

 

And so the main reason for that is that the legal system, much like security doctrine in Western nations — and this is a point where legal doctrine and security doctrine are quite closely aligned — the legal system has traditionally prioritized these binary notions of peace and war. So war has a very clear definition, under international law and the customs of diplomacy. It's customarily defined as a significant physical destruction of property and loss of life.

 

And international law currently supplies two related notions to capture that kind of activity -- armed attack and use of force. These are notions that are clearly codified in international treaties, such as the UN Charter and its various principles. And then, so you've got one set of situations in offensive and rivalrous activity, which is denoted by or captured by those two notions.

 

      And then, on the other side of the binary construct, you have peacetime competition. Now, the problem is that peace is not a concept that is clearly defined under international law. I think that's one of the problems of the international system, is that it doesn't really define peace. Now, customarily, what has that meant? It's meant that peace is essentially interpreted as the absence of war.

 

Eric Jensen:  The lack of war, right. Yeah.

 

Lucas Kello:  The lack of war. And you have political thinkers, going all the way back, at least to Thomas Hobbs, for example, who, indeed, described life in the international jungle as a state of war. Not because he meant that war always happens, but, rather, because even when there isn't a situation of war, it can, at any time, break out. That's one of the basic realities of the anarchic international system. So he and other political thinkers have described a world in which international affairs alternate between a situation in which war is switched on and war is switched off. So, again, reflective of this binary construction that the international system conveys.

 

      Here's the problem, though, Eric. The problem is that what we have seen is by way of the expansion of new technologies. We've seen the expansion of the middle of the spectrum of conflict. This is a term that I coined in my last book, The Virtual Weapon in International Order, which was published in 2017. And the term is "unpeace." What do I mean by that? I mean mid-spectrum activity that is not physically violent or fatal, and, therefore, isn't warlike, but that is too damaging to political, social, and economic interests to be traded as tolerable peacetime activity.

 

And, after all, the legal system allows all kinds of economic and other forms of competition to take place within peacetime -- things like economic sanctions. But now what these technologies have made possible, as I was indicating earlier, is direct intervention within democratic contexts in order to disrupt elections, to sow political and social divisions, to paralyze even the small economy and financial infrastructures of a small nation, like as we saw in the distributed denial-of-service attacks against Estonia in 2007, which was, by the way, the world's very first international cyber crisis.

 

And the problem, Eric, is that the legal system says very little about that middle of the spectrum. So it says a lot about how nations can react, under the principal, for example, of self-defense, within the UN Charter, to acts of armed attack or use of force. The domestic penal codes say a lot about what can be done within national jurisdictions, to penalize criminal activity, things like financial fraud or hacking into crypto-asset exchanges.

 

This is activity that is not deemed under international law to be war-like and that is quite clearly penalized within most domestic penal codes in the world. The problem, of course, is that if the perpetrators reside in a foreign jurisdiction and live under the protection of a foreign state whose interests and purposes they serve, then the domestic criminal code doesn't really help you out.

 

Eric Jensen:  Right.

 

Lucas Kello:  And so we're stuck — to summarize, to sum up this commentary — we're stuck in a situation that I think the CEO of Sony Pictures Entertainment, Michael Lynton, very aptly captured, in 2014, when, of course, that was the year that his company suffered a major hack by North Korea's Lazarus Group, and he said, look, if you are a CEO or a decision-maker, and you find yourself in this situation that I have described as "unpeace," then, his words, "there is no playbook." There's no clear playbook within the legal and normative system that prescribes clear actions for how to respond. And I think that is the essence of the problem that strategists face today.

 

Eric Jensen:  Right. So I think you hear strategists talking about this idea of great power competition, and that may be the way they would deal with the jungle, as such, of international community relations. But your point is that even in great power competition, the only legal paradigms are either the peace paradigm or the war paradigm, right? And so that as you ratchet closer and closer to that war paradigm, the legal regime doesn't necessarily change sufficiently to give you enough responses.

 

      Now, some might say, sympathizers to international law might say to you, Lucas, look, a lot of what goes on, though, cyber stuff, is really just espionage. It may be espionage by a different vehicle. It may be happening over the internet. I get that. But it's really still just espionage, and espionage has been going on for -- ever since the world was. And there is law to do with espionage, as some of the things you mentioned: sanctions, etc., diplomatic demarches and that kind of stuff, throwing diplomats out of countries. Why is that paradigm that has worked for millennia no longer sufficient?

 

Lucas Kello:   Another very good question. Analysts have grappled with it recently. It's a question that I also diagnose in the book. So I think that the conventional logic of espionage doesn't adequately capture the problem before us. And that has to do with the ways in which cyberspace and the internet have radically — I think, fundamentally — altered the very nature of espionage.

 

I mean, think about how espionage traditionally worked. You broke into the information space -- analogue information space of an adversary. You seized whatever prized military, industrial, or diplomatic secret that you were after, and you very quietly took it home and used it for whatever purpose it was useful for. And the whole idea was the secrecy behind it -- of your whole intrusion. Because once it became known that the information was compromised, or once the secrets are shared too widely, well, you get into the classic intelligence equities problem, and the stolen information that you have has lost value.

 

      Cyberspace and the internet have radically changed that. We saw that in 2016, very plainly, in the context of the very contentious presidential election in the United States. I'm referring here to the hack by the Russian GRU, which is a military unit, of the Democratic Party leadership's email records. So, if you recall, that election there were two quite contentious contests within the Democratic Party, for the party's nomination. We had Bernie Sanders and Hillary Clinton. There was suspicion within the Democratic Party that the leadership was secretly favoring Clinton over Sanders.

 

And what the Russians very, very, ably did was they released — three days before the Democratic Party convention — a trove of stolen emails of the DNC, proving, in fact, those suspicions correct. Now, it's unprovable. We'll never be able to know whether a sufficient number of disgruntled Bernie Sanders supporters did not show up on November 3 of that year to vote for Hillary Clinton, and, therefore, that's why Trump won that election. We can't prove that.

 

But let's recall that that was a very close election in the Electoral College. In some of the swing states, the election was lost by only a few tens of thousands of votes. So I think it's open to legitimate question. It's plausible that, had the Russians not carried out that leak of the emails, that Hillary Clinton could have won.

 

      Now, this, I think, takes us right back to the changing nature of espionage, because what we saw there — that's what the Russians called a "kompromat" operation _—  and what we saw there was a very different kind of espionage than the one that we see in the conventional world. We saw that the Russians seized this private and politically sensitive information, and instead of closely guarding those secrets, they publicly released them at a time, in a moment, that was calculated to cause maximum political impact in an adversary's political system.

 

      And that was exactly the point, to make a public spectacle of stolen information, which is why, I think, that the conventional logic of espionage doesn't take us far, because it doesn't really capture this new phenomenon.

 

Eric Jensen:  Okay. And I want to come back to that example and maybe ask you what you think the correct responses might have been by the United States that they didn't do. But before we do that, I want to just read one quote about "unpeace" from your book, because I -- again, this idea of "unpeace" I think, is really intriguing. You say, "'Unpeace' has become a more relevant force of change in international politics than war itself." That's a pretty strong statement.

 

"Nations can use cyberspace to achieve some of the political and strategic objectives of war, interfering with another nation's governmental institutions, disrupting its economy or financial system," some of the things you've mentioned before, "seizing its military and financial assets, crippling its public administration and communications infrastructure, disrupting its civilian power supply, and so on, all without firing a shot."

 

      I just wanted to note -- again, I want to come back to "unpeace," but I just want to note that "unpeace" doesn't just, or the situation of cyber doesn't just give that power to states, but it gives that power to individuals, to transnational criminal organizations, to terrorist organizations. So the difficulty you're highlighting doesn't only apply to Russia hacking the United States, it applies to lots of entities and individuals, who, because cyber devolves state-level violence to the individual level, can take some of these actions, right? Isn't that really part of your point here? That we should be worried on a much grander scale?

 

Lucas Kello:  No, absolutely. And I do have, I think, some comments in relation to what you were saying to the growing significance of what I call "unpeace," within international affairs and geopolitics, more broadly, but I think we really should touch upon, especially in light of what's going on in Ukraine with Russia.

 

But to answer your question here, no, I think absolutely. One of the truly, and perhaps, in a way, most transforming aspects of what I call, and others call the cyber revolution, is precisely the way that it has empowered actors that have traditionally been alien to the state system. I mean, if you look at the way that international diplomacy is architected: membership in the general assembly, the security council, the various committees, and subcommittees --

 

Eric Jensen:  [Crosstalk 00:25:27]

 

Lucas Kello:  -- it's been designed, since the middle of the last century, with, it seems, the explicit purpose of keeping non-state actors outside of the high tables of world affairs.  Now, that's a real problem in an age in which we live, because we live in an age in which at least the large multinational technology companies, whether they like it or not, are geopolitically relevant players. And I think one of the major challenges for CEOs and corporate leaderships today is coming to grips with that reality, which I think is an inescapable reality, because that doesn't mean that corporations like Microsoft, Google, Facebook, the semiconductor producers, and so forth, have to explicitly behave like nations or geopolitical actors.

 

That doesn't mean that they necessarily have to pick, explicitly, sides in large international contentions and conflicts, although some of them -- we've seen Microsoft carrying out some, I think, extremely informative reporting of events on the ground in Ukraine. It's been a real boon to us researchers. What it does mean, though, is that those companies do have a central role to play on the international scene.

 

Now, that presents problems, especially for democratic nations, because centralized political systems, like Russia's or China's, which, of course, have vibrant private sectors -- China's native technology industry has really burgeoned. China has pursued technological prowess during much of the last two or three decades, through things like industrial and commercial espionage. China doesn't really need to do that anymore, at least not as much as before. They really have vibrant, highly capable, technology industries of their own, companies like Huawei and others.

 

      But, within a centralized political system, the tools available to national security planners for aligning public- and private-sector interests, when they diverge, are much greater — and, of course, they include coercive tools — than one finds in democratic contests. We saw this very clearly in 2015, in the San Bernardino terrorist case, where the FBI presented Apple a court order to decrypt one of the deceased terrorists' iPhones, and Tim Cook, famously, got on the web and wrote two blog posts explaining why he wouldn't do that.

 

      Think about how extraordinary that situation was. For a moment, you had a multinational company dictating to the most powerful government in the world, which of two seemingly competing goods should prevail: a public good and the protection against terrorism, and a private good protecting the bottom line of the company and the interests of the Apple ecosystem. That, to me, was an extraordinary situation. And it's a situation that carries over to the protection of the voting infrastructure, largely owned and operated by the private sector, to the protection of the social media platforms that we were discussing, that are so prominent, within political discussion today.

 

And I can't think of a time in history, and I've thought long and far, where the private sector has played such an important role in the provision of national security, as in our own times. And so I think countries — again, especially democratic countries — have a lot of challenges on their hands, in terms of figuring out new and more effective relationships within the public and the private sector, in order to address the security problems that have been expanded.

 

Eric Jensen:  Yeah, great points. Kind of the other side of the coin of what you were saying, now some Western countries are unable to limit the role that these multinational corporations are playing in the conflict in Ukraine, for example. Some may be doing things that those countries wouldn't actually prefer that they do. So, I mean, the freedom with which these multinational corporations work in this space is, you're right, I think something that causes governments to pause.

 

      I want to go back now to the question I was going to ask earlier. And I see a hand by Steve Waxman (sp). I'm going to come to you after this, Steve, so get ready. So, Lucas, let's just assume that everything you're saying is right. What should the United States have done in response to the DNC hack that they didn't do? What should they have done?

 

Lucas Kello:  Well, let's begin the diagnosis with a brief analysis of what was done and why that was wrong, or at least ineffective. So what we saw happen was the expulsion of, I think it was a few dozen Russian diplomats, which, I suppose that's a big deal for those diplomats and their families. It carried quite a bit of symbolism within the world of diplomacy. Did it, however, achieve what the policy should have attempted to achieve, which was changing the calculus in Moscow in support of carrying out interventions of this kind?

 

      In other words, did it succeed at deterrence? Convincing the other side that the gains to be had from this kind of activity are less than the cost of carrying it out? And that cost includes, of course, and perhaps, centrally, the imposition of cost through some kind of punishment. And, again, so, this is where I think the diplomatic expulsions were not credible and unconvincing. And one can understand why it was so difficult for policymakers and decision makers in Washington to figure this out. Because recall, again, this was not a conventional use of force. And yet it was highly damaging — one could argue, I have argued — to the United States political interests.

 

      You can almost visualize a meeting of the National Security Council, the system makers, they turn to the international rulebook, they turn to their own internal doctrinal rulebooks. They look for a chapter within those rulebooks that prescribes a clear and proportionate response to a major political hacking event, and they don't find such a chapter. So it creates, I think, a situation of confusion and vagueness. What we also saw was a lot of noise about how these kinds of actions, and others like it, were against the rules-based international order. And there, again, we have a problem, because there is no rules-based international order or consensus when it comes to the interpretation of these actions.

 

And, again, that's one of the fundamental problems. So what that means, prescriptively, is that — and this gets more to your question — is that we should, perhaps, set aside the matter of law and norms, which I label "cyber legalism," because they're not going to be persuasive to regimes that do not share our political values, and have a very different interpretation of the applicability of international law and norm in this space. And, instead, as I argue in the book, what we should seek to do is affect a material interest of those geopolitical adversaries, in order to change that cost calculus.

 

      And there are various ways that one can do that, and I dedicate a whole chapter and others, too, in terms of applying it in different contexts, but what I suggest is this: I proposed this new doctrine of punctuated deterrence. And I can say a bit more about it here, but you can read all about it in the book.

 

Eric Jensen:  Nice teaser. I do want to get to punctuated deterrence, because I found that is a fascinating idea. And maybe we'll coax a little more out of you than you've given us so far. But I see, Steve, your hand is down. Does that mean you're ready to speak, or I misread your hand? If you've got a question, Steve, go ahead and unmute, and ask it.

 

Steve Waxman:  Yes, can you hear me?

 

Eric Jensen:  We can hear you, Steve. Go ahead, ask Lucas your question.

 

Steve Waxman:  Okay. My question, professor, is could we think of today's cyber activity and attacks by groups and even nation-states almost synonymous with previous -- like when you think of CIA covert activities in the past, with even up to and including regime change, there aren't any, really, any rules on that, so can't cyber hacks and those kinds of things be thought of along those lines?

 

Eric Jensen:  Yeah, it's a great point, Steve, great historical reference. Thanks. So, Lucas, what do you think?

 

Lucas Kello:  Yeah, that's a great question. And I began to answer it in my earlier comments about the logic of intelligence gathering, the problems of applying it in this space. So, I think, what I understand to be one of the premises of your question is correct. In other words, in this kind of thing — political intrusions into other countries' elections and governments and regimes, and so forth — is that new? It's been happening for a very long time. But what has fundamentally changed is the medium through which that kind of intrusion can happen.

 

      And many, vastly more opportunities for intrusion are available today. And when you think about the scope of the action that can take place, because we're talking about everything from -- well, one of the various ways that one could disrupt an election. You could hack into the voter registration systems in order to, for example, corrupt the data of a certain demographic that has been known, historically and according to polls, to support a particular candidate that you want to see lose -- you as a foreign intervener.

 

You could hack into the vote-counting machines in order to alter, directly, the tally of the votes. This concern prompted the Dutch authorities, for example, in March of 2017, to count every vote by hand in a national election that they had at the time in that country. You wouldn't even necessarily have to successfully alter or corrupt the data in the registries or in the vote-counting. If you simply demonstrate convincingly that a foreign actor has inserted itself into that infrastructure, that, in itself, could be sufficient, in our highly polarized times, to lead to all kinds of perceptions of illegitimacy in the outcome.

 

We're seeing this currently play out in Brazil, in the context of the presidential election in that country. A lot of concern about the hackability of the voting infrastructure there. And so, when I think about that kind of covert — and maybe not so covert — activity, and I compare it with traditional, say, CIA attempts to intervene in a foreign government, it seems to me that the scope and the scale and the remoteness of the action is not really comparable, and it represents not a difference in degree, but rather, a difference in kind. We are dealing with, I think, a fundamentally different kind of espionage activity than we saw previously.

 

Eric Jensen:  Okay. And I might just add that at least ABC reports that despite all that DNC hacking and everything that led up to it, the only time that President Obama called President Putin was when the FBI told him that they were hacking into voting machines where they could actually change the vote. So, at least for President Obama, that was where he was willing to draw the line, right? But I think your point that how we categorize this history may change how we view this, or may affect how we view our answer to that question.

 

      So, traditional legal types like myself might say, "Look, the reason -- you're focused too much on the medium, and we think that [inaudible 00:38:59] international law is focused on the effects, and that the effects of tampering with an election are the same, whether it's the covert CIA op, or whether it's the hack." Again, your differentiation of that would be the scale, the scope of what that cyber-platform brings, and how that affects and can increase, exponentially, the impact [inaudible 00:39:18].

 

Lucas Kello:  Yeah.  No, that's a great point, and it certainly is the case that international law, in terms of applying it, usually legal scholars and practitioners focus on the effects, rather than the modality of whatever action is being considered. And, Vince, in his introduction, referred to what is often labeled the "equivalence principle," the idea that if the effects, the physically destructive and fatal effects of a cyber attack meet the legal criteria of an armed attack or a use of force, then it doesn't matter that the action traveled through the virtual medium. It had effects that were consonant with a conventional act of war, and, therefore, according to international law and diplomacy, should be and can be treated that way.

 

      The problem is that we haven't seen yet, such a cyber-attack take place. If and when we do see it, it's going to be an easy case, in terms of the application of international law, for precisely the reasons you suggest in your question, Eric. Because that's when we can bring out our legal and doctrinal rulebooks and we can search for the chapter that prescribes a response to a use of force or an armed attack. But what we haven't yet seen is precisely that criteria being met within cyberspace.

 

      And I think this is something that the main geopolitical contenders of the United States, Britain, and other partner countries understand very well. And, as I argue in my book, I think they hold a doctrinal edge when it comes to understanding the realm of "unpeace" and how to maneuver within it. Because I think they understand two things better than we do. First, they understand the growing realm of possible action within this space. The Russians have been the masters of political subversion through cyberspace. They've shown that repeatedly. They're failing spectacularly on the conventional battlefield in Ukraine, but, within cyberspace, I think they've been very adept.

 

And they also, secondly, understand, I think, better than we do, our own limits. Because they know that no matter how damaging, politically or economically, their actions are, so long as those consequences don't pass the effects test that you mentioned, we, in western capitals, are going to really struggle to come up with a response. And so that's, I think, the situation that we're in, and why I argue that this doctrinal race of cyberspace is being won in Russia and in China, perhaps in other countries, even though, here in the West, we still have a technological edge.

 

Eric Jensen:  Okay, great. I want to drag you back to punctuated deterrence, because I really want to ask you about that. It's such an interesting idea. But we've got a question here from Adam. Adam, do you want to unmute and ask your question? Or do you want me just to read it out of the Q&A?

 

Adam:  Sure.

 

Eric Jensen:  Go ahead, Adam.

 

Adam:  Okay, great. I appreciate you taking the question. So the Tallinn Manual is predicated on the final principle of sovereignty. And, as I read it, not only territorial sovereignty, but also sovereignty to define internal norms and international responsibilities. By contrast, classical international law has long had a category for necessary international norms, which sovereigns are not competent to redefine, such as norms against theft, and rights to make justified reprisals, and limitations on those rights, and so forth.

 

So my question is, is the contemporary embrace of a comprehensive law-making sovereignty a problem, insofar as it enables states to deny their legal responsibilities for cyber conflict prevention, and refuse their consent to rules that would prohibit cyber aggression?

 

Lucas Kello:  Adam, are you an international lawyer?

 

Adam:  I'm just a law professor.

 

Eric Jensen:  Come on now, Adam.

 

Lucas Kello:  Okay, I gathered that a legal mind was at work here, in the articulation of that expert question. Let me address this problem of applying the principle of sovereignty in this space, because I think it's hugely problematic. The problem that I see is that when it comes to the principle of sovereignty, the international rulebook also prioritizes the physical over the virtual world. What do I mean by that? It prioritizes the violation of a country's geographic soil, things like the seizure of Crimea by Russian troops in 2014, the reinvasion of Ukraine earlier this year, so the physical presence of foreign troops within the recognized territory of another state.

 

      What it's much more ambiguous on is the question of whether intrusions, virtual ones, into the information space of other countries constitutes a violation of the sovereignty regime under international law. Here, again, we have a lot of disagreement, because what's interesting about the legal perspective of Russia and China so far, as I interpret it, is that they have been staunch proponents of cyber sovereignty, the idea that nations have a right to oversee, and control, even, their domestic information spaces, as they wish.

 

      So we see that Russia and China both operate a vast apparatus of internet surveillance and censorship, which is a reflection of a very strong reading of the notion of cyber sovereignty. But what they clearly haven't done is translated that doctrine into an understanding that they and other countries cannot intrude upon democratic elections abroad, because clearly they've been -- Russia, as I noted, has been a persistent actor in that regard. We're seeing increasing intrusions, within election contests, by Chinese actors within Asia Pacific, especially, unsurprisingly, in Taiwan. So China is growing more assertive in that regard, as well. It's taking pages of the Russian playbook in that regard.

 

      And so this is an interesting dichotomy within Russian and Chinese understanding of sovereignty in this space. Because, again, they're very restrictive when it comes to arguing that countries get to organize their domestic internet the way they want, free from the pressures of the foreign internet companies and foreign governments that push for the model of an open internet.

 

But they say very little in terms of curtailing intrusions by them into democratic contests. And the fact that those countries, Russia in particular, has been able to maneuver so expertly between these potentially contradictory positions, I think it really is a reflection of the mastery I think that they have over cyber activity.

 

Eric Jensen:  That's a great answer, Lucas. Okay, so it's not just China and Russia, right?  There's even disagreement on this in the West. The Dutch and the French have very strong statements about sovereignty. The UK is kind of taking a different approach, and said, "Violation of sovereignty is, in and of itself, a violation of international law." Instead, it has to be a prohibited intervention, which means some coercion against the domaine réservé. So there's disagreement about this in the West, which I think highlights, to some degree, your point, Lucas.

 

      Now, we've had a couple of great questions from the audience. Feel free if you have more questions to send them to the Q&A. And I'm hoping Vince will jump in here at some point, because he always has great questions. But, Lucas, I want to drag you back to punctuated deterrence. So, deterrence -- there's been lots of talk about deterrence in the cyber realm. We can't think of deterrence in the -- it's clear we can't think of deterrence in the cyber realm the same way we thought of it in the Cold War. That's just not going to be the way that deterrence is going to work.

 

But people have thrown out different ideas about resilience and agility and all these other ways to equate deterrence. You've got this idea of punctuated deterrence. Tell us what you're willing to -- without divulging too much from the book so your publisher schwacks you, but tell us what you can about this, because I think it's a really interesting point.

 

Lucas Kello:  So I began to outline the basic principles of punctuated deterrence in my last book, and I expound upon them much more extensively in this book. And punctuated deterrence is my attempt, prescriptively, to save the sick patient of deterrence within cyberspace, which some analysts are all too happy to declare dead, so, for example, the originators and advocates of the U.S. Doctrine of Persistent Engagement within the United States. It's one of the central doctrinal planks of the U.S. Cyber Command today. I think it represents a very important and positive development in the evolution of U.S. cyber strategy.

 

One problem that I see with it, though, is that some of the proponents see it as a replacement of deterrence, which they argue is unrescuable. So I, of course, disagree with that notion. And so what I argue in the book is that deterrence in cyberspace can work more effectively, more successfully, if we do two basic things. One is to carry out a sterner and more credible punishment, and I outline a series of principles about how that could be done.

 

One of them is the idea that you should treat the adversary's actions as a series of actions or campaigns, rather than as isolated incidents, which is what, if you look at the origins of deterrence theory in the nuclear era, teaches you to do. You treat single nuclear attacks or incidents on their own merit. That doesn't really make sense in a realm where you have so much activity, none of it, so far, meeting the threshold of traditional response, and yet having cumulatively significant effects for our political systems and economies.

 

And so what I prescribe in the book is that we have to sum up the accumulating effects of these cyber campaigns and then seek to respond to them in their totalities, rather than figuring out, how do we respond to individual incidents, which, if anything, is -- given the number of incidents, is a distributed denial of service attack on the civil service. And then, I also -- I don't have time to get into the details here, but I discuss how countries could try to carry out more effective and more creative issue linkage. So linking state behavior within cyberspace to, for example, negotiations for a conventional forces framework in Europe, even negotiations over nuclear arms limitation -- linking it to economic sanctions.

 

And here, I'm referring to what I call broad-spectrum economic sanctions. Not the kinds of targeted financial penalties that we've seen the Department of Justice issue against specific Russian operatives and organizations. I think — recalling my earlier comments about the domestic criminal code — I think those don't have much of a chance of succeeding. I also prescribe much greater attention to what I call the virtual integrity of the political system.

 

This is something of a puzzle, because we're not used to, in the West, of thinking about what the Russians and the Chinese call "information security," in other words, controlling the flow of domestic channels of information, especially over the internet, because we pride ourselves, very rightly, on the openness of the free exchange of ideas. And so, for us, it seems almost reprehensible to our values to think about information security. But what the DNC hack and other similar incidents have shown us is that we have to take information security very seriously, and come up with some kind of a regime of response.

 

Another thing, very briefly, that we could do, which goes beyond a sterner response to affect material interests, is smarter denial. In other words, coming up through the use of new technologies with techniques that decrease the attackers' and the intruders' expectations of success. So I devote a whole chapter to the Estonian experiment of data embassies, which is their attempt to create backup cloud services for essential government functions and registries, everything from the land registry to the population registry, tax systems, and so forth — Estonia, of course, is a highly digitized society — and creating backup servers in foreign jurisdictions, hence the label "data embassy."

 

So they set up data embassies. They're currently operating in Luxemburg. Other countries have started to think about this too. This, by the way, creates opportunities, very good ones, for the private sector to become involved in that effort. And so the idea is that if you can back up your essential government services and infrastructure in a foreign cloud, that could very well affect the expectation of foreign hackers to successfully interfere in your system.

 

Eric Jensen:  Great point. I loved your point about the accumulation theory. It's what Sean Watts calls "death by a thousand cyber pinpricks," right? This is a really classic method of attack. All right, so we've got, I think, time for one more question. This is from Victoria Sutton. If this is the Vicky Sutton who's my friend, this is going to be a really good question. Are you out there Victoria Sutton? All right, can you unmute and ask your question?

 

Victoria Sutton:  Hi, yes I am here.

 

Eric Jensen:  It is my friend.  Okay, go ahead and ask a great question.

 

Victoria Sutton:  Until we're able to attribute an attack to a state party, we're never going to get to an international forum for sanctions. For example, we have China always working through individuals. We can indict them, but we never get to the state actor. Isn't that true?

 

Eric Jensen:  Yeah, and I guess the fundamental question you're laying out there is does it do us any good if all we do is get the pawn, and the state gets off scot-free, right?

 

Victoria Sutton:  Exactly.

 

Eric Jensen:  Yeah. So Lucas, you've talked a little bit about that, but can you address that maybe a little more fully?

 

Lucas Kello:  Yeah, that's a very good point, and it's one of the other challenges in coming up with an effective, proportionate, and also legitimate response in this space. It's the attributional difficulties. It's the difficulty that one, as the victim of a major incident, often encounters in identifying the location and identity of the attacker. But here's the thing, Victoria. There is this other principle that we haven't yet discussed, but should, of state responsibility. It's a very well-established principle in international law. And it basically stipulates that governments are responsible for the harmful activity emanating from within their jurisdictions.

 

And so what that means is that, in principle, you don't necessarily need to prove that it was a Russian state actor who directly interfered in your elections or crippled one of your oil and gas infrastructures, or whatever it is. It's sufficient merely to prove, if you can do it forensically, that the actors were operating from within the jurisdiction of Russia or whatever country in question, and that the authorities — despite that knowledge which you, as the victim country, may well present to them — took no action, essentially tolerated it.

 

And so, under the principle of state responsibility, that makes that government at least partly responsible for the action and, therefore, susceptible to some kind of a punitive response. And here, Eric, I do want to -- I have an important note to add here about the punishment dimension of what I discussed. Because some people may very well misinterpret this book. And I was very careful not to write it as a manual for how to carry out offensive strategy in cyberspace, although some security planners and strategists might find insights for how to do that.

 

The book, rather, is an attempt to shore up the strategic defense. In other words, carrying out more credible responses and shoring up defenses through new technologies, in order to prevent cyber-attacks, or at least to reduce their number and diminish their intensity. So this is a book about increasing stability and restoring peace to at least some essential quarters of cyberspace. And I think that has to be emphasized in case my argument and intent is misread.

 

Eric Jensen:  Lucas, I'm glad you made that point at the end. And I loved your response to Vicky. It's hard for me to end on that, when you lay out that cyber due diligence is a part of the state responsibility issue, and I can't delve deeper into that. But Vince, I think our time is almost spent, so I'll pass it back over to you. And, Lucas, that was great. Thanks.

 

Vincent Vitkowsky:  Lucas and Eric, that was a terrific discussion about what's probably the most important issue in cybersecurity today. Thank you. Jack, anything?

 

Jack Capizzi:  Fantastic. Thank you all. Now, finally, on behalf of The Federalist Society, thank you all for joining us today. We always welcome listener feedback at [email protected]. As always, please keep an eye on our website for future events. And thanks again for joining us. We are adjourned.

 

[Music]

 

Dean Reuter:  Thank you for listening to this episode of Teleforum, a podcast of The Federalist Society’s practice groups. For more information about The Federalist Society, the practice groups, and to become a Federalist Society member, please visit our website at fedsoc.org.