This post isn't about — or isn't only about — the use of computer technology to commit crimes. It's more about the use of computer technology to commit war.
A few weeks ago, I was part of a conversation about the legal issues cyberwarfare raises. We were talking about various scenarios — e.g., a hostile nation-state uses cyberspace to attack the U.S. infrastructure by crippling or shutting down a power grid, air traffic control systems, financial system, etc.
Mostly, we were focusing on issues that went to the laws of war, such as how and when a nation-state that is the target of a cyberattack can determine the attack is war, rather than cybercrime or cyberterrorism. (As I noted in an earlier post, the distinction between the threats lies in the nature of the attacker: Cybercrime and cyberterrorism are carried out by civilians, while war is carried out exclusively by nation-states. For the purposes of the analysis in this post, I'm going to assume that war is the exclusive province of nation-states; in other words, I'm not going to consider scenarios in which civilians who are not affiliated with a nation-state launch what is, in effect, cyberwarfare.)
More precisely, we were discussing how a country that is under cyberattack — like the attacks that recently targeted U.S. sites or the ones that targeted Estonia in the 2007 — decides if it it is authorized to retaliate against the attacker (assuming it can identify the attacking nation-state with enough precision to justify launching a counterattack.) We were, in other words, focusing on the "Pearl Harbor moment," i.e., the point at which a nation-state can justifiably conclude it is the target of state-initiated cyberwarfare.
As we discussed those issues, someone raised a very interesting point, one that had never occurred to me. He pointed out that the signals used to launch the initial attacks and the signals that would be used to launch counterattacks would travel primarily, if not exclusively, over civilian-owned and — operated networks. He asked what would happen if the companies that operate the networks that constitute the Internet refused to carry the signals that would deliver the cyber-counterattack (and, I assume, any subsequent attacks by either side to this almost-war). I don't think any of us had a clue.
I still don't . . . but I thought I'd use this post to raise the issue and throw out a few ideas as to how it MIGHT be resolved. As I analyze the issues, I'm making two assumptions, both of which I think are accurate: One is that a cyberwarfare attack would necessarily travel primarily, if not exclusively, over civilian networks; the other is that the operators of those networks can, at least at some point, identify traffic as "war" traffic, as opposed to the "not-war" traffic they usually carry.
If those assumptions are, in fact, valid, then it seems the civilians who own and operate the constituent networks that create the Internet can, in effect, exercise a veto over cyberwarfare . . . or at least aspects of cyberwarfare. In the scenario that was implicit in the discussion I noted above, the operators of civilian networks could exercise their veto to prevent the attacked state from launching retaliatory cyberattacks and, I assume, to stop the attacking state from launching further offensive cyberattacks. In this scenario, the network operators are essentially neutral. They probably don't have to be, which means there's another, more unsettling scenario: The civilians who operate the networks could choose sides; so they might allow the signals being used in the attacking state's cyberattacks and prevent the defending state from launching its own counterattacks.
I, however, want to focus on the general issue: In the cyberwarfare context, it seems civilians have the capacity to control the battlefield or, perhaps more accurately, to control whether there will be a battlefield. I can't think of any historical instances in which civilians had the ability to exercise a veto power over nation-states' ability to carry out acts of war.
When the gentleman raised the issue of network operators' deciding not to facilitate cyberwarfare, the first thing I thought of was nationalization, as in nationalizing the networks. That led me to think about whether the U.S. government has ever had to do anything similar . . . and that led me to the United States Railroad Administration. As you may know (I didn't), President Wilson nationalized the railroads in 1917, after we declared war on Germany:
By proclamation dated December 26, 1917, the President of the United States, acting under the powers conferred on him by the Constitution and laws of the United States, by joint resolution of the Senate and House of Representatives, bearing dates of April 6 and December 7, 1917, . . . (said resolutions being respectively the resolutions declaring that a state of war existed between the United States and Germany, and between the United States and Austria-Hungary), and particularly under the powers conferred by section (1) of the act of Congress approved August 29, 1916, entitled 'An Act Making appropriations for the support of the Army for the fiscal year ending June thirtieth, nineteen hundred and seventeen, and for other purposes,' took . , , assumed control . . . as of December 31, 1917, of . . . railroads. . . .The principal railroads in the United States were so taken over, and a central and administrative board was. . .set up and known as the United States Railroad Administration, at the head of which was an officer appointed by the President, and known as the Director General of Railroads.
Chicago & North Western Railway Co. v. Commissioner of Internal Revenue, 22 B.T.A. 1407, 1931 WL 473 (U.S. Board of Tax Appeals 1931).
As Wikipedia explains, once the U.S. entered World War I in April, 1917, "the nation's railroads proved inadequate to the task of serving the nation's war efforts." Many of the companies were in bankruptcy, others were suffering financial difficulties because of the inflation that had "struck the American economy", the unions were threatening to strike and despite the railroad companies attempt to "join forces and coordinate their efforts [to] help the war effort", they failed. Wikipedia, supra.
In December 1917, the Interstate Commerce Commission "recommended federal control of the railroad industry" to improve its effectiveness and the President nationalized the railroads later that month. On March 21, 1918, the Railway Administration Act went into effect; among other things, it "guaranteed the return of the railroads to their former owners with 21 months of a peace treaty". Wikipedia, supra. On March 1, 1920, the "railroads were handed back to their original owners and the" United States Railroad Administration was shut down. Wikipedia, supra.
There is, then, U.S. precedent for taking over companies that provide services which constitute part of what we now call the country's critical infrastructure. Since no one seems to have challenged President Wilson's nationalizing the railroads, the Act that authorized his doing so is (was) at least presumptively valid. My point is that what President Wilson did with the railroads COULD provide a precedent for a contemporary President's nationalizing the networks that constitute, or contribute to the constitution of, the Internet. In this post, I'm not concerned with how viable it would be to do that in practice; I'm simply focusing on the legal issues that might be involved in an effort to do that, assuming it was practicable.
As Devil's advocate, I see certain differences between President Wilson's nationalizing the railroads and the hypothetical scenario in which a contemporary President somehow manages to nationalize the networks that create and sustain cyberspace. One lies in the justification for nationalization: President Wilson nationalized the railroads to improve their performance as a coordinated transportation system, the benefits of which would accrues to civilians as well as to the military; if a modern President nationalized the networks under the scenario(s) I outlined above, he/she would be nationalizing them to alter their performance, to shift their function from serving purely civilian ends to serving civilian and military ends.
In other words, I see nationalizing the networks as having a much more dramatic effect on the functioning of the networks than I suspect President Wilson's nationalizing the railroads did on the functioning of the railroads. Nationalizing the railroads was intended to improve their ability to efficiently transport military personnel and equipment within the territorial United States. Nationalizing the railroads in no way altered their function so that they became, at least to some extent, an implement of war. Their role was simply to support the military by transporting the men and material it needed to wage war outside the territorial boundaries of the United States.
That brings me to another, related difference I see between the railroad and network nationalization scenarios: Nationalizing the railroads did not transform them from purely civilian entities into civilian/military entities. Nationalizing the networks would, I think, transform them into civilian/military entities or even into a component of the military. It seems to me that nationalizing the networks so they can carry defensive and offensive cyberwarfare traffic is analogous to nationalizing the airlines so Boeing 777s and 747s can drop bombs on the enemy.
I'm not saying nationalizing of the networks isn't an option under the law, as it exists now or as it could exist. As far as law is concerned, I think nationalization of the networks clearly is an option. At this point, though, I'm not convinced it's a practicable option nor am I convinced it would be a particularly advisable one.
But, as always, I could be wrong. I've just started thinking about these issues, so I may change my mind as I get further into them.
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»