DATA DUPLICATION VILLAGE - A Beginner's Guide to Musical Scales of Cyberwar
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Serientitel | ||
| Anzahl der Teile | 322 | |
| Autor | ||
| Lizenz | CC-Namensnennung 3.0 Unported: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/39880 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
DEF CON 26100 / 322
18
27
28
40
130
134
164
173
177
178
184
190
192
202
203
218
219
224
231
233
234
235
237
249
252
255
268
274
287
289
290
295
297
298
299
302
306
309
312
315
316
00:00
MaßstabFormation <Mathematik>Elektronischer ProgrammführerNormierter RaumTrägheitsmomentFormale SpracheGesetz <Physik>BitGrundraumSchedulingSpeicherabzugTermZahlenbereichZentrische StreckungVersionsverwaltungCoxeter-GruppeCyberspaceWinkelverteilungFormation <Mathematik>PunktDomain-NameCybersexAnalogieschlussTabelleData MiningComputeranimation
01:51
CybersexGruppoidObjekt <Kategorie>SpeicherabzugInformationSoftwareProgrammierungExpertensystemDatenverarbeitungssystemPhysikalischer EffektGesetz <Physik>BildschirmmaskeErwartungswertGruppenoperationPhysikalismusBildverstehenNichtlinearer OperatorPunktspektrumCyberspaceDatenfeldPunktRichtungEinfügungsdämpfungSoundverarbeitungObjekt <Kategorie>MultiplikationsoperatorCybersexSchlussregelSoftwareentwicklerAnalytische FortsetzungFormation <Mathematik>NeuroinformatikWeb log
04:25
Operations ResearchCyberspaceQuellcodeCybersexSpeicherabzugInformationRechnernetzSystemprogrammierungProzess <Informatik>Domain <Netzwerk>AutorisierungInformationSoftwareAnalogieschlussAggregatzustandGarbentheorieGasströmungLeistung <Physik>ZeitzoneFlächeninhaltNichtlinearer OperatorFormation <Mathematik>SoundverarbeitungCybersexRechnernetzComputeranimation
05:27
AggregatzustandCodeWärmeleitfähigkeitMetropolitan area networkRechter WinkelSchnelltaste
06:01
SchnittmengeOktave <Mathematik>EntscheidungstheorieAuflösung <Mathematik>CybersexProtokoll <Datenverarbeitungssystem>KraftRechter WinkelRelation <Informatik>Konsistenz <Informatik>Stochastische AbhängigkeitQuellcodeComputersicherheitKatastrophentheorieNatürliche ZahlDeskriptive StatistikInzidenzalgebraPhasenumwandlungAusdruck <Logik>Gesetz <Physik>AnalogieschlussAggregatzustandBildschirmmaskeEnergieerhaltungForcingIndexberechnungLateinisches QuadratPhysikalische TheorieZentrische StreckungFlächeninhaltAutomatische HandlungsplanungNichtlinearer OperatorBasis <Mathematik>CASE <Informatik>CyberspaceOrdnungsbegriffFormation <Mathematik>Gemeinsamer SpeicherPunktSchnittmengeEin-AusgabeSystemzusammenbruchEinfügungsdämpfungSoundverarbeitungSchnelltasteEreignishorizontOktave <Mathematik>Rechter WinkelGamecontrollerThumbnailCybersexComputeranimation
09:54
Basis <Mathematik>Auflösung <Mathematik>Protokoll <Datenverarbeitungssystem>SchnittmengeOktave <Mathematik>EntscheidungstheorieCybersexMassestromSmith-DiagrammGravitationsgesetzExistenzsatzUnabhängige MengeAnalysisHackerTypentheorieMAPPhasenumwandlungGrenzschichtablösungKonfiguration <Informatik>Gesetz <Physik>AggregatzustandBildschirmmaskeForcingLeistung <Physik>TeilbarkeitExogene VariableBasis <Mathematik>CyberspaceATMPunktVarietät <Mathematik>Eigentliche AbbildungSichtenkonzeptSchwellwertverfahrenARM <Computerarchitektur>Auflösung <Mathematik>MultiplikationsoperatorCybersexCliquenweiteZentrische StreckungZweiComputeranimation
12:37
SchnittmengeOktave <Mathematik>CyberspaceAnalysisAttributierte GrammatikEntscheidungstheorieGesetz <Physik>AggregatzustandBeweistheorieForcingKomplex <Algebra>Zentrische StreckungDatensichtgerätVersionsverwaltungSpannweite <Stochastik>DissipationWort <Informatik>SchnelltasteDifferenteARM <Computerarchitektur>StandardabweichungMusterspracheLie-GruppeComputeranimation
14:03
Perfekte GruppeAttributierte GrammatikVarietät <Mathematik>Konstruktor <Informatik>InformationPetri-NetzSelbst organisierendes SystemTypentheorieEchtzeitsystemAggregatzustandAuswahlaxiomIdeal <Mathematik>Physikalisches SystemTermNichtlinearer OperatorPerfekte GruppeNetzadresseFramework <Informatik>SchnelltasteIn-System-ProgrammierungDifferenteFahne <Mathematik>MultiplikationsoperatorMessage-PassingDigitalisierungInternetworkingExistenzsatzProtokoll <Datenverarbeitungssystem>Trennschärfe <Statistik>Computeranimation
16:09
SchnittmengeOktave <Mathematik>CyberspaceOrdnung <Mathematik>ModallogikMAPGesetz <Physik>AggregatzustandArithmetisches MittelForcingGruppenoperationPhysikalische TheoriePhysikalisches SystemExogene VariableCyberspaceARM <Computerarchitektur>Auflösung <Mathematik>SoftwareschwachstelleComputeranimation
17:42
EinsAnalysisMAPProgrammierumgebungAggregatzustandBildschirmmaskeGasströmungGruppenoperationHill-DifferentialgleichungZentrische StreckungFlächeninhaltVersionsverwaltungExogene VariableSpannweite <Stochastik>Nichtlinearer OperatorStrategisches SpielComputersicherheitAdditionSoundverarbeitungOktave <Mathematik>MalwareARM <Computerarchitektur>Proxy ServerCybersexDoS-AttackeGamecontrollerSoftwareentwicklerLeistungsbewertungComputeranimation
20:07
AggregatzustandGruppenoperationSpannweite <Stochastik>GruppoidSystemprogrammierungCybersexMAPGesetz <Physik>AggregatzustandPhysikalisches SystemZentrische StreckungNichtlinearer OperatorCybersexKoroutine
20:48
KraftNichtlineares GleichungssystemCyberspaceCybersexÄquivalenzklasseSystemaufrufFormation <Mathematik>Computeranimation
21:49
ZeitzoneDimensionsanalyseAggregatzustandForcingCybersexOffice-PaketGesetz <Physik>LochkarteAnalogieschlussTermZeitzoneCyberspaceComputeranimation
22:42
ZeitzoneQuellcodeOperations ResearchMaßstabCASE <Informatik>RechnernetzE-MailCybersexInformationKonsistenz <Informatik>InformationOrdnung <Mathematik>SoftwareIntegralAggregatzustandLeckLeistung <Physik>MaßerweiterungMereologiePhysikalisches SystemZeitzoneZentrische StreckungE-MailVersionsverwaltungSystemprogrammExogene VariableNichtlinearer OperatorCASE <Informatik>Strategisches SpielCoxeter-GruppeVerkehrsinformationVerzweigungspunktObjekt <Kategorie>CybersexMehrrechnersystemMAPDienst <Informatik>Computeranimation
25:26
Lokales MinimumDatenstrukturFormale SpracheInformationKinematikPerspektiveExpertensystemTypentheorieGebäude <Mathematik>MAPKategorie <Mathematik>IntegralGesetz <Physik>AnalogieschlussAggregatzustandArithmetisches MittelBildschirmmaskeGrundraumGruppenoperationPhysikalische TheoriePhysikalisches SystemPhysikalismusRechenschieberResultanteTabelleVisualisierungZahlenbereichZeitzoneZentrische StreckungFlächeninhaltVersionsverwaltungStochastische AbhängigkeitNichtlinearer OperatorGewicht <Ausgleichsrechnung>NormalvektorCoxeter-GruppeCyberspaceLuenberger-BeobachterFormation <Mathematik>DistributionenraumPunktWort <Informatik>EinfügungsdämpfungBefehl <Informatik>SoundverarbeitungSchnelltasteSchwellwertverfahrenElektronischer ProgrammführerMultiplikationsoperatorCybersexStandardabweichungRechter WinkelSoftwareentwicklerDatensatzUltraschallEinfach zusammenhängender RaumExogene VariableAutomatische HandlungsplanungWeb-Seite
Transkript: Englisch(automatisch erzeugt)
00:00
So without any further ado, this is talk number two today. We have two more talks tomorrow. I'd like to introduce Zana. She's going to take care of our musical scales of cyberwarfare. Take it away. Welcome. My name is Zana, and I'd like to thank the Data Duplication Village for this opportunity to share my research with you on the law of war in cyberspace. But more importantly, I'd like to thank you for taking time out of your schedule today
00:23
from DEFCON to share that with me to learn about the musical scales of cyber warfare. So whether your background is in law, technology, policy, or academia, this is a beginner's guide to understanding the basic legal principles that drive cyber international conflict.
00:42
Now you might be wondering, why did she use a music analogy? Well, the American poet Longfellow wrote that music is the universal language of mankind. So by using that analogy here, I hope to engage a broader cross section of the community to discuss these issues. By bringing more participants, more cyber stakeholders to the table,
01:03
we can better strategize how to mitigate conflict in this domain and strategize for peace. Now, if you do have a basic understanding of how to play the piano, you will be at a slight advantage. But if you don't, that's perfectly fine. Not only will you walk away from this presentation with an understanding of the basic principles of war, but also a little bit on
01:25
how to play the piano. So only at DEFCON would you get both of those. In terms of my research work on this, I compiled this while working as a postdoctoral fellow at the Harvard Kennedy School Belfer Center cybersecurity project. This presentation will also draw upon my research work,
01:43
which I published with the Houston Law Review online. So with the preliminaries out of the way, let's dig in. Core terminology. Now the main takeaway point developed by a group of
02:17
government experts internationally offers under Rule 30 the following definition.
02:23
A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects. So what do we have here in this definition? We have the loss of human life and then some form of physical damage.
02:43
But what about data? I mean, this talk after all is for the data duplication village, it would seem remiss to not at least mention harm to this form. Other scholars have advocated for less of a preoccupation with direct physical effects and the broadening of that harm spectrum to include data. Specifically, Professor Matthew Waxman at Columbia Law University
03:06
had the following to say. He said that a cyber attack should include the effort to alter, disrupt, or destroy computer systems, networks, information, or programs on them. But to present to you the other side of the debate, there are others saying,
03:21
time out here. The problem isn't that we don't have an international legal definition of what is a cyber attack. The real problem is that we don't have a consensus on what misconduct in cyberspace needs to be stopped. And I'd like to read to you some comments from Senator Mark Warner that he offered several months ago at the National Security Agency's Law
03:44
Day, which are available on Lawfare's blog. Senator Warner bemoaned the lack of clarity on what cyber activities are tantamount to an attack. And he said that failing to articulate a clear policy and to set expectations about when and where we will respond
04:03
to a cyber attack isn't just bad policy, it's downright dangerous. So I highlight to you these different definitions, these different visions on what a cyber attack should be defined as to underscore the point that this field is very much still in development. And I commend you for taking the time today to learn the basic principles.
04:23
It'll be worth your time. Next up, cyber operations. Continuing with the music analogy, consider a cyber operation as one instrument in a grand symphony orchestra of power. The maestro, take your pick of a state actor or a non-state actor, cues the cyber section,
04:44
sometimes in conjunction with other sections to produce the right pitch. And that can be a political effect, a social effect, military effect, economic, it works together. Now the US Department of Defense categorizes cyber operations in three areas. There's offensive
05:03
cyber operations, which are about projecting power to your adversary. Then there's defensive cyber operations, which is about protecting data, networks, the information on them. Last but not least, you have Department of Defense information network operations. Now, if you're wondering how gray zones fit into this, hold on, we will get to that area.
05:24
It is very exciting. More to come on that. The US Supreme Court Justice Oliver Wendell Holmes Jr remarked that the right to swing my fist ends where the other man's nose begins. Now, apart from sounding like a code of conduct for an 18th century gentleman's fight club,
05:44
this is actually, and with that, we can finally turn to our first note on the piano keyboard.
06:07
We have middle C. So just as your first point when you're learning how to play a song on the piano, you place your thumb on middle C. Similarly here, your first starting point, the United Nations charter and customary international law. So I'll be building upon that
06:22
analogy. Now, I'm going to be caters or formula on what is a cyber attack,
07:24
correction please, on what is the use of force. We do have some clarity. We have some common examples, and I'd like to read to you Harold Koh's description of those three examples. He was a former legal advisor to the US State Department. Mr. Koh said that the following
07:41
constitutes a use of force in cyberspace. One, operations that trigger a nuclear plant meltdown. Two, operations that open a dam above a populated area causing destruction. And three, operations that disable air traffic control resulting in plane crashes. So what do these three examples share
08:04
in common? Will they all reference some form of loss of human life or catastrophic damage? Next, turning to the right of self-defense, how do we define an armed attack in this situation? Well, we need to turn to our first case law, which was decided in 1986 by the
08:23
International Court of Justice. It was a case called Nicaragua versus the United States. While the International Court of Justice did not explicitly define an armed attack, it did describe the general nature as the following. Acts which can be treated as constituting armed attacks. Specifically, if such operations because of its scale and effects,
08:45
those are the keywords and we'll be echoing them throughout this presentation. Because of its scale and effects would have been classified as an armed attack rather than as a mere frontier incident had it been carried out by regular armed forces. Thus,
09:01
the scale and effects of an operation are requisite inputs for evaluating an armed attack, which in turn provides the legal basis for the victim state to respond under Article 51. One point I'd like to highlight before we go any farther on the musical scale is that just like in music theory, you have a treble clef and a bass clef playing piano,
09:23
notes that guide the player on what notes to play. Here, we have two different legal regimes. We have the use ad bellum and the use and bello. Now, for those of you that are frightened by the Latin phrases, you could think of it as use one, that is the preliminary phase,
09:40
the right leading up to war. Then there's a triggering event and then we have the use and bello, the law governing how war is carried out. You can think of it as use two. With that, we are ready to move on to our first scale, octave set one, which is how states evaluate an armed response to an aggressive act in cyberspace. Step one, the victim state
10:05
needs to evaluate what type of harm was produced. Here, we have the de minimis damage or injury threshold. How I like to conceptualize it, which might be helpful for you, when I see de minimis damage or when I hear armed attack, I think high level destruction. It's an easy way just
10:23
to cut to the wick. Here, did the state suffer a de minimis damage high level destruction in the form of a cyber attack? Now, that analysis is going to take in a variety of factors. We're going to look at the time, place, manner, surrounding circumstances, and not all of it will be known at the time of the attack, so it is a flexible analysis.
10:44
But assuming that we have an act that does rise to that level of being an armed attack, next step, we need to be able to identify the proper legal basis under international law to respond with force. Now, if the US is performing this analysis, we also need to ground
11:01
it in domestic law, such as the War Powers Resolution Act. Now, one point I'd like to highlight here is that the majority view in international community, which is beautifully summarized by Michael Schmidt, who's a professor at the Naval War College, said that all
11:22
armed attacks are uses of force, but not all uses of force are armed attacks. The US, however, does not subscribe to this view. In the use ad bellum, the preliminary phase, we equate a use of force with an armed attack. So, with that said, if the state has
11:45
determined that there is not enough damage to rise to that level of being an armed attack, what are their options then? Well, they have two modes of recourse. They can appeal to the United Nations Security Council under Article 39, and they can employ non-forceable countermeasures.
12:04
And what I mean by that is economic sanctions, diplomatic efforts, and also legal sanctions. And we've seen this in practice. In January 2017, the US Department of Justice issued indictments against several Iranian hawkers for engaging in impermissible cyber activities
12:22
with ties imputed to the state. And also, we saw the Department of Justice issue sanctions and indictments against China, several Chinese hackers for engaging in commercial economic espionage. With that, we can move on to our second scale of anticipatory self-defense.
12:41
So, this scale in yellow, you'll notice a pattern that will be going out on the keyboard. Here, this scale displays the range of permissible activity when a state is evaluating how to respond anticipatory. Now, the US Army Law of Armed Conflict Desk Book defines it as follows. Its force that's justified anticipation of an imminent attack,
13:05
an imminent, that is the key word here to emphasize. The difference between a permissible act of anticipatory self-defense and an impermissible act of preventative self-defense lies in the state's ability to demonstrate a decision by the aggressor state to attack it.
13:25
For anticipatory self-defense to be lawful, there is a high standard of proof. And rightly so. This requirement goes beyond merely proffering evidence of a state's hostile intent, but also evidence of some pending attack. So, there's a temporal requirement there that
13:40
needs to be met. To that end, the complexities of pairing evidentiary standards with attribution in reality makes this a difficult analysis for the state to do in a timely manner when faced with an imminent attack. So, I will need to pivot here to discuss attribution. While this could be a talk in and of itself, there's a misconception that I'd like to clear up.
14:04
Attribution is not a plain vanilla construct. In fact, it comes in a variety of flavors. Now, these flavors, these frameworks, if you will, were developed by four different attribution
14:25
frameworks. And the reason why I'm taking the time to go over these is that the next time you hear the term bandied about, I want you to critically think about what type of attribution framework that speaker is referring to. Let's start with perfect attribution. Now,
14:40
in this type of system, the attribution challenge doesn't exist. Attributes of the sender and recipient are known to both in a timely fashion and at little cost to the investigating party. So, in this type of world, we can imagine a surveillance state being happy with this type of outcome and whistleblowers and activists being at a disadvantage because everything is knowable
15:03
in real time. Perfect non-attribution turning to the second one. It's the complete opposite of the first one. Here, we can imagine the whistleblowers and activists will be happy because they have the perfect non-attribution, the protections of anonymity, the surveillance state not being happy with that outcome. Third, perfect selective attribution. Here,
15:25
the actor wants attributes known to some entities, but not to others. So, there's a freedom of choice here that is key to the third system. And in this system, you can disclose to your intended party, your name, organization, your internet protocol address,
15:43
and also your ISP. Fourth, you have false attribution. This would be the ideal petri dish for waging false flag operations. So, here, it's overpopulated with digital straw men, or you can determine some attributes of the message or the actor, but can you really trust
16:01
it? Can you really go off on that information to be true? So, having highlighted those attribution frameworks, we're going to turn back to our keyboard and have an example of how this would work in theory. So, imagine, if you will, innocuous state i's electrical grid was attacked
16:24
by nefarious state n and accurately attributed to state n. Now, in order for state i to be entitled to a use of force against state n under international law, there are three requirements that must be met. So, let's take these in turn. One, the victim state's opponent must have decided
16:43
to actually exploit that system's vulnerabilities. Two, the strike is likely to generate consequences at the armed attack level. And three, the victim state must immediately act to defend itself, unless all three of these requirements are met, then state i's response would not be restricted to
17:04
only non-forceful responses, such as economic sanctions or legal action. Also, any act to defend yourself in cyberspace, if you are a state, has to be grounded in two principles of necessity and proportionality. Proportionality being that you can't escalate the amount of
17:23
force to counter that threat or that attack. And then you have necessity, which is doing your due diligence to ensure that you've exhausted all other peaceful means of resolution in order to protect yourself in cyberspace, to protect your state.
17:42
All right, with that, we're moving to octave set three. Now, this is the most difficult one to explain, and I'll explain why because it involves the doctrine of state responsibility. So with this, let's charge the hill. It does get easier from here. Now, this orange octave labeled here, this demonstrates the range of state action that may be somewhat purposeful.
18:05
And the reason why I'm emphasizing it and saying it like that is that the surrounding circumstances will, including the scale and effects of the operation and the legal status of the aggressor, will influence how the victim state can respond. And here are the range
18:21
of qualifying hostile cyber activity can range from writing and executing malicious code, launching a distributed denial of service attack, providing malware or other cyber tools to party of the conflict. And the state's analysis is further complicated when there are cyber proxy actors involved. In addition to that, that group might be clandestinely
18:44
receiving the financial support or other forms of support from a state entity. Now, turning to the doctrine of state responsibility, the 2018 U.S. Department of Defense's National Defense Strategy Summary makes clear that states are the principal actors
19:03
on the international stage. However, non-state actors also threaten the security environments with increasingly sophisticated capabilities. So here, armed attacks from non-state actors, how would a state evaluate that? Well, ultimately, the legal analysis hinges on the doctrine of
19:23
state responsibility and the International Court of Justice's analysis and recommendation has been to evaluate whether an armed attack, think high-level destruction, waged by a non-state actor can ultimately be imputed back to the state. Thus, if the state has effective control
19:43
over the cyber operation waged by a non-state actor, then responsibility can be imputed back. This is a flexible area that's still undergoing development. It's one of the most difficult to explain on the scale, but with some knowledge of how the doctrine of state responsibility operates, hopefully that provides us with a good groundwork to evaluate this
20:05
going forward. Last but not least, we have our final scale here. These are musical notes that you cannot play on the scale that you will not play. Preventative self-dispense employed to counter non-imminent threats is illegal under international law. You also have acts that don't
20:25
amount to high-level disruption and what Professor Gary Solis at Georgetown University Law Center has classified as cyber intrusions. It's a cyber operation short of an attack into another state's cyber systems. You can think of routine intelligence gathering, cyber theft, activities
20:44
that don't amount to the level of an armed attack. So putting this all together, you might
21:51
ask, that's all fine and well, but what if a state cyber punch doesn't amount to a use of force? Well, I'm no Rod Serling. I would say, we've entered into a fifth dimension, an
22:08
ahead. Again, I'm no Rod Serling. It's amazing what you learn in law school though. Okay, so I like to use this analogy of the twilight zone to help highlight the ambiguity
22:22
between the amorphous ground between peace and war, where you have an act in cyberspace that doesn't amount to a cyber punch in the face. It's not high-level destruction, but it's still disruptive. It's not intrusion, so it's that amorphous middle ground between the two. You might've heard the term gray zone or gray zone tactics. Now in 2015,
22:45
US army special operations commander Joseph Attell testified before the house armed services committee talking about gray zone tactics, describing them as tactics that actors leverage as part of a strategy campaign that seeks to secure their objectives while minimizing the scope
23:02
and scale. It's pretty brilliant when you come to think about it, where it doesn't toll that level of going past its minimus damage. However, it's still disruptive and it can still deal a blow to your opponent. Now, some case examples of this in 2014,
23:22
we're all very familiar with North Korea's intrusion into the networks of Sony Pictures Entertainment. Here are the perpetrators deleted critical information to the extent that it irreparably damaged some of Sony's infrastructure. And indeed the 2015 US Department of Defense's cyber strategy report references this Sony hack as an example of the political utility
23:45
of cyber operations. This case demonstrates how cyber operations can present an opportunity for revisionist state actors to challenge the geopolitical status quo. You can affect your opponent's psyche, you can deliver that blow with a relatively low risk of retribution and
24:04
financial cost. Another more recent example involves the July 2016 email leaks from the US Democratic National Committee and Russia's involvement in undermining the integrity of the 2016 US presidential election and disinformation campaigns. So what is the future of twilight zone
24:25
conflicts? Ultimately states that employ great tactics in cyber operations, you don't need to be successful in actually infiltrating the system in order to further your revisionist ambitions. Rather the sheer ramifications from the cyber act in and of itself has the power to disturb the
24:45
nation's psyche and to grab that international spotlight and attention to challenge the geopolitical status quo that you are a power to be listened to and reckoned with. Going forward a significant challenge for the United States and for other countries is how to develop tactics that can counter gray zone tactics. It's one that
25:07
we won't reach the answer to in this presentation but we've seen the United States at least respond by pursuing economic sanctions, legal indictments and other diplomatic efforts to damper gray zone tactics. But again it's one that is ongoing. Now
25:27
this is the visual summary of consequences to those actions and going back to Longfellow's
26:41
words that music is the universal language of mankind here it is the hope in this presentation by drawing on this analogy that a piece of it resonates with you and that by endeavoring to understand the basic principles of law through music we can collectively strategize for peace and also may the euphonious sound of peace always appeal to our ears. So I thank you for
27:05
your attention today. I have a handout on this musical piano legal guide that I will be distributing. I understand also that I am the last speaker of the day and I stand between you and a lovely dinner in Vegas which is quite dangerous. So by all means if you need to leave
27:20
I understand. If you have questions you're more than welcome to stay as well and I'll be passing out these handouts. Thank you for your attention. That's true. Sure. So the question
28:37
asked by the gentleman in blue was the the minimus damage threshold standard that we have
28:45
that there must be some high level form of destruction. Does that harm us? I'm capturing your question right. Does that harm us when we have an attack that is equally disruptive but you don't have a loss of human life or a physical structure wasn't damaged but you have the
29:00
degradation of data and it goes back to the the second slide that I had up there that the that the definition that currently carries weight is that it has to be tied to a loss of human life or physical kinetic effects and I agree with you that that type of notion of trying to shoe more kinetic damage into this new medium of warfare is harmful. We can see how that
29:29
scenario that you gave where attack on Wall Street would produce very harmful effects and while it doesn't result in the loss of human life it does have this cascading effect that can spill over into other sectors. I wouldn't be surprised if those areas of the US's
29:47
structures would be classified as protected critical infrastructure so that if attack were made upon that that signals that this was protected you attacked it now we will respond
30:01
in a time place and manner of our choosing. It wouldn't necessarily be confined to cyber but the US would respond to protect its critical infrastructure and in 2017 then DHS Secretary Jay Johnson classified election systems as critical infrastructure to signal to the international community. Thank you for your question. Thank you so that is an excellent
31:05
point and the piece on sovereignty the gentleman had asked what about acts in cyberspace that undermine political sovereignty or the the integrity or political independence of that state
31:23
and I think that's an excellent point that you've raised in article 2-4 could be a strong point to underscore that and granted this is all very flexible and still in development but that perspective needs to be heard. Thank you yes yeah very dynamic when I was conducting this
32:07
research the idea of gray zone tactics I hadn't considered when I first developed the the cyber scale so that's why I in now 2018 I tacked it on as a separate slide to describe
32:20
how this keyboard is still flexible to envelop that but also highlight that there's no international legal definition on what is a cyber attack and here we've kind of teased out the difficulties referencing what about cyber acts that undermine political sovereignty true there's no loss of human life there isn't high level destruction but it's still disruptive so how how can the
32:44
law be developed to embrace that unfortunately the law is very well I guess it's a mixed blessing actually the law is very slow and evolving to adapt to the pace of technology and that's your questions today that is why I developed this presentation so we can have that type
33:02
of dialogue because it's not being had here so this is this is perfect that we're we're each seeing a different piece of the elephant here and developing a legal definition or some other cyber doctrine that can account for these nuances but still be breathable to absorb new developments that's the goal so thank you yes not commenting politically on the statement
34:35
that you've raised I'd like to highlight a general principle that this is from Madeline
34:42
Albright in her book the mighty and the all the mighty and the almighty and she reasons that while countries often do take action outside the UN guidelines which you just raised despite such violations the standards in the charter remain relevant and she reasons that just as laws against murder remain relevant even though murderers are thank you so I understand
35:30
your question correctly you're asking about would psychological operations fallen yes so psychological operations would fall into gray zone so gray zone tactics subversion sabotage
35:41
economic coercion information warfare psychological operations yes that does fall into that category
36:55
thank you for that observation the observation that the gentleman made was that there's a group of international governmental experts that created the talon manual there's actually two is talon
37:05
manual point one and then point two the first one talking about cyber conflict in a war setting he had raised that while it's international you don't have participation from all international participation from all members of the international community all members of the united nation
37:24
charter how to bring them to the table I don't know it's too bad that we can't have participation from from everyone you can from a liberalist standpoint international theory we want to buy in from all countries to
37:43
develop these norms that will guide us towards peace but in reality if some players don't want to participate in this type of reform thinking that well if I do that I have more to lose potentially speaking hypothetically I don't know how you rebut this rebut that other than with facts and with a large number of states coming together hopefully there's a
38:09
this type of a dialogue and definition creation that's the first that I've heard of it so
38:51
it sounds like one fact Chinese faction decided to break off and develop their their own discussion on cyber norm building interesting we'll see what comes of that and you know one would
39:05
hope that in the spirit of international cooperation that when you have these states come together that they would stay committed to trying to develop some consensus I suppose it's inevitable that some groups will form off and create factions but thank you for for raising that
39:23
if there are no further questions again thank you all for your time I appreciate it