Various treaties could potentially be used in order to regulate the use of cyber attacks, but certainly none of them could serve as a satisfactory model for an International Cyber War Treaty, covering all the problematic spots and guarantying global consensus.
Instead, a multilateral treaty governing cyber security and regulating the use of information warfare would eliminate many of the existent problems and would set an internationally accepted legal framework, which could serve as a deterrent to those who would not hesitate to wage cyber attacks, as they are currently in a legal void.
International Law for Information Operations
Hollis presents an interesting idea, that one or more individual nation-states should produce something like a modern Lieber Code, thus slowly creating an international law for information operations, which he terms as ILIO. Which states, however, should be the ones to draft such a regime? The more vulnerable, already technologically advanced, which find it beneficial to completely ban information operations?
International Convention to Regulate the Use of Information Systems in Armed Conflict
In 2006, Davis Brown drafted ‘A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict’, inviting states to
‘consider this draft as a point of departure for adopting a comprehensive and meaningful standard of conduct for information warfare’.
In his proposal, Brown tabulates a detailed set of rules pertaining to rules of warfare, rights of states not party to an armed conflict and enforcement. It is very interesting that Brown suggests the International Court of Justice as a forum for the states to submit disputes and claims arising under his ‘Convention’.
International Criminal Court jurisdiction for Information Operations
Shulman proposes an international legal convention guiding the conduct of information operations, suggesting that
‘rather than creating new rules, the convention would work best if it codified customary international law and applied some of the facts to the existing constraints on warfare’.
Shulman proposes that such a convention confer jurisdiction upon the International Criminal Court under the war crimes clause.
However, vesting such a power to the ICC would create a series of problems, the most obvious being the very same problem that the ICC currently faces: difficulty of acceptance and recognition by all states.
Shulman proposes to overcome this problem in a rather peculiar way. According to him,
‘the proposed protocol does not contain a definition of an information operation. Instead of defining ‘military information operations’, the ICC (or an ad hoc judicial system) could built a body of case law that would allow for more flexible, fact- and context- sensitive interpretations much as has been done with crimes against humanity or the ‘just following orders’ defense. Should the day come when people can agree upon a definition, it could be added by judicial interpretation, in a dispute or in an advisory opinion.’
It is quite insipid to point out that the states who refuse to enter a regulatory regime due to a definition to which they are opposed, would not eventually be ‘lured’ to participate with the risky ‘bait’ of a future reach of a conclusion.
What should an international cyber war treaty regulate?
In any case, what should an international treaty regulate? When a recourse to ‘cyber force’ is permitted, what humanitarian rules should be respected during such an event, and finally, to impose a punishment mechanism for cases of a breach.
Who should impose the penalties and sanctions for the ‘disobedient’ states?
Shackelford suggests the creation of a Multinational Cyber Emergency Response Team (MCERT), to both investigate which nations are the perpetrators of cyber attacks, and to have a defensive expertise in order to respond fast when serious attacks occur.