The Department of Defense (DoD) official charged with integrating cyber activities across the department is no stranger to the international laws which govern the domain – he helped write them more than a decade ago.
Thomas Wingfield, a former law professor and a member of the drafting committee for the Tallinn Manual on the International Law applicable to Cyber Warfare, said this week that while some of the foundational international cyber laws are ones most countries can agree on, there is still plenty of work to do in expanding the body of law to further normalize international behavior in cyber space.
He separates cyber law into two categories – the “no-kidding law” and the “area of norms.”
“The position of the United States is that war crimes and crimes against humanity apply in cyber as they would apply anywhere else,” said Wingfield, deputy assistant secretary of defense for cyber policy at DoD. This is the kind of “no-kidding law” that Wingfield said “almost all countries follow, almost all of the time.”
“Beneath that level, we are trying to work with other countries to strengthen other norms that are more specific to cyber, below the level of armed conflict,” said Wingfield, speaking at the Defense One Tech Summit on June 18. He highlighted interference with computer emergency readiness teams and the targeting of civilian infrastructure in peace time as areas that need strengthening.
Another one of those areas is the targeting of the healthcare sector. The Geneva-based CyberPeace Institute, a non-governmental organization created in September 2019 that advocates for advancement of international law and norms in cyberspace, issued a call to end cyberattacks on the healthcare sector in late May.
Earlier that month, U.S. agencies issued a warning about the threat cyber actors affiliated with China pose to U.S. organizations conducting COVID-19-related research.
“We need to step back and start talking about international norms and standards,” said Sen. Angus King, Jr., I-Maine, on the same day as the warning. Sen. King co-chairs the Cyberspace Solarium Commission, a congressionally mandated group responsible for developing a national cyber strategy. The Commission has called for a National Cyber Director and a new cyber bureau at the Department of State, among other recommendations.
King called China “a long-range problem in cyberspace,” while Wingfield talked about his direct experience.
“The Russians and the Chinese had made a big effort to say that cyber is a law-free zone,” said Wingfield, of his work on the Tallinn Manual back in 2008 – the year after an alleged politically motivated Russian cyberattack on Estonia (who’s capital is Tallinn).
“Most of the countries that were represented when we put together the Tallinn Manual, we agreed pretty clearly on the existence of these principles,” said Wingfield. He said it was the “lesser area of norms, which are not rising to the level of treaty, law, or customary international law.” That is “where the development work really has to happen,” Wingfield said.