[defeated] Regulating Digital Warfare

[SherpDaWerp]

Global Disarmament | Significant | Co-authored by Greater Cesnica

The General Assembly;

Noting the proliferation of electronic attacks as an alternative to conventional warfare, capable of damaging nation-states’ critical infrastructure without great loss of life, and

Seeking to ensure that these attacks remain discriminate in their application,

Hereby:

1. Defines:
   
   1. "cyberattack" as any unauthorised disruption of a computer system where digital input is executed to destroy, deny service by, gain unauthorised access to, or otherwise compromise a computer system or related infrastructure, and
   2. "cyberwarfare" as any cyberattack or series of cyberattacks primarily made, sponsored, or encouraged by national, state, local or otherwise government-based actors;
2. Resolves that:
   
   1. member states must not conduct cyberwarfare on any legitimate medical institutions or civilian infrastructure,
      
   2. member states must not conduct cyberwarfare on any individual citizens of a nation, except where:
      
      1. the individual is a member of that nation’s military, or
      2. the individual is a member of that nation’s government or direct governmental staff, or
      3. the individual is actively involved in conducting attacks of any sort on the member state, its citizens, any of the member state's treatied allies, or any of the member state's treatied allies' citizens, or
      4. conducting cyberwarfare against that individual is absolutely necessary to prevent imminent loss of life, or
      5. conducting cyberwarfare against that individual constitutes enforcing extant WA legislation;
      and the information or infrastructure targeted by the member state's cyberwarfare is immediately relevant to the grounds for attacking that individual,
      
   3. member states must limit the damage caused by cyberwarfare they conduct, with the goal of limiting further cyberattacks or exploitation by opportunistic third parties, and
      
   4. member states must neither enable nor encourage non-compliant nations to conduct cyberwarfare.

[Tinhampton]

2b. member states must not conduct cyberwarfare on any individual citizens of a nation, except where:

1. the individual is a member of that nation’s military, or
2. the individual is a member of that nation’s government, or ...

Even if that military or government has not attacked (or is not apparently intent on attacking) that member state?

[SherpDaWerp]

"You'll forgive me for not being entirely on top of all current protections this body affords in physical war, but it strikes me as unlikely that the equivalent physical aggression - assassinating key figures in a nation's military or government - requires military conflict or a declaration of war beforehand. Indeed, I was unable to find any mention of war declarations or assassination in the archives, so if you're aware of a resolution, do tell."

"One would expect that nation-sponsored cyberattacks on important personnel would be treated in a similar manner to physical attacks of a similar nature - and a response, digital or otherwise, would be swift. I have, however, added clarification to 2-b-iii noting that an individual conducting cyberattacks on a member state's citizens provides just cause for a response."

[Tinhampton]

Alexander Smith, Tinhamptonian Delegate-Ambassador to the World Assembly: Resolution 2, on the Rights and Duties of WA States, proclaims that "WA Member States may engage in wars" for any or no reason - as the Umerian ambassador found out to his peril while trying to ban some of them a few months ago.

[SherpDaWerp]

"Wonderful, thank you for pointing that out; that said, I can't say it disagrees with my interpretation. I suppose one could construe cyberattacking citizens as 'fomenting civil strife' and thus subject to Rights and Duties' section 2 article 5, but the two are not necessarily equivalent."

[Morover]

Alexander Smith, Tinhamptonian Delegate-Ambassador to the World Assembly: Resolution 2, on the Rights and Duties of WA States, proclaims that "WA Member States may engage in wars" for any or no reason - as the Umerian ambassador found out to his peril while trying to ban some of them a few months ago.

However, the act in question also defines war as consensual, so that proclamation almost certainly holds little weight.

[SherpDaWerp]

I feel like it's been long enough that I can bump this.

[Hulldom]

This seems fine by me.

My two suggestions would maybe be to include "or cyberattacks" after "cyberwarfare" in 2(c) and "or commit cyberattacks" after "conduct cyberwarfare" in 2(a) and 2(d). Just being nitpicky about a single usage of "cyberattacks" though.

[Port Ames]

We support this draft in principle, and our comments are relatively minor. They are as follows:

i. the individual is a member of that nation’s military, or

Does this include members of the military such as reservists, who could be called up to serve and are members of the military? We believe, at the very-least, that the clause should be narrowed so as to only allow attacks on active-duty individuals. Even that, however, is not enough. I feel as though any resolution protecting most individuals from cyber-warfare should also protect low-level military service members. The average foot soldier should not have to deal with fending off a foreign power that wants to leak something embarrassing about them.

ii. the individual is a member of that nation’s government, or

This clause is over-broad for similar reasons. Public school teachers are members of the government. Some bureaucrat at the Department of Weights and Measures is a member of the government. The list goes on, but the point is that protection should be afforded to low-level government officials and bureaucrats.

the individual is actively involved in conducting cyberattacks on the member state or its citizens, or

Some notes on this:

• This clause should be expanded to all individuals engaged in attacks on the member state more generally. Member nations should be free to engage in cyberwarfare against terrorist networks for instance, even if these networks aren't engaged in cyber attacks.
  
  
• It should also be expanded to allow nations to conduct cyber operations on behalf of their treatied allies. Lower-income nations may not have the technological prowess to fight back against cyberwarfare conducted against them, but they may have allies able to help. The ally's hands shouldn't be tied in this circumstance.

[SherpDaWerp]

My two suggestions would maybe be to include "or cyberattacks" after "cyberwarfare" in 2(c) and "or commit cyberattacks" after "conduct cyberwarfare" in 2(a) and 2(d). Just being nitpicky about a single usage of "cyberattacks" though.

I'm not sure about that, purely because those clauses deal with member states, and if a member state commits a cyberattack then it is by definition, cyberwarfare. I understand your concerns about defining cyberattack with only one usage, though, so I've edited 2(c) to read "goal of limiting further cyberattacks and exploitation".

Public school teachers are members of the government. Some bureaucrat at the Department of Weights and Measures is a member of the government. The list goes on

I don't think this is the case. Bureaucrats, public school teachers, etc, are employees of the government, potentially part of the civil service, but I this doesn't mean they're members of the government. Unless a member state designs their civil service in such a way that every single bureaucrat is elected, this clause should restrict cyberattacks as intended. Such a restriction would be impossible to word in an effective manner, anyway, as different systems of government are commonplace.

I will, however, restrict cyberattacks on individuals to information related to their relevant employment. For instance, the average foot soldier should be exempt from "embarassing leaks" but not having their military credentials cracked.

This clause should be expanded to all individuals engaged in attacks on the member state more generally. Member nations should be free to engage in cyberwarfare against terrorist networks for instance, even if these networks aren't engaged in cyber attacks.

Agreed and edited. Although, this does re-raise the Hulldomian delegation's concerns that "cyberattack" is used only once.

It should also be expanded to allow nations to conduct cyber operations on behalf of their treatied allies. Lower-income nations may not have the technological prowess to fight back against cyberwarfare conducted against them, but they may have allies able to help. The ally's hands shouldn't be tied in this circumstance.

The resolution doesn't forbid any of this. Nations are allowed to engage in cyberwarfare against any of the permitted targets for any reason, which could easily include attacking nations on behalf of allies. The only hole there is 2(b)(iii), which I've edited to read "the member state, its citizens, the member states' treatied ally, or the treatied ally's citizens".

I also note that nations are permitted to enable their treatied allies to conduct cyberwarfare regardless, with the caveat that the ally must also be compliant with current GA legislation.

[Port Ames]

Thank you for these comments. I have a couple notes!

I don't think this is the case. Bureaucrats, public school teachers, etc, are employees of the government, potentially part of the civil service, but I this doesn't mean they're members of the government. Unless a member state designs their civil service in such a way that every single bureaucrat is elected, this clause should restrict cyberattacks as intended. Such a restriction would be impossible to word in an effective manner, anyway, as different systems of government are commonplace.

I will, however, restrict cyberattacks on individuals to information related to their relevant employment. For instance, the average foot soldier should be exempt from "embarassing leaks" but not having their military credentials cracked.

Being elected certainly doesn't equal being a member of the government. This is particularly true in autocratic countries. I think it couldn't hurt to clarify this clause to protect lower-level civil servants, in my view.

The resolution doesn't forbid any of this. Nations are allowed to engage in cyberwarfare against any of the permitted targets for any reason, which could easily include attacking nations on behalf of allies. The only hole there is 2(b)(iii), which I've edited to read "the member state, its citizens, the member states' treatied ally, or the treatied ally's citizens".

My concern was confined to 2b.iii. Thank you for the edit.

[SherpDaWerp]

I don't think this is the case. Bureaucrats, public school teachers, etc, are employees of the government, potentially part of the civil service, but I this doesn't mean they're members of the government. Unless a member state designs their civil service in such a way that every single bureaucrat is elected, this clause should restrict cyberattacks as intended. Such a restriction would be impossible to word in an effective manner, anyway, as different systems of government are commonplace.

I will, however, restrict cyberattacks on individuals to information related to their relevant employment. For instance, the average foot soldier should be exempt from "embarassing leaks" but not having their military credentials cracked.

Being elected certainly doesn't equal being a member of the government. This is particularly true in autocratic countries. I think it couldn't hurt to clarify this clause to protect lower-level civil servants, in my view.

No clarification I add could feasibly cover every scenario, every person, or every system of government across every nation in the multiverse. My co-author and I both think "member of government" is clear enough, although I welcome others' concerns or suggestions.

Note that immediately-employed governmental staff (the secretary to the Minister of Defense, for example) should ideally not be exempt from cyberwarfare either.

[SherpDaWerp]

"Ah. Ahem. I didn't forget about this, I promise!"

"Well, time to start wrapping this up for submission, I guess. Aside from feedback on proposal contents, I'm also interested in, firstly, who's toes I'm stepping on if I submit this soon-ish -- ideally no-one's -- and secondly, who doesn't get take kindly to quorum-campaign TGs -- I know 10KI doesn't like 'em, but I'm entirely unsure who else."

[Fachumonn]

"Ah. Ahem. I didn't forget about this, I promise!"

"Well, time to start wrapping this up for submission, I guess. Aside from feedback on proposal contents, I'm also interested in, firstly, who's toes I'm stepping on if I submit this soon-ish -- ideally no-one's -- and secondly, who doesn't get take kindly to quorum-campaign TGs -- I know 10KI doesn't like 'em, but I'm entirely unsure who else."

People who block them don't like them. So make sure you make it a campaign telegram. Otherwise the people who blocked them will get them and it will be considered spam. Other than that, youre fine. Just hit "this is a recruitment telegram, and select the drop down menu and hit "campaign".

[Hulldom]

Resolves that:

1. member states must not conduct cyberwarfare on any legitimate medical institutions or civilian infrastructure,
   
2. member states must not conduct cyberwarfare on any individual citizens of a nation, except where:
   
   1. the individual is a member of that nation’s military, or
   2. the individual is a member of that nation’s government or direct governmental staff, or
   3. the individual is actively involved in conducting attacks of any sort on the member state, its citizens, any of the member state's treatied allies, or any of the member state's treatied ally's citizens, or
   4. where conducting cyberwarfare against that individual is absolutely necessary to prevent imminent loss of life;

and the information or infrastructure targeted by the member state's cyberwarfare is immediately relevant to the grounds for attacking that individual,

Everything looks good, but I do question why the last bit outside of the last is outside of the list or why there's a "where" before "conducting" there.

[SherpDaWerp]

"Ah. Ahem. I didn't forget about this, I promise!"

"Well, time to start wrapping this up for submission, I guess. Aside from feedback on proposal contents, I'm also interested in, firstly, who's toes I'm stepping on if I submit this soon-ish -- ideally no-one's -- and secondly, who doesn't get take kindly to quorum-campaign TGs -- I know 10KI doesn't like 'em, but I'm entirely unsure who else."

People who block them don't like them. So make sure you make it a campaign telegram. Otherwise the people who blocked them will get them and it will be considered spam. Other than that, youre fine. Just hit "this is a recruitment telegram, and select the drop down menu and hit "campaign".

"Ah, I see. It seems a fair few of the missives I receive these days are stamped with Do Not Deliver to various delegates from around the world, so I was curious whether they ignore, block, or simply don't like receiving them. Blocking would of course be the best option, but I can imagine some strangely-administered region out there could take umbrage to receiving campaign messages without necessarily blocking them first."

Everything looks good, but I do question why the last bit outside of the last is outside of the list or why there's a "where" before "conducting" there.

"Wonderful. The "where" you mention has been removed, as well as a general final proofread, but the last segment exiting the list is deliberate. It's part of the second list item (marked b), but applies to everything in sub-list (marked with i through iv). The intention is to be read like so: requirement, except where i or ii or iii or iv, and with qualifier applying to all exceptions. Is that unclear?"

[Hulldom]

People who block them don't like them. So make sure you make it a campaign telegram. Otherwise the people who blocked them will get them and it will be considered spam. Other than that, youre fine. Just hit "this is a recruitment telegram, and select the drop down menu and hit "campaign".

"Ah, I see. It seems a fair few of the missives I receive these days are stamped with Do Not Deliver to various delegates from around the world, so I was curious whether they ignore, block, or simply don't like receiving them. Blocking would of course be the best option, but I can imagine some strangely-administered region out there could take umbrage to receiving campaign messages without necessarily blocking them first."

Everything looks good, but I do question why the last bit outside of the last is outside of the list or why there's a "where" before "conducting" there.

"Wonderful. The "where" you mention has been removed, as well as a general final proofread, but the last segment exiting the list is deliberate. It's part of the second list item (marked b), but applies to everything in sub-list (marked with i through iv). The intention is to be read like so: requirement, except where i or ii or iii or iv, and with qualifier applying to all exceptions. Is that unclear?"

"It does."

[SherpDaWerp]

"Ah, I see. It seems a fair few of the missives I receive these days are stamped with Do Not Deliver to various delegates from around the world, so I was curious whether they ignore, block, or simply don't like receiving them. Blocking would of course be the best option, but I can imagine some strangely-administered region out there could take umbrage to receiving campaign messages without necessarily blocking them first."


"Wonderful. The "where" you mention has been removed, as well as a general final proofread, but the last segment exiting the list is deliberate. It's part of the second list item (marked b), but applies to everything in sub-list (marked with i through iv). The intention is to be read like so: requirement, except where i or ii or iii or iv, and with qualifier applying to all exceptions. Is that unclear?"

"It does."

"It is? Well. I'm loathe to add a new item, especially when it would be a qualifier affecting other items, but would it make more sense to have it appear like this..." Trailing off, the ambassador poaches a nearby napkin to scribble some notes.

• Resolves that:
  • member states must not conduct cyberwarfare on any individual citizens of a nation, except where:
    • the individual is a member of that nation’s military, or
    • ...
  • when conducting cyberwarfare on an individual citizen, the information or infrastructure targeted by the member state must be immediately relevant to the grounds for attacking that individual,
  • ...

"...with the qualifier appearing as an additional requirement below clause 2b?"

[SherpDaWerp]

This has been submitted.

[SherpDaWerp]

"Subject to some concerns from the Wallenburgian delegation, clause 1b now reads "national, state, local or otherwise government-based actors;". This is a fix for a hole in which local or state governments were entirely exempt from this proposal."

"I'm not enamored with the new wording, as it strikes me as potentially allowing fairly uncharitable arguments against the proposal, but I fail to see an alternative. As I'm rather impatiently interested in finishing this draft -- and would rather not hold anyone's WA longer than necessary -- I will resubmit this later tonight, bar further criticisms."

[SherpDaWerp]

"Another exception has been added, Clause 2.b.v, with the express purpose of enabling cyberwarfare against individuals hosting content that the WA deems unsavory. This concern was brought to me again by Ogenbond, who disliked that nations were forbidden from conducting cyberwarfare against individuals hosting content that we have outlawed."

"I am aware of no further concerns, so this has been resubmitted."

[SherpDaWerp]

For full notice, I have wired a campaign with the following wording:

Greetings, delegates of the world!

In today's world, cyberwarfare is only growing in prevalence. We, the assembled nations of the WA, must act to regulate this practice, much as any warfare. Indiscriminately destroying civilian and medical infrastructure should not be legal only because the destruction happened electronically.

My proposal, Regulating Digital Warfare, aims to subject cyberwarfare to similar restrictions as ordinary war, prohibiting the targeting of civilian services, medical operations, or individual civilians. This will not remove any nation's capacity for cyberwarfare, merely restrict it to military or governmental targets, as is proper.

Please support this proposal, and prevent electronic attacks from replacing physical ones in disrupting hospitals and civilian services. Approve the proposal here: https://www.nationstates.net/page=UN_vi ... 1649672122

[Fachumonn]

This has been approved.

I will request the support of the WA members in my home region, the Libertarian Socialist Confederation.

[PotatoFarmers]

I must have missed this earlier, because this the regulation of cyberattacks is a topic which I have been working on for a bit of time before this. If I knew someone was working on it I would have raised questions earlier and/or abandoned my draft.

I guess the first main problem with this proposal is definitions. The current definition of cyberattacks fails to take into account attacks meant for the stealing of information & data. This could include personal medical history, secrets relating to the security of the state, military intelligence, or even commercial secrets. Considering that these cyberattacks don't cause disruption, they are not covered by your definition & therefore, this piece of legislation.

Secondly, because of the (lack of) definitions, clause wa come off as a little weird and awkward. What is defined as a medical facility? Does it refer to the physical building, or does it also include the computer infrastructure that the doctors rely on for patient records? Same thing for your use of "civilian infrastructure". Do you mean the physical infrastructure or the technological infrastructure?

Thirdly, there are a variety of loopholes that come as a result of certain phrasing of 2b. For example, 2bii excludes individuals which are "direct governmental staff" of a nation. What about teachers who are employed by the Education Ministry to teach in public schools? What about admin clerks, janitors and other service staff directly employed in the various ministries? Are they not protected? Same for 2bi - Admin staffers who are non-uniformed aren't protected because they are part of the military. Conversely, military subcontractors who produce machinary & technology are protected against cyberattacks. Is there a reason for that?

With all that reasons in mind, that is the reason why I think this proposal doesn't stand in its current state.

[SherpDaWerp]

The current definition of cyberattacks fails to take into account attacks meant for the stealing of information & data. This could include personal medical history, secrets relating to the security of the state, military intelligence, or even commercial secrets. Considering that these cyberattacks don't cause disruption, they are not covered by your definition & therefore, this piece of legislation.

My intention was that a "disruption" is any abnormal activity, even if said activity is not visible to the average user. Dictionary says "a break or interruption in the normal course or continuation of some activity, process, etc." - data being illegally removed from a server is not the normal course of that server running. Removing data would be, in my opinion, "an interruption in the normal course of a server's programming, where digital input is executed to (at minimum) gain unauthorised access to or otherwise compromise that server" - fitting the definition of a cyberattack. (having scrutineered this clause again, it was a bit silly of me to say "unauthorised" twice, but I don't believe that's really worth any definitional points against it)

Secondly, because of the (lack of) definitions, clause 2a come off as a little weird and awkward. What is defined as a medical facility? Does it refer to the physical building, or does it also include the computer infrastructure that the doctors rely on for patient records? Same thing for your use of "civilian infrastructure". Do you mean the physical infrastructure or the technological infrastructure?

I assumed the definition of cyberattack including "a computer system or related infrastructure" would have made this clear. Does it not?

Thirdly, there are a variety of loopholes that come as a result of certain phrasing of 2b. For example, 2bii excludes individuals which are "direct governmental staff" of a nation. What about teachers who are employed by the Education Ministry to teach in public schools? What about admin clerks, janitors and other service staff directly employed in the various ministries? Are they not protected? Same for 2bi - Admin staffers who are non-uniformed aren't protected because they are part of the military. Conversely, military subcontractors who produce machinary & technology are protected against cyberattacks. Is there a reason for that?

In general, teachers and other members of the civil service aren't directly employed by Ministeries but by government departments that receive funding based on decisions made by the Ministery. This was brought up in drafting; wording that makes this distinction explicitly clear will only introduce more loopholes. How do you define "staff of the government" in a way that accounts for a lottocratical nation? An autocratic one? A democratic one where ministerial staff are personally elected, or come with elected members, or even remain in place with different elected members in the lead?

As for admin clerks and janitors directly employed in the ministries or military - they are, and should be, valid targets, noting that 2b requires the cyberattack to be immediately relevant to the grounds for attacking that individual, so their access badges to enter ministerial offices are fair game, but personal social media accounts are not.

Military subcontractors and suppliers are tempting, however, companies regularly do many different things, and it would be unreasonable to expect every company that contracts for the military to be subject to nation-based cyberwarfare, right down to the company that sells their boots.