[defeated] Regulating Digital Warfare

[Kranostav]

I'm not sure how I feel about this proposal given its rather vague nature and cyberwarfare being such a broad method of engagement.

I am also unsure why you specifically picked out non-compliant nations when simply saying 'member nations' or 'all nations' would have sufficed.

[PotatoFarmers]

The current definition of cyberattacks fails to take into account attacks meant for the stealing of information & data. This could include personal medical history, secrets relating to the security of the state, military intelligence, or even commercial secrets. Considering that these cyberattacks don't cause disruption, they are not covered by your definition & therefore, this piece of legislation.

My intention was that a "disruption" is any abnormal activity, even if said activity is not visible to the average user. Dictionary says "a break or interruption in the normal course or continuation of some activity, process, etc." - data being illegally removed from a server is not the normal course of that server running. Removing data would be, in my opinion, "an interruption in the normal course of a server's programming, where digital input is executed to (at minimum) gain unauthorised access to or otherwise compromise that server" - fitting the definition of a cyberattack. (having scrutineered this clause again, it was a bit silly of me to say "unauthorised" twice, but I don't believe that's really worth any definitional points against it)

I don't quite agree that data stealing is an interruption in the normal course, since the processes of the government servers would probably be coming Especially since most of the time these data losses are done stealthily and unknowingly until further incidence response is done. In that case,

Secondly, because of the (lack of) definitions, clause 2a come off as a little weird and awkward. What is defined as a medical facility? Does it refer to the physical building, or does it also include the computer infrastructure that the doctors rely on for patient records? Same thing for your use of "civilian infrastructure". Do you mean the physical infrastructure or the technological infrastructure?

I assumed the definition of cyberattack including "a computer system or related infrastructure" would have made this clear. Does it not?

Nope, I don't think I can use a definition of a term to assume another term? Do I consider the water pumps or chlorine pumps in a water purification plant a computer system or a related infrastructure? Likely not. But what if I can disrupt the water pumps from working normally to stop the water from being pumped to households?

Thirdly, there are a variety of loopholes that come as a result of certain phrasing of 2b. For example, 2bii excludes individuals which are "direct governmental staff" of a nation. What about teachers who are employed by the Education Ministry to teach in public schools? What about admin clerks, janitors and other service staff directly employed in the various ministries? Are they not protected? Same for 2bi - Admin staffers who are non-uniformed aren't protected because they are part of the military. Conversely, military subcontractors who produce machinary & technology are protected against cyberattacks. Is there a reason for that?

In general, teachers and other members of the civil service aren't directly employed by Ministeries but by government departments that receive funding based on decisions made by the Ministery. This was brought up in drafting; wording that makes this distinction explicitly clear will only introduce more loopholes. How do you define "staff of the government" in a way that accounts for a lottocratical nation? An autocratic one? A democratic one where ministerial staff are personally elected, or come with elected members, or even remain in place with different elected members in the lead?

As for admin clerks and janitors directly employed in the ministries or military - they are, and should be, valid targets, noting that 2b requires the cyberattack to be immediately relevant to the grounds for attacking that individual, so their access badges to enter ministerial offices are fair game, but personal social media accounts are not.

Military subcontractors and suppliers are tempting, however, companies regularly do many different things, and it would be unreasonable to expect every company that contracts for the military to be subject to nation-based cyberwarfare, right down to the company that sells their boots.

3 points:

• I am pretty sure civil servants, by definition, are government officials. As such, I don't think a broad exemption on "government staff" would make any sense, that is what I am getting at
• Do you not agree that 2b, and the phrase "relevant to the grounds" is a little vague? Like what constitutes relevance? If I can steal the person's personal data so as to blackmail him into giving state secrets, isn't it relevant to the reason why I stole the personal data?
• The part on Military subcontractors make sense, though I was trying to cite that to as a comparison. The main question here is - why admin clerks and janitors are considered valid targets and others are not? How does this list come about?

[SherpDaWerp]

I'm not sure how I feel about this proposal given its rather vague nature and cyberwarfare being such a broad method of engagement.

If it was narrower, it would simply not cover everything. As it is, it seems there's things that it leaves out.

I am also unsure why you specifically picked out non-compliant nations when simply saying 'member nations' or 'all nations' would have sufficed.

Because member states enabling non-member protectorates or allies to conduct cyberwarfare should be fine (so it needs to include more than just "member nations") but members enabling actively non-compliant nations to conduct cyberwarfare shouldn't be (so it shouldn't include "all nations").

My intention was that a "disruption" is any abnormal activity, even if said activity is not visible to the average user. Dictionary says "a break or interruption in the normal course or continuation of some activity, process, etc." - data being illegally removed from a server is not the normal course of that server running. Removing data would be, in my opinion, "an interruption in the normal course of a server's programming, where digital input is executed to (at minimum) gain unauthorised access to or otherwise compromise that server" - fitting the definition of a cyberattack. (having scrutineered this clause again, it was a bit silly of me to say "unauthorised" twice, but I don't believe that's really worth any definitional points against it)

I don't quite agree that data stealing is an interruption in the normal course, since the processes of the government servers would probably be coming Especially since most of the time these data losses are done stealthily and unknowingly until further incidence response is done. In that case,

If the server is doing something abnormal... then that's an interruption in normality. I'm not sure what else to say. It doesn't matter to whom the interruption is visible, it's still an interruption.

I assumed the definition of cyberattack including "a computer system or related infrastructure" would have made this clear. Does it not?

Nope, I don't think I can use a definition of a term to assume another term? Do I consider the water pumps or chlorine pumps in a water purification plant a computer system or a related infrastructure? Likely not. But what if I can disrupt the water pumps from working normally to stop the water from being pumped to households?

Alright, I'll cop this one as needing work.

In general, teachers and other members of the civil service aren't directly employed by Ministeries but by government departments that receive funding based on decisions made by the Ministery. This was brought up in drafting; wording that makes this distinction explicitly clear will only introduce more loopholes. How do you define "staff of the government" in a way that accounts for a lottocratical nation? An autocratic one? A democratic one where ministerial staff are personally elected, or come with elected members, or even remain in place with different elected members in the lead?

As for admin clerks and janitors directly employed in the ministries or military - they are, and should be, valid targets, noting that 2b requires the cyberattack to be immediately relevant to the grounds for attacking that individual, so their access badges to enter ministerial offices are fair game, but personal social media accounts are not.

Military subcontractors and suppliers are tempting, however, companies regularly do many different things, and it would be unreasonable to expect every company that contracts for the military to be subject to nation-based cyberwarfare, right down to the company that sells their boots.

3 points:

• I am pretty sure civil servants, by definition, are government officials. As such, I don't think a broad exemption on "government staff" would make any sense, that is what I am getting at
• Do you not agree that 2b, and the phrase "relevant to the grounds" is a little vague? Like what constitutes relevance? If I can steal the person's personal data so as to blackmail him into giving state secrets, isn't it relevant to the reason why I stole the personal data?
• The part on Military subcontractors make sense, though I was trying to cite that to as a comparison. The main question here is - why admin clerks and janitors are considered valid targets and others are not? How does this list come about?

• I've never in my life heard anyone refer to a Department of Transport paper-pusher as a "government official". Nor "government staff". By definition (although this changes wildly from country to country, part of my struggle with this clause) civil servants are people who's employment survives an election, thus making them not "government" employees, but employees of the state. A government is the people who govern, and their staff and employees help them with that task. It's not reasonable (imo) to then say "teachers are government staff" when they are not employed by the people who govern, they are employed by the state in which they work.
• Key word: immediately relevant. Anything's relevant if you draw a link, but the definition of "immediately" is "in direct connection or relation". That clause, by definition, says "..is relevant in direct connection or relation to the grounds..." There's not any direct relevance between my facebook account and my employer. There is a direct connection between my staff ID card and my employer.
• Because they are employed in an organisation that is a valid target. Rather than spread the "load" of cyberwarfare between individual persons defined as relevant (regardless of their place of employment), I decided to concentrate them in organisations that should have the resources to adequately prepare for cyberattacks. I would not want to encourage cyberwarfare becoming an individual's responsibility to defend against; it would be much more sensible to define a (still very reasonable) list of valid targets such that they are all under the one roof. It also makes the line-in-the-sand much clearer, and avoids loopholes that may be introduced by including a broader definition of valid target.

[Eloren]

Forgive me in advance, since I've been out of the loop of the GA for a while. There are things I may be unaware of.

Cyberattacks are notorious for their difficulty in attribution. It is highly possible to target the wrong actor, due to sophisticated tactics. On first glance, anybody might say that an attack was originating from a certain domain or address, when in fact it's coming from another. Or in some cases, it's a rogue actor illegitimately using a network of an unsuspecting organization. What in this resolution would ensure that cyberattacks would not be carried out unless there was high certainty that the target was verified as an aggressor? Or to communicate with the appropriate party to notify them of a breach of security?

What's to deal with non-government actors (e.g. businesses, religious orders, non-profit orgs, etc) from responding to a cyberattack in kind (justified as it may be)? This is a particularly messy issue as it involves problems of attribution errors, tit-for-tat, and "fog of war" from multiple parties.

Or is there another existing resolution that already covers cyberattacks?

[Fachumonn]

After some deliberation, The Libertarian Socialist Confederation has voted FOR this proposal and warmly encourages others to do so as well.

[Untecna]

I have voted against upon review of both the proposal and arguments by other members and collective regions.

[Equai]

After the reviewing and a debate among the politicians in the Committee of Representatives, delegacy of the Federation of Equai has decided to vote for this proposal. We believe that war is terrible thing that can always be avoided. However, even in the case of war international community agreed on the conduit and codecs of the said war and we do not see why that cannot also be applied for the war in cyber-space. We hope that this proposal will be passed or, in case of not passing, be proposed again in one form or the other because we believe that cyber warfare need rules and regulations as such as it needs in the time of traditional war.

[Dogologo]

member states must not conduct cyberwarfare on any individual citizens of a nation, except where:

the individual is a member of that nation’s military, or

the individual is a member of that nation’s government or direct governmental staff, or

the individual is actively involved in conducting attacks of any sort on the member state, its citizens, any of the member state's treatied allies, or any of the member state's treatied allies' citizens, or

I May Be Wrong, But..... wouldn't an act of war against another nation's warmaking/managing/etc/whatever personnel........ be warfare....... Even If It's Not Called That

[PokemonGirl]

From the way this is worded it sounds like so long as the nation's government isn't actively committing cyber warfare, it's cooperating with the letter of the law. Which I'm for.

It does not explicitly state the government has a responsibility to stop random attacks from it's citizens or some sorta private hAx0rZ however, which I'm also for. Neckbeard mercenaries working for tendies

[Youtube Inc]

Just from a meta point of view it really seems like a lot of the members of the security council care very much so about things like net neutrality & restrictions on the internet being is minimum as possible I mean really most if our hacker or programers of some description, right?

[The Forest of Aeneas]

Personally, the only argument against this I have seen that I find compelling is "direct governmental staff" being too broad.

[SherpDaWerp]

What in this resolution would ensure that cyberattacks would not be carried out unless there was high certainty that the target was verified as an aggressor?

In general, I believe, requiring $x means you have to make a best-effort attempt to verify $x before acting. You can't just take one glance before retaliating. (Also worth noting I'm unaware of any APT groups, IRL, that haven't been identified as belonging to some country or another.)

What's to deal with non-government actors (e.g. businesses, religious orders, non-profit orgs, etc) from responding to a cyberattack in kind (justified as it may be)? This is a particularly messy issue as it involves problems of attribution errors, tit-for-tat, and "fog of war" from multiple parties.

Or is there another existing resolution that already covers cyberattacks?

This resolution makes no attempt to regulate cyberattacks, except where they're carried out by nations. Non-government actors, under this resolution, would be free to cyberattack whatever they want; I prefer the idea of this being a separate resolution so that it's explicitly clear what governments can do about cyberattacks and what everyone else can do about cyberattacks. There aren't any extant resolutions that regulate cyberattacks between NGOs, but the International Cybersecurity Convention proposed in this forum seems to want to fill that niche.

Neckbeard mercenaries working for tendies

Governments that hire mercenaries to do their "dirty work" are still sponsored and/or encouraged by national actors, and are subject to the provisions of this resolution.

Personally, the only argument against this I have seen that I find compelling is "direct governmental staff" being too broad.

The argument that 2a is read independently of the definitions in 1, and thus is unclear about what "medical institution or civilian infrastructure" actually means, is also reasonably compelling. Unfortunately it, to me, it seems these criticisms were only brought to me at the eleventh hour to make way for another nation to write a resolution on this topic.

[Alistia]

Voted against, I think that this proposal authorizes too many cyber attacks.

For instance, it permits cyber attacks against members of a nations military, but what if the said nation forces it's citizens to serve? I don't think it's fair to blankety allow cyber attacks of members of the military when said members may be forced to serve in that role. Similar situations arise within most of this clause.

[Toonela]

While I am sorry to hear that many of the relevant criticisms were not brought forth sooner (I'm afraid I've only recently become engaged with the Forum and so missed this in its drafting stage), I will also be voting against this resolution. I'm not particularly convinced that the definition of cyberattack isn't broad enough, as some others have stated; I can see how theft of state secrets may be within the umbrella of interruption set out here, however, I am fairly compelled by the argument that the definition of governmental staff used here allows for targets of cyberattacks to be individuals that are not intended to be targets.

That said, I'm not sure I have a particularly good suggestion as to how that exception might have been improved, due to the variety of roles various governments may or may not play within individual nations as employers of last resort, as purveyors of compulsory services, etc. etc.

[Vietstalia]

GET CYBER KILL SLAIN.

OPPOSED

[Ishtimbine]

It's a bit awkward looking at the details of this resolution when I have compulsive military service, and a complete socialist state with illegalized private industry. At the same time there's an exemption by absence which allows NGOs (which don't exist in my nation) to work unrestricted, while still allowing state actors to target most of my citizenry unimpeded.

[Orifna]

Our nation is currently in an incredibly hostile state right now with another nation, and it's turning nuclear, and electronic warfare isn't gonna change anything, so I'm opposing this.

[SherpDaWerp]

I would like to see this pass, still, so here's a new version. Hopefully this time I can garner some meaningful feedback pre-submission.

Changelog:

• New definition for "vulnerable system" to clarify what exactly constitutes the cyber-attack-able part of a "medical institution"
• Changed definition for "cyberattack" to be "any execution of digital input", rather than a "disruption... caused by execution of digital input", and added more examples to the list of outcomes
• Changed definition for "cyberwarfare", now reads nicer (and explicitly includes not-"government" public service)
• Changed 2a and 2b to fit the new "vulnerable system" definition
• Moved the qualifier on 2b to sit within the main clause, instead of below the list
• EDIT: forgot to mention, changed the "government staff" thing that caused such grief to be "involved in carrying out the standard functions of government in that nation". To preempt an argument: no, "teaching" is not a standard function of government, but "allocating funding for teaching" is a standard function of government.
• Changed 2biii to read nicer
• Added qualifier 2c, to cover the following scenario: terrorist (conducting attacks against @@name@@) uses an online messaging service to communicate with terrorist buddies. His account is directly relevant to the attacks he carries out. However, any attack on it counts twice: attack on vulnerable system (account) belonging to terrorist, and attack on vulnerable system (server) belonging to the service provider (electronic service). In this case the attack is not (but should be) legal, so 2c permits 2b overriding 2a in this case.

Also, just to be clear - this resolution isn't and never has been interested in regulating general cyberattacks, merely regulating what nations do with cyberattacks. There is still significant room for a resolution that establishes guidelines around dealing with cyberattacks, criminalising them, preventing them, etc.

[The Wallenburgian World Assembly Offices]

Please start a new thread instead of reusing one for an already defeated resolution.

[Cretox State]

Please start a new thread instead of reusing one for an already defeated resolution.

Why? It’s a new draft of the same proposal.

[Imperium Anglorum]

Please start a new thread instead of reusing one for an already defeated resolution.

Why? It’s a new draft of the same proposal.

We want a static record of the proposal that was defeated.

[SherpDaWerp]

Your static record is still in the OP, just spoilered. Should I restore it to being plainly visible in the OP when I make the new thread?

edit: signs point to yes. I've de-spoilered the voted-on version and [defeated] tag in the title. New thread will come when it comes. Lock and/or move this thread as needed.