Vigyata.AI
Is this your channel?

Is a Russian Cyberattacks on the U.S. an Act of War? Prof. Hollis Explains...

301 views· 5 likes· 5:12· Apr 13, 2022

🛍️ Products Mentioned (1)

Since the government has warned of escalated risks of Russian cyberattacks in the U.S. we asked a leading cybersecurity law expert when is a cyberattack treated like a military attack. Under international law the modern term for an act of war is a "use of force." Professor Duncan Hollis explains when a cyberattack constitutes a use of force. ► http://www.talksonlaw.com for more legal explainers and interviews with the titans of law. Outline: 00:03 When would a Russian cyberattack be considered a use of force against the U.S.? 00:33 The SolarWinds cyberattack 01:40 Defining uses of force — The U.N. Charter 02:31 The effects doctrine and classifying uses of force 02:47 Ransomware against critical infrastructure as a use of force 04:54 Thanking cybersecurity expert, Prof Duncan Hollis ____________________ TRANSCRIPT Joel Cohen (JC): Professor, given right now there's what many believe is an escalated risk of Russian cyber attack, I wonder if I could get your view, as a cyber security expert and law professor, would a cyber attack on U.S. infrastructure by the Russian government be considered a use of force, an attack on the United States? Duncan Hollis (DH): It really will depend on the effects of that kind of “attack.” If it's like say the SolarWinds operation that we saw disclosed at the end of 2020, beginning of 2021, which targeted a lot of U.S. government entities and major U.S. firms and was attributed to Russian military intelligence, I don't think that will be a use of force, right. So, they got into these systems but what they appear to have been doing was surveillance, exfiltrating data, intelligence gathering. They weren't causing harm. I think that what you would need to see for the use of force is that, as I said, affecting the integrity of the infrastructure or its availability, so shutting down the power for more than a few minutes, and a couple of hours maybe, maybe not, a couple of days or weeks. It begins targeting a water filtration facility, targeting a civilian nuclear power plant in ways that are more than just surveillance. I think the U.S. has made it clear that it would regard those as a use of force and use all available lawful responses to deal with it. JC: So, Professor, where would you look, where would legal scholars look, as a starting point in defining a use of force? DH: Well, so first of all, it's encapsulated in the United Nations Charter. Article 2 paragraph4 of the U.N. Charter is where we find this prohibition, and I think at the time the charter was negotiated, it was pretty clearly limited to military force, the idea was the sort of force we'd seen deployed in World War II that was to be off limits. And then the questions become since it was all about kinetic force what about a biological weapon or a chemical weapon? So we've seen the expansion of the definition of force evolved through other treaties and through practice. I think it's become much more a question of what we call the effects doctrine and basically the idea is if the effects of what occurs via cyber means are analogous to the things that we thought were a use of force in previous kinetic conflicts, that's enough. JC: How about, we already see significant ransomware coming out of Russia, what if we just saw a significant spike in ransomware and if those ransomware attacks actually were on critical infrastructure, like many are today, such as hospitals or power plants? DH: I think the challenge with ransomware is one, are you going to deal with it as kind of a public international law matter, are you going to bring in the law enforcement, transnational law enforcement, Interpol and the like, and try and deal with it that way? I think if it's a large enough spike, it absolutely becomes a matter for international discourse. I don't know that the ransomware itself, again unless we're starting to see people dying or the like, which we, by the way, we haven't really seen in the cyber context. There was a ransomware attack in Dusseldorf, Germany, I think about a year ago or more, and they had to reroute a patient who was in an ambulance, who was coming in to a different hospital that was a further 10 or 15 minute drive and the patient died on route to the second hospital. And there was a moment where I think the cyber security experts and journalists were like “is this our first kind of ransomware death?” And the German authorities ended up concluding no, that the person was already in such a physical state that 10 minutes would not have made the difference. But it's that sort of activity at a scale, right, that might, I think, lead to the U.S. kind of saying, first, this violates international law and then like beyond that, does it actually rise to the level of the use of force? But I think you have to look for the scale and effects in terms of kind of, you know death and destruction, are kind of the benchmarks for it. [Redacted due to YouTube limitations]

🎬 More from TALKSONLAW