CHAIRMAN OF THE JOINT CHIEFS OF STAFF

Strategy Essay Competition
Essays 2001

Innocent Packets? Applying Navigational Regimes from the Law of the Sea Convention by Analogy to the Realm of Cyberspace

Steven M. Barney

Developments in information operations1 have provoked considerable debate in legal circles and raised concerns among operational commanders over the legal framework to be applied to information warfare. Some U.S. Government lawyers initially suggested that the application of modern information systems technology to military purposes was so new that no law applied.2 However, as lawyers and warfighters began working with the rapidly emerging technology, they recognized that many traditional military activities included under the umbrella of information operations were actually physical attacks on information systems by traditional military means.

Applying international law to information operations involving physical attacks is fairly simple for commanders and their lawyers because international law and customary practice have established the laws regulating traditional military operations. On the other hand, international law principles are more difficult to apply to information attacks that use electronic means to gain access to or change data in an enemy computer system without necessarily damaging the computer itself or the telecommunications infrastructure to which it is attached.3 This void in international law eventually may be remedied through development of treaties. However, one scholar has observed that "given Internet technology's exponential growth, it would seem extraordinarily useless to go through a lengthy treaty negotiation process to draft an agreement listing prohibited Internet behaviors or actions that would be as out of date as the computers that began to produce the treaty at the start of the drafting and negotiation process." 4 This logic, as well as the lack of widespread experience in cyberspace warfare, suggests that commanders and their lawyers must resort to drawing analogies from custom, treaties, and principles in land, sea, air, and space law to apply to information warfare.

If the realm of cyberspace is accepted as having a strong conceptual parallel to that of physical space, then the navigational regimes applied to physical space under the 1982 United Nations Convention on the Law of the Sea5 (UNCLOS III) can be a useful and familiar conceptual framework to apply to planning and conducting operations in cyberspace. This essay explores how the UNCLOS III navigational regimes can be applied by analogy to information operations. It suggests the rights of transit through cyberspace under those regimes and evaluates the advantages and disadvantages of applying the UNCLOS III concepts to information operations. Finally, it proposes that the UNCLOS III analogy can address problems with routing information operations through the telecommunications infrastructure of neutral states.

The discussion of the legal implications of computer network attack (CNA) begins with a scenario. It is 2005. The national command authorities of State A, responding to an unprovoked hostile act against its citizens by the armed forces of State Z, authorize the use of force in national self-defense, citing Article 51 of the Charter of the United Nations.6 Because State Z military forces remain a threat, the State A Joint Task Force commander is authorized by superiors to launch a computer network attack7 on a State Z military computer system. State A military forces launch the CNA from a military computer system in their own territory. The attack travels in electronic packets through the Internet, through communications networks in States B, C, D, E, F, and G before reaching the desired target in State Z (figure 1). As a result of the attack, State Z military commanders are denied the use of their computer networks to communicate with units in the field.8

Under international law, did State A have the right to use the international telecommunications infrastructure to transmit a CNA on State Z? Was the territorial sovereignty of intermediate states violated by the CNA passing through their national telecommunications infrastructure? Did an act of force take place within their territory? Was the neutrality of those states violated? Can State Z insist that neutral states prevent further CNAs from being routed through their telecommunications infrastructure? If the neutral states are willing but technologically unable to prevent the transmission of further CNAs without shutting down their entire telecommunications infrastructure, are the telecommunications nodes in those neutral states subject to attack by State Z? Discussion of these questions begins by examining how the purposes and language of UNCLOS III can be adapted to operations in cyberspace.

Purposes of UNCLOS III

The state parties to UNCLOS III desired to settle law of the sea issues "in a spirit of mutual understanding and cooperation [as an] important contribution to the maintenance of peace, justice, and progress for all peoples of the world." 9 The state parties sought to resolve "problems of ocean space" through a regime that provides "due regard for the sovereignty of all states, a legal order for the seas and oceans which will facilitate international communication, and will promote the peaceful uses of the seas and oceans, the equitable and efficient utilization of their resources, the conservation of their living resources, and the study, protection and preservation of the marine environment." 10 The state parties expressly intended that the Convention benefit not only coastal states but also landlocked states and "contribute to the realization of a just and equitable international economic order which takes into account the interests and needs of mankind as a whole and, in particular, the special interests and needs of developing countries." 11 The principles of the Convention were premised on a United Nations (UN) General Assembly resolution that "solemnly declared inter alia that the area of the seabed and the ocean floor and the subsoil thereof, beyond the limits of national jurisdiction, as well as its resources are the common heritage of mankind, the exploration and exploitation of which shall be carried out for the benefit of mankind as a whole, irrespective of the geographical location of States. . . . " 12


Figure 1: Hypothetical Computer Network Attack


From these ocean policy principles, UNCLOS III created a framework to balance and reaffirm the sovereignty of coastal states where necessary for safety and security while declaring international waters free for the use of all states. This notion of unimpeded high seas freedom of navigation is similar to the views of some who advocate similar rights for Internet users. But that freedom of cyberspace navigation must be balanced against important national interests:

Techno-purists feel that cyberspace is borderless; there are no national or regional boundaries to inhibit anyone from communicating with anyone by phone, across the network, or across the universe. And from one perspective we must agree: If cyberspace is "that place in between" the phones or the computers, then there are no borders. As we electronically project our essences across the network, we become temporary citizens of cyberspace, just like our fellow cybernauts. By exclusively accepting this view, however, we limit our ability to create effective national information policies and to define the economic security interests of our country.13

A sound policy that balances international freedoms in cyberspace with legitimate concerns about national security may be achieved by applying the navigational regimes of UNCLOS III to the medium of cyberspace. Borrowing from the language of the Convention, such global cyberspace policies, fairly applied, could:

  • make an important contribution to the maintenance of peace, justice, and progress
  • resolve problems of cyberspace
  • provide due regard for the sovereignty of all states
  • facilitate international communication
  • promote peaceful uses of cyberspace and the equitable and efficient utilization of its resources
  • aid the study, protection, and preservation of the cyberspace environment
  • contribute to the realization of a just and equitable economic order that takes into account the interests and needs of mankind as a whole and, in particular, the special interests and needs of developing countries
  • establish international cyberspace as beyond the limits of national jurisdiction, as a common heritage of mankind, the exploration and exploitation of which shall be carried out for the benefit of mankind as a whole irrespective of the geographical location of states.

Such an application of the underlying purposes of UNCLOS III to the cyberspace medium could have a positive effect on the international development of cyberspace. A test of the usefulness of this analogy in preserving national sovereignty would be how well two important access rights under UNCLOS III, innocent passage14 and transit passage,15 might be applied to military operations in cyberspace.

Dividing Cyberspace

The analogy is premised on identifying cyberspace navigational regimes similar to the maritime navigational regimes from UNCLOS III. To be recognized as valid, the cyberspace analogy must be consistent with the underlying policy embodied in UNCLOS III and be applied fairly, neither creating new rights for states nor infringing on existing ones. The analogy must use a balanced, rational approach to divide the intangible medium of cyberspace into areas in which sovereign rights of the individual state are preserved. It must also recognize that the Internet is part of an international telecommunication system in which freedom of access benefits all states and to which any artificially drawn boundaries would have to be consistent with legitimate issues of national sovereignty and customary international law. With those objectives in mind, the proposed analogy divides cyberspace into regimes called national cyberspace (figure 2)--consisting of internal cyberspace and territorial cyberspace--and international cyberspace.

National Cyberspace

National cyberspace is the region of cyberspace in which individual states require substantial sovereign rights to preserve the political and economic security of the state. The region is subdivided into internal and territorial cyberspace. Understanding the distinction between internal and territorial cyberspace is necessary to frame the overall rights and interests of sovereignty that a state may exercise in national cyberspace.

Figure 2: National Cyberspace

Internal Cyberspace

Internal cyberspace is the region in which a state may exercise complete sovereignty; it is the cyberspace equivalent to the land space, internal waters, and airspace above a state.16 Internal cyberspace is that medium serviced by the state's national telecommunications infrastructure17 that is normally accessible only to authorized users (persons with the specific permission of the computer system administrator). It includes the internal telecommunications systems of businesses and institutions that connect to the international telecommunications infrastructure by a combination of connections, including cables, wires, microwave transmitters, and satellite ground stations. The internal cyberspace of the United States includes sensitive government telecommunication infrastructure and computer networks (for example, the Secret Internet Protocol Router Network, a computer network used for classified communications within the Department of Defense) and the equivalent internal communication networks used by businesses and organizations. Such networks, described as critical infrastructure by President William Clinton in Executive Order 13010, include infrastructures so vital that their incapacitation or destruction would have a debilitating impact on the defense or economic security of the United States.18 President Clinton acknowledged that, because so many of these critical infrastructures are owned and operated by the private sector, "it is essential that the government and private sector work together to develop a strategy for protecting them and assuring their continued operation." 19 For this reason, states may establish laws to prohibit unauthorized intrusion into internal cyberspace. Moreover, as a matter of national security, the protection of internal cyberspace requires the combined efforts of military and civil authorities to establish a robust defense.20

Because states have interests in protecting their critical information infrastructure, the commander must evaluate the political and military risks associated with information operations that intrude into the internal cyberspace of another state. Lawyers may provide guidance to the commander using analyses similar to those used when an intrusion of internal waters, land space, national airspace, or the territorial sea is contemplated. Depending on the circumstances of the operation, those lawyers would likely recommend a commander consult with superiors and seek permission, if possible, before intruding into another state's internal cyberspace.21 Generally, such an intrusion for the purpose of conducting military operations--including a use of force against that state to degrade, neutralize, or destroy a computer network--would be lawful if the underlying use of force is authorized under Article 2(4) or Article 51 of the Charter of the United Nations.22

A state would have more difficulty determining the appropriate response to an intrusion into its internal cyberspace by a foreign state. An intrusion for the limited purpose of collecting intelligence probably would not be considered a "use of force" that would immediately entitle the aggrieved state to respond with force in self-defense. In such a case, the most appropriate response by the aggrieved state would be to lodge a diplomatic protest of the unauthorized intrusion with the offending state, as is frequently done by nations that have discovered another state conducting espionage within their sovereign territory. However, if a state determines the intrusion constitutes a grave breach of its national security, use of force may be among the range of response options. An example of such a grave breach of national security would be the insertion of a computer virus into a military command and control computer network. Assuming the intruder could be identified, any response involving the use of force by the aggrieved state must be premised on self-defense and limited in scope to what is necessary and proportional to negate the danger posed by the intrusion.23

Without clear demarcation of borders or boundaries, determining when an information operation is at the point of intruding into internal cyberspace may be difficult. However, the practice among Internet users has begun to suggest virtual boundaries that may help avoid unintentional intrusions into internal cyberspace. For example, some Internet sites are restricted to authorized users who register, obtain a password, or pay a fee to view materials or buy products or services on the site. Commanders conducting information operations probably should consider these types of owner/operator restrictions as prima facie evidence that the site is within the internal cyberspace of a state. The decision to intrude upon the site without authorization should be subjected to the risk analysis described above. The mere use of a warning banner screen24 indicating that access to the site is limited to authorized users probably is not sufficient to indicate the site is within a state's internal cyberspace. However, the Department of Defense (DOD) Office of General Counsel suggests that it may be possible to specify certain information systems or Internet sites as "vital to national security." This designation would give those systems high priority for security measures or warn an intruder that an attack on the system could trigger an active defense that could damage the intruder's computer.25 A prudent commander will conduct a risk analysis based on the specific warning language on the site and consult with qualified counsel before authorizing the intrusion to determine whether an unauthorized intrusion, if detected, might trigger a defensive response or diplomatic protest.

Territorial Cyberspace

Territorial cyberspace is that portion of national cyberspace through which, and to which, governments, commercial enterprises, or private organizations allow generally unrestricted access. An example of territorial cyberspace of the U.S. Government is the new Internet site, www.FirstGov.gov.26 Developed as a single point of access to scores of Government Web sites, FirstGov.gov enables anyone with access to the World Wide Web to surf for information about Government agencies. A potential adversary lawfully could use this Web site's national intelligence capabilities to collect open-source intelligence (OSINT) information about the Government. Similarly, hundreds of thousands of businesses and noncommercial organizations maintain sites on the World Wide Web and provide access to users from all over the world. No restrictions currently exist on agents or employees of Government agencies, corporations, noncommercial organizations, and individual persons surfing those Web sites, sending e-mail, and transferring files and funds within the territorial cyberspace of a state.27

Internal and territorial cyberspace together comprise the national cyberspace of a state. Within this area, states may promulgate laws to govern access to national cyberspace and exercise police power, including the power to initiate criminal prosecution against individuals who violate state laws and who are subject to personal jurisdiction of the state.28 States may exercise judicial authority over activities in national cyberspace, including laws to prohibit criminal acts (such as threats to harm the person or property of another), promote consumer protection, and enforce commercial contracts (subject to the requirement of having jurisdiction over a party).29 Unlike OSINT activities in territorial cyberspace, which are lawful, a person who conducts intelligence collection activities that involve an unauthorized intrusion into internal cyberspace may be subject to criminal jurisdiction in the state where the penetration occurred.30

International Cyberspace

The regime of international cyberspace is more difficult to define because UNCLOS III does not specifically define a physical space counterpart. The Commander's Handbook on the Law of Naval Operations defines international waters "for operational purposes . . . [as] all ocean areas not subject to the territorial sovereignty of any nation." 31 Similarly, UNCLOS III identifies the high seas as comprising "all parts of the sea that are not included in the exclusive economic zone, in the territorial sea, or in the internal waters of a State." 32 The not subject and not included language in both definitions is significant in several respects. First, it reflects the primary approach taken in UNCLOS III to define those waters subject to the national jurisdiction of coastal states and leave all other waters outside the jurisdiction of any state. Second, by defining international waters and the high seas in the negative--not subject to, and not included in, coastal state jurisdiction, respectively--it reinforces the notion that, except for areas of the ocean in which coastal states have clearly identifiable and protected interests, no state has the right to declare jurisdiction over international waters. Finally, it suggests that the approach advocated for defining navigational regimes in cyberspace is consistent with the intent of UNCLOS III because it reinforces the underlying principle that, outside national cyberspace, commanders may move cyberforces without restrictions by other states, giving due regard to the rights of others.33 Therefore, international cyberspace is not a physical place; it is a characteristic of cyberspace by which a data packet is not physically present anywhere but is merely in transit within the international telecommunications infrastructure and therefore not subject to the territorial sovereignty of any state.34

In light of this analogy, because states could exercise jurisdiction over national cyberspace, they may be able to close their national cyberspace to information operations. Although this outcome is possible, it is not probable because one of the characteristics of the Internet is that no single organization controls access to the World Wide Web, "nor is there any centralized point from which individual Web sites or services can be blocked from the web." 35 To close national cyberspace would require the state to cut off almost all access to its own domestic telecommunications network, a measure that would be extremely disruptive and unsuitable except in the most grave threats to national security. However, if access to national cyberspace is merely restricted and telecommunication nodes are still accessible to international cyberspace, then the UNCLOS III analogy provides two exceptions to the sovereignty of coastal states over national waters: innocent passage and transit passage.36 These transit rights could be exercised to "move" cyberforces through national cyberspace without the obligation to notify the state or any intermediate states, as suggested in the hypothetical scenario at the beginning of this essay.

Innocent Passage and Transit Passage in Cyberspace

The rights of both innocent passage and transit passage under UNCLOS III are exceptions to the general rule that coastal states may limit access by foreign ships to national waters. While warships may exercise both innocent passage and transit passage, both passage rights have specific limitations that must be considered by the operational planner seeking to employ either or both as a legal basis to move forces through physical space. Cyberspace transit passage is the preferred, though not the exclusive, mode that could be employed for cyberspace navigation. The following brief analysis demonstrates that the right of transit passage gives the commander more flexibility than does the right of innocent passage.

The right of innocent passage gives the ships of all states the right to traverse the territorial sea in a continuous and expeditious manner, so long as that passage is not prejudicial to the peace, good order, or security of the coastal state. Certain actions by a warship or state vessel may be considered "not innocent" and thus inconsistent with the right of innocent passage through the territorial sea of a coastal state under Article 19 of the Convention. Those limitations, coupled with the right of coastal states to suspend temporarily the right of innocent passage when necessary for their security, reduce the value of innocent passage to the operational planner. Applying those same limitations to the right of innocent passage through territorial cyberspace (figure 3), an operational planner may be unable to rely on unfettered use of cyberspace innocent passage if the cyberforce could be characterized as violating any of the proscribed activities listed in Article 19 of the Convention.37

Analysis of the factors that the Convention labels "prejudicial to the peace, good order or security of the coastal State" if conducted in the territorial sea suggests that any right of innocent passage would be at least as limited in territorial cyberspace. In particular, restrictions under Article 19(2)(a) and (k) could directly affect a military operation involving CNA if the effect of the threat or use of force actually interferes with communications, facilities, or installations of the transited state.38 However, if no action or use of force is intended against the transited state, then cyberspace innocent passage may be authorized.

Figure 3: Cyberspace Innocent Passage, State B

A thornier problem with using innocent passage to justify movement of force through cyberspace is the proscription against "any threat or use of force against the sovereignty, territorial integrity, or political independence of the coastal state, or in any other manner in violation of the principles of international law embodied in the charter of the United Nations." Even assuming no threat or use of force is directed against the transited state, the issue remains whether innocent passage through cyberspace may be limited if the use of force is targeted against a third state. The U.S. view of military use of innocent passage has been that "cargo, destination, or purpose of the voyage can not be used as a criterion for determining that the passage is not innocent" and that "possession of passive characteristics, such as the innate combat capabilities of a warship, do not constitute 'activity'" within the territorial sea in regard to the enumerated list.39 Applying that rationale to cyberspace innocent passage, the fact that a cyberspace transmission contains an information weapon with destructive capability does not render passage non-innocent.

Therefore, the maritime navigational regime of transit passage provides significantly greater flexibility to the commander than does innocent passage and, when applied by analogy to cyberspace operations, more closely matches how the international telecommunications infrastructure supports information operations (figure 4). In maritime navigation, the right of transit passage allows all ships and aircraft freedom of navigation and overflight solely for the purpose of continuous and expeditious transit of the international strait from one part of the high seas or an exclusive economic zone to another. Ships and aircraft exercising the right of transit passage may proceed without delay through or over the strait, in their normal mode of operations, and must refrain from the threat or use of force against the sovereignty, territorial integrity, or independence of states bordering the strait.40 Therefore, the rights of all states to exercise transit passage would be violated if, for example, Spain or Morocco closed the Strait of Gibraltar to ships and aircraft transiting between the Atlantic Ocean and the Mediterranean Sea. The right of transit passage through these physical international straits is important to the international economy, communications, and national and collective self-defense. Similarly, states and their people must use their national telecommunications infrastructure to access international cyberspace. Therefore, the state's national telecommunications infrastructure is the cyberspace equivalent of an international strait.

Figure 4: Cyberspace Transit Passage

When navigating cyberspace international straits, users behave much like ships and aircraft engaged in transit passage: they proceed without delay, in the normal mode of continuous and expeditious transit, and refrain from any threat or use of force against the national cyberspace through which their communication is routed. The nature of telecommunications means cyberforces transit cyberspace almost instantaneously and without delay, except as limited by system bandwidth during periods of peak demand. The high speed of transmission is valuable to the commander as well as the state through which the cyberforce is transmitted. The combination of speed and volume of Internet traffic means most states have limited capability to intercept and monitor cyberspace communications. This limited interception and monitoring capacity is important to maintaining the neutrality of states that are mere intermediaries in information warfare because the transited state is unlikely to be aware of the transmission.

In summary, transit passage provides the commander two major advantages over innocent passage: forces may transit in their normal mode of operation,41 and bordering states may not suspend the right of transit passage through international straits. The proscription against suspending transit passage is a strong argument for applying UNCLOS III to cyberspace. Governments, corporations, and private organizations may choose to suspend access to their internal cyberspace for various reasons, but as global economies become more dependent on the international telecommunications infrastructure, states probably could not or would not entirely close national cyberspace. Even if a state tried to close national cyberspace, the ability to transfer CNA packets through international cyberspace would hardly be affected because packets are automatically rerouted if intermediate routers are not available. Finally, the mere act of a belligerent state specifically routing a CNA through the cyberspace of a neutral intermediate state would not violate the neutrality of the transited state according to the cyberspace transit passage analogy.

Neutrality in the Era of Cyberwarfare

Codification of the navigational regimes in UNCLOS III had an immediate impact on the application of customary international law of armed conflict to the maritime environment. Rear Admiral Horace B. Robertson, USN (Ret.), observed that the navigational regimes of UNCLOS III directly affected the rights of neutral states. Robertson noted:

One of the advantages of the new transit passage concept is that it keeps the littoral states bordering straits with great strategic value out of the vicious circle of escalation in times of tension and crisis. If transit through such straits were subject to the discretion of the coastal states, they would unavoidably become involved even if the discretionary power were to be exercised evenhandedly. . . . The escalation-preventing quality of transit passage in times of tension and crisis--that is, in time of fragile peace--[is] even more important for neutral states in times of armed conflict.42

This advantage is beneficial to states that are neutral in international armed conflict and is equally applicable to both traditional military operations and information operations.

The right of states to remain neutral in international armed conflict is well established under international law. The Hague Convention No. XIII, Concerning the Rights and Duties of Neutral Powers in Naval War,43 is the latest expression in treaty form of the respective rights and duties of neutrals and belligerents concerning hostile activities within neutral maritime territory (internal waters and the territorial sea). Therefore, the Convention is a useful starting point for discussion of these issues for our UNCLOS III analogy.44

UNCLOS III and the international law of armed conflict created special challenges for neutral states that must be reconciled with Hague XIII.45 Hague XIII uses the terms neutral waters or waters within its jurisdiction; other references are made "either to the internal waters or the territorial waters (territorial sea) of the neutral state," since those were the only areas of the oceans recognized at that time as being within the jurisdiction or sovereignty of the coastal state.46 The cardinal principle of the law of neutrality is that belligerents may not conduct hostilities in or on neutral territory, land, or sea. Neutral states are obligated to conduct surveillance of their waters to ensure that belligerents do not violate their neutrality and to take preventive or corrective action if they detect such violations.47 As the application of the law of neutrals has evolved through state practice over time, so too the changes in technology, including information warfare, do not cause states to discard those aspects of international law concerning neutrals that have become customary.

Robertson concluded that since the same rules apply to the post-UNCLOS III territorial sea that formerly applied in the narrow territorial sea, "as a matter of principle belligerents are bound to respect the sovereignty of neutral powers and to abstain, in neutral territory or neutral waters from any act of warfare. Any act of hostility, including capture and the exercise of the right of search, committed by belligerent warships in the territorial waters of a neutral power, constitutes a violation of neutrality and is strictly forbidden." 48

Counterbalancing this requirement for belligerents to refrain from violating neutrality is the obligation of the neutral state to conduct surveillance in its territorial waters to ensure belligerents comply. In an observation that illustrates the difficulty of conducting surveillance of national cyberspace, Robertson noted the perils created for the neutral state under UNCLOS III:

The emergence of a "new" peacetime regime for the oceans, with its expansion of existing zones subject to national jurisdiction and the creation of new zones also subject to the same or similar forms of jurisdiction, has created problems of adaptation of the traditional rules of armed conflict at sea to these new developments. . . . As has been suggested by the foregoing analysis, however, the geographic and operational factors that determine the nature and scope of naval operations in time of armed conflict, and, in particular, the relationships between belligerent and neutral forces, render it uncertain as to whether such mechanical application of prior rules to new or expanded areas of national jurisdiction serves the best interests of either neutrals or belligerents or the humanitarian objectives of the rules. Massive expanses of waters that are denied to belligerents for hostile operations and for which neutral States have burdensome duties of surveillance and control are likely to increase beyond belligerents' power to resist the temptation to violate such waters and to overtax the capabilities of neutral States to enforce their duties within them. The result may well be increased tension between neutral and belligerent States with the consequent danger of widening the area of conflict and drawing neutral States into it.49

Robertson's recommendations for reformulating the rules of naval warfare that are affected by the emergence of new zones in the "new" law of the sea could serve as a useful policy to protect the rights of neutrals. This protection could be achieved by guaranteeing that the mere transit of a computer network attack through a neutral state's national cyberspace would not cause the loss of neutral status. Commanders and their lawyers readily could adapt these recommendations (see appendix) to the emerging requirements for the new zones of cyberspace described in this essay.50

Conclusion

This essay has proposed that the navigational regimes under the 1982 UN Law of the Sea Convention could apply to information operations involving a computer network attack. The computer network attack described in the opening scenario could be lawfully transmitted through the international telecommunications infrastructure, including Internet routers physically located in neutral states, by applying cyberspace analogies of innocent passage or transit passage. The concept of cyberspace transit passage gives commanders greater flexibility for information operations than does cyberspace innocent passage because UNCLOS III gives states the right to suspend innocent passage temporarily. During the immediate transmission of a CNA to the intended target in the hypothetical example, the attack passed through international cyberspace. Therefore, the territorial sovereignty of those intermediate states was not violated, nor did an act of force take place within their territory. For that reason, and because most states lack the technological means to detect, intercept, and identify the CNA as it passes through the Internet, those neutral states had no obligation to prevent the transit of their national cyberspace, and their status as neutrals was not violated. This analogy could provide a future Joint Task Force commander with the conceptual tools needed to plan more effectively and conduct operations in and through cyberspace with greater certainty that the courses of action involving the use of force in cyberspace will comply with international law.51

Appendix

A Proposal to Adapt Selected Principles from The Hague Convention No. XIII, Concerning the Rights and Duties of Neutral Powers in Naval War, to Information Operations

 3. Neutral [cyberspace] consists of the internal [cyberspace], territorial [cyberspace], and where applicable, the [national cyberspace], of a state which is not a party to the armed conflict.
 
 4. Within neutral [cyberspace], hostile acts by belligerent forces are forbidden. A neutral state must exercise such surveillance and enforcement measures as the means at its disposal allow to prevent violation of its neutral [cyberspace] by belligerent forces.
 
 5. Hostile acts within the meaning of paragraph 4 include . . . use [of neutral cyberspace] as a base of operations.
 
 6. Subject to the duty of impartiality, and under such regulation as it may establish, a neutral State may, without jeopardizing its neutrality, permit the following acts within its neutral [cyberspace]:
 
a. Innocent passage . . .

 7. A belligerent [may not cause a transmission with offensive information operation capability to] extend its stay in neutral [cyberspace].
 
 8. Belligerent [states] may exercise the right of transit passage through neutral international straits [in cyberspace]. While within neutral [cyberspace] comprising an international strait . . . belligerent . . . forces are forbidden to carry out any hostile act.
 
 9. Should a neutral state be unable or unwilling to enforce its neutral obligations with respect to hostile military activities by belligerent . . . forces within its neutral [cyberspace], the opposing belligerent may use such force as is necessary within such neutral [cyberspace] to protect its own forces and to terminate the violation of neutral [cyberspace].
 
10. A neutral state shall not be considered to have jeopardized its neutral status by exercising any of the foregoing neutral rights nor by allowing a belligerent State to exercise any of the privileges permitted to a belligerent state.

Source: Horace B. Robertson, The "New" Law of the Sea and the Law of Armed Conflict at Sea (Newport, RI: Center for Naval War Studies, Naval War College), 302-304.

Notes

 1. Joint Chiefs of Staff, Joint Doctrine for Information Operations, Joint Publication 3-13 (Washington, DC: Joint Chiefs of Staff, 1998). "Information Operations (IO) involve actions taken to affect adversary information and information systems while defending one's own information and information systems. Information Warfare (IW) is IO conducted during time of crisis or conflict (including war) to achieve or promote specific objectives over a specific adversary or adversaries. . . . Major capabilities to conduct IO include, but are not limited to, OPSEC [operations security], PSYOP [psychological operations], military deception, EW [electronic warfare], and physical attack/destruction, and could include computer network attack. IO related activities include, but are not limited to, public affairs (PA) and civil affairs (CA) activities" (I.1.a).

 2. Walter Gary Sharp, Sr., Cyberspace and the Use of Force (Falls Church, VA: Aegis Research Corporation, 1999), 5.

 3. Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, 2d ed. (Washington, DC: Government Printing Office, 1999), 4.

 4. George K. Walker, "Information Warfare and Neutrality," Vanderbilt Journal of Transnational Law 33, no. 5 (November 2000), 1187.

 5. The 1982 UN Convention on the Law of the Sea, the third UN convention on this subject, opened for signature on December 10, 1982, and came into force November 16, 1994. U.S. Naval War College, Oceans Law and Policy Department, Annotated Supplement to the Commander's Handbook on the Law of Naval Operations, NWP 1-14M (Newport, RI: Naval War College, 1997), 1.1, 1-3.

 6. Article 51 recognizes the "inherent right of individual or collective self defense" if an armed attack occurs against a member of the United Nations.

 7. Joint Doctrine for Information Operations, GL-5. A computer network attack comprises "operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves."

 8. Further assume that the use of force in self-defense by State A was lawful under the attendant circumstances, that disrupting State Z's computer network achieved a definite military advantage, and the use of force did not exceed what was necessary to prevent further attacks.
 
 9. UN Convention on the Law of the Sea, Preamble.

10. Ibid.

11. Ibid.

12. Ibid.

13. Winn Schwartau, Information Warfare: Chaos on the Electronic Super Highway (New York: Thunder's Mouth Press, 1994), 327.

14. Ibid., part II, sec. 3.

15. Ibid., part III, sec. 2.

16. The 1982 UNCLOS III Convention declares national airspace to extend seaward from the land to the limit of the territorial sea.

17. The term national telecommunications infrastructure should be understood, in this context, to include both government and private telecommunications systems and not solely systems administered by and for the exclusive use of the state.

18. Signed on July 15, 1996, Executive Order 13010 divided the critical infrastructure into eight categories: telecommunications; electrical power systems; gas and oil storage and transportation; banking and finance; transportation; water supply systems; medical, police, fire, and rescue services; and continuity of government.

19. Sharp, 198.

20. For an extensive discussion of operational considerations for computer network defense, see James P. Terry, "Responding to Attacks on Critical Computer Infrastructure: What Targets? What Rules of Engagement?" Naval Law Review 46, 1999.
 
21. For guidance on the use of force, see Joint Chiefs of Staff, Chairman of the Joint Chiefs of Staff Standing Rules of Engagement For U.S. Forces, CJCSI 3121.01, Enclosure A (Washington, DC: Joint Chiefs of Staff, 2000).

22. Article 2(4) expressly prohibits the use of force in international relations except as authorized by the UN Security Council under Chapter VII, or in national or collective self-defense under Article 51.

23. Sharp, 100.

24. U.S. Government Web sites normally include a banner screen both greeting and alerting users and intruders that they are entering a Government Web site and advising of the penalties for unauthorized access.

25. An Assessment of International Legal Issues in Information Operations, 47.

26. http://www.FirstGov.gov. Visitors to the Web site are welcomed with the following notice: "Welcome to FirstGov--the first-ever government website to provide the public with easy, one-stop access to all online U.S. Federal Government resources. This cutting-edge site gives the American people the 'Information Age' government they deserve. By using the wonders of information technology to bring government closer to the American people, we can expand the reach of democracy and make government more responsive to citizens."

27. The possible economic restriction, that a user must first have a computer with a connection to the Internet, does not change the fact that once connected to the Internet, the user is free to go anywhere.

28. Under criminal law, for a person to be tried by a court he or she must be physically present within the jurisdiction of the court. This concept is called in personam, or personal jurisdiction.

29. The question of personal jurisdiction for activity in cyberspace is beyond the scope of this essay. The discussion of jurisdiction is intended merely to show the extent of national sovereignty that a state may exercise over activities conducted in national cyberspace.

30. While international law does not prohibit states from conducting espionage, states may prosecute an individual who conducts espionage if he or she is found within the physical territorial jurisdiction of the state. See Roger D. Scott, "Territorially Intrusive Intelligence Collection and International Law," Naval War College International Law Studies 68, 1978-1994 (1995).

31. Commander's Handbook, at 1.5. Italics in original. For the purposes of this essay, the term nation in the Commander's Handbook is the equivalent of state.

32. UNCLOS III, part VII, sec. 1, Article 86. Italics added. The regime of exclusive economic zones (EEZs) is unique to physical space. Although coastal states retain specific rights over the resources found within the water column in the EEZ, those rights do not otherwise restrict the freedom of all states within the international waters, provided those freedoms are exercised with due regard to the rights of the coastal state. See idem, Article 58.

33. Sharp, 15.

34. Walker, 1104.

35. Ibid., 1099.

36. Horace B. Robertson, The "New" Law of the Sea and the Law of Armed Conflict at Sea (Newport, RI: Center for Naval War Studies, Naval War College), 286. Discussing the EEZ, quoting Ambassador Elliott Richardson, "In the group which negotiated this language it was understood that the freedoms in question . . . must be qualitatively and quantitatively the same as the traditional high-seas freedoms recognized by international law: they must be qualitatively the same in the sense that the nature and extent of the right is the same as the traditional high-seas freedoms; they must be quantitatively the same in the sense that the included uses of the sea must embrace a range no less complete--and allow for the future uses no less inclusive--than traditional high-seas freedoms" (119).
 
37. The activities proscribed under Article 19 include:

(a) any threat or use of force against the sovereignty, territorial integrity, or political independence of the coastal state, or in any other manner in violation of the principles of international law embodied in the Charter of the United Nations;

(b) any exercise or practice with weapons of any kind;

(c) any act aimed at collecting information to the prejudice of the defense or security of the coastal State;

(d) any act of propaganda aimed at affecting the defense or security of the coastal state; . . .

(f) the launching, landing, or taking on board of any military device;

(g) the loading or unloading of any commodity, currency, or person contrary to the customs, fiscal, immigration, or sanitary laws and regulations of the coastal state;

(h) the act of willful and serious pollution contrary to this Convention; . . .

(j) the carrying out of research or survey activities;

(k) any act aimed at interfering with any systems of communication or any other facilities or installations of the coastal state;

(l) any other activity not having a direct bearing on passage.

 
38. It may be argued that the remainder of the limitations under Article 19(2) could further limit the right of innocent passage in cyberspace, but a complete discussion of those limitations is beyond the scope of this article. Some problem areas include the following subarticles:

(a) the question of when a military operation in cyberspace constitutes a use of force requires applying the legal restraints on the use of force imposed by Article 2(4) of the Charter of the United Nations. See Sharp, "What constitutes a prohibited 'threat or use of force' in cyberspace and elsewhere is a question of fact that must be subjectively analyzed in each and every case in the context of all relevant law and circumstances" (137). . . .

(c) the ordinary use of the Internet to collect open-source intelligence (OSINT); . . .

(g) the loading or unloading of a computer sniffer program, virus, logic bomb, or Trojan horse as a "commodity" contrary to the laws and regulations of the coastal state;

(h) any action, willfully targeted toward another state, that results in serious pollution contrary to the Convention, affecting the coastal state; . . .

(j) research or survey activities intended to identify features and vulnerabilities of the telecommunications infrastructure of the state;

(k) the broad proscription on interfering with "any systems of communication" of the coastal state may be invoked if actions directed against a third state have a foreseeable collateral effect on the coastal state;

(l) the "other activity not having a direct bearing on passage" language points to the underlying assumption of innocent passage, which is specifically a limited waiver of territorial sovereignty only when passing through the territorial sea or cyberspace.

 
39. Commander's Handbook, Sec. 2.3.2.1, 2-8, footnote 27, summarizing testimony of Professor (Rear Admiral) H.B. Robertson, House Merchant Marine and Fisheries Committee, 97th Congress, hearing on the status of the Law of the Sea Treaty negotiations, July 27, 1982, Ser. 97-29, at 413-14, and Professor Bernard H. Oxman, paragraph 2.1.1, note 2 (2-1), at 853, respectively.

40. UNCLOS III, part III, sec. 1, articles 34-39.

41. For submarines, submerged; for aircraft carriers, while conducting flight operations; for aircraft, while flying defensive cover for transiting surface ships.

42. Robertson, 282, quoting Elmer Rauch, The Protocol Additional to the Geneva Conventions for the Protection of Victims of International Armed Conflicts and the United Nations Convention on the Law of the Sea: Repercussions on the Law of Naval Warfare (Berlin: Duncker and Humblot, 1984).

43. Hague Convention No. XIII, The Hague, October 18, 1907, 36 Stat. 2415, 2 Am. J. International L. (Supp) 202. Hague XIII has not received universal ratification, but most of its provisions are considered a statement of customary international law.

44. Robertson, 276, footnote omitted.
 
45. The significant provisions of the Hague Convention No. XIII are as follows:

Article 1. Belligerents are required to respect the sovereign rights of neutral states and to abstain from acts that would constitute a violation of neutrality; . . .

Article 5. Belligerents cannot use neutral ports or waters as a base of operations nor erect any apparatus to communicate with belligerent forces at sea; . . .

Article 8. A neutral government must employ the means at its disposal to prevent the fitting out or arming of vessels within its jurisdiction which it believes are intended for cruising or engaging in hostile operations and to prevent departure from its jurisdiction of such vessels;

Article 9. A neutral state must apply its rules and restrictions impartially to the belligerents and may forbid the entry of vessels that have violated its rules or its neutrality;

Article 10. The mere passage of belligerent warships or prizes through a neutral's territorial sea does not affect the neutral's neutrality; . . .

Article 12. Unless the neutral's regulations provide otherwise, belligerent warships may remain in neutral ports, roadsteads, or territorial waters no more than 24 hours; . . .

Article 25. A neutral state must exercise such surveillance "as the means at its disposal allow" to prevent violation of its territorial waters; and

Article 26. The exercise of its rights under the Convention by a neutral cannot be considered an unfriendly act by a belligerent.

 
46. Ibid.

47. Ibid., 278, footnote omitted.

48. Ibid., 279, citing Rauch.

49. Ibid., 302.

50. The author has substituted the cyberspace terminology developed in this essay for the traditional UNCLOS III maritime terms and eliminated those sections of Rear Admiral Robertson's analysis that do not apply to this analogy, such as maritime zones of archipelagic waters and exclusive economic zones.

51. A prudent commander will seek and obtain the assistance of qualified legal counsel at the earliest planning stages. Qualified counsel must be consulted to determine whether, if at all, the analogy proposed in this essay comports with customary international law under the specific circumstances.

Lieutenant Commander Steven M. Barney, USN, won first place with this essay, written while attending the College of Naval Command and Staff. He has been the staff judge advocate, special U.S. attorney, and defense counsel at several naval stations. He is currently assigned to Cruiser Destroyer Group Eight.
 
 