Hays Parks’s Influence on Cyberspace Operations Capabilities

by , | Dec 10, 2021

Cyber Capabilities

The recent Articles of War series honoring Hays Parks was a fitting tribute to a great American lawyer that reintroduced his work to the military legal community and its newest generations. The series referenced a seminal paper in which he addressed international legal requirements to review weapons. Though his paper focused on a weapon that had been in use for hundreds of years, the paper later played a significant role when the authors of this post drafted a command instruction addressing cyber weapons.

Recapping his legal review of the Joint Service Combat Shotgun Program in the October 1997 edition of The Army Lawyer, Colonel Parks developed the gold standard for weapons review. His article has since become an indispensable tool for attorneys reviewing the legality of all weapons used by U.S. forces. As a natural starting point for any similar analysis, Parks’s framework also provided a reference point for the assessment of cyber capabilities, the range of effects they can achieve, and the circumstances under which international law would require a legal review of those capabilities.

 The Joint Service Shotgun Program Legal Review

The Joint Service Combat Shotgun Program paper is remarkable for its thoroughness and structure as much as for its substance. Parks began his review by discussing the sources of weapons review requirements, including customary and conventional international law. He noted the Department of Defense’s (DoD) regulatory requirements as well. He identified the values to be protected by the review including compliance with international law.

Parks then provided a detailed history of the shotgun, reaching back to the 1500s , and traced its development and use through the 1990s. He cited the types of World War II fights in which the shotgun was effective (not “the open European battlefields,” but “invaluable in the dense jungle battlefields of the Pacific…”). Parks also discussed the many types of shotgun loads (the musket ball, birdshot, buckshot), their differing effects, and the operational circumstances under which each was preferred.

Parks next explored in depth the legal questions presented and definitions of essential terms (or the lack thereof), and applied the law to the Shotgun Program. The specific questions raised by the Shotgun Program included whether the shotgun caused superfluous injury (violating Hague Convention IV Respecting the Laws and Customs of War on Land of 18 October 1907) and whether buckshot projectiles expanded or flattened easily (violating the Hague Declaration Concerning Expanding Bullets of 29 July 1899). He discussed the difficulties associated with the absence of standard definitions, such as the case with the term “superfluous injury.” And, under circumstances in which most violence and violent effects are legally excused, he identified the scope of damages and injuries that are nevertheless prohibited during armed conflict.

Reviewing Cyber Capabilities

In assessing whether there was an international legal requirement to review cyber capabilities, and how to account for a capability if it were not a weapon, Parks’s analysis provided an outstanding benchmark. Even where his analysis was not practically suited to assessing cyber capabilities, use of his guidance was revealing and informative. While Parks’s work was not the only document the authors looked to when drafting the related instruction, the Joint Service Combat Shotgun Program highlighted the difficulties of applying traditional frameworks to the unique features of cyberspace.

The elements of the Parks framework included an analysis of the sources of the law, the applicable definitions, the values to be protected, the history of the tool under assessment, the variations and advancement of the tool, and the types of effects the tool can create. Without drafting a full analysis here, these are some of the considerations that arise when applying Parks’s framework to cyberspace capabilities:

Sources of International Law Regarding Cyberspace

International laws and norms applicable to cyberspace are unsettled. Some States have publicized their positions on the applicability of international law to cyberspace operations. A few have detailed how they believe international law applies, but most have not done either. Regardless, and unlike many kinetic operations, it is nearly impossible to determine whether States’ cyberspace operations comply with their own legal standards, or any others, from an outside perspective. The secrecy with which such operations are executed, the lack of access the public has to most networks, and the expertise needed to understand what is observable are all obstacles to meaningful critiques of States’ cyber weapon legal reviews.

The same obstacles can complicate development of customary international law concerning cyber weapon reviews. Opinio juris, one of two foundational elements of binding custom, has little chance to  develop in the face of such opacity. Additionally, while the law of armed conflict always applies when its thresholds are met and when a cyber capability causes death, human injury, or requisite property destruction, most cyberspace operations do not reach these limits or cause these effects. The precise application of laws that apply in circumstances that do not take place in armed conflict have yet to crystalize broadly across the international community.

Definitions Related to Cyberspace Operations

Specific terms particular to armed conflict have been debated, translated, litigated, and re-litigated in multiple languages over the course of centuries. Yet many terms have not developed consensus definitions among many States. As cyberspace’s lexicon matures, doctrinal definitions have proved difficult to establish, even among the organizations in a single national government. The term Parks dealt with, “superfluous injury,” could be evaluated in light of centuries worth of warfare’s practice with tangible objects. Cyberspace, for now, offers no such historical frame of reference.

Values to Be Protected During Cyberspace Operations

Like any military operational activity, important values to be protected include the protection of civilians and non-military property. Cyberspace operations are no exception. In addition to the customary requirements of necessity, distinction, and proportionality, those planning cyberspace operations must account for the precedents they create. Most norms that regulate kinetic activity are long established and have matured and evolved through precedents established in State practice.

Similarly, cyberspace operations that are likely to come to the public’s attention must be evaluated in light of the doors they open, perhaps providing legal or moral basis for other actors to conduct similar activity. For example, there exists much debate about whether data, an intangible item, constitutes an object such that it may, under appropriate circumstances, be classified as a military objective vice a civilian object. Cyber operations that target data must therefore consider both the merits of the data-as-object question as well as the precedent set by the adopted approach. Cyber operations undertaken against data, depending upon the specific data set in question, including the infrastructure where the data is stored and the manner in which the effect will be achieved, can produce both wide-ranging impacts and precedential effects.

History of Cyberspace Operations

The history Parks drew upon for the Shotgun Program helped frame its acceptable use and legality at the time of his review. In contrast, even if all the details of States’ cyber operations were known to the public, there are only a few decades of such operations upon which to draw a history. This limited record of acceptable and unacceptable uses of cyber capabilities is not enough to comprehensively inform the development and application of international law.

One need not imagine the shotgun’s effects to evaluate its legal uses, but imagination is indispensable to cyberspace operations’ legal evaluation. This is a direct result of the significant scope and scale of potential cyberspace capabilities. Increased transparency in operations and the legal analysis supporting those operations is critical to developing the comprehensive historical view necessary to develop international law. However, the need for legal evolution may be outweighed by the need for operational secrecy, further stunting development of opinio juris or the hope of conventional international legal development.

Variations/Advancements in Cyberspace Operations Capabilities

Some exploration of varied cyberspace capabilities and advancements can be considered. For the reasons described above, however, history does not offer much by way of experience, and new developments go largely unseen by the public. Of greater significance, and explored more fully below, are the variety of effects that can be achieved through cyber capabilities. While shotguns can only be changed so much before they become a different weapon entirely, cyberspace capabilities can be modified based on operational needs.  For example, it may be relatively easy to convert a particular persistent access and exploitation capability (i.e., something used for espionage) into a capability that denies communications, degrades system performance, or destroys data (e.g., deletes) through a simple modification of the underlying code of the capability, thus significantly altering the capability and its planned use.

Cyber Effects

It is not hyperbole to say the range of effects that can be created in cyberspace are limitless. Unlike a shotgun, which can have different effects based on its target but can only be used to cause damage, cyber capabilities, can be tailored to create minimum or maximum impact based on the capacities of targets and the desires of the capability’s developer. It is generally impossible to know the full scope of a cyber capability and the effects it may generate in isolation; it is not until that capability is paired with a target and an associated network that the capability’s potential effects are explorable.

While there is value in performing a legal review early in the process, the characteristics of cyberspace capabilities requires more in-depth knowledge than is usually available at that stage. The appropriate time to perform analysis of a capability is when sufficient facts are known so that the review is truly meaningful.

Furthermore, unlike the physical domain, cyberspace can change substantially in a short period of time. Consider how quickly one can set up a new network or connect additional devices to an existing network. A full review of operational and legal issues requires in-depth analysis of the capability, the target, and the surrounding environment proximate in time to the capability’s planned use. In other words, a faithful assessment requires exquisite and routinely updated intelligence.

Further highlighting the complication of applying Parks’s analysis to cyberspace capabilities, there is no internationally established definition of what constitutes a weapon or weapon system in the kinetic sphere. Transposing this framework on cyberspace capabilities further highlights the complexities of this domain.

Conclusion

In applying Parks’s framework to capabilities that barely existed when authored, it is clear that his methodology will be useful as technology advances and the range of potential effects dramatically increases in all phases of competition. In the case of cyber capabilities, the Parks framework revealed that international law is unlikely to be triggered at the time of a cyber capability’s procurement or development. Rather, the appropriate time to evaluate the legality of cyber capabilities is once they are paired with targets and networks during operational planning. A that time an operational legal review is required regardless of the capability involved. Hays Parks will be remembered as a colleague for decades, but we suspect he will be cited as a military legal authority for far longer.

***

LtCol Kurt Sanger, U.S. Marine Corps, is assigned to U.S. Cyber Command.

CAPT Peter Pascucci, U.S. Navy, is the Sensitive Programs Counsel in the Office of the Judge Advocate General of the Navy.