Centre for Internet & Society

In a guest post in relation to CIS’s recently held roundtable on India’s cyber defense strategy, Pukhraj Singh looks at the critical fissures – at the technical and policy levels – in global normative efforts to secure cyberspace. By charting out the key vectors and power asymmetries among key stakeholders – both leading state actors and private actors like Microsoft – Singh posits that there is much to be done before we circumscribe cyber operations within legal strictures.

 

By: Pukhraj Singh
Reviewed and Edited by: Elonnai Hickok, Arindrajit Basu, and Karan Saini

The ongoing decoupling of norms 

In September 2019, the French ministry of defense published a document stating its views on the applicability of international law to cyber operations. While it unequivocally espouses the rules-based order in cyberspace, some of the distinctions the paper makes within the ambit of international law could be of interest to technical experts.

The document makes two key contributions. First, it addresses two modes of power projection within cyberspace: cyber operations acting as a force multiplier in a hot war that is strictly delineated by kinetic and geographical redlines; and below-threshold, single-domain “dematerialized” operations leveraging cyber intrusions. Secondly, the document has made an attempt to gently decouple itself from the Tallinn Manual on some aspects.

In an unrelated development, Microsoft joined hands with a group of peers within the technology industry, civil society and government to set up the CyberPeace Institute – a private sector initiative to strengthen the rules-based order. 

It is an outcome of the sustained, unrelenting effort of Microsoft in thwarting what it believes to be the unchecked weaponization of cyberspace. Suffering a major reputational loss after the Snowden leaks, the company has gradually cultivated fiercely contrarian positions on issues like state-enabled surveillance. 

Microsoft’s daring contests and cases against the US government have been intimately recorded in the recently released book Tools and Weapons, authored by its chief legal officer Brad Smith.

Seen through the lens of the future, the aforementioned developments highlight the ongoing readjustment of the legal discourse on cyber operations to account for its incongruous technical dynamics. 

As the structures of cyber power are peeled layer-by-layer, the need to address this technical divergence in the overly legal interpretations of cyber norms would only increase.

Disanalogy & disintermediation

Take the case of two fundamental dimensions – disanalogy and disintermediation – which have the potential to alter our understanding of how power is wedded with cyberspace.

Disanalogy is a logical postulation that challenges the primacy of “reasoning by analogy” using which international law is mapped to cyber conflict. Disintermediation highlights how the power dynamics of cyberspace have disrupted statism. 

Understanding when and how the realization that international law is reasonably applicable to cyber operations dawned upon the international community leads one to an unending maze. It becomes a cyclical process where one set of initiatives only cross-reference the others, in a self-fulfilling sort of way. 

The notes of the 2013 session of the United Nations’ Governmental Group of Experts, affirming the sanctity of international law in cyberspace, look like an exercise in teleology. 

Not to be distracted by the deeply philosophical nature of war, Kubo Mačák of the University of Exeter did point out that “the unique teleological underpinning of the law of war” should be considered before it is exported to new normative frameworks.

The deductive process inspired by reasoning by analogy that lies at the heart of the cyber norms discourse has not undergone much scrutiny. 

In his 2013 talk at NATO’s CCDCOE, Selmer Bringsjord, cognitive sciences professor at the Rensselaer Polytechnic Institute, introduced the idea of disanalogy. Citing the general schema of an analogical argument, Bringsjord arrived at a disproof divorcing the source domain (the just war theory for conventional war) and target domain (just war theory for cyberwar). 

He mapped jus in bello in a conventional war across the dimensions of Control, Proportionality, Accessibility, and Discrimination. 

Bringsjord further added that these source attributes would not be evident in the target domain for two reasons: the inevitable digitization of every analog object and its interfaces; and the inherent propensity of artificial intelligence to wage attacks on its own.

In a supporting paper, he argues that while “Augustine and Aquinas (and their predecessors) had a stunningly long run…today’s world, based as it is on digital information and increasingly intelligent information-processing, points the way to a beast so big and so radically different, that the core of this duo’s insights needs to be radically extended.”

Celebrated malware reverse engineer Thomas Dullien, too, is of the opinion that machine learning and artificial intelligence are more suited for cyber offence as it has remained a “stable-in-time distribution.”

Brandon Valeriano of the Marine Corps University has drawn upon the case of incendiary balloons to question the overreliance on reasoning by analogy. Sadly, such viewpoints remain outliers.

Senior computer scientist David Aucsmith wrote in Bytes, Bombs and Spies that “one of the major challenges in cyberspace is the disintermediation of government.” He adds that while cyberspace has become the “global center of gravity for all aspects of national power,” it further removes the government from the “traditional functions of safety and security.”

The commercialized nature of the Internet is obvious to many. But steadily over the years, the private sector has also acquired vast swathes of cyber power in a manner that strangely mirrors the military concepts of counterintelligence, defense and deterrence. 

In Tools and Weapons, Brad Smith recalls a meeting of top technology executives at the White House. As the executives pushed for surveillance reform after the Snowden leaks, Obama defensively retorted that “the companies at the table collectively had far more data than the government.” The “signals intelligence” capabilities of Google and Microsoft rival that of a nation state. 

Former deputy director of the NSA Chris Inglis writes in Bytes, Bombs and Spies: 

In cyberspace, a small change in configuration of the target machine, system, or network can often negate the effectiveness of a cyber weapon against it. This is not true with weapons in other physical domains…The nature of target-weapon interaction with kinetic weapons can usually be estimated on the basis of physics experimentation and calculation. Not so with cyber weapons. For offensive cyber operations, this extreme “target dependence” means that intelligence information on target characteristics must be precise, high-volume, high-quality, current, and available at the time of the weapon’s use.

Inglis argues that fielding “ubiquitous, real-time and persistent” intelligence, surveillance and reconnaissance (ISR) frameworks is crucial for mustering the ability to produce cyber effects at a place and time of choosing. 

Daniel Moore of King’s College London broadly categorizes cyber operations into event-based and presence-based.

The ISR framework envisioned by Inglis pre-positions implants with presence-based operations to make sure that the adversarial infrastructure -- perpetually in a state of flux -- remains primed for event-based operations. Falling prey to an analogy, this is as challenging as a group of river-rafters trying to keep their raft still at one position in a raging torrent of water.

However, it is worth noting that a major component of such an ISR framework would manifest over privately-owned infrastructure.

It is exactly why the commercial threat intelligence industry led by the likes of FireEye, Kaspersky and CrowdStrike has flourished the way it has.

Joe Slowik, principal adversary hunter at Dragos, Inc., corroborates it: “An entire ecosystem of defense and security developed within the private space…essentially, private (defensive) ‘armies’ grew up and proliferated in the cyber security space over the course of many years.”

Jason Healey of Columbia’s School of International and Public Affairs has another way of looking at it: “In counterinsurgency, host nation must take lead & U.S. role is to provide aid & support. USG not seen as legitimate, may lack the local & cultural knowledge, & lack sufficient resources. In cyberspace, the private sector, esp tech & security companies, are the host nation (sic)”.

Initiatives like the CyberPeace Institute and Cybersecurity Tech Accord are to be seen as emerging geopolitical formations pivoted around the power vacuum created by growing disintermediation.

While Microsoft avows the applicability of international law, the decreasing technological dependence on it to enforce the rules-based order may herald data-driven normative frameworks solely originating from the private sector.

Take the specific case of fashionable “black-letter rules” – like barring cyber actors from hacking into an adversary’s election infrastructure – variedly promulgated by the Tallinn Manual, Microsoft and the Global Commission on the Stability of Cyberspace. They could very well act as impediments to the success of the norms process.

Cyber actors can be divided into various capability tiers: A, B, C or D Teams, etc. Such categorizations could be derived from multiple variables like operational structure, concept of operations, capabilities and toolchains, and operating budget.

In what may sound paradoxical, mindless enforcement of such rules creates an inherently inequitable environment where actors would be compelled to flout them. Targeting and target discrimination are possibly the most expensive components of the cyber offensive toolchain. As intelligence analyst Grugq said, “You need a lot of people to have a small numbers of hackers hacking.”

The ability to avoid a vulnerable target or an attack surface without sacrificing the initiative is a luxury that only an A-team could afford, further disincentivizing smaller players from participating in confidence-building measures.

In such cases, the private sector could lead the way in the neutral and transparent interpretation of the dynamics and thresholds of power projection in cyberspace. Companies, not countries, have the vantage point and commercial interest to create a level playing field. 

Taking the original case of France’s new dossier on cyber operations, its gradual rollback from the strictly black-and-white world of, say, the Tallinn Manual hints at a larger devolution of legally interpreted cyber operations, influenced by technical incongruities like disanalogy and disintermediation. 

While the said document answers many questions relating to the applicability of international law to cyber operations with uncanny confidence, the devil still lies in the details. 

For example, it talks about creating militaristic cyber effects by altering the confidentiality and availability of data on adversarial systems, but skirts around integrity – as if the three dimensions of data security are not symbiotic. Such picket-fencing may be trying to carefully avoid the legal ambiguity on information operations, post-ICJ US vs Nicaragua. 

Ask any cyber operator: can a cyber operation proceed without sabotaging the integrity of log artifacts or other such stealthy or deceptive maneuvering?

It also postulates the export of “non-international armed conflict” to the territory of consenting nation states, as if such factors are completely controllable. 

As discussed earlier, a majority of the cyber-ISR frameworks manifest over globally scattered private infrastructure. And almost every layer of the computing architecture is now network-enabled.

In cyberspace, the ‘territory’ of a nation state expands and contracts in real time. It may exist online as the sum of all the global information flows, across the many millions of interfaces, associated with it at any given moment. The sheer emergent complexity of this organism has baffled many.

The adversarial environment fluxes at such a rapid pace that taking “territorial” sanctity into account during an ongoing operation is nigh impossible. This, in fact, is the very premise of Defend Forward.

The French document is a good attempt at decoupling cyber operations from legal strictures, but it should be seen as the mere beginning of that process.

Cognitive cyber offence

Lastly, the complete absence of the cognitive dimension in the norms process is something that should be addressed outright.

Keith Dear, a research fellow at Oxford’s Changing Character of War Program, feels that war – as “a continuation of politics by other means” – is essentially persuasive and has predominantly psychological effects. These effects are aggravated further by the scale and speed of cyber-enabled behavioral modelling.

The threat landscape is at a stage where we are going to see the increasing exploitation of cyber-cognitive attack surfaces – the cost-benefits are now heavily tilted towards their side. It is like what conventional cyber operations used to be 20 years ago: cheap and easy over scale and speed.

The cyber norms community only considers the first or second order effects of cyberattacks. The reality is that causation could be separated by many, many degrees – also missing out on the fact that a cyberattack is generally an indiscernible mixture of not just effects, but also perceptions. Every cyber operation could be deemed as an information operation even after full denouement. 

We have only begun to understand the significance of the cognitive dimension. Leading thinkers like former Secretary of the Navy Richard Danzig have long proposed perceptive instead of spatial redlines for cyber conflict, aptly capturing its emergent properties.

His suggested baseline was: “The United States cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security.”

Danzig’s paradigm neatly fits into the Defend Forward philosophy of the US Cyber Command. Former director of the NSA Michael Hayden once said that Stuxnet had the “whiff of August 1945,” while former NSA exploitation engineer Dave Aitel labelled it as the “announcement of a team.” The theatres of war, frameworks for deterrence and parameters for proportional response may turn out to be purely perceptive in nature.

As the cyber option gets increasingly expended by militaries, we have come to understand that the esoteric cognitive parameters of digital conflict could be crucial enough to decide victory or defeat.

Conclusion

As the United Nations’ Governmental Group of Experts’ dialogue came to a grinding halt in 2016, Michelle Markoff, former deputy coordinator for Cyber Issues in the US State Department, gave a candid account of what went wrong. 

She also went on to recommend “interleaving strategies” like defence, declaratory policies, alliance activities, and norms of behaviour. It is interesting to note that all four dimensions she proffered fit neatly into the remit of the private sector when it comes to fostering cyber stability.

The threat intelligence industry, by its indirect participation in the great power play, is already carving a rudimentary framework for declaratory signaling. Private sector alliances – by being more open and neutral about attack attribution, adversarial intent and capabilities, and targeting criteria – may lower the incentives while increasing the costs of cyber actions. That may force various actors to the negotiating table.

The emergence of customary international law in cyberspace, as a precursor to effective normative frameworks, is a necessity that may squarely fall on the shoulders of corporations. In that sense, diplomatic initiatives and alliance activities by Microsoft and others must be keenly observed.

 


 

Pukhraj Singh is a cyber threat intelligence analyst who has worked with the Indian government and security response teams of global companies. He blogs at www.pukhraj.me. Views posited are the author’s alone.

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.