Armed Conflict Cybersecurity & Tech

Lawfare Daily: CYBERCOM Legal Conference: The Role of the Private Sector in Conflict

Natalie K. Orpett, Jonathan Horowitz, Laurie Blank, Adam Hickey
Wednesday, April 24, 2024, 9:00 AM
A panel discussion from the annual U.S. Cyber Command Legal Conference

Published by The Lawfare Institute
in Cooperation With
Brookings

The annual U.S. Cyber Command (USCYBERCOM) Legal Conference convenes lawyers across government and the private sector working on cyber issues. This year’s conference focused on the power of partnerships. Executive Editor Natalie Orpett moderated a panel, titled “The Business of Battle: Navigating the Role of the Private Sector in Conflict,” featuring Jonathan Horowitz of the International Committee for the Red Cross, Laurie Blank of the Defense Department’s Office of the General Counsel, and Adam Hickey of the law firm Mayer Brown. They talked about how government and private sector actors bring different frames of reference and different equities when faced with a conflict, and how they can work together to address it.

To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials.

Click the button below to view a transcript of this podcast. Please note that the transcript was auto-generated and may contain errors.

 

Transcript

[Audio Excerpt]

Adam Hickey

Is there a good guy and a bad guy or is this an incredibly complicated situation where whichever move we make is going to tee off a significant chunk of our constituency? That will matter to reputational risk.

Natalie Orpett

It's the Lawfare Podcast. I'm Natalie Orpett, Executive Editor of Lawfare with Jonathan Horowitz, Laurie Blank, and Adam Hickey.

Jonathan Horowitz

Private technology company provides goods or services to a belligerent in a party-torn armed conflict, such that their infrastructure might qualify as a military objective. And do company executives know that? And do their lawyers know that?

[Main Podcast]

Natalie Orpett

Today we're bringing you a panel discussion I moderated at the U.S. CYBERCOM’s Legal Conference on April 9th. The title of the panel was “The Business of Battle: Navigating The Role of The Private Sector in Conflict.”

So the premise that we have here for this panel is that there will need to be rapid fire communication and partnership between the private sector and government in times of conflict. But before we even get there, I think it's clear to most of us that private sector and government actors sometimes speak quite different languages. And so, it's useful to understand each other's vocabulary, understand each other's frame of reference. So I want to get started there. Let me first introduce this illustrious panel before me. So we have Jonathan Horowitz, who is a Legal Advisor for the International Committee for the Red Cross. He focuses on new and emerging technologies in armed conflict, urban warfare, and partnered operations. Then we have Laurie Blank, who is currently serving as Special Counsel to OGC at DOD. See, I'm using acronyms too, even though I'm a civilian. She's on leave from her job as professor at Emory Law School, where she directs the Center for International and Comparative Law and is the Director of the International Humanitarian Law Clinic. And then we have Adam Hickey who is a partner at the law firm Mayer Brown in the Cybersecurity, National Security, and Government Investigations Practice Groups. He was previously Deputy Assistant Attorney General at the National Security Division of DOJ and before that an AUSA in the Southern District of New York.

So, to get us started, I think we should start with the private sector given our audience here. And I want to just talk about, as I said, the baseline. We're in a pre-conflict, pre-crisis moment. I want to talk about what private sector actors, who may become very important for the purpose of partnerships in a time of conflict, what are they dealing with? What is their frame of reference? And what are the key pieces of vocabulary that they're using? Because it's not necessarily going to be obvious that the people later gathered around a boardroom table, thinking about how to deal with a request that just came in from CYBERCOM are going to have just finished a conversation about an 8k or the GDPR.

Adam Hickey

So thanks Natalie, and thanks to Cyber Command for having us here today. And I like the way you're introducing this, as let's think about what normal looks like. What normal looks like I think for most companies, there are probably established information sharing relationships that may be with law enforcement that may be with the intel community. There may be highlighting of threats that are seen through telemetry. There may be sharing with the public. This is a very small piece, I think, of what most companies are thinking about day to day. There are some technical legal restrictions on how you share information with the government, the Store Communications Act, and the like. But there are usually ways to work through them, and companies find a way to share information when they need to, and requests that come in from the government can be handled in the ordinary course.

That's just a small piece of what you're thinking about if you're in-house legal. What you're really thinking about most of the time is an incredible intersecting patchwork of requirements, depending on how you're regulated. The largest chunk of them have to do with incident reporting and thinking through when you have an obligation to tell some regulator or some state about a data breach or some foreign data protection authority. You're thinking about enforcement actions that target individuals like CISOs. And so now the environment of monitoring for a data breach and thinking about your response, now there's a sort of personal liability sometime at stake or viewed that way. And you're thinking about bad publicity, class action lawsuits, shareholder derivative suits, and that's just the legal part.

You're also thinking about reputational concerns. You're thinking about how the products you sell or what you're doing relate to cooperation with the government and whether cooperation with the government could theoretically make it harder to sell those products or services, say in Europe. You're thinking about skepticism in Europe and other parts of the world about the data you hold and where you get it and how you share it with the U.S. government or other governments.

And so, during the steady state period, I would say there are companies, maybe I'd bucket into two camps. There are those that have established normal steady state information sharing relationships, and that can be pursuant to legal process or something else. And then the rest of the companies that don't ordinarily think about this problem. And so, as we talk about the shifting in perspectives, I'll be interested in whether we're thinking about the companies like the large tech companies that already have those relationships or are we thinking about someone who's getting a request completely out of the blue because of where they happen to be located geographically or the product they happen to make.

Another consideration, reputational results of the attitudes of the workforce. Periodically you will see innovative companies with workforces concerned about just how is our product going to be used and how does that company navigate wanting to participate at the cutting edge of technological development and be part of the procurement chain, while at the same time having to deal with workforce concerns where people don't necessarily feel comfortable making weapons because they don't think that's what their job is.

And so I'll just, I'll give you an example of what happened during steady state that I think is not the way to solicit cooperation. So imagine a circumstance where a three-letter agency is interested in records a company holds related to proliferation, the shipping of some sensitive equipment somewhere else in the world. And approaches a business leader in a company and asks to have a confidential, even classified, relationship so that person can share information with a three-letter agency. And the business executive signs an NDA, feels very cool, shares the records, and months pass. And then later the company gets a subpoena, apparently related to a counterproliferation investigation from DOJ. The GC has no idea about this confidential relationship. It has to pull teeth to figure out who is sending what to where in the government. The government, because this is a sensitive relationship, doesn't want to own up to what they were asking for or why they were asking for it.

And there's the, at least the optic, two things are of concern. One, did this subpoena have something to do with the information we shared? And are we worse off because of our cooperation? And two, if word got out that we are secretly sharing information of this kind with the government, what would our corporate affiliates think around the world? What would our customers think? What would other governments think? Yes, we only shared certain information, but what if people thought that our relationship was cozier and that we were somehow providing access that allowed for surveillance or the like, even though there's nothing in the record to suggest that. So, cutting out legal, for example, would be my number one advice for what not to do if you're looking for cooperation.

Natalie Orpett

Okay. Thank you. Laurie, I want to come to you with the sort of broad question from the frame of reference that you bring, both in your capacity as a scholar and now at DoD, in the pre-conflict, pre even crisis point moment, what are the key sectors in the private sector and the key issues of concern to you?

Laurie Blank

So first, thanks very much for having me. And I do need to start by saying that I'm speaking in my personal capacity and not on behalf of DoD or anybody else. So I think, when we think about the—and I'm chuckling when you said pre-crisis, because I'm trying to imagine what, something that's not crisis.

Natalie Orpett

Imagine a land.

Laurie Blank

Imagine a land far away where fairies flit about. But just thinking about it in the international law space, a lot of the—and we're going to end up talking about thresholds and definitions and et cetera—but those frameworks in international law are essentially there to provide stability, predictability, clarity maybe, not usually, but possibly. And ultimately, laws I like to think about it as about expectation. So if this happens, then this is the parameter of responses that I, state or other actor, have in my quiver of arrows in my toolbox. And that's the sort of parameter of options that I would expect a, I'm not going to say an adversary, but another actor in this magical pre-crisis land that we live in might have. And those are generally designed, predominantly, to keep us in that pre-crisis space.

So we have, if another state engages in an unfriendly act, okay, you can do a retortion, etc. If you think you've been the victim of an internationally wrongful act, but it's not at a level of a use of force, you might be able to take countermeasures. If there's a use of force, if you're the victim of an armed attack, we have all of these thresholds, and ultimately those are about keeping us in an environment in which we have some sense of what the rules or the reactions might be. And what that does is create that world of expectation, that world of predictability, even if we don't know what the result's going to be. The predictability is in the sense of, this is the world in which it could happen. This is the general framing.

And I think that's a really, for me, important sort of story about the international law piece. I think that's obviously relevant, I'll defer to Adam on the domestic side, but also for companies in thinking about what—it's like a chess game. If I make this move, these are the things that could happen or might happen or would, should not happen. And that's how we try to avoid moving up that scale that you're going to take us up through. And then things happen that bust us through those barriers.

But I think that framing and so part of, I think one thing that's useful in thinking about this public-private sector partnership et cetera is whether it's education, whether it's communication, whether it's partnership, awareness, whatever the right word is, is that there is a common language for that, or at least a common awareness, so that you're not operating in silos where one entity, those in the public sphere, the states, et cetera, have a certain set of expectations, but their potential or erstwhile partner is not living in that world and so doesn't see those same sets of thresholds, expectations, potential reactions.

Natalie Orpett

Great. Thank you. Jonathan, I guess same question to you. And also, I think just as a starting point, I think most people when they think of the ICRC are not necessarily thinking of engagement with the private sector in a pre-crisis. We're not talking about jus in bello, for sure, at least not yet in our conversation. So tell us about what your concerns are in this period and especially, I think, the paper that you wrote recently about educating private sector actors about international law I think speaks very much to what Laurie was just saying.

Jonathan Horowitz

Thank you for the question. Thank you to U.S. Cyber Command for the invitation. It's great to be on a panel with everyone. So let me, if I can, for all of you, just give a little bit of perspective of where the ICRC approaches this issue, whether it's in situations of armed conflict or more to your questions, outside of situations of armed conflict. And it's not going to be anything particularly surprising. But ultimately, it's an environment where civilians, governments, governance, municipal institutions are just highly connected to the digital environment for everything. For essential services, for transport, for agriculture, for distribution of food, for voting, whatever it may be.

And what we're also seeing is as that is moving forward, we also realize there's considerable reliance on all those access points with the private sector in terms of digital infrastructure governance, essential services. And we also see that that relationship and that partnership is building and building and building, and there's nothing wrong with that. In fact, it seems like it's a logical trajectory of how the technology is working, how society is working, how governments are working and the types of relationships that they are building with the digital tech sector, with the private sector writ large.

At the same time though, we're realizing that that also increases, the vulnerability of all of us to different types of cyber intrusion, cyber disruptions, and things like that. So things are becoming very connected across both, in peacetime we would say people and governance, but of course if we talk about moving into situations of armed conflict, we're talking about a lot of interconnectivity between now we're moving over to civilian stuff and military stuff.

And so what the ICRC is seeing is that we're seeing an environment where things are getting increasingly tangled up with one another for purposes of cost effectiveness, resilience, things like that in peacetime. And then we're starting to not only imagine, but actually see what happens when that runs into a situation of armed conflict where you have different norms, different standards, but different legal obligations in different legal frameworks. And so that's one of the reasons why either as a somewhat preventative measure or as a reactive measure, the ICRC is taking increased interest in speaking to the private sector about these issues.

So the ICRC has been around for 161 years now. We've become pretty comfortable talking to folks who are here sitting with us in military uniform to professional military institutions. Very normal. We've seen a proliferation of non-state armed groups over the years. I think we're at a count of 2021 of about 600-plus. We've engaged with around 400-plus of those non-state armed groups. The private sector is still a part of the battlefield landscape, is still an actor that's increasingly in that landscape that the ICRC is trying to, to Laurie’s point, learn how to communicate their interests with our concerns, our concerns with their interests. And that's something that is a project that's ongoing, but we see it as one that will continue to be relevant over time, not one that is a blip in history that will go away at any particular moment in the near future.

Natalie Orpett

Okay, so let's move into our crisis phase. And I think we can hear, think about, as a preliminary matter, in a world of cyber activity, policing the line between armed conflict and not armed conflict seems particularly complicated. And not only complicated, but perhaps not a matter of consensus among different decision makers. So let's talk about the phase at which it's very clear that tensions are reaching a boiling point.

Just to throw out a couple of examples, say that a social media platform is being used to coordinate an armed attack, what seems like it will become an armed attack and then we see actual activity on the ground. Imagine that a data broker is unwittingly selling data to an adversary or someone who will soon become an adversary. What are the things that you are thinking about and that need to be coordinated between the private sector and government actors at this phase? Laurie, you want to start?

Laurie Blank

One thing we haven't raised yet, but I think is the, it's not really the elephant in the room, but it's certainly a significant issue, is state responsibility. And so, anytime we're talking about this phase of tensions increasing, as you're giving examples, I'm thinking to myself, the immediate question has to be, did some threshold get crossed? What is the range of options? If you're thinking as a legal advisor, this is your left and right limits, then the policymaker has to decide just because I can do something doesn't mean I should do something. Hopefully it doesn't go the other way.

But, so one piece of this is trying to assess what action that I'm either absorbing, that I'm watching develop, that I am concerned about developing, et cetera, do any of these trigger certain reactions that I might be able to take, again, as a state. And that's assuming that you're on the receiving end of such activity. And so then we're thinking about things like prohibited intervention. We're thinking about whether or not some act that might trigger the authority to use countermeasures has taken place. We might be thinking about whether a use of force has happened, or you mentioned possibly an armed attack.

The essential piece of that then is, of course, who is responsible for this conduct?  And trying to then assess, okay, is it a state actor? Is it a, we've been talking about, quote, “our sides,” commercial, private sector. But we have to remember there's a commercial and private sector and there are private actors that are “that side,” again, if we're now in a crisis phase, we start to have sides. So who is responsible within the international law construct for that? And is there a state that bears responsibility? In which case, as a state, I might have certain available avenues of action. Or is it a non-state entity, and I cannot make the attribution connection, but then I would have other avenues. Maybe there are sanctions, maybe there's criminal law avenues, maybe there's any number of possibilities there. And so that's one piece of it, is understanding the attribution piece.

The flip side of that attribution question is when are the actions or activities of the folks we've been talking about engaging with now, somehow be attributable to the state on our side. And that's an equally important piece, and that I think gets very much into some of the discussion that we've been having about understanding the relationship, about building awareness, education, training, and that goes both ways, right? It's not just the, hey, commercial entity. Let me share with you how international law works, or how we view this question, or this is what happens. But it's also understanding, what is the nature of this commercial entity's activities, and deepening our understanding of the connection between those activities and the government and the state or perhaps linkages with partners and allies. And so trying to understand that and knowing when, okay, I've been busy thinking about my own activities, but I have to be aware of what commercial actor is doing.

Let's take an example that is the more extreme example here, which is space. We've been thinking about cyber, but they're integrally linked. And in space, we have an entirely different regime of state responsibility. We're not just talking about the idea of acting under the direction and control of, which we might, the kind of general rules and attribution we see in the draft articles. But in space, we have a regime from the Outer Space Treaty, which says that states bear international responsibility for national activities in space. And all of a sudden, most things that happen either on your territory or by actors in your territory become either definitely the responsibility of the state or potentially the responsibility of the state, depending again on how you understand what national activities is and all these other questions.

To the extent that cyber and space have a very symbiotic relationship, which in many ways they do, it's important to understand all of those pieces and to know what those different, domestic commercial actors are doing, so you know how to plan and how to foresee what's coming.

Natalie Orpett

Yeah. And which state is responsible for a multinational corporation that is in space. Adam, I'd like to pick up with you because Laurie spoke about acting as an attorney in the government and coming up with the left and right parameters, what's doable, and then needing to turn to the policymaker to make the decisions. And really, in the private sector, at least when you're talking about corporations, the person that they, that the lawyer, is consulting with is not a policymaker or isn't, I suppose in some sense, but is really someone who's charged with being concerned with business risk and with some of the other considerations that you mentioned earlier. So can you talk about how that differs?

Adam Hickey

Yeah, I guess I would say the mission is a little simpler, maybe, in the private sector because if you have shareholders, your prime directive is to maximize value to them. And then as we enter crisis, what that means, I think, becomes more complicated. So I think, since at least, the DDoS attacks on the banks in 2012 and 2013 and probably well before that, companies came to understand that cyberspace was going to be an area where they might face the brunt of retaliation for frustration with U.S. government policy. So I think there is very much a sense that even if they do nothing at all or have nothing to do with the crisis as it develops, they might end up feeling the consequences of it.

So internally, if you see storm clouds blew brewing, one, it's going to matter whether is the U.S. a part of this or not? Are we over here and picking a side to help or not help or just stay out of the way? Or is this actually implicating the homeland in the U.S. government? Because I do think that will make a difference. Second, is there a good guy and a bad guy, or is this an incredibly complicated situation where whichever move we make is going to tee off a significant chunk of our constituency? That will matter to reputational risk. Third, how are we as a company exposed? Where are our personnel? What are our supply chains? What is our network exposure? And do we need to reposition or rethink what we're doing or how we're doing it just to stay out of the way, so that we aren't—this isn't primarily our problem. So how do we just keep maximizing value without being caught in the middle of this? Is there a risk of retaliation to our employees at some point because of where they're physically located? What is the U.S. government going to use sanctions authority for and do we need to be ready to divest or get out of the way quickly because something may be illegal for us to continue to do business in the way we're doing business? That, I think, is the short list of things that would occur to me on day one of crisis, depending on where the company's doing business.

Natalie Orpett

And Jonathan, I think this is really the moment at which I suspect with, at least with smaller or less sophisticated private sector actors, they may all of a sudden realize they really need Jonathan Horowitz to come and talk to them and explain. What is on your mind at this moment and what are you going to be advising them?

Jonathan Horowitz

I feel like I should be wearing a mask and a cape or something with that description. Thank you. No, I think what the ICRC is finding, and it really blends nicely what was just mentioned, is that while there's a natural understanding of some of the security risks involved in situations of armed conflict, naturally, that there's not always a full understanding of what the legal frameworks are that apply, right?

And so a lot of companies, and I would say it's not even only in relation to small or medium, but I think it really depends on the personalities involved and lawyers that are in the companies trying to be aware and understand that there is a legal framework that is in many ways so abnormal to what it is that they think about on a day-to-day and trying to comprehend what to do about that, either from a risk management or from how to engage in contracts with partners is really something that the ICRC is trying to drive at.

So what's the types of examples that I'm talking about? The types of examples that I'm talking about are things like where a private technology company provides goods or services to a belligerent in a party to an armed conflict, such that their infrastructure might qualify as a military objective. And do company executives know that? And do their lawyers know that? That is the issue that I think is very much on our minds. It's been in the public. These are not abstract theoretical discussions. Yes, I wrote a law journal article on it. It was based on things that the ICRC was operationally seeing in the environments that we're working on.

At the extreme end of this set of examples has to do with employees. Are employees of technology companies engaging in activities that would, in some way, shape, or form, constitute direct participation in hostilities? Now the ICRC has its views on how to interpret the definition of direct participation of hostilities. States disagree with each other on what constitutes direct participation in hostilities. But the concept everyone agrees exists. And there's a large agreement on the criteria for direct participation in hostilities for civilians, at which point, of course, we all know it means they lose protection for such time as they do that from even a kinetic attack. So it could be a life-or-death conversation or consideration. That is also something that the ICRC thinks should at least be part of the risk management, risk assessment, risk evaluation.

Now that does not mean that we think that all other risk management and assessment models should be tossed out the window because IHL is a prevailing legal framework that all companies must automatically drop everything and pay attention to. But it's a blind spot if company lawyers and leadership are unaware of that dynamic, if they're unaware that the international humanitarian law rules and principles allow for that possibility of company property qualifying as a military objective, and therefore losing what the ICRC regards as otherwise its default status as a civilian object. And from civilian employees, which is how the ICRC regards technology company employees, lose under these exceptional circumstances, their protection because they are directly participating in the hostilities for such time as they do so. That's the space that we're entering into.

It is going to be more relevant for some companies than others. It is going to be an immediate point of relevance for some companies, and it may be one that is a future relevance for other companies depending on where they're physically located, where they want to be physically located. So there's a lot to do here, but we're trying to put a flag in the sand to register some concerns that are based on real life operational circumstances that we're seeing across, and it's not just one or two armed conflicts but across several.

Natalie Orpett

It does seem to me that if you are talking to a private sector actor for whom you can say, actually, this law is really important to you because you may be converted to a military actor and therefore become legally targetable, it's more likely to get someone's attention.

So let's switch into our armed conflict. Our IHL hat is on. We are in our full-fledged armed conflict. So let's talk about Adam, to start with you, what kinds of questions your clients will be asking you, and I think just as salient, what questions you expect that they may not even think to ask along the lines of what Jonathan was describing.

Adam Hickey

So I struggled a bit in preparing for this because I don't know what the ask is from the U.S. government in this hypothetical. Here are three basic categories of asks, right? Are you buying a product from me? Is it the standard procurement federal services, you want a service that the military or the government will rely on that's analogous to what I provide off the shelf or is for military anyways. I feel like that's an easier bucket because the companies that sell that are used to thinking about their role in conflict to begin with. Are you asking for tips or leads or information sharing outside the context of process, like a more sort of soft cooperation? And there I think you start thinking about things like—and here, maybe it's not the U.S. government asking, maybe it's a sympathetic country. But you're thinking about how will the information I provide be used? Will it be used to commit a violation of IHL? Which is something you have to think about a little bit. You do think about whether you're getting drawn into a conflict with that. You also think about the laws that govern sharing with the U.S. government and the like. And so that's one second type of ask.

And the third type of ask, which is, I'll just call it the weird ask. So it's the surreptitious access to the company's network or products or something that's secret, not paid for, not procured. And it's an under-the-table cooperation, which I can't even really imagine the full range of things, but I can imagine happening in conflict. And there, I think, is the highest level of risk for the company because there's what you're doing and then there's what could maybe become public at one point. What the claim is for retaliation that's justified. What other customers are, I mentioned the Europeans and so forth, what they're going to think about this.

So I guess to answer your question, I need to know what the ask is, and it gets progressively harder the more we walk down that road. But the basic categories of legal questions would be, is it prohibited? Are we asked for something that somehow a violation of either this law or another domestic law? Then you think about the bucket of retaliatory or reputational risks. And I would fold IHL a little bit into that, although I'll be candid that I don't feel like some of our adversaries are really consulting with Jonathan on when the targets are legitimate or not. So I would be inclined to approach this a little more guerrilla-like. I think the clients would think less about whether they've crossed the line in some legal sense to warrant retaliation as a more basic, am I going to get tagged with this and is it going to come back to bite me? Whether the law says it can or not, if that makes sense.

Natalie Orpett

Laurie, you've been eager to get to our conflict moment. But let me ask you, also, under international law, the role of the private sector and the way in which cooperation happens has very different implications both for the risk exposure of the private actor as well as the potential liability, legal or otherwise, of the U.S. government. So can you talk a little bit about that?

Laurie Blank

I actually wanted to add a couple of buckets to your buckets.

Adam Hickey

Please do. I forgot to mention insurance, but we can come back to that.

Laurie Blank

I definitely was not going to mention insurance. Try never to mention insurance. I would add in too that things that are not as obviously driven by a relationship between the company and the government or potential relationship between them. And so activities that are part of the company's business, say the provision of satellite services or the provision of any number of services, to perhaps other private actors, to any number of other groups, we see that it is not a new story that states are not the monopolistic actor during armed conflict anymore. So that would be one, one piece. You develop an app that you intend it to be used for X, and during conflict, enterprising, innovative, creative people figure out they can use it for Y. And all of a sudden, what does that mean both for your company? What does it mean for the way the government is going to think about your company? And we have lots of examples from Ukraine about both the actual deliberate development of apps for the purpose of providing information and so on, but also just the use of other things of crowdsourcing information about violations. And so, if you're a company that somehow that's sort of part of the services that you provide in the pre-conflict stage and now it gets used, what does that mean?

And the other one I think is driven by the everyday, unremarkable, ordinary level of integration and redundancy between civilian and military networks, right? I think there's some, I don't remember, a statistic I saw that was cited several years ago was something like 98 percent overlap between military and civilian networks. I have no idea what the actual number is. I just was like, in doing some reading, for this, I saw that. I thought that's a pretty high number. So what does that mean in terms of if the company uses those same pathways of communication? Maybe even an easier example is a satellite bus with multiple payloads on it. One of those payloads is military. One of those is your company's to do whatever—maybe you provide weather forecasting, any number of things. Just understanding the exposure that your company's assets, that your company's services, that your company's people have by dint of being essentially cheek-by-jowl with military capabilities and military assets and military objects. That's also critically important.

You may have nothing to do with the conflict. You may be trying to stay far away from it, but just the nature of our current system of communication and cyber space and everything is that you can't escape it, right? You're trying to get away and you're intimately tangled together.

Adam Hickey

Companies, I think, have an easier time dealing with misdirection or misuse of their products, right? Let's imagine the conflict is over there and my app is being misused in that way. I can take that on board and I can use the same framework I use to think about sanctions, export controls, or any number of content on the platform, what do I do about that? Terrorist use of the internet, so forth and so on. There's a framework of okay, I don't want my thing to be used that way anymore, and you can deal with that. I think the harder piece is the last bucket you mentioned, where I don't fully appreciate who I'm riding along with, and I may be not be fully prepared for the disruption of—I may not even be a target—but I'm not prepared for the operational disruption that comes with being in cyberspace or physically located in a particular zone.

Nor do I think companies are used to—we haven't dealt with a situation where the U.S. is in conflict and making extraordinary ask for the private sector. And I can't really predict how that will go. And I think that is the elephant in the room is like, what if the conflict involves us and another power that we are exposed to as a company in their market? That is going to be much more complicated and how to work through that. Because some of your questions, Natalie, in advance were related to legal authorities and I was in a lot of meetings in government where people were throwing around statutes written many years ago. But I think don't quite let you do that. And the DOJ guy, me, would be like, shut up.

But I just think we're not used to thinking through because we don't have a command economy. It's going to be very interesting how we get to the right place. It's not going to be, I think, by hard law. It's going to be through clear communication by the government to the companies of what the ask is and them thinking through our what are our risks and how we're going to approach that ask.

And then there's insurance by the way. So to what extent when you say yes are you implicating not only the risk of retaliation but also are tripping up something that would otherwise pay you back, help reimburse you for cost because you've suddenly made yourself a combatant in a way that voids your policy.

Laurie Blank

And just to jump in really quick on the insurance piece, and I don't have the statutes and things at my fingertips, but understanding what it means when a statute says, “at war,” when it has these war-related phrases in it that all of a sudden trip up what your expectations are of your insurance coverage, I think is also important.

Jonathan Horowitz

One thing that I would reflect on is that the issue of bridges, airports, roadways, hills being used by civilians and being used by militaries have long plagued legal advisors providing advice to whoever they need to provide advice to on how the rules of international humanitarian law apply. It might be slightly on steroids a little bit with regard to the digital ecosystem where that's happening, but these are not unique issues to the battle space or to international humanitarian law. I think they are unique issues to the private sector that hasn't operated in a conflict environment where they raise tricky questions. And in so much as there are hot debates around what constitutes an attack under international humanitarian law and what protections international humanitarian law afford civilian data, and whether it's the same protections that's afforded to civilian objects are live issues. The ICRC has positions on them. Some states have positions on them. Some states differ on their positions. Some states have decided not to take a position on them.

So I don't want to say that everything's easy and it's just a matter of transferring what we know from the more conventional kinetic world of international humanitarian law into the cyber context. But it means that those struggles have been there for a long time. And the reason why I say this is because I think some people who their contact point with international humanitarian law for the first time is a very complicated issue, will immediately go to their comfort zone of other legal frameworks. And I guess what we're trying to say is there are already legal frameworks in place. They do provide operational legal challenges. That is true for cyberspace, but that is not new to cyberspace. And we were talking about a tagline, and I think “that is true to cyberspace, but that is not new to cyberspace” is maybe one that I'll go with.

But that's a big reflection point for the ICRC, right? Our point is you don't need to go reinventing the wheel. Don't go making new international humanitarian law unless you're certain there's a gap there. IHL does a lot of work with regard to military cyber operations, but it does require socializing, disseminating, explaining, and working through difficult questions that have existed long before the difficult questions that we’re discussing on this panel.

Laurie Blank

Jonathan, what you're talking about raises, brings us all the way back to the initial conversation about the importance of communication and awareness and so on. Because when you're talking about, we've been thinking about these questions about when a hill or a bridge, et cetera. The difference, of course, is that. You can see the bridge, you can see the hill, you can see military activity potentially happening there, et cetera. You can't see when there's overlap in the cyber world. Now obviously there will be both government and commercial actors who have significant visibility into the space where they're operating and who else is operating there. But you still don't have, particularly if we step back from those big actors into other private actors, as an individual user, you probably have absolutely no idea what the level of overlap or integration might be between the network on which I send my emails, or just to be oversimplified, and a network on which the military might be sending comms during a conflict. And now I think my email is going to get to mom, but it has actually, that data is, if it can be considered data, all those arguments, right? It's now incidentally harmed in some way. I've taken liberties with the law there, but you understand the point.

And so, I think that's one piece that kind of emphasizes the need for whatever conversations are helpful to increase this level of awareness is because you can't see literally, visually those overlaps, those things. And as you were saying, you might not even be thinking about that because you're busy thinking about your own lane and it's not in your face that, whoa, there's military activity happening right there. Whereas if you were a factory and you saw troops exercising before deployment on the next field over, again, to be super simplified, you might say, huh, we're really close to those people. Maybe that doesn't seem like the safest thing, right? That would be a very obvious visual manifestation of it, but we don't have that. And I think that actually is somewhat consequential.

Natalie Orpett

Thanks. I want to take some questions and, in the meantime, I will invite the three of you to think about coming out of this discussion if the goal here is to build durable partnerships to have clear and successful means of coordinating between private and government, what would be the sort of top one or two things that you would advise that are really necessary for getting those into place? Now I will open it up for questions.

Question

So it sounds like we've all agreed that some sort of pre-crisis land of milk and honey education is required, with all interested parties. I guess the question then, if that is the case, for a better understanding across the board pre-crisis, is the current allocation of responsibility between public and private sector adequate? Is it correct? Does it put the responsibility on the right party to begin the conversation, to continue the conversation, and who should bear that burden?

Adam Hickey

I'll come back. I don't know. I don't still know what the ask is. I'll tell you, so take procurement out, right? So if the government wants something and it can buy it, there's a way of handling that. There's a policy process in a company. So take procurement out. Okay. So then what's left is something that's hard to predict, but some kind of cooperation between the government or warning. I would just say the best examples I can point to are ones where, and this has often been in the law enforcement context where I've seen it, law enforcement goes to a company, proposes, say, a disruption operation or a takedown or a cyber operation, use whatever term you want. And it's pretty transparent about what it wants to do and how it wants to do it. Sometimes gets a court order, so there's a transparency, and it eventually becomes public. It's easier for a company to think through that and make an informed decision.

What I would suggest to you is not what we cannot do now, because no one here is saying what company will be asked to do what outside of procurement is plan in advance for that moment. So I don't know how you have the shifting of the burden from the public to the private sector or the like until there's a very clear understanding of, okay, what are you exactly asking me to be ready for? And I've been in many conversations where the government's ask is not, because of the sensitivity of it, not made clearly. And so the recipient doesn't really understand what the government's trying to do or why they're trying to do it. And I would just say, if you're planning for the future, plan to communicate transparently in the crisis or in conflict. It's going to have to look a lot different from the fairly vague, I can only tell you so much, that comes over in steady state periods sometimes, outside of procurement.

Jonathan Horowitz

Can I just add to that? The other thing that we've been observing, which should be obvious but isn't always, is that different companies provide different goods and services, which means the legal ramifications are completely different, right? So social media platforms compared to cloud computing services compared to different types of information technology providers are going to engage with risks around situations of armed conflict and they're going to engage with the rules of international humanitarian law very, very differently. And so I think this goes to the point that there also needs to be, and I don't mean transparent in the sense of publicly available, but transparent in the sense of what is the government specifically asking the private sector to do? And then at least with my international humanitarian law-ICRC hat on, what are the legal implications that can pose particular risks, whether from a targeting perspective, or confiscation of property perspective, or worker safety perspective, we're talking about direct participation of hostilities, that those questions and that conversation needs to be a transparent one between the service provider and in this case we're talking about a belligerent, a party to an armed conflict. So that's a government private sector dialogue that has to happen.

I think generally there's a broader dissemination conversation. That's what this is. That's why I'm so pleased that this panel was part of U.S. Cyber Command's annual legal conference. I think that is part of the road to success on trying to explore these issues that are not, in my estimation, at least, going away any time soon.

And then I think it is going to be incumbent, perhaps, even before some of those conversations with governments for technology companies to look inwards. They're probably not going to, again, want to do it publicly, to do their own self-evaluation, self-assessment. What is our infrastructure? What are our goods and services being used for? They've covered a lot of risks. The insurers forced them to, regulators forced them to think about these things. But that's largely absent from these issues that we've been talking about today in terms of targetability, whether it has to do with property or personnel.

So I think there are a number of different entry points to have a conversation, and I think they can go in a lot of different directions depending on what the issue is that you're trying to resolve and what question you're being asked.

Natalie Orpett

Okay, another question? Please.

Question

Mr. Horowitz, among the core principles of the ICRC are impartiality and neutrality. Given the evolving nature of the battlefield, cyber activities and such, and technology, have there been, or do you foresee instances in which the ICRC would withhold or limit that assistance to victims on a battlefield?

Jonathan Horowitz

Thank you for the question. Is that, am I right that is not a cyber specific-related question?

Question

No, it's just when I see the term business of battle, I just have connotations of how it's changing, evolving. When we think of armed conflict, it's evolving into something now where we can have conflict that's not geographically isolated to a particular region. It can be cyber-attacks that are conducted from outside the region. And when I think of the ICRC's traditional assistance of providing that humanitarian aid to victims on the battlefield, but with cyber activities, you don't know who's the belligerent anymore. I think, if I’m correct, you began your presentation by mentioning there are some 600 non-state actors of which ICRC has assisted about 400 or at least are aware of about 400.

Are there some of those non-state actors, for example, that you would not support because it might be a breach of your core principles of impartiality and neutrality?

Jonathan Horowitz

Great. Thank you for taking the time to clarify that. The ICRC is going to engage with any party to an armed conflict because every party to an armed conflict has legal obligations under international humanitarian law. If a government is particularly unhappy with a non-state armed group, labels them a criminal gang, labels them a terrorist organization, as a legal matter under international humanitarian law, the ICRC sees them through the lens of a party to an armed conflict who has legal obligations under international humanitarian law. They have an obligation to respect and ensure respect for those obligations. And so we are going to engage with them.

There's a separate question around how we provide humanitarian assistance, right? So those are two different things. Those are operational dialogues. That's the first thing that I was mentioning. And then there are questions around providing humanitarian assistance. The bulk of what we do is going to be for civilian populations. including those who are under the control of parties to an armed conflict, whether they're a non-state armed group or whether they're a part of a government military.

I do not see what's happening with regard to the digital ecosystem in conflict changing how the ICRC would approach its neutrality, impartiality, and independence. I'm not sure if that gets to the question you're asking, but I appreciate being asked. Thank you.

Natalie Orpett

We are running up against time. My challenge to you has gone up in ante, and now you must have a bumper sticker explanation of what your main takeaways would be of how to promote cooperation and partnerships. Adam, you do you want to start?

Adam Hickey

I used it on the question. That's my bumper sticker.

Laurie Blank

My bumper sticker would be beware of the line between engaging and all of a sudden bearing attribution and responsibility for. So be careful or think about where that line is in engaging with the private sector and yet not having them operating under your direction and control.

Natalie Orpett

Jonathan?

Jonathan Horowitz

Private sector has protections under international humanitarian law. It can lose those protections and it also has obligations. Read the Geneva Conventions, read the Additional Protocols, and give the ICRC a call if you have any questions.

Natalie Orpett

Excellent. Thank you so much.

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter at our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts.

Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja and your audio engineer this episode was Cara Shillenn of Goat Rodeo. Our theme music is from Alibi Music. As always, thank you for listening.


Natalie Orpett is the executive editor of Lawfare and deputy general counsel of the Lawfare Institute. She was previously an attorney at the law firm Jenner & Block, where she focused on investigations and government controversies, and also maintained an active pro bono practice. She served as civilian counsel to a defendant in the Guantanamo Military Commissions for more than eight years. She also served as counsel to the National Security and Foreign Policy Legal Team of the Biden-Harris Transition Team.
Jonathan Horowitz is a legal advisor at the International Committee of the Red Cross’s regional delegation in Washington DC.
Laurie R. Blank serves in the Defense Department’s Office of the General Counsel and is a clinical professor of law and director of the International Humanitarian Law Clinic at Emory University School of Law, where she teaches international humanitarian law and works directly with students to provide assistance to international tribunals, non-governmental organizations, and law firms around the world on cutting-edge issues in humanitarian law and human rights.
Adam Hickey works at the law firm Mayer Brown and specializes in cybersecurity, sanctions, export controls, the Foreign Agents Registration Act (FARA), CFIUS, and other national security authorities.

Subscribe to Lawfare