Educational Program: Can We Ever Stop Cyber Threats? An Interview with Duncan B. Hollis

Foreign journalists can learn, in this Educational Program, how international laws apply to cyberspace and how countries and civil society are organizing themselves in order to prevent cyber attacks. In an interview conducted by journalist Patricia Vasconcellos, a Board member of the Club of the Association of Foreign Press Correspondents in the United States (AFPC-USA) and White House Correspondent for the Brazilian network SBT, Duncan B. Hollis, expert on treaties and the application of international law to cyberspace, dove in and explained to foreign journalists the legal norms regarding cyber threats. He also talked about the United Nations’ open-ended working group, which meets at United Nations Headquarters to adopt recommendations to the General Assembly. This educational program was held on March 11.

Hollis is Laura H. Carnell Professor of Law at Temple University’s Beasley School of Law and also co-directs the University’s Institute for Law, Innovation & Technology. He is currently a non-resident Scholar at the Carnegie Endowment for International Peace and an elected member of the American Law Institute, where he serves as an Adviser on its project to draft a Fourth Restatement on the Foreign Relations Law of the United States. 

Professor Hollis’s research focuses on public international law, the law of treaties, interpretation, and global cybersecurity. He is the editor of the Oxford Guide to Treaties (Oxford University Press, 2012, 2nd edition, 2020), which was awarded the 2013 ASIL Certificate of Merit for high technical craftsmanship and utility to practicing lawyers. His cyber-related research examines international law’s role in regulating cyberthreats, the construction of cybernorms, and the application of humanitarian principles to global cybersecurity.

Hollis is also the co-author with Professors Allen Weiner and Chimene Keitner of a leading textbook, International Law (8th ed., 2023) and (with Jens Ohlin) Defending Democracies: Combatting Foreign Election Interference in a Digital Age (OUP, 2020). His more than 30 articles and book chapters have appeared in various publications, including the American Journal of International Law, Texas Law Review, Southern California Law Review, Harvard Journal of International Law, and Virginia Journal of International Law. 

Previously, Professor Hollis served as an attorney-adviser in the Office of the Legal Adviser at the U.S. Department of State, where he participated in various bilateral and multilateral treaty negotiations as well as the litigation of two cases before the International Court of Justice.

AFPC-USA is solely responsible for the content of this educational program. Below, readers will find a summary of some of the most important takeaways from the presentation.

ON HOW CYBER THREATS IMPACT OUR DAILY LIVES

• Hollis discusses the challenges posed by cyber threats and their evolving nature. The impact is outlined in three forms: confidentiality losses, where sensitive information is exposed; availability losses, exemplified by ransomware attacks that encrypt data; and integrity losses, raising concerns about cyber operations affecting critical infrastructure like power grids and posing risks to life and property. 

• Hollis acknowledges that while confidentiality losses are more frequent, the potential for integrity losses, such as threats to power systems, raises significant concerns and keeps people apprehensive.

ON THE RULES THAT DEFINE HOW STATES SHOULD BEHAVE WHEN CYBER ATTACKS HAPPEN

• Hollis explains that most nation states have enacted domestic criminal laws to address cyber attacks, targeting both private hackers and state actors. The global nature of the internet, however, raises questions about the applicability of international law. Around 2013, consensus reports emerged, asserting that international law, including human rights, applies to cyberspace. This consensus has become the dominant position, with acknowledgment that existing international law rules are applicable.

• Hollis highlights the shift from cyber attacks being primarily attributed to private actors to the emergence of nation states building cyber capacities for intelligence and military purposes. The focus has shifted to understanding how international law applies, especially as state-sponsored cyber operations become more prevalent. He says: “It's no longer a domain where if you're hacked, you know that it's some private [individual], it's no longer the teenager in the basement. It's no longer necessarily a group of cyber criminals. You have to take account of the possibility that it might be a nation state or a proxy of a nation state that's engaging in the operation.”

ON WHETHER THE UNITED NATIONS IS THE “RIGHT” PLACE TO DISCUSS THESE ISSUES TODAY

• Hollis discusses the suitability of the UN and its open-ended working group (OEWG) as a platform for discussions on cyber attacks and cyber issues. He notes the historical development of the internet, initially governed by private and academic entities, evolving into a multi-stakeholder model involving private actors, industry, civil society, and governments. The OEWG, established to address national security threats in cyberspace, serves as a multilateral forum for discussions on rules, norms, international law, capacity building, and confidence-building measures related to cybersecurity.

• Hollis acknowledges the contested nature of whether the UN is the ideal place for these discussions but highlights the OEWG's role in facilitating multilateral conversations. He explains the OEWG's mandate, which had an initial five-year period, and ongoing considerations about extending it. He notes that one advantage “has been in that it's open, so that all UN member states can participate, whereas the previous group of governmental experts  had to apply.”

• The open nature of the OEWG allows all UN member states to participate, promoting inclusivity. However, challenges persist as not all stakeholders have equal access, and government vetoes can exclude certain participants. Hollis recognizes the ongoing debate between multi-stakeholder and multilateral governance, emphasizing the potential need for a combination of both in the future.

ON CASES WHERE CYBER THREATS HAVE BEEN SUCCESSFULLY ADDRESSED

• Hollis discusses the incremental successes in addressing cyber threats, particularly focusing on achievements of the OEWG. He emphasizes the establishment of a global point of contact, enabling governments to coordinate and communicate 24/7 in case of cyber incidents. This initiative enhances transparency and facilitates swift responses to emerging cyber challenges.

• Another notable success highlighted by Hollis is the OEWG's contribution to clarifying the application of existing international law rules to cyberspace. He mentions the concern that different interpretations of lawful behavior in cyberspace could lead to unintended armed conflicts. The OEWG addresses this by encouraging governments and regional organizations to provide guidance on how international law, particularly the prohibition on the use of force, operates in the context of cyberspace. 

• Hollis explains that this effort aims to prevent misunderstandings and mitigate the risk of unintentional escalation to armed conflicts in response to cyber operations. Overall, Hollis emphasizes the importance of these small steps and incremental progress in enhancing global cybersecurity.

ON WHETHER HACKING IS CONSIDERED AN ACT OF “ESPIONAGE” AS OPPOSED TO AN “ACT OF WAR”

• Hollis provides a nuanced response, noting that the classification depends on the severity of the cyber operation. There is widespread, though not universal, agreement that a sufficiently serious cyber operation, such as one causing a prolonged power grid outage or compromising a civilian nuclear power plant, could be deemed a use of force and trigger international law rules related to armed conflicts.

• On the issue of espionage, Hollis highlights that international law historically tolerated or ignored espionage, lacking explicit rules prohibiting it. However, he acknowledges the evolving landscape, especially with the increased scale of cyber espionage. The SolarWinds hack, which targeted thousands of victims, raised questions about the costs incurred by private industries and civil society.

• Hollis suggests exploring mechanisms to regulate espionage, drawing parallels to the limitations imposed on warfare by international humanitarian law. He proposes the idea of establishing "bumpers" or constraints to govern espionage, similar to the regulations applied in armed conflicts to protect civilians and critical infrastructure. The goal is to address the asymmetry in the current situation where private entities bear significant costs due to cyber operations.

ON WHETHER SOCIETY IS PREPARED TO DEAL WITH ISSUES SUCH AS CYBER ATTACKS ON SATELLITES

• Hollis acknowledges that society is making efforts to prepare for cyber threats, including potential attacks on satellites, but emphasizes that there is a regulatory catch-up underway. Despite two decades of work on cybersecurity, incorporating outer space issues and artificial intelligence has created challenges. Hollis expresses concern that both industries and malicious actors might outpace regulatory capacity.

• While international law applies to regulate state behavior, there is a recognition that it may not be entirely effective in addressing current challenges. Hollis points to the ongoing struggle in stopping ransomware and regulating attacks on the supply chain, highlighting the difficulty in ensuring that software updates are free from malicious intent. He notes the growing awareness of national security, economic, and humanitarian risks posed by cyber threats, leading to the establishment of cyber bureaus and ambassadors in various governments. However, he emphasizes that despite these efforts, the tide has not yet turned, and cyber threats continue to outnumber successes.

ON HOW WE CAN DEFEND DEMOCRACIES AMID CYBER THREAT CHALLENGES

• Hollis underscores the evolving focus in cybersecurity from a catastrophic cyber event to the easier and cheaper spread of misinformation and disinformation. He notes that the potential for deceiving both domestic and foreign populations is a significant concern, particularly in disrupting elections. Hollis highlights the risk of using technologies like robocalls or artificial intelligence to disseminate false information, potentially leading people to miss the actual election day.

• Hollis mentions industry awakening to this threat, citing the recent Tech Accord Munich Compact where tech companies committed to opposing the use of malicious AI online, specifically in ways that could impact elections. Governments, including the G20, are also making commitments to prevent foreign election interference. 

• However, Hollis acknowledges the challenge in defining the line between legitimate expression of opinions and malicious activities, such as pretending to be citizens, organizing fake events, and manipulating public opinions in ways that warrant regulation.

ON WHAT LED HIM TO WRITE HIS BOOK, DEFENDING DEMOCRACIES

• Hollis explains that the inspiration for his book stemmed from the aftermath of the 2016 US election when it was revealed that the Russian government used a troll farm to influence public opinion online. Recognizing the need for interdisciplinary perspectives, he collaborated with the dean of Cornell Law School to create a comprehensive volume. The book aimed to establish a research agenda on how to address foreign and domestic election interference, involving experts in international relations, political science, and social science.

• He notes that while there is widespread agreement on the importance of preventing foreign election interference, the challenge lies in defining and implementing specific steps. Hollis suggests that building resiliency within the domestic population is crucial, ensuring that people are aware of manipulative tactics like deepfakes. He highlights the ongoing challenge of regulating such issues in a political context without disrupting democratic processes like elections.

ON HOW FOREIGN JOURNALISTS CAN EDUCATE THEMSELVES ON THESE ISSUES

• Hollis suggests various resources for foreign journalists to educate themselves on cybersecurity and related issues. He mentions the Munich Security Conference and the Munich Compact as valuable sources that can be found through search engines. Emphasizing the importance of learning about cybersecurity threats, he discusses efforts like the annual bootcamp in Valencia, where journalists, diplomats, and academics gather to understand cyber threats and receive technical training.

• Hollis also highlights Cyber Law International, the Oxford Process on international law protections in cyberspace, and the TALIN Manual on International Law on cyber operations as additional resources. He encourages journalists to seek out experts in industry or academia who can explain concepts like AI, machine learning, and different types of cyber attacks. Understanding these technologies is crucial for journalists to effectively inform the public about cybersecurity threats, election interference, and potential solutions, enabling the population to make informed evaluations.

ON HOW ARTIFICIAL INTELLIGENCE CAN BE EMPLOYED TO AMPLIFY CYBER THREATS

• Hollis emphasizes the autonomy of AI technology, which can operate independently of human control. In the context of cyber threats, he mentions the historical example of Stuxnet, a malware allegedly created by the US and Israel to target Iranian nuclear facilities. Stuxnet inadvertently spread globally, affecting Siemens programmable logic controllers (PLCs) worldwide.

• Hollis suggests that AI could potentially enhance the speed and scale at which cyber threats operate. There is speculation that AI might be capable of autonomously generating new malware and adapting it in response to encountered defenses. He notes that AI could be employed both offensively and defensively, with the ability to detect patterns and anomalies in data that may go unnoticed by humans. Balancing the role of humans in cybersecurity, particularly in recognizing unusual behaviors and managing AI, poses challenges that need to be addressed in the development and deployment of AI technologies.

ON WHETHER CYBER THREATS CAN BE STOPPED

• Hollis acknowledges that cyber threats will likely persist, characterizing it as a "cat and mouse game." However, he emphasizes that efforts can still be made to enhance the stability and security of cyberspace. He advocates for a more rights-respecting approach, suggesting the need for regulations that prioritize the protection of individuals rather than just state security. 

Hollis expresses support for an international treaty to safeguard people from state-sponsored hacking, emphasizing the importance of setting limits on state actions. He underscores that addressing cyber threats requires a comprehensive approach involving both government and societal responses. In this context, he encourages journalists to play a crucial role in contributing to these efforts.