The Anarchy of Cyberspace
Both in specifically the realm of cyber-conflicts, but also in internet law cases in general, I see the debate over whether or not the internet deserves its own set of governing factors hinges upon the innate impossibility, at least for now, of enforcing laws in cyberspace. In this sense, I say that there is anarchy, not in the sense of chaos, but in the sense that, at least for the determined, it is easy to go unpunished. This arises from the combination of two factors: anonymity and scale.
The internet provides a platform through which it is much more difficult to identify users than it is in the physical world. Often, with fairly simple steps involving proxies etc., tracing some illegal action to its perpetrator can be prohibitively more expensive than even the harm done by the crime itself. In the world of cyber-warfare, it is extremely difficult to trace a virus to its source; again, Stuxnet took a team of dedicated, high-level researchers a full year and a half, despite the exceptionally high priority level assigned by the security community to a virus of this magnitude. Compared to many physical world crimes, in which catching a criminal in the act makes ‘finding’ them trivial, identification is never trivial in cyberspace. It is simple, even for everyday users, to avoid region-specific blocks to certain media content, for example US netizens using VPN services to watch the Olympics for free through the BBC. This demonstrates the difficulty of automating a process by which to identify even just the nation from which a user is accessing the internet, while manual identification methods for the same purpose are rendered insufficient by the second factor, scale.
Computers allow users to commit transgressions with minimal planning, cost, and risk to themselves. To download a torrent from the Pirate Bay takes simply a few mouse clicks and a torrent client (which is perfectly legal). Hackers can quickly and cheaply submit several orders of magnitudes of requests to a server in trying to breach its safeguards. If we compare internet crimes to their real-world counterparts, in general they are massively easier to plot and execute. It is enormously more difficult to carry out any kind of real-world theft, while in the internet, it takes but moments. This imbalance leads to a sheer volume of internet infringements which cannot be compared to those of the kinetic world: this is the second factor in the difficulties surrounding the enforcement of internet law.
I think the reason why internet law demands special attention beyond the extent to which cyberspace infringements are accounted for within existing bodies is precisely because of the exceptional difficulty in law enforcement. The problem is that people continue to torrent illegally uploaded intellectual property without a real risk of penalty, not that we would not know how to punish them once they are caught. The existing body of law, while it can be interpreted to include the realm of cyberspace, is simply not enforceable. Thus, until such methods are created which allow us to identify and prosecute criminals with the same ease as we do in the physical world, until the risk of punishment becomes sufficient to deter a larger volume of crime, we are forced to either accept such criminal activity or create new legislature to account for it. Looking specifically at the realm of larger scale cyber-conflict between a nation and a terrorist/vigilante group or other nation, the same applies. We know that the sheer volume of attacks received by the United States is colossal; to catch each one, identify its origin, and respond appropriately is not something that is currently within our capability. Hence the collaboration with the private sector – it is not because there is something fundamentally sound about our government relying upon the private sector to defend our nation, or that it should be the role of the government to provide private companies with security systems, but because this is one of few ways to address the extent to which law enforcement is losing to criminals. This is why, going back to the piracy issue, methods such as the involvement of internet service providers, which are private companies, is considered for the sake of blocking internet service to those who are found guilty of copyright infringement. This is not a policy for which any physical world analogue would be appropriate – for example, we would not agree with the government mandating that gas stations refuse to fuel cars driven by those with traffic violations, yet it is seriously considered, given the technology of today, simply because it makes enforcement easier.
There is currently an enormous gap between the effectiveness of physical and cyber law enforcement in the world. Internet law exists not because it lies outside the jurisdiction of existing legislature, but simply in order to address this gap. Internet law is an artifact of enforcement technology lagging behind that used by criminals: I think that it will be rendered obsolete when the technology gap disappears.