A Background Guide for the

Legal Committee

Harvard Model United Nations India

August 12 - 15, 2018

 Table of Contents

Letter from the Secretary-General................................................................................ 3

Letter from the Under-Secretary-General.................................................................... 4
Letter from the Director.............................................................................................. 5
Introduction................................................................................................................ 6
History of the Committee........................................................................................... 7
Summary of the Problem............................................................................................. 9
Prevention and Treatment......................................................................................... 12
Current Situation...................................................................................................... 15
Bloc Positions............................................................................................................ 18
Position Papers.......................................................................................................... 18
Suggestions for Further Research............................................................................... 18
Endnotes................................................................................................................... 19
 Harvard Model United Nations India
A LETTER FROM THE SECRETARY-GENERAL

Dear Delegates,

It is my pleasure to welcome you to the eighth session of the Harvard Model United Nations India,
to be held at the Hyderabad International Convention Centre from Sunday, August 12 to Wednes-
Eliza Ennis day, August 15, 2018.
Secretary-General Over the past seven years, HMUN India has witnessed the participation of over 8,000 high school
students representing some of the best schools from over 40 cities across 20 countries. Following
the success of the previous years as well as over 60 years of experience in hosting the Harvard Model
United Nations for high school students from around the world in Boston, we are excited to return
to India for HMUN India 2018. In partnership with our local host, Worldview Education Services
JingJing Zhu Pvt. Ltd, we will bring the conference to life through sixteen dynamic committees, an exceptional ar-
Director-General ray of speakers, and the beloved tradition of vibrant social events such as HMUN India’s GotTalent.
Since its inception, HMUN India has strived to create a community of ambitious and talented
delegates from all corners of the globe who feel passionately about our future and recognize their
power to mold it. HMUN India is driven by an educational mission that intends to shed light on the
Larry Liang
importance of collaboration, the art of diplomacy and the value of key skills such as research, public
Under-Secretary-General
speaking, debate and negotiation. Above all, we hope that the lessons learned from HMUN India will
Administration
inspire and empower delegates to form a voice beyond the committee room. We hope this experience
will challenge students to think critically about policy and to drive change in their own communities.
The theme of the 2018 conference is Act to Impact, and we hope to see delegates make an impact in
Adil Bhatia the committee room and beyond this year!
Under-Secretary-General At the core of HMUN India are its committees. To help you prepare, our directors work tirelessly
Operations to prepare the guide you will find over the following pages. This committee guide will provide you
information about the history, context, events, implications, problems, and solutions that you will be
asked to tackle at HMUN India. In addition, we have a Guide to Delegate Preparation on the web-
Jenna Wong site, a series of webinars released throughout the summer, and a tailored preparation program called
Under-Secretary-General RESOLVE that will be released in early May. All of these will help you in your path to committee in
Committees August. Yet, we also encourage you to do research of your own, learning more about your country
position or individual policies. If you have any questions about any part of the preparation process,
you should feel free to reach out to your director or any member of secretariat.
I wish you the best in your preparation efforts, and please do not hesistate to reach out with any
questions or concerns. I cannot wait to see you at conference in Hyderbad!

Sincerely,

Eliza R. Ennis
Secretary-General
Harvard Model United Nations India 2018
secgen@hmunindia.org

59 Shepard Street, Box 205

Cambridge, MA 02138
Email: info@hmunindia.org
www.hmunindia.org
Harvard Model United Nations India is co-produced by the Harvard International Relations Council and
Worldview Education Services, Ltd.
 Harvard Model United Nations India
A LETTER FROM THE UNDER-SECRETARY-GENERAL
FOR COMMITTEES
Dear Delegates,

It is my honor and privilege to welcome you to the eighth session of Harvard Model United
Nations India! My name is Jenna Wong, and I will be serving as your Under-Secretary-
Eliza Ennis General for Committees. I am currently a third year student at Harvard, studying Social
Secretary-General Studies, Psychology, and Spanish.Outside of my academics, I spend most of my time working
for the International Relations Council, competing as Head Delegate of our travel model
United Nations team and chairing at our conferences in Boston and China.

I could not be more proud of the slate of committees that HMUN India is offering this year.
JingJing Zhu From rewriting the Declaration of Human Rights to combatting migrant smuggling, debate
Director-General
in the General Assemblies will push delegates to think beyond their own country’s interests
to create international frameworks to protect vulnerable communities. In the Economic and
Social Councils, you will be pushed to establish labor codes to protect women in Southeast
Larry Liang Asia, to combat the effects of climate change, and to guarantee rights to those with special
Under-Secretary-General
needs. In this committees, delegates thus will be challenged to look at a diverse array of issues
Administration
from new perspectives.

Your directors have worked tirelessly to make these committees memorable, challenging, and
incredibly rewarding, and they cannot wait to share their hard work with you. As you prepare
Adil Bhatia for committee, please remember that HMUN India aims to simulate situations requiring
Under-Secretary-General
international diplomacy. For that reason, you must research for your committee as if you
Operations
were actually preparing to represent your country—or, in the case of several committees,
your actor—in a negotiation.
Jenna Wong What are your main goals? What compromises are you willing to make? Who might you
Under-Secretary-General collaborate with? Thinking about these questions as you move into committee will allow for
Committees more substantive and productive debate because, ultimately, your goal is to produce the most
innovative and effective solutions as a committee, not to simply reiterate what the problems
are or prove that your country is best.

As you read through your background guide and then move into further research and
preparation, know that I am here for you along the way. Ultimately, my goal is to make your
committee experience the most enjoyable and rewarding possible, so please reach out if you
have any questions or concerns before or during conference.

Sincerely,

Jenna M. Wong

Under-Secretary-General for Committees

Harvard Model United Nations India 2018

59 Shepard Street, Box 205
Cambridge, MA 02138 committees@hmunindia.org
Email: info@hmunindia.org
Harvard Model United Nations India is co-produced by the Harvard International Relations Council and
Worldview Education Services, Ltd.
 Harvard Model United Nations India
A LETTER FROM THE DIRECTOR

Dear Delegates,

I’m Dylan Parker, and I’ll be directing the Legal Committee this year at HMUN India.
I originally hail from Pittsford, NY. Academically speaking, I’m a sophomore studying
Eliza Ennis Computer Science and Statistics.
Secretary-General
I’m particularly passionate about our topic, Cybersecurity and Cyberwarfare, because
of these interests in computer science, statistics, and national security. But more than that,
I think that there has been a critical lack of cooperation between scientists who refuse to
engage in politics and politicians who do not understand science. Given the defining role of
science and technology in 21st century politics, this divide must be bridged. I hope that you
JingJing Zhu all will take on these responsibilities at HMUN India this year, crafting solutions that are
Director-General
both scientifically prudent and politically feasible.

That said, do not be deterred if science isn’t your bread and butter. We will discuss a lot of
Larry Liang cool and revolutionary technologies, but my goal is to make the topic accessible to everyone.
Under-Secretary-General Moreover, many of the most difficult issues in cybersecurity and cyberwarfare do not require
Administration extensive knowledge of the underlying technologies; it is more important to know what is
possible than it is to know exactly how a particular technology is implemented.

Adil Bhatia Since we will be debating just a single topic, you will be able to really delve into the many
Under-Secretary-General sub-issues pertaining to Cybersecurity and Cyberwarfare. To succeed in this committee,
Operations therefore, you will have to consider every dimension of this issue. For instance, some of
your subtopics will compel you to shrewdly negotiate and navigate contentious political
issues Others subtopics, however, will require that you understand the fundamental concepts
Jenna Wong behind the technology that will define 21st century cyber-politics. Approaching global issues
Under-Secretary-General from this dual scientific-political perspective is something at which the world’s leaders have
Committees largely failed, so I’m excited to see the leadership, insight, and innovation you all bring to
committee.

I check my email compulsively and am super passionate about these issues, so please reach
out to me if you have any questions, concerns, or points of confusion as you prepare for
committee. I cannot put into words how excited I am for HMUN India, and I really look
forward to meeting you all!

Sincerely,

Dylan Parker

Director, Legal Committee

legal@hmunindia.org
59 Shepard Street, Box 205
Cambridge, MA 02138
Email: info@hmunindia.org
www.hmunindia.org
Harvard Model United Nations India is co-produced by the Harvard International Relations Council and
Worldview Education Services, Ltd.
6 Legal Committee
Introduction to the Topic
On February 19, 2018, the newly-elected
Secretary-General of the United Nations,
Antonio Guterres, was speaking at the University
of Lisbon. During his talk, he was asked about
the prospect of war in the 21st century. This was
his response:
“I am absolutely convinced that, differently
from the great battles of the past, which opened
with a barrage of artillery or aerial bombardment,
the next war will begin with a massive cyber-
attack to destroy military capacity…and paralyze
basic infrastructure such as the electric networks.”
It has been estimated that cybercrime costs
the global economy $1 trillion per year. Perhaps
even more stunning is the fact that much of this
cybercrime occurs at the hands of small groups
of hackers working independently or on behalf of
rogue nations with few resources. It is, therefore,
nearly unimaginable how devastating a cyber-
attack by Russia, China, or the United States
could be to a nation’s infrastructure. In Lisbon,
Secretary-General Guterres emphasized his fear of
such a catastrophe, noting that international law
and nations defense systems are unprepared for
and have done little to mitigate the possibility of
a major cyber-attack:
“Episodes of cyber-warfare between states
already exist. What is worse is that there is no
regulatory scheme for that type of warfare, it
is not clear how the Geneva Convention or
international humanitarian law applies to it.”
Unfortunately, similar warnings about the
tremendous threat cyber-warfare poses to global
economies, infrastructure, and peace have often
fallen on deaf ears. Over the past decade, dozens
of attempted treaties and agreements on cyber-
security have fallen apart. For instance, the UN
Group of Government Experts (GGE) held a
series of negotiations from 2004 until late 2017
with the objective of establishing standards for
cyber self-defense, curbing the militarization of
cyberspace, and proposing sanctions for to deter
acts of aggression. However, diplomats abandoned
the 13-year-old talks in late August, resolving that
insurmountable differences in national policies
would make it impossible to reach an agreement.
Nations like Russia, China, and Cuba resolved
that the Western countries had more to lose from
the current chaos in cyberspace. Western nations
like the US and UK, on the other hand, were
only willing to accept an agreement that imposed
harsh sanctions against, unambiguous restrictions
on, and the right to retaliate against aggressive
acts in cyberspace. Another major roadblock was
the matter of accountability, as it is often difficult
to prove that hackers responsible for attacks
were being directed by a particular government.
Together, these difficulties forced diplomats
to discard over a decade of negotiation. But as
Secretary-General Guterres warned in Lisbon,
the danger of a major cyberattack has only grown
over the past year. The issues mentioned above
will indeed be difficult to overcome, but they are
by no means insurmountable. Through diligent
study, debate, and negotiation, there is no doubt
that the UN Legal Committee can succeed where
the GGE failed. Our aim in this committee
will not necessarily be preventing cyberwarfare.
Rather, we first must establish rules with which
international bodies can govern and control
cyberspace. Armed with this legal framework,
the nations of the world will be better equipped
to police each other, cooperate, and deter future
cyber-attacks. In particular, we will focus on the
following three issues:
Definition of a Cyberattack. What constitutes a
cyberattack? Must it be an attack on government or
public institutions, or would an attack on a private
military contractor by a foreign government
count as a cyberattack? How large must it be in
scale? What must a nation to do prove that it
has been the victim of a cyberattack? In order to
address any issue related to cyberwarfare, we must
 Harvard Model United Nations India 2018 7

first answer these (and many other) questions and involve a physical or kinetic confrontation (e.g.
establish a universal definition of a cyberattack. nation A directs a cyberattack toward nation B,
and nation B responds by bombing nation A)?
The Prohibition of Force. Article 2(4) of the UN What constitutes a “proportional response”?
Charter prohibits the use of force: “All Members It might be difficult to imagine retaliating to a
shall refrain in their international relations from cyberattack with kinetic warfare, but it sounds
the threat or use of force against the territorial much more reasonable when one considers the
integrity or political independence of any state, fact that a major cyberattack could be much more
or in any other manner inconsistent with the devastating than a bombing, ground assault, or
Purposes of the United Nations.”1 When should other tool of traditional warfare.
cyber-attacks be considered the use or threat of
force? What criteria should be used to evaluate The descriptions above just scrape the surface of
whether a cyber-attack rises to this level? Without these incredibly complex issues. As the questions
strong definitions and clear criteria, it will be up accompanying each issue hopefully suggested,
to the individual nations to decide when a cyber- many of the controversies we will consider may
attack constitutes an illegal use of force. seem simple at first, but they become significantly
more complex when one attempts to put them
The Right to Self-Defense. Article 51 of the into writing. For instance, we might all think
UN Charter endows nations with the right to we intuitively know what a cyberattack is, but
self-defense: “Nothing in the present Charter establishing a strong, all-encompassing, legal
shall impair the inherent right of individual or definition of a cyberattack is a monumental
collective self-defense if an armed attack occurs task. Therefore, as you continue reading this
against a Member of the United Nations.”2 But background guide, be sure to constantly question
when does a cyber-attack rise to the level of an your immediate conclusions, as the issues we
armed attack? Legal precedent has made it clear consider will often turn out to be far more
that not all uses of force are also armed attacks. As complicated than they originally seem.
we will see, there are multiple schools of thought
and sets of criteria for determining whether a Both in this background guide and during
cyber-attack constitutes an armed attack. It will committee, the staff of the Legal committee will
be the responsibility of the Legal Committee to do everything we can to assist you in meeting
establish universal, unambiguous, and widely- these objectives and expectations. Note that
accepted criteria for this purpose. HMUN India has a unique format and set of
expectations as compared to other conferences
Necessity, Proportionality, and National in South Asia. Therefore, be sure to brush up
Accountability. To what extent should nations on the general differences between HMUN and
be held responsible for the operations of their other conferences by referring to the HMUN
hackers? How does the international community India website, in particular the page devoted
decide that it was in fact the national government, to delegate preparation. However, the staff of
not simply a rogue group of hackers, that directed the Legal Committee also has a specific set of
a cyberattack? This is perhaps the most difficult expectations, objectives, and plans for committee
issue we will address, as it is nearly impossible to that we would like to emphasize in this guide.
prove that a government was directly responsible As we have and will state repeatedly throughout
for the actions of group of hackers. As for this guide, we are looking for delegates to come
necessity and proportionality, must retaliation prepared with workable, in-depth, and specific
be contained to the cyber realm, or can it solutions to the issues described in this guide.
1 UN Charter We have intentionally limited the scope of this
2 UN Charter
guide to just three principle issues. Therefore, we
8 Legal Committee

hope that you will be able to research and propose and most importantly the specificity, creativity,
very specific and well-thought solutions to each and feasibility of your solutions.
of the three subtopics. We cannot emphasize how
much we want you to be specific and creative
in crafting your proposals. It is far preferable for
you to address one subtopic in great detail in
your resolution than to address all the sub-topics
superficially. During committee, we will do our
best as a staff to give you every opportunity to
discuss your proposals with your fellow delegates
and work together to craft detailed resolutions.
Therefore, we will frequently provide you with
opportunities to engage in unmoderated caucuses
and cooperate with other delegates. These will be
balanced with more formal moderated caucuses
and speakers lists, which you should use as an
opportunity to describe what is special about your
proposals. Delegates will distinguish themselves
by producing and describing proposals that are
of greater depth or include new and creative
solutions, not by repeating the same speeches
that every other delegate has made. For instance,
if you are speaking about the definition of a
cyberattack, then you should not just say that we
need a definition of what constitutes a cyberattack
and give a broad outline of some ideas. Surely
other delegates will have already said this, so it
will not add much to the debate. Instead, it might
be advisable to give a more specific proposal,
such as raising a specific example that the current
definition of a cyberattack does not encompass
and that should be included in the committee’s
resolution. After proposing this in the moderated
caucus, you could then use a moderated caucus
to make this proposal a reality. This is just an
example, but hopefully it gives you a general idea
of how to approach moderated and unmoderated
caucuses.
Finally, we would like to note that the staff
of the Legal Committee will evaluate delegates
holistically when we are determining awards. We
will consider the quality of your working paper,
your efficacy in advocating your specific solutions
in moderated caucuses, your adherence to
national policy, your leadership of your bloc, your
cooperation and diplomacy with other delegates,
 Harvard Model United Nations India 2018 9

Subtopic I: Definitions in Cyberspace

Introduction, Background, and Examples the Russian government denies that it directed
these attacks, but it is widely believed that Russian
Before the international community of officials instigated, funded, and coordinated the
diplomats and legal scholars puts forth laws to operations in hope of influencing the 2016 US
govern cyberspace, it must first reach a consensus Presidential Election.
on a few terms that will underpin any agreements
that are made. For instance, it does not matter The four examples above are some of the
that a treaty prescribes a harsh punishment most famous cyber operations conducted in
for nations that engage in cyber-attacks if the recent memory. However, analysts fear that these
international community cannot agree on what a constitute the beginning of a period of pervasive
cyber-attack even is; without strong definitions, cyber operations and even all-out cyber war. Such
it will be near impossible to enforce international events could include a bug that incapacitates the
law in cyberspace. Before we begin considering stock market and therefore the global economy,3
the terms we must define, we will first provide a an infiltration that wrongly causes a dam to open
few examples of cyber-attacks that have occurred or a chemical or nuclear plant to malfunction,4
in the past, as well as potential cyber-attacks and a virus that disrupts air traffic control (leading
that experts fear could lead to future geopolitical to crashes, misrouting, and general chaos).5 In
crises. Hopefully this will give you an intuitive this background guide we will also consider a
understanding of how conflict in cyberspace plays number of other forms of cyber-attacks, such as
out. operations directed against military targets (e.g.
mission control and air defense systems) and
Perhaps the most successful cyber operation civilian targets (e.g. the release of large amounts
in history was the Stuxnet bug, which American of personal financial data). Hopefully, though, the
hackers used to derail Iran’s nuclear program.* examples above give you an idea of the type of
Months later, an uncommon cyber power, the operations we are considering.
government of Burma, unleashed an attack
against its own citizens; the ruling military junta
used a “distributed denial of service” operation NATO and the Shanghai Cooperation
to essentially take down the internet just before Organization
a national election (Hathaway). In 2011, it was
As you can see, cyber-attacks can adopt
revealed that China’s military “had engaged in a
many different forms. It will be the aim of this
years-long cyber-attack program aimed at a range
committee to determine a strong definition
of governments, U.S. corporations, and United
of what constitutes a cyber-attack. This is
Nations groups” (Hathaway). It is worth noting
incredibly important because, as we will see
that the Chinese government has and continues
to vigorously deny these allegations. However, we 3 Duncan B. Hollis, Why States Need an Inter-
can be confident in saying that it is widely believed national Law for Information Operations, 11 LEWIS &
CLARK L. REV. 1023, 1042 (2007).

that the Chinese military was responsible for these
attacks, especially after a Chinese government 4 Barton Gellman, Cyber Attacks by Al Qaeda
documentary inadvertently caught an attack on Feared; Terrorists at Threshold of Using Internet as
Tool of Bloodshed, Experts Say, WASH. POST, June 27,
an Alabama website in-progress. Finally, the 2002, at A01.

2016 hacking of the US Democratic National
5 General Accounting Office, Air Traffic
Committee by Russian groups amounts to the Control: Weak Computer Security Practices Jeopardize
largest and most recent cyber operation. Again, Flight Safety (May 1998).
10 Legal Committee
later in the guide, the way we define a cyber-
attack determines whether, how, and against
whom a nation is allowed to respond to a cyber
operation. This is a very difficult issue, so we will
attempt to understand the fundamental issues
that must be taken into account by examining
proposed definitions of cyber-attacks and their
shortcomings. We will first consider the definition
of a cyber-attack put forth by the U.S. National
Research Council, which classifies cyber-attacks
as “deliberate actions to alter, disrupt, deceive,
degrade, or destroy computer systems or networks
or the information and/or programs resident in
or transiting these systems or networks.”6 This
definition focuses on the objectives of a cyber-
attack as opposed to the method of execution,
which makes sense since broad objectives are
sometimes easier to ascertain than the exact bug
or virus used to disrupt the computer network.
However, according to legal scholar Oona A.
Hathaway’s article in the California Law Review
on cyber warfare, this definition falls short because
it “fails to distinguish between a simple cyber-
crime and a cyber-attack.” Instead, Hathaway
proposes the development of a “simpler, uniform
definition [that] would avoid ambiguity, overlap,
and coverage gaps; facilitate a cleaner delineation
between cyber-attack and cyber-crime; and
promote greater inter-agency cooperation.”7
The Shanghai Cooperation Organization
has expressed similar dissatisfaction with the
definitions advanced by the US and other NATO
nations. For reference, the Shanghai Cooperation
Organization includes China, Russia, Iran,
Pakistan, and many Central Asian nations. The
SCO nations have often been diametrically
opposed to NATO’s cyber policies, which generally
6 COMM. ON OFFENSIVE INFORMATION
WARFARE, ET. AL., NAT’L RES. COUNCIL, TECH-
NOLOGY, POLICY LAW AND ETHICS REGARD-
ING U.S. ACQUISITION AND USE OF CYBERAT-
TACK CAPABILITIES (WILLIAM A. OWENS, ET.
AL. EDS., 2009).
7 Hathaway
call for stricter definitions and stronger rights of
retaliation. Moreover, conflicts in cyberspace have
frequently pitted one nation from the SCO against
a NATO nation; the Stuxnet bug and the Russia
DNC hack are each examples of such a conflict.
This has caused many experts to liken the state of
affairs in cyberspace to the Cold War, when the US
and its Western allies faced off against the Soviet
Union, China, and the Communist Bloc. In terms
of the definition of cyber-attacks, SCO nations
“have adopted an expansive vision of cyber-
attacks to include the use of cyber-technology to
undermine political stability.”8 According to the
Shanghai Cooperation Agreement, the founding
document of the SCO, one of the greatest cyber
threats posed is the spread of information that
is dangerous to “social and political, social and
economic systems, as well as spiritual, moral and
cultural spheres of other states.”9 As you might
imagine, NATO nations have not welcomed
such a definition of a cyber-attack, as they fear it
will lend legal legitimacy to Chinese and Russian
efforts to suppress free expression and minority
groups. China and Russia, on the other hand,
see this clause as protection against Western
interference in their affairs.
A Universal Definition
Both the NATO and SCO nations have
expressed valid concerns when it comes to the
definition of a cyber-attack. The Legal Committee,
therefore, will have to appease both blocs and
craft a consensus-based definition. Between
2009 and 2012, an international group of legal
experts at the NATO Cooperative Cyber Defense
Center for Excellence attempted to do just that.
However, even though SCO nations were invited
to and sent representatives to the talks, they
eventually abandoned the discussions on account
of irreconcilable differences with NATO officials.
As a result, the experts’ final product, called the
8 Hathaway
9 Shanghai Cooperation Agreement, Annex I, at
209.

Tallinn Manual, incorporated both NATO and
SCO opinions, but adopted primarily Western
positions on divisive issues. The Tallinn Manual
defined a cyber-attack as “a cyber operation,
whether offensive or defensive, that is reasonably
expected to cause injury or death to persons or
damage or destruction to objects.”10 This simple
definition seems reasonable, but it has a few
critical shortcomings. First, as we might have
expected, it does not include the dissemination of
information dangerous to a foreign government as
a cyber-attack, which is very important for China,
Russia, and other SCO nations. (Note that the
definition we produce in the Legal Committee
does not necessarily have to include this; as we
saw above, including such a clause would make
it difficult for the definition to appeal to Western
nations. However, because this is so important to
some SCO nations, delegates should recognize
that significant concessions will be necessary to
SCO nations if the clause is not included and to
NATO nations if the clause is included).
Beyond raising controversy, the Tallinn Manual
definition also raises a number of questions. A
cyber-attack must be “expected to cause injury
or death to persons or damage or destruction to
objects.” But what counts as an object? Obviously
physical structures, such as power generating
infrastructure, would be covered under this
definition. What about software, data, websites,
or code? Would they classify as objects? The
Tallinn Manual also fails to define what classifies
as damage. Again, physical damage to physical
objects would certainly be covered by this
definition. But what about damage to intangible
objects in cyberspace? Would manipulation
of government data count as damage? Would
destroying software responsible for the national
grid be included under this definition? Would
the disabling of a large network be considered a
cyberattack? These questions may seem trivial,
but they are incredibly important. For instance,
if only cyber operations that caused physical
damage to some object or person were considered
10 Tallinn Manual
Harvard Model United Nations India 2018 11
cyber-attacks, then a large-scale denial of service
attack that took down the internet, but caused
no physical damage, would not be a cyber-attack.
The greater implication of this is that the victim
of the attack would not be entitled to retaliation
or self-defense under the UN Charter, as we will
discuss later in the guide.
The Tallinn definition also forces to question
the implications of the use of the word “expect.”
This would potentially include cyber-attacks that
were expected to cause pervasive damage, but
somehow floundered. On the other hand, the use
of “expect” in the definition means that attacks
with large unintended consequences might not be
included as cyber-attacks. The second implication
in particular seems problematic, since it is
straightforward to show that a cyber-operation
caused significant harm, but more difficult to
prove that it was expected to cause such damage.
As you can see, the definition this committee
produces will be examined in great detail, word
by word—and every word will have immense
implications. Therefore, even though the
definition we eventually propose may only be one
sentence, it will likely require an entire working
paper to explain. As an aside, recall that no matter
the definition you propose, it will be important
to differentiate between cyber operations that
constitute attacks between nations and cyber
operations that are better classified as cyber-
terrorism or cyber-crime. In preparing their
definitions, delegates should consider all the
questions raised above, as well as issues that their
specific definitions raise. If you were writing a
working paper that proposed the Tallinn Manual
definition, for instance, then you would first
write the definition itself. Then, you would need
to explain what exactly you mean by “expect”
(e.g. Would an attack with large unintended
consequences still count as a cyberattack? Must
nations prove that the aggressor anticipated the
attack would cause large-scale damage? Would
attacks that were intended to be very harmful, but
failed, still classify as cyber-attacks and provoke
retaliation?). You would also need to explain
12 Legal Committee

what classifies as an object, as well as what the of the examples and counterexamples she explores,
definition means by damage to an object. For each the depth of her explanations, and the way she
of these explanations, it will likely be useful to breaks down the definition clause by clause. Since
give examples that illustrate the threshold (e.g. an it is an appendix, you are not required to read it,
example of something that would be considered but we do believe that it will be very useful—so
an object and an example of something that would useful, in fact, that we recommend you skip to the
not be considered an object in the definition, a appendix and read it now instead of waiting until
consequence that would be considered sufficient you finish the rest of the background guide.
damage for the operation to be considered a
cyber-attack and a consequence that would be
considered insufficient damage for the operation
to be considered a cyber-attack, etc.).
Clarifying the definition with examples and
explanations will be a very difficult process, which
is why we have devoted a third of this background
guide to the definition of a cyber-attack and
expositions of proposed definitions. As you
hopefully have noticed, each definition sounds
reasonable until you unpack what each word
means, what is included and what is excluded
under the definition, and how the definition
would classify examples like Stuxnet and the DNA
hack. This is where most of the controversy will
arise in committee; it is easy to agree on a vaguely
worded definition, but not as easy to agree on a
definition accompanied detailed explanations
and many examples that demonstrate what the
words in the definition truly mean. Nonetheless,
the committee must produce such a definition,
as every law we write will depend on a strong,
consistent, and universal definition of a cyber-
attack.
Although it is far too long to include in the body
of this background guide, previously-mentioned
legal scholar Oona A. Hathaway proposed a
definition of what constitutes a cyber-attack in
2012. The definition itself has its strengths and
weaknesses. However, the level of detail devoted
to explaining every word in the definition and
providing countless examples makes the definition
very strong and clear. The Legal Committee should
strive to craft a definition of equal strength and
clarity. Therefore, we have included her definition
and exposition as an appendix to this section. We
highly recommend that you study it, taking note
 Harvard Model United Nations India 2018 13

Subtopic II: The Prohibition of Force

The Latin phrase jus ad bellum translates to political perspective. Historically, the obvious
“right to war.” In international law, jus ad bellum problem is that Article 2(4) was written in
refers to the body of laws that govern when a 1945—the last thing that the authors of the UN
nation may engage in conflict with another nation. Charter were thinking of was a global network of
(In the next subtopic, we will examine jus in bello, computers dominating economics and politics
which translates to “right in war” and refers to the in the 21st century. Combined with the fact that
body of laws that limit the actions nations may cyber-warfare is unlike any other form of conflict,
take while engaged in conflict.) This subtopic will this means that the UN Charter itself provides
be divided into two subsections: the prohibition little direction as to how we should incorporate
of force and exceptions to the prohibition of cyber-warfare into the current legal norms.
force. We will begin each of the subsections by
introducing a tenet of international law and then Politically, no matter how the Legal Committee
examining it with regard to cyber-attacks and extends Article 2(4) to cyberspace, it will likely
cyber-warfare. The first of these core principles is prove controversial. This is because cyber-warfare
Article 2(4) of the UN Charter: is a paradigm shift for international conflict and
the balance of power. For centuries, the nations
All Members shall refrain in their international with the largest, most expensive militaries have
relations from the threat or use of force against dominated international politics. But cyber-
the territorial integrity or political independence warfare completely changes this; the most powerful
of any state, or in any other manner inconsistent nations today are also the most reliant on expansive
with the Purposes of the United Nations. computer networks. In the US, for instance,
computers control the financial system, air-traffic
This is the main justification for the illegality control, offensive and defensive nuclear weapon
of the use of force in international relations, and facilities, and nearly every aspect of civilian and
it has also given rise to the legal norm of non- military communication. A widespread denial of
intervention. Different member-states have service attack could cripple the US economy and
adopted different interpretations of Article 2(4). military, rendering a global hegemon obsolete and
While the US, as well as most Western nations, defenseless in a matter of minutes. Thus, cyber-
contend that this clause only prohibits the use warfare presents an incredibly powerful way to
of physical or armed force, some nations in the check the power of developed nations cheaply; it
SCO argue that it also bans political, social, would require billions of dollars to compete with
and economic coercion. Such an interpretation the US navy at sea, but only a skilled team of
is particularly distasteful to NATO nations, hackers and a little luck to incapacitate the US
which often use these tactics to pressure rogue military using a few computers across the world.
or oppressive regimes. It is worth noting that the
more limited, NATO-supported interpretation This is why experts call cyber-warfare a paradigm
that Article 2(4) only applies to kinetic force has shift. It is also why the application of Article 2(4)
generally prevailed in international courts. It is, to cyberspace is so controversial. NATO nations,
therefore, the current legal norm. in contrast to their more limited interpretation of
Article 2(4) with respect to physical force, prefer a
Since Article 2(4) is a foundational principle of broader extension of Article 2(4) that classifies all
just ad bellum, the laws governing international cyber-operations in foreign nations as “the threat
conflict, it must be extended to the fifth realm or use of force against the territorial integrity or
of warfare: cyberspace. However, this has proven political independence of any state.” This would
incredibly difficult from both a historical and mean that, legally, a cyber-operation would be
14 Legal Committee

equivalent to a physical, armed operation against of harmful information to the government as a

another state. The perpetrator of a cyber-attack violation of Article 2(4), which aligns with their
would then be subject to the same punishments interpretation that the article should include
as the perpetrator of a kinetic attack (e.g. UN political, social, and economic coercion in
Security Council sanctions), as well as perhaps a addition to kinetic operations as “force.” As you
retaliatory strike by the victim of the attack (which can see, some of these controversies are very
we will discuss in greater detail in the second part similar to the issues you will consider in crafting
of this section). NATO nations and other more the definition of a cyber-attack. Therefore, it will
developed nations favor this interpretation, as be important for you to leverage the definition you
they have the most to lose from the rise of cyber- have established when considering the application
warfare and the new balance of power it would of Article 2(4) to cyber-attacks.
bring. In fact, NATO has already extended the
NATO treaty to address cyber-attacks in this It will likely be beneficial for you to adopt a
way; in 2008, the NATO nations resolved that similar format for this subtopic as for the first
cyber-attacks trigger Article 4 of the NATO subtopic. The extension you write to Article 2(4)
treaty,11 which states that “The Parties will consult might be short. However, the explanation of and
together whenever, in the opinion of any of them, examples that illustrate your extension to 2(4)
the territorial integrity, political independence will likely be much longer. The fundamental
or security of any of the Parties is threatened.”12 question you should keep in mind as you amend
In 2014, faced with increasingly frequent cyber- Article 2(4) should be: When should a cyber-
attacks from Russia and China, NATO announced attack be classified as “force” under Article 2(4)?
that cyber-attacks could trigger Article 5 of the More specifically, when does a cyber-attack count
NATO treaty, which is given below: as the use of force “against the territorial integrity
or political independence of any state”? What do
The Parties agree that an armed attack against territorial integrity and political independence
one or more of them in Europe or North America mean in cyberspace? Remember, any cyber-
shall be considered an attack against them all and operation that you classify as “the threat or
consequently they agree that, if such an armed use of force against the territorial integrity or
attack occurs, each of them…will assist the Party political independence of any state” will violate
or Parties so attacked by taking forthwith…such international law and trigger the same legal
action as it deems necessary, including the use of countermeasures an armed assault would trigger.
armed force.13
You should also answer the following question:
As you can see, the question of whether cyber- how should we address the threat of a cyber-
attacks should be classified as uses of armed force attack? Article 2(4) states that the threat of force
has profound implications and is therefore highly is equivalent to the use of force. Should the threat
controversial. In contrast to the NATO position, of cyber-attacks be equivalent to the use of cyber-
SCO nations will likely prefer a looser extension attacks? If so, what exactly should be included as
of Article 2(4) to cyberspace. On the other hand, a threat of a cyber-attack? Would a nation have
they might also look to include the dissemination to administer a literal threat in words? Would
covertly planning a cyber-attack be included as a
11 NATO Agrees on Common Approach to Cyber
threat of force?
Defence, EURACTIV.COM, Apr. 4, 2008, available at
http://www.euractiv.com/en/infosociety/nato-agrees- The questions above are by no means an
common-approachcyber- defence/article-171377.
 exhaustive list, but they should give you an idea of
what you should address when extending Article
12 NATO Treaty
2(4) to cyberspace. Remember, our objective
13 NATO Treaty
 Harvard Model United Nations India 2018 15

is to craft an unambiguous legal framework for

cyber-warfare; you should unpack every word of
Article 2(4) and consider how it would apply to
cyber-attacks, giving explanations and examples
as necessary.
16 Legal Committee
Subtopic III: The Right to Self-Defense
There are exceptions to every rule—including
the prohibition of force in international law.
The first exception refers to the right of the UN
Security Council to “determine the existence of
any threat to the peace, breach of the peace, or act
of aggression, and [to] make recommendations, or
decide what measures shall be taken . . . to maintain
or restore international peace and security.”14 This
will not be the focus of the committee. Instead,
we will consider the second exception. Article 51
of the UN Charter states the following:
Nothing in the present Charter shall impair
the inherent right of individual or collective
self-defense if an armed attack occurs against a
Member of the United Nations, until the Security
Council has taken measures necessary to maintain
international peace and security. Measures taken
by Members in exercise of this right of self-defense
shall be immediately reported to the Security
Council.15
The key phrase is that a nation may engage in
self-defense “if an armed attack occurs” against it.
The main objective of the Legal Committee will
be determining what, if any, cyber-operations
should be considered armed attacks and trigger
the right to self-defense under Article 51. Note
that “armed attack” is distinct from the wording
of Article 2(4), which bans the threat or use of
force. Indeed, in a famous case between Nicaragua
and the United States, the International Court of
Justice (ICJ) has ruled that there are threats or uses
of force that are not considered armed attacks and
thus do not allow the victim to invoke the right
to self-defense. Armed attacks only include the
“most grave forms of the use of force.”16 Border
intrusions, for instance, have been classified
14 UN Charter
15 UN Charter
16 Military and Paramilitary Activities in and
Against Nicaragua (Nicar. v. U.S.), 1986 ICJ 14, para.
191 (June 27).
 18 Hathaway
as “frontier incidents” not sufficiently grave to
trigger Article 51.17
Just as the ICJ established which kinetic
uses of force are included as armed attacks, the
Legal Committee ought to determine which, if
any, cyber-attacks should be classified as armed
attacks and trigger the right to self-defense.
This is a difficult task, but luckily three schools
of thought have emerged that may guide your
approach to classifying cyber-attacks.
The most traditional position is the instrument-
based approach. According to scholars at the Yale
School of Law, the instrument-based approach
“treats a cyber-attack as an armed attack only if
it uses military weapons. For example, bombing
computer servers or Internet cables could meet
the requirements of an armed attack if the strike
was of sufficient gravity.”18 Depending on how
the Legal Committee decides to define a cyber-
attack, bombings of servers or cables might not
even be classified as cyber-attacks since they are
kinetic assaults against cyber-related facilities.
The instrument-based approach, therefore,
includes very few (if any) cyber-attacks as armed
attacks. This has the clear disadvantage that
victims of cyber-attacks do not have the right
to self-defense, even though cyber-attacks can
be far more damaging than bombings or other
physical assaults. However, the severity problem
is highly dependent on the definition of the use
of force. For instance, if the committee adopts the
instrument-based approach and does not include
cyber-attacks as uses or threats of force, then—
even though the victim of a cyber-attack will not
be entitled to self-defense under Article 51—the
victim would be permitted to engage in retaliatory
cyber-attacks that are not classified as uses of
force (since only uses or threats of force are illegal
17 Military and Paramilitary Activities in and
Against Nicaragua (Nicar. v. U.S.), 1986 ICJ 14, para.
195 (June 27)

under Article 2(4)). (You should read the previous
sentence again. It can be quite confusing, but it is
incredibly important. If you can understand that
sentence, it means that you have a solid grasp on
the issues involved with defining a cyber-attack,
determining whether cyber-attacks are uses of
force, and classifying cyber-attacks as armed
attacks or lesser offenses). Article 41 of the UN
Charter supports the instrument-based approach,
stating that “partial or complete interruption…
of…telegraphic, radio, and other means of
communication” are “measures not involving the
use of armed force.”19 Any delegates proposing
the instrument-based approach should answer
the following questions, among others: what
classifies as a military instrument? Is there any
cyber-attack, as you have defined a cyber-attack,
that would make use of a military instrument, as
you have defined a military instrument? What
recourse should be available to nations that are
victims of cyber-attacks that did not employ
military instruments and thus do not trigger the
right to self-defense? How does your classification
of when cyber-attacks reach the level of armed-
attacks fit with your classification of when cyber-
attacks reach the level of uses of force?
The second school of thought is called the
target-based approach. Sean Condron, one of the
most outspoken proponents of the target-based
approach, has described in depth when cyber-
attacks should constitute armed attacks under the
target-based approach:
When the attack targets the state’s critical
infrastructure, the state should be able to exercise
active defense measures...states should be required
to maintain a publicly available list of critical
infrastructure, which a state may protect with
active defense measures and, if the identified
critical infrastructure were subjected to a cyber
attack, a state could respond in cyberspace without
first attributing or characterizing the attack.20
19 UN Charter
20 Sean M. Condron, Getting it Right: Protect-
ing American Critical Infrastructure in Cyberspace, 20
Harvard Model United Nations India 2018 17
Nations that advocate strong rights to
defend oneself from a cyber-attack—mostly
industrialized nations that have the most to lose
from a cyber-attack—also tend to prefer the
target-based approach. Opponents of the target-
based approach argue that, because it sanctions
aggressive defense of critical infrastructure, it
will allow nations to use small breaches of critical
infrastructure as justification massive cyber
or kinetic counterattacks against the original
offender; Chinese and Russian officials in particular
fear that the US will launch disproportionate
retaliatory attacks in response to minor cyber-
operations. Delegates supporting the target-based
approach should be sure to answer the following
questions, among others: What is classified as
critical infrastructure? If nations have the right to
choose what exactly they would like to classify as
critical infrastructure, what would prevent them
from listing everything as critical infrastructure?
Are there any small-scale penetrations of critical
infrastructure that should not trigger the right to
self-defense? If so, how do you differentiate those
from attacks that should trigger the right to self-
defense?
The third perspective on the right to
self-defense is called the effects-based approach,
which is a compromise between the instrument-
and target-based approaches and “classifies a
cyber-attack based on the gravity of its effects.”21
The target-based approach is the most widely held
position, but, in the eyes of the Legal Committee
dias, this is mainly because the target-based
approach is also the most vague definition of an
armed-attack. It is very sensible to classify an attack
based on its gravity, but, if the Legal Committee
decides to adopt the target-based approach, it
must establish the level of gravity that triggers the
right to self-defense. Experts have offered several
different systems for assessing the gravity of an
attack. There are far too many to include in this
guide, so we will mention only a few prominent
schools of thought and describe even fewer.
HARV. J.L. & TECH. 403, 415-16 (2007)
21 Hathaway
18 Legal Committee

Delegates proposing the effects-based approach

are highly encouraged to research and look for
inspiration in the perspectives we mention but
do not have space to describe. Michael Schmitt
offered six criteria for assessing gravity, including
the timing of the attack, the long-term damage
caused, the scale of the attack, etc. However,
with so many criteria, each of which requires a
subjective judgement, it would be difficult for the
international community to reach a consensus
as to whether a specific cyber-attack should be
considered an armed-attack. On the other hand,
CIA official Dean Silver has proposed that cyber-
attacks only reach the level of armed attacks “if
its foreseeable consequence is to cause physical
injury or property damage and...the severity
of the foreseeable consequences resembles the
consequences that are associated with armed
coercion.”22 This definition is difficult to object
to, but it is also vague. What does it mean for
something to be a foreseeable consequence? What
if a cyber-attack disables an electronic air defense
system? Would the foreseeable consequence of
that attack be to cause physical injury? These are
all questions that delegates using this definition or
a similar definition will have to address.
The specific questions you must answer in
your working papers and resolutions will depend
on the definitions you propose. However, it will
again be the case that even if your definition
of when a cyber-attack is classified as an armed
attack is relatively short, you should follow it
with a length explanation that unpacks the
meaning of every word in your definition. You
should also consider many different examples of
cyber-attacks, determine whether they would be
classified as armed attacks using your definition,
and explain why that is the case.

22

Subtopic IV: The Exercise of Self Defense
Necessity and Proportionality
There are two final principles of jus ad
bellum we have yet to describe: necessity and
proportionality. Intuitively, these principles check
the right to self-defense; necessity requires that
the use of force in response to an armed-attack be
necessary, meaning that there are no diplomatic
alternatives available to repel the initial attack,
and proportionality requires the retaliatory use
of force to resemble the severity and scope of the
original aggression. It will be the responsibility
of the Legal Committee to extend the concepts
of necessity and proportionality to cyber-warfare
and determine what actions a state may take in
response to a cyber-attack.
It is particularly difficult to extend the
principle of necessity to cyberspace. According
to Nils Melzer of the University of Zurich and
the International Committee of the Red Cross,
necessity means that the action “be objectively
necessary to avert or repel an armed attack...
[meaning] self-defensive action may not lawfully
be carried out before it has actually become
necessary to repel an armed attack, nor when it
no longer is necessary for that purpose.”23 This
is problematic because cyber-warfare is unique.
Experts at the Yale Law School recently described
the distinction between cyber-warfare and kinetic
warfare that complicates the law of necessity:
The speed, unpredictability and clandestine
nature of most cyber operations severely hamper
the defending state’s ability to react in time to
detect and prevent or repel an imminent or
ongoing attack, which may well be designed and
timed to produce its harmful effects only months
after the attacker’s intrusion.24
Generally speaking, cyber-attacks just happen.
Once hackers have infected a system with a
23 Melzer
24 Melzer
Harvard Model United Nations India 2018 19
computer virus, launching a retaliatory cyber-
attack against the hackers will not affect the spread
of the virus. Therefore, responses to cyber-attacks
are not necessary to repel an armed attack. It is
possible that they could, however, be considered
necessary to avert an armed attack. This raises the
question as to whether international law should
permit anticipatory self-defense in cyberspace.
In terms of proportionality, the Legal
Committee must determine how nations are
permitted respond to a cyber-attack. Should
responses to cyber-attacks also be cyber-attacks?
May a nation engage in a kinetic response to a
cyber-attack? On one hand, we would not want a
nation bombing the capital of another nation that
engaged in a cyber-attack. But on the other hand,
a cyber-attack can be far more damaging than a
convention, kinetic attack, so some scholars argue
that nations should be permitted to respond to
cyber-attacks with physical force. Furthermore,
the victim of the cyber-attack may not have the
technical resources to engage in a counterattack
in cyberspace, meaning that physical force
would be the only option. How should the Legal
Committee weight these considerations? Should
a response in cyberspace be the preferred method
of retaliation, with physical force being used only
as a last resort?
The questions of necessity and proportionality
will be particularly difficult to extend to
cyberspace. They will also be controversial; the
US and its NATO allies will likely prefer fewer
restrictions on the right of self-defense, whereas
SCO nations will prefer stronger checks on the
actions nations may take in response to a cyber-
attack. The Legal Committee should aim to find
a mutually acceptable solution that answers, in
detail, each of the questions raised above. As with
previous subtopics, it will be important to give
examples of responses that would be considered
necessary and proportional, as well as responses
that would not be considered as such.
20 Legal Committee
National Accountability
We have now answered the questions “When
is a nation entitled to self-defense?” and “What
measures may a nation take in self-defense?” One
question remains to be addressed: Against whom
may a nation exercise its right to self-defense? In
kinetic warfare, the answer is obvious; an invaded
nation, for instance, may take up arms and repel
the invader. There is rarely any question as to the
invader’s identity. However, cyberspace cloaks
offenders in a veil of secrecy. It can be incredibly
difficult to determine where a cyber-attack
originated, and even more difficult to determine
who ordered the attack to occur. This section of
the background guide will address this question
of national accountability.
Consider the following scenario. Bankers in the
United States wake up one morning to a flurry of
news reports. New York Stock Exchange, which
depends on algorithmic trading through expansive
computer networks, has been taken offline by a
group of hackers. Chaos immediately engulfs the
US economy; within hours, the stock market has
tumbled 30% and the President has ordered stock
exchanges across the nation to be shut down. The
US Federal Bureau of Investigation traces the
virus that infected the stock exchange computers
to Italy, and from there to Morocco, and from
there to Bangladesh, and from there to China.
They determine that the virus originated in China,
about 45 kilometers outside of Shanghai. The
US Military Cyber-Command and the National
Security Agency prepare a cyber counterstrike
against critical Chinese infrastructure while
the US Delegate to the United Nations calls an
emergency meeting the Security Council and
invokes the right to self-defense. What should the
UNSC do? Should it rule that the US does indeed
have the right to self-defense (let’s ignore the fact
that China has veto power)? The problem is that
the Chinese government denies responsibility
for the attack. While it originated in Chinese
territory, there is no evidence that Chinese officials
provided support to the hackers or directed their
activities.
The example above illustrates one of the most
fundamental problems with the implementation
of cyber-laws: it is very difficult to determine who
is accountable and link national governments to
groups of hackers. The Legal Committee must
establish reasonable requirements for evidence
such that nations cannot offload their cyber-
attacks to “independent” groups of hackers and
skirt international law. However, the committee
should also be mindful of the fact that rogue
groups of hackers, particularly in China and the
US, exist and do not reflect the priorities of their
governments. Striking this balance will be very
difficult, particularly because this issue is highly
contentious among China, Russia, and the US;
the US has expressed dissatisfaction with frequent
cyber-attacks by Chinese and Russian hackers,
whom US experts are confident operated under
the orders of government officials. However, it
is near impossible to prove that this was the case
under current international law.
Benjamin Brake, an international affairs fellow
at the Council on Foreign Relations, recently
wrote an article that exposed the fundamental
problems with the current requirements for
assigning national responsibility:
A state is accountable for the actions of
individuals acting under its “effective control”
...The International Court of Justice has ruled that
violations of the law of armed conflict by private
individuals can be attributed to a state only if it
could be shown the state “directed or enforced” an
operation...A victim of a cyberattack would likely
have to prove more than an adversary supplied
a cyber weapon to a non-state actor. A victim
would instead have to show the state ordered
or had “effective control” over all aspects of the
cyberattack. Without such evidence, a victim’s
lawful response options may be limited to actions
against the non-state actors—cold comfort for a
nation reeling from a cyberattack perpetrated by
hackers financed, organized, trained, supplied,
and equipped by a nation-state adversary.25
25 Benjamin Brake. “Cyberspace’s Other At-
tribution Problem.” Council on Foreign Relations, 5
 Harvard Model United Nations India 2018 21

Obviously, this state of affairs is unacceptable; evidence that would meet the proposed threshold
it is essentially impossible to achieve the burden for state responsibility?
of proof required by the law of state responsibility.
Without more reasonable requirements, none of
the definitions or laws the Legal Committee writes
will be of any use; offenders will circumvent them
by pointing out that the law of state responsibility
has not been met and they cannot be held
accountable for the efforts of “independent”
hackers working inside their nations.
One potential solution is to loosen the
requirement that a government must direct or
enforce an operation. Instead, a government can be
held responsible for any operation that it financed,
organized, trained, supplied, equipped, directed,
or enforced. A bolder and more controversial
proposal would hold governments responsible for
any operations they were aware of. The law could
also stipulate that any operations a government
becomes aware of should be immediately
combatted and reported to the intended target.
The US and other NATO nations would likely
strongly support these requirements, which, in
their opinion, would eliminate a major loophole
in international law that has absolved the Chinese
and Russian governments of responsibility for
their hackers. SCO nations would likely oppose
the lighter burden of proof, arguing that it would
give the US an easy excuse to conduct cyber-
operations against international rivals—most
likely Russia, China, and other members of the
SCO. There are several potential improvements to
the law of state responsibility, but any proposal is
likely to be controversial. For delegates crafting
working papers and resolutions dealing with
the law of state responsibility, it will again be
important to provide a wealth of examples.
Delegates should answer the following questions,
among others: What amendments to the law of
state responsibility do you propose? What exactly
counts as equipping, directing, financing, etc. a
group of hackers? What are examples of evidence
that would not meet the proposed threshold
for state responsibility? What are examples of

Aug. 2015. Web. 17 Mar. 2018.

22 Legal Committee

Logistics: Resolutions, Position Papers, Blocs, and Research

Resolutions and Working Papers also the source of most debate about solutions to
global issues.
This and the following sections outline non-
substantive, but very important, aspects of the If you keep in mind the suggestions above, we
topic and committee. Working papers and draft are more than confident that you will leverage
resolutions are obviously some of the most your expertise of the situation to produce excellent
important parts of committee, so it is critical to working papers. We also understand that it is
understand what the staff will be looking for. As always useful to have examples. For your reference,
mentioned previously, the staff will place a high here is a working paper that we would consider
value on the specificity, depth, and quality of your too superficial (it’s actually a resolution, but the
proposed solutions; we would rather you address point still holds): http://www.unausa.org/global-
one issue effectively than address everything classrooms-model-un/how-to-participate/model-
superficially. The issues surrounding cybersecurity un-preparation/resolutions/sample-resolution.
and cyberwarfare are incredibly complex, so they
Speaking of resolutions, since you will be
will not be met by a single two-page working
crafting very specific working papers, we expect
paper. Therefore, we encourage you to use the
you to use the draft resolution stage as an
working paper stage to deeply explore one aspect
opportunity to merge working papers into more
of the situation and then look to merge with other
comprehensive solutions. If indeed you only
working papers that explore other subtopics.
address a few topics in great depth in your working
We cannot emphasize enough how important
papers, then there should be little conflict between
cooperation will be.
working papers and this merging stage should
Also, remember that it is often easy to figure out be relatively straightforward. The discussion
what to do, but much more difficult to determine on working papers should make it clear what a
how to do it. Because of this, we hope that you take draft resolution should look like: a collection of
time to consider how to execute your proposed in-depth working papers, weaved together into a
solutions and describe this in your working paper. comprehensive plan that retains the same level of
Suppose you are crafting a working paper to specificity as the working papers.
establish a proper definition of what constitutes a
cyberattack. This would be an excellent scope for Questions a Resolution Must Answer
a working paper—it is not too broad, but still very
important. The working paper should not only Any resolution should answer the following
include what would be the literal definition of a questions. However, we cannot begin to
cyberattack (which should still take up a decent emphasize that this list of questions should only
amount of space), but it should also address the give a broad sense of the topics a resolution
related issues of implementation. For instance, should address. Answering any one of these
who will be in charge of determining whether an questions requires answering at least five to
attack falls under the definition of a cyberattack? ten more specific questions, which have been
Will an international body be tasked with this given to you throughout the guide. We highly
responsibility or will it be up to individual nations recommend going back through the background
to decide, perhaps under the supervision of the guide and highlighting every question that was
UNSC? These details about how your solutions asked. Your resolution should answer every one
will be accomplished are arguably the most of these questions (or at least every question
important part of your working paper. They are that is applicable to your proposals). Below are

a few general questions that summarize the four
subtopics this committee should address:
What constitutes a cyber-attack?
When should a cyber-attack be classified as the
threat or use of force?
When, if ever, is a cyber-attack an armed attack
that triggers the right to self-defense?
How can the principles of necessity and
proportionality be extended to address responses
to cyber-attacks?
How should the law of national accountability be
applied to or adjusted for cyber-attacks?
Suggestions for Further Research
With a topic as widely-known and broad as
cyberwarfare, research can be overwhelming;
there are so many resources out there, so it can be
quite difficult to parse through them and decide
on a reasonable research strategy. In this section,
we will hopefully be able to assuage any fears
you have about researching and give you some
pointers as you dive into the topics more deeply.
First and most importantly, if you are reading
this, then you are already doing an excellent job
researching! This background guide was pretty long
and detailed, so reading it carefully will hopefully
provide you with the foundational knowledge you
need in order to succeed in committee. However,
additional research is always an excellent idea. One
way to go about this is to google the resources that
this background guide has cited. These guided the
scope of the background guide and played a large
role in informing the staff about the topic, so they
are an excellent source for additional research. Do
note, though, that some of these resources are long
guides and policy reports that are fairly dense and
not broadly applicable. We would recommend
that you stay away from these. Instead, we would
advise you to begin your research by reading the
news articles we cited in the background guide.
These are often more user-friendly in terms of the
Harvard Model United Nations India 2018 23
density of information, and many of them contain
links to related articles and studies that should
provide you with even more useful information.
Beginning with the news articles and using the
articles that they cite to guide your research into
the topic is a highly advisable way to conduct
additional research.
Another excellent resource is the United
Nations itself, as well as governmental research
bodies whose reports may be more digestible
after you have read the background guide and
some news articles about cyberwarfare. Many of
these organizations have fact sheets and other
reports that will provide you with the essence of
the problem, without the “fluff” of some news
articles. Therefore, we also recommend that you
look through the websites of these organizations
for information related to the topic (e.g. google
“US congressional report on cyberwarfare”).
Finally, the Legal staff is always here to assist
you. Since we are expecting you to have a solid
understanding of the topic and produce excellent,
detailed solutions, it is only reasonable that we
do everything we can to help you achieve these
objectives. So, if you have any questions, please
reach out to us. For example, if you are having
difficulty finding information about issues
surrounding national accountability, just shoot us
an email and we will do our best to help you find
resources and guide you in the right direction for
further research.
Position Papers
This section is very important, as we are
requesting that you use a special format for
your position papers. Writing your position
paper will help you understand the topics being
discussed, forcing you to think creatively and
originally about complex problems and your
country’s position on them. You may not always
find a concise statement of your country’s actual
position on all of these issues – but we hope you
24 Legal Committee
can look at the facts and think rationally about
what would be in your nation’s interest. We will
not penalize delegates for taking a slightly different
approach than their assigned country has in the
past – issues surrounding trade, development, and
international economics are evolving quickly and
new political pressures arise all the time. Provided
you can justify a change in policy by pointing
out political and economic developments at a
national level, we would view such a change very
favorably, as better reflecting the actual context of
the committee.
Traditionally, position papers have three parts:
a summary of the problem, how the issue affects
your country, and what your country proposes
as a solution. While there is nothing wrong with
this format, we strongly encourage you to use
the format described herein for your position
papers. While you are permitted to begin your
position paper with a general introduction
describing the issue and how it affects your
country, this is not necessary; we are already
familiar with the topic and its consequences,
so only include such a description if you feel it
will benefit you personally. Most importantly,
organize the body of your position paper
by subtopic and focus on describing your
SOLUTIONS TO THE PROBLEMS IN
DEPTH, not the problems themselves. (Note
that I have italicized, bolded, and capitalized
the worlds “solutions to the problems.” I cannot
possibly emphasize how important this is. The
whole purpose of this committee is to propose
workable solutions to the topics we are discussing.
Therefore, even if you know the issues in incredible
depth, you will not be in a strong position to
contribute to committee unless you are ready to
propose in-depth and feasible solutions. In other
words, the most important question to ask is not
“what is going on with cyberwarfare?”, but rather
“what are we going to do about cyberwarfare?”
Make sure you come to committee ready to answer
this question in depth.) Begin your position
paper discussing definitions of cyberwarfare and
describe the definition you support or propose.
Then, proceed to discussing how your country
believes the international community should deal
with the issue of national accountability. Finally,
address the right to retaliate at the same level of
detail as the topics above. For each subtopic, you
are welcome to include descriptions of the main
issues and how those issues affect your country,
but you are only expected to include these items
if they are key to supporting the rationale behind
your proposed solutions. As you proceed with
this discussion, push yourself to be as detailed as
possible. We’ve said it before and we will say it
again—the staff places a very high value on the
depth of your proposed solutions, rather than on
their breadth! Therefore, it is acceptable if you
decide to focus on a few aspects of each subtopic
in your solutions, so long as you make sure that
you still understand the topic as a whole.
Finally, remember that these position papers
are representation of a nation’s position and not
a statement of your personal opinion. Therefore,
they should be written formally and in third
person. For example, a paper written from the
perspective of Nigeria should read, “Nigeria
believes that…” Position papers should be at
least two single-spaced pages in size 12 font, with
one-inch margins. Please follow the guidelines
on HMUN India’s website for the heading of the
position paper.
Closing Remarks
Thank you for reading this background guide. I
understand that it is quite long, so I truly cannot
say how much I appreciate and are impressed
that you have taken the time to read it (unless
you skipped to this section, in which case I
hope that my heartfelt thank you inspired you
to return to the beginning). Over the course of
researching and learning more about this issue, I
have become very passionate about it, and I hope
that you will have a similar experience. While I
have attempted to make this background guide as
exhaustive as possible, I was not able to include
everything relevant to the issue at hand. After
all, it is a guide, meaning that it should guide
 Harvard Model United Nations India 2018 25

your additional research into the topic. I cannot

emphasize how important this will be. I have
deliberately limited the scope of the committee
to a few fundamental issues, so I very much
hope that you seize the opportunity to research
these topics in great depth. Remember that it is
preferable to put forth a few detailed and feasible
solutions than it is to have many lofty and broad
proposals. On that note, I cannot wait to listen to
the solutions you propose and the discussions and
debates that ensue during committee. I hope that
you will leverage your new knowledge of the crisis
to implement novel solutions. I am really looking
forward to meeting you this winter, listening to
your ideas in committee, and watching you put
them into action. If you have any questions or
concerns, or if you are just bored and want to talk,
do not hesitate to reach out to me. I’m more than
happy to help, and I cannot wait to meet you all!

Sincerely,
Dylan Parker
Director, Legal Committee
Harvard Model United Nations India 2018