Part 6 (1/2)

As this book is primarily intended to address the technical aspects of cyber warfare, the purpose of this chapter is to provide readers with a basic understanding of the law of war as it relates to cyber warfare and to demonstrate that there is a sound legal basis for states to respond to cyber attacks in self-defense. For a more detailed legal discussion filled with legal citations and factual research, I suggest reading my article on cyber warfare in the Fall 2009 edition of the Military Law Review. Furthermore, there are a number of policymaking implications that naturally flow from the conclusions of this chapter, which shall not be fully addressed here.

This chapter is broken down into several sections for ease of reading. First, it reviews the legal problems that states encounter when dealing with cyber attacks, and why current interpretations of the law of war actually endanger states. Second, it lays out the basic framework for analyzing armed attacks. Third, it explores the challenges that nonstate actors present to the basic framework of the law of war. Fourth, it analyzes cyber attacks under the law of war and demonstrates that victim-states have a right to respond with force against host-states that neglect their duty to prevent cyber attacks. Finally, it examines the choice to use force, explains why active defenses are the most appropriate use of force under the law of war, and describes the legal problems that states will face when using active defenses.

The Legal Dilemma.

Given the potentially catastrophic consequences that cyber attacks can cause, it is imperative for states to be able to effectively defend their critical infrastructure from attack. The most effective way to ward off cyber attacks is to use a layered defense of active and passive defenses. Unfortunately, states intentionally choose to confine their computer defenses to passive defenses alone, in part out of fear that using active defenses violates the law of war.

Right now, no comprehensive international treaty exists to regulate cyber attacks. Consequently, states must practice law by analogy: either equating cyber attacks to traditional armed attacks and responding to them under the law of war or equating them to criminal activity and dealing with them under domestic criminal laws. The prevailing view of states and legal scholars is that states must treat cyber attacks as a criminal matter (1) out of uncertainty over whether a cyberattack can even qualify as an armed attack, and (2) because the law of war requires states to attribute an armed attack to a foreign government or its agents before responding with force.

This limited view of the law of war is problematic for two reasons. First, because active defenses are a form of electronic force, it confines state computer defenses to passive defenses alone, which weakens state defense posture. Second, it forces states to rely on domestic criminal laws to deter cyber attacks, which are ineffective because several major states are unwilling to extradite or prosecute their attackers. Given these problems with the prevailing view of the law of war, states find themselves in a “response crisis” during a cyber attack, forced to decide between effective, but arguably illegal, active defenses, and the less effective, but legal, passive defenses and criminal laws.

More than anything else, the attribution requirement perpetuates the response crisis because it is virtually impossible to attribute cyber attacks during an attack. Although states can trace cyber attacks back to computer servers in another state, conclusively ascertaining the identity of the attacker requires intensive, time-consuming investigation with the assistance of the state of origin. Given the prohibition on responding with force until an attack has been attributed to a state or its agents, coupled with the fact that the vast majority of cyber attacks are conducted by nonstate actors, it should come as no surprise that states are reluctant to treat cyber attacks as acts of war and risk violating international law. This “attribution problem” locks states into the response crisis.

Treating cyber attacks as a criminal matter would not be problematic if passive defenses and criminal laws provided sufficient protection from them. Unfortunately, neither is adequate. While passive defenses are always the first line of defense and reduce the chances of a successful cyber attack, states cannot rely on them to completely secure their critical information systems. Furthermore, passive defenses do little to dissuade attackers from attempting their attacks in the first place. Deterrence comes from criminal laws and the penalties associated with them. However, criminal laws have proven to be impotent to deter international cyber attacks because several major states, such as China and Russia, allow their attackers to operate with impunity when their attackers target rival states.

The Road Ahead: A Proposal to Use Active Defenses.

To escape this dilemma, states must use active defenses. Not only will active defenses greatly improve state cyber defenses, but it logically follows that using them will serve as a deterrent to cyber attacks since attackers will not want to subject themselves to counterattack.

As we'll review in further detail later in this chapter, the legal authority for states to use active defenses flows from the longstanding duty that states have to prevent nonstate actors from using their territory to commit cross-border attacks. Traditionally, this duty only required states to prevent illegal acts that the state knew about beforehand; however, this duty has evolved in response to international terrorism and now requires states to act against groups generally known to carry out illegal acts. In the realm of cyber warfare, this duty should be interpreted to require states to enact and enforce criminal laws to deter cross-border cyber attacks. Otherwise, the current situation that states face with China and Russia will continue to exist. Requiring states to enact and enforce criminal laws against cyber attacks will solve the current crisis in one of two ways: either states will live up to their duty and start enforcing criminal laws against attackers, or states will violate their duty, which will create a legal pathway for victim-states to hold them legally responsible for an attack without having to attribute it first. In effect, repeated failure by a state to take criminal action against its attackers will result in it being declared a “sanctuary state,” allowing other states to use active defenses against cyber attacks originating from within its borders.

Given the importance of using active defenses, it would be best if international law could provide parameters regarding their proper use. After all, one of the purposes of international law is to get states to behave in predictable ways that are acceptable to the international community. Thus, unless the international community wants to risk unpredictable and unacceptable responses to cyber attacks, international law must provide guidelines for the use of active defenses. Luckily, the law of war is robust enough to provide guidance to states; one only needs to fully examine it.

[3] The views expressed in this chapter are those of the author and do not necessarily represent the views of the Department of Defense. The author would like to thank Major J. Jeremy Marsh, Judge Advocate General's Corps, US Air Force, for his invaluable assistance during his research into cyber warfare.

[4] Active defenses are electronic countermeasures designed to strike attacking computer systems and shut down cyber attacks midstream. Security professionals can set up active defenses to automatically respond to attacks against critical systems, or they can carry them out manually. For the most part, active defenses are classified, though programs that send destructive viruses back to the perpetrator's machine or packet-flood the intruder's machine have entered the public domain. Passive defenses are the traditional forms of computer security used to defend computer networks, such as system access controls, data access controls, security administration, and secure system design.

The Law of War.

The law of war is divided into two principal areas, jus ad bellum and jus in bello. Jus ad bellum, also known as the law of conflict management, is the legal regime governing the transition from peace to war. It basically lays out when states may lawfully resort to armed conflict. Jus in bello, also known as the law of armed conflict, governs the actual use of force during war. The analysis of whether states can respond to cyber attacks with active defenses predominantly falls under jus ad bellum, since jus ad bellum sets forth the thresholds that cyber attacks must cross to be considered acts of war.

Historically, the transition from peace to war fell under the prerogative of the sovereign; however, it came under international law following World War II with the ratification of the UN Charter. Although the UN Charter is not the only source of jus ad bellum, it is the starting point for all jus ad bellum analysis. The relevant articles of the UN Charter are Articles 2(4), 39, and 51, which provide the framework for modern jus ad bellum analysis.

General Prohibition on the Use of Force.

Article 2(4) prohibits states from employing “the threat or use of force against the territorial integrity or political independence of [another] state, or in any other manner inconsistent with the Purposes of the United Nations.” In effect, it criminalizes both the aggressive use of force and the threat of the aggressive use of force by states as crimes against international peace and security. Although the UN Charter's protections apply only to states that are parties to it, the prohibitions of Article 2(4) are so widely followed that they have come to be recognized as customary international law, binding on all states across the globe.

Thus, states may not threaten to use or actually use force against another state unless an exception is carved out within the UN Charter. This position is further supported by Article 2(3), which requires states to “settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered.” Only two exceptions exist to this seemingly all-encompassing renunciation on the use of force: actions authorized by the UN Security Council and self-defense.

The First Exception: UN Security Council Actions.

The first exception to the general prohibition on the use of force is actions authorized by the UN Security Council. Article 42 of the UN Charter allows the Security Council to use military force to restore international peace and security. However, while the UN Charter grants the Security Council power to use military force, the Security Council cannot do so until it has met the conditions of Articles 39, 41, and 42.

Article 39 is the first threshold that the Security Council must cross before it can authorize the use of force. It requires the Security Council to determine that a “threat to the peace, breach of the peace, or act of aggression” exists. Once the Security Council determines that this threshold has been met, it can attempt to restore international peace and security in accordance with Articles 41 and 42 of the UN Charter.

Article 41, the use of nonmilitary measures, is the Charter's preferred method for restoring international peace and security. Under it, the Security Council can direct states to use nonmilitary measures to coerce an offending state into ceasing its aggression. The nonmilitary measures are implemented by UN member states and may include the “complete or partial interruption of economic relations...and other means of communication, and the severance of diplomatic relations.”

When the Security Council determines that Article 41 measures would be pointless to try or have proven unsuccessful, it may authorize military measures under Article 42. However, unlike its Article 41 powers, the Security Council may only authorize member states to take military action; it cannot compel them to do so.

The Second Exception: Self-Defense.

The second exception to the general prohibition on the use of force is self-defense. This right is enshrined in Article 51 of the UN Charter, which proclaims that “[n]othing in the present Charter shall impair the inherent right of [states to engage in] individual or collective self-defense” in response to an “armed attack.” As the text of Article 51 implies, the right of self-defense existed long before the UN Charter, and it has been reaffirmed by the Charter as an inherent right under customary international law. Self-defense essentially stands for the proposition that states have a fundamental right to survive, and they may use force to protect themselves and their citizens. Because this right exists independently from the UN Charter, self-defense analysis draws on both the provisions of Article 51 of the UN Charter and the principles of customary international law.

The bedrock principle of self-defense is that it may be invoked in response to an armed attack. Unfortunately, although this cornerstone is universally recognized under international law, ambiguity over the meaning of “armed attack” has led to an ongoing debate about when states may invoke self-defense. This is because the Charter never defines “armed attack.” Since the timing of self-defense is contingent on when an armed attack occurs, it is critical to resolve what constitutes an armed attack. This debate has become even more pronounced regarding cyber attacks, which are far more difficult to classify than traditional attacks with conventional weapons.

Self-defense analysis is further complicated because of competing theories among legal scholars on the interplay between the UN Charter and customary international law. Some commentators place heavier emphasis on the UN Charter, arguing that Article 51 limits self-defense to responses against actual armed attacks. Others place more emphasis on customary international law, arguing that the historical right of states to treat imminent armed attacks as armed attacks is also lawful. Imminent armed attacks are addressed later in this chapter, but for now, it is worth noting that although there are different theories about the definition of an armed attack, once a state is targeted with an armed attack by another state, everyone agrees the victim-state and its allies are legally authorized to use force against the aggressor.

Self-defense responses must comply with international law. Just because an armed attack has occurred against a victim-state does not mean that the victim-state has a blank check to wage unlimited war against the aggressor. Self-defense responses must be necessary and proportional. Necessity means that self-defense is actually required under the circumstances because a reasonable settlement could not be attained through peaceful means. Proportionality requires self-defense actions to be limited to the amount of force necessary to defeat an ongoing attack or deter future aggression. This principle does not require the size and scope of defensive actions to be similar to those of the attack. A defensive action may need to employ significantly greater force than the attacker used to successfully repel the attacker. The key is to determine the amount of force needed to either defeat the current attack or deter future attacks. These two principles define the legal boundaries to self-defense responses.

A Subset of Self-Defense: Anticipatory Self-Defense.

Anticipatory self-defense is a subset of self-defense and a longstanding tenet of international law. It allows states to defend themselves against imminent armed attacks, rather than forcing them to wait until their enemies cross their borders.