Part 7 (1/2)

This shift began with the International Tribunal for the former Yugoslavia's seminal opinion on state responsibility in the Tadic case, in which it revised the direct control test to impute host-state responsibility for the actions of groups of nonstate actors when a state exercised “overall control” of the group, even though the state may not have directed the particular act in question.[10] Although overall control is still a form of direct control, the opinion marked a significant relaxation of the standard for state responsibility.

The shift to indirect responsibility continued through the middle of 2001, with a general consensus emerging that any breach of a state's international obligations to other states, whether from treaty law or customary law, and whether the result of a state's acts or its failures to act, resulted in international responsibility for the state.[11] This consensus solidified following the 9/11 terrorist attacks on the United States, bringing us to today's framework for state responsibility.

September 11, 2001, marked the culmination of the shift of state responsibility from the paradigm of direct control to indirect responsibility. On that date, Al Qaeda terrorists hijacked four airplanes, flew three of them into buildings in the United States, and killed more than three thousand US citizens in what was widely recognized as an armed attack. Al Qaeda was based in Afghanistan, which at the time was ruled by the Taliban. While the Taliban harbored Al Qaeda and occasionally provided it limited logistical support, the Taliban did not exercise effective or even overall control over Al Qaeda. Further distancing the Taliban from 9/11 is the lack of evidence suggesting that the Taliban knew of the 9/11 attacks beforehand, or even endorsed them after the fact. Yet despite all of this, it was internationally accepted that Al Qaeda's acts were legally imputable to the Taliban, and thus to Afghanistan, because it had harbored and sheltered Al Qaeda, and refused to stop doing so, even after being warned to stop.

Thus, following 9/11, state responsibility may be implied based on a state's failure to fulfill its international duty to prevent nonstate actors from using its territory to attack other states. As such, there need not be a causal link between a wrongdoer and a state; rather, only a failure of a state to uphold its duty to prevent attacks from its territory into another state. “Hence, a state's passiveness or indifference toward [a non-state actor's] agendas within its own territory might trigger its responsibility, possibly on the same scale as though it had actively participated in the planning.”[12] Much of the legal analysis of whether a state is responsible will “turn on an ex-post facto analysis of whether the state could have put more effort into preventing the...attack.”[13]

However, even when state responsibility is imputed for the armed attacks of nonstate actors, states may still be forbidden from responding with force. The final step in the legal analysis ends with the legality of cross-border operations against other states.

Cross-Border Operations.

Cross-border operations into the territory of an offending state are the natural consequence of imputed state responsibility for the armed attacks of nonstate actors. However, states must meet a number of legal requirements before they may pursue a nonstate aggressor into another state in self-defense. To understand the rationale behind why states may breach a host-state's general right to territorial integrity in self-defense and the requirements states must meet in order to do so, one must first look to the UN Charter's general prohibition on using force against another state.

The right of territorial integrity generally gives way to the right of self-defense. The principle underlying this balancing act is that when one state violates another state's territorial integrity, it forfeits its own right to territorial integrity. This principle evolved out of state-on-state attacks, but it also may be applied in a similar manner when states are indirectly responsible for the violations of another state's territorial integrity by nonstate actors. The key is whether the host-state tried to prevent its territory from being used to commit criminal acts against the victim-state.

As always, before a state resorts to self-defense, it must ensure that it meets the criteria of necessity, proportionality, and, if using the subset of anticipatory self-defense, imminency. Effectively, a state must have no viable alternatives to the use of force, and it must limit its use of force to securing its defensive objectives.

The application of these requirements may vary depending on whether the acts of the nonstate actors were imputed based on direct control or indirect attribution. In cases of direct control, the victim-state may immediately impute responsibility to the host-state and act in self-defense against it and the nonstate actors inside it. In cases of indirect attribution, a victim-state must overcome another hurdle before conducting cross-border operations, and ensure that it has properly linked the actions of the nonstate actors to the host-state. This may be done by issuing an ultimatum to the sanctuary state to comply with its international obligations or else.

The sanctuary state must then either act against the nonstate actors, or willingly allow the victim-state to enter its territory and mount operations against the nonstate actors. Otherwise the victim-state can impute responsibility and conduct its cross-border operations into the host-state. However, in doing so, the victim-state must limit its targets to the nonstate actors, unless the host-state uses force to oppose the lawful cross-border operations.

Based on the foregoing analysis, it is evident that victim-states may forcibly respond to armed attacks by nonstate actors located in another state when host-states violate their duty to prevent those attacks. With cyber attacks, imputing state responsibility in this manner provides states a legal path to utilize active defenses without having to conclusively attribute an attack to a state or its agents. In effect, imputing responsibility is the equivalent of attributing the attack to the state or its agents. Thus, imputing responsibility provides states a way around the attribution problem and response crisis. However, just because there is a legal pathway to get around the requirement that armed attacks be attributable to a state or its agents does not mean that cyber attacks by nonstate actors lend themselves to this framework. As a result, it is imperative to explain why cyber attacks constitute armed attacks, what a state's duty to prevent cyber attacks means, and the factual circumstances that would allow a victim-state to forcibly respond to a cyber attack.

[7] Schmitt, supra note 2, at 540–41 (quoting John Bassett Moore in S.S. Lotus [Fr. v. Turk.] 1927 P.C.I.J. [ser. A] No. 10, at 4, 88 [Moore, J., dissenting]).

[8] Corfu Channel case (Merits), 1949 I.C.J. Rep. 4, 22 (Apr. 9).

[9] Case Concerning United States Diplomatic and Consular Staff in Tehran, 1980 I.C.J. Rep. 3, 32–33, 44 (May 24).

[10] Prosecutor v. Tadic, Case No. IT-94-1-A, I.C.T.Y. App. Ch., at 49 (July 15, 1999).

[11] See 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts, UN Doc. A/CN.4/L.602/Rev. 1 (2001). The draft articles were later commended to state governments in 2001 and 2004. See G.A. Res. 56/83, UN Doc. A/RES/56/83 (Jan. 28, 2002); G.A. Res. 59/35, UN Doc. A/RES/59/35 (Dec. 16, 2004).

[12] Proulx, Vincent-Joel. 2005. “Babysitting Terrorists: Should States Be Strictly Liable for Failing to Prevent Transborder Attacks?” Berkeley Journal of International Law: 23, 615–24.

[13] Id. at 663–64.

Analyzing Cyber Attacks under Jus ad Bellum.

Cyber attacks represent a conundrum for legal scholars. Cyber attacks come in many different forms, their destructive potential limited only by the creativity and skill of the attackers behind them. Although it may seem intuitive that cyber attacks can constitute armed attacks, especially in light of their ability to injure or kill, the legal community has been reluctant to adopt this approach because cyber attacks do not resemble traditional armed attacks with conventional weapons. Further clouding the legal waters is the erroneous view of states and scholars alike on the need for states to attribute cyber attacks to a state or its agents before responding with force. Although it is true that cyber attacks do not resemble traditional armed attacks, and that cyber attacks are difficult to attribute, neither of these characteristics should preclude states from responding with force. This section explores different analytical models for assessing armed attacks, the logical meaning of the duty of prevention as it relates to cyber attacks, and the technological capacity of trace programs to trace attacks back to their point of origin. After all of these issues are examined, it becomes clear that states may legally use active defenses against cyber attacks originating from states that violate their duty to prevent them.

Cyber Attacks as Armed Attacks.

Victim-states must be able to classify a cyber attack as an armed attack or imminent armed attack before responding with active defenses because, as we discussed earlier in this chapter, armed attacks and imminent armed attacks are the triggers that allow states to respond in self-defense or anticipatory self-defense. Ideally, there would be clear rules for classifying cyber attacks as armed attacks, imminent armed attacks, or lesser uses of force. Unfortunately, since cyber attacks are a relatively new attack form, international efforts to classify them are still in their infancy, even though the core legal principles governing armed attacks are well settled. Consequently, whether cyber attacks can qualify as armed attacks and which cyber attacks should be considered armed attacks are left as open questions in international law. To answer these questions, this subsection examines the core legal principles governing armed attacks, applies them to cyber attacks, explains why cyber attacks can qualify as armed attacks, and attempts to provide some insight into which cyber attacks should be considered armed attacks.

“Armed attack” is not defined by any international convention. As a result, its meaning has been left open to interpretation by states and scholars. Although this might sound problematic, it is not. The framework for analyzing armed attacks is relatively well-settled, as are the core legal principles governing its meaning. The international community generally accepts Jean S. Pictet's scope, duration, and intensity test as the starting point for evaluating whether a particular use of force constitutes an armed attack. Under Pictet's test, a use of force is an armed attack when it is of sufficient scope, duration, and intensity. Of course, as is the case with many international legal concepts, states, nongovernmental organizations, and scholars all interpret the scope, duration, and intensity test differently.

State declarations help flesh out which uses of force are of sufficient scope, duration, and intensity to constitute an armed attack. Harkening back to the French-language version of the UN Charter, which refers to “armed aggression” rather than an “armed attack,” the UN General Assembly passed the Definition of Aggression resolution in 1974. The resolution requires an attack to be of “sufficient gravity” before it is considered an armed attack. The resolution never defines armed attacks, but it does provide examples that are widely accepted by the international community. Although the resolution has helped settle the meaning of armed attacks for conventional attacks, the more technology has advanced, the more attacks have come in forms not previously covered by state declarations and practices. Consequently, states recognize that unconventional uses of force may warrant treatment as an armed attack when their scope, duration, and intensity are of sufficient gravity. As a result, states are continually making proclamations about new methods of warfare, slowly shaping the paradigm for classifying armed attacks.

Scholars have advanced several analytical models to deal with unconventional attacks, such as cyber attacks, to help ease attack classification and put the scope, duration, and intensity analysis into more concrete terms. These models are especially relevant to cyber attacks because they straddle the line between criminal activity and armed warfare. There are three main analytical models for dealing with unconventional attacks. The first model is an instrument-based approach, which checks to see whether the damage caused by a new attack method previously could have been achieved only with a kinetic attack.[14] The second is an effects-based approach, sometimes called a consequence-based approach, in which the attack's similarity to a kinetic attack is irrelevant and the focus shifts to the overall effect that the cyber attack has on a victim-state.[15] The third is a strict liability approach, in which cyber attacks against critical infrastructure are automatically treated as armed attacks, due to the severe consequences that can result from disabling those systems.[16]

Of these three approaches, the effects-based approach is the best analytical model for dealing with cyber attacks. Not only does effects-based analysis account for everything that an instrument-based approach covers, but it also provides an analytical framework for situations that do not neatly equate to kinetic attacks.[17] Effects-based analysis is also superior to strict liability because responses to cyber attacks under an effects-based approach comport with internationally accepted legal norms and customs, whereas a strict liability approach may cause victim-states to violate the law of war.[18]

Of all of the scholars who advocate effects-based models, Michael N. Schmitt has advanced the most useful analytical framework for evaluating cyber attacks. In his seminal article “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” Schmitt lays out six criteria for evaluating cyber attacks as armed attacks.[19] These criteria are severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy. Taken together, they allow states to measure cyber attacks along several different axes. While no one criterion is dispositive, cyber attacks satisfy enough criteria to be characterized as armed attacks. Since their publication, Schmitt's criteria have gained traction in the legal community, with several prominent legal scholars advocating for their use. Many hope that Schmitt's criteria will help bring some uniformity to state efforts to classify cyber attacks. However, until Schmitt's criteria gain wider acceptance, states are likely to classify cyber attacks differently, depending on their understanding of armed attacks as well as their conception of vital national interest.

Classifying cyber attacks will be difficult for states to do in practice.[20] Although the initial decision to respond to cyber attacks under the law of war as a matter of policy will have to be made by state policymakers, the actual decision to use active defenses will have to be pushed down to the system administrators who actually operate computer networks. One of the challenges policymakers will face is translating international law into concise, understandable rules for their system administrators to follow, so that a state's agents comply with international law while protecting its vital computer networks. However, classifying cyber attacks as armed attacks or imminent armed attacks is only the first hurdle system administrators must clear before responding with active defenses. The second and equally important hurdle is establishing state responsibility for the attack.

Schmitt's Six Criteria.

The meanings of these criteria are as follows:

Severity looks at the scope and intensity of an attack. Analysis under this criterion examines the number of people killed, size of the area attacked, and amount of property damage done. The greater the damage, the more powerful the argument becomes for treating the cyber attack as an armed attack.

Immediacy looks at the duration of a cyber attack, as well as other timing factors. Analysis under this criterion examines the amount of time the cyber attack lasted and the duration of time that the effects were felt. The longer the duration and effects of an attack, the stronger the argument that it was an armed attack.

Directness looks at the harm caused. If the attack was the proximate cause of the harm, it strengthens the argument that the cyber attack was an armed attack. If the harm was caused in full or in part by other parallel attacks, the argument that the cyber attack was an armed attack is weaker.

Invasiveness looks at the locus of the attack. An invasive attack is one that physically crosses state borders, or electronically crosses borders and causes harm within the victim-state. The more invasive the cyber attack, the more it looks like an armed attack.

Measurability tries to quantify the damage done by the cyber attack. Quantifiable harm is generally treated more seriously in the international community. The more a state can quantify the harm done to it, the more the cyber attack looks like an armed attack. Speculative harm generally makes a weak case that a cyber attack was an armed attack.