Part 7 (2/2)

Presumptive legitimacy focuses on state practice and the accepted norms of behavior in the international community. Actions may gain legitimacy under the law when the international community accepts certain behavior as legitimate. The less a cyber attack looks like accepted state practice, the stronger the argument that it is an illegal use of force or an armed attack.

See Schmitt, supra note 16, at 91315; see also Wingfield, T. 2000. The Law of Information Conflict: National Security Law in Cyberspace. Aegis Research Corp. 12427 (examining Schmitt's use of force analysis).

Establishing State Responsibility for Cyber Attacks.

States cannot respond to a cross-border cyber attack with force without establishing state responsibility for the attack. Although historically this meant that an attack had to be attributed to a state or its agents, direct control of an attack is no longer a requirement for state responsibility. Today, international law bases a state's responsibility on its failure to meet its international duties.

This shift is especially important for cyber attacks because the prevailing view that states must treat cross-border cyber attacks as a criminal matter, rather than as a national security matter, seems to be based on the historic view of state responsibility. This limited view of state responsibility locks states into the response crisis by requiring states to attribute cyber attacks to a state or its agents before responding with active defenses, even though the likelihood of successfully attributing an attack is extremely remote. Consequently, states find themselves in the response crisis during a cyber attack, laboring under the false assumption that they must decide between effective, but illegal, active defenses, and the less effective, but legal, path of passive defenses and domestic criminal laws.

Given the shift in the law of state responsibility, states should determine whether a cyber attack can be imputed to the state of origin rather than trying to conclusively attribute it. Once a cyber attack is imputed to a state and that state refuses to return to compliance with its international duties, the legal barriers to acting in self-defense disappear.

While neither state practice nor the publications of legal scholars supports this view regarding cyber attacks yet, the accepted principles of customary jus ad bellum support imputing state responsibility for armed attacks by nonstate actors when the attacks originate from a state that allows nonstate actors to conduct criminal operations within their borders. States that allow nonstate actors to conduct those operations breach their duty to prevent attacks against other states, and are known as sanctuary states. This is extremely important to the victim-states of cyber attacks because when a cyber attack originates from a sanctuary state, a victim-state may employ active defenses and avert the response crisis.

It is thus necessary to understand the answers to two key questions: What is a state's duty to prevent cyber attacks?

What must a state do to violate its duty of prevention?

The answers are the legal keys that will establish the basis for imputing state responsibility for cyber attacks and unlock the restraints that states have placed on themselves by following the prevailing view of state responsibility for cyber attacks.

The Duty to Prevent Cyber Attacks.

States have an affirmative duty to prevent cyber attacks from their territory against other states. This duty actually encompasses several smaller duties to prevent cyber attacks, including passing stringent criminal laws, conducting vigorous law enforcement investigations, prosecuting attackers, and, during the investigation and prosecution, cooperating with the victim-states of cyber attacks. These are the duties of all states and, as you will see in this subsection, are binding as customary international law. The authority for these duties comes from all three sources of customary international law: international conventions, international custom, and the general principles of law common to civilized nations, as also evidenced by judicial decisions and the teachings of the most highly qualified international legal scholars.

Support from International Conventions.

The only international treaty directly on point is the European Convention on Cybercrime.[21] Although the treaty is only a regional agreement, it is still very influential on customary international law because of the importance of the states that have ratified it under the specially affected states doctrine.[22] Furthermore, it demonstrates state recognition of both the need to criminalize cyber attacks, and the duty of states to prevent their territory from being used by nonstate actors to conduct cyber attacks against other states.[23] The Convention is also significant because it recognizes that cyber attacks cannot be interdicted during the middle of an attack, and that the only way to prevent them is through aggressive law enforcement, coupled with state cooperation.

International treaties to criminalize terrorism provide further support, albeit indirectly, for the duty to prevent cyber attacks. The international community recognizes terrorism as a threat to international peace and security, but cannot agree on a definition. As a result, states have adopted the approach of outlawing specific terrorist acts each time terrorists adopt new attack methods, rather than outlawing terrorism itself.[24] These treaties impose several common requirements on states with regard to terrorist attack methods, such as taking all practicable measures for the purpose of preventing these attacks, criminalizing the attacks, submitting cases to competent authorities for prosecution, and forcing states to cooperate with each other throughout the criminal proceedings. Although these treaties do not address cyber attacks, the principles contained in them help influence state requirements under customary international law with regard to terrorism. Since there is growing evidence that cyber attacks will soon be a weapon of choice for terrorists, states should refer to the common principles found in these treaties as opinio juris when cyber attacks are used as a terrorist weapon.

Support from State Practice.

State treatment of cyber attacks under their criminal laws also evidences recognition of the duty to prevent cyber attacks under customary international law. Numerous states criminalize and prosecute cyber attacks to deter attackers from conducting them, on the basis that vigorous law enforcement is the only way to protect and prevent harm to their computer systems. This lends credence to the notion that, unlike a conventional attack, which can be stopped after detection, cyber attacks can be stopped only by establishing ex ante barriers that attackers are fearful of crossing. Furthermore, these practices demonstrate a growing recognition among states that cyber attacks must be stopped, and that the way to do so is through vigorous law enforcement.

State responses to transnational terrorist attacks further support recognition of a duty to prevent cyber attacks under customary international law. After the 9/11 terrorist attacks, states across the world condemned terrorism as a threat to international peace and security, and provided various forms of support to the United States in its war against Al Qaeda. Ensuring that terrorism will forever be legally recognized as a threat to international peace and security, the Security Council passed Resolution 1373, which reaffirmed that acts of international terrorism are threats to international peace and security and called on states to work together to prevent and suppress terrorism. The resolution further directed states to “refrain from providing any form of support” to terrorists through act or omission, to “deny safe haven” to those who commit terrorist acts, and “afford one another the greatest measure of assistance in connection with criminal investigations...[or] proceedings” related to terrorism.

The international community's response to terrorism does not directly define customary international law regarding cyber attacks, but it is persuasive on several fronts. First, it shows that states have a duty to prevent threats to international peace and security. Second, it demonstrates that passive acquiescence to threats to international peace and security will not be tolerated. Finally, it demonstrates that states must work together to prevent and suppress threats to international peace and security. The more cyber attacks resemble terrorism, the more easily they will fit into the paradigm constructed to deal with transnational terrorism. However, no matter their purpose, cyber attacks represent a threat to international peace and security and should be dealt with like other recognized transnational threats.

Numerous UN declarations about international crime also support recognizing the duty to prevent cyber attacks. These declarations urge states to take affirmative steps to prevent nonstate actors from using their territory to commit acts that cause civil strife in another state.[25] Furthermore, these declarations also support the duty of states to cooperate with one another to eliminate transnational crime, which lends credence to the duty to cooperate with victim-states during the criminal investigation and prosecution of cyber attacks.[26]

Focusing specifically on cyber attacks, states have made declarations themselves, and used the UN General Assembly to make numerous declarations about the importance of preventing cyber attacks. For instance, the UN General Assembly has called on states to criminalize cyber attacks[27] and to deny their territory from being used as a safe haven to conduct cyber attacks through state practice.[28]

The General Assembly has also called on states to cooperate with each other during the investigation and prosecution of international cyber attacks.[29] Even China's Premier Wen Jiabao has admitted that China should take firm and effective action to prevent all hacking attacks that threaten computer systems.

Furthermore, states are starting to recognize the threat that cyber attacks pose to international peace and security, with some states and the General Assembly directly recognizing cyber attacks as a danger to international peace and security.[30] These declarations all evidence recognition that states have a duty to prevent cyber attacks as a matter of law, to include the lesser duties of passing stringent criminal laws, vigorously investigating cyber attacks, prosecuting attackers, and having the host-states cooperate with victim-states during the investigation and prosecution of cases.

Support from the General Principles of Law.

The general principles of law common to civilized nations also support recognition of a duty to prevent cyber attacks. It is a well-established principle under the domestic laws of most states that individuals should be responsible for acts or omissions that have a causal link to harm suffered by another individual. While international law is not obligated to follow the domestic laws of states, international law may be derived from the general principles common to the major legal systems of the world. Most states use causation as a principle for establishing individual responsibility, lending credence to the idea that a state's responsibility should also be based on causation.

Thus, if a state failed to pass stringent criminal laws, did not investigate international cyber attacks, or did not prosecute attackers, it should be held responsible for international cyber attacks against another state because its omission helped create a safe haven for attackers to attack other states. Furthermore, as evidenced in the Corfu Channel case, the general duty to prevent attacks already allows states to be held accountable for causation to some degree, which supports using causation analogies from domestic laws when interpreting the customary duty to prevent cyber attacks.

Support from Judicial Opinions.

Finally, judicial opinions further support recognition of a state's affirmative duty to prevent cyber attacks from its territory against other states. In Tellini, a special committee of jurists held that a state may be held responsible for the criminal acts of nonstate actors when it “neglect[s] to take all reasonable measures for the prevention of the crime and pursuit, arrest and bringing to justice of the criminal.”[31] In S.S. Lotus, the Permanent Court of International Justice held that “a state is bound to use due diligence to prevent the commission within its dominions of criminal acts against another nation or its people.”[32]

In Corfu Channel, the International Court of Justice held that states have a duty “not to allow knowingly its territory to be used for acts contrary to the rights of other states.”[33] Although these are older cases, their principles still stand for and support the notion that states have a duty to prevent their territory from being used to commit criminal acts against another state, as well as a duty to pursue, arrest, and bring to justice criminals who have conducted cross-border attacks on other states.

Fully Defining a State's Duty to Prevent Cyber Attacks.

A state's duty to prevent cyber attacks should not be based on a state's knowledge of a particular cyber attack before it occurs, but rather on its actions to prevent cyber attacks in general. Cyber attacks are extremely difficult for states to detect prior to the commission of a specific attack, and are often committed by individuals or groups who are not even on a state's radar. However, just because cyber attacks are difficult to prevent does not mean that states can breach their duty to prevent them. Stringent criminal laws and vigorous law enforcement will deter cyber attacks. States that do not enact such laws fail to live up to their duty to prevent cyber attacks.

Likewise, even when a state has stringent criminal laws, if it looks the other way when cyber attacks are conducted against rival states, it effectively breaches its duty to prevent them through its unwillingness to do anything to stop them, just as if it had approved the attacks. In other words, a state's passiveness and indifference toward cyber attacks make it a sanctuary state, from where attackers can safely operate. When viewed in this light, it becomes apparent that a state can be held indirectly responsible for cyber attacks under the established principles of customary international law.

Sanctuary States and the Practices That Lead to State Responsibility.
