Part 8 (1/2)

Determining whether a state is acting as a sanctuary state is extremely fact-dependent. When considering this question, victim-states must look at a host-state's criminal laws, law enforcement practices, and track record of cooperation with the victim-states of cyber attacks that originate from within its borders. In effect, host-states will be judged on their efforts to catch and prosecute attackers who have committed cyber attacks, which is probably the only way that states can deter and prevent future attacks. Since victim-states will end up judging whether a host-state has lived up to its international duties, host-states must cooperate with victim-states to ensure transparency. Cooperation will necessarily entail a host-state showing its criminal investigations to a victim-state so that victim-states can correctly judge host-state action.

Furthermore, when a host-state lacks the technical capacity to track down attackers, international law should require it to work together with law enforcement officials from the victim-state to jointly track them down.[34] These two measures will prevent host-states from being perceived as uncooperative and complicit in the use of their networks for attacks against other states. States that deny involvement in a cyber attack but refuse to open their investigative records to the victim-state cannot expect to be treated as living up to their international duties. In effect, host-states that refuse to cooperate with victim-states are stating their unwillingness to prevent cyber attacks and have declared themselves sanctuary states.

Once a host-state demonstrates that it is a sanctuary state through its inaction, other states can impute responsibility to it. At that point, the host-state becomes liable for the cyber attack that triggered an initial call for investigation, as well as for all future cyber attacks originating from it. This opens the door for a victim-state to use active defenses against the computer servers in that state during a cyber attack.

[14] For instance, under an instrument-based approach, a cyber attack used to shut down a power grid is an armed attack. This is because shutting down a power grid typically required dropping a bomb on a power station or some other kinetic use of force to incapacitate the grid. Since conventional munitions were previously required to achieve the result, under the instrument-based approach the cyber attack is therefore treated the same way.

[15] For instance, under an effects-based approach, a cyber attack that manipulated information across a state's banking and financial institutions to seriously disrupt commerce in the state is an armed attack. Although the manipulation of information does not resemble a kinetic attack, as required under an instrument-based approach, the disruptive effects that the attack had on the state's economy are a severe enough overall consequence to warrant treatment as an armed attack.

[16] It is important to note that this third analytical model for dealing with cyber attacks is intended to justify anticipatory self-defense before any harm actually results. Walter Gary Sharp Sr. proposed this model due to the speed with which a computer penetration can transition into a destructive attack against defense critical infrastructure. His reasoning is that once a penetration has occurred, an imminent threat exists with the ability to cause harm of extreme scope, duration, and intensity, thereby justifying anticipatory self-defense. See Walter Gary Sharp Sr. 1999. Cyberspace and the Use of Force. Aegis Research Corp. 129–31.

[17] For instance, a cyber attack might shut down a system, rendering it inoperable for some time, or a cyber attack might cause an explosion at a chemical plant by tampering with the computers that control the feed mixture rates. The results of those attacks mirror the results of conventional armed attacks, previously only achievable through kinetic force, thus satisfying the instrument-based approach. Unfortunately, cyber attacks can also cause extreme harm that does not mirror the results of conventional armed attacks. For instance, coordinated cyber attacks could bring financial markets to their knees without ever employing anything that looked remotely like a kinetic attack, or altered data on a massive scale could disrupt banking, financial transactions, and the general underpinnings of the economy, sowing confusion throughout the victim-state for some time. Under an effects-based approach, the scope, duration, and intensity of this attack would equate to an armed attack, despite the fact that it was not previously achievable only through kinetic force.

[18] The proponents of a strict liability approach advocate automatically responding to cyber attacks on critical infrastructure with active defenses. However, automatically responding to cyber attacks in this manner can easily lead a victim-state to counter-attack a state with a long history of doing everything within its power to prevent cyber attacks and prosecute its attackers. Were a victim-state to respond with active defenses against a nonsanctuary state, it would violate jus ad bellum. This is because there is no way to impute state responsibility to such a state, directly or indirectly, even though the cyber attack may constitute an armed attack.

[19] Schmitt, M. 1999. “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework.” Columbia Journal of Transnational Law 37: 885, 913–15.

[20] But there is no doubt that some cyber attacks will qualify as armed attacks, and should be dealt with using self-defense and anticipatory self-defense legal principles as a justification for using active defenses. Some will undoubtedly critique this conclusion. However, those who do miss the way that states have classified unconventional attacks in the past. New attack methods frequently fall outside the accepted definitions of armed attacks. This does not mean that the attacks are not armed attacks, merely that the attacks don't fit traditional classifications. Furthermore, anyone who argues that cyber attacks cannot rise to the level of armed attacks misses an important facet of international law: reprisals, which can be used as an alternate basis to authorize active defenses against cyber attacks. This is because at a minimum, cyber attacks are an illegal use of force, and their use would then allow states to use another illegal use of force, short of armed force, to deter sanctuary states from allowing attackers to commit them.

[21] Council of Europe, Convention on Cybercrime, opened for signature Nov. 23, 2001, 41 I.L.M. 282 (hereinafter Convention on Cybercrime).

[22] Customary international law does not require state practice to be universal, and general practices can satisfy the requirements of customary international law. The test for when state practices become customary international law is when the practice is extensive and representative of rules that states feel bound to follow. Within this framework, there is a doctrine for states whose interests are especially affected by a rule, and their practices carry more weight in contributing to customary international law than other states. See North Sea Continental Shelf (F.R.G. v. Den.; F.R.G. v. Neth.), 1969 I.C.J. 3, 43 (Feb. 20). To date, 26 states have ratified the Convention on Cybercrime, the majority of which are major western powers, three of which hold permanent Security Council seats, and five of which place among the twenty states with the most Internet users in the world: France, Germany, Italy, the United Kingdom, and the United States. Together, these five states combine for 25 percent of the Internet users in the world. Furthermore, while not yet parties to the treaty, Canada, Japan, Spain, and Poland are all signatories to it, and are expected to ratify it soon. These four states are among the remaining twenty states with the most Internet users in the world, and their ratification would greatly move state practice to the standards set forth in the convention. See Council of Europe, Convention on Cybercrime, Chart of Signatures and Ratifications, conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=18/06/04&CL=ENG (listing the 46 signatories and 26 parties to the Convention on Cybercrime; last visited Sept. 2, 2009) and Top 20 Countries with the Highest Number of Internet Users, /top20.htm (last visited Sept. 2, 2009).

[23] The Convention on Cybercrime requires parties to it to establish criminal offenses for almost every conceivable type of cyber attack under their domestic laws. See Convention on Cybercrime, supra note 19, arts. 2–11, at 284–87. It also recognizes the importance of prosecuting attackers, and requires states to extend their jurisdiction to cover all cyber attacks conducted from within their territory or conducted by their citizens, regardless of their location at the time of attack. See id. art. 22, at 291–92. Finally, the convention recognizes the importance of state cooperation, and requires states to provide “mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences.” See id. arts. 23–25, at 292–93.

[24] These treaties include the 1963 Tokyo Convention on Offences and Certain Other Acts Committed on Board Aircraft, the 1970 Hague Convention for the Suppression of Unlawful Seizure of Aircraft, the 1971 Montreal Convention for the Suppression of Unlawful Acts Against the Safety of Civil Aviation, the 1979 International Convention Against the Taking of Hostages, the 1988 Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation, the 1988 Montreal Protocol on the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation, the 1997 International Convention for the Suppression of Terrorist Bombings, the 1999 International Convention for the Suppression of the Financing of Terrorism, and the 2005 International Convention for the Suppression of Acts of Nuclear Terrorism.

[25] 1970 Declaration on Friendly Relations, G.A. Res. 2625, 1, UN GAOR, 25th Sess., Annex, Agenda Item 85, UN Doc. A/Res/2625 (Oct. 24, 1970); 2000 Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-First Century, G.A. Res. 55/59, Annex, 18, UN Doc. A/RES/55/59/Annex (Jan. 17, 2001); 2001 Articles on the Responsibility of States for Internationally Wrongful Acts, UN Doc. A/CN.4/L.602/Rev. 1 (2001).

[26] G.A. Res. 2625, supra note 23, 1; Secretary-General, Report of the High-Panel on Threats, Challenges and Change, 17, 24, delivered to the General Assembly, UN Doc A/59/565 (Dec. 2, 2004).

[27] G.A. Res. 45/121, 3, UN Doc. A/RES/45/121 (Dec. 14, 1990); G.A. Res. 55/63, 1, UN Doc. A/RES/55/63 (Jan. 22, 2001); see also Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27–Sept. 7, 1990, report prepared by the Secretariat, at 140–43, UN Doc. A/CONF.144/28/Rev.1 (1991).

[28] G.A. Res. 55/63, supra note 25, 1.

[29] G.A. Res. 45/121, supra note 25, 3 (embracing the principles adopted by the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, and inviting states to follow them); G.A. Res. 55/63, supra note 25, 1; see also Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27–Sept. 7, 1990, report prepared by the Secretariat, at 140–43, UN Doc. A/CONF.144/28/Rev.1 (1991).

[30] The White House, The National Strategy to Secure Cyberspace (2003); Convention on Cybercrime, supra note 19; Huw Jones, Estonia Calls for EU Law to Combat cyber attacks, Reuters, Mar. 12, 2008, /article/reutersEdge/idUSL1164404620080312 (reporting Estonia's call to fight cyber attacks as a threat to international peace and security); G.A. Res. 53/70, UN Doc. A/RES/53/70 (Jan. 4, 1999); G.A. Res. 54/49, 2, UN Doc. A/RES/54/49 (Dec. 23, 1999); G.A. Res. 55/28, UN Doc. A/RES/55/28 (Dec. 20, 2000); G.A. Res. 56/19, UN Doc. A/RES/56/19 (Jan. 7, 2002); G.A. Res. 56/121, UN Doc. A/RES/56/121 (Jan. 23, 2002); G.A. Res. 57/53, UN Doc. A/RES/57/53 (Dec. 30, 2002); G.A. Res. 57/239, 15, UN Doc. A/RES/57/239 (Jan. 31, 2003); G.A. Res. 58/32, UN Doc. A/RES/58/32 (Dec. 18, 2003); G.A. Res. 58/199, 16, UN Doc. A/RES/58/199 (Jan. 30, 2004); G.A. Res. 59/61, UN Doc. A/RES/59/61 (Dec. 16, 2004); G.A. Res. 59/220, 4, UN Doc. A/RES/59/220 (Feb. 11, 2005); G.A. Res. 60/45, UN Doc. A/RES/60/45 (Jan. 6, 2006); G.A. Res. 60/252, 8, UN Doc. A/RES/60/252 (Apr. 27, 2006); G.A. Res. 61/54, UN Doc. A/RES/61/54 (Dec. 19, 2006).

[31] Tellini case, 4 League of Nations O.J. 524 (1924).

[32] S.S. Lotus (Fr. v. Turk.) 1927 P.C.I.J. (ser. A) No. 10, at 4, 88 (Moore, J., dissenting).

[33] Corfu Channel Case (Merits), 1949 I.C.J. 4, 22 (Apr. 9).

[34] This position is supported by numerous UN General Assembly Resolutions, the European Convention on Cybercrime, and other UN documents, which all urge states to cooperate in investigating and prosecuting the criminal misuse of information technologies. See supra notes 24, 27 and accompanying text; United Nations Manual on the Prevention and Control of Computer Related Crime, 268–73 (1995).

The Choice to Use Active Defenses.

Although this chapter urges states to use active defenses to protect their computer networks, states that choose to use them will find themselves confronted with difficult legal decisions as a result of the limits of technology. Technological limitations will place states in a position where a timely decision to use active defenses requires states to decide to use them with imperfect knowledge. Since forcible responses to cyber attacks must comply with both principal areas of the law of war (jus ad bellum and jus in bello), the decision to use active defenses raises several other questions of law resulting from these technical limitations. From a practical standpoint, this will affect state decision-making at the highest and lowest levels of government. State policymakers will need to account for these limitations when setting policy, whereas state system administrators will need to account for these limitations when responding to actual cyber attacks.

This section analyzes these issues. First, it addresses the technological limitations that are likely to affect state jus ad bellum analysis. Next, it moves on to jus in bello issues. Jus in bello analysis will begin with the decision to use force, analyzing why active defenses are the most appropriate forceful responses to cyber attacks. Finally, jus in bello analysis will conclude with the impact that technological limitations are likely to have on state decisions to use force. Once this is complete, it will be clear that active defenses are a viable way for states to protect themselves, despite the fact that technological limitations will complicate state decision-making.

Technological Limitations and Jus ad Bellum Analysis.

While cyber attack analysis is greatly simplified by looking at whether a state of origin has violated its duty to prevent, rather than having to attribute an attack, states are still likely to find cyber attacks difficult to deal with in practice. Jus ad bellum requires states to carefully analyze a cyber attack and ensure that (1) the attack constitutes an armed attack or imminent armed attack; and (2) the attack originates from a sanctuary state. Both of these conditions must exist before a state can lawfully respond with active defenses under jus ad bellum.

Cyber attack analysis will be conducted by system administrators, whose position puts them at the forefront of computer defense. System administrators can use various computer programs to facilitate their analysis. Automated detection and warning programs can help detect intrusions, classify attacks, and flag intrusions for administrator action. Automated or administrator-operated trace programs can trace attacks back to their point of origin. These programs can help system administrators classify cyber attacks as armed attacks or lesser uses of force and evaluate whether attacks originate from a state previously declared a sanctuary state. When attacks meet the appropriate legal thresholds, system administrators may use active defenses to protect their networks.

Unfortunately, technological limitations on attack detection, attack classification, and attack traces are likely to further complicate state decision-making during cyber attack analysis. Ideally, attacks would be easy to detect, classify, and trace. Unfortunately, this is not the case. This section analyzes the technological limits of these programs and explores their likely impact on state decision makers and system administrators.

Limitations on attack detection.

Early detection and warning programs can help catch cyber attacks before they reach their culminating point, but even the best programs are unable to detect all cyber attacks. As a result, cyber attacks are bound to harm states. From a legal perspective, the failure to catch an attack until after its completion has both an upside and a downside. On the upside, states would gain the luxury of time to evaluate an attack, since the threat of danger will have already passed. On the downside, tracing an attack back to its source becomes more difficult the further removed the trace becomes from the time of attack.

Furthermore, even when it turns out that an armed cyber attack originates from a sanctuary state, state policymakers would need to think long and hard about using active defenses as a matter of policy. The longer it takes to detect an attack, the less compelling the need for states to use active defenses, especially when the attack seems truly complete. On the other hand, when an attack that has reached completion is seen as part of a series of ongoing attacks, the need to use active defenses to deter future attacks is more compelling.