7 Legal and Ethical Perspectives on Cyberattack

7.1 THE BASIC FRAMEWORK

In the context of this chapter, international law refers to treaties (written agreements among states governed by international law) and customary international law (general and consistent practices of states followed from a sense of legal obligation). Domestic law refers to the Constitution of the United States, federal statutes, and self-executing treaties1 and can constrain the actions of government and of private individuals.

This chapter focuses on the implications of existing international and domestic law as well as relevant ethical regimes for the use of cyberattack by the United States. (It is thus not intended to address legal issues that arise mostly in the context of the United States defending against cyberattack.) Compared to kinetic weapons, weapons for cyberattack are a relatively recent addition to the arsenals that nations and other parties can command as they engage in conflict with one another. Thus, the availability of cyberattack weapons for use by national governments naturally raises questions about the extent to which existing legal and ethical perspectives on war and conflict and international relations—which affect

1 In 2008, the Supreme Court explained that a self-executing treaty is one that “operates of itself without the aid of any legislative provision,” and added that a treaty is “not domestic law unless Congress has either enacted implementing statutes or the treaty itself conveys an intention that it be ‘self-executing’ and is ratified on these terms.” See Medellin v. Texas, 128 S.Ct. 1346, 1356 (2008) (citations and internal quotations omitted).



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.

TECHNOLOGY, POLICY, LAW, AND ETHICS OF U.S. CYBERATTACK CAPABILITIES

considerations of how and when such weapons might be used—could require reinterpretation or revision.

Some analysts have responded to these questions in the negative, arguing that cyberweapons are no different than any other weapons and thus that no new legal or ethical analysis is needed to understand their proper use.2 Others have taken the opposite view, arguing that cyberweapons are so different from kinetic weapons that new legal regimes are needed to govern their use.3 Further, some argue that it is much easier to place substantive constraints on new military technologies before they have been integrated into the doctrine and structure of a nation’s armed forces. And still others have taken the view that although cyberweapons do raise some new issues, the basic principles underlying existing legal and ethical regimes continue to be valid even though analytical work is needed to understand how these principles do/should apply to cyberweapons.

As is indicated below in this chapter, the committee’s perspective is most similar to the last one articulated above. Furthermore, the committee observes that in no small measure, the range of opinions and conclusions about the need for new regimes comes from the fact that as indicated in Chapter 2, the notion of cyberattack spans an enormous range of scale, impact, and complexity. Some specification of a cyberattack’s range, scope, and purpose must be presented if analytical clarity is to be achieved.

This chapter does not attempt to provide a comprehensive normative analysis. Instead, it reviews the current international and domestic legal regimes, and suggests where existing regimes may be inadequate or ambiguous when the use of cyberweapons is contemplated. In addition, it explores issues that cyberattack may raise outside the realm of the relevant legal regimes.
In all instances, the emphasis is on raising questions, exploring ambiguities, and stimulating thought.

Although this report takes a Western perspective on ethics and human rights, the committee acknowledges that these views are not universal. That is, other religious and ethnic cultures have other ethical and human rights traditions and practices that overlap only partially with those of the United States or the West, and their ethical and human rights traditions may lead nations associated with these cultures to take a different perspective on ethical, human rights, and legal issues regarding cyberattack. Perhaps most importantly, other nations may take a more expansive or a more restricted view of how the law of armed conflict constrains activities related to cyberattack.

Finally, it should be noted that legal considerations are only one set of factors that decision makers must take into account in deciding how to proceed in any given instance. There will no doubt be many circumstances in which the United States (or any other nation) would have a legal right to undertake a certain action, but might choose not to do so because that action would not be politically supportable or would be regarded as unproductive, unethical, or even harmful.

2 This point of view was expressed in presentations to the committee by the USAF Cyberspace Task Force (briefing of LTC Forrest Hare, January 27, 2007).

3 See, for example, Christopher C. Joyner and Catherine Lotrionte, “Information Warfare as International Coercion: Elements of a Legal Framework,” European Journal of International Law 12(5):825-865, 2001.

7.2 INTERNATIONAL LAW

International obligations flow from two sources: treaties (in this context, the Charter of the United Nations, the Hague and Geneva Conventions with their associated protocols, and the Cybercrime Convention) and customary international law. Defined as the customary practices of nations that are followed from a sense of legal obligation, customary international law has the same force under international law as a treaty.

Provisions of international law are sometimes enacted into national laws that are enforceable by domestic institutions (such as the President and courts). For example, Title 18, Section 2441 of the U.S. Code criminalizes the commission of war crimes and defines war crimes as acts that constitute grave breaches of the Geneva or Hague Conventions. Such laws impose penalties on individuals who violate the relevant provisions of international law.

When nations violate international law, the recourse mechanisms available are far less robust than in domestic law. For example, the International Court of Justice has held specific nations in violation of international law from time to time, but it lacks a coercive mechanism to penalize nations for such violations.
In principle, the UN Security Council can call for coercive military action that forces a violator to comply with its resolutions, but the viability of such options in practice is subject to considerable debate.

7.2.1 The Law of Armed Conflict

To understand the legal context surrounding cyberattack as an instrument that one nation might deploy and use against another, it is helpful to start with existing law—that is, the international law of armed conflict (LOAC). Today’s international law of armed conflict generally reflects two central ethical principles.4 First, a state that uses force or violence against another state must have “good” reasons for doing so, and indeed, throughout most of history, states that have initiated violence against other states have sought to justify their behavior. Second, even if violent conflict between nations is inevitable from time to time, unnecessary human suffering should be minimized.

LOAC addresses two separate questions. First, when is it legal for a nation to use force against another nation? This body of law is known as jus ad bellum. Second, what are the rules that govern the behavior of combatants who are engaged in armed conflict? Known as jus in bello, this body of law is separate and distinct from jus ad bellum.

4 The law of armed conflict is also sometimes known as international humanitarian law. A number of legal scholars, though not all by any means, view international humanitarian law as including human rights law, and thus argue that the law of armed conflict also includes human rights law. For purposes of this chapter and this report, the law of armed conflict does not include human rights law.

7.2.1.1 Jus ad Bellum

Jus ad bellum is governed by the UN Charter, interpretations of the UN Charter, and some customary international law that has developed in connection with and sometimes prior to the UN Charter.

Article 2(4) of the UN Charter prohibits every nation from using “the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” Nations appear to agree that a variety of unfriendly actions, including unfavorable trade decisions, space-based surveillance, boycotts, severance of diplomatic relations, denial of communications, espionage, economic competition or sanctions, and economic and political coercion, do not rise to the threshold of a “use of force,” regardless of the scale of their effects. As for the “threats of force” prohibited by Article 2(4), Professor Thomas Wingfield of the U.S. Army Command and General Staff College testified to the committee that such threats might plausibly include verbal threats, initial troop movements, initial movement of ballistic missiles, massing of troops on a border, use of fire control radars, and interference with early warning or command and control systems.

The UN Charter also contains two exceptions to this prohibition on the use of force. First, Articles 39 and 42 permit the Security Council to authorize uses of force in response to “any threat to the peace, breach of the peace, or act of aggression” in order “to maintain or restore international peace and security.”

Second, Article 51 provides as follows: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.” The self-defense contemplated by Article 51 does not require Security Council authorization. Professor Wingfield argued that armed attack would include declared war, de facto hostilities, occupation of territory, a blockade, the destruction of electronic warfare or command and control systems, or the use of armed force against territory, military forces, or civilians abroad. In addition, there is debate over whether the right of self-defense is limited by Article 51, or whether Article 51 simply recognizes a continuation of the preexisting (“inherent”) right of self-defense. Box 7.1 elaborates on notions of self-defense and self-help.

An important aspect of the interpretation of Article 51 involves the question of imminent attack. It is widely accepted that a nation facing unambiguous imminent attack is also entitled to invoke its inherent right of self-defense without having to wait for the blow to fall. (Self-defense undertaken under threat of imminent attack is generally called “anticipatory self-defense.”) For example, Oppenheim’s International Law: Ninth Edition states that:5

The development of the law, particularly in the light of more recent state practice, . . . suggests that action, even if it involves the use of armed force and the violation of another state’s territory, can be justified as self-defence under international law where:
a) an armed attack is launched, or is immediately threatened, against a state’s territory or forces (and probably its nationals);
b) there is an urgent necessity for defensive action against that attack;
c) there is no practicable alternative to action in self-defence, and in particular another state or other authority which has the legal powers to stop or prevent the infringement does not, or cannot, use them to that effect;
d) the action taken by way of self-defense is limited to what is necessary to stop or prevent the infringement, i.e., to the needs of defence.

When are these conditions met? The facts and circumstances in any given situation may not lead to clear determinations—indeed, the threatened party is likely to have a rather different perception of such facts and circumstances than the threatening state. The mere fact that Zendia possesses destructive capabilities that could be used against Ruritania cannot be sufficient to indicate imminent attack—otherwise, the mere existence of armed forces of an adversary would be sufficient justification. But if Zendia can use these capabilities effectively against Ruritania and with serious consequences without warning, and Zendia has indicated hostile intent toward Ruritania in other (perhaps non-military) ways, outside observers may indeed be more likely to judge that the conditions for anticipatory self-defense have been met.

5 Oppenheim’s International Law: Ninth Edition, 1991, p. 412.

BOX 7.1 Self-defense and Self-help

Article 51 acknowledges the right of a nation to engage in the use of armed force for self-defense, including the situation in which the nation is the target of an armed attack, even without Security Council authorization. (The issue of whether a nation may respond militarily without Security Council authorization if it is the target of a use of force short of an armed attack is less clear, with evidence to support both sides of this position.1)

Although the term “self-defense” is undefined in the UN Charter, it is convenient to consider three different types of actions, all of which involve the use of force in response to an attack.

• A Type 1 action is a use of force taken to halt or curb an attack in progress or to mitigate its effects. Type 1 actions do not apply after the attack ceases, because all of the harm that the attack can cause has already been caused at that point.
• A Type 2 action is a use of force in which a nation is the first to use force because it has good reason to conclude that it is about to be attacked and that there is no other alternative that will forestall such an action. Type 2 actions are sometimes called actions of anticipatory self-defense.2
• A Type 3 action is a use of force aimed at reducing the likelihood that the original attacker will continue its attacks in the future. Type 3 actions are predicated on the assumption that the original attacker has in mind a set of attacks, only one of which has occurred, and can be regarded as a kind of anticipatory self-defense against these likely future attacks. An example of a Type 3 action is the 1986 El Dorado Canyon bombing on Libya, which was justified as an act of self-defense against a continuing Libyan-sponsored terrorist threat against U.S. citizens.3 (Note that under domestic law as it applies to private persons, Type 3 actions are generally not legal, though Type 1 actions taken in self-defense are sometimes justified under common law, as indicated in Section 5.2.)

Many nations, including the United States, have asserted rights under the UN Charter to all three types of action under the rubric of self-defense. At the same time, other nations (especially including the target of such action) have claimed that a Type 3 action is really an illegal reprisal—that is, an act of punishment or revenge.

In the context of cyberattack and active defense, a Type 1 action corresponds to active threat neutralization—a cyberattack launched in response to an incoming cyberattack that is intended to neutralize the threat and to stop further damage from occurring. A Type 3 action corresponds to a cyberattack that is intended to dissuade the attacker from launching further attacks in the future.

The difference between Type 1 and Type 3 actions is significant because a Type 3 action is technically easier to conduct than a Type 1 action under some circumstances. For example, it may easily come to pass that an incoming cyberattack can be identified as emanating from Zendia and that the Zendian national authorities should be held responsible for it. A Type 3 action could then take the form of any kind of attack, cyber or kinetic, against Zendia—without the enormous difficulty of identifying a specific access path to the controllers behind the attack (necessary for a Type 1 action).

In addition and depending on the circumstances, a Type 1 action could be followed by a Type 3 action. That is, a policy decision might be made to take a Type 3 action to ensure that no more hostile actions were taken in the future.

Self-defense actions are clearly permissible when a nation or its forces have experienced an armed attack. Under standing rules of engagement, a missile fired on a U.S. fighter plane or a fire-control radar locked on the airplane would count as an armed attack, and self-defense actions (e.g., bombing the missile site or the radar) would be allowable. In a similar vein, cyberattacks that compromise the ability of units of the DOD to perform the DOD’s mission might well be regarded as an armed attack, and indeed STRATCOM has the authority to conduct response actions to neutralize such threats (Chapter 3).

If a nation has been the target of a use of force (a cyberattack) that does not rise to the threshold of an armed attack, responses made by the victimized nation fall into the category of self-help. What self-help actions are permissible under the UN Charter? Certainly any action that does not amount to a use of force is legal under the UN Charter as long as it does not violate some existing treaty obligation. An example of such an action might well be non-cooperative but non-destructive intelligence gathering about the attacking system. In addition, a small-scale Type 1 action to neutralize an incoming cyberattack aimed at a single system is likely to be permissible. (An analogy from physical space might be the small-scale use of force to shoot armed border crossers.)

1 Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999.

2 See, for example, Oppenheim’s International Law: Ninth Edition, 1991, p. 412.

3 The raid was the culmination of increasing tensions between the United States and Libya. Since 1973, Muammar Qadhafi asserted Libyan control over the Gulf of Sidra, a claim not recognized under international law (which recognizes only a 12-mile-from-shore claim for national waters). In 1981, the United States conducted naval exercises in the area claimed by Libya, with the result that two Libyan fighter-bombers sent to challenge the United States presence were shot down. Tensions continued to increase, and in March 1986, Libya launched six SA-5 missiles against the U.S. Sixth Fleet, then operating nearby in the Mediterranean. In subsequent action, the United States destroyed two Libyan vessels. In early April 1986, a bomb exploded in a Berlin discotheque, killing a U.S. soldier and injuring 63 U.S. soldiers, among others. The United States asserted that it had communications intercepts proving Libyan sponsorship of the bombing, and Operation El Dorado Canyon occurred shortly thereafter, as the United States had at the time no reason to expect such attacks to cease. In May 2001, Qadhafi acknowledged to a German newspaper that Libya had been behind the discotheque bombing 15 years earlier, which was carried out apparently in retaliation for the U.S. sinking of the two vessels in March 1986.

7.2.1.2 Jus in Bello

Once armed conflict has begun, the conduct of a nation’s armed forces is subject to a variety of constraints. Jus in bello is governed largely by the Hague Conferences of 1899 and 1907, the Geneva Conventions, and customary international law.

• Military necessity. Valid targets are limited to those that make a direct contribution to the enemy’s war effort, or those whose damage or destruction would produce a military advantage because of their nature, location, purpose, or use. Thus, enemy military forces (and their equipment and stores) may be attacked at will, as is also true for civilians and civilian property that make a direct contribution to the war effort. Assets that do not contribute to the war effort or whose destruction would provide no significant military advantage may not be deliberately targeted by cyber or kinetic means. LOAC also provides for a category of specially and (in theory) universally protected facilities such as hospitals and religious facilities.

• Proportionality. It is understood that attacks on valid military targets may result in collateral injury and damage to civilian assets or people. Some degree of collateral damage is allowable, but not if the foreseeable collateral damage is disproportionate compared to the military advantage likely to be gained from the attack.
In the event that military and nonmilitary assets are circumstantially commingled (e.g., the use of a common electric grid to power both military and civilian facilities), the attacker must make a proportionality judgment. But in instances when the enemy has deliberately intermingled military and non-military assets or people, the enemy must then assume some responsibility for the collateral damage that may result.

Put differently, LOAC always obligates a would-be attacker to make reasonable proportionality judgments. What is less clear, and may depend on circumstances, are the conditions under which the enemy has a legal responsibility to refrain from deliberately commingling military assets with non-military assets or more generally to separate such assets. For example, the enemy may have deliberately placed “human shields” around military targets. In such a case, the enemy is clearly in violation of LOAC and bears the responsibility for any injury to the hostages if the target is attacked. However, in an extreme case where the likely deaths and injuries among the hostages are disproportionate to the military advantage to the attacker, the attacker is obligated to take into account the presence and likely deaths of those human shields in making a proportionality judgment about a possible attack.

A common misperception about proportionality as a rule of jus in bello is that it requires the victim of an attack to respond only in ways that cause the original attacker approximately the same amount or degree of pain that the victim experienced. This kind of response is generally characterized as a commensurate response, and although commensuration and commensurate response are often used by policy makers as guideposts in formulating responses to external attack, they are not required by LOAC.

• Perfidy. Acts of perfidy seek to deceive an enemy into believing that he is obligated under the law of armed conflict to extend special protection to a friendly asset when such is not the case. For example, by convention and customary law, certain persons and property may not be legitimately attacked, including prisoners of war and prisoners-of-war camps, the wounded and sick, and medical personnel, vehicles, aircraft, and vessels. Persons and property in this category must be identified with visual and electronic symbols, and misuse of these symbols to prevent a legitimate military target from being attacked constitutes the war crime of perfidy. In addition, it is unlawful to feign surrender, illness, or death to gain an advantage in combat, or to broadcast a false report that both sides had agreed to a cease-fire or armistice. At the same time, ruses of war are explicitly permissible.
A ruse of war is intended to mislead an adversary or to induce him to act recklessly but its use infringes no rule of international law applicable in armed conflict and does not mislead the adversary into believing that he is entitled to special protection. Camouflage, decoys, mock operations, and misinformation are all permitted ruses.

• Distinction. Distinction requires armed forces to make reasonable efforts to distinguish between military and civilian assets and between military personnel and civilians, and to refrain from deliberately attacking civilians or civilian assets. However, there are two important classes of civilians or civilian assets—those that have been compromised and used (illegally) to shield the actions of a party to the conflict and those that suffer inadvertent or accidental consequences (“collateral damage”) of an attack. Responsibility for harm is apportioned differently depending on the class to which a given civilian or civilian asset belongs (Box 7.2).

• Neutrality. A nation may declare itself to be neutral, and is entitled to immunity from attack by either side at war, as long as the neutral nation does not assist either side militarily and acts to prevent its territory from being so used. Accordingly, there exists a right for a threatened state “to use force to neutralize a continuing threat located in the territory of a neutral state, but not acting on its behalf, when the neutral state is unable or unwilling to fulfill its responsibility to prevent the use of its territory as a base or sanctuary for attacks on another nation.”6 Note also that under item 3 of UN Security Council Resolution 1368 (adopted on September 12, 2001),7 which calls on all member states “to work together urgently to bring to justice the perpetrators, organizers and sponsors of these terrorist attacks” and stresses that “those responsible for aiding, supporting, or harboring the perpetrators, organizers and sponsors of these acts will be held accountable,” and under related developments in international law, even neutral states have affirmative obligations to refrain from harboring perpetrators of terrorist attacks. The United States has asserted the right of self-defense in this context on a number of occasions, including the 1998 cruise missile attack against a terrorist training camp in Afghanistan and a chemical plant in Sudan in which the United States asserted that chemical weapons had been manufactured; the 1993 cruise missile attack against the Iraqi intelligence service headquarters which the United States held responsible for a conspiracy to assassinate President George H.W. Bush; and the 1986 bombing raid against Libya in response to Libya’s continuing support for terrorism against U.S. military forces and other U.S. interests.

6 Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999.

7 United Nations Security Council Resolution 1368 (2001), accessed at http://daccessdds.un.org/doc/UNDOC/GEN/N01/533/82/PDF/N0153382.pdf?OpenElement.

BOX 7.2 Avoiding Harm to Innocent Parties

The principle of distinction requires military forces to minimize harm to innocent parties—that is, non-combatants that are not actively engaged in helping to prosecute the war. But three categories of “innocent parties” must be distinguished, especially in the cyber context.

• Category A—An innocent party that is compromised by an adversary and then used to shield the adversary’s actions. For example, an adversary (Zendia) that uses human civilians as shields to protect its antiaircraft sites is using this kind of innocent party. Zendia would also be doing so if it launched a cyberattack against Ruritania through the use of a compromised and innocent third-party computer (e.g., one belonging to civilians).
• Category B—An innocent party that is caught up in some effect that was unpredicted or could not have been expected. For example, a Zendian civilian truck in the desert is struck inadvertently by the empty drop tanks of a Ruritanian fighter-bomber en route to its target, and all those inside the truck are killed. Or, a Ruritanian cyberattack strikes a Zendian generator powering the Zendian ministry of defense, leading to a cascading power failure that disables hospitals in which Zendian patients then die.
• Category C—An innocent party that is granted special protection under the Geneva Convention, such as a hospital, and is then used as a facility from which to launch attacks. For example, the Zendian adversary that places mortars on the roof of a hospital is using Category C innocent parties. Or, Zendia launches a cyberattack on Ruritania using the servers and Internet connections of a Zendian hospital.

Distinguishing between these kinds of innocent parties is important because the categories of parties harmed have different implications for responsibility. If Category A innocent parties are harmed, some responsibility attaches to Zendia for placing innocent parties in harm’s way. Some degree of responsibility may attach to Ruritania if the attack did not meet the requirements of proportionality—that is, if the military value of the target shielded was small by comparison to the loss of Zendian civilian life. If Category B innocent parties are harmed, the responsibility does not fall on Zendia, and if Ruritania took reasonable care in route planning, no responsibility attaches to Ruritania either. If Category C innocent parties are harmed, the legal responsibility for those consequences falls entirely on the Zendian adversary under LOAC.

In active defense scenarios calling for threat neutralization, there are many valid concerns about a counterstrike that does harm to some innocent party. But at least in some scenarios involving innocent third-party computers (that is, in Category A), a Ruritanian response against those compromised computers could be conducted within the bounds of LOAC, and the harm resulting to those third parties would be the responsibility of Zendia and not Ruritania.

Of course, Ruritania would have to address several other concerns before feeling confident in the legality and wisdom of a counterstrike. First, even if a counterstrike is entirely legal, it may come with other costs, such as those associated with public opinion or ethical considerations. If a counterstrike disables the hospital computer and deaths result, there may be censure for Ruritania, even if the counterstrike was within Ruritania’s legal rights to conduct. Second, Ruritania would have to take reasonable care to determine that the incoming cyberattack was indeed coming from the computer in question, because Zendia might have also planted evidence so as to prompt a counterstrike against a computer that was not involved in the attack at all. Third, Ruritania would still have to make reasonable efforts to ensure that its attack on the hospital computer did not have unintended cascading effects (e.g., beyond the particular node on the hospital network from which the attack was emanating).

• Discrimination. Nations have agreed to refrain from using certain weapons, such as biological and chemical weapons, at least in part

Article 19 (protecting rights to seek information) might speak to cyberattacks intended to prevent citizens from obtaining access to the Internet or other telecommunications media. A variety of other rights, such as the right to life, are potentially relevant as well, although they do not seem as closely tied to the cyber domain. Respecting these other rights would suggest, for example, that a cyberattack intended to enforce economic sanctions would still have to allow transactions related to the acquisition of food and medicine.

7.2.6 Reciprocity

Although U.S. policy will be based on an analysis of what future legal regime would best serve the interests of the United States (including whatever political value can be found in asserting the stance), that analysis must take into account the extent and nature of the effects of such regimes on other parties, both other nation-states and subnational entities, and the likelihood that these other parties might feel obligated to comply with such a regime.

For example, the United States may decide that an expansive definition of “use of force” prohibiting most uses of cyberattack would help to protect the viability of the U.S. information technology infrastructure in the face of international threats. But such a definition would also prohibit most prekinetic conflict uses of cyberattack by the United States as well. Alternatively, it may decide that other key nations would not comply with an expansive definition,38 and thus that a restrictive definition might better serve U.S. interests by allowing most uses of cyberattack.

7.3 DOMESTIC LAW

As noted in Section 7.1, domestic law (which includes the Constitution of the United States, federal statutes, and self-executing treaties) constrains both government institutions and private individuals. For example, U.S. domestic law regulates the division of labor regarding operational activities between the DOD and the intelligence agencies for reasons of government accountability and oversight. Generally, activities of the Department of Defense (DOD) are governed by Title 10 of the U.S. Code, and activities of the intelligence community (IC) by several sections of Title 50. U.S. domestic law also provides substantive law governing

38 Many analysts believe that China is an example of a nation that might well be unwilling to give up a cyberattack-based avenue of asymmetric confrontation against the United States. See for example, Timothy Thomas, Decoding the Virtual Dragon, Foreign Military Studies Office, Fort Leavenworth, Kans., 2007.

what private parties can and cannot do, both through highly cyber-specific statutes and more general laws on property, self-defense, and so on.

In general, a state is entitled to use any method for law enforcement within its territory or with respect to its citizens that is consistent with its domestic law. Within the United States, domestic law regulates police conduct and electronic surveillance, and imposes limits on searches or arrests without probable cause and on the unreasonable use of force in making lawful arrests or during other enforcement activities. Under international law, a state must avoid conduct that amounts to torture, genocide, or other blatant and generalized violations of human rights described in the ICCPR.

7.3.1 Covert Action and Military Activity

Chapter 4 addresses some of the operational and policy considerations underlying covert action. But the legal framework governing covert action is also important.

As noted in Chapter 4, covert action has a statutory definition. However, the 1991 Intelligence Authorization Act also included a provision, now codified at 50 USC 413b, that distinguished between covert actions and “traditional military activities,” “traditional counterintelligence activities,” “traditional diplomatic activities,” and “traditional law enforcement activities.” The legislation does not define any of the traditional activities, but the conference report stated the intent of the conferees that:39

“traditional military activities” include activities by military personnel under the direction and control of a United States military commander (whether or not the U.S. sponsorship of such activities is apparent or later to be acknowledged) preceding and related to hostilities which are either anticipated (meaning approval has been given by the National Command Authorities for the activities and for operational planning for hostilities) to involve U.S. military forces, or where such hostilities involving United States military forces are ongoing, and, where the fact of the U.S. role in the overall operation is apparent or to be acknowledged publicly. In this regard, the conferees intend to draw a line between activities that are and are not under the direction and control of the military commander. Activities that are not under the direction and control of a military commander should not be considered as “traditional military activities.”

Covert action requires a written presidential finding in advance of the action that the action is necessary to support identifiable foreign policy

39 Conference Report on H.R. 1455 (House of Representatives), July 25, 1991, available at http://www.fas.org/irp/congress/1991_cr/h910725-ia.htm.

objectives of the United States, submission of the finding to the chairmen of the congressional intelligence oversight committees, and notification of congressional leaders of the action. By contrast, no findings, special approval, or notification are needed for conducting any of the traditional military activities, although activities conducted by the uniformed military are subject to the guidance of and restrictions imposed by the law of armed conflict, and, in practice, many highly sensitive military operations—if conducted outside the framework of a general armed conflict—have been brought to the attention of congressional leadership.

Finally, 50 USC 413b(f) states that “no covert action may be conducted which is intended to influence United States political processes, public opinion, policies, or media.” In practice, U.S. decision makers have sometimes interpreted this provision to mean that no covert action may be conducted that is likely to have such an effect in the United States. Under this interpretation, the use of cyberattack to disseminate false information as part of a covert action might be illegal if such information made it back to the U.S. news media.

The matter is complicated by the fact that for certain kinds of covert action, DOD assets will be needed to execute the applicable plans. Under such circumstances, it is less clear whether the planned action is or is not subject to notification as covert action. In addition, because the mechanism for covert action authorization calls generally for the notification of the appropriate congressional leaders, delay in execution may be possible and negotiation about its terms may be necessary if these leaders object to the action.

The domestic legal requirements for undertaking a covert action require only that the President personally find that the action supports identifiable foreign policy objectives of the United States and that the action is important to the national security of the United States. Thus, as a legal matter, the requirements for a finding regarding an action employing lethal force are the same as for a finding not employing lethal force, and a covert action may use enough lethal force (or destructive force) that it would clearly be a “use of force,” where “use of force” is used in the sense of the UN Charter. Nevertheless, as a practical matter, congressional overseers and executive branch managers of covert actions are more likely to pay more attention to actions that result (or could result) in death and destruction than those that do not. The same is true for covert actions that are likely to be disclosed, or likely to result in failure, or in friendly personnel being captured.

Given this legal environment, it is not surprising that executive branch decision makers have adopted an expansive view of actions that might be considered traditional military activities, and that includes actions that have a very direct military effect on potential military adversaries—even

if such actions would constitute covert action if undertaken by the intelligence community.

Indeed, in recent years (that is, since the terrorist attacks of September 11, 2001), the dividing line between covert action (undertaken by the intelligence community) and military operations (undertaken by the Department of Defense) has become increasingly blurred. Consider, for example, the large amount of intelligence information about adversary systems that is needed to conduct cyberattacks against them. In a targeting context, military collection of the information needed for a cyberattack is essentially indistinguishable from traditional intelligence collection. At the same time, a covert operation undertaken by the intelligence community to influence events in another country may well look like a military operation. Even intelligence collection and exploitation operations may entail some attack activity (and hence appear military-like) in order to gain or preserve access.

Collection activities—presumably including activities requiring cyberattack in some form for their successful execution—would not constitute covert action. Both tapping an adversary’s underwater cable to obtain military traffic flows and planting a Trojan horse key logger in an adversary computer system in its ministry of defense would constitute intelligence collection activities, even if such activities were very sensitive.

On the other hand, activities that are intended to influence the conduct, behavior, or actions of an adversary without the involvement of the United States becoming known are covert actions requiring findings if they are not traditional intelligence activities or otherwise exempt, and the dividing line between activities that should be regarded as covert action and those that should not becomes unclear. For example:

• Intelligence preparation of the battlefield is a traditional military activity and thus does not constitute covert action. But a cyberattack may be designed to alter the functionality of an adversary’s tactical command and control systems long in advance of actual hostilities on the ground, and thus may be regarded as a covert action.

• Strategic deception conducted under the U.S. military chain of command is a traditional military activity and thus does not constitute covert action. (An example of strategic deception is the attempt to persuade an adversary that an attack will occur in one place when it will actually occur in another.) But a cyberattack may be developed that alters the data streams on which an adversary’s intelligence and surveillance capabilities rely, and thus may be regarded as a covert action.

• Collecting telemetry on experimental missile launches is a traditional intelligence collection activity. But a cyberattack may be designed to corrupt or alter the telemetry received by the adversary receiving stations

so that the adversary must redo the test or, even worse, inadvertently use bad data in its R&D efforts, and thus may be regarded as a covert action.

From an administrative or organizational standpoint, command structures may blur the lines between Title 10 authorities (governing the armed forces) and Title 50 authorities (governing the intelligence community). For example, as noted in Chapter 3, the U.S. Strategic Command has responsibility for network warfare—and the Joint Functional Component Command for Network Warfare is commanded by the director of the National Security Agency, an element of the intelligence community. Such blurring requires those in the command structure to be careful about the roles they are playing when they take any given action.

Perhaps the most important point about the distinction between covert action and traditional military activities is that the distinction is essentially irrelevant outside a domestic context. Nations that are the target or subject of an act that they regard as hostile are not likely to care whether the United States classifies it as a covert action or as a military activity. Thus, the entire discussion above relates only to decisions within the U.S. government about how it should organize itself to conduct various activities.

7.3.2 Title III and the Foreign Intelligence Surveillance Act

Domestic electronic surveillance conducted in the United States for purposes of criminal investigation related to any of a list of specifically enumerated offenses is regulated under the federal Wiretap Act of 1968 as amended (also known as “Title III”). Under Title III, law enforcement authorities may seek court authorization to conduct real-time surveillance of electronic communications for these purposes. The court authorization must be issued by a judge who concludes that there is probable cause to believe that a crime relating to one of these enumerated offenses has been, is being, or is about to be committed.

Originally enacted in 1978, the Foreign Intelligence Surveillance Act (FISA) established a framework for the use of “electronic surveillance” conducted to obtain “foreign intelligence information” (defined as information about a foreign power or foreign territory that relates to the national defense, the security, or the conduct of the foreign affairs of the

United States).40 For any such surveillance, the statute requires the attorney general and related law enforcement authorities to seek and secure a warrant from a special court known as the Foreign Intelligence Surveillance Court (FISC). A FISC order must specify (among other things) a statement of the means by which the surveillance will be conducted and an indication of the period of time for which the electronic surveillance must be maintained.

Since 1978, FISA has been repeatedly amended to account for new technologies and new concerns about terrorism and civil liberties. The most recent amendments came in 2008. The new statute allows the attorney general and the director of national intelligence to jointly authorize the “targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” The statute requires the government to adopt “targeting procedures” to meet this goal and “minimization procedures” to avoid the retention or distribution of information concerning U.S. citizens that is obtained from such surveillance. The statute imposes no probable cause requirement for such surveillance, but more restrictive provisions apply when the person targeted overseas is a U.S. national.

Certain cyberexploitations may be regarded as forms of electronic surveillance, and if conducted against U.S. persons or in the United States may under some circumstances be subject to FISA or Title III regulation. Such a cyberexploitation might, for example, require the implantation of software payloads to exfiltrate information surreptitiously. Such information may include important documents relevant for exploitation or information such as login names and passwords that might be useful for conducting a later cyberattack.

It is difficult to speculate on how FISA might be relevant to cyberattacks. But there is at least one documented case of a court-approved Title III warrant being used to authorize a cyberexploitation.41 On June 12, 2007, an FBI agent filed an affidavit to a magistrate judge in support of an application for court authorization to send a message to a computer used to administer a specific MySpace.com user account. The message was designed to cause this computer to transmit back to the FBI technical data identifying the computer and/or the users of the computer. Whether

40 More detailed descriptions of FISA and its impact on intelligence gathering can be found in Elizabeth Bazan, The Foreign Intelligence Surveillance Act: An Overview of Selected Issues, Congressional Research Service, Washington D.C., July 7, 2008 (available at www.fas.org/sgp/crs/intel/RL34279.pdf); Elizabeth B. Bazan (ed.), The Foreign Intelligence Surveillance Act: Overview and Modifications, Nova Science Publishers, Hauppauge, N.Y., 2008; and Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition, MIT Press, Cambridge, Mass., 2007.

41 See http://politechbot.com/docs/fbi.cipav.sanders.affidavit.071607.pdf.

and how often the FISC has approved the use of cyberexploitation, or the nature of such exploitation (if any), is not known from information that is publicly available.

7.3.3 Posse Comitatus

The Posse Comitatus Act (codified at 18 USC 1385), along with administrative action and other related law, prohibits the U.S. armed forces from executing domestic law, unless such actions are explicitly authorized by statute or the U.S. Constitution. (For example, Title 10, Sections 371-381 of the U.S. Code explicitly allow the Department of Defense to provide federal, state, and local police with information (including surveillance and reconnaissance), equipment, and training/expertise. Other legislation has allowed the DOD to assist in matters related to counterterrorism, weapons of mass destruction, and drug trafficking.) Questions arise most often in the context of assistance to civilian police.

Under the Posse Comitatus Act, the Department of Defense would appear to be forbidden from conducting either cyberattack or cyberexploitation in support of domestic law enforcement to enforce domestic law in any context where there was no specific statutory exemption, but would have the authority to conduct such operations domestically if they were part of the exercise of presidential authority to act as commander-in-chief under Article II.

7.3.4 The Computer Fraud and Abuse Act and Other Federal Law

A variety of federal laws, including 18 USC 1030 (the Computer Fraud and Abuse Act, described in Section 5.2) and 18 USC 1029 (dealing with fraud and related activity in connection with access devices), prohibit individuals and corporations from undertaking cyberattack activities. Neither of the statutes mentioned above exempts military agencies from their prohibitions, although the legislative history of each does not suggest that Congress intended it to apply to military operations abroad.

However, the Computer Fraud and Abuse Act may be relevant to possible military cyberattack activities because the various technologies of cyberattack often involve the compromise of third-party computers in order to conceal and otherwise support attack activities against an adversary computer system or network. A party launching a cyberattack—such as the United States—may wish to conceal its identity in such an action. Or, it may wish to augment the computing resources available to it for such purposes at little additional cost.

The issue of public appropriation of private resources depends on whether those private resources are owned by individuals or corporations

in the United States. The law in this area is voluminous and mixed, and the current status of the law about the government’s rights to use private computers of Americans without owner permission in the conduct of a cyberattack is quite unclear.

A different analysis, although still murky, applies to the use of private resources owned by individuals or corporations outside the United States. Subsection (f) of 18 USC 1030 (the Computer Fraud and Abuse Act) explicitly states that Section 1030 “does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.” In this context, an activity might be “lawfully authorized” explicitly (as through a warrant granted by the FISC) or implicitly authorized by being undertaken under the legal authority of the President, the bounds of which are evolving and thus not precisely known.

On the presumption that there is no other relevant legislative authority, there appears to be no domestic legislative impediment for the U.S. government to commandeer the computers of private citizens abroad to create a cyberattack capacity for use by the government, perhaps for use in a botnet or perhaps in any attempt to conduct a cyberattack with plausible deniability. Whether such commandeering is legitimate under the international laws of armed conflict is not clear, although the fact that the “zombification” of a computer can leave the computer almost entirely intact and whole for the user’s purposes is surely relevant to a LOAC analysis. (As always, whether such actions would be wise or appropriate on policy grounds is an entirely separate matter—this paragraph speaks only to the legal aspect of the issue.)

If none of these approaches worked to allow the U.S. government to assemble a network of computers for a powerful and hard-to-trace cyberattack, there would be the theoretical option to obtain the needed access to large numbers of third-party computers by “renting” them from a private source. But botnets for hire are, as a practical matter, available only from criminals, since it is a criminal act to assemble a botnet in the first place. And although it is not without precedent,42 cooperating with or paying criminals to conduct operations relevant to national security is highly problematic, is politically controversial, and may itself be illegal.

Given the leverage available with using third-party computers for cyberattack, government may wish to find other avenues for clarifying the legal landscape for doing so. One approach would be for the U.S.

42 One such example of U.S. government cooperation with criminals was the CIA use of Mafia assistance in the attempt to assassinate Fidel Castro in 1960. See “Trying to Kill Fidel Castro,” Washington Post, June 27, 2007, p. A06.

government to simply ask owners of personal computers for permission to use their computers, or to pay a fee to owners willing to make their computers available for such use.43 Such approaches would obviously eliminate the clandestine nature of such use, but it might well place at the disposal of the U.S. government resources far in excess of what it would otherwise have available. In any event, the committee recognizes that such approaches would be controversial, and it is not advocating them in any way.

7.3.5 The War Powers Resolution

The War Powers Resolution of 1973 was intended to be an assertion of congressional authority relevant to warmaking. A more detailed discussion of the War Powers Resolution is contained in Section 6.2.1.

7.3.6 Executive Order 12333 (United States Intelligence Activities)

Initially promulgated on December 4, 1981, and amended a number of times since then (most recently in July 2008), Executive Order 12333 regulates the conduct of U.S. intelligence activities.44 Section 2.2 of Executive Order 12333 sets forth “certain general principles that, in addition to and consistent with applicable laws, are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests.” Using a definition of “United States person” specified in Section 3.4(i) of this order (a United States person is “a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments”), Section 2.3 of Executive Order 12333 establishes constraints on procedures for agencies within the intelligence community to collect, retain or disseminate information concerning United States persons. Section 2.5 requires the attorney general to find probable cause to believe that the U.S. person who is the target of the surveillance is an agent of a foreign power.

43 A partial precedent for using civilian assets for military purposes can be found in the Civil Reserve Air Fleet (CRAF). Under the CRAF program, civilian airlines commit to making available some of their aircraft for military airlift purposes when DOD military aircraft are inadequate to meet a given demand. In return, the government makes peacetime airlift business available to these civilian airlines. See U.S. Air Force Fact Sheet, Civil Reserve Air Fleet, available at http://www.af.mil/factsheets/factsheet.asp?id=173.

44 The full text of Executive Order 12333 as of July 2008 is available at http://www.tscm.com/EO12333.html.whitehouse.gov/infocus/nationalsecurity/amended12333.pdf.

U.S. law (including FISA, Title III, state wiretap law, the Electronic Communications Privacy Act, and Executive Order 12333) may restrict the ability of government agencies to collect information within the United States on cyberattacks, just as it places such restrictions on collection on other subjects, including collection of stored information found on the networks of victims, perpetrators, or “hop” sites, as well as collection through wiretapping of communications. The significance of this point is that when a system or network in the United States is the target of a cyberattack, and the perpetrator of that attack is unknown to U.S. authorities (as is almost always the case), collection of that information must be done in accordance with the appropriate and necessary legal authorities.

Absent the consent of the network owners to government collection of the information described above, the legal authorities for law enforcement and (in certain circumstances) counterintelligence provide the broadest basis for such collection. Thus, responsibility for collecting the information required for attack assessment and attribution will normally rest with the FBI (which uniquely possesses both federal law enforcement and counterintelligence collection authorities (including FISA)) and other domestic law enforcement agencies. (Analysis of that information can be—and under the National Infrastructure Protection Center prior to the establishment of the Department of Homeland Security, was—performed jointly by law enforcement, the intelligence community, and military personnel (and by private sector parties if necessary).) Such information is necessary to characterize the nature of an incoming cyberattack, and is of course necessary if any kind of counter-counterattack is to be launched.

In addition, Executive Order 12333 regulates the conduct of covert action by stipulating that “no agency except the CIA (or the Armed Forces of the United States in time of war declared by Congress or during any period covered by a report from the President to the Congress under the War Powers Resolution (87 Stat. 855)1) may conduct any special activity unless the President determines that another agency is more likely to achieve a particular objective,” where “special activities” are defined as “activities conducted in support of national foreign policy objectives abroad which are planned and executed so that the role of the United States Government is not apparent or acknowledged publicly, and functions in support of such activities, but which are not intended to influence United States political processes, public opinion, policies, or media and do not include diplomatic activities or the collection and production of intelligence or related support functions.”

7.4 FOREIGN DOMESTIC LAW

Foreign nations are governed by their own domestic laws governing destructive (that is, attack) computer actions. U.S. cyberattack activities that terminate or transit foreign nations may be subject to such law, though enforcement of those laws may be as a practical matter difficult. Foreign domestic law also has an impact on the ability of the United States to trace the origin of cyberattacks or cyberexploitations directed against the United States—for example, if a certain cyber action is not criminalized in Zendia, Zendian law enforcement agencies may not have the legal authority to investigate it, even if the action is relevant to a cyberattack action against the United States routed by Ruritania through Zendia.