influence an election, instigate conflict between political factions, harass disfavored leaders or entities, or divert money.
For intelligence gathering, cyberexploitation of an adversary’s computer systems might yield valuable information. For example, U.S. intelligence agencies might learn useful information about an adversary’s intentions and capabilities from a penetration of its classified government networks. Alternatively, they might obtain useful economic information from penetrating the computer systems of a competing nation’s major industrial firms.
In the committee’s view, the essential framework for the legal analysis of cyberattack is based on the principle that notions related to “use of force” and “armed attack” (terms of special relevance to the Charter of the United Nations) should be judged primarily by the effects of an action rather than its modality. That is, the fact that an attack is carried out through the use of cyberweapons rather than kinetic weapons is far less significant than the effects that result from such use, where “effects” are understood to include both direct and indirect effects.
Furthermore, the committee believes that the principles of the law of armed conflict (LOAC) and the Charter of the United Nations—including both law governing the legality of going to war (jus ad bellum) and law governing behavior during war (jus in bello)—do apply to cyberattack, although new analytical work may be needed to understand how these principles do or should apply to cyberweapons. That is, some types of cyberattack are difficult to analyze within the traditional LOAC structure. Among the more problematic cases are the following:
The presumption of nation-to-nation conflict between national military forces,
The exception for espionage, and
The emphasis on notions of territorial integrity.
The escalatory dynamics of armed conflict are thought to be understood as the result of many years of thinking about the subject, but the dynamics of cyberconflict are poorly understood. This report speculates on some of the factors that might influence the evolution of a cyberconflict.