Cover Image

PAPERBACK
$78.50



View/Hide Left Panel
Click for next page ( 152


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 151
Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts Michael N. Schmitt durham Uniersity law School, United kingdom INTRODuCTION In April and May 2007, Estonia was victimized by massive computer network attacks. 1 The incident began with rioting incited by ethnic Russian cyber agitators in response to the government’s decision to move a Soviet war memorial from the center of Tallinn to a military cemetery on the outskirts of the capital. Subsequent actions included direct cyber attacks against Estonian targets, including government and commercial Internet infrastructure and information systems such as the those of the President, Prime Minister, Parliament, State Audit Office, ministries, political parties, banks, news agencies, and Internet service providers. They involved denial of service (DoS), distributed denial of service (DDoS), defacement and destruction. Because Estonia had invested heavily in networking following independence, the attacks proved devastating. By 2007, the country relied on information services for everything from banking and filing tax returns to paying for parking and public transportation. Internet services covered all of Estonia, with half the population enjoying access from their homes. Most of the attacks emanated from outside the country, principally Russia. Their origin was also traced to at least 177 other countries.2 Initially, they came from private IP addresses, although experts tracked a number to Russian government institutions. It remains uncertain whether the latter were launched with the government’s knowledge. As the cyber attacks unfolded, they became increasingly sophisticated, evidencing considerable organization and command and control. While various pro-Rus - sian activist groups apparently executed some of the second wave operations, there is no firm evidence that the Russian government either conducted or orchestrated them. The impact of the cyber assault proved dramatic; government activities such as the provision of State benefits and the collection of taxes ground to a halt, private and public communications were disrupted and confidence in the economy plummeted. Was this “war”? After all, the scope and scale of the consequences far exceeded those that might have been caused by, for instance, a small-scale air 1 For an excellent discussion of the attacks, see Eneken Tikk, Kadri Kaska, and Liis Vihul, international Cyber incidents: legal Considerations 14-33 (Tallinn: Cooperative Cyber Defence Centre of Excellence 2010). 2 Charles Clover, “Kremlin-backed Group behind Estonia Cyber Blitz,” Financial times, March 11, 2009. 11

OCR for page 151
12 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS attack or a commando raid, both of which would signal the initiation of a “war” between Estonia and the State responsible for their execution. Historically, the initiation of a war depended upon a formal act of State, generally a “declaration of war.” It neither required hostilities, nor did hostilities alone amount to war. This traditional under - standing of war has fallen into desuetude, replaced by a complex admixture of legal concepts. In the aftermath of the Second World War, the international community crafted a new normative scheme in the form of the United Nations Charter, which includes both a prohibition on the use of force in inter- national relations and a system for enforcing the prescription. Today, the Charter, together with related customary international law norms,3 governs how and when force may be employed by States. The carnage of the Second World War also prompted a reexamination of the rules applicable during war- fare. During that process, the requirement for a declaration of war as the threshold for application of the “law of war” was abandoned.4 Henceforth, this body of law (relabeled the “law of armed conflict” and usually referred to as “international humanitarian law” or IHL) would come into play whenever “armed conflict” occurred. This article explores the contemporary international law governing cyber operations. In particular, it asks four questions, which together have supplanted the previous notion of “war”: (1) When does a cyber operation constitute a wrongful “use of force” in violation of Article 2(4) of the United Nations Charter and customary international law?; (2) When does a cyber operation amount to a “threat to the peace, breach of the peace, or act of aggression,” such that the Security Council may authorize a response thereto?; (3) When does a cyber operation constitute an “armed attack,” such that the victim-State may defend itself, even kinetically, pursuant to the right of self-defense set forth in Article 51 of the UN Charter and customary international law?; and (4) When does a cyber operation rise to the level of an “armed conflict,” such that IHL governs the actions of belligerents? The attacks against Estonia, similar ones against Georgia during its armed conflict with Russia in 2008,5 and the thousands of others directed against government, corporate and private systems worldwide on a daily basis aptly demonstrate the reality, immediacy and scale of the threat. It is one well-recognized by States. The May 2010 United States National Security Strategy cites cyber security threats as “one of the most serious national security, public safety, and economic challenges we face as a nation.”6 Similarly, the analysis and recommendations on NATO’s new Strategic Concept prepared by a group of distinguished experts led by former U.S. Secretary of State Madeleine Albright singled out “cyber assaults of varying degrees of severity” as one of the three likeliest threats the NATO Allies will face in the next decade.7 Unfortunately, the existing legal norms do not offer a clear and comprehensive framework within which States can shape policy responses to the threat of hostile cyber operations. In particular, international law 3 See fn 13 and accompanying text for a brief explanation of customary international law. 4 Common Article 2 to the four 1949 Geneva Conventions provides that the treaties “shall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if a state of war is not recognized by one of them.” Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, art. 2, Aug. 12, 1949, 6 UST. 3114, 75 U.N.T.S. 31; Geneva Convention for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea, art. 2, Aug. 12, 1949, 6 UST. 3217, 75 U.N.T.S. 85; Geneva Convention Relative to the Treatment of Prisoners of War, art. 2, Aug. 12, 1949, 6 UST. 3316, 75 U.N.T.S. 135 ; Geneva Convention Relative to the Protection of Civilian Persons in Time of War, art. 2, Aug. 12, 1949, 6 UST. 3516, 75 U.N.T.S. 287 [hereinafter GC I–IV respectively]. 5 See Tikk, supra note 1, at 66-90. 6 President Barack Obama, national Security Strategy 27 (May 2010). 7 Group of Experts on a New Strategic Concept. nAto 2020: Assured Security; dynamic Engagement (May 17, 2010) 17. The others are an attack by a ballistic missile and strikes by international terrorist groups.

OCR for page 151
1 miCHAEl n. SCHmitt as traditionally understood departs at times from what the international community would presumably demand in the cyber context. To some extent, this divergence can be accommodated through reasonable interpretation of the relevant norms. Where it cannot, the law would seem to require attention, either through treaty action or through the development of new understandings of the prevailing legal concepts.8 CybER OPERATIONS AS A “uSE OF FORCE” The United Nations Charter, in Article 2(4), states that “[a]ll Members [of the United Nations] shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” Despite the reference to territorial integrity and political independence, it is now widely understood that the prohibition applies to any use of force not otherwise permitted by the terms of the Charter, specifically uses of force authorized by the Security Council and defensive operations, each discussed separately below.9 Article 2(4) was revolutionary in its extension to threats. Of course, only those threats of a use of force that would otherwise be unlawful qualify.10 For instance, threatening destructive defensive cyber attacks against another State’s military infrastructure if that State unlawfully mounts unlawful cross- border operations would not breach the norm. However, threats of destructive cyber operations against another State’s critical infrastructure unless that State cedes territory would do so. The prohibition applies only to an explicit or implied communication of a threat; its essence is coer - cive effect. It does not reach actions which simply threaten the security of the target State, but which are not communicative in nature. Thus, the introduction into a State’s cyber systems of vulnerabilities which are capable of destructive activation at some later date would not constitute a threat of the use of force unless their presence is known to the target State and the originating State exploits them for some coercive purpose.11 It is generally accepted that the prohibition on the threat or use of force represents customary inter- national law.12 Resultantly, it binds all States regardless of membership in the United Nations. Article 38 of the Statute of the International Court of Justice (ICJ) defines customary law as “general practice accepted as law.”13 It requires the coexistence of State practice and opinio juris sie necessitatis, a belief that the practice is engaged in, or refrained from, out of a sense of legal obligation (rather than practical or policy reasons). Although simple in formulation, the norm is complex in substantive composition. It poses two key questions: “What is a use of force?” and “To whom does the prohibition apply?” Both bear heavily on the legality of cyber operations, which did not exist when the UN Charter was adopted by States in 1945. The difficulty of applying a legal provision which did not contemplate a particular type of opera - tion is apparent. 8 For book length treatment of these issues, see Thomas C. Wingfield. the law of information Conflict (Washington: Aegis Research Corporation 2000); Michael N. Schmitt and Brian O’Donnell, eds. Computer network Attack and international law (Newport: U.S. Naval War College International Law Studies, vol. 76, 1999); and the collected articles in 64 Air Force Law Review (2009). 9 In its original form, the draft Charter contained no reference to territorial integrity or political independence, and their subse - quent inclusion was controversial. The “other manner” language was inserted to make clear that their inclusion was not meant to limit the reach of the provision. See Doc. 1123, I/8, 6 U.N.C.I.O. Docs. 65 (1945); Doc. 784, I/1/27, 6 U.N.C.I.O. Docs. 336 (1945); Doc. 885, I/1/34, 6 U.N.C.I.O. Docs 387 (1945). 10 This point was made by the International Court of Justice in Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 ICJ Rep. 226, ¶ 47 (July 8). 11Although a threat must be coercive in some sense, there is no requirement that a specific “demand” accompany the threat. 12 See discussion of the issue by the International Court of Justice in Military and Paramilitary Activities in and Against Nica - ragua (Nicar. v. US), 1986 ICJ Rep. 14, ¶¶ 187-191 (June 27) [hereinafter Nicaragua]. 13 Statute of the International Court of Justice, art. 38, June 26, 1945, 59 Stat. 1055, 33 U.N.T.S. 993. On customary law, see Yoram Dinstein, “The Interaction between Customary International Law and Treaties,” Collected Courses of the Hague Academy of inter- national law 322 (Martinus Nijhoff, 2007).

OCR for page 151
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS Finally, it must be borne in mind that neither Article 2(4) nor its customary counterpart is remedial in nature. Rather, they merely set a threshold for breach of international law. The nature of the response to a wrongful use of force is instead determined by the law of State responsibility, the scope of authority of the Security Council and the law of self-defense. Each is addressed below. uses of Force Do cyber operations constitute a “use of force” as that phrase is understood in relation to the prohibi- tion? The interpretive dilemma is that the drafters of the Charter took a cognitive short cut by framing the treaty’s prohibition in terms of the instrument of coercion employed—force. Thus, the norm did not outlaw economic and political coercion, but disallowed military force, at least absent an express Charter exception. Yet, it is seldom the instrument employed, but instead the consequences suffered, that matter to States. At the time the Charter was drafted an instrument based-approach made sense, for prior to the advent of cyber operations the consequences that Sates sought to avoid usually comported with instrument-based categories. Cyber operations do not fit neatly into this paradigm because although they are “non-forceful” (that is, non-kinetic), their consequences can range from mere annoyance to death. Resultantly, as the Commander of U.S. Cyber Command noted during his confirmation hearings, policy makers must understand that “[t]here is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force.” 14 That the term “use of force” encompasses resort to armed force by a State, especially force levied by the military is self-evident. Armed force thus includes kinetic force—dropping bombs, firing artillery, and so forth. It would be no less absurd to suggest that cyber operations which generate consequences analogous to those caused by kinetic force lie beyond the prohibition’s reach, than to exclude other destructive non-kinetic actions, such as biological or radiological warfare. Accordingly, cyber operations that directly result (or are likely to result) in physical harm to individuals or tangible objects equate to armed force, and are therefore “uses of force.” For instance, those targeting an air traffic control system or a water treatment facility clearly endanger individuals and property. But cyber operations are usually mounted without causing such consequences, as illustrated by the case of Estonia. Are such operations nonetheless barred by the use of force prohibition? The starting point for any interpretive endeavor in law is the treaty text in question.15 In this regard, note that the adjective “armed” does not appear with reference to “force” in Article 2(4). By contrast, the Charter preamble cites the purpose of ensuring that “armed force shall not be used, save in the common interest.” Similarly, the Charter excludes “armed force” from the non-forceful measures the Security Council may authorize under Article 41 and mentions planning for “armed force” with regard to forceful Article 42 measures.16 And the Charter only allows forceful defensive actions in the face of an “armed attack.”17 This textual distinction suggests an interpretation of “force” that is broader in scope than the common understanding of the term. When text is ambiguous, recourse may be had to “the preparatory work of [a] treaty and the circum - stances of its conclusion.”18 The Charter’s traaux preparatoires, indicate that during the drafting of the 14 Unclassified Senate Testimony by Lieutenant General Keith Alexander, USA, Nominee for Commander, United States Cyber Command, April 15, 2010, www.senate.gov/~armed_services/statemnt/2010/04%20April/Alexander%2004-15-10.pdf. 15According to the Vienna Convention on the Law of Treaties, “[a] treaty shall be interpreted in good faith in accordance with the ordinary meaning to be given to these terms of the treaty in their context and in light of its object and purpose” which can be gleaned from the text, “including its preamble and annexes . . . .” May 23, 1969, art. 31(1)-(2), 1155 U.N.T.S. 331. The United States is not a party to the Vienna Convention, but treats most of its provisions as reflective of customary international law. 16 The reference to planning is found in U.N. Charter, art. 46. 17 U.N. Charter, art. 51. 18 Vienna Convention, supra note 15, art. 32.

OCR for page 151
1 miCHAEl n. SCHmitt instrument a proposal to extend the reach of Article 2(4) to economic coercion was decisively defeated. 19 A quarter century later, the issue again arose during proceeding leading to the UN General Assembly’s Declaration on Friendly Relations.20 The question of whether “force” included “all forms of pressure, including those of a political or economic character, which have the effect of threatening the territorial integrity or political independence of any State” was answered in the negative.21 Whatever force is, then, it is not economic or political pressure. Therefore, a cyber operation that involves such coercion is defi - nitely not a prohibited use of force. Psychological cyber operations (assuming they are non-destructive) intended solely to undermine confidence in a government or economy illustrate such actions. Suggestions to limit “force” to “armed force,” or even the force required to amount to an “armed attack,” were likewise rejected during the proceedings.22 This seemed to indicate that “force” was not coterminous with “armed” force, thereby strengthening the significance of the absence of the term “armed” in Article 2(4). In the nicaragua case, the ICJ expressly characterized certain actions which were non-kinetic in nature as uses of force. [W]hile arming and training of the contras can certainly be said to involve the threat or use of force against Nicaragua, that is not necessarily so in respect of all assistance given by the United States Government. In particular, the Court considers that the mere supply of funds to the contras, while undoubtedly an act of intervention in the internal affairs of Nicaragua . . . does not itself amount to a use of force.23 The determination that a use of force can embrace acts, like arming or training guerillas, which fall short of armed force leaves open the possibility that non-physically destructive cyber operations may fall within the term’s ambit. The threshold for a use of force must therefore lie somewhere along the continuum between economic and political coercion on the one hand and acts which cause physical harm on the other. Unfortunately, unequivocal State practice in characterizing particular cyber attacks as (or not as) uses of force is lacking. In part this is because the Article 2(4) prohibition extends solely to acts of States, and very few States have definitively been identified as the initiator of a cyber operation which might amount to a use of force. Moreover, States may well hesitate to label a cyber operation as a use of force out of concern that doing so would escalate matters or otherwise destabilize the situation. Therefore, one can only speculate as to future State practice regarding the characterization of cyber operations. Over a decade ago, this author identified a number of factors that would likely influence assess - ments by States as to whether particular cyber operations amounted to a use of force. 24 They are based on a recognition that while States generally want to preserve their freedom of action (a motivation to keep the threshold high), they equally want to avoid any harmful consequences caused by the actions of others (a motivation to keep the threshold low). States will seek to balance these conflicting objectives through consideration of factors such as those set forth below. The approach has generally withstood the test of time. (1) Seerity: Consequences involving physical harm to individuals or property will alone amount to a use of force. Those generating only minor inconvenience or irritation will never do so. Between the extremes, the more consequences impinge on critical national interests, the more they will contribute 19 See Doc. 2, G/7(e)(4), 3 U.N.C.I.O. Docs. 251, 253-54 (1945). Economic coercion, which typically involves trade sanctions, must be distinguished from “blockade,” which has the effect of cutting off trade, but employs military force to do so. It has historically been accepted that imposition of a blockade is an “act of war.” 20 Declaration on Principles of International Law Concerning Friendly Relations and Cooperation Among States in Accordance with the Charter of the United Nations, G.A. Res. 2625 (XXV), U.N. Doc. A/8082 (1970). 21 U.N. GAOR Special Comm. on Friendly Relations, U.N. Doc. A/AC.125/SR.114 (1970); See also Report of the Special Commit- tee on Friendly Relations, U.N. Doc. A/7619 (1969). The draft declaration contained text tracking that of Charter Article 2(4). 22 Ibid. 23 Nicaragua, supra note 12, ¶ 228. 24 Michael N. Schmitt, “Computer Network Attack and Use of Force in International Law: Thoughts on a Normative Frame - work,” 37 Columbia Journal of transnational law 885, 914-16 (1999).

OCR for page 151
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS to the depiction of a cyber operation as a use of force. In this regard, the scale, scope and duration of the consequences will have great bearing on the appraisal of their severity. Severity is self-evidently the most significant factor in the analysis. (2) immediacy: The sooner consequences manifest, the less opportunity States have to seek peace - ful accommodation of a dispute or to otherwise forestall their harmful effects. Therefore, States harbor a greater concern about immediate consequences than those which are delayed or build slowly over time. (3) directness: The greater the attenuation between the initial act and the resulting consequences, the less likely States will be to deem the actor responsible for violating the prohibition on the use of force. Whereas the immediacy factor focused on the temporal aspect of the consequences in question, directness examines the chain of causation. For instance, the eventual consequences of economic coer- cion (economic downturn) are determined by market forces, access to markets, and so forth. The causal connection between the initial acts and their effects tends to be indirect. In armed actions, by contrast, cause and effect are closely related—an explosion, for example, directly harms people or objects. (4) inasieness: The more secure a targeted system, the greater the concern as to its penetration. By way of illustration, economic coercion may involve no intrusion at all (trade with the target state is simply cut off), whereas in combat the forces of one State cross into another in violation of its sover- eignty. The former is undeniably not a use of force, whereas the latter always qualifies as such (absent legal justification, such as evacuation of nationals abroad during times of unrest). In the cyber context, this factor must be cautiously applied. In particular, cyber exploitation is a pervasive tool of modern espionage. Although highly invasive, espionage does not constitute a use of force (or armed attack) under international law absent a nonconsensual physical penetration of the target-State’s territory, as in the case of a warship or military aircraft which collects intelligence from within its territorial sea or airspace. Thus, actions such as disabling cyber security mechanisms to monitor keystrokes would, despite their invasiveness, be unlikely to be seen as a use of force. (5) measurability: The more quantifiable and identifiable a set of consequences, the more a State’s interest will be deemed to have been affected. On the one hand, international law does not view economic coercion as a use of force even though it may cause significant suffering. On the other, a military attack which causes only a limited degree of destruction clearly qualifies. It is difficult to identify or quantify the harm caused by the former (e.g., economic opportunity costs), while doing so is straightforward in the latter (x deaths, y buildings destroyed, etc). (6) Presumptie legitimacy: At the risk of oversimplification, international law is generally prohibi - tory in nature. In other words, acts which are not forbidden are permitted; absent an express prohibition, an act is presumptively legitimate.25 For instance, it is well accepted that the international law governing the use of force does not prohibit propaganda, psychological warfare or espionage. To the extent such activities are conducted through cyber operations, they are presumptively legitimate. (7) Responsibility: The law of State responsibility (discussed below) governs when a State will be responsible for cyber operations. But it must be understood that responsibility lies along a continuum from operations conducted by a State itself to those in which it is merely involved in some fashion. The closer the nexus between a State and the operations, the more likely other States will be to characterize them as uses of force, for the greater the risk posed to international stability. The case of the Estonian cyber attacks can be used to illustrate application of the approach. Although they caused no deaths, injury or physical damage, the attacks fundamentally affected the operation of the entire Estonian society. Government functions and services were severely disrupted, 25 I n the Case of the S.S. “lotus,” the Permanent Court of International Justice famously asserted that “[t]he rules of law bind - ing upon States . . . emanate from their own free will as expressed in conventions or by usages generally accepted as expressing principles of law and established in order to regulate the relations between these co-existing independent communities or with a view to the achievement of common aims.” S.S. “Lotus” (Fr. v. Turk.), 1927 P.C.I.J. (ser. A) No. 10, at 14 (Sept. 7).

OCR for page 151
1 miCHAEl n. SCHmitt the economy was thrown into turmoil, and daily life for the Estonian people was negatively affected. The consequences far exceeded mere inconvenience or irritation. The effects were immediate and, in the case of confidence in government and economic activity, wide-spread and long-term. They were also direct, as with the inability to access funds and interference with the distribution of government benefits. Since some of the targeted systems were designed to be secure, the operations were highly invasive. While the consequences were severe, they were difficult to quantify, since most involved denial of service, rather than destruction of data. Although political and economic actions are pre - sumptively legitimate in use of force terms, these operations constituted more than merely pressuring the target State. Instead, they involved intentionally frustrating governmental and economic functions. Taken together as a single “cyber operation,” the incident arguably reached the use of force threshold. Had Russia been responsible for them under international law, it is likely that the international com - munity would (or should have) have treated them as a use of force in violation of the UN Charter and customary international law. The criteria are admittedly imprecise, thereby permitting States significant latitude in characterizing a cyber operation as a use of force, or not. In light of the increasing frequency and severity of cyber operations, a tendency towards resolving grey areas in favor of finding a use of force can be expected to emerge. This State practice will over time clarify the norm and its attendant threshold. Applicability of the Prohibition By its own express terms, Article 2(4) applies solely to members of the United Nations. As discussed, the prohibition extends to non-Members by virtue of customary law. That is the limit of applicability. Non-State actors, including individuals, organized groups and terrorist organizations, cannot violate the norm absent a clear relationship with a State. Their actions may be unlawful under international and domestic law, but not as a violation of the prohibition on the use of force. Thus, in the Estonian case, and barring any evidence of Russian government involvement, none of those individuals or groups conducting the operations violated the Article 2(4) prohibition. But when can the conduct of individuals or groups be attributed to a State, such that the State is legally responsible for their actions? The law of State responsibility governs such situations.26 Obviously, States are legally responsible for the conduct of their governmental organs or entities. 27 This principle extends to unauthorized acts.28 Accordingly, any cyber operation rising to the level of an unlawful use of force will entail responsibility on the part of the State when launched by its agents, even when they are acting ultra ires. The fact that a State did not itself conduct the cyber operations at hand does not mean that it escapes responsibility altogether. States are also responsible for “the conduct of a person or group of persons . . . if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.”29 The ICJ addressed the degree of control necessary for attribution in the nicaragua case. There the Court considered attribution of the acts of the Nicaraguan Contras (a rebel group supported by the United States) to the United States, such that the United States would be responsible for breaches of IHL committed by the group. While finding the United States responsible for its own “planning, direction and support” of the Contras,30 the Court limited responsibil- ity for the Contra actions to those in which the United States exercised “ effectie control of the military or 26 This law is set forth, in non-binding form, in the International Law Commission’s Draft Articles on Responsibility of States for Internationally Wrongful Acts, in Report of the International Law Commission on the Work of Its Fifty-third Session, UN Doc. A/56/10 (2001). 27 Draft Articles on State Responsibility, supra, art. 4. 28 Ibid., art. 7. 29 Ibid., art. 8. 30 Nicaragua, supra note 12, ¶ 86.

OCR for page 151
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS paramilitary operations in the course of which the alleged violations were committed.” 31 Mere support for their activities did not suffice. The Appeals Chamber of the International Criminal Tribunal for the Former Yugoslavia (ICTY) took a different tack in the tadic case, where it held that the authority of the government of the Federal Republic of Yugoslavia over the Bosnia Serb armed groups “required by international law for consid - ering the armed conflict to be international was oerall control going beyond the mere financing and equipping of such forces and involving also participation in the planning and supervision of military operations.”32 It is essential to note that although the Tribunal expressly rejected the higher nicaragua threshold of effective control, the technical legal issue was not State responsibility, but rather the nature of the armed conflict. Thus, while tadic brings nicaragua into question by proffering a lower threshold, it does not necessarily supplant the effective control test. It remains unclear whether effective control, overall control or some other test governs in international law, although the ICJ has twice reaffirmed its version.33 In the cyber context, then, States will be responsible for violating the prohibition on the use of force to the extent they either direct private individuals or groups to conduct the operations or are heavily involved in them. Determinations will be made on a case-by-case basis looking to the extent and nature of involvement by the State with the group and in the particular operations. Even if conduct is not attributable to a State as under its control, it will nevertheless “be considered an act of that State . . . if and to the extent that the State acknowledges and adopts the conduct in ques - tion as its own.”34 The ICJ addressed this situation in the Hostage case, which involved seizure of the United States Embassy by Iranian militants in 1979. The Iranian government was uninvolved in the initial seizure, but later passed a decree which accepted and maintained the occupation of the embassy. According to the Court, “[t]he approval given to [the occupation of the Embassy] by the Ayatollah Kho - meini and other organs of the Iranian State, and the decision to perpetuate them, translated continuing occupation of the Embassy and detention of the hostages into acts of that State.” 35 It should be cautioned that mere expressions of approval do not suffice for attribution; rather, the State must somehow subsequently embrace the actions as its own, for instance, by tangibly supporting their continuance, failing to take actions to suppress them, or otherwise adopting them. Adoption may either be express, as in the Hostages case, or implied, as when a State engages in conduct that undeniably constitutes adoption. In the Estonian case, had Russia publically encouraged further attacks, it would have borne responsibility not only for the subsequent attacks, but also those in the initial wave. A State may also be held responsible for the effects of unlawful acts of private individuals or groups on its territory when it fails to take reasonably available measures to stop such acts in breach of its obli - gations to other States. In this situation, its violation is of the duty owed to other states, but its respon - sibility extends to the effects of the act itself. Applying this standard in the Hostages case, the ICJ found that the Iranian government failed to take required steps to prevent the seizure of the U.S. Embassy or regain control over it, in breach of its obligation to safeguard diplomatic premises.36 The key to such responsibility lies in the existence of a separate legal duty to forestall the act in question, and an ability to comply with said duty. The ICJ articulated this principle in its very first case, Corfu Channel, where it held that every State has an “obligation to not allow knowingly its territory to be used for acts contrary to the rights of other States.”37 Of the many obligations States owe each other, ensuring their territory 31 Ibid., ¶ 115. See also discussion in ¶ 109. 32 Prosecutor v. Tadic, Case No. IT-94-1-A, Appeals Chamber Judgment, ¶ 145 (July 15, 1999). 33Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), 2005 ICJ General List No. 116, at 53 (Dec. 19) ; Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Mont.), at 391-392 (Judgment of Feb. 26, 2007). 34 Draft Articles on State Responsibility, supra note 26, art. 11. 35 United States Diplomatic and Consular Staff in Teheran, 1980 ICJ Rep. 3, ¶ 74 (May 24). 36 Ibid., arts. 76-78. 37 Corfu Channel Case (Merits), 1949 ICJ Rep. 4, 22.

OCR for page 151
1 miCHAEl n. SCHmitt is not a launching pad for the use of force or armed attacks (see discussion below) against other States certainly ranks among the most important. The fact that a use of force consists of cyber operations rather than traditional armed force would not diminish the responsibility of the State involved. Finally, consider a situation in which the effects of a cyber operation extend to other than the tar- geted State. This is an especially relevant scenario in the cyber context, for networking and other forms of interconnectivity mean that a cyber use of force by State A against State B may have consequences in State C that would rise to the level of a use of force if directed against C. The causation of such effects would not amount to a violation of Article 2(4) vis-à-vis C. Article 2(4)’s requirement that Members “refrain in their international relations” from the use of force implies an element of purposely engaging in some action in respect of another specified State. Inadvertent effects caused in a State other than the target States do not constitute a form of “international relations.” However, even if the State did not intend such effects, it is clear that it bears responsibility for them. As noted in the Draft Articles of State Responsibility, “[t]here is an internationally wrongful act of a State when conduct consisting of an action or omission: (a) is attributable to the State under international law; and (2) constitutes a breach of an international obligation of the State.” 38 In the envisaged case, since State A conducted the cyber operation, the action is directly attributable to it. Further, the wrongful use of force against B would constitute a breach of A’s international obligation to refrain from the use of force. That the intended “victim” was B matters not. The criterion has been met once the breach of an international obligation has occurred. This is so even if the effects in C were unintended. As noted in the International Law Commission’s Commentary to the relevant article: A related question is whether fault constitutes a necessary element of the internationally wrongful act of a State. This is certainly not the case if by “fault” one understands the existence, for example, of an intention to harm. In the absence of any specific requirement of a mental element in terms of the primary obligation, it is only the act of a State that matters, independently of any intention. 39 Remedies for violation In the event of State responsibility for an unlawful act, the victim-State is entitled to reparation, which can take the form of restitution, compensation, or satisfaction.40 With regard to cyber operations amounting to a use of force, compensation could be claimed for any reasonably foreseeable physical or financial losses. A State may also take any responsive actions that neither amount to a use of force nor breach an existing treaty or customary law obligation. As an example, a State may chose to block incoming cyber transmissions emanating from the State that has used force against it. Additionally, the victim-State may take “countermeasures” in response to a use of force. 41 Coun- termeasures are “measures which would otherwise be contrary to the international obligations of the injured State is-à-is the responsible State if they were not taken by the former in response to an internationally wrongful act by the latter in order to procure cessation and reparation.” 42 They are dis- tinguished from retorsion, which is the taking of unfriendly but lawful actions, such as the expulsion of diplomats. The wrong in question has to be ongoing at the time of the countermeasures, since their purpose is not to punish or provide retribution, but instead to compel the other Party to desist in its unlawful activi- 38 Draft Articles of State Responsibility, supra note 26, art. 2. 39 James Crawford, the international law Commission’s Articles on State Responsibility: introduction, text and Commentaries 84 (Cambridge UP 2002). 40 Draft Articles on State Responsibility, supra note 26, arts. 34-37. Restitution is reestablishing “the situation which existed before the wrongful act was committed” (art. 35); compensation is covering any financially assessable damage not made good by restitu - tion (art. 36); satisfaction is “an acknowledgement of the breach, an expression of regret, a formal apology or another appropriate modality” that responds to shortfalls in restitution and compensation when making good the injury caused (art. 37). 41Ibid., art. 49.1. See also Nicaragua, supra 12, ¶ 249; Gabcikovo-Nagymaros Project (Hung. V. Slovk.) 1997 ICJ 7, 55-56 (Sep. 25). 42 Report of the International Law Commission, supra note 26, at 128.

OCR for page 151
10 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS ties.43 Countermeasures must be proportionate to the injury suffered,44 and the victim-State is required to have called on the State committing the wrong to refrain from the conduct (and make reparations if necessary), or, in the case of acts emanating from its territory, take measures to stop them. 45 Unlike collective self-defense (discussed below), countermeasures may only be taken by the State suffering the wrong.46 Countermeasures involving cyber operations would be particularly appropriate as a response to a cyber use of force, although the strict limitations placed on countermeasures weaken their viability in situations demanding an immediate reaction. On the other hand, it would be improper to respond with a cyber operation that rose to the level of a use of force, for “[c]ountermeasures shall not affect . . . the obligation to refrain from the threat or use of force as embodied in the Charter of the United Nations.”47 Responses amounting to a use of force are only permissible when falling within the two recognized exceptions to the prohibition on the use of force—action authorized by the Security Council and self-defense. Although the limitation of countermeasures to non-forceful measures is widely accepted, in a separate opinion to the ICJ’s oil Platforms judgment, Judge Simma argued for what might be labeled “self-defense lite” in the face of an “unlawful use of force ‘short of’ an armed attack within the mean - ing of Article 51.”48 For Judge Simma, such “defensive military action ‘short of’ full scale self-defence” is of a “more limited range and quality of response” than that which is lawful in response to an armed attack in the self-defense context. The key difference with classic self-defense is that Judge Simma would exclude collective actions.49 Reduced to basics, he is arguing for normative acceptance of force- ful countermeasures. The core problem with the approach is that it posits a tiered forceful response scheme. However, because the intensity of a defensive response is already governed, as will be discussed below, by the principle of proportionality, all that is really occurring is a relaxation of the threshold for engaging in forceful defensive actions. Such an approach is counter-textual, for the combined effect of Article 2(4) and 51 of the UN Charter is to rule out forcible responses by States against actions other than “armed attacks.” Nevertheless, acceptance of such an approach by States would be significant in the cyber con - text because by it cyber operations which themselves would be a use of force under Article 2(4) may be launched in reaction to a cyber use of force that did not rise to the level of an armed attack under Article 51. AuTHORIzATION by THE SECuRITy COuNCIL Pursuant to Article 39 of the UN Charter, the Security Council is empowered to determine that a particular situation amounts to a “threat to the peace, breach of the peace or act of aggression.” When it does, the Council “shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security.” Articles 41 and 42 set forth, respectively, non-forceful and forceful options for responding to such situations. The scope of the phrase “threat to the peace, breach of the peace or act of aggression” has been the subject of much attention in international law. Breach of the peace would seemingly require the outbreak of violence; cyber operations harming individuals or property would reasonably qualify, but whether those falling short of this level would do so is uncertain. As to aggression, in 1974 the General Assem - bly adopted a resolution in which it characterized aggression as ranging from the “use of armed force” 43 Draft Articles on State Responsibility, supra note 26, art. 52.3(a). 44 Ibid., art. 51. 45 Ibid., art. 52.1. 46 Nicaragua, supra note 12, ¶¶ 211 & 252. 47 Draft Articles on State Responsibility, supra note 26, art. 50.1(a). 48 Oil Platforms (Iran v. US), 2003 ICJ Rep. 161, Separate Opinion of Judge Simma, ¶ 12. 49 Ibid., ¶ 12-13.

OCR for page 151
11 miCHAEl n. SCHmitt and blockade to allowing one’s territory to be used by another state to commit an act of aggression and sending armed bands against another State.50 A cyber operation causing significant physical harm in another state would certainly rise to this level; whether others would is unclear. This ambiguity is essentially irrelevant in light of the “threat to the peace” criterion. Little guidance exists on those acts which qualify, although they must be conceptually distinguished from activities constituting threats of the use of force in contravention of Article 2(4). In tadic the ICTY opined that a threat to the peace should be assessed with regard to the Purposes of the United Nations delineated in Article 1 and the Principles set forth in Article 2.51 This is a singularly unhelpful proposition, since said purposes and principles include such intangibles as developing friendly relations and solving social problems. In fact, a finding that a situation is a “threat to the peace” is a political decision, not a legal one. It signals the Security Council’s willingness to involve itself in a particular matter. There are no territorial limits on situations which may constitute threats to the peace, although they logically tend to be viewed as those which transcend borders, or risk doing so. Nor is there a limitation to acts conducted by or at the behest of States; for instance, the Council has repeatedly found transnational terrorism to be a threat to the peace.52 No violence or other harmful act need have occurred before the Council may make a threat to the peace determination. Most importantly, since there is no mechanism for reviewing threat to the peace determinations, the Council’s authority in this regard is unfettered. Simply put, a threat to the peace is whatever the Council deems it to be. This being so, the Council may label any cyber operation a threat to the peace (or breach of peace or act of aggression), no matter how insignificant. Once it does, the Security Council may, under Article 41, authorize measures “not involving the use of armed force” necessary to maintain or restore international peace and security. Article 41 offers a number of examples, including “complete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio or other means of communication.” Interruption of cyber communications would necessarily be included. An interruption could be broad in scope, as in blocking cyber traffic to or from a country, or surgical, as in denying a particular group access to the internet. Any other cyber operations judged necessary would likewise be permissible. Given the qualifier “armed force,” opera - tions resulting in physical harm to persons or objects could not be authorized pursuant to Article 41. Should the Council determine that Article 41 measures are proving ineffective, or if before autho - rizing them it decides that such measures would be fruitless, it may, pursuant to Article 42, “take such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security.” The reference to operations by “air, sea, or land forces” plainly contemplates forceful military action, although a Security Council resolution authorizing the use of force will typically be framed in terms of taking “all necessary measures.” To the extent that military force can be authorized, it is self- evident that cyber operations may be as well. It would be lawful to launch them alone or as an aspect of a broader traditional military operation. The sole limiting factors would be the requirement to comply with other norms of international law, such as the IHL prohibition on attacking the civilian population, 53 and the requirement to restrict operations to those within the scope of the particular authorization or mandate issued by the Council. Article 42 actions are not limited territorially or with regard to subject of the sanctions. For example, it would undoubtedly be within the power of the Council to authorize cyber attacks against transnational terrorist groups (e.g., in order to disrupt logistics or command and 50 G.A. Res. 3314 (XXIX), annex, art. 3 (Dec. 14, 1974) (“Definition of Aggression”). 51 Prosecutor v. Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 29 (Oct. 2, 1995). 52 See, e.g., S.C. Res. 1377 (Nov. 12, 2001); S.C. Res. 1438 (Oct. 14, 2002); S.C. Res. 1440 (Oct. 24, 2002); S.C. Res. 1450 (Dec. 13, 2002); S.C. Res. 1465 (Feb. 13, 2003); S.C. Res. 1516 (Nov. 20, 2003); S.C. Res. 1530 (Mar. 11, 2004); S.C. Res. 1611 (July 7, 2005); S.C. Res. 1618 (Aug. 4, 2005). 53 Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts arts. 48, 51 & 52, June 8, 1977, 1125 U.N.T.S. 3 [hereinafter AP I].

OCR for page 151
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS launched it, may be an IP address or other machine discernable data. And the speed by which cyber operations proceed dramatically compresses the time available to make such determinations. How cer- tain must the target State be as to the identity of its attacker before responding in self-defense? Although international law sets no specific evidentiary standard for drawing conclusions as to the originator of an armed attack, a potentially useful formula was contained in the U.S. notification to the Security Council that it was acting in self-defense when it launched its October 2001 attacks against the Taliban and Al Qaeda in Afghanistan. There, U.S. Ambassador Negroponte stated that “my Government has obtained clear and compelling information that the Al-Qaeda organization, which is supported by the Taliban regime in Afghanistan, had a central role in the attacks.”75 NATO Secretary-General Lord Robertson used the same language when announcing that the attacks of 9/11 fell within the ambit of the collective defense provisions of Article V of the North Atlantic Treaty. 76 “Clear and compelling” is a threshold higher than the preponderance of the evidence (more likely than not) standard used in certain civil and administrative proceedings and lower than criminal law’s “beyond a reasonable doubt.” In essence, it obliges a State to act reasonably, that is, in a fashion consis - tent with the normal State practice in same or similar circumstances. Reasonable States neither respond precipitously on the basis of sketchy indications of who has attacked them nor sit back passively until they have gathered unassailable evidence. So long as the victim-State has taken reasonable steps to iden - tify the perpetrator of an armed attack, cyber or kinetic, and has drawn reasonable conclusions based on the results of those efforts, it may respond forcefully in self-defense. That the State in fact drew the wrong conclusion is of no direct relevance to the question of whether it acted lawfully in self-defense. 77 Its responses are assessed as of the time it took action, not ex post facto. Although the temporal aspect cannot be ignored, the time available to make the determination is merely one factor bearing on the reasonableness of any conclusion. In particular, automatic “hack-back” systems that might involve a response amounting to a use of force are neither necessarily lawful nor unlawful. Their use must be judged in light of many factors, such as the reliability of the determination of origin, the damage caused by the attack, and the range of available response options. An analogous standard of reasonableness would apply in the case of anticipatory self-defense against an imminent cyber attack. International law does not require either certainty or absolute preci - sion in anticipating another State’s (or non-State actor’s) future actions. Rather, it requires reasonable - ness in concluding that a potential attacker has decided to attack and wields the capability to carry out said attack, and that it must act defensively in anticipation of the attack lest it lose the opportunity to effectively defend itself. States could not possibly countenance a higher threshold, for such a standard would deprive them of a meaningful right of self-defense. Admittedly, ascertaining a possible adversary’s intentions in the cyber environment is likely to be demanding. Aside from the difficulties of accurately pinpointing identity discussed above, it will be challenging in the context of anticipatory self-defense to identify the purpose behind a particular cyber operation. For instance, is a cyber probe of a State’s air defense designed merely to gather intelligence or instead to locate vulnerabilities in anticipation of an attack which is about to be launched? Obvi - ously, such determinations must be made contextually, considering factors such as the importance of the matter in contention, degree of political tensions, statements by military and political leaders, military activities like deployments, exercises and mobilizations, failed efforts to resolve a contentious situation diplomatically, and so forth. The speed with which the defender may have to make such an assessment to effectively defend itself further complicates matters. Despite the factual and practical complexity, 75 Letter dated 7 October 2001 from the Permanent Representative of the United States of America to the United Nations Ad - dressed to the President of the Security Council, U.N. Doc. S/2001/946 (Oct. 7, 2001). 76 Statement by NATO Secretary General Lord Robertson, NATO Headquarters (Oct. 2, 2001), http://www.nato.int/docu/ speech/2001/s011002a.htm. 77 Note by way of analogy to international criminal law, that pursuant to the Statute of the International Criminal Court, a mis - take of fact is grounds for excluding criminal responsibility when the mistake negates the mental element required by the crime. Rome Statute of the International Criminal Court, art. 32.1, July 17, 1998, 2187 U.N.T.S. 90.

OCR for page 151
1 miCHAEl n. SCHmitt the legal standard is clear; a State acting anticipatorily in self-defense must do so reasonably. In other words, States in the same or similar circumstances would react defensively. When a State asserts that it is acting in self-defense, it bears the burden of proof. In the oil Platforms case, the ICJ noted that the United States had failed to present evidence sufficient to “justify its using force in self-defense.”78 Specifically, it could not demonstrate that Iran was responsible for a 1987 missile attack against an oil tanker sailing under U.S. flag or the 1988 mining of a U.S. warship during the Iran- Iraq “tanker war,” to which the United States responded by attacking Iranian oil platforms. The Court rejected evidence offered by the United States which was merely “suggestive,” looking instead for “direct evidence” or, reframed, “conclusive evidence.”79 “Clear and compelling” evidence would meet these requirements. Thus, States responding to a cyber armed attack must be prepared to present evidence of this quality as to the source and nature of an impending attack, while those acting in anticipation of an attack must do likewise with regard to the potential attacker’s intent and capability. Collective Responses Unlike countermeasures, defensive actions may be collective. This possibility is explicitly provided for in Article 51’s reference to “individual or collective self-defense.” Collective self-defense may be mounted together by States which have all been attacked or individually by a State (or States) which has not, but comes to the defense of another. Although the basic norm is clear in theory, it is complex in application. As noted in the Experts Report on the new NATO Strategic Concept, “there may well be doubts about whether an unconventional danger—such as a cyber attack or evidence that terrorists are planning a strike—triggers the collective defence mechanisms of Article V (the North Atlantic Treaty implementation of Article 51).”80 The mere fact of an armed attack allows for collective defensive action; no authorization from the Security Council is necessary. But there are legal limits on exercise of the right. In the nicaragua case, the ICJ suggested that only the victim-State is empowered to determine whether an armed attack has occurred, and it must request assistance before others act on its behalf.81 Absent such a determination and request, collective actions would themselves amount to unlawful uses of force, and, depending on their nature, even armed attacks (paradoxically, against the State launching the initial armed attack). These requirements are designed to prevent States from claiming to act in collective self-defense as a subterfuge for aggression. Given the practical difficulties of identifying a cyber operation’s originator, this is a sensible limita - tion. It must be noted that some distinguished commentators challenge the strict application of these requirements. They argue that in cases where the collective defense actions occur outside the territory of the victim-State, other States may be entitled to act on the basis of their own right to ensure their security. The right arguably derives from breach of the duty to refrain from armed attack that the State initiating the armed attack bears.82 This latter scenario is particularly germane in the cyber context since the effects of cyber armed attacks could easily spread through networks, thereby endangering States other than those which are the intended target. The prevailing view is nevertheless that there must be a request from the victim-State before the right of collective self-defense matures. In many cases, a pre-existing treaty contemplates collective defense. Article 52(1) of the UN Char- ter provides that “nothing in the present Charter precludes the existence of regional arrangements or agencies for dealing with such matters relating to the maintenance of international peace and security 78 Oil Platform, supra note 48, ¶ 57. 79 Ibid.,¶¶ 59, 69. 80 NATO 2020, supra note 7, at 20. 81 Nicaragua, supra note 12, ¶ 199; The Court reiterated this position in the Oil Platforms case of 2003. Oil Platforms, supra note 48, ¶ 55. 82 See discussion in Dinstein, supra note 62, at 270. This was the position adopted in Judge Jenning’s dissent in Nicaragua. Ni - caragua, Dissenting Opinion of Judge Sir Robert Jennings, supra note 12, at 544-46.

OCR for page 151
10 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS as are appropriate for regional action. . . .” Despite the reference to “regional” arrangements, the agree - ments need not be limited to States in a particular region or to actions occurring in a defined area. Such arrangements may take multiple forms, For instance, bilateral and multilateral mutual assistance trea - ties typically provide that the Parties will treat an armed attack against one of them as an armed attack against all.83 As a practical matter, the effectiveness of collective defense provisions usually depends on the willingness of the treaty partners to come to each other’s aid. A State that does not see collective defensive action as in its national interest may be expected to contest characterization of a cyber opera - tion as an armed attack. Military alliances based on the right to engage in collective defense also exist, the paradigmatic example being NATO. Pursuant to Article V of the treaty, Member States “agree that an armed attack that against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.”84 The benefit of alliances is that they generally involve a degree of advanced planning for combined operations in the event of armed attack, and, as with NATO, military structures are often set up to coordinate and direct military operations. Preplanning and the existence of collective mechanisms for managing joint and combined action are especially valuable with regard to defending against cyber attacks. However, like mutual assistance treaties, alliance arrangements are subject to the reality that they are composed of States, which can be expected to act pursuant to their own national interests. In the case of NATO, for instance, decisions to act are taken by consensus in the North Atlantic Council; a single member State can therefore block NATO collective action. Indeed, had the cyber operations against Estonia risen to the level of an armed attack, it is not altogether certain that NATO would have come to its defense militarily, especially in light of Russia’s place in the European security environment and the countervailing commitments of NATO allies elsewhere, especially Afghanistan and Iraq. State Sponsorship of Attacks by Non-State Actors The issue of State sponsorship of cyber operations was addressed earlier in the context of the responsibility of States for uses of force by non-State actors. There the question was when does a State violate the use of force prohibition by virtue of its relationship with others who conduct cyber opera - tions? However, the issue of State sponsorship in the self-defense context is much more momentous. It asks when may forceful defensive actions, even kinetic ones, be taken against a State which has not engaged in cyber operations, but which has “sponsored” them? In other words, when is an armed attack attributable to a State such that the State may be treated as if it had itself launched the attack? Until the transnational attacks of September 11, 2001, the generally accepted standard was set forth in the nicaragua case. There the ICJ stated that “an armed attack must be understood as including not merely action by regular forces across an international border, but also ‘the sending by or on behalf of a state of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another state of such gravity as to amount to’ (inter alia) an actual armed attack conducted by regular forces, ‘or its substantial involvement therein.’ ”85 The Court noted that the activities involved should 83 For instance, the Japan-United States mutual defense treaty provides that “[e]ach Party recognizes that an armed attack against either Party in the territories under the administration of Japan would be dangerous to its own peace and safety and declares that it would act to meet the common danger in accordance with its constitutional provisions and processes.” Treaty of Mutual Cooperation and Security Between Japan and the United States of America, Regarding Facilities and Areas and the Status of United States Armed Forces in Japan, art. V, Jan. 19, 1960, 373 U.N.T.S. 207. 84 North Atlantic Treaty, art. V, Apr. 4, 1949, 34 U.N.T.S. 243. 85 Nicaragua, supra note 12, ¶ 195.

OCR for page 151
11 miCHAEl n. SCHmitt be of a “scale and effects” that would equate to an armed attack if carried out by the State’s military. Thus, “acts by armed bands where such attacks occur on a significant scale” would qualify, but “a mere frontier incident would not.”86 By this standard, attribution requires (1) acts qualifying as an armed attack and (2) that the State dis - patched the non-State actors or was substantially involved in the operations. As noted earlier, the ICTY took a more relaxed view of the degree of control necessary, accepting “overall control” as sufficient. 87 The events of 9/11 brought the issue of threshold to light in a dramatic way. Assistance provided by the Taliban to Al Qaeda met neither the nicaragua nor tadic standards, since the Taliban merely provided sanctuary to Al Qaeda. The cyber analogy would be doing nothing to put an end to the activities of cyber “terrorists” or other malicious hackers operating from a State’s territory when it is within its capability, legal and practical, to do so. Even though there was seemingly no legal basis for attribution to Afghanistan, when the Coalition responded with armed force against both Al Qaeda and the governing Taliban, no objection was raised. On the contrary, the Security Council condemned the Taliban “for allowing Afghanistan to be used as a base for the export of terrorism by the Al-Qaida network and other terrorist groups and for providing safe haven to Usama Bin laden, Al-Qaida and others associated with them.” 88 It seems that the inter- national community had lowered the normative bar of attribution measurably. While the underlying operations must still amount to an armed attack, it is arguable that today much less support is required for attribution than envisaged in either nicaragua or tadic. Far from being counter-legal, this process of reinterpretation is natural; understandings of international legal norms inevitably evolve in response to new threats to the global order. In that cyber operations resemble terrorism in many regards, States may equally be willing to countenance attribution of a cyber armed attack to a State which willingly provides sanctuary to non-State actors conducting them. Armed Attacks by Non-State Actors Although most cyber operations are launched by individuals such as the anti-Estonian “hacktivists,” concern is mounting about the prospect that transnational terrorist organizations and other non-State groups will turn to cyber operations as a means of attacking States.89 The concern is well-founded. Al Qaeda computers have been seized that contain hacker tools, the membership of such groups is increas - ingly computer-literate, and the technology to conduct cyber operations is readily available. In one case, a seized Al Qaeda computer contained models of dams, a lucrative cyber attack target, and the computer programs required to analyze them.90 International lawyers have traditionally, albeit not universally, characterized Article 51 and the customary law of self-defense as applicable solely to armed attacks mounted by one State against another. Violent actions by non-State actors fell within the criminal law paradigm. Nonetheless, the international community treated the 9/11 attacks by Al Qaeda as armed attacks under the law of self-defense. The Security Council adopted numerous resolutions recognizing the applicabil- ity of the right of self-defense. 91 International organizations such as NATO and many individual States took the same approach.92 The United States claimed the right to act forcefully in self- 86 Ibid. 87 Itmust be emphasized that the legal issue involved in that case was not attribution of an armed attack, but rather the exist - exist- ence of an international armed conflict. 88 S.C. Res. 1378, pmbl. (Nov. 14, 2001). 89 This threat is cited in both the 2010 National Security Strategy ( supra note 6, at 27) and NATO 2020 (supra note 7, at 17). 90 Clay Wilson, Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress, Congressional Research Service Report RL32114, Oct. 17, 2003, at 11-13. 91 See, e.g., S.C. Res 1368 (Sept. 11, 2001); S.C. Res. 1373 (Sept. 28, 2001). 92 See, e.g., Press Release, NATO, Statement by the North Atlantic Council (Sept. 12, 2001); Terrorist Threat to the Americas, Res. 1, Twenty-fourth Meeting of Consultation of Ministers of Foreign Affairs, Terrorist Threat to the Americas, OAS Doc. RC.24/ RES.1/01 (Sept. 21, 2001); Brendan Pearson, Pm Commits to mutual defence, Australian Financial Review, Sept. 15, 2001, at 9.

OCR for page 151
12 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS defense,93 and no State objected to the assertion. Lest this approach be dismissed as simply an emo - tive reaction to the horrific attacks of 9/11, it must be noted that when Israel launched operations into Lebanon in response to Hezbollah’s 2006 terrorism, the international community again seemed to accept a country’s right to defend itself against armed attacks mounted by non-State actors. 94 Despite acceptance by States of the premise that non-State actors may qualify as the originators of an armed attack, the ICJ seems to have taken a step backwards in two post-9/11 cases. In the wall advisory opinion and the Congo case, the Court refrained from considering claims of self-defense against actions by non-State actors, noting that no assertion had been made that the relevant actions were imputable to a State.95 Although the Court’s reasoning was nuanced and fact-specific, it has nevertheless been widely criticized as inattentive to contemporary understandings of the relevant law. In particular, in the wall case three judges expressly departed from the majority’s approach on the bases that it ignored the fact that Article 51 makes no mention of the originator of an attack (while Article 2(4) specifically addresses uses of force by States) and that the Security Council had deliberately treated terrorist attacks as armed attacks in the aftermath of the 9/11.96 The Court’s hesitancy to embrace the notion of armed attack by non-State actors is understandable in light of the risk of abuse. States might well apply it to engage in robust military operations against groups in situations in which law enforcement is the more normatively appropriate response. For instance, significant concerns have been raised regarding counterterrorist operations occurring outside an armed conflict mounted in States which do not consent to them. Such concerns are likely to be even more acute in relation to cyber operations, which are conducted not by armed members of groups resembling classic military forces, but rather by cyber experts equipped with computers. Nevertheless, as a matter of law, States seem comfortable with applying the concept of armed attacks to situations involving non-State actors. Should such groups launch cyber attacks meeting the threshold criteria for an armed attack, States would likely respond within the framework of the law of self-defense. The point that the attacks must meet the threshold criteria cannot be overemphasized. There is no State practice supporting extension of the concept to the actions of isolated individuals, such as hacktiv - ists or patriotic hackers. Further, the cyber operations must be severe enough to qualify as armed attacks, that is, they have to result in damage to or destruction of property or injury to or death of individuals. Finally, as the debate over minor border incursions demonstrates, it is uncertain whether attacks which meet the aforementioned threshold, but are not of significant scale, would qualify. As an example, a cyber attack that caused a single plant’s generator to overheat, thereby temporarily interrupting service until it could be repaired, would presumably not, by the more restrictive standard, qualify as an armed attack. Rather, it would be the cyber equivalent of a border incursion. Cross-border Operations When armed attacks by non-State actors emanate from outside a State, may that State take defen - sive actions against its perpetrators in the territory of the State where they are based? This question has been raised recently in the context of unmanned aerial vehicle strikes against terrorists in Pakistan 93 “Inresponse to these attacks, and in accordance with the inherent right of individual and collective self-defense, United States forces have initiated actions designed to prevent and deter further attacks on the United States. These actions include measures against Al-Qaeda terrorist training camps and military installations of the Taliban regime in Afghanistan. . . .” Letter from the Permanent Representative, supra note 75. 94 See generally, Michael N. Schmitt, “’Change Direction’ 2006: Israeli Operations in Lebanon and the International Law of Self-Defense,” 29 michigan Journal of international law 127 (2008). Many commentators and States saw the actions as violating the proportionality criterion discussed above. 95 Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 2004 ICJ Rep. 136, ¶ 139 (July 9); Congo, supra note 33, at 53. 96 Wall, supra note 95, Sep. Op. Judge Higgins, ¶ 33; Sep. Op. Judge Koojmans, ¶ 35; Decl. Judge Buergenthal, ¶ 6.

OCR for page 151
1 miCHAEl n. SCHmitt and elsewhere. It is no less pertinent to situations involving cyber armed attacks launched by non-State actors from abroad. It is indisputable that one State may employ force in another with the consent of the territorial State. t For instance, a State may grant others the right to enter its territory to conduct counterterrorist opera - tions, as often occurs in Pakistan, or a State embroiled in an internal conflict with insurgents may request external assistance in restoring order, as with ISAF operations in Afghanistan or USF in Iraq. A State subjected to an armed attack, whether cyber or kinetic, could, with the acquiescence of the territorial State, equally launch cyber defensive operations into the State from which the attacks emanated. The legal dilemma arises when operations are conducted without territorial State approval. By the principle of sovereignty (and the derivative notion of territorial integrity), a State enjoys near absolute control over access to its territory. In affirmation, the UN General Assembly has cited the use of force by a State on the territory of another as an act of aggression.97 Yet, the right of States to use force in self-defense is no less foundational. When terrorists or insurgents seek sanctuary in a State other than that in which they are conducting operations, they bring the territorial State’s right of sovereignty into conflict with the victim-State’s right of self-defense. Fortunately, international law does not require an either-or resolution when norms clash. Instead, it seeks to balance them by fashioning a compromise which best achieves their respective underlying pur- poses. In this case, such a balance would ensure that the territorial State need not suffer unconstrained violations of its sovereignty, but nor would the victim-State have to remain passive as non-State groups attack it with impunity from abroad. The resulting compromise is as follows. The victim-State must first demand the territorial State fulfill its legal duty to ensure actions on or from its territory do not harm other States and afford the territorial State an opportunity to comply.98 If that State subsequently takes effective steps to remove the threat, then penetration of its territory by the victim-State, whether kinetically or by cyber means, is impermissible. But if the territorial State fails to take appropriate and timely action, either because it lacks the capability to conduct the operations or simply chooses not to do so (e.g., out of sympathy for the non-State actors or because its domestic laws preclude action), the victim-State may act in self-defense to put an end to the non-State actor’s attacks. It matters not whether the actions are kinetic or cyber in nature, as long as they comply with the principles of proportionality and necessity. ARMED CONFLICT The jus in bello notion of “armed conflict” must be distinguished from the jus ad bellum concepts of use of force, threat to the peace, breach of the peace, act of aggression and armed attack. The jus ad The bellum determines when a State has violated the international law governing the resort to force, and sets forth a normative flow plan for individually or collectively responding to such violations. By contrast, under the jus in bello, the applicability of IHL depends on the existence of an “armed conflict.” This law is set forth in such treaties as the four 1949 Geneva Conventions and the two 1977 Protocols Additional (Protocol I for international and Protocol II for non-international armed conflict), and in customary international law.99 In determining whether IHL rules like distinction (the requirement to distinguish combatants from civilians and military objectives from civilian objects), proportionality (the prohibi - tion on attacks expected to cause harm to civilians and civilian object which is excessive relative to the military advantage anticipated to accrue from the attack), or direct participation (the loss by civilians of their protections when they take a direct part in hostilities) apply to cyber operations, the threshold question is whether an armed conflict is underway.100 97 Definition of Aggression Resolution, supra note 50, art. 3(a). 98 On the duty to police one’s own territory, see Corfu Channel (U.K. v. Alb.), 1949 ICJ Rep. 4 (Apr. 9). 99 GC I-IV, supra note 4; AP I, supra note 53; Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of Non-International Armed Conflicts, June 8, 1977, 1125 U.N.T.S. 609 [hereinafter AP II]. 100AP I, supra note 53, arts. 48, 51.5(b), 51.3.

OCR for page 151
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS There are two forms of armed conflict, international and non-international. The first refers to conflicts between States, whereas the second implies either conflicts between a State and a non-State organized armed group or those between such groups. Determining when a conflict is international or non- international is a highly complex matter, particularly in light of hostilties between States and non-State transnational actors, such as global terrorist groups. As an example of the uncertainty, consider that while the Israeli Supreme Court has characterized Israel’s conflicts with terrorist groups such as Hamas and Hezbollah to be international, in part because they transcend Israeli territory, the U.S. Supreme Court has labeled the conflict with transnational terrorist groups like Al Qaeda as “not of an international character.”101 Although a full exploration of the characterization of conflict issue lies beyond the scope of this article, it is useful to examine the concepts in a general manner. International Armed Conflict Article 2 Common to the four Geneva Conventions states that they “apply to all cases of declared war or to any other armed conflict which may arise between two or more of the High Contracting parties.”102 This begs the question of the nature and scope of the referenced conflict. The International Committee of the Red Cross’ official commentary to the provision provides that “any difference arising between two States and leading to the intervention of members of the armed forces is an armed conflict within the meaning of Article 2, even if one of the Parties denies the existence of a state of war. It makes no difference how long the conflict lasts, how much slaughter takes place, or how numerous are the participating forces.”103 Similarly, the ICTY has opined that “an armed conflict exists whenever there is resort to force between States.”104 It is essential to distinguish states of “armed conflict” under the jus in bello from instances of jus ad bellum “armed attacks,” for, as noted, some experts assert that minor incidents do not amount to the latter. Moreover, in the traditional treatment of the legal concept of “war,” minor armed incidents did not necessarily signal the commencement of a war between States.105 But so long as there is an armed exchange between the armed forces of two States, an “international armed conflict” exists. Actions by non-State actors operating under State control would also qualify, although actions by individuals or independent group would not. Hostilities need not even exist. By Article 2, the conventions apply in cases of “partial or total occupation . . ., even if said occupation meets with no armed resistance.”106 And it is equally accepted that there is an armed conflict if the forces of one State detain individuals protected by IHL, such as combatants.107 It is irrelevant whether the parties to the armed conflict con - sider themselves to be “at war.” This leads to two alternative conclusions with regard to cyber operations standing alone. First, they must be the functional equivalent of a clash of arms between States. Applying the approach adopted in the context of the jus ad bellum, relevant actions must be likely to result in injury, death, damage or destruction to comprise an international armed conflict. Non-destructive computer network exploitation, espionage, denial of service attacks and other actions would not initiate an armed conflict, although they might, depending on the circumstances, qualify as a use of force. This is the mainstream approach among IHL experts, one focusing on the adjective “armed” in the phrase armed conflict. However, the fact that an armed conflict can occur in the absence of combat arguably provides inter- pretive leeway. This is especially so in light of an ongoing debate among experts as to whether a cyber 101 HCJ [High Court of Justice] 796/02, Public Committee against Torture in Israel et al. v. Government of Israel et al., ¶ 21(Dec. 13, 2006); Hamdan v. Rumsfeld, 126 S.Ct. 2749, 2795-96 (2006). 102 Common art. 2 to GC I-IV, supra note 4. 103 Commentary to the third genea Conention relatie to the treatment of Prisoners of war 23 (ICRC, Jean Pictet ed., 1960). 104 Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, supra note 51, ¶ 70. 105 Dinstein, supra note 62, at 11-13. 106 Common art. 2(1) to GC I-IV, supra note 4. 107 Pictet, supra note 103, at 23.

OCR for page 151
1 miCHAEl n. SCHmitt operation can amount to an “attack,” as that term is used in IHL (e.g., the prohibition on “attacking” civilians and civilian objects).108 The law defines attacks as “acts of violence,”109 leading one school of thought to argue that only operations resulting in injury, death, damage or destruction are attacks to which the prohibitions apply.110 Advocates would therefore likely accept the aforementioned limitation. A second school argues that the essence of such prohibitions is directing military operations against protected persons and places.111 If this is so, then IHL would apply to certain non-destructive cyber operations against protected persons and objects, and, by extension, an international armed conflict would commence once a State or those under its control launched them. The problem is that proponents of the second approach offer no criteria for distinguishing non- destructive “attacks” from non-destructive military operations that clearly do not qualify as attacks, such as lawful psychological operations. Presumably, consequence severity would be a key criterion, but how might that be determined (financial loss, disruption of essential State functions, etc.)? Indeterminacy may be acceptable in the context of identifying a use of force, for the issue there is merely whether a violation of law has occurred (and countermeasures cannot involve the use of force). By contrast, the consequences of finding an “armed conflict” are much more dramatic. Armed conflict renders violent actions by combatants lawful unless they breach a particular IHL norm, even when the initial resort to force by the belligerent State was unlawful. In other words, while IHL limits violence, it also legitimizes it. This interpretation is obviously problematic. Non-International Armed Conflict Determining when a non-international armed conflict exists is even more problematic. The relevant IHL is found primarily in customary international law, Common Article 3 to the Geneva Conventions and, for States party, Additional Protocol II (AP II). Although there is much controversy over the precise content of the customary law and the extent to which certain customary IHL norms apply in both inter- national and non-international armed conflicts, it is undeniably a less detailed and less comprehensive body of law than that applicable in international armed conflict. Common Article 3 to the Geneva Conventions defines non-international armed conflicts in the nega - tive as those which are “not of an international character,” a characterization reflective of customary international law.112 There are two generally accepted criteria for such conflicts. First, Article 3 employs the phrase “each Party to the conflict.” The term “Party” is commonly understood to refer to either States or to groups which have a certain degree of organization and command structure. Thus, cyber violence of any intensity engaged in by isolated individuals or by unorganized mobs, even if directed against the government, does not qualify. It would not amount to an armed conflict, and therefore would be governed by criminal law and human rights law, not IHL. The vast majority of the cyber operations conducted against Estonia would fall into this category. The second criterion is intensity. It is generally agreed that a non-international armed conflict requires violence of a higher degree of intensity than international armed conflict. “Internal disturbances and tensions, such as riots, isolated and sporadic acts of violence and other acts of a similar nature” 108AP I, supra note 53, arts. 51 and 52. 109 Ibid., art. 49. 110 See, e.g., Michael N. Schmitt, “Warfare: Computer Network Attack and International Law,” 84 (No. 846) international Reiew of the Red Cross 365 (June 2002). 111 Knut Dörmann, Applicability of Additional Protocols to Computer Network Attack, Paper delivered at the International Ex - pert Conference on Computer Network Attacks and the Applicability of International Humanitarian Law, Stockholm, November 17-19, 2004, http://www.icrc.org/web/eng/siteeng0.nsf/htmlall/68lg92?opendocument. 112 Common art. 3 to GC I-IV, supra note 4 (“In the case of armed conflict not of an international character occurring in the ter - ritory of one of the High Contracting Parties, each Party to the conflict shall be bound to apply, as a minimum, the following provisions. . . .”).

OCR for page 151
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS fall short of the threshold.113 In non-normative terms, the criterion suggests that unrest which can be handled primarily by law enforcement entities, without resort to the armed forces, does not constitute non-international armed conflict even if carried out by armed groups. Along these lines, the ICTY has characterized non-international armed conflicts as involving “protracted armed violence between governmental authorities and organized armed groups or between such groups within a State,” 114 a formula adopted by the International Criminal Tribunal for Rwanda and in the Statute of the Interna - tional Criminal Court.115 For parties to the instrument (the United States is not), AP II sets forth significant additional IHL norms. However, the threshold of applicability for this instrument is set at an even higher level than that of customary law and Common Article 3. In the case of AP II non-international armed conflicts, the non-State party to the conflict has to “exercise such control over a part of” a State’s territory that it can “carry out sustained and concerted military operations.” 116 It would be exceptionally difficult for cyber operations standing alone to rise to the level of non- international armed conflict. First, operations launched by individuals and unorganized groups are not encompassed in the category, no matter how destructive. Second, the cyber operations would have to be protracted, that is, occur over a period of time. Sporadic attacks would not qualify, regardless of their destructiveness. Third, the requirement of intensity would augur against arguments that actions which are not destructive can sometimes meet the test, a weak argument even in the case of international armed conflict. Combined, the criteria mean that only significantly destructive attacks taking place over some period of time and conducted by a group that is well-organized initiate a non-international armed conflict. Finally, as noted earlier, significant controversy surrounds the question of whether attacks by trans- national non-State actors are international or non-international in character. The debate derives from the fact that non-international armed conflicts are typically seen as conflicts between a State and “rebels,” in other words, civil wars. AP II seemingly makes this requirement explicit in its reference to conflicts taking place “in the territory of a State . . . between its armed forces and dissident armed forces or other organized armed groups.”117 Although Common Article 3 contains no such restriction, its reference to conflicts “occurring in the territory” of a Party to the 1949 Geneva Conventions has sometimes also been construed as excluding conflicts that transcend national borders. Thus, by one interpretation, such conflicts are international because they cross borders.118 By an alternative interpretation, they are non-international because they do not involve States in opposition to each other, which has tradition - ally been the distinguisher for international armed conflict. Accordingly, they are conflicts which are “not of an international character.”119 It has also been argued that they are a new form of armed conflict to which only the general norms applicable to all armed conflicts, such as the principle of distinction, apply. This form of conflict has been labeled “transnational.”120 Finally, it might be argued that there is no armed conflict at all, but rather mere criminality. In fact, a strict reading of the law would suggest as much. However, this last approach begs the question of what law applies in the event of an armed attack (in the ad bellum context) to which a State responds forcefully, since absent an armed conflict, IHL is inapplicable. Whatever the correct characterization, it would apply equally to groups conducting cyber operations of the intensity required to constitute an armed conflict. 113AP II, supra note 99, art. 1.2, generally deemed to equally reflect the standard applicable to Common Article 3 and customary international law. See, e.g., Rome Statute, supra note 77, art. 8(2)(f). 114 Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, supra note 51, ¶ 70. 115 Prosecutor v. Akeyesu, Case No. ICTR-96-4-T, Judgment, ¶ 619 (Sept. 2, 1998); Rome Statute, supra note 77, art. 8(2)(f). 116AP II, supra note 99, art. 1(1). It must also be able to implement the provisions of the Protocol. 117 See text at fn 112. 118 HCJ [High Court of Justice] 796/02, Public Committee against Torture in Israel et al. v. Government of Israel et al., ¶ 21(Dec. 13, 2006). 119 Hamdan v. Rumsfeld, 126 S.Ct. 2749, 2795-96 (2006). 120 See, e.g., Geoff Corn, “Hamdan, Lebanon, and the Regulation of Armed Conflict: The Need to Recognize a Hybrid Category of Armed Conflict,” 40 vanderbilt transnational law Journal 295 (2006).

OCR for page 151
1 miCHAEl n. SCHmitt FAuLT LINES IN THE LAW The legal analysis set forth above should strike most readers as unsatisfactory. Clear fault lines in the law governing the use of force have appeared because it is a body of law that predates the advent of cyber operations. The normative scheme made sense when close congruity existed between the coercive instruments of international relations, particularly military force, and their effects. To the extent one State disrupted order in the international community, it usually did so by using force to harm objects and per- sons. Resultantly, instrument-based normative shorthand (use of force, armed attack, and armed conflict) was employed as a means of precluding those effects (death, injury, destruction and damage) which were perceived as most disruptive of community stability, and as most threatening to State security. Debates such as whether actions short of military operations are uses of force or whether minor border incursions qualify as armed attacks demonstrate that the foundational concerns were actually consequence-based, for both reflect recognition that the instrument-based approach is not perfectly calibrated. The advent of cyber operations threw the instrument-based approach into disarray by creating the possibility of dramatically destabilizing effects caused by other than kinetic actions. They weakened the natural congruency between the normative shorthand employed in the law governing resort to force and those consequences which the law sought to avoid as disruptive. Conceptually, the “qualitative” scheme, by which prohibitions were expressed in terms of types of activities (use of the military and other destructive instruments as distinguished from non-destructive ones) no longer sufficed to preclude those effects about which States had become most concerned. A non-kinetic, non-destructive means of generating effects which States cannot possibly countenance now existed; the qualitative shorthand no longer tracked the quantitative concerns of States. The prohibition on the use of force has proven somewhat adaptable to this new reality because it has long been understood to extend beyond the application of kinetic force. Thus, it is reasonable to employ the criteria suggested in this article to identify situations in which non-kinetic actions will result in quan- titatively unacceptable, and therefore prohibited, consequences. The UN Charter mechanism for Security Council-based responses to threats to the peace, breaches of the peace and acts of aggression is likewise adaptable because by it threats to the peace include, simply put, whatever the Council wishes. However, the textual precision of the “armed attack” component of the individual and collective self-defense norm leaves little room for interpretive reshaping. By its own terms, “armed attack” does not reach many cyber-generated consequences to which States will wish to respond in self-defense. To a lesser extent, the same is true with regard to the notion of “armed conflict.” It seems incongruent that a minor firefight would initiate an armed conflict, but a major non-physically destructive cyber attack against the cyber infrastructure of a State would not. Evidence of disquiet abounds. In a recent report by the National Research Council, examples of armed attack included “cyberattacks on the controlling information technology for a nation’s infra - structure (whether or not it caused immediate large-scale death or destruction of property)” and “a cyberattack against the stock exchanges that occurs repeatedly and continuously, so that trading is disrupted for an extended period of time (e.g., days or weeks).”121 As a matter of law, they would likely qualify as uses of force, but not, by a strict interpretation of the self-defense norm, as armed attacks (or as initiating an armed conflict). The problem is that most States would surely treat them as such. In other words, the National Research Council report has misconstrued the law, but accurately identified probable State behavior. When State expectations as to the “rules of the game” deviate from those that actually govern their actions, new norms can emerge. One method by which this can occur is through new treaty law. However, it is highly unlikely that any meaningful treaty will be negotiated to govern cyber operations in the foreseeable future. The greatest obstacle is that those States which are most vulnerable to cyber operations tend to be those which are also most capable of conducting them. Such tension will cause 121 Technology, Policy, Law, and Ethics, supra note 63, at 254-55.

OCR for page 151
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS such States to hesitate before agreeing to prohibitions designed to protect them which may also defini - tively limit their freedom of action. This is especially so in light of the nascent nature of cyber warfare and the lack of experience of most States in these operations. In international relations, States are often comfortable with a degree of vagueness. Much more likely is the emergence of new understandings of the existing treaty law which are responsive to the realities of cyber operations. While only subsequent treaty action can technically alter a treaty’s terms, State practice can inform their interpretation over time. A well-known example involves veto action by Permanent Members of the Security Council. The UN Charter provides that a binding resolution of the Council requires the affirmative vote of all five Permanent Members. 122 However, State practice has been to treat the provision as blocking action only when a member of the “P5” vetoes a proposed resolution. This counter-textual interpretation is now accepted as the law. 123 The recent exten- sion of the notion of armed attack to actions by non-State actors similarly illustrates normative evolution prompted by shifting State expectations. In due course, similar evolution in the how the concept of armed attack is understood should be anticipated, as States increasingly accept the proposition that armed attacks must be judged qualita - tively and quantitatively. Consequences will remain the focus of concern, but they will be assessed both in terms of nature and as to their impact on affected States. In this regard, the seven criteria proffered above in the use of force context can serve as useful indicators of whether States are likely to characterize particular cyber operations as armed attacks (or as initiating an armed conflict), and thus suggest the probable vector of the law. However, for the moment the existing law remains intact; it will be left to States to articulate the expectations and engage in practices that can serve to fuel the normative process necessary to transform lex ferenda into lex lata.124 122 U.N.Charter, art. 27.3. 123 See discussion in Bruno Simma, Stefan Brunner & Hans-Peter Kaul, Article 2, in I the Charter of the United nations: A Com- mentary 476, 493-98 (Bruno Simma ed., 2d ed. 2002). The veto principle does not apply to votes on procedural matters. 124 The law as it should be and the law that is, respectively.