Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
7 Legal and Ethical Perspectives on Cyberattack 7.1â The Basic Framework Â In the context of this chapter, international law refers to treaties (writ- ten agreements among states governed by international law) and custom- ary international law (general and consistent practices of states followed from a sense of legal obligation). Domestic law refers to the Constitution of the United States, federal statutes, and self-executing treaties and can constrain the actions of government and of private individuals. This chapter focuses on the implications of existing international and domestic law as well as relevant ethical regimes for the use of cyberat- tack by the United States.Â (It is thus not intended to address legal issues that arise mostly in the context of the United States defending against cyberattack.)Â Compared to kinetic weapons, weapons for cyberattack are a relatively recent addition to the arsenals that nations and other par- ties can command as they engage in conflict with one another.Â Thus, the availability of cyberattack weapons for use by national governments natu- rally raises questions about the extent to which existing legal and ethical perspectives on war and conflict and international relationsâwhich affect In 2008, the Supreme Court explained that a self-executing treaty is one that âoper- ates of itself without the aid of any legislative provision,â and added that a treaty is ânot domestic law unless Congress has either enacted implementing statutes or the treaty itself conveys an intention that it be âself-executingâ and is ratified on these terms.â See Medellin v. Texas, 128 S.Ct. 1346, 1356 (2008) (citations and internal quotations omitted). 239
240 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES considerations of how and when such weapons might be usedâcould require reinterpretation or revision.Â Some analysts have responded to these questions in the negative, arguing that cyberweapons are no different than any other weapons and thus that no new legal or ethical analysis is needed to understand their proper use.Â Others have taken the opposite view, arguing that cyber- weapons are so different from kinetic weapons that new legal regimes are needed to govern their use. Further, some argue that it is much easier to place substantive constraintsÂ on new military technologies before they have been integrated into the doctrine and structure of a nationâs armed forces. And still others have taken the view that although cyberweap- ons do raise some new issues, the basic principles underlying existing legal and ethical regimes continue to be valid even though analytical work is needed to understand how these principles do/should apply to cyberweapons. As is indicated below in this chapter, the committeeâs perspective is most similar to the last one articulated above.Â Furthermore, the commit- tee observes that in no small measure, the range of opinions and conclu- sions about the need for new regimes comes from the fact that as indicated in Chapter 2, the notion of cyberattack spans an enormous range of scale, impact, and complexity. Some specification of a cyberattackâs range, scope, and purpose must be presented if analytical clarity is to be achieved. This chapter does not attempt to provide a comprehensive norma- tive analysis.Â Instead, it reviews the current international and domestic legal regimes, and suggests where existing regimes may be inadequate or ambiguous when the use of cyberweapons is contemplated.Â In addition, it explores issues that cyberattack may raise outside the realm of the rel- evant legal regimes.Â In all instances, the emphasis is on raising questions, exploring ambiguities, and stimulating thought. Although this report takes a Western perspective on ethics and human rights, the committee acknowledges that these views are not universal. That is, other religious and ethnic cultures have other ethical and human rights traditions and practices that overlap only partially with those of the United States or the West, and their ethical and human rights traditions may lead nations associated with these cultures to take a different per- spective on ethical, human rights, and legal issues regarding cyberattack. Perhaps most importantly, other nations may take a more expansive or a This point of view was expressed in presentations to the committee by the USAF Cyberspace Task Force (briefing of LTC Forrest Hare, January 27, 2007). See, for example, Christopher C. Joyner and Catherine Lotrionte, âInformation War- fare as International Coercion: Elements of a Legal Framework,â European Journal of Interna- tional Law 12(5):825-865, 2001.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 241 more restricted view of how the law of armed conflict constrains activities related to cyberattack. Finally, it should be noted that legal considerations are only one set of factors that decision makers must take into account in deciding how to proceed in any given instance. There will no doubt be many circum- stances in which the United States (or any other nation) would have a legal right to undertake a certain action, but might choose not to do so because that action would not be politically supportable or would be regarded as unproductive, unethical, or even harmful. 7.2â International law International obligations flow from two sources: treaties (in this con- text, the Charter of the United Nations, the Hague and Geneva Conven- tions with their associated protocols, and the Cybercrime Convention) and customary international law. Defined as the customary practices of nations that are followed from a sense of legal obligation, customary inter- national law has the same force under international law as a treaty. Provisions of international law are sometimes enacted into national laws that are enforceable by domestic institutions (such as the President and courts). For example, Title 18, Section 2441 of the U.S. Code criminal- izes the commission of war crimes and defines war crimes as acts that constitute grave breaches of the Geneva or Hague Conventions. Such laws impose penalties on individuals who violate the relevant provisions of international law. When nations violate international law, the recourse mechanisms available are far less robust than in domestic law. For example, the Inter- national Court of Justice has held specific nations in violation of inter- national law from time to time, but it lacks a coercive mechanism to penalize nations for such violations. In principle, the UN Security Council can call for coercive military action that forces a violator to comply with its resolutions, but the viability of such options in practice is subject to considerable debate. 7.2.1â The Law of Armed Conflict To understand the legal context surrounding cyberattack as an instru- ment that one nation might deploy and use against another, it is helpful to start with existing lawâthat is, the international law of armed conflict (LOAC). Todayâs international law of armed conflict generally reflects two
242 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES centralÂ ethical principles.Â First, a state that uses force or violence against another state must have âgoodâ reasons for doing so, and indeed, through- out most of history, states that have initiated violence against other states have sought to justify their behavior.Â Second, even if violent conflict between nations is inevitable from time to time, unnecessary human suf- fering should be minimized. LOAC addresses two separate questions. First, when is it legal for a nation to use force against another nation? This body of law is known as jus ad bellum. Second, what are the rules that govern the behavior of combatants who are engaged in armed conflict? Known as jus in bello, this body of law is separate and distinct from jus ad bellum. 22.214.171.124â Jus ad Bellum Jus ad bellum is governed by the UN Charter, interpretations of the UN Charter, and some customary international law that has developed in connection with and sometimes prior to the UN Charter. Â Article 2(4) of the UN Charter prohibits every nation from using âthe threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.â Nations appear to agree that a vari- ety of unfriendly actions, including unfavorable trade decisions, space- based surveillance, boycotts, severance of diplomatic relations, denial of communications, espionage, economic competition or sanctions, and economic and political coercion, do not rise to the threshold of a âuse of force,â regardless of the scale of their effects. As for the âthreats of forceâ prohibited by Article 2(4), Professor Thomas Wingfield of the U.S. Army Command and General Staff College testified to the committee that such threats might plausibly include verbal threats, initial troop movements, initial movement of ballistic missiles, massing of troops on a border, use of fire control radars, and interference with early warning or command and control systems. Â The UN Charter also contains two exceptions to this prohibition on the use of force. First, Articles 39 and 42 permit the Security Council to authorize uses of force in response to âany threat to the peace, breach of the peace, or act of aggressionâ in order âto maintain or restore interna- tional peace and security.â The law of armed conflict is also sometimes known as international humanitarian law. A number of legal scholars, though not all by any means, view international humanitar- ian law as including human rights law, and thus argue that the law of armed conflict also includes human rights law. For purposes of this chapter and this report, the law of armed conflict does not include human rights law.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 243 Second, Article 51 provides as follows: âNothing in the present Char- ter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.â The self-defense contemplated by Article 51 does not require Security Council authorization. Professor Wingfield argued that armed attack would include declared war, de facto hostilities, occupation of territory, a blockade, the destruction of electronic warfare or command and control systems, or the use of armed force against territory, military forces, or civilians abroad. In addition, there is debate over whether the right of self-defense is limited by Article 51, or whether Article 51 simply recognizes a continuation of the preexisting (âinherentâ) right of self- defense. Box 7.1 elaborates on notions of self-defense and self-help. An important aspect of the interpretation of Article 51 involves the question of imminent attack. It is widely accepted that a nation facing unambiguous imminent attack is also entitled to invoke its inherent right of self-defense without having to wait for the blow to fall. (Self-defense undertaken under threat of imminent attack is generally called âantici- patory self-defense.â) For example, Oppenheimâs International Law: Ninth Edition states that: The development of the law, particularly in the light of more recent state practice, . . . suggests that action, even if it involves the use of armed force and the violation of another stateâs territory, can be justified as self- defence under international law where: a)â armed attack is launched, or is immediately threatened, against a an stateâs territory or forces (and probably its nationals); b)â there is an urgent necessity for defensive action against that attack; c) â there is no practicable alternative to action in self-defence, and in particular another state or other authority which has the legal powers to stop or prevent the infringement does not, or cannot, use them to that effect; d)â action taken by way of self-defense is limited to what is necessary the to stop or prevent the infringement, i.e., to the needs of defence. When are these conditions met? The facts and circumstances in any given situation may not lead to clear determinationsâindeed, the threat- ened party is likely to have a rather different perception of such facts and circumstances than the threatening state. The mere fact that Zendia possesses destructive capabilities that could be used against Ruritania cannot be sufficient to indicate imminent attackâ Oppenheimâs International Law: Ninth Edition, 1991, p. 412.
244 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.1â Self-defense and Self-help Article 51 acknowledges the right of a nation to engage in the use of armed force for self-defense, including the situation in which the nation is the target of an armed attack, even without Security Council authorization. (The issue of whether a nation may respond militarily without Security Council authorization if it is the target of a use of force short of an armed attack is less clear, with evidence to support both sides of this position.1) Although the term âself-defenseâ is undefined in the UN Charter, it is convenient to consider three different types of actions, all of which involve the use of force in response to an attack. â¢ A Type 1 action is a use of force taken to halt or curb an attack in prog- ress or to mitigate its effects. Type 1 actions do not apply after the attack ceases, because all of the harm that the attack can cause has already been caused at that point. â¢ A Type 2 action is a use of force in which a nation is the first to use force because it has good reason to conclude that it is about to be attacked and that there is no other alternative that will forestall such an action. Type 2 actions are sometimes called actions of anticipatory self-defense.2 â¢ A Type 3 action is a use of force aimed at reducing the likelihood that the original attacker will continue its attacks in the future. Type 3 actions are predicated on the assumption that the original attacker has in mind a set of attacks, only one of which has occurred, and can be regarded as a kind of anticipatory self-defense against these likely future attacks. An example of a Type 3 action is the 1986 El Dorado Canyon bombing on Libya, which was justified as an act of self-defense against a continuing Libyan-sponsored terrorist threat against U.S. citizens.3 (Note that under domestic law as it applies to private persons, Type 3 actions are gener- ally not legal, though Type 1 actions taken in self-defense are sometimes justified under common law, as indicated in Section 5.2.) Many nations, including the United States, have asserted rights under the UN Charter to all three types of action under the rubric of self-defense. At the same time, other nations (especially including the target of such action) have claimed that a Type 3 action is really an illegal reprisalâthat is, an act of punishment or revenge. In the context of cyberattack and active defense, a Type 1 action corresponds to active threat neutralizationâa cyberattack launched in response to an incoming cyberattack that is intended to neutralize the threat and to stop further damage from occurring. A Type 3 action corresponds to a cyberattack that is intended to dissuade the attacker from launching further attacks in the future. The difference between Type 1 and Type 3 actions is significant because a Type 3 action is technically easier to conduct than a Type 1 action under some circumstances. For example, it may easily come to pass that an incoming cyberat- tack can be identified as emanating from Zendia and that the Zendian national
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 245 authorities should be held responsible for it. A Type 3 action could then take the form of any kind of attack, cyber or kinetic, against Zendiaâwithout the enormous difficulty of identifying a specific access path to the controllers behind the attack (necessary for a Type 1 action). In addition and depending on the circumstances, a Type 1 action could be followed by a Type 3 action. That is, a policy decision might be made to take a Type 3 action to ensure that no more hostile actions were taken in the future. Self-defense actions are clearly permissible when a nation or its forces have experienced an armed attack. Under standing rules of engagement, a missile fired on a U.S. fighter plane or a fire-control radar locked on the airplane would count as an armed attack, and self-defense actions (e.g., bombing the missile site or the radar) would be allowable. In a similar vein, cyberattacks that compromise the ability of units of the DOD to perform the DODâs mission might well be regarded as an armed attack, and indeed STRATCOM has the authority to conduct response actions to neutralize such threats (Chapter 3). If a nation has been the target of a use of force (a cyberattack) that does not rise to the threshold of an armed attack, responses made by the victimized nation fall into the category of self-help. What self-help actions are permissible under the UN Charter? Certainly any action that does not amount to a use of force is legal under the UN Charter as long as it does not violate some existing treaty obligation. An example of such an action might well be non-cooperative but non-destructive in- telligence gathering about the attacking system. In addition, a small-scale Type 1 action to neutralize an incoming cyberattack aimed at a single system is likely to be permissible. (An analogy from physical space might be the small-scale use of force to shoot armed border crossers.) 1 Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999. 2 See, for example, Oppenheimâs International Law: Ninth Edition, 1991, p. 412. 3 The raid was the culmination of increasing tensions between the United States and Libya. Since 1973, Muammar Qadhafi asserted Libyan control over the Gulf of Sidra, a claim not recognized under international law (which recognizes only a 12-mile-from-shore claim for national waters). In 1981, the United States conducted naval exercises in the area claimed by Libya, with the result that two Libyan fighter-bombers sent to challenge the United States presence were shot down. Tensions continued to increase, and in March 1986, Libya launched six SA-5 missiles against the U.S. Sixth Fleet, then operating nearby in the Mediterranean. In subsequent action, the United States destroyed two Libyan vessels. In early April 1986, a bomb exploded in a Berlin discotheque, killing a U.S. soldier and injuring 63 U.S. soldiers, among others. The United States asserted that it had communications intercepts proving Libyan sponsorship of the bombing, and Operation El Dorado Canyon occurred shortly thereafter, as the United States had at the time no reason to expect such attacks to cease. In May 2001, Qadhafi acknowledged to a German newspaper that Libya had been behind the discotheque bombing 15 years earlier, which was carried out apparently in retaliation for the U.S. sinking of the two vessels in March 1986.
246 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES otherwise, the mere existence of armed forces of an adversary would be sufficient justification. But if Zendia can use these capabilities effectively against Ruritania and with serious consequences without warning, and Zendia has indicated hostile intent toward Ruritania in other (perhaps non-military) ways, outside observers may indeed be more likely to judge that the conditions for anticipatory self-defense have been met. 126.96.36.199â Jus in Bello Once armed conflict has begun, the conduct of a nationâs armed forces is subject to a variety of constraints. Jus in bello is governed largely by the Hague Conferences of 1899 and 1907, the Geneva Conventions, and customary international law. â¢ Military necessity. Valid targets are limited to those that make a direct contribution to the enemyâs war effort, or those whose damage or destruction would produce a military advantage because of their nature, location, purpose, or use. Thus, enemy military forces (and their equip- ment and stores) may be attacked at will, as is also true for civilians and civilian property that make a direct contribution to the war effort. Assets that do not contribute to the war effort or whose destruction would pro- vide no significant military advantage may not be deliberately targeted by cyber or kinetic means. LOAC also provides for a category of specially and (in theory) universally protected facilities such as hospitals and reli- gious facilities. â¢ Proportionality. It is understood that attacks on valid military tar- gets may result in collateral injury and damage to civilian assets or people. Some degree of collateral damage is allowable, but not if the foreseeable collateral damage is disproportionate compared to the military advantage likely to be gained from the attack. In the event that military and nonmili- tary assets are circumstantially commingled (e.g., the use of a common electric grid to power both military and civilian facilities), the attacker must make a proportionality judgment. But in instances when the enemy has deliberately intermingled military and non-military assets or people, the enemy must then assume some responsibility for the collateral dam- age that may result. Put differently, LOAC always obligates a would-be attacker to make reasonable proportionality judgments. What is less clear, and may depend on circumstances, are the conditions under which the enemy has a legal responsibility to refrain from deliberately commingling military assets with non-military assets or more generally to separate such assets. For example, the enemy mayÂ have deliberately placed âhuman shieldsâ around military targets.Â Â In such a case, the enemy isÂ clearly in violation
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 247 of LOAC and bears the responsibility for any injury to the hostages if the target is attacked.Â However, in an extreme caseÂ where the likely deaths and injuries among the hostages are disproportionate to the military advantageÂ to the attacker,Â the attacker isÂ obligated to take into account the presence and likely deaths of those human shields in making a pro- portionality judgment about a possible attack. A common misperception about proportionality as a rule of jus in bello is that it requires the victim of an attack to respond only in ways that cause the original attacker approximately the same amount or degree of pain that the victim experienced. This kind of response is generally char- acterized as a commensurate response, and although commensuration and commensurate response are often used by policy makers as guide- posts in formulating responses to external attack, they are not required by LOAC. â¢ Perfidy. Acts of perfidy seek to deceive an enemy into believing that he is obligated under the law of armed conflict to extend special protection to a friendly asset when such is not the case. For example, by convention and customary law, certain persons and property may not be legitimately attacked, including prisoners of war and prisoners-of-war camps, the wounded and sick, and medical personnel, vehicles, aircraft, and vessels. Persons and property in this category must be identified with visual and electronic symbols, and misuse of these symbols to prevent a legitimate military target from being attacked constitutes the war crime of perfidy. In addition, it is unlawful to feign surrender, illness, or death to gain an advantage in combat, or to broadcast a false report that both sides had agreed to a cease-fire or armistice. At the same time, ruses of war are explicitly permissible. A ruse of war is intended to mislead an adversary or to induce him to act recklessly but its use infringes no rule of international law applicable in armed conflict and does not mislead the adversary into believing that he is entitled to special protection. Camouflage, decoys, mock operations, and misinformation are all permitted ruses. â¢ Distinction. Distinction requires armed forces to make reasonable efforts to distinguish between military and civilian assets and between military personnel and civilians, and to refrain from deliberately attack- ing civilians or civilian assets. However, there are two important classes of civilians or civilian assetsâthose that have been compromised and used (illegally) to shield the actions of a party to the conflict and those that suffer inadvertent or accidental consequences (âcollateral damageâ) of an attack. Responsibility for harm is apportioned differently depending on the class to which a given civilian or civilian asset belongs (Box 7.2). â¢ Neutrality. A nation may declare itself to be neutral, and is entitled to immunity from attack by either side at war, as long as the neutral nation does not assist either side militarily and acts to prevent its territory
248 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.2â Avoiding Harm to Innocent Parties The principle of distinction requires military forces to minimize harm to inno- cent partiesâthat is, non-combatants that are not actively engaged in helping to prosecute the war. But three categories of âinnocent partiesâ must be distinguished, especially in the cyber context. â¢ Category AâAn innocent party that is compromised by an adversary and then used to shield the adversaryâs actions. For example, an adversary (Zendia) that uses human civilians as shields to protect its antiaircraft sites is using this kind of innocent party. Zendia would also be doing so if it launched a cyberattack against Ruritania through the use of a compromised and innocent third-party computer (e.g., one belonging to civilians). â¢ Category BâAn innocent party that is caught up in some effect that was unpredicted or could not have been expected. For example, a Zendian civilian truck in the desert is struck inadvertently by the empty drop tanks of a Ruritanian fighter-bomber en route to its target, and all those inside the truck are killed. Or, a Ruritanian cyberattack strikes a Zendian generator powering the Zendian ministry of defense, leading to a cascading power failure that disables hospitals in which Zendian patients then die. â¢ Category CâAn innocent party that is granted special protection under the Geneva Convention, such as a hospital, and is then used as a facility from which to launch attacks. For example, the Zendian adversary that places mortars on the roof of a hospital is using Category C innocent parties. Or, Zendia launches a cyberattack on Ruritania using the servers and Internet connections of a Zendian hospital. Distinguishing between these kinds of innocent parties is important because the categories of parties harmed have different implications for responsibility. If from being so used. Accordingly, there exists a right for a threatened state âto use force to neutralize a continuing threat located in the territory of a neutral state, but not acting on its behalf, when the neutral state is unable or unwilling to fulfill its responsibility to prevent the use of its territory as a base or sanctuary for attacks on another nation.â Note also that under item 3 of UN Security Council Resolution 1368 (adopted on September 12, 2001), which calls on all member states âto work together urgently to bring to justice the perpetrators, organizers and sponsors of these terror- ist attacksâ and stresses that âthose responsible for aiding, supporting, or harboring the perpetrators, organizers and sponsors of these acts will be Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999. United Nations Security Council Resolution 1368 (2001), accessed at http://Âdaccessdds. un.org/doc/UNDOC/GEN/N01/533/82/PDF/N0153382.pdf?OpenElement.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 249 C Â ategory A innocent parties are harmed, some responsibility attaches to Zendia for placing innocent parties in harmâs way. Some degree of responsibility may a Â ttach to Ruritania if the attack did not meet the requirements of Âproportionalityâ that is, if the military value of the target shielded was small by comparison to the loss of Zendian civilian life. If Category B innocent parties are harmed, the respon- sibility does not fall on Zendia, and if Ruritania took reasonable care in route plan- ning, no responsibility attaches to Ruritania either. If Category C innocent parties are harmed, the legal responsibility for those consequences falls entirely on the Z Â endian adversary under LOAC. In active defense scenarios calling for threat neutralization, there are many valid concerns about a counterstrike that does harm to some innocent party. But at least in some scenarios involving innocent third-party computers (that is, in Category A), a Ruritanian response against those compromised computers could be conducted within the bounds of LOAC, and the harm resulting to those third parties would be the responsibility of Zendia and not Ruritania. Of course, Ruritania would have to address several other concerns before feeling confident in the legality and wisdom of a counterstrike. First, even if a counterstrike is entirely legal, it may come with other costs, such as those associ- ated with public opinion or ethical considerations. If a counterstrike disables the hospital computer and deaths result, there may be censure for Ruritania, even if the counterstrike was within Ruritaniaâs legal rights to conduct. Second, Ruritania would have to take reasonable care to determine that the incoming cyberattack was indeed coming from the computer in question, because Zendia might have also planted evidence so as to prompt a counterstrike against a computer that was not involved in the attack at all. Third, Ruritania would still have to make reasonable efforts to ensure that its attack on the hospital computer did not have unintended cascading effects (e.g., beyond the particular node on the hospital network from which the attack was emanating). held accountable,â and under related developments in international law, even neutral states have affirmative obligations to refrain from harboring perpetrators of terrorist attacks. The United States has asserted the right of self-defense in this context on a number of occasions, including the 1998 cruise missile attack against a terrorist training camp in Afghanistan and a chemical plant in Sudan in which the United States asserted that chemical weapons had been manufactured; the 1993 cruise missile attack against the Iraqi intelligence service headquarters which the United States held responsible for a conspiracy to assassinate President George H.W. Bush; and the 1986 bombing raid against Libya in response to Libyaâs continuing support for terrorism against U.S. military forces and other U.S. interests. â¢ Discrimination. Nations have agreed to refrain from using cer- tain weapons, such as biological and chemical weapons, at least in part
250 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES because they are inherently indiscriminate weapons (that is, they cannot be directed against combatants only). However, there is no ban as such on indiscriminate weapons per seâthe harm to non-combatants is mini- mized through adherence to requirements of proportionality. It is worth emphasizing that jus ad bellum and jus in bello are two dif- ferent bodies of law, applicable at different times. Once armed conflict has started (whether or not jus ad bellum has been followed in the starting of that conflict), jus in bello is the body of law that applies. 7.2.2â Applying the Law of Armed Conflict to Cyberattack This section addresses some of the issues that might arise in apply- ing international law to cyberattack. Some issues arise when a nation is the target of a cyberattack and must consider legal issues in formulat- ing an appropriate and effective responseâand its decision depends on (among other things) whether it is in an ongoing state of hostilities with the perpetrator of that cyberattack. Other issues arise when a nation may wish to launch a cyberattack against another party prior to the outbreak of hostilities but without intending to give the other side a legal basis for regarding its action as starting a general state of hostilities. Still other issues arise when cyberattack is conducted in the context of an ongo- ing conflictâthat is, while hostilities are in progress. And a different set of standards and legal regimes may govern responses to cyberattacks launched by non-state actors. To be fair, many or most of the same issues addressed below arise when kinetic weapons are used in conflict. But cyberweapons are newer and have certain characteristics not shared with kinetic weapons, which implies that fewer precedents and analyses are available and that the application of LOAC principles may not be as straightforward as they are when kinetic weapons are involved. On the broad question regarding cyberattack, the committee starts with two basic premises that guide subsequent discussion: Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999. These points are addressed in a number of legal analyses, including Michael Schmitt, âComputer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,â Columbia Journal of Transnational Law 37:885-937, 1999; Duncan B. Hollis, âNew Tools, New Rules: International Law and Information Operations,â pp. 59-72 in Ideas As Weapons: Influence and Perception in Modern Warfare, G. David and T. McKeldin, eds., Potomac Books, Inc., 2009; and Jason Barkham, âInformation Warfare and International Law on the Use of Force,â New York University International Law and Politics 34:57-113, 2001. Schmittâs and Hollisâs analyses are summarized in Appendix D.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 251 â¢ Cyberattack cannot be regarded as a more âbenignâ form of war- fare or as always falling short of âarmed attackâ or âuse of forceâ simply because a cyberattack targets computers and networks. The magnitude, scale, and nature of a cyberattackâs effects, both direct and indirect, have to be taken into account in ascertaining its significance, and it is not sim- ply the modality of the attack that matters.10 â¢ Despite the fact that cyberattack is a relatively new form of weapon, acknowledged armed conflict involving the use of cyberweapons is sub- ject to LOAC and UN Charter law. That is, LOACâs precepts regarding jus ad bellum and jus in bello continue to have validity in a cyberattack context. Nevertheless, because of the novelty of such weapons, there will be uncertainties in how LOAC and UN Charter law might apply in any given instance. An effects-based analysis suggests that the ambiguities are fewest when cyberattacks cause physical damage to property and loss of life in ways that are comparable to kinetic attacks and traditional war is involved, because traditional LOAC provides various relevant precedents and analogies. The ambiguities multiply in number and complexity when the effects do not entail physical damage or loss of life but do have other negative effects on another nation.11 Appendix D summarizes several other views on cyberattack as a use of force. Also, as Hollis notes,12 traditional LOAC and the UN Charter are largely silent on how to address conflict involving non-state actors, even though non-state actors (in particular, terrorist groups) are playing larger roles in the security environment today. This point is addressed in Section 188.8.131.52 (on terrorists), Section 184.108.40.206 (on multinational corporations), and Section 220.127.116.11 (on individuals). 18.104.22.168â Prior to the Outbreak of HostilitiesâApplying Jus ad Bellum An important question of jus ad bellum in this report is whether, or more precisely, when, a given cyberattack constitutes a âuse of forceâ or an âarmed attack.â But as a number of analysts have noted,13 the relevant 10 Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November, 1999. 11 See Jason Barkham, âInformation Warfare and International Law on the Use of Force,â New York University International Law and Politics 34:57-113, 2001. 12 Duncan B. Hollis, âNew Tools, New Rules: International Law and Information Op- erations,â pp. 59-72 in Ideas As Weapons: Influence and Perception in Modern Warfare, G. David and T. McKeldin, eds., Potomac Books, Inc., 2009. 13 Michael Schmitt, âComputer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,â Columbia Journal of Transnational Law 37:885-
252 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES question is not so much whether a cyberattack constitutes a âuse of forceâ but rather whether a cyberattack with a specified effect constitutes a âuse of force.â That is, the effects of a given cyberattack are the appropriate point of departure for an analysis of this question, rather than the specific mechanism used to achieve these effects. 22.214.171.124.1â The Uncertainties in Identification and Attribution Application of LOAC in a cyber context requires identification of the party responsible for an act of cyber aggression. But as noted in Chapter 2, it may be difficult even to know when a cyberattack has begun, who the attacker is, and what the purpose and effects of the cyberattack are/were. Indeed, it may be difficult to identify even the nature of the involved party (e.g., a government, a terrorist group, an individual), let alone the name of the country or the terrorist group or the individual. Knowing the nature of the party is an important element in determining the appropri- ate response.14 And, of course, knowing which country, terrorist group, or individual is in fact responsible is essential if any specific response involving attack is deemed appropriate. â¢ What, if any, is the responsibility of an attacking nation to ascertain the physical location of a computer or network that it attacks? Where kinetic weapons are involved, attacking a particular target requires knowledge of the targetâs physical location. But it is often possible for a cyberweapon to attack a target whose location is known only as an IP address or some other machine-readable address that does not Ânecessarily correspond to a specific or a known physical location. Yet physical loca- tion may matter (a point that relates to notions of territorial integrity) in determining whether a given cyber target belongs to or is under the control of an adversary. â¢ What degree of certainty about the identity of an attacker is needed legally before a cyberattack may be launched to neutralize it? How, if at all, does this differ from what is needed for policy purposes? Box 7.3 provides some scenarios in which such questions arise. 937, 1999; Jason Barkham, âInformation Warfare and International Law on the Use of Force,â New York University Journal of International Law and Politics 34:57-113, 2001; Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999. An exposition by Brownlie in 1963 discusses a âresults-orientedâ approach, but of course without reference to cyberattack per se. See Ian Brownlie, International Law and the Use of Force by States, 1963. 14 Sections 2.4.2 and 2.4.3 describe some of the issues involved in making such a determination.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 253 BOX 7.3â Uncertainties in Identification and Attributionâ Possible Examples The following examples illustrate possible scenarios in which uncertainties in identification and attribution arise. â¢ During conflict between the United States and Zendia, a U.S. cyberattack is launched on a computer controlling a Zendian air defense network. A normally reliable human informant passes on a message to the United States, but the mes- sage is unfortunately incomplete, and the only information passed along is the computerâs electronic identifier, such as an IP address or a MAC (Media Access Control) address; its physical location is unknown. The open question is whether this computer is a valid military target for a U.S. cyberattack and the extent to which the United States has an obligation to ascertain its physical location prior to such an attack. â¢ During a time of international tension (say, U.S. forces are on an elevated alert status), the United States experiences a cyberattack on its military communi- cations that is seriously disruptive. The United States must restore its communica- tions quickly but lacks the intelligence information to make a definitive assessment of the ultimate source of the attack. The open question is whether it can lawfully act against the proximate sources of the attack in order to terminate the threat and restore its communications capability, even though it is by no means certain that the âproximate sourceâ is actually the ultimate source and may simply have been exploited by the ultimate source. (A proximate source might be a neutral nation, or a nation whose relations with the United States are not particularly good. If the latter, a U.S. attempt to neutralize the attack might thus exacerbate tensions with that nation.) One practical consequence of these uncertainties is that a nation seek- ing UN action in response to a cyberattack would be unlikely to see rapid action, since much of the necessary information might not be avail- able promptly. (Indeed, consider as a benchmark the history of long and extended Security Council debate on authorizations for armed conflict involving kinetic force.) 126.96.36.199.2â Criteria for Defining âUse of Forceâ and âArmed Attackâ15 Traditional LOAC emphasizes death or physical injury to people and destruction of physical property as criteria for the definitions of âuse of forceâ and âarmed attack.â But modern society depends on the existence 15 A related perspective can be found in Jason Barkham, âInformation Warfare and International Law on the Use of Force,â New York University International Law and Politics 34:57-113, 2001.
254 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES and proper functioning of an extensive infrastructure that itself is increas- ingly controlled by information technology. Actions that significantly interfere with the functionality of that infrastructure can reasonably be regarded as uses of force, whether or not they cause immediate physical damage. Thus, cyberattacks on the controlling information technology for a nationâs infrastructure that had a significant impact on the function- ing of that infrastructure (whether or not it caused immediate large-scale death or destruction of property) would be an armed attack for Article 51 purposes, just as would a kinetic attack that somehow managed to shut down the system without such immediate secondary effects. How far would a cyberattack on a nationâs infrastructure have to go before it was regarded as a use of force or an armed attack? Scale of effect is one important factor in distinguishing between an armed attack and a use of force. For example, an armed attack would presumably involve a use of force that resulted in a large scale of effect. It is unclear if there are other differentiating factors in addition to scale of effect. (Neither âarmed attackâ nor âuse of forceâ necessarily requires the use of traditional kinetic weapons.) Schmittâs examples of cyberattacks that do and do not qualify as a use of force are useful for establishing a continuum of scale.16 At one end, Schmitt argues that a cyberattack on an air traffic control system resulting in a plane crash and many deaths clearly does qualify as a use of force, whereas a computer network attack on a single university computer net- work designed to disrupt military-related research occurring in campus laboratories does not. In between these two ends of the spectrum are a number of problematic cases (Box 7.4) that raise a number of questions. â¢ What is the minimum length of time, if any, for which a serious disruption to critical infrastructure must last for it to be regarded as a use of force or an armed attack? (This is not to say that time is the only vari- able involved in such an assessment.) â¢ Under what circumstances, if any, can a non-lethal and continuing but reversible cyberattack that interferes with the functionality of a target network (e.g., against a photo reconnaissance satellite) be regarded as a use of force or an armed attack? â¢ Under what circumstances, if any, can a cyberattack (e.g., against a stock marketâs data, against a factory process) whose disruptive but not actually destructive effects build slowly and gradually be regarded as a use of force or an armed attack? 16 Michael Schmitt, âComputer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,â Columbia Journal of Transnational Law 37:885- 937, 1999.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 255 BOX 7.4â Cyberattacks as a Possible âUse of Forceâ The following examples illustrate possible scenarios that raise questions about the appropriate definition of the âuse of force.â â¢ A cyberattack temporarily disrupts Zendiaâs stock exchanges and makes trading impossible for a short period. Bombs dropped on Zendiaâs stock exchanges (at night, so that casualties were minimized) would be regarded as a use of force or an armed attack by most observers, even if physical backup facilities were promptly available so that actual trading was disrupted only for a short time (e.g., a few hours). The posited cyberattack could have the same economic effects, except that the buildings themselves would not be destroyed. In this case, the cyberattack may be less likely to be regarded as a use of force than a kinetic attack with the same (temporary) economic effect, simply because the lack of physical destruction would reduce the scale of the damage caused. However, a cyberattack against the stock exchanges that occurs repeatedly and continuously, so that trading is disrupted for an extended period of time (e.g., days or weeks), would surely constitute a use of force or even an armed attack, even if no buildings were destroyed. â¢ A cyberattack is launched against the ground station of a Zendian military photo-reconnaissance satellite. Neither the satellite nor the ground station is physi- cally damaged, but Zendia is temporarily unable to download imagery. The open question is whether such an act might plausibly be interpreted as a use of force, based on the argument that the inability to download imagery might be a prelude to an attack on Zendia, even if no (permanent) damage has been done to Zendia. â¢ A cyberattack has effects that build slowly and gradually. For example, a cyberattack against a stock exchange might corrupt the data used to make trades. Again, no physical damage occurs to buildings, and in addition trading continues, albeit in a misinformed manner. Over time, the effects of such an attack could wreak havoc with the market if continued over that time.1 If and when the effects were discovered, public confidence in the market could well plummet, and economic chaos could result. An open question is the degree of economic loss, chaos, and reduction in public confidence that would make such an attack a use of force. â¢ A cyberattack is aimed at corrupting a manufacturing process. In this scenario, the manufacturing process is altered in such a way that certain flaws are introduced into a product that do not show up on initial acceptance testing but manifest themselves many months later in the form of reduced reliability, oc- casional catastrophic failure, significant insurance losses, and a few deaths. Here, one open question relates to the significance of the effects of the attack, recogniz- ing the âboiling the frogâ phenomenonâa sudden change may be recognized as significant, but a gradual change of the same magnitude may not be. 1 As a demonstration that slowly accumulating error can have large consequences, consider that the Vancouver stock exchange index introduced in 1982 was undervalued by 48 percent 22 months later compared to its âtrueâ valueâthe reported value of the index was 524.881, whereas the correctly calculated value should have been 1009.811. This discrepancy was the result of roundoff error, accumulated over time. See B.D. McCullough and H.D. Vinod, âThe Numerical Reliability of Econometric Software,â Journal of Economic Literature 37(2):633-665, June 1999.
256 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES The question of scale above points to a more general problemâthe inability to distinguish at the point of discovery that a cyberattack is taking place between one that seeks to cause large-scale damage (which would almost certainly constitute an armed attack) and one that seeks to cause only very limited damage (which might constitute a use of force if not an armed attack). The problem of a nation figuring out when a given act that may appear to be hostile isâor is notâa precursor to more serious hostile actions that will create additional damage is not unique to cyberattack, as illustrated by the Tonkin Gulf incident (in which the United States was arguably too quick to see a grave provocation) and Stalinâs refusal to believe reports of Nazi preparations and initial incur- sions in June 1941. Similarly, an airplane penetrating a nationâs airspace without authorization may simply be off course, or it may instead be carrying nuclear weapons with hostile intent. The nation in question has an obligation to try to determine if the airplane represents a true threat, but it surely has a right to shoot down the airplane if it reasonably makes such a determination. The open question is what the nation can do if it is uncertain about the threatening nature of the airplane. Although waiting to see what the attack does is the only certain way to determine the scale and extent of its effects, waiting may not be a viable option for decision makers when they are notified that a cyberattack on their nation is underway. In addition, leaders of a state often wish to cali- brate a response to an attack to be of the same scale as that attackâand if decision makers do not know the scale of the attack, how are they to calibrate a response?17 The scale question also raises the issue of whether there is, or should be, a class of âhostileâ cyber actions (that is, certain kinds of cyberattack) that are recognized as not so immediately destructive as to be clear acts of âuses of forceâ or âarmed attack,â but that nonetheless entitle the target to some measure of immediate real-time responseâcommensurate self- defenseâthat goes beyond just trying to protect the immediate target. (Such a regime might have some counter-escalation effects, because a potential aggressor would not be assured of immunity from a response from its victim.) A regime designed with an overriding priority to discour- age escalation of cyberconflict would not recognize the existence of such a class but rather obligate the target to accept the initial consequences of those hostile cyber actions and respond (whether by force or otherwise) only afterward. 17 Jason Barkham, âInformation Warfare and International Law on the Use of Force,â New York University International Law and Politics 34:57-113, 2001.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 257 188.8.131.52.3â Definition of âThreat of Forceâ Article 2(4) prohibits nations from threatening the use of force. When the coercive instruments are traditional weapons, a threat generally takes the form of âWe will do destructive act X if you do not take action Y (that is, trying to compel the adversary to take action Y) or if you do take action Z (that is, trying to deter the adversary from taking action Z).â â¢ Does a threat to use existing vulnerabilities in an adversary com- puter system or network constitute a threat of the use of force under the UN Charter? Because an existing vulnerability can be used for cyberattack (which can be a use of force) or cyberexploitation (which is not considered a use of force, as discussed in Section 184.108.40.206.5), the answer is not clear. â¢ Does it matter how those vulnerabilities got there? Does introduc- ing vulnerabilities into an adversaryâs system or network constitute a threat of force, especially if they remain unused for the moment? Box 7.5 provides examples illustrating how such questions might arise. 220.127.116.11.4â Distinctions Between Economic Sanctions and Blockades18 Under international law, economic sanctions appear not to constitute a use of force, even if they result in death and destruction on a scale that would have constituted a use of force if they were caused by traditional military forces, although this interpretation is often questioned by the nation targeted by the sanctions. Article 41 of the UN Charter gives the Security Council authority to decide what measures count as ânot involv- ing the use of armed force,â and it explicitly recognizes that measures not involving the use of armed force include the âcomplete or partial inter- ruption of economic relations.â19 In this instance, international law does appear to differentiate between different means used to accomplish the same end. That is, economic sanc- tions and blockades could easily result in similar outcomes, but there are two key differences. First, sanctions are, by definition, a refusal of participating nations to trade with the targeted party, either unilaterally (by virtue of a national choice) or collectively (by virtue of agreement to adhere to UN mandates regarding sanctions). That is, sanctions involve refraining from engaging in a trading relationship that is not obligatory. By contrast, blockades interfere with trade involving any and all parties, 18 See also Jason Barkham, âInformation Warfare and International Law on the Use of Force,â New York University International Law and Politics 34:57-113, 2001, whose analysis roughly parallels the argument of this subsection. 19 See http://www.un.org/aboutun/charter/chapter7.htm.
258 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.5â Threats of ForceâPossible Examples The following examples illustrate possible scenarios that raise questions about the definition of the âthreat of force.â â¢ Zendia introduces cyber vulnerabilities into the critical infrastructure of its adversary Ruritania, but does not take advantage of them. Since Ruritania suffers no ill effects from the fact that its infrastructure now has a number of vulnerabili- ties, no armed attack or even use of force has occurred. Ruritania learns of the Zendian penetration because its cybersecurity experts have detected it technically. Does the Zendian action of introducing cyber vulnerabilities constitute a threat of force against Ruritania? Does it make a difference if these vulnerabilities could be used equally well for cyberexploitation as for cyberattack? Does the possibility that Zendia could take advantage of those agents on a momentâs notice make a cyberattack on Ruritania imminent, and if so, does it justify a Ruritanian strike on Zendia (cyber or otherwise) as an act of anticipatory self-defense? A possibly helpful analogy is that of digging a tunnel underneath a border that terminates underneath a military facility. If Zendia digs such a tunnel under the Zendia-Ruritania border, and Ruritania discovers it, Ruritania may well regard it as a hostile act. But whether the tunnel amounts to an indication of imminent hostilities that would justify a Ruritanian strike on Zendia depends on many other factors. â¢ Zendia discovers cyber vulnerabilities in the critical infrastructure of its adversary Ruritania, but does not take advantage of them. These vulnerabilities are found in software used by both Zendia and Ruritania and supplied by a third-nation vendor. If Zendia notifies Ruritania of these vulnerabilities during a time of tension between the two nations, has Zendia threatened to use force against Ruritania? willing and unwilling. Second, effective economic sanctions generally require coordinated multilateral actions, whereas blockades can be con- ducted unilaterally, though the coordination mechanism may or may not be tied to UN actions.20 From the standpoint of effects-based analysis, traditional LOAC thus has some inconsistencies embedded within it regarding means used for 20 Some economic sanctions can be imposed unilaterally and still be effective. For ex- ample, if the Zendian armed forces use a sophisticated weapons system that was originally produced in the United States, spare parts for that system may only be available from the United States. The United States could unilaterally choose to refrain from selling spare parts for that system to Zendia without violating LOAC, and such an action could have significant effects on the Zendian armed forces as the weapons system deteriorated due to a lack of spare parts. In addition, multilateral sanctions need not necessarily involve the United Na- tions, as demonstrated by the Arab boycott of Israel, the Arab oil embargo of 1973, and the 2008 financial sanctions against Iran.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 259 economic coercion, even if cyberattack is not involved. At the very least, it draws distinctions that are not entirely clear-cut. Accordingly, it is not surprising that such inconsistencies might emerge if cyberattack is used for economic coercion without the immediate loss of life or property. Legal analysts must thus determine the appropriate analogy that should guide national thinking about cyberattacks that result in severe economic dislocation. In particular, are such cyberattacks more like economic sanc- tions or a blockade (or even some form of kinetic attack, such as the min- ing of a harbor)? This question is particularly salient in the context of Internet-enabled commerce. The UN Security Council could decide to impose economic sanctions on a nation in order to compel that nation to follow some directive, and in principle those sanctions can be quite broad and sweep- ing. If a large part of the target nationâs commerce was enabled through international Internet connections, the omission of such commerce from the sanctions regime might be a serious loophole.21 On the other hand, cyberattacks against the target nation might be required to prevent such commerce from taking place in a manner analogous to the UNâs use of naval and air forces to enforce certain past economic sanctions. Box 7.6 provides some scenarios in which the question of the most appropriate analogy arises. One last caveat regarding the economic dimension of cyberattack: It is possible to imagine cyberattack as a tool for pursuing goals related to economic competition and/or economic warfare. It is clear that the laws of armed conflict and the UN Charter prohibit the use of forceâcyber as well as kinetic forceâin pursuit of purely economic or territorial gain. But the legitimacy of cyberattacks that do not constitute a use of force for eco- nomic gain is not entirely clear. (As noted in Section 2.6.2, some nations do conduct espionage for economic purposes (an activity not prohibited by international law), and cyberattack might well be used to conduct espionage. And, as noted in Section 4.2.2, destructive cyberattacks might be used to gain economic advantage.) 18.104.22.168.5â The De Facto Exception for Espionage Espionage is an illegal activity under the domestic laws of virtually all nations, but not under international law. For example, Hays Parks has written: 21 As a practical matter, many of the nations that are subject to sanctions are often not heavily dependent on Internet commerce, or at least they are not today. In addition, sanc- tions are often not generalized but rather are targeted at specific goods such as arms.
260 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.6â Cyberattack as Blockades or Sanctionsâ Possible Examples The following examples illustrate possible scenarios that raise questions about whether to treat a cyberattack as a blockade or an economic sanction. â¢ A continuing cyberattack that effectively disconnects Zendiaâs access to the global Internet, when Zendia is the target of UN economic sanctions. In the modern era, a nationâs economic relations with the outside world may be more dependent on the Internet than a nation was dependent on maritime shipping in the mid-20th century. Should this type of cyberattackâperhaps performed openly by a permanent member of the UN Security Councilâbe regarded as a blockade enforced through electronic means or as the enforcement of economic sanctions? Does it matter if the cyberattack targets only the Zendian connections to the out- side world versus targeting internal communications nodes and routers? â¢ A cyberattack that shuts down a key industry or segment of the armed forces of the targeted nation. Economic sanctions and blockades can be narrowly tailored to affect only certain industries. For example, sanctions and blockades could prevent the sale or distribution of spare parts necessary for the continuing operation of a certain industry. The same is true for spare parts needed to maintain and operate certain weapons systems. But a cyberattack could also have similar effectsâand in particular could be carried out in such a way that the industry or military segment targeted was degraded slowly over time in a manner similar to its degradation due to the lack of spare parts. Thus, this kind of cyberattack could have effects identical to that of either blockades or economic sanctions, though one is regarded as a use of force and the other not. Each nation endeavors to deny intelligence gathering within its territory through domestic laws . . . . Prosecution under domestic law (or the threat thereof) constitutes a form of denial of information rather than the assertion of a per se violation of international law; domestic laws are promulgated in such a way to deny foreign intelligence collection efforts within a nationâs territory without inhibiting that nationâs efforts to col- lect intelligence about other nations. No serious proposal has ever been made within the international community to prohibit intelligence collec- tion as a violation of international law because of the tacit acknowledge- ment by nations that it is important to all, and practiced by each. 22 22 W. Hays Parks, âThe International Law of Intelligence Collection,â pp. 433-434 in National Security Law, John Norton Moore et al., eds., 1990, cited in Roger D. Scott, âTerritorially Intrusive Intelligence Collection and International Law, Air Force Law Review 46:217-226, 1999, available at http://permanent.access.gpo.gov/lps28111/Vol.46 (1999)/ scottfx4.doc.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 261 If this legal approach is accepted, espionage conducted by or through the use of a computerâthat is, cyberexploitationsâis permissible under the LOAC regime, even if techniques are used that could also be used for destructive cyberattack. For example, cyberattacks may be used to disable cybersecurity mechanisms on a computer of interest so that a keystroke monitor can be placed on that computer. Nevertheless, espionage may raise LOAC issues if a clear distinction cannot be drawn between a given act of espionage and the use of force. For example, Roger Scott notes that certain forms of espionageâfor instance involving ships, submarines, or aircraft as the collection platformsâhave indeed been seen as military threats and have been treated as matters of armed aggression permitting a military response rather than domestic crimes demanding a law enforcement response.23 One common thread here appears to be that the collection platform is or appears to be a military assetâa plane, a ship, a submarineâthat could, in principle, conduct kinetic actions against the targeted nation. In all of these cases, the question of intent is central to the targeted nation at the time the potentially hostile platform is detected. Furthermore, the distinction between a cyberattack and a cyberexploitation may be very hard to draw from a technical standpoint, since both start with taking advantage of a vulnerability. â¢ Does the introduction into an adversary system of a software agent with capabilities for both exploitation and destructive action constitute a use of force? It may be relevant to consider as an analogy the insertion into a potential adversary of a human agent skilled both in espionage and in sabotage. â¢ Does the introduction of a remotely reprogrammable software agent into an adversary system constitute a use of force? A possible analogy in this case may be a preplanted mine that can be detonated by remote control from a long distance away. â¢ Does a non-destructive probe of an adversaryâs computer network for intelligence-gathering purposes to support a later cyberattack itself constitute a use of force? (An analogy might be drawn to the act of fly- ing near an adversaryâs borders without violating its airspace in order to trigger radar coverage and then to gather intelligence on the technical operating characteristics of the adversaryâs air defense radars. Though such an act might not be regarded as friendly, it almost certainly does not count as a use of force.) 23 Cited in Roger D. Scott, âTerritorially Intrusive Intelligence Collection and Interna- tional Law, Air Force Law Review 46:217-226, 1999; available at http://permanent.access.gpo. gov/lps28111/Vol.46 (1999)/scottfx4.doc.
262 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES Box 7.7 provides some scenarios in which such questions arise. 22.214.171.124â During Ongoing HostilitiesâApplying Jus in Bello If an armed conflict is ongoing, cyberattacks on any military target (e.g., military command and control systems or an adversaryâs defense industrial base) would satisfy the condition of military necessity. At the same time, the legality of such use would be subject to the jus in bello conditions regarding proportionality, distinction, and so on, just as they would affect decisions involving the use of kinetic weapons in any given instance. Note also that the attack/defense distinctionâcentral to apply- ing jus ad bellumâis not relevant in the midst of armed conflict and in the context of jus in bello. Some of the issues raised by jus in bello for cyberat- tack are described below. 126.96.36.199.1â Proportionality of Military Action The proportionality requirement stipulates that military actions be conducted in a way that the military gain likely from an attack outweighs the collateral damage of that attack. For example, the electric power grid is often discussed as a likely target for cyberattack. In a full-scale nation- wide mobilization, the electric power grid supports a nationâs war effort, and thus it might appear to constitute valid military targets in a conflict. But for an attack on it to be regarded as proportional, a judgment would have to made that the harm to the civilian population from disrupting electrical service was not disproportionate to the military advantage that might ensue from attacking the grid. Several characteristics of cyberattack affect proportionality judgments. â¢ Predicting and understanding the actual outcome of a cyberattack is very intelligence-intensiveâestimates of likely collateral damage and likely intended damage will depend on myriad factors (as discussed in Section 2.3.5). And much of this intelligence will be difficult to obtain, especially on short notice. Thus, the a priori predictions of outcome and actual outcomes will often be highly uncertain. Of course, commanders must proceed even in the face of many uncertainties about the charac- teristics of the target in both kinetic and cyber targeting, and they are not required to take into account outcomes and effects that are known to be very unlikely. But the open question is how commanders should account for uncertainties in outcome that are significantly greater than those usually associated with kinetic attacks in the sense that there may not be an analytic or experiential basis for estimating uncertainties at all. Under such circumstances, how is the proportionality judgment to be
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 263 BOX 7.7â The LOAC Exception for Espionageâ Possible Examples The following examples illustrate possible scenarios that pose questions about whether a given cyber offensive action should be treated as cyberattack or cyberexploitation. â¢ A cyber offensive action introduces a two-part software agent into an adversary system. The software agent is designed with two parts. One part is used for cyberexploitation, monitoring traffic through the system and passing the traffic along to a collection point. A second part is potentially used for cyberat- tack, awaiting an instruction to âdetonate,â at which point it destroys the read-only memory controlling the boot sequence of the machine where it resides. Until the agent detonates, no damage has been caused to the system, and no use of force has occurred. On the other hand, the potential to do damage has been planted, and perhaps the act of planting the agent with a destructive component can be regarded as a threat of force. Under what circumstances, if any, does this offensive action constitute a use of force or the threat of force? The clandestine nature of the agent complicates matters furtherâan essential dimension of âthreatâ is that it must be known to the party being threatened, and there is a strong likelihood that the system owner will not know of the agentâs existence. Still, the owner could discover it on its own, and might well feel threatened after that point. â¢ A cyber offensive action introduces an upgradeable software agent into an adversary system. As introduced, the agent is an agent for cyberexploitation, monitoring traffic through the system and passing it along to a collection point. But through a software upgrade transmitted to the agent by clandestine means, the agent can then take destructive action, such as destroying the read-only memory controlling the boot sequence of the machine where it resides. A similar analysis applies in this instanceâthe agent as introduced does not constitute a use of force, as it has no destructive potential. But it can easily be turned into a destructive agent, and perhaps the act of upgrading the agent with a destructive component can be regarded as a threat of force or an imminent attack. Under what circum- stances, if any, does this offensive action constitute a use of force or the threat of force? â¢ A probe is launched to map an adversaryâs computer network. As such, this operation is a cyberexploitationâit is gathering intelligence on the network. Such an attack causes no damage to the network but provides the attacker with valuable information that can be used to support a subsequent cyberattack. made? What is clearly the wrong way to account for such uncertainties is to ignore them. Although it is a natural human tendency to ignore factors whose significance is unknown, in practice such behavior amounts to assigning zero weight to them. â¢ Because the outcome of a cyberattack may depend on very small details known only to the party attacked, such parties may have greater
264 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES opportunity to claim collateral damage from a cyberattack when in fact no such damage occurred. And the attacking party might well have a dif- ficult time refuting such claims, even if it were willing to divulge details about the precise nature of the cyberattack in question. So, for example, a cyberattack against an air defense network might lead to claims that the attack also shut down electric power to a hospital. The possibility of false claims exists with kinetic attacks as well, but claims about collateral damage from a cyberattack are likely to be even more difficult to refute. â¢ The damage assessment of a cyberattack necessarily includes indi- rect as well as direct effects, just as it does when kinetic weapons are involved. These indirect effects, if they relate to effects on civilians, count in the proportionality judgment. Thus, for example, if a cyberattack to dis- able a dual-use telephone switching station for several hours is contem- plated, the fact that medical patient lives may be lost because the station serves a hospital must be factored into the judgment about whether the attack meets the proportionality requirement if such an outcome can be reasonably foreseen. â¢ Some cyberattacks are potentially reversible. To the extent that the damage caused is reversible, a lesser amount of collateral damage should also be expected, and thus the calculation of weighing the military utility against collateral damage of a given cyberattack will be tilted more in favor of proceeding rather than refraining from the attackâthat is, revers- ibility will make the action more likely to be proportional, and could result in a cyberattack being preferred to a kinetic attack with all else being equal. (Indeed, even if the military effect is somewhat less, there may still be a LOAC obligation to use the less damaging cyberweapon if the collateral damage would be substantially lower.) As an example, consider an electric power grid that serves both military and civilian purposes. The grid could be a legitimate military target, even if the civilian use is extensive, as long as the military use is very important to the enemyâs war effort. If the gridâs control centers are bombed, it may take a very long time to restore service when the war is over, but if they can be shut down by cyberattacks, it may be possible to restore service much more quickly. The military gain is achieved even by a short-term disruption (at least if the cyberattack can be repeated as needed), while in terms of impact on the civilian population there is a big difference between a loss extending for a few weeks or even longer during hostilities and one stretching long into the postconflict reconstruction phase.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 265 188.8.131.52.2â Distinctions Between Military, Civilian, and Dual-Purpose Assets Under traditional LOAC jus in bello, only a nationâs military forces are allowed to engage in armed hostilities with another nation. In addition, a nation is entitled to attack combatants but must refrain from attacking non-combatants as long as the latter avoid any participation in the con- flict. Cyberattacks raise a number of questions in this context: â¢ Does compromising the computers of non-combatants violate pro- hibitions against attacking non-combatants? â¢ Under what circumstances does a cyberattack on national infra- structure that affects both civilian and military assets constitute a LOAC violation? â¢ What responsibilities does a nation have to separate civilian and military computer systems and networks? â¢ Must military computer systems and networks be made identifi- able as such to a potential attacker if a nation is to claim immunity for civilian systems and networks? Box 7.8 provides some possible scenarios in which such questions arise. 184.108.40.206.3â Distinctions Between Military and Civilian Personnel The LOAC principle of distinction also confers different rights and responsibilities on combatants and non-combatants. Combatants are the only parties who are entitled to use force against the enemy. Combatants must also be trained in the law of war, serve under effective discipline, and be under the command of officers responsible for their conduct. 24 Whenever they are engaged in combat operations (and subject to the permissibility of employing a legitimate ruse de guerre), they must be identifiable (usually by carrying arms openly and wearing a distinctive uniform) as combatants. Lawful combatants captured by the enemy may not be punished for their combatant acts so long as they complied with the law of war; must be treated in accordance with agreed standards for the treatment of prisoners of war; and must be released promptly at the cessation of hostilities. The enemy is also entitled to target lawful combatants deliberately. Non-combatants have an affirmative duty to 24 Put differently, accountability mechanisms under LOAC are established through the doctrine of superior orders (i.e., someone higher in the chain of command has responsibility for the known or likely actions of someone lower in the chain of command) and the obliga- tion to disobey manifestly illegal orders (someone lower in the chain of command has an obligation to obey lawful orders and a concomitant obligation to refuse to obey orders that are outside the scope of international standards).
266 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.8â Ambiguities Raised by Cyberattack Against Dual-Purpose AssetsâPossible Examples The following examples illustrate possible scenarios that raise questions re- lated to attacks on dual-purpose assets. â¢ A cyberattack can be routed to its ultimate target through intermediary computers. If the United States wishes to conduct a cyberattack on Zendia, it may wish to route its attack through the personal computers owned and operated by Zendian citizens. (For example, a botnet used to attack Zendia may well use such computers.) Does the compromise of the Zendian citizen computers constitute an âattackâ on Zendian citizens? One important point is that not all actions that harm the Zendian citizens constitute an attack for LOAC purposes. In the case of a personal computer being compromised for launching a cyberattack against Zendia, the harm to its Zendian owner is minimal, because that computer is likely just as useful to its owner as before. Even if it is not, it is hard to imagine that the owner might die as a result of the compromised computer, or even that the property damage suffered is signifi- cant, and, on the assumption that the attack has a proper military objective, any damage to civilian interests would be acceptable as collateral damage. On the other hand, if the cyberattack was deemed to be a use of force or an armed attack against Zendia, the compromise of Zendian citizen computers to prosecute the attack might be regarded in the same veinâthus making the attacker responsible for attacking civilians. In addition, the Zendian government might well take action against Zendian citizens, with unknown consequences for them (and possibly implicating human rights law, as discussed in Section 7.2.5). â¢ A cyberattack can be directed against dual-use assets with both civilian and military uses. Traditional LOAC allows attacks on dual-use targets if the condi- tions of military necessity, proportionality, distinction, and discrimination are met. The principle of distinction requires that the attacker distinguish between military and civilian targets and refrain from attacking the latter. In traditional armed conflict, a combination of visual identification and geog- raphy often suffices to identify a valid military targetâfor example, a tank is easily refrain from participating in combatant activities, and are legally immune from deliberate targeting;25 non-combatants who engage in combatant activities are subject both to military action and, if captured, to criminal prosecution. Today, there is a growing dependence of the modern military on 25 Note, however, that the systems used to launch cyberattacks are legitimate military targets, and civilians who qualify for the narrow category of âcivilians accompanying the armed forcesâ (presumably those who operate and maintain those systems)âeven if they do not actually press the button that launches a cyberattackâare both eligible for prisoner- of-war status and also legitimate military targets for the enemy.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 267 recognizable as a military vehicle and, if it is located behind enemy lines, can reasonably be presumed to be an enemy vehicle. But a computer is not so easily recognized, as both its functionality and geographic location are often not easily available to a would-be attacker. For example, the commingling of civilian and military communications chan- nels on media such as the Internet or the public switched telephone network might provide an adversary with a plausible military rationale for attacking facilities associated with these media. Moreover, given that civilian and military computer systems can be difficult to distinguish, a question arises as to whether a nation that does not provide machine-readable indications of a computerâs status (military or civilian) would have the right to challenge the legality of a cyberattack that dam- aged or destroyed a civilian computer. â¢ A large-scale cyberattack can be directed against (elements of) the critical infrastructure of a nation. As noted earlier, restraints on the use of biological and chemical weapons exist in part because they are inherently non-Âdiscriminating weapons. Although there is no specific ban on the use of non-discriminating weap- ons per se, the proportionality requirement means that the military value of a given attack must be weighed against collateral damage. LOAC requires military forces to refrain from using a non-discriminating weapon when a more discriminating weapon would be equally effective, and also to refrain from attacking a military target when the only available means to do so is likely to cause disproportionate civilian damage. In a cyberattack context, this prohibition appears likely to apply to attacks that cannot be limited to specific (military) targets. Thus, a computer network attack based on the Morris worm, for example, might be prohibited, because its effects were wholly indiscriminate and no effort was made to discriminate between ap- propriate and inappropriate targets. The open question is whether the harm caused to civilians rises to a level that qualifies as disproportionate. Mere inconveniences would not, but death on a large scale would. In between are cases such as the inability to conduct financial transactions electronically, periodic interruptions in electrical power, major disruptions in travel and transportation schedules, and outages in communications capability. civilians and civilian-provided services and expertise that blurs tradi- tional distinctions between military and civilian activity and personnel. As a legal matter, civilians formally attached to the armed forces (e.g., as contractors) are entitled to some of the privileges of combatants (such as prisoner-of-war status if captured). Civilians engaged in self-help activi- ties (which might resemble combatant activities) are subject to the regular criminal laws. In light of the often-specialized expertise needed to launch computer network attacks (expertise that may be provided by civilians), an impor- tant question is thus raised about what it means to âlaunchâ an attack or
268 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.9â Drawing the LOAC Line for Civilian Immunityâ Possible Examples In a war involving the United States, civilians working in a U.S. munitions plant are likely not to enjoy LOAC protection from attack, as they are making a direct contribution to the U.S. war effort. In a cyber context, one can imagine several gradations of civilian involvement in launching a cyberattack, and where the line of LOAC protection should be drawn is an open question. That is, in which of the following scenarios is the civilian entitled to LOAC protection? â¢ civilian posts a vulnerability notice for the open source Linux operating A system that a U.S. cyberattack exploits. â¢ civilian contractor for the DOD identifies the presence of this vulner- A ability on a Zendian system. â¢ civilian exploits the vulnerability by introducing a hostile agent into the A Zendian system that does not damage it but that can be directed to cause damage at a subsequent time. â¢ civilian dictates to a military officer the precise set of commands needed A to activate the hostile agent. to âuse force against an enemy.â26 Box 7.9 describes a possible continuum of civilian involvement in cyberattack. In addition, the instruments of cyberattackâcyberweaponsâare eas- ily available to private groups and individuals as well as governments, thus raising the possibility that private groups and individuals could join a conflict nominally prosecuted between nation-states. This point is further discussed in Section 220.127.116.11 below. 18.104.22.168.4â Neutrality in a Cyberattack A cyberattack that is conducted at a distance, especially one con- ducted over the Internet, is likely to involve message traffic that physi- cally transits a number of different nations. A cyberattack on Zendia initiated by the U.S. government may first be transmitted to Ruritania and then to Armpitia and finally to Zendia. Moreover, it is entirely possible, likely even, that neither Ruritania nor Armpitia would be aware of the fact that they were carrying attack traffic at all. 26 Such a question applies in many other contexts, such as civilians flying missile-armed drones remotely, designing nuclear weapons, or working in an ammunition or uniform- making factory.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 269 â¢ Given that a computer of military significance can be located any- where in the world, under what circumstancesâif anyâis it entitled to protection under LOAC provisions for neutrality? â¢ What, if any, are the obligations of neutral nations to prevent cyber- attacks from emanating from their territory? (âEmanating from Xâ means that X is an intermediate node in the attack pathway.) â¢ What, if any, are the obligations of belligerents to avoid routing cyberattacks through the computers of neutral nations? Box 7.10 provides some scenarios in which such questions arise. A paper by George Walker addresses some of the issues that arise in scenarios similar to those described in Box 7.10.27 Walker notes that legal guidance regarding information warfare (cyberattack) and neutrality will have to be found by analogy to existing international law, since existing law on neutrality does not address issues related to cyberwarfare. He argues that some LOAC principles, such as those related to telegraphy, will apply to Internet messages and more conventional communications, and further that there are many principlesâprimarily in the law of naval warfare but also some from the law of land and air warfareâthat may be cited by analogy in cyberwarfare involving neutrals. His reasoning is based on the premise that aerial warfare and especially naval warfare are conducted in âfluidâ mediums, much like the Internetâs electronic path- ways that are, like the high seas, no nationâs property. He also points to a relatively well-developed set of rules or general principles in the law of the sea, the law of naval warfare, and the law of air warfare, from which useful analogies for information warfare may be drawn. As an example of a useful analogy from the law of naval warfare, Walker suggests that a nation aggrieved by cyberattacks should have the right to take such actions as are necessary in the territory of a neutral that is unable (or perhaps unwilling) to counter enemy cyberattacks making unlawful use of that territory. A contrary conclusion might be drawn by an analogy to telephone and telegraph communications as they were handled in the Hague Conven- tion of 1907. Section 5, Article 8 of that convention stipulates that a neutral nation need not âforbid or restrict the use on behalf of the belligerents of telegraph or telephone cables or of wireless telegraphy apparatus belonging to it or to companies or private individuals.â28 If there is no obligation of the neutral to stop the transit, there is no right of the belligerents to act against the transit. If the analogy between telegraph/telephone communications 27 George K. Walker, âInformation Warfare and Neutrality,â Vanderbilt Journal of Trans- national Law 33(5):1079-1200, November 2000. 28 See http://avalon.law.yale.edu/20th_century/hague05.asp#art5.
270 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.10â Cyberattack and NeutralityâPossible Examples The following examples illustrate possible scenarios that raise questions related to neutrality in a cyberattack context. â¢ A cyberattack is launched against Zendia that requires transit through Ruritania, a declared neutral nation. In this instance, the open question is whether the transiting of a cyberattack is more like an overflight by military airplanes (in which case the intermediate nation has an obligation to stop such overflights or allow the other belligerent to do so) or more like the use of telephone and telegraph cables that are provided impartially to both sides (in which case the 1907 Hague Convention explicitly states that the intermediate nation is not obligated to prevent such use).1 â¢ During conflict between the United States and Zendia, a U.S. cyberat- tack is launched on a computer controlling production in a Zendian defense plant. However, the computer itself is located in Ruritania, a declared neutral nation that provides computerized production control services to any nation willing to pay for them. A question arises because the effects of attacking a given computer may not be felt at all in the immediate geographic vicinity of the computer, thus raising the question of which geographic location is relevant to the determination of legitimacy for attack. That is, is the computer operating in Ruritania a valid military target? â¢ A cyberattack is launched against the United States by an unknown party that depends on the use of compromised computers belonging to citizens and companies of Ruritania, a declared neutral nation. Under the doctrine of âself- d Â efense in neutral territory,â Ruritania must take action that eliminates the threat (in this case, the cyberattack) emanating from its territory,2 allow or assist the United States to do so itself, or possibly face the consequences of a response from the United States. Complications arise regarding the sequencing of a self-defense response, because in the time that it takes to make a determination that Ruritania is unwilling or unable to stop the cyberattack, the damage to the United States may have been done, or the opportunity for an effective self-defense response lost. 1 Note an interesting side effect of a policy decision to avoid routing through neutral nations. If U.S. policy required avoidance of routing through neutrals, and if a target nation knew that policy, then said target could effectively shield itself from U.S. cyber operations by peering only with neutrals. 2 At the very least, such action would require the government of the putatively neutral nation to have the legal standing to stop such behavior and to demonstrate some plausible degree of cooperation in doing so. and packet-switched Internet communications is valid (in both cases, the country transited has no real way of knowing the ultimate destination of transiting messages, and selective interference with the communications of belligerents is not practical), an analyst might conclude that belligerents do not have the right to interfere with nodes located in the neutral nation.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 271 22.214.171.124.5â Covert Action Covert action is statutorily defined in the United States as âan activ- ity or activities of the United States Government to influence political, economic, or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publicly.â29 As discussed in Section 7.3.1, U.S. domestic law addresses agency responsibilities within the U.S. governmentâcovert action is the responsibility of the intelligence agencies, whereas military activities are the responsibility of the Department of Defense. At the same time, international law is not sensitive to which agencies of a given government take action. This fact has at least two implications. First, jus ad bellum and the UN Charter apply to covert actionâand an action with a scale of effect that would constitute a use of force or an armed attack if performed by U.S. military forces would be regarded in the same way even if it were designated as covert action by the President of the United States. Second, jus in bello would apply to any U.S. covert action involving the use of cyberattack during armed conflict. 126.96.36.199.6â An Operational NoteâJus in Bello in Practice U.S. military commanders undergo formal training in the laws of armed conflict so that they can appropriately direct their forces during combat. In most cases, senior commanders have the assistance of lawyers who can and do review a proposed course of action (such as an air tasking order) for LOAC compliance. Operating under combat conditions, commanders with significant experience in a particular kind of situation and with particular weapons have a good intuition for the outcome of a legal review of a proposed course of action. A LOAC review may result in adjusting the parameters of an attack at the margins, but the outcome of the review is largely a given (that is, the proposed action will be allowed) because the com- mander with a certain amount of accumulated experience is unlikely to propose a course of action that is far outside the boundaries of what a legal review would allow. Under such circumstances (that is, in a kinetic war), the LOAC review process can be expedited if and when the com- mander and the lawyers have both internalized the same general outline of what is and is not allowable under their shared legal paradigm. But when there is little or no experience on which to draw, the con- gruence between the course of action proposed by commanders and what 29 50 USC 413b(e). See also Joint Explanatory Statement of the Committee of Confer- ence, H.R. 1455, July 25, 1991, Intelligence Authorization Act of FY 1991.
272 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES the lawyers would say is more likely to break down. This is particularly relevant if cyberweaponsâwhich have been used much less often in com- bat compared to kinetic weaponsâare to be used. Today, relatively few commanders have substantial experience with cyberattack, and relatively few military lawyers have experience in rendering LOAC judgments about cyberattack (and lawyers are often reluctant to set new precedents in practice). Thus, where cyberattack is concerned, it is less likely that commanders and lawyers will have internalized similar boundaries of what is and is not acceptable. One important consequence of this state of affairs is that one might expect LOAC review of cyberattack plans to be more challenging than review of kinetic attack plans. Consistent with this point, James Miller, former deputy assistant secretary of defense for requirements, plans and counterproliferation reported to the committee that because of the potential for unintended effects in cyber networks and sensitivity to the vulnerability of U.S. networks as well as the precedent-setting nature of decisions, LOAC review for cyber operations in Kosovo was indeed very challenging. 188.8.131.52â A Summary of Applying LOAC to Cyberattack During acknowledged armed conflict (notably when kinetic and other means are also being used against the same target nation), cyberattack is governed by all the standard LOAC criteria of jus in belloâmilitary neces- sity, proportionality, distinction, and so on, although the legal analysis in any given situation involving cyberattack may be more uncertain because of its novelty relative to kinetic weapons. In other cases (that is, in less than acknowledged armed conflict), the legal status of a cyberattack is judged primarily by its effects, regardless of the means, according to the criteria of jus ad bellum and of the Charter of the United Nations. Therefore, if the effects (including both direct and indirect effects) to be produced by a cyberattack would, if produced by other means, constitute an armed attack in the sense of Article 51 of the UN Charter, it is likely that such a cyberattack would be treated as an armed attack. Similarly, if a cyberattack had the same effects and was otherwise similar to governmentally initiated coercive/harmful actions that are traditionally and generally not treated as the âuse of forceâ (e.g., economic sanctions, espionage, or covert actions such as planting infor- mation or influencing elections), such a cyberattack would likely not be regarded as an action justifying a use of force in response.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 273 7.2.3â International Law and Non-state Actors International law binds nations, and only in exceptional cases binds non-state actors such as corporations, individuals, or terrorist groups. However, there are both domestic and international legal doctrines that restrict, and in most cases prohibit, non-state actors from actions that would be international use of force if undertaken by nation-states, and nations do have obligations in some circumstances to prevent these actors from acting in such ways that violate international law.30 184.108.40.206â International Law and Non-state ActorsâTerrorists Traditional LOAC emerged from the need to regulate nation-to-nation conflict between national military forces. But other forms of conflict in the 1990s and 2000s (such as terrorism) have blurred many of the distinctions between the LOAC and domestic law enforcement. In such instances, both military and civilian dimensions are relevant and raise questions about the applicability of LOAC and law enforcement approaches.31 The difficulties arising are hard enough to resolve when the aggressive act is a tangible actionâthat is, the use of deadly force to harm persons or destroy property. But they are compounded when the aggressive act is in cyberspace and its harm can only be assessed by con- sequences that are not fully knowable except with the passage of time. These issues come to the fore in an international security environ- ment involving subnational groups and non-state actors. In this new 30 Even prior to the September 11, 2001, attacks on the United States, a nation-state was responsible for the acts of private groups inside its territory over which it exercised âeffective control.â (See, for example, Article 8 of the ILC (International Law Commission) State Responsibility Articles, available at http://untreaty.un.org/ilc/texts/instruments/ english/commentaries/9_6_2001.pdf, pp. 47 ff; and the ICJ (International Court of Justice) Nicaragua decision (arguing for âeffective controlâ) and the ICTY (International Criminal Tribunal for Yugoslavia) Tadic decision (arguing for âoverall controlâ).) In the aftermath of those attacks, the United States took the position that the mere harboring of these actors, even in the absence of control over them, suffices to make the state where the terrorists are located responsible for their actions (UN Security Council, âLetter Dated 7 October 2001 From the Permanent Representative of the United States of America to the United Nations Addressed to the President of the Security Council,â UN Doc. No. S/2001/946 (2001)), and many parts of the international community, including the UN Security Council, concurred with this position (see Derek Jinks, âState Responsibility for the Acts of Private Armed Groups,â Chicago Journal of International Law 4(1):83-96, Spring 2003). 31 Human rights advocates sometimes assert that human rights law also applies even when LOAC applies. Although this assertion is categorically rejected by the U.S. govern- ment, the political reality is that this argument is likely to resonate with some outside ob- servers and thereby raise the level of world scrutiny for all U.S. uses of military force, thus adding to the political pressures on the United States in a crisis.
274 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES environment, questions have arisen as to whether terrorists are subject to LOAC, to criminal law, or to some other body of law that has yet to be established. Although the Supreme Court held that common Article 3 of the 1949 Geneva Conventions applied to the conflict against Al Qaeda and the Taliban authorized by Congress on September 14, 2001 (Hamdan v. Rumsfeld), it is generally fair to say that the details of how LOAC does and does not apply in a conflict with terrorists are far less developed and clear than in a conflict between nation-states. Nevertheless, a number of practical considerations arise in dealing with non-state actors given that these actors (call them terrorists for now) will almost surely be operating from the territory of some nation-state. Therefore, any action taken against them may raise issues about violating the sovereignty of that nation and its rights and obligations with respect to terrorist operations from or through its territory. All of the above issues apply in contemplating cyberattacks as they might be conducted by terrorists. Cyberattack weapons are inexpensive and easily available but may have the potential to cause widespread damage and destruction, characteristics that may make such weapons attractive to terrorists. The important question is whether, when, and why a cyberattack by a non-state actor should be treated primarily as a law enforcement matter, a national security matter, or a mix of the two. (The first manifestations of a cyberattack are likely to require investigation to determine its source. But once such a determination has been made, this threshold question will inevitably arise.) One relevant question in making such a determination is whether the attack has serious enough consequences (death or destruction) that it would qualify as a use of force or an armed attack on the United States had it been carried out with kinetic means. A second question concerns the geographic origin of the attack. A third question may be the nature of the party responsible for the attack (e.g., national government, ter- rorist group). As a factual matter, none of these pieces of information may be known at the time the attack becomes known (as discussed in Section 2.4.1 on tactical warning and attack assessment); nevertheless, these questions will be prominent in the minds of senior decision makers because the answers may have profound implications for the legitimacy of a response. If and when the geographic origin of the attack becomes known (call it Zendia), Zendia may have one of several stances toward cooperation with the United States. At one extreme, Zendia may cooperate fully with the United States in stopping the attack emanating from its soil, where full cooperation can mean anything from placing Zendian law enforcement
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 275 and security services at U.S. disposal to giving permission for the United States to act as it sees fit in its response to the attack. At the other extreme, Zendia may simply refuse outright any and all U.S. requests for assistance and cooperation. And Zendiaâs cooperation may fall onto any point along this spectrum, raising a variety of legal and policy issues. For example: â¢ Even if Zendia wishes to cooperate fully, it may not have the legal authority to address the hostile activity in question. That is, the activity may not violate any Zendian law. If Zendia is a signatory to the Cyber- crime Convention, it is obligated to extend such cooperation if the cyber activity emanating from Zendian soil is considered a criminal matter under Zendian law. Nevertheless, not all nations are signatories to the convention, and the convention itself is oriented toward a law enforce- ment approach (that is, investigation, arrest, prosecution, and legal due process) that is often too slow given how rapidly a cyberattack can unfold. Finally, âpermissionâ can be ambiguous, as in those instances when there is some doubt or question about who speaks for the âlegitimateâ govern- ment of Zendia. â¢ If Zendia explicitly refuses to cooperate, the United States could assert the right of self-defense in neutral territory discussed in Section 220.127.116.11. To be sure, such a decision would be a policy decision and would depend on a host of factors such the scope and nature of the proposed U.S. action, whether Zendia is capable of resisting unilateral U.S. actions taken in response, and other areas of U.S.-Zendian cooperation or contention. (For example, if Zendia has nuclear weapons capable of reaching U.S. targets, the decision-making calculus for policy may change considerably though the legal issues do not.) â¢ Perhaps the most problematic response is a posture of limited, grudging, or excessively slow Zendian cooperation, or words that indicate cooperation but are unaccompanied by matching actions. For example, permission for the United States to undertake various actions might be slow in being granted, or unduly circumscribed in a way that impeded further investigation or action; information provided to the United States might be incomplete. Under these circumstances, the Zendian response could conceivably take a very long time and would be unlikely to be fully satisfactory to the United States. Yet even if the response is inadequate for U.S. purposes, it might still be enough to sway the court of world opinion against an aggressive U.S. response and perhaps even to forestall it. Even though a deliberate stalling is probably equivalent to an outright refusal to cooperate, making the determination that Zendia is being delib- erately uncooperative may be problematic in the absence of an explicit statement.
276 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES 18.104.22.168â International Law and Non-state ActorsâMultinational Corporations Barkham32 notes that many multinational corporations exercise power and influence that at times rivals those of small nation-states. Interna- tional law (including LOAC) also does not directly constrain the actions of such corporations to any significant extent. On the other hand, they are subject to the laws of those nations in which they have a presence, and sometimes those laws result from government-to-government agreements (of which the Convention on Cybercrime (discussed below in Section 7.2.4) is an example). Of significance to this report is the fact that certain multinational cor- porations will have both expertise and resources to launch cyberattacks of a significant scale should they choose to do so. If they did, such mul- tinational corporations might threaten cyberattacks against weak nation- states to gain concessions or launch cyberattacks against economic com- petitors to place them at a competitive disadvantage (e.g., by disrupting production). 22.214.171.124â International Law and Non-state ActorsâPatriotic Hackers LOAC presumes that armed conflict is initiated only at the direc- tion of government, only by its authorized military agents, and specifi- cally not by private groups or individuals. Thus, governments maintain armed forces to participate in armed conflict, under the governmentâs direction. But in the Internet era, another type of non-state actor that compli- cates the legal landscape for cyberattack is the âhacktivistâ or patriotic hacker. During times of conflict (or even tension) with another nation, some members of a nationâs citizenry may be motivated to support their countryâs war effort or political stance by taking direct action (Box 7.11). Hacktivists or patriotic hackers are private citizens with some skills in the use of cyberattack weapons, and they may well launch cyberattacks on the adversary nation on their own initiative, that is, without the blessing and not under the direction or control of the government of their nation. Apart from their possible operational interference with other, govern- ment-authorized actions, the actions of these patriotic hackers may greatly complicate the conduct of diplomatic action. For example, if Zendian patriotic hackers launch cyberattacks against the United States, the United States is entitled to respond as though the Zendian government were 32 Jason Barkham, âInformation Warfare and International Law on the Use of Force,â New York University International Law and Politics 34:57-113, 2001.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 277 responsible. Whether it should do so is a policy question.33 What if the patriotic hackers are part of the Zendian diaspora and are located in ter- ritories other than Zendia? What actions should the United States take to respond to Zendian patriotic hackers if the Zendian government says in response to a U.S. inquiry, âWe do not endorse or encourage these attacks by our citizens, but at the same time, they are not doing anything that we have the ability (or perhaps the legal authority) to stop, so the best thing for you to do is to cease your aggressive actions against Zendia.â? Note the similarity of this situation involving Zendian patriotic hackers to the situation discussed in Section 126.96.36.199 involving cyberterrorists operating from Zendian soil. As noted in Section 188.8.131.52, states likely have affirmative obligations to refrain from harboring perpetrators of terrorist attacks. To the extent that Zendia supports patriotic hackers in their activities, other nations targeted by these parties may have a legitimate complaint to bring forward in an appropriate international tribunal by asserting that Zendia is indeed har- boring perpetrators of terrorist activityâindeed, these other nations may well be entitled to invoke inherent rights of self-defense consistent with Article 51. One significant question in this regard is whether a failure to suppress the activities of patriotic hackers should count as support for them. 7.2.4â The Convention on Cybercrime The Convention on Cybercrime commits signatories to the adoption of âa common criminal policy aimed at the protection of society against cyber- crime . . . by adopting appropriate legislation and fostering international co-operation.â34 The convention establishes a common minimum standard of relevant offenses to be applied at the national level in several areas. Five criminal offenses are specifically defined to protect the confidentiality, integrity, and availability of computer data and systems, namely: â¢ Illegal accessâintentional access to the whole or any part of a com- puter system without right, where the offence may be considered to have 33 As a precedent, the International Court of Justice held in the 1980 U.S. v. Iran case that the actions of a stateâs citizens can be attributed to the government if the citizens âacted on behalf on [sic] the State, having been charged by some competent organ of the Iranian State to carry out a specific operation.â Further, the court found that the Iranian government was responsible because it was aware of its obligations under [international law] to protect the U.S. embassy and its staff, was aware of the embassyâs need for help, had the means to assist the embassy, and failed to comply with its obligations. See United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), 1980 I.C.J. 3, 29 (May 24). Cited in Barkham, 2001. 34 Council of Europe, Convention on Cybercrime, November 23, 2001.
278 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES BOX 7.11â Hacktivism During International Conflict and Tension A number of incidents of privately undertaken cyberattacks have been publicized: â¢ Immediately after the start of the second intifada in Israel in late Septem- ber 2000, Palestinian and Israeli hackers conducted a variety of cyberattacks on each otherâs national web presences on the Internet.1 â¢ In the aftermath of the early 2001 incident between the United States and China in which a U.S. EP-3 reconnaissance aircraft collided with a Chinese F-8 interceptor, both Chinese and U.S. hackers attacked the web presence of the other nation. In both cases, attacks were aimed mostly at website defacement and denial of service.2 â¢ In the wake of the May 1999 bombing by the United States of the Chinese embassy in Belgrade, the U.S. National Infrastructure Protection Center issued an advisory (NIPC Advisory 99-007) noting âmultiple reports of recent hacking and cyber activity directed at U.S. government computer networks, in response to the accidental bombing of the Chinese embassy in Belgrade. . . . Reported activity include[d] replacing official web pages with protest material and offensive language, posting similar language in chat rooms and news groups, and denial of service e-mail attacks.â3 â¢ American hackers have been known to attack jihadist websites. For ex- ample, an American was reported by Wired to have hijacked www.alneda.com, a widely used website for jihadist recruitment.4 His motive for doing so was said to be a decision made after the September 11 attacks: âI was going to use every skill I had to screw up the terroristsâ communication in any way I could.â occurred if security measures are infringed with the intent of obtaining computer data or other dishonest intent or where computer systems are networked. â¢ Illegal interceptionâintentional interception without right, made by technical means, of non-public transmissions of computer data to, from, or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. â¢ Data interferenceâintentional damage, deletion, deterioration, alteration, or suppression of computer data without right. â¢ System interferenceâintentional serious hindering without right of the functioning of a computer system by inputting, transmitting, damag- ing, deleting, deteriorating, altering, or suppressing computer data. â¢ Misuse of devicesâintentional production, sale, procurement for use, import, distribution, or possession of a computer password, access code, or device, including a computer program, designed or adapted primarily for the purpose of committing any of the other four offenses.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 279 â¢ Russian hackers are widely reported to have been responsible for the cy- berattacks on Estonia in 2007 (see Box 3.4 in Chapter 3) and Georgia in 2008.5 Allen and Demchak generalize from experiences such as these to predict that future conflicts between nations may involve: â¢ Spontaneous attack action in cyberspace by âpatriotsâ on each side. â¢ Rapid escalation of their actions to a broad range of targets on the other side. Allen and Demchak posit that because âhacktivistsâ are interested in making a statement, they will simply attack sites until they find vulnerable ones. â¢ Involvement of sympathetic individuals from other nations supporting the primary antagonists. 1 Associated Press, âCyberwar Also Rages in Mideast,â October 26, 2000, available at http://www.wired.com/politics/law/news/2000/10/39766. 2 Michelle Delio, âA Chinese Call to Hack U.S.,â Wired, April 11, 2001, available at http://www. wired.com/news/politics/0,1283,42982,00.html. 3 See NIPC Advisory 99-007, available at http://www.merit.edu/mail.archives/netsec/1999- 05/msg00013.html. 4 Patrick Di Justo, âHow Al-Qaida Site Was Hijacked,â Wired, August 10, 2002, available at http://www.wired.com/culture/lifestyle/news/2002/08/54455. 5 âExpert: Cyber-attacks on Georgia Websites Tied to Mob, Russian Government,â Los Ange- les Times, August 13, 2008, available at http://latimesblogs.latimes.com/technology/2008/08/ experts-debate.html. SOURCE: Adapted largely from Patrick D. Allen and Chris C. Demchak, âThe Palestinian-Israel: Cyberwar,â Military Review 83(2), March-April 2003. Criminal possession may be defined as the possession of a number of such devices. No criminal liability is imposed where the intent is for reasons other than to commit any of the other four offenses. The Convention on Cybercrime also identifies a number of ordinary crimes that are often committed through the use of computer systems, including forgery and fraud. The convention defines a computer system to be âany device or a group of interconnected or related devices, one or more of which, pursu- ant to a program, performs automatic processing of data.â Computer data is defined to be âany representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function.â The convention calls for signatories to adopt domestic laws that crimi- nalize the above offenses, to provide domestic law enforcement agen- cies with the authorities and powers necessary for the investigation and
280 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES prosecution of such offenses (as well as other offenses committed using a computer system), and to establish an effective regime of international co- operation, including provisions for extradition and mutual law enforce- ment assistance. Notably, the convention does not establish espionage as an act that violates international law. As of December 21, 2007, 43 nations had signed the Convention on Cybercrime, of which 21 have ratified it.35 The U.S. Senate ratified the convention in August 2006 and took the view that prior U.S. legislation provided for all that the convention required of the United States. Many but not all European nations have also ratified the treaty. The convention is significant to the extent that it commits the parties to regard the commission of the various listed offenses as matters that are actionable for the law enforcement authorities of the nation in whose jurisdiction the offenses were committed. (The convention is silent on what actions may be taken by the nation of the victim of such offenses.) That is, if these offenses are committed within the jurisdiction of a signa- tory nation, that nation is obligated to respond to them as criminal actsâ and in particular is required to establish mechanisms for law enforcement cooperation to investigate and prosecute these acts should they occur. Thus, if a cyberattack is launched on the United States in a way that involves another signatory to the Convention on Cybercrime, that nation is obligated to cooperate with the United States in trying to identify the perpetrator. Of course, not all of the nations of the world have signed on to the Convention on Cybercrime, and a nationâs prosecution of cybercriminals and/or its cooperation with an attacked state may be less than zealous. Indeed, the convention also allows a signatory to refuse to provide assis- tance if the request for assistance concerns an offense that the signatory considers a political offense or if carrying out the request is likely to preju- dice the signatoryâs sovereignty, security, public order, or other essential interests.36 The signatory may also postpone action on a request if such action would prejudice criminal investigations or proceedings conducted by its authorities.37 In short, a signatory nation may decline to cooperate with its obliga- tions under the convention on fairly broad grounds, and the convention lacks an enforcement mechanism to assure that signatories will indeed cooperate in accordance with their obligations. Even in the case of a fully cooperative nation, it may still take a long time to identify a perpetrator 35 See http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM= 8&DF=&CL=ENG. 36 Council of Europe, Convention on Cybercrime, Article 27(4). 37 Council of Europe, Convention on Cybercrime, Article 27(5).
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 281 and to use legal means to shut down his/her/its criminal cyber activity. Thus, the Convention on Cybercrime would appear to have limited util- ity in addressing hostile cyberattacks on a prompt time scale, and none at all if a nation refuses to cooperate on any of the broad grounds described above. 7.2.5â Human Rights Law Human rights are restraints on the actions of governments with respect to the people under their jurisdiction. They can be national in origin (i.e., the civil and political rights under the U.S. Constitution), they may be contained in an international human rights treaty (i.e., the Con- vention on the Elimination of Discrimination Against Women), or they may be inherent in customary international law. A central point of contention in human rights law today is the extent of its applicability in situations in which the law of armed conflict is operative, that is, in acknowledged armed conflict or hostilities. The posi- tion of the U.S. government is that the moral and ethical imperatives of minimizing unnecessary human suffering are met by the requirements of LOAC (jus in bello), and thus that human rights law should not place additional constraints on the actions of its armed forces. By contrast, many human rights observers and non-government organizations would argue that human rights law can and should apply as well as LOAC (jus in bello) in acknowledged armed conflict. As for the governing regime prior to armed conflict, the relevant ques- tion is the extent to which human rights law applies before the consider- ations of jus ad bellum are addressed, that is, before combat. The major treaty relevant to human rights law is the International Covenant on Civil and Political Rights (ICCPR), ratified by the United States in September 1992. Although a variety of human rights organiza- tions strongly disagree, the United States has argued that the ICCPR does not apply extraterritorially, and so it would not regulate U.S. behavior in other countries. This position is based on the text of Article 2 of the ICCPR (the Covenant applies to â. . . all individuals within its territory and sub- ject to its jurisdiction . . . â) and supported by the negotiating history. If the U.S. position is accepted, cyberattacks that do not rise to the level of armed conflict have no implications from an ICCPR/human rights perspective. If the contrary position is accepted, then two of the rights enumerated in the ICCPR may be relevant to the cyber domain in particular. Article 17 (protecting privacy and reputation) might speak to cyberattacks intended to harm the reputation of an individual, e.g., by falsifying computer-based records about transactions in which he or she had engaged, or to uncover private information about an individual.
282 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES Article 19 (protecting rights to seek information) might speak to cyberat- tacks intended to prevent citizens from obtaining access to the Internet or other telecommunications media. A variety of other rights, such as the right to life, are potentially relevant as well, although they do not seem as closely tied to the cyber domain. Respecting these other rights would suggest, for example, that a cyberattack intended to enforce economic sanctions would still have to allow transactions related to the acquisition of food and medicine. 7.2.6â Reciprocity Although U.S. policy will be based on an analysis of what future legal regime would best serve the interests of the United States (includ- ing whatever political value can be found in asserting the stance), that analysis must take into account the extent and nature of the effects of such regimes on other parties, both other nation-states and subnational entities, and the likelihood that these other parties might feel obligated to comply with such a regime. For example, the United States may decide that an expansive defini- tion of âuse of forceâ prohibiting most uses of cyberattack would help to protect the viability of the U.S. information technology infrastructure in the face of international threats. But such a definition would also prohibit most prekinetic conflict uses of cyberattack by the United States as well. Alternatively, it may decide that other key nations would not comply with an expansive definition,38 and thus that a restrictive definition might b Â etter serve U.S. interests by allowing most uses of cyberattack. 7.3â Domestic law As noted in Section 7.1, domestic law (which includes the Constitu- tion of the United States, federal statutes, and self-executing treaties) constrains both government institutions and private individuals. For example, U.S. domestic law regulates the division of labor regarding operational activities between the DOD and the intelligence agencies for reasons of government accountability and oversight. Generally, activities of the Department of Defense (DOD) are governed by Title 10 of the U.S. Code, and activities of the intelligence community (IC) by several sections of Title 50. U.S. domestic law also provides substantive law governing 38 Many analysts believe that China is an example of a nation that might well be unwill- ing to give up a cyberattack-based avenue of asymmetric confrontation against the United States. See for example, Timothy Thomas, Decoding the Virtual Dragon, Foreign Military Studies Office, Fort Leavenworth, Kans., 2007.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 283 what private parties can and cannot do, both through highly cyber-spe- cific statutes and more general laws on property, self-defense, and so on. In general, a state is entitled to use any method for law enforcement within its territory or with respect to its citizens that is consistent with its domestic law. Within the United States, domestic law regulates police conduct and electronic surveillance, and imposes limits on searches or arrests without probable cause and on the unreasonable use of force in making lawful arrests or during other enforcement activities. Under international law, a state must avoid conduct that amounts to torture, genocide, or other blatant and generalized violations of human rights described in the ICCPR. 7.3.1â Covert Action and Military Activity Chapter 4 addresses some of the operational and policy consider- ations underlying covert action. But the legal framework governing covert action is also important. As noted in Chapter 4, covert action has a statutory definition. How- ever, the 1991 Intelligence Authorization Act also included a provision, now codifed at 50 USC 413b, that distinguished between covert actions and âtraditional military activities,â âtraditional counterintelligence activi- ties,â âtraditional diplomatic activities,â and âtraditional law enforcement activities.â The legislation does not define any of the traditional activities, but the conference report stated the intent of the conferees that:39 âtraditional military activitiesâ include activities by military personnel under the direction and control of a United States military commander (whether or not the U.S. sponsorship of such activities is apparent or later to be acknowledged) preceding and related to hostilities which are either anticipated (meaning approval has been given by the National Command Authorities for the activities and for operational planning for hostilities) to involve U.S. military forces, or where such hostilities in- volving United States military forces are ongoing, and, where the fact of the U.S. role in the overall operation is apparent or to be acknowledged publicly. In this regard, the conferees intend to draw a line between ac- tivities that are and are not under the direction and control of the military commander. Activities that are not under the direction and control of a military commander should not be considered as âtraditional military activities.â Covert action requires a written presidential finding in advance of the action that the action is necessary to support identifiable foreign policy 39 Conference Report on H.R. 1455 (House of Representatives), July 25, 1991, available at http://www.fas.org/irp/congress/1991_cr/h910725-ia.htm.
284 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES objectives of the United States, submission of the finding to the chairmen of the congressional intelligence oversight committees, and notification of congressional leaders of the action. By contrast, no findings, special approval, or notification are needed for conducting any of the tradi- tional military activities, although activities conducted by the uniformed military are subject to the guidance of and restrictions imposed by the law of armed conflict, and, in practice, many highly sensitive military operationsâif conducted outside the framework of a general armed con- flictâhave been brought to the attention of congressional leadership. Finally, 50 USC 413b(f) states that âno covert action may be conducted which is intended to influence United States political processes, public opinion, policies, or media.â In practice, U.S. decision makers have some- times interpreted this provision to mean that no covert action may be conducted that is likely to have such an effect in the United States. Under this interpretation, the use of cyberattack to disseminate false information as part of a covert action might be illegal if such information made it back to the U.S. news media. The matter is complicated by the fact that for certain kinds of covert action, DOD assets will be needed to execute the applicable plans. Under such circumstances, it is less clear whether the planned action is or is not subject to notification as covert action. In addition, because the mecha- nism for covert action authorization calls generally for the notification of the appropriate congressional leaders, delay in execution may be possible and negotiation about its terms may be necessary if these leaders object to the action. The domestic legal requirements for undertaking a covert action require only that the President personally find that the action supports identifiable foreign policy objectives of the United States and that the action is important to the national security of the United States. Thus, as a legal matter, the requirements for a finding regarding an action employ- ing lethal force are the same as for a finding not employing lethal force, and a covert action may use enough lethal force (or destructive force) that it would clearly be a âuse of force,â where âuse of forceâ is used in the sense of the UN Charter. Nevertheless, as a practical matter, congressional overseers and executive branch managers of covert actions are more likely to pay more attention to actions that result (or could result) in death and destruction than those that do not. The same is true for covert actions that are likely to be disclosed, or likely to result in failure, or in friendly personnel being captured. Given this legal environment, it is not surprising that executive branch decision makers have adopted an expansive view of actions that might be considered traditional military activities, and that includes actions that have a very direct military effect on potential military adversariesâeven
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 285 if such actions would constitute covert action if undertaken by the intel- ligence community. Indeed, in recent years (that is, since the terrorist attacks of September 11, 2001), the dividing line between covert action (undertaken by the intelligence community) and military operations (undertaken by the Department of Defense) has become increasingly blurred. Consider, for example, the large amount of intelligence information about adversary systems that is needed to conduct cyberattacks against them. In a targeting context, military collection of the information needed for a cyberattack is essentially indistinguishable from traditional intelli- gence collection. At the same time, a covert operation undertaken by the intelligence community to influence events in another country may well look like a military operation. Even intelligence collection and exploita- tion operations may entail some attack activity (and hence appear mili- tary-like) in order to gain or preserve access. Collection activitiesâpresumably including activities requiring cyber- attack in some form for their successful executionâwould not constitute covert action. Both tapping an adversaryâs underwater cable to obtain mil- itary traffic flows and planting a Trojan horse key logger in an adversary computer system in its ministry of defense would constitute intelligence collection activities, even if such activities were very sensitive. On the other hand, activities that are intended to influence the con- duct, behavior, or actions of an adversary without the involvement of the United States becoming known are covert actions requiring findings if they are not traditional intelligence activities or otherwise exempt, and the dividing line between activities that should be regarded as covert action and those that should not becomes unclear. For example: â¢ Intelligence preparation of the battlefield is a traditional military activity and thus does not constitute covert action. But a cyberattack may be designed to alter the functionality of an adversaryâs tactical command and control systems long in advance of actual hostilities on the ground, and thus may be regarded as a covert action. â¢ Strategic deception conducted under the U.S. military chain of command is a traditional military activity and thus does not constitute covert action. (An example of strategic deception is the attempt to per- suade an adversary that an attack will occur in one place when it will actually occur in another.) But a cyberattack may be developed that alters the data streams on which an adversaryâs intelligence and surveillance capabilities rely, and thus may be regarded as a covert action. â¢ Collecting telemetry on experimental missile launches is a tradi- tional intelligence collection activity. But a cyberattack may be designed to corrupt or alter the telemetry received by the adversary receiving stations
286 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES so that the adversary must redo the test or, even worse, inadvertently use bad data in its R&D efforts, and thus may be regarded as a covert action. From an administrative or organizational standpoint, command struc- tures may blur the lines between Title 10 authorities (governing the armed forces) and Title 50 authorities (governing the intelligence community). For example, as noted in Chapter 3, the U.S. Strategic Command has responsibility for network warfareâand the Joint Functional Component Command for Network Warfare is commanded by the director of the National Security Agency, an element of the intelligence community. Such blurring requires those in the command structure to be careful about the roles they are playing when they take any given action. Perhaps the most important point about the distinction between covert action and traditional military activities is that the distinction is essentially irrelevant outside a domestic context. Nations that are the target or subject of an act that they regard as hostile are not likely to care whether the United States classifies it as a covert action or as a military activity. Thus, the entire discussion above relates only to decisions within the U.S. government about how it should organize itself to conduct vari- ous activities. 7.3.2â Title III and the Foreign Intelligence Surveillance Act Domestic electronic surveillance conducted in the United States for purposes of criminal investigation related to any of a list of specifically enumerated offenses is regulated under the federal Wiretap Act of 1968 as amended (also known as âTitle IIIâ). Under Title III, law enforcement authorities may seek court authorization to conduct real-time surveillance of electronic communications for these purposes. The court authorization must be issued by a judge who concludes that there is probable cause to believe that a crime relating to one of these enumerated offenses has been, is being, or is about to be committed. Originally enacted in 1978, the Foreign Intelligence Surveillance Act (FISA) established a framework for the use of âelectronic surveil- lanceâ conducted to obtain âforeign intelligence informationâ (defined as information about a foreign power or foreign territory that relates to the national defense, the security, or the conduct of the foreign affairs of the
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 287 United States).40 For any such surveillance, the statute requires the attor- ney general and related law enforcement authorities to seek and secure a warrant from a special court known as the Foreign Intelligence Surveil- lance Court (FISC). A FISC order must specify (among other things) a statement of the means by which the surveillance will be conducted and an indication of the period of time for which the electronic surveillance must be maintained. Â Since 1978, FISA has been repeatedly amended to account for new technologies and new concerns about terrorism and civil liberties. The most recent amendments came in 2008. The new statute allows the attor- ney general and the director of national intelligence to jointly authorize the âtargeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.â The statute requires the government to adopt âtargeting proceduresâ to meet this goal and âminimization proceduresâ to avoid the retention or distribution of information concerning U.S. citizens that is obtained from such surveil- lance. The statute imposes no probable cause requirement for such sur- veillance, but more restrictive provisions apply when the person targeted overseas is a U.S. national. Certain cyberexploitations may be regarded as forms of electronic surveillance, and if conducted against U.S. persons or in the United States may under some circumstances be subject to FISA or Title III regulation. Such a cyberexploitation might, for example, require the implantation of software payloads to exfiltrate information surreptitiously. Such infor- mation may include important documents relevant for exploitation or information such as login names and passwords that might be useful for conducting a later cyberattack. It is difficult to speculate on how FISA might be relevant to cyberat- tacks. But there is at least one documented case of a court-approved Title III warrant being used to authorize a cyberexploitation.41 On June 12, 2007, an FBI agent filed an affidavit to a magistrate judge in support of an application for court authorization to send a message to a computer used to administer a specific MySpace.com user account. The message was designed to cause this computer to transmit back to the FBI technical data identifying the computer and/or the users of the computer. Whether 40 More detailed descriptions of FISA and its impact on intelligence gathering can be found in Elizabeth Bazan, The Foreign Intelligence Surveillance Act: An Overview of Selected Issues, Congressional Research Service, Washington D.C., July 7, 2008 (available at www. fas.org/sgp/crs/intel/RL34279.pdf); Elizabeth B. Bazan (ed.), The Foreign Intelligence Sur- veillance Act: Overview and Modifications, Nova Science Publishers, Hauppauge, N.Y., 2008; and Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition, MIT Press, Cambridge, Mass., 2007. 41 See http://politechbot.com/docs/fbi.cipav.sanders.affidavit.071607.pdf.
288 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES and how often the FISC has approved the use of cyberexploitation, or the nature of such exploitation (if any), is not known from information that is publicly available. 7.3.3â Posse Comitatus The Posse Comitatus Act (codified at 18 USC 1385), along with admin- istrative action and other related law, prohibits the U.S. armed forces from executing domestic law, unless such actions are explicitly authorized by statute or the U.S. Constitution. (For example, Title 10, Sections 371-381 of the U.S. Code explicitly allow the Department of Defense to provide federal, state, and local police with information (including surveillance and reconnaissance), equipment, and training/expertise. Other legisla- tion has allowed the DOD to assist in matters related to counterterrorism, weapons of mass destruction, and drug trafficking.) Questions arise most often in the context of assistance to civilian police. Under the Posse Comitatus Act, the Department of Defense would appear to be forbidden from conducting either cyberattack or cyberÂ exploitation in support of domestic law enforcement to enforce domestic law in any context where there was no specific statutory exemption, but would have the authority to conduct such operations domestically if they were part of the exercise of presidential authority to act as commander- in-chief under Article II. 7.3.4â The Computer Fraud and Abuse Act and Other Federal Law A variety of federal laws, including 18 USC 1030 (the Computer Fraud and Abuse Act, described in Section 5.2) and 18 USC 1029 (dealing with fraud and related activity in connection with access devices), prohibit individuals and corporations from undertaking cyberattack activities. Neither of the statutes mentioned above exempts military agencies from their prohibitions, although the legislative history of each does not sug- gest that Congress intended it to apply to military operations abroad. However, the Computer Fraud and Abuse Act may be relevant to possible military cyberattack activities because the various technologies of cyberattack often involve the compromise of third-party computers in order to conceal and otherwise support attack activities against an adver- sary computer system or network. A party launching a cyberattackâsuch as the United Statesâmay wish to conceal its identity in such an action. Or, it may wish to augment the computing resources available to it for such purposes at little additional cost. The issue of public appropriation of private resources depends on whether those private resources are owned by individuals or corporations
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 289 in the United States. The law in this area is voluminous and mixed, and the current status of the law about the governmentâs rights to use private computers of Americans without owner permission in the conduct of a cyberattack is quite unclear. A different analysis, although still murky, applies to the use of private resources owned by individuals or corporations outside the United States. Subsection (f) of 18 USC 1030 (the Computer Fraud and Abuse Act) explic- itly states that Section 1030 âdoes not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.â In this context, an activity might be âlawfully authorizedâ explicitly (as through a warrant granted by the FISC) or implicitly authorized by being undertaken under the legal authority of the President, the bounds of which are evolving and thus not precisely known. On the presumption that there is no other relevant legislative author- ity, there appears to be no domestic legislative impediment for the U.S. government to commandeer the computers of private citizens abroad to create a cyberattack capacity for use by the government, perhaps for use in a botnet or perhaps in any attempt to conduct a cyberattack with plausible deniability. Whether such commandeering is legitimate under the international laws of armed conflict is not clear, although the fact that the âzombificationâ of a computer can leave the computer almost entirely intact and whole for the userâs purposes is surely relevant to a LOAC analysis. (As always, whether such actions would be wise or appropriate on policy grounds is an entirely separate matterâthis paragraph speaks only to the legal aspect of the issue.) If none of these approaches worked to allow the U.S. government to assemble a network of computers for a powerful and hard-to-trace cyber- attack, there would be the theoretical option to obtain the needed access to large numbers of third-party computers by ârentingâ them from a private source. But botnets for hire are, as a practical matter, available only from criminals, since it is a criminal act to assemble a botnet in the first place. And although it is not without precedent,42 cooperating with or paying criminals to conduct operations relevant to national security is highly problematic, is politically controversial, and may itself be illegal. Given the leverage available with using third-party computers for cyberattack, government may wish to find other avenues for clarifying the legal landscape for doing so. One approach would be for the U.S. 42 One such example of U.S. government cooperation with criminals was the CIA use of Mafia assistance in the attempt to assassinate Fidel Castro in 1960. See âTrying to Kill Fidel Castro,â Washington Post, June 27, 2007, p. A06.
290 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES government to simply ask owners of personal computers for permission to use their computers, or to pay a fee to owners willing to make their computers available for such use.43 Such approaches would obviously eliminate the clandestine nature of such use, but it might well place at the disposal of the U.S. government resources far in excess of what it would otherwise have available. In any event, the committee recognizes that such approaches would be contro- versial, and it is not advocating them in any way. 7.3.5â The War Powers Resolution The War Powers Resolution of 1973 was intended to be an assertion of congressional authority relevant to warmaking. A more detailed discus- sion of the War Powers Resolution is contained in Section 6.2.1. 7.3.6â Executive Order 12333 (United States Intelligence Activities) Initially promulgated on December 4, 1981, and amended a number of times since then (most recently in July 2008), Executive Order 12333 regulates the conduct of U.S. intelligence activities.44 Section 2.2 of Execu- tive Order 12333 sets forth âcertain general principles that, in addition to and consistent with applicable laws, are intended to achieve the proper balance between the acquisition of essential information and protection of individual interests.â Using a definition of âUnited States personâ specified in Section 3.4(i) of this order (a United States person is âa United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governmentsâ), Sec- tion 2.3 of Executive Order 12333 establishes constraints on procedures for agencies within the intelligence community to collect, retain or dissemi- nate information concerning United States persons. Section 2.5 requires the attorney general to find probable cause to believe that the U.S. person who is the target of the surveillance is an agent of a foreign power. 43 A partial precedent for using civilian assets for military purposes can be found in the Civil Reserve Air Fleet (CRAF). Under the CRAF program, civilian airlines commit to mak- ing available some of their aircraft for military airlift purposes when DOD military aircraft are inadequate to meet a given demand. In return, the government makes peacetime airlift business available to these civilian airlines. See U.S. Air Force Fact Sheet, Civil Reserve Air Fleet, available at http://www.af.mil/factsheets/factsheet.asp?id=173. 44 The full text of Executive Order 12333 as of July 2008 is available at http://www. tscm.com/EO12333.html.whitehouse.gov/infocus/nationalsecurity/amended12333.pdf.
LEGAL AND ETHICAL PERSPECTIVES ON CYBERATTACK 291 U.S. law (including FISA, Title III, state wiretap law, the Electronic Communications Privacy Act, and Executive Order 12333) may restrict the ability of government agencies to collect information within the United States on cyberattacks, just as it places such restrictions on collection on other subjects, including collection of stored information found on the networks of victims, perpetrators, or âhopâ sites, as well as collection through wiretapping of communications. The significance of this point is that when a system or network in the United States is the target of a cyberattack, and the perpetrator of that attack is unknown to U.S. authori- ties (as is almost always the case), collection of that information must be done in accordance with the appropriate and necessary legal authorities. Absent the consent of the network owners to government collection of the information described above, the legal authorities for law enforcement and (in certain circumstances) counterintelligence provide the broadest basis for such collection. Thus, responsibility for collecting the informa- tion required for attack assessment and attribution will normally rest with the FBI (which uniquely possesses both federal law enforcement and counterintelligence collection authorities (including FISA)) and other domestic law enforcement agencies. (Analysis of that information can beâand under the National Infrastructure Protection Center prior to the establishment of the Department of Homeland Security, wasâperformed jointly by law enforcement, the intelligence community, and military per- sonnel (and by private sector parties if necessary).) Such information is necessary to characterize the nature of an incoming cyberattack, and is of course necessary if any kind of counter-counterattack is to be launched. In addition, Executive Order 12333 regulates the conduct of covert action by stipulating that âno agency except the CIA (or the Armed Forces of the United States in time of war declared by Congress or during any period covered by a report from the President to the Congress under the War Powers Resolution (87 Stat. 855)1) may conduct any special activ- ity unless the President determines that another agency is more likely to achieve a particular objective,â where âspecial activitiesâ are defined as âactivities conducted in support of national foreign policy objectives abroad which are planned and executed so that the role of the United States Government is not apparent or acknowledged publicly, and func- tions in support of such activities, but which are not intended to influence United States political processes, public opinion, policies, or media and do not include diplomatic activities or the collection and production of intelligence or related support functions.â
292 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES 7.4â Foreign Domestic Law Foreign nations are governed by their own domestic laws governing destructive (that is, attack) computer actions. U.S. cyberattack activities that terminate or transit foreign nations may be subject to such law, though enforcement of those laws may be as a practical matter difficult. Foreign domestic law also has an impact on the ability of the United States to trace the origin of cyberattacks or cyberexploitations directed against the United Statesâfor example, if a certain cyber action is not criminal- ized in Zendia, Zendian law enforcement agencies may not have the legal authority to investigate it, even if the action is relevant to a cyberattack action against the United States routed by Ruritania through Zendia.