As this book is primarily intended to address the technical aspects of cyber warfare, the purpose of this chapter is to provide readers with a basic understanding of the law of war as it relates to cyber warfare and to demonstrate that there is a sound legal basis for states to respond to cyber attacks in self-defense. For a more detailed legal discussion filled with legal citations and factual research, I suggest reading my article on cyber warfare in the Fall 2009 edition of the Military Law Review. Furthermore, there are a number of policymaking implications that naturally flow from the conclusions of this chapter, which shall not be fully addressed here.
This chapter is broken down into several sections for ease of reading. First, it reviews the legal problems that states encounter when dealing with cyber attacks, and why current interpretations of the law of war actually endanger states. Second, it lays out the basic framework for a.n.a.lyzing armed attacks. Third, it explores the challenges that nonstate actors present to the basic framework of the law of war. Fourth, it a.n.a.lyzes cyber attacks under the law of war and demonstrates that victim-states have a right to respond with force against host-states that neglect their duty to prevent cyber attacks. Finally, it examines the choice to use force, explains why active defenses are the most appropriate use of force under the law of war, and describes the legal problems that states will face when using active defenses.
The Legal Dilemma.
Given the potentially catastrophic consequences that cyber attacks can cause, it is imperative for states to be able to effectively defend their critical infrastructure from attack. The most effective way to ward off cyber attacks is to use a layered defense of active and pa.s.sive defenses. Unfortunately, states intentionally choose to confine their computer defenses to pa.s.sive defenses alone, in part out of fear that using active defenses violates the law of war.
Right now, no comprehensive international treaty exists to regulate cyber attacks. Consequently, states must practice law by a.n.a.logy: either equating cyber attacks to traditional armed attacks and responding to them under the law of war or equating them to criminal activity and dealing with them under domestic criminal laws. The prevailing view of states and legal scholars is that states must treat cyber attacks as a criminal matter (1) out of uncertainty over whether a cyberattack can even qualify as an armed attack, and (2) because the law of war requires states to attribute an armed attack to a foreign government or its agents before responding with force.
This limited view of the law of war is problematic for two reasons. First, because active defenses are a form of electronic force, it confines state computer defenses to pa.s.sive defenses alone, which weakens state defense posture. Second, it forces states to rely on domestic criminal laws to deter cyber attacks, which are ineffective because several major states are unwilling to extradite or prosecute their attackers. Given these problems with the prevailing view of the law of war, states find themselves in a "response crisis" during a cyber attack, forced to decide between effective, but arguably illegal, active defenses, and the less effective, but legal, pa.s.sive defenses and criminal laws.
More than anything else, the attribution requirement perpetuates the response crisis because it is virtually impossible to attribute cyber attacks during an attack. Although states can trace cyber attacks back to computer servers in another state, conclusively ascertaining the ident.i.ty of the attacker requires intensive, time-consuming investigation with the a.s.sistance of the state of origin. Given the prohibition on responding with force until an attack has been attributed to a state or its agents, coupled with the fact that the vast majority of cyber attacks are conducted by nonstate actors, it should come as no surprise that states are reluctant to treat cyber attacks as acts of war and risk violating international law. This "attribution problem" locks states into the response crisis.
Treating cyber attacks as a criminal matter would not be problematic if pa.s.sive defenses and criminal laws provided sufficient protection from them. Unfortunately, neither is adequate. While pa.s.sive defenses are always the first line of defense and reduce the chances of a successful cyber attack, states cannot rely on them to completely secure their critical information systems. Furthermore, pa.s.sive defenses do little to dissuade attackers from attempting their attacks in the first place. Deterrence comes from criminal laws and the penalties a.s.sociated with them. However, criminal laws have proven to be impotent to deter international cyber attacks because several major states, such as China and Russia, allow their attackers to operate with impunity when their attackers target rival states.
The Road Ahead: A Proposal to Use Active Defenses.
To escape this dilemma, states must use active defenses. Not only will active defenses greatly improve state cyber defenses, but it logically follows that using them will serve as a deterrent to cyber attacks since attackers will not want to subject themselves to counterattack.
As we"ll review in further detail later in this chapter, the legal authority for states to use active defenses flows from the longstanding duty that states have to prevent nonstate actors from using their territory to commit cross-border attacks. Traditionally, this duty only required states to prevent illegal acts that the state knew about beforehand; however, this duty has evolved in response to international terrorism and now requires states to act against groups generally known to carry out illegal acts. In the realm of cyber warfare, this duty should be interpreted to require states to enact and enforce criminal laws to deter cross-border cyber attacks. Otherwise, the current situation that states face with China and Russia will continue to exist. Requiring states to enact and enforce criminal laws against cyber attacks will solve the current crisis in one of two ways: either states will live up to their duty and start enforcing criminal laws against attackers, or states will violate their duty, which will create a legal pathway for victim-states to hold them legally responsible for an attack without having to attribute it first. In effect, repeated failure by a state to take criminal action against its attackers will result in it being declared a "sanctuary state," allowing other states to use active defenses against cyber attacks originating from within its borders.
Given the importance of using active defenses, it would be best if international law could provide parameters regarding their proper use. After all, one of the purposes of international law is to get states to behave in predictable ways that are acceptable to the international community. Thus, unless the international community wants to risk unpredictable and unacceptable responses to cyber attacks, international law must provide guidelines for the use of active defenses. Luckily, the law of war is robust enough to provide guidance to states; one only needs to fully examine it.*[3] The views expressed in this chapter are those of the author and do not necessarily represent the views of the Department of Defense. The author would like to thank Major J. Jeremy Marsh, Judge Advocate General"s Corps, US Air Force, for his invaluable a.s.sistance during his research into cyber warfare.
[4] Active defenses are electronic countermeasures designed to strike attacking computer systems and shut down cyber attacks midstream. Security professionals can set up active defenses to automatically respond to attacks against critical systems, or they can carry them out manually. For the most part, active defenses are cla.s.sified, though programs that send destructive viruses back to the perpetrator"s machine or packet-flood the intruder"s machine have entered the public domain. Pa.s.sive defenses are the traditional forms of computer security used to defend computer networks, such as system access controls, data access controls, security administration, and secure system design.
The Law of War.
The law of war is divided into two princ.i.p.al areas, jus ad bellum and jus in bello. Jus ad bellum, also known as the law of conflict management, is the legal regime governing the transition from peace to war. It basically lays out when states may lawfully resort to armed conflict. Jus in bello, also known as the law of armed conflict, governs the actual use of force during war. The a.n.a.lysis of whether states can respond to cyber attacks with active defenses predominantly falls under jus ad bellum, since jus ad bellum sets forth the thresholds that cyber attacks must cross to be considered acts of war.
Historically, the transition from peace to war fell under the prerogative of the sovereign; however, it came under international law following World War II with the ratification of the UN Charter. Although the UN Charter is not the only source of jus ad bellum, it is the starting point for all jus ad bellum a.n.a.lysis. The relevant articles of the UN Charter are Articles 2(4), 39, and 51, which provide the framework for modern jus ad bellum a.n.a.lysis.
General Prohibition on the Use of Force.
Article 2(4) prohibits states from employing "the threat or use of force against the territorial integrity or political independence of [another] state, or in any other manner inconsistent with the Purposes of the United Nations." In effect, it criminalizes both the aggressive use of force and the threat of the aggressive use of force by states as crimes against international peace and security. Although the UN Charter"s protections apply only to states that are parties to it, the prohibitions of Article 2(4) are so widely followed that they have come to be recognized as customary international law, binding on all states across the globe.
Thus, states may not threaten to use or actually use force against another state unless an exception is carved out within the UN Charter. This position is further supported by Article 2(3), which requires states to "settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered." Only two exceptions exist to this seemingly all-encompa.s.sing renunciation on the use of force: actions authorized by the UN Security Council and self-defense.
The First Exception: UN Security Council Actions.
The first exception to the general prohibition on the use of force is actions authorized by the UN Security Council. Article 42 of the UN Charter allows the Security Council to use military force to restore international peace and security. However, while the UN Charter grants the Security Council power to use military force, the Security Council cannot do so until it has met the conditions of Articles 39, 41, and 42.
Article 39 is the first threshold that the Security Council must cross before it can authorize the use of force. It requires the Security Council to determine that a "threat to the peace, breach of the peace, or act of aggression" exists. Once the Security Council determines that this threshold has been met, it can attempt to restore international peace and security in accordance with Articles 41 and 42 of the UN Charter.
Article 41, the use of nonmilitary measures, is the Charter"s preferred method for restoring international peace and security. Under it, the Security Council can direct states to use nonmilitary measures to coerce an offending state into ceasing its aggression. The nonmilitary measures are implemented by UN member states and may include the "complete or partial interruption of economic relations...and other means of communication, and the severance of diplomatic relations."
When the Security Council determines that Article 41 measures are would be pointless to try or have proven unsuccessful, it may authorize military measures under Article 42. However, unlike its Article 41 powers, the Security Council may only authorize member states to take military action; it cannot compel them to do so.
The Second Exception: Self-Defense.
The second exception to the general prohibition on the use of force is self-defense. This right is enshrined in Article 51 of the UN Charter, which proclaims that "[n]othing in the present Charter shall impair the inherent right of [states to engage in] individual or collective self-defense" in response to an "armed attack." As the text of Article 51 implies, the right of self-defense existed long before the UN Charter, and it has been reaffirmed by the Charter as an inherent right under customary international law. Self-defense essentially stands for the proposition that states have a fundamental right to survive, and they may use force to protect themselves and their citizens. Because this right exists independently from the UN Charter, self-defense a.n.a.lysis draws on both the provisions of Article 51 of the UN Charter and the principles of customary international law.
The bedrock principle of self-defense is that it may be invoked in response to an armed attack. Unfortunately, although this cornerstone is universally recognized under international law, ambiguity over the meaning of "armed attack" has led to an ongoing debate about when states may invoke self-defense. This is because the Charter never defines "armed attack." Since the timing of self-defense is contingent on when an armed attack occurs, it is critical to resolve what const.i.tutes an armed attack. This debate has become even more p.r.o.nounced regarding cyber attacks, which are far more difficult to cla.s.sify than traditional attacks with conventional weapons.
Self-defense a.n.a.lysis is further complicated because of competing theories among legal scholars on the interplay between the UN Charter and customary international law. Some commentators place heavier emphasis on the UN Charter, arguing that Article 51 limits self-defense to responses against actual armed attacks. Others place more emphasis on customary international law, arguing that the historical right of states to treat imminent armed attacks as armed attacks is also lawful. Imminent armed attacks are addressed later in this chapter, but for now, it is worth noting that although there are different theories about the definition of an armed attack, once a state is targeted with an armed attack by another state, everyone agrees the victim-state and its allies are legally authorized to use force against the aggressor.
Self-defense responses must comply with international law. Just because an armed attack has occurred against a victim-state does not mean that the victim-state has a blank check to wage unlimited war against the aggressor. Self-defense responses must be necessary and proportional. Necessity means that self-defense is actually required under the circ.u.mstances because a reasonable settlement could not be attained through peaceful means. Proportionality requires self-defense actions to be limited to the amount of force necessary to defeat an ongoing attack or deter future aggression. This principle does not require the size and scope of defensive actions to be similar to those of the attack. A defensive action may need to employ significantly greater force than the attacker used to successfully repel the attacker. The key is to determine the amount of force needed to either defeat the current attack or deter future attacks. These two principles define the legal boundaries to self-defense responses.
A Subset of Self-Defense: Antic.i.p.atory Self-Defense.
Antic.i.p.atory self-defense is a subset of self-defense and a longstanding tenet of international law. It allows states to defend themselves against imminent armed attacks, rather than forcing them to wait until their enemies cross their borders.
The legality of antic.i.p.atory self-defense rests on the imminency of an attack. Initially, imminency restricted antic.i.p.atory self-defense to situations immediately before an attack, where an attack was detected, but there was no time to deliberate about other ways to prevent the attack short of self-defense. The principle effectively balanced the victim-state"s right to ward off violence against its obligation to find peaceful means to resolve disputes. However, due to changes in the nature of warfare, imminency has evolved significantly.
Today, imminency allows states to legally employ force in advance of an attack, at the point when (1) evidence shows that an aggressor has committed itself to an armed attack and (2) delaying a response would hinder the defender"s ability to mount a meaningful defense. Thus, imminency is actually a relative concept, which operates as follows: Weak States may lawfully act sooner than strong ones in the face of identical threats because they are at greater risk as time pa.s.ses. In the same vein, it may be necessary to conduct defensive operations against a terrorist group long before a planned attack because there is unlikely to be another opportunity to target terrorists before they strike. ... In other words, each situation presents a case-specific window of opportunity within which a State can foil an impending attack.[5]
Finally, just because a single attack may be complete does not mean that future attacks are not imminent. When evidence suggests that an attack is part of an ongoing campaign against a state, such as the terrorist attacks against the United States on 9/11, future armed attacks will be considered imminent and antic.i.p.atory self-defense will be authorized.
An Alternate Basis for Using Active Defenses: Reprisals.
Reprisals, also known as proportionate countermeasures, provide another way for states to address illegal uses of force against them. As discussed earlier, no consensus exists as to what const.i.tutes an armed attack, meaning that a cyber attack could be seen as a use of force below the armed attack threshold. As a result, it is important to explore the rights that states have to react to illegal uses of force against them that fall short of an armed attack.
Reprisals are an exception to the general rule that states are required to solve their disputes peacefully. Reprisals allow victim-states to take normally unlawful actions against another state, when the other state is violating its international obligations with respect to the victim-state. Reprisals must comply with three criteria. These are: In the first place [countermeasures] must be taken in response to a previous international wrongful act of another State and must be directed against that State.
Secondly, the injured State must have called upon the State committing the wrongful act to discontinue its wrongful conduct or to make reparation for it.
Third, the effects of a countermeasure must be commensurate with the injury suffered.[6]
Since states may not use force contrary to Article 2(4) of the UN Charter, economic and political coercion are the two main forms of reprisals. However, the consensus among international scholars is that this really only amounts to a prohibition against armed force. Therefore, reprisals could also include the use of limited cyber attacks. Although this chapter contends that states should deal with cyber attacks using self-defense and antic.i.p.atory self-defense legal principles, reprisals provide an important alternate theory for dealing with cyber attacks to those who contend that cyber attacks fall short of the armed attack threshold.
The general framework of jus ad bellum discussed so far has primarily evolved in response to state-on-state attacks. When attacks are carried out by nonstate actors across state borders, it complicates the framework governing state responses to the attacks. Since most cyber attacks are carried out by nonstate actors, this chapter will explore jus ad bellum in greater depth and explain the intricacies of state responses to attacks by nonstate actors.
[5] Schmitt, M. 2003. "Preemptive Strategies in International Law." Michigan Journal of International Law: 24, 51334.
[6] Gabcikovo-Nagymaros Project (Hung. v. Slovk.), 1997 I.C.J. 7, 5556 (Sept. 25) (Merits).
Nonstate Actors and the Law of War.
As a general rule, international law treats each state as sovereign and forbids each state from waging war against or intervening in the domestic affairs of another. While a state gives up these rights when it attacks another state, it cannot be said to give up these rights just because individuals located within it choose to commit criminal acts against another state. Consequently, international attacks by nonstate actors complicate the general framework of jus ad bellum.
Although jus ad bellum has always provided some guidance for attacks by nonstate actors, historically the guidance it provided was scant. However, the rise of transnational terrorism challenged traditional norms of jus ad bellum and forced states to expand traditional norms to cope with attacks by nonstate actors. Today, jus ad bellum provides states with a robust framework for a.n.a.lyzing attacks by nonstate actors.
To understand whether states can respond to cyber attacks against them with force, an a.n.a.lysis of the underlying law governing attacks by nonstate actors must be undertaken. It starts with an a.n.a.lysis of whether armed attacks by nonstate actors fall under the law of war, continues with the duties states have to one another concerning nonstate actors within their territory, then moves on to ways to impute state responsibility for the acts of nonstate actors, and ends with the legality of cross-border operations against states.
Armed Attacks by Nonstate Actors.
Although the issue of armed attacks by nonstate actors was not envisioned in the drafting of the UN Charter, customary international law has evolved to allow states to apply the law of self-defense to attacks by nonstate actors. The international community"s response to the 9/11 terrorist attacks crystallized the validity of this principle.
Following the 9/11 attacks, the UN Security Council pa.s.sed Resolution 1368, which reaffirmed the United States" inherent right to engage in self-defense in accordance with Article 51 of the Charter. Two weeks later, when it was clear that Al Qaeda was behind the attacks, the Security Council pa.s.sed Resolution 1373, once again reaffirming the United States" inherent right of self-defense. These resolutions are particularly significant because the 9/11 attacks could have been dealt with under Article 42 of the Charter, but instead were dealt with under Article 51, even though the attacks were committed by nonstate actors.
Additionally, the North Atlantic Treaty Organization, the Organization of American States, and Australia all invoked the collective self-defense provisions of their mutual defense treaties to a.s.sist the United States in its response to the 9/11 attacks. Finally, scores of other states declared their support for the United States to respond in self-defense to Al Qaeda. Given the universal outpouring of support to treat the 9/11 attacks as acts of war, it is now incontrovertible that states may apply self-defense law to armed attacks by nonstate actors.
However, while attacks by nonstate actors fall under the law of war, the law of war allows states to forcibly respond to these attacks only when the attacks are imputable to a state, meaning the state also bears some responsibility for the actions of the nonstate actors. The next step of the a.n.a.lysis toward imputing state responsibility for an attack is, therefore, to examine the duties that states have concerning nonstate actors within their territory.
Duties between States.
It is a long established principle of international law that "a State is bound to use due diligence to prevent the commission within its dominions of criminal acts against another nation or its people."[7]
This principle is reflected in numerous state declarations, judicial opinions, and publications from leading scholars. State declarations that support this principle include the 1970 Declaration on Friendly Relations, which urges states to "refrain from...acquiescing [to] organized activities within [their] territory directed towards the commission of [civil strife or terrorism in another state"; the 1994 Declaration on Measures to Eliminate Terrorism; and the 1996 Declaration on the Strengthening of International Security, which says that states "must refrain from organizing, instigating, a.s.sisting or partic.i.p.ating in terrorist acts in territories of other states, or from acquiescing in or encouraging activities within their territories directed towards the commission of such acts." International case law also supports this principle.
In Corfu Channel, the International Court of Justice held that states have a duty "not to allow knowingly its territory to be used for acts contrary to the rights of other States."[8] In Tehran, it reaffirmed that states "are required under international law to take appropriate acts in order to protect the interests" of other states from nonstate actors within their borders.[9]
In short, it is clear from state practice and opinio juris, the two bases for customary international law, that states have an affirmative duty to prevent nonstate actors within their borders from committing armed attacks on other states. Toleration of such attacks const.i.tutes a crime under international law.
Thus, when a host-state has the ability to prevent an armed attack by nonstate actors within its territory but fails to do so, it violates its duty under international law. However, since it is not realistic to expect states to completely prevent armed attacks by nonstate actors, the dispositive factor in evaluating state conduct is what a state does to address potential threats and whether it takes realistic steps to prevent the attack from occurring.
In and of itself, the duty to prevent attacks does not make states responsible for every cross-border attack by nonstate actors that emanates from their territory. However, it does bridge the gap between the actions of nonstate actors and the state. The next section completes the a.n.a.lysis of imputing state responsibility for the cross-border attacks of nonstate actors.
Imputing State Responsibility for Acts by Nonstate Actors.
The question of a state"s legal responsibility for the acts of nonstate actors has evolved significantly over the past few decades. Before 1972, states were generally not viewed as legally responsible for the acts of private or nonstate actors. Only the actions of a host-state"s organs were imputable to it, and state responsibility arose only from acts by qualifying "agents" of the state. Qualified agents amounted to actors over whom a state exercised direct authority, and whom the state directed to conduct the acts. As time pa.s.sed, international law shifted away from a direct control approach and moved toward an indirect responsibility approach regarding the acts of nonstate actors.