Chapter 4. Responding to International Cyber Attacks As Acts of War
Introduction by Jeffrey Carr
Whereas the previous chapter discussed some of the legal questions and strategies being debated among the international community of legal scholars, this chapter focuses on one strategy in particular that addresses the fuzzy role of non-state actors in cyber conflicts between nation states, that is, assigning states’ responsibility for their non-action and enacting consequences because of it.
I want to thank Lt. Cdr. Matt Sklerov for laboriously rewriting his 111-page thesis so that I could include it in this book.[2] In my opinion, Matt is one of the rising stars of the Department of Defense, and I feel privileged that he has consented to have his work republished here. Although there are still unresolved issues with Active Defense (such as confusion around attribution), he makes his case so thoroughly and persuasively that I believe it will serve as an excellent platform for further discussion, not just in the U.S. Government, but in governments and military commands around the world.
Introduction
By Lieutenant Commander Matthew J. Sklerov
One of the most heavily debated issues in international law is when states may lawfully respond to cyber attacks in self-defense. While the law of war is comprised of well-known and widely accepted principles, applying these principles to cyber attacks is a difficult task. This difficulty arises out of the fact that the law of war developed, for the most part, in response to conventional wars between states. When evaluating armed attacks in that paradigm, it was easy to assess the scope of an attack and the identity of an attacker. Unfortunately, when a cyber attack is in progress, it becomes difficult for states to assess the scope of an attack or figure out who is responsible for it. These difficulties have made states reluctant to respond to cyber attacks in self-defense for fear of violating the law of war, and they have turned cyber warfare into one of the hottest topics in international law.
This chapter explores the unique challenges that cyber attacks pose to the law of war and provides an analytical framework for dealing with them. Once the current state of the law of war is fully explored, this chapter will demonstrate that states have a right under international law to:
View and respond to cyber attacks as acts of war and not solely as criminal matters.
Use active, not just passive, defenses[3] against the computer networks in other states, that may or may not have initiated an attack, but have neglected their duty to prevent cyber attacks from within their borders.
As this book is primarily intended to address the technical aspects of cyber warfare, the purpose of this chapter is to provide readers with a basic understanding of the law of war as it relates to cyber warfare and to demonstrate that there is a sound legal basis for states to respond to cyber attacks in self-defense. For a more detailed legal discussion filled with legal citations and factual research, I suggest reading my article on cyber warfare in the Fall 2009 edition of the Military Law Review. Furthermore, there are a number of policy-making implications that naturally flow from the conclusions of this chapter, which shall not be fully addressed here.
This chapter is broken down into several sections for ease of reading. First, it reviews the legal problems that states encounter when dealing with cyber attacks, and why current interpretations of the law of war actually endanger states. Second, it lays out the basic framework for analyzing armed attacks. Third, it explores the challenges that non-state actors present to the basic framework of the law of war. Fourth, it analyzes cyber attacks under the law of war and demonstrates that victim-states have a right to respond with force against host-states that neglect their duty to prevent cyber attacks. Finally, it examines the choice to use force, explains why active defenses are the most appropriate use of force under the law of war, and describes the legal problems that states will face when using active defenses.
The Legal Dilemma
Given the potentially catastrophic consequences that cyber attacks can cause, it is imperative for states to be able to effectively defend their critical infrastructure from attack. The most effective way to ward off cyber attacks is to use a layered defense of active and passive defenses. Unfortunately, states intentionally choose to confine their computer defenses to passive defenses alone, in part out of fear that using active defenses violates the law of war.
Right now, no comprehensive international treaty exists to regulate cyber attacks. Consequently, states must practice law by analogy: either equating cyber attacks to traditional armed attacks and responding to them under the law of war or equating them to criminal activity and dealing with them under domestic criminal laws. The prevailing view of states and legal scholars is that states must treat cyber attacks as a criminal matter (1) out of uncertainty over whether a cyberattack can even qualify as an armed attack, and (2) because the law of war requires states to attribute an armed attack to a foreign government or its agents before responding with force.
This limited view of the law of war is problematic for two reasons. First, because active defenses are a form of electronic force, it confines state computer defenses to passive defenses alone, which weakens state defense posture. Second, it forces states to rely on domestic criminal laws to deter cyber attacks, which are ineffective because several major states are unwilling to extradite or prosecute their attackers. Given these problems with the prevailing view of the law of war, states find themselves in a “response crisis” during a cyber attack, forced to decide between effective, but arguably illegal, active defenses, and the less effective, but legal, passive defenses and criminal laws.
More than anything else, the attribution requirement perpetuates the response crisis because it is virtually impossible to attribute cyber attacks during an attack. Although states can trace cyber attacks back to computer servers in another state, conclusively ascertaining the identity of the attacker requires intensive, time-consuming investigation with the assistance of the state of origin. Given the prohibition on responding with force until an attack has been attributed to a state or its agents, coupled with the fact that the vast majority of cyber attacks are conducted by non-state actors, it should come as no surprise that states are reluctant to treat cyber attacks as acts of war and risk violating international law. This “attribution problem” locks states into the response crisis.
Treating cyber attacks as a criminal matter would not be problematic if passive defenses and criminal laws provided sufficient protection from them. Unfortunately, neither is adequate. While passive defenses are always the first line of defense and reduce the chances of a successful cyber attack, states cannot rely on them to completely secure their critical information systems. Furthermore, passive defenses do little to dissuade attackers from attempting their attacks in the first place. Deterrence comes from criminal laws and the penalties associated with them. However, criminal laws have proven to be impotent to deter international cyber attacks because several major states, such as China and Russia, allow their attackers to operate with impunity when their attackers target rival states.
The Road Ahead: A Proposal to Use Active Defenses
To escape this dilemma, states must use active defenses. Not only will active defenses greatly improve state cyber defenses, but it logically follows that using them will serve as a deterrent to cyber attacks since attackers will not want to subject themselves to counterattack.
As we’ll review in further detail later in this chapter, the legal authority for states to use active defenses flows from the longstanding duty that states have to prevent non-state actors from using their territory to commit cross-border attacks. Traditionally, this duty only required states to prevent illegal acts that the state knew about beforehand; however, this duty has evolved in response to international terrorism and now requires states to act against groups generally known to carry out illegal acts. In the realm of cyber warfare, this duty should be interpreted to require states to enact and enforce criminal laws to deter cross-border cyber attacks. Otherwise, the current situation that states face with China and Russia will continue to exist. Requiring states to enact and enforce criminal laws against cyber attacks will solve the current crisis in one of two ways: either states will live up to their duty and start enforcing criminal laws against attackers, or states will violate their duty, which will create a legal pathway for victim-states to hold them legally responsible for an attack without having to attribute it first. In effect, repeated failure by a state to take criminal action against its attackers will result in it being declared a “sanctuary state,” allowing other states to use active defenses against cyber attacks originating from within its borders.
Given the importance of using active defenses, it would be best if international law could provide parameters regarding their proper use. After all, one of the purposes of international law is to get states to behave in predictable ways that are acceptable to the international community. Thus, unless the international community wants to risk unpredictable and unacceptable responses to cyber attacks, international law must provide guidelines for the use of active defenses. Luckily, the law of war is robust enough to provide guidance to states; one only needs to fully examine it.
The Law of War
The law of war is divided into two principal areas, jus ad bellum and jus in bello. Jus ad bellum, also known as the law of conflict management, is the legal regime governing the transition from peace to war. It basically lays out when states may lawfully resort to armed conflict. Jus in bello, also known as the law of armed conflict, governs the actual use of force during war. The analysis of whether states can respond to cyber attacks with active defenses predominantly falls under jus ad bellum, since jus ad bellum sets forth the thresholds that cyber attacks must cross to be considered acts of war.
Historically, the transition from peace to war fell under the prerogative of the sovereign; however, it came under international law following World War II with the ratification of the UN Charter. Although the UN Charter is not the only source of jus ad bellum, it is the starting point for all jus ad bellum analysis. The relevant articles of the UN Charter are Articles 2(4), 39, and 51, which provide the framework for modern jus ad bellum analysis.
General Prohibition on the Use of Force
Article 2(4) prohibits states from employing “the threat or use of force against the territorial integrity or political independence of [another] state, or in any other manner inconsistent with the Purposes of the United Nations.” In effect, it criminalizes both the aggressive use of force and the threat of the aggressive use of force by states as crimes against international peace and security. Although the UN Charter’s protections apply only to states that are parties to it, the prohibitions of Article 2(4) are so widely followed that they have come to be recognized as customary international law, binding on all states across the globe.
Thus, states may not threaten to use or actually use force against another state unless an exception is carved out within the UN Charter. This position is further supported by Article 2(3), which requires states to “settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered.” Only two exceptions exist to this seemingly all-encompassing renunciation on the use of force: actions authorized by the UN Security Council and self-defense.
The First Exception: UN Security Council Actions
The first exception to the general prohibition on the use of force is actions authorized by the UN Security Council. Article 42 of the UN Charter allows the Security Council to use military force to restore international peace and security. However, while the UN Charter grants the Security Council power to use military force, the Security Council cannot do so until it has met the conditions of Articles 39, 41, and 42.
Article 39 is the first threshold that the Security Council must cross before it can authorize the use of force. It requires the Security Council to determine that a “threat to the peace, breach of the peace, or act of aggression” exists. Once the Security Council determines that this threshold has been met, it can attempt to restore international peace and security in accordance with Articles 41 and 42 of the UN Charter.
Article 41, the use of non-military measures, is the Charter’s preferred method for restoring international peace and security. Under it, the Security Council can direct states to use non-military measures to coerce an offending state into ceasing its aggression. The non-military measures are implemented by UN member states and may include the “complete or partial interruption of economic relations…and other means of communication, and the severance of diplomatic relations.”
When the Security Council determines that Article 41 measures are would be pointless to try or have proven unsuccessful, it may authorize military measures under Article 42. However, unlike its Article 41 powers, the Security Council may only authorize member states to take military action; it cannot compel them to do so.
The Second Exception: Self-Defense
The second exception to the general prohibition on the use of force is self-defense. This right is enshrined in Article 51 of the UN Charter, which proclaims that “[n]othing in the present Charter shall impair the inherent right of [states to engage in] individual or collective self-defense” in response to an “armed attack.” As the text of Article 51 implies, the right of self-defense existed long before the UN Charter, and it has been reaffirmed by the Charter as an inherent right under customary international law. Self-defense essentially stands for the proposition that states have a fundamental right to survive, and they may use force to protect themselves and their citizens. Because this right exists independently from the UN Charter, self-defense analysis draws on both the provisions of Article 51 of the UN Charter and the principles of customary international law.
The bedrock principle of self-defense is that it may be invoked in response to an armed attack. Unfortunately, although this cornerstone is universally recognized under international law, ambiguity over the meaning of “armed attack” has led to an ongoing debate about when states may invoke self-defense. This is because the Charter never defines “armed attack.” Since the timing of self-defense is contingent on when an armed attack occurs, it is critical to resolve what constitutes an armed attack. This debate has become even more pronounced regarding cyber attacks, which are far more difficult to classify than traditional attacks with conventional weapons.
Self-defense analysis is further complicated because of competing theories among legal scholars on the interplay between the UN Charter and customary international law. Some commentators place heavier emphasis on the UN Charter, arguing that Article 51 limits self-defense to responses against actual armed attacks. Others place more emphasis on customary international law, arguing that the historical right of states to treat imminent armed attacks as armed attacks is also lawful. Imminent armed attacks are addressed later in this chapter, but for now, it is worth noting that although there are different theories about the definition of an armed attack, once a state is targeted with an armed attack by another state, everyone agrees the victim-state and its allies are legally authorized to use force against the aggressor.
Self-defense responses must comply with international law. Just because an armed attack has occurred against a victim-state does not mean that the victim-state has a blank check to wage unlimited war against the aggressor. Self-defense responses must be necessary and proportional. Necessity means that self-defense is actually required under the circumstances because a reasonable settlement could not be attained through peaceful means. Proportionality requires self-defense actions to be limited to the amount of force necessary to defeat an ongoing attack or deter future aggression. This principle does not require the size and scope of defensive actions to be similar to those of the attack. A defensive action may need to employ significantly greater force than the attacker used to successfully repel the attacker. The key is to determine the amount of force needed to either defeat the current attack or deter future attacks. These two principles define the legal boundaries to self-defense responses.
A Subset of Self-Defense: Anticipatory Self-Defense
Anticipatory self-defense is a subset of self-defense and a longstanding tenet of international law. It allows states to defend themselves against imminent armed attacks, rather than forcing them to wait until their enemies cross their borders.
The legality of anticipatory self-defense rests on the imminency of an attack. Initially, imminency restricted anticipatory self-defense to situations immediately before an attack, where an attack was detected, but there was no time to deliberate about other ways to prevent the attack short of self-defense. The principle effectively balanced the victim-state’s right to ward off violence against its obligation to find peaceful means to resolve disputes. However, due to changes in the nature of warfare, imminency has evolved significantly.
Today, imminency allows states to legally employ force in advance of an attack, at the point when (1) evidence shows that an aggressor has committed itself to an armed attack and (2) delaying a response would hinder the defender’s ability to mount a meaningful defense. Thus, imminency is actually a relative concept, which operates as follows:
Weak States may lawfully act sooner than strong ones in the face of identical threats because they are at greater risk as time passes. In the same vein, it may be necessary to conduct defensive operations against a terrorist group long before a planned attack because there is unlikely to be another opportunity to target terrorists before they strike…. In other words, each situation presents a case-specific window of opportunity within which a State can foil an impending attack.[4]
Finally, just because a single attack may be complete does not mean that future attacks are not imminent. When evidence suggests that an attack is part of an ongoing campaign against a state, such as the terrorist attacks against the United States on 9/11, future armed attacks will be considered imminent and anticipatory self-defense will be authorized.
An Alternate Basis for Using Active Defenses: Reprisals
Reprisals, also known as proportionate countermeasures, provide another way for states to address illegal uses of force against them. As discussed in earlier, no consensus exists as to what constitutes an armed attack, meaning that a cyber attack could be seen as a use of force below the armed attack threshold. As a result, it is important to explore the rights that states have to react to illegal uses of force against them that fall short of an armed attack.
Reprisals are an exception to the general rule that states are required to solve their disputes peacefully. Reprisals allow victim-states to take normally unlawful actions against another state, when the other state is violating its international obligations with respect to the victim-state. Reprisals must comply with three criteria. These are:
In the first place [countermeasures] must be taken in response to a previous international wrongful act of another State and must be directed against that State.
Secondly, the injured State must have called upon the State committing the wrongful act to discontinue its wrongful conduct or to make reparation for it.
Third, the effects of a countermeasure must be commensurate with the injury suffered.[5]
Since states may not use force contrary to Article 2(4) of the UUN Charter, economic and political coercion are the two main forms of reprisals. However, the consensus among international scholars is that this really only amounts to a prohibition against armed force. Therefore, reprisals could also include the use of limited cyber attacks. Although this chapter contends that states should deal with cyber attacks using self-defense and anticipatory self-defense legal principles, reprisals provide an important alternate theory for dealing with cyber attacks to those who contend that cyber attacks fall short of the armed attack threshold.
The general framework of jus ad bellum discussed so far has primarily evolved in response to state-on-state attacks. When attacks are carried out by non-state actors across state borders, it complicates the framework governing state responses to the attacks. Since most cyber attacks are carried out by non-state actors, this chapter will explore jus ad bellum in greater depth and explain the intricacies of state responses to attacks by non-state actors.
Non-State Actors and the Law of War
As a general rule, international law treats each state as a sovereign and forbids other states from waging war against them or intervening in their domestic affairs. While a state gives up these rights when it attacks another state, it cannot be said to give up these rights just because individuals located within it choose to commit criminal acts against another state. Consequently, international attacks by non-state actors complicate the general framework of jus ad bellum.
Although jus ad bellum has always provided some guidance for attacks by non-state actors, historically the guidance it provided was scant. However, the rise of transnational terrorism challenged traditional norms of jus ad bellum and forced states to expand traditional norms to cope with attacks by non-state actors. Today, jus ad bellum provides states with a robust framework for analyzing attacks by non-state actors.
To understand whether states can respond to cyber attacks against them with force, an analysis of the underlying law governing attacks by non-state actors must be undertaken. It starts with an analysis of whether armed attacks by non-state actors fall under the law of war, continues with the duties states have to one another concerning non-state actors within their territory, then moves on to ways to impute state responsibility for the acts of non-state actors, and ends with the legality of cross-border operations against states.
Armed Attacks by Non-State Actors
Although the issue of armed attacks by non-state actors was not envisioned in the drafting of the UN Charter, customary international law has evolved to allow states to apply the law of self-defense to attacks by non-state actors. The international community’s response to the terrorist attacks of September 11, 2001, (9/11) crystallized the validity of this principle.
Following the 9/11 attacks, the UN Security Council passed Resolution 1368, reaffirming the United States’ inherent right to engage in self-defense in accordance with Article 51 of the Charter. Two weeks later, when it was clear that Al Qaeda was behind the attacks, the Security Council passed Resolution 1373, once again reaffirming the United States’ inherent right of self-defense. These resolutions are particularly significant because the 9/11 attacks could have been dealt with under Article 42 of the Charter, but instead were dealt with under Article 51, even though the attacks were committed by non-state actors.
Additionally, the North Atlantic Treaty Organization, the Organization of American States, and Australia all invoked the collective self-defense provisions of their mutual defense treaties to assist the United States in its response to the 9/11 attacks. Finally, scores of other states declared their support for the United States to respond in self-defense to Al Qaeda. Given the universal outpouring of support to treat the 9/11 attacks as acts of war, it is now incontrovertible that states may apply self-defense law to armed attacks by non-state actors.
However, while attacks by non-state actors fall under the law of war, the law of war allows states to forcibly respond to these attacks only when the attacks are imputable to a state, meaning the state also bears some responsibility for the actions of the non-state actors. The next step of the analysis toward imputing state responsibility for an attack is, therefore, to examine the duties that states have concerning non-state actors within their territory.
Duties Between States
It is a long established principle of international law that “a State is bound to use due diligence to prevent the commission within its dominions of criminal acts against another nation or its people.”[6]
This principle is reflected in numerous state declarations, judicial opinions, and publications from leading scholars. State declarations that support this principle include the 1970 Declaration on Friendly Relations, which urges states to “refrain from…acquiescing [to] organized activities within [their] territory directed towards the commission of [civil strife or terrorism in another state”; the 1994 Declaration on Measures to Eliminate Terrorism; and the 1996 Declaration on the Strengthening of International Security, which says that states “must refrain from organizing, instigating, assisting or participating in terrorist acts in territories of other states, or from acquiescing in or encouraging activities within their territories directed towards the commission of such acts.” International case law also supports this principle.
In Corfu Channel, the International Court of Justice held that states have a duty “not to allow knowingly its territory to be used for acts contrary to the rights of other States.”[7] In Tehran, it reaffirmed that states “are required under international law to take appropriate acts in order to protect the interests” of other states from non-state actors within their borders.[8]
In short, it is clear from state practice and opinio juris, the two bases for customary international law, that states have an affirmative duty to prevent non-state actors within their borders from committing armed attacks on other states. Toleration of such attacks constitutes a crime under international law.
Thus, when a host-state has the ability to prevent an armed attack by non-state actors within its territory but fails to do so, it violates its duty under international law. However, since it is not realistic to expect states to completely prevent armed attacks by non-state actors, the dispositive factor in evaluating state conduct is what a state does to address potential threats and whether it takes realistic steps to prevent the attack from occurring.
In and of itself, the duty to prevent attacks does not make states responsible for every cross-border attack by non-state actors that emanates from their territory. However, it does bridge the gap between the actions of non-state actors and the state. The next section completes the analysis of imputing state responsibility for the cross-border attacks of non-state actors.
Imputing State Responsibility for Acts by Non-State Actors
The question of a state’s legal responsibility for the acts of non-state actors has evolved significantly over the past few decades. Before 1972, states were generally not viewed as legally responsible for the acts of private or non-state actors. Only the actions of a host-state’s organs were imputable to it, and state responsibility arose only from acts by qualifying “agents” of the state. Qualified agents amounted to actors over whom a state exercised direct authority, and whom the state directed to conduct the acts. As time passed, international law shifted away from a direct control approach and moved toward an indirect responsibility approach regarding the acts of non-state actors.
This shift began with the International Tribunal for the former Yugoslavia’s seminal opinion on state responsibility in the Tadic case, in which it revised the direct control test to impute host-state responsibility for the actions of groups of non-state actors over when a state exercised “overall control” of the group, even though the state may not have directed the particular act in question.[9] Although overall control is still a form of direct control, the opinion marked a significant relaxation of the standard for state responsibility.
The shift to indirect responsibility continued through the middle of 2001, with a general consensus emerging that any breach of a state’s international obligations to other states, whether from treaty law or customary law, and whether the result of a state’s acts or its failures to act, resulted in international responsibility for the state.[10] This consensus solidified following the 9/11 terrorist attacks on the United States, bringing us to today’s framework for state responsibility.
September 11, 2001, marked the culmination of the shift of state responsibility from the paradigm of direct control to indirect responsibility. On that date, Al Qaeda terrorists hijacked four airplanes, flew three of them into buildings in the United States, and killed more than three thousand U.S. citizens in what was widely recognized as an armed attack. Al Qaeda was based in Afghanistan, which at the time was ruled by the Taliban. While the Taliban harbored Al Qaeda and occasionally provided it limited logistical support, the Taliban did not exercise effective or even overall control over Al Qaeda. Further distancing the Taliban from 9/11 is the lack of evidence suggesting that the Taliban knew of the 9/11 attacks beforehand, or even endorsed them after the fact. Yet despite all of this, it was internationally accepted that Al Qaeda’s acts were legally imputable to the Taliban, and thus to Afghanistan, because it had harbored and sheltered Al Qaeda, and refused to stop doing so, even after being warned to stop.
Thus, following 9/11, state responsibility may be implied based on a state’s failure to fulfill its international duty to prevent non-state actors from using its territory to attack other states. As such, there need not be a causal link between a wrongdoer and a state; rather, only a failure of a state to uphold its duty to prevent attacks from its territory into another state. “Hence, a state’s passiveness or indifference toward [a non-state actor’s] agendas within its own territory might trigger its responsibility, possibly on the same scale as though it had actively participated in the planning.”[11] Much of the legal analysis of whether a state is responsible will “turn on an ex-post facto analysis of whether the state could have put more effort into preventing the…attack.”[12]
However, even when state responsibility is imputed for the armed attacks of non-state actors, states may still be forbidden from responding with force. The final step in the legal analysis ends with the legality of cross-border operations against other states.
Cross-Border Operations
Cross-border operations into the territory of an offending state are the natural consequence of imputed state responsibility for the armed attacks of non-state actors. However, states must meet a number of legal requirements before they may pursue a non-state aggressor into another state in self-defense. To understand the rationale behind why states may breach a host-state’s general right to territorial integrity in self-defense and the requirements states must meet in order to do so, one must first look to the UUN Charter’s general prohibition on using force against another state.
The right of territorial integrity generally gives way to the right of self-defense. The principle underlying this balancing act is that when one state violates another state’s territorial integrity, it forfeits its own right to territorial integrity. This principle evolved out of state-on-state attacks, but it also may be applied in a similar manner when states are indirectly responsible for the violations of another state’s territorial integrity by non-state actors. The key is whether the host-state tried to prevent its territory from being used to commit criminal acts against the victim-state.
As always, before a state resorts to self-defense, it must ensure that it meets the criteria of necessity, proportionality, and, if using the subset of anticipatory self-defense, imminency. Effectively, a state must have no viable alternatives to the use of force, and it must limit its use of force to securing its defensive objectives.
The application of these requirements may vary depending on whether the acts of the non-state actors were imputed based on direct control or indirect attribution. In cases of direct control, the victim-state may immediately impute responsibility to the host-state and act in self-defense against it and the non-state actors inside it. In cases of indirect attribution, a victim-state must overcome another hurdle before conducting cross-border operations, and ensure that it has properly linked the actions of the non-state actors to the host-state. This may be done by issuing an ultimatum to the sanctuary state to comply with its international obligations or else.
The sanctuary state must then either act against the non-state actors, or willingly allow the victim-state to enter its territory and mount operations against the non-state actors. Otherwise the victim-state can impute responsibility and conduct its cross-border operations into the host-state. However, in doing so, the victim-state must limit its targets to the non-state actors, unless the host-state uses force to oppose the lawful cross-border operations.
Based on the foregoing analysis, it is evident that victim-states may forcibly respond to armed attacks by non-state actors located in another state when host-states violate their duty to prevent those attacks. With cyber attacks, imputing state responsibility in this manner provides states a legal path to utilize active defenses without having to conclusively attribute an attack to a state or its agents. In effect, imputing responsibility is the equivalent of attributing the attack to the state or its agents. Thus, imputing responsibility provides states a way around the attribution problem and response crisis. However, just because there is a legal pathway to get around the requirement that armed attacks be attributable to a state or its agents does not mean that cyber attacks by non-state actors lend themselves to this framework. As a result, it is imperative to explain why cyber attacks constitute armed attacks, what a state’s duty to prevent cyber attacks means, and the factual circumstances that would allow a victim-state to forcibly respond to a cyber attack.
Analyzing Cyber Attacks Under Jus ad Bellum
Cyber attacks represent a conundrum for legal scholars. Cyber attacks come in many different forms, their destructive potential limited only by the creativity and skill of the attackers behind them. Although it may seem intuitive that cyber attacks can constitute armed attacks, especially in light of their ability to injure or kill, the legal community has been reluctant to adopt this approach because cyber attacks do not resemble traditional armed attacks with conventional weapons. Further clouding the legal waters is the erroneous view of states and scholars alike on the need for states to attribute cyber attacks to a state or its agents before responding with force. Although it is true that cyber attacks do not resemble traditional armed attacks, and that cyber attacks are difficult to attribute, neither of these characteristics should preclude states from responding with force. This section explores different analytical models for assessing armed attacks, the logical meaning of the duty of prevention as it relates to cyber attacks, and the technological capacity of trace programs to trace attacks back to their point of origin. After all of these issues are examined, it becomes clear that states may legally use active defenses against cyber attacks originating from states that violate their duty to prevent them.
Cyber Attacks As Armed Attacks
Victim-states must be able to classify a cyber attack as an armed attack or imminent armed attack before responding with active defenses because, as we discussed earlier in this chapter, armed attacks and imminent armed attacks are the triggers that allow states to respond in self-defense or anticipatory self-defense. Ideally, there would be clear rules for classifying cyber attacks as armed attacks, imminent armed attacks, or lesser uses of force. Unfortunately, since cyber attacks are a relatively new attack form, international efforts to classify them are still in their infancy, even though the core legal principles governing armed attacks are well settled. Consequently, whether cyber attacks can qualify as armed attacks and which cyber attacks should be considered armed attacks are left as open questions in international law. To answer these questions, this subsection examines the core legal principles governing armed attacks, applies them to cyber attacks, explains why cyber attacks can qualify as armed attacks, and attempts to provide some insight into which cyber attacks should be considered armed attacks.
“Armed attack” is not defined by any international convention. As a result, its meaning has been left open to interpretation by states and scholars. Although this might sound problematic, it is not. The framework for analyzing armed attacks is relatively well-settled, as are the core legal principles governing its meaning. The international community generally accepts Jean S. Pictet’s scope, duration, and intensity test as the starting point for evaluating whether a particular use of force constitutes an armed attack. Under Pictet’s test, a use of force is an armed attack when it is of sufficient scope, duration, and intensity. Of course, as is the case with many international legal concepts, states, non-governmental organizations, and scholars all interpret the scope, duration, and intensity test differently.
State declarations help flesh out which uses of force are of sufficient scope, duration, and intensity to constitute an armed attack. Harkening back to the French-language version of the UN Charter, which refers to “armed aggression” rather than an “armed attack,” the UN General Assembly passed the Definition of Aggression resolution in 1974. The resolution requires an attack to be of “sufficient gravity” before it is considered an armed attack. The resolution never defines armed attacks, but it does provide examples that are widely accepted by the international community. Although the resolution has helped settle the meaning of armed attacks for conventional attacks, the more technology has advanced, the more attacks have come in forms not previously covered by state declarations and practices. Consequently, states recognize that unconventional uses of force may warrant treatment as an armed attack when their scope, duration, and intensity are of sufficient gravity. As a result, states are continually making proclamations about new methods of warfare, slowly shaping the paradigm for classifying armed attacks.
Scholars have advanced several analytical models to deal with unconventional attacks, such as cyber attacks, to help ease attack classification and put the scope, duration, and intensity analysis into more concrete terms. These models are especially relevant to cyber attacks because they straddle the line between criminal activity and armed warfare. There are three main analytical models for dealing with unconventional attacks. The first model is an instrument-based approach, which checks to see whether the damage caused by a new attack method previously could have been achieved only with a kinetic attack.[13] The second is an effects-based approach, sometimes called a consequence-based approach, in which the attack’s similarity to a kinetic attack is irrelevant and the focus shifts to the overall effect that the cyber attack has on a victim-state.[14] The third is a strict liability approach, in which cyber attacks against critical infrastructure are automatically treated as armed attacks, due to the severe consequences that can result from disabling those systems.[15]
Of these three approaches, the effects-based approach is the best analytical model for dealing with cyber attacks. Not only does effects-based analysis account for everything that an instrument-based approach covers, but it also provides an analytical framework for situations that do not neatly equate to kinetic attacks.[16] Effects-based analysis is also superior to strict liability because responses to cyber attacks under an effects-based approach comport with internationally accepted legal norms and customs, whereas a strict liability approach may cause victim-states to violate the law of war.[17]
Of all of the scholars who advocate effects-based models, Michael N. Schmitt has advanced the most useful analytical framework for evaluating cyber attacks. In his seminal article “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” Schmitt lays out six criteria for evaluating cyber attacks as armed attacks.[18] These criteria are severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy. Taken together, they allow states to measure cyber attacks along several different axes. While no one criterion is dispositive, cyber attacks satisfy enough criteria to be characterized as armed attacks. Since their publication, Schmitt’s criteria have gained traction in the legal community, with several prominent legal scholars advocating for their use. Many hope that Schmitt’s criteria will help bring some uniformity to state efforts to classify cyber attacks. However, until Schmitt’s criteria gain wider acceptance, states are likely to classify cyber attacks differently, depending on their understanding of armed attacks as well as their conception of vital national interest.
Classifying cyber attacks will be difficult for states to do in practice.[19] Although the initial decision to respond to cyber attacks under the law of war as a matter of policy will have to be made by state policy makers, the actual decision to use active defenses will have to be pushed down to the system administrators who actually operate computer networks. One of the challenges policy makers will face is translating international law into concise, understandable rules for their system administrators to follow, so that a state’s agents comply with international law while protecting its vital computer networks. However, classifying cyber attacks as armed attacks or imminent armed attacks is only the first hurdle system administrators must clear before responding with active defenses. The second and equally important hurdle is establishing state responsibility for the attack.
Establishing State Responsibility for Cyber Attacks
States cannot respond to a cross-border cyber attack with force without establishing state responsibility for the attack. Although historically this meant that an attack had to be attributed to a state or its agents, direct control of an attack is no longer a requirement for state responsibility. Today, international law bases a state’s responsibility on its failure to meet its international duties.
This shift is especially important for cyber attacks because the prevailing view that states must treat cross-border cyber attacks as a criminal matter, rather than as a national security matter, seems to be based on the historic view of state responsibility. This limited view of state responsibility locks states into the response crisis by requiring states to attribute cyber attacks to a state or its agents before responding with active defenses, even though the likelihood of successfully attributing an attack is extremely remote. Consequently, states find themselves in the response crisis during a cyber attack, laboring under the false assumption that they must decide between effective, but illegal, active defenses, and the less effective, but legal, path of passive defenses and domestic criminal laws.
Given the shift in the law of state responsibility, states should determine whether a cyber attack can be imputed to the state of origin rather than trying to conclusively attribute it. Once a cyber attack is imputed to a state and that state refuses to return to compliance with its international duties, the legal barriers to acting in self-defense disappear.
While neither state practice nor the publications of legal scholars supports this view regarding cyber attacks yet, the accepted principles of customary jus ad bellum support imputing state responsibility for armed attacks by non-state actors when the attacks originate from a state that allows non-state actors to conduct criminal operations within their borders. States that allow non-state actors to conduct those operations breach their duty to prevent attacks against other states, and are known as sanctuary states. This is extremely important to the victim-states of cyber attacks because when a cyber attack originates from a sanctuary state, a victim-state may employ active defenses and avert the response crisis.
It is thus necessary to understand the answers to two key questions:
What is a state’s duty to prevent cyber attacks?
What must a state do to violate its duty of prevention?
The answers are the legal keys that will establish the basis for imputing state responsibility for cyber attacks and unlock the restraints that states have placed on themselves by following the prevailing view of state responsibility for cyber attacks.
The Duty to Prevent Cyber Attacks
States have an affirmative duty to prevent cyber attacks from their territory against other states. This duty actually encompasses several smaller duties to prevent cyber attacks, including passing stringent criminal laws, conducting vigorous law enforcement investigations, prosecuting attackers, and, during the investigation and prosecution, cooperating with the victim-states of cyber attacks. These are the duties of all states and, as you will see in this subsection, are binding as customary international law. The authority for these duties comes from all three sources of customary international law—international conventions, international custom, and the general principles of law common to civilized nations, as also evidenced by judicial decisions and the teachings of the most highly qualified international legal scholars.
Support from International Conventions
The only international treaty directly on point is the European Convention on Cybercrime.[20]Although the treaty is only a regional agreement, it is still very influential on customary international law because of the importance of the states that have ratified it under the specially affected states doctrine.[21] Furthermore, it demonstrates state recognition of both the need to criminalize cyber attacks, and the duty of states to prevent their territory from being used by non-state actors to conduct cyber attacks against other states.[22] The Convention is also significant because it recognizes that cyber attacks cannot be interdicted during the middle of an attack, and that the only way to prevent them is through aggressive law enforcement, coupled with state cooperation.
International treaties to criminalize terrorism provide further support, albeit indirectly, for the duty to prevent cyber attacks. The international community recognizes terrorism as a threat to international peace and security, but cannot agree on a definition. As a result, states have adopted the approach of outlawing specific terrorist acts each time terrorists adopt new attack methods, rather than outlawing terrorism itself.[23] These treaties impose several common requirements on states with regard to terrorist attack methods, such as taking all practicable measures for the purpose of preventing these attacks, criminalizing the attacks, submitting cases to competent authorities for prosecution, and forcing states to cooperate with each other throughout the criminal proceedings. Although these treaties do not address cyber attacks, the principles contained in them help influence state requirements under customary international law with regard to terrorism. Since there is growing evidence that cyber attacks will soon be a weapon of choice for terrorists, states should refer to the common principles found in these treaties as opinio juris when cyber attacks are used as a terrorist weapon.
Support from State Practice
State treatment of cyber attacks under their criminal laws also evidence recognition of the duty to prevent cyber attacks under customary international law. Numerous states criminalize and prosecute cyber attacks to deter attackers from conducting them, on the basis that vigorous law enforcement is the only way to protect and prevent harm to their computer systems. This lends credence to the notion that, unlike a conventional attack, which can be stopped after detection, cyber attacks can be stopped only by establishing ex ante barriers that attackers are fearful of crossing. Furthermore, these practices demonstrate a growing recognition among states that cyber attacks must be stopped, and that the way to do so is through vigorous law enforcement.
State responses to transnational terrorist attacks further support recognition of a duty to prevent cyber attacks under customary international law. After the 9/11 terrorist attacks, states across the world condemned terrorism as a threat to international peace and security, and provided various forms of support to the United States in its war against Al Qaeda. Ensuring that terrorism will forever be legally recognized as a threat to international peace and security, the Security Council passed Resolution 1373, which reaffirmed that acts of international terrorism are threats to international peace and security and called on states to work together to prevent and suppress terrorism. The resolution further directed states to “refrain from providing any form of support” to terrorists through act or omission, to “deny safe haven” to those who commit terrorist acts, and “afford one another the greatest measure of assistance in connection with criminal investigations…[or] proceedings” related to terrorism.
The international community’s response to terrorism does not directly define customary international law regarding cyber attacks, but it is persuasive on several fronts. First, it shows that states have a duty to prevent threats to international peace and security. Second, it demonstrates that passive acquiescence to threats to international peace and security will not be tolerated. Finally, it demonstrates that states must work together to prevent and suppress threats to international peace and security. The more cyber attacks resemble terrorism, the more easily they will fit into the paradigm constructed to deal with transnational terrorism. However, no matter their purpose, cyber attacks represent a threat to international peace and security and should be dealt with like other recognized transnational threats.
Numerous UN declarations about international crime also support recognizing the duty to prevent cyber attacks. These declarations urge states to take affirmative steps to prevent non-state actors from using their territory to commit acts that cause civil strife in another state.[24] Furthermore, these declarations also support the duty of states to cooperate with one another to eliminate transnational crime, which lends credence to the duty to cooperate with victim-states during the criminal investigation and prosecution of cyber attacks.[25]
Focusing specifically on cyber attacks, states have made declarations themselves, and used the UN General Assembly to make numerous declarations about the importance of preventing cyber attacks. For instance, the UN General Assembly has called on states to criminalize cyber attacks[26] and to deny their territory from being used as a safe haven to conduct cyber attacks through state practice.[27]
The General Assembly has also called on states to cooperate with each other during the investigation and prosecution of international cyber attacks.[28] Even China’s Premier Wen Jiabao has admitted that China should take firm and effective action to prevent all hacking attacks that threaten computer systems.
Furthermore, states are starting to recognize the threat that cyber attacks pose to international peace and security, with some states and the General Assembly directly recognizing cyber attacks as a danger to international peace and security.[29] These declarations all evidence recognition that states have a duty to prevent cyber attacks as a matter of law, to include the lesser duties of passing stringent criminal laws, vigorously investigating cyber attacks, prosecuting attackers, and having the host-states cooperate with victim-states during the investigation and prosecution of cases.
Support from the General Principles of Law
The general principles of law common to civilized nations also support recognition of a duty to prevent cyber attacks. It is a well-established principle under the domestic laws of most states that individuals should be responsible for acts or omissions that have a causal link to harm suffered by another individual. While international law is not obligated to follow the domestic laws of states, international law may be derived from the general principles common to the major legal systems of the world. Most states use causation as a principle for establishing individual responsibility, lending credence to the idea that a state’s responsibility also should also be based on causation.
Thus, if a state failed to pass stringent criminal laws, did not investigate international cyber attacks, or did not prosecute attackers, it should be held responsible for international cyber attacks against another state because its omission helped create a safe haven for attackers to attack other states. Furthermore, as evidenced in the Corfu Channel case, the general duty to prevent attacks already allows states to be held accountable for causation to some degree, which supports using causation analogies from domestic laws when interpreting the customary duty to prevent cyber attacks.
Support from Judicial Opinions
Finally, judicial opinions further support recognition of a state’s affirmative duty to prevent cyber attacks from its territory against other states. In Tellini, a special committee of jurists held that a state may be held responsible for the criminal acts of non-state actors when it “neglect[s] to take all reasonable measures for the prevention of the crime and pursuit, arrest and bringing to justice of the criminal.”[30] In S.S. Lotus, the Permanent Court of International Justice held that “a state is bound to use due diligence to prevent the commission within its dominions of criminal acts against another nation or its people.”[31]
In Corfu Channel, the International Court of Justice held that states have a duty “not to allow knowingly its territory to be used for acts contrary to the rights of other states.”[32]Although these are older cases, their principles still stand for and support the notion that states have a duty to prevent their territory from being used to commit criminal acts against another state, as well as a duty to pursue, arrest, and bring to justice criminals who have conducted cross-border attacks on other states.
Fully Defining a State’s Duty to Prevent Cyber Attacks
A state’s duty to prevent cyber attacks should not be based on a state’s knowledge of a particular cyber attack before it occurs, but rather on its actions to prevent cyber attacks in general. Cyber attacks are extremely difficult for states to detect prior to the commission of a specific attack, and are often committed by individuals or groups who are not even on a state’s radar. However, just because cyber attacks are difficult to prevent does not mean that states can breach their duty to prevent them. Stringent criminal laws and vigorous law enforcement will deter cyber attacks. States that do not enact such laws fail to live up to their duty to prevent cyber attacks.
Likewise, even when a state has stringent criminal laws, if it looks the other way when cyber attacks are conducted against rival states, it effectively breaches its duty to prevent them through its unwillingness to do anything to stop them, just as if it had approved the attacks. In other words, a state’s passiveness and indifference toward cyber attacks make it a sanctuary state, from where attackers can safely operate. When viewed in this light, it becomes apparent that a state can be held indirectly responsible for cyber attacks under the established principles of customary international law.
Sanctuary States and the Practices That Lead to State Responsibility
Determining whether a state is acting as a sanctuary state is extremely fact-dependent. When considering this question, victim-states must look at a host-state’s criminal laws, law enforcement practices, and track record of cooperation with the victim-states of cyber attacks that originate from within its borders. In effect, host-states will be judged on their efforts to catch and prosecute attackers who have committed cyber attacks, which is probably the only way that states can deter and prevent future attacks. Since victim-states will end up judging whether a host-state has lived up to its international duties, host-states must cooperate with victim-states to ensure transparency. Cooperation will necessarily entail a host-state showing its criminal investigations to a victim-state so that victim-states can correctly judge host-state action.
Furthermore, when a host-state lacks the technical capacity to track down attackers, international law should require it to work together with law enforcement officials from the victim-state to jointly track them down.[33] These two measures will prevent host-states from being perceived as uncooperative and complicit in the use of their networks for attacks against other states. States that deny involvement in a cyber attack but refuse to open their investigative records to the victim-state cannot expect to be treated as living up to its international duties. In effect, host-states that refuse to cooperate with victim-states are stating their unwillingness to prevent cyber attacks and have declared themselves as sanctuary states.
Once a host-state demonstrates that it is a sanctuary state through its inaction, other states can impute responsibility to it. At that point, the host-state becomes liable for the cyber attack that triggered an initial call for investigation, as well as for all future cyber attacks originating from it. This opens the door for a victim-state to use active defenses against the computer servers in that state during a cyber attack.
The Choice to Use Active Defenses
Although this chapter urges states to use active defenses to protect their computer networks, states that choose to use them will find themselves confronted with difficult legal decisions as a result of the limits of technology. Technological limitations will place states in a position where a timely decision to use active defenses requires states to decide to use them with imperfect knowledge. Since forcible responses to cyber attacks must comply with both principal areas of the law of war—jus ad bellum and jus in bello—the decision to use active defenses raises several other questions of law resulting from these technical limitations. From a practical standpoint, this will affect state decision-making at the highest and lowest levels of government. State policy makers will need to account for these limitations when setting policy, whereas state system administrators will need to account for these limitations when responding to actual cyber attacks.
This section analyzes these issues. First, it addresses the technological limitations that are likely to affect state jus ad bellum analysis. Next, it moves on to jus in bello issues. Jus in bello analysis will begin with the decision to use force, analyzing why active defenses are the most appropriate forceful responses to cyber attacks. Finally, jus in bello analysis will conclude with the impact that technological limitations are likely to have on state decisions to use force. Once this is complete, it will be clear that active defenses are a viable way for states to protect themselves, despite the fact that technological limitations will complicate state decision-making.
Technological Limitations and Jus ad Bellum Analysis
While cyber attack analysis is greatly simplified by looking at whether a state of origin has violated its duty to prevent, rather than having to attribute an attack, states are still likely to find cyber attacks difficult to deal with in practice. Jus ad bellum requires states to carefully analyze a cyber attack and ensure that (1) the attack constitutes an armed attack or imminent armed attack; and (2) the attack originates from a sanctuary state. Both of these conditions must exist before a state can lawfully respond with active defenses under jus ad bellum.
Cyber attack analysis will be conducted by system administrators, whose position puts them at the forefront of computer defense. System administrators can use various computer programs to facilitate their analysis. Automated detection and warning programs can help detect intrusions, classify attacks, and flag intrusions for administrator action. Automated or administrator-operated trace programs can trace attacks back to their point of origin. These programs can help system administrators classify cyber attacks as armed attacks or lesser uses of force and evaluate whether attacks originate from a state previously declared a sanctuary state. When attacks meet the appropriate legal thresholds, system administrators may use active defenses to protect their networks.
Unfortunately, technological limitations on attack detection, attack classification, and attack traces are likely to further complicate state decision-making during cyber attack analysis. Ideally, attacks would be easy to detect, classify, and trace. Unfortunately, this is not the case. This section analyzes the technological limits of these programs and explores their likely impact on state decision makers and system administrators.
Limitations on attack detection
Early detection and warning programs can help catch cyber attacks before they reach their culminating point, but even the best programs are unable to detect all cyber attacks. As a result, cyber attacks are bound to harm states. From a legal perspective, the failure to catch an attack until after its completion has both an upside and a downside. On the upside, states would gain the luxury of time to evaluate an attack, since the threat of danger will have already passed. On the downside, tracing an attack back to its source becomes more difficult the further removed the trace becomes from the time of attack.
Furthermore, even when it turns out that an armed cyber attack originates from a sanctuary state, state policy makers would need to think long and hard about using active defenses as a matter of policy. The longer it takes to detect an attack, the less compelling the need for states to use active defenses, especially when the attack seems truly complete. On the other hand, when an attack that has reached completion is seen as part of a series of ongoing attacks, the need to use active defenses to deter future attacks is more compelling.
Limitations on attack classification
Early detection and warning programs will detect many cyber attacks mid-attack. However, detecting an attack before its culmination makes it harder to classify. Naturally, a system administrator will immediately attempt to shut down a cyber attack with passive defenses as soon as it is detected, but that is not the full extent of his job. The system administrator must also assess the damage that has been done, as well as any likely future damage, so that an informed decision can be made about whether to use active defenses.[34]
When an ongoing cyber attack has already caused severe, immediate, invasive, direct, and measurable damage, it can safely be classified as an armed attack, even though it is still ongoing. On the other hand, when an attack has not caused such damage, a system administrator will need to look at (1) the immediacy of future harm and (2) the likelihood of fending off the attack with purely defensive measures to determine whether the attack should be classified as an imminent armed attack. Given the lightning speeds with which computer codes can execute, this will be very difficult to do, as delaying the use of active defenses increases the likelihood of harm to a state.
The limitations on attack classification should give system administrators pause before deciding to use active defenses in anticipatory self-defense. While it is lawful to make a decision based on their best analysis of the facts, such determinations will be highly speculative due to the shadowy nature of cyber attacks. Most likely, when a computer intrusion is detected, the purpose of the attack will be difficult to discern without dissecting a program’s code or reviewing the audit logs of an attacker’s activity. Furthermore, the speed with which cyber attacks execute will force system administrators to make their best guess, even though they will probably be missing critical information. Given the speculative nature of any such calculus, state policy makers may want to direct their system administrators to respond to cyber attacks in anticipatory self-defense only as an act of last resort, to prevent an escalation of hostilities between states.
Limitations on attack traces
Cyber attacks are frequently conducted through intermediate computer systems to disguise the true identity of the attacker. Although trace programs are capable of penetrating intermediate disguises back to their electronic source, their success rate is not perfect. Thus, trace programs run the risk of incorrectly identifying the true source of an attack. This creates an apparent problem because an attack could be incorrectly perceived as coming from a state that is not the actual state of origin. However, this is not as big a problem as it appears. State responsibility should still be judged on the facts at hand, even if it results in misattribution. First, as long as a state assesses an attack to the best of its technical capability and acts in good faith on the information on hand, it has met its international obligations. Second, states that refuse to comply with their international duty to prevent their territory from being used to commit cyber attacks have chosen to risk being held indirectly responsible by accident. After all, a state can avoid being the target of active defenses, even when attacks originate from it, by taking affirmative steps to prevent cyber attacks, such as enacting stringent criminal laws, enforcing those laws, and cooperating with victim-states to bring attackers to justice.
Jus in Bello Issues Related to the Use of Active Defenses
Decisions to use force are governed by jus in bello. Jus in bello stands for the proposition that states do not have a right to use unlimited force against other states during war.[35] At its core, jus in bello uses four basic principles to regulate the conduct of states during warfare. These are: distinction, necessity, humanity, and proportionality.
Active defenses: The most appropriate forceful response
Although this chapter advocates the use of active defenses in response to cyber attacks, once one accepts that states are legally authorized to respond to cyber attacks with force, the necessary consequence is that states may use force to the extent authorized under jus in bello. In other words, unless jus in bello stops states from using conventional weapons, forcible responses are not limited to active defenses. Therefore, it is worth explaining why policy makers should choose to use active defenses as the most appropriate response to cyber attacks.
Active defenses are the most appropriate type of force to use against cyber attacks in light of the principles of jus in bello. First, in terms of military necessity, active defenses probably represent all the force needed to accomplish the mission of defending against a cyber attack. Active defenses can trace an attack back to its source and immediately disrupt it, whereas kinetic weapons will be slower and less effective than the lightning speed of a hack-back. Therefore, employing kinetic weapons over active defenses will not only be less effective, but will also violate the principle of necessity by employing force purely for destruction’s sake. Second, in terms of proportionality, active defenses are less likely to cause disproportionate collateral damage than kinetic weapons. The traceback capabilities of active defenses allow them to target only the source of a cyber attack. Although collateral damage may still result because the originating computer system may serve multiple functions, unless an attacker uses critical information systems to conduct the attack, damage should be fairly limited from the use of active defenses.
Furthermore, since the majority of cyber attacks are conducted by non-state actors, it seems unlikely that many attacks will be launched from the computers that serve as components of a state’s critical infrastructure. Thus, active defenses provide states a way to surgically strike at their attacker with minimal risks of severe collateral damage to the host-state, thereby meeting the proportional requirement to select the weapon least likely to cause excessive collateral damage or incidental injury.
Finally, while not stemming from jus in bello, choosing active defenses versus kinetic weapons should reduce the chance of escalating these situations into full-scale armed conflicts between states.
Technological limitations and jus in bello analysis
Unfortunately, despite the increased security that active defenses provide, using them is not without legal risk. Technological limitations may prevent states from conducting the surgical strikes envisioned with active defenses. The more an attacker routes his attack through intermediary systems, the more difficult it is to trace.
Furthermore, complex traces take time, which is not always available during a moment of crisis. Adding to these difficulties, trace programs often have problems pinpointing the source of an attack once an attacker terminates his electronic connection. Sometimes these difficulties will simply result in a failure to identify the source of an attack; other times it may result in the incorrect identification of an intermediary system as the source of an attack. Even when the source of an attack is correctly identified, the victim-state’s system administrator must map out the attacking computer system to distinguish its functions and the likely consequences that will result from shutting it down. However, system mapping takes time, often more time than a state has to make an informed decision. Sometimes an administrator will be able to map a system quickly, allowing states to make informed decisions about likely collateral damage. But other times a state will be forced to predict the likely consequences of using active defenses without having fully mapped a system. As a result, any state that employs active defenses runs the risk of accidentally targeting innocent systems and causing unintended, excessive collateral damage.
To ensure the lawful use of active defenses in accordance with the principles of distinction and proportionality, states must try to mitigate these risks. In the realm of active defenses, this means doing everything feasible to identify (1) the computer system that launched the initial attack and (2) the probable collateral damage that will result from using active defenses against that system. Once a state does everything feasible to ensure it has the right information and acts in good faith in accordance with jus in bello, it is legally protected from erroneous calculations, even when it targets civilian systems or causes excessive collateral damage in relation to its military objective. Thus, states may still act with imperfect information, based on the way facts appear at the time, when the potential danger forces them to act. The real test will be whether danger to the victim-state’s systems justified the use of active defenses in light of the likely collateral damage to the host-state.
Although an in-depth discussion is beyond the scope of this chapter, there are several issues worthy of consideration before a state decides to implement active defenses. First, due to the compressed timelines of cyber attacks, a state may need to automate its active defenses so that it can respond in a timely manner. However, using automated defenses will increase the likelihood of violating the principles of distinction and proportionality. As a result, defenses should probably be automated only for detection purposes, requiring human analysis and approval before actually counter-striking.
Second, just because it is legal to use active defenses under the circumstances described here, that does not mean it is sound policy. States must decide whether the diplomatic fallout is worth the risk. Unfortunately, technological limitations can cause state calculations to be erroneous at times and civilian systems to be targeted or excessively damaged. States must decide that the second-guessing that other states will engage in is worth the benefit gained from protecting their computer systems.
Third, there is the chance that the servers from which the initial attacks originate are intimately tied to important systems in the host-state, and if turned off could have devastating effects and cause unnecessary suffering. This possibility must be factored into the state’s evaluation of military necessity versus probable collateral damage, especially if a state responds with active defenses without fully mapping an attacking system.
Fourth, states should carefully design their active defenses. Poorly coded active defense programs run the risk of self-propagating in cyberspace beyond their initial purpose, and can run the risk of evolving from a defensive program into a computer virus or worm whose damage goes far beyond its intended design. Since active defenses represent a new frontier in cyber warfare, their initial use will be controversial, no matter the situation. States should expect public scrutiny and diplomatic protests until such time as active defenses are recognized as a lawful method of self-defense under international law.
Conclusion
Cyber attacks are one of the greatest threats to international peace and security in the 21st century. Securing cyberspace is an absolute imperative. In an ideal world, states would work together to eliminate the cyber threat. Unfortunately, our world is no utopia, nor is it likely to become one. Global cooperation may be a reality one day, but unless something changes to pressure sanctuary states into changing their behavior, there is no impetus for them to do so.
The way to achieve this reality is to use active defenses against cyber attacks originating from sanctuary states. Not only will this allow victim-states to better protect themselves from cyber attacks, but it should also deter aggression and push sanctuary states into taking their international duty seriously. After all, no state wants another state using force within its borders, even electronically. Thus, the possibility that cyber attacks will be met with a forceful response is the hammer that can drive some sense into sanctuary states.
Since states do not currently use active defenses, any decision to use them will be a controversial change to state practice. Like any proposal that changes the way states do business, it is bound to be met with criticism on a number of fronts. However, there is sound legal authority to use active defenses against states that violate their duty to prevent cyber attacks. States that violate this duty and refuse to change their practices should be held responsible for all further attacks originating from within their borders in accordance with the law of war. At a time when cyber attacks threaten global security and states are scrambling to find ways to improve their cyber defenses, there is no reason to shield sanctuary states from the lawful use of active defenses by victim-states, and every reason to enhance state defenses to cyber attacks by using them.
[2] The views expressed in this chapter are those of the author and do not necessarily represent the views of the Department of Defense. The author would like to thank Major J. Jeremy Marsh, Judge Advocate General’s Corps, U.S. Air Force, for his invaluable assistance during his research into cyber warfare.
[3] Active defenses are electronic countermeasures designed to strike attacking computer systems and shut down cyber attacks midstream. Security professionals can set up active defenses to automatically respond to attacks against critical systems, or they can carry them out manually. For the most part, active defenses are classified, though programs that send destructive viruses back to the perpetrator’s machine or packet-flood the intruder’s machine have entered the public domain. Passive defenses are the traditional forms of computer security used to defend computer networks, such as system access controls, data access controls, security administration, and secure system design.
[4] Schmitt, M. 2003. “Preemptive Strategies in International Law.” Michigan Journal of International Law: 24, 513–34.
[5] Gabcikovo-Nagymaros Project (Hung. v. Slovk.), 1997 I.C.J. 7, 55–56 (Sept. 25) (Merits).
[6] Schmitt, supra note 2, at 540–41 (quoting John Basset Moore in S.S. Lotus [Fr. v. Turk.] 1927 P.C.I.J. [ser. A] No. 10, at 4, 88 [Moore, J., dissenting]).
[7] Corfu Channel case (Merits), 1949 I.C.J. Rep. 4, 22 (Apr. 9).
[8] Case Concerning United States Diplomatic and Consular Staff in Tehran, 1980 I.C.J. Rep. 3, 32–33, 44 (May 24).
[9] Prosecutor v. Tadic, Case No. IT-94-1-A, I.C.T.Y. App. Ch., at 49 (July 15, 1999).
[10] See 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts, UN Doc. A/CN.4/L.602/Rev. 1 (2001). The draft articles were later commended to state governments in 2001 and 2004. See G.A. Res. 56/83, UN Doc. A/RES/56/83 (Jan. 28, 2002); G.A. Res. 59/35, UN Doc. A/RES/59/35 (Dec. 16, 2004).
[11] Proulx, Vincent-Joel. 2005. “Babysitting Terrorists: Should States Be Strictly Liable for Failing to Prevent Transborder Attacks?” Berkeley Journal of International Law: 23, 615–24.
[12] Id. at 663–64.
[13] For instance, under an instrument-based approach, a cyber attack used to shut down a power grid is an armed attack. This is because shutting down a power grid typically required dropping a bomb on a power station or some other kinetic use of force to incapacitate the grid. Since conventional munitions were previously required to achieve the result, under the instrument-based approach the cyber attack is therefore treated the same way.
[14] For instance, under an effects-based approach, a cyber attack that manipulated information across a state’s banking and financial institutions to seriously disrupt commerce in the state is an armed attack. Although the manipulation of information does not resemble a kinetic attack, as required under an instrument-based approach, the disruptive effects that the attack had on the state’s economy is a severe enough overall consequence that it warrants treatment as an armed attack.
[15] It is important to note that this third analytical model for dealing with cyber attacks is intended to justify anticipatory self-defense before any harm actually results. Walter Gary Sharp Sr. proposed this model due to the speed with which a computer penetration can transition into a destructive attack against defense critical infrastructure. His reasoning is that once a penetration has occurred, an imminent threat exists with the ability to cause harm of extreme scope, duration, and intensity, thereby justifying anticipatory self-defense. See Walter Gary Sharp Sr. 1999. CyberSpace and the Use of Force. Ageis Research Corp. 129–31.
[16] For instance, a cyber attack might shut down a system, rendering it inoperable for some time, or a cyber attack might cause an explosion at a chemical plant by tampering with the computers that control the feed mixture rates. The results of those attacks mirror the results of conventional armed attacks, previously only achievable through kinetic force, thus satisfying the instrument-based approach.
Unfortunately, cyber attacks can also cause extreme harm that does not mirror the results of conventional armed attacks. For instance, coordinated cyber attacks could bring financial markets to their knees without ever employing anything that looked remotely like a kinetic attack, or altered data on a massive scale could disrupt banking, financial transactions, and the general underpinnings of the economy, sowing confusion throughout the victim-state for some time. Under an effects-based approach, the scope, duration, and intensity of this attack would equate to an armed attack, despite the fact that it was not previously achievable only through kinetic force.
[17] The proponents of a strict liability approach advocate automatically responding to cyber attacks on critical infrastructure with active defenses. However, automatically responding to cyber attacks in this manner can easily lead a victim-state to counter-attack a state with a long history of doing everything within its power to prevent cyber attacks and prosecute its attackers. Were a victim-state to respond with active defenses against a non-sanctuary state, it would violate jus ad bellum. This is because there is no way to impute state responsibility to such a state, directly or indirectly, even though the cyber attack may constitute an armed attack.
[18] Schmitt, M. 1999. “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework.” Columbia Journal of Transnational Law 37: 885, 913–15.
[19] But there is no doubt that some cyber attacks will qualify as armed attacks, and should be dealt with using self-defense and anticipatory self-defense legal principles as a justification for using active defenses.
Some will undoubtedly critique this conclusion. However, those who argue do miss the way that states have classified unconventional attacks in the past. New attack methods frequently fall outside the accepted definitions of armed attacks. This does not mean that the attacks are not armed attacks, merely that the attacks don’t fit traditional classifications. Furthermore, anyone who argues that cyber attacks cannot rise to the level of armed attacks misses an important facet of international law—reprisals, which can be used as an alternate basis to authorize active defenses against cyber attacks. This is because at a minimum, cyber attacks are an illegal use of force, and their use would then allow states to use another illegal use of force, short of armed force, to deter sanctuary states from allowing attackers to commit them.
[20] Council of Europe, Convention on Cybercrime, opened for signature Nov. 23, 2001, 41 I.L.M. 282 (hereinafter Convention on Cybercrime).
[21] Customary international law does not require state practice to be universal, and general practices can satisfy the requirements of customary international law. The test for when state practices become customary international law is when the practice is extensive and representative of rules that states feel bound to follow. Within this framework, there is a doctrine for states whose interests are especially affected by a rule, and their practices carry more weight in contributing to customary international law than other states. See North Sea Continental Shelf (F.R.G. v. Den.; F.R.G. v. Neth.), 1969 I.C.J 3, 43 (Feb. 20).
To date, 26 states have ratified the Convention on Cybercrime, the majority of which are major western powers, three of which hold permanent Security Council seats, and five of which place among the twenty states with the most Internet users in the world—France, Germany, Italy, the United Kingdom, and the United States. Together, these five states combine for 25 percent of the Internet users in the world. Furthermore, while not yet parties to the treaty, Canada, Japan, Spain, and Poland are all signatories to it, and are expected to ratify it soon. These four states are among the remaining twenty states with the most Internet users in the world, and their ratification would greatly move state practice to the standards set forth in the convention. See Council of Europe, Convention on Cybercrime, Chart of Signatures and Ratifications, http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=18/06/04&CL=ENG (listing the 46 signatories and 26 parties to the Convention on Cybercrime; last visited Sept. 2, 2009) and Top 20 Countries with the Highest Number of Internet Users, http://www.internetworldstats.com/top20.htm (last visited Sept. 2, 2009).
[22] The Convention on Cybercrime requires parties to it to establish criminal offenses for almost every conceivable type of cyber attack under their domestic laws. See Convention on Cybercrime, supra note 19, arts. 2–11, at 284–87. It also recognizes the importance of prosecuting attackers, and requires states to extend their jurisdiction to cover all cyber attacks conducted from within their territory or conducted by their citizens, regardless of their location at the time of attack. See id. art. 22, at 291–92. Finally, the convention recognizes the importance of state cooperation, and requires states to provide “mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences.” See id. arts. 23–25, at 292–93.
[23] These treaties include the 1963 Tokyo Convention on Offences and Certain Other Acts Committed on Board Aircraft, the 1970 Hague Convention for the Suppression of Unlawful Seizure of Aircraft, the 1971 Montreal Convention for the Suppression of Unlawful Acts Against the Safety of Civil Aviation, the 1979 International Convention Against the Taking of Hostages, the 1988 Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation, the 1988 Montreal Protocol on the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation, the 1997 International Convention for the Suppression of Terrorist Bombings, the 1999 International Convention for the Suppression of the Financing of Terrorism, and the 2005 International Convention for the Suppression of Acts of Nuclear Terrorism.
[24] 1970 Declaration on Friendly Relations, G.A. Res. 2625, ¶ 1, UN GAOR, 25th Sess., Annex, Agenda Item 85, UN Doc. A/Res/2625 (Oct. 24, 1970); 2000 Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-First Century, G.A. Res. 55/59, Annex, ¶ 18, UN Doc. A/RES/55/59/Annex (Jan.17, 2001); 2001 Articles on the Responsibility of States for Internationally Wrongful Acts, UN Doc. A/CN.4/L.602/Rev. 1 (2001).
[25] G.A. Res. 2625, supra note 23, ¶ 1; Secretary-General, Report of the High-Panel on Threats, Challenges and Change, ¶ 17, 24, delivered to the General Assembly, UN Doc A/59/565 (Dec. 2, 2004).
[26] G.A. Res. 45/121, ¶ 3, UN Doc. A/RES/45/121 (Dec. 14, 1990); G.A. Res. 55/63, ¶ 1, UN Doc. A/RES/55/63 (Jan. 22, 2001); see also Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27–Sept. 7, 1990, report prepared by the Secretariat, at 140–43, UN Doc. A/CONF.144/28/Rev.1 (1991).
[27] G.A. Res. 55/63, supra note 25, ¶ 1.
[28] G.A. Res. 45/121, supra note 25, ¶ 3 (embracing the principles adopted by the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, and inviting states to follow them); G.A. Res. 55/63, supra note 25, ¶ 1; see also Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27–Sept. 7, 1990, report prepared by the Secretariat, at 140–43, UNUN Doc. A/CONF.144/28/Rev.1 (1991).
[29] The White House, The National Strategy to Secure Cyberspace (2003); Convention on Cybercrime, supra note 19; Huw Jones, Estonia Calls for EU Law to Combat cyber attacks, Reuters, Mar. 12, 2008, http://www.reuters.com/article/reutersEdge/idUSL1164404620080312 (reporting Estonia’s call to fight cyber attacks as a threat to international peace and security); G.A. Res. 53/70, UNUN Doc. A/RES/53/70 (Jan. 4, 1999); G.A. Res. 54/49, ¶ 2, UN Doc. A/RES/54/49 (Dec. 23, 1999); G.A. Res. 55/28, UN Doc. A/RES/55/28 (Dec. 20, 2000); G.A. Res. 56/19, UN Doc. A/RES/56/19 (Jan. 7, 2002); G.A. Res. 56/121, UN Doc. A/RES/56/121 (Jan. 23, 2002); G.A. Res. 57/53, UN Doc. A/RES/57/53 (Dec. 30, 2002); G.A. Res. 57/239, ¶ 1–5, UN Doc. A/RES/57/239 (Jan. 31, 2003); G.A. Res. 58/32, UN Doc. A/RES/58/32 (Dec. 18, 2003); G.A. Res. 58/199, ¶ 1–6, UN Doc. A/RES/58/199 (Jan. 30, 2004); G.A. Res. 59/61, UN Doc. A/RES/59/61 (Dec. 16, 2004); G.A. Res. 59/220, ¶ 4, UN Doc. A/RES/59/220 (Feb. 11, 2005); G.A. Res. 60/45, UN Doc. A/RES/60/45 (Jan. 6, 2006); G.A. Res. 60/252, ¶ 8, UN Doc. A/RES/60/252 (Apr. 27, 2006); G.A. Res. 61/54, UN Doc. A/RES/61/54 (Dec. 19, 2006).
[30] Tellini case, 4 League of Nations O.J. 524 (1924).
[31] S.S. Lotus (Fr. v. Turk.) 1927 P.C.I.J. (ser. A) No. 10, at 4, 88 (Moore, J., dissenting).
[32] Corfu Channel Case (Merits), 1949 I.C.J. 4, 22 (Apr. 9).
[33] This position is supported by numerous UN General Assembly Resolutions, the European Convention on Cybercrime, and other UN documents, which all urge states to cooperate in investigating and prosecuting the criminal misuse of information technologies. See supra notes 24, 27 and accompanying text; United Nations Manual on the Prevention and Control of Computer Related Crime, 268–73 (1995).
[34] These decisions will, no doubt, be based on guidelines promulgated by the victim-state before the attack ever occurs. These rules would simplify the legal framework into a set of rules more easily understood by the layperson, similar to the rules of engagement that military personnel follow.
[35] This proposition is derived from Hague Convention IV, Annex, Article 22, which states “[t]he right of belligerents to adopt means of injuring the enemy is not unlimited.” Hague Convention IV Respecting the Laws and Customs of War on Land and its Annex (Regulations), Oct. 18, 1907, 36 Stat. 2277, 1 Bevans 631 [hereinafter Hague IV].
Get Inside Cyber Warfare now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.