“Criminals and states that want to attack organisations can now choose from vast catalogues of pre-made malware, . . . meaning that although the number of attacks is not increasing, they are becoming increasingly sophisticated.”[i]
The New (Inter)Face of War
Developed nations are increasingly growing more reliant on computer systems, which increase opportunities for adversaries to turn to cyberspace to strike inexpensively, remotely, and effectively with little risk.[ii] Laws of armed conflict (LOAC) have historically interpreted “armed conflict” in the context of conventional military weapons in order to respond proportionally and as necessary to stop the threat,[iii] but the advancement of technology has brought warfare into cyberspace. Can a cyber strike amount to an “armed” attack triggering a state’s right to self-defense? Would responding with a ballistic missile be proportional and necessary? Because LOAC does not specifically address cyber attacks, it is not always clear how a state should respond and as such, many people believe cyber warfare falls into a legal void.[iv]
What is Cyber Warfare?
Currently, there is no universal definition of what constitutes cyber warfare. In the US, the Department of Defense defines cyber warfare as “[t]he premeditated use of disruptive activities, or the threat thereof, against computers and/or networks to cause harm.”[v] This is in contrast to cyber exploitation, which is the “use of deliberate cyber action that seeks to extract confidential information from an adversary’s computer system of network.”[vi] Thus, cyber exploitation is the gathering of information, a form of espionage not illegal under international law.[vii]
Current Legal Framework
The current laws are insufficient to provide clear guidance on cyber attacks, however they are still useful for determining how to respond to cyber warfare until the world reaches a better form of uniformity. For example, international law does not differentiate between hand-to-hand combat and intercontinental ballistic missiles, so cyberspace should similarly not be treated any differently.[viii]
Because the purpose of regulating armed conflict is not to eliminate it but to enable effective military operations that minimize unnecessary suffering and protect civilians,[ix] the type of weapon is immaterial. Whether it is a small-scale bombing or technological disruption, LOAC primarily looks to the scale of the attack and the harm it could present to its citizens. The challenge therefore, is not whether cyber attacks are covered by LOAC, it is how to estimate the damage a cyber attack can cause to necessitate a defensive response: did it cause a mere inconvenience or is it capable of destroying substantial property or causing the loss of lives?
In 2007, Republic of Estonia suffered a cyber attack that shut down emergency lines for ambulances and fire trucks for an hour.[x] NATO did little in response, claiming it lacked a comprehensive response strategy at the time, but the event did trigger the 2008 Bucharest Summit to formally address cyber attacks and aimed to centralize cyber capabilities.[xi]
Another challenge is when non-state actors commit cyber attacks, private citizens motivated by their nationalistic or personal ideals. After the 9/11 attacks, customary international law validated states responding with force to non-state actors. [xii] Civilians are not granted absolute immunity and can lose their protected status if they participate in direct hostilities.[xiii]
While cyber warfare may initially look like it falls into a legal void, it does not. Rather, it is just a new concept, but a concept that fits within the breadth of LOAC, even if its direct application lacks some clarity. Many nations have even established military cyber units to create a centralized defense.[xiv] Each shift in time brings new ways to engage in war, and the laws have continuously evolved to encompass new tactics, extend geographical boundaries, and apply to new types of “soldiers.” For example, during the Middle Ages, the Code of Chivalry was a code of conduct that applied exclusively for knights because they were the traditional combatants. The code declined when hired mercenaries entered the scene and viewed war as a means for private gain and did not distinguish themselves between combatant and civilian. Soldiers were no longer those knighted by the crown but a profession a countryside civilian could pursue.[xv] The definition of combatants shifted from knights to civilian mercenaries and now it needs to shift to encompass hackers, whether civilian or military soldier, on a new cyber battlefield. And with this shift, comes a need to provide a new framework of measuring the scale of cyber attacks and for nations to achieve a new form of uniformity in LOAC.
[i] 5 Quotes that Sum up Cyber Security in 2015, Business Reporter (Apr. 20, 2015), http://business-reporter.co.uk/2015/04/20/5-quotes-that-sum-up-cyber-security-in-2015/.
[ii] Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int’l L. 525, 531 (2012).
[iii] Oona A. Hathaway & Rebecca Crootof, Faculty Scholarship Series: The Law of Cyber-Attack 849-50 (2012). In addition to conforming to the U.N. Charter and customary international law, a state acts within the principles of Jus Ad Bellum and Jus Ad Bello. Jus Ad Bellum governs when a state can resort to force, mainly as a last resort. Once force has been implemented, regardless of it being justified under Jus Ad Bellum, a state’s action is guided under Jus Ad Bello, where states attack with necessity, proportionality, distinction, and neutrality. Id.
[iv] Aram Roston, U.S. Laws of War Apply to Cyber Attacks, Army Times (Sep. 18, 2012), http://archive.armytimes.com/article/20120918/NEWS/209180311/U-S-Laws-war-apply-cyber-attacks.
[v] Gervais, supra note 2, at 533 (emphasis added).
[vi] Communication on Offensive Information, Warfare, National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 81 (William A. Owens et al. eds., 2009).
[vii] Id. at 533.
[viii] Id. at 532.
[ix] Laurie R. Blank & Gregory P. Noone, International Law and Armed Conflict 3 (2013).
[x] Hathaway, supra note 3, at 837.
[xi] Id. at 861-62.
[xii] Gervais, supra note 2, at 542.
[xv] Blank, supra note 9, at 61-62.