Cyber Threats and the Law of War
Full Title of Reference
Cyber Threats and the Law of War
Graham, David E., Cyber Threats and the Law of War. Journal of National Security Law & Policy, August 13, 2010, Vol.4(1), p.87-102. Web
- Resource by Type: Journal Article
- Threats and Actors: States
- Issues: Cyberwar
- Approaches: International Law (including Laws of War)
Computer Crimes -- Military Aspects, Regulations And Rules, War (International law) -- Laws
This article examines how the existing Law of War (LOW) and conflict management principles might be applied to cyber threats. Broadly, Graham analyzes the categories of Jus ad Bellum (i.e. circumstances in which a state might legally use “force” in responding to what it perceives to be “cyber attacks”) and Jus in Bello (i.e. the appropriate use of active defense measures in response to a cyber attack). He concludes this discussion stating that active defenses, rather than kinetic weaponry, are more likely to comply with the basic principles of LOW.
In his analysis of Jus ad Bellum, Graham begins by considering, and then dismissing, the possibility of a state pursuing a Security Council authorization for the use of force in response to a cyber attack. Noting the “nuanced and nebulous nature of cyber attacks” he asserts that states will choose to deal with attacks under the rubric of self-defense (formalized in Article 51 of the U.N Charter). Graham focuses on two principles of customary international law (CIL)—“necessity” and “proportionality.” “Necessity” is established if a state cannot achieve a reasonable settlement of a dispute through peaceful means. “Proportionality” requires limiting self-defense actions to defeat an ongoing attack or to deter a future attack. Anticipatory self-defense requires a sufficient demonstration of imminent attack. Graham asserts that it would be difficult, if not impossible, to sufficiently establish imminence within the cyber context.
Graham then considers the question of whether a cyber attack (or a continuous series of attacks) constitutes an armed attack. He offers three analytical models to make this determination
- “Instrument-based approach”—an assessment would be made as to whether the damage caused by a cyber attack could previously have been achieved only by a kinetic attack (e.g. shutting down a power grid);
- “Effects-based approach”—would assess the overall effect of the cyber attack on the victim state;
- “Strict liability” model—any cyber attack against critical national infrastructure would automatically be considered an armed attack.
Whichever model a state chooses to use for evaluating cyber attacks, the conclusion is that under all three, certain cyber attacks can constitute armed attacks.
Graham then turns to the significant issue of attribution, and the need to establish another state’s responsibility for the cyber attack. Traditional international law dictates that a state attributes an attack directly and conclusively to another state or agents under that state’s direct control before it employs self-defense measures. However, Graham points out that the cyber context requires a transition into “imputed attribution” rather than “conclusive attribution.” Imputed attribution would apply to all non-state actors who launch a cyber attack from within a state’s territory.
Imputed responsibility also implies an affirmative duty of states to prevent their territories from being used as launching pads for such attacks. These include obligations to:
- Enact stringent criminal laws against the commission of international cyber attacks from within national boundaries.
- Conduct meaningful, detailed investigations into cyber attacks.
- Prosecute those who have engaged in these attacks.
- Cooperate with the victim state’s own investigations and prosecutions of those responsible for the attacks.
Graham concludes his discussion of imputed responsibility by highlighting the fact that the responsibility to make key determinations associated with the deployment of active defenses is as yet unassigned.
Graham’s main argument regarding cyber attacks and the Law of War is that active defenses (electronic countermeasures designed to strike an attacking computer system, shut it down, and halt an attack) are a better choice then kinetic force from the standpoint of Law of War compliance. However, due to the anonymous nature of attacks in the cyber domain, identifying the source of an attack is often time consuming and misidentification can occur. Thus, the decision to employ active defenses poses legal risks.
Additional Notes and Highlights
- Outline of Article:
- I. It’s Not Just the Law of War: Enter Jus ad Bellum
- A. Security Council Authorizations of the Use of Force
- B. Self-Defense Measures
- C. Can a Cyber Attack Constitute an Armed Attack?
- D. State Responsibility for Cyber Attacks
- E. The Duty To Prevent Cyber Attacks
- F. Violation of the Duty To Prevent Cyber Attacks: Becoming a Sanctuary State
- G. Imputing Responsibility for Cyber Attacks by Non-State Actors
- H. Who Makes the Critical Decisions?
- II. Jus in Bello and Cyber Attacks
- In FTNT 1, Graham recommends the following works which explore the application of existing LOW to cyber threats in greater detail, including:
- Sklerov, Matthew J., Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Which Neglect Their Duty to Prevent. 201 Mil. L. Rev. 1 (2009).
- Sharp, Walter Gary, Sr., Cyberspace and the Use of Force. 1999.
- Condron, Sean. Getting it Right: Protecting American Critical Infrastructure in Cyberspace. 20 Harv. J. L. & Tech. 404 (2007).
- Dinstein, Yoram, Computer Network Attacks and Self-Defense, in Computer Network Attack and International Law 99 (Michael N. Schmitt & Brian T. O’Donnell eds., 2002).
- Jensen, Eric, Computer Attacks on Critical National Infrastructure: A Use of Force Invoking the Right of Self-Defense, 38 Stan. J. Int’l L. 207 (2002).
- This article is based on notes Graham originally made at a workshop sponsored by the American Bar Association Standing Committee on Law and National Security, the McCormick Foundation, and the National Strategy Forum in June 2009, titled “National Security Threats in Cyberspace.” The workshop’s purpose was to examine first principles in the development of American cybersecurity policy. The Workshop Report, written by Paul Rosenzweig, can be found |here (PDF).