Computer Network Attack and the Use of Force in International Law

From Cybersecurity Wiki

Full Title of Reference

Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework

Full Citation

Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat'l L. 885 (1999).

Categorization

Key Words

Computer Network Attack, Cyber Warfare, Information Operations, Interdependencies, National Security, Lawfare, Laws of War

Synopsis

This Article explores the acceptability under the jus ad bellum, that body of international law governing the resort to force as an instrument of national policy, of computer network attack. Analysis centers on the United Nations Charter’s prohibition of the use of force in Article 2(4), its Chapter VII security scheme, and the inherent right to self-defense codified in Article 51. Concluding that traditional applications of the use of force prohibition fail to adequately safeguard shared community values threatened by CNA, the Article proposes an alternative normative framework based on scrutiny of the consequences caused by such operations. By contrast, the Chapter VII security regime is assessed as sufficiently flexible to adapt to the new threats represented by CNA. Finally, the Article argues for a rather restricted understanding of the right to self-defense, suggesting that it be limited to operations which are de facto armed attacks, or imminently preparatory thereto. The net result is a limitation on both state resort to CNA techniques which might threaten global stability and on individual responses which might themselves prove destabilizing.

Understanding Computer Network Attack

Computer network attack is but one form of a relatively new category of warfare, information operations (“IO”). Information operations comprise “[a]ctions taken to affect adversary information and information systems while defending one’s own information and information systems.” The term must be understood very expansively: information operations would encompass, among an array of other activities, virtually any nonconsensual actions intended to discover, alter, destroy, disrupt, or transfer data stored in a computer, manipulated by a computer, or transmitted through a computer network.

IO is subdivided into defensive and offensive information operations. CNA lies within the latter grouping, together with such varied activities as military deception, psychological operations, electronic warfare, physical attack, and special information operations:

  • The defining aspect of CNA is that it operates on data existing in computers or computer networks.
  • CNA is a technique, rather than a particular genre of objective.
  • CNA operations can be used to facilitate strategic, operational, and tactical ends. CNA techniques vary widely.
  • Because physical destruction seldom results from CNA, decision-makers find it a particularly attractive option in situations short of armed conflict.

Computer Network Attack as a Use of Force

Any number of purposes might motivate a state to conduct computer network attacks. CNA can be used:

  • to lay the groundwork for a subsequent conventional attack, or
  • as a stand-alone operation, to cause damage and disruption without any desire to facilitate later traditional military operations.

Regardless of its aim, normative evaluation of the actions that occur will center on whether or not the actions constituted a wrongful use of force, or threat thereof, in violation of international law. Different situations are discussed in the article.

Responding to Computer Network Attacks with Force

The author notes that the framework for appropriate uses of force generally resides within the UN Charter. The Charter admits of only two situations allowing the use of force: Security Council authorized operations pursuant to Chapter VII and self-defense in accordance with Article 51.

The article outlines that the right to respond forcefully in self-defense to a computer network attack that does not in and of itself constitute an armed attack arises upon the confluence of three factors:

  • The CNA is part of an overall operation culminating in armed attack;
  • The CNA is an irrevocable step in an imminent (near-term) and probably unavoidable attack; and
  • The defender is reacting in advance of the attack itself during the last possible window of opportunity available to effectively counter the attack.

Concluding Thoughts on the Appropriate Normative Framework

Computer network attack represents a new tool of coercion in the international arena, one that is fundamentally different from those previously available. Arguably, its distinctiveness merits consideration of a new and unique normative framework to specifically address computer network attack or, more broadly, information operations. However, consensus on the need for such an effort, let alone its substantive content, is unlikely to be achieved at any time in the near future.

Additional Notes and Highlights

Expertise Required: Law - High

 Introduction
 I. Understanding Computer Network Attack
 II. Computer Network Attack as a Use of Force
 III. Responding to Computer Network Attacks with Force
 IV. Concluding Thoughts on the Appropriate Normative Framework
 Endnotes