Armed Attack in Cyberspace
Full Title of Reference
Armed Attack In Cyberspace. Deterring Asymmetric Warfare With An Asymmetric Definition
Graham H. Todd, Armed Attack In Cyberspace. Deterring Asymmetric Warfare With An Asymmetric Definition 64 A.F. L. Rev. 65 (2009). Web
- Threats and Actors: Financial Institutions and Networks; Military Networks (.mil); Public Data Networks; Telephone; Terrorists
- Issues: Economics of Cybersecurity; Espionage; Incentives; Government to Government; Cybercrime; Cyberwar
- Approaches: Regulation/Liability
The article will first examine cyberspace and how current approaches have attempted to apply international law to armed attacks in cyberspace. Looking through the lens of current international laws will highlight how the unique attributes of cyberspace could increase the likelihood of international conflict.
The article will then transition from current international laws to examine whether current criminal law definitions and methodologies can fill the gap and provide realistic definitions of weapons and armed attacks in cyberspace. Lastly, the article will put these proposed definitions to the test against the most challenging aspects of cyberspace: attribution and espionage.
On the criminal front, law enforcement agencies are swamped with allegations ranging from identity theft to theft of corporate data, while armed with only a marginally effective process to investigate, extradite, and prosecute international cyberspace criminals. However, the conduct of military operations in and through cyberspace, with potentially greater global implications, is bypassing the currently inadequate mire of international law. What if international law could provide a framework capable of enabling deterrence in cyberspace?
Introduction: Cyberwarfare is not traditional warfare
Simply put, information is fundamentally different than the traditional tools of war; bits and bytes bear no physical resemblance to bullets and bombs.
Michael Schmitt noted that cyberspace threats differ in four ways from traditional threats: (1) computer networks are a new target category, with computer network attacks capable of providing the same results as striking the traditional target with a kinetic weapon; (2) an attack does not have to use kinetic force and can solely involve a command from one computer to the target system; (3) the intended results are often not kinetic and could simply involve the manipulation of data or disruption of a service; and (4) cybersconstrained by political boundaries or geography.
The ineptitude of jus ad bellum
There is currently no international, legally binding instrument that would address cyberspace attacks as threats to national security.
There is no consensus regarding how to define attacks in cyberspace under international law. Law, especially international law, failed to keep pace with the new applications of existing technologies. The unique qualities of operations in cyberspace will make this the most difficult domain in which to resolve international disputes and conflict.
New legal approaches to cyberthreats are needed
Before discussing the benefits of the criminal law approach, however, one must first understand how most commentators are currently applying international law to actions in cyberspace. A review of current scholarship on this issue will show the difficulty in applying decades old terms and norms to actions in cyberspace. As a starting point, Article 2(4) of the U.N. Charter provides that “[a]ll Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations.”
The asymmetric nature of operations in cyberspace now allows any party to possess the capability to swiftly act in self-defense with incredible lethality. The “bully” could soon be extinct and a new era of conflict could unfold, where the appearance of parity could inspire more breaches of the peace. Law in this area must move forward.
The inadequacies of international law and of the Geneva Conventions as means of deterring or prosecuting cyberattacks
The official commentary for Protocol I (Geneva Conventions) states that "attack" “refers simply to the use of armed force to carry out a military operation.” Note that because this definition requires the use of armed force, non-military personnel hacking into the New York Stock Exchange and causing substantial economic harm would not be an attack.
What exactly constitutes war ?
In cyberspace, what may appear as a “minor attack” could evolve into something much more destructive to a nation state, taking days or months to cause observable, significant harm. Weapons of mass destruction, terrorist attacks, and cyberspace attacks are quite different from the traditional methods of massing forces and building up logistics trains and lines of communication. States can much more easily identify preparation for a kinetic invasion versus a cyberspace onslaught.
Asymmetric warfare may require asymmetric application of the law to provide the clarity and enforceability capable of promoting peace. The development of international law related to activities in cyberspace should not be delayed any longer.
Weapons and war - what exactly constitutes a cyberweapon ?
The use of a weapon of some kind is the true genesis of an attack. In fact, the types of weapons available to a state determine the possible attack methodologies
From the above, we see that in its most simple terms, the definition of a weapon is “something that causes damage.” Applying the definition of damage from Section 1030, I propose the following definition of a cyberspace weapon: Any capability, device, or combination of capabilities and techniques, which if used for its intended purpose, is likely to impair the integrity or availability of data, a program, or information located on a computer or information processing system.