Perspectives for Cyber Strategists on Law for Cyberwar


Full Title of Reference

Perspectives for Cyber Strategists on Law for Cyberwar

Full Citation

Maj. Gen. Charles J. Dunlap, Jr., Perspectives for Cyber Strategists on Law for Cyberwar, Strategic Studies Quarterly (Spring 2011). Web


Key Words


Cybersizing LoAC

Against the backdrop of growing rhetoric suggesting that law is inadequate or lacking entirely in the cybersecurity context, Charles Dunlap argues that applying the basic tenets of the existing Law of Armed Conflict (LoAC) to cyber issues is currently sufficient to address important issues of cyberwar. Despite the recommendations of cyberstrategists who argue that the creation of a new legal regime designed for cyberwar is urgent, Dunlap contends that any new agreement or international norm is unlikely in the foreseeable future. Therefore, cyberstrategists must turn to existing legal standards.

The “Act of War” Conundrum

A fundamental concern of policymakers centers on whether or not a cyber event constitutes an act of war; the answer to this question determines the options available to national decision makers. If it is truly “war,” then a response under a national-security legal regime is possible; if not, then treating the matter as a law enforcement issue is appropriate.

The United Nations Charter provides for two cases in which the use of force is authorized by nation-states: (1) when the Security Council authorizes force, and (2) when a nation acts in self-defense. Regarding self-defense, Article 51 states that nothing in the Charter shall “impair the inherent right of individual or collective self-defense if an armed attack occurs.” For classifying an armed attack in the cyber realm, the leading view focuses on an effects-based analysis of a particular cyber incident, with an incident being classified as an “armed attack” if its consequences extend to at least temporary damage of some kind.

However, in interpreting Article 51, it is important to recognize that the UN Charter governs relations between nation-states, not individuals. For actions against individual actors, states typically request action from the state from whose territory the cyber attack was carried out. If it becomes evident that the state is “unwilling or unable to prevent a recurrence,” the aggrieved state’s actions in self-defense are typically justified.

A State of War

The presence—or absence—of a state of armed conflict carries significance, because during armed conflict the actions of belligerents are usually governed by the LoAC, not the more-restrictive rules applicable to law enforcement situations.

When a state of armed conflict exists, the rules applied to kinetic targeting (distinction and proportionality) should be applied in the cyber domain. With regard to targeting personnel, international law permits the targeting of civilians as long as they are directly participating in hostilities. It may help for cyber strategists to consider what activities of the enemy they would consider so intrinsic to a particular cyber process that they would warrant targeting as a matter of military necessity.

Generally, only members of the armed forces can wage war with the protection of the “combatant privilege.” Therefore, as Richard Clarke states in Cyber War, “It will have to be . . . military personnel [who] enter the keystrokes to take down enemy systems.” If cyber operations are conducted by unauthorized persons, their government may be in violation of the law of war.

Cybering and the Citizenry

Because the NSA possesses unique technical expertise in the U.S. government, it (and thus the DoD) continues to be pushed into domestic cyber activities, despite the military intelligence apparatus being designed to focus on external threats. In October 2010, a section of the NSA was placed under the DHS for domestic cybersecurity, but it seems unlikely that the DHS will be able to effectively oversee the Defense Department.

With the continued role of the NSA in domestic cyber defense, experts recommend requiring the NSA to obtain “independent approval . . . from the FISA court or a FISA-type court” prior to employing advanced cyber security measures domestically. Additionally, given the authoritarian nature of the armed forces, their involvement in the domestic civilian cyber sector should be limited, as it is a space where the public rightly expects freedom and rights to flourish.

Additional Notes and Highlights

  • An exchange between Charles Dunlap and Stewart Baker regarding the role of lawyers in a cyberwar can be found here (web).
  • A video of Major General Charles Dunlap speaking to many points found in this paper at the 2010 McCain Conference can be found here (web).