Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 356
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Appendix D Views on the Use of Force in Cyberspace COMPUTER NETWORK ATTACK AND THE USE OF FORCE IN INTERNATIONAL LAW In 1999, Michael Schmitt addressed the issue of cyberattack as a use of force.1 Focusing on computer network attack (CNA) (remote-access attack, as described in Chapter 2), Schmitt argued that CNA should be understood in terms of its effects and said that the consequences of a CNA rather than its specific modality were the most important factor in its categorization. He focused on the consequences of a CNA because of their potentially broad range: “CNA spans the spectrum of consequentiality. Its effects freely range from mere inconvenience (e.g., shutting down an academic network temporarily) to physical destruction (e.g., as in creating a hammering phenomenon in oil pipelines so as to cause them to burst) to death (e.g., shutting down power to a hospital with no backup generators).” Thus, for example, Schmitt argued that “CNA specifically intended to directly cause physical damage to tangible property or injury or death to human beings is reasonably characterized as a use of armed force,” and so “pipeline destruction and the shutting of power to the hospital are examples of CNA which the actor knows can, and intends to, directly cause destruction and serious injury.” He further noted that “armed coercion 1 Michael Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” Columbia Journal of Transnational Law 37:885-937, 1999.
OCR for page 357
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities is not defined by whether or not kinetic energy is employed or released, but rather by the nature of the direct results caused, specifically physical damage and human injury.” On the other hand, Schmitt noted that economic coercion is not generally regarded as rising to the level of a “use of force,” so that a CNA that seeks economic coercion cannot be considered a use of force. For a CNA to be considered a use of force, he argued that it must be more consequential than simple economic coercion but does not necessarily have to meet the threshold of being considered a use of “armed force” as described in the previous paragraph. He thus argues that “the use of force line must lie somewhere between economic coercion and the use of armed force.” Schmitt then offered a seven-element framework for categorizing computer network attack as a use of force: Severity. If people are killed or there is extensive property damage, the action is probably military; the less damage, the less likely the action is a use of force. Immediacy. When the effects are seen within seconds to minutes—such as when a bomb explodes—the operation is probably military; if the effects take weeks or months to appear, it is more likely diplomatic or economic. Directness. If the action taken is the sole cause of the result, it is more likely to be viewed as a use of force; as the link between cause and effect attenuates, so does the military nature of the act. Invasiveness. A violated border is still an indicator of military operations; actions that are mounted from outside a target nation’s borders are probably more diplomatic or economic. Measurability. If the effect can be quantified immediately—such as photographing a “smoking hole” where the target used to be—the operation has a strong military character; the more subjective the process for evaluating the damage, the more diplomatic or economic. Presumptive legitimacy. State actors have a monopoly on the legitimate use of kinetic force, while other non-kinetic actions—attacks through or in cyberspace—are often permissible in a wider set of circumstances; actions that have not been the sole province of nation-states are less likely to be viewed as military. Responsibility. If a state takes visible responsibility for any destructive act, it is more likely to be characterized as a traditional military operation; ambiguous responsibility militates for a non-military label. Schmitt provided two examples, each presumably premised on a state of non-hostilities existing prior to a computer network attack. In the first example, he posited computer network attacks that disable an air traffic
OCR for page 358
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities control (ATC) system during bad weather, resulting in the crash of an airliner and many civilian deaths. Although no kinetic force was used to destroy the airliner, CNA was the cause of the tragedy, as the airliner would have been likely to survive bad weather with a functional ATC system. The consequences are both severe and manifestly obvious, and the action (the CNA) and desired result (the airliner crash) were temporally proximate. For these reasons, this CNA can be regarded as the use of force. In the second example, he posited a CNA on a university computer network designed to disrupt military-related research in campus laboratories. In this attack, no physical damage or suffering occurs, and the desired outcome—diminished capability on the battlefield—is both remote from the act and also depends on many other factors (e.g., the ability of researchers to regenerate data, the possible existence of other similar research efforts, and so on). In this instance, the CNA should not be regarded as the use of force. NEW TOOLS, NEW RULES: INTERNATIONAL LAW AND INFORMATION OPERATIONS Another more recent analysis by Duncan Hollis argued against extending traditional laws of armed conflict (LOAC) to apply to cyberattack and other information operations.2 Though Hollis accepts the fundamental underlying rationale and intent of traditional LOAC (e.g., to minimize human suffering, to support reciprocity between states, to prevent morally reprehensible behavior), he argued that the interpretation of traditional LOAC vis-à-vis cyberattack suffers from two major problems. First, Hollis argued that even in the context of state-on-state warfare, extension of the traditional LOAC suffers from serious “translation” problems about how these laws apply to cyberattack. For example, a cyberattack on a stock exchange might cause considerable economic damage but may not cause immediate death or destruction—should such an attack count as a use of force? In addition, preserving the distinction between civilian entities and valid military targets is extraordinarily difficult when cyberattack is concerned. He made the further point that Article 41 of the UN Charter defines “measures not involving the use of armed force” to include “complete or partial interruption of … telegraphic, radio, and other means of communication.” (Note, of course, that the UN Charter was ratified in 1945, long before the Internet and modern information 2 Duncan B. Hollis, “New Tools, New Rules: International Law and Information Operations,” pp. 59-72 in Ideas As Weapons: Influence and Perception in Modern Warfare, G. David and T. McKeldin, eds., Potomac Books, Inc., 2009.
OCR for page 359
Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities technologies were contemplated and before it could be imagined that the medium of an attack on a nation might well be an altogether new and different medium.) Second, he argued that in focusing primarily on state-on-state conflict, traditional LOAC ignores many of the most important issues that arise in today’s security environment—the issue of states acting against non-state actors and subnational entities. Hollis points out that the legal regimes governing such conflict are already in a state of flux (e.g., there is no doctrine comparable to the “use of force” or the self-defense provisions of the UN Charter). And when cyberattacks may be launched by non-state actors from the territories of nation-states, the relevant legal regime is even murkier. For example, in the absence of state sponsorship, a cyberattack—even a very destructive one, conducted by a terrorist or criminal organization—does not qualify as an armed attack. A self-defense response is thus not sanctioned under the UN Charter. Even if the origin of the cyberattack can be traced to a specific state, a military or law enforcement response against an entity within that state cannot be undertaken unilaterally without violating that state’s sovereignty. Only if the state in question is unable or unwilling to stop the cyberattack may the attacked state take countermeasures on its own. Hollis concluded from his analysis that the translation difficulties and the insufficiency of traditional LOAC with respect to subnational actors call for a new legal framework for governing cyberattack and other information operations.