Questions? Call 800-624-6242
|
|
|
|
Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 151
Cyber Operations in International Law:
The Use of Force, Collective Security,
Self-Defense, and Armed Conflicts
Michael N. Schmitt
durham Uni�ersity law School, United kingdom
INTRODuCTION
In April and May 2007, Estonia was victimized by massive computer network attacks. 1 The incident
began with rioting incited by ethnic Russian cyber agitators in response to the government’s decision
to move a Soviet war memorial from the center of Tallinn to a military cemetery on the outskirts of the
capital. Subsequent actions included direct cyber attacks against Estonian targets, including government
and commercial Internet infrastructure and information systems such as the those of the President,
Prime Minister, Parliament, State Audit Office, ministries, political parties, banks, news agencies, and
Internet service providers. They involved denial of service (DoS), distributed denial of service (DDoS),
defacement and destruction.
Because Estonia had invested heavily in networking following independence, the attacks proved
devastating. By 2007, the country relied on information services for everything from banking and filing
tax returns to paying for parking and public transportation. Internet services covered all of Estonia, with
half the population enjoying access from their homes.
Most of the attacks emanated from outside the country, principally Russia. Their origin was also
traced to at least 177 other countries.2 Initially, they came from private IP addresses, although experts
tracked a number to Russian government institutions. It remains uncertain whether the latter were
launched with the government’s knowledge. As the cyber attacks unfolded, they became increasingly
sophisticated, evidencing considerable organization and command and control. While various pro-Rus -
sian activist groups apparently executed some of the second wave operations, there is no firm evidence
that the Russian government either conducted or orchestrated them.
The impact of the cyber assault proved dramatic; government activities such as the provision of
State benefits and the collection of taxes ground to a halt, private and public communications were
disrupted and confidence in the economy plummeted. Was this “war”? After all, the scope and scale
of the consequences far exceeded those that might have been caused by, for instance, a small-scale air
1 For an excellent discussion of the attacks, see Eneken Tikk, Kadri Kaska, and Liis Vihul, international Cyber incidents: legal
Considerations 14-33 (Tallinn: Cooperative Cyber Defence Centre of Excellence 2010).
2 Charles Clover, “Kremlin-backed Group behind Estonia Cyber Blitz,” Financial times, March 11, 2009.
1�1
OCR for page 152
1�2 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
attack or a commando raid, both of which would signal the initiation of a “war” between Estonia and
the State responsible for their execution.
Historically, the initiation of a war depended upon a formal act of State, generally a “declaration
of war.” It neither required hostilities, nor did hostilities alone amount to war. This traditional under -
standing of war has fallen into desuetude, replaced by a complex admixture of legal concepts. In the
aftermath of the Second World War, the international community crafted a new normative scheme in
the form of the United Nations Charter, which includes both a prohibition on the use of force in inter-
national relations and a system for enforcing the prescription. Today, the Charter, together with related
customary international law norms,3 governs how and when force may be employed by States. The
carnage of the Second World War also prompted a reexamination of the rules applicable during war-
fare. During that process, the requirement for a declaration of war as the threshold for application of
the “law of war” was abandoned.4 Henceforth, this body of law (relabeled the “law of armed conflict”
and usually referred to as “international humanitarian law” or IHL) would come into play whenever
“armed conflict” occurred.
This article explores the contemporary international law governing cyber operations. In particular,
it asks four questions, which together have supplanted the previous notion of “war”:
(1) When does a cyber operation constitute a wrongful “use of force” in violation of Article 2(4) of
the United Nations Charter and customary international law?;
(2) When does a cyber operation amount to a “threat to the peace, breach of the peace, or act of
aggression,” such that the Security Council may authorize a response thereto?;
(3) When does a cyber operation constitute an “armed attack,” such that the victim-State may
defend itself, even kinetically, pursuant to the right of self-defense set forth in Article 51 of the UN
Charter and customary international law?; and
(4) When does a cyber operation rise to the level of an “armed conflict,” such that IHL governs the
actions of belligerents?
The attacks against Estonia, similar ones against Georgia during its armed conflict with Russia
in 2008,5 and the thousands of others directed against government, corporate and private systems
worldwide on a daily basis aptly demonstrate the reality, immediacy and scale of the threat. It is one
well-recognized by States. The May 2010 United States National Security Strategy cites cyber security
threats as “one of the most serious national security, public safety, and economic challenges we face as
a nation.”6 Similarly, the analysis and recommendations on NATO’s new Strategic Concept prepared
by a group of distinguished experts led by former U.S. Secretary of State Madeleine Albright singled
out “cyber assaults of varying degrees of severity” as one of the three likeliest threats the NATO Allies
will face in the next decade.7
Unfortunately, the existing legal norms do not offer a clear and comprehensive framework within which
States can shape policy responses to the threat of hostile cyber operations. In particular, international law
3 See fn 13 and accompanying text for a brief explanation of customary international law.
4 Common Article 2 to the four 1949 Geneva Conventions provides that the treaties “shall apply to all cases of declared war
or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if a state of war is
not recognized by one of them.” Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed
Forces in the Field, art. 2, Aug. 12, 1949, 6 UST. 3114, 75 U.N.T.S. 31; Geneva Convention for the Amelioration of the Condition
of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea, art. 2, Aug. 12, 1949, 6 UST. 3217, 75 U.N.T.S. 85; Geneva
Convention Relative to the Treatment of Prisoners of War, art. 2, Aug. 12, 1949, 6 UST. 3316, 75 U.N.T.S. 135 ; Geneva Convention
Relative to the Protection of Civilian Persons in Time of War, art. 2, Aug. 12, 1949, 6 UST. 3516, 75 U.N.T.S. 287 [hereinafter GC
I–IV respectively].
5 See Tikk, supra note 1, at 66-90.
6 President Barack Obama, national Security Strategy 27 (May 2010).
7 Group of Experts on a New Strategic Concept. nAto 2020: Assured Security; dynamic Engagement (May 17, 2010) 17. The others
are an attack by a ballistic missile and strikes by international terrorist groups.
OCR for page 153
1��
miCHAEl n. SCHmitt
as traditionally understood departs at times from what the international community would presumably
demand in the cyber context. To some extent, this divergence can be accommodated through reasonable
interpretation of the relevant norms. Where it cannot, the law would seem to require attention, either through
treaty action or through the development of new understandings of the prevailing legal concepts.8
CybER OPERATIONS AS A “uSE OF FORCE”
The United Nations Charter, in Article 2(4), states that “[a]ll Members [of the United Nations] shall
refrain in their international relations from the threat or use of force against the territorial integrity or
political independence of any state, or in any other manner inconsistent with the Purposes of the United
Nations.” Despite the reference to territorial integrity and political independence, it is now widely
understood that the prohibition applies to any use of force not otherwise permitted by the terms of the
Charter, specifically uses of force authorized by the Security Council and defensive operations, each
discussed separately below.9
Article 2(4) was revolutionary in its extension to threats. Of course, only those threats of a use of
force that would otherwise be unlawful qualify.10 For instance, threatening destructive defensive cyber
attacks against another State’s military infrastructure if that State unlawfully mounts unlawful cross-
border operations would not breach the norm. However, threats of destructive cyber operations against
another State’s critical infrastructure unless that State cedes territory would do so.
The prohibition applies only to an explicit or implied communication of a threat; its essence is coer -
cive effect. It does not reach actions which simply threaten the security of the target State, but which
are not communicative in nature. Thus, the introduction into a State’s cyber systems of vulnerabilities
which are capable of destructive activation at some later date would not constitute a threat of the use
of force unless their presence is known to the target State and the originating State exploits them for
some coercive purpose.11
It is generally accepted that the prohibition on the threat or use of force represents customary inter-
national law.12 Resultantly, it binds all States regardless of membership in the United Nations. Article
38 of the Statute of the International Court of Justice (ICJ) defines customary law as “general practice
accepted as law.”13 It requires the coexistence of State practice and opinio juris si�e necessitatis, a belief
that the practice is engaged in, or refrained from, out of a sense of legal obligation (rather than practical
or policy reasons).
Although simple in formulation, the norm is complex in substantive composition. It poses two key
questions: “What is a use of force?” and “To whom does the prohibition apply?” Both bear heavily on
the legality of cyber operations, which did not exist when the UN Charter was adopted by States in
1945. The difficulty of applying a legal provision which did not contemplate a particular type of opera -
tion is apparent.
8 For book length treatment of these issues, see Thomas C. Wingfield. the law of information Conflict (Washington: Aegis Research
Corporation 2000); Michael N. Schmitt and Brian O’Donnell, eds. Computer network Attack and international law (Newport: U.S.
Naval War College International Law Studies, vol. 76, 1999); and the collected articles in 64 Air Force Law Review (2009).
9 In its original form, the draft Charter contained no reference to territorial integrity or political independence, and their subse -
quent inclusion was controversial. The “other manner” language was inserted to make clear that their inclusion was not meant to
limit the reach of the provision. See Doc. 1123, I/8, 6 U.N.C.I.O. Docs. 65 (1945); Doc. 784, I/1/27, 6 U.N.C.I.O. Docs. 336 (1945);
Doc. 885, I/1/34, 6 U.N.C.I.O. Docs 387 (1945).
10 This point was made by the International Court of Justice in Legality of the Threat or Use of Nuclear Weapons, Advisory
Opinion, 1996 ICJ Rep. 226, ¶ 47 (July 8).
11Although a threat must be coercive in some sense, there is no requirement that a specific “demand” accompany the threat.
12 See discussion of the issue by the International Court of Justice in Military and Paramilitary Activities in and Against Nica -
ragua (Nicar. v. US), 1986 ICJ Rep. 14, ¶¶ 187-191 (June 27) [hereinafter Nicaragua].
13 Statute of the International Court of Justice, art. 38, June 26, 1945, 59 Stat. 1055, 33 U.N.T.S. 993. On customary law, see Yoram
Dinstein, “The Interaction between Customary International Law and Treaties,” Collected Courses of the Hague Academy of inter-
national law 322 (Martinus Nijhoff, 2007).
OCR for page 154
1�� PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
Finally, it must be borne in mind that neither Article 2(4) nor its customary counterpart is remedial
in nature. Rather, they merely set a threshold for breach of international law. The nature of the response
to a wrongful use of force is instead determined by the law of State responsibility, the scope of authority
of the Security Council and the law of self-defense. Each is addressed below.
uses of Force
Do cyber operations constitute a “use of force” as that phrase is understood in relation to the prohibi-
tion? The interpretive dilemma is that the drafters of the Charter took a cognitive short cut by framing
the treaty’s prohibition in terms of the instrument of coercion employed—force. Thus, the norm did not
outlaw economic and political coercion, but disallowed military force, at least absent an express Charter
exception. Yet, it is seldom the instrument employed, but instead the consequences suffered, that matter
to States. At the time the Charter was drafted an instrument based-approach made sense, for prior to
the advent of cyber operations the consequences that Sates sought to avoid usually comported with
instrument-based categories. Cyber operations do not fit neatly into this paradigm because although
they are “non-forceful” (that is, non-kinetic), their consequences can range from mere annoyance to
death. Resultantly, as the Commander of U.S. Cyber Command noted during his confirmation hearings,
policy makers must understand that “[t]here is no international consensus on a precise definition of a
use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions,
and may apply different thresholds for what constitutes a use of force.” 14
That the term “use of force” encompasses resort to armed force by a State, especially force levied by
the military is self-evident. Armed force thus includes kinetic force—dropping bombs, firing artillery,
and so forth. It would be no less absurd to suggest that cyber operations which generate consequences
analogous to those caused by kinetic force lie beyond the prohibition’s reach, than to exclude other
destructive non-kinetic actions, such as biological or radiological warfare. Accordingly, cyber operations
that directly result (or are likely to result) in physical harm to individuals or tangible objects equate to
armed force, and are therefore “uses of force.” For instance, those targeting an air traffic control system
or a water treatment facility clearly endanger individuals and property. But cyber operations are usually
mounted without causing such consequences, as illustrated by the case of Estonia. Are such operations
nonetheless barred by the use of force prohibition?
The starting point for any interpretive endeavor in law is the treaty text in question.15 In this regard,
note that the adjective “armed” does not appear with reference to “force” in Article 2(4). By contrast,
the Charter preamble cites the purpose of ensuring that “armed force shall not be used, save in the
common interest.” Similarly, the Charter excludes “armed force” from the non-forceful measures the
Security Council may authorize under Article 41 and mentions planning for “armed force” with regard
to forceful Article 42 measures.16 And the Charter only allows forceful defensive actions in the face of an
“armed attack.”17 This textual distinction suggests an interpretation of “force” that is broader in scope
than the common understanding of the term.
When text is ambiguous, recourse may be had to “the preparatory work of [a] treaty and the circum -
stances of its conclusion.”18 The Charter’s tra�aux preparatoires, indicate that during the drafting of the
14 Unclassified Senate Testimony by Lieutenant General Keith Alexander, USA, Nominee for Commander, United States Cyber
Command, April 15, 2010, www.senate.gov/~armed_services/statemnt/2010/04%20April/Alexander%2004-15-10.pdf.
15According to the Vienna Convention on the Law of Treaties, “[a] treaty shall be interpreted in good faith in accordance with
the ordinary meaning to be given to these terms of the treaty in their context and in light of its object and purpose” which can be
gleaned from the text, “including its preamble and annexes . . . .” May 23, 1969, art. 31(1)-(2), 1155 U.N.T.S. 331. The United States
is not a party to the Vienna Convention, but treats most of its provisions as reflective of customary international law.
16 The reference to planning is found in U.N. Charter, art. 46.
17 U.N. Charter, art. 51.
18 Vienna Convention, supra note 15, art. 32.
OCR for page 155
1��
miCHAEl n. SCHmitt
instrument a proposal to extend the reach of Article 2(4) to economic coercion was decisively defeated. 19
A quarter century later, the issue again arose during proceeding leading to the UN General Assembly’s
Declaration on Friendly Relations.20 The question of whether “force” included “all forms of pressure,
including those of a political or economic character, which have the effect of threatening the territorial
integrity or political independence of any State” was answered in the negative.21 Whatever force is, then,
it is not economic or political pressure. Therefore, a cyber operation that involves such coercion is defi -
nitely not a prohibited use of force. Psychological cyber operations (assuming they are non-destructive)
intended solely to undermine confidence in a government or economy illustrate such actions.
Suggestions to limit “force” to “armed force,” or even the force required to amount to an “armed
attack,” were likewise rejected during the proceedings.22 This seemed to indicate that “force” was not
coterminous with “armed” force, thereby strengthening the significance of the absence of the term
“armed” in Article 2(4). In the nicaragua case, the ICJ expressly characterized certain actions which were
non-kinetic in nature as uses of force.
[W]hile arming and training of the contras can certainly be said to involve the threat or use of force against
Nicaragua, that is not necessarily so in respect of all assistance given by the United States Government. In
particular, the Court considers that the mere supply of funds to the contras, while undoubtedly an act of
intervention in the internal affairs of Nicaragua . . . does not itself amount to a use of force.23
The determination that a use of force can embrace acts, like arming or training guerillas, which fall
short of armed force leaves open the possibility that non-physically destructive cyber operations may
fall within the term’s ambit. The threshold for a use of force must therefore lie somewhere along the
continuum between economic and political coercion on the one hand and acts which cause physical
harm on the other.
Unfortunately, unequivocal State practice in characterizing particular cyber attacks as (or not as)
uses of force is lacking. In part this is because the Article 2(4) prohibition extends solely to acts of States,
and very few States have definitively been identified as the initiator of a cyber operation which might
amount to a use of force. Moreover, States may well hesitate to label a cyber operation as a use of force
out of concern that doing so would escalate matters or otherwise destabilize the situation. Therefore,
one can only speculate as to future State practice regarding the characterization of cyber operations.
Over a decade ago, this author identified a number of factors that would likely influence assess -
ments by States as to whether particular cyber operations amounted to a use of force. 24 They are based
on a recognition that while States generally want to preserve their freedom of action (a motivation to
keep the threshold high), they equally want to avoid any harmful consequences caused by the actions
of others (a motivation to keep the threshold low). States will seek to balance these conflicting objectives
through consideration of factors such as those set forth below. The approach has generally withstood
the test of time.
(1) Se�erity: Consequences involving physical harm to individuals or property will alone amount
to a use of force. Those generating only minor inconvenience or irritation will never do so. Between the
extremes, the more consequences impinge on critical national interests, the more they will contribute
19 See Doc. 2, G/7(e)(4), 3 U.N.C.I.O. Docs. 251, 253-54 (1945). Economic coercion, which typically involves trade sanctions, must
be distinguished from “blockade,” which has the effect of cutting off trade, but employs military force to do so. It has historically
been accepted that imposition of a blockade is an “act of war.”
20 Declaration on Principles of International Law Concerning Friendly Relations and Cooperation Among States in Accordance
with the Charter of the United Nations, G.A. Res. 2625 (XXV), U.N. Doc. A/8082 (1970).
21 U.N. GAOR Special Comm. on Friendly Relations, U.N. Doc. A/AC.125/SR.114 (1970); See also Report of the Special Commit-
tee on Friendly Relations, U.N. Doc. A/7619 (1969). The draft declaration contained text tracking that of Charter Article 2(4).
22 Ibid.
23 Nicaragua, supra note 12, ¶ 228.
24 Michael N. Schmitt, “Computer Network Attack and Use of Force in International Law: Thoughts on a Normative Frame -
work,” 37 Columbia Journal of transnational law 885, 914-16 (1999).
OCR for page 156
1�� PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
to the depiction of a cyber operation as a use of force. In this regard, the scale, scope and duration of
the consequences will have great bearing on the appraisal of their severity. Severity is self-evidently the
most significant factor in the analysis.
(2) immediacy: The sooner consequences manifest, the less opportunity States have to seek peace -
ful accommodation of a dispute or to otherwise forestall their harmful effects. Therefore, States harbor
a greater concern about immediate consequences than those which are delayed or build slowly over
time.
(3) directness: The greater the attenuation between the initial act and the resulting consequences,
the less likely States will be to deem the actor responsible for violating the prohibition on the use of
force. Whereas the immediacy factor focused on the temporal aspect of the consequences in question,
directness examines the chain of causation. For instance, the eventual consequences of economic coer-
cion (economic downturn) are determined by market forces, access to markets, and so forth. The causal
connection between the initial acts and their effects tends to be indirect. In armed actions, by contrast,
cause and effect are closely related—an explosion, for example, directly harms people or objects.
(4) in�asi�eness: The more secure a targeted system, the greater the concern as to its penetration.
By way of illustration, economic coercion may involve no intrusion at all (trade with the target state is
simply cut off), whereas in combat the forces of one State cross into another in violation of its sover-
eignty. The former is undeniably not a use of force, whereas the latter always qualifies as such (absent
legal justification, such as evacuation of nationals abroad during times of unrest). In the cyber context,
this factor must be cautiously applied. In particular, cyber exploitation is a pervasive tool of modern
espionage. Although highly invasive, espionage does not constitute a use of force (or armed attack)
under international law absent a nonconsensual physical penetration of the target-State’s territory, as
in the case of a warship or military aircraft which collects intelligence from within its territorial sea
or airspace. Thus, actions such as disabling cyber security mechanisms to monitor keystrokes would,
despite their invasiveness, be unlikely to be seen as a use of force.
(5) measurability: The more quantifiable and identifiable a set of consequences, the more a State’s
interest will be deemed to have been affected. On the one hand, international law does not view economic
coercion as a use of force even though it may cause significant suffering. On the other, a military attack
which causes only a limited degree of destruction clearly qualifies. It is difficult to identify or quantify
the harm caused by the former (e.g., economic opportunity costs), while doing so is straightforward in
the latter (x deaths, y buildings destroyed, etc).
(6) Presumpti�e legitimacy: At the risk of oversimplification, international law is generally prohibi -
tory in nature. In other words, acts which are not forbidden are permitted; absent an express prohibition,
an act is presumptively legitimate.25 For instance, it is well accepted that the international law governing
the use of force does not prohibit propaganda, psychological warfare or espionage. To the extent such
activities are conducted through cyber operations, they are presumptively legitimate.
(7) Responsibility: The law of State responsibility (discussed below) governs when a State will be
responsible for cyber operations. But it must be understood that responsibility lies along a continuum
from operations conducted by a State itself to those in which it is merely involved in some fashion. The
closer the nexus between a State and the operations, the more likely other States will be to characterize
them as uses of force, for the greater the risk posed to international stability.
The case of the Estonian cyber attacks can be used to illustrate application of the approach.
Although they caused no deaths, injury or physical damage, the attacks fundamentally affected the
operation of the entire Estonian society. Government functions and services were severely disrupted,
25 I n
the Case of the S.S. “lotus,” the Permanent Court of International Justice famously asserted that “[t]he rules of law bind -
ing upon States . . . emanate from their own free will as expressed in conventions or by usages generally accepted as expressing
principles of law and established in order to regulate the relations between these co-existing independent communities or with a
view to the achievement of common aims.” S.S. “Lotus” (Fr. v. Turk.), 1927 P.C.I.J. (ser. A) No. 10, at 14 (Sept. 7).
OCR for page 157
1��
miCHAEl n. SCHmitt
the economy was thrown into turmoil, and daily life for the Estonian people was negatively affected.
The consequences far exceeded mere inconvenience or irritation. The effects were immediate and, in
the case of confidence in government and economic activity, wide-spread and long-term. They were
also direct, as with the inability to access funds and interference with the distribution of government
benefits. Since some of the targeted systems were designed to be secure, the operations were highly
invasive. While the consequences were severe, they were difficult to quantify, since most involved
denial of service, rather than destruction of data. Although political and economic actions are pre -
sumptively legitimate in use of force terms, these operations constituted more than merely pressuring
the target State. Instead, they involved intentionally frustrating governmental and economic functions.
Taken together as a single “cyber operation,” the incident arguably reached the use of force threshold.
Had Russia been responsible for them under international law, it is likely that the international com -
munity would (or should have) have treated them as a use of force in violation of the UN Charter and
customary international law.
The criteria are admittedly imprecise, thereby permitting States significant latitude in characterizing
a cyber operation as a use of force, or not. In light of the increasing frequency and severity of cyber
operations, a tendency towards resolving grey areas in favor of finding a use of force can be expected
to emerge. This State practice will over time clarify the norm and its attendant threshold.
Applicability of the Prohibition
By its own express terms, Article 2(4) applies solely to members of the United Nations. As discussed,
the prohibition extends to non-Members by virtue of customary law. That is the limit of applicability.
Non-State actors, including individuals, organized groups and terrorist organizations, cannot violate the
norm absent a clear relationship with a State. Their actions may be unlawful under international and
domestic law, but not as a violation of the prohibition on the use of force. Thus, in the Estonian case,
and barring any evidence of Russian government involvement, none of those individuals or groups
conducting the operations violated the Article 2(4) prohibition. But when can the conduct of individuals
or groups be attributed to a State, such that the State is legally responsible for their actions? The law of
State responsibility governs such situations.26
Obviously, States are legally responsible for the conduct of their governmental organs or entities. 27
This principle extends to unauthorized acts.28 Accordingly, any cyber operation rising to the level of
an unlawful use of force will entail responsibility on the part of the State when launched by its agents,
even when they are acting ultra �ires.
The fact that a State did not itself conduct the cyber operations at hand does not mean that it escapes
responsibility altogether. States are also responsible for “the conduct of a person or group of persons
. . . if the person or group of persons is in fact acting on the instructions of, or under the direction or
control of, that State in carrying out the conduct.”29 The ICJ addressed the degree of control necessary
for attribution in the nicaragua case. There the Court considered attribution of the acts of the Nicaraguan
Contras (a rebel group supported by the United States) to the United States, such that the United States
would be responsible for breaches of IHL committed by the group. While finding the United States
responsible for its own “planning, direction and support” of the Contras,30 the Court limited responsibil-
ity for the Contra actions to those in which the United States exercised “ effecti�e control of the military or
26 This law is set forth, in non-binding form, in the International Law Commission’s Draft Articles on Responsibility of States
for Internationally Wrongful Acts, in Report of the International Law Commission on the Work of Its Fifty-third Session, UN Doc.
A/56/10 (2001).
27 Draft Articles on State Responsibility, supra, art. 4.
28 Ibid., art. 7.
29 Ibid., art. 8.
30 Nicaragua, supra note 12, ¶ 86.
OCR for page 158
1�� PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
paramilitary operations in the course of which the alleged violations were committed.” 31 Mere support
for their activities did not suffice.
The Appeals Chamber of the International Criminal Tribunal for the Former Yugoslavia (ICTY)
took a different tack in the tadic case, where it held that the authority of the government of the Federal
Republic of Yugoslavia over the Bosnia Serb armed groups “required by international law for consid -
ering the armed conflict to be international was o�erall control going beyond the mere financing and
equipping of such forces and involving also participation in the planning and supervision of military
operations.”32 It is essential to note that although the Tribunal expressly rejected the higher nicaragua
threshold of effective control, the technical legal issue was not State responsibility, but rather the nature
of the armed conflict. Thus, while tadic brings nicaragua into question by proffering a lower threshold,
it does not necessarily supplant the effective control test. It remains unclear whether effective control,
overall control or some other test governs in international law, although the ICJ has twice reaffirmed
its version.33
In the cyber context, then, States will be responsible for violating the prohibition on the use of force
to the extent they either direct private individuals or groups to conduct the operations or are heavily
involved in them. Determinations will be made on a case-by-case basis looking to the extent and nature
of involvement by the State with the group and in the particular operations.
Even if conduct is not attributable to a State as under its control, it will nevertheless “be considered
an act of that State . . . if and to the extent that the State acknowledges and adopts the conduct in ques -
tion as its own.”34 The ICJ addressed this situation in the Hostage case, which involved seizure of the
United States Embassy by Iranian militants in 1979. The Iranian government was uninvolved in the
initial seizure, but later passed a decree which accepted and maintained the occupation of the embassy.
According to the Court, “[t]he approval given to [the occupation of the Embassy] by the Ayatollah Kho -
meini and other organs of the Iranian State, and the decision to perpetuate them, translated continuing
occupation of the Embassy and detention of the hostages into acts of that State.” 35
It should be cautioned that mere expressions of approval do not suffice for attribution; rather, the
State must somehow subsequently embrace the actions as its own, for instance, by tangibly supporting
their continuance, failing to take actions to suppress them, or otherwise adopting them. Adoption may
either be express, as in the Hostages case, or implied, as when a State engages in conduct that undeniably
constitutes adoption. In the Estonian case, had Russia publically encouraged further attacks, it would
have borne responsibility not only for the subsequent attacks, but also those in the initial wave.
A State may also be held responsible for the effects of unlawful acts of private individuals or groups
on its territory when it fails to take reasonably available measures to stop such acts in breach of its obli -
gations to other States. In this situation, its violation is of the duty owed to other states, but its respon -
sibility extends to the effects of the act itself. Applying this standard in the Hostages case, the ICJ found
that the Iranian government failed to take required steps to prevent the seizure of the U.S. Embassy or
regain control over it, in breach of its obligation to safeguard diplomatic premises.36 The key to such
responsibility lies in the existence of a separate legal duty to forestall the act in question, and an ability
to comply with said duty. The ICJ articulated this principle in its very first case, Corfu Channel, where it
held that every State has an “obligation to not allow knowingly its territory to be used for acts contrary
to the rights of other States.”37 Of the many obligations States owe each other, ensuring their territory
31 Ibid., ¶ 115. See also discussion in ¶ 109.
32 Prosecutor v. Tadic, Case No. IT-94-1-A, Appeals Chamber Judgment, ¶ 145 (July 15, 1999).
33Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), 2005 ICJ General List No. 116, at 53 (Dec. 19) ;
Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Mont.), at
391-392 (Judgment of Feb. 26, 2007).
34 Draft Articles on State Responsibility, supra note 26, art. 11.
35 United States Diplomatic and Consular Staff in Teheran, 1980 ICJ Rep. 3, ¶ 74 (May 24).
36 Ibid., arts. 76-78.
37 Corfu Channel Case (Merits), 1949 ICJ Rep. 4, 22.
OCR for page 159
1��
miCHAEl n. SCHmitt
is not a launching pad for the use of force or armed attacks (see discussion below) against other States
certainly ranks among the most important. The fact that a use of force consists of cyber operations rather
than traditional armed force would not diminish the responsibility of the State involved.
Finally, consider a situation in which the effects of a cyber operation extend to other than the tar-
geted State. This is an especially relevant scenario in the cyber context, for networking and other forms
of interconnectivity mean that a cyber use of force by State A against State B may have consequences in
State C that would rise to the level of a use of force if directed against C. The causation of such effects
would not amount to a violation of Article 2(4) vis-à-vis C. Article 2(4)’s requirement that Members
“refrain in their international relations” from the use of force implies an element of purposely engaging
in some action in respect of another specified State. Inadvertent effects caused in a State other than the
target States do not constitute a form of “international relations.”
However, even if the State did not intend such effects, it is clear that it bears responsibility for them.
As noted in the Draft Articles of State Responsibility, “[t]here is an internationally wrongful act of a State
when conduct consisting of an action or omission: (a) is attributable to the State under international law;
and (2) constitutes a breach of an international obligation of the State.” 38 In the envisaged case, since
State A conducted the cyber operation, the action is directly attributable to it. Further, the wrongful use
of force against B would constitute a breach of A’s international obligation to refrain from the use of
force. That the intended “victim” was B matters not. The criterion has been met once the breach of an
international obligation has occurred. This is so even if the effects in C were unintended. As noted in
the International Law Commission’s Commentary to the relevant article:
A related question is whether fault constitutes a necessary element of the internationally wrongful act of a
State. This is certainly not the case if by “fault” one understands the existence, for example, of an intention
to harm. In the absence of any specific requirement of a mental element in terms of the primary obligation,
it is only the act of a State that matters, independently of any intention. 39
Remedies for violation
In the event of State responsibility for an unlawful act, the victim-State is entitled to reparation,
which can take the form of restitution, compensation, or satisfaction.40 With regard to cyber operations
amounting to a use of force, compensation could be claimed for any reasonably foreseeable physical
or financial losses. A State may also take any responsive actions that neither amount to a use of force
nor breach an existing treaty or customary law obligation. As an example, a State may chose to block
incoming cyber transmissions emanating from the State that has used force against it.
Additionally, the victim-State may take “countermeasures” in response to a use of force. 41 Coun-
termeasures are “measures which would otherwise be contrary to the international obligations of
the injured State �is-à-�is the responsible State if they were not taken by the former in response to an
internationally wrongful act by the latter in order to procure cessation and reparation.” 42 They are dis-
tinguished from retorsion, which is the taking of unfriendly but lawful actions, such as the expulsion
of diplomats.
The wrong in question has to be ongoing at the time of the countermeasures, since their purpose is
not to punish or provide retribution, but instead to compel the other Party to desist in its unlawful activi-
38 Draft Articles of State Responsibility, supra note 26, art. 2.
39 James Crawford, the international law Commission’s Articles on State Responsibility: introduction, text and Commentaries 84
(Cambridge UP 2002).
40 Draft Articles on State Responsibility, supra note 26, arts. 34-37. Restitution is reestablishing “the situation which existed before
the wrongful act was committed” (art. 35); compensation is covering any financially assessable damage not made good by restitu -
tion (art. 36); satisfaction is “an acknowledgement of the breach, an expression of regret, a formal apology or another appropriate
modality” that responds to shortfalls in restitution and compensation when making good the injury caused (art. 37).
41Ibid., art. 49.1. See also Nicaragua, supra 12, ¶ 249; Gabcikovo-Nagymaros Project (Hung. V. Slovk.) 1997 ICJ 7, 55-56 (Sep. 25).
42 Report of the International Law Commission, supra note 26, at 128.
OCR for page 160
1�0 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
ties.43 Countermeasures must be proportionate to the injury suffered,44 and the victim-State is required
to have called on the State committing the wrong to refrain from the conduct (and make reparations
if necessary), or, in the case of acts emanating from its territory, take measures to stop them. 45 Unlike
collective self-defense (discussed below), countermeasures may only be taken by the State suffering
the wrong.46
Countermeasures involving cyber operations would be particularly appropriate as a response to
a cyber use of force, although the strict limitations placed on countermeasures weaken their viability
in situations demanding an immediate reaction. On the other hand, it would be improper to respond
with a cyber operation that rose to the level of a use of force, for “[c]ountermeasures shall not affect
. . . the obligation to refrain from the threat or use of force as embodied in the Charter of the United
Nations.”47 Responses amounting to a use of force are only permissible when falling within the two
recognized exceptions to the prohibition on the use of force—action authorized by the Security Council
and self-defense.
Although the limitation of countermeasures to non-forceful measures is widely accepted, in a
separate opinion to the ICJ’s oil Platforms judgment, Judge Simma argued for what might be labeled
“self-defense lite” in the face of an “unlawful use of force ‘short of’ an armed attack within the mean -
ing of Article 51.”48 For Judge Simma, such “defensive military action ‘short of’ full scale self-defence”
is of a “more limited range and quality of response” than that which is lawful in response to an armed
attack in the self-defense context. The key difference with classic self-defense is that Judge Simma
would exclude collective actions.49 Reduced to basics, he is arguing for normative acceptance of force-
ful countermeasures.
The core problem with the approach is that it posits a tiered forceful response scheme. However,
because the intensity of a defensive response is already governed, as will be discussed below, by the
principle of proportionality, all that is really occurring is a relaxation of the threshold for engaging in
forceful defensive actions. Such an approach is counter-textual, for the combined effect of Article 2(4)
and 51 of the UN Charter is to rule out forcible responses by States against actions other than “armed
attacks.” Nevertheless, acceptance of such an approach by States would be significant in the cyber con -
text because by it cyber operations which themselves would be a use of force under Article 2(4) may
be launched in reaction to a cyber use of force that did not rise to the level of an armed attack under
Article 51.
AuTHORIzATION by THE SECuRITy COuNCIL
Pursuant to Article 39 of the UN Charter, the Security Council is empowered to determine that a
particular situation amounts to a “threat to the peace, breach of the peace or act of aggression.” When it
does, the Council “shall make recommendations, or decide what measures shall be taken in accordance
with Articles 41 and 42, to maintain or restore international peace and security.” Articles 41 and 42 set
forth, respectively, non-forceful and forceful options for responding to such situations.
The scope of the phrase “threat to the peace, breach of the peace or act of aggression” has been the
subject of much attention in international law. Breach of the peace would seemingly require the outbreak
of violence; cyber operations harming individuals or property would reasonably qualify, but whether
those falling short of this level would do so is uncertain. As to aggression, in 1974 the General Assem -
bly adopted a resolution in which it characterized aggression as ranging from the “use of armed force”
43 Draft Articles on State Responsibility, supra note 26, art. 52.3(a).
44 Ibid., art. 51.
45 Ibid., art. 52.1.
46 Nicaragua, supra note 12, ¶¶ 211 & 252.
47 Draft Articles on State Responsibility, supra note 26, art. 50.1(a).
48 Oil Platforms (Iran v. US), 2003 ICJ Rep. 161, Separate Opinion of Judge Simma, ¶ 12.
49 Ibid., ¶ 12-13.
OCR for page 161
1�1
miCHAEl n. SCHmitt
and blockade to allowing one’s territory to be used by another state to commit an act of aggression and
sending armed bands against another State.50 A cyber operation causing significant physical harm in
another state would certainly rise to this level; whether others would is unclear.
This ambiguity is essentially irrelevant in light of the “threat to the peace” criterion. Little guidance
exists on those acts which qualify, although they must be conceptually distinguished from activities
constituting threats of the use of force in contravention of Article 2(4). In tadic the ICTY opined that a
threat to the peace should be assessed with regard to the Purposes of the United Nations delineated in
Article 1 and the Principles set forth in Article 2.51 This is a singularly unhelpful proposition, since said
purposes and principles include such intangibles as developing friendly relations and solving social
problems.
In fact, a finding that a situation is a “threat to the peace” is a political decision, not a legal one. It
signals the Security Council’s willingness to involve itself in a particular matter. There are no territorial
limits on situations which may constitute threats to the peace, although they logically tend to be viewed
as those which transcend borders, or risk doing so. Nor is there a limitation to acts conducted by or at the
behest of States; for instance, the Council has repeatedly found transnational terrorism to be a threat to
the peace.52 No violence or other harmful act need have occurred before the Council may make a threat
to the peace determination. Most importantly, since there is no mechanism for reviewing threat to the
peace determinations, the Council’s authority in this regard is unfettered. Simply put, a threat to the
peace is whatever the Council deems it to be. This being so, the Council may label any cyber operation
a threat to the peace (or breach of peace or act of aggression), no matter how insignificant.
Once it does, the Security Council may, under Article 41, authorize measures “not involving the
use of armed force” necessary to maintain or restore international peace and security. Article 41 offers a
number of examples, including “complete or partial interruption of economic relations and of rail, sea,
air, postal, telegraphic, radio or other means of communication.” Interruption of cyber communications
would necessarily be included. An interruption could be broad in scope, as in blocking cyber traffic to
or from a country, or surgical, as in denying a particular group access to the internet. Any other cyber
operations judged necessary would likewise be permissible. Given the qualifier “armed force,” opera -
tions resulting in physical harm to persons or objects could not be authorized pursuant to Article 41.
Should the Council determine that Article 41 measures are proving ineffective, or if before autho -
rizing them it decides that such measures would be fruitless, it may, pursuant to Article 42, “take such
action by air, sea, or land forces as may be necessary to maintain or restore international peace and
security.” The reference to operations by “air, sea, or land forces” plainly contemplates forceful military
action, although a Security Council resolution authorizing the use of force will typically be framed in
terms of taking “all necessary measures.” To the extent that military force can be authorized, it is self-
evident that cyber operations may be as well. It would be lawful to launch them alone or as an aspect of
a broader traditional military operation. The sole limiting factors would be the requirement to comply
with other norms of international law, such as the IHL prohibition on attacking the civilian population, 53
and the requirement to restrict operations to those within the scope of the particular authorization or
mandate issued by the Council. Article 42 actions are not limited territorially or with regard to subject
of the sanctions. For example, it would undoubtedly be within the power of the Council to authorize
cyber attacks against transnational terrorist groups (e.g., in order to disrupt logistics or command and
50 G.A. Res. 3314 (XXIX), annex, art. 3 (Dec. 14, 1974) (“Definition of Aggression”).
51 Prosecutor v. Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ¶ 29 (Oct.
2, 1995).
52 See, e.g., S.C. Res. 1377 (Nov. 12, 2001); S.C. Res. 1438 (Oct. 14, 2002); S.C. Res. 1440 (Oct. 24, 2002); S.C. Res. 1450 (Dec. 13,
2002); S.C. Res. 1465 (Feb. 13, 2003); S.C. Res. 1516 (Nov. 20, 2003); S.C. Res. 1530 (Mar. 11, 2004); S.C. Res. 1611 (July 7, 2005); S.C.
Res. 1618 (Aug. 4, 2005).
53 Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International
Armed Conflicts arts. 48, 51 & 52, June 8, 1977, 1125 U.N.T.S. 3 [hereinafter AP I].
OCR for page 168
1�� PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
launched it, may be an IP address or other machine discernable data. And the speed by which cyber
operations proceed dramatically compresses the time available to make such determinations. How cer-
tain must the target State be as to the identity of its attacker before responding in self-defense?
Although international law sets no specific evidentiary standard for drawing conclusions as to the
originator of an armed attack, a potentially useful formula was contained in the U.S. notification to the
Security Council that it was acting in self-defense when it launched its October 2001 attacks against the
Taliban and Al Qaeda in Afghanistan. There, U.S. Ambassador Negroponte stated that “my Government
has obtained clear and compelling information that the Al-Qaeda organization, which is supported by
the Taliban regime in Afghanistan, had a central role in the attacks.”75 NATO Secretary-General Lord
Robertson used the same language when announcing that the attacks of 9/11 fell within the ambit of
the collective defense provisions of Article V of the North Atlantic Treaty. 76
“Clear and compelling” is a threshold higher than the preponderance of the evidence (more likely
than not) standard used in certain civil and administrative proceedings and lower than criminal law’s
“beyond a reasonable doubt.” In essence, it obliges a State to act reasonably, that is, in a fashion consis -
tent with the normal State practice in same or similar circumstances. Reasonable States neither respond
precipitously on the basis of sketchy indications of who has attacked them nor sit back passively until
they have gathered unassailable evidence. So long as the victim-State has taken reasonable steps to iden -
tify the perpetrator of an armed attack, cyber or kinetic, and has drawn reasonable conclusions based
on the results of those efforts, it may respond forcefully in self-defense. That the State in fact drew the
wrong conclusion is of no direct relevance to the question of whether it acted lawfully in self-defense. 77
Its responses are assessed as of the time it took action, not ex post facto.
Although the temporal aspect cannot be ignored, the time available to make the determination is
merely one factor bearing on the reasonableness of any conclusion. In particular, automatic “hack-back”
systems that might involve a response amounting to a use of force are neither necessarily lawful nor
unlawful. Their use must be judged in light of many factors, such as the reliability of the determination
of origin, the damage caused by the attack, and the range of available response options.
An analogous standard of reasonableness would apply in the case of anticipatory self-defense
against an imminent cyber attack. International law does not require either certainty or absolute preci -
sion in anticipating another State’s (or non-State actor’s) future actions. Rather, it requires reasonable -
ness in concluding that a potential attacker has decided to attack and wields the capability to carry out
said attack, and that it must act defensively in anticipation of the attack lest it lose the opportunity to
effectively defend itself. States could not possibly countenance a higher threshold, for such a standard
would deprive them of a meaningful right of self-defense.
Admittedly, ascertaining a possible adversary’s intentions in the cyber environment is likely to be
demanding. Aside from the difficulties of accurately pinpointing identity discussed above, it will be
challenging in the context of anticipatory self-defense to identify the purpose behind a particular cyber
operation. For instance, is a cyber probe of a State’s air defense designed merely to gather intelligence
or instead to locate vulnerabilities in anticipation of an attack which is about to be launched? Obvi -
ously, such determinations must be made contextually, considering factors such as the importance of the
matter in contention, degree of political tensions, statements by military and political leaders, military
activities like deployments, exercises and mobilizations, failed efforts to resolve a contentious situation
diplomatically, and so forth. The speed with which the defender may have to make such an assessment
to effectively defend itself further complicates matters. Despite the factual and practical complexity,
75 Letter dated 7 October 2001 from the Permanent Representative of the United States of America to the United Nations Ad -
dressed to the President of the Security Council, U.N. Doc. S/2001/946 (Oct. 7, 2001).
76 Statement by NATO Secretary General Lord Robertson, NATO Headquarters (Oct. 2, 2001), http://www.nato.int/docu/
speech/2001/s011002a.htm.
77 Note by way of analogy to international criminal law, that pursuant to the Statute of the International Criminal Court, a mis -
take of fact is grounds for excluding criminal responsibility when the mistake negates the mental element required by the crime.
Rome Statute of the International Criminal Court, art. 32.1, July 17, 1998, 2187 U.N.T.S. 90.
OCR for page 169
1��
miCHAEl n. SCHmitt
the legal standard is clear; a State acting anticipatorily in self-defense must do so reasonably. In other
words, States in the same or similar circumstances would react defensively.
When a State asserts that it is acting in self-defense, it bears the burden of proof. In the oil Platforms
case, the ICJ noted that the United States had failed to present evidence sufficient to “justify its using
force in self-defense.”78 Specifically, it could not demonstrate that Iran was responsible for a 1987 missile
attack against an oil tanker sailing under U.S. flag or the 1988 mining of a U.S. warship during the Iran-
Iraq “tanker war,” to which the United States responded by attacking Iranian oil platforms. The Court
rejected evidence offered by the United States which was merely “suggestive,” looking instead for “direct
evidence” or, reframed, “conclusive evidence.”79 “Clear and compelling” evidence would meet these
requirements. Thus, States responding to a cyber armed attack must be prepared to present evidence of
this quality as to the source and nature of an impending attack, while those acting in anticipation of an
attack must do likewise with regard to the potential attacker’s intent and capability.
Collective Responses
Unlike countermeasures, defensive actions may be collective. This possibility is explicitly provided
for in Article 51’s reference to “individual or collective self-defense.” Collective self-defense may be
mounted together by States which have all been attacked or individually by a State (or States) which
has not, but comes to the defense of another. Although the basic norm is clear in theory, it is complex
in application. As noted in the Experts Report on the new NATO Strategic Concept, “there may well be
doubts about whether an unconventional danger—such as a cyber attack or evidence that terrorists are
planning a strike—triggers the collective defence mechanisms of Article V (the North Atlantic Treaty
implementation of Article 51).”80
The mere fact of an armed attack allows for collective defensive action; no authorization from the
Security Council is necessary. But there are legal limits on exercise of the right. In the nicaragua case,
the ICJ suggested that only the victim-State is empowered to determine whether an armed attack has
occurred, and it must request assistance before others act on its behalf.81 Absent such a determination
and request, collective actions would themselves amount to unlawful uses of force, and, depending on
their nature, even armed attacks (paradoxically, against the State launching the initial armed attack).
These requirements are designed to prevent States from claiming to act in collective self-defense as a
subterfuge for aggression.
Given the practical difficulties of identifying a cyber operation’s originator, this is a sensible limita -
tion. It must be noted that some distinguished commentators challenge the strict application of these
requirements. They argue that in cases where the collective defense actions occur outside the territory
of the victim-State, other States may be entitled to act on the basis of their own right to ensure their
security. The right arguably derives from breach of the duty to refrain from armed attack that the State
initiating the armed attack bears.82 This latter scenario is particularly germane in the cyber context since
the effects of cyber armed attacks could easily spread through networks, thereby endangering States
other than those which are the intended target. The prevailing view is nevertheless that there must be
a request from the victim-State before the right of collective self-defense matures.
In many cases, a pre-existing treaty contemplates collective defense. Article 52(1) of the UN Char-
ter provides that “nothing in the present Charter precludes the existence of regional arrangements or
agencies for dealing with such matters relating to the maintenance of international peace and security
78 Oil Platform, supra note 48, ¶ 57.
79 Ibid.,¶¶ 59, 69.
80 NATO 2020, supra note 7, at 20.
81 Nicaragua, supra note 12, ¶ 199; The Court reiterated this position in the Oil Platforms case of 2003. Oil Platforms, supra note
48, ¶ 55.
82 See discussion in Dinstein, supra note 62, at 270. This was the position adopted in Judge Jenning’s dissent in Nicaragua. Ni -
caragua, Dissenting Opinion of Judge Sir Robert Jennings, supra note 12, at 544-46.
OCR for page 170
1�0 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
as are appropriate for regional action. . . .” Despite the reference to “regional” arrangements, the agree -
ments need not be limited to States in a particular region or to actions occurring in a defined area. Such
arrangements may take multiple forms, For instance, bilateral and multilateral mutual assistance trea -
ties typically provide that the Parties will treat an armed attack against one of them as an armed attack
against all.83 As a practical matter, the effectiveness of collective defense provisions usually depends
on the willingness of the treaty partners to come to each other’s aid. A State that does not see collective
defensive action as in its national interest may be expected to contest characterization of a cyber opera -
tion as an armed attack.
Military alliances based on the right to engage in collective defense also exist, the paradigmatic
example being NATO. Pursuant to Article V of the treaty, Member States “agree that an armed attack
that
against one or more of them in Europe or North America shall be considered an attack against them all
and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right
of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations,
will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other
Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the
security of the North Atlantic area.”84
The benefit of alliances is that they generally involve a degree of advanced planning for combined
operations in the event of armed attack, and, as with NATO, military structures are often set up to
coordinate and direct military operations. Preplanning and the existence of collective mechanisms for
managing joint and combined action are especially valuable with regard to defending against cyber
attacks. However, like mutual assistance treaties, alliance arrangements are subject to the reality that
they are composed of States, which can be expected to act pursuant to their own national interests. In
the case of NATO, for instance, decisions to act are taken by consensus in the North Atlantic Council;
a single member State can therefore block NATO collective action. Indeed, had the cyber operations
against Estonia risen to the level of an armed attack, it is not altogether certain that NATO would have
come to its defense militarily, especially in light of Russia’s place in the European security environment
and the countervailing commitments of NATO allies elsewhere, especially Afghanistan and Iraq.
State Sponsorship of Attacks by Non-State Actors
The issue of State sponsorship of cyber operations was addressed earlier in the context of the
responsibility of States for uses of force by non-State actors. There the question was when does a State
violate the use of force prohibition by virtue of its relationship with others who conduct cyber opera -
tions? However, the issue of State sponsorship in the self-defense context is much more momentous.
It asks when may forceful defensive actions, even kinetic ones, be taken against a State which has not
engaged in cyber operations, but which has “sponsored” them? In other words, when is an armed attack
attributable to a State such that the State may be treated as if it had itself launched the attack?
Until the transnational attacks of September 11, 2001, the generally accepted standard was set forth
in the nicaragua case. There the ICJ stated that “an armed attack must be understood as including not
merely action by regular forces across an international border, but also ‘the sending by or on behalf of
a state of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against
another state of such gravity as to amount to’ (inter alia) an actual armed attack conducted by regular
forces, ‘or its substantial involvement therein.’ ”85 The Court noted that the activities involved should
83 For instance, the Japan-United States mutual defense treaty provides that “[e]ach Party recognizes that an armed attack against
either Party in the territories under the administration of Japan would be dangerous to its own peace and safety and declares
that it would act to meet the common danger in accordance with its constitutional provisions and processes.” Treaty of Mutual
Cooperation and Security Between Japan and the United States of America, Regarding Facilities and Areas and the Status of
United States Armed Forces in Japan, art. V, Jan. 19, 1960, 373 U.N.T.S. 207.
84 North Atlantic Treaty, art. V, Apr. 4, 1949, 34 U.N.T.S. 243.
85 Nicaragua, supra note 12, ¶ 195.
OCR for page 171
1�1
miCHAEl n. SCHmitt
be of a “scale and effects” that would equate to an armed attack if carried out by the State’s military.
Thus, “acts by armed bands where such attacks occur on a significant scale” would qualify, but “a mere
frontier incident would not.”86
By this standard, attribution requires (1) acts qualifying as an armed attack and (2) that the State dis -
patched the non-State actors or was substantially involved in the operations. As noted earlier, the ICTY
took a more relaxed view of the degree of control necessary, accepting “overall control” as sufficient. 87
The events of 9/11 brought the issue of threshold to light in a dramatic way. Assistance provided by the
Taliban to Al Qaeda met neither the nicaragua nor tadic standards, since the Taliban merely provided
sanctuary to Al Qaeda. The cyber analogy would be doing nothing to put an end to the activities of cyber
“terrorists” or other malicious hackers operating from a State’s territory when it is within its capability,
legal and practical, to do so.
Even though there was seemingly no legal basis for attribution to Afghanistan, when the Coalition
responded with armed force against both Al Qaeda and the governing Taliban, no objection was raised.
On the contrary, the Security Council condemned the Taliban “for allowing Afghanistan to be used as a
base for the export of terrorism by the Al-Qaida network and other terrorist groups and for providing
safe haven to Usama Bin laden, Al-Qaida and others associated with them.” 88 It seems that the inter-
national community had lowered the normative bar of attribution measurably. While the underlying
operations must still amount to an armed attack, it is arguable that today much less support is required
for attribution than envisaged in either nicaragua or tadic. Far from being counter-legal, this process of
reinterpretation is natural; understandings of international legal norms inevitably evolve in response
to new threats to the global order. In that cyber operations resemble terrorism in many regards, States
may equally be willing to countenance attribution of a cyber armed attack to a State which willingly
provides sanctuary to non-State actors conducting them.
Armed Attacks by Non-State Actors
Although most cyber operations are launched by individuals such as the anti-Estonian “hacktivists,”
concern is mounting about the prospect that transnational terrorist organizations and other non-State
groups will turn to cyber operations as a means of attacking States.89 The concern is well-founded. Al
Qaeda computers have been seized that contain hacker tools, the membership of such groups is increas -
ingly computer-literate, and the technology to conduct cyber operations is readily available. In one case,
a seized Al Qaeda computer contained models of dams, a lucrative cyber attack target, and the computer
programs required to analyze them.90
International lawyers have traditionally, albeit not universally, characterized Article 51 and the
customary law of self-defense as applicable solely to armed attacks mounted by one State against
another. Violent actions by non-State actors fell within the criminal law paradigm. Nonetheless,
the international community treated the 9/11 attacks by Al Qaeda as armed attacks under the
law of self-defense. The Security Council adopted numerous resolutions recognizing the applicabil-
ity of the right of self-defense. 91 International organizations such as NATO and many individual
States took the same approach.92 The United States claimed the right to act forcefully in self-
86 Ibid.
87 Itmust be emphasized that the legal issue involved in that case was not attribution of an armed attack, but rather the exist -
exist-
ence of an international armed conflict.
88 S.C. Res. 1378, pmbl. (Nov. 14, 2001).
89 This threat is cited in both the 2010 National Security Strategy ( supra note 6, at 27) and NATO 2020 (supra note 7, at 17).
90 Clay Wilson, Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress, Congressional Research
Service Report RL32114, Oct. 17, 2003, at 11-13.
91 See, e.g., S.C. Res 1368 (Sept. 11, 2001); S.C. Res. 1373 (Sept. 28, 2001).
92 See, e.g., Press Release, NATO, Statement by the North Atlantic Council (Sept. 12, 2001); Terrorist Threat to the Americas,
Res. 1, Twenty-fourth Meeting of Consultation of Ministers of Foreign Affairs, Terrorist Threat to the Americas, OAS Doc. RC.24/
RES.1/01 (Sept. 21, 2001); Brendan Pearson, Pm Commits to mutual defence, Australian Financial Review, Sept. 15, 2001, at 9.
OCR for page 172
1�2 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
defense,93 and no State objected to the assertion. Lest this approach be dismissed as simply an emo -
tive reaction to the horrific attacks of 9/11, it must be noted that when Israel launched operations
into Lebanon in response to Hezbollah’s 2006 terrorism, the international community again seemed
to accept a country’s right to defend itself against armed attacks mounted by non-State actors. 94
Despite acceptance by States of the premise that non-State actors may qualify as the originators of an
armed attack, the ICJ seems to have taken a step backwards in two post-9/11 cases. In the wall advisory
opinion and the Congo case, the Court refrained from considering claims of self-defense against actions
by non-State actors, noting that no assertion had been made that the relevant actions were imputable to
a State.95 Although the Court’s reasoning was nuanced and fact-specific, it has nevertheless been widely
criticized as inattentive to contemporary understandings of the relevant law. In particular, in the wall
case three judges expressly departed from the majority’s approach on the bases that it ignored the fact
that Article 51 makes no mention of the originator of an attack (while Article 2(4) specifically addresses
uses of force by States) and that the Security Council had deliberately treated terrorist attacks as armed
attacks in the aftermath of the 9/11.96
The Court’s hesitancy to embrace the notion of armed attack by non-State actors is understandable
in light of the risk of abuse. States might well apply it to engage in robust military operations against
groups in situations in which law enforcement is the more normatively appropriate response. For
instance, significant concerns have been raised regarding counterterrorist operations occurring outside
an armed conflict mounted in States which do not consent to them. Such concerns are likely to be even
more acute in relation to cyber operations, which are conducted not by armed members of groups
resembling classic military forces, but rather by cyber experts equipped with computers. Nevertheless,
as a matter of law, States seem comfortable with applying the concept of armed attacks to situations
involving non-State actors. Should such groups launch cyber attacks meeting the threshold criteria for
an armed attack, States would likely respond within the framework of the law of self-defense.
The point that the attacks must meet the threshold criteria cannot be overemphasized. There is no
State practice supporting extension of the concept to the actions of isolated individuals, such as hacktiv -
ists or patriotic hackers. Further, the cyber operations must be severe enough to qualify as armed attacks,
that is, they have to result in damage to or destruction of property or injury to or death of individuals.
Finally, as the debate over minor border incursions demonstrates, it is uncertain whether attacks which
meet the aforementioned threshold, but are not of significant scale, would qualify. As an example, a
cyber attack that caused a single plant’s generator to overheat, thereby temporarily interrupting service
until it could be repaired, would presumably not, by the more restrictive standard, qualify as an armed
attack. Rather, it would be the cyber equivalent of a border incursion.
Cross-border Operations
When armed attacks by non-State actors emanate from outside a State, may that State take defen -
sive actions against its perpetrators in the territory of the State where they are based? This question
has been raised recently in the context of unmanned aerial vehicle strikes against terrorists in Pakistan
93 “Inresponse to these attacks, and in accordance with the inherent right of individual and collective self-defense, United States
forces have initiated actions designed to prevent and deter further attacks on the United States. These actions include measures
against Al-Qaeda terrorist training camps and military installations of the Taliban regime in Afghanistan. . . .” Letter from the
Permanent Representative, supra note 75.
94 See generally, Michael N. Schmitt, “’Change Direction’ 2006: Israeli Operations in Lebanon and the International Law of
Self-Defense,” 29 michigan Journal of international law 127 (2008). Many commentators and States saw the actions as violating the
proportionality criterion discussed above.
95 Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 2004 ICJ Rep. 136,
¶ 139 (July 9); Congo, supra note 33, at 53.
96 Wall, supra note 95, Sep. Op. Judge Higgins, ¶ 33; Sep. Op. Judge Koojmans, ¶ 35; Decl. Judge Buergenthal, ¶ 6.
OCR for page 173
1��
miCHAEl n. SCHmitt
and elsewhere. It is no less pertinent to situations involving cyber armed attacks launched by non-State
actors from abroad.
It is indisputable that one State may employ force in another with the consent of the territorial State.
t
For instance, a State may grant others the right to enter its territory to conduct counterterrorist opera -
tions, as often occurs in Pakistan, or a State embroiled in an internal conflict with insurgents may request
external assistance in restoring order, as with ISAF operations in Afghanistan or USF in Iraq. A State
subjected to an armed attack, whether cyber or kinetic, could, with the acquiescence of the territorial
State, equally launch cyber defensive operations into the State from which the attacks emanated.
The legal dilemma arises when operations are conducted without territorial State approval. By the
principle of sovereignty (and the derivative notion of territorial integrity), a State enjoys near absolute
control over access to its territory. In affirmation, the UN General Assembly has cited the use of force
by a State on the territory of another as an act of aggression.97 Yet, the right of States to use force in
self-defense is no less foundational. When terrorists or insurgents seek sanctuary in a State other than
that in which they are conducting operations, they bring the territorial State’s right of sovereignty into
conflict with the victim-State’s right of self-defense.
Fortunately, international law does not require an either-or resolution when norms clash. Instead, it
seeks to balance them by fashioning a compromise which best achieves their respective underlying pur-
poses. In this case, such a balance would ensure that the territorial State need not suffer unconstrained
violations of its sovereignty, but nor would the victim-State have to remain passive as non-State groups
attack it with impunity from abroad. The resulting compromise is as follows. The victim-State must
first demand the territorial State fulfill its legal duty to ensure actions on or from its territory do not
harm other States and afford the territorial State an opportunity to comply.98 If that State subsequently
takes effective steps to remove the threat, then penetration of its territory by the victim-State, whether
kinetically or by cyber means, is impermissible. But if the territorial State fails to take appropriate and
timely action, either because it lacks the capability to conduct the operations or simply chooses not to
do so (e.g., out of sympathy for the non-State actors or because its domestic laws preclude action), the
victim-State may act in self-defense to put an end to the non-State actor’s attacks. It matters not whether
the actions are kinetic or cyber in nature, as long as they comply with the principles of proportionality
and necessity.
ARMED CONFLICT
The jus in bello notion of “armed conflict” must be distinguished from the jus ad bellum concepts
of use of force, threat to the peace, breach of the peace, act of aggression and armed attack. The jus ad
The
bellum determines when a State has violated the international law governing the resort to force, and sets
forth a normative flow plan for individually or collectively responding to such violations. By contrast,
under the jus in bello, the applicability of IHL depends on the existence of an “armed conflict.” This law
is set forth in such treaties as the four 1949 Geneva Conventions and the two 1977 Protocols Additional
(Protocol I for international and Protocol II for non-international armed conflict), and in customary
international law.99 In determining whether IHL rules like distinction (the requirement to distinguish
combatants from civilians and military objectives from civilian objects), proportionality (the prohibi -
tion on attacks expected to cause harm to civilians and civilian object which is excessive relative to the
military advantage anticipated to accrue from the attack), or direct participation (the loss by civilians
of their protections when they take a direct part in hostilities) apply to cyber operations, the threshold
question is whether an armed conflict is underway.100
97 Definition of Aggression Resolution, supra note 50, art. 3(a).
98 On the duty to police one’s own territory, see Corfu Channel (U.K. v. Alb.), 1949 ICJ Rep. 4 (Apr. 9).
99 GC I-IV, supra note 4; AP I, supra note 53; Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to
the Protection of Victims of Non-International Armed Conflicts, June 8, 1977, 1125 U.N.T.S. 609 [hereinafter AP II].
100AP I, supra note 53, arts. 48, 51.5(b), 51.3.
OCR for page 174
1�� PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
There are two forms of armed conflict, international and non-international. The first refers to conflicts
between States, whereas the second implies either conflicts between a State and a non-State organized
armed group or those between such groups. Determining when a conflict is international or non-
international is a highly complex matter, particularly in light of hostilties between States and non-State
transnational actors, such as global terrorist groups. As an example of the uncertainty, consider that while
the Israeli Supreme Court has characterized Israel’s conflicts with terrorist groups such as Hamas and
Hezbollah to be international, in part because they transcend Israeli territory, the U.S. Supreme Court
has labeled the conflict with transnational terrorist groups like Al Qaeda as “not of an international
character.”101 Although a full exploration of the characterization of conflict issue lies beyond the scope
of this article, it is useful to examine the concepts in a general manner.
International Armed Conflict
Article 2 Common to the four Geneva Conventions states that they “apply to all cases of declared
war or to any other armed conflict which may arise between two or more of the High Contracting
parties.”102 This begs the question of the nature and scope of the referenced conflict. The International
Committee of the Red Cross’ official commentary to the provision provides that “any difference arising
between two States and leading to the intervention of members of the armed forces is an armed conflict
within the meaning of Article 2, even if one of the Parties denies the existence of a state of war. It makes
no difference how long the conflict lasts, how much slaughter takes place, or how numerous are the
participating forces.”103 Similarly, the ICTY has opined that “an armed conflict exists whenever there is
resort to force between States.”104
It is essential to distinguish states of “armed conflict” under the jus in bello from instances of jus ad
bellum “armed attacks,” for, as noted, some experts assert that minor incidents do not amount to the
latter. Moreover, in the traditional treatment of the legal concept of “war,” minor armed incidents did
not necessarily signal the commencement of a war between States.105 But so long as there is an armed
exchange between the armed forces of two States, an “international armed conflict” exists. Actions by
non-State actors operating under State control would also qualify, although actions by individuals or
independent group would not. Hostilities need not even exist. By Article 2, the conventions apply in
cases of “partial or total occupation . . ., even if said occupation meets with no armed resistance.”106
And it is equally accepted that there is an armed conflict if the forces of one State detain individuals
protected by IHL, such as combatants.107 It is irrelevant whether the parties to the armed conflict con -
sider themselves to be “at war.”
This leads to two alternative conclusions with regard to cyber operations standing alone. First, they
must be the functional equivalent of a clash of arms between States. Applying the approach adopted
in the context of the jus ad bellum, relevant actions must be likely to result in injury, death, damage or
destruction to comprise an international armed conflict. Non-destructive computer network exploitation,
espionage, denial of service attacks and other actions would not initiate an armed conflict, although
they might, depending on the circumstances, qualify as a use of force. This is the mainstream approach
among IHL experts, one focusing on the adjective “armed” in the phrase armed conflict.
However, the fact that an armed conflict can occur in the absence of combat arguably provides inter-
pretive leeway. This is especially so in light of an ongoing debate among experts as to whether a cyber
101 HCJ [High Court of Justice] 796/02, Public Committee against Torture in Israel et al. v. Government of Israel et al., ¶ 21(Dec.
13, 2006); Hamdan v. Rumsfeld, 126 S.Ct. 2749, 2795-96 (2006).
102 Common art. 2 to GC I-IV, supra note 4.
103 Commentary to the third gene�a Con�ention relati�e to the treatment of Prisoners of war 23 (ICRC, Jean Pictet ed., 1960).
104 Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, supra note 51, ¶ 70.
105 Dinstein, supra note 62, at 11-13.
106 Common art. 2(1) to GC I-IV, supra note 4.
107 Pictet, supra note 103, at 23.
OCR for page 175
1��
miCHAEl n. SCHmitt
operation can amount to an “attack,” as that term is used in IHL (e.g., the prohibition on “attacking”
civilians and civilian objects).108 The law defines attacks as “acts of violence,”109 leading one school of
thought to argue that only operations resulting in injury, death, damage or destruction are attacks to
which the prohibitions apply.110 Advocates would therefore likely accept the aforementioned limitation.
A second school argues that the essence of such prohibitions is directing military operations against
protected persons and places.111 If this is so, then IHL would apply to certain non-destructive cyber
operations against protected persons and objects, and, by extension, an international armed conflict
would commence once a State or those under its control launched them.
The problem is that proponents of the second approach offer no criteria for distinguishing non-
destructive “attacks” from non-destructive military operations that clearly do not qualify as attacks, such
as lawful psychological operations. Presumably, consequence severity would be a key criterion, but how
might that be determined (financial loss, disruption of essential State functions, etc.)? Indeterminacy
may be acceptable in the context of identifying a use of force, for the issue there is merely whether a
violation of law has occurred (and countermeasures cannot involve the use of force). By contrast, the
consequences of finding an “armed conflict” are much more dramatic. Armed conflict renders violent
actions by combatants lawful unless they breach a particular IHL norm, even when the initial resort to
force by the belligerent State was unlawful. In other words, while IHL limits violence, it also legitimizes
it. This interpretation is obviously problematic.
Non-International Armed Conflict
Determining when a non-international armed conflict exists is even more problematic. The relevant
IHL is found primarily in customary international law, Common Article 3 to the Geneva Conventions
and, for States party, Additional Protocol II (AP II). Although there is much controversy over the precise
content of the customary law and the extent to which certain customary IHL norms apply in both inter-
national and non-international armed conflicts, it is undeniably a less detailed and less comprehensive
body of law than that applicable in international armed conflict.
Common Article 3 to the Geneva Conventions defines non-international armed conflicts in the nega -
tive as those which are “not of an international character,” a characterization reflective of customary
international law.112 There are two generally accepted criteria for such conflicts. First, Article 3 employs
the phrase “each Party to the conflict.” The term “Party” is commonly understood to refer to either
States or to groups which have a certain degree of organization and command structure. Thus, cyber
violence of any intensity engaged in by isolated individuals or by unorganized mobs, even if directed
against the government, does not qualify. It would not amount to an armed conflict, and therefore would
be governed by criminal law and human rights law, not IHL. The vast majority of the cyber operations
conducted against Estonia would fall into this category.
The second criterion is intensity. It is generally agreed that a non-international armed conflict
requires violence of a higher degree of intensity than international armed conflict. “Internal disturbances
and tensions, such as riots, isolated and sporadic acts of violence and other acts of a similar nature”
108AP I, supra note 53, arts. 51 and 52.
109 Ibid., art. 49.
110 See, e.g., Michael N. Schmitt, “Warfare: Computer Network Attack and International Law,” 84 (No. 846) international Re�iew
of the Red Cross 365 (June 2002).
111 Knut Dörmann, Applicability of Additional Protocols to Computer Network Attack, Paper delivered at the International Ex -
pert Conference on Computer Network Attacks and the Applicability of International Humanitarian Law, Stockholm, November
17-19, 2004, http://www.icrc.org/web/eng/siteeng0.nsf/htmlall/68lg92?opendocument.
112 Common art. 3 to GC I-IV, supra note 4 (“In the case of armed conflict not of an international character occurring in the ter -
ritory of one of the High Contracting Parties, each Party to the conflict shall be bound to apply, as a minimum, the following
provisions. . . .”).
OCR for page 176
1�� PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
fall short of the threshold.113 In non-normative terms, the criterion suggests that unrest which can be
handled primarily by law enforcement entities, without resort to the armed forces, does not constitute
non-international armed conflict even if carried out by armed groups. Along these lines, the ICTY
has characterized non-international armed conflicts as involving “protracted armed violence between
governmental authorities and organized armed groups or between such groups within a State,” 114 a
formula adopted by the International Criminal Tribunal for Rwanda and in the Statute of the Interna -
tional Criminal Court.115
For parties to the instrument (the United States is not), AP II sets forth significant additional IHL
norms. However, the threshold of applicability for this instrument is set at an even higher level than
that of customary law and Common Article 3. In the case of AP II non-international armed conflicts,
the non-State party to the conflict has to “exercise such control over a part of” a State’s territory that it
can “carry out sustained and concerted military operations.” 116
It would be exceptionally difficult for cyber operations standing alone to rise to the level of non-
international armed conflict. First, operations launched by individuals and unorganized groups are
not encompassed in the category, no matter how destructive. Second, the cyber operations would have
to be protracted, that is, occur over a period of time. Sporadic attacks would not qualify, regardless of
their destructiveness. Third, the requirement of intensity would augur against arguments that actions
which are not destructive can sometimes meet the test, a weak argument even in the case of international
armed conflict. Combined, the criteria mean that only significantly destructive attacks taking place
over some period of time and conducted by a group that is well-organized initiate a non-international
armed conflict.
Finally, as noted earlier, significant controversy surrounds the question of whether attacks by trans-
national non-State actors are international or non-international in character. The debate derives from the
fact that non-international armed conflicts are typically seen as conflicts between a State and “rebels,”
in other words, civil wars. AP II seemingly makes this requirement explicit in its reference to conflicts
taking place “in the territory of a State . . . between its armed forces and dissident armed forces or other
organized armed groups.”117 Although Common Article 3 contains no such restriction, its reference to
conflicts “occurring in the territory” of a Party to the 1949 Geneva Conventions has sometimes also
been construed as excluding conflicts that transcend national borders. Thus, by one interpretation,
such conflicts are international because they cross borders.118 By an alternative interpretation, they are
non-international because they do not involve States in opposition to each other, which has tradition -
ally been the distinguisher for international armed conflict. Accordingly, they are conflicts which are
“not of an international character.”119 It has also been argued that they are a new form of armed conflict
to which only the general norms applicable to all armed conflicts, such as the principle of distinction,
apply. This form of conflict has been labeled “transnational.”120 Finally, it might be argued that there is
no armed conflict at all, but rather mere criminality. In fact, a strict reading of the law would suggest
as much. However, this last approach begs the question of what law applies in the event of an armed
attack (in the ad bellum context) to which a State responds forcefully, since absent an armed conflict,
IHL is inapplicable. Whatever the correct characterization, it would apply equally to groups conducting
cyber operations of the intensity required to constitute an armed conflict.
113AP II, supra note 99, art. 1.2, generally deemed to equally reflect the standard applicable to Common Article 3 and customary
international law. See, e.g., Rome Statute, supra note 77, art. 8(2)(f).
114 Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, supra note 51, ¶ 70.
115 Prosecutor v. Akeyesu, Case No. ICTR-96-4-T, Judgment, ¶ 619 (Sept. 2, 1998); Rome Statute, supra note 77, art. 8(2)(f).
116AP II, supra note 99, art. 1(1). It must also be able to implement the provisions of the Protocol.
117 See text at fn 112.
118 HCJ [High Court of Justice] 796/02, Public Committee against Torture in Israel et al. v. Government of Israel et al., ¶ 21(Dec.
13, 2006).
119 Hamdan v. Rumsfeld, 126 S.Ct. 2749, 2795-96 (2006).
120 See, e.g., Geoff Corn, “Hamdan, Lebanon, and the Regulation of Armed Conflict: The Need to Recognize a Hybrid Category
of Armed Conflict,” 40 vanderbilt transnational law Journal 295 (2006).
OCR for page 177
1��
miCHAEl n. SCHmitt
FAuLT LINES IN THE LAW
The legal analysis set forth above should strike most readers as unsatisfactory. Clear fault lines in
the law governing the use of force have appeared because it is a body of law that predates the advent of
cyber operations. The normative scheme made sense when close congruity existed between the coercive
instruments of international relations, particularly military force, and their effects. To the extent one State
disrupted order in the international community, it usually did so by using force to harm objects and per-
sons. Resultantly, instrument-based normative shorthand (use of force, armed attack, and armed conflict)
was employed as a means of precluding those effects (death, injury, destruction and damage) which were
perceived as most disruptive of community stability, and as most threatening to State security. Debates
such as whether actions short of military operations are uses of force or whether minor border incursions
qualify as armed attacks demonstrate that the foundational concerns were actually consequence-based,
for both reflect recognition that the instrument-based approach is not perfectly calibrated.
The advent of cyber operations threw the instrument-based approach into disarray by creating the
possibility of dramatically destabilizing effects caused by other than kinetic actions. They weakened the
natural congruency between the normative shorthand employed in the law governing resort to force
and those consequences which the law sought to avoid as disruptive. Conceptually, the “qualitative”
scheme, by which prohibitions were expressed in terms of types of activities (use of the military and
other destructive instruments as distinguished from non-destructive ones) no longer sufficed to preclude
those effects about which States had become most concerned. A non-kinetic, non-destructive means of
generating effects which States cannot possibly countenance now existed; the qualitative shorthand no
longer tracked the quantitative concerns of States.
The prohibition on the use of force has proven somewhat adaptable to this new reality because it has
long been understood to extend beyond the application of kinetic force. Thus, it is reasonable to employ
the criteria suggested in this article to identify situations in which non-kinetic actions will result in quan-
titatively unacceptable, and therefore prohibited, consequences. The UN Charter mechanism for Security
Council-based responses to threats to the peace, breaches of the peace and acts of aggression is likewise
adaptable because by it threats to the peace include, simply put, whatever the Council wishes.
However, the textual precision of the “armed attack” component of the individual and collective
self-defense norm leaves little room for interpretive reshaping. By its own terms, “armed attack” does
not reach many cyber-generated consequences to which States will wish to respond in self-defense. To
a lesser extent, the same is true with regard to the notion of “armed conflict.” It seems incongruent that
a minor firefight would initiate an armed conflict, but a major non-physically destructive cyber attack
against the cyber infrastructure of a State would not.
Evidence of disquiet abounds. In a recent report by the National Research Council, examples of
armed attack included “cyberattacks on the controlling information technology for a nation’s infra -
structure (whether or not it caused immediate large-scale death or destruction of property)” and “a
cyberattack against the stock exchanges that occurs repeatedly and continuously, so that trading is
disrupted for an extended period of time (e.g., days or weeks).”121 As a matter of law, they would likely
qualify as uses of force, but not, by a strict interpretation of the self-defense norm, as armed attacks
(or as initiating an armed conflict). The problem is that most States would surely treat them as such. In
other words, the National Research Council report has misconstrued the law, but accurately identified
probable State behavior.
When State expectations as to the “rules of the game” deviate from those that actually govern
their actions, new norms can emerge. One method by which this can occur is through new treaty law.
However, it is highly unlikely that any meaningful treaty will be negotiated to govern cyber operations
in the foreseeable future. The greatest obstacle is that those States which are most vulnerable to cyber
operations tend to be those which are also most capable of conducting them. Such tension will cause
121 Technology, Policy, Law, and Ethics, supra note 63, at 254-55.
OCR for page 178
1�� PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS
such States to hesitate before agreeing to prohibitions designed to protect them which may also defini -
tively limit their freedom of action. This is especially so in light of the nascent nature of cyber warfare
and the lack of experience of most States in these operations. In international relations, States are often
comfortable with a degree of vagueness.
Much more likely is the emergence of new understandings of the existing treaty law which are
responsive to the realities of cyber operations. While only subsequent treaty action can technically alter
a treaty’s terms, State practice can inform their interpretation over time. A well-known example involves
veto action by Permanent Members of the Security Council. The UN Charter provides that a binding
resolution of the Council requires the affirmative vote of all five Permanent Members. 122 However, State
practice has been to treat the provision as blocking action only when a member of the “P5” vetoes a
proposed resolution. This counter-textual interpretation is now accepted as the law. 123 The recent exten-
sion of the notion of armed attack to actions by non-State actors similarly illustrates normative evolution
prompted by shifting State expectations.
In due course, similar evolution in the how the concept of armed attack is understood should be
anticipated, as States increasingly accept the proposition that armed attacks must be judged qualita -
tively and quantitatively. Consequences will remain the focus of concern, but they will be assessed both
in terms of nature and as to their impact on affected States. In this regard, the seven criteria proffered
above in the use of force context can serve as useful indicators of whether States are likely to characterize
particular cyber operations as armed attacks (or as initiating an armed conflict), and thus suggest the
probable vector of the law. However, for the moment the existing law remains intact; it will be left to
States to articulate the expectations and engage in practices that can serve to fuel the normative process
necessary to transform lex ferenda into lex lata.124
122 U.N.Charter, art. 27.3.
123 See
discussion in Bruno Simma, Stefan Brunner & Hans-Peter Kaul, Article 2�, in I the Charter of the United nations: A Com-
mentary 476, 493-98 (Bruno Simma ed., 2d ed. 2002). The veto principle does not apply to votes on procedural matters.
124 The law as it should be and the law that is, respectively.
