I. Introduction
International cyber warfare is an ever-growing concern, particularly with the
growth of technology during this age of information in the 21st century.[1] By
means of a computer, critical infrastructure and critical infrastructure systems
may become subject to cyber-attacks that could have potentially devastating
first-, second-, and third-order effects.[2] It is difficult to imagine how an
attack is made obvious by means of cyber warfare.[3] The very nature of the
cyber-attack is to be secretive, and it is very often even designed to be
undetectable and untraceable to its source.[4] The nature of the cyber threat,
as it exists in the digital realm, certainly does not make the notion of a
cyber-attack intuitively recognizable in the physical world.[5]
There have been numerous cyber-attacks targeting U.S. natural resources,
including U.S. water supply systems and energy resource systems.[6] The use of
cyber operations among state actors has significantly increased in the past ten
years and is very much recognized as the future of warfare in the 21st
century.[7] China, today’s second-largest economy, has the intent of expanding
its military capabilities, including its cyber operational capabilities, with a
focus on information extraction and exploitation, not merely for military
purposes.[8] In most recent years, Iran has gained some notoriety for acquiring
and developing a formidable “cyber army,” which many experts attribute to its
own experience of dealing with cyber breaches.[9] Cyber activities are a key
part of North Korea’s war strategy, and it seeks to make significant advances in
its ability to harass and affect its adversaries by means of carefully crafted
cyber-attacks.[10] North Korea in recent years has conducted significant
cyber-attacks against both the US and its allies.[11]
This paper will begin by defining the various concepts that exist in the
cyberworld and the different modes of cyberattack that can occur. Later it will
set out the domestic and international legal framework, recognizing the issues
that must be taken into consideration regarding a possible response to a
cyberattack or cyberterrorism. At the end, the paper will address the different
conflicts that can exist with targeting in cyberwarfare.
II. Defining the concepts of the Cyberworld:
The most interesting questions regarding cyberwar are 1) the current destructive
capacity possessed by non-state (especially criminal and terrorist) actors, and
their ability to attack economic, infrastructure, civil government, military and
intelligence targets with relative effectiveness and impunity, and 2)
distinguishing such private attacks from, and defining, casus belli when the
attack is made by an actor subject to military rather than criminal response.
Cyberspace may be defined as “a global domain within the information environment
consisting of interdependent networks of information technology infrastructures
and resident data, including the Internet, telecommunications, networks,
computer systems, and embedded processors and controllers.”[12] A 2005
Congressional Research Service (CRS) Report (Creating a National Framework for
Cybersecurity: An Analysis of Issues and Options) referred to cyberspace as “the
combination of the virtual structure, the physical components that support it,
the information that it contains, and the flow of that information within
it.”[13] The 2008 Department of Defense Dictionary of Military and Associated
Terms defines cyberspace as: “A global domain within the information environment
consisting of the independent network of information technology infrastructures,
including the Internet, telecommunications networks, computer systems, and
embedded processors and controllers.”[14] Before entering the complex world of
cyberterrorism, we have to try to define the difficult concept of terrorism. As
with obtaining universal agreement on defining the term “terrorism,” there is no
generally accepted definition for cyberterrorism.
International attempts to define terrorism trace back to the beginning of the
century. The League of Nations, the predecessor of the United Nations, proposed
a definition of acts of terrorism as “all criminal acts directed against a State
and intended or calculated to create a state of terror in the minds of
particular persons or a group of persons in the general public.”[15] The
International Law Commission’s 1954 Draft Code of Offences Against the Peace and
Security of Mankind contained the following proposed language in Article 25 to
define terrorism: “The undertaking or encouragement by the authorities of each
State of terrorist activity in another State, or the toleration by the
authorities of a State of organized activities calculated to carry out terrorist
acts in another State.”[16] The latest attempt by the United Nations
Sub-Commission on Human Rights to come up with a definition of terrorism met
with several difficulties. The first draft report of February 2001 listed three
essential elements of terrorism. A terrorist act: 1) must be illegal, violating
national or international law; 2) must be intended to harm the State for
political reasons; 3) must be capable of generating a state of fear in the
general population.[17] In 1957 the United Nations General Assembly failed to
establish a firm international definition of the word “terrorism” in the
resolution defining aggression in relation to when a nation may engage in
self-defense under Article 51 of the United Nations Charter.[18] The United
Nations chose to classify the activities of States that “send, organize, or
support armed bands, groups, irregulars, or mercenaries, which carry out acts of
armed force against a State,” as simply engaging in unlawful aggression in
direct violation of the U.N. Charter. Thus, any cyber-attack made with the
support of any State can be classified as an aggression and a direct violation
of the U.N. Charter. There are twelve international conventions related to
terrorism and ten criminal acts identified as terrorism in various United
Nations conventions and protocols. The identified acts are hijacking,[19]
aviation sabotage,[20] acts of violence at airports,[21] acts of violence
regarding maritime navigation,[22] acts and use of nuclear materials,[23]
hostage taking,[24] terrorist bombings,[25] and support from organizations
serving as financial conduits for terrorist groups.[26]
The word “terrorism” can evoke many images from the past few decades: the
hostage crisis in the Munich Olympic Village; the hijacking of the cruise ship
Achille Lauro and myriad airliners around the world; guerilla warfare in the
jungles of Latin America; the interminable conflict between the Israelis and
Palestinians; lethal attacks on the London Underground, commuter trains in
Madrid, and restaurant and entertainment venues; and, on September 11, 2001, the
airplanes flying into the World Trade Center towers. Although terrorism has
become part of a new modern reality, the underlying concepts trace back to
antiquity. In the fourth century B.C., Chinese military strategist Wu Ch’i said
that “one man willing to throw away his life is enough to terrorize a
thousand.”[27] In Western history, terrorism as political violence was integral
to the bloody rule of the Jacobins during the French Revolution. “Terror is
nothing but justice, prompt, severe and inflexible,” declared revolutionary
leader Maximilien Robespierre.[28] Given the long history of terrorism, one
might assume that the term has obtained a degree of clarity in meaning. The
expectation would be reinforced by the legal implications of classifying
incidents as terrorism and individuals or groups as terrorists. Yet interested
parties have struggled mightily in the pursuit of a mutually acceptable
understanding of terrorism. Consider the following definitions formulated by
terrorism academics and experts:
“Combining crime and armed combat, terrorism is an illegal form of clandestine
warfare that is carried out by a sub-state group to challenge the policies,
personnel, structure, or ideology of a government, or to influence the actions
of another part of the population – one with enough self-identity to respond to
selective violence.”[29]

“Terrorism is the deliberate creation and exploitation of fear through violence
or the threat of violence in the pursuit of political change. All terrorist acts
involve violence or the threat of violence. Terrorism is specifically designed
to have far-reaching psychological effects beyond the immediate victims or
object of the terrorist attack. It is meant to instill fear within, and thereby
intimidate, a wider ‘target audience’ that might include a rival ethnic or
religious group, an entire country, a national government or political party, or
public opinion in general. Terrorism is designed to create power where there is
none or to consolidate power where there is very little. Through the publicity
generated by their violence, terrorists seek to obtain the leverage, influence,
and power they otherwise lack to effect political change on either a local or an
international scale.”[30]

“Terrorism is the peacetime equivalent of war crimes: acts that would, if
carried out by government in war, violate the Geneva Conventions.”[31]

“Terrorism is an anxiety-inspired method of repeated violent action, employed by
semi-clandestine individual, group or state actors, for idiosyncratic, criminal
or political reasons, whereby – in contrast to assassination – the direct
targets of violence are not the main targets. The immediate human victims of
violence are generally chosen randomly (targets of opportunity) or selectively
(representative or symbolic targets) from a target population and serve as
message generators. Threat and violence-based communication processes between
terrorist (organization), (imperiled) victims, and main targets are used to
manipulate the main target (audience(s)), turning it into a target of terror, a
target of demands, a target of attention, depending on whether intimidation,
coercion, or propaganda is primarily sought.”[32]
Nations around the world have enacted terrorism-related legislation, either in
fulfillment of transnational obligations or on their own initiative. For
example, the United Kingdom defines terrorism as acts or threats “designed to
influence the government or an international government organization or to
intimidate the public or a section of the public… made for the purpose of
advancing a political, racial, or ideological cause.”[33] According to British
law, the acts or threats must involve serious violence against a person, serious
damage to property or interference with an electronic system, or the creation of
a serious risk to public health or safety. French law eschews any motivational
requirement, with a penal code provision defining particular crimes as acts of
terrorism when “committed intentionally in connection with an individual or
collective undertaking the purpose of which is seriously to disturb public order
through intimidation and terror.” The predicate crimes include attacks on
another’s life or personal integrity, kidnapping, hijacking, certain property
and computer crimes, offenses committed by disbanded organizations and
movements, various crimes involving weapons and explosives, money laundering and
insider trading, and contamination of food or water.[34]
The United Nations has never adopted a definition of terrorism. In 2005, the
Secretary-General of the United Nations, Kofi Annan, offered the following
definition:

“Any action constitutes terrorism if it is intended to cause death or serious
bodily harm to civilians or non-combatants, with the purpose of intimidating a
population or compelling a Government or an international organization to do or
abstain from doing an act.”[35]
Adopting the general definitional theme of terrorism set out above,
cyberterrorism is the improper use of various computing technologies to engage
in terrorist activity. Thus, the terror-motivated cyber-attack would most likely
be against the critical infrastructure of a nation to intimidate or coerce
another in furtherance of a specific political objective.[36] The term
cyberterrorism can be found in a 2005 CRS Report where the authors present
cyberterrorism in two related categories: 1) effects-based and 2) intent-based.
Effects-based cyberterrorism exists when computer attacks result in effects that
are disruptive enough to generate fear comparable to a traditional act of
terrorism, even if done by criminals as opposed to terrorists.[37] Intent-based
cyberterrorism exists when unlawful or politically motivated computer attacks
are done to intimidate or coerce a government or people to further a political
objective, or to cause grave harm or severe economic damage.[38]
The discussion of cyberterrorism must then be centered on the question of
whether a cyber-attack can target one or more of a nation’s critical
infrastructures. Section 1016(b)(2) of the Critical Infrastructures Protection
Act (CIPA) of 2001 identifies as critical infrastructures “telecommunications,
energy, financial services, water, transportation sectors,” all of which have
physical and cyber components.[39] Cyber components are of huge importance in
infrastructure because they are run by SCADA systems.[40] Section 1016(e) of
CIPA expands the concept of critical infrastructure to mean all “systems and
assets, whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a debilitating
impact on security, national economic security, national public health and
safety or any composition of those matters.”[41]
SCADA refers to Supervisory Control and Data Acquisition systems, or systems
equivalent in function, such as distributed control systems or programmable
logic control systems.[42] SCADA systems digitize and automate almost every
imaginable task associated with a certain infrastructure.[43] Since SCADA
systems provide the brain power to manage critical infrastructures, a successful
cyberterrorist attack on even a single SCADA system could cause massive economic
and physical damage across the whole United States.[44] The cyberspace
vulnerability presents an open door for a terrorist with the necessary skills to
hack into a SCADA system and, for example, shut down an entire electrical power
grid. A cyberattack could employ different types of attacks, such as: 1)
Spamming[45]; 2) Phishing[46]; 3) Spoofing[47]; 4) Pharming[48]; 5) Denial of
Service Attack[49]; 6) Distributed denial of service[50]; 7) Bolt[51] and some
others.[52] The most common type of cyber-attack is service disruption, or the
distributed denial of service (DDoS) attack, which aims to flood the target
computer with data packets or connection requests, thereby making it unavailable
to the user or, in the case of a website, unavailable to the website’s visitors.
Another similar cyber-attack is designed to capture and then control certain
elements of cyberspace in order to use them as actual weapons. A cyberattack can
also manifest itself as a conventional explosive attack on a physical structure,
such as a building that houses a SCADA system.
III. International Legal Framework
A. Jus ad Bellum versus Jus in Bello:
Jus ad bellum (“the law before the war”) refers to the legality of an armed
conflict under international law. Jus in bello is the law governing the actual
conduct of the hostilities.[53] Both bodies apply to the use of force, but in
separate and different ways. The legality of cyber activity in this research
will be examined as it relates to the jus ad bellum notions of “use of force”
and “armed attack”.
“Jus ad bellum refers to the conditions under which the States may resort to war
or the use of armed force in general. The prohibition against the use of force
amongst the States and the exceptions to it (self-defense and the UN
authorization for the use of force), set out in the United Nations Charter of
1945, are the core ingredients of jus ad bellum. Jus in bello regulates the
conduct of parties engaged in an armed conflict.”[54]
The modern incarnation of jus ad bellum has its origins in the 1919 Covenant of
the League of Nations, the 1928 Kellogg-Briand Pact and the United Nations
Charter. The U.N. Charter prohibits the use of force by one state against
another. Article 2(3) requires that “all Members shall settle their
international disputes by peaceful means in such a manner that international
peace and security, and justice are not endangered.”[55] Article 2(4) of the
U.N. Charter states: “All members shall refrain in their international relations
from the threat or use of force against the territorial integrity or political
independence of any state, or in any other manner inconsistent with the Purposes
of the United Nations.”
International law provides only two justifications that rebut the presumption
against the use of force. Thus, any cyberattack that amounts to a use of force
and does not fall within either of the legal justifications violates Article
2(4) and the fundamental prohibition of the use of force by any State against
another. The U.N. Charter provides for the exceptions to the prohibition of the
use of force: the multinational use of force authorized by the Security Council
under Chapter VII (Article 42)[56] and the inherent right of self-defense in
response to an armed attack (Article 51). Article 39 gives power to the U.N.
Security Council to determine that a particular situation constitutes a threat
to international peace and security and to decide what measures shall be taken
under Articles 41 and 42 to maintain or restore peace and security.[57] If
non-forceful measures recommended under Article 41 have failed or are not
adequate to deter or end the crisis, Article 42 authorizes the Security Council
to “take such action by air, sea, or land forces as may be necessary to maintain
or restore international peace and security… including operations by air, sea,
or land forces of Members of the United Nations.”[58]
States may use force as an act of individual or collective self-defense in
response to an armed attack in accordance with Article 51 of the U.N. Charter.
This justification for the use of force builds on, and is established within,
the basic framework of the jus ad bellum. Article 51 states:

“Nothing in the present Charter shall impair the inherent right of individual or
collective self-defense if an armed attack occurs against a Member of the United
Nations, until the Security Council has taken the measures necessary to maintain
international peace and security. Measures taken by the Members in the exercise
of self-defense shall be immediately reported to the Security Council and shall
not in any way affect the authority and responsibility of the Security Council
under the present Charter to take at any time such action as it deems necessary
in order to maintain or restore international peace and security.”
B. What is an armed cyber-attack?
The International Court of Justice has stated that Articles 2(4) and 51 of the
United Nations Charter, regarding the prohibition of the use of force and
self-defense respectively, apply to “any use of force, regardless of the weapons
employed.”[59] The prohibition is undoubtedly a norm of customary international
law.[60] Defining a cyber “armed attack” is especially difficult, in part
because of the indeterminate international consensus on the definition of what
constitutes an armed attack in the physical realm. The ambiguity in the physical
realm has carried into the cyber domain. In the cyber domain there are three
schools of thought regarding when a cyber-attack might be viewed as an armed
attack (assuming always that we have been able to determine that the event was,
in fact, an “attack” using cyber means).[61]
One school of thought looks at whether the damage caused by such an attack could
previously have been achieved only by kinetic attack.[62] For example, using
this model, a cyber-attack conducted for the purpose of shutting down a power
grid would be deemed an armed attack. A second school looks at the scope and
magnitude of the effects of the cyber-attack on a victim-State, rather than
attempting to compare the effects to any form of kinetic attack.[63] For
example, consider the disablement of a financial network. With real effects, but
no physical harm, this would be seen as equivalent to an armed attack, despite
the fact that nothing was broken or destroyed; only some digital financial
records were disrupted. A third view is akin to a strict liability rule. Any
attack on a State’s critical national infrastructure, even if unsuccessful,
would be deemed an armed attack per se, and thus would cover attempted
intrusions that had no consequences. It may also include any preparatory
intrusions that fell short of an armed attack but could be viewed as “preparing
the battlefield” for later success.[64] The Tallinn Manual says that an “armed
attack” in the cyber domain occurs where “the effects of a cyber operation, as
distinct from the means used to achieve those effects, were analogous to those
that would result from an action otherwise qualifying as a kinetic armed
attack.”[65]
It is worth noting that the legal conclusion that an “armed attack” has occurred
brings with it some legal implications. The logical consequence of applying the
laws of armed conflict to the cyber domain is to authorize the United States
military to use any weapon in its arsenal in response (provided it does so in a
lawful manner).[66] This could include offensive cyber operations against those
who are deemed responsible for an attack, but it could also include the full
panoply of other military options. Another legal implication derived from the
analysis is that it affects our treaty obligations. In June 2014, for example,
NATO updated its cyber defense policy to make it clear that a cyber-attack can
be treated as the equivalent of an attack with conventional weapons for the
purposes of NATO obligations. NATO has now expressed the view that a
cyber-attack on a member state is covered by Article 5, the collective defense
clause of the NATO treaty. As a result, NATO members have agreed to take action
against a cyber aggressor, up to and potentially including the use of force, to
restore security.[67]
It is an interesting question to consider whether the Stuxnet intrusion on
Iran’s nuclear program met the definition of an armed attack. It certainly had
the requisite physical effect. But its scope and duration were relatively
narrow, modest and short-lived. Nevertheless, Iran could have made a plausible
argument that it was entitled to respond with armed force against the Stuxnet
attacker. Some observers have argued that the Iranian attack on Saudi Aramco[68]
and the failed Iranian assassination attempt against Saudi Arabia’s ambassador
were motivated, in part, by the Iranian conclusion that Saudi Arabia was
complicit in the Stuxnet virus attack.[69]
C. Proportionality and Jus In Bello Requirements
As a matter of policy, the views of the traditional laws of war apply to a cyber
conflict. Yet traditional rules don’t translate well to the cyber domain and are
of problematic application. As with the application of jus ad bellum, there are
more questions than answers.[70] The most basic requirement of jus in bello is
that of proportionality. To determine proportionality, we turn to a
multi-factored analysis. Those advising on this matter will be obligated to
determine whether a planned response is excessive when balanced against the
value of the military objective sought to be gained. Consideration must also be
given to whether it adequately distinguishes between military objectives and
civilian property. Questions like these, about proportionality, are why a
nuclear response to a hack is simply unfeasible: nobody would think that it was
a proportionate response.[71]
These questions are particularly indeterminate in the cyber context. We can see
the uncertainties they cause in the Department of Defense’s 2011 report to
Congress.[72] For the first time ever, the United States announced that it was
going to use cyber-offensive weapons in self-defense. As Jack Goldsmith of
Harvard pointed out,[73] this policy is limited to retaliation for “significant”
or “crippling” cyber attacks. Small-scale insurgency attacks or other forms of
espionage are immune from retaliation. This might be proportionate, but it also
means that those forms of intrusion are not capable of being deterred.
The laws of armed conflict require a nation to avoid collateral damage where
possible and to minimize it where it is unavoidable; the uncertainty of cyber
effects from an attack makes offensive cyber weapons particularly problematic.
Those responses we can imagine (hacking back into an adversary’s system, for
example) might cause collateral damage to civilian property or systems that is
disproportionate in nature (often because, in the cyber realm, they are
inextricably intertwined). More to the point, unlike kinetic weapons, where
collateral damage predictions are readily calculated, in the cyber domain we
have yet to develop an adequate methodology for making that sort of assessment.
It was precisely considerations of this sort that caused the Bush Administration
to shelve plans to launch a cyber attack on Iraq: they had no idea what the
collateral consequences of the attack might be.[74] Likewise, the same sort of
concerns were part of the calculus that led the United States to eschew a cyber
attack against Libya in connection with the NATO-led military operation in
2011.[75]
D. Non-International Armed Conflict, Non-State Actors and Sub-War Acts
Questions of jus ad bellum and jus in bello barely begin to delimit the scope of
legal questions relating to the nature of the cyber conflict in this new domain.
Few, if any, of the conflicts we can imagine will involve actions that rise to
the level of an armed attack sufficient to trigger the application of
international humanitarian law. More to the point, even fewer of the conflicts
will involve armed actions between the militaries of nation states. Even if the
tools used rise to the level of sufficient significance to merit classification
as an armed attack, the likely combatants may be non-state actors. To be sure, a
true cyber war between nation states may occur, but it is most likely to occur
in the context of a kinetic armed conflict.
As a consequence, much of the application of international humanitarian law to
cyber seems rather misfocused on events that are unlikely to occur. Instead, we
can imagine any number of far more plausible conflicts that involve a nation
state and a group of non-state actors (whether those actors are organized groups
or ad hoc amalgams of individuals, and whether those groups are motivated by
profit, pride, or politics), and we can equally imagine conflicts where the
tools of choice involve activity that is below the level of an armed attack in
international law: acts we might call “sub war” acts, involving the degradation
of information, the disruption of communications, or even the destruction of
capabilities. How should we characterize these types of activities as a legal
matter and what, if any, international law governs the conduct of these
activities? The answer to these questions requires, in the first instance, that
we develop a taxonomy of cyber conflict, in effect scoping the domain. An
effective taxonomy allows for two useful and interrelated definitional questions
to be identified. First, it permits us to understand the domain of certain
applicable laws and identify those domains for which applicable laws have yet to
be developed. Second, it allows us to specify the boundary questions between
domains, boundaries that often require legal, as well as practical, definition.
A related issue in the analysis is the issue of State sponsorship. The law of
war recognizes acts of self-defense in the context of acts of a hostile
nation-state, not of individual actors or groups of individuals that act in a
private capacity. The expectation is that the aggrieved State will notify the
nation-state; if the nation-state is unwilling or unable to provide assistance
and cooperation, then the aggrieved State may be justified in using force, as
was the case with the United States vis-à-vis the Taliban’s support for the
terrorist al-Qa’eda network in Afghanistan. On the other hand, if the cyber
attack cannot be traced to a nation-state, the matter of retaliation is greatly
limited. Clearly, the international laws associated with the use of force are
woefully inadequate in terms of addressing the threat of cyberwarfare. Without a
clear set of rules addressing cyberwarfare, individual nation-states will no
doubt operate within the framework of existing legal norms by extrapolation,
much like the North Atlantic Treaty Organization (NATO) did when it invoked the
NATO collective self-defense clause under Article 5 of its Charter, declaring
that the terror attacks of 9/11 constituted an “armed attack” under
international law despite the fact that al-Qa’eda is not a nation-state.
E. Targeting in Cyberwar
The U.S. Department of Defense has a conservative and reasonable analysis of
targeting in cyberwar, applying, inter alia, the standard principles of
proportionality, military necessity and distinction. In particular, it
emphasizes the need to reduce harm to civilian populations. The Department of
Defense states:
“Parties to a conflict must take feasible precautions to reduce the risk of
incidental harm to the civilian population and other protected persons and
objects. Parties to the conflict that employ cyber operations should take
precautions to minimize the harm of their cyber activities on civilian
infrastructure and users. The obligation to take feasible precautions may be of
greater relevance in cyber operations than other law of war rules because this
obligation applies to a broader set of activities than those to which other law
of war rules apply.”[76]
Interestingly, the Manual also notes that, as with Autonomous Fighting Vehicles
and Precision Munitions, “cyber operations that result in non-kinetic or
reversible effects might offer options that help minimize unnecessary harm to
civilians… because their effects may be reversible, and they may hold the
potential to accomplish military goals without any destructive kinetic effect at
all.”[77] The targeting dilemma is complicated by the reality that, in
cyberwarfare, an attack may reveal the means and methods which prevent future
attacks. President Barack Obama was confronted with that problem in deciding how
to respond to Russian cyberattacks on U.S. governance and elections:
“The National Security
Agency and its military cousin, the United States Cyber Command, which is
responsible for the computer-network warfare, have worked up other ideas,
officials said, though some have been rejected by the Pentagon.
Those plans could deploy
the world-class arsenal of cyberweapons assembled at a cost of billions of
dollars during Mr. Obama’s tenure to expose or neutralize some of the hacking
tools favored by Russia’s spies – the digital equivalent of a pre-emptive
strike. But the selection of targets by Americans and the accuracy of that
retaliation could also expose software implants that the United States has
patiently inserted and nurtured in Russian networks, in case of future cyber
conflicts.
The president has reached
two conclusions, senior officials report: The only thing worse than not using a
weapon is using it ineffectively, and if he does choose to retaliate, he has
insisted on maintaining what is known as escalation dominance, the ability to
ensure you can end a conflict on your terms.”[78]
One of the interesting questions is the use of kinetic weapons to target cyber
operations, attacking, for example, servers, computer centers or individuals
engaged in cyberwarfare. While the standard legal analysis is applicable, its
application may be to an entirely new set of arguably civilian targets
previously not necessarily considered. In addition, as is discussed below, many
potential targets may be dual-use sites, the destruction of which will adversely
affect non-military interests, and questions of proportionality will have to be
clearly considered. That is one of the many issues which, while subject to
general analysis, are unique in their application. Three issues seem of
particular interest: 1) the ability to identify attacking enemies; 2) the very
often dual nature of potential targets; and 3) the problem of the effect on
neutrals of warfare in cyberspace.
Recent events in
the United States’ 2016 national election demonstrate that even when a powerful
nation’s intelligence agencies identify a state actor engaged in activity which
arguably constitutes casus belli,
the State may respond in ways which are not obvious to the general public as
open warfare. The problem is exacerbated when there is no certainty about the
attacking entity. Accordingly, as the U.S. Department of Defense notes:
“The same technical
protocols of the Internet that have facilitated the explosive growth of cyberspace
also provide some measure of anonymity. Our potential adversaries, both nations
and non-state actors, clearly understand this dynamic and seek to use the
challenge of attribution to the strategic advantage. The Department recognizes
that deterring malicious actors from conducting cyber attacks is complicated by
the difficulty of verifying the location from which an attack was launched and
by the need to identify the attacker among a wide variety and high number of
potential actors.” [79]
The potential for
mischief in this area is very high. If a State can convince two of its
adversaries to engage in hostilities, the benefits might be highly tempting.
The concept is certainly not a new one. So-called “black propaganda” was a
standard tactic in the 20th century:
“During the early phase of
World War II the Nazis operated at least three radio stations that sought to
give the impression that they were broadcasting somewhere in Britain. One of
the stations was called Radio Free Caledonia and claimed to be the voice of
Scottish nationalism; another referred to itself as the Workers’ Challenge
Station and disseminated unorthodox left-wing views; a third, the New British
Broadcasting Station, provided news bulletins and comments in the style of the
BBC but with a concealed pro-German bias. None of these stations reached large
audiences and they only broadcast for a few hours a day. The aim of this black
propaganda was to undermine the morale of the British people-particularly
during the Battle of Britain.” [80]
At the same time,
the caution inherent in the military forces of democracies and their civilian
leadership tends to avoid direct attacks until absolute certainty is obtained.
The entire problem points to the need for robust intelligence operations to
penetrate cyberattack facilities of potential adversaries and give relative
assurance of where an attack will be launched from. Under the limited time
requirements in cyberwar, it may well be that such intelligence gathering is,
in effect, legally necessary to allow accurate targeting of enemy facilities in
an effective fashion. As the DoD Manual
notes, “cyber operations may include reconnaissance (mapping a network), seizure
of supporting position (securing access to key network system or nodes), and
pre-emplacement of capabilities or weapons (implanting cyber access tools or
malicious code).”[81]
Except for purely
military networks which are highly unlikely to be the direct source of attacks
(unless, like Stuxnet, the attacker wishes to be identified as a threat of
future and more severe action), it is more likely that cyber-attacks may
emanate from civilian servers or involuntarily linked computer networks. As the
U.S. Department of Defense has pointed out:
“In applying the
proportionality rule to cyber operations, it might be important to assess the
potential effects of a cyber attack on computers that are not military
objectives, such as private, civilian computers that hold no military
significance, but that may be networked to computers that are valid military
objectives.” [82]
In fact, numerous potential
military targets, including electrical grids, means of transmitting
information, transportation systems such as highway and air traffic controls,
manufacturing facilities and stores of vital raw materials, may also be essential
to the health and welfare of the civilian population. Accordingly, any attack
will have to be closely analyzed for military necessity and proportionality in
order to limit harm to civilians to the maximum extent possible.
The Tallinn Manual explains:
“A cyber armed attack by
State A against State B may have bleed-over effects in State C. If those
attacks meet the scale and effects criteria for an armed attack, the majority
of the Experts would conclude that State C is entitled to resort to the use of force
in self-defense, so long as the defensive action complied with the necessity
and proportionality criteria…” [83]
The neutrality
problem may, in fact, arise in two contexts: 1) belligerent use of servers in
neutral states, or 2) attacks against an enemy network which adversely affect
computer operations in a neutral. The first is the more legally problematic. To
the extent that an enemy is operating from a third state, a belligerent has the
right to take such acts in self-defense as are necessary to protect its
interest in the most limited way available. Thus, for example, while a kinetic
attack on an enemy server in its homeland might well be an appropriate method
of warfare, the physical destruction of a neutral server might be excessive
when it could be temporarily disabled or blocked.
The situation is
complicated by the obligation of neutrals to prevent enemy activity within
their borders, and by the very high probability that the neutral power will
be unaware of the action taken. Accordingly, responses to the enemy activity
from neutral servers will have to be closely monitored for legal compliance,
and the need for advance intelligence is equally high. The second issue, what
the Tallinn Experts call
“bleed-over,” is an easier one. The State attacking an enemy server is under a
legal obligation to do its utmost to ensure a neutral’s infrastructure and
population are not inadvertently attacked. The possibility of such impacts
means questions of proportionality and necessity will require even closer scrutiny
before a decision is made to completely destroy or disable an enemy server
facility.
IV. Domestic Legal Framework
The advances in
technology have caused a shift in law enforcement techniques that are
stretching the protections of the Constitution’s Fourth Amendment (unreasonable
search and seizure).[84] The
primary law enforcement mechanism to deal with attacks on computers is the 1984
Counterfeit Access Device & Computer Fraud and Abuse Act.[85] It was
amended in 1994, 1996, and in 2001 by the USA PATRIOT Act. The Counterfeit
Access Device & Computer Fraud and Abuse Act makes it a federal crime to
gain unauthorized access to, damage, or use illegally, certain “protected”
computers and computer systems. The term protected applies to those computer
systems used by the nation’s financial institutions, a federal government
entity, or for interstate and foreign commerce. In addition to addressing acts
of trafficking in passwords, espionage and fraud, the Counterfeit Access Device
& Computer Fraud and Abuse Act also covers damage to such protected
computers by the use of a virus, worm or other device.
Under § 218,
the USA PATRIOT Act increased the scope and penalties associated with hackers,
where violators need only intend to cause damage generally, and a second
offense is punishable by up to a 20-year prison sentence. The USA PATRIOT Act
also enlarged the definition of criminal acts associated with terrorism[86] to
include intentionally damaging a protected computer if the offense involves
either impairing medical care, causing physical injury, threatening public
health or safety, or damaging a governmental justice, national defense, or
national security computer system. Other federal statutes address illegal wire
fraud[87],
aggravated identity theft[88], fraud
in connection with identification documents, authentication features and
information[89], intentional interference
with computer-related systems used in interstate commerce[90],
deceptive practices affecting commerce[91], and
installing “sniffer” software to record keystroke and computer traffic.[92]
In U.S. v. Mitra[93], in the United
States District Court for the Western District of Wisconsin, the defendant was
convicted of two counts of intentional interference with computer-related
systems used in interstate commerce, in violation of 18 U.S.C. § 1030(a)(5).
The judge in the case noted that even though the statute violated does not
directly address the acts committed by the defendant, Congress had written
a general statute not intended to list each and every particular forbidden act.
The judge explained that: “electronics and communication can change rapidly,
while each legislator’s imagination is limited.” The conviction was upheld on
appeal.
A 2007 report
issued by the Government Accountability Office (GAO) noted that the government
and private sectors face a number of obstacles in securing cyberspace,
particularly in the context of law enforcement and operational security. The
four main categories of concern in the GAO report touched on cyber crime: 1) accurately
reporting cyber crime to law enforcement; 2) ensuring adequate law enforcement
analytical and technical capabilities: obtaining and retaining investigators,
prosecutors, and cyber forensics examiners and keeping up to date with current
technology and criminal techniques; 3) working in a borderless environment with
the laws of multiple jurisdictions; 4) protecting information and information
systems and raising awareness about criminal behavior.[94]
Individual states
have also enacted laws associated with cyberterrorism concerns. These laws
address a wide range of issues from improving security measures for wireless
networks to criminalizing the installation of software on another’s computer
which is then used in deceptive methods.
In addition to criminal laws, civil actions based on commercial code
unfair competition prohibitions can also serve to punish hackers. The fear of cyberterrorism as a destructive
force has caused at least 48 States to pass non-release provisions to their
State open government laws: State freedom of information laws (patterned after
the federal Freedom of Information Act) and State Sunshine laws (providing for
public access to government meetings). The legislative thrust
of these provisions is to deny potential terrorists access to certain
information that could aid them in conducting a disabling physical or cyber
attack on the critical infrastructure.[95]
V. Conclusion:
The United States’ technological
advances in cyber technology can also prove to be a critical weakness. The United
States’ dependency on the cyber world opens new vulnerabilities to a different
type of terrorist act. A cyber attack can target an actual computer networking
system that can cripple a critical infrastructure. It can also manifest itself
in a conventional explosive attack on physical structures. A cyber threat must
be met with the same recognition and gravity as a physical terrorist attack.
The United States must listen carefully to all these warnings.
[1] Cyber Warfare in the 21st Century; Threats,
Challenges, and Opportunities, 150th Cong. 7 (2017).
[2] Mary L. Kelly, Rules
for Cyberwarfare Still Unclear Even As U.S. Engages In It, National Public
Radio (April 20, 2016).
[3] Id.
[4] Vince Farhat, Cyber
Attacks: Prevention and Proactive Responses, Thomson Reuters Practical Law (2017).
[5] Id.
[6] Cyber Warfare in the 21st Century; Threats,
Challenges, and Opportunities, 150th Cong. 6-7 (2017).
[7] Id. at 9.
[8] John R. Lindsay, Tai Ming Cheung, and Derek S.
Reveron, China and Cybersecurity:
Espionage, Strategy, and Politics in the Digital Domain 7 (2015).
[9] Cyber Warfare in the 21st Century; Threats,
Challenges, and Opportunities, 150th Cong. 4-5 (2017).
[10] Id.
[11] Id. at 25.
[12] Jeffrey F. Addicott, Terrorism Law: Materials, Cases, Comments, 7th Edition.
[14] D.O.D. Manual,
Chapter 16.1.1.
[15] Convention for the Prevention and Punishment of
Terrorism, Nov. 16, 1937, 19 L.N.T.S. 23. The draft convention failed to muster
support, and work on a consensus definition will not begin until the 1970s.
[16] Jeffrey F. Addicott, Terrorism Law: Materials, Cases, Comments, 7th Edition.
[17] Id.
[18] Id.
[19] Convention on Offences and Certain Other Acts Committed on
Board Aircraft (1963) United Nations, Treaty Series, vol. 704, p. 218.
Available at
[20] Convention for the Suppression of Unlawful Seizure of
Aircraft (1970) The Convention for the Suppression of Unlawful Seizure of
Aircraft was signed at The Hague on 16 December 1970 and entered into force on 14 October 1971. Available at
[21] Protocol for the Suppression of Unlawful Acts of Violence
at Airports Serving International Civil Aviation,
Supplementary to the Convention for the Suppression of Unlawful Acts against
the Safety of Civil Aviation (1988) The Protocol for the Suppression of Unlawful
Acts of Violence at Airports Serving International Civil Aviation, supplementary to the Convention for the
Suppression of Unlawful Acts against the Safety of Civil Aviation was signed at
Montreal on 24 February 1988 and entered into force on 6 August 1989. Available
at
[22] Convention for the Suppression of Unlawful Acts against the
Safety of Maritime Navigation (1988) The Convention for the Suppression of
Unlawful Acts against the Safety of Maritime Navigation was adopted on 10 March
1988 and entered into force on 1 March 1992.
Available at http://untreaty.un.org/English/Terrorism/Conv8.pdf.
[23] Convention on the Physical Protection of Nuclear Material
(1980). United Nations, Treaty Series, vol. 1456, No. 24631. Available at http://untreaty.un.org/English/Terrorism/Conv6.pdf.
[24] International Convention against the Taking of Hostages
(1979) United Nations, Treaty Series vol. 1316, No. 21931. Available at http://untreaty.un.org/English/Terrorism/Conv5.pdf.
[25] International Convention for the
Suppression of Terrorist Bombings (1997) General Assembly resolution 52/164, annex. Available at
[26] International Convention for the Suppression of the
Financing of Terrorism (1999) General Assembly resolution 54/109, annex.
Available at www.un.org/law/cod/finterr.htm
[27] Sun Tzu, The Art of War 168 (Samuel B. Griffith
trans. 1963).
[28] R. R. Palmer, The Age of Democratic Revolution: The
Struggle 26 (1970).
[29] Phillip Heymann, Terrorism
and America: A Common Sense Strategy
for a Democratic Society 9 (1998).
[30] Bruce Hoffman, Inside
Terrorism 40-41 (2006).
[31] Alex P. Schmid & Ronald D. Crelinsten, Western Responses to Terrorism 13
(1993).
[32] Alex P. Schmid & Albert J. Jongman, Political Terrorism: A New Guide to Actors,
Authors, Concepts, Data Bases, Theories and Literature 28 (2nd
ed. 2005).
[33] Terrorism Act, 2000, c. 11 §1(1) (Eng.)
[34] Code Pénal (C. PÉN.) art. 421-1 (Fr).
[35] Jeffrey F. Addicott, Terrorism Law: Materials, Cases,
Comments, 7th Edition.
[36] Id.
[37] Id.
[38] Id.
[39] Id.
[40] Id.
[41] Id.
[42] Id.
[43] Id.
[44] Approximately 85% of the nation’s critical
infrastructures are owned and operated by private business where the
predominant emphasis for SCADA is on maintaining system reliability and
efficiency.
[45] Sending unsolicited commercial email advertising for
products, services, and websites. Spam can also be used as a delivery mechanism
for malware and other cyber threats.
[46] A high-tech scam that frequently uses spam or pop-up
messages to deceive people into disclosing their credit card numbers, bank
account information, Social Security numbers, passwords, or other sensitive
information.
[47] Creating a fraudulent website to mimic an actual,
well-known website run by another party. Email spoofing occurs when the sender
address and other parts of an email header are altered to appear as though the
email originated from a different source.
[48] A method used by phishers to deceive the users into
believing that they are communicating with a legitimate website. Pharming uses
a variety of technical methods to redirect a user to a fraudulent or spoofed
website when the user types in a legitimate web address.
[49] An attack in which one user takes up so much of a shared
resource that none of the resource is left for other users.
[50] A variant that uses a coordinated attack from a
distributed system of computers rather than from a single source. It often
makes use of worms to spread to multiple computers that can then attack the
target.
[51] A network of remotely controlled systems used to
coordinate attacks and distribute malware, spam, and phishing scams. These are
programs that are covertly installed on a targeted system, allowing an
unauthorized user to remotely control the compromised computer for a variety of
malicious purposes.
[52] Viruses, Trojan Horse, Worm, Malware, Spyware.
[53] Laurie R. Blank, Gregory P. Noone, International Law and Armed Conflict:
Fundamental Principles and Contemporary Challenges in the Law of War, p.
15-22 (2013).
[55] Supra n. 50.
[56] Id.
[57] Id.
[58] Id.
[59] Legality of the
Threat or Use of Nuclear Weapons
advisory opinion (1996), p. 22 http://www.icj-cij.org/files/case-related/95/095-19960708-ADV-01-00-EN.pdf.
[60] Nicaragua v. United States of America
(1986), p. 89-90 http://www.icj-cij.org/files/case-related/70/070-19860627-JUD-01-00-EN.pdf.
[61] John Norton Moore, Guy B. Roberts, Robert F. Turner, National Security Law & Policy, p.
545 (3rd edition)
[62] Id.
[63] Id.
[64] Id.
[65] Tallinn Manual,
Rule 13 Commentary 4.
[66] Ellen Nakashima, List
of Cyber-weapons Developed by Pentagon to Streamline Computer Warfare,
Washington Post, June 1, 2011.
[67] Steve Ranger, NATO
Updates Cyber Defense Policy as Digital Attacks Become a Standard Part of
Conflict, ZDNet, https://www.zdnet.com/article/nato-updates-cyber-defence-policy-as-digital-attacks-become-a-standard-part-of-conflict/.
[68] Known as the “Shamoon” virus.
[69] David E. Sanger, America’s
Deadly Dynamics with Iran, New York Times, November 6, 2011. https://www.nytimes.com/2011/11/06/sunday-review/the-secret-war-with-iran.html?mtrref=www.google.com&gwh=320A1233E70285BED0061615D1D95570&gwt=pay&assetType=opinion.
[70] Thomas C. Wingfield, Legal Aspects of Offensive Information Operation in Space http://www.au.af.mil/au/awc/awcgate/dod-io-legal/wingfield.pdf
[71] Tallinn Manual
2.0 Rule 51: “a cyber attack that may be expected to cause incidental loss
of civilian life, injury to civilians, damage to civilian objects, or a
combination thereof, which would be excessive in relation to the concrete
and direct military advantage anticipated is prohibited.”
[72] Department of Defense Cyberspace Policy Report
(November 2011) https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-059.pdf.
[74] John Markoff and Thom Shanker, Halted 03 Iraq Plan Illustrates Fear of Cyber Risk, New York Times,
August 2, 2009. https://www.nytimes.com/2009/08/02/us/politics/02cyber.html.
[75] Eric Schmitt and Thom Shanker, U.S. Debated Cyberwarfare Against Libya, New York Times, October 17,
2011. https://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html.
[76] Department of Defense, Law of War Manual § 16.5.3.
[77] Id. at § 16.5.3.1.
[78] David E. Sanger, Obama
Confronts Complexity of Using a Mighty Cyberarsenal Against Russia, New
York Times, December 17, 2016.
[79] Department of Defense, Cyberspace Policy Report: A Report to Congress Pursuant to the National
Defense Authorization Act for Fiscal Year 2011, Section 934, 4 (Nov. 2011).
[81] Department of Defense, Law of War Manual § 16.2.1.
[82] DoD Manual
§ 16.5.1.1.
[83] Tallinn Manual,
Comment 12 to Rule 13.
[84] See Riley v. California, 134 S.Ct. 247
(2014). Recently the Supreme Court
heard oral arguments in a case regarding the question of whether the government
violates the Fourth Amendment to the United States Constitution by accessing an
individual's historical cellphone locations records without a warrant. See Carpenter v. United States oral
arguments. https://www.oyez.org/cases/2017/16-402.
[85] 18 U.S.C. § 1030.
[86] 18 U.S.C. § 2332b(g)(5)(B).
[87] 18 U.S.C. § 1343.
[88] 18 U.S.C. § 1028A.
[89] 18 U.S.C. § 1028.
[90] 18 U.S.C. § 1030(a)(5).
[91] 15 U.S.C § 45(a)(1).
[92] 18 U.S.C. § 2510-2421.
[93] U.S. v. Mitra,
405 F.3d 492 (2005).
[95] Ohio Revised Code § 149.433 (A)(2); Ohio Revised Code
§149.433 (A)(1); Ohio Revised Code § 2909.21.