Inside Cyber Warfare - Jeffrey Carr [164]
[224] US Department of Defense, Department of Defense Strategy for Operating in Cyberspace, July 2011.
[225] Bruce Hoffman, “The Use of the Internet by Islamic Extremists,” Testimony presented to the House Permanent Select Committee on Intelligence on May 4, 2006, Santa Monica, CA: RAND, 2006; David A. Fulghum, “Digits of Doom,” Aviation Week & Space Technology 167, no. 12, September 24, 2007.
[226] Ellen Nakashima, “List of cyber-weapons developed by Pentagon to streamline computer warfare,” Washington Post, May 31, 2011.
[227] P. D. Allen, “The Palestinian-Israeli Cyber War,” Military Review (March–April 2003): 52–59, 52.
[228] National Security Act of 1947, 50 U.S.C. section 413(b)(e)(2006).
[229] Id. section 413b(e)(1).
[230] Id. section 413b(e)(2) (this does not preclude the NSA from being the sole agency responsible for a cyber covert action).
[231] Executive Order No. 12333, section 1.8(e), 3 C.F.R. 200, 205 (1982) (providing that no agency other than the CIA may conduct covert action “unless the President determines that another agency is more likely to achieve a particular objective”).
Cyber Active Defense Under International Law
Cyber capabilities and vulnerabilities raise tremendously important international legal questions. What are permissible uses of offensive cyber capabilities? What legal authority do states have to respond to cyber attacks or cyber threats by states or nonstate actors? Can states legally employ third parties to conduct cyber operations in self-defense of the state? In order to know when the United States may legally use active defensive measures against an adversary, it is necessary to have a clear understanding of the legal regime and norms governing a nation’s use of force to launch a counterattack against a cyber aggressor. In defining the legal issue, it is important to determine what constitutes an adversarial “armed attack” in cyberspace. While there is no clear statement in international law that outlines legally acceptable or unacceptable cyber defensive actions, there are legal principles and past state practices that establish the right to counter a cyber attack as a valid legal response to acts of aggression.
Since 1945 when the UN Charter was ratified, the international legal regulation of the use of force has been based on Article 2(4) of the UN Charter. This provision directs that “all Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”[232] Article 51 of the UN Charter provides that “nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations.”[233] Although there is debate about the scope of the Article 51 right of defense, it is generally accepted that Article 51 establishes an exception to the absolute prohibition on the use of force set forth in Article 2(4).[234] Furthermore, it is widely accepted that “armed attack” is understood to be something that rises beyond the threshold of a use of force as meant in Article 2(4).[235] With respect to active cyber defense and the UN Charter, therefore, two major issues emerge. First, for purposes of Article 2(4), are there cyber attacks that rise to the level of a use of force? Second, for purposes of Article 51, can cyber attacks be equivalent to an armed attack that would give rise to a state’s right to use lethal force in response? This latter question relates to the issue of what remedies are available to a state that is the victim of a cyber attack or that faces the imminent threat of a cyber attack.
Among international legal scholars there have been disagreements as to the exact meaning of the terms “use of force” and “armed attack” within the UN Charter.[236] Especially within the context of cyber activities, there will likely remain different interpretations of these key phrases, where cyber attacks can range