Inside Cyber Warfare - Jeffrey Carr [166]
Cyber Active Defenses as Covert Action Under International Law
At times states have determined that, when faced with an aggressive adversary, overt military engagement against the adversary would not be the best, most effective, or appropriate means to counter the threat. If diplomatic efforts have failed and military engagement is ruled out, covert measures may provide policymakers with a third option that would be legally justified and effective in countering the threat and protecting national security. If, for example, the United States was the victim of ongoing cyber attacks from a foreign adversary, and the president determined that the attacks were of such a scope, duration, or intensity that the country needed to act in self-defense, he could authorize the use of covert action to neutralize the threat. This would be done without initiating overt military hostilities against the adversary. Such offensive measures conducted during a time of peace (i.e., no acknowledged armed conflict) would be justified under a self-defense argument under Article 51 of the UN Charter.
According to press reports, the US government may have already considered the use of “preemptive cyber-strikes” designed under certain circumstances to knock out adversaries’ computer systems and networks that are perceived as hostile.[243] In 2009 the Stuxnet worm that targeted Iranian nuclear facilities and caused the shutdown of 1,000 centrifuges at Iran’s Natanz nuclear fuel enrichment plant may be the most recent and controversial example of a defensive “preemptive cyber-strike” against a perceived threat. The legality of the use of the Stuxnet worm that targeted the SCADA systems of Iran would depend on the factual basis for the justification to use force against Iran, and whether the use of the Stuxnet worm (i.e., its consequences) was proportionate to the threat. Knowing the consequences of a cyber strike in advance to assess proportionality may be challenging because of the highly interconnectedness of information systems, which can make indirect secondary or tertiary effects of cyber attacks more consequential than the direct ones.[244]
Looking beyond the legal analysis of the Stuxnet worm to its cumulative effect, it clearly sent a signal to Iran that its development of nuclear weapons is perceived as an aggressive action that is not condoned. Importantly, the Stuxnet worm was a covert defensive step, avoiding the need to use military force against a nuclear plant and potentially escalating conflict. As former NSA General Counsel Stewart Baker stated, “It’s the first time we’ve actually seen a weapon created by a state to achieve a goal that you would otherwise have used multiple cruise missiles to achieve.”[245] Furthermore, where the factual basis for asserting a violation of Article 2(4) and justifying self-defense against cyber attacks may be subject to uncertainty, debate, and lack of verifiability, states may find it more effective to act in self-defense in a covert manner, avoiding the challenges of publicly defending their actions.
There are some basic principles we can devise about the legality of cyber covert action. First, the international laws related to the recourse to the use of force and the UN Charter applies to covert action in cyberspace (regardless of which US government entity is conducting the covert action). Second, the laws of armed conflict, which regulate the manner in which hostilities can legally be waged, also apply to any US covert action involving the use of cyber attacks during armed conflict. During an acknowledged armed conflict, the laws and customs of armed conflict would govern cyber covert action: military necessity, proportionality, distinction, discrimination, chivalry. In other circumstances where a cyber covert action was conducted in less than acknowledged armed conflict, the legal status of a cyber attack would be judged primarily by its effects, regardless of the means or which entity conducted