Inside Cyber Warfare - Jeffrey Carr [22]
Chapter 3. The Legal Status of Cyber Warfare
Although cyber warfare has been around for a decade or so, it still has not been well defined. As of this writing, there is no international treaty in place that establishes a legal definition for an act of cyber aggression. In fact, the entire field of international cyber law is still murky.
The NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) published a paper on the subject in November 2008 entitled “Cyber Attacks Against Georgia: Legal Lessons Identified.” In it, the authors discuss possible applicability of the Law of Armed Conflict (LOAC) to the cyber attacks that occurred during the Russia-Georgia War of August 2008.
LOAC, also known as the International Humanitarian Law, relies on two primary rule groups: jus ad bellum and jus ad bello, which is Latin for “justice to war” and “justice in war,” respectively. In other words, there are rules for how a country proceeds to a state of war and, once there, for how it conducts its war effort.
On May 8, 2009, the head of the US Strategic Command, US Air Force General Kevin P. Chilton, was quoted in Stars and Stripes as saying “[t]he Law of Armed Conflict will apply to this domain.” It is still unclear how many other nations will adopt that same approach, particularly the Russian Federation and the People’s Republic of China.
Amit Sharma, deputy director of India’s Ministry of Defense—Defense Research and Development Organization, prefers a different approach, one styled after the Mutually Assured Destruction (MAD) model of nuclear deterrence:
You can talk endlessly about the law of armed conflict, but a treaty would not be achieved. ... The only viable solution is one of cyber deterrence.
According to a June 27, 2009, New York Times article entitled “US and Russia Differ on a Treaty for Cyberspace”:
Russia favors an international treaty along the lines of those negotiated for chemical weapons and has pushed for that approach at a series of meetings this year and in public statements by a high-ranking official.
The United States argues that a treaty is unnecessary. It instead advocates improved cooperation among international law enforcement groups. If these groups cooperate to make cyberspace more secure against criminal intrusions, their work will also make cyberspace more secure against military campaigns, American officials say.
These areas of dispute are reflected in the multiple faces of cyber aggression:
Cyber attacks against government or critical civilian websites or networks without accompanying military force
Cyber attacks against government or critical civilian websites or networks with accompanying military force
Cyber attacks against internal political opponents
Cyber intrusions into critical infrastructure and networks
Acts of cyber espionage
How many of these real-world attacks should be considered acts of cyber warfare? All? None? Only those that can be attributed directly to a nation-state?
The first thing to realize is that legally there is no such concept as an act of war, cyber or otherwise. The UN Charter lays out when a nation-state can use force in self-defense against an act of aggression, but it refers entirely to armed conflict. Other treaties may provide a better framework for establishing definitions for cyber aggression, and these are thoroughly examined in a 2009 paper by Scott Shackleford entitled “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law,” published in the Berkeley Journal of International Law (BJIL), Vol 25 No 3.
Shackleford lists a few treaty regimes that may be useful in constructing an international cyber treaty:
Nuclear nonproliferation treaties
The Antarctic Treaty System and Space law
United Nations Convention on the Law of the Sea (UNCLOS)
Mutual Legal Assistance Treaties (MLAT)
Nuclear Nonproliferation Treaties
Nuclear nonproliferation treaties are designed to limit the spread of nuclear weapons at the very earliest stages of development, i.e.,