Inside Cyber Warfare - Jeffrey Carr [30]
—Jeffrey Carr
By Lieutenant Commander Matthew J. Sklerov
One of the most heavily debated issues in international law is when states may lawfully respond to cyber attacks in self-defense. While the law of war is comprised of well-known and widely accepted principles, applying these principles to cyber attacks is a difficult task. This difficulty arises out of the fact that the law of war developed, for the most part, in response to conventional wars between states. When evaluating armed attacks in that paradigm, it was easy to assess the scope of an attack and the identity of an attacker. Unfortunately, when a cyber attack is in progress, it becomes difficult for states to assess the scope of an attack or figure out who is responsible for it. These difficulties have made states reluctant to respond to cyber attacks in self-defense for fear of violating the law of war, and they have turned cyber warfare into one of the hottest topics in international law.
This chapter explores the unique challenges that cyber attacks pose to the law of war and provides an analytical framework for dealing with them. Once the current state of the law of war is fully explored, this chapter will demonstrate that states have a right under international law to:
View and respond to cyber attacks as acts of war and not solely as criminal matters.
Use active, not just passive, defenses[4] against the computer networks in other states, that may or may not have initiated an attack, but have neglected their duty to prevent cyber attacks from within their borders.
As this book is primarily intended to address the technical aspects of cyber warfare, the purpose of this chapter is to provide readers with a basic understanding of the law of war as it relates to cyber warfare and to demonstrate that there is a sound legal basis for states to respond to cyber attacks in self-defense. For a more detailed legal discussion filled with legal citations and factual research, I suggest reading my article on cyber warfare in the Fall 2009 edition of the Military Law Review. Furthermore, there are a number of policymaking implications that naturally flow from the conclusions of this chapter, which shall not be fully addressed here.
This chapter is broken down into several sections for ease of reading. First, it reviews the legal problems that states encounter when dealing with cyber attacks, and why current interpretations of the law of war actually endanger states. Second, it lays out the basic framework for analyzing armed attacks. Third, it explores the challenges that nonstate actors present to the basic framework of the law of war. Fourth, it analyzes cyber attacks under the law of war and demonstrates that victim-states have a right to respond with force against host-states that neglect their duty to prevent cyber attacks. Finally, it examines the choice to use force, explains why active defenses are the most appropriate use of force under the law of war, and describes the legal problems that states will face when using active defenses.
The Legal Dilemma
Given the potentially catastrophic consequences that cyber attacks can cause, it is imperative for states to be able to effectively defend their critical infrastructure from attack. The most effective way to ward off cyber attacks is to use a layered defense of active and passive defenses. Unfortunately, states intentionally choose to confine their computer defenses to passive defenses alone, in part out of fear that using active defenses violates the law of war.
Right now, no comprehensive international treaty exists to regulate cyber attacks. Consequently, states must practice law by analogy: either equating cyber attacks to traditional armed attacks and responding to them under the