Inside Cyber Warfare - Jeffrey Carr [39]
Analyzing Cyber Attacks under Jus ad Bellum
Cyber attacks represent a conundrum for legal scholars. Cyber attacks come in many different forms, their destructive potential limited only by the creativity and skill of the attackers behind them. Although it may seem intuitive that cyber attacks can constitute armed attacks, especially in light of their ability to injure or kill, the legal community has been reluctant to adopt this approach because cyber attacks do not resemble traditional armed attacks with conventional weapons. Further clouding the legal waters is the erroneous view of states and scholars alike on the need for states to attribute cyber attacks to a state or its agents before responding with force. Although it is true that cyber attacks do not resemble traditional armed attacks, and that cyber attacks are difficult to attribute, neither of these characteristics should preclude states from responding with force. This section explores different analytical models for assessing armed attacks, the logical meaning of the duty of prevention as it relates to cyber attacks, and the technological capacity of trace programs to trace attacks back to their point of origin. After all of these issues are examined, it becomes clear that states may legally use active defenses against cyber attacks originating from states that violate their duty to prevent them.
Cyber Attacks as Armed Attacks
Victim-states must be able to classify a cyber attack as an armed attack or imminent armed attack before responding with active defenses because, as we discussed earlier in this chapter, armed attacks and imminent armed attacks are the triggers that allow states to respond in self-defense or anticipatory self-defense. Ideally, there would be clear rules for classifying cyber attacks as armed attacks, imminent armed attacks, or lesser uses of force. Unfortunately, since cyber attacks are a relatively new attack form, international efforts to classify them are still in their infancy, even though the core legal principles governing armed attacks are well settled. Consequently, whether cyber attacks can qualify as armed attacks and which cyber attacks should be considered armed attacks are left as open questions in international law. To answer these questions, this subsection examines the core legal principles governing armed attacks, applies them to cyber attacks, explains why cyber attacks can qualify as armed attacks, and attempts to provide some insight into which cyber attacks should be considered armed attacks.
“Armed attack” is not defined by any international convention. As a result, its meaning has been left open to interpretation by states and scholars. Although this might sound problematic, it is not. The framework for analyzing armed attacks is relatively well-settled, as are the core legal principles governing its meaning. The international community generally accepts Jean S. Pictet’s scope, duration, and intensity test as the starting point for evaluating whether a particular use of force constitutes an armed attack. Under Pictet’s test, a use of force is an armed attack when it is of sufficient scope, duration, and intensity. Of course, as is the case with many international legal concepts, states, nongovernmental organizations, and scholars all interpret the scope, duration, and intensity test differently.
State declarations help flesh out which uses of force are of sufficient scope, duration, and intensity to constitute an armed attack. Harkening back to the French-language version of the UN Charter, which refers to “armed aggression” rather than an “armed attack,” the UN General Assembly passed the Definition of Aggression resolution in 1974. The resolution requires an attack to be of “sufficient gravity” before it is considered an armed attack. The resolution never defines armed attacks, but it does provide examples that are widely accepted by the international community. Although the