Inside Cyber Warfare - Jeffrey Carr [40]
Scholars have advanced several analytical models to deal with unconventional attacks, such as cyber attacks, to help ease attack classification and put the scope, duration, and intensity analysis into more concrete terms. These models are especially relevant to cyber attacks because such attacks straddle the line between criminal activity and armed warfare. There are three main analytical models for dealing with unconventional attacks. The first model is an instrument-based approach, which asks whether the damage caused by a new attack method previously could have been achieved only with a kinetic attack.[14] The second is an effects-based approach, sometimes called a consequence-based approach, in which the attack’s similarity to a kinetic attack is irrelevant and the focus shifts to the overall effect that the cyber attack has on a victim-state.[15] The third is a strict liability approach, in which cyber attacks against critical infrastructure are automatically treated as armed attacks, due to the severe consequences that can result from disabling those systems.[16]
Of these three approaches, the effects-based approach is the best analytical model for dealing with cyber attacks. Not only does effects-based analysis account for everything that an instrument-based approach covers, but it also provides an analytical framework for situations that do not neatly equate to kinetic attacks.[17] Effects-based analysis is also superior to strict liability because responses to cyber attacks under an effects-based approach comport with internationally accepted legal norms and customs, whereas a strict liability approach may cause victim-states to violate the law of war.[18]
Of all of the scholars who advocate effects-based models, Michael N. Schmitt has advanced the most useful analytical framework for evaluating cyber attacks. In his seminal article “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” Schmitt lays out six criteria for evaluating cyber attacks as armed attacks.[19] These criteria are severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy. Taken together, they allow states to measure cyber attacks along several different axes. While no one criterion is dispositive, cyber attacks that satisfy enough criteria can be characterized as armed attacks. Since their publication, Schmitt’s criteria have gained traction in the legal community, with several prominent legal scholars advocating for their use. Many hope that Schmitt’s criteria will help bring some uniformity to state efforts to classify cyber attacks. However, until Schmitt’s criteria gain wider acceptance, states are likely to classify cyber attacks differently, depending on their understanding of armed attacks as well as their conception of vital national interest.
Classifying cyber attacks will be difficult for states to do in practice.[20] Although the initial decision to respond to cyber attacks under the law of war as a matter of policy will have to be made by state policymakers, the actual decision to use active defenses will have to be pushed down to the system administrators who actually operate computer networks. One of the challenges policymakers will face is translating international law into concise, understandable rules for their system administrators to follow, so that a state’s agents comply with international law while protecting its vital computer networks. However, classifying cyber attacks as armed attacks or imminent armed attacks is