Inside Cyber Warfare - Jeffrey Carr [41]
SCHMITT’S SIX CRITERIA
The meanings of these criteria are as follows:
Severity looks at the scope and intensity of an attack. Analysis under this criterion examines the number of people killed, size of the area attacked, and amount of property damage done. The greater the damage, the more powerful the argument becomes for treating the cyber attack as an armed attack.
Immediacy looks at the duration of a cyber attack, as well as other timing factors. Analysis under this criterion examines the amount of time the cyber attack lasted and the duration of time that the effects were felt. The longer the duration and effects of an attack, the stronger the argument that it was an armed attack.
Directness looks at the harm caused. If the attack was the proximate cause of the harm, it strengthens the argument that the cyber attack was an armed attack. If the harm was caused in full or in part by other parallel attacks, the argument that the cyber attack was an armed attack is weaker.
Invasiveness looks at the locus of the attack. An invasive attack is one that physically crosses state borders, or electronically crosses borders and causes harm within the victim-state. The more invasive the cyber attack, the more it looks like an armed attack.
Measurability tries to quantify the damage done by the cyber attack. Quantifiable harm is generally treated more seriously in the international community. The more a state can quantify the harm done to it, the more the cyber attack looks like an armed attack. Speculative harm generally makes a weak case that a cyber attack was an armed attack.
Presumptive legitimacy focuses on state practice and the accepted norms of behavior in the international community. Actions may gain legitimacy under the law when the international community accepts certain behavior as legitimate. The less a cyber attack looks like accepted state practice, the stronger the argument that it is an illegal use of force or an armed attack.
See Schmitt, supra note 16, at 913–15; see also Wingfield, T. 2000. The Law of Information Conflict: National Security Law in Cyberspace. Aegis Research Corp. 124–27 (examining Schmitt’s use of force analysis).
Establishing State Responsibility for Cyber Attacks
States cannot respond to a cross-border cyber attack with force without establishing state responsibility for the attack. Although historically this meant that an attack had to be attributed to a state or its agents, direct control of an attack is no longer a requirement for state responsibility. Today, international law bases a state’s responsibility on its failure to meet its international duties.
This shift is especially important for cyber attacks because the prevailing view that states must treat cross-border cyber attacks as a criminal matter, rather than as a national security matter, seems to be based on the historic view of state responsibility. This limited view of state responsibility locks states into the response crisis by requiring states to attribute cyber attacks to a state or its agents before responding with active defenses, even though the likelihood of successfully attributing an attack is extremely remote. Consequently, states find themselves in the response crisis during a cyber attack, laboring under the false assumption that they must decide between effective, but illegal, active defenses, and the less effective, but legal, path of passive defenses and domestic criminal laws.
Given the shift in the law of state responsibility, states should determine whether a cyber attack can be imputed to the state of origin rather than trying to conclusively attribute it. Once a cyber attack is imputed to a state and that state refuses to return to compliance with its international duties, the legal barriers to acting in self-defense disappear.
While neither state practice nor the publications