Inside Cyber Warfare - Jeffrey Carr [42]
It is thus necessary to understand the answers to two key questions:
What is a state’s duty to prevent cyber attacks?
What must a state do to violate its duty of prevention?
The answers are the legal keys that will establish the basis for imputing state responsibility for cyber attacks and unlock the restraints that states have placed on themselves by following the prevailing view of state responsibility for cyber attacks.
The Duty to Prevent Cyber Attacks
States have an affirmative duty to prevent cyber attacks from their territory against other states. This duty actually encompasses several smaller duties to prevent cyber attacks, including passing stringent criminal laws, conducting vigorous law enforcement investigations, prosecuting attackers, and, during the investigation and prosecution, cooperating with the victim-states of cyber attacks. These are the duties of all states and, as you will see in this subsection, are binding as customary international law. The authority for these duties comes from all three sources of customary international law—international conventions, international custom, and the general principles of law common to civilized nations, as also evidenced by judicial decisions and the teachings of the most highly qualified international legal scholars.
Support from International Conventions
The only international treaty directly on point is the European Convention on Cybercrime.[21] Although the treaty is only a regional agreement, it is still very influential on customary international law because of the importance of the states that have ratified it under the specially affected states doctrine.[22] Furthermore, it demonstrates state recognition of both the need to criminalize cyber attacks, and the duty of states to prevent their territory from being used by nonstate actors to conduct cyber attacks against other states.[23] The Convention is also significant because it recognizes that cyber attacks cannot be interdicted during the middle of an attack, and that the only way to prevent them is through aggressive law enforcement, coupled with state cooperation.
International treaties to criminalize terrorism provide further support, albeit indirectly, for the duty to prevent cyber attacks. The international community recognizes terrorism as a threat to international peace and security, but cannot agree on a definition. As a result, states have adopted the approach of outlawing specific terrorist acts each time terrorists adopt new attack methods, rather than outlawing terrorism itself.[24] These treaties impose several common requirements on states with regard to terrorist attack methods, such as taking all practicable measures for the purpose of preventing these attacks, criminalizing the attacks, submitting cases to competent authorities for prosecution, and forcing states to cooperate with each other throughout the criminal proceedings. Although these treaties do not address cyber attacks, the principles contained in them help influence state requirements under customary international law with regard to terrorism. Since there is growing evidence that cyber attacks will soon be a weapon of choice for terrorists, states should refer to the common principles found in these treaties as opinio juris when cyber attacks are used as a terrorist weapon.
Support from State Practice
State treatment of cyber attacks