Inside Cyber Warfare - Jeffrey Carr [45]
Sanctuary States and the Practices That Lead to State Responsibility
Determining whether a state is acting as a sanctuary state is extremely fact-dependent. When considering this question, victim-states must look at a host-state’s criminal laws, law enforcement practices, and track record of cooperation with the victim-states of cyber attacks that originate from within its borders. In effect, host-states will be judged on their efforts to catch and prosecute attackers who have committed cyber attacks, which is probably the only way that states can deter and prevent future attacks. Since victim-states will end up judging whether a host-state has lived up to its international duties, host-states must cooperate with victim-states to ensure transparency. Cooperation will necessarily entail a host-state showing its criminal investigations to a victim-state so that victim-states can correctly judge host-state action.
Furthermore, when a host-state lacks the technical capacity to track down attackers, international law should require it to work together with law enforcement officials from the victim-state to jointly track them down.[34] These two measures will prevent host-states from being perceived as uncooperative and complicit in the use of their networks for attacks against other states. States that deny involvement in a cyber attack but refuse to open their investigative records to the victim-state cannot expect to be treated as living up to their international duties. In effect, host-states that refuse to cooperate with victim-states are stating their unwillingness to prevent cyber attacks and have declared themselves as sanctuary states.
Once a host-state demonstrates that it is a sanctuary state through its inaction, other states can impute responsibility to it. At that point, the host-state becomes liable for the cyber attack that triggered an initial call for investigation, as well as for all future cyber attacks originating from it. This opens the door for a victim-state to use active defenses against the computer servers in that state during a cyber attack.
* * *
[14] For instance, under an instrument-based approach, a cyber attack used to shut down a power grid is an armed attack. This is because shutting down a power grid typically required dropping a bomb on a power station or some other kinetic use of force to incapacitate the grid. Since conventional munitions were previously required to achieve the result, under the instrument-based approach the cyber attack is therefore treated the same way.
[15] For instance, under an effects-based approach, a cyber attack that manipulated information across a state’s banking and financial institutions to seriously disrupt commerce in the state is an armed attack. Although the manipulation of information does not resemble a kinetic attack, as required under an instrument-based approach, the disruptive effects that the attack had on the state’s economy are a severe enough overall consequence that it warrants treatment as an armed attack.
[16] It is important to note that this third analytical model for dealing with cyber attacks is intended to justify anticipatory self-defense before any harm actually results. Walter Gary Sharp Sr. proposed this model due to the speed with which a computer penetration can transition into a destructive attack against defense critical infrastructure. His reasoning is that once a penetration has occurred, an imminent threat exists with the ability to cause harm of extreme scope, duration, and intensity, thereby justifying anticipatory self-defense. See Walter Gary Sharp Sr. 1999. CyberSpace and the Use of Force. Aegis Research Corp. 129–31.
[17] For instance, a cyber attack might shut down a system, rendering it inoperable for some time, or a cyber attack might cause an explosion at a chemical plant by tampering with the computers that control the feed mixture rates. The results of those attacks mirror the results of conventional