Inside Cyber Warfare - Jeffrey Carr [46]
[18] The proponents of a strict liability approach advocate automatically responding to cyber attacks on critical infrastructure with active defenses. However, automatically responding to cyber attacks in this manner can easily lead a victim-state to counter-attack a state with a long history of doing everything within its power to prevent cyber attacks and prosecute its attackers. Were a victim-state to respond with active defenses against a nonsanctuary state, it would violate jus ad bellum. This is because there is no way to impute state responsibility to such a state, directly or indirectly, even though the cyber attack may constitute an armed attack.
[19] Schmitt, M. 1999. “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework.” Columbia Journal of Transnational Law 37: 885, 913–15.
[20] But there is no doubt that some cyber attacks will qualify as armed attacks, and should be dealt with using self-defense and anticipatory self-defense legal principles as a justification for using active defenses.Some will undoubtedly critique this conclusion. However, those who argue do miss the way that states have classified unconventional attacks in the past. New attack methods frequently fall outside the accepted definitions of armed attacks. This does not mean that the attacks are not armed attacks, merely that the attacks don’t fit traditional classifications. Furthermore, anyone who argues that cyber attacks cannot rise to the level of armed attacks misses an important facet of international law—reprisals, which can be used as an alternate basis to authorize active defenses against cyber attacks. This is because at a minimum, cyber attacks are an illegal use of force, and their use would then allow states to use another illegal use of force, short of armed force, to deter sanctuary states from allowing attackers to commit them.
[21] Council of Europe, Convention on Cybercrime, opened for signature Nov. 23, 2001, 41 I.L.M. 282 (hereinafter Convention on Cybercrime).
[22] Customary international law does not require state practice to be universal, and general practices can satisfy the requirements of customary international law. The test for when state practices become customary international law is when the practice is extensive and representative of rules that states feel bound to follow. Within this framework, there is a doctrine for states whose interests are especially affected by a rule, and their practices carry more weight in contributing to customary international law than other states. See North Sea Continental Shelf (F.R.G. v. Den.; F.R.G. v. Neth.), 1969 I.C.J 3, 43 (Feb. 20).To date, 26 states have ratified the Convention on Cybercrime, the majority of which are major western powers, three of which hold permanent Security Council seats, and five of which place among the twenty states with the most Internet users in the world—France, Germany, Italy, the United Kingdom, and the United States. Together, these five states combine for 25 percent of the Internet users in the world. Furthermore, while not yet parties to the treaty, Canada, Japan, Spain, and Poland are all signatories to it, and are expected to ratify it soon. These four states are among the remaining twenty states with the most Internet users