Inside Cyber Warfare - Jeffrey Carr [50]
Limitations on attack traces
Cyber attacks are frequently conducted through intermediate computer systems to disguise the true identity of the attacker. Although trace programs are capable of penetrating intermediate disguises back to their electronic source, their success rate is not perfect. Thus, trace programs run the risk of incorrectly identifying the true source of an attack. This creates an apparent problem because an attack could be incorrectly perceived as coming from a state that is not the actual state of origin. However, this is not as big a problem as it appears. State responsibility should still be judged on the facts at hand, even if it results in misattribution. First, as long as a state assesses an attack to the best of its technical capability and acts in good faith on the information on hand, it has met its international obligations. Second, states that refuse to comply with their international duty to prevent their territory from being used to commit cyber attacks have chosen to risk being held indirectly responsible by accident. After all, a state can avoid being the target of active defenses, even when attacks originate from it, by taking affirmative steps to prevent cyber attacks, such as enacting stringent criminal laws, enforcing those laws, and cooperating with victim-states to bring attackers to justice.
Jus in Bello Issues Related to the Use of Active Defenses
Decisions to use force are governed by jus in bello. Jus in bello stands for the proposition that states do not have a right to use unlimited force against other states during war.[36] At its core, jus in bello uses four basic principles to regulate the conduct of states during warfare. These are: distinction, necessity, humanity, and proportionality.
THE FOUR PRINCIPLES OF JUS IN BELLO
Distinction is the requirement that “[p]arties to the conflict shall at all times distinguish between the civilian population and combatants and...shall direct their operations only against military objectives.” Protocol Additional to the Geneva Conventions of August 12, 1949, and Relating to the Protection of Victims of International Armed Conflicts, June 8, 1977, 1125 UNT.S. 3 [hereinafter Additional Protocol I]. However, distinction does not protect civilians who directly participate in hostilities. Id., art. 51(3).
Necessity limits the amount of force a state can use against legitimate targets to the amount “necessary to accomplish a valid military objective,” and forbids using force purely for the sake of causing “unnecessary human misery and physical destruction.” US Dep’t of Navy, NWP 1–14M, The Commander’s Handbook on the Law of Naval Operations § 5.3.1 (2007).
Humanity prohibits the use of weapons designed “to cause unnecessary suffering.” Hague IV, supra note 34.
Proportionality protects civilians and their property the same way necessity and humanity protect lawful targets from excessive uses of force. Understanding that attacks on legitimate targets will often cause incidental damage beyond the lawful target itself, proportionality limits the use of force to situations in which the expected military advantage outweighs the expected collateral damage to civilians and their property. This principle is derived from Additional Protocol I, Article 51(5)(b), which states that it is prohibited to use force that “may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.” Additional Protocol I, supra note 35.
Active defenses: The most appropriate forceful response
Although this chapter advocates the use of active defenses in response to cyber attacks, once one accepts that states are legally authorized to respond to cyber attacks with force, the necessary consequence is that states may use force to the extent authorized under jus in bello. In other words, unless jus in bello stops