Inside Cyber Warfare - Jeffrey Carr [52]
Although an in-depth discussion is beyond the scope of this chapter, there are several issues worthy of consideration before a state decides to implement active defenses. First, due to the compressed timelines of cyber attacks, a state may need to automate its active defenses so that it can respond in a timely manner. However, using automated defenses will increase the likelihood of violating the principles of distinction and proportionality. As a result, defenses should probably be automated only for detection purposes, requiring human analysis and approval before actually counter-striking.
Second, just because it is legal to use active defenses under the circumstances described here, that does not mean it is sound policy. States must decide whether the diplomatic fallout is worth the risk. Unfortunately, technological limitations can cause state calculations to be erroneous at times and civilian systems to be targeted or excessively damaged. States must decide that the second-guessing that other states will engage in is worth the benefit gained from protecting their computer systems.
Third, there is the chance that the servers from which the initial attacks originate are intimately tied to important systems in the host-state, and if turned off could have devastating effects and cause unnecessary suffering. This possibility must be factored into the state’s evaluation of military necessity versus probable collateral damage, especially if a state responds with active defenses without fully mapping an attacking system.
Fourth, states should carefully design their active defenses. Poorly coded active defense programs risk self-propagating in cyberspace beyond their initial purpose and evolving from a defensive program into a computer virus or worm whose damage goes far beyond its intended design. Since active defenses represent a new frontier in cyber warfare, their initial use will be controversial, no matter the situation. States should expect public scrutiny and diplomatic protests until such time as active defenses are recognized as a lawful method of self-defense under international law.
* * *
[35] These decisions will, no doubt, be based on guidelines promulgated by the victim-state before the attack ever occurs. These rules would simplify the legal framework into a set of rules more easily understood by the layperson, similar to the rules of engagement that military personnel follow.
[36] This proposition is derived from Hague Convention IV, Annex, Article 22, which states “[t]he right of belligerents to adopt means of injuring the enemy is not unlimited.” Hague Convention IV Respecting the Laws and Customs of War on Land and its Annex (Regulations), Oct. 18, 1907, 36 Stat. 2277, 1 Bevans 631 [hereinafter Hague IV].
Conclusion
Cyber attacks are one of the greatest threats to international peace and security in the 21st century. Securing cyberspace is an absolute imperative. In an ideal world, states would work together to eliminate the cyber threat. Unfortunately, our world is no utopia, nor is it likely to become one. Global cooperation may be a reality one day, but unless something changes to pressure sanctuary states into changing their behavior, there is no impetus for them to do so.
The way to achieve this reality is to use active defenses against cyber attacks originating from sanctuary states. Not only will this allow victim-states to better