Inside Cyber Warfare Part 7

This s.h.i.+ft began with the International Tribunal for the former Yugoslavia's seminal opinion on state responsibility in the Tadic case, in which it revised the direct control test to impute host-state responsibility for the actions of groups of nonstate actors over when a state exercised "overall control" of the group, even though the state may not have directed the particular act in question.[10] Although overall control is still a form of direct control, the opinion marked a significant relaxation of the standard for state responsibility.

The s.h.i.+ft to indirect responsibility continued through the middle of 2001, with a general consensus emerging that any breach of a state's international obligations to other states, whether from treaty law or customary law, and whether the result of a state's acts or its failures to act, resulted in international responsibility for the state.[11] This consensus solidified following the 9/11 terrorist attacks on the United States, bringing us to today's framework for state responsibility.

September 11, 2001, marked the culmination of the s.h.i.+ft of state responsibility from the paradigm of direct control to indirect responsibility. On that date, Al Qaeda terrorists hijacked four airplanes, flew three of them into buildings in the United States, and killed more than three thousand US citizens in what was widely recognized as an armed attack. Al Qaeda was based in Afghanistan, which at the time was ruled by the Taliban. While the Taliban harbored Al Qaeda and occasionally provided it limited logistical support, the Taliban did not exercise effective or even overall control over Al Qaeda. Further distancing the Taliban from 9/11 is the lack of evidence suggesting that the Taliban knew of the 9/11 attacks beforehand, or even endorsed them after the fact. Yet despite all of this, it was internationally accepted that Al Qaeda's acts were legally imputable to the Taliban, and thus to Afghanistan, because it had harbored and sheltered Al Qaeda, and refused to stop doing so, even after being warned to stop.

Thus, following 9/11, state responsibility may be implied based on a state's failure to fulfill its international duty to prevent nonstate actors from using its territory to attack other states. As such, there need not be a causal link between a wrongdoer and a state; rather, only a failure of a state to uphold its duty to prevent attacks from its territory into another state. "Hence, a state's pa.s.siveness or indifference toward [a non-state actor's] agendas within its own territory might trigger its responsibility, possibly on the same scale as though it had actively partic.i.p.ated in the planning."[12] Much of the legal a.n.a.lysis of whether a state is responsible will "turn on an ex-post facto a.n.a.lysis of whether the state could have put more effort into preventing the...attack."[13]

However, even when state responsibility is imputed for the armed attacks of nonstate actors, states may still be forbidden from responding with force. The final step in the legal a.n.a.lysis ends with the legality of cross-border operations against other states.

Cross-Border Operations.

Cross-border operations into the territory of an offending state are the natural consequence of imputed state responsibility for the armed attacks of nonstate actors. However, states must meet a number of legal requirements before they may pursue a nonstate aggressor into another state in self-defense. To understand the rationale behind why states may breach a host-state's general right to territorial integrity in self-defense and the requirements states must meet in order to do so, one must first look to the UUN Charter's general prohibition on using force against another state.

The right of territorial integrity generally gives way to the right of self-defense. The principle underlying this balancing act is that when one state violates another state's territorial integrity, it forfeits its own right to territorial integrity. This principle evolved out of state-on-state attacks, but it also may be applied in a similar manner when states are indirectly responsible for the violations of another state's territorial integrity by nonstate actors. The key is whether the host-state tried to prevent its territory from being used to commit criminal acts against the victim-state.

As always, before a state resorts to self-defense, it must ensure that it meets the criteria of necessity, proportionality, and, if using the subset of antic.i.p.atory self-defense, imminency. Effectively, a state must have no viable alternatives to the use of force, and it must limit its use of force to securing its defensive objectives.

The application of these requirements may vary depending on whether the acts of the nonstate actors were imputed based on direct control or indirect attribution. In cases of direct control, the victim-state may immediately impute responsibility to the host-state and act in self-defense against it and the nonstate actors inside it. In cases of indirect attribution, a victim-state must overcome another hurdle before conducting cross-border operations, and ensure that it has properly linked the actions of the nonstate actors to the host-state. This may be done by issuing an ultimatum to the sanctuary state to comply with its international obligations or else.

The sanctuary state must then either act against the nonstate actors, or willingly allow the victim-state to enter its territory and mount operations against the nonstate actors. Otherwise the victim-state can impute responsibility and conduct its cross-border operations into the host-state. However, in doing so, the victim-state must limit its targets to the nonstate actors, unless the host-state uses force to oppose the lawful cross-border operations.

Based on the foregoing a.n.a.lysis, it is evident that victim-states may forcibly respond to armed attacks by nonstate actors located in another state when host-states violate their duty to prevent those attacks. With cyber attacks, imputing state responsibility in this manner provides states a legal path to utilize active defenses without having to conclusively attribute an attack to a state or its agents. In effect, imputing responsibility is the equivalent of attributing the attack to the state or its agents. Thus, imputing responsibility provides states a way around the attribution problem and response crisis. However, just because there is a legal pathway to get around the requirement that armed attacks be attributable to a state or its agents does not mean that cyber attacks by nonstate actors lend themselves to this framework. As a result, it is imperative to explain why cyber attacks const.i.tute armed attacks, what a state's duty to prevent cyber attacks means, and the factual circ.u.mstances that would allow a victim-state to forcibly respond to a cyber attack.

[7] Schmitt, supra note 2, at 54041 (quoting John Ba.s.set Moore in S.S. Lotus [Fr. v. Turk.] 1927 P.C.I.J. [ser. A] No. 10, at 4, 88 [Moore, J., dissenting]).

[8] Corfu Channel case (Merits), 1949 I.C.J. Rep. 4, 22 (Apr. 9).

[9] Case Concerning United States Diplomatic and Consular Staff in Tehran, 1980 I.C.J. Rep. 3, 3233, 44 (May 24).

[10] Prosecutor v. Tadic, Case No. IT-94-1-A, I.C.T.Y. App. Ch., at 49 (July 15, 1999).

[11] See 2001 Draft Articles on the Responsibility of States for Internationally Wrongful Acts, UN Doc. A/CN.4/L.602/Rev. 1 (2001). The draft articles were later commended to state governments in 2001 and 2004. See G.A. Res. 56/83, UN Doc. A/RES/56/83 (Jan. 28, 2002); G.A. Res. 59/35, UN Doc. A/RES/59/35 (Dec. 16, 2004).

[12] Proulx, Vincent-Joel. 2005. "Babysitting Terrorists: Should States Be Strictly Liable for Failing to Prevent Transborder Attacks?" Berkeley Journal of International Law: 23, 61524.

[13] Id. at 66364.

a.n.a.lyzing Cyber Attacks under Jus ad Bellum.

Cyber attacks represent a conundrum for legal scholars. Cyber attacks come in many different forms, their destructive potential limited only by the creativity and skill of the attackers behind them. Although it may seem intuitive that cyber attacks can const.i.tute armed attacks, especially in light of their ability to injure or kill, the legal community has been reluctant to adopt this approach because cyber attacks do not resemble traditional armed attacks with conventional weapons. Further clouding the legal waters is the erroneous view of states and scholars alike on the need for states to attribute cyber attacks to a state or its agents before responding with force. Although it is true that cyber attacks do not resemble traditional armed attacks, and that cyber attacks are difficult to attribute, neither of these characteristics should preclude states from responding with force. This section explores different a.n.a.lytical models for a.s.sessing armed attacks, the logical meaning of the duty of prevention as it relates to cyber attacks, and the technological capacity of trace programs to trace attacks back to their point of origin. After all of these issues are examined, it becomes clear that states may legally use active defenses against cyber attacks originating from states that violate their duty to prevent them.

Cyber Attacks as Armed Attacks.

Victim-states must be able to cla.s.sify a cyber attack as an armed attack or imminent armed attack before responding with active defenses because, as we discussed earlier in this chapter, armed attacks and imminent armed attacks are the triggers that allow states to respond in self-defense or antic.i.p.atory self-defense. Ideally, there would be clear rules for cla.s.sifying cyber attacks as armed attacks, imminent armed attacks, or lesser uses of force. Unfortunately, since cyber attacks are a relatively new attack form, international efforts to cla.s.sify them are still in their infancy, even though the core legal principles governing armed attacks are well settled. Consequently, whether cyber attacks can qualify as armed attacks and which cyber attacks should be considered armed attacks are left as open questions in international law. To answer these questions, this subsection examines the core legal principles governing armed attacks, applies them to cyber attacks, explains why cyber attacks can qualify as armed attacks, and attempts to provide some insight into which cyber attacks should be considered armed attacks.

"Armed attack" is not defined by any international convention. As a result, its meaning has been left open to interpretation by states and scholars. Although this might sound problematic, it is not. The framework for a.n.a.lyzing armed attacks is relatively well-settled, as are the core legal principles governing its meaning. The international community generally accepts Jean S. Pictet's scope, duration, and intensity test as the starting point for evaluating whether a particular use of force const.i.tutes an armed attack. Under Pictet's test, a use of force is an armed attack when it is of sufficient scope, duration, and intensity. Of course, as is the case with many international legal concepts, states, nongovernmental organizations, and scholars all interpret the scope, duration, and intensity test differently.

State declarations help flesh out which uses of force are of sufficient scope, duration, and intensity to const.i.tute an armed attack. Harkening back to the French-language version of the UN Charter, which refers to "armed aggression" rather than an "armed attack," the UN General a.s.sembly pa.s.sed the Definition of Aggression resolution in 1974. The resolution requires an attack to be of "sufficient gravity" before it is considered an armed attack. The resolution never defines armed attacks, but it does provide examples that are widely accepted by the international community. Although the resolution has helped settle the meaning of armed attacks for conventional attacks, the more technology has advanced, the more attacks have come in forms not previously covered by state declarations and practices. Consequently, states recognize that unconventional uses of force may warrant treatment as an armed attack when their scope, duration, and intensity are of sufficient gravity. As a result, states are continually making proclamations about new methods of warfare, slowly shaping the paradigm for cla.s.sifying armed attacks.

Scholars have advanced several a.n.a.lytical models to deal with unconventional attacks, such as cyber attacks, to help ease attack cla.s.sification and put the scope, duration, and intensity a.n.a.lysis into more concrete terms. These models are especially relevant to cyber attacks because they straddle the line between criminal activity and armed warfare. There are three main a.n.a.lytical models for dealing with unconventional attacks. The first model is an instrument-based approach, which checks to see whether the damage caused by a new attack method previously could have been achieved only with a kinetic attack.[14] The second is an effects-based approach, sometimes called a consequence-based approach, in which the attack's similarity to a kinetic attack is irrelevant and the focus s.h.i.+fts to the overall effect that the cyber attack has on a victim-state.[15] The third is a strict liability approach, in which cyber attacks against critical infrastructure are automatically treated as armed attacks, due to the severe consequences that can result from disabling those systems.[16]

Of these three approaches, the effects-based approach is the best a.n.a.lytical model for dealing with cyber attacks. Not only does effects-based a.n.a.lysis account for everything that an instrument-based approach covers, but it also provides an a.n.a.lytical framework for situations that do not neatly equate to kinetic attacks.[17] Effects-based a.n.a.lysis is also superior to strict liability because responses to cyber attacks under an effects-based approach comport with internationally accepted legal norms and customs, whereas a strict liability approach may cause victim-states to violate the law of war.[18]

Of all of the scholars who advocate effects-based models, Michael N. Schmitt has advanced the most useful a.n.a.lytical framework for evaluating cyber attacks. In his seminal article "Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework," Schmitt lays out six criteria for evaluating cyber attacks as armed attacks.[19] These criteria are severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy. Taken together, they allow states to measure cyber attacks along several different axes. While no one criterion is dispositive, cyber attacks satisfy enough criteria to be characterized as armed attacks. Since their publication, Schmitt's criteria have gained traction in the legal community, with several prominent legal scholars advocating for their use. Many hope that Schmitt's criteria will help bring some uniformity to state efforts to cla.s.sify cyber attacks. However, until Schmitt's criteria gain wider acceptance, states are likely to cla.s.sify cyber attacks differently, depending on their understanding of armed attacks as well as their conception of vital national interest.

Cla.s.sifying cyber attacks will be difficult for states to do in practice.[20] Although the initial decision to respond to cyber attacks under the law of war as a matter of policy will have to be made by state policymakers, the actual decision to use active defenses will have to be pushed down to the system administrators who actually operate computer networks. One of the challenges policymakers will face is translating international law into concise, understandable rules for their system administrators to follow, so that a state's agents comply with international law while protecting its vital computer networks. However, cla.s.sifying cyber attacks as armed attacks or imminent armed attacks is only the first hurdle system administrators must clear before responding with active defenses. The second and equally important hurdle is establis.h.i.+ng state responsibility for the attack.

Schmitt's Six Criteria The meaning of these criteria are as follows: Severity looks at the scope and intensity of an attack. a.n.a.lysis under this criterion examines the number of people killed, size of the area attacked, and amount of property damage done. The greater the damage, the more powerful the argument becomes for treating the cyber attack as an armed attack.

Immediacy looks at the duration of a cyber attack, as well as other timing factors. a.n.a.lysis under this criterion examines the amount of time the cyber attack lasted and the duration of time that the effects were felt. The longer the duration and effects of an attack, the stronger the argument that it was an armed attack.

Directness looks at the harm caused. If the attack was the proximate cause of the harm, it strengthens the argument that the cyber attack was an armed attack. If the harm was caused in full or in part by other parallel attacks, the weaker the argument that the cyber attack was an armed attack.

Invasiveness looks at the locus of the attack. An invasive attack is one that physically crosses state borders, or electronically crosses borders and causes harm within the victim-state. The more invasive the cyber attack, the more it looks like an armed attack.

Measurability tries to quantify the damage done by the cyber attack. Quantifiable harm is generally treated more seriously in the international community. The more a state can quantify the harm done to it, the more the cyber attack looks like an armed attack. Speculative harm generally makes a weak case that a cyber attack was an armed attack.

Presumptive legitimacy focuses on state practice and the accepted norms of behavior in the international community. Actions may gain legitimacy under the law when the international community accepts certain behavior as legitimate. The less a cyber attack looks like accepted state practice, the stronger the argument that it is an illegal use of force or an armed attack.

See Schmitt, supra note 16, at 91315; see also Wingfield, T. 2000. The Law of Information Conflict: National Security Law in Cybers.p.a.ce. Ageis Research Corp. 12427 (examining Schmitt's use of force a.n.a.lysis).

Establis.h.i.+ng State Responsibility for Cyber Attacks.

States cannot respond to a cross-border cyber attack with force without establis.h.i.+ng state responsibility for the attack. Although historically this meant that an attack had to be attributed to a state or its agents, direct control of an attack is no longer a requirement for state responsibility. Today, international law bases a state's responsibility on its failure to meet its international duties.

This s.h.i.+ft is especially important for cyber attacks because the prevailing view that states must treat cross-border cyber attacks as a criminal matter, rather than as a national security matter, seems to be based on the historic view of state responsibility. This limited view of state responsibility locks states into the response crisis by requiring states to attribute cyber attacks to a state or its agents before responding with active defenses, even though the likelihood of successfully attributing an attack is extremely remote. Consequently, states find themselves in the response crisis during a cyber attack, laboring under the false a.s.sumption that they must decide between effective, but illegal, active defenses, and the less effective, but legal, path of pa.s.sive defenses and domestic criminal laws.

Given the s.h.i.+ft in the law of state responsibility, states should determine whether a cyber attack can be imputed to the state of origin rather than trying to conclusively attribute it. Once a cyber attack is imputed to a state and that state refuses to return to compliance with its international duties, the legal barriers to acting in self-defense disappear.

While neither state practice nor the publications of legal scholars supports this view regarding cyber attacks yet, the accepted principles of customary jus ad bellum support imputing state responsibility for armed attacks by nonstate actors when the attacks originate from a state that allows nonstate actors to conduct criminal operations within their borders. States that allow nonstate actors to conduct those operations breach their duty to prevent attacks against other states, and are known as sanctuary states. This is extremely important to the victim-states of cyber attacks because when a cyber attack originates from a sanctuary state, a victim-state may employ active defenses and avert the response crisis.

It is thus necessary to understand the answers to two key questions: What is a state's duty to prevent cyber attacks?

What must a state do to violate its duty of prevention?

The answers are the legal keys that will establish the basis for imputing state responsibility for cyber attacks and unlock the restraints that states have placed on themselves by following the prevailing view of state responsibility for cyber attacks.

The Duty to Prevent Cyber Attacks.

States have an affirmative duty to prevent cyber attacks from their territory against other states. This duty actually encompa.s.ses several smaller duties to prevent cyber attacks, including pa.s.sing stringent criminal laws, conducting vigorous law enforcement investigations, prosecuting attackers, and, during the investigation and prosecution, cooperating with the victim-states of cyber attacks. These are the duties of all states and, as you will see in this subsection, are binding as customary international law. The authority for these duties comes from all three sources of customary international law-international conventions, international custom, and the general principles of law common to civilized nations, as also evidenced by judicial decisions and the teachings of the most highly qualified international legal scholars.

Support from International Conventions.

The only international treaty directly on point is the European Convention on Cybercrime.[21] Although the treaty is only a regional agreement, it is still very influential on customary international law because of the importance of the states that have ratified it under the specially affected states doctrine.[22] Furthermore, it demonstrates state recognition of both the need to criminalize cyber attacks, and the duty of states to prevent their territory from being used by nonstate actors to conduct cyber attacks against other states.[23] The Convention is also significant because it recognizes that cyber attacks cannot be interdicted during the middle of an attack, and that the only way to prevent them is through aggressive law enforcement, coupled with state cooperation.

International treaties to criminalize terrorism provide further support, albeit indirectly, for the duty to prevent cyber attacks. The international community recognizes terrorism as a threat to international peace and security, but cannot agree on a definition. As a result, states have adopted the approach of outlawing specific terrorist acts each time terrorists adopt new attack methods, rather than outlawing terrorism itself.[24] These treaties impose several common requirements on states with regard to terrorist attack methods, such as taking all practicable measures for the purpose of preventing these attacks, criminalizing the attacks, submitting cases to competent authorities for prosecution, and forcing states to cooperate with each other throughout the criminal proceedings. Although these treaties do not address cyber attacks, the principles contained in them help influence state requirements under customary international law with regard to terrorism. Since there is growing evidence that cyber attacks will soon be a weapon of choice for terrorists, states should refer to the common principles found in these treaties as opinio juris when cyber attacks are used as a terrorist weapon.

Support from State Practice.

State treatment of cyber attacks under their criminal laws also evidence recognition of the duty to prevent cyber attacks under customary international law. Numerous states criminalize and prosecute cyber attacks to deter attackers from conducting them, on the basis that vigorous law enforcement is the only way to protect and prevent harm to their computer systems. This lends credence to the notion that, unlike a conventional attack, which can be stopped after detection, cyber attacks can be stopped only by establis.h.i.+ng ex ante barriers that attackers are fearful of crossing. Furthermore, these practices demonstrate a growing recognition among states that cyber attacks must be stopped, and that the way to do so is through vigorous law enforcement.

State responses to transnational terrorist attacks further support recognition of a duty to prevent cyber attacks under customary international law. After the 9/11 terrorist attacks, states across the world condemned terrorism as a threat to international peace and security, and provided various forms of support to the United States in its war against Al Qaeda. Ensuring that terrorism will forever be legally recognized as a threat to international peace and security, the Security Council pa.s.sed Resolution 1373, which reaffirmed that acts of international terrorism are threats to international peace and security and called on states to work together to prevent and suppress terrorism. The resolution further directed states to "refrain from providing any form of support" to terrorists through act or omission, to "deny safe haven" to those who commit terrorist acts, and "afford one another the greatest measure of a.s.sistance in connection with criminal investigations...[or] proceedings" related to terrorism.

The international community's response to terrorism does not directly define customary international law regarding cyber attacks, but it is persuasive on several fronts. First, it shows that states have a duty to prevent threats to international peace and security. Second, it demonstrates that pa.s.sive acquiescence to threats to international peace and security will not be tolerated. Finally, it demonstrates that states must work together to prevent and suppress threats to international peace and security. The more cyber attacks resemble terrorism, the more easily they will fit into the paradigm constructed to deal with transnational terrorism. However, no matter their purpose, cyber attacks represent a threat to international peace and security and should be dealt with like other recognized transnational threats.

Numerous UN declarations about international crime also support recognizing the duty to prevent cyber attacks. These declarations urge states to take affirmative steps to prevent nonstate actors from using their territory to commit acts that cause civil strife in another state.[25] Furthermore, these declarations also support the duty of states to cooperate with one another to eliminate transnational crime, which lends credence to the duty to cooperate with victim-states during the criminal investigation and prosecution of cyber attacks.[26]

Focusing specifically on cyber attacks, states have made declarations themselves, and used the UN General a.s.sembly to make numerous declarations about the importance of preventing cyber attacks. For instance, the UN General a.s.sembly has called on states to criminalize cyber attacks[27] and to deny their territory from being used as a safe haven to conduct cyber attacks through state practice.[28]

The General a.s.sembly has also called on states to cooperate with each other during the investigation and prosecution of international cyber attacks.[29] Even China's Premier Wen Jiabao has admitted that China should take firm and effective action to prevent all hacking attacks that threaten computer systems.

Furthermore, states are starting to recognize the threat that cyber attacks pose to international peace and security, with some states and the General a.s.sembly directly recognizing cyber attacks as a danger to international peace and security.[30] These declarations all evidence recognition that states have a duty to prevent cyber attacks as a matter of law, to include the lesser duties of pa.s.sing stringent criminal laws, vigorously investigating cyber attacks, prosecuting attackers, and having the host-states cooperate with victim-states during the investigation and prosecution of cases.

Support from the General Principles of Law.

The general principles of law common to civilized nations also support recognition of a duty to prevent cyber attacks. It is a well-established principle under the domestic laws of most states that individuals should be responsible for acts or omissions that have a causal link to harm suffered by another individual. While international law is not obligated to follow the domestic laws of states, international law may be derived from the general principles common to the major legal systems of the world. Most states use causation as a principle for establis.h.i.+ng individual responsibility, lending credence to the idea that a state's responsibility also should also be based on causation.

Thus, if a state failed to pa.s.s stringent criminal laws, did not investigate international cyber attacks, or did not prosecute attackers, it should be held responsible for international cyber attacks against another state because its omission helped create a safe haven for attackers to attack other states. Furthermore, as evidenced in the Corfu Channel case, the general duty to prevent attacks already allows states to be held accountable for causation to some degree, which supports using causation a.n.a.logies from domestic laws when interpreting the customary duty to prevent cyber attacks.

Support from Judicial Opinions.

Finally, judicial opinions further support recognition of a state's affirmative duty to prevent cyber attacks from its territory against other states. In Tellini, a special committee of jurists held that a state may be held responsible for the criminal acts of nonstate actors when it "neglect[s] to take all reasonable measures for the prevention of the crime and pursuit, arrest and bringing to justice of the criminal."[31] In S.S. Lotus, the Permanent Court of International Justice held that "a state is bound to use due diligence to prevent the commission within its dominions of criminal acts against another nation or its people."[32]

In Corfu Channel, the International Court of Justice held that states have a duty "not to allow knowingly its territory to be used for acts contrary to the rights of other states."[33] Although these are older cases, their principles still stand for and support the notion that states have a duty to prevent their territory from being used to commit criminal acts against another state, as well as a duty to pursue, arrest, and bring to justice criminals who have conducted cross-border attacks on other states.

Fully Defining a State's Duty to Prevent Cyber Attacks.

A state's duty to prevent cyber attacks should not be based on a state's knowledge of a particular cyber attack before it occurs, but rather on its actions to prevent cyber attacks in general. Cyber attacks are extremely difficult for states to detect prior to the commission of a specific attack, and are often committed by individuals or groups who are not even on a state's radar. However, just because cyber attacks are difficult to prevent does not mean that states can breach their duty to prevent them. Stringent criminal laws and vigorous law enforcement will deter cyber attacks. States that do not enact such laws fail to live up to their duty to prevent cyber attacks.

Likewise, even when a state has stringent criminal laws, if it looks the other way when cyber attacks are conducted against rival states, it effectively breaches its duty to prevent them through its unwillingness to do anything to stop them, just as if it had approved the attacks. In other words, a state's pa.s.siveness and indifference toward cyber attacks make it a sanctuary state, from where attackers can safely operate. When viewed in this light, it becomes apparent that a state can be held indirectly responsible for cyber attacks under the established principles of customary international law.

Sanctuary States and the Practices That Lead to State Responsibility.