Spot the Hacker: Combating Cyberwarfare under the International Rule of Law
By Bradley Cho, From Volume 2, Issue 1
The days when cyber attacks were discredited as minor nuisances are rapidly coming to an end. In July 2010, a malware program, known as “Stuxnet,” sabotaged computer systems that monitored Iran’s covert uranium enrichment program. On June 12, 2011, hackers breached the computer systems of the International Monetary Fund (IMF) and acquired sensitive economic data worth billions of dollars. Cyberwarfare is a new form of waging war that challenges both governments and conventional theories of war in developing appropriate responses.
President Obama has declared America’s digital infrastructure to be a “strategic national asset,”1 and the Pentagon has now designated cyberspace as an official domain of warfare under its jurisdiction.2 Yet, it remains unclear what the appropriate responses to such attacks should be. How does a nation adequately respond to acts of aggression that are non-lethal and committed by elusive perpetrators? Proper defense measures are tough to decide on, because cyberwarfare escapes the traditional Law of Armed Conflict (LOAC) as outlined in Article 51 of the United Nations Charter, and does not fulfill the conventional criteria for employing self-defense: military necessity, distinction, and proportionality. These traditional definitions of conflict severely hinder current cyber defense laws and tactics in providing an effective solution to cyberwarfare.
Challenges to Current Theories of Self-Defense
Until the advent of cyberwarfare, the universal pattern of open warfare was one of physical aggression and retaliation, whether it was a conflict in the Bronze Age or the Cold War. An armed attack justified a proportionate response, and usually, the identity and motivation of the aggressor were fairly clear. In cyberspace, however, this dynamic has become distorted to the disadvantage of the defender. Attacks can be planned secretly over a significant period of time, with no warning until the attack is well underway, and the aggressor’s identity and motivation are much more difficult to discern. Because of the new nature of cyberwarfare, a victim nation of a cyber attack has to realize that the conventional criteria of necessity, distinction, and proportionality fail to provide a straightforward response.
Necessity. At its core, the principle of necessity determines whether a forceful response is warranted in a given situation. The Lieber Code of 1863 defines military necessity as limited to “those measures which are indispensable for securing the ends of the war.”3 Given that cyber attacks are non-violent in nature, and that the perpetrators are difficult to identify, the principle of necessity runs into two problems: First, it is difficult to justify reasons for a military response to an attack that did not destroy any physical property. Second, in cyberwarfare, a military counter-response must fall short of fulfilling the principle of necessity because a military offensive is unlikely to deter or defeat the source of the cyber attacks.
Cyberwarfare is an asymmetrical conflict, conducted by the aggressor with minimal resources and oversight, and pinpointing the exact culprits in a heavily networked adversarial nation is virtually impossible. The Hague Convention of 1907 bars the destruction of enemy property unless it is “imperatively demanded by the necessities of war,”4 so it can be argued that any response that exceeds the purpose of disabling cyber attacks would be causing unnecessary suffering or damage, thus overstepping the limitations of military necessity.
Distinction. Distinction between combatants and civilians is one of the most fundamental concepts in international humanitarian law. The 1949 Geneva Convention directly states that “combatants are obliged to distinguish themselves from the civilian population.”5 In cyberwarfare, however, distinction becomes problematic. Nations with cyber offensive capabilities are often accused of masking their attacks by hiring “digital privateers”: Authorities unofficially contract civilians to attack or steal information from specific targets, as in the case of suspected Chinese hackers infiltrating the US military’s $300 billion fighter program in 2009. With such little definitive evidence, aggressor nations can plausibly deny involvement in a cyber attack if implicated in an investigation. The ambiguous identity of combatants is one of the key challenges in effectively stopping digital attacks.
The distinction principle rests on the assumption that, in any conflict, military entities are the only legitimate targets of attack while every effort must be made to minimize civilian casualties. Aggressors in cyberwarfare, too, actively violate the distinction principle, as the majority of cyber attacks directly infect a large number of civilian computers as “zombie devices,” machines compromised by hackers to avoid detection or execute large scale attacks. The collateral damage of civilian property is often unavoidable and deliberately anticipated, violating the fundamental principle of distinguishing civilians from intentional targeting.
Proportionality. Although the United States has threatened an active military response to cyber attacks that pose a serious danger to the nation’s infrastructure,6 international law dictates that the amount of force used in retaliation must be proportionate to the suffered harm. Under the current international law, this generally means that a country may only respond with force to an attack that qualifies as “armed.” No cyber attack to date has met the standards of an “armed attack,” which limits the range of available defensive countermeasures.
Even in the case of a serious cyber attack, proportionality does not give license to a quid pro quo response. For example, the crippling of a nation’s banking system does not legally justify the harmed nation to launch a similar counterattack on the aggressor’s own banking system. Given the difficulty of tracking down the culprits and the near impossibility of permanently disabling their systems, cyberwarfare currently remains a battlefield where a proportionate response is grossly ineffective, while any step further constitutes an illegal response.
Solutions to Cyberwarfare
As of yet, there is no answer in sight for the ongoing trend of ambiguous cyberwarfare between nation states. Even as national governments race to develop digital weapons and self-contained “turtle defenses,”7 non-governmental institutions, such as the IMF, become increasingly vulnerable. Digital attacks on these supposedly secure systems have caused billions of dollars in damage, leaked confidential information, and strained international relations. Ultimately, defense against cyberwarfare cannot come from unilateral policies or from the efforts of individual nations. The unique nature of digital warfare requires a new, cooperative approach from the international community.
First and foremost, there is a pressing need for a global framework that establishes a standardized code of legal behavior within cyberspace. Similar guidelines exist in other transnational fields, such as commerce, communications, and transportation. Transnational agencies such as the World Intellectual Property Organization and the International Maritime Organization are only two examples of successful international cooperation in regulating certain specialized fields. Similarly, an international agency could be formed under the auspices of the United Nations to oversee this framework in response to cyberwarfare, as well as ensure the peaceful application of digital network technologies and provide safeguards against their misuse. It could also function as an inter-governmental forum to diplomatically resolve hostile network incidents and facilitate cooperation against international cybercrime and terrorism. With such an organization in place, blatant or repeated violations of the new digital network agreement would be subject to UN scrutiny, open to UN Resolutions, and subject to the rulings of the International Court of Justice. While the relative anonymity of assailants will continue to be an ongoing concern, stronger dialogue and international cooperation would help stamp out privateering in the digital world, just as it was phased out in the high seas.
Furthermore, the existing Law of Armed Conflict (LOAC) must be clarified and expanded to account for the unique developments of the digital age. Since the advent of the World Wide Web, states have attempted to apply traditional armed conflict laws to cyberwarfare—with limited and frustrating results. Because the terms of Article 51 of the Geneva Convention only vaguely capture cyberwarfare, a new international convention must be established. Such a convention should strive to limit the excessively injurious or indiscriminate practices of cyberwarfare, such as the development of programs that target a large number of civilian computers as proxies, and the preemptive deployment of dormant malware into critical systems. The convention must also ban digital espionage in times of peace and prohibit civilians from participating in hostilities.
As the world continues to grow increasingly interconnected through digital networks, renegade nations will continue to have incentives to engage in covert cyber attacks. The number of state-sponsored cyber attacks has grown dramatically in recent years,8 as some governments begin to recognize their value as low-cost means of war in an asymmetric setting. Nations constrained under the limitations of international law have found it difficult to protect their citizens or effectively respond to these acts of aggression, as the traditional criteria for an armed response – necessity, distinction, and proportionality – are largely inapplicable to cyberwarfare. A solution to this problem can only come from close international cooperation, bringing the “final frontier” under the rule of law.
1. Barack Obama, “Remarks by the President on Securing Our Nation’s Cyber Infrastructure” (speech, White House, Washington, D.C., May 29, 2009).
2. United States Department of Defense. “Department of Defense Strategy for Operating in Cyberspace” July 14, 2011.
3. Francis Lieber, Instructions for the Government of Armies of the United States in the Field. (New York, 1863), pg. 7.
4. The Hague Convention (IV) Respecting the Laws and Customs of War on Land and Its Annex: Regulations Concerning the Laws and Customs of War on Land, Art. 23 (1907).
5. Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts. Art. 44. (1977)
6. Siobhan Gorman, “Cyber Combat: Act of War,” Wall Street Journal (New York), May 31, 2011
7. Turtle defenses are tactics by which national organizations such as the U.S. Department of Defense increasingly press for non-integrated networks. This includes hesitance in purchasing foreign-made components for use in their computer systems.
8. Andrew Erickson and Gabe Collins. “Did China Tip Cyber War Hand?” The Diplomat. August 25, 2011.