Spot the Hacker: Combating Cyberwarfare under the International Rule of Law

by Bradley Cho

The days when cyber attacks were discredited as minor nuisances are rapidly coming to an end. In July 2010, a malware program, known as “Stuxnet,” sabotaged computer systems that monitored Iran’s covert uranium enrichment program. On June 12, 2011, hackers breached the computer systems of the International Monetary Fund (IMF), and acquired sensitive economic data worth billions of dollars. Cyberwarfare is a new form of waging war that challenges both governments and conventional theories of war to develop appropriate responses.
President Obama has declared America’s digital infrastructure to be a “strategic national asset,”1 and the Pentagon has now designated cyberspace as an official domain of warfare under its jurisdiction.2 Yet, it remains unclear what the appropriate responses to such attacks should be. How does a nation adequately respond to acts of aggression that are non-lethal and committed by elusive perpetrators? Proper defense measures are tough to decide on, because cyberwarfare escapes the traditional Law of Armed Conflict (LOAC) as outlined in Article 51 of the United Nations Charter, and it does not fulfill the conventional criteria for employing self-defense: military necessity, distinction, and proportionality. These traditional definitions of conflict severely hinder current cyber defense laws and tactics in providing an effective solution to cyberwarfare.

Challenges Presented by the Current Conventions of Self-Defense
Until the advent of cyberwarfare, the universal pattern of open warfare was one of physical aggression and retaliation, whether the conflict took place in the Bronze Age or the Cold War. An armed attack justified a proportionate response, and usually, the identity and motivation of the aggressor were fairly clear. In cyberspace, however, this dynamic has become distorted to the disadvantage of the defender. Attacks can be planned secretly over a significant period of time, with no warning until the attack is well underway, and the aggressor’s identity and motivation are much more difficult to discern. Because of the new nature of cyberwarfare, a victim nation of a cyber attack has to realize that the conventional criteria of necessity, distinction, and proportionality fail to provide a straightforward response.

Necessity. At its core, the principle of necessity determines whether a forceful response is warranted in a given situation. The Lieber Code of 1863 defines military necessity as limited to “those measures which are indispensable for securing the ends of the war.”3 Given that cyber attacks are non-violent in nature, and that the perpetrators are difficult to identify, the principle of necessity runs into two problems. First, it is difficult to justify reasons for a military response to an attack that did not destroy any physical property. Second, in cyberwarfare, a military counterresponse must fall short of fulfilling the principle of necessity because a military offensive is unlikely to deter or defeat the source of the cyber attacks.
Cyberwarfare is an asymmetrical conflict, conducted by the aggressor with minimal resources and oversight, and pinpointing the exact culprits in a heavily networked adversarial nation is virtually impossible. The Hague Convention of 1907 bars the destruction of enemy property unless it is “imperatively demanded by the necessities of war,”4 so it can be argued that any response that exceeds the purpose of disabling cyber attacks would be causing unnecessary suffering or damage, thus overstepping the limitations of military necessity.

Distinction between combatants and civilians is one of the most fundamental concepts in international humanitarian law. The 1949 Geneva Convention directly orders that “combatants are obliged to distinguish themselves from the civilian population.”5 In cyberwarfare, however, distinction becomes problematic. Nations with cyber offensive capabilities are often accused of masking their attacks by hiring “digital privateers”: Authorities unofficially contract civilians to attack or steal information from specific targets, as in the case of suspected Chinese hackers infiltrating the US military’s $300 billion fighter program in 2009. With such little definitive evidence, aggressor nations can plausibly deny involvement in a cyber attack if implicated in an investigation. The ambiguous identity of combatants is one of the key challenges in effectively stopping digital attacks.
The distinction principle rests on the assumption that, in any conflict, military entities are the only legitimate targets of attack while every effort must be made to minimize civilian casualties. Aggressors in cyberwarfare, too, actively violate the distinction principle, as the majority of cyber attacks directly infect a large number of civilian computers as “zombie devices,” machines compromised by hackers to avoid detection or execute large scale attacks. The collateral damage of civilian property is often unavoidable and deliberately anticipated, violating the fundamental principle of distinguishing civilians from intentional targeting.

Proportionality. Although the United States has threatened an active military response to cyber attacks that pose a serious danger to the nation’s infrastructure,6 international law dictates that the amount of force used in retaliation must be proportionate to the suffered harm. Under the current international law, this generally means that a country may only respond with force to an attack that qualifies as “armed.” No cyber attack to date has met the standards of an “armed attack,” which limits the range of available defensive countermeasures.
Even in the case of a serious cyber attack, proportionality does not give license to a quid pro quo response. For example, the crippling of a nation’s banking system does not legally justify the harmed nation in launching a similar counterattack on the aggressor’s own banking system. Given the difficulty of tracking down the culprits and the near impossibility of permanently disabling their systems, cyberwarfare currently remains a battlefield where a proportionate response is grossly ineffective while any step further constitutes an illegal response.

Possible Solutions to the Problems of Cyberwarfare
As of yet, there is no answer in sight for the ongoing trend of ambiguous cyberwarfare between nation states. Even as national governments race to develop digital weapons and self-contained “turtle defenses,”7 non-governmental institutions, such as the IMF, become increasingly vulnerable. Digital attacks on these supposedly secure systems have caused billions of dollars in damage, leaked confidential information, and strained international relations. Ultimately, defense against cyberwarfare cannot come from unilateral policies or from the efforts of individual nations. The unique nature of digital warfare requires a new, cooperative approach from the international community.

First and foremost, there is a pressing need for a global framework that establishes a standardized code of legal behavior within cyberspace. Similar guidelines exist in other transnational fields, such as commerce, communications, and transportation. Transnational agencies such as the World Intellectual Property Organization and the International Maritime Organization are only two examples of successful international cooperation in regulating certain specialized fields. Similarly, an international agency could be formed under the auspices of the United Nations to oversee this framework in response to cyberwarfare. This agency would ensure the peaceful application of digital network technologies and provide safeguards against their misuse. Such an agency could also function as an inter-governmental forum to diplomatically resolve hostile network incidents and facilitate cooperation against international cybercrime and terrorism. With such an organization in place, blatant or repeated violations of the new digital network agreement would be subject to UN scrutiny, open to UN Resolutions, and subject to the rulings of the International Court of Justice. While the relative anonymity of assailants will continue to be an ongoing concern, stronger dialogue and international cooperation can help stamp out digital privateering, just as it was phased out in the high seas.

Furthermore, the existing Law of Armed Conflict (LOAC) must be clarified and expanded to account for the unique developments of the digital age. Since the advent of the World Wide Web, states have attempted to apply traditional armed conflict laws to cyberwarfare—with limited and frustrating results. Because the terms of Article 51 of the Geneva Convention only vaguely capture cyberwarfare, a new international convention must be established. Such a convention should strive to limit the excessively injurious or indiscriminate practices of cyberwarfare, such as the development of programs that target a large number of civilian computers as proxies, and the preemptive deployment of dormant malware into critical systems. The convention must also ban digital espionage in times of peace and prohibit civilians from participating in hostilities.

As the world continues to grow increasingly interconnected through digital networks, renegade nations will continue to have incentives to engage in covert cyber attacks. The number of state-sponsored cyber attacks has grown dramatically in recent years,8 as some governments have begun to recognize their value as low-cost means of war in an asymmetric setting. Nations constrained under the limitations of international law have found it difficult to protect their citizens or effectively respond to these acts of aggression, as the traditional criteria for an armed response – necessity, distinction, and proportionality – are largely inapplicable to cyberwarfare. A solution to this problem can only come from close international cooperation, bringing the “final frontier” under the rule of law.

Bradley Cho is a junior in Jonathan Edwards College.
1 Barack Obama. “Remarks by the president on securing our nation’s cyber infrastructure”. The White House, Washington, D.C. May 29, 2009.
2 United States Department of Defense. “Department of Defense Strategy for Operating in Cyberspace” July 14, 2011.
3 Francis Lieber. Instructions for the Government of Armies of the United States, in the Field (New York, D. van Nostrand, 1863)
4 Hague Conventions IV Annex (HR) Article 23 (1907)
5 Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts. Article 44. (June 1977)
6 Siobhan Gorman. “Cyber Combat: Act of War”. Wall Street Journal. May 31, 2011. 
7 Turtle defenses are tactics by national organizations such as the US Department of Defense to increasingly press for non-integrated networks. Part of this tactic is to hesitate to purchase foreign-made components for use in their computer systems. 
8 Andrew Erickson and Gabe Collins. “Did China Tip Cyber War Hand?” The Diplomat. August 25, 2011.
