The law of cyber warfare: quo vadis?

• Author: Schmitt, Michael N.

INTRODUCTION I. NORMATIVE EVOLUTION II. SOVEREIGNTY III. THE JUS AD BELLUM A. The Use of Force B. Self-Defense IV. THE JUS IN BELLO A. Conflict Characterization B. Attacks CONCLUDING THOUGHTS INTRODUCTION

In the mid-1990s, international security affairs specialists began to consider the possibility of cyber warfare, (1) both as an element of classic armed conflict and as a stand-alone proposition. However, the subject faded from the security agenda following the 9/11 attacks. That would change in 2007 when NATO Member State Estonia suffered massive cyber attacks, primarily from ethnic Russian non-state actors. The next year, cyber operations figured prominently in the international armed conflict between Russia and Georgia. (2) In response to

these and other cyber incidents, the NATO Cooperative Cyber Defence Centre of Excellence launched a major research project in late 2009 to examine the public international law governing cyber warfare. Twenty world-class academics and legal practitioners (the "International Group of Experts") spent the next three years drafting the Tallinn Manual on the International Law Applicable to Cyber Warfare, (3) for which the author served as project director. In light of the relative infancy of cyber operations and paucity of state practice, the Experts agreed to confine themselves to the lex later, lex ferenda was strictly off limits, as was speculation regarding the likely development of the law. (4) This Article discards those self-imposed restraints by offering one participant's thoughts as to how the law of cyber warfare may mature in the coming decades.

Of course, the threshold issue for the International Group of Experts was whether international law applied in cyberspace at all. The Experts unanimously agreed that it did, (5) a position that the United States (6) and other key members of the international community have since adopted. (7) Members of the Group also -unanimously agreed on 95 "Black Letter Rules" of cyber warfare that were meant to restate the existing law. However, the interpretation of these rules sometimes evoked ardent and nuanced debate. (8) The commentary accompanying each Rule captures these debates and highlights those which remain unresolved. Adding to the uncertainty regarding the precise legal parameters of cyber warfare is the fact that public international law is by nature a dynamic creature. As will be explained below, its content, interpretation, and application evolve over time in response to transformation of the security environment in which it applies.

Such ambiguity makes it inconceivable that the extant law of cyber warfare, which responds to cyber operations that are still in their relative technological infancy, will survive intact. This reality begs the question, quo vadis the law of cyber warfare? (9) It is a question that the International Group of Experts consciously avoided, but which was always the unspoken elephant in the room. This Article takes the Group's analysis a step further by reflecting on key Tallinn Manual norms that are most vulnerable to pressure for future interpretive adaptation. It sets the stage by offering a few brief thoughts on the process of normative evolution. The piece then identifies certain aspects of the law of sovereignty, the jus ad helium, and the jus in hello which will have to acclimate to the growing threat cyberterrorists, cyberspies, cyberthieves, cyberwarriors, cyber hacktivists, and malicious hackers pose. (10) For each, the current law will be described, the rationale for anticipating interpretive adaptation will be offered, and the probable vector of any change will be indicated. The endeavor is admittedly speculative. However, knowing where such fault lines lie should prove useful as states craft national cyberspace policies and issue rules of engagement, international organizations launch projects designed to achieve normative compatibility in cyberspace, and scholars explore the theoretical foundation for the future law of cyber warfare.

1. NORMATIVE EVOLUTION

   If law is to remain effective over time, it must be responsive to context. This axiom is no less true in cyberspace than in the kinetic environment. When significant contextual transformation takes place, new norms emerge, old norms expire or pass into desuetude, and interpretation shifts. The vector and speed of this evolutionary process are the products of influence emanating from many sources--non-governmental advocacy groups, international organizations, international tribunals, domestic constituencies, political action groups, religious leaders, etc. (11)

   But states still drive this process. (12) Conceived broadly, international law represents consensus among states as to the rules of the game that govern their interactions. They consent thereto either by opting into treaty regimes or by engaging in practices out of a sense of legal obligation (opinio juris) that, combined with similar practice by other states, eventually crystallizes into customary international law. (13)

   A state's national interests undergird its consent or conduct, and, thus, the development of international law. These interests can be selfish or ignoble. States might seek, for example, to maximize power and influence at the expense of other states or pursue exploitative control over its citizenry and national assets. Yet, states also act out of principled motivations that reflect their core values. In the field of IHL, states have agreed to limitations on their battlefield freedom of action in order to achieve humanitarian ends, sometimes when doing so is militarily counter-productive. (14) Whatever the case may be, the state is the engine of normative evolution.

   A turbulent period should be expected vis-a-vis the law of cyber warfare as current international legal norms adjust to the changing national interests of states in cyberspace. Today, information and computer technology "is ubiquitous and relied upon for government services, corporate business processes, and individual professional and personal pursuits--almost every facet of modern life." (15) The near absolute dependence of critical infrastructure on cyberspace looms particularly large as a security concern. (16) Similarly, most contemporary military activities of the United States and other advanced nations, which range from naval warfare, air campaigns and ground attacks to counter-terrorist strikes and Special Forces "black operations," would be hobbled by the loss of cyber related assets and capabilities. (17)

   As states become ever more dependent on cyber activities, they will increasingly value their access to, and ability to exploit, cyberspace. To protect these values, states will assuredly employ their cyber capabilities to safeguard the cyber infrastructure and cyber activities upon which they rely. However, success will necessitate departure from the received norms that have been set forth by the International Group of Experts in the Tallinn Manual. These norms fall into three categories: sovereignty, the jus ad helium, and the jus in hello.

2. SOVEREIGNTY

   Over the course of the Tallinn Manual project, the International Group of Experts realized the need to examine the law of sovereignty in order to afford a more complete picture of state obligations vis-a-vis cyber activities, as well as the response options available to states targeted by cyber operations. Foremost among the resulting rules on the subject is the right of states to "exercise control over cyber infrastructure and activities within [their] sovereign territory." (18) It allows states "to exercise ... to the exclusion of any other State, the functions of a State" on their territory. (19) Effectively, this means that states may regulate all cyber activities taking place on their territory, control the use of any cyber infrastructure located there, and exercise legal jurisdiction over such activities. (20)

   As noted by the International Court of Justice (ICJ) in Nicaragua, "[b]etween independent States, respect for territorial sovereignty is an essential foundation of international relations." (21) Consequently, hostile cyber operations directed against cyber infrastructure located on another state's territory, whether government owned or not, constitute, inter alia, a violation of that state's sovereignty whenever they cause physical damage or injury. (22) Even if the operations result in no damage or injury, they will qualify as an unlawful "intervention" if they are intended to coerce (as distinct from lawfully influence) the targeted state's government in matters reserved to that state (e.g., by using cyber means to interfere with election results). (23)

   A crucial unresolved issue with respect to these sovereign rights and obligations is whether cyber operations that neither cause physical damage nor amount to an intervention nevertheless violate the targeted state's sovereignty. Consider a situation in which State A wishes to monitor certain cyber activities by State B. It has three options for doing so: 1) monitoring the activities by intercepting the signals as they pass through servers on its own territory; 2) sending malware into the target network remotely; or 3) implanting the malware through a spy's use of a memory stick. The first option poses no legal obstacles because international law does not prohibit espionage and the operation is physically harmless and involves no coercive intent. (24) The third is a clear violation of the targeted state's sovereignty because the operation occurs on its territory without its consent. The second option, however, is legally ambiguous. Does the remote implantation of the malware into State B's cyber systems, as distinct from the fact that State A is monitoring its activities, violate State B's sovereignty? Other examples falling into this category include State A remotely conducting denial of service attacks that interrupt cyber transmissions in State B or...