Applying the law of proportionality to cyber conflict: suggestions for practitioners.

• Author: Boylan, Eric

ABSTRACT

This Note examines the applicability of the law of armed conflict, and particularly the concept of proportionality, to cyber attacks. After exploring deviations in terminology that may lead to confusion in the field, it considers the difficulties associated with applying an area of law first implemented in the post-World War II era to technologies that have only become vitally important in recent years. Delving into some of the facets of cyber technology that make it unique as a potential battleground, this Note examines why those qualities make the law of proportionality particularly difficult to apply. Acknowledging that the law of armed conflict, although perhaps inapt, is nonetheless compulsory, this Note ends with several suggestions that may assist military commanders in conducting cyber operations in a way that comports with the law as it exists today.

TABLE OF CONTENTS I. INTRODUCTION II. BACKGROUND: CYBER ATTACKS AND PROPORTIONALITY A. Defining Cyber Attack B. Defining Proportionality III. ANALYSIS A. The Applicability of Proportionality and the Law of Armed Conflict to Cyber Warfare B. Difficulties in the Application of Proportionality to Cyber Attacks 1. Dual-Use Systems a. Increased Impact on Civilian Infrastructure b. Difficulties in Discerning Civilian from Military 2. Knock-on Effects IV. SOLUTIONS FOR MILITARY PRACTITIONERS A. Conduct a Thorough Analysis Before the Attack B. Retain a Specialist C. Conduct the Attack in a Way That Is Not an "Attack" V. CONCLUSION: A SOLUTION THROUGH INTERNATIONAL AGREEMENT I. INTRODUCTION

In early 2007, the Baltic nation of Estonia was well on the way to earning its recently acquired nickname, "eStonia": the country had used computer networks to automate and integrate nearly every aspect of its governance and society. (1) Estonian citizens banked, voted in parliamentary elections, and even paid for parking using interconnected computer systems. (2) The internet phone company Skype headquartered there. (3) The nation was a veritable utopia of the burgeoning internet culture and a "window into the future." (4)

All of that changed on April 27, 2007, when the nation suffered what was then the most widespread cyber attack in history, and possibly the first instance of international cyber war. (5) In only a few hours, the nation's media websites, banking sites, and government computers all suffered black outs. (6) Attackers targeted all of Estonia's major commercial banks, telecoms, media outlets, and some essential servers. (7) Using Distributed Denial-of-Service (DDos) attacks, the assaults lasted twenty-two days and effectively crippled the nation's electronic infrastructure. (8) By flooding the Estonian computer systems with an enormous number of requests, the attackers were able to effectively overload the systems and thereby deny service to legitimate users. (9) Nearly every Estonian citizen felt the impact, and the populace reacted with hostility (10) Rioting and social upheaval followed. The unrest resulted in one death and injuries to 150 people. (11)

Some believe the Russian government was responsible for the attack, although Estonia's neighbor to the east has never accepted responsibility for the events, and the allegations have not been proven. (12) Given the state of political tension that existed between the two nations preceding the attacks--Russian officials bristled at the Estonian government's displacement of a Soviet-era war statue, among other perceived transgressions--and considering the difficulty in identifying individuals over computer networks, this theory remains a possibility. (13) Others have firmly held that no link to the Russian government exists and that "numerous, albeit unaffiliated, hackers" perpetrated the attacks. (14)

It was the first major cyber attack aimed against a state, and possibly the first instance of international cyber war, if Russia was in fact to blame. The attack alerted the world to what kinds of damage and destruction would be possible without an enemy force ever setting foot on a rival nation's soil. (15) Perhaps most surprisingly to those in elements of the international security community, Estonia's attackers affected all of this chaos solely through computer networks. (16) The attack caused reverberations throughout the international community and provided the impetus for numerous changes in policy and practice for many international entities. (17) The North Atlantic Treaty Organization (NATO), for instance, established a Cooperative Cyber Defence Centre of Excellence and headquartered it in Tallinn, the capitol of Estonia. (18)

The Estonia example shows the potential power of cyber warfare operations. (19) In an incredibly short amount of time, a hostile force with relatively little technological capability or funding can cripple a nation's infrastructure, impede the effective use of civilian and military systems, and completely alter the state of affairs on an international level. (20) If the world did not know it before, one fact became strikingly clear after the Estonia attacks: cyber attacks can be powerful tools. (21)

This does not mean, however, that cyber operations need always be used to perpetrate chaos. Although the Estonia example shows what deleterious events can unfold when malicious actors implement cyber attacks against a civilian population, cyber operations can provide an equally powerful and legitimate tool when used by nations with righteous motivations. Many nations have begun to develop these tools as parts of their military repertoire. (22) The American military, for example, has started to build a robust program of offensive and defensive cyber capabilities. (23) Those who would see themselves as "the good guys," however, can only be good if they operate within the boundaries of the law. Nations must operate within the requirements the international community has agreed upon to denote the limits of acceptable practice: the law of armed conflict. This Note attempts to provide some insight into the difficulties of applying the law of armed conflict to cyber warfare, and to provide some suggestions to military commanders who wish to engage in cyber operations within the bounds of lawful combat.

Much of the law of cyber warfare today is governed by the application of laws--largely by analogy--that were written before the advent of modern computing technology. (24) The absence of laws specifically written or designed to deal with the nuances of cyber warfare, combined with the prevalent application of other fields that are only tangentially related, leads to a host of issues for practitioners in the realm of cyber warfare. (25) The difficulty in applying laws that were written before the concept of cyber warfare existed is that it may hinder military practitioners who engage, or seek to engage, enemy forces through the use of cyber attacks. (26)

In Part II, this Note provides a background on both cyber warfare as it is conceived today and on the law of proportionality. It discusses first the definition of the term "cyber attack" as it has been suggested by multiple sources, and the differences in those suggestions, along with the difficulties in reconciling them. It then reviews the idea of "proportionality" and its importance in the law of armed conflict.

In Part III, this Note analyzes the application of the proportionality rule to cyber attacks and the difficulties associated with this application. These include difficulties arising from the prevalence of dual-use systems (both because of the increased impact on civilian infrastructure and because of the complications in discerning what is military from what is civilian) and the difficulties presented by the requirement to predict knock-on effects.

In Part IV, this Note offers three suggestions that may assist a military commander who is considering using a cyber attack as a form of military engagement, so that the commander may be in compliance with current international law. First, a thorough analysis should be conducted prior to the attack. Second, a specialist in the realm of computer technology should be retained and consulted for the purposes of advisement. Finally, the cyber attack may be conducted in a way that is not an "attack," and thus not be susceptible to the law of armed conflict.

2. BACKGROUND: CYBER ATTACKS AND PROPORTIONALITY

   The international legal community first began to take note of cyber operations in the late 1990S. (27) After the United States Naval War College held the first major legal conference on the subject in 1999, the world began to see the breadth of cyber operations' impact in the Estonia attack in 2007, (28) attacks against Georgia during its war with Russia in 2008, and the Stuxnet worm in 2010,29 among other smaller events. (30)

   The law of international armed conflict, much older than the cyber operations that it arguably governs, has its roots in the Hague Conventions of 1899 and 1907 and the Geneva Conventions. (31) Specifically, the concept of proportionality dates back to Additional Protocol I, signed in 1977. (32) Although the definitions of both "cyber attack" and "proportionality," may vary in a given context, some discussion of each, as it stands on its own, may be useful before an exploration of their interaction and compatibility, or lack thereof.

   1. Defining Cyber Attack

      The terminology that surrounds cyber warfare remains in a nascent state partly because cyber warfare is a relatively new field. (33) Legal experts, institutions, and military practitioners have offered a number of definitions of various terms to describe technologies that are often in flux. This undeveloped terminology includes one definition central to the practice: what is a cyber attack?

      There are several reasons why arriving at a concise terminology should be of importance to the international legal community. First, the legal regime should keep pace with the technological realm it seeks to...