International Law Studies 2013
The Cyber Road Ahead: Merging
Lanes and Legal Challenges
t is a bit daunting to think about the “road ahead” when the concept of
cyber warfare is just entering the public discourse. Fueled first by cyber “at-
tacks” in Estonia and then in Georgia,
the dialogue has gotten louder with
revelations about a cyber conflict occurring as part of the “covert” cam-
paign to disrupt the nuclear program of Iran.
Terms such as “Stuxnet,”
“Duqu” and “Flame” have now entered the public cyber lexicon.
international law should regulate the use of this technologically advanced
domain with regard to the recourse to war (the jus ad bellum), and as method
* Brigadier-General, Canadian Forces (Ret.); Former Judge Advocate General for the
Canadian Forces; 2011–12 Charles H. Stockton Professor of International Law a t the U.S.
Naval War College.
. For an outline of cyber warfare in the twentieth and twenty -first centuries involving
Israel, Chechnya, Estonia, Georgia, North Korea, Iran and the United States , see JEFFREY
CARR, CYBER WARFARE 2–3 (2009).
. Gary D. Brown, Why Iran Didn't Admit Stuxnet Was an Attack, 63 JOINT FORCE
QUARTERLY 70 (2011), available at http://www.ndu.edu/press/w hy-iran-didnt-admit-
. Nicole Perlroth, Researchers Find Clues in Malware, NEW YORK TIMES , May 31, 2012,
at B1, available at http://www. nytimes.com/2012/05/31/technology/researchers-link-
The Cyber Road Ahead Vol. 89
and means of warfare (the jus in bello) has become the subject of substantial
The contemporary discussion of cyber threats speaks not only of dan-
ger, but often also of catastrophe. In this regard it is not uncommon to
hear of cyber “Pearl Harbors”
and for cyber “weapons” to be equated to
implements of mass destruction based on what has been termed a “micro-
force,” similar to chemical and biological armaments.
In addition, it has
been suggested that “[t]he conventions and applicable case law on nuclear
warfare are relevant to controlling the scope and tools of [information war-
The use of the term “information warfare” reflects an almost
schizophrenic discussion that includes soft concepts like preserving or ex-
ploiting information, and bellicose words, such as attacks.
As a microforce, cyber presents a significant communication challenge
for anyone attempting to explain how it works and why anyone should be
worried about its capabilities. It is difficult to suggest that cyber is a threat
of exceptional proportions when cyber means are trending in the opposite
direction with ever shrinking hardware. Explanations of the cyber domain
often result in a dialogue wrapped in a mysterious language of “clouds,”
“viruses” and “botnets.” Reflecting its nascent status in terms of regulation,
the language of cyber incorporates a breathtaking range of seemingly un-
. See TALLINN MANUAL ON THE LAW APPLICABLE TO CYBER WARFARE (Michael N.
Schmitt ed., 2013); CYBER WARFARE: CRITICAL PERSPECTIVES (Paul Ducheine et. al. eds.,
. Jason Ryan, CI A Director Leon Panetta Warns of Possible Cy ber-Pearl Harbor, ABC
NEWS (Feb. 11, 2011), http://abcnews.go.com/ News/cia-director-leon-panetta-warns-
. In assessing “digital warfare,” one the author notes:
Compared to other types of military force, digital warfare represents a type of micro-
force. The distinction is analogous to the difference drawn between conventional military
forces employing chemical explosives or kinetic energy as their primary means of achiev-
ing effect versus the me gaforce unleashed by nuclear weapons based on the fission or fu-
sion of atoms. At issue here is the amount of energy unleashed by a given weapon at the
time of attack. Weapons across the micro-conventional-mega force spectrum can all cause
very significant impacts. Chemical or biological weapons are referred to as weapons of
mass destruction, not because of the amount of destructive energy released when they are
deployed but because of the number of d eaths they can cause. . . . Despite the microforce
nature of information attacks, disruption of the digital control systems of a nuclear power
plant could cause similarly large-scale effects.
GREGORY RATTRAY, STRATEGIC WARFARE IN CYBERSPACE 20 (2001)
. See also Scott J. Shackleford, From Nuclear War to Net War: Analogizing Cyber Attacks
in International Law, 27 BERKLEY JOURNAL OF INTERNATIONAL LAW 191, 217 (2009).
. Id. at 198–99.
International Law Studies 2013
connected concepts that appear more closely aligned to advertising, science
fiction and biological threats, although it can also take on a more bellicose
connotation in its reference to attacks. This language can be problematic
for those seeking to come to grips with the domain and, importantly,
communicate its dangers within governments and to the broader public.
At times, there can be an overriding sense that the public is only now
learning what States are being forced to reveal.
Cyber is a creature of tech-
nological advancement. As often occurs, the technology has developed well
ahead of the limiting framework States use to keep its advances in check.
In this regard, the road ahead appears to be one with two merging lanes.
One path is a technological, with advances occurring at apparently prodi-
gious speed. Such developments are limited, it would seem, only by the im-
agination of their creators. The other lane is one where the policy, ethical
and ultimately legal constraints of society are being test driven even as they
are being developed. In a sense this is a phenomenon that has been seen
before as society struggled to control the development of chemical and nu-
clear weapons and air warfare following World Wars I and II.
However, there is a fundamental difference in the twenty-first century.
At no point were the twentieth century weapons readily available to the
world’s population. It was estimated in 2008 there were one billion person-
al computer users worldwide, a figure expected to double by 2014.
Among those users are teenagers keen on social networking or testing their
ability to challenge the rules imposed on them by society. It is a world that
also includes hacktivists, like the group Anonymous, whose penetration of
government, business and organizational websites raises security concerns,
but is not readily associated with legal concepts such as armed attack and
. Scott Shane, Cyberwarfare Emerges From Shadows for Public Discussion by U.S. Officials,
NEW YORK TIMES, Sept. 27, 2012, at A10, available at http://www.nytimes
(“Just as drone-fired missiles have never been a secret to those on the ground, so cyberat-
tacks have consequences that cannot be hidden, even if their origin may be initially uncer-
. Computers in us e pass 1 billion mark: Gartner, REUTERS (June 23, 2008), http://www.
reuters.com/article/2008/06/23/us-computers-statistics-idUSL2324525420 080623 .
. Devlin Barret, Retaliation Fears Spur Anonymity in Internet Case , WALL STREET JOUR-
NAL, Jan. 28, 2012, at A3, available at http://online.wsj.com /article/SB10001424052970
203363504577185364 230417098.html (“Anonymous is a loose affiliation of hackers and
activists who are self-proclaimed protectors of Internet freedom. To the Justice Depart-
ment, the group is something more sinister. More than a dozen alleged members have