Cyber Warfare

• Author: Gary D. Solis
• Pages: 1-52

MILITARY LAW REVIEW

Volume 219 Spring 2014

CYBER WARFARE

GARY D. SOLIS

I. Introduction

This discussion is out of date. Cyber warfare policy, techniques, and

strategies, along with their associated laws of armed conflict (LOAC),

are evolving so rapidly that it is difficult to stay current. A snapshot of

the topic must suffice.

Much has been made of the revolution in LOAC necessitated by the

advent of cyber warfare. But, “this is by no means the first time in the

history of [LOAC] that the introduction of a new weapon has created the

misleading impression that great legal transmutations are afoot…viz., the

submarine.”1 Hannibal’s elephants also elicited a similar erroneous

impression. In fact, cyber warfare issues may be resolved in terms of

traditional law of war concepts, although there is scant demonstration of

its application because, so far, instances of cyber warfare have been rare.

Nevertheless, although cyber questions are many, the law of war offers

as many answers.

A threshold question: does existing LOAC apply to cyber issues?

Yes, it does. The International Court of Justice (ICJ), in its 1996 Nuclear

Weapons Advisory Opinion, notes that LOAC applies to “any use of

 Lieutenant Colonel, U.S. Marine Corps (Retired). J.D., University of California at

Davis; L.L.M. (Criminal Law) George Washington University Law School; Ph.D., The

London School of Economics & Political Science (Law of War); Professor of Law, U.S.

Military Academy (Retired). Professor Solis currently teaches the law of armed conflict

at Georgetown University Law Center and George Washington University Law School.

1 Yoram Dinstein, Concluding Remarks, in 89 INTERNATIONAL LAW STUDIES: CYBER

WAR AND INTERNATIONAL LAW 276, 286 (Naval War C. 2013).

2 MILITARY LAW REVIEW [Vol. 219

force, regardless of the weapons employed.”2 Whether a 500-pound

bomb or a computer is used to effect death and destruction, a weapon is a

weapon. The U.S. position is made clear in the 2011 International

Strategy for Operating in Cyberspace, when it says, “The development

of norms for State conduct in cyberspace does not require a reinvention

of customary international law, nor does it render existing international

norms obsolete. Long-standing international norms guiding State

behavior – in times of peace and conflict – also apply in cyberspace.”3

Internationally, Article 36 of 1977 Additional Protocol I, requiring

testing of new weapons and weapons systems for conformance with

LOAC, illustrates that the law of war and international humanitarian law

(IHL) rules apply to new technologies.

Defining many aspects of cyber warfare is problematic because there

is no multi-national treaty that directly deals with cyber warfare. So far,

many aspects of cyber war are not agreed upon. The law of war, as well

as customary international law, lacks cyber-specific norms, and state

practice in regard to the interpretation of applicable norms is slow to

evolve. There is not even agreement as to whether cyber attack is one or

two words. What can be said is that the jus ad bellum and jus in bello

apply to cyber operations and it is safe to follow existing LOAC/IHL, as

the United States’ International Strategy for Operating in Cyberspace

urges.

What is cyber warfare? It is not cybercrime—the use of computers

in violation of domestic law for criminal purposes. In the United States,

the Computer Fraud and Abuse Act defines Internet criminal acts.4

European Union members of the NATO alliance have domestic laws

implementing the 1995 E.U. Data Privacy Directive. Typical

cybercrimes include access offenses, the impairment of data, misuse of

devices, and interception of data offenses. Traditional criminal offenses

such as fraud, child pornography, and copyright infringement may be

facilitated through Internet access.5 On an international level,

cybercrime is addressed by the Council of Europe’s 2001 Convention on

Cybercrime, currently the only multinational treaty addressing the

2 Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1995, I.C.J. 226–

67, ¶ 39 (July 8).

3 White House, International Strategy for Cyberspace: Prosperity, Security, and

Openness in a Networked World 9 (May, 2011), available at http://www.slideshare.

net/DepartmentofDefense/department-of-defense-strategy-for-operating-in-cyberspace.

4 10 U.S.C. § 1030 (2014).

5 JONATHAN CLOUGH, PRINCIPLES OF CYBERCRIME (Cambridge Univ. Press 2010). .

2014] CYBER WARFARE 3

criminal cyber problem. Nevertheless, cyber warfare and cyber crime

should not be confused.

The word “cyber” is not found in the 1949 Geneva Conventions or

the 1977 Additional Protocols. In common usage, “cyber” relates to

computers and computer networks; not only the Internet but all computer

networks in the world, including everything they connect with and

control. Cyber warfare may be defined as “warfare waged in space,

including defending information and computer networks, deterring

information attacks, as well as denying an adversary’s ability to do the

same. It can include offensive information operations mounted against

an adversary…”6 Cyber warfare, then, includes defense, offense, and

deterrence.

Cyber warfare may be engaged in by states, by agents of states, and

by non-state actors or groups. It does not necessarily constitute

terrorism, but it may, depending on one’s definition of terrorism. The

U.S. Federal Emergency Management Agency defines cyber terrorism as

“unlawful attacks and threats of attack against computers, networks, and

the information stored therein when done to intimidate or coerce a

government or its people in furtherance of political or social objectives.”7

Cyber terrorism is a relatively minor threat today, but its potential is

obvious.

II. The Internet as Battlefield

The importance of the Internet to military, government, commercial,

and private interests requires no discussion. We daily read and hear of

cyber breaches and cyber incidents involving critical national

6 STEVEN A. HILDRETH, CONG. RESEARCH SERV., RL30735, CYBERWARFARE 16 (2001)

(emphasis in original). There is no definition of cyber warfare in Joint Publication 1-02,

Department of Defense Dictionary of Military and Associated Terms (amended through

October 15, 2013). Another definition is offered by the International Committee of the

Red Cross (ICRC): “[M]eans and methods of warfare that consist of cyber operations

amounting to or conducted in the context of an armed conflict within the meaning of IHL

. . .” Cordula Droege, Get Off My Cloud: Cyber Warfare, International Humanitarian

Law, and the Protection of Civilians, 94/886 INT’L REV. RED CROSS, 533, 538 (Summer,

2012).

7 CLAY WILSON, CONG. RESEARCH SERV., RL32114, BOTNETS, CYBERCRIME, AND

CYBERTERRORISM: VULNERABILITIES AND POLICY ISSUES FOR CONGRESS 3 (2008)

(citations omitted).