Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent

Author: Lieutenant Commander Matthew J. Sklerov

MILITARY LAW REVIEW

Volume 201 Fall 2009

SOLVING THE DILEMMA OF STATE RESPONSES TO CYBERATTACKS: A JUSTIFICATION FOR THE USE OF ACTIVE DEFENSES AGAINST STATES WHO NEGLECT THEIR DUTY TO PREVENT

LIEUTENANT COMMANDER MATTHEW J. SKLEROV*

How do you account for your discoveries? Through intuition or inspiration?1

Both. . . . I'm enough of an artist to draw freely on my imagination, which I think is more important than knowledge. Knowledge is limited, imagination encircles the world.2

  1. Introduction

    The greatest advances in law, like those in science, come through imagination. When scientific knowledge fails to explain new discoveries about the universe, scientists advance new theories to account for their discoveries; so too with the law. Revolutions in technology, like the Internet, challenge the framework that regulates international armed conflict. Legal scholars must use imagination to find ways to tackle this problem. If not, the law will become obsolete and meaningless to the states that need its guidance.

    Man has long sought to regulate warfare. From the Chivalric Code to the Charter of the United Nations (U.N. Charter), man has placed restraints on the times one can resort to war and the methods with which it is conducted. To generalize, regulations are the response to perceived problems with the state of war at a given time. Sometimes these perceptions are the result of shifts in the social conscience. At other times, values have not changed, but problems arise due to radical changes in the way war is waged.

    As warfare changes, so must the law, and warfare is changing fast. Traditionally, the instruments of war were controlled only by states. However, in today's world of globally interconnected computer systems, non-state actors with a laptop computer and an Internet connection can attack the critical infrastructure3 of another state from across the world. This is a major paradigm shift, which the law of war today fails to adequately address.

    This article will explore the unique challenges that cyberattacks4 pose to the law of war and provide an analytical framework for dealing with them. Once the current state of the law of war is fully explored, this article will conclude that states have a right under international law to (1) view and respond to cyberattacks as acts of war and not solely as criminal matters, and (2) use active, not just passive, defenses5 against the computer networks in other states, that may or may not have initiated an attack, but have neglected their duty to prevent cyberattacks from within their borders.

    These conclusions are demonstrated over the next seven parts of this article. Part II provides background on the threat that international cyberattacks pose to states, the legal problems that states encounter when dealing with them, and why current interpretations of the law of war actually endanger states. Part III describes cyberattack methods, destructive capabilities, and defenses. Part IV lays out the basic framework for analyzing armed attacks. Part V explores the challenges that non-state actors present to the basic framework of the law of war. Part VI analyzes cyberattacks under the law of war. It demonstrates that cyberattacks can qualify as acts of war, that states have a duty to prevent cyberattacks, and that victim-states have a right to use active defenses against host-states that neglect their duty to prevent cyberattacks. Part VII examines the choice to use active defenses. It explains why states should use active defenses against cyberattacks, describes the technological limits to detecting, classifying and tracing cyberattacks, and explores the impact these technological limitations will have on state decision making. Finally, Part VIII urges states to start using active defenses to protect themselves from cyberattacks originating from states that neglect their duty to prevent them.

  2. Cyberattacks, a Growing International Threat

    The Internet is essential to every modern country in the world. It is a cornerstone of commerce.6 Strategic government activities are directed through it.7 Energy production and distribution, water treatment facilities, mass transit, and emergency services are controlled through it.8 The more developed a country is, the more it depends on it.9 Indeed, networked computers have become the nervous system of modern society.10

    Global connectivity, however, is a double-edged sword. While it provides tremendous benefits to states, it also opens the door to state and non-state actors who wish to attack and disrupt a state's critical information systems.11 Furthermore, these attacks can have catastrophic consequences, such as bringing a state's economy to its knees, weakening its national defense posture, or causing the loss of life.12

    While these doomsday scenarios may seem farfetched, the reality is that catastrophic cyberattacks are more likely to occur as states grow more reliant on the Internet,13 as terrorists increasingly look to use cyberattacks against states,14 and as cyberattacks become more frequent and potent.15

    No state is safe from cyberattacks. Recent high-profile cyberattacks highlight such vulnerability. In July 2008, shortly before armed conflict broke out between Russia and Georgia, hackers barraged Georgia's Internet infrastructure with coordinated cyberattacks.16 The attacks overloaded and shut down many of Georgia's computer servers, and impaired Georgia's ability to disseminate information to its citizens during its armed conflict with Russia.17 In June 2007, Chinese hackers disabled 1500 Pentagon computers, including those of the Secretary of Defense.18 In April 2007, cyberattacks from Russia crippled the Estonian government and commercial computer networks.19 These attacks lasted approximately three weeks, disrupted Estonia's ability to govern, harmed Estonia's economy, and damaged their networks so badly that Estonia had to reach out to its NATO allies for help recovering.20 These are some of the more egregious international cyberattacks; however, there have been numerous others, often with severe consequences to the victim-states.21 Given the potentially catastrophic consequences of cyberattacks, it is imperative for states to be able to effectively defend themselves.

    A. The Legal Dilemma of State Responses to Cyberattacks

    Unfortunately, state responses to cyberattacks are governed by an anachronistic legal regime that impairs a state's ability to defend itself. No comprehensive treaty exists to regulate international cyberattacks.22 Consequently, states must practice law by analogy: either equating cyberattacks to traditional armed attacks and responding to them under the law of war or equating them to criminal activity and dealing with them as a criminal matter.23 The prevailing view of states and legal scholars is that states must treat international cyberattacks as a criminal matter because the law of war forbids states from responding with force unless an attack can be attributed to a foreign state or its agents.24 This limited view of the law of war is problematic for two reasons. First, it confines state computer defenses to passive defenses, which reduce a state's ability to stop cyberattacks.25 Second, it forces states to rely on criminal laws to deter cyberattacks, which are ineffective because several major states are unwilling to extradite or prosecute their attackers.26

    Given these problems with the prevailing view, states will undoubtedly find themselves in a "response crisis"27 during a cyberattack, forced to decide between effective, but arguably illegal, active defenses, and the less effective, but legal, path of passive defenses and criminal laws.28

    The current legal paradigm, which requires attribution to a state or its agents, perpetuates the response crisis because it is virtually impossible to attribute a cyberattack during an attack. Although states can trace the cyberattack back to a computer server in another state, conclusively ascertaining the identity of the attacker requires an intensive, time-consuming investigation with assistance from the state of origin.29 Given the prohibition on responding with force until an attack has been attributed to a state or its agents, coupled with the fact that the vast majority of cyberattacks are conducted by non-state actors,30 it should come as no surprise that states treat cyberattacks as a criminal matter.31

    This "attribution problem"32 locks states into the response crisis.

    The high-profile cyberattacks discussed earlier highlight the link between the attribution problem and response crisis. In 2008, Georgia traced the cyberattacks against it back to Russia, but could not pin them on its government.33 Similarly, U.S. officials believed that China sponsored the 2007 cyberattacks against the Pentagon, but could not prove the link.34 Following a familiar pattern, Estonia traced the 2007 attacks back to Russia, but could not tie them to the Russian government.35 Ultimately, in each of these cases, states were unable to solve the attribution problem, which legally limited them from using active defenses and forced them to rely on passive defenses and criminal laws.

    Treating cyberattacks as a criminal matter would not be problematic if passive defenses and criminal laws provided sufficient protection from cyberattacks. Unfortunately, neither is adequate. While passive defenses are always the first line of defense and reduce the chances of a successful cyberattack,36 states cannot rely on them to completely secure their critical information systems.37 Furthermore, passive defenses do little to dissuade attackers38 from attempting their attacks in the first place.39

    Deterrence comes from criminal laws and the penalties associated with them.40 However, when states fail to pass stringent criminal laws or look the other way when attackers strike rival states, criminal laws are rendered impotent.41

    Unfortunately, several major states refuse to take...
