International Law and Cyber Threats from Non-State Actors

• Author: Laurie R. Blank
• Position: Director, International Humanitarian Law Clinic, Emory University School of Law
• Pages: 406-437

International Law Studies 2013

406

T

International Law and Cyber Threats

from Non-State Actors

Laurie R. Blank*

I. INTRODUCTION

he so-called “virtual” world, that of the Internet, computer networks and

cyberspace in general, is now very firmly part of the “real world,” especially

in the areas of national security and military strategy. Revolutionary ad-

vances in technology now enable both militaries and civilians to engage in

cyber activity to achieve objectives, whether related to protest and revolu-

tion, crime, terrorism, espionage or military operations. At one end of the

spectrum both governments and private companies face a nearly constant

onslaught of cyber activity seeking to access information, undermine or

damage systems, or otherwise gain a financial, political or strategic ad-

vantage of some kind. At the other end of the spectrum are acts that some

commentators call “cyber war” or “cyber attacks,” including the cyber op-

erations in Georgia during the 2008 conflict between Russia and Georgia,

the Stuxnet virus or the comprehensive computer network operations

launched against the Estonian government in the summer of 2007. Gov-

ernments and companies alike have established both formal and informal

mechanisms for countering these rapidly developing threats and operations

in cyberspace, including, for example, U.S. Cyber Command, China’s Peo-

* Director, International Humanitarian Law Clinic, Emory University School of Law.

Lawful Targets in Cyber Operations Vol. 89

407

ple’s Liberation Army General Staff Department’s 3rd Department, Iranian

Sun-Army and Cyber Army, Israel’s Unit 8200, and the Russian Federal

Security Service’s 16th Directorate.

Rhetoric has matched these developments as well. We now read about

a wide range of cyber “things:” cyber crime, cybersecurity, cyber espionage,

cyber threats, cyber attacks, cyber war or warfare, cyber terrorism and so

on. A look at news coverage of these issues in recent years demonstrates

the growing focus across a range of countries, industries and disciplines,

with the number of news stories mentioning either “cyber war,” “cyber

warfare” or “cyber attack” in 2010 or 2011 more than triple that of any

previous year before 2009.

1

The number of scholarly articles, academic

conferences, policy discussions and other events addressing cyber issues is

further evidence of the extent of the current discourse.

Within the realm of law applicable to and governing cyber activity, a

host of legal regimes are relevant, including, most notably, domestic crimi-

nal law, national security law and international law. Just as examples, the

U.S. Congress has engaged in extensive debate over various forms of cy-

bersecurity legislation

2

and international experts have devoted—and con-

tinue to devote—significant energy to examining the extent and nature of

the application of international law to cyber war and related activities.

3

In

addition, the nature of cyber operations, computer networks, the Internet

and related components of the cyber arena mean that a veritable plethora

of actors are and can be involved in cyber activities. Among these are mili-

taries, other government agencies, private companies, terrorist groups and

individuals acting on a range of different motivations, often referred to as

“hacktivists.” The nature of today’s globalized and interconnected world

combined with the extensive reliance on technology, computer systems and

Internet connectivity means that non-State actors, whether individuals or

groups of some kind, can have a significant impact through cyber activity.

1

. A brief Lexis-Nexis search of major newspapers shows 944 and 965 hits for the

term “cyber attack” in 2010 and 2011, respectively, compared to approximately 200 or

fewer for any year before 2009. The same general pattern holds true for the terms “cyber

war” and “cyber warfare.” Based on the first few months of 2012, news coverage looks to

be comparable to that of the previous two years.

2

. See, e.g., Paul Rosenzwe ig, The Politics of th e Cyber-Legislation Debate, LAWFARE (Apr.

19, 2012, 11:48 AM), http://www.lawfareblog.com/2012/04/the-politics-of-the-cyber-

legislation-debate/.

3

. See TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER

WARFARE (Michael N. Schmitt ed., 2013).

International Law Studies 2013

408

At the same time, the complexity of cyber operations—in terms of

characterizing the nature of the operations, identifying the main players and

developing appropriate options in response—opens up an equally complex

legal environment for analyzing the parameters of and framework for such

responses. This legal environment includes the law of armed conflict

(LOAC), the law governing the resort to force (jus ad bellum) and human

rights law, along with national security law and domestic criminal law.

Cyber operations can be used both in armed conflict and in the absence of

armed conflict, which is, of course, part of the complex nature of the legal

inquiry. A host of interesting questions arise from the use of cyber capabili-

ties by States and non-State actors, including when cyber acts trigger the

international law regime governing the use of force and/or LOAC and the

nature of self-defense in response to cyber acts, in particular, against non-

State actors, and the contours of a cyber battlespace, to name a few. Fur-

thermore, both jus ad bellum and LOAC pose challenging questions regard-

ing the appropriate application of the law and the parameters of the legal

paradigm at issue. This article will focus on the international legal frame-

work that governs defense against cyber threats from non-State actors,

specifically LOAC and the law governing the resort to force. In doing so, it

will identify both essential paradigms for understanding options for re-

sponse to cyber threats from non-State actors and key challenges in those

paradigms. Section II addresses jus ad bellum and how it applies to and pro-

vides guidance for State responses to cyber actions by non-State actors.

Section III analyzes when and how LOAC applies to non-State cyber acts

and examines some of the specific challenges cyber acts pose for such anal-

ysis. Finally, Section IV highlights broader crosscutting issues, such as the

challenges of multiple overlapping legal paradigms and the role and power

of rhetoric, in exploring how States can and do respond to cyber threats

from non-State actors.

The current discourse about cyber war suggests a look back at the dis-

course surrounding appropriate responses to terrorist attacks and terrorist

groups in the aftermath of the September 11 attacks. Questions abounded,

for example, regarding whether responses to terrorists fell within a law en-

forcement paradigm or a war paradigm, whether the same international law

that governed hostilities and law enforcement in other situations should

also guide responses to terrorists, and whether terrorists were entitled to

basic rights under either human rights law or LOAC. The debate and dis-

course about cyber war are in many ways wholly different: extensive legal

analysis and debate are preceding action and few commentators or policy-