International Law and Cyber Threats from Non-State Actors

Author:Laurie R. Blank
Position:Director, International Humanitarian Law Clinic, Emory University School of Law
International Law Studies 2013
International Law and Cyber Threats
from Non-State Actors
Laurie R. Blank*
he so-called “virtual” world, that of the Internet, computer networks and
cyberspace in general, is now very firmly part of the “real world,” especially
in the areas of national security and military strategy. Revolutionary ad-
vances in technology now enable both militaries and civilians to engage in
cyber activity to achieve objectives, whether related to protest and revolu-
tion, crime, terrorism, espionage or military operations. At one end of the
spectrum both governments and private companies face a nearly constant
onslaught of cyber activity seeking to access information, undermine or
damage systems, or otherwise gain a financial, political or strategic ad-
vantage of some kind. At the other end of the spectrum are acts that some
commentators call “cyber war” or “cyber attacks,” including the cyber op-
erations in Georgia during the 2008 conflict between Russia and Georgia,
the Stuxnet virus or the comprehensive computer network operations
launched against the Estonian government in the summer of 2007. Gov-
ernments and companies alike have established both formal and informal
mechanisms for countering these rapidly developing threats and operations
in cyberspace, including, for example, U.S. Cyber Command, China’s Peo-
* Director, International Humanitarian Law Clinic, Emory University School of Law.
Lawful Targets in Cyber Operations Vol. 89
ple’s Liberation Army General Staff Department’s 3rd Department, Iranian
Sun-Army and Cyber Army, Israel’s Unit 8200, and the Russian Federal
Security Service’s 16th Directorate.
Rhetoric has matched these developments as well. We now read about
a wide range of cyber “things:” cyber crime, cybersecurity, cyber espionage,
cyber threats, cyber attacks, cyber war or warfare, cyber terrorism and so
on. A look at news coverage of these issues in recent years demonstrates
the growing focus across a range of countries, industries and disciplines,
with the number of news stories mentioning either “cyber war,” “cyber
warfare” or “cyber attack” in 2010 or 2011 more than triple that of any
previous year before 2009.
The number of scholarly articles, academic
conferences, policy discussions and other events addressing cyber issues is
further evidence of the extent of the current discourse.
Within the realm of law applicable to and governing cyber activity, a
host of legal regimes are relevant, including, most notably, domestic crimi-
nal law, national security law and international law. Just as examples, the
U.S. Congress has engaged in extensive debate over various forms of cy-
bersecurity legislation
and international experts have devotedand con-
tinue to devotesignificant energy to examining the extent and nature of
the application of international law to cyber war and related activities.
addition, the nature of cyber operations, computer networks, the Internet
and related components of the cyber arena mean that a veritable plethora
of actors are and can be involved in cyber activities. Among these are mili-
taries, other government agencies, private companies, terrorist groups and
individuals acting on a range of different motivations, often referred to as
“hacktivists.” The nature of today’s globalized and interconnected world
combined with the extensive reliance on technology, computer systems and
Internet connectivity means that non-State actors, whether individuals or
groups of some kind, can have a significant impact through cyber activity.
. A brief Lexis-Nexis search of major newspapers shows 944 and 965 hits for the
term “cyber attack” in 2010 and 2011, respectively, compared to approximately 200 or
fewer for any year before 2009. The same general pattern holds true for the terms “cyber
war” and “cyber warfare.” Based on the first few months of 2012, news coverage looks to
be comparable to that of the previous two years.
. See, e.g., Paul Rosenzwe ig, The Politics of th e Cyber-Legislation Debate, LAWFARE (Apr.
19, 2012, 11:48 AM),
WARFARE (Michael N. Schmitt ed., 2013).
International Law Studies 2013
At the same time, the complexity of cyber operationsin terms of
characterizing the nature of the operations, identifying the main players and
developing appropriate options in responseopens up an equally complex
legal environment for analyzing the parameters of and framework for such
responses. This legal environment includes the law of armed conflict
(LOAC), the law governing the resort to force (jus ad bellum) and human
rights law, along with national security law and domestic criminal law.
Cyber operations can be used both in armed conflict and in the absence of
armed conflict, which is, of course, part of the complex nature of the legal
inquiry. A host of interesting questions arise from the use of cyber capabili-
ties by States and non-State actors, including when cyber acts trigger the
international law regime governing the use of force and/or LOAC and the
nature of self-defense in response to cyber acts, in particular, against non-
State actors, and the contours of a cyber battlespace, to name a few. Fur-
thermore, both jus ad bellum and LOAC pose challenging questions regard-
ing the appropriate application of the law and the parameters of the legal
paradigm at issue. This article will focus on the international legal frame-
work that governs defense against cyber threats from non-State actors,
specifically LOAC and the law governing the resort to force. In doing so, it
will identify both essential paradigms for understanding options for re-
sponse to cyber threats from non-State actors and key challenges in those
paradigms. Section II addresses jus ad bellum and how it applies to and pro-
vides guidance for State responses to cyber actions by non-State actors.
Section III analyzes when and how LOAC applies to non-State cyber acts
and examines some of the specific challenges cyber acts pose for such anal-
ysis. Finally, Section IV highlights broader crosscutting issues, such as the
challenges of multiple overlapping legal paradigms and the role and power
of rhetoric, in exploring how States can and do respond to cyber threats
from non-State actors.
The current discourse about cyber war suggests a look back at the dis-
course surrounding appropriate responses to terrorist attacks and terrorist
groups in the aftermath of the September 11 attacks. Questions abounded,
for example, regarding whether responses to terrorists fell within a law en-
forcement paradigm or a war paradigm, whether the same international law
that governed hostilities and law enforcement in other situations should
also guide responses to terrorists, and whether terrorists were entitled to
basic rights under either human rights law or LOAC. The debate and dis-
course about cyber war are in many ways wholly different: extensive legal
analysis and debate are preceding action and few commentators or policy-

To continue reading