Sharon Stevens is a practicing attorney. She received her JD and LLM at The University of Iowa College of Law. She specializes in criminal and international law.
Imagine that the year is 2015 and some unknown person or group has used the Internet to attack the computer system for air traffic control at London's Heathrow Airport. This attack does not shut down computers; it feeds the controllers misinformation. The resulting confusion causes several near collisions. Before the airport can be shut down, two planes collide, killing hundreds of people. One of the fatalities is the Prime Minister of Israel, who is traveling to Europe to participate in peace talks. The British and Israeli governments scramble to trace the source of the attack. Within days, a source is identified, and Great Britain and Israel launch an Internet version of a reprisal, attacking the computers identified as the source of the Heathrow attack. These computers are located in China and operated by the Chinese military. The British/Israeli reprisal infects the Chinese computers with a virus that makes them inoperable. The Chinese respond in kind, and so begins a cyberspace skirmish that involves Internet attacks on critical infrastructure such as power grids, water treatment plants, the financial sector and other vital services. In the end, a terrorist group headquartered in the Middle East claims responsibility for the Heathrow attack, announcing that its hackers were able to make it appear that the attack originated in China.
Now, imagine that the Heathrow computer attack occurs and creates the same havoc and loss of life, but instead of resorting to self-defense, the British and Israeli governments launch a criminal investigation. This investigation is based upon an international agreement that identifies certain acts as Internet war crimes, and provides procedures for the investigation and prosecution of the criminals. With the assistance of the Chinese government, the culprits are identified and arrested. The accused stand trial before an international ad hoc tribunal, they are found guilty, sentenced, and punished.
The foregoing represents the worst- and best-case scenarios concerning cyber attacks and highlights the potential for future achievements in international law regarding the Internet. The technology exists today to execute these kinds of attacks. The question then becomes: what law applies to both public and private actors who use this technology? This Article will describe the technology, focusing on the Internet in general and cyber attacks in particular. It will outline existing international law concerning the use of force and describe the approaches advocated by various commentators on the subject of cyber warfare. Last, this Article will argue that current international law is insufficiently developed to properly address cyber attacks and that new law should be created through international cooperation. An Page 659 international agreement is necessary to clearly identify what is forbidden as a war crime in cyber attacks and what cyber activities are allowed by the military during a time of war.
In order to understand the need for new law on the subject of cyber attacks, it is important to understand some of the history and functions of the Internet and to see the scope of the interconnections and vulnerabilities of modern civilization. The Internet was born, so to speak, of the U.S. military.1Its initial purpose was not to function as a weapon2 but to facilitate communication.3 In fact, the Internet was meant to assist researchers who, in the 1960s, were competing against the Soviet Union for technological superiority in a variety of contexts, including the space race.4 The agency overseeing this work was called the Advanced Research Projects Agency ("ARPA").5 ARPA needed a vehicle that would allow researchers to share access to these larger computers.6 These researchers were spread throughout the country. Many of them were teaching at universities, and not all of them had access to powerful computers.7 The researchers conceived of a network that would link the ARPA researchers together, pooling their resources.8 The realization of this vision came in 1969 with the ARPANET original four-node network, connecting four universities in California and Utah into a single network.9
The early ARPANET used a principle still employed today called "packet switching," which breaks all communication into packets, sends them through the Internet via different routes, and reassembles them at their destination.10 This allows for faster travel speeds, a higher volume of information, and permits the system to withstand additional stresses. 11During the 1970s, the ARPANET began to interface with other "nets," the ALOHANET and the SATNET.12 The popularity of these networks grew once Page 660 the Transmission Control Protocol ("TCP") technology was developed, allowing for complete consistency between the packets of information, making it possible for these different nets to interface.13
The capacity of the Internet to interface is sometimes called "transparency" or referred to as the "end-to-end principle."14 As Lawrence Solum describes this architectural function of the Internet, "[i]n short, the principle calls for a 'stupid network' and 'smart applications.' The network simply forwards or routes the data packets and does not-and cannot by its architecture-discriminate or differentiate traffic generated by different applications."15 Thus, the information, whether in the form of an e-mail, web page, or MP3 file, is broken up into packets that, to the Internet, all look the same. The only apparent difference between these packets is where they originated and where they are going. The content of a packet while en route is meaningless because it has no software application attached to it and is only a portion of the whole. This aspect of the Internet's architecture is analogous to the system used by transport carriers that use transport containers hauled by trucks, ships, or railroads. Because these containers have a standard size and shape, the transport is relatively simple, even though the contents of the containers can be very different. Similarly, the Internet simply transports the information packets with complete disregard for content.
Two important characteristics that contributed to the early Internet's popularity were packet-switching and the capacity to interface. By 1990, a large number of networks had linked about 200 sites. 16 At that time, the ARPANET program was disbanded, and the networks that replaced it represented universities, research institutions, and colleges in several different countries.17 These networks were not government-run.18 In fact, the creators of these networks and technology used surprisingly libertarian guiding principles to operate the networks. "[T]he initial topology of the Internet corresponded with a libertarian bias against governmental intervention. This ideology was in turn reflected by a network 'architecture [that] has embedded rules for information flow that advance self-regulation Page 661 and free market choice over public decision-making.'"19 This self-regulating network of researchers initially eschewed the participation of commercial enterprises.20 This changed in the 1990s with the creation of HTTP technology (allowing for the creation of websites) and with major upgrades enhancing network capacity.21 By 1994, cyberspace saw its first commercial website.22
In less than fifteen years, the United States has gone from having a single commercial website to a nation that has integrated the Internet into virtually every important aspect of its infrastructure, both critical and mundane. It is crucial to account for the integration of the world's critical infrastructure into the Internet in order to assess the risks of cyber attacks. According to the U.S. Department of Homeland Security ("DHS"), the level of integration is high:
Our economy and national security are fully dependent upon information technology and the information infrastructure. At the core of the information infrastructure upon which we depend is the Internet, a system originally designed to share unclassified research among scientists who were assumed to be uninterested in abusing the network. It is that same Internet that today connects millions of other computer networks making most of the nation's essential services and infrastructures work. These computer networks also control physical objects such as...