The Lawfulness of Attacking Computer Networks in Armed Conflict and in Self-Defense in Periods Short of Armed Conflict: What are the Targeting Constraints?

Author: James P. Terry

70 MILITARY LAW REVIEW [Vol. 169

JAMES P. TERRY1

I. Introduction

When President Clinton signed the Fiscal Year 2000 version of the Unified Command Plan (UCP) on 29 September 1999, it marked a new era in operational planning for information warfare, to include the possible targeting of an adversary's computer networks where necessary to protect vital U.S. or allied interests.2 The UCP provides planning guidance and requirements for the operational commands within the Department of Defense (DOD).3 In the latest version, responsibility for maintaining and managing the Joint Information Operations Center (JIOC), located in San Antonio, Texas, was transferred to the U.S. Space Command (USSPACECOM) at Peterson Air Force Base, Colorado.4

The JIOC, formerly known as the Joint Command and Control Warfare Center, provides "full-spectrum" information warfare (IW) and information operations (IO) support to U.S. operational commanders worldwide. That is, the JIOC provides support in planning, coordination, and execution of all DOD IW and IO missions, as well as assistance in the development of IO doctrine, tactics and procedures.

What makes the transfer of the JIOC significant is the recent enhancement of its missions. In August 1999, the mission of the JIOC was broadened from command and control to include operations support. The enhanced operations support now required includes psychological operations, security, electronic warfare, targeting of command and control facilities, military deception, computer network defense, civil and public affairs, and, significantly, computer network attack.5

For the first time in the UCP, computer network attack was specifically identified in the planning requirements for unified commanders.6 This is significant because, by implication, the planning requirements now recognize the legality of targeting critical foreign computer infrastructure when vital U.S. or allied national interests are threatened.

II. Defining the Debate

The renewed emphasis on considering critical computer infrastructure as a legitimate target arises from recent incidents where critical U.S. infrastructure has been threatened by government-sponsored intrusions or by individual hackers using sophisticated software. From these incidents, the United States has recognized that electronic or physical elimination of this threat may be necessary to protect our defense capability or to ensure the continued effective operation of other critical computer infrastructure.

Several incidents are significant. In February 1998, two California teenagers were able to breach computer systems at eleven Air Force and Navy bases, causing a series of "denials of service" and forcing defense officials to reassess the security of their networks.7 The investigation of this incident, code named Solar Sunrise, however, pales in comparison with "Moonlight Maze," the code name for the investigation of an early 1999 electronic assault involving hackers based in Russia. In this attack, intruders accessed sensitive DOD science and technology information.8

Computer tracing determined that the Moonlight Maze attack originated from the Russian Academy of Science, a government organization that interacts closely with the Russian military.9 This raises the possibility of an asymmetrical attack sponsored by a nation-state.

Nor has this been the first state-sponsored intrusion into our critical computer infrastructure. In 1996, U.S. authorities detected the introduction of a program, called a "sniffer," into computers at NASA's Goddard Space Flight Center, permitting the perpetrator to download a large volume of complex telemetry information transmitted from satellites. The Deputy Attorney General reported that the "sniffer" had remained in place for a significant period of time.10 Of equal concern, a Federal Bureau of Investigation (FBI) report completed in 1999 detailed efforts of the People's Republic of China to attack U.S. Government information systems, including the White House network.11

These incidents raise important issues for defense planning. How can these threats be discovered and eliminated? What is the interplay between the role of an investigating agency and that of an operational planner? It is clear that while the targeting of these threats may require a military component, the gathering of indicators of an imminent threat requires a far broader participation. It is for this reason that the Clinton Administration established the National Infrastructure Protection Center (NIPC) in February 1998.12

The NIPC's mission is to serve as the government's focal point for threat assessment, warning, investigation, and response to threats or attacks against our critical infrastructures. These critical infrastructures include our defense communication networks, telecommunications systems, energy grids, banking and finance organizations, water systems, government operations apparatus and emergency services organizations.13

The NIPC is organized with both an indication and warning arm and an operational arm. The Analysis and Warning Section (AWS) provides analytical support during computer intrusion investigations and long-term analysis of vulnerability and threat trends. The Computer Investigations and Operations Section (CIOS) is the operational arm of the NIPC. This section manages computer intrusion investigations conducted by FBI field offices throughout the country; provides subject matter experts, equipment, and technical support to investigators in federal, state, and local government agencies involved in critical infrastructure protection; and provides an emergency response capability to help resolve a cyber incident.14

Neither the JIOC at USSPACECOM nor the NIPC possesses the capability to eliminate a hostile cyber threat. Only the operational assets assigned to the various unified commands within the Department of Defense (DOD) possess that unique capability, and they may only be employed when the strict parameters of the law of armed conflict are satisfied.

III. Legal Constraints on Attacks on Critical Infrastructure

  1. United Nations Charter System

    The legal regime available to authorize actions in lawful self-defense, and specifically for attacks on critical enemy infrastructure, includes the U.N. Charter system and customary international law. The basic provision restricting the threat or use of force in international relations is Article 2, paragraph 4, of the United Nations Charter. That provision states: "All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any manner inconsistent with the Purposes of the United Nations."15

    The underlying purpose of Article 2, paragraph 4, to regulate aggressive behavior between states, is identical to that of its precursor in the Covenant of the League of Nations. Article 12 of the Covenant stated that League members were obliged not to "resort to war."16 This terminology, however, left unmentioned actions that, although clearly hostile, could not be considered to constitute acts of war. The drafters of the U.N. Charter wished to ensure the legal niceties of a conflict's status did not preclude cognizance by the international body. Thus, in drafting Article 2, paragraph 4, the term "war" was replaced by the phrase "threat or use of force." The wording was interpreted as prohibiting a broad range of hostile activities including not only "war" and other equally destructive conflicts, but also applications of force of a lesser intensity or magnitude.17 This distinction may be all-important, for example, when a nation's commercial infrastructure is attacked, and actions in lawful self-defense are contemplated which include targeting critical infrastructure of the adversary, an element of which may have been used in the initial attack.

  2. U.N. General Assembly Resolution 2625

    The United Nations General Assembly has clarified the scope of Article 2 in two important resolutions, both adopted unanimously.18 Resolution 2625, the Declaration on Friendly Relations, describes behavior that constitutes the "unlawful threat or use of force" and enumerates standards of conduct by which states must abide.19 Contravention of any of these standards of conduct is declared to be in violation of Article 2, paragraph 4, and would likely authorize a response in self-defense.20

  3. U.N. General Assembly Resolution 3314

    Resolution 3314, The Definition of Aggression, provides a detailed statement on the meaning of "aggression" and defines it as "the use of armed force by a State against the sovereignty, territorial integrity or political integrity or political independence of another State, or in any manner inconsistent with the Charter of the United Nations."21 This resolution contains a list of acts that qualify as acts of aggression. Included in the list is "the use of any weapon by a State against the territory of another State."22 The resolution provides that the state that commits an act of aggression violates international law as embodied in the U.N. Charter.23

    The actions of states or their surrogates, in supporting or taking part in acts of aggression which threaten vital national interests of a state or states, clearly fall within the scope of Article 2, paragraph 4 and authorize a response sufficient to end the violence and deter future aggression.24

    This responding coercion might include, for example, disruption of military information downlinks in satellites, sabotage of vital computer networks, or infiltration of electronic commercial transmission systems, where proportional to the original attack and where necessary to preclude future aggression.

  4. The Right of Self-Defense

    When the U.N. Charter was drafted in 1945, the right of...
