Legal phantoms in cyberspace: the problematic status of information as a weapon and a target under international humanitarian law.

• Author: Beard, Jack M.
• Position: III. Information as a Target through V. Conclusion, with footnotes, p. 112-144

3. INFORMATION AS A TARGET: THE PROBLEM OF EXPLOITATION AND CHALLENGES TO CONSEQUENCE-BASED LEGAL THRESHOLDS

   1. Exploitation: A Harmful--But Problematic--Act

      While legal concerns related to the observance of key IHL rules and principles, such as proportionality, distinction, and precautionary measures, in an attack are important, they are dependent on the larger threshold IHL problems presented by the use of information as a weapon and target. As noted, hostile uses of information can give rise to challenging, fundamental questions regarding the applicability of IHL itself. No actions highlight these questions more clearly than those encompassed within the concept of information "exploitation." (179)

      The threshold question of whether the IHL regime applies to particular events in cyberspace is greatly complicated, if not dominated, by the nature of information itself and the problems presented by its content. Unlike other types of "targets" that may be attacked, information may have an intrinsic value that can be stolen or replicated through cyber methodologies and techniques. For this reason, the unauthorized exploitation of information by both state and nonstate actors is currently the most common and highly damaging type of unfriendly cyber action around the world. (180)

      It has long been obvious that criminals can profit from exploiting valuable information that they access in computer systems and networks and that these illegal cyber activities have been extraordinarily costly for individuals and businesses. (181) Yet early fears expressed by U.S. officials about protecting cyberspace from cyber attacks tended to focus on the disastrous physical consequences of hypothetical, catastrophic cyber actions, while the damage from hostile cyber actions to this point has instead proven to be informational. (182)

      Notwithstanding the obvious damage caused by physical forces, informational damages may be highly significant. (183) There is no doubt that the exploitation of information--including military secrets and other classified information, intellectual property, financial records, and commercial data--in cyberspace is a growing and serious threat to both states and businesses. (184)

      While state-sponsored efforts to access, steal, copy, or otherwise exploit critical information in an adversary state's computer systems and networks may constitute a new and important chapter in the long history of espionage, such acts are unlikely to violate any obligations under international law. (185) Furthermore, under the IHL framework itself, "information-gathering activities" have long been explicitly recognized as legitimate actions by military forces. (186)

      Information can, however, be exploited in ways that cause great damage to states, even if such exploitation or cyber espionage does not amount to "war." (187) The acquisition and misuse of a state's most highly classified information regarding its deployed forces, military facilities, planned military operations, strategic policies, weapons capabilities, personnel records, intelligence activities, and key defensive vulnerabilities can all result in disastrous tactical and strategic consequences for that state, including events that may involve great loss of life and destruction of property.

      Devastating consequences alone, however, cannot serve as the basis for imposition of the IHL framework on such acts. The nature of the act itself--the exploitation of information--is not the type of conduct that was intended to be subject to IHL restrictions, regardless of its highly damaging effects.

      The exploitation of information thus serves to illustrate how analogies drawn between harmful cyber techniques and conventional weapon systems may be misplaced, particularly to the extent that they focus primarily on their harmful consequences. For purposes of the IHL regime, damaging acts of information exploitation--which are often described as some form of cyber espionage--are legal phantoms: examples of varied, sometimes highly damaging, extralegal actions in cyberspace.

      Cyber espionage and other forms of data exploitation are routinely addressed by states as criminal matters. (188) They further bear little resemblance to conventional methods and means of warfare, although they may have highly damaging consequences. This paradox appropriately focuses attention on the legal thresholds that must be met in order to apply the IHL framework to hostile cyber acts. As noted, writers who emphasize the importance of consequences generally view cyber acts of disruption and denial as inappropriate candidates for the IHL framework because of their limited or temporary effects. The highly damaging consequences of acts of cyber exploitation, however, necessarily focus attention on the legal significance of the underlying acts.

   2. Information Exploitation, Legal Thresholds, and Consequentialist Approaches to the Jus ad Bellum

      The unusual characteristics of cyber weapons have, as noted, given rise to considerable discussion among scholars regarding the question of whether cyber actions alone could ever qualify as an armed attack for purposes of the jus ad bellum and the use of armed force in self-defense under the UN Charter. In spite of the clear focus in the text of the UN Charter on a specific act (an armed attack) as the legal basis for a state's right to use force in self-defense, some scholars and experts have instead emphasized the destructive consequences of the act. (189)

      This consequentialist or effects-based analysis has been described as "the leading view" among legal experts in determining whether a hostile cyber act constitutes an armed attack for purposes of the jus ad bellum, and, by extension, whether threshold requirements are also met for the application of the IHL regime. (190) Other analytical approaches that equate various hostile cyber acts with conventional armed attacks, such as the "strict liability approach" and even some interpretations of the "instrument-based approach," also draw heavily, if not exclusively, on assessments of the consequences of cyber acts. (191)

      Although the U.S. government has not definitively set forth criteria for determining the legal status of hostile cyber actions under the jus ad bellum, a consequentialist approach nonetheless prevails in much of its analysis. (192) Such an approach is also reflected in reported discussions of responses to cyber acts under the doctrine of "equivalence." (193)

      However, a legal approach that focuses only on the consequences of cyber acts fails to account for the many ways in which information can be used to cause great damage to an enemy, even though the underlying acts clearly remain outside the recognized legal boundaries of armed conflict and the jus ad bellum. In this regard, cyber espionage and other increasingly varied, sophisticated, and damaging forms of cyber exploitation deserve special attention.

      As noted above, exploiting the most highly classified military secrets of an adversary can cause destruction, defeats, and losses of monumental significance. One need only look at the intelligence activities of the Allies in World War II to appreciate the importance--and destructiveness--of intercepting, stealing, and otherwise exploiting critical information, particularly signals and secret codes. (194) The older, conventional underlying methods of espionage and intelligence gathering--which included electronic surveillance, code-breaking efforts, and various types of covert actions--have been supplemented and dramatically improved by modern cyber espionage techniques, sometimes with devastating consequences. (195)

      Damaging acts of espionage and other unfriendly forms of information exploitation abound in modern international relations, along with other destructive, nonphysical acts designed to exert economic or political coercion. Because of the frequency, nature, and diversity of these unfriendly acts, imposing the jus ad bellum on all of them would diminish restrictions on the use of force, thereby significantly weakening key safeguards upon which the international community relies and undermining the UN Charter's central purpose of maintaining international peace and security. (196)

      Such concerns influenced the drafters of the UN Charter as they grappled with jus ad bellum issues. Although they understood that many acts in the international arena can cause great harm to states, they decided that the UN Charter's central prohibition in Article 2(4) should be against the "threat or use of force." (197)

      While the focus in Article 2(4) is on physical armed force, the phrase "use of force" is not defined in the UN Charter itself. It is nonetheless possible to identify some important, widely accepted parameters of the phrase. For example, efforts by a few states to explicitly include one important type of destructive, nonphysical conduct in the Article 2(4) prohibition against force--acts of economic coercion--were rejected. (198)

      Thus, the consequences of unfriendly acts by states have not dominated the development of legal frameworks regarding recourse to force adopted by the international community. Instead, the consensus that emerged in framing the UN Charter, despite the objections of a small number of states, was that Article 2(4) should not be extended to include some important and damaging actions states may employ against each other, including acts involving destructive economic coercion. (199)

      Although it is generally accepted that acts of economic coercion--like other hostile acts not involving physical armed force--lie outside the scope of Article 2(4), the effects of the most serious economically coercive measures may still be significant and highly damaging to the targeted states. Nonetheless, such damaging acts, and many other "non-military techniques of coercion," are generally classified by the international community not as illegal uses of force but instead as violations of the...