Low-Intensity Computer Network Attack and Self-Defense

Author: Sean Watts
Position: Associate Professor, Creighton University Law School
I. Introduction
In May 2010, the United States Department of Defense activated the US Cyber Command,1 consolidating leadership of six previously dispersed military organizations devoted to cyber operations.2 To its supporters, Cyber Command represented a significant accomplishment as congressional misgivings over the command's mission, its effects on American citizens' privacy and ambiguous limits on its authority had delayed activation for nearly a year.3
These concerns featured prominently in the confirmation of Lieutenant General Keith Alexander, the President's nominee to lead Cyber Command. In written interrogatories, the Senate Armed Services Committee asked, "Is there a substantial mismatch between the ability of the United States to conduct operations in cyberspace and the level of development of policies governing such operations?"4 General Alexander's response identified a gap "between our technical capabilities to conduct operations and the governing laws ...."5 However, he later observed, "Given current operations, there are sufficient law, policy, and authorities to govern DOD cyberspace operations."6
* Associate Professor, Creighton University Law School; Assistant Department Chair, International & Operational Law Department, The Judge Advocate General's School, United States Army Reserve.
General Alexander's responses often struck such dissonant tones. And while his unclassified responses generally offered little legal reflection, he commented in detail on international self-defense law and cyber operations.7 His responses portrayed existing law under the UN Charter as adequate to defend US interests from cyber attack. Further, he indicated the United States would evaluate threats and attacks in the cyber domain exactly as it would in other security realms.8 Yet, the same section of responses noted a lack of international legal consensus concerning which cyber events violate the prohibition on the use of force or activate the right of self-defense, suggesting a less than coherent structure to this important international legal regime.9
Meanwhile, cyber attacks have rapidly migrated from the realm of tech-savvy doomsayers to the forefront of national security consciousness.10 One need no longer be an experienced programmer or use much imagination to appreciate the threat posed by cyber attacks. Incidents such as the disruptions experienced in Estonia in 2007 and Georgia in 2008 provide concrete examples of practices, trends and potential harm posed by future cyber events.11
Similarly, cyber conflict theorists paint an increasingly lucid picture of the strategy and tactics that will inspire future attacks and shape defensive efforts. Cyber strategy is evolving rapidly, as threat capabilities and tactics shift to exploit newly discovered vulnerabilities. While defending against massive cyber catastrophes remains a priority for planners, a growing contingent of cyber theorists concludes that campaigns of diffuse, low-intensity attacks offer an increasingly effective strategy for cyber insurgents and State actors alike. Operating below both the focus of defensive schemes and the legal threshold of States' authority to respond with force, low-intensity cyber attacks may prove to be a future attack strategy of choice in cyberspace.
The confluence of Cyber Command's activation with publication of details of recent cyber incidents, as well as insight into emerging cyber strategy, provides an opportunity to critically evaluate General Alexander's assessment of the international law of self-defense as well as the overall significance of the events in Estonia and Georgia. Specifically, it is worthwhile to consider whether the bargain governing use of force reflected in the 1945 UN Charter is adequate for the threats facing States today and for the future of cyberspace. Put differently, will the letter of the Charter's use-of-force regime operate as an effective regulation of States' efforts to secure cyberspace from one another and from non-State threats?
This article argues that the above-mentioned developments in cyber conflict will greatly strain the existing self-defense legal regime and cast past computer network attacks (CNA), such as the Estonian and Georgian incidents, in a new light. First, gaps in the law's response structure will prove highly susceptible to
