Faced with the increased propensity for cyber tools to damage state computer networks and power grids with the click of a mouse, politicians and academics from around the world have called for the creation of a Geneva Convention equivalent in cyberspace. Yet, members of the United Nations Security Council continue to disagree as to what cyber activities might rise to the level of an armed attack under the existing Law of Armed Conflict. Activities once limited to cyber espionage, and outside the reach of international law, are now the very same tools utilized in cyber operations to disable state communications and wreak havoc on state infrastructure. Wars, traditionally waged between nations and clearly defined groups, can now be fought behind the veil of anonymity inherent in the Internet. While acts of war have yet to happen openly on the Internet, accusations have already been made against Russia for the 2007 cyber attacks on Estonia and against Israel for the Stuxnet worm unleashed on Iran's nuclear reactors. Just as aerial bombing and nuclear arms revolutionized the battlefield, cyber attacks, and the mechanisms behind them, stand poised as the next evolution in weapons of war, and any multilateral treaty must take these facts into consideration.
Throughout history, technology has revolutionized the manner in which wars are fought. In the eighteenth century, gunpowder brought an end to the days of castles and knights, ushering in a period of battalions and infantrymen. Two hundred years later, the invention of the aircraft gave rise to the Hague Rules of Air Warfare after the widespread destruction caused by strategic bombing campaigns during the First World War. The atrocities wrought by the atom bomb at Hiroshima and Nagasaki still burn in the memories of many and are responsible for the proliferation of espionage and intelligence gathering that continues to this day in our international community. Now, at the dawn of the twenty-first century, information technology stands to once again change the landscape of war. While the Internet transformed society in the nineties by allowing computer users to access information across the globe with the click of a mouse, the spread of information technology comes at a cost. The more people become dependent on the Internet, and the more data we move from paper to digital format, the more vulnerable our society becomes to a cyber attack.
Formerly the substance of science fiction, cyber warfare is one of the most serious national security threats in recent years. Cyber warfare covers the doctrine regarding the tactics, techniques, and procedures of Computer Network Operations (CNO) including attacks, defense, and exploitation, plus the new aspect of social engineering. (1) While the technology used in cyber warfare has been traditionally characteristic of espionage activities in the last twenty years, this same technology is capable of creating real damage to a nation-state. In 2007, Estonia suffered the first ever reported state-wide incident of cyber assault when Estonia's banks, online newspapers, and government communications were shut down for two weeks by a group of Russian hackers who were believed to be tied to the Kremlin. (2) One of the most wired societies in the world, the people of Estonia quickly turned to the streets in riot, leaving at least one person dead and 150 people injured. (3) Similar attacks predated the weeks leading up to the 2008 Georgian bombings by Russia, but it was not until the United States Department of Defense ("DoD") suffered a massive compromise of military defense networks that the United States issued a Cyberspace Policy Review and established the United States Cyber Command ("USCYBERCOM") to protect DoD networks. (4)
Despite various initial steps to deter a massive cyber attack on DoD networks, the United States is largely unprepared to respond to an act of cyber warfare. In fact, the United States military does not even have a definition for cyber warfare, nor does the legal community understand how it applies to legal norms, specifically the Law of Armed Conflict. (5) The lack of a definition of cyber warfare is especially problematic because the President, in responding to a cyber attack, must first determine whether such an attack rises to the level of an "armed attack," and thus justifies self-defense. However, much of what transpires in the cyber realm does not resemble traditional military threats. Whether it is appropriate to characterize cyber attacks as "weapons, means or methods of warfare" and subject them to legal review is an issue because the legal architecture for the Law of Armed Conflict is founded on the concept of traditional military threats.
This paper focuses not only on the current state of the law regarding cyber warfare, but also on what cyber warfare could and should be. Part I looks at the nature and history of cyber attacks to provide an understanding of their capabilities as weapons of war as compared to espionage. Part II examines the applicability of the Law of Armed Conflict to cyber attacks, including how the elements of proportionality, attribution, and necessity apply to the most common forms of cyber attacks. Part III discusses how cyber warfare is currently being addressed by the United States, the recent proposals for an international treaty on cyber warfare, and the obstacles to establishing a multilateral international treaty. Finally, Part IV looks ahead to the future of American civil liberties post-normalization of cyber warfare.
THE NATURE AND HISTORY OF CYBER ATTACKS: WEAPONS OF WAR OR ESPIONAGE?
In the last decade, the rate of cyber attacks increased exponentially, along with their propensity for actual harms. Faced with the growing reality of cyber attacks from foreign state actors, talk of a Geneva Convention equivalent for cyber space made headlines in the news and at academic conferences in 2010 and 2011. (6) Politicians and academics alike agree that a treaty would lessen the chance of a real cyber war, arguing the world is now in the early stages of a Cyber Arms Race. (7) In evaluating how domestic and international law might be used by the United States in response to cyber attacks, the international legal community must first discern the nature, purpose, and scope of cyber attacks. While the use of terms like "war" and "attacks" suggests an offensive military nature, threats to our national computer systems frequently fall under the category of espionage due to their data gathering nature. (8) Espionage, while punishable under domestic laws, is not listed as a crime by the International Court of Justice. Rather, the International Court of Justice reserves the term crime against international law for acts of aggressive war, serious war crimes or crimes against humanity, all of which presume harm to citizens of a nation-state. (9) The establishment of any sort of international regime, consequently, turns on delineating cyber activities that are used as weapons versus those limited to state espionage.
Although cyber tools used for espionage activities are often the same tools used to attack a nation's computer networks, acts of cyber warfare deviate from their espionage counterparts by going beyond compromising a computer network. (10) Rather than passively monitor state activities on a computer network or copy data, (11) a cyber attack actively "penetrates another nation's computer systems or networks for the purposes of causing damage or disruption." (12) While the United States military has yet to settle on official definitions for both cyber attacks and cyber warfare, (13) the DoD recently adopted an effects-based approach, or consequence-based model, for determining when a cyber activity becomes a cyber attack. (14) Under the current approach by the DoD, the damage caused by the activity to computer networks and infrastructure is compared with the consequences of traditional armed attacks. (15) In other words, when the effects of a cyber attack are analogous to those that would invoke U.N. Charter terms of "armed attack," then the cyber operation rises to the level of an armed attack. For example, if a cyber attack takes critical state infrastructure, such as an electricity grid or a dam, offline and collateral damage spills over into the civilian realm, then the cyber attack would likely count as an armed attack. (16) On the other hand, a cyber operation that interferes with intelligence activities shares more similarities with espionage activities than the kinetic effects of armed attacks. Recently, NATO also adopted the effects-approach, concluding in an expert report led by Madeleine Albright that a cyber attack on the critical infrastructure of a NATO country may equate to an armed attack and justify retaliation. (17)
Despite support of this approach by the United States and NATO, Russia and China have both rejected the effects-approach in favor of a broad definition of cyber warfare that encompasses any use of a computer technology to wage an attack on another country, including online acts to undermine the political and social harmony of the state. (18) Although Russia, China and the United States began official talks nearly two years ago, (19) state representatives have yet to reach a consensus as to when a cyber attack rises to the level of an armed attack and, in turn, when a cyber attack violates international law. (20)
Just as the definitions of cyber attacks vary among nations, the variety of hostile activities capable of being carried out over computer networks is equally vast, ranging from malicious defacement of websites to large-scale destruction of SCADA (21) infrastructures that civilians depend upon. The most common cyber tools employed by private and state hackers are Structured Query Language ("SQL") code injection, Distributed Denial of Service ("DDoS"), and worms. While many of these cyber tools characterize recent...