Should cyber exploitation ever constitute a demonstration of hostile intent that may violate UN Charter provisions prohibiting the threat or use of force?

• Author: Wortham, Anna

1. INTRODUCTION II. CYBER ATTACK AND CYBER EXPLOITATION A. Difference Between Cyber Attacks and Cyber Exploitations Generally B. Comparison of Cyber Attacks and Cyber Exploitations III. LOAC AND THE UN CHARTER A. Laws That Apply to Cyber Attack and Cyber Exploitation Generally B. The Law of Armed Conflict 1. Jus Ad Bellum and Jus In Bello 2. Specific Laws Governing Jus Ad Bellum IV. DIFFICULTIES APPLYING LOAC AND UN CHARTER PROVISIONS A. Physical Injury and Destruction vs. Infrastructure Controlled by Technology B. Cyber Attack Weapons Are Readily Available, Not Just Available to Governments C. Presumption of Nation-to-Nation Conflict Between National Military Forces D. The Interconnection of Military and Civilian Information Technology E. The Exception for Espionaget F. The Problem of Attribution V. CYBER EXPLOITATION AS A THREAT OR USE OF FORCE A. Cyber Exploitation as a "Use of Force" Under Current Laws B. Cyber Exploitation as a Threat of Force Under Current Laws C. Cyber Exploitation and Anticipatory Self-Defense Under Current Laws VI. NEW LAWS FOR CYBER THREATS: CYBER EXPLOITATION AS ESPIONAGE? A. Espionage Generally B. Differences Between Cyber Exploitation and Traditional Espionage 1. Access to Much Larger Breadth of Material 2. Much Easier and Less Expensive Access 3. Unknown Effects, Spread to Unintended Targets 4. Attribution Is Near Impossible 5. Long Time to Investigate, Few Conclusive Answers VII. CONCLUSION I. INTRODUCTION

   As the United States and other countries rely more and more on complex infrastructures that are primarily controlled by information technology, and cyber threats against nations become a reality, clear international laws on cyber threats become a necessity. In light of the fact that the United States and other nations may use cyber capabilities offensively as well as defensively, it is even more important that the laws for engaging in such cyber conflict are clear. This is especially true in the case of cyber exploitation because the effects of such exploitations can be far-reaching, but the international law regarding these exploitations is far from clear. Currently, it seems unlikely that cyber exploitation can ever be regarded as a threat or use of force under the UN Charter because it is typically regarded as espionage, which is permissible internationally.

   This Note first analyzes whether it is the case that cyber exploitation cannot constitute a threat or use of force and then analyzes whether that should be the case. Section II focuses on cyber attack and cyber exploitation generally, explaining the differences between the two threats and the similarities in the ways the two threats are carried out. Section III discusses what body of law is applicable to cyber attack and cyber exploitation when a nation engages in or defends against one of these threats, specifically the Laws of Armed Conflict ("LOAC") and the UN Charter. Section IV discusses some of the primary difficulties in applying LOAC and the UN Charter to cyber threats. Section V analyzes whether cyber exploitation, under current governing law, can ever constitute a use of force, constitute a threat of force, or justify anticipatory self-defense. This section concludes that cyber exploitation, by itself, likely cannot constitute a threat or use of force under current law. Section VI then analyzes whether cyber exploitation should continue to be treated similar to traditional espionage in the international setting, which would result in it never being considered a threat or use of force. This section argues that cyber exploitation should be treated differently than traditional espionage and lays out several reasons why this should be the case. Ultimately, this Note concludes that because cyber exploitation is so different from traditional espionage, cyber exploitation should be able to constitute a threat or use of force by itself in some cases. In situations where it does not rise to the level of threat or use of force, it should still be prohibited internationally because it can be so much more destructive than traditional espionage.

   While this Note primarily focuses on the questions surrounding cyber exploitation, the similarities between cyber attack and cyber exploitation make the discussion of cyber attack in this paper requisite. Because there has not been much written on the subject of cyber exploitation or cyber attacks and how they should be dealt with in an international "armed conflict" sense, the majority of the background information in this Note is founded on information presented in the 2009 National Research Council Report ("NRC Report"). (1)

2. CYBER ATTACK AND CYBER EXPLOITATION

   1. Difference Between Cyber Attacks and Cyber Exploitations Generally

      Cyber attacks and cyber exploitations are the two forms of hostile actions that may be taken against a computer system or network. (2) While many people lump these two categories together under the title of cyber attacks, cyber attack and cyber exploitation are two distinct actions. According to the NRC Report, "[c]yber attack refers to deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks." (3) The purpose of a cyber attack is to make adversary computer systems and networks less useful to the adversary by making them unavailable or untrustworthy. (4) Cyber exploitation, on the other hand, refers to "the use of cyber offensive actions ... usually for the purpose of obtaining information resident on or transiting through an adversary's computer systems or networks." (5) The main difference between cyber attack and cyber exploitation is that cyber attack is destructive in nature while cyber exploitation is focused on intelligence gathering and, in order to be covert, purposely does not try to affect the normal processes of the computer or network exploited.

   2. Comparison of Cyber Attacks and Cyber Exploitations

      With regard to operational considerations, cyber exploitation and cyber attack are very similar. Both cyber attack and cyber exploitation require a vulnerability, access to the vulnerability, and a payload to be executed. (6) The payload to be executed, though, differs between the two. Cyber exploitation requires that the execution of the payload be accomplished clandestinely, while secrecy is often far less important with cyber attacks because the effects of the cyber attack are often readily apparent to the target. (7)

      The process of intelligence gathering necessary to penetrate an adversary's computer or network is almost identical for both cyber exploitation and cyber attack. (8) Both cyber attack and cyber exploitation use the same kind of access paths to reach their targets and also "take advantage of the same vulnerabilities to deliver their payloads." (9) Because of the aforementioned similarities, an adversary's intent is often extremely difficult, if not impossible, to determine. (10) This topic will be revisited later in this Note.

3. LOAC AND THE UN CHARTER

   1. Laws That Apply to Cyber Attack and Cyber Exploitation Generally

      The rules that apply when a nation engages in or defends against a cyber attack or cyber exploitation are not entirely clear. Although cyberspecific rules have been created in many instances for cybercrime, nations have not created cyber-specific rules for the actions they take against other nations. (11) Therefore, most international laws have to be applied by analogy. The main body of relevant international laws, and the body of laws most pertinent for the discussion of this Note, is the LOAC.

   2. The Law of Armed Conflict

      1. Jus Ad Bellum and Jus In Bello

         LOAC addresses two questions: (1) "[W]hen is it legal for a nation to use force against another nation?" and (2) "[W]hat are the rules that govern the behavior of combatants who are engaged in armed conflict?" (12) The law governing when a nation can use force against another nation is known as jus ad bellum. (13) Jus ad bellum refers to "those established 'conflict management' norms and procedures that dictate when a state may--and may not--legitimately use force as an instrument of dispute resolution." (14) The law governing when nations are involved in armed conflict, which is separate and distinct from jus ad bellum, is known as jus in bello. (15) Because this Note focuses on whether or not cyber exploitations can ever constitute a "threat or use of force" that would permit a targeted nation to retaliate, jus ad bellum is the relevant body of law.

      2. Specific Laws Governing Jus Ad Bellum

         According to the NRC Report, "[j]us ad bellum is governed by the UN Charter, interpretations of the UN Charter, and some customary international law that has developed in connection with and sometimes prior to the UN Charter." (16) Jus ad bellum and the UN Charter specifically apply to covert action such as cyber exploitation. (17) The UN Charter provisions most applicable to jus ad helium are Articles 2(4), 39, 41, 42, and 51. (18)

         The aforementioned articles of the UN Charter lay out the basic framework of jus ad bellum...