Unarmed Attacks: Cyber Combatants and the Right to Defend

Publication year: 2018
Author: Anna C. Mourlam*

I. INTRODUCTION

Cyber-based attacks have distinct advantages over physical attacks: they can be conducted remotely, anonymously and cheaply. They do not require significant investment in weapons, explosives or personnel. And yet, their effects can be both widespread and profound. As of 2000, Interpol estimated that there were as many as 30,000 websites that provided automated hacking tools and software downloads.1 As of 2002, 19 million individuals had the knowledge necessary to launch cyber attacks.2 And as of 2008, the Defense Department estimated more than three million attacks occur annually.3 Worldwide aggregate damage from these attacks is now measured in billions of U.S. dollars annually.4

Little specialized equipment is needed: the basic attack tools consist of a laptop, modem, telephone and software used daily by countless professionals.5 Recently, the attacks have shifted from espionage to destruction; nations are actively testing how far they can go before the state will respond.6 For example, following reports of infiltration by foreign spies, the U.S. government did little more than admit that the nation's power grid is vulnerable to cyber attack.7 Alarmingly, the software left behind in these attacks reportedly had the capability of shutting down the country's electric grid.8 Former CIA operative, Robert Baer, stated that these types of attacks are not uncommon:

[Other countries'] foreign intelligence service has been probing our computers, our defense computers, our defense contractors, our power grids, our telephone system ... I just came from a speech at the national defense university and they were hit by the Chinese trying to get into their systems. They are testing and have gotten in portals. It's a serious threat.9

Cyber attacks that are reasonably expected to cause injury or death to persons, or damage or destruction to objects, are generally illegal under international law. However, such an attack may be permissible if: (1) the attack is undertaken by the armed forces of the state; (2) the attack effectively distinguishes between military and civilian personnel and objects; (3) the attack respects the jus in bello principles of necessity and proportionality; and (4) the attack occurs during an armed conflict. Part II will examine the question of attribution for cyber attacks, while Part III will emphasize the controlling factors for the legality of cyber attacks in the context of an armed conflict. Finally, Part IV argues that cyber attacks attributable to the state that are reasonably expected to cause injury or death to persons or damage or destruction to objects are impermissible under international law outside of a recognized armed conflict, with perhaps an exception for self-defense under Article 51 of the Charter of the United Nations.

II. ATTRIBUTION OF CYBER ATTACKS
A. Definition of a Cyber Attack

The first question to address is what, exactly, constitutes a cyber attack? The Stanford Draft International Convention to Enhance Protection from Cyber Crime and Terrorism defines cyber attacks as: "[The] intentional use or threat of use, without legally recognized authority, of violence, disruption or interference against cyber systems, when it is likely that such use would result in death or injury of a person or persons, substantial damage to physical property, civil disorder, or significant economic harm."10 A broader definition of cyber attacks may be found in the U.S. Department of Defense's Dictionary of Military Terms, which defines a "computer network attack" as "[a]ctions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves."11 By comparison, the Tallinn Manual on the International Law Applicable to Cyber Warfare contains a narrow definition: it defines a cyber attack as "a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects."12

The characterization under the Tallinn Manual—limiting the scope to any resulting "injury or death" and "destruction to objects," while excluding purely economic harm—is the most applicable to customary international law on the use of force.13 Although all of the incidents described by the Stanford Draft International Convention and the Dictionary of Military Terms compromise the security of a computer network, mere cyber-espionage or cyber-exploitation does not constitute a cyber-attack for the purposes of this analysis.

After the act is defined, the next problem is whether the cyber attack is attributable to the state. There are two possible scenarios in which a cyber attack is attributable to a state: (1) when a state permissively allows its territory to be used to carry out the attack (such as when a state offers safe haven to a terrorist organization that conducts a cyber attack); or (2) when a state overtly or implicitly directs the acting party engaging in the particular conduct (such as when a state orders its armed forces to undertake a cyber attack).

B. Territorial Attribution of a Cyber Attack

It is well established in international law that the "effects principle" permits the extraterritorial regulation of activities that impact a state's territory.14 For example, the Third Restatement of Foreign Relations Law states that international law recognizes that a nation may provide rules with respect to "conduct outside its territory that has or is intended to have substantial effect within its territory."15 Although this type of territorial integrity is a fundamental principle of international law and relations, it is difficult to apply to "commons" such as cyberspace.16 Hence, although a state may establish domestic cyber law, imposing it is another matter.

And although the existence and enforcement of domestic law criminalizing cyber attacks is one way to lessen the liability of a state for attacks independently perpetrated by private actors, based on the effects principle, even those acts not sanctioned by the state's domestic law may still be considered attributable to that state. If the state knew or should have known its territories were being used for acts against other states, it may be in violation of the law.17

The attributable conduct can consist of either actions or omissions: in the Corfu Channel case, for example, the International Court of Justice (ICJ) held that it was a sufficient basis for Albanian responsibility that it knew, or must have known, of the presence of mines in its territorial waters and did nothing to warn other states of their presence.18 Similarly, the 1986 Libya precedent demonstrates that states that unwittingly, or permissively, allow their territory to be used to carry out attacks are guilty of committing an act of aggression themselves.19 In that case, the U.S. intercepted messages between Tripoli and Libyan agents in Europe in which the Libyan leader, Colonel Gaddafi, allegedly ordered an attack in West Berlin that killed two U.S. servicemen.20 In the trial that followed, the Berlin court held that Libya was to a large extent responsible for the attack, as the attack had been planned and carried out by members of the Libyan secret service in the Libyan Embassy in East Berlin.21

Yet the analysis cannot end by simply determining the point of origin. Unlike Corfu Channel or the Libyan precedent, the fact that a cyber operation has been launched or otherwise originates from governmental cyber infrastructure is not sufficient evidence in and of itself to attribute the operation to that state;22 often, attacks are routed through multiple nations before the intended target is reached. The transnational realities of cyberspace are such that satisfactory territorial attribution depends largely on the actual knowledge of the state.23

A good example is the United States Diplomatic and Consular Staff in Tehran: in that case, fifty-two U.S. diplomats and citizens were held hostage for 444 days after a group of Iranian students belonging to the Muslim Student Followers of the Imam's Line, who were supporting the Iranian Revolution, took over the U.S. Embassy in Tehran.24 There, the ICJ held that the Islamic Republic of Iran was responsible due to the "inaction" of its authorities, which "failed to take appropriate steps" in circumstances where such steps were evidently called for.25 The court concluded that the actions of a state's citizens could be attributed to the government if the citizens "acted on behalf on [sic] the State, having been charged by some competent organ of the Iranian State to carry out a specific operation."26

While the court did not obtain enough evidence to attribute the actions of the citizens to the government in that specific instance, the ICJ did determine that the Iranian government was nonetheless responsible on the grounds that it was aware of its obligations under the 1961 Vienna Convention on Diplomatic Relations and the 1963 Convention on Consular Relations to protect the U.S. embassy and its staff, and failed to comply with its obligations.27 In other words, if there is insufficient evidence to find attribution outright, then governmental awareness may be sufficient to establish a violation of law.28 Thus, in the context of a cyber attack, a state may be held in violation of international law by permissiveness established by its awareness of—and inaction towards—an illegal act or acts originating in its territory.

C. Organizational Attribution of a Cyber Attack

As to the second scenario, there are situations in which a state may have overtly or implicitly directed the party engaging in the disputed conduct. The simplest example, of course, would be if the armed forces of a state (as compared to unaffiliated citizens) acted under government command. In that case, attribution to the state for...