Cyberwarfare: Challenges to International Law
Global networking opens new opportunities for prosperity, education and democratic participation. At the same time, new threat horizons open in cyberspace. Recent years have seen a considerable increase in both the volume and sophistication of cyberattacks. One need only recall the 2007 denial-of-service attacks in Estonia, or the manipulation of Iranian nuclear facilities by Stuxnet in 2010. Fueled by a strategic prioritization of military cyber capacities – especially in the United States and China, who are unanimous in classifying cyberspace as a new domain of warfare1 – these cyberattacks have triggered a controversial debate over the application of international law, notably the right of (military) self-defense in cyberspace and the applicability of the law of war in connection with future cyber conflicts (cyberwarfare).
Meanwhile the question of whether international law – relevant portions of which are based on treaties agreed at a time when the idea of cyberspace was beyond anyone’s powers of imagination – is even applicable to events in cyberspace can now be regarded as settled. At least in respect of this initial question, nations today are in agreement: There is no vacuum of (international) law in cyberspace. As hitherto applicable, international law also applies in principle in respect of activities in cyberspace. The greatest challenge, therefore, is to determine how conventional rules of international law can be applied within the special technical structure of cyberspace and how any gaps or loopholes can be closed in a way that serves the legitimate interests of all parties through a dynamic interpretation or if necessary a reform of the existing legal framework. To examine these questions is the aim of this article, which in keeping with the thematic focus of this series of articles limits itself to questions of principle in international law in connection with the military dimension of cyberspace.
The right of self-defense under international law in cyberspace
The international law debate initially focused mainly on cyberattacks which could trigger the right of (military) self-defense enshrined in Article 51 of the UN Charter. Specifically, the issue was when does a cyberattack reach the threshold of an “armed attack” within the meaning of Article 51 of the UN Charter, since it is then – and only then – that self-defense first comes into consideration. Within the bounds of proportionality, however, this could involve a conventional military response. Traditionally, this threshold has been set very high. If the general prohibition of force laid down in the UN Charter is to be upheld, the right of self-defense must remain an absolutely exceptional right. This must also and particularly apply to any cyberattacks. Only if a cyberattack produces consequences which in their extent and severity are comparable to those of a conventional armed attack can it be assumed that such an attack would trigger the right of self-defense. Technical experts agree that a cyberattack can indeed reach this high threshold, for instance if industrial facilities or air traffic control and other traffic guidance systems are manipulated and actually cause death and destruction. The NATO countries recently confirmed their agreement with this opinion in their cyber defense policy of June 2014.2 So far, however, none of the cyberattacks which have become publicly known have reached the threshold of such an attack. This is true even of the Stuxnet attack in 2010, which, of all the cyberattacks that have become known so far, probably came closest to the attack threshold in view of its physical impacts on the Iranian nuclear program. A further issue of particular controversy is whether a cyberattack on Wall Street or the Frankfurt Stock Exchange might not also reach the threshold of an attack that triggers the right of self-defense. One reason that it might is that any such cyberattack could have devastating consequences. 
However, according to conventional interpretations there is agreement that economically damaging acts do not constitute an “armed attack” within the meaning of Article 51 of the UN Charter. This does not mean that a country has to stand by and watch such events take place. Even below the “armed attack” threshold, international law permits countermeasures as a response to internationally wrongful acts, depending on the severity of the attack. Nor is it entirely out of the question that international law in this area will change in the future, for example if countries were to decide that in globally networked financial and economic systems, the economic harm caused by acts such as cyberattacks could reach a completely new and potentially existential level of threat. So far, however, there has been no indication of any such change in opinion among the international community.
Yet aside from the threshold discussion, the technical characteristics of cyberspace offer another reason why, in many cases, an invocation of the right of self-defense does not come into consideration: Self-defense always requires clear identification of the attacker. The International Court of Justice in The Hague has expressly prohibited self-defense where there is no clearly defined adversary. But in cyberspace it is often extremely difficult to sufficiently identify the attacker and produce the required evidence. At any rate during the limited window of opportunity constituting the only time when self-defense against an armed attack comes into question, this will often prove impossible. The possibilities for concealing or manipulating the origins of an attack in the virtual realm appear to be virtually unlimited, especially for militarily experienced countries.
Military cyber operations in the context of (future) armed conflicts
Apart from the discussion concerning the right of self-defense, another focus of debate is whether International Humanitarian Law is capable of adequately containing military cyber operations in future armed conflicts in keeping with its humanitarian objectives. With regard to certain types of military cyber operations, the International Humanitarian Law assessment is already clear. If a cyberattack is launched against a clearly identified, purely military target – e.g. a cyberattack which seeks to disable a military command center – there are no international humanitarian law concerns. According to applicable international law, such acts are legal in the context of an armed conflict. It is equally clear, for example, that malicious software which spreads in an uncontrolled fashion akin to a biological weapon, causing damage to civilian as well as military facilities, is unequivocally prohibited. On the whole, most scenarios will be covered by applicable international law in which, like the air in an aerial attack, cyberspace is ultimately used only as a medium for carrying out an attack against a physical target. At any rate, such scenarios do not raise any fundamentally new issues.
In contrast, it would appear much more difficult to assess the legal situation when components (hardware and software) of cyber infrastructure are themselves to be made into a strategic target. To the extent that countries are developing their capacities to wage war in cyberspace, this scenario is becoming increasingly relevant. A considerable and worrying legal gray area still exists here.
The networked structure of cyberspace makes it more difficult to apply the principle of distinction which is fundamental to International Humanitarian Law. This principle states that in an armed conflict, a distinction must always be made between military (attackable) objectives and civilians (who are protected from direct attack). In the globally networked realm of cyberspace, it may not be possible to uphold this principle, and there is a danger that all manner of cyber infrastructure components could be far too easily deemed targets for military attack. This would turn the logic of International Humanitarian Law on its head. The problem here is that under current law, any object used for military purposes in an armed conflict is in principle considered to be a legitimate target for attack for the duration of its military use. While the number of such “dual-use” objects (i.e. civilian objects that can be used for military purposes) was limited in traditional conflicts, the situation in cyberspace is different. Worldwide civilian cyber infrastructure is not only potentially suited to civilian and military use, it is already used on a large scale (simultaneously) for military purposes.3 In the event of an armed conflict, this could lead technologically advanced countries in particular to follow an interpretation which affords the greatest possible scope for action and intervention – also in military respects. In view of the enormous hunger for data on the part of the National Security Agency (NSA) – even in peacetime – this fear appears to be in no way unfounded. European countries should take a clearer stance than they have done thus far in support of a narrow interpretation.
Furthermore, in view of the extensive interconnectedness of cyberspace, military attacks on key components of cyber infrastructure could have far-reaching and unpredictable impacts on civilians and civilian applications. The International Committee of the Red Cross has insistently drawn attention to this issue.4 Since the NATO states in their Wales Summit Declaration have just recently acknowledged that cyberattacks will become more sophisticated, common and potentially damaging in the future,5 in this respect too a more thorough investigation of the problem at national level would seem appropriate, and a clear positioning desirable with regard to the application and interpretation of the principle of proportionality under international humanitarian law – which sets an important limit on impacts on the civilian population – in cyberspace. The U.S. Department of State recently issued some initial proposals in this regard which are a step in the right direction.6
To sum up: The right of self-defense exists in cyberspace too. In view of the considerable evidential difficulties in the virtual realm, the greatest restraint should be exercised in any future invocation of this right in connection with cyberattacks. In the field of International Humanitarian Law, there are many issues requiring clarification in connection with potential impacts on the civilian population, which could be particularly serious in countries where economic and social life are reliant to an ever greater degree on a functioning cyberspace. The debate must therefore advance beyond the mere declaration that cyberspace is not a vacuum of international law.
Finally it should be pointed out that the virtual realm presents many other potential threats aside from the military dimension, which are only gradually receiving more attention (in the context of international law). In particular, this applies to the threat to privacy and freedom of expression which has become apparent in connection with the NSA affair, as a result of the merging of traditional intelligence activities with the mass surveillance of private citizens, but also in respect of industrial espionage and the broad spectrum of cybercrime. While the discussion of the military dimension of cyberspace is a forward-looking debate, which in the absence of any corresponding (discernible) established practice among states is based in part on speculation about military capabilities in cyberspace, mass surveillance, industrial espionage and cybercrime are already no longer hypothetical but extremely real threat scenarios.
1 See e.g. The Economist, War in the Fifth Domain, July 1, 2010, available at: www.economist.com/node/16478792.
2 NATO, Wales Summit Declaration, September 4-5, 2014, margin nos. 72 et seq., available at: www.nato.int/cps/en/natohq/official_texts_112964.htm.
3 U.S. Department of State, International Law in Cyberspace, September 18, 2012, available at: www.state.gov/s/l/releases/remarks/197924.htm.
4 ICRC, What limits does the law of war impose on cyber-attacks?, June 28, 2013, available at: https://www.icrc.org/eng/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm.
5 NATO, Wales Summit Declaration, September 4-5, 2014, margin nos. 72 et seq., available at: www.nato.int/cps/en/natohq/official_texts_112964.htm.
6 U.S. Department of State, International Law in Cyberspace, September 18, 2012, available at: www.state.gov/s/l/releases/remarks/197924.htm.
Prof. Dr. Robin Geiß is Professor of International Law and Security at the University of Glasgow and head of the research project “Charting the International Legal Framework for Security Governance by external Actors in Areas of Limited Statehood” in Berlin. Previously he was Professor of International and European Law at the University of Potsdam and worked as a UN delegate and legal adviser to the “International Committee of the Red Cross” (ICRC) in Geneva and New York. He is managing editor of the “Yearbook of International Humanitarian Law” and rapporteur of the International Law Association’s study group on the challenges of asymmetrical armed conflicts. He was also a member of the international group of experts that drafted the “Tallinn Manual” on cyberwarfare at the NATO “Cooperative Cyber Defence Centre of Excellence” (CCDCOE) in Tallinn.