Enable breadcrumbs token at /includes/pageheader.html.twig

Cyberwarfare and International Law

Myths, misperceptions and complicated terminology befoul an already difficult topic.

“Many authors and pundits boldly masquerade legal innovations as accepted understandings of IHL [international humanitarian law]. Even more troubling is the fact that many scholars lacking the appropriate education or experiential background have responded to the fact that IHL is a topic au courant by claiming IHL expert status. Their work product misstates basic principles and rules with distressing frequency, and they are too often set forth in an ad hominem manner. All of these contributions, from the superb to the sub-standard, exert informal but real pressure on the shape of IHL.”

This is the opinion of professor Michael N. Schmitt in the Texas International law Journal. This also is my beef, but I cannot state the case as eloquently as Schmitt. This challenge, having too many “experts” in international humanitarian law, is not limited to attorneys who practice in this specific area. It is reaching farther to lawyers and non-lawyers, all of whom would like you to believe that they are cyber experts. Moreover, given that cyber is extremely diverse, many “experts” are writing, advocating, and/or caterwauling in all directions.

For example, a recent description of a new book stated, “In 2011, the United States government declared a cyber attack as equal to an act of war.” No, the United States did not. I searched the 2011 Defense Department Strategy for Operating in Cyberspace for the term “act of war,” and it is not in there. Why? Terminology—which, I grant you, the U.S. government has been in the forefront of screwing up since it went away from computer network operations, security, defense, exploitation and attack. The first time a “cyber attack” was declared as such was Homeland Security Secretary Jeh Johnson describing the 2014 Sony hack. So, back in 2011, the U.S. government was not declaring cyber attacks as acts of war. As a matter of fact, the U.S. government has moved away from declaring anything an act of war since the last war we declared—World War II.

Similarly, other published articles espouse that cyber espionage will escalate conflict and lead to havoc for the United States. Therefore we must improve cyberdefenses; improve attribution; define and enhance the “lanes in the road” for various cyber government entities and agencies; and retaliate in kind when hit by cyber attacks.

Fortunately, many of these worries above were answered by the Defense Department almost four years ago. This is explained in the Department of Defense Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934, November 2011. And the short of it is, we will treat cyberspace like we would the other domains and apply the law of armed conflict.

So let’s look at a couple concerns.

The cyber espionage myth expresses worries that victim nations will misinterpret espionage, particularly during heightened states, and improperly escalate the conflict. It assumes victims will not distinguish between cyber espionage and cyber preparation for a cyber attack. Yet the law of armed conflict requires victim nations to accurately evaluate both kinetic and cyber incidents that occur. This accurate evaluation insures that a state does not improperly escalate or respond with force where not warranted.

For example, if a victim state discovers code, and its forensics reveal it is solely used for exfiltration of documents and materials and the code contains no “payload” or harmful effects, then the victim nation is aware of the exploit and can take steps to mitigate it, removing any potential threat from that code. Additionally, should the victim state discover that the code used to exfiltrate data also contains a payload, again, it can take steps to mitigate the code and remove the threat of both exfiltration and harmful “attack” possibilities. That particular code no longer poses any threat. However, should the victim nation determine that this is part of a larger campaign, then, yes, now the state may have a self-defense option available to it should all the requirements be met.

Attribution is the same for the physical world as it is for the virtual. People seem to want to assume attribution is harder for cyberspace activities and then just stop there. Still, several well-placed sniper rifle shots into a power substation in California caused a serious amount of damage, and attribution is still not complete. The point is attribution is hard no matter what the domain, and it is the responsibility of the president to determine the sufficiency of that attribution should he decide to exercise his self-defense authorities and respond to ongoing cyber activity. The president determines the scope, intensity and duration of the incident. Moreover, no precise definition exists for what is a use of force either inside of or outside cyberspace, and nations reach these determinations differently.

So while many published articles are correct that the cyber domain adds another element to geopolitical considerations, a lot of factors add to geopolitical events. All of them must be evaluated appropriately so as not to escalate conflict improperly. Accordingly, this elevates the importance of spying. Under international law, nations must take steps to mitigate collateral damage. One way to do this is collecting intelligence, the more a state collects, the better it can evaluate an adversary’s intent, and moreover, insure the actions the state executes minimizes collateral damages and complies with the law of armed conflict.

Robert Clark is an Army Cyber Institute fellow for cyber law at West Point, the U.S. Military Academy.