Letter to the Editor: Incoming, January 2015
In this Letter to the Editor, Michael Schmitt responds to the latest Incoming column regarding the definition of cyber attack. Do you agree or disagree? Let us know in the comments.
Editor, SIGNAL:
I read Adm. Stravidis’ thoughtful piece on “Cyber Attacks” with great interest, for I directed the Tallinn Manual project to which he referred. Unfortunately, the admiral misstates the position taken by the “International Group of Experts” that prepared the manual during a three-year project sponsored by the NATO Cooperative Cyber Defence Center of Excellence.
First, allow me a correction. The Tallinn Manual definition cited by the admiral is incorrect. It refers to our definition in Rule 30 of the term “attack" as used in a completely different body of law (humanitarian law) than the one he is discussing in his article (the law governing the use of force). The former deals with how operations may be conducted once States are already involved in an armed conflict (cyber operations during a war); the latter sets forth the rules regarding when States may resort to force in the first place (self-defense). So, the Tallinn Manual definition he criticizes has nothing to do with the subject he raises. Instead, we discussed the meaning of “armed attack” in Rule 13.
Second, a clear understanding of our position is essential for policy makers because if a cyber operation qualifies as an “armed attack”, the victim state may respond with force, whether kinetic or cyber in nature. The Tallinn Manual never limited the definition of cyber armed attacks to those that caused physical damage or injury. Instead, we said that whether a cyber operation is an armed attack depends on its "scale and effects,” a phrase borrowed from an International Court of Justice judgement. We agreed that "any use of force that injures or kills persons or damages or destroys property would satisfy the scale and effects requirement” and that “acts of cyber intelligence gathering and cyber theft, as well as cyber operations that involve brief or periodic interruption of non-essential cyber services, do not qualify as armed attacks.” But we go on to clearly state that, "The case of actions that do not result in injury, death, damage, or destruction, but which otherwise have extensive negative effects, is unsettled.” Indeed, the commentary raised many of the very points the admiral highlighted.
Third, I am unconvinced his proposed definition adds any clarity to the subject The devil is in the details. For example, it is unimaginable that the international community would treat any cyber operation having economic consequences or creating cultural instability (however that vague term may be defined) as an armed attack allowing the victim state to use force in response. That is simply not the law, and has never been. A definition that fails to set a clear threshold of economic harm is over broad, inconsistent with the current law, and not horribly useful to those who have to deal with the nuances of individual cyber operations.
Finally, the admiral’s comments seem to reflect a general sense that if the cyber operation does not rise to the level of an armed attack, the victim state is left defenseless. On the contrary, international law already addresses many of the concerns he has. For example, the "law of intervention" addresses certain operations that might create political or cultural instability. The "law of countermeasures" provides a fairly robust means of responding to cyber operations that are non-destructive in nature (e.g., in the Sony case, certain U.S. cyber operations against North Korea would have been lawful). The "law of state responsibility" governs when states are legally responsible for their cyber operations or those conducted at their behest. States have a wide array of means to respond to malicious cyber operations. They just need to think though how to do so before the operations are mounted.
—Michael Schmitt
Charles H. Stockton Professor & Director, Stockton Center for the Study of International Law, U.S. Naval War College
Professor of Public International Law, University of Exeter School of Law
Fellow, Harvard Law School Program on International Law and Armed Conflict
Senior Fellow, NATO Cooperative Cyber Defence Centre of Excellence
The views expressed are those of the author in his personal capacity.
