The Right of Self-Defense Includes “Offensive” Cyber Attacks

The Right of Self-Defense Includes “Offensive” Cyber Attacks

That very trendy and useful legal concept – the right of self-defense — is not just for targeting U.S. citizens to be killed. The U.S. military’s new “Cyber Command” chief has asserted that the U.S. government’s right of self-defense almost certainly permits it to take offensive “cyber” attacks.

… commanders have clear rights to self-defense, he said. He added that while “this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles … would be lawful.”

Is the law of war the right paradigm? I suppose so.  I await further thoughts from our “resident” cyberwar expert. Prof Hollis?

Print Friendly, PDF & Email
Topics
National Security Law
Notify of
Duncan B. Hollis

I think the Government is correct here that offensive cyber-operations can be deployed as a lawful means of self-defense in response to an armed attack (assuming that they are deployed in ways that comply with the jus in bello, such as proportionality, civilian distinction, etc.).  BUT, there are two problems in implementing that principle. 

First, it’s unclear whether there’s any agreement on what will constitute an armed attack in cyberspace triggering a right of self-defense.  I worry that what we may think of as an armed attack may not be viewed as such by an attacker, thereby risking an unintended escalation of a cyber-exchange into a real conflict, perhaps even kinetic warfare. 

Second, it’s also unclear how the jus in bello regulates offensive cyberoperations (e.g., what cyberattacks constitute legitimate ruses vs. which ones would involve perfidy).  In other words, I think cyberspace remains subject to the traditional rules on the use of force and the law of war.  But, I’m less sanguine that we have sufficient consensus on when and how those rules do apply.  Moreover, I have real reservations about what paradigm to apply to situations of cyberattacks by the United States or others that fall short of an armed attack, but nonetheless lie beyond the bounds of existing criminal law paradigms.