New Rules for Cyberwar?

by Duncan Hollis

More than a decade ago, the U.S. Defense Department’s Office of General Counsel (DoD OGC) released a detailed analysis of the way international law would operate to guide U.S. military activity in cyberspace.  It was an impressive effort and is still worth reading today despite all the intervening, and dramatic, changes in the technology and the geopolitical landscape.  At the same time, the DoD OGC memo was ultimately an exercise in issue-spotting rather than rule-clarification.  Indeed, as I’ve noted for some time, international law may clearly govern military activities in cyberspace (whether in terms of the jus ad bellum or the jus in bello), but the content of those rules is far from clear; and where there are identifiable rules, they tend to derive from too many overlapping legal regimes while not adequately regulating the very areas (e.g., non-state actor attacks) most in need of regulation.   As a result, cyber-specific rules of international law are clearly needed.

Now, international law can be created through a wide array of pathways.  The most prevalent modern method would be treaty-making.  As a result, the idea of a global treaty on cyberwar has become popular in various quarters, whether in the form of something like the Geneva Conventions, Russian proposals to regulate the proliferation of “cyberweapons,” or the Council of Europe’s efforts to combat cybercrime.  Critics have questioned whether such an effort could succeed (while others continue to insist it is not necessary).

For proponents of international regulation, however, it is important to recognize that international law can come from sources other than treaties; customary international law remains possible, even prevalent, in much of international humanitarian law.  And, custom comes from state practice.  Indeed, it’s worth remembering that much of the modern law of war began with the effort by a single state–the United States–to draft regulations for its armed forces in their conduct of the Civil War with the Confederacy: General Orders No. 100, better known as the Leiber Code for its author, Columbia Professor Francis Leiber.

It’s with the Leiber Code in mind, therefore, that I am interested in seeing the Executive Orders President Obama signed last month, detailing what the U.S. military and intelligence agencies can do in cyberspace. The U.S. government has yet to put out any unclassified versions of its strategy or specific rules in this area.  But, the Wall Street Journal noted last month that the United States will now regard certain cyber-attacks as acts of war.  And, today, the AP is reporting further details.  Here’s the meat of the most recent story:

As an example, the new White House guidelines would allow the military to transmit computer code to another country’s network to test the route and make sure connections work — much like using satellites to take pictures of a location to scout out missile sites or other military capabilities.

The digital code would be passive and could not include a virus or worm that could be triggered to do harm at a later date. But if the U.S. ever got involved in a conflict with that country, the code would have mapped out a path for any offensive cyberattack to take, if approved by the president.

The guidelines also make clear that when under attack, the U.S. can defend itself by blocking cyber intrusions and taking down servers in another country. And, as in cases of mortar or missile attacks, the U.S. has the right to pursue attackers across national boundaries — even if those are virtual network lines.

Under the new Pentagon guidelines, it would be unacceptable to deliberately route a cyberattack through another country if that nation has not given permission — much like U.S. fighter jets need permission to fly through another nation’s airspace.

Uri Friedman over at the Atlantic Wire distills this to suggest the new Executive Orders will (1) regulate peacetime use of cyberespionage, (2) permit military retaliation to a cyberattack that constitutes an attack, and (3) prohibit deliberate (but not inadvertent) use of neutral networks in military cyberactivities.

I am really interested to see what the White House or the Pentagon papers will actually say about these three points. Working backwards, neutrality is a complicated (and frankly a bit esoteric) area of international humanitarian law in which the United States has already taken contested positions in its global efforts to combat Al Qaeda.  Military retaliation, aka self-defense, is not a terribly controversial idea if in response to something that rises to the level of an armed attack; the trick will be to see if the Pentagon lays out clearly what that threshold will be.

The cyber-espionage point, however, is a bit more difficult than the AP describes it.  It is true that cyberexploitations (where you simply gather unauthorized access to data from another computer system or network) are different than cyberattacks (where you deny, disrupt or degrade the computer system’s integrity, authenticity or availability).  And, it is also true that international law has not prohibited espionage (although virtually every state has criminalized such acts).  The problem is that some States may not be willing to equate the most extreme cyberexploitations with traditional acts of espionage.  The scale of a cyberexploitation can be stunning if it can access all data resident within a military computer network or one, say, that controls a nuclear power plant.  Depending on the target or scale of the exploit, it could compromise a nation’s security in ways that outstrip what human intelligence or satellite imagery has been capable of to date.  As a result, while many states may regard most cyberexploitation as falling within the espionage status quo, I’m not as certain that all cyberexploitations will be regarded that way.

More importantly, while the United States can always say that it is only going to engage in peacetime cyberexploitations as distinct from cyberattacks, it is not clear if other states will accept that distinction.  The reality is that for victims who identify a cyberexploitation, it may not be immediately apparent if the exploit is simply mapping the victim’s system or network, gathering data, or if it is also carrying some more nefarious cyberattack that could cause actual harm to the computer system or any infrastructure it supports.  And if cyberexploitations cannot be distinguished from cyberattacks, that leaves open the risk that a U.S. cyberexploit might be treated as a cyberattack and subject to a military response (which could involve the very acts that the U.S. has suggested would justify military retaliation, and suddenly we’ve escalated the situation into a conflict).  Now, to be clear, I’m not saying that all cyberexploitations can or should be regulated or banned.  I’m just saying that it’s not as easy as the AP suggests for the United States to pursue a “peacetime” cyberexploitation strategy without any fear of unanticipated consequences.  Given the anonymity that currently characterizes most cyberoperations, moreover, there is the added risk of mis-attribution, which only further complicates the picture. That’s why I’m very interested to see what the Pentagon or the White House has to say on these matters.  Hopefully, we’ll get actual text to look at in the coming days that details what the United States thinks are the rules for cyberwar.

8 Responses

  1. Can we all agree, however, that the United States along with the U.K. – the authors of the Stuxnet computer worm – in deliberately attacking Iran’s state infrastructure with that cyberweapon, have already breached existing and nascent rules of the jus ad bellum and cyberweapon specific rules?
    I am 100% certain that, were the roles reversed, the United States would consider such a use of a cyberweapon by Iran to be a breach of international law and an act of war.
    Dan Joyner

  2. This is a fascinating area of law. The increasing reliance on electronic information systems in almost every sphere of modern life has also brought a corresponding increase in vulnerability to cyber attacks. For example, a hacking attack on the electricity grid of a nation can conceivably result in greater damage than a bombing.
    As a consequence, there is a real need to consider the constraints ICL places on such cyber attacks.
    However, I would not be surprised to see the ‘powerful’ nations’ ability to inflict damage on those who conflict with their interests to be constrained.

  3. Just an arrogant and self-righteous editing comment.
    “Leiber code” is a typo. It is Lieber code.
    Thank you and sorry for this wise-a.. attitude o’mine.

  4. Really? Is no one going to comment on or challenge my statement opening this thread?  I guess that’s Q.E.D. through silence! Hooray!

  5. Professor Joyner,

    I’ll have a go. You refer to the ‘authors of the Stuxnet computer worm’. (emphasis added) I suggest the more relevant act is who deployed the code, not who developed it.

  6. Hi Ian,
    As far as I know, there was no distinction as between the actors who developed the worm and those who deployed it. Both acts were performed at the order and through the instrumentality of the agents of the US and UK. Do you know of any source that makes such a distinction? I would be interested to see it.

  7. I have only a passing familiarity with the facts. I just thought I would take up your challenge.

    The point I was hoping to make is that in the interesting world of cyber, it seems to me perhaps attribution should attach to the State that deploys the code (similar to firing a weapon) rather than the State (if it was State sponsored) that developed the code (similar to manufacturing a weapon).

    The counter to my own argument might be where the code-developing-State is not developing code in a general sense but has been approached by the soon-to-be code-deploying-State to create code in the knowledge that it will be used in a manner contrary to international law.

  8. I’m coming a little late to the party but Dan, yours is the first comment I have seen linking the UK to Stuxnet – the usual suspects being Israel and the US (in that order). I do agree that this probably constitutes a use of force, but the attribution issue means that unless you can prove it was a State, it exists as a crime only. Personally I do not believe that this was of sufficient scale and effect to constitute an armed attack, although quite clearly an internationally wrongful act. Like Duncan’s initial post, I am eagerly awaiting the Pentagon’s unclassified paper (although unlike Duncan, I am sceptical of the need for, or ability to get meaningful agreement on, a new treaty). 
