Is a Use of Force the same as an Armed Attack in Cyberspace?

by Duncan Hollis

I’m just back from the U.S. Naval Academy and a great conference put on by the Stockdale Center for Ethical Leadership:  Warfare in a New Domain: The Ethics of Military Cyber Operations. Ed Barrett pulled together a truly impressive group of technologists, international lawyers, philosophers, ethicists, active duty military personnel and US Government officials to weigh in on existing cyberthreats and the appropriate legal and ethical frameworks for responding to them.  I may blog more of the details later, but here are three quick take-aways from our two day conversation:

1) Cyber is hot.  When I first started writing in this area, I frequently had to fend off charges that this was just fodder for international lawyers who happened to like science fiction.  We’ve come a long way since those days.  Cybersecurity is front and center in Congress, and cyberthreats and cyber-capacities have moved into the front seat in national security circles.  Although I’m not sure everyone agrees with the cyber-arms race idea, it is true that the technological capacity is on a steep upward trajectory and the actors involved are constantly expanding (I’m told, for example, that Zimbabwe is the latest in a long list of States to get together its own cyberforce).

2) We don’t agree on why cyber is hot.  Over the course of the conference, there were dissonant voices on what the cyberthreat really is.  First, there’s what we might call the “Digital Pearl Harbor” crowd — folks worried about, and looking to head off, a massive, large-scale cyberattack with significant effects on the civilian populace (think — shutting down the U.S. power grid).  A related view, are those clearly worried about how nation States will deploy cyber in armed conflicts, and what methods exist to deter escalation to such conflicts.  In contrast, there is a growing, and vocal group, who say that to focus on cyberwar or the most dangerous cyberthreats is to ignore the real problem — China.  This is the “China’s eating our lunch” crowd, who blame cyberespionage by China and its proxies for the theft of petabytes of data, including intellectual property, business plans, R&D, etc from the private sector in what some call the greatest wealth transfer in history.  Finally, there are those who view the cyberthreat as more diffuse, although perhaps no less dangerous.  This view may best be summarized by the idea of a “death by thousand cuts”; that is, we shouldn’t expect drama in cyberspace so much as low-level but systemic attacks and threats that in the aggregate may significantly impact the United States as a nation.

3) We don’t know how law should deal with State cyber operations.  For starters, we are seeing (just as we have in the terrorism context) claims that lawyers and law are getting in the way; that States need to operate in this new environment without rules. For those of you who’ve not seen it, I recommend this recent exchange between Stewart Baker and Charlie Dunlap on the relative merits (and demerits) of this idea.

Then, even among those willing to concede a role for law and lawyers, there are significant differences of opinion on the relevant legal frameworks.  The US and like-minded States have taken the position that the Law of Armed Conflict (LOAC) can apply in cyberspace; Russia agrees, but insists other new norms must be applied to limit “information” that is destabilizing as well.  For its part though, China says they’re not sure the LOAC has any role to play at all, leaving the issue to law enforcement or organizations like the ITU.

Finally, even on the more specific legal and ethical issues that formed the core of the McCain Conference this year — namely military cyber operations — it seems we’re still trying to figure out how to analogize existing rules into cyberspace.  We’ve been doing that for some time now, but I must say I’m surprised to see how little progress has occurred.  For example, I was struck by how many reasonable people disagreed on the question of whether Stuxnet constituted a use of force or an armed attack.

Which brings me to my last point, and one that was quite contested at this conference — whether there is a gap between a prohibited use of force under UN Charter Article 2(4) and an armed attack sufficient to trigger an Article 51 right of self-defense.  Although I’d always understood that simply because something constituted a use of force, that didn’t mean that it rose to the level of an armed attack for self-defense purposes.  In other words, there is a gap between armed attack and force.  But at least one US government lawyer suggested at this conference that there is no such gap in cyberspace, and that this may even be the official US Government position for cyberspace.  I’d be interested in what readers make of this position, both as to the original kinetic understanding of the relationship between Article 2(4) and 51 and how it translates to cyber.  Simply put, are all uses of force in cyberspace armed attacks?

8 Responses

  1. I think there should be this threshold in the light of which we should decide whether an armed attack has taken place or not!
    If e.g. individuals (like those in hospitals) are being killed or injured after the deliberate silencing of the whole electricity system of a state, then this is surely to be counted as an armed attack!

  2. Response…
    I understand the question to involve choice regarding whether there should be a certain level or force or intensity before one concludes that an “armed attack” on a state or its nationals, etc. has occurred.
    I would keep the level very low, e.g., a few rockets fired across the border by a non-state actor should constitute an “armed attack” by the non-state actor that triggers the inherent right of self-defense in response.
    I also suspect that within the question is a query whether a cyber attack can constitue an “armed” attack.  The dictionaries are helpful in allowing recognition that “armed” can relate to use of a “weapon.”  Use of a cyber weapon might, therefore, be use of “armed.”  Is cyber hacking into CIA files use of a cyber “weapon”?
    Quite clearly, if use of the cyber weapon causes kinetic injury or destruction (not merely hacking into secret files), such as the burning or explosion of an electric transformer, etc., most would conclude that an “armed” attack has occurred.
    And then there are the questions involving responsive measures — of what type? and with the principle of distinction and the principle of proportionality? (I would say yes re: the last two re: any use of art. 51 self-defense responsive force).  Can the U.S. use a missile to target the gradstudents in a Chinese “education” institute who are hacking into CIA files? causing cyber and kinetic attacks on power grids in the U.S.?

  3. Response…
    p.s.  It seems obvious that some uses of force in violation of the third unnumbered portion of Article 2(4) of the Charter (i.e., use of force inconsistent with the purposes of the Charter — e.g., some combination of peace, security, self-determination of peoples, and human rights) will not necessarily constitute an “armed attack” on a member state or its embassies, military, or other nationals abroad.  Perhaps a use of force of the second type (i.e., “against” the “political independence” of a state) will not constitute an armed attack on that state, etc.
    If so, some uses of a cyber weapon may violate 2(4) but not trigger a right of self-defense under 51.

  4. I would not agree with the US government lawyer, for at least two reasons.
    1) Equalising ‘uses of force’ with ‘armed attacks’ clearly runs against the letter of the UN Charter (if we think it applies to cyber attacks, of course).
    2) This opinion is also dangerous, as it might lead to an unnecessary escalation of hostilities through the use of self-defence – exactly what the UN drafters wanted to avoid by creating a gap in the scope of application of Article 2 (4) and Article 51.

    In my view, not only are uses of force different from armed attacks in cyber space, I would also argue that there is a threshold of gravity required for a cyber ‘use of force’ to be a cyber ‘armed attack’ higher than that for kinetic attacks. The fact that Iran did not use self-defence language in relation to the Stuxnet attack seem to suggest just that.

  5. One wonders whether the U.S. lawyer would be so keen to equate any use of force in cyberspace as an armed attack if it was the U.S. that would have had the greatest capability to engage in a cyber space attack. The very reason we are seeing a resort to lowering the threshold of an armed attack here is that the U.S. (and other “like-minded states”) fear that other states, such as China – for example, have better or will have better ability to engage in cyber attacks. If the “cyber-edge” resided with Western powers, it is quite realistic that they would try to heighten, rather than lower, the international law threshold of what constitutes an armed attack in cyber-space!

  6. There seems to me to be a prior question to the question whether a cyber armed attack constitutes the use of force. The prior question, which I am yet to see sufficiently questioned or resolved anywhere is, what is a cyber armed attack? We know with relative certainty what will constitute an ‘armed attack’ in the traditional sense, but what constitutes an armed attack on the cyber plane? E.g. If country A fires rockets at country B, hitting a small village in the process, knocking down a few houses & injuring civilians, then that’s clearly an armed attack. But if individual X in country A performs a DDOS attack on a small hospital/civilian target in country B, potentially causing a loss of life or injuries through a reduction in services available to civilians in country B, is *that* an armed attack?

    In other words, we can’t tell whether a cyber attack constitutes a use of force, until we have some clear idea of what a cyber attack actually is. This is where I also think one has to involve lawyers and legal experts. If we’re trying to use legal language & apply traditional legal concepts to the cyber sphere, then we can’t avoid legalising these issues.

  7. Although I am not 100% convinced that an “armed attack” for purposes of Art. 2(4) is identical in all cases to an “armed attack” that justifies the use of Art. 51 self-defense, I do not think that Iran’s forbearance after Stuxnet tells us anything.  To the extent that Iran was capable of identifying its attacker (the attribution problem remains far and away the most difficult obstacle to creating effective “law” in cyber warfare) through the Stuxnet worm, I think most people would agree that Iran had the right to use kinetic force against that attacker employing its Art. 51 self-defense rights.  Reportedly over 1000 centrifuges were destroyed.  Similar kinetic damage to our research facilities would certainly trigger our right to a response.

  8. Don’t forget that the threshold under art. 2(4) UN Charter is lower than that under art. 51 UN Charter. In other words, a particular cyber attack might breach art. 2(4) but not rise to the threshold of allowing a State to invoke self-defence under art. 51 — so it would have to rely on other remedies.

Trackbacks and Pingbacks

  1. There are no trackbacks or pingbacks associated with this post at this time.