The state of cyber warfare law

As yet, there is no specific convention or treaty to regulate cyber warfare and seriously address its unique characteristics.

Cyber warfare 370 (photo credit: Rick Wilking/Reuters)
Cyber warfare 370
(photo credit: Rick Wilking/Reuters)
Cyber warfare is a perplexing problem for nations, for theorists and for military lawyers. It is hotly debated how existing principles of the law of armed conflict should apply to the relatively new phenomenon.
Some think the best solution would be a new international convention on cyber crime and warfare, but many commentators think this is unlikely to happen.
Last month, The Jerusalem Post reported that the IDF’s Information Security Branch had identified an increase in attempts by foreign hostile intelligence entities to listen in on army communications and gain access to military computers.
The increased threat includes a major attempt to eavesdrop on cellphones used by the IDF, as well as hacking attacks directed at army computer networks.
Sources from the Information Security Branch did not name who specifically was behind the efforts, but said they expected the stepped-up threat to continue into 2013.
A few weeks ago, The New York Times cited US security officials as saying that Iran was behind a string of online attacks against American banks. The officials said the denial-of-service attacks on the banks were sophisticated and beyond the scope of amateurs.
All of this (some have called it “payback”) follows general acknowledgement by the US and Israel over the last year or so that they have utilized offensive cyber warfare tactics against adversaries such as Iran.
Now that the US and Israel are “out of the closet” and are experiencing more aggressive attacks as well, it is worth revisiting to what extent there are any legal norms regarding the issue.
Most leading commentators agree that the law of armed conflict applies, but there is hot debate, based on the unique nature of cyber warfare, as to whether to apply the law narrowly or broadly.
One school of thought proposed by leading law of armed conflict expert Prof. Michael Schmitt, among others, says that cyber warfare and operations are only considered an “attack” under Protocol I to the Geneva Conventions if physical harm results from the cyber operation.
Under this concept, it might be that none of the above examples – sabotage of Iran’s nuclear program or spying and sabotage of US and Israel’s militaries and US banks – are considered “attacks” under the law of armed conflict.
Cyber operations might cause significant technological inconvenience and defacement of websites; they might be considered a form of psychological pressure and might be prosecutable under domestic criminal law if a perpetrator could be arrested. But none of those descriptions imply physical harm under the laws of armed conflict.
Under an alternate school of thought promoted by Dr. Knut Dormann of the International Red Cross’s legal division, many of the above incidents could be categorized as “attacks.”
The alternate concept states that damage, destruction and death are not minimum result requirements for an “attack.”
Rather, any operation which targets civilians or civilian objects would qualify as an “attack,” regardless of the result.
The advantages of the second approach are that it covers some of the severe nonphysical harm that cyber operations can cause and addresses concerns that the first approach is too narrow.
On the other hand, the first approach is often viewed as more realistic in terms of “state practice” – what states actually do and will even consider limiting themselves to.
In other words, most states, including the US, Israel and many others, currently view interference and disruption of broadcasts, websites and other electronic media, which can also impact civilians, as a crucial part of psychological operations and gaining the element of surprise over an adversary.
But all of the above debate is just attempts at applying general principles of the law of armed conflict that apply to land, sea and air warfare, land mines, chemical weapons and all forms of warfare to cyber operations.
The above debate does not delve into creating a specific convention or treaty to regulate cyber warfare and seriously address its unique characteristics.
For example, chemical and nuclear weapons, when they came on the scene in many areas, uprooted all traditional notions of the law of armed conflict because of their unique characteristics, such as that their use can eliminate the question of what responses are permitted as they can potentially eliminate a party and its ability to respond.
Cyber warfare poses at least as much confusion.
For example, even as intelligence agencies and states publicize their conclusions about who hit them with a cyber operation, it could be nearly impossible to prove who perpetrated a cyber operation to a criminal standard of beyond a reasonable doubt.
Even if it is possible to pinpoint a country, as Georgia pinpointed Russia for a wave of attacks in 2008, the state can deny any sanctioned state involvement and claim (possibly even truthfully) that the operations were initiated by a group of vigilantes.
Who cares what the law is if a perpetrator can’t be traced? There have been some limited initial efforts at a cybercrime convention that would address criminal cyber issues as well as some cyber warfare issues.
The Council of Europe ratified a Cybercrime Convention in 2001. But this convention was only ratified by two-thirds of European states (not including the UK, Poland and many others) and the US.
Separately, Russia, China and a small number of Asian countries under the Shanghai Cooperation Organization (SCO) have ratified the International Information Security Agreement.
The disparity in how the two agreements treat the issues and the interests of the major nations behind them make it unlikely that there will be any agreements between East and the West in the near future.
For example, the SCO agreement lists as major threats the “dominant position in the information space” of Western nations and the “dissemination of information harmful to the socio-political systems, spiritual, moral and cultural environment” of the Asian states.
Many commentators view recent Western proposals, such as that of past US government terrorism and cyber warfare experts Richard Clarke and Robert Knake, to regulate attacks on civilians without banning cyber operations against military targets or for espionage purposes as dead-on-arrival for nations like China, Iran or North Korea – the countries Western nations care about regulating the most.
Clarke and Knake propose a ban on cyber operations against banks. In theory, no country should oppose such a ban, as every nation would like its own banks to be more secure.
But that isn’t how the interests appear to line up.
The US, for example, does not attack banks and loses nothing by promising not to.
But experts say that China is committed to deploying cyber agents inside the critical infrastructure of the US and other nations, including banks, to make up for its relative weakness in military capabilities.
Some non-democratic nations, like China, also have better security over their banks than some Western nations do.
In the same vein, Iran or North Korea might want to maintain the threat of shutting down the US or Israel’s electricity grid or some other crucial aspect of infrastructure to preserve an asymmetrical threat and response in the face of US and Israeli superiority in other areas.
It is also worth noting that many key nations have either not ratified the Nuclear Non-Proliferation treaty or ratified it, but flout its provisions openly. One such nation is Iran.
So even as US and Israeli cyber attacks on Iran and others, and attacks against Israel and other Western nations, get more aggressive, it is unlikely that a major convention will get off the ground to regulate the issue.
A separate initiative is for different militaries’ legal teams to quietly put together some agreed-upon customary or suggested standards to try to start better regulating cyber warfare.
In the meantime, until some of the key nations get hit with a cyber attack that they view as too costly, aggressive competition with some self-limiting by general principles of the law of armed conflict is probably as far as international law will go in terms of regulating cyber warfare.