Technology, relationships between nations, and the abilities of non-state actors to affect the international stage, are all changing rapidly and are considered a double-edged sword. While war is not a new topic, the battleground is moving from a physical location to a visual one. Future wars will be through the use of cyber force; remotely fighting our enemies through the use of a new class of weapons, including computer viruses and programs to damage machinery, shut down important operations, control remote weapons (nuclear weapons) or use it against the state itself, shutting down power in entire nations and holding them hostage, etc. According to Jeffrey Carr (cyber security analyst and expert), author of “Inside Cyber Warfare,” any state can wage cyberwar on any other state, irrespective of resources, because most military forces are network-centric and connected to the Internet, which is not secure. For the same reason, non-governmental groups and individuals could also launch cyber warfare attacks. Carr likens the Internet’s enabling potential to that of the handgun, which became known as “the great equalizer.” The world has, already, witnessed many cases of cyber attacks in the recent years; Wikileaks, Estonian case, Russian-Georgian war, the hacking of South Korean government and the company of Sony by North Korea, and finally, Anonymous (the group).
by Daniel Garrie
Cyberwarfare is unique in that it is not covered by any existing legal framework and it often inspires more questions than we are yet capable of answering. Since the establishment of the UN and according to customary international law, wars of aggression and the use of force between states have been prohibited. The main question raised here is the legality of using cyber force, and if it rises to level of an “armed attack”. We will be reconciling the UN Charter as a source of jus ad bellum.
There are some efforts to regulate the use of cyber force. For example, following the Russian cyber attacks, in 2007, using over a million computers to bring down Estonian government, business and media websites across the country through the use of “botnets”, NATO established the Cooperative Cyber Defence Centre of Excellence (May 2008) in Tallinn. An important point to make is that interstate computer attacks are regulated by international law, while cyber crimes (done by private entities) are a matter of domestic criminal law and law enforcement. However, the European Cybercrime Convention is trying to form a common policy on cyber crime on an intergovernmental level.
Article 2(4) of the UN Charter states that “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” But, do cyber operations constitute an exercise of “force” in order to be prohibited? “Force”, interpreted in good faith, will include both armed and unarmed forms of coercion. Moreover, according to the International Court of Justice, “any [illegal] use of force, regardless of the weapons employed” is prohibited. Cyber operations are able to cause the destruction of objects and infrastructure, which can cause different types of damage to persons (death or injuries). For example, shutting down power grids in a country will cause the inability of hospitals to function, therefore the deaths of thousands of people. But, what about cyber operations that do not cause destruction, death or injury, at least not directly?
Article 41 under chapter VII of the UN Charter mentions that the Security Council may authorize measures that “.. may include complete or partial interruption of […] means of communication ..” without involving the use of armed force. Therefore, by analyzing this article, we can see that the UN Charter divides force into three types: armed, economic, and political. The use of any one of them is a violation of international law and the principle of non-intervention. However, only force of an armed nature can violate the norm expressed in article 2(4), which constitutes a use of force in the “technical” sense. Taking into consideration that, especially Western countries did not approve adding the other types of force when the issue was raised in the General Assembly mainly by African and Asian states.
Another kind of interpretation is that under the law, acts are qualified according to the type of tool that is used (armed, economic, political) not its consequences. The jus ad bellum remains silent on the issue of armed force and authorized weapons. But, scholars define armed force to consist of two elements, military and physical. Article 2(4) is not keeping pace with rapid rate of technology and new forms of warfare. But, in 2009, Defense Secretary Gates ordered the creation of US Cyber Command, which supports the argument of computers becoming a “weapon”. Then, moving to the “physical” part, it is argued that it does not need to be “literally” physically harmful. For example, interstate computer network exploitation for purposes of intelligence gathering, or intrusion into archives, documents and correspondence of a foreign diplomatic mission are all acts violating international law. Thus, the requirement of physical force could be fulfilled by observing the consequences caused by the act; whether it is harmful to human beings or property. In addition, the use of force is illegal under article 2(4) and the threat to use it is also illegal. Because cases are not always clear to be defined as armed force, economic or political coercion and their consequences, Professor Michael N. Schmitt proposed a number of criteria, which if met by a cyber operation could amount to armed force under the article 2(4). Those requirements are: 1) severity (physical injury or destruction)
2) immediacy (high degree of immediacy of consequences)
3) directness (consequences closely linked to the act of force)
4) invasiveness (high level of intrusion on the rights of the targeted state)
5) measurability (consequences easily ascertainable)
6) presumptive legitimacy (presumption of impermissibility until proof of self-defense)
Schmitt’s model is the clearest way of addressing the legality of cyber attacks under the jus ad bellum, however it is still not perfect. Meaning that some cyber operations would not fulfill all the requirements of the criteria, etc.
Moving on to article 51 of the UN Charter that states “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. (…)”. Cyber attacks must, first, be considered an armed attack, if they do, then the state has the right to self-defense under article 51. Because a “normal” attack can be a violation of 2(4) without creating a right to self-defense. One argument claims that if a cyber attack targets and damages critical infrastructure that would justify self-defense. However, states can abuse this theory because they have the full power of determining “critical infrastructure”.
This case is a very hard one, the use of cyber force remains in the grey area; it can be argued both ways whether it falls under articles 2(4) and 51 or not. From a different point of view, computer attacks could be very destructive in different ways. However, they are not as destructive as military armed attacks; they cause less loss of life and infrastructure. So, is it a smart move to not directly integrate it under international law as an armed force and just deal with each case on its own?
Cyber force is still an illegal intervention because it violates article 2(7) of the UN Charter. A treaty tackling the issue could be a logical solution to all parties. Legislators and jurists often lack a firm grasp of the technology, yet we are relying upon them to develop the legal framework. Part of the challenge with creating laws around cyber warfare is getting leaders from around the world to agree on the laws. Governments around the globe have started focusing on establishing and training special groups to focus on cyber warfare. Anatoly Kapustin “President of the Russian Association of International Law” says, “Legal norms in cyberspace are not currently applied as much as they should be. Which affect the interests of individuals, states. […] States try to resolve this through national legislation. But internationally, this is still quite a challenging task”. Some believe that a unified approach is unlikely to happen without a wake-up call by a crucial event.