Extending the Law of War to Cyberspace

The possibility of cyber attacks against states, either by rogue hackers or governments, has become a very real threat. It is now commonplace that essential services - such as water, electricity and mass transit - are reliant on computer systems, and therefore vulnerable. This raises the question of whether such attacks could be considered acts of aggression - and if so, are they regulated by the laws of war? Efforts to implement an international agreement regulating 'cyberwar' are undermined by government agendas focused on controlling information, rather than protecting civilians.

By Tom Gjelten

September 22, 2010

First of two parts: Extending the Law of War to Cyberspace

It may come as a surprise to some war victims, but there actually is a body of international law that establishes when and how nations can legally engage in armed conflict.

Various treaties and the United Nations Charter and the Hague and Geneva conventions are able to draw official distinctions between victims and aggressors. They serve as guidelines that, when honored, provide some protection to civilians. Professional militaries train with the rules of war in mind, recognizing that abiding by them works to their benefit as much as to the enemy's.

It is no surprise, then, that many legal experts, diplomats and military commanders around the world are now debating how to extend the law of war to cyberspace. The emergence of electronic and cyberwar-fighting capabilities is the most important military development in decades, but it is not yet clear how existing treaties and conventions might apply in this new domain of conflict.

Uncertainty about the legal and ethical limits of state behavior in cyberspace could have disastrous consequences.

"If nations don't know what the rules are, all sorts of accidental problems might arise," says Harvard law professor Jack Goldsmith. "One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war."

Under the U.N. Charter, states have the right to go to war if they come under an "armed attack" from another state. But there is no consensus yet on what that right means in the event of an attack on a country's computer networks.

One important consideration is whether the attack is the work of a lone hacker, a criminal group or a government. The law of war applies primarily to conflict between states, so truly rogue actions would not normally be covered.

The purpose of the activity is also relevant. Michael Hayden, having directed both the National Security Agency and the CIA, would not classify as an attack an effort by one country to break into another country's computer system to steal information or plans.


Cyberwar Or Simply Espionage?

"We don't call that an attack," Hayden said at a recent conference on hacking. "We don't call that cyberwar. That's exploitation. That's espionage. States do that all the time."

Cyberwar, Hayden and others argue, involves a deliberate attempt to disable or destroy another country's computer networks. But how much damage must be done before a cyber operation could be considered an act of war under the U.N. Charter - and thus justify the use of force in response?

"We don't know when or if a cyberattack rises to the level of an 'armed attack,' " says Daniel Ryan, who teaches cyber law and the law of war at the U.S. military's National Defense University.

International law is also somewhat unclear when it comes to how states could use cyberweapons in wartime. The Hague and Geneva conventions require militaries to minimize the damage to civilians in wartime. So in a cyber conflict, military targets would presumably have to be distinguished from civilian targets, with civilian computer networks off limits.

"A direct attack on a civilian infrastructure that caused damage, even loss of life of civilians, would, I think, be a war crime," Ryan says.

The civilian computer infrastructure would include the networks that control an air traffic control system or a water supply, for example. But distinguishing civilian and military cybertargets is not necessarily so simple.


Private Networks

"Computers don't always have signs over them that say, 'I'm a military target' [or] 'I'm a civilian target,' " says Harvard's Goldsmith. "Also, the two things are intermixed. Ninety to 95 percent of U.S. military and intelligence communications travel over private networks."

One danger is that an attacking military may set out to hit a military target but then hurt civilians in the process. This could happen if the attack is disproportionate to the military objective.

The law of war requires "proportionality." You can't level a city to destroy a single military unit located there. In the cyberworld, this rule means you couldn't plan a massive computer attack, even on a military network, without regard for the civilian computer networks that would be affected by that attack.

But with computer networks so highly interlinked, it will be harder to adhere to the proportionality rule in a cyber conflict than in a conventional war.

"The U.S. government, when they're dropping a bomb, they have all sorts of computer algorithms and studies that they use to show exactly what the consequences are going to be from dropping this bomb from this angle on this building," Goldsmith says. "Those consequential analyses are much harder in cyberspace, and so it's hard to apply the proportionality test."

Given all the indirect effects that might flow from a cyberattack, cyberwar planners could easily be confounded by the legal considerations.


Looking For The 'Right Answer'

"Since we can't predict what the unintended consequences of the use of cyber might be, that would say, you can't attack at all in cyberspace," Ryan says. "That can't possibly be the right answer."

To Ryan, the "right answer" is that commanders should have to consider those effects of a cyberattack they are able to consider, but not those consequences that can't be anticipated.

Former CIA Director Hayden, a retired Air Force general, suggests using common sense. One example of an attack that should be illegal, he says, would be the insertion of damaging software into an electrical grid.

"Overall, finance is so dependent upon investor confidence that cyberpenetration of any electrical grid, for whatever transient advantage it might create for the aggressor state, is so harmful to the international financial system that we should just all agree: These are like chemical weapons; we're just not going to use them," Hayden said in July.

Yet another troublesome issue is how the rules of war could be enforced in cyberspace. Skeptics point out that even if governments could agree on what is illegal, it wouldn't necessarily mean they would honor those agreements.

"It is a near certainty that the United States will scrupulously obey whatever is written down, and it is almost as certain that no one else will," says Stewart Baker, a former NSA general counsel and an assistant secretary of homeland security under President George W. Bush.


'No One Is Going To Get Caught'

If anything, it would be harder to enforce the law of war in the cyberworld than in other domains of warfighting. The amount of anonymity in cyberspace means that a devastating attack might leave no "signature" or trace of its origin.

"Since we know that that's going to happen all the time," Baker says, "and no one is going to get caught, to say that [a cyberattack] is a violation of the law of war, is simply to make the law of war irrelevant."

But whether war crimes are prosecuted or not, military commanders like to know the rules under which they are supposed to fight. "There is a great deal of discussion going on right now about this," says Daniel Ryan, whose students at the National Defense University include senior U.S. military and government officials.

Discussion of the legal and ethical issues around cyberwar is also a popular and controversial subject at the United Nations; the upcoming session of the U.N. General Assembly is likely to feature renewed debate over the issue.


Second of two parts: Seeing the Internet as an 'Information Weapon'

The United States and other world powers have agreed to arms control measures in recent years that limit the deployment and use of nuclear, biological and chemical weapons, as well as tanks and other artillery pieces.

So why is there no arms control measure that would apply to the use of cyberweapons?

It is not for lack of attention to the issue. Government and military leaders around the world have warned that the next world war is likely to be fought at least partly in cyberspace, and cyber "disarmament" discussions have been under way at the United Nations for more than a decade and more recently at the International Telecommunications Union, the leading U.N. agency for information technology issues.

The problem is that governments have widely varying ideas of what constitutes a "cyberweapon" - and what a "cyberwar" might look like.

Advanced industrial democracies are likely to see a cyberattack as an assault on the computer infrastructure that underlies power, telecommunications, transportation and financial systems.

But many developing countries see cyberwar in political terms.

The Russian government, the leading advocate for a cyber-arms-control agreement, prefers the term "information war" and describes the threat in terms that make cyber conflict sound like a battle of ideas.

Each year since 1998, Russia has introduced a resolution at the United Nations calling for an international agreement to combat what it calls "information terrorism." Russian leaders worry that the Internet makes it so easy for people to communicate that a government could use the Internet to challenge another country's political system. Some Russian diplomats have actually revived an old Soviet term - "ideological aggression" - to describe what governments could do to each other via the Internet.

At a U.N. disarmament conference in 2008, Sergei Korotkov of the Russian Defense Ministry argued that anytime a government promotes ideas on the Internet with the goal of subverting another country's government - even in the name of democratic reform - it should qualify as "aggression." And that, in turn, would make it illegal under the U.N. Charter.

"Practically any information operation conducted by a state or a number of states against another state would be qualified as an interference into internal affairs," Korotkov said through an interpreter. "So any good cause, like [the] promotion of democracy, cannot be used as a justification for such actions."

The United States has consistently opposed efforts to limit Internet communication, but the Russians are not alone in their interpretation of the "information" threat. James Lewis, who has advised the U.N. Institute for Disarmament Research, says he's heard similar views from several governments.

"The thing that really unites them is their desire to control information, to control content," Lewis says. "They see information as a weapon. An official from one of those countries told me [that] Twitter is an American plot to destabilize foreign governments. That's what they think. And so they're asking, 'How do we get laws that control the information weapon?' "

Last year, Russia successfully sponsored an even sharper version of its cyber disarmament proposal at a summit of the Shanghai Cooperation Organization, which includes China and four Central Asian countries as well as Russia. The accord defined "information war," in part, as an effort by a state to undermine another's "political, economic, and social systems."

Using the term "mass psychologic [sic] brainwashing," the agreement said that the dissemination of information "harmful to the spiritual, moral and cultural spheres of other states" should be considered a "security threat."

U.S. diplomats suspect the Russians view the Shanghai accord as a blueprint for the kind of cyber disarmament agreement they would like to see approved at the U.N.

Given the open nature of the Internet, the implementation of content controls in the name of cyberpeace may require some changes in the way the Internet is governed.

In recent months, the debate over Internet governance and cyber-arms control has moved to the International Telecommunications Union. The ITU secretary-general, Hamadoun Toure, has even suggested that his organization could "broker" a cyber disarmament accord.

"My dream is to have a cyberpeace treaty," Toure said in London earlier this month.

U.S. officials are wary of Toure's agenda, in part because he has linked his cyber disarmament ideas to proposals for restructuring Internet governance in ways that would boost government controls. But his ideas have considerable support in the developing world.

"India feels this way. Brazil feels this way. China feels this way," says Lewis, who directs the Technology and Public Policy program at the Center for Strategic and International Studies. "They want a bigger role for government on the Internet."

Harvard law professor Jack Goldsmith, author of Who Controls the Internet, sees a parallel between broad geopolitical trends and the changing international lineup on cyber governance. Just as emerging economic powers are redefining the global economy, he says, those same countries are also trying to influence the Internet.

"How could it be any other way?" Goldsmith says. "[The Internet] is a hugely important [and] consequential political, social and economic tool. And powerful nations are going to try to wield it and shape it to reflect their interests. The network will increasingly, I fear, look like what they want it to look like."

The desire of many countries to see more regulation in cyberspace has prompted the Obama administration to work with Russia and other governments to establish some norms of "appropriate government behavior" in cyberspace.

But the United States would not support information controls - and continuing disagreements over the definition of cyberweapons are likely to complicate any effort to reach international agreement on a broad cyber disarmament accord.