Inside Cyber Warfare

Jeffrey Carr

Part 8

Report Chapter

Determining whether a state is acting as a sanctuary state is extremely fact-dependent. When considering this question, victim-states must look at a host-state's criminal laws, law enforcement practices, and track record of cooperation with the victim-states of cyber attacks that originate from within its borders. In effect, host-states will be judged on their efforts to catch and prosecute attackers who have committed cyber attacks, which is probably the only way that states can deter and prevent future attacks. Since victim-states will end up judging whether a host-state has lived up to its international duties, host-states must cooperate with victim-states to ensure transparency. Cooperation will necessarily entail a host-state showing its criminal investigations to a victim-state so that victim-states can correctly judge host-state action.

Furthermore, when a host-state lacks the technical capacity to track down attackers, international law should require it to work together with law enforcement officials from the victim-state to jointly track them down.[34] These two measures will prevent host-states from being perceived as uncooperative and complicit in the use of their networks for attacks against other states. States that deny involvement in a cyber attack but refuse to open their investigative records to the victim-state cannot expect to be treated as living up to its international duties. In effect, host-states that refuse to cooperate with victim-states are stating their unwillingness to prevent cyber attacks and have declared themselves as sanctuary states.

Once a host-state demonstrates that it is a sanctuary state through its inaction, other states can impute responsibility to it. At that point, the host-state becomes liable for the cyber attack that triggered an initial call for investigation, as well as for all future cyber attacks originating from it. This opens the door for a victim-state to use active defenses against the computer servers in that state during a cyber attack.

[14] For instance, under an instrument-based approach, a cyber attack used to shut down a power grid is an armed attack. This is because shutting down a power grid typically required dropping a bomb on a power station or some other kinetic use of force to incapacitate the grid. Since conventional munitions were previously required to achieve the result, under the instrument-based approach the cyber attack is therefore treated the same way.

[15] For instance, under an effects-based approach, a cyber attack that manipulated information across a state's banking and financial inst.i.tutions to seriously disrupt commerce in the state is an armed attack. Although the manipulation of information does not resemble a kinetic attack, as required under an instrument-based approach, the disruptive effects that the attack had on the state's economy is a severe enough overall consequence that it warrants treatment as an armed attack.

[16] It is important to note that this third a.n.a.lytical model for dealing with cyber attacks is intended to justify antic.i.p.atory self-defense before any harm actually results. Walter Gary Sharp Sr. proposed this model due to the speed with which a computer penetration can transition into a destructive attack against defense critical infrastructure. His reasoning is that once a penetration has occurred, an imminent threat exists with the ability to cause harm of extreme scope, duration, and intensity, thereby justifying antic.i.p.atory self-defense. See Walter Gary Sharp Sr. 1999. Cybers.p.a.ce and the Use of Force. Ageis Research Corp. 12931.

[17] For instance, a cyber attack might shut down a system, rendering it inoperable for some time, or a cyber attack might cause an explosion at a chemical plant by tampering with the computers that control the feed mixture rates. The results of those attacks mirror the results of conventional armed attacks, previously only achievable through kinetic force, thus satisfying the instrument-based approach.Unfortunately, cyber attacks can also cause extreme harm that does not mirror the results of conventional armed attacks. For instance, coordinated cyber attacks could bring financial markets to their knees without ever employing anything that looked remotely like a kinetic attack, or altered data on a ma.s.sive scale could disrupt banking, financial transactions, and the general underpinnings of the economy, sowing confusion throughout the victim-state for some time. Under an effects-based approach, the scope, duration, and intensity of this attack would equate to an armed attack, despite the fact that it was not previously achievable only through kinetic force.

[18] The proponents of a strict liability approach advocate automatically responding to cyber attacks on critical infrastructure with active defenses. However, automatically responding to cyber attacks in this manner can easily lead a victim-state to counter-attack a state with a long history of doing everything within its power to prevent cyber attacks and prosecute its attackers. Were a victim-state to respond with active defenses against a nonsanctuary state, it would violate jus ad bellum. This is because there is no way to impute state responsibility to such a state, directly or indirectly, even though the cyber attack may const.i.tute an armed attack.

[19] Schmitt, M. 1999. "Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework." Columbia Journal of Transnational Law 37: 885, 91315.

[20] But there is no doubt that some cyber attacks will qualify as armed attacks, and should be dealt with using self-defense and antic.i.p.atory self-defense legal principles as a justification for using active defenses.Some will undoubtedly critique this conclusion. However, those who argue do miss the way that states have cla.s.sified unconventional attacks in the past. New attack methods frequently fall outside the accepted definitions of armed attacks. This does not mean that the attacks are not armed attacks, merely that the attacks don't fit traditional cla.s.sifications. Furthermore, anyone who argues that cyber attacks cannot rise to the level of armed attacks misses an important facet of international law-reprisals, which can be used as an alternate basis to authorize active defenses against cyber attacks. This is because at a minimum, cyber attacks are an illegal use of force, and their use would then allow states to use another illegal use of force, short of armed force, to deter sanctuary states from allowing attackers to commit them.

[21] Council of Europe, Convention on Cybercrime, opened for signature Nov. 23, 2001, 41 I.L.M. 282 (hereinafter Convention on Cybercrime).

[22] Customary international law does not require state practice to be universal, and general practices can satisfy the requirements of customary international law. The test for when state practices become customary international law is when the practice is extensive and representative of rules that states feel bound to follow. Within this framework, there is a doctrine for states whose interests are especially affected by a rule, and their practices carry more weight in contributing to customary international law than other states. See North Sea Continental Shelf (F.R.G. v. Den.; F.R.G. v. Neth.), 1969 I.C.J 3, 43 (Feb. 20).To date, 26 states have ratified the Convention on Cybercrime, the majority of which are major western powers, three of which hold permanent Security Council seats, and five of which place among the twenty states with the most Internet users in the world-France, Germany, Italy, the United Kingdom, and the United States. Together, these five states combine for 25 percent of the Internet users in the world. Furthermore, while not yet parties to the treaty, Canada, j.a.pan, Spain, and Poland are all signatories to it, and are expected to ratify it soon. These four states are among the remaining twenty states with the most Internet users in the world, and their ratification would greatly move state practice to the standards set forth in the convention. See Council of Europe, Convention on Cybercrime, Chart of Signatures and Ratifications, (listing the 46 signatories and 26 parties to the Convention on Cybercrime; last visited Sept. 2, 2009) and Top 20 Countries with the Highest Number of Internet Users, (last visited Sept. 2, 2009).

[23] The Convention on Cybercrime requires parties to it to establish criminal offenses for almost every conceivable type of cyber attack under their domestic laws. See Convention on Cybercrime, supra note 19, arts. 211, at 28487. It also recognizes the importance of prosecuting attackers, and requires states to extend their jurisdiction to cover all cyber attacks conducted from within their territory or conducted by their citizens, regardless of their location at the time of attack. See id. art. 22, at 29192. Finally, the convention recognizes the importance of state cooperation, and requires states to provide "mutual a.s.sistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences." See id. arts. 2325, at 29293.

[24] These treaties include the 1963 Tokyo Convention on Offences and Certain Other Acts Committed on Board Aircraft, the 1970 Hague Convention for the Suppression of Unlawful Seizure of Aircraft, the 1971 Montreal Convention for the Suppression of Unlawful Acts Against the Safety of Civil Aviation, the 1979 International Convention Against the Taking of Hostages, the 1988 Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation, the 1988 Montreal Protocol on the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation, the 1997 International Convention for the Suppression of Terrorist Bombings, the 1999 International Convention for the Suppression of the Financing of Terrorism, and the 2005 International Convention for the Suppression of Acts of Nuclear Terrorism.

[25] 1970 Declaration on Friendly Relations, G.A. Res. 2625, 1, UN GAOR, 25th Sess., Annex, Agenda Item 85, UN Doc. A/Res/2625 (Oct. 24, 1970); 2000 Vienna Declaration on Crime and Justice: Meeting the Challenges of the Twenty-First Century, G.A. Res. 55/59, Annex, 18, UN Doc. A/RES/55/59/Annex (Jan.17, 2001); 2001 Articles on the Responsibility of States for Internationally Wrongful Acts, UN Doc. A/CN.4/L.602/Rev. 1 (2001).

[26] G.A. Res. 2625, supra note 23, 1; Secretary-General, Report of the High-Panel on Threats, Challenges and Change, 17, 24, delivered to the General a.s.sembly, UN Doc A/59/565 (Dec. 2, 2004).

[27] G.A. Res. 45/121, 3, UN Doc. A/RES/45/121 (Dec. 14, 1990); G.A. Res. 55/63, 1, UN Doc. A/RES/55/63 (Jan. 22, 2001); see also Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27Sept. 7, 1990, report prepared by the Secretariat, at 14043, UN Doc. A/CONF.144/28/Rev.1 (1991).

[28] G.A. Res. 55/63, supra note 25, 1.

[29] G.A. Res. 45/121, supra note 25, 3 (embracing the principles adopted by the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, and inviting states to follow them); G.A. Res. 55/63, supra note 25, 1; see also Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27Sept. 7, 1990, report prepared by the Secretariat, at 14043, UNUN Doc. A/CONF.144/28/Rev.1 (1991).

[30] The White House, The National Strategy to Secure Cybers.p.a.ce (2003); Convention on Cybercrime, supra note 19; Huw Jones, Estonia Calls for EU Law to Combat cyber attacks, Reuters, Mar. 12, 2008, (reporting Estonia's call to fight cyber attacks as a threat to international peace and security); G.A. Res. 53/70, UNUN Doc. A/RES/53/70 (Jan. 4, 1999); G.A. Res. 54/49, 2, UN Doc. A/RES/54/49 (Dec. 23, 1999); G.A. Res. 55/28, UN Doc. A/RES/55/28 (Dec. 20, 2000); G.A. Res. 56/19, UN Doc. A/RES/56/19 (Jan. 7, 2002); G.A. Res. 56/121, UN Doc. A/RES/56/121 (Jan. 23, 2002); G.A. Res. 57/53, UN Doc. A/RES/57/53 (Dec. 30, 2002); G.A. Res. 57/239, 15, UN Doc. A/RES/57/239 (Jan. 31, 2003); G.A. Res. 58/32, UN Doc. A/RES/58/32 (Dec. 18, 2003); G.A. Res. 58/199, 16, UN Doc. A/RES/58/199 (Jan. 30, 2004); G.A. Res. 59/61, UN Doc. A/RES/59/61 (Dec. 16, 2004); G.A. Res. 59/220, 4, UN Doc. A/RES/59/220 (Feb. 11, 2005); G.A. Res. 60/45, UN Doc. A/RES/60/45 (Jan. 6, 2006); G.A. Res. 60/252, 8, UN Doc. A/RES/60/252 (Apr. 27, 2006); G.A. Res. 61/54, UN Doc. A/RES/61/54 (Dec. 19, 2006).

[31] Tellini case, 4 League of Nations O.J. 524 (1924).

[32] S.S. Lotus (Fr. v. Turk.) 1927 P.C.I.J. (ser. A) No. 10, at 4, 88 (Moore, J., dissenting).

[33] Corfu Channel Case (Merits), 1949 I.C.J. 4, 22 (Apr. 9).

[34] This position is supported by numerous UN General a.s.sembly Resolutions, the European Convention on Cybercrime, and other UN doc.u.ments, which all urge states to cooperate in investigating and prosecuting the criminal misuse of information technologies. See supra notes 24, 27 and accompanying text; United Nations Manual on the Prevention and Control of Computer Related Crime, 26873 (1995).

The Choice to Use Active Defenses.

Although this chapter urges states to use active defenses to protect their computer networks, states that choose to use them will find themselves confronted with difficult legal decisions as a result of the limits of technology. Technological limitations will place states in a position where a timely decision to use active defenses requires states to decide to use them with imperfect knowledge. Since forcible responses to cyber attacks must comply with both areas of the law of war-jus ad bellum and jus in bello-the decision to use active defenses raises several other questions of law resulting from these technical limitations. From a practical standpoint, this will affect state decision-making at the highest and lowest levels of government. State policymakers will need to account for these limitations when setting policy, whereas state system administrators will need to account for these limitations when responding to actual cyber attacks.

This section a.n.a.lyzes these issues. First, it addresses the technological limitations that are likely to affect state jus ad bellum a.n.a.lysis. Next, it moves on to jus in bello issues. Jus in bello a.n.a.lysis will begin with the decision to use force, a.n.a.lyzing why active defenses are the most appropriate forceful responses to cyber attacks. Finally, jus in bello a.n.a.lysis will conclude with the impact that technological limitations are likely to have on state decisions to use force. Once this is complete, it will be clear that active defenses are a viable way for states to protect themselves, despite the fact that technological limitations will complicate state decision-making.

Technological Limitations and Jus ad Bellum a.n.a.lysis.

While cyber attack a.n.a.lysis is greatly simplified by looking at whether a state of origin has violated its duty to prevent, rather than having to attribute an attack, states are still likely to find cyber attacks difficult to deal with in practice. Jus ad bellum requires states to carefully a.n.a.lyze a cyber attack and ensure that (1) the attack const.i.tutes an armed attack or imminent armed attack; and (2) the attack originates from a sanctuary state. Both of these conditions must exist before a state can lawfully respond with active defenses under jus ad bellum.

Cyber attack a.n.a.lysis will be conducted by system administrators, whose position puts them at the forefront of computer defense. System administrators can use various computer programs to facilitate their a.n.a.lysis. Automated detection and warning programs can help detect intrusions, cla.s.sify attacks, and flag intrusions for administrator action. Automated or administrator-operated trace programs can trace attacks back to their point of origin. These programs can help system administrators cla.s.sify cyber attacks as armed attacks or lesser uses of force and evaluate whether attacks originate from a state previously declared a sanctuary state. When attacks meet the appropriate legal thresholds, system administrators may use active defenses to protect their networks.

Unfortunately, technological limitations on attack detection, attack cla.s.sification, and attack traces are likely to further complicate state decision-making during cyber attack a.n.a.lysis. Ideally, attacks would be easy to detect, cla.s.sify, and trace. Unfortunately, this is not the case. This section a.n.a.lyzes the technological limits of these programs and explores their likely impact on state decision makers and system administrators.

Limitations on attack detection.

Early detection and warning programs can help catch cyber attacks before they reach their culminating point, but even the best programs are unable to detect all cyber attacks. As a result, cyber attacks are bound to harm states. From a legal perspective, the failure to catch an attack until after its completion has both an upside and a downside. On the upside, states would gain the luxury of time to evaluate an attack, since the threat of danger will have already pa.s.sed. On the downside, tracing an attack back to its source becomes more difficult the further removed the trace becomes from the time of attack.

Furthermore, even when it turns out that an armed cyber attack originates from a sanctuary state, state policymakers would need to think long and hard about using active defenses as a matter of policy. The longer it takes to detect an attack, the less compelling the need for states to use active defenses, especially when the attack seems truly complete. On the other hand, when an attack that has reached completion is seen as part of a series of ongoing attacks, the need to use active defenses to deter future attacks is more compelling.

*** You are reading on ***

Limitations on attack cla.s.sification.

Technological limitations and jus in bello a.n.a.lysis.

Unfortunately, despite the increased security that active defenses provide, using them is not without legal risk. Technological limitations may prevent states from conducting the surgical strikes envisioned with active defenses. The more an attacker routes his attack through intermediary systems, the more difficult it is to trace.

Furthermore, complex traces take time, which is not always available during a moment of crisis. Adding to these difficulties, trace programs often have problems pinpointing the source of an attack once an attacker terminates his electronic connection. Sometimes these difficulties will simply result in a failure to identify the source of an attack; other times it may result in the incorrect identification of an intermediary system as the source of an attack. Even when the source of an attack is correctly identified, the victim-state's system administrator must map out the attacking computer system to distinguish its functions and the likely consequences that will result from shutting it down. However, system mapping takes time, often more time than a state has to make an informed decision. Sometimes an administrator will be able to map a system quickly, allowing states to make informed decisions about likely collateral damage. But other times a state will be forced to predict the likely consequences of using active defenses without having fully mapped a system. As a result, any state that employs active defenses runs the risk of accidentally targeting innocent systems and causing unintended, excessive collateral damage.

To ensure the lawful use of active defenses in accordance with the principles of distinction and proportionality, states must try to mitigate these risks. In the realm of active defenses, this means doing everything feasible to identify (1) the computer system that launched the initial attack and (2) the probable collateral damage that will result from using active defenses against that system. Once a state does everything feasible to ensure it has the right information and acts in good faith in accordance with jus in bello, it is legally protected from erroneous calculations, even when it targets civilian systems or causes excessive collateral damage in relation to its military objective. Thus, states may still act with imperfect information, based on the way facts appear at the time, when the potential danger forces them to act. The real test will be whether danger to the victim-state's systems justified the use of active defenses in light of the likely collateral damage to the host-state.

Although an in-depth discussion is beyond the scope of this chapter, there are several issues worthy of consideration before a state decides to implement active defenses. First, due to the compressed timelines of cyber attacks, a state may need to automate its active defenses so that it can respond in a timely manner. However, using automated defenses will increase the likelihood of violating the principles of distinction and proportionality. As a result, defenses should probably be automated only for detection purposes, requiring human a.n.a.lysis and approval before actually counter-striking.

Second, just because it is legal to use active defenses under the circ.u.mstances described here, that does not mean it is sound policy. States must decide whether the diplomatic fallout is worth the risk. Unfortunately, technological limitations can cause state calculations to be erroneous at times and civilian systems to be targeted or excessively damaged. States must decide that the second-guessing that other states will engage in is worth the benefit gained from protecting their computer systems.

Third, there is the chance that the servers from which the initial attacks originate are intimately tied to important systems in the host-state, and if turned off could have devastating effects and cause unnecessary suffering. This possibility must be factored into the state's evaluation of military necessity versus probable collateral damage, especially if a state responds with active defenses without fully mapping an attacking system.

Fourth, states should carefully design their active defenses. Poorly coded active defense programs run the risk of self-propagating in cybers.p.a.ce beyond their initial purpose, and can run the risk of evolving from a defensive program into a computer virus or worm whose damage goes far beyond its intended design. Since active defenses represent a new frontier in cyber warfare, their initial use will be controversial, no matter the situation. States should expect public scrutiny and diplomatic protests until such time as active defenses are recognized as a lawful method of self-defense under international law.

[35] These decisions will, no doubt, be based on guidelines promulgated by the victim-state before the attack ever occurs. These rules would simplify the legal framework into a set of rules more easily understood by the layperson, similar to the rules of engagement that military personnel follow.

[36] This proposition is derived from Hague Convention IV, Annex, Article 22, which states "[t]he right of belligerents to adopt means of injuring the enemy is not unlimited." Hague Convention IV Respecting the Laws and Customs of War on Land and its Annex (Regulations), Oct. 18, 1907, 36 Stat. 2277, 1 Bevans 631 [hereinafter Hague IV].


Cyber attacks are one of the greatest threats to international peace and security in the 21st century. Securing cybers.p.a.ce is an absolute imperative. In an ideal world, states would work together to eliminate the cyber threat. Unfortunately, our world is no utopia, nor is it likely to become one. Global cooperation may be a reality one day, but unless something changes to pressure sanctuary states into changing their behavior, there is no impetus for them to do so.

The way to achieve this reality is to use active defenses against cyber attacks originating from sanctuary states. Not only will this allow victim-states to better protect themselves from cyber attacks, but it should also deter aggression and push sanctuary states into taking their international duty seriously. After all, no state wants another state using force within its borders, even electronically. Thus, the possibility that cyber attacks will be met with a forceful response is the hammer that can drive some sense into sanctuary states.

Since states do not currently use active defenses, any decision to use them will be a controversial change to state practice. Like any proposal that changes the way states do business, it is bound to be met with criticism on a number of fronts. However, there is sound legal authority to use active defenses against states that violate their duty to prevent cyber attacks. States that violate this duty and refuse to change their practices should be held responsible for all further attacks originating from within their borders in accordance with the law of war. At a time when cyber attacks threaten global security and states are scrambling to find ways to improve their cyber defenses, there is no reason to shield sanctuary states from the lawful use of active defenses by victim-states, and every reason to enhance state defenses to cyber attacks by using them.

Chapter 5. The Intelligence Component to Cyber Warfare.

There are various models of intelligence collection and a.n.a.lysis that are in use by the professionals employed within the 16 agencies that comprise the US intelligence community (IC). These legacy approaches served the government well while threats were emanating from the physical domain.

*** You are reading on ***

Popular Novel