CYBER-WARFARE FROM THE PERSPECTIVE OF INTERNATIONAL LAW Vasileios Makris, Hellenic MoD, Mil. Justice Directorate Mil. Judge Grade B’ 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 1 Definitions: • • • • “Information Operations” “Information Warfare” Cyber-Warfare Computer Network Attacks – CNAs: they may be cyber-warfare or just ‘’info ops’’. “cyber-warfare” /”cyber-operations” (cyber-ops), in the context of jus ad bellum 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 2 The computer /computer network as a WEAPON: Most used methods /techniques: • Corruption of hardware (by chip-level actions – “chipping”) • Corruption of software : • Denial of Service (DoS) & Distributed DoS (DDoS) attacks • Trojans, viruses, worms, time & logic bombs, etc • Various combinations of the above 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 3 The prohibition of the use of inter-State force • International customary law • The Charter of the United Nations Nowadays there are only two cases in which international law permits the use of inter-State force: (a) collective security (art. 39 et seq. of the UN Charter) and (b) self-defence (art. 51). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 4 UN Charter, art. 2(4) “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 5 UN Charter, art. 39 “The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 4 and 42, to maintain or restore international peace and security.” 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 6 UN Charter, art. 51 “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the UN, until the Security Council has taken measures necessary to maintain international peace and security. …” 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 7 The purpose of the presentation: To provide answers to the following questions: • ?-When cyber-ops constitute use of force outlawed by art. 2(4) of the Charter. • ?-When cyber-ops constitute threat to the peace, breach of the peace or act of aggression (art. 39 of the Charter). • ?-When cyber-ops amount to armed attack against which a state can recourse to selfdefence (art. 51 of the Charter). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 8 The purpose of the presentation: • We will not examine cyber-ops from the perspective of jus in bello • We will not examine “cyber-crime”, ‘’cyberespionage”, “cyber-sabotage” etc. • We will not look into cases like Stuxnet either (isolated /small scale). The threshold of CYBER-FORCE (cyber-warfare) between states is higher… 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 9 ΝΑΤΟ Strategic Concept, 2010 US National Security Strategy, 2010 [The Heads of State and Government of the NATO nations will] “…develop further our ability to prevent, detect, defend against and recover from cyber-attacks,…” Cyber-security threats: “…one of the most serious national security, public safety and economic challenges we face as a nation”. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 10 United Nations A series of General Assembly Resolutions… World Summit on the Information Society (Geneva 2003, Tunis 2005). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 11 Real life cases … 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 12 Estonia 2007 • From 27 Apr. 2007 and for 3 weeks Estonia was victimized by massive computer network attacks (: mainly DoS and DDos attacks, defacement of websites, attacks against DNS servers etc). • All government websites went down (the PM’s office incl.), to be followed by the websites of newspapers, TV stations, banks, public utilities etc. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 13 Estonia 2007 • The same fate was shared by the websites of the Parliament, hospitals, newspapers, electronic media, ISPs, universities, the telephone network etc. • It is estimated that over 1.000.000 computers were used against Estonia (a number of them from within Estonia itself), linked with the technique of “botnets”… [= ro(bot) computer (net)works] 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 14 Estonia 2007 • Estonian officials claimed that their country was the victim of a new kind of war and named specific sources as the attackers. • Estonia, as a NATO member-country, asked for help by the Organization. • NATO did not find any grounds to implement the provisions of art.V of the NATO Charter. It just sent experts on the spot… 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 15 Georgia 2008 • On Aug. 9, 2008 Georgia invaded the semiautonomous S. Osetia. The Russian Federation responded with arms. • At the same time Georgia became the target of systematic and extended cyber-attacks (DDoS, defacement, malicious software distribution, etc). • The first phase of these attacks is believed to have started on 19 July, 2008! (two weeks earlier!!) 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 16 A bizarre incident… • Mumbai, India, Nov. 2008: Terrorist organization Lashkar-e-Taiba (LeT), allegedly based in Pakistan: attacks against luxurious hotels -- over 500 casualties (179 dead) -- VoIP technology with the call server located in the US(!) -- 60 GPS devices -- Google Earth maps, etc… 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 17 Cyber-warfare as a use of force under art. 2(4) of the Charter 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 18 Cyber-warfare as a use of force under art. 2(4) of the Charter • It is generally accepted that the prohibition of the threat /use of force represents customary international law (also). • It binds all States, regardless of membership in the UN. However, at the time of drafting of the Charter, cyber-ops simply did not exist and could not even be contemplated upon. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 19 Cyber-warfare as a use of force under art. 2(4) of the Charter • The prohibition of art. 2(4) is framed in terms of the instrument of coercion employed: force (the drafters meant military and ‘kinetic’ force). That was something absolutely logical and presumable for the 1940s… • Yet, what matters for States are the consequences suffered by the use of a weapon or anything that can be used as such! 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 20 Cyber-warfare as a use of force under art. 2(4) of the Charter • Cyber-ops are ‘non-forceful’, that is nonkinetic… • Yet, computers /networks can be used with hostile intent as WEAPONS and their consequences can range from mere annoyance to death and severe property damages. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 21 Cyber-warfare as a use of force under art. 2(4) of the Charter • Given the above fact and also that, for example, there is no doubt that biological or radiological or chemical modes of warfare, which are also ‘non-kinetic’, are accepted to constitute, nevertheless, ‘uses of force’… 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 22 Cyber-warfare as a use of force under art. 2(4) of the Charter • Many analysts are beginning to accept that cyber-ops that directly cause death and /or property damages may constitute use of force! • The above mentioned do not apply to cyber-ops which cause economic and /or political consequences only, irrespective of how severe they may be. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 23 Cyber-warfare as a use of force under art. 2(4) of the Charter • The International Court of Justice (ICJ) accepts that art. 2(4), 42 and 51 of the Charter do NOT refer to specific weapons. • They apply to any use of force, regardless of the weapon employed (Nuclear Weapons Advisory Opinion, 1996) • The ICJ has also recognized that the use of nonkinetic weapons can lead to a violation of art. 2(4) (Nicaragua case, 1986, arming & training of the contras). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 24 Cyber-warfare as a use of force under art. 2(4) of the Charter For cyber attacks that do not cause death /property damage directly, prof. Schmitt proposed seven criteria in 1999 to help determine a possible use of force. The seven ‘Schmitt criteria’: • Severity • Immediacy • Directness • Invasiveness 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 25 Cyber-warfare as a use of force under art. 2(4) of the Charter ( cont.) ‘Schmitt criteria’: • Measurability • Presumptive legitimacy (for example, cyber espionage, cyber propaganda or psychological ops are legal by int. law) • Responsibility (: causal nexus to some state). [Not all theorists accept the above criteria] 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 26 Cyber-warfare as a use of force under art. 2(4) of the Charter • Art. 2(4) is binding upon states. • Not upon individual persons (e.g. ‘patriotic hackers’) or other “non-state actors”, like groups, terrorist (or other) organizations, organized hacker groups etc. • Unless… 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 27 Cyber-warfare as a use of force under art. 2(4) of the Charter Unless … • (ICJ, “Nicaragua Case”, 1986): “effective control”. • (ITFY, Appeals Chamber, “Tadić Case”, 1999): “overall control”. • ICJ, “Congo vs Uganda”, 2005, “Bosnia & Herzegovina vs Serbia & Montenegro”, 2007: “effective control” yet again. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 28 Cyber-warfare as a use of force under art. 2(4) of the Charter • The same apply to cyber-ops. The “effective control’’ criterion is more suitable to cyber-ops (and safer) because their origin is very hard and time consuming to locate. Note also that: even if a conduct is not directly attributable to a state it will nevertheless be considered an act of that state if : • The state acknowledges and adopts cyber-ops conducted by some non-state actor. • Possesses concrete information that cyber attacks emanate from its territory and does nothing to stop them. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 29 Remedies against cyber-attacks: (Assuming that the victim-state is able to identify the origin of cyber-force and attribute the conduct to a state) • • • • Resort to the UN Security Council (S.C.) Resort to a competent International Tribunal. Adopt retortions. Ask for some kind of reparation according to international law (: satisfaction, restitution, compensation). • Resort to non-forceful countermeasures. • Use armed force in self-defence if the criteria of art. 51 of the Charter are fulfilled. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 30 Cyber-warfare as threat to the peace, breach of the peace or act of aggression (art. 39) 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 31 Cyber-warfare as threat to the peace, breach of the peace or act of aggression • The assessment of the situation rests with the S.C. of the U.N. • The S.C. uses mainly POLITICAL criteria. • A cyber-attack may be judged to fit into one of the three above cases, irrespective of its scale and effects. • The S.C. --as a response to such a situation-may decide measures not involving or involving the use of force (art. 41 and 42). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 32 Cyber-ops as ‘armed attack’ justifying self-defence (art. 51 of the UN Charter) 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 33 Cyber-ops as ‘armed attack’ justifying self-defence The scope of self-defence as a right: • Self-defence (individual or collective) is only permitted against “armed attack”. • Every armed attack is, at the same time, a use of force. The opposite is not always true. • No prior authorization from the S.C. is required in order for a state to exercise self-defence ! 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 34 Cyber-ops as ‘armed attack’ justifying self-defence The scope of self-defence as a right: • Only the victim-state may judge that it is under an armed attack. • The victim-state must first ask for help. Only after this may third states offer their help (: collective self-defence). • Three principles apply: necessity, proportionality, immediacy. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 35 Cyber-ops as ‘armed attack’ justifying self-defence The scope of self-defence as a right: All the above are especially crucial in the context of cyber-ops, because it is very difficult and time-consuming to locate the source of a cyber-attack and, at the same time, “bleed-over” effects might be caused, which make it even harder and time consuming to locate the perpetrator! 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 36 Cyber-ops as ‘armed attack’ justifying self-defence • The drafters of the Charter used the “instrument-based” approach to the issue of self-defence also (: the Charter requires prior ‘’armed attack’’). • The phrase “armed attack” is more restrictive than the phrase “use of force” (something more is needed in order to have “armed attack” and not mere “force”). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 37 Cyber-ops as ‘armed attack’ justifying self-defence • Nevertheless, the hard core of an armed attack is the infliction of death to persons and severe property damages. • It is neither the designation of a device, nor its normal use, which make it a WEAPON, but the intent with which it is used and its effect. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 38 Cyber-ops as ‘armed attack’ justifying self-defence • Thus, many analysts are starting to accept that an armed attack does not have to be conducted the classic military way at all times provided that its consequences are analogous to those caused by ordinary military force. • If the above is not the case, then a cyber-attack, irrespective of its scale, can not be judged as an “armed attack” justifying self-defence. Of course, it may constitute an instance of mere “use of force”… 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 39 Cyber-ops as ‘armed attack’ justifying self-defence • The mere destruction, corruption or disruption etc of data (in computers, networks etc) is not enough, no matter how widespread it may be. • It must be accompanied by “physical consequences” (: death /physical damages to persons /property). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 40 Cyber-ops as ‘armed attack’ justifying self-defence • This legal structure is not entirely satisfactory… • Yet it is the only one we have and as far as modern international law has gone up to this date… 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 41 … don’t forget that: • International law is not necessarily a “just” and equitable law in all its aspects. • “International law is the law that the wicked are unwilling to enforce and the weak and righteous are unable to enforce”! 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 42 Cyber-ops as ‘armed attack’ justifying self-defence • The ‘’threshold’’ of armed attack is not prescribed in any legal text or rule. The ICJ alluded to it in the “Nicaragua Case” (: most grave forms of the use of force vs less grave forms). • In the “Oil Platforms Case” (Iran vs US, 2003), the ICJ accepted that the attack with sea mines against one ship could constitute armed attack justifying self-defence. • The same can apply to computer network attacks /cyber attacks. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 43 Cyber-ops as ‘armed attack’ justifying self-defence • In a fashion analogous to --e.g., isolated border incidents-- a cyber-attack may be judged as a “non-armed attack”, if it causes death /damages but not of a “significant scale”… (it will constitute “force” though). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 44 Cyber-ops as ‘armed attack’ justifying self-defence • Cyber-ops that are part of military ops of the classic type or constitute the initial stage thereof, are less problematic (e.g. Georgia, 2008). • The same apply to cyber-ops that are part of a legitimate military response to the use of (military – kinetic) force (armed attack). 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 45 Cyber-ops as ‘armed attack’ justifying self-defence ?-When a cyber-attack by “non-state actors” can be attributed to a state? • ICJ /ITFY criteria: “effective control” -“overall control”. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 46 What will come next? • ?-Will an ad hoc new rule of customary international law develop to prohibit cyberattacks as “illegal” use of force? • ?-Will, perhaps, a new treaty be drafted? 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 47 What will come next? • Cyber-warfare is a reality and cyber-attacks are as old as computer networks themselves (at least 30 years old). • Recent state practice so far (USA, UK, Russian Federation, NATO, etc) shows that a new int. customary law is in the process of crystallization. The outcome is still difficult to predict. • The need for an int. treaty prohibiting the use of cyber-force is also in debate. Many states, though, still hesitate to commit themselves to specific restrictions. 02 June, ''ATHENA '11'' Mil.J. Gr.B' V.G. Makris 48