
CYBER-WARFARE FROM THE PERSPECTIVE OF INTERNATIONAL LAW

By Mil. Judge Grade B’ Vasileios G. Makris,

Hellenic MoD, Mil. Justice Directorate

(The text that follows is based on a presentation given by the author on 02 June, 2011 in Thessaloniki during the “Athena ‘11” Crisis Management Conference organized by the HNDGS under the auspices of the Hellenic MoD. Although it contains most of the necessary details on the subject, it is a short version of a dissertation paper that will be presented for evaluation by the author in the near future at the Law School of the Democritus University of Thrace.)

1. INTRODUCTION

Cyberwarfare is a way (a mode) of conducting “Information Operations”.

“Information operations” (info ops) is a broad category of operations that includes information-warfare and cyberwarfare. “Info ops” is the integrated employment of the core capabilities of electronic warfare, computer network ops, psychological ops, military deception and operational security, in order to influence, disrupt, corrupt, or usurp adversarial human and automated decision making while protecting our own. Computer Network Attacks (CNAs) may constitute cyberwarfare or just “info ops”.

In this presentation we will examine in a very brief fashion, due to time limitations, computer network operations that go beyond mere exploitation of adversarial systems and are accompanied by a hostile intent and are thus in effect a mode of use of inter-state force. We will stay in the jus ad bellum context, that is up to the stage after which a full-fledged armed conflict begins and not beyond this. Throughout the text that follows we will be using the terms “cyber-warfare”, “cyber-ops” or “computer network attacks” to denote the use of force between states.

2. TECHNIQUES OF CYBER-WARFARE

From the above it is already evident that the computer/computer network may be used as a kind of weapon. The most used methods/techniques are the following:

Corruption of hardware by chip-level actions – “chipping”. Chipping means integrating computer chips (microprocessors) with built-in weaknesses or flaws in order to destroy or cause problems to adversary networks. (Many analysts believe that the “Farewell case” of 1982 and the incapacitation of the air defences of Syria a few years ago by Israel constitute chipping cases.)

Corruption of software: Denial of Service (DoS) attacks, Distributed Denial of Service attacks (DDoS), Trojans, viruses, worms, time & logic bombs, various combinations of the above.

3. THE PROHIBITION OF THE USE OF INTER-STATE FORCE

Modern international law strictly forbids the use of “inter-state” force, that is the use of force in the (international) relations between states. This international law consists of:

• International customary law

• The Charter of the United Nations

Nowadays there are only two cases in which international law permits the use of inter-State force: (a) collective security (art. 39 et seq. of the UN Charter) and (b) self-defence (art. 51).

The texts of the relevant articles of the UN Charter are the following:

Art. 2(4): “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.” 

Art. 39: “The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 4 and 42, to maintain or restore international peace and security.”

Art. 51: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the [U.N.], until the Security Council has taken measures necessary to maintain international peace and security. …”.

4. THE PURPOSE OF THIS ARTICLE

The purpose of this short article on the issue of cyber-warfare from the perspective of international law is to provide answers to the following key questions:

• When do cyber-ops constitute use of force outlawed by art. 2(4) of the Charter?

• When do cyber-ops constitute threat to the peace, breach of the peace or act of aggression (art. 39 of the Charter)?

• When do cyber-ops amount to armed attack against which a state can have recourse to self-defence (art. 51 of the Charter)?

We will not examine cyber-ops from the perspective of jus in bello. (Jus in bello is the (international) law that applies after armed hostilities have begun.) Nor will we examine “cyber-crime”, “cyber-espionage”, “cyber-sabotage”, “cyber-propaganda” etc. (Bear in mind that cyber-espionage and cyber-propaganda, for example, are legal under international law.)

We will not look into cases like the Stuxnet malicious software either, which is a rather isolated/small-scale event. The threshold of cyber-force (cyber-warfare) between states is much higher.

Most states attach high importance to the issue of cyber-attacks and cyber-warfare. It is hardly necessary to remind you that in the frame of the NATO Strategic Concept, 2010 (Lisbon) [the Heads of State and Government of the NATO nations decided that they will] “…develop further our ability to prevent, detect, defend against and recover from cyberattacks…”.

Also, in the frame of the US National Security Strategy, 2010, cyber-security threats were named as “…one of the most serious national security, public safety and economic challenges we face as a nation”.

On the level of the U.N., the General Assembly (G.A.) with a series of Resolutions has emphasized, among other things, that information technologies can potentially be used for purposes that are inconsistent with the objectives of maintaining international stability and security. The G.A. also endorsed the holding of a World Summit on the Info Society that took place in two phases in Geneva, 2003 and Tunis, 2005.

5. TWO REAL LIFE CASES

At this point it would be very helpful to examine two prominent real life cases of “cyber-attacks”.

The Estonian case, 2007

From 27 Apr. 2007 and for 3 weeks Estonia was victimized by massive computer network attacks (mainly DoS and DDoS attacks, defacement of websites, attacks against DNS servers etc). All government websites went down (the Prime Minister’s Office included), to be followed by the websites of newspapers, TV stations, banks, public utilities etc. The same fate was shared by the websites of the Parliament, hospitals, newspapers, electronic media, ISPs, universities, the telephone network etc. It is estimated that over 1,000,000 computers were used against Estonia (a number of them from within Estonia itself), linked with the technique of “botnets”. (A “botnet” is a ro(bot) computer (net)work.)

Estonian officials claimed that their country was the victim of a new kind of war and named specific sources as the attackers. Estonia, as a NATO member country, also asked the Organization for help. NATO did not find any grounds to implement the provisions of art. V of the NATO Charter. It just sent experts on the spot to study the incident and provide help.

The case of Georgia, 2008

On Aug. 9, 2008 Georgia invaded the semi-autonomous South Ossetia. The Russian Federation responded with arms. At the same time Georgia became the target of systematic and extended cyber-attacks (DDoS, defacement, malicious software distribution, etc). The first phase of these attacks is believed to have started on 19 July, 2008, that is two weeks earlier!

The impressive thing about the cyber-attacks in Georgia is that they severed almost all Georgian communications with the rest of the world “bloodlessly” and in this way they accomplished what NATO managed to do by attacking the TV Tower in Belgrade in the Former Yugoslavia with kinetic weapons, killing 16 people and delivering results for a few hours only…

A bizarre high-tech incident…

In Mumbai, India, in Nov. 2008, the terrorist organization Lashkar-e-Taiba (LeT), allegedly based in Pakistan, carried out a series of attacks against luxury hotels which caused over 500 casualties (179 dead). The planners of the attacks and the members who executed them, in order to achieve the best co-ordination amongst themselves, used VoIP technology with the call server located in the US(!), 60 GPS devices, Google Earth maps and other high-tech gadgets (hardware & software). This incident, no matter how grave it may seem or be, cannot be labeled as “use of force between states”. It shows, nevertheless, the dangers of the uses or misuses of the new technologies and introduces us to another facet of the problem: the possibility of attributing the deeds of non-state actors to states themselves. We will discuss the latter briefly a little later.

6. CYBER-WARFARE AS A USE OF FORCE UNDER ART. 2(4) OF THE CHARTER

It is generally accepted that the prohibition of the threat/use of force represents customary international law (also). It binds all States, regardless of membership in the UN. However, at the time of drafting of the Charter, cyber-ops simply did not exist and could not even be contemplated.

The prohibition of art. 2(4) is framed in terms of the instrument of coercion employed: force (the drafters meant military and ‘kinetic’ force). That was something absolutely logical and presumable for the 1940s. Yet, what matters for States are the consequences suffered from the use of a weapon or anything that can be used as such! Cyber-ops are ‘non-forceful’, that is non-kinetic, yet computers/networks can be used with hostile intent as weapons and their consequences can range from mere annoyance to death and severe property damage.

Given the above fact, and also that, for example, there is no doubt that biological or radiological or chemical modes of warfare, which are also ‘non-kinetic’, are nevertheless accepted to constitute ‘uses of force’, many analysts are beginning to accept that cyber-ops that directly cause death and/or property damage may constitute use of force! The above does not apply to cyber-ops which cause economic and/or political consequences only, irrespective of how severe they may be. This seems to be the case with the Estonian incident.

The International Court of Justice (ICJ) accepts that articles 2(4), 42 and 51 of the Charter do not refer to specific weapons. They apply to any use of force, regardless of the weapon employed (Nuclear Weapons Advisory Opinion, 1996).

The ICJ has also recognized that the use of non-kinetic weapons can lead to a violation of art. 2(4) (Nicaragua case, 1986, where the arming & training of the contras is in fact referred to as “weapon”).

For cyber attacks that do not cause death/property damage directly, law professor Michael Schmitt proposed seven criteria in 1999 to help determine a possible use of force. The seven ‘Schmitt criteria’ are:

• Severity

• Immediacy

• Directness

• Invasiveness (: the level of security and protection of the systems attacked)

• Measurability

• Presumptive legitimacy (for example, cyber espionage, cyber propaganda or psychological ops are legal by international law and thus cannot be ‘use of force’)

• Responsibility (: causal nexus to some state, that is the attribution of the attack to a state)

[Not all legal theorists accept the above criteria]

Art. 2(4) is binding upon states, not upon individual persons (e.g. ‘patriotic hackers’) or other “non-state actors”, like groups, terrorist (or other) organizations, organized hacker groups etc., unless an ‘effective control’ of the state over the group can be proved or established: this is what was said by the ICJ in the “Nicaragua Case”, 1986. The International Tribunal for the Former Yugoslavia (ITFY), Appeals Chamber, in the “Tadić Case”, 1999, accepted the ‘overall control’ criterion of the state over the non-state actor (group). The first criterion (effective control) is higher than the second (overall control).

(The ICJ in the “Congo vs Uganda” case, 2005, and in the “Bosnia & Herzegovina vs Serbia & Montenegro” case, 2007, spoke again of the ‘effective control’ criterion.)

The same can apply to cyber-ops. The ‘effective control’ criterion (which is higher than the ‘overall control’ criterion) is more suitable to cyber-ops (and safer) because the origin of cyber-ops is very hard and time-consuming to determine.

Note also that even if a conduct is not directly attributable to a state it will nevertheless be considered an act of that state if the state acknowledges and adopts cyber-ops conducted by some non-state actor against another state, or if it possesses concrete information that cyber attacks emanate from its territory and does nothing to stop them.

7. REMEDIES OF A VICTIM-STATE AGAINST CYBER-ATTACKS

(Assuming that the victim-state is able to identify the origin of cyber-force and attribute the conduct to a state-aggressor)

• Resort to the UN Security Council (S.C.)

• Resort to a competent International Tribunal. (Such a tribunal could be the ICJ or a tribunal set up by a specific international treaty, for example an arbitration tribunal.)

• Adoption of retortions. (Retortions are unfriendly acts not involving any breach of international law, e.g. the severance of diplomatic relations.)

• Demand for some kind of reparation (: satisfaction, restitution, compensation)

• Resort to non-forceful countermeasures. (Countermeasures are conduct inconsistent with a state’s international obligations (e.g. to shut down all internet traffic through the state), in response to a prior violation of international law by another state.)

• Use armed force in self-defence if the criteria of art. 51 of the Charter are fulfilled.

8. CYBER-WARFARE AS A THREAT TO THE PEACE, BREACH OF THE PEACE OR ACT OF AGGRESSION (ART. 39)

The assessment of the situation rests with the S.C. of the U.N. The S.C. may decide to examine an instance of use of cyber-force or a specific case may be brought before it. The S.C. uses mainly political criteria as it is a deeply political organ and not a tribunal.

A cyber-attack may be judged to fit into one of the three above cases, irrespective of its scale and effects. The S.C., as a response to such a situation, may decide on measures not involving or involving the use of force (art. 41 and 42) or nothing at all.

9. CYBER-OPS AS ‘ARMED ATTACK’ JUSTIFYING SELF-DEFENCE (ART. 51 OF THE UN CHARTER)

First it is essential that we clarify a few things about the essence and the outer margins (the scope) of “self-defence” as an international law right.

• Self-defence (individual or collective) is only permitted against “armed attack”, not against mere use of force.

• Every armed attack is, at the same time, a use of force. The opposite is not always true.

• No prior authorization from the S.C. is required in order for a state to exercise self-defence.

• Only the victim-state may judge that it is under an armed attack.

• The victim-state must first ask for help. Only after this may third states offer their help (collective self-defence).

• Three principles apply: necessity, proportionality, immediacy.

All the above, and especially the three principles, are crucial in the context of cyber-ops, because it is very difficult and time-consuming to locate the source of a cyber-attack and, at the same time, ‘bleed-over’ effects might be caused, which make it even harder and more time-consuming to locate the perpetrator! If self-defence is exercised against the wrong entity, then it is an illegal act by itself, against which self-defence may be exercised!

The drafters of the Charter used the “instrument-based” approach to the issue of self-defence also (: the Charter requires prior “armed attack”). The phrase “armed attack” is more restrictive than the phrase “use of force” (something more is needed in order to have “armed attack” and not mere “force”).

Nevertheless, the hard core of an armed attack is the infliction of death to persons and severe property damages. It is neither the designation of a device, nor its normal use, which make it a weapon, but the intent with which it is used and its effect.

The use of any device which results in considerable loss of life and /or extensive destruction of property (: ‘scale & effects’ above a required minimum degree), must therefore be deemed to fulfill the conditions of an armed attack.

Thus, many analysts are starting to accept that an armed attack does not have to be conducted the classic military way at all times, provided that its consequences are analogous to those caused by ordinary military force. It is obvious then that a computer network attack can be an armed attack if it has scale and effects analogous to a classic military (armed) attack.

If the above is not the case, then a cyber-attack, irrespective of its scale, cannot be judged as an “armed attack” justifying self-defence. Of course, it may constitute an instance of mere “use of force”. The mere destruction, corruption or disruption etc. of data (in computers, networks etc.) is not enough, no matter how widespread it may be. It must be accompanied by “physical consequences” (: death/physical damages to persons/property).

This legal structure is not entirely satisfactory, yet it is the only one we have and it is as far as modern international law has gone up to this date.

The “threshold” of armed attack is not prescribed in any legal text or rule. The ICJ alluded to it in the “Nicaragua Case” (: most grave forms of the use of force vs less grave forms). In the “Oil Platforms Case” (Iran vs US, 2003), the ICJ accepted that the attack with sea mines against just one ship could constitute armed attack justifying self-defence. The same can apply to computer network attacks/cyber attacks, but of course a lot of ambiguity and gray space still remains. (In a fashion analogous to e.g. ‘isolated border incidents’ a cyber-attack may be judged as a “non-armed attack”, if it causes death/damages but not of a “significant scale”… (it will constitute “force” though)).

Cyber-ops that are part of military ops of the classic type or constitute the initial stage thereof are less problematic (e.g. Georgia, 2008). The same applies to cyber-ops that are part of a legitimate military response to the use of kinetic force (armed attack).

And finally, a question relevant to the one already posed above in the section on the use of force: when can a cyber-attack by “non-state actors” be attributed to a state? The ICJ – ITFY criteria of “effective control” and “overall control” can apply here as well, with the first being preferable for the reasons already mentioned above.

10. WHAT WILL COME NEXT?

Will an ad hoc new rule of customary international law develop to prohibit cyberattacks as “illegal” use of force? 

Will, perhaps, a new treaty be drafted?

Cyber-warfare is a reality and cyber-attacks are as old as computer networks themselves (at least 30 years old). Many states and various organizations have long been taking the stance, in various ways, that “state-sponsored cyber-attacks may well generate the right of self-defence”. Recent state practice so far (USA, UK, Russian Federation, NATO, etc) shows that a new international customary law is in the process of crystallization. No rule has crystallized so far and the outcome is still difficult to predict.

On the other hand, the need for an international treaty prohibiting the use of cyber-force is also under debate. Many states, though, still hesitate to commit themselves to specific restrictions. There is a good explanation for this: states tend to avoid committing themselves to rules that restrict their freedom of movement but, on the contrary, they want their adversaries and/or enemies to be restricted by rules.


