Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (2009)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Appendix D Views on the Use of Force in Cyberspace Computer Network Attack and the Use of Force in International Law In 1999, Michael Schmitt addressed the issue of cyberattack as a use of force. Focusing on computer network attack (CNA) (remote-access attack, as described in Chapter 2), Schmitt argued that CNA should be understood in terms of its effects and said that the consequences of a CNA rather than its specific modality were the most important factor in its categorization. He focused on the consequences of a CNA because of their potentially broad range: “CNA spans the spectrum of consequential- ity. Its effects freely range from mere inconvenience (e.g., shutting down an academic network temporarily) to physical destruction (e.g., as in creating a hammering phenomenon in oil pipelines so as to cause them to burst) to death (e.g., shutting down power to a hospital with no back- up generators).” Thus, for example, Schmitt argued that “CNA specifically intended to directly cause physical damage to tangible property or injury or death to human beings is reasonably characterized as a use of armed force,” and so “pipeline destruction and the shutting of power to the hospital are exam- ples of CNA which the actor knows can, and intends to, directly cause destruction and serious injury.” He further noted that “armed coercion  Michael Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” Columbia Journal of Transnational Law 37:885- 937, 1999. 356 

APPENDIX D 357 is not defined by whether or not kinetic energy is employed or released, but rather by the nature of the direct results caused, specifically physical damage and human injury.” On the other hand, Schmitt noted that economic coercion is not gener- ally regarded as rising to the level of a “use of force,” so that a CNA that seeks economic coercion cannot be considered a use of force. For a CNA to be considered a use of force, he argued that it must be more consequential than simple economic coercion but does not necessarily have to meet the threshold of being considered a use of “armed force” as described in the previous paragraph. He thus argues that “the use of force line must lie somewhere between economic coercion and the use of armed force.” Schmitt then offered a seven-element framework for categorizing computer network attack as a use of force: • Severity. If people are killed or there is extensive property damage, the action is probably military; the less damage, the less likely the action is a use of force. • Immediacy. When the effects are seen within seconds to minutes— such as when a bomb explodes—the operation is probably military; if the effects take weeks or months to appear, it is more likely diplomatic or economic. • Directness. If the action taken is the sole cause of the result, it is more likely to be viewed as a use of force; as the link between cause and effect attenuates, so does the military nature of the act. • Invasiveness. A violated border is still an indicator of military opera- tions; actions that are mounted from outside a target nation’s borders are probably more diplomatic or economic. • Measurability. If the effect can be quantified immediately—such as photographing a “smoking hole” where the target used to be—the opera- tion has a strong military character; the more subjective the process for evaluating the damage, the more diplomatic or economic. • Presumptive legitimacy. State actors have a monopoly on the legiti- mate use of kinetic force, while other non-kinetic actions—attacks through or in cyberspace—are often permissible in a wider set of circumstances; actions that have not been the sole province of nation-states are less likely to be viewed as military. • Responsibility. If a state takes visible responsibility for any destruc- tive act, it is more likely to be characterized as a traditional military opera- tion; ambiguous responsibility militates for a non-military label. Schmitt provided two examples, each presumably premised on a state of non-hostilities existing prior to a computer network attack. In the first example, he posited computer network attacks that disable an air traffic 

358 Technology, Policy, Law, And Ethics Of U.s. Cyberattack CapabiliTIES control (ATC) system during bad weather, resulting in the crash of an airliner and many civilian deaths. Although no kinetic force was used to destroy the airliner, CNA was the cause of the tragedy, as the airliner would have been likely to survive bad weather with a functional ATC system. The consequences are both severe and manifestly obvious, and the action (the CNA) and desired result (the airliner crash) were tempo- rally proximate. For these reasons, this CNA can be regarded as the use of force. In the second example, he posited a CNA on a university computer network designed to disrupt military-related research in campus lab- oratories. In this attack, no physical damage or suffering occurs, and the desired outcome—diminished capability on the battlefield—is both remote from the act and also depends on many other factors (e.g., the ability of researchers to regenerate data, the possible existence of other similar research efforts, and so on). In this instance, the CNA should not be regarded as the use of force. New Tools, New Rules: International Law and Information Operations Another more recent analysis by Duncan Hollis argued against extend- ing traditional laws of armed conflict (LOAC) to apply to cyberattack and other information operations. Though Hollis accepts the fundamental underlying rationale and intent of traditional LOAC (e.g., to minimize human suffering, to support reciprocity between states, to prevent mor- ally reprehensible behavior), he argued that the interpretation of tradi- tional LOAC vis-à-vis cyberattack suffers from two major problems. First, Hollis argued that even in the context of state-on-state warfare, extension of the traditional LOAC suffers from serious “translation” prob- lems about how these laws apply to cyberattack. For example, a cyberat- tack on a stock exchange might cause considerable economic damage but may not cause immediate death or destruction—should such an attack count as a use of force? In addition, preserving the distinction between civilian entities and valid military targets is extraordinarily difficult when cyberattack is concerned. He made the further point that Article 41 of the UN Charter defines “measures not involving the use of armed force” to include “complete or partial interruption of . . . telegraphic, radio, and other means of communication.” (Note, of course, that the UN Charter was ratified in 1945, long before the Internet and modern information  Duncan B. Hollis, “New Tools, New Rules: International Law and Information Opera- tions,” pp. 59-72 in Ideas As Weapons: Influence and Perception in Modern Warfare, G. David and T. McKeldin, eds., Potomac Books, Inc., 2009. 

APPENDIX D 359 technologies were contemplated and before it could be imagined that the medium of an attack on a nation might well be an altogether new and different medium.) Second, he argued that in focusing primarily on state-on-state con- flict, traditional LOAC ignores many of the most important issues that arise in today’s security environment—the issue of states acting against non-state actors and subnational entities. Hollis points out that the legal regimes governing such conflict are already in a state of flux (e.g., there is no doctrine comparable to the “use of force” or the self-defense provi- sions of the UN Charter). And when cyberattacks may be launched by non-state actors from the territories of nation-states, the relevant legal regime is even murkier. For example, in the absence of state sponsorship, a cyberattack—even a very destructive one, conducted by a terrorist or criminal organization— does not qualify as an armed attack. A self-defense response is thus not sanctioned under the UN Charter. Even if the origin of the cyberattack can be traced to a specific state, a military or law enforcement response against an entity within that state cannot be undertaken unilaterally with- out violating that state’s sovereignty. Only if the state in question is unable or unwilling to stop the cyberattack may the attacked state take countermeasures on its own. Hollis concluded from his analysis that the translation difficulties and the insufficiency of traditional LOAC with respect to subnational actors call for a new legal framework for governing cyberattack and other infor- mation operations.