Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts Michael N. Schmitt durham Uniersity law School, United kingdom INTRODuCTION In April and May 2007, Estonia was victimized by massive computer network attacks. 1 The incident began with rioting incited by ethnic Russian cyber agitators in response to the governmentâs decision to move a Soviet war memorial from the center of Tallinn to a military cemetery on the outskirts of the capital. Subsequent actions included direct cyber attacks against Estonian targets, including government and commercial Internet infrastructure and information systems such as the those of the President, Prime Minister, Parliament, State Audit Office, ministries, political parties, banks, news agencies, and Internet service providers. They involved denial of service (DoS), distributed denial of service (DDoS), defacement and destruction. Because Estonia had invested heavily in networking following independence, the attacks proved devastating. By 2007, the country relied on information services for everything from banking and filing tax returns to paying for parking and public transportation. Internet services covered all of Estonia, with half the population enjoying access from their homes. Most of the attacks emanated from outside the country, principally Russia. Their origin was also traced to at least 177 other countries.2 Initially, they came from private IP addresses, although experts tracked a number to Russian government institutions. It remains uncertain whether the latter were launched with the governmentâs knowledge. As the cyber attacks unfolded, they became increasingly sophisticated, evidencing considerable organization and command and control. While various pro-Rus - sian activist groups apparently executed some of the second wave operations, there is no firm evidence that the Russian government either conducted or orchestrated them. The impact of the cyber assault proved dramatic; government activities such as the provision of State benefits and the collection of taxes ground to a halt, private and public communications were disrupted and confidence in the economy plummeted. Was this âwarâ? After all, the scope and scale of the consequences far exceeded those that might have been caused by, for instance, a small-scale air 1 For an excellent discussion of the attacks, see Eneken Tikk, Kadri Kaska, and Liis Vihul, international Cyber incidents: legal Considerations 14-33 (Tallinn: Cooperative Cyber Defence Centre of Excellence 2010). 2 Charles Clover, âKremlin-backed Group behind Estonia Cyber Blitz,â Financial times, March 11, 2009. 11
12 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS attack or a commando raid, both of which would signal the initiation of a âwarâ between Estonia and the State responsible for their execution. Historically, the initiation of a war depended upon a formal act of State, generally a âdeclaration of war.â It neither required hostilities, nor did hostilities alone amount to war. This traditional under - standing of war has fallen into desuetude, replaced by a complex admixture of legal concepts. In the aftermath of the Second World War, the international community crafted a new normative scheme in the form of the United Nations Charter, which includes both a prohibition on the use of force in inter- national relations and a system for enforcing the prescription. Today, the Charter, together with related customary international law norms,3 governs how and when force may be employed by States. The carnage of the Second World War also prompted a reexamination of the rules applicable during war- fare. During that process, the requirement for a declaration of war as the threshold for application of the âlaw of warâ was abandoned.4 Henceforth, this body of law (relabeled the âlaw of armed conflictâ and usually referred to as âinternational humanitarian lawâ or IHL) would come into play whenever âarmed conflictâ occurred. This article explores the contemporary international law governing cyber operations. In particular, it asks four questions, which together have supplanted the previous notion of âwarâ: (1) When does a cyber operation constitute a wrongful âuse of forceâ in violation of Article 2(4) of the United Nations Charter and customary international law?; (2) When does a cyber operation amount to a âthreat to the peace, breach of the peace, or act of aggression,â such that the Security Council may authorize a response thereto?; (3) When does a cyber operation constitute an âarmed attack,â such that the victim-State may defend itself, even kinetically, pursuant to the right of self-defense set forth in Article 51 of the UN Charter and customary international law?; and (4) When does a cyber operation rise to the level of an âarmed conflict,â such that IHL governs the actions of belligerents? The attacks against Estonia, similar ones against Georgia during its armed conflict with Russia in 2008,5 and the thousands of others directed against government, corporate and private systems worldwide on a daily basis aptly demonstrate the reality, immediacy and scale of the threat. It is one well-recognized by States. The May 2010 United States National Security Strategy cites cyber security threats as âone of the most serious national security, public safety, and economic challenges we face as a nation.â6 Similarly, the analysis and recommendations on NATOâs new Strategic Concept prepared by a group of distinguished experts led by former U.S. Secretary of State Madeleine Albright singled out âcyber assaults of varying degrees of severityâ as one of the three likeliest threats the NATO Allies will face in the next decade.7 Unfortunately, the existing legal norms do not offer a clear and comprehensive framework within which States can shape policy responses to the threat of hostile cyber operations. In particular, international law 3 See fn 13 and accompanying text for a brief explanation of customary international law. 4 Common Article 2 to the four 1949 Geneva Conventions provides that the treaties âshall apply to all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties, even if a state of war is not recognized by one of them.â Geneva Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field, art. 2, Aug. 12, 1949, 6 UST. 3114, 75 U.N.T.S. 31; Geneva Convention for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea, art. 2, Aug. 12, 1949, 6 UST. 3217, 75 U.N.T.S. 85; Geneva Convention Relative to the Treatment of Prisoners of War, art. 2, Aug. 12, 1949, 6 UST. 3316, 75 U.N.T.S. 135 ; Geneva Convention Relative to the Protection of Civilian Persons in Time of War, art. 2, Aug. 12, 1949, 6 UST. 3516, 75 U.N.T.S. 287 [hereinafter GC IâIV respectively]. 5 See Tikk, supra note 1, at 66-90. 6 President Barack Obama, national Security Strategy 27 (May 2010). 7 Group of Experts on a New Strategic Concept. nAto 2020: Assured Security; dynamic Engagement (May 17, 2010) 17. The others are an attack by a ballistic missile and strikes by international terrorist groups.
1 miCHAEl n. SCHmitt as traditionally understood departs at times from what the international community would presumably demand in the cyber context. To some extent, this divergence can be accommodated through reasonable interpretation of the relevant norms. Where it cannot, the law would seem to require attention, either through treaty action or through the development of new understandings of the prevailing legal concepts.8 CybER OPERATIONS AS A âuSE OF FORCEâ The United Nations Charter, in Article 2(4), states that â[a]ll Members [of the United Nations] shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.â Despite the reference to territorial integrity and political independence, it is now widely understood that the prohibition applies to any use of force not otherwise permitted by the terms of the Charter, specifically uses of force authorized by the Security Council and defensive operations, each discussed separately below.9 Article 2(4) was revolutionary in its extension to threats. Of course, only those threats of a use of force that would otherwise be unlawful qualify.10 For instance, threatening destructive defensive cyber attacks against another Stateâs military infrastructure if that State unlawfully mounts unlawful cross- border operations would not breach the norm. However, threats of destructive cyber operations against another Stateâs critical infrastructure unless that State cedes territory would do so. The prohibition applies only to an explicit or implied communication of a threat; its essence is coer - cive effect. It does not reach actions which simply threaten the security of the target State, but which are not communicative in nature. Thus, the introduction into a Stateâs cyber systems of vulnerabilities which are capable of destructive activation at some later date would not constitute a threat of the use of force unless their presence is known to the target State and the originating State exploits them for some coercive purpose.11 It is generally accepted that the prohibition on the threat or use of force represents customary inter- national law.12 Resultantly, it binds all States regardless of membership in the United Nations. Article 38 of the Statute of the International Court of Justice (ICJ) defines customary law as âgeneral practice accepted as law.â13 It requires the coexistence of State practice and opinio juris sie necessitatis, a belief that the practice is engaged in, or refrained from, out of a sense of legal obligation (rather than practical or policy reasons). Although simple in formulation, the norm is complex in substantive composition. It poses two key questions: âWhat is a use of force?â and âTo whom does the prohibition apply?â Both bear heavily on the legality of cyber operations, which did not exist when the UN Charter was adopted by States in 1945. The difficulty of applying a legal provision which did not contemplate a particular type of opera - tion is apparent. 8 For book length treatment of these issues, see Thomas C. Wingfield. the law of information Conflict (Washington: Aegis Research Corporation 2000); Michael N. Schmitt and Brian OâDonnell, eds. Computer network Attack and international law (Newport: U.S. Naval War College International Law Studies, vol. 76, 1999); and the collected articles in 64 Air Force Law Review (2009). 9 In its original form, the draft Charter contained no reference to territorial integrity or political independence, and their subse - quent inclusion was controversial. The âother mannerâ language was inserted to make clear that their inclusion was not meant to limit the reach of the provision. See Doc. 1123, I/8, 6 U.N.C.I.O. Docs. 65 (1945); Doc. 784, I/1/27, 6 U.N.C.I.O. Docs. 336 (1945); Doc. 885, I/1/34, 6 U.N.C.I.O. Docs 387 (1945). 10 This point was made by the International Court of Justice in Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 ICJ Rep. 226, Â¶ 47 (July 8). 11Although a threat must be coercive in some sense, there is no requirement that a specific âdemandâ accompany the threat. 12 See discussion of the issue by the International Court of Justice in Military and Paramilitary Activities in and Against Nica - ragua (Nicar. v. US), 1986 ICJ Rep. 14, Â¶Â¶ 187-191 (June 27) [hereinafter Nicaragua]. 13 Statute of the International Court of Justice, art. 38, June 26, 1945, 59 Stat. 1055, 33 U.N.T.S. 993. On customary law, see Yoram Dinstein, âThe Interaction between Customary International Law and Treaties,â Collected Courses of the Hague Academy of inter- national law 322 (Martinus Nijhoff, 2007).
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS Finally, it must be borne in mind that neither Article 2(4) nor its customary counterpart is remedial in nature. Rather, they merely set a threshold for breach of international law. The nature of the response to a wrongful use of force is instead determined by the law of State responsibility, the scope of authority of the Security Council and the law of self-defense. Each is addressed below. uses of Force Do cyber operations constitute a âuse of forceâ as that phrase is understood in relation to the prohibi- tion? The interpretive dilemma is that the drafters of the Charter took a cognitive short cut by framing the treatyâs prohibition in terms of the instrument of coercion employedâforce. Thus, the norm did not outlaw economic and political coercion, but disallowed military force, at least absent an express Charter exception. Yet, it is seldom the instrument employed, but instead the consequences suffered, that matter to States. At the time the Charter was drafted an instrument based-approach made sense, for prior to the advent of cyber operations the consequences that Sates sought to avoid usually comported with instrument-based categories. Cyber operations do not fit neatly into this paradigm because although they are ânon-forcefulâ (that is, non-kinetic), their consequences can range from mere annoyance to death. Resultantly, as the Commander of U.S. Cyber Command noted during his confirmation hearings, policy makers must understand that â[t]here is no international consensus on a precise definition of a use of force, in or out of cyberspace. Consequently, individual nations may assert different definitions, and may apply different thresholds for what constitutes a use of force.â 14 That the term âuse of forceâ encompasses resort to armed force by a State, especially force levied by the military is self-evident. Armed force thus includes kinetic forceâdropping bombs, firing artillery, and so forth. It would be no less absurd to suggest that cyber operations which generate consequences analogous to those caused by kinetic force lie beyond the prohibitionâs reach, than to exclude other destructive non-kinetic actions, such as biological or radiological warfare. Accordingly, cyber operations that directly result (or are likely to result) in physical harm to individuals or tangible objects equate to armed force, and are therefore âuses of force.â For instance, those targeting an air traffic control system or a water treatment facility clearly endanger individuals and property. But cyber operations are usually mounted without causing such consequences, as illustrated by the case of Estonia. Are such operations nonetheless barred by the use of force prohibition? The starting point for any interpretive endeavor in law is the treaty text in question.15 In this regard, note that the adjective âarmedâ does not appear with reference to âforceâ in Article 2(4). By contrast, the Charter preamble cites the purpose of ensuring that âarmed force shall not be used, save in the common interest.â Similarly, the Charter excludes âarmed forceâ from the non-forceful measures the Security Council may authorize under Article 41 and mentions planning for âarmed forceâ with regard to forceful Article 42 measures.16 And the Charter only allows forceful defensive actions in the face of an âarmed attack.â17 This textual distinction suggests an interpretation of âforceâ that is broader in scope than the common understanding of the term. When text is ambiguous, recourse may be had to âthe preparatory work of [a] treaty and the circum - stances of its conclusion.â18 The Charterâs traaux preparatoires, indicate that during the drafting of the 14 Unclassified Senate Testimony by Lieutenant General Keith Alexander, USA, Nominee for Commander, United States Cyber Command, April 15, 2010, www.senate.gov/~armed_services/statemnt/2010/04%20April/Alexander%2004-15-10.pdf. 15According to the Vienna Convention on the Law of Treaties, â[a] treaty shall be interpreted in good faith in accordance with the ordinary meaning to be given to these terms of the treaty in their context and in light of its object and purposeâ which can be gleaned from the text, âincluding its preamble and annexes . . . .â May 23, 1969, art. 31(1)-(2), 1155 U.N.T.S. 331. The United States is not a party to the Vienna Convention, but treats most of its provisions as reflective of customary international law. 16 The reference to planning is found in U.N. Charter, art. 46. 17 U.N. Charter, art. 51. 18 Vienna Convention, supra note 15, art. 32.
1 miCHAEl n. SCHmitt instrument a proposal to extend the reach of Article 2(4) to economic coercion was decisively defeated. 19 A quarter century later, the issue again arose during proceeding leading to the UN General Assemblyâs Declaration on Friendly Relations.20 The question of whether âforceâ included âall forms of pressure, including those of a political or economic character, which have the effect of threatening the territorial integrity or political independence of any Stateâ was answered in the negative.21 Whatever force is, then, it is not economic or political pressure. Therefore, a cyber operation that involves such coercion is defi - nitely not a prohibited use of force. Psychological cyber operations (assuming they are non-destructive) intended solely to undermine confidence in a government or economy illustrate such actions. Suggestions to limit âforceâ to âarmed force,â or even the force required to amount to an âarmed attack,â were likewise rejected during the proceedings.22 This seemed to indicate that âforceâ was not coterminous with âarmedâ force, thereby strengthening the significance of the absence of the term âarmedâ in Article 2(4). In the nicaragua case, the ICJ expressly characterized certain actions which were non-kinetic in nature as uses of force. [W]hile arming and training of the contras can certainly be said to involve the threat or use of force against Nicaragua, that is not necessarily so in respect of all assistance given by the United States Government. In particular, the Court considers that the mere supply of funds to the contras, while undoubtedly an act of intervention in the internal affairs of Nicaragua . . . does not itself amount to a use of force.23 The determination that a use of force can embrace acts, like arming or training guerillas, which fall short of armed force leaves open the possibility that non-physically destructive cyber operations may fall within the termâs ambit. The threshold for a use of force must therefore lie somewhere along the continuum between economic and political coercion on the one hand and acts which cause physical harm on the other. Unfortunately, unequivocal State practice in characterizing particular cyber attacks as (or not as) uses of force is lacking. In part this is because the Article 2(4) prohibition extends solely to acts of States, and very few States have definitively been identified as the initiator of a cyber operation which might amount to a use of force. Moreover, States may well hesitate to label a cyber operation as a use of force out of concern that doing so would escalate matters or otherwise destabilize the situation. Therefore, one can only speculate as to future State practice regarding the characterization of cyber operations. Over a decade ago, this author identified a number of factors that would likely influence assess - ments by States as to whether particular cyber operations amounted to a use of force. 24 They are based on a recognition that while States generally want to preserve their freedom of action (a motivation to keep the threshold high), they equally want to avoid any harmful consequences caused by the actions of others (a motivation to keep the threshold low). States will seek to balance these conflicting objectives through consideration of factors such as those set forth below. The approach has generally withstood the test of time. (1) Seerity: Consequences involving physical harm to individuals or property will alone amount to a use of force. Those generating only minor inconvenience or irritation will never do so. Between the extremes, the more consequences impinge on critical national interests, the more they will contribute 19 See Doc. 2, G/7(e)(4), 3 U.N.C.I.O. Docs. 251, 253-54 (1945). Economic coercion, which typically involves trade sanctions, must be distinguished from âblockade,â which has the effect of cutting off trade, but employs military force to do so. It has historically been accepted that imposition of a blockade is an âact of war.â 20 Declaration on Principles of International Law Concerning Friendly Relations and Cooperation Among States in Accordance with the Charter of the United Nations, G.A. Res. 2625 (XXV), U.N. Doc. A/8082 (1970). 21 U.N. GAOR Special Comm. on Friendly Relations, U.N. Doc. A/AC.125/SR.114 (1970); See also Report of the Special Commit- tee on Friendly Relations, U.N. Doc. A/7619 (1969). The draft declaration contained text tracking that of Charter Article 2(4). 22 Ibid. 23 Nicaragua, supra note 12, Â¶ 228. 24 Michael N. Schmitt, âComputer Network Attack and Use of Force in International Law: Thoughts on a Normative Frame - work,â 37 Columbia Journal of transnational law 885, 914-16 (1999).
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS to the depiction of a cyber operation as a use of force. In this regard, the scale, scope and duration of the consequences will have great bearing on the appraisal of their severity. Severity is self-evidently the most significant factor in the analysis. (2) immediacy: The sooner consequences manifest, the less opportunity States have to seek peace - ful accommodation of a dispute or to otherwise forestall their harmful effects. Therefore, States harbor a greater concern about immediate consequences than those which are delayed or build slowly over time. (3) directness: The greater the attenuation between the initial act and the resulting consequences, the less likely States will be to deem the actor responsible for violating the prohibition on the use of force. Whereas the immediacy factor focused on the temporal aspect of the consequences in question, directness examines the chain of causation. For instance, the eventual consequences of economic coer- cion (economic downturn) are determined by market forces, access to markets, and so forth. The causal connection between the initial acts and their effects tends to be indirect. In armed actions, by contrast, cause and effect are closely relatedâan explosion, for example, directly harms people or objects. (4) inasieness: The more secure a targeted system, the greater the concern as to its penetration. By way of illustration, economic coercion may involve no intrusion at all (trade with the target state is simply cut off), whereas in combat the forces of one State cross into another in violation of its sover- eignty. The former is undeniably not a use of force, whereas the latter always qualifies as such (absent legal justification, such as evacuation of nationals abroad during times of unrest). In the cyber context, this factor must be cautiously applied. In particular, cyber exploitation is a pervasive tool of modern espionage. Although highly invasive, espionage does not constitute a use of force (or armed attack) under international law absent a nonconsensual physical penetration of the target-Stateâs territory, as in the case of a warship or military aircraft which collects intelligence from within its territorial sea or airspace. Thus, actions such as disabling cyber security mechanisms to monitor keystrokes would, despite their invasiveness, be unlikely to be seen as a use of force. (5) measurability: The more quantifiable and identifiable a set of consequences, the more a Stateâs interest will be deemed to have been affected. On the one hand, international law does not view economic coercion as a use of force even though it may cause significant suffering. On the other, a military attack which causes only a limited degree of destruction clearly qualifies. It is difficult to identify or quantify the harm caused by the former (e.g., economic opportunity costs), while doing so is straightforward in the latter (x deaths, y buildings destroyed, etc). (6) Presumptie legitimacy: At the risk of oversimplification, international law is generally prohibi - tory in nature. In other words, acts which are not forbidden are permitted; absent an express prohibition, an act is presumptively legitimate.25 For instance, it is well accepted that the international law governing the use of force does not prohibit propaganda, psychological warfare or espionage. To the extent such activities are conducted through cyber operations, they are presumptively legitimate. (7) Responsibility: The law of State responsibility (discussed below) governs when a State will be responsible for cyber operations. But it must be understood that responsibility lies along a continuum from operations conducted by a State itself to those in which it is merely involved in some fashion. The closer the nexus between a State and the operations, the more likely other States will be to characterize them as uses of force, for the greater the risk posed to international stability. The case of the Estonian cyber attacks can be used to illustrate application of the approach. Although they caused no deaths, injury or physical damage, the attacks fundamentally affected the operation of the entire Estonian society. Government functions and services were severely disrupted, 25 I n the Case of the S.S. âlotus,â the Permanent Court of International Justice famously asserted that â[t]he rules of law bind - ing upon States . . . emanate from their own free will as expressed in conventions or by usages generally accepted as expressing principles of law and established in order to regulate the relations between these co-existing independent communities or with a view to the achievement of common aims.â S.S. âLotusâ (Fr. v. Turk.), 1927 P.C.I.J. (ser. A) No. 10, at 14 (Sept. 7).
1 miCHAEl n. SCHmitt the economy was thrown into turmoil, and daily life for the Estonian people was negatively affected. The consequences far exceeded mere inconvenience or irritation. The effects were immediate and, in the case of confidence in government and economic activity, wide-spread and long-term. They were also direct, as with the inability to access funds and interference with the distribution of government benefits. Since some of the targeted systems were designed to be secure, the operations were highly invasive. While the consequences were severe, they were difficult to quantify, since most involved denial of service, rather than destruction of data. Although political and economic actions are pre - sumptively legitimate in use of force terms, these operations constituted more than merely pressuring the target State. Instead, they involved intentionally frustrating governmental and economic functions. Taken together as a single âcyber operation,â the incident arguably reached the use of force threshold. Had Russia been responsible for them under international law, it is likely that the international com - munity would (or should have) have treated them as a use of force in violation of the UN Charter and customary international law. The criteria are admittedly imprecise, thereby permitting States significant latitude in characterizing a cyber operation as a use of force, or not. In light of the increasing frequency and severity of cyber operations, a tendency towards resolving grey areas in favor of finding a use of force can be expected to emerge. This State practice will over time clarify the norm and its attendant threshold. Applicability of the Prohibition By its own express terms, Article 2(4) applies solely to members of the United Nations. As discussed, the prohibition extends to non-Members by virtue of customary law. That is the limit of applicability. Non-State actors, including individuals, organized groups and terrorist organizations, cannot violate the norm absent a clear relationship with a State. Their actions may be unlawful under international and domestic law, but not as a violation of the prohibition on the use of force. Thus, in the Estonian case, and barring any evidence of Russian government involvement, none of those individuals or groups conducting the operations violated the Article 2(4) prohibition. But when can the conduct of individuals or groups be attributed to a State, such that the State is legally responsible for their actions? The law of State responsibility governs such situations.26 Obviously, States are legally responsible for the conduct of their governmental organs or entities. 27 This principle extends to unauthorized acts.28 Accordingly, any cyber operation rising to the level of an unlawful use of force will entail responsibility on the part of the State when launched by its agents, even when they are acting ultra ires. The fact that a State did not itself conduct the cyber operations at hand does not mean that it escapes responsibility altogether. States are also responsible for âthe conduct of a person or group of persons . . . if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.â29 The ICJ addressed the degree of control necessary for attribution in the nicaragua case. There the Court considered attribution of the acts of the Nicaraguan Contras (a rebel group supported by the United States) to the United States, such that the United States would be responsible for breaches of IHL committed by the group. While finding the United States responsible for its own âplanning, direction and supportâ of the Contras,30 the Court limited responsibil- ity for the Contra actions to those in which the United States exercised â effectie control of the military or 26 This law is set forth, in non-binding form, in the International Law Commissionâs Draft Articles on Responsibility of States for Internationally Wrongful Acts, in Report of the International Law Commission on the Work of Its Fifty-third Session, UN Doc. A/56/10 (2001). 27 Draft Articles on State Responsibility, supra, art. 4. 28 Ibid., art. 7. 29 Ibid., art. 8. 30 Nicaragua, supra note 12, Â¶ 86.
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS paramilitary operations in the course of which the alleged violations were committed.â 31 Mere support for their activities did not suffice. The Appeals Chamber of the International Criminal Tribunal for the Former Yugoslavia (ICTY) took a different tack in the tadic case, where it held that the authority of the government of the Federal Republic of Yugoslavia over the Bosnia Serb armed groups ârequired by international law for consid - ering the armed conflict to be international was oerall control going beyond the mere financing and equipping of such forces and involving also participation in the planning and supervision of military operations.â32 It is essential to note that although the Tribunal expressly rejected the higher nicaragua threshold of effective control, the technical legal issue was not State responsibility, but rather the nature of the armed conflict. Thus, while tadic brings nicaragua into question by proffering a lower threshold, it does not necessarily supplant the effective control test. It remains unclear whether effective control, overall control or some other test governs in international law, although the ICJ has twice reaffirmed its version.33 In the cyber context, then, States will be responsible for violating the prohibition on the use of force to the extent they either direct private individuals or groups to conduct the operations or are heavily involved in them. Determinations will be made on a case-by-case basis looking to the extent and nature of involvement by the State with the group and in the particular operations. Even if conduct is not attributable to a State as under its control, it will nevertheless âbe considered an act of that State . . . if and to the extent that the State acknowledges and adopts the conduct in ques - tion as its own.â34 The ICJ addressed this situation in the Hostage case, which involved seizure of the United States Embassy by Iranian militants in 1979. The Iranian government was uninvolved in the initial seizure, but later passed a decree which accepted and maintained the occupation of the embassy. According to the Court, â[t]he approval given to [the occupation of the Embassy] by the Ayatollah Kho - meini and other organs of the Iranian State, and the decision to perpetuate them, translated continuing occupation of the Embassy and detention of the hostages into acts of that State.â 35 It should be cautioned that mere expressions of approval do not suffice for attribution; rather, the State must somehow subsequently embrace the actions as its own, for instance, by tangibly supporting their continuance, failing to take actions to suppress them, or otherwise adopting them. Adoption may either be express, as in the Hostages case, or implied, as when a State engages in conduct that undeniably constitutes adoption. In the Estonian case, had Russia publically encouraged further attacks, it would have borne responsibility not only for the subsequent attacks, but also those in the initial wave. A State may also be held responsible for the effects of unlawful acts of private individuals or groups on its territory when it fails to take reasonably available measures to stop such acts in breach of its obli - gations to other States. In this situation, its violation is of the duty owed to other states, but its respon - sibility extends to the effects of the act itself. Applying this standard in the Hostages case, the ICJ found that the Iranian government failed to take required steps to prevent the seizure of the U.S. Embassy or regain control over it, in breach of its obligation to safeguard diplomatic premises.36 The key to such responsibility lies in the existence of a separate legal duty to forestall the act in question, and an ability to comply with said duty. The ICJ articulated this principle in its very first case, Corfu Channel, where it held that every State has an âobligation to not allow knowingly its territory to be used for acts contrary to the rights of other States.â37 Of the many obligations States owe each other, ensuring their territory 31 Ibid., Â¶ 115. See also discussion in Â¶ 109. 32 Prosecutor v. Tadic, Case No. IT-94-1-A, Appeals Chamber Judgment, Â¶ 145 (July 15, 1999). 33Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), 2005 ICJ General List No. 116, at 53 (Dec. 19) ; Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Mont.), at 391-392 (Judgment of Feb. 26, 2007). 34 Draft Articles on State Responsibility, supra note 26, art. 11. 35 United States Diplomatic and Consular Staff in Teheran, 1980 ICJ Rep. 3, Â¶ 74 (May 24). 36 Ibid., arts. 76-78. 37 Corfu Channel Case (Merits), 1949 ICJ Rep. 4, 22.
1 miCHAEl n. SCHmitt is not a launching pad for the use of force or armed attacks (see discussion below) against other States certainly ranks among the most important. The fact that a use of force consists of cyber operations rather than traditional armed force would not diminish the responsibility of the State involved. Finally, consider a situation in which the effects of a cyber operation extend to other than the tar- geted State. This is an especially relevant scenario in the cyber context, for networking and other forms of interconnectivity mean that a cyber use of force by State A against State B may have consequences in State C that would rise to the level of a use of force if directed against C. The causation of such effects would not amount to a violation of Article 2(4) vis-Ã -vis C. Article 2(4)âs requirement that Members ârefrain in their international relationsâ from the use of force implies an element of purposely engaging in some action in respect of another specified State. Inadvertent effects caused in a State other than the target States do not constitute a form of âinternational relations.â However, even if the State did not intend such effects, it is clear that it bears responsibility for them. As noted in the Draft Articles of State Responsibility, â[t]here is an internationally wrongful act of a State when conduct consisting of an action or omission: (a) is attributable to the State under international law; and (2) constitutes a breach of an international obligation of the State.â 38 In the envisaged case, since State A conducted the cyber operation, the action is directly attributable to it. Further, the wrongful use of force against B would constitute a breach of Aâs international obligation to refrain from the use of force. That the intended âvictimâ was B matters not. The criterion has been met once the breach of an international obligation has occurred. This is so even if the effects in C were unintended. As noted in the International Law Commissionâs Commentary to the relevant article: A related question is whether fault constitutes a necessary element of the internationally wrongful act of a State. This is certainly not the case if by âfaultâ one understands the existence, for example, of an intention to harm. In the absence of any specific requirement of a mental element in terms of the primary obligation, it is only the act of a State that matters, independently of any intention. 39 Remedies for violation In the event of State responsibility for an unlawful act, the victim-State is entitled to reparation, which can take the form of restitution, compensation, or satisfaction.40 With regard to cyber operations amounting to a use of force, compensation could be claimed for any reasonably foreseeable physical or financial losses. A State may also take any responsive actions that neither amount to a use of force nor breach an existing treaty or customary law obligation. As an example, a State may chose to block incoming cyber transmissions emanating from the State that has used force against it. Additionally, the victim-State may take âcountermeasuresâ in response to a use of force. 41 Coun- termeasures are âmeasures which would otherwise be contrary to the international obligations of the injured State is-Ã -is the responsible State if they were not taken by the former in response to an internationally wrongful act by the latter in order to procure cessation and reparation.â 42 They are dis- tinguished from retorsion, which is the taking of unfriendly but lawful actions, such as the expulsion of diplomats. The wrong in question has to be ongoing at the time of the countermeasures, since their purpose is not to punish or provide retribution, but instead to compel the other Party to desist in its unlawful activi- 38 Draft Articles of State Responsibility, supra note 26, art. 2. 39 James Crawford, the international law Commissionâs Articles on State Responsibility: introduction, text and Commentaries 84 (Cambridge UP 2002). 40 Draft Articles on State Responsibility, supra note 26, arts. 34-37. Restitution is reestablishing âthe situation which existed before the wrongful act was committedâ (art. 35); compensation is covering any financially assessable damage not made good by restitu - tion (art. 36); satisfaction is âan acknowledgement of the breach, an expression of regret, a formal apology or another appropriate modalityâ that responds to shortfalls in restitution and compensation when making good the injury caused (art. 37). 41Ibid., art. 49.1. See also Nicaragua, supra 12, Â¶ 249; Gabcikovo-Nagymaros Project (Hung. V. Slovk.) 1997 ICJ 7, 55-56 (Sep. 25). 42 Report of the International Law Commission, supra note 26, at 128.
10 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS ties.43 Countermeasures must be proportionate to the injury suffered,44 and the victim-State is required to have called on the State committing the wrong to refrain from the conduct (and make reparations if necessary), or, in the case of acts emanating from its territory, take measures to stop them. 45 Unlike collective self-defense (discussed below), countermeasures may only be taken by the State suffering the wrong.46 Countermeasures involving cyber operations would be particularly appropriate as a response to a cyber use of force, although the strict limitations placed on countermeasures weaken their viability in situations demanding an immediate reaction. On the other hand, it would be improper to respond with a cyber operation that rose to the level of a use of force, for â[c]ountermeasures shall not affect . . . the obligation to refrain from the threat or use of force as embodied in the Charter of the United Nations.â47 Responses amounting to a use of force are only permissible when falling within the two recognized exceptions to the prohibition on the use of forceâaction authorized by the Security Council and self-defense. Although the limitation of countermeasures to non-forceful measures is widely accepted, in a separate opinion to the ICJâs oil Platforms judgment, Judge Simma argued for what might be labeled âself-defense liteâ in the face of an âunlawful use of force âshort ofâ an armed attack within the mean - ing of Article 51.â48 For Judge Simma, such âdefensive military action âshort ofâ full scale self-defenceâ is of a âmore limited range and quality of responseâ than that which is lawful in response to an armed attack in the self-defense context. The key difference with classic self-defense is that Judge Simma would exclude collective actions.49 Reduced to basics, he is arguing for normative acceptance of force- ful countermeasures. The core problem with the approach is that it posits a tiered forceful response scheme. However, because the intensity of a defensive response is already governed, as will be discussed below, by the principle of proportionality, all that is really occurring is a relaxation of the threshold for engaging in forceful defensive actions. Such an approach is counter-textual, for the combined effect of Article 2(4) and 51 of the UN Charter is to rule out forcible responses by States against actions other than âarmed attacks.â Nevertheless, acceptance of such an approach by States would be significant in the cyber con - text because by it cyber operations which themselves would be a use of force under Article 2(4) may be launched in reaction to a cyber use of force that did not rise to the level of an armed attack under Article 51. AuTHORIzATION by THE SECuRITy COuNCIL Pursuant to Article 39 of the UN Charter, the Security Council is empowered to determine that a particular situation amounts to a âthreat to the peace, breach of the peace or act of aggression.â When it does, the Council âshall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security.â Articles 41 and 42 set forth, respectively, non-forceful and forceful options for responding to such situations. The scope of the phrase âthreat to the peace, breach of the peace or act of aggressionâ has been the subject of much attention in international law. Breach of the peace would seemingly require the outbreak of violence; cyber operations harming individuals or property would reasonably qualify, but whether those falling short of this level would do so is uncertain. As to aggression, in 1974 the General Assem - bly adopted a resolution in which it characterized aggression as ranging from the âuse of armed forceâ 43 Draft Articles on State Responsibility, supra note 26, art. 52.3(a). 44 Ibid., art. 51. 45 Ibid., art. 52.1. 46 Nicaragua, supra note 12, Â¶Â¶ 211 & 252. 47 Draft Articles on State Responsibility, supra note 26, art. 50.1(a). 48 Oil Platforms (Iran v. US), 2003 ICJ Rep. 161, Separate Opinion of Judge Simma, Â¶ 12. 49 Ibid., Â¶ 12-13.
11 miCHAEl n. SCHmitt and blockade to allowing oneâs territory to be used by another state to commit an act of aggression and sending armed bands against another State.50 A cyber operation causing significant physical harm in another state would certainly rise to this level; whether others would is unclear. This ambiguity is essentially irrelevant in light of the âthreat to the peaceâ criterion. Little guidance exists on those acts which qualify, although they must be conceptually distinguished from activities constituting threats of the use of force in contravention of Article 2(4). In tadic the ICTY opined that a threat to the peace should be assessed with regard to the Purposes of the United Nations delineated in Article 1 and the Principles set forth in Article 2.51 This is a singularly unhelpful proposition, since said purposes and principles include such intangibles as developing friendly relations and solving social problems. In fact, a finding that a situation is a âthreat to the peaceâ is a political decision, not a legal one. It signals the Security Councilâs willingness to involve itself in a particular matter. There are no territorial limits on situations which may constitute threats to the peace, although they logically tend to be viewed as those which transcend borders, or risk doing so. Nor is there a limitation to acts conducted by or at the behest of States; for instance, the Council has repeatedly found transnational terrorism to be a threat to the peace.52 No violence or other harmful act need have occurred before the Council may make a threat to the peace determination. Most importantly, since there is no mechanism for reviewing threat to the peace determinations, the Councilâs authority in this regard is unfettered. Simply put, a threat to the peace is whatever the Council deems it to be. This being so, the Council may label any cyber operation a threat to the peace (or breach of peace or act of aggression), no matter how insignificant. Once it does, the Security Council may, under Article 41, authorize measures ânot involving the use of armed forceâ necessary to maintain or restore international peace and security. Article 41 offers a number of examples, including âcomplete or partial interruption of economic relations and of rail, sea, air, postal, telegraphic, radio or other means of communication.â Interruption of cyber communications would necessarily be included. An interruption could be broad in scope, as in blocking cyber traffic to or from a country, or surgical, as in denying a particular group access to the internet. Any other cyber operations judged necessary would likewise be permissible. Given the qualifier âarmed force,â opera - tions resulting in physical harm to persons or objects could not be authorized pursuant to Article 41. Should the Council determine that Article 41 measures are proving ineffective, or if before autho - rizing them it decides that such measures would be fruitless, it may, pursuant to Article 42, âtake such action by air, sea, or land forces as may be necessary to maintain or restore international peace and security.â The reference to operations by âair, sea, or land forcesâ plainly contemplates forceful military action, although a Security Council resolution authorizing the use of force will typically be framed in terms of taking âall necessary measures.â To the extent that military force can be authorized, it is self- evident that cyber operations may be as well. It would be lawful to launch them alone or as an aspect of a broader traditional military operation. The sole limiting factors would be the requirement to comply with other norms of international law, such as the IHL prohibition on attacking the civilian population, 53 and the requirement to restrict operations to those within the scope of the particular authorization or mandate issued by the Council. Article 42 actions are not limited territorially or with regard to subject of the sanctions. For example, it would undoubtedly be within the power of the Council to authorize cyber attacks against transnational terrorist groups (e.g., in order to disrupt logistics or command and 50 G.A. Res. 3314 (XXIX), annex, art. 3 (Dec. 14, 1974) (âDefinition of Aggressionâ). 51 Prosecutor v. Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, Â¶ 29 (Oct. 2, 1995). 52 See, e.g., S.C. Res. 1377 (Nov. 12, 2001); S.C. Res. 1438 (Oct. 14, 2002); S.C. Res. 1440 (Oct. 24, 2002); S.C. Res. 1450 (Dec. 13, 2002); S.C. Res. 1465 (Feb. 13, 2003); S.C. Res. 1516 (Nov. 20, 2003); S.C. Res. 1530 (Mar. 11, 2004); S.C. Res. 1611 (July 7, 2005); S.C. Res. 1618 (Aug. 4, 2005). 53 Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts arts. 48, 51 & 52, June 8, 1977, 1125 U.N.T.S. 3 [hereinafter AP I].
12 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS control). It is important to emphasize that the measures only extend to restoring peace if breached, or maintaining it when threatened. No authority exists for taking punitive measures. Pursuant to Article 25 of the Charter, UN members âagree to accept and carry out the decisions of the Security Council in accordance with the present Charter.â This obligation applies even in the face of conflicting domestic or international legal obligations.54 Consequently, if the Council ordered restric- tions, for example, on cyber communications, individual States would be obligated to abide by them and ensure, to the extent feasible, their enforcement on their territory. How they do so is not the concern of the Council, so long as its decision is respected. Since the United Nations does not itself control cyber networks or have the capability to mount cyber operations, it would have to rely on States to effectuate any cyber related resolutions. Originally, it was envisioned that the Security Council would have dedicated forces at its disposal to conduct Article 42 operations pursuant to âspecial arrangementsâ with contributing countries. 55 Such arrangements have never been executed. The Council has instead relied upon authorizations granted to individual States, ad hoc coalitions of States, security organizations such as NATO or UN forces consisting of troop con - tributions from its members. State practice has established that no obligation exists for States to provide military forces or finance specific operations that have been authorized. Therefore, if the Council were to endorse specific defensive or offensive cyber operations under Article 42, it would be wholly dependent on the willingness of States to provide the necessary cyber assets and forces to execute them. Finally, it must be recalled that the entire UN collective security system depends on the readiness of the five Permanent Members of the Security Council (P5) to allow for action by refraining from exercise of their veto right.56 In light of Russia and Chinaâs presence on the Council (cyber operations regularly emanate from their territory), this limitation may well prove the greatest obstacle to effective UN action in the face of those cyber operations which would in some fashion endanger international stability. SELF-DEFENSE The second recognized exception to the prohibition on the use of force is the right of States to take forceful actions to defend themselves. This customary international law right is codified in Article 51 of the UN Charter. In relevant part, it provides that â[n]othing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security.â The article is the conditio sine qua non of the Charter, for although Articles 41 and 42 provide Member States some degree of protection from attack, their provisions rely upon implemen - tation by the Security Council. Article 51 represents an essential safeguard in the event the collective security mechanism fails (or proves insufficiently timely), for it provides a means of defense requiring no Security Council approval. In practice, the right of self-defense has proven the principal means by which States ensure their security. The right of self-defense bears solely on the remedies available to the victim of an armed attack, since all such attacks are âuses of forceâ in the context of Article 2(4) and customary law, with their legal - ity determined by reference to those norms. By contrast, the issue in self-defense is the lawfulness of a forceful defensive response (including its nature, intensity, duration and scope) that would otherwise constitute an unlawful use of force by a State. This being so, it has no bearing on passive cyber defenses, which merely block attacks; all such defenses are lawful. It is only in the case of active defenses, whether kinetic or cyber in nature, that the law of self-defense comes into play by directly imposing physical costs on the group or State launching an attack.57 54 U.N. Charter, art. 103. 55 Ibid., art. 43. 56 Ibid., art. 27.3. 57 Note that one of the recommendations of the experts in NATO 2020 was that âNATO should plan to mount a fully adequate array of cyber defence capabilities, including passive and active elements.â NATO 2020, supra note 7, at 45.
1 miCHAEl n. SCHmitt Further, States alone enjoy the right of self-defense. Private entities, such as a corporation that has been subjected to a hostile cyber attack, cannot respond pursuant to the law of self-defense regardless of its severity. Their responses would be governed by domestic and international criminal law norms. However, cyber attacks against a Stateâs nationals may qualify as an armed attack on the State itself; there is no requirement in international law that State property or organizations be targeted. In such a case, the State may respond forcefully in self-defense should it choose to do so. Armed Attack The key text in Article 51, and the foundational concept of the customary law right of self-defense, is âarmed attack.â But for an armed attack, States enjoy no right to respond forcefully to a cyber opera - tion directed against them, even if that operation amounts to an unlawful use of force. This dichotomy was intentional, for it comports with the general presumption permeating the Charter scheme against the use of force, especially unilateral action. In the nicaragua case, the ICJ acknowledged the existence of this gap between the notions of use of force and armed attack when it recognized that there are âmeasures which do not constitute an armed attack but may nevertheless involve a use of forceâ and distinguished âthe most grave forms of the use of force from other less grave forms.â 58 Recall that the Court specifically excluded the supply of weapons and logistical support to rebels from the ambit of armed attack, but noted that such actions might constitute uses of force. 59 Simply put, all armed attacks are uses of force, but not all uses of force qualify as armed attacks. As a result of the gap, the remedies for a use of force not meeting the threshold of armed attack are limited to lawful non-forceful actions, countermeasures or recourse to the Security Council. What this means in practical terms is that, absent Security Council authorization, a State subjected to a use of force may not respond in kind unless the use of force rises to the level of an armed attack. In light of the difficulties of identifying the source of a cyber operation, this cautious two-tiered system is especially appropriate in the cyber context. It is important to emphasize, however, that once it is established that an armed attack has occurred, no authorization from the Security Council is necessary before defensive actions, including those involving destructive cyber operations, may be mounted. Consistent with the âuse of forceâ prohibition, the Charter drafters elected an instrument-based approach to articulating the right of self-defense. And as with that norm, the intent was to preclude certain consequences (in this case, a premature forceful reaction by a State threatened with harm that would itself threaten community stability), while nevertheless allowing States to react forcefully when the consequences justified as much. But, again, the possibility of devastating consequences caused by a non-kinetic cyber attack was obviously not considered during the drafting process. Had it been, the drafters would surely have allowed for defense in the face of the severe consequences that can be caused by such attacks. There is a problem in extending the notion of armed attack to address cyber attacks operations of this magnitude. The facts that the use of force language in Article 2(4) is not qualified by the term âarmedâ and that the phrase âuse of forceâ has been authoritatively interpreted as not necessarily implying a kinetic action allow for interpretive leeway, and the resulting application of the seven factors set forth above. By contrast, the phrase âarmed attackâ tolerates little interpretive latitude. Clearly, an armed attack includes kinetic military force. Applying the consequence-based approach, armed attack must also be understood in terms of the effects typically associated with the term âarmed.â The essence of an âarmedâ operation is the causation, or risk thereof, of death of or injury to persons or damage to or destruction of property and other tangible objects. Therefore, while an âarmed attackâ need not be carried out through the instrument of classic military force, its consequences (or likely conse - quences but for successful defensive action) must be analogous to those resulting from its employment. 58 Nicaragua, supra note 12, Â¶Â¶ 191 & 210. See also Oil Platforms, supra note 48, at Â¶ 51. 59 Nicaragua, supra note 12, Â¶ 195.
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS A cyber operation that does not risk these results may qualify as an unlawful use of force, but will not comprise an armed attack permitting forceful defensive action. In light of the grave consequences that cyber operations can cause without physically harming per- sons or objects, this interpretation may seem wholly unsatisfactory. Nevertheless, it is the extant law. It must be acknowledged that States victimized by massive cyber attacks, similar to or more aggravated than those suffered by Estonia, may choose to treat them as justifying a forceful response. If State practice along these lines became widespread and well-accepted, the Article 51 norm would shift accordingly through the natural process by which existing international law remains current. For the moment, that has not occurred. Cyber operations that accompany military action otherwise constituting an armed attack have no bearing on the nature of the attack. For instance, cyber attacks would likely be conducted against enemy command and control or air defense systems as an element of a broader military operation. They can be responded to forcefully, regardless of whether they independently qualify as an armed attack, because they are a component of the overall military action. Similarly, cyber operations that are part of a lawful military response to an armed attack are obviously permissible so long as they comply with IHL, such as the prohibition on attacking civilians or civilian objects.60 On the other hand, cyber operations need not accompany classic military operations. A cyber attack standing alone will comprise an armed attack when the consequence threshold is reached. Equally, States subjected to an armed attack may elect to respond solely with cyber operations. In the nicaragua case, the ICJ noted that not all attacks qualify as âarmed attacks,â citing the case of âa mere frontier incident.â61 According to the Court, an armed attack must exhibit certain âscale and effects.â Unfortunately, the Court failed to prescribe criteria by which to resolve whether an attack meets the armed attack threshold. Not only has this proposition been fairly criticized, but in the oil Platforms case the Court itself admitted that the mining of even a single ship could amount to an armed attack giving rise to the right of self-defense.62 Consequently, by contemporary international law, qualitative indicators of attack (death, injury, damage or destruction) are more reliable in identifying those actions likely to be characterized as an armed attack than quantitative ones (number of deaths or extent of destruction). So long as a cyber operation is likely to result in the requisite consequences, it is an armed attack. With regard to cyber operations, it must be cautioned that the mere destruction or damage (altera - tion) of data would not suffice. Were it to, the armed attack threshold would be so reduced that the vast majority of cyber operations would qualify as armed attacks. Rather, to comport with the accepted understanding of âarmed attack,â the destruction of or damage to the data would have to result in physical consequences, as in causing a generator to overheat and catch fire or rendering a train or subway uncontrollable such that it crashed. Destruction of data designed to be immediately convert - ible into tangible objects, like banking data, could also be reasonably encompassed within the scope of âarmed attacks.â But the destruction of or damage to data, standing alone, would not rise to the level of an armed attack. It is sometimes argued that a cyber operation directed against a nationâs military capability neces - sarily constitutes an armed attack. If the attack is physically destructive, there is no question that this is so. But the mere fact that cyber operations âcompromise the ability of units of the DOD to perform DODâs missionâ does not alone suffice.63 Only when non-destructive cyber operations indicate that an attack is imminent (âpreparing the battlefieldâ) or represent the first step in an attack that is underway (as in bringing down an air defense radar network to facilitate penetration of enemy airspace) are force - 60AP I, supra note 53, arts. 48, 51 & 52. 61 Nicaragua, supra note 12, Â¶ 195. 62 Oil Platforms, supra note 48, Â¶ 72. See also, Yoram Dinstein, war, Aggression and Self-defence 194-196 (Cambridge UP, 4th. ed. 2005); William Taft, âSelf-defense and the Oil Platforms Decision,â 29 Yale Journal of international law 295, 300 (2004). 63 National Research Council, technology, Policy, law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 245 (William Owens, Kenneth Dam & Herbert Lin eds., National Academies Press, 2009).
1 miCHAEl n. SCHmitt ful actions in self-defense permissible. Obviously, it may be difficult to determine whether a particular cyber operation against military assets is either an indication or a component of attack; yet, that is a practical problem which does not affect the norm itself. As with the challenge of identifying an attacker or determining when attack is imminent (discussed below), the legal issue is whether the defenderâs conclusion is reasonable in the circumstances. Finally, a cyber use of force by State A against State B may generate âbleed overâ effects in State C. This situation does not, as noted earlier, constitute a use of force against C, although A would neverthe - less be responsible for the consequences caused. However, if the effects in C rise to the level of those qualifying as an armed attack, C may respond in self-defense against A, even though C was not the intended target of the attack.64 The distinction arises from the fact that while the use of force prohibition solely pertains to the issue of whether there has been a particular violation of international law, the law of self-defense addresses whether a victim-State enjoys the right to employ force to protect itself. It would be incongruous to sug - gest that a State was barred from acting defensively when subjected to such effects. From its perspective (the correct vantage point in interpreting the law of self-defense), what matters is deterring or stopping the harmful actions; the intention of the actor is but a secondary consideration. Of course, the defensive actions must meet the criteria of self-defense set forth below, in particular the requirement that a forceful response be ânecessary.â Since C was not the intended target of the attack, it may suffice to simply notify A that it is suffering effects from the attack on B and demand that A takes steps to arrest them. Anticipatory Self-Defense Textually, Article 51 addresses only those situations where an armed attack is underway. Never- theless, it is well-accepted that a State need not sit idly by as the enemy prepares to attack; instead, a State may defend itself once attack is âimminent.â65 The generally accepted standard of imminency was articulated in the 19th century by Secretary of State Daniel Webster following the famous Caroline incident. In correspondence with his British counterpart regarding an incursion into U.S. territory to attack Canadian rebels during the Mackenzie Rebellion, Webster opined that the right of self-defense applied only when âthe necessity of that self-defense is instant, overwhelming, and leaving no moment for deliberation.â66 Although the incident actually had nothing to do with actions taken in anticipation of attack (the attacks in question were ongoing), Websterâs formulation has survived as the classic expres - sion of the temporal threshold for anticipatory defensive actions;67 indeed, the Nuremberg Tribunal cited the Caroline case with approval.68 Following the events of September 11th, 2001, the United States suggested that a new self-defense paradigm was needed. As President Bush noted in his 2002 National Security Strategy, 64As the right of self-defense extends to armed attacks by non-State actors, an identical conclusion would apply to actions they undertake against one State having effects in another. 65Acceptance of the standard is not universal. For instance, Professor Yoram Dinstein argues against its existence, suggesting instead that such actions are better seen as âinterceptive self-defense.â He notes that âan interceptive strike counters an armed attack which is in progress, even if it is still incipient: the blow is âimminentâ and practically âunavoidable.â â Dinstein, supra note 62, at 191. It might also be noted that whereas the notion of âarmed attackâ was interpreted with fidelity to the Charter text, this article accepts an interpretation of self-defense which runs contrary to the precise text of the UN Charter. The apparent incon - sistency can be justified in a number of ways. Note that Article 51 refers to the âinherentâ right of self-defense, which has been interpreted as either pre-existing (and thereby maintained in the Charter) or as inherent in the illogic of requiring States to suffer a potentially devastating strike before acting in self-defense. Additionally, Article 2 of the Definition of Aggression Resolution provides that the first use of force is merely prima facie evidence of an act of aggression. Definition of Aggression, supra note 50, art. 2. As such, it contemplates the possibility of a first use which does not qualify as an armed attack and which, therefore, can only be justified in terms of anticipatory self-defense. 66 Letter from Daniel Webster to Lord Ashburton (Aug. 6, 1842), reprinted in 2 John Moore, Digest of International Law 411-12 (1906). 67 See, e.g., Thomas M. Franck, Recourse to Force: State Action against threats and Armed Attacks 97 (2002). 68 International Military Tribunal (Nuremberg), Judgment and Sentences, 41 AJIL 172, 205 (1947).
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS For centuries, international law recognized that nations need not suffer an attack before they can lawfully take action to defend themselves against forces that present an imminent danger of attack. Legal scholars and international jurists often conditioned the legitimacy of pre-emption on the existence of an imminent threat-most often a visible mobilization of armies, navies, and air forces preparing to attack. We must adapt the concept of imminent threat to the capabilities and objectives of todayâs adversaries. Rogue states and terrorists do not seek to attack us using conventional means. They know such attacks would fail. Instead, they rely on acts of terror and, potentially, the use of weapons of mass destruction-weapons that can be easily concealed, delivered covertly, and used without warning . . . 69 His conclusion was that the âgreater the threat, the greater is the risk of inactionâand the more compel - ling the case for taking anticipatory action to defend ourselves, even if uncertainty remains as to the time and place of the enemyâs attack.â70 The United States has maintained this approach to the present. 71 Despite being characterized by some as revolutionary, even unlawful, the pre-emption doctrine represented a reasonable accommodation to the changed circumstances cited by the President. Indeed, it is arguable that the approach represented a de minimus departure from existing law. The underlying premise of anticipatory self-defense is that to effectively defend themselves, States must sometimes act before an aggressive blow falls. Traditionally, a standard requiring temporal proximity to the armed attack had been employed to assess the need. The underlying intent of the standard was to allow as much opportunity as possible for non-forceful measures to work in alleviating the crisis. Yet, as correctly noted in the National Security Strategy, the modus operandi of terrorists is to strike without warning, thereby denuding the opportunity the victim-State has to anticipatorily defend itself. In such circumstances, the most reasonable accommodation of the law of self-defense to both the changed threat and to international lawâs rebuttable presumption against the legality of using force lies in restricting the victim-State from acting forcefully in self-defense until the point at which its window of opportunity to mount a effective defense is about to close. The imminency criterion should therefore not be measured by reference to the moment of armed attack, but rather with regard to the point at which a State must act defensively, lest it be too late.72 The âlast feasible window of opportunityâ standard must not be interpreted as permitting preentie strikes, that is, those against a prospective attacker who lacks either the means to carry out an attack or the intent to do so. The fact that an overtly hostile State is capable of launching cyber attacksâeven devastating onesâdoes not alone entitle a potential victim to act defensively with force. Such hostility must mature into an actual decision to attack. The decision may be evidenced by, for example, prepara - tory cyber operations amounting to a demonstration of âhostile intent.â 73 Moreover, the circumstances must be such that the pending attack has to be responded to immediately if the victim-State is to have any reasonable hope of fending it off. Consider a Stateâs introduction of cyber vulnerabilities into another Stateâs critical infrastructure. Such an action might amount to a use of force, but the victim-State may not react forcefully until it reasonably concludes that (1) its opponent has decided to actually exploit those vulnerabilities; (2) the strike is likely to generate consequences at the armed attack level; and (3) it must act immediately to defend itself. Until arriving at these conclusions, the victim-Stateâs response would be limited to non-forceful measures, including countermeasures, and referral of the matter to the Security Council. 69 The White House, the national Security Strategy of the United States of America 15 (Sept. 2002). 70 Ibid. 71 See,e.g., The White House, the national Security Strategy of the United States of America 18 (March 2006). The Obama National Security Strategy does not expressly adopt the doctrine of pre-emption, but nor is it rejected. It specifically reserves the right to act unilaterally. 2010 National Security Strategy, supra note 6, at 22. 72 For a fuller discussion, see Michael N. Schmitt, Responding to transnational terrorism under the Jus ad Bellum: A normatie Framework, 56 Naval law Review 1, 16-19 (2008). 73 The U.S. Standing Rules of Engagement define hostile intent as âthe threat of imminent use of force against the United States, the U.S. forces, or other designated persons or property. It also includes the threat of force to preclude or impede the mission and/or duties of U.S. forces, including the recovery of U.S. personnel or vital USG property.â CJCSI 3121.01B, June 13, 2005, at A-4.
1 miCHAEl n. SCHmitt Although, transnational terrorism represents the obvious justification for the approach, cyber operations present many of the same challenges to application of the traditional temporal criterion. Like terrorism, cyber operations are typically launched without any warning that attack is imminent. The time between launch of an operation and impact is measured in seconds at most, thereby often depriving the victim of an opportunity to foil the initial attack as it is unfolding; viable defenses could resultantly be limited to passive measures, such as firewalls and antivirus software. Moreover, although the immediate severity of a cyber armed attack may not reach the level of attacks with weapons of mass destruction, cyber operations have the potential, because of a networking, to affect many more individuals and activities. In light of these reali- ties, an approach centering on a Stateâs opportunity to defend itself is no less suitable in the context of cyber operations than in that of terrorism. Cyber or kinetic operations designed to foil an attack which has been approved, and which qualifies as an armed attack, would therefore be lawful when it reasonably appears that failure to act promptly will deprive the target State of any viable opportunity to defend itself. Criteria for Engaging in Self-Defense Actions in self-defense must meet two legal criteriaânecessity and proportionality. The ICJ acknowl- -defense must acknowl- edged both in the nicaragua case, and later confirmed them in its oil Platforms judgement.74 Necessity requires that there be no reasonable option other than force to effectively deter an imminent attack or defeat one that is underway. This does not mean that force need represent the only available response; it merely requires that defense necessitate actions that are forceful in nature as a component of an overall defense necessitate response, which may well also include non-forceful measures such as diplomacy, economic sanctions or law enforcement measures. Proportionality, by contrast, addresses the issue of how much force is permissible once it is deemed necessary. The criterion limits the scale, scope, duration and intensity of the defensive response to that which is required to neutralize a prospective attack or repel one that is underway. It does not restrict the amount of force used to that employed in the armed attack, since more force may be needed to suc - cessfully conduct a defense, or less may suffice. In addition, there is no requirement that the defensive force be of the same nature as that constituting the armed attack. Cyber operations may be responded to with kinetic operations and vice versa. The point of reference is the need to effectively defend oneself, not the character of the armed attack. The key to the necessity analysis in the cyber context is the existence, or lack thereof, of alternative non-forceful courses of action. Should passive cyber defenses be adequate to thwart a cyber armed attack, forceful defensive measures would be disallowed. Similarly, if active cyber operations not rising to the level of force are adequate to deter armed attacks (prospective or ongoing), forceful alternatives, whether cyber or kinetic, would be barred. However, when non-forceful measures alone cannot reason - ably be expected to defeat an armed attack and prevent subsequent ones, destructive cyber and kinetic operations are permissible under the law of self-defense. Any forceful defensive cyber or kinetic operations must equally be proportionate. The victim of a cyber armed attack does not have a carte blanche to conduct its cyber or kinetic defense. Rather, the extent and nature of its response are limited to ensuring the victim-State is no longer subject to attack. The requirement should not be overstated. It may be that the source of the cyber armed attack is relatively invulnerable to cyber operations. This would not preclude kinetic or cyber defensive operations against other targets in an effort to compel the attacker to desist, although they must be scaled to that purpose. Evidentiary Issues Identification of an âattackerâ poses particular problems in the cyber context. For instance, it is pos - sible to âspoofâ the origin of attack. Or the lone indication of where an attack originated from, or who 74 Nicaragua, supra note 12, Â¶ 194; Oil Platforms, supra note 48, Â¶Â¶ 43, 73-74 & 76.
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS launched it, may be an IP address or other machine discernable data. And the speed by which cyber operations proceed dramatically compresses the time available to make such determinations. How cer- tain must the target State be as to the identity of its attacker before responding in self-defense? Although international law sets no specific evidentiary standard for drawing conclusions as to the originator of an armed attack, a potentially useful formula was contained in the U.S. notification to the Security Council that it was acting in self-defense when it launched its October 2001 attacks against the Taliban and Al Qaeda in Afghanistan. There, U.S. Ambassador Negroponte stated that âmy Government has obtained clear and compelling information that the Al-Qaeda organization, which is supported by the Taliban regime in Afghanistan, had a central role in the attacks.â75 NATO Secretary-General Lord Robertson used the same language when announcing that the attacks of 9/11 fell within the ambit of the collective defense provisions of Article V of the North Atlantic Treaty. 76 âClear and compellingâ is a threshold higher than the preponderance of the evidence (more likely than not) standard used in certain civil and administrative proceedings and lower than criminal lawâs âbeyond a reasonable doubt.â In essence, it obliges a State to act reasonably, that is, in a fashion consis - tent with the normal State practice in same or similar circumstances. Reasonable States neither respond precipitously on the basis of sketchy indications of who has attacked them nor sit back passively until they have gathered unassailable evidence. So long as the victim-State has taken reasonable steps to iden - tify the perpetrator of an armed attack, cyber or kinetic, and has drawn reasonable conclusions based on the results of those efforts, it may respond forcefully in self-defense. That the State in fact drew the wrong conclusion is of no direct relevance to the question of whether it acted lawfully in self-defense. 77 Its responses are assessed as of the time it took action, not ex post facto. Although the temporal aspect cannot be ignored, the time available to make the determination is merely one factor bearing on the reasonableness of any conclusion. In particular, automatic âhack-backâ systems that might involve a response amounting to a use of force are neither necessarily lawful nor unlawful. Their use must be judged in light of many factors, such as the reliability of the determination of origin, the damage caused by the attack, and the range of available response options. An analogous standard of reasonableness would apply in the case of anticipatory self-defense against an imminent cyber attack. International law does not require either certainty or absolute preci - sion in anticipating another Stateâs (or non-State actorâs) future actions. Rather, it requires reasonable - ness in concluding that a potential attacker has decided to attack and wields the capability to carry out said attack, and that it must act defensively in anticipation of the attack lest it lose the opportunity to effectively defend itself. States could not possibly countenance a higher threshold, for such a standard would deprive them of a meaningful right of self-defense. Admittedly, ascertaining a possible adversaryâs intentions in the cyber environment is likely to be demanding. Aside from the difficulties of accurately pinpointing identity discussed above, it will be challenging in the context of anticipatory self-defense to identify the purpose behind a particular cyber operation. For instance, is a cyber probe of a Stateâs air defense designed merely to gather intelligence or instead to locate vulnerabilities in anticipation of an attack which is about to be launched? Obvi - ously, such determinations must be made contextually, considering factors such as the importance of the matter in contention, degree of political tensions, statements by military and political leaders, military activities like deployments, exercises and mobilizations, failed efforts to resolve a contentious situation diplomatically, and so forth. The speed with which the defender may have to make such an assessment to effectively defend itself further complicates matters. Despite the factual and practical complexity, 75 Letter dated 7 October 2001 from the Permanent Representative of the United States of America to the United Nations Ad - dressed to the President of the Security Council, U.N. Doc. S/2001/946 (Oct. 7, 2001). 76 Statement by NATO Secretary General Lord Robertson, NATO Headquarters (Oct. 2, 2001), http://www.nato.int/docu/ speech/2001/s011002a.htm. 77 Note by way of analogy to international criminal law, that pursuant to the Statute of the International Criminal Court, a mis - take of fact is grounds for excluding criminal responsibility when the mistake negates the mental element required by the crime. Rome Statute of the International Criminal Court, art. 32.1, July 17, 1998, 2187 U.N.T.S. 90.
1 miCHAEl n. SCHmitt the legal standard is clear; a State acting anticipatorily in self-defense must do so reasonably. In other words, States in the same or similar circumstances would react defensively. When a State asserts that it is acting in self-defense, it bears the burden of proof. In the oil Platforms case, the ICJ noted that the United States had failed to present evidence sufficient to âjustify its using force in self-defense.â78 Specifically, it could not demonstrate that Iran was responsible for a 1987 missile attack against an oil tanker sailing under U.S. flag or the 1988 mining of a U.S. warship during the Iran- Iraq âtanker war,â to which the United States responded by attacking Iranian oil platforms. The Court rejected evidence offered by the United States which was merely âsuggestive,â looking instead for âdirect evidenceâ or, reframed, âconclusive evidence.â79 âClear and compellingâ evidence would meet these requirements. Thus, States responding to a cyber armed attack must be prepared to present evidence of this quality as to the source and nature of an impending attack, while those acting in anticipation of an attack must do likewise with regard to the potential attackerâs intent and capability. Collective Responses Unlike countermeasures, defensive actions may be collective. This possibility is explicitly provided for in Article 51âs reference to âindividual or collective self-defense.â Collective self-defense may be mounted together by States which have all been attacked or individually by a State (or States) which has not, but comes to the defense of another. Although the basic norm is clear in theory, it is complex in application. As noted in the Experts Report on the new NATO Strategic Concept, âthere may well be doubts about whether an unconventional dangerâsuch as a cyber attack or evidence that terrorists are planning a strikeâtriggers the collective defence mechanisms of Article V (the North Atlantic Treaty implementation of Article 51).â80 The mere fact of an armed attack allows for collective defensive action; no authorization from the Security Council is necessary. But there are legal limits on exercise of the right. In the nicaragua case, the ICJ suggested that only the victim-State is empowered to determine whether an armed attack has occurred, and it must request assistance before others act on its behalf.81 Absent such a determination and request, collective actions would themselves amount to unlawful uses of force, and, depending on their nature, even armed attacks (paradoxically, against the State launching the initial armed attack). These requirements are designed to prevent States from claiming to act in collective self-defense as a subterfuge for aggression. Given the practical difficulties of identifying a cyber operationâs originator, this is a sensible limita - tion. It must be noted that some distinguished commentators challenge the strict application of these requirements. They argue that in cases where the collective defense actions occur outside the territory of the victim-State, other States may be entitled to act on the basis of their own right to ensure their security. The right arguably derives from breach of the duty to refrain from armed attack that the State initiating the armed attack bears.82 This latter scenario is particularly germane in the cyber context since the effects of cyber armed attacks could easily spread through networks, thereby endangering States other than those which are the intended target. The prevailing view is nevertheless that there must be a request from the victim-State before the right of collective self-defense matures. In many cases, a pre-existing treaty contemplates collective defense. Article 52(1) of the UN Char- ter provides that ânothing in the present Charter precludes the existence of regional arrangements or agencies for dealing with such matters relating to the maintenance of international peace and security 78 Oil Platform, supra note 48, Â¶ 57. 79 Ibid.,Â¶Â¶ 59, 69. 80 NATO 2020, supra note 7, at 20. 81 Nicaragua, supra note 12, Â¶ 199; The Court reiterated this position in the Oil Platforms case of 2003. Oil Platforms, supra note 48, Â¶ 55. 82 See discussion in Dinstein, supra note 62, at 270. This was the position adopted in Judge Jenningâs dissent in Nicaragua. Ni - caragua, Dissenting Opinion of Judge Sir Robert Jennings, supra note 12, at 544-46.
10 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS as are appropriate for regional action. . . .â Despite the reference to âregionalâ arrangements, the agree - ments need not be limited to States in a particular region or to actions occurring in a defined area. Such arrangements may take multiple forms, For instance, bilateral and multilateral mutual assistance trea - ties typically provide that the Parties will treat an armed attack against one of them as an armed attack against all.83 As a practical matter, the effectiveness of collective defense provisions usually depends on the willingness of the treaty partners to come to each otherâs aid. A State that does not see collective defensive action as in its national interest may be expected to contest characterization of a cyber opera - tion as an armed attack. Military alliances based on the right to engage in collective defense also exist, the paradigmatic example being NATO. Pursuant to Article V of the treaty, Member States âagree that an armed attack that against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defence recognised by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.â84 The benefit of alliances is that they generally involve a degree of advanced planning for combined operations in the event of armed attack, and, as with NATO, military structures are often set up to coordinate and direct military operations. Preplanning and the existence of collective mechanisms for managing joint and combined action are especially valuable with regard to defending against cyber attacks. However, like mutual assistance treaties, alliance arrangements are subject to the reality that they are composed of States, which can be expected to act pursuant to their own national interests. In the case of NATO, for instance, decisions to act are taken by consensus in the North Atlantic Council; a single member State can therefore block NATO collective action. Indeed, had the cyber operations against Estonia risen to the level of an armed attack, it is not altogether certain that NATO would have come to its defense militarily, especially in light of Russiaâs place in the European security environment and the countervailing commitments of NATO allies elsewhere, especially Afghanistan and Iraq. State Sponsorship of Attacks by Non-State Actors The issue of State sponsorship of cyber operations was addressed earlier in the context of the responsibility of States for uses of force by non-State actors. There the question was when does a State violate the use of force prohibition by virtue of its relationship with others who conduct cyber opera - tions? However, the issue of State sponsorship in the self-defense context is much more momentous. It asks when may forceful defensive actions, even kinetic ones, be taken against a State which has not engaged in cyber operations, but which has âsponsoredâ them? In other words, when is an armed attack attributable to a State such that the State may be treated as if it had itself launched the attack? Until the transnational attacks of September 11, 2001, the generally accepted standard was set forth in the nicaragua case. There the ICJ stated that âan armed attack must be understood as including not merely action by regular forces across an international border, but also âthe sending by or on behalf of a state of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another state of such gravity as to amount toâ (inter alia) an actual armed attack conducted by regular forces, âor its substantial involvement therein.â â85 The Court noted that the activities involved should 83 For instance, the Japan-United States mutual defense treaty provides that â[e]ach Party recognizes that an armed attack against either Party in the territories under the administration of Japan would be dangerous to its own peace and safety and declares that it would act to meet the common danger in accordance with its constitutional provisions and processes.â Treaty of Mutual Cooperation and Security Between Japan and the United States of America, Regarding Facilities and Areas and the Status of United States Armed Forces in Japan, art. V, Jan. 19, 1960, 373 U.N.T.S. 207. 84 North Atlantic Treaty, art. V, Apr. 4, 1949, 34 U.N.T.S. 243. 85 Nicaragua, supra note 12, Â¶ 195.
11 miCHAEl n. SCHmitt be of a âscale and effectsâ that would equate to an armed attack if carried out by the Stateâs military. Thus, âacts by armed bands where such attacks occur on a significant scaleâ would qualify, but âa mere frontier incident would not.â86 By this standard, attribution requires (1) acts qualifying as an armed attack and (2) that the State dis - patched the non-State actors or was substantially involved in the operations. As noted earlier, the ICTY took a more relaxed view of the degree of control necessary, accepting âoverall controlâ as sufficient. 87 The events of 9/11 brought the issue of threshold to light in a dramatic way. Assistance provided by the Taliban to Al Qaeda met neither the nicaragua nor tadic standards, since the Taliban merely provided sanctuary to Al Qaeda. The cyber analogy would be doing nothing to put an end to the activities of cyber âterroristsâ or other malicious hackers operating from a Stateâs territory when it is within its capability, legal and practical, to do so. Even though there was seemingly no legal basis for attribution to Afghanistan, when the Coalition responded with armed force against both Al Qaeda and the governing Taliban, no objection was raised. On the contrary, the Security Council condemned the Taliban âfor allowing Afghanistan to be used as a base for the export of terrorism by the Al-Qaida network and other terrorist groups and for providing safe haven to Usama Bin laden, Al-Qaida and others associated with them.â 88 It seems that the inter- national community had lowered the normative bar of attribution measurably. While the underlying operations must still amount to an armed attack, it is arguable that today much less support is required for attribution than envisaged in either nicaragua or tadic. Far from being counter-legal, this process of reinterpretation is natural; understandings of international legal norms inevitably evolve in response to new threats to the global order. In that cyber operations resemble terrorism in many regards, States may equally be willing to countenance attribution of a cyber armed attack to a State which willingly provides sanctuary to non-State actors conducting them. Armed Attacks by Non-State Actors Although most cyber operations are launched by individuals such as the anti-Estonian âhacktivists,â concern is mounting about the prospect that transnational terrorist organizations and other non-State groups will turn to cyber operations as a means of attacking States.89 The concern is well-founded. Al Qaeda computers have been seized that contain hacker tools, the membership of such groups is increas - ingly computer-literate, and the technology to conduct cyber operations is readily available. In one case, a seized Al Qaeda computer contained models of dams, a lucrative cyber attack target, and the computer programs required to analyze them.90 International lawyers have traditionally, albeit not universally, characterized Article 51 and the customary law of self-defense as applicable solely to armed attacks mounted by one State against another. Violent actions by non-State actors fell within the criminal law paradigm. Nonetheless, the international community treated the 9/11 attacks by Al Qaeda as armed attacks under the law of self-defense. The Security Council adopted numerous resolutions recognizing the applicabil- ity of the right of self-defense. 91 International organizations such as NATO and many individual States took the same approach.92 The United States claimed the right to act forcefully in self- 86 Ibid. 87 Itmust be emphasized that the legal issue involved in that case was not attribution of an armed attack, but rather the exist - exist- ence of an international armed conflict. 88 S.C. Res. 1378, pmbl. (Nov. 14, 2001). 89 This threat is cited in both the 2010 National Security Strategy ( supra note 6, at 27) and NATO 2020 (supra note 7, at 17). 90 Clay Wilson, Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress, Congressional Research Service Report RL32114, Oct. 17, 2003, at 11-13. 91 See, e.g., S.C. Res 1368 (Sept. 11, 2001); S.C. Res. 1373 (Sept. 28, 2001). 92 See, e.g., Press Release, NATO, Statement by the North Atlantic Council (Sept. 12, 2001); Terrorist Threat to the Americas, Res. 1, Twenty-fourth Meeting of Consultation of Ministers of Foreign Affairs, Terrorist Threat to the Americas, OAS Doc. RC.24/ RES.1/01 (Sept. 21, 2001); Brendan Pearson, Pm Commits to mutual defence, Australian Financial Review, Sept. 15, 2001, at 9.
12 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS defense,93 and no State objected to the assertion. Lest this approach be dismissed as simply an emo - tive reaction to the horrific attacks of 9/11, it must be noted that when Israel launched operations into Lebanon in response to Hezbollahâs 2006 terrorism, the international community again seemed to accept a countryâs right to defend itself against armed attacks mounted by non-State actors. 94 Despite acceptance by States of the premise that non-State actors may qualify as the originators of an armed attack, the ICJ seems to have taken a step backwards in two post-9/11 cases. In the wall advisory opinion and the Congo case, the Court refrained from considering claims of self-defense against actions by non-State actors, noting that no assertion had been made that the relevant actions were imputable to a State.95 Although the Courtâs reasoning was nuanced and fact-specific, it has nevertheless been widely criticized as inattentive to contemporary understandings of the relevant law. In particular, in the wall case three judges expressly departed from the majorityâs approach on the bases that it ignored the fact that Article 51 makes no mention of the originator of an attack (while Article 2(4) specifically addresses uses of force by States) and that the Security Council had deliberately treated terrorist attacks as armed attacks in the aftermath of the 9/11.96 The Courtâs hesitancy to embrace the notion of armed attack by non-State actors is understandable in light of the risk of abuse. States might well apply it to engage in robust military operations against groups in situations in which law enforcement is the more normatively appropriate response. For instance, significant concerns have been raised regarding counterterrorist operations occurring outside an armed conflict mounted in States which do not consent to them. Such concerns are likely to be even more acute in relation to cyber operations, which are conducted not by armed members of groups resembling classic military forces, but rather by cyber experts equipped with computers. Nevertheless, as a matter of law, States seem comfortable with applying the concept of armed attacks to situations involving non-State actors. Should such groups launch cyber attacks meeting the threshold criteria for an armed attack, States would likely respond within the framework of the law of self-defense. The point that the attacks must meet the threshold criteria cannot be overemphasized. There is no State practice supporting extension of the concept to the actions of isolated individuals, such as hacktiv - ists or patriotic hackers. Further, the cyber operations must be severe enough to qualify as armed attacks, that is, they have to result in damage to or destruction of property or injury to or death of individuals. Finally, as the debate over minor border incursions demonstrates, it is uncertain whether attacks which meet the aforementioned threshold, but are not of significant scale, would qualify. As an example, a cyber attack that caused a single plantâs generator to overheat, thereby temporarily interrupting service until it could be repaired, would presumably not, by the more restrictive standard, qualify as an armed attack. Rather, it would be the cyber equivalent of a border incursion. Cross-border Operations When armed attacks by non-State actors emanate from outside a State, may that State take defen - sive actions against its perpetrators in the territory of the State where they are based? This question has been raised recently in the context of unmanned aerial vehicle strikes against terrorists in Pakistan 93 âInresponse to these attacks, and in accordance with the inherent right of individual and collective self-defense, United States forces have initiated actions designed to prevent and deter further attacks on the United States. These actions include measures against Al-Qaeda terrorist training camps and military installations of the Taliban regime in Afghanistan. . . .â Letter from the Permanent Representative, supra note 75. 94 See generally, Michael N. Schmitt, ââChange Directionâ 2006: Israeli Operations in Lebanon and the International Law of Self-Defense,â 29 michigan Journal of international law 127 (2008). Many commentators and States saw the actions as violating the proportionality criterion discussed above. 95 Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory, Advisory Opinion, 2004 ICJ Rep. 136, Â¶ 139 (July 9); Congo, supra note 33, at 53. 96 Wall, supra note 95, Sep. Op. Judge Higgins, Â¶ 33; Sep. Op. Judge Koojmans, Â¶ 35; Decl. Judge Buergenthal, Â¶ 6.
1 miCHAEl n. SCHmitt and elsewhere. It is no less pertinent to situations involving cyber armed attacks launched by non-State actors from abroad. It is indisputable that one State may employ force in another with the consent of the territorial State. t For instance, a State may grant others the right to enter its territory to conduct counterterrorist opera - tions, as often occurs in Pakistan, or a State embroiled in an internal conflict with insurgents may request external assistance in restoring order, as with ISAF operations in Afghanistan or USF in Iraq. A State subjected to an armed attack, whether cyber or kinetic, could, with the acquiescence of the territorial State, equally launch cyber defensive operations into the State from which the attacks emanated. The legal dilemma arises when operations are conducted without territorial State approval. By the principle of sovereignty (and the derivative notion of territorial integrity), a State enjoys near absolute control over access to its territory. In affirmation, the UN General Assembly has cited the use of force by a State on the territory of another as an act of aggression.97 Yet, the right of States to use force in self-defense is no less foundational. When terrorists or insurgents seek sanctuary in a State other than that in which they are conducting operations, they bring the territorial Stateâs right of sovereignty into conflict with the victim-Stateâs right of self-defense. Fortunately, international law does not require an either-or resolution when norms clash. Instead, it seeks to balance them by fashioning a compromise which best achieves their respective underlying pur- poses. In this case, such a balance would ensure that the territorial State need not suffer unconstrained violations of its sovereignty, but nor would the victim-State have to remain passive as non-State groups attack it with impunity from abroad. The resulting compromise is as follows. The victim-State must first demand the territorial State fulfill its legal duty to ensure actions on or from its territory do not harm other States and afford the territorial State an opportunity to comply.98 If that State subsequently takes effective steps to remove the threat, then penetration of its territory by the victim-State, whether kinetically or by cyber means, is impermissible. But if the territorial State fails to take appropriate and timely action, either because it lacks the capability to conduct the operations or simply chooses not to do so (e.g., out of sympathy for the non-State actors or because its domestic laws preclude action), the victim-State may act in self-defense to put an end to the non-State actorâs attacks. It matters not whether the actions are kinetic or cyber in nature, as long as they comply with the principles of proportionality and necessity. ARMED CONFLICT The jus in bello notion of âarmed conflictâ must be distinguished from the jus ad bellum concepts of use of force, threat to the peace, breach of the peace, act of aggression and armed attack. The jus ad The bellum determines when a State has violated the international law governing the resort to force, and sets forth a normative flow plan for individually or collectively responding to such violations. By contrast, under the jus in bello, the applicability of IHL depends on the existence of an âarmed conflict.â This law is set forth in such treaties as the four 1949 Geneva Conventions and the two 1977 Protocols Additional (Protocol I for international and Protocol II for non-international armed conflict), and in customary international law.99 In determining whether IHL rules like distinction (the requirement to distinguish combatants from civilians and military objectives from civilian objects), proportionality (the prohibi - tion on attacks expected to cause harm to civilians and civilian object which is excessive relative to the military advantage anticipated to accrue from the attack), or direct participation (the loss by civilians of their protections when they take a direct part in hostilities) apply to cyber operations, the threshold question is whether an armed conflict is underway.100 97 Definition of Aggression Resolution, supra note 50, art. 3(a). 98 On the duty to police oneâs own territory, see Corfu Channel (U.K. v. Alb.), 1949 ICJ Rep. 4 (Apr. 9). 99 GC I-IV, supra note 4; AP I, supra note 53; Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of Non-International Armed Conflicts, June 8, 1977, 1125 U.N.T.S. 609 [hereinafter AP II]. 100AP I, supra note 53, arts. 48, 51.5(b), 51.3.
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS There are two forms of armed conflict, international and non-international. The first refers to conflicts between States, whereas the second implies either conflicts between a State and a non-State organized armed group or those between such groups. Determining when a conflict is international or non- international is a highly complex matter, particularly in light of hostilties between States and non-State transnational actors, such as global terrorist groups. As an example of the uncertainty, consider that while the Israeli Supreme Court has characterized Israelâs conflicts with terrorist groups such as Hamas and Hezbollah to be international, in part because they transcend Israeli territory, the U.S. Supreme Court has labeled the conflict with transnational terrorist groups like Al Qaeda as ânot of an international character.â101 Although a full exploration of the characterization of conflict issue lies beyond the scope of this article, it is useful to examine the concepts in a general manner. International Armed Conflict Article 2 Common to the four Geneva Conventions states that they âapply to all cases of declared war or to any other armed conflict which may arise between two or more of the High Contracting parties.â102 This begs the question of the nature and scope of the referenced conflict. The International Committee of the Red Crossâ official commentary to the provision provides that âany difference arising between two States and leading to the intervention of members of the armed forces is an armed conflict within the meaning of Article 2, even if one of the Parties denies the existence of a state of war. It makes no difference how long the conflict lasts, how much slaughter takes place, or how numerous are the participating forces.â103 Similarly, the ICTY has opined that âan armed conflict exists whenever there is resort to force between States.â104 It is essential to distinguish states of âarmed conflictâ under the jus in bello from instances of jus ad bellum âarmed attacks,â for, as noted, some experts assert that minor incidents do not amount to the latter. Moreover, in the traditional treatment of the legal concept of âwar,â minor armed incidents did not necessarily signal the commencement of a war between States.105 But so long as there is an armed exchange between the armed forces of two States, an âinternational armed conflictâ exists. Actions by non-State actors operating under State control would also qualify, although actions by individuals or independent group would not. Hostilities need not even exist. By Article 2, the conventions apply in cases of âpartial or total occupation . . ., even if said occupation meets with no armed resistance.â106 And it is equally accepted that there is an armed conflict if the forces of one State detain individuals protected by IHL, such as combatants.107 It is irrelevant whether the parties to the armed conflict con - sider themselves to be âat war.â This leads to two alternative conclusions with regard to cyber operations standing alone. First, they must be the functional equivalent of a clash of arms between States. Applying the approach adopted in the context of the jus ad bellum, relevant actions must be likely to result in injury, death, damage or destruction to comprise an international armed conflict. Non-destructive computer network exploitation, espionage, denial of service attacks and other actions would not initiate an armed conflict, although they might, depending on the circumstances, qualify as a use of force. This is the mainstream approach among IHL experts, one focusing on the adjective âarmedâ in the phrase armed conflict. However, the fact that an armed conflict can occur in the absence of combat arguably provides inter- pretive leeway. This is especially so in light of an ongoing debate among experts as to whether a cyber 101 HCJ [High Court of Justice] 796/02, Public Committee against Torture in Israel et al. v. Government of Israel et al., Â¶ 21(Dec. 13, 2006); Hamdan v. Rumsfeld, 126 S.Ct. 2749, 2795-96 (2006). 102 Common art. 2 to GC I-IV, supra note 4. 103 Commentary to the third genea Conention relatie to the treatment of Prisoners of war 23 (ICRC, Jean Pictet ed., 1960). 104 Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, supra note 51, Â¶ 70. 105 Dinstein, supra note 62, at 11-13. 106 Common art. 2(1) to GC I-IV, supra note 4. 107 Pictet, supra note 103, at 23.
1 miCHAEl n. SCHmitt operation can amount to an âattack,â as that term is used in IHL (e.g., the prohibition on âattackingâ civilians and civilian objects).108 The law defines attacks as âacts of violence,â109 leading one school of thought to argue that only operations resulting in injury, death, damage or destruction are attacks to which the prohibitions apply.110 Advocates would therefore likely accept the aforementioned limitation. A second school argues that the essence of such prohibitions is directing military operations against protected persons and places.111 If this is so, then IHL would apply to certain non-destructive cyber operations against protected persons and objects, and, by extension, an international armed conflict would commence once a State or those under its control launched them. The problem is that proponents of the second approach offer no criteria for distinguishing non- destructive âattacksâ from non-destructive military operations that clearly do not qualify as attacks, such as lawful psychological operations. Presumably, consequence severity would be a key criterion, but how might that be determined (financial loss, disruption of essential State functions, etc.)? Indeterminacy may be acceptable in the context of identifying a use of force, for the issue there is merely whether a violation of law has occurred (and countermeasures cannot involve the use of force). By contrast, the consequences of finding an âarmed conflictâ are much more dramatic. Armed conflict renders violent actions by combatants lawful unless they breach a particular IHL norm, even when the initial resort to force by the belligerent State was unlawful. In other words, while IHL limits violence, it also legitimizes it. This interpretation is obviously problematic. Non-International Armed Conflict Determining when a non-international armed conflict exists is even more problematic. The relevant IHL is found primarily in customary international law, Common Article 3 to the Geneva Conventions and, for States party, Additional Protocol II (AP II). Although there is much controversy over the precise content of the customary law and the extent to which certain customary IHL norms apply in both inter- national and non-international armed conflicts, it is undeniably a less detailed and less comprehensive body of law than that applicable in international armed conflict. Common Article 3 to the Geneva Conventions defines non-international armed conflicts in the nega - tive as those which are ânot of an international character,â a characterization reflective of customary international law.112 There are two generally accepted criteria for such conflicts. First, Article 3 employs the phrase âeach Party to the conflict.â The term âPartyâ is commonly understood to refer to either States or to groups which have a certain degree of organization and command structure. Thus, cyber violence of any intensity engaged in by isolated individuals or by unorganized mobs, even if directed against the government, does not qualify. It would not amount to an armed conflict, and therefore would be governed by criminal law and human rights law, not IHL. The vast majority of the cyber operations conducted against Estonia would fall into this category. The second criterion is intensity. It is generally agreed that a non-international armed conflict requires violence of a higher degree of intensity than international armed conflict. âInternal disturbances and tensions, such as riots, isolated and sporadic acts of violence and other acts of a similar natureâ 108AP I, supra note 53, arts. 51 and 52. 109 Ibid., art. 49. 110 See, e.g., Michael N. Schmitt, âWarfare: Computer Network Attack and International Law,â 84 (No. 846) international Reiew of the Red Cross 365 (June 2002). 111 Knut DÃ¶rmann, Applicability of Additional Protocols to Computer Network Attack, Paper delivered at the International Ex - pert Conference on Computer Network Attacks and the Applicability of International Humanitarian Law, Stockholm, November 17-19, 2004, http://www.icrc.org/web/eng/siteeng0.nsf/htmlall/68lg92?opendocument. 112 Common art. 3 to GC I-IV, supra note 4 (âIn the case of armed conflict not of an international character occurring in the ter - ritory of one of the High Contracting Parties, each Party to the conflict shall be bound to apply, as a minimum, the following provisions. . . .â).
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS fall short of the threshold.113 In non-normative terms, the criterion suggests that unrest which can be handled primarily by law enforcement entities, without resort to the armed forces, does not constitute non-international armed conflict even if carried out by armed groups. Along these lines, the ICTY has characterized non-international armed conflicts as involving âprotracted armed violence between governmental authorities and organized armed groups or between such groups within a State,â 114 a formula adopted by the International Criminal Tribunal for Rwanda and in the Statute of the Interna - tional Criminal Court.115 For parties to the instrument (the United States is not), AP II sets forth significant additional IHL norms. However, the threshold of applicability for this instrument is set at an even higher level than that of customary law and Common Article 3. In the case of AP II non-international armed conflicts, the non-State party to the conflict has to âexercise such control over a part ofâ a Stateâs territory that it can âcarry out sustained and concerted military operations.â 116 It would be exceptionally difficult for cyber operations standing alone to rise to the level of non- international armed conflict. First, operations launched by individuals and unorganized groups are not encompassed in the category, no matter how destructive. Second, the cyber operations would have to be protracted, that is, occur over a period of time. Sporadic attacks would not qualify, regardless of their destructiveness. Third, the requirement of intensity would augur against arguments that actions which are not destructive can sometimes meet the test, a weak argument even in the case of international armed conflict. Combined, the criteria mean that only significantly destructive attacks taking place over some period of time and conducted by a group that is well-organized initiate a non-international armed conflict. Finally, as noted earlier, significant controversy surrounds the question of whether attacks by trans- national non-State actors are international or non-international in character. The debate derives from the fact that non-international armed conflicts are typically seen as conflicts between a State and ârebels,â in other words, civil wars. AP II seemingly makes this requirement explicit in its reference to conflicts taking place âin the territory of a State . . . between its armed forces and dissident armed forces or other organized armed groups.â117 Although Common Article 3 contains no such restriction, its reference to conflicts âoccurring in the territoryâ of a Party to the 1949 Geneva Conventions has sometimes also been construed as excluding conflicts that transcend national borders. Thus, by one interpretation, such conflicts are international because they cross borders.118 By an alternative interpretation, they are non-international because they do not involve States in opposition to each other, which has tradition - ally been the distinguisher for international armed conflict. Accordingly, they are conflicts which are ânot of an international character.â119 It has also been argued that they are a new form of armed conflict to which only the general norms applicable to all armed conflicts, such as the principle of distinction, apply. This form of conflict has been labeled âtransnational.â120 Finally, it might be argued that there is no armed conflict at all, but rather mere criminality. In fact, a strict reading of the law would suggest as much. However, this last approach begs the question of what law applies in the event of an armed attack (in the ad bellum context) to which a State responds forcefully, since absent an armed conflict, IHL is inapplicable. Whatever the correct characterization, it would apply equally to groups conducting cyber operations of the intensity required to constitute an armed conflict. 113AP II, supra note 99, art. 1.2, generally deemed to equally reflect the standard applicable to Common Article 3 and customary international law. See, e.g., Rome Statute, supra note 77, art. 8(2)(f). 114 Tadic, Appeals Chamber Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, supra note 51, Â¶ 70. 115 Prosecutor v. Akeyesu, Case No. ICTR-96-4-T, Judgment, Â¶ 619 (Sept. 2, 1998); Rome Statute, supra note 77, art. 8(2)(f). 116AP II, supra note 99, art. 1(1). It must also be able to implement the provisions of the Protocol. 117 See text at fn 112. 118 HCJ [High Court of Justice] 796/02, Public Committee against Torture in Israel et al. v. Government of Israel et al., Â¶ 21(Dec. 13, 2006). 119 Hamdan v. Rumsfeld, 126 S.Ct. 2749, 2795-96 (2006). 120 See, e.g., Geoff Corn, âHamdan, Lebanon, and the Regulation of Armed Conflict: The Need to Recognize a Hybrid Category of Armed Conflict,â 40 vanderbilt transnational law Journal 295 (2006).
1 miCHAEl n. SCHmitt FAuLT LINES IN THE LAW The legal analysis set forth above should strike most readers as unsatisfactory. Clear fault lines in the law governing the use of force have appeared because it is a body of law that predates the advent of cyber operations. The normative scheme made sense when close congruity existed between the coercive instruments of international relations, particularly military force, and their effects. To the extent one State disrupted order in the international community, it usually did so by using force to harm objects and per- sons. Resultantly, instrument-based normative shorthand (use of force, armed attack, and armed conflict) was employed as a means of precluding those effects (death, injury, destruction and damage) which were perceived as most disruptive of community stability, and as most threatening to State security. Debates such as whether actions short of military operations are uses of force or whether minor border incursions qualify as armed attacks demonstrate that the foundational concerns were actually consequence-based, for both reflect recognition that the instrument-based approach is not perfectly calibrated. The advent of cyber operations threw the instrument-based approach into disarray by creating the possibility of dramatically destabilizing effects caused by other than kinetic actions. They weakened the natural congruency between the normative shorthand employed in the law governing resort to force and those consequences which the law sought to avoid as disruptive. Conceptually, the âqualitativeâ scheme, by which prohibitions were expressed in terms of types of activities (use of the military and other destructive instruments as distinguished from non-destructive ones) no longer sufficed to preclude those effects about which States had become most concerned. A non-kinetic, non-destructive means of generating effects which States cannot possibly countenance now existed; the qualitative shorthand no longer tracked the quantitative concerns of States. The prohibition on the use of force has proven somewhat adaptable to this new reality because it has long been understood to extend beyond the application of kinetic force. Thus, it is reasonable to employ the criteria suggested in this article to identify situations in which non-kinetic actions will result in quan- titatively unacceptable, and therefore prohibited, consequences. The UN Charter mechanism for Security Council-based responses to threats to the peace, breaches of the peace and acts of aggression is likewise adaptable because by it threats to the peace include, simply put, whatever the Council wishes. However, the textual precision of the âarmed attackâ component of the individual and collective self-defense norm leaves little room for interpretive reshaping. By its own terms, âarmed attackâ does not reach many cyber-generated consequences to which States will wish to respond in self-defense. To a lesser extent, the same is true with regard to the notion of âarmed conflict.â It seems incongruent that a minor firefight would initiate an armed conflict, but a major non-physically destructive cyber attack against the cyber infrastructure of a State would not. Evidence of disquiet abounds. In a recent report by the National Research Council, examples of armed attack included âcyberattacks on the controlling information technology for a nationâs infra - structure (whether or not it caused immediate large-scale death or destruction of property)â and âa cyberattack against the stock exchanges that occurs repeatedly and continuously, so that trading is disrupted for an extended period of time (e.g., days or weeks).â121 As a matter of law, they would likely qualify as uses of force, but not, by a strict interpretation of the self-defense norm, as armed attacks (or as initiating an armed conflict). The problem is that most States would surely treat them as such. In other words, the National Research Council report has misconstrued the law, but accurately identified probable State behavior. When State expectations as to the ârules of the gameâ deviate from those that actually govern their actions, new norms can emerge. One method by which this can occur is through new treaty law. However, it is highly unlikely that any meaningful treaty will be negotiated to govern cyber operations in the foreseeable future. The greatest obstacle is that those States which are most vulnerable to cyber operations tend to be those which are also most capable of conducting them. Such tension will cause 121 Technology, Policy, Law, and Ethics, supra note 63, at 254-55.
1 PRoCEEdingS oF A woRkSHoP on dEtERRing CYBERAttACkS such States to hesitate before agreeing to prohibitions designed to protect them which may also defini - tively limit their freedom of action. This is especially so in light of the nascent nature of cyber warfare and the lack of experience of most States in these operations. In international relations, States are often comfortable with a degree of vagueness. Much more likely is the emergence of new understandings of the existing treaty law which are responsive to the realities of cyber operations. While only subsequent treaty action can technically alter a treatyâs terms, State practice can inform their interpretation over time. A well-known example involves veto action by Permanent Members of the Security Council. The UN Charter provides that a binding resolution of the Council requires the affirmative vote of all five Permanent Members. 122 However, State practice has been to treat the provision as blocking action only when a member of the âP5â vetoes a proposed resolution. This counter-textual interpretation is now accepted as the law. 123 The recent exten- sion of the notion of armed attack to actions by non-State actors similarly illustrates normative evolution prompted by shifting State expectations. In due course, similar evolution in the how the concept of armed attack is understood should be anticipated, as States increasingly accept the proposition that armed attacks must be judged qualita - tively and quantitatively. Consequences will remain the focus of concern, but they will be assessed both in terms of nature and as to their impact on affected States. In this regard, the seven criteria proffered above in the use of force context can serve as useful indicators of whether States are likely to characterize particular cyber operations as armed attacks (or as initiating an armed conflict), and thus suggest the probable vector of the law. However, for the moment the existing law remains intact; it will be left to States to articulate the expectations and engage in practices that can serve to fuel the normative process necessary to transform lex ferenda into lex lata.124 122 U.N.Charter, art. 27.3. 123 See discussion in Bruno Simma, Stefan Brunner & Hans-Peter Kaul, Article 2, in I the Charter of the United nations: A Com- mentary 476, 493-98 (Bruno Simma ed., 2d ed. 2002). The veto principle does not apply to votes on procedural matters. 124 The law as it should be and the law that is, respectively.