Skip to main content

Currently Skimming:

7 Legal and Ethical Perspectives on Cyberattack
Pages 239-292

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.


From page 239...
... This chapter focuses on the implications of existing international and domestic law as well as relevant ethical regimes for the use of cyberattack by the United States. (It is thus not intended to address legal issues that arise mostly in the context of the United States defending against cyberattack.)   Compared to kinetic weapons, weapons for cyberattack are a relatively recent addition to the arsenals that nations and other parties can command as they engage in conflict with one another.  Thus, the availability of cyberattack weapons for use by national governments naturally raises questions about the extent to which existing legal and ethical perspectives on war and conflict and international relations -- which affect  In 2008, the Supreme Court explained that a self-executing treaty is one that "operates of itself without the aid of any legislative provision," and added that a treaty is "not domestic law unless Congress has either enacted implementing statutes or the treaty itself conveys an intention that it be ‘self-executing' and is ratified on these terms." See Medellin v.
From page 240...
... Although this report takes a Western perspective on ethics and human rights, the committee acknowledges that these views are not universal. That is, other religious and ethnic cultures have other ethical and human rights traditions and practices that overlap only partially with those of the United States or the West, and their ethical and human rights traditions may lead nations associated with these cultures to take a different perspective on ethical, human rights, and legal issues regarding cyberattack.
From page 241...
... In principle, the UN Security Council can call for coercive military action that forces a violator to comply with its resolutions, but the viability of such options in practice is subject to considerable debate. 7.2.1  The Law of Armed Conflict To understand the legal context surrounding cyberattack as an instrument that one nation might deploy and use against another, it is helpful to start with existing law -- that is, the international law of armed conflict (LOAC)
From page 242...
... First, Articles 39 and 42 permit the Security Council to authorize uses of force in response to "any threat to the peace, breach of the peace, or act of aggression" in order "to maintain or restore international peace and security."  The law of armed conflict is also sometimes known as international humanitarian law. A number of legal scholars, though not all by any means, view international humanitarian law as including human rights law, and thus argue that the law of armed conflict also includes human rights law.
From page 243...
...   armed attack is launched, or is immediately threatened, against a an state's territory or forces (and probably its nationals)
From page 244...
... (The issue of whether a nation may respond militarily without Security Council authorization if it is the target of a use of force short of an armed attack is less clear, with evidence to support both sides of this position.1) Although the term "self-defense" is undefined in the UN Charter, it is convenient to consider three different types of actions, all of which involve the use of force in response to an attack.
From page 245...
... that does not rise to the threshold of an armed attack, responses made by the victimized nation fall into the category of self-help. What self-help actions are permissible under the UN Charter?
From page 246...
... 7.2.1.2  Jus in Bello Once armed conflict has begun, the conduct of a nation's armed forces is subject to a variety of constraints. Jus in bello is governed largely by the Hague Conferences of 1899 and 1907, the Geneva Conventions, and customary international law.
From page 247...
... At the same time, ruses of war are explicitly permissible. A ruse of war is intended to mislead an adversary or to induce him to act recklessly but its use infringes no rule of international law applicable in armed conflict and does not mislead the adversary into believing that he is entitled to special protection.
From page 248...
... , which calls on all member states "to work together urgently to bring to justice the perpetrators, organizers and sponsors of these terrorist attacks" and stresses that "those responsible for aiding, supporting, or harboring the perpetrators, organizers and sponsors of these acts will be  Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999.  United Nations Security Council Resolution 1368 (2001)
From page 249...
... military forces and other U.S. interests.
From page 250...
... , jus in bello is the body of law that applies. 7.2.2  Applying the Law of Armed Conflict to Cyberattack This section addresses some of the issues that might arise in applying international law to cyberattack.
From page 251...
... . 7.2.2.1  Prior to the Outbreak of Hostilities -- Applying Jus ad Bellum An important question of jus ad bellum in this report is whether, or more precisely, when, a given cyberattack constitutes a "use of force" or an "armed attack." But as a number of analysts have noted,13 the relevant 10 Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November, 1999.
From page 252...
... Box 7.3 provides some scenarios in which such questions arise. 937, 1999; Jason Barkham, "Information Warfare and International Law on the Use of Force," New York University Journal of International Law and Politics 34:57-113, 2001; Department of Defense, Office of General Counsel, An Assessment of International Legal Issues in Information Operations, Second Edition, November 1999.
From page 253...
... (Indeed, consider as a benchmark the history of long and extended Security Council debate on authorizations for armed conflict involving kinetic force.) 7.2.2.1.2  Criteria for Defining "Use of Force" and "Armed Attack"15 Traditional LOAC emphasizes death or physical injury to people and destruction of physical property as criteria for the definitions of "use of force" and "armed attack." But modern society depends on the existence 15 A related perspective can be found in Jason Barkham, "Information Warfare and International Law on the Use of Force," New York University International Law and Politics 34:57-113, 2001.
From page 254...
... whose disruptive but not actually destructive effects build slowly and gradually be regarded as a use of force or an armed attack? 16 Michael Schmitt, "Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework," Columbia Journal of Transnational Law 37:885937, 1999.
From page 255...
... However, a cyberattack against the stock exchanges that occurs repeatedly and continuously, so that trading is disrupted for an extended period of time (e.g., days or weeks) , would surely constitute a use of force or even an armed attack, even if no buildings were destroyed.
From page 256...
... 17 The scale question also raises the issue of whether there is, or should be, a class of "hostile" cyber actions (that is, certain kinds of cyberattack) that are recognized as not so immediately destructive as to be clear acts of "uses of force" or "armed attack," but that nonetheless entitle the target to some measure of immediate real-time response -- commensurate selfdefense -- that goes beyond just trying to protect the immediate target.
From page 257...
... Box 7.5 provides examples illustrating how such questions might arise. 7.2.2.1.4  Distinctions Between Economic Sanctions and Blockades18 Under international law, economic sanctions appear not to constitute a use of force, even if they result in death and destruction on a scale that would have constituted a use of force if they were caused by traditional military forces, although this interpretation is often questioned by the nation targeted by the sanctions.
From page 258...
... Since Ruritania suffers no ill effects from the fact that its infrastructure now has a number of vulnerabili ties, no armed attack or even use of force has occurred. Ruritania learns of the Zendian penetration because its cybersecurity experts have detected it technically.
From page 259...
... It is clear that the laws of armed conflict and the UN Charter prohibit the use of force -- cyber as well as kinetic force -- in pursuit of purely economic or territorial gain. But the legitimacy of cyberattacks that do not constitute a use of force for economic gain is not entirely clear.
From page 260...
... constitutes a form of denial of information rather than the assertion of a per se violation of international law; domestic laws are promulgated in such a way to deny foreign intelligence collection efforts within a nation's territory without inhibiting that nation's efforts to col lect intelligence about other nations. No serious proposal has ever been made within the international community to prohibit intelligence collec tion as a violation of international law because of the tacit acknowledge ment by nations that it is important to all, and practiced by each.
From page 261...
... Nevertheless, espionage may raise LOAC issues if a clear distinction cannot be drawn between a given act of espionage and the use of force. For example, Roger Scott notes that certain forms of espionage -- for instance involving ships, submarines, or aircraft as the collection platforms -- have indeed been seen as military threats and have been treated as matters of armed aggression permitting a military response rather than domestic crimes demanding a law enforcement response.23 One common thread here appears to be that the collection platform is or appears to be a military asset -- a plane, a ship, a submarine -- that could, in principle, conduct kinetic actions against the targeted nation.
From page 262...
... At the same time, the legality of such use would be subject to the jus in bello conditions regarding proportionality, distinction, and so on, just as they would affect decisions involving the use of kinetic weapons in any given instance. Note also that the attack/defense distinction -- central to applying jus ad bellum -- is not relevant in the midst of armed conflict and in the context of jus in bello.
From page 263...
... • A cyber offensive action introduces an upgradeable software agent into an adversary system. As introduced, the agent is an agent for cyberexploitation, monitoring traffic through the system and passing it along to a collection point.
From page 264...
... The possibility of false claims exists with kinetic attacks as well, but claims about collateral damage from a cyberattack are likely to be even more difficult to refute. • The damage assessment of a cyberattack necessarily includes indirect as well as direct effects, just as it does when kinetic weapons are involved.
From page 265...
... Cyberattacks raise a number of questions in this context: • Does compromising the computers of non-combatants violate prohibitions against attacking non-combatants? • Under what circumstances does a cyberattack on national infrastructure that affects both civilian and military assets constitute a LOAC violation?
From page 266...
... In traditional armed conflict, a combination of visual identification and geog raphy often suffices to identify a valid military target -- for example, a tank is easily refrain from participating in combatant activities, and are legally immune from deliberate targeting;25 non-combatants who engage in combatant activities are subject both to military action and, if captured, to criminal prosecution. Today, there is a growing dependence of the modern military on 25 Note, however, that the systems used to launch cyberattacks are legitimate military targets, and civilians who qualify for the narrow category of "civilians accompanying the armed forces" (presumably those who operate and maintain those systems)
From page 267...
... Although there is no specific ban on the use of non-discriminating weap ons per se, the proportionality requirement means that the military value of a given attack must be weighed against collateral damage. LOAC requires military forces to refrain from using a non-discriminating weapon when a more discriminating weapon would be equally effective, and also to refrain from attacking a military target when the only available means to do so is likely to cause disproportionate civilian damage.
From page 268...
... munitions plant are likely not to enjoy LOAC protection from attack, as they are making a direct contribution to the U.S. war effort.
From page 269...
... ("Emanating from X" means that X is an intermediate node in the attack pathway.) • What, if any, are the obligations of belligerents to avoid routing cyberattacks through the computers of neutral nations?
From page 270...
... 1 Note an interesting side effect of a policy decision to avoid routing through neutral nations.
From page 271...
... covert action involving the use of cyberattack during armed conflict. 7.2.2.2.6  An Operational Note -- Jus in Bello in Practice U.S.
From page 272...
... to be produced by a cyberattack would, if produced by other means, constitute an armed attack in the sense of Article 51 of the UN Charter, it is likely that such a cyberattack would be treated as an armed attack. Similarly, if a cyberattack had the same effects and was otherwise similar to governmentally initiated coercive/harmful actions that are traditionally and generally not treated as the "use of force" (e.g., economic sanctions, espionage, or covert actions such as planting information or influencing elections)
From page 273...
... But other forms of conflict in the 1990s and 2000s (such as terrorism) have blurred many of the distinctions between the LOAC and domestic law enforcement.
From page 274...
... that it would qualify as a use of force or an armed attack on the United States had it been carried out with kinetic means. A second question concerns the geographic origin of the attack.
From page 275...
... Nevertheless, not all nations are signatories to the convention, and the convention itself is oriented toward a law enforcement approach (that is, investigation, arrest, prosecution, and legal due process) that is often too slow given how rapidly a cyberattack can unfold.
From page 276...
... Thus, governments maintain armed forces to participate in armed conflict, under the government's direction. But in the Internet era, another type of non-state actor that complicates the legal landscape for cyberattack is the "hacktivist" or patriotic hacker.
From page 277...
... What actions should the United States take to respond to Zendian patriotic hackers if the Zendian government says in response to a U.S. inquiry, "We do not endorse or encourage these attacks by our citizens, but at the same time, they are not doing anything that we have the ability (or perhaps the legal authority)
From page 278...
... • Illegal interception -- intentional interception without right, made by technical means, of non-public transmissions of computer data to, from, or within a computer system, including electromagnetic emissions from a computer system carrying such computer data. • Data interference -- intentional damage, deletion, deterioration, alteration, or suppression of computer data without right.
From page 279...
... The convention defines a computer system to be "any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data." Computer data is defined to be "any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function." The convention calls for signatories to adopt domestic laws that criminalize the above offenses, to provide domestic law enforcement agencies with the authorities and powers necessary for the investigation and
From page 280...
... , and to establish an effective regime of international cooperation, including provisions for extradition and mutual law enforcement assistance. Notably, the convention does not establish espionage as an act that violates international law.
From page 281...
... , or they may be inherent in customary international law. A central point of contention in human rights law today is the extent of its applicability in situations in which the law of armed conflict is operative, that is, in acknowledged armed conflict or hostilities.
From page 282...
... domestic law regulates the division of labor regarding operational activities between the DOD and the intelligence agencies for reasons of government accountability and oversight. Generally, activities of the Department of Defense (DOD)
From page 283...
... As noted in Chapter 4, covert action has a statutory definition. However, the 1991 Intelligence Authorization Act also included a provision, now codifed at 50 USC 413b, that distinguished between covert actions and "traditional military activities," "traditional counterintelligence activities," "traditional diplomatic activities," and "traditional law enforcement activities." The legislation does not define any of the traditional activities, but the conference report stated the intent of the conferees that:39 "traditional military activities" include activities by military personnel under the direction and control of a United States military commander (whether or not the U.S.
From page 284...
... By contrast, no findings, special approval, or notification are needed for conducting any of the traditional military activities, although activities conducted by the uniformed military are subject to the guidance of and restrictions imposed by the law of armed conflict, and, in practice, many highly sensitive military operations -- if conducted outside the framework of a general armed conflict -- have been brought to the attention of congressional leadership. Finally, 50 USC 413b(f)
From page 285...
... On the other hand, activities that are intended to influence the conduct, behavior, or actions of an adversary without the involvement of the United States becoming known are covert actions requiring findings if they are not traditional intelligence activities or otherwise exempt, and the dividing line between activities that should be regarded as covert action and those that should not becomes unclear. For example: • Intelligence preparation of the battlefield is a traditional military activity and thus does not constitute covert action.
From page 286...
... Perhaps the most important point about the distinction between covert action and traditional military activities is that the distinction is essentially irrelevant outside a domestic context. Nations that are the target or subject of an act that they regard as hostile are not likely to care whether the United States classifies it as a covert action or as a military activity.
From page 287...
... , The Foreign Intelligence Surveillance Act: Overview and Modifications, Nova Science Publishers, Hauppauge, N.Y., 2008; and Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition, MIT Press, Cambridge, Mass., 2007. 41 See http://politechbot.com/docs/fbi.cipav.sanders.affidavit.071607.pdf.
From page 288...
... Under the Posse Comitatus Act, the Department of Defense would appear to be forbidden from conducting either cyberattack or cyber­ exploitation in support of domestic law enforcement to enforce domestic law in any context where there was no specific statutory exemption, but would have the authority to conduct such operations domestically if they were part of the exercise of presidential authority to act as commanderin-chief under Article II. 7.3.4  The Computer Fraud and Abuse Act and Other Federal Law A variety of federal laws, including 18 USC 1030 (the Computer Fraud and Abuse Act, described in Section 5.2)
From page 289...
... government to commandeer the computers of private citizens abroad to create a cyberattack capacity for use by the government, perhaps for use in a botnet or perhaps in any attempt to conduct a cyberattack with plausible deniability. Whether such commandeering is legitimate under the international laws of armed conflict is not clear, although the fact that the "zombification" of a computer can leave the computer almost entirely intact and whole for the user's purposes is surely relevant to a LOAC analysis.
From page 290...
... of this order (a United States person is "a United States citizen, an alien known by the intelligence agency concerned to be a permanent resident alien, an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments") , Section 2.3 of Executive Order 12333 establishes constraints on procedures for agencies within the intelligence community to collect, retain or disseminate information concerning United States persons.
From page 291...
... In addition, Executive Order 12333 regulates the conduct of covert action by stipulating that "no agency except the CIA (or the Armed Forces of the United States in time of war declared by Congress or during any period covered by a report from the President to the Congress under the War Powers Resolution (87 Stat.
From page 292...
... Foreign domestic law also has an impact on the ability of the United States to trace the origin of cyberattacks or cyberexploitations directed against the United States -- for example, if a certain cyber action is not criminalized in Zendia, Zendian law enforcement agencies may not have the legal authority to investigate it, even if the action is relevant to a cyberattack action against the United States routed by Ruritania through Zendia.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More information on Chapter Skim is available.