By Col Gary Brown, USAF, Retired, and Maj Israel King, USAF, Air Force Cyber College
/ Published July 06, 2017
Cyber capabilities have opened an entirely new area of warfare. It has been called a revolution in military affairs—evolutionary technological development, and associated tactical and strategic change, altering the character of war.1 Many of the same law-of-war issues exist in cyber operations as in traditional military operations. Whether the law of war applies to a particular cyber activity may depend on whether a state of armed conflict exists between the actors. This may be more challenging in cyber, as some basic questions remain unanswered. Perhaps most important, it is not settled when a cyber operation will be considered to constitute a use of force or an armed attack. Despite the uncertainty in policy, if injury, death, damage, or destruction results from a military cyber activity, cyberlaw practitioners should assume the activity is likely to be considered a use of force under international law.2
Even given the limitations noted above, as a matter of policy, the United States complies with the law of armed conflict (LOAC) in all military operations.3 The fundamental issues arising in cyber operations are no different than those relevant to kinetic military operations. The law of cyberwarfare has at its core the same basic principles of military necessity, avoidance of unnecessary suffering (humanity), proportionality, and distinction. One of the greatest challenges in cyberwarfare is applying these time-honored principles to actual cyber operations. These issues are set in detail below.
Another challenge is the way cyberwarfare freely mixes with aspects of everyday life. Affecting cyber systems can have negative effects on utility systems (such as electricity and water), financial systems (such as banking and paying by credit card), and communications (such as telephone systems and social media networks). Complicating the matter further, cyberwarfare techniques are often not very different from the practices of cyber criminals or spies. Because there is significant overlap and different legal regimes apply to the different areas, cyber activities require careful scrutiny from the lawyers involved.
The chapter first addresses cybercrime, followed by a discussion of the law applicable to cyber conflict. It discusses both the resort to armed conflict (jus ad bellum) and the law that applies during armed conflict (jus in bello), focusing on issues of special concern for cyberlaw practitioners. Next, the chapter looks at espionage. It finishes with a discussion of US policy in the area.
Generally, computer code is considered a form of speech and is protected under the First Amendment. That means encryption technology and cyber "weaponry" both at least potentially enjoy constitutional protection.4 Some specific elements of computer-related US laws are set out below.
In 1984 Congress passed the Computer Fraud and Abuse Act (CFAA), the first US domestic cybercrime statute. This statute prohibited unauthorized access to defense and financial computer systems in an era when the nation was just starting to awaken to the possibilities of cybercrime.5 Since then, the number and scope of US cybercrime statutes have broadened in response to the rapid expansion of cyber threats, creating a web of prohibitions and penalties designed to criminalize virtually every unauthorized use of a computer network or system.
The CFAA, located at 18 USC §1030, remains the nation's preeminent cybercrime statute, criminalizing seven main types of computer-related activity. First, it prohibits the act of obtaining national security information without authorization and then willfully retaining that information or providing or attempting to provide that information to an unauthorized recipient.6 Second, it prohibits the unauthorized access of information from financial institutions, US government agencies, or any other protected computer.7 Third, it prohibits trespassing into a federal government computer, even when no information is obtained during such trespass.8 Fourth, it prohibits the unauthorized access of a protected computer with intent to defraud if the access furthered the intended fraud and resulted in the obtaining of something of value by the unauthorized party.9 Fifth, it prohibits the unauthorized access of a protected computer that results in physical or logical damage.10 Sixth, it prohibits a person from trafficking in computer passwords or similar information when the trafficking affects interstate or foreign commerce or may be used to access without authorization a computer used by or for the federal government.11 Seventh, it prohibits extortion attempts involving a threat to cause damage to a protected computer or a threat to impair the confidentiality of information obtained from a protected computer.12
The Wiretap Act, located at 18 USC §2511, also has expanded to account for the crimes of the computer age. Originally designed to regulate the use of wiretaps to investigate crime, it has come to criminalize other types of unauthorized communication intercepts and disclosures, including "electronic communications," such as those made over the Internet.13 The core prohibition of the Wiretap Act disallows any person from intentionally intercepting, or attempting to intercept, any wire, oral, or electronic communication.14 The Wiretap Act also prohibits the intentional disclosure of communications that are known to have been illegally intercepted.15 Finally, the Wiretap Act prohibits the use of the contents of any wire, oral, or electronic communication with knowledge or a reason to know that the contents were obtained through an unauthorized intercept.16
A plethora of other domestic federal statutes also cover cybercrime, including the following:
Most states also have computer crime statutes that might be relevant in some situations. In a situation involving computer fraud or damage to or unauthorized access to a computer, it may be worthwhile to research applicable state law.
Given continuing issues with hacking and the proliferation of malicious software, the volume of laws designed to deter and punish cybercrime will most likely continue to increase. In fact, as recently as January 2015, Pres. Barack Obama announced legislative proposals that would "allow for the prosecution of botnets, criminalize the overseas sale of stolen U.S. financial information like credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk or commit ID theft, and would give courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity."24 It remains to be seen how many of these proposals will be added to the burgeoning cybercrime legal regime.
In contrast to the significant volume of domestic legislation, little international law currently exists to combat the problem of cybercrime. In fact there is only one major international treaty on the matter, the aptly named Convention on Cybercrime (also known as the Budapest Convention), which came into force in 2004.25
The core provisions of the Budapest Convention require the convention's signatories (which as of this writing include the United States and 46 other countries) to define criminal offenses and sanctions under their domestic laws for four categories of computer-related crimes: fraud and forgery, child pornography, copyright infringements, and security breaches such as hacking, illegal data interception, and system interferences that compromise network integrity and availability.26 The convention also requires signatories to establish domestic procedures for detecting, investigating, and prosecuting computer crimes and for collecting electronic evidence of any criminal offense.27 Finally, and perhaps most importantly, the convention requires signatories to establish a rapid and effective system for international cooperation in the investigation and prosecution of cybercrime, as the convention deems cybercrimes to be extraditable offenses and permits law enforcement authorities in one country to collect computer-based evidence for those in another.28 Although the Budapest Convention has nowhere near universal acceptance, evidence would indicate that it is rapidly gaining acceptance, given that 16 of the 47 current signatories have acceded to the convention since 2012.29
An additional protocol to the Budapest Convention, criminalizing acts of a racist and xenophobic nature committed through computer systems, came into force in 2006.30 This additional protocol specifically criminalizes the dissemination of racist and xenophobic material through a computer system, the issuance of threats or insults of a racist or xenophobic nature through a computer system, or the distribution of material that "denies, grossly minimizes, approves or justifies acts constituting genocide or crimes against humanity" using a computer system.31 Although the number of countries that has signed and ratified the additional protocol currently stands at 24, the United States has not ratified or even signed it.32 This is believed to be due to concerns that the additional protocol's provisions are inconsistent with US constitutional guarantees—most notably the right to free speech. In fact the principal reason the additional protocol exists is because the United States objected to the inclusion of prohibitions on racist and xenophobic speech in the Budapest Convention.33 Thus, it is unlikely that the United States will accede to this additional protocol for the foreseeable future.
The word cyberspace has been defined in a variety of ways, reflecting different ways of thinking about it. Is cyberspace a shared, consensual hallucination as the originator of the term suggested?34 Or is it more corporeal, as the Department of Defense (DOD) has determined: "the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers"?35 This chapter will track DOD's definition, leaving aside the human element that is often considered part of the definition of cyberspace.36 In the future, that may well be an important part of any discussion of cyberspace operations, but for the present, US law, policy, and doctrine are built around a machine-oriented view.
Determining what cyberspace is does not answer the question of its legal status. It has been suggested that cyberspace be treated as a global common, similar to the high seas.37 Implementing a global commons theory would be problematic, because there seems to be little interest among states in considering cyberspace a freely shared resource. Even if states agreed, there are plenty of nonstate actors who operate to their own benefit and the detriment of others, so for now any meaningful cyber commons remain just a noble ideal.
The majority position is that because the Internet is hosted on infrastructure (routers, cables, servers, etc.) existing on physical territory, cyberspace remains subject to traditional notions of territorial sovereignty. Even taking this most conservative approach raises practical questions. Normally, states are expected to control their own territory, ensuring that criminal and aggressive actions do not emanate from it. Because of privacy, free speech, volume of data, and other challenges, states really do not control cyber activities moving across infrastructure in their territory. It is estimated, for example, that about 25 percent of all command-and-control servers controlling botnets and over 40 percent of malware sites are hosted in the United States.38 Presumably, the United States would prefer it if this criminal activity with global effects were not occurring, but cyber sovereignty seems to have practical limits. In the future there may be agreement on some modified version of traditional sovereignty, with states assuming responsibility for actions they know about. Under the current system, affecting networks or other computer infrastructure located in a territory of another state might be a violation of sovereignty, although questions remain about exactly when and how virtual intrusions violate territorial sovereignty. Any violation of sovereignty is unfriendly, but violations that cross the threshold of noninterference are most serious. The nonintervention principle mandates that states not take coercive or dictatorial actions that deprive another state of control over a sovereign matter (e.g., military, political, economic, or cultural matters). Violations of this principle could serve as a basis for exercising national self-defense.39
For millennia, humankind has struggled to decide when it is appropriate to resort to the international use of military force.40 Over time, the weight of opinion has swung between allowing the unfettered use of force by states against other states as an instrument of political power to prohibiting any manifestation of international conflict as abhorrent to civilized society.41 In the modern age, the body of law governing the conditions under which states may resort to conflict with other states, called the jus ad bellum, is centered on the Charter of the United Nations (UN), which came into force as a treaty on 24 October 1945.42
For purposes of the jus ad bellum, the most important provision of the UN Charter is Article 2(4), which states that "all members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."43 States are thus generally prohibited from using force outside of their own borders. The principal means by which the UN enforces this prohibition is through chapter VII of the charter, which outlines certain military and nonmilitary measures that the UN Security Council may take with respect to conduct deemed to be a threat to peace, a breach of peace, or an act of aggression.44
Notwithstanding the UN Security Council's role in suppressing illegal uses of force and restoring international peace and security, states that find themselves subjected to an illegal use of force may also defend themselves in the absence of or in conjunction with UN Security Council assistance. Article 51 of the UN Charter codifies this well-established principle when it states that "nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations"45 Although the plain language of Article 51 would seem to indicate that the right of self-defense exists only after a state has been attacked, the weight of opinion on the matter is that states also have a right to defend themselves against an attack that has not yet been prosecuted but is imminent.46 The degree to which this right extends temporally, prior to the execution of an attack, is the subject of a debate that goes beyond the scope of this chapter.
What remains then is the question of what activities would qualify as a use of force under Article 2(4) that could potentially lead to intervention by the UN Security Council, and what activities would qualify as an armed attack under Article 51 that would allow a state to act pursuant to its right of self-defense. On these points, the UN Charter provides no further guidance. However, for assistance in defining the term use of force, many authorities turn to Resolution 3314 of the UN General Assembly, which provides examples of acts that would qualify as "acts of aggression." These acts include the following:
Further, for guidance on what constitutes an "armed attack," many authorities turn to the decision of the International Court of Justice (ICJ) in its judgment in the Military and Paramilitary Activities in and against Nicaragua Case, also known as the Nicaragua Case.48 In this case, the ICJ held that only the "most grave" forms of the use of force would qualify as an armed attack, implying that the "scale and effects" of the act must reach some minimal threshold before it may be elevated above the level of a use of force.49 However, some states, including the United States, have held that they have the right to respond in self-defense against any illegitimate use of force, viewing that allowing a qualitative gap between actions constituting a use of force and those qualifying as an armed attack would create an untenable situation where a nation would be subjected to force and yet would not be able to defend itself,.50
How do actions in cyberspace fit within this framework? Nowhere in the UN Charter or in the classical definitions of act of aggression or armed attack are references to cyberspace or cyberwarfare to be found. However, does this mean that the actions of a state committed in or through cyberspace cannot be deemed a use of force or armed attack? Not according to the ICJ. In 1994 the ICJ issued its Advisory Opinion on the Legality of the Threat or Use of Nuclear Weapons, holding that the principles enshrined in Article 2(4) and Article 51 of the UN Charter "apply to any use of force, regardless of the weapons employed."51 The United States has signaled its acceptance of the ICJ's opinion in the context of cyberspace operations in several ways. First, in the 2011 International Strategy for Cyberspace, President Obama stated that "consistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace."52 Also, one year later, at the 2012 US Cyber Command (USCYBERCOM) Interagency Legal Conference, the US Department of State legal advisor, Harold Koh, stated that "cyber activities may in certain circumstances constitute uses of force within the meaning of Article 2(4) of the UN Charter" and that "a State's national right of self-defense, recognized in Article 51 of the UN Charter, may be triggered by computer network activities that amount to an armed attack or imminent threat thereof."53
Given that the existing jus ad bellum legal framework applies to cyberwarfare, specific acts taken in or through cyberspace are subject to examination to determine whether they rise to the level of a use of force or an armed attack.
In 2009 an international group of experts convened in Tallinn, Estonia, at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence to consider these and many other questions relating to the law and cyberwarfare.54 The conclusion this group of experts reached was that "acts that injure or kill persons or damage or destroy objects are unambiguously uses of force."55 This seems to reflect the official view of the United States, as evidenced by another statement from Koh to the effect that "cyber activities that proximately result in death, injury, or significant destruction would likely be viewed as a use of force."56 Examples of cyberspace activities that would meet this threshold would include those that trigger a nuclear plant meltdown; open a dam above a populated area, causing destruction; or disable air traffic control services, resulting in airplane crashes.57
But what of those cyberspace activities that do not cause death or destruction? While there is agreement that such activities could theoretically also rise to the level of a use of force or even an armed attack, there remains little consensus on where the line separating uses of force from nonuses of force should be drawn.58 The conclusion of the international group of experts was that, in the absence of a clear threshold, states considering a cyberspace operation will do their best to consider "the international community's probable assessment of whether the operation violates the prohibition on the use of force" by analogizing the cyberspace operation to other possible actions, applying a variety of factors that might include the following:
That the United States tends to follow this approach can be discerned once again from Koh's speech, in which he opined that "in assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors, including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues."60 For good or ill, as many uses of cyberspace operations are among those that do not cause outright death or destruction, it is likely that the current state of ambiguity regarding the legality of such operations will continue until states develop a specific treaty concerning cyberspace operations, or international norms develop through repeated state practice and custom in response to such operations.
Even if committed to following the law when suffering cyber malfeasance that falls short of a use of force or armed attack, states are not condemned to inaction. There are three potential courses of action they might take.
First, retorsion is an unfriendly but lawful response to an unfriendly, but not illegal, action by another state. As acts of retorsion are lawful, they may be punitive or anticipatory.63 For example, if a state is using an official social media account to spread negative information about another state, the second state could refuse to allow its Internet service providers to be used by the first state.
A second option, countermeasures, takes it up a notch. If a state is a victim of unlawful activity, it has the right to engage in countermeasures for the purpose of ending the other state's unlawful behavior. Countermeasures are actions that would be unlawful but for the fact that they are countermeasures. Countermeasures must be necessary and proportionate.64 Countermeasures in response to illegality perpetrated with cyber means are not limited to cyber activities, and, conversely, cyber countermeasures are available for kinetic offenses.
As the proper purpose for countermeasures is ending illegality, if the offensive conduct has already ceased, countermeasures are not appropriate. Retaliatory activity does not qualify as countermeasures. Further, anticipatory countermeasures are not permitted. However, both of these situations may be complicated by a planned or ongoing campaign of illegality. If a state has taken steps that are an integral part of the illegal act, even if the act has yet to occur, early countermeasures may be permitted. Similarly, if a particular unlawful act has ceased but was part of a continuing campaign of illegal actions, countermeasures to end the campaign might be lawful.
For example, a state might violate another state's sovereignty by planned intrusions into its territorial seas. The victim state in this case might decide to deny service to the ship's communications systems by overloading them with routine network traffic. Interfering with the ship's systems would be unlawful but for the fact that it is an appropriate countermeasure.65
Finally, a third legal framework option a state might use for a response is referred to as the plea of necessity. If an essential interest of a state is subject to a grave and imminent peril, a state may respond.66 Although the action taken would resemble a countermeasure (i.e., normally be unlawful), it would differ in that it would ordinarily be anticipatory.
The best documented event that clearly constituted a cyber attack is Stuxnet, a cyber attack against Iran's nuclear weapons program that destroyed about 1,000 nuclear centrifuges.67 Malware specifically designed to target the brand and source of the industrial control system that operated the uranium enrichment facility at Natanz was able to bridge the air gap between the system and the Internet and wreak controlled havoc on the Iranian program.68 The malware worked by causing the delicate centrifuges to change their rotation rate in a way that exceeded their design. Because the centrifuges were physically damaged, Stuxnet is generally considered to be an example of a cyber attack.
Of course, it is important to note that before any response action is completed, there must be attribution, an assignment of responsibility for the unfriendly activity. Most nefarious activity is designed to disguise the identity of the responsible actor. This can be done in various ways.69 Fortunately, there is also a variety of technical means to discover who is responsible for carrying out cyber activity. The means may involve analyzing the malware for clues about the author or similarities to previous events. It might also analyze network traffic through a variety of means to discover the original source of the malware.70
Given that cyber operations can be launched by individuals acting alone, those sponsored by groups or states, or even by individuals who don't know their sponsor, attribution is rarely absolutely certain. While in some areas of law this might preclude taking action, in international law the standard is reasonableness.71 If a state believes attribution is reasonably established, it may move forward to considering options.
Because states have been reluctant to agree on how the law applies to cyber operations, norms development has assumed a larger role in the discussion. Norms are "shared expectations among states about appropriate behavior."72 The United Nations Group of Government Experts, of which the United States is a member, has suggested a series of norms that seem to have fairly widespread acceptance. They include the following: states should not knowingly allow their territory to be used for internationally wrongful acts and should not conduct or knowingly damage or impair the use of critical infrastructure or the information systems of emergency response teams. States should also cooperate to assist in criminal investigations involving information and communications technologies [cyber].73
Although norms are not law, they do begin to define the behavior that might someday, through custom and practice, become international law. Because cyberspace is a new field of operations, states have seemed reluctant to agree to bind themselves legally. More flexible norms and other confidence-building measures may be the best option available at this point.74
Presuming that a state of hostilities already exists between states, the use of cyberspace operations as a tool of warfare will be regulated by a completely different body of law called the jus in bello. This body of law, most commonly referred to in the United States as the law of armed conflict (LOAC), regulates the conduct of the parties in all aspects of armed conflict.75 Unlike the jus ad bellum, the corpus of the LOAC resides within a diversity of treaties, the most significant of which include the following:
As can be seen, the majority of these treaties came into force more than a half-century ago, and the two Additional Protocols to the Geneva Conventions were promulgated while the Internet was still in its infancy. However, while there is no reference to cyberspace or to cyber warfare within any of the major treaties that compose the LOAC, the weight of opinion is that the principles enshrined within these treaties apply to cyberspace operations in the same way that they apply to other military capabilities. This is through the Martens Clause, proposed by Fyodor Fyodorovich Martens, the Russian delegate to the Hague Convention of 1899, which states that "until a more complete code of the laws of war is issued, the High Contracting Parties think it right to declare that in cases not included in the Regulations adopted by them, populations and belligerents remain under the protection and empire of the principles of international law, as they result from the usages established between civilized nations, from the laws of humanity and the requirements of the public conscience."77 Similar clauses have been incorporated into every subsequent major LOAC treaty, and the widespread presence of such clauses in these treaties has been interpreted to mean that the basic principles of the LOAC apply to all means and methods of warfare, regardless of whether they were foreseen in negotiating a particular treaty or not.78
What, then, are the basic principles of the LOAC that serve to restrain the use of cyberspace operations within armed conflict? For our purposes, we will discuss five such principles: military necessity, distinction, proportionality, humanity (or unnecessary suffering), and chivalry (or honor). Keep in mind that these principles only apply to cyberspace operations that qualify as attacks, meaning those actions that have the tendency to result in damage or destruction to objects or injury or death to people.79 This can make assessing cyber operations for legal compliance more challenging given that cyber capabilities can be used for mischief that does not rise to the level of an attack in the context of armed conflict, making the application of the principles of LOAC, such as distinction and proportionality, uncertain.80 Disruptive activities might include power brownouts, DDoS, intermittent interruption of communications services, and so forth.81 As long as these events do not physically damage equipment or injure anyone, they do not qualify as attacks as currently defined.82 These occurrences have typically been dealt with as law enforcement issues.
Military necessity. The principle of military necessity, which can be found in Article 23(g) of the 1907 Hague Convention, simply requires that the means and methods of warfare used by a combatant to defeat the enemy as quickly and efficiently as possible not be otherwise prohibited by the LOAC.83 For example, the principle of military necessity would justify those actions deemed inherently necessary by the nature of war, such as using a cyberspace operation to destroy or seize persons and property that are properly objects of attack.84 Some commentators claim that the principle of military necessity means that only those actions that are actually necessary under the circumstances are permitted.85 Under this formulation, even if an action is not specifically prohibited by the LOAC, it may still be unlawful if it is deemed to have been unnecessary. The United States has rejected this position as not properly reflecting the state of the law as contained within international treaties or state practice.86
Distinction. The principle of distinction, as codified in Article 48 of Additional Protocol (I) to the Geneva Conventions, requires that "the Parties to the conflict shall at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly shall direct their operations only against military objectives."87 Military objectives are those "objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage."88 This delineation is necessary to ensure that all parties have the respect due for civilians and their property, which are supposed to be protected as much as possible from the vagaries of war.89
In the cyber context, the application of the principle of distinction would prohibit cyber attacks capable of destroying enemy computer systems directed against ostensibly civilian infrastructure, such as computer systems belonging to stock exchanges, banking systems, and universities. However, many cyber assets are used for both military and civilian purposes, which can complicate the analysis. Such "dual-use" systems are lawful military objectives if they make an effective contribution to the enemy's warfighting efforts.90 This increasing interconnection between military and civilian cyber infrastructure has rendered civilian systems potentially more at risk. Electrical grids, communications nodes, transportation systems—all are potentially lawful military targets. This is also an issue with kinetic operations, but the reach and scope of cyber capabilities increase the opportunity to actually carry out operations against such objects.
Just before launching an air strike on Syrian nuclear facilities in 2007, Israel apparently used cyber techniques to reduce the effectiveness of Syrian air defenses, enabling Israeli jets to carry out the mission unhindered. Integrated air defense systems are clearly valid military targets.91
The principle of distinction would also prohibit the use of cyber attacks against civilians. However, civilians who engage in attacks, including attacks of a cyber nature, are deemed to be "directly participating in hostilities," which consequently causes them to lose the protections generally accorded to civilians and become valid targets.92 Interestingly, the general rule that civilians should not be used to engage in attacks can be difficult to apply in cyber operations.93 The US policy about which cyber activities amount to an attack is unclear, so determining which activities would qualify a civilian as directly participating in hostilities can be a challenge. Also, the issue with civilians participating in fighting is that they can compromise the safety of nonparticipating civilians. However, as the nature of cyber operations is such that they may be conducted from distant and secure locations, there is no practical additional danger to civilians caused by cyber operators launching cyber attacks. It is possible that civilians conducting cyber operations amounting to an attack could be subject to criminal prosecution either by the enemy or by an international tribunal.
Ultimately, although cyber attacks upon either dual-use objects or civilians directly participating in hostilities would not be prohibited by the principle of distinction, as with attacks on all other valid targets, such strikes still need to be tempered through the application of the principle of proportionality discussed below.
Finally, the principle of distinction would prohibit the use of indiscriminate cyber weapons that cannot be directed at a specific military objective or limited in their effects.94 For example, combatants could not employ a cyber weapon that strikes randomly once employed and thus could just as easily strike a protected computer system as one constituting a valid military objective.95 Combatants would also be prohibited from employing a type of malware that is capable of targeting specific military objectives but which, upon striking its objective, spreads uncontrollably and causes harm to purely civilian networks.96
Proportionality. The principle of proportionality finds its expression most clearly in Article 57(2)(iii) of Additional Protocol (I) to the Geneva Conventions, which states that parties to an armed conflict are to "refrain from deciding to launch any attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated."97 This principle recognizes that civilians and civilian objects, while generally protected from being made the direct object of attack, may, in some situations, be incidentally harmed by a strike conducted against a valid military target.98 In such situations, however, those ordering a strike should remain mindful of the protections generally afforded civilians and civilian objects and thus take feasible measures to limit the collateral damage that attacks will generate.99 In the cyber context, for example, it would be important when planning a cyberspace operation against a military computer system to assess the potential for damage to private civilian computers that hold no military significance but just happen to be networked to the military computers that will be struck.100 In situations where collateral damage may be difficult to quantify or fully predict, the requirement is to consider all apparently reliable information reasonably available at the time.101
However, when examining the concept of proportionality in the context of a specific cyberspace operation, keep in mind the distinction between collateral damage and collateral effects. While cyberspace operations may result in death or destruction—collateral damage—that must be taken into account when calculating the proportionality of a strike, cyberspace operations may also result in nondestructive collateral effects, such as inconvenience, irritation, stress, or fear, which need not be considered when determining whether a particular attack was proportional.102 For example, a minor, brief disruption of Internet services to civilians might result incidentally from a cyber attack against a military objective. The inconvenience caused by this disruption would be a collateral effect that would not need to be measured and compared against the military advantage gained for purposes of a proportionality analysis.103
Humanity. The principle of humanity (also known as the principle of unnecessary suffering) is codified in Article 35(2) of Additional Protocol (I) to the Geneva Conventions. Under this provision, parties to a conflict are prohibited from employing "weapons, projectiles, and material and methods of warfare of a nature to cause superfluous injury or unnecessary suffering."104 Basically, one may only inflict the amount of suffering that is absolutely necessary to accomplish a military objective. Any suffering above and beyond that is inhumane.105 This principle is most often used to prohibit the use of weapons that are crafted in such a way as to create suffering above and beyond that which is necessary or to prohibit the use of otherwise legal weapons in ways that are calculated to cause such an unnecessary amount of suffering.106 In the cyber context, for example, if an enemy combatant has an Internet-addressable pacemaker device with a built-in defibrillator, it would be lawful to take control of the pacemaker to kill him or to otherwise take him out of the fight. However, it would be unlawful to conduct the operation in a manner that is intended to cause additional pain and suffering for their own sake, such as stopping his heart and reviving him multiple times before killing him.107
In order to ensure compliance with the principle of avoiding unnecessary suffering, the DOD requires a legal review of all weapons before the military is permitted to use them.108 The DOD's requirement to review weapons predates Additional Protocol I, but the rule observed by other legally compliant states is Article 36 of the protocol. The DOD, in its reviews, ensures that its weapons are not inherently indiscriminate and that they are not calculated to cause superfluous injury. Additionally, the DOD ensures its weapons are in compliance with specific treaties, such as those banning poisoned and biological weapons.109
Reviews of kinetic weapons are relatively straightforward; they may involve test firing weapons and field tests. Cyber weapons, on the other hand, are not only difficult to review but also difficult to even define.110 On the contrary, cyber methods of warfare are susceptible to review, and methods of warfare, although less often discussed, are also addressed in the prohibition of unnecessary suffering. Terrorism, starvation, and perfidy (discussed below) are all examples of prohibited means of warfare.111 For example, as discussed above, methods of cyberwarfare that are indiscriminately destructive are unlawful, including the random distribution of malware that damages physical computer components. Of course, the military utility of such a method of warfare seems relatively limited. As technology advances, legal advisers will need to be ready to review new methods for compliance.
The DOD Law of War Manual provides little guidance to practitioners regarding the legal review of cyber weapons. It merely notes that "[n]ot all cyber capabilities . . . constitute a weapon or weapons system" and then directs readers to regulations of the various services.112 Unfortunately, the services have not been especially forward leaning in defining cyber weapons.
The Air Force is the first, and to date only, service to regulate the issue specifically. Air Force Instruction (AFI) 51-402, Legal Reviews of Weapons and Cyber Capabilities, defines weapons as "devices designed to kill, injure, disable or temporarily incapacitate people, or destroy, damage or temporarily incapacitate property or materiel."113 Generally, it is computer code or hacking techniques that form the basis of a cyber attack. Much less often does a cyber attack involve a physical device. So, most of the time, the instrumentality of a cyber attack will not qualify as a cyber weapon under the Air Force's formulation. The instruction addresses this gap with the term cyber capability. A cyber capability is "any device or software payload intended to disrupt, deny, degrade, negate, impair or destroy adversarial computer systems, data, activities or capabilities."114 The definition of cyber capability goes on to exclude "a device or software that is solely intended to provide access to an adversarial computer system for data exploitation."115
Once something is defined as a cyber capability (and not intended for espionage), a rigorous requirement for legal review attaches. The Air Force requires that "all cyber capabilities being developed, bought, built, modified or otherwise acquired by the Air Force . . . are reviewed for legality under LOAC, domestic law and international law prior to their acquisition for use in a conflict or other military operation."116 On its face, this provision requires a new legal review every time a line of code is modified. As this could happen dozens of times during the course of a single operation, and would happen thousands of times during the development process, how the Air Force will actually administer the requirement is unclear.
The Tallinn Manual takes a different approach, in that it appears to put more responsibility on the operational legal adviser to ensure compliance with the law, recognizing the speed at which operations may proceed.117 The Tallinn Manual also excludes any requirement for a new review when code is changed in a minor or insignificant way. Finally, the Tallinn Manual does not exempt capabilities from legal review based on the motivation behind their intended use but rather focuses on the effect of the capability in the operational context.118
Honor. The principle of honor (also known as chivalry) stands for the proposition that the application of the weapons of war should be tempered by "a certain amount of fairness in offense and defense and a certain mutual respect between opposing forces."119 Basically, as expressed in Article 35(1) of Additional Protocol (I) to the Geneva Conventions, the principle of honor is an explicit recognition that "in any armed conflict, the right of the Parties to the conflict to choose methods or means of warfare is not unlimited."120 Most commonly, honor prohibits killing, injuring, or capturing an adversary through acts of perfidy, defined in Article 37(1) of Additional Protocol (I) to the Geneva Conventions as "acts inviting the confidence of an adversary to lead him to believe that he is entitled to, or is obliged to accord, protection under the rules of international law applicable in armed conflict, with intent to betray that confidence."121 The rationale is that such actions would potentially undermine or dilute the effectiveness of the protections afforded by the LOAC, impair the ability of the parties to interact in a nonhostile way, such as through diplomatic negotiations, and damage the basis for the restoration of peace short of the total destruction of one party by another.122
For example, in the cyber context, the principle of honor or chivalry would prohibit the use of e-mail to invite the enemy to a meeting with a representative of the International Committee of the Red Cross (an internationally recognized protected symbol) with intent to lead enemy forces into an ambush.123
The principle of honor is not intended to prohibit all types of military deception. Article 37(2) of Additional Protocol (I) to the Geneva Conventions expressly allows ruses of war, which are "acts which are intended to mislead an adversary or to induce him to act recklessly but which infringe no rule of international law applicable in armed conflict and which are not perfidious because they do not invite the confidence of an adversary with respect to protection under that law."124 In the cyber context, such lawful ruses would include the creation of a dummy computer system simulating nonexistent forces, transmission of false information causing an opponent erroneously to believe operations are about to occur or are under way, bogus orders purported to have been issued by the enemy commander, and so forth.125
In any event, application of this principle in cyberspace may be especially difficult, as the notion of honor in long-range combat is already strained. It seems almost quaint that in cyberwarfare, from thousands of miles away, where foes are effectively reduced to electrons and icons on a computer screen, that a notion of fair play would be part of the combat equation. Nevertheless, it is included in the Law of War Manual.
One particular oddity in the Law of War Manual's discussion of honor is its assertion that there is an obligation to avoid inconvenience to civilians, but only in the case of cyber operations: "[E]ven if a cyber operation is not an 'attack' or does not cause any injury or damage that would need to be considered under the proportionality rule, that cyber operation still should not be conducted in a way that unnecessarily causes inconvenience to civilians or neutral persons."126 It is not clear why the DOD included this language in the cyber operations chapter when inconvenience is not a consideration in warfare, as noted elsewhere in the Law of War Manual.127 The principles apply during times of war, when causing death and destruction is lawful, at least under the appropriate circumstances. Under these conditions, the attention due avoiding mere inconvenience is de minimus.
The most straightforward use of cyberwarfare is when cyber activity is taken in conjunction with kinetic action, and the best known example of this occurred in 2008 when Russia invaded the Republic of Georgia. Concurrent with the movement of Russian troops into South Ossetia (the region of Georgia Russia targeted), the majority of websites in the region were taken down. Additionally, cyber attacks took down Georgian government websites at the same time.128
Electronic warfare (EW) has generally been considered separately from cyberwarfare, but there is a trend toward combining the two disciplines. This is being driven by a recognition that both areas rely on the electromagnetic spectrum to some extent and that maintaining a false separation is illogical and potentially detrimental to operations in both areas. Unlike cyberwarfare, EW has a long history of doctrine and practice that enables it to operate as an integral part of kinetic operations. For example, an airstrike would not be routed over contested territory without suppressing enemy air defenses, which can be an EW mission.
It should be noted up front that intelligence law is a very specialized area of practice. Before rendering advice on such matters, legal advisers who do not work in the area regularly should consult with those who do. Classification issues and the large number of organizations involved in the area make it a potentially treacherous field for lawyers.
In the United States, laws designed to safeguard the privacy and constitutional rights of Americans restrain the ability of an intelligence agency to gather intelligence.130 For purposes of intelligence gathering by the DOD, the principal sources of law in this arena are Executive Order 12333, United States Intelligence Activities; DOD Directive 5240.01, DOD Intelligence Activities; and DOD 5240.1-R, Procedures Governing the Activities of DOD Intelligence Components.
The intelligence oversight rules contained within the above documents only apply when members of US intelligence components attempt to collect information on US persons.131 For purposes of these procedures, information is deemed to be collected only when it has been received for use by an employee of an intelligence component in the course of his or her official duties.132 Data collected by electronic means is collected only when it has been processed into intelligible form. A US person is any one of the following: a US citizen, an alien known by the DOD intelligence component concerned to be a permanent resident alien, an unincorporated association substantially composed of US citizens or permanent resident aliens, a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments.133
Persons or organizations outside the United States are presumed to not be US persons unless specific information to the contrary is received. Also, aliens in the United States are not presumed to be US persons unless specific information to the contrary is received.134
In order for a member of an intelligence component to collect information on a US person, that collection must be a necessary aspect of the mission assigned the collecting component, and the information collected must be within one or more of the following categories: information obtained with consent, publicly available information, foreign intelligence, counterintelligence, potential sources of assistance to intelligence activities, protection of intelligence sources and methods, physical security, personnel security, communications security, narcotics, threats to safety, overhead reconnaissance, and/or administrative purposes.135
Collection of foreign intelligence information by DOD components by means of electronic surveillance is subject to additional restrictions. For example, electronic surveillance for foreign intelligence and counterintelligence purposes may normally be conducted in the United States only pursuant to an order issued by the Foreign Intelligence Surveillance Court, and electronic surveillance for foreign intelligence and counterintelligence purposes may normally only be conducted outside the United States pursuant to the approval of the US attorney general.136 Although DOD 5240.1-R also briefly discusses procedures for conducting signals intelligence, most information dealing with signals intelligence is limited to a classified annex promulgated by the director of the National Security Agency.137
It is well-established that states commonly use cyberspace to conduct espionage activities against other states and nonstate groups.138 When used within the context of an armed conflict, espionage activities are permitted, subject to limitations imposed by the LOAC—such as the prohibition on acts of perfidy.139 Outside of armed conflicts, however, international law neither expressly condones nor condemns espionage.140 In fact, despite the fact that espionage has been commonly used to gather information since ancient times, there has been little international effort to determine what the limits on acceptable espionage might be or even to note its international legality.141 States have seemed satisfied to pass domestic legislation prohibiting espionage activities conducted against them, while simultaneously dedicating much time, effort, and resources to conducting espionage against others—both friend and foe.142 It is clear that in the absence of a direct prohibition in international law on espionage per se, cyber espionage would not rise to the level of use of force under the jus ad bellum legal framework discussed earlier.143
Although the rule, or lack of rules, is straightforward, the application in cyberspace can be difficult. In physical space, it is generally easy to distinguish espionage and more aggressive action. Traditional combatants wear uniforms and carry weapons openly, and someone using kinetic weapons to wound or kill is unlikely to be mistaken for a spy because the activities are just too different.
Cyber espionage, on the other hand, could easily be mistaken for aggressive activity. Obtaining unauthorized access to a computer or network, elevating privileges from user to administrator, viewing system files, and installing malware for persistent access are examples of activities that would be undertaken in both cyber espionage and in cyber attack operations. This ambiguity has the potential to create confusion over whether a particular cyber operation should be considered aggressive or a use of force. Consequently, the traditional international law position that ignores espionage may not be tenable in cyberspace in the long run.
The United States has long felt that cyber espionage with the purpose of stealing industrial information for profit should be treated less favorably than espionage for national security. There has historically been little support for this position, but in 2015, China, whose cyber-espionage activities are often pointed out as the primary reason for US concerns in the area, appeared to give some ground on the issue. The United States and China agreed that neither country's government would conduct or support cyber-enabled theft of intellectual property with the intent of providing competitive advantage to private companies.144 There are concerns that Chinese behavior will not change, but even its recognition of a separate class of espionage might be seen as a victory of sorts for the US position.
In 2008 the DOD's classified military computer networks were compromised by malware. A flash drive preloaded with targeted malware was inserted into a military laptop at a base in Southwest Asia. The malicious code spread from US Central Command's computer network across the DOD information network, infecting both classified and unclassified computers. The purpose of the malware was to discover what information was available on the network, report back to its controller, and then exfiltrate desired information. The DOD concluded the malware was distributed by a foreign intelligence agency.145
Operation Buckshot Yankee is an example of an operation that doesn't rise to the level of a use of force or armed attack but is rather an effective demonstration of the value of cyber techniques as tools of espionage. Another example is the Office of Personnel Management hack of 2015, which resulted in the exfiltration of the personal data of millions of individuals who hold security clearances in the United States.146
Perhaps more than other areas of DOD practice, US cyber operations are affected by internal government policies and are scrutinized by an intensive interagency review process.147 This may be because the law in the area is unsettled. Unfortunately, there are only a few public documents relevant to the US view of the international law applicable to cyberwarfare. The primary ones are the International Strategy for Cyberspace (2011), Koh's speech at the USCYBERCOM Interagency Legal Conference (2012), and the DOD Cyber Strategy (2015).148
There is also a chapter on cyber operations in the DOD Law of War Manual, but as discussed earlier, it contains little of note. It leans heavily on Koh's speech and adds nothing new, making it necessary to turn elsewhere for more comprehensive guidance. For example, the DOD Law of War Manual cyber chapter notes that none of the following would constitute a cyber attack during armed conflict: defacing government webpages; briefly disrupting Internet service in a minor way; briefly disrupting, disabling, or interfering with communications; or disseminating propaganda. These examples are so obvious and limited that they are of little use to legal practitioners in the field.
Turning now to the earliest and broadest of the current US policy documents, the International Strategy for Cyberspace is largely an aspirational list of how things ought to be with cyber operations and international relations relevant to cyberspace. It does, however, provide a useful statement of US policy: "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country."149 This statement, although carefully ambiguous, makes clear that there is a point at which the United States will consider cyber aggression the equivalent of a traditional kinetic attack, earning an aggressive cyber—or even kinetic—response.
The DOD Cyber Strategy of 2015 is an update of its 2011 strategy. The original document was almost entirely defensive; the 2015 version offers a bit more of interest to LOAC practitioners. For one thing, it is reportedly the first document in which the United States publicly says cyberwarfare is an option for the military in future conflicts. It notes that "the U.S. military may conduct cyber operations to counter an imminent or on-going attack against the U.S. homeland or U.S. interests in cyberspace" and further indicates the military might use cyber operations to terminate an ongoing conflict on US terms to prevent the use of force against US interests or to deter or defeat strategic threats in other domains.150 Also of interest, the strategy lists "military-related" critical infrastructure as a potential target of cyber operations.151
Some other documents that may be of interest to legal advisers include the National Response Framework (Cyber Incident Annex),152 the draft National Cyber Incident Response Plan,153 and the memorandum of agreement between the DOD and the Department of Homeland Security regarding cybersecurity.154
Cyberspace and the activities that occur in cyberspace continue to grow in importance and complexity. Most state actions in cyberspace are carried out in secret, and states appear to have little interest in agreeing to new treaty law or specific norms of behavior. As a result, cyber operations will continue to be a law-intensive subject, requiring the work of attorneys with deep and broad knowledge of the area as well as an ability to adapt quickly to changing situations. This chapter serves as a basic starting point and reference, but in this ever-changing field, continual research is required to remain current.
1. Steven Metz and James Kievit, Strategy and the Revolution in Military Affairs: From Theory to Policy (Carlisle, PA: Strategic Studies Institute, 27 June 1995), http://www.strategicstudiesinstitute.army.mil/pdffiles/PUB236.pdf.
2. See discussion on the notion of attack, infra.
3. Department of Defense (DOD) Directive 2311.01E, DOD Law of War Program, 22 February 2011, para. 4, http://www.dtic.mil/whs/directives/corres/pdf/231101e.pdf.
4. In Bernstein v. United States Department of Justice, 9th Circuit, 1999, the court protected the dissemination of computer code under the First Amendment.
5. H. Marshall Jarrett and Michael W. Bailie, Prosecuting Computer Crimes (Washington, DC: Office of Legal Education Executive Office for United States Attorneys, 2011), 1.
6. Computer Fraud and Abuse Act of 1984 (CFAA), US Code, vol. 18, sec. 1030(a)(1).
7. Ibid., sec. 1030(a)(2).
8. Ibid., sec. 1030(a)(3).
9. Ibid., sec. 1030(a)(4).
10. Ibid., sec. 1030(a)(5).
11. Ibid., sec. 1030(a)(6).
12. Ibid., sec. 1030(a)(7).
13. Jarrett and Bailie, Prosecuting Computer Crimes, 59.
14. CFAA, sec. 2511(1)(a).
15. Ibid., sec. 2511(1)(c).
16. Ibid., sec. 2511(1)(d).
17. Ibid., sec. 2701(a).
18. Ibid., sec. 1028(a)(7).
19. Ibid., sec. 1028A.
20. Ibid., sec. 1029.
21. Ibid., sec. 1343.
22. Jarrett and Bailie, Prosecuting Computer Crimes, 110.
23. CFAA, sec. 1362.
24. The White House, "Securing Cyberspace—President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts," The White House, 13 January 2015, https://www.whitehouse.gov/the-press-office/2015/01/13/securing-cyberspace-president-obama-announces-new-cybersecurity-legislat.
25. Kristin Archick, Cybercrime: The Council of Europe Convention (Washington, DC: Congressional Research Service, 2004), 2.
26. US Department of State, Convention on Cybercrime, Treaties and Other International Acts 13174, 1 July 2004, 13174, Articles 7–10.
27. Ibid., Articles 14–22.
28. Ibid., Articles 23–34.
29. Council of Europe (COE) Treaty Office, Chart of Signatures and Ratifications of Treaty No. 185: Convention on Cybercrime, Council of Europe, 19 October 2015, ETS no. 185, http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=WRdndSqa.
30. COE Treaty Office, Details of Treaty No. 189: Additional Protocol to the Convention on Cybercrime, Concerning the Criminalisation of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, Council of Europe, 28 January 2003, ETS no. 189, http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/189.
31. Ibid., Articles 3–6.
32. COE Treaty Office, Chart of Signatures and Ratifications of Treaty No. 189: Additional Protocol to the Convention on Cybercrime, Concerning the Criminalization of Acts of a Racist and Xenophobic Nature Committed through Computer Systems, accessed 16 December 2016, http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/189/signatures?p_auth=WRdndSqa.
33. Archick, Cybercrime, 2–3.
34. William Gibson, Neuromancer (New York: Ace Books, 1984).
35. DOD, Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms (as amended through 15 October 2015).
36. For example, the Congressional Research Service defined cyberspace as "the total interconnectedness of human beings through computers and telecommunication without regard to physical geography." Steven A. Hildreth, "Cyberwarfare," report for Congress, 19 June 2001, https://www.fas.org/sgp/crs/intel/RL30735.pdf.
37. See, for example, Michael Chertoff, "The Strategic Significance of the Internet Commons," Strategic Studies Quarterly 8, no. 2 (Summer 2014): 10–16, http://www.au.af.mil/au/ssq/digital/pdf/summer_2014/chertoff.pdf.
38. Jaikumar Vijayan, "US Tops List of Countries Hosting Malware and Botnets," Security Intelligence, 18 November 2014, https://securityintelligence.com/news/us-tops-list-of-countries-hosting-malware-and-botnets/.
39. An excellent treatment of the application of the noninterventional principle in a cyber context is Ashley Deeks, "The Geography of Cyber Conflict: Through a Glass Darkly," International Law Studies 89, no. 1 (2013): 1, http://stockton.usnwc.edu/cgi/viewcontent.cgi?article=1043&context=ils.
40. Internet Encyclopedia of Philosophy, s.v. "Just War Theory," accessed 5 November 2015, http://www.iep.utm.edu/justwar/.
41. Yoram Dinstein, War, Aggression and Self-Defence (Cambridge, UK: Cambridge University Press, 2001), 71–80.
42. Ibid., 80.
43. Charter of the United Nations, 26 June 1945, Article 2(4), http://www.un.org/en/sections/un-charter/chapter-i/index.html.
44. Ibid., Articles 39–50, http://www.un.org/en/sections/un-charter/chapter-vii/index.html.
45. Ibid., Article 51, http://www.un.org/en/sections/un-charter/chapter-vii/index.html.
46. Dinstein, War, Aggression and Self-Defence, 165–68.
47. UN General Assembly, Resolution 3314 (XXIX), "Definition of Aggression," 14 December 1974, http://legal.un.org/avl/ha/da/da.html.
48. Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge, UK: Cambridge University Press, 2013), 55, https://issuu.com/nato_ccd_coe/docs/tallinnmanual/75?e=0/1803379.
49. Republic of Nicaragua v. United States of America, in International Court of Justice Reports, 27 June 1986, 101–4, http://www.icj-cij.org/docket/files/70/6503.pdf.
50. Matthew C. Waxman, "Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)," Yale Journal of International Law 36, no. 42 (2011): 438, http://dx.doi.org/10.2139/ssrn.1674565.
51. Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, in International Court of Justice Reports (1996), 244.
52. President, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (Washington, DC: The White House, 2011), 10, https://www.whitehouse.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf.
53. Harold Hongju Koh, "International Law in Cyberspace" (address, USCYBERCOM Interagency Legal Conference, Fort Meade, MD, 18 September 2012).
54. The resulting Tallinn Manual identifies international law applicable to cyber warfare and sets out 95 rules with accompanying commentary. It represents the opinion of the international group of experts who drafted it and is not necessarily reflective of the positions of NATO or any member state.
55. Schmitt, Tallinn Manual, 48.
56. Koh, "International Law in Cyberspace."
57. DOD General Counsel, Department of Defense Law of War Manual, 12 June 2015, 998.
58. Schmitt, Tallinn Manual, 48.
59. Ibid., 48–51.
60. Koh, "International Law in Cyberspace."
61. Eneken Tikk, Kadri Kaska, and Liis Vihul, International Cyber Incidents: Legal Considerations (Tallinn, Estonia: Cooperative Cyber Defence Centre of Excellence, 2010), 15–25.
62. Ibid., 25–26.
63. Schmitt, Tallinn Manual, rule 9, comment 13.
64. Ibid., rule 9, comment 2.
65. For a discussion of countermeasures in cyber, see Gary D. Brown, Paul Walker, and Anthony W. Bell III, "Military Cyberspace Operations," in U.S. Military Operations: Law, Policy, and Practice, ed. Geoffrey Corn, Rachel E. VanLandingham, and Shane R. Reeves (Oxford, UK: Oxford University Press, 2015), 139–46.
66. UN General Assembly, Resolution 56/83, Responsibility of States for Intentionally Wrongful Acts, Article 25, 12 December 2001, http://legal.un.org/ilc/texts/instruments/english/draft_articles/9_6_2001.pdf.
67. There are at least two other examples of destructive attacks, including a 2014 cyber attack on a German steel plant that gained access to the industrial control system and caused a blast furnace to explode. R. A. Becker, "Cyber Attack on German Steel Mill Leads to 'Massive' Real World Damage," Nova Next, 8 January 2015, http://www.pbs.org/wgbh/nova/next/tech/cyber-attack-german-steel-mill-leads-massive-real-world-damage/. Another was a cyber attack on an oil pipeline in Turkey in 2008 that disabled sensors and overpressurized the oil to cause an explosion. Jordan Robertson and Michael Riley, "Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar," Bloomberg Business, 10 December 2014, http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar. Neither of these events is as well documented as Stuxnet.
68. Kim Zetter, Countdown to Zero Day (New York: Broadway Books, 2014), 243–48.
69. One popular method of masking identity on the Internet is through the use of TOR (The Onion Router). See https://en.wikipedia.org/wiki/Tor, accessed 4 December 2015.
70. Neil C. Rowe, "The Attribution of Cyber Warfare," in Cyber Warfare: A Multidisciplinary Analysis, ed. James A. Green (New York: Routledge, 2015), 61–72.
71. Monroe Leigh, "Kenneth B. Yeager v. The Islamic Republic of Iran," American Journal of International Law 82, no. 2 (April 1988): 353–62, http://www.jstor.org/stable/2203199.
72. Roger Hurwitz, A Call to Cyber Norms (March 2015), 1, https://www.americanbar.org/content/dam/aba/uncategorized/GAO/2015apr14_acalltocybernorms.authcheckdam.pdf.
73. Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (22 July 2015), http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174.
74. Paul Meyer, "Another Year, Another GGE? The Slow Process of Norm Building for Cyberspace," IC for Peace Foundation, August 2015, http://ict4peace.org/wp-content/uploads/2015/09/CyberGGEICT4PCommentAug2015aa.pdf.
75. International Committee of the Red Cross (ICRC), International Humanitarian Law: Answers to Your Questions (Geneva, Switzerland: ICRC, 2014), 8, https://www.icrc.org/en/publication/0703-international-humanitarian-law-answers-your-questions.
76. Ibid., 14–15.
77. Rupert Ticehurst, "The Martens Clause and the Laws of Armed Conflict," ICRC, 30 April 1997, https://www.icrc.org/eng/resources/documents/misc/57jnhy.htm.
79. Schmitt, Tallinn Manual, 106–7.
80. See for example William H. Boothby, The Law of Targeting (Oxford, UK: Oxford University Press, 2012), 370: "Issues of proportionality do not of course arise where there is no attack"; and DOD General Counsel, DOD Law of War Manual (Washington, DC: The Department of Defense, 2015), para. 16.5.1: "If a cyber operation constitutes an attack [it] must comport with the requirements of distinction and proportionality."
81. Gary D. Brown and Owen W. Tullos, "On the Spectrum of Cyber Operations," Small Wars Journal (11 December 2012), http://smallwarsjournal.com/print/13595.
82. The clearest definition is found in Schmitt, Tallinn Manual, Rule 30. DOD's position in the Law of War Manual (para. 16.5.1) is vague but appears to be consonant with the Tallinn formulation.
83. DOD General Counsel, DOD Law of War Manual, 52.
84. Ibid., 52–53.
85. Gary G. Solis, The Law of Armed Conflict: International Humanitarian Law in War (Cambridge, UK: Cambridge University Press, 2010), 258.
86. DOD General Counsel, DOD Law of War Manual, 57.
87. COE, Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977, Article 48, https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/Treaty.xsp?action=openDocument&documentId=D9E6B6264D7723C3C12563CD002D6CE4.
88. Ibid., Article 52(2).
89. ICRC, International Humanitarian Law, 47.
90. ICRC, Customary International Humanitarian Law, Rule 8: Definition of Military Objectives, accessed 8 November 2015, https://www.icrc.org/customary-ihl/eng/docs/v1_cha_chapter2_rule8.
91. Jason Rivera, "A Theory of Cyberwarfare: Political and Military Objectives, Lines of Communication, and Targets," Georgetown Security Studies Review, 10 June 2014, http://georgetownsecuritystudiesreview.org/2014/06/10/a-theory-of-cyberwarfare-political-and-military-objectives-lines-of-communication-and-targets/.
92. Schmitt, Tallinn Manual, 118–22.
93. Combat operations are considered an inherently governmental function performable only by military personnel, according to DOD Instruction 1100.22, Policy & Procedures for Determining Workforce Mix, encl. 4, para. 1(c)(1) (12 April 2010). For a discussion of some of the issues surrounding civilians engaging in combat, see Joshua P. Nauman, "Civilians on the Battlefield: By Using U.S. Civilians in the War on Terror, Is the Pot Calling the Kettle Black?," Nebraska Law Review 91, no. 2 (2013), http://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1176&context=nlr.
94. Schmitt, Tallinn Manual, 145–46.
97. COE, Protocol I, Article 57(2)(iii).
98. Solis, Law of Armed Conflict, 274.
100. DOD General Counsel, DOD Law of War Manual, 1004.
101. Schmitt, Tallinn Manual, 162.
102. Ibid., 160.
103. DOD General Counsel, DOD Law of War Manual, 1004.
104. COE, Protocol I, Article 35(2).
105. The noble but somewhat vague concept of unnecessary suffering can be difficult to apply in kinetic contexts; applying it to cyber activities is downright daunting. In the virtual world itself, few actions rise to the level of suffering. Suffering would seem to require a physical or psychological effect; injury might have been a better term to capture the intent of the provision.
106. ICRC, International Humanitarian Law, 48.
107. Schmitt, Tallinn Manual, 143–44.
108. DODD 5000.01, The Defense Acquisition System, 20 November 2007, para. E1.1.15.
109. DOD General Counsel, DOD Law of War Manual, 317.
110. Gary D. Brown and Andrew O. Metcalf, "Easier Said Than Done: Legal Reviews of Cyber Weapons," Journal of National Security Law & Policy 7 (2014): 115, http://jnslp.com/wp-content/uploads/2014/02/Easier-Said-than-Done.pdf.
111. Suffering would seem to require a physical or psychological effect, and some experts have suggested "injury" would have been a better term to capture the intent.
112. DOD General Counsel, DOD Law of War Manual, 1008.
113. AFI 51-402, Legal Reviews of Weapons and Cyber Capabilities, 27 July 2011, 6.
114. Ibid., 5.
115. Ibid. This appears to be an indication of a level of discomfort in logically distinguishing between military operations and espionage.
116. Ibid., 1.
117. Schmitt, Tallinn Manual, 153.
118. Ibid., 155.
119. DOD General Counsel, DOD Law of War Manual, 66.
120. COE, Protocol I, Article 35(1).
121. Ibid., Article 37(1).
122. DOD General Counsel, DOD Law of War Manual, 67.
123. Schmitt, Tallinn Manual, 181.
124. COE, Protocol I, Article 37(2).
125. Schmitt, Tallinn Manual, 184–5.
126. DOD General Counsel, DOD Law of War Manual, 1005.
127. Ibid., 242, footnote 306.
128. Jeffrey Carr, ed., Inside Cyber Warfare, 2nd ed. (Sebastopol, CA: O'Reilly Media, 2012), 17.
129. The DOD defines electronic warfare as "military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy." Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, 15 October 2015.
130. DOD 5240.1-R, Procedures Governing the Activities of DOD Intelligence Components that Affect United States Persons, December 1982, 13.
131. Ibid., 15.
135. Ibid., 16–18.
136. Ibid., 24–25.
137. Ibid., 29.
138. DOD General Counsel, DOD Law of War Manual, 999.
139. Schmitt, Tallinn Manual, 193–94.
140. Daniel B. Silver, Frederick P. Hitz, and J. E. Shreve Ariail, "Intelligence and Counterintelligence," in National Security Law 2nd Edition, ed. John Norton Moore and Robert F. Turner (Durham, NC: Carolina Academic Press, 2005), 965.
143. Schmitt, Tallinn Manual, 50.
144. Office of the Press Secretary, "President Xi Jinping's State Visit to the United States" (fact sheet, The White House, Washington, DC, 25 September 2015), https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states.
145. Ellen Nakashima, "Defense Official Discloses Cyberattack," Washington Post, 24 August 2010, http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406495.html. Operation Buckshot Yankee was a motivation behind the 2009 US decision to establish USCYBERCOM.
146. David E. Sanger and Julie Hirschfeld Davis, "Hacking Linked to China Exposes Millions of U.S. Workers," New York Times, 4 June 2015, http://www.nytimes.com/2015/06/05/us/breach-in-a-federal-computer-system-exposes-personnel-data.html?_r=0.
147. Senate, "Advance Questions for Vice Adm Michael S. Rogers, USN, Nominee for Commander, United States Cyber Command," 11 March 2014, http://www.americanrhetoric.com/speeches/PDFFiles/advanceqsadmrogers031114.pdf.
148. DOD, The DOD Cyber Strategy, April 2015, http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/Final_2015_DoD_CYBER_STRATEGY_for_web.pdf.
149. International Strategy for Cyberspace, 2011, 14, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf.
150. DOD Cyber Strategy, 5.
151. Ibid., 14.
152. Federal Emergency Management Agency, National Response Framework (Cyber Incident Annex), FEMA.gov, accessed 1 November 2015, https://www.fema.gov/media-library/assets/documents/25556.
153. Department of Homeland Security, National Cyber Incident Response Plan, draft, accessed 7 November 2016, https://www.us-cert.gov/sites/default/files/ncirp/NE%20DRAFT%20NATIONAL%20CYBER%20INCIDENT%20RESPONSE%20PLAN%2020160930.pdf.
154. Department of Homeland Security to DOD, Memorandum of Agreement, accessed 1 November 2015, http://www.acq.osd.mil/mibp/dpac/DOD-DHS%20Memorandum%20of%20Agreement%20Sept%202011.pdf.
Col Gary Brown, USAF, retired, is a professor of cybersecurity at Marine Corps University, Quantico, Virginia.
Maj Israel D. King, USAF, is an instructor of operations and international law at the Air Force Judge Advocate General's School, Maxwell Air Force Base, Alabama.