Cyber Attacks Have Legal Consequences? – An introduction to some of the national and international legal issues surrounding cyber-offensives.
Many of the posts in the last few months, including the most recent, have centered on the use, by Nation-States, of viruses and other cyberspace-centered technology.1 This post assumes that the reader has read those posts and is at least familiar with the technology as well as its capabilities and recent uses by Nation-States. This post will focus mostly on the legal issues that arise with the use and defense of technological “attacks” by Nation-States against each other.
It should be evident from reading the recent posts on this blog that the use of viruses and other types of “technological attacks” can have devastating effects on the operation of vital military and civil targets and infrastructure. The United States Defense Secretary has said that intelligence has shown an increase in cyber threats and that, “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” and that type of “cyber terrorist attack could paralyze the nation.”2 What may not be clear from the recent posts are the legal issues that arise out of the use of, and defense of, cyber attacks by Nation-States.
The legal issues that arise center on two distinct planes: the first is the depth created from the balancing of national and international laws and the second is the different legal issues that arise depending on whether the action is an “attack” or in defense of “an attack.” Putting these two planes together, we are presented with four legal quadrants that interact with each other.
Beginning with the “national level defense of an attack” quadrant, the Defense Department is trying to ensure that there is a balance between the rights of citizens and the defense against cyber attacks. The Department of Defense has realized that there must be more than pure improved defense in order to prevent a cyber attack. With that information in mind, the Department of Defense is finalizing a change, the most comprehensive change in seven years, to its rules of engagement in cyberspace.3 The Secretary of Defense, Leon Panetta, said that the new rules state that the Pentagon “has a responsibility not only to defend the DoD’s networks, but also is prepared to defend the nation and our national interests.”4 The difficulty with the new rules is to ensure that they are comprehensive and effective but also to ensure that they are structured in a way that does not violate privacy laws or any other citizens’ rights.
Mr. Panetta feels that it is important that the public knows, and that any “aggressors should be aware that the U.S. has the capacity to locate them and hold them accountable for actions that harm America or its interests.”5 Also important and little known is that the Defense Department has already identified thousands of attacks, mostly low level, without taking any action. These attacks are attributed to Nation-states, criminal groups, and individuals and the reasons that no action has been taken are plentiful but undisclosed.
Moving from defense of attacks to the use of a cyber-offensive but remaining in the national sphere, there are different legal questions that are presented. Those readers who are familiar with the recent posts on this blog know of the alleged cyber capabilities of the United States. What may be unfamiliar to most is the fact that the use of cyber-offensives has been debated by the current administration on more than one occasion over the last few years.6
The main topics of the discussion were whether or not America’s use of this type of attack would set a negative precedent to other countries such as China and Russia, and whether or not the president has the power to initiate a cyber attack without informing, and ultimately gaining permission from, Congress.7 This last question, which is similar to the legal issues that are being considered and debated at the international level, depends on whether or not a cyber attack falls under the War Powers Resolution. Considering the fact that whether or not the use of conventional forces, including bombers, falls under the War Powers Resolution is still debated and not completely settled, it seems clear that the question of cyber-offensives will not be resolved adequately for some time.
The international issues are similar to the national issues: does a cyber attack constitute an “armed attack” that allows the country under cyber attack to go to war in defense of itself, and if so, what is a “proportional response” to a cyber attack? Another question is, at what level does a cyber-offensive constitute an act of war?8
International laws, from the United Nations Charter to the Geneva Conventions, serve as guidelines and provide protection to civilians as well as strive “to save succeeding generations from the scourges of war.”9 One of the reasons that there is a lack of clarity in international law as to how to deal with cyber-offensives is the fact that, like the United States’ War Powers Resolution, when the United Nations Charter was written it did not contemplate current technology.
The uncertainty about the legal ramifications of certain actions by Nation-states presents a problem that may have consequences which are as destructive as, or more destructive than, an actual cyber attack itself. This problem is expressed by Harvard law professor Jack Goldsmith, “If nations don’t know what the rules are, all sorts of accidental problems might arise.” One of those problems is that, “One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war.”10
There are so many legal issues that arise that going into detail about them all is not possible in one post. Some other issues that may be of interest include: determining where technological espionage lies in the equation of determining what type of technological offensive might be considered an “act of war” or an “armed attack”; and enforcement of international laws designed to protect against cyber-offensives by Nation-states. Stewart Baker, former National Security Agency general counsel and an assistant secretary of homeland security under President George W. Bush, presented this potential problem with enforcement, “It is a near certainty that the United States will scrupulously obey whatever is written down, and it is almost as certain that no one else will.”11
 See generally “Criminal law in the virtual context” http://virtualcrimlaw.wordpress.com/
 Gopal Ratnam, Cyberattacks Could Become as Destructive as 9/11: Panetta, Bloomberg Businessweek (October 12, 2012), http://www.businessweek.com/news/2012-10-12/cyberattacks-could-become-as-destructive-as-9-11-panetta.
 Eric Schmitt & Thom Shanker, U.S. Debated Cyberwarfare in Attack Plan on Libya, The New York Times (October 17, 2011), http://www.nytimes.com/2011/10/18/world/africa/cyber-warfare-against-libya-was-debated-by-us.html.
 See generally Nils Melzer, United Nations Institute for Disarmament Research (UNIDIR), Cyberwarfare and International Law (2011), http://www.isn.ethz.ch/isn/Digital-Library/Publications/Detail/?lng=en&id=134218.
 Id.; see also Tom Gjelten, Extending The Law Of War To Cyberspace, NPR (September 22, 2010), http://www.npr.org/templates/story/story.php?storyId=130023318.
 Tom Gjelten, Extending The Law Of War To Cyberspace, NPR (September 22, 2010), http://www.npr.org/templates/story/story.php?storyId=130023318.