When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 2 of 8)

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

“If we went in with a drone and knocked out a thousand centrifuges, that’s an act of war. But if we go in with Stuxnet and knock out a thousand centrifuges, what’s that?”

“Well,” Clarke replied evenly, “it’s a covert action. And the U.S. government has, ever since the end of World War II, before then, engaged in covert action. If the United States government did Stuxnet, it was under a covert action, I think, issued by the president under his powers under the Intelligence Act….In U.S. law, it’s a covert action when the president says it’s a covert action. I think if you’re on the receiving end of the covert action, it’s an act of war.”[i]

We know that if an individual created a computer virus like Stuxnet, he would be breaking a host of U.S. and international criminal laws. However, when a nation uses a virus to attack another nation’s infrastructure, is that nation breaking any laws? The answer is complicated, as the quotation from Richard Clarke above shows: international law is far from settled in this area. Whether a state-sponsored virus is subject to any international law is often dependent on whether the nation is on the giving or the receiving end of the attack and on what, if any, actions the receiver wants to take in counterattack.

Is Stuxnet Governed by the Laws of War?

One way that state-sponsored cyberattacks might be subject to international law is through the laws of war governed by the UN Charter, the foundational treaty which all members of the United Nations must sign. The Charter requires nations to peacefully resolve disputes and only to engage in hostilities when either authorized by UN resolution or in self-defense.[ii] Applying those laws is somewhat challenging, however, since they were last revised after World War II and never contemplated the potential for computerized attack. But the UN Charter and the principles and framework which have grown up around it do serve as a useful starting point.

Was Stuxnet a “Use of Force” or “Armed Attack”?

Article 2(4) of the UN Charter states that, “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state….”

Article 51 gives a nation the right of self-defense, regardless of UN resolution: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member….”

The innocent-looking words “use of force” and “armed attack” unfortunately give little direction in a technologically advanced age. As a result, scholars have probed the meaning of these terms in an attempt to understand their nuances.  Three broad approaches have emerged.

The first is to view “attack” as based on instrumentality. To qualify as an attack, traditional military means or weapons would have to be employed. Under this approach bombing Iran’s centrifuges would be an attack, but deploying a cyber-weapon like Stuxnet to destroy them would not be. This view is the most limited and least technologically insightful, but has the advantage of providing a clear, bright dividing line which excludes most cyber-war from triggering a retaliatory response under Article 51.

A second approach examines the target of the attack. If the attack is against a computer system which is important to the national security or national infrastructure of a state, the harm could be great enough to invoke the right of self-defense. Under this approach, Stuxnet would justify a response because it attacked an important part of Iran’s national infrastructure. This is the most expansive view.

A third approach attempts to classify the attack according to the severity of its effects. Proponents of this approach propose to measure “severity” in a variety of ways. Some propose that severity be measured rather strictly, by looking to the likelihood of injury or property damage similar to that in an armed attack using traditional weapons. Others have proposed multi-factor tests which look at severity of harm, immediacy, directness, and other factors. The distinction between these two ways of measuring will become important later when we explore recent developments in U.S. policy.[iii]

Of the approaches, the effects-based approach is probably the most balanced and most widely accepted. Further, it seems most likely that First World nations with sophisticated computer infrastructure will want a more expansive reading than the instrumentality approach allows. The reason for this is that smaller nations with less raw military force can mount cyber-attacks without the resources and expense of conventional war. Thus it is likely that larger nations like the U.S. will want to preserve their right to retaliate under Article 51 against cyber-incursions into U.S. infrastructure, both in cyberspace and even by using conventional weapons if the attack was severe enough.

Necessity and Proportionality

If a defensive action is justified under Article 51, the laws of war also govern what type of attack is justified in response. The complementary doctrines of necessity and proportionality demand that force only be used as a last resort, and then only to a level which is proportional to the damage or harm caused by the original attack. For example, if Iran were to respond to Stuxnet with a missile attack against Israel that caused several thousand deaths, the response would likely be seen to be disproportionate.

 

The U.S. Position

So, if the roles had been reversed, would the U.S. consider a Stuxnet-like attack on its enrichment centrifuges to justify self-defensive action?  On its face, the United States’ answer to this question seems to be a definitive “yes” according to a recent, widely distributed story: The State Department may consider any attack which causes damage to its own infrastructure to be in violation of Article 2(4), and may invoke the right of self-defense in response.

The timing of this announcement is interesting in light of very recent information linking the U.S. to Stuxnet and Flame. The U.S. has never taken responsibility for those viruses and probably never will; publicly taking responsibility for Stuxnet would mean that the U.S. either did not consider it an attack, considered the attack defensible under UN resolutions, or believes that it was a measured attack which will only result in a measured response.

However, the widely reported story above blurs some of the nuances of the U.S. position. To understand those nuances, it is necessary to read Harold Koh’s remarks more carefully.  They steer toward the severity-based effects approach outlined above, rather than to the more expansive version of that approach. He carves out with several extreme examples the “cyber activities that proximately result in death, injury, or significant destruction [which] would likely be viewed as a use of force”; for example, causing a nuclear power plant meltdown, opening a dam over a populated area, or disabling air traffic control and causing airplane crashes.

Koh does later acknowledge that the exact definition of “use of force” is subject to debate, and that in the U.S. view there is no real lower threshold to how much “deadly force” would warrant a self-defensive response. However, even in these situations Koh reiterates that the necessity and proportionality covenants of jus ad bellum would act as constraints to any such response. In short, the position outlined by Koh attempts to serve the dual purpose of both warning rogue states not to go too far in attacking the U.S. and also placing the Stuxnet attack in a debatable neutral ground that looks like it might be a measured, proportional action not rising to the level of armed response. In this sense, the U.S. announcement is probably more calculated than it seems at first glance.

Regardless, U.S. saber-rattling about cyber-attacks seems hypocritical to many people. U.S. officials and members of Congress tend to use the hyperbolic term “cyber-war” in response to every computer breach, from teenage hackers to viruses to corporate espionage. This supports their goal of rallying public support and funding for a vast cybersecurity infrastructure, but runs at cross-purposes to what seems a clear desire to utilize these techniques in a limited fashion as a tool of foreign policy.


[i] Ron Rosenbaum, Richard Clarke on Who Was Behind the Stuxnet Attack, SMITHSONIAN MAG. (Apr. 2012), http://www.smithsonianmag.com/history-archaeology/Richard-Clarke-on-Who-Was-Behind-the-Stuxnet-Attack.html?c=y&page=3.

[ii] Some terminology might be useful here. The “Laws of War” is a blanket term which is further divided into two areas: the body of law which concerns the justification to engage in “just war” is called jus ad bellum. Once hostilities have begun, the laws regulating conduct are called jus in bello.

[iii] See Oona A. Hathaway et al., The Law of Cyber-Attack, 100 CAL. L. REV. 817, 845-49 (2012).

~ by K. Miller on September 25, 2012.

3 Responses to “When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 2 of 8)”

  1. The actions of the United States do seem hypocritical, although it is understandable that the government would try to limit the use of cyber attacks against it while at the same time try to justify its use of cyber attacks against its enemies. What concerns me most about this debate is, where exactly should the line be drawn? If the Stuxnet attack is considered “neutral” action that does not rise to the level of an armed response, then what will be considered a cyber attack severe enough to justify a hostile reaction? And if it was an attack severe enough to warrant self-defense, then our government is taking a huge risk engaging in this kind of action, even if it does not claim responsibility for the Stuxnet attack.

    Would the United States take action if another country used this kind of cyber attack against our nuclear plants? I agree with Kevin’s report that the U.S. might consider it an action worthy of self-defense. This is a political question and it does not sit well with me at all. The government does not seem to want to take a definite stance, at least not yet, on the ethical boundaries of cyber war. In the meantime, it seems that it is still willing to test out the waters. But how will the government’s actions affect foreign relations and how will it affect the country itself if one day a country decides to retaliate?

  2. The first approach, that there must be a military weapon in order to be considered an “attack”, seems easy to poke holes in. I cannot even begin to fathom all the ways that someone could seriously hurt our country by virtual means alone. To see it this way would be to ignore the importance of technology in the world we live in today. But the second approach, that if the target is important to national security then it is considered an “attack”, also seems to be inadequate to measure the complexity of the various technologies. However, it seems that the United Nations already built in a justifiable response approach. If the “attack” is non-severe but was technically on a target that is important to national security, only a non-severe defense would be allowed anyway. The third approach, that takes everything into account when deciding if something is an “attack”, does seem to be the most balanced, but also the most complicated. These types of attacks are equally complicated and no one could have foreseen this when constructing the international laws. A case-by-case basis seems to be the most appropriate way to examine this situation.

  3. I feel that in the world of nations it takes something of great magnitude for a country to “go to war”. I think this is backed up by the fact that a country has not gone to war over any cyber attack yet. But the uncertainty of where the line is or should be drawn does not bode well for the world, for that line will be pushed until it must be drawn when the line is crossed and war is likely.
