Cyber Attacks Have Legal Consequences? – An introduction to some of the national and international legal issues surrounding cyber-offensives.

Many of the posts in the last few months, including the most recent, have centered on the use, by Nation-States, of viruses and other cyberspace centered technology.1  This post assumes that the reader has read those posts and is at least familiar with the technology as well as its capabilities and recent uses by Nation-States.  This post will focus mostly on the legal issues that arise with the use and defense of technological “attacks” by Nations-States against each other. 

It should be evident from reading the recent posts on this blog that the use of viruses and other types of “technological attacks” can have devastating effects on the operation of vital military and civil targets and infrastructure.  The United States Defense Secretary has said that intelligence has shown an increase in cyber threats and that, “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” and that type of “cyber terrorist attack could paralyze the nation.”2  What may not be clear from the recent posts is the legal issues that arise out of the use of, and defense of, cyber attacks by Nation-States.

The legal issues that arise center on two distinct plains: the first is the depth created from the balancing of national and international laws and the second is the difference legal issues that arise depending whether the action is an “attack” or in defense of “an attack.”  Putting these two plains together we are presented with four legal quadrants that interact with each other.  

Beginning with the “national level defense of an attack” quadrant the Defense Department is trying to ensure that there is a balance between the rights of citizens and the defense against cyber attacks.  The Department of Defense has realized that there must be more than pure improved defense in order to prevent a cyber attack.  With that information in mind the Department of Defense is finalizing a change, the most comprehensive change in seven years, to their rules of engagement in cyberspace.3  The secretary of Defense, Leon Panetta, said that the new rules state that the Pentagon “has a responsibility not only to defend the DoD’s networks, but also is prepared to defend the nation and our national interests.”4  The difficulty with the new rules is to ensure that they are comprehensive and effective but also to ensure that they are structured in a way that does not violate privacy laws or any other citizens’ rights. 

Mr. Panetta feels that it is important that the public knows, and that any “aggressors should be aware that the U.S. has the capacity to locate them and hold them accountable for actions that harm America or its interests.”5  Also important and little known is that the Defense Department has already identified thousands of attacks, mostly low level, without taking any action.  These attacks are attributed to Nation-states, criminal groups, and individuals and the reasons that no action has been taken are plentiful but undisclosed. 

Moving from defense of attacks to the use of a cyber-offensive but remaining in the national sphere, there are different legal questions that are presented.  Those readers that are familiar with the recent posts on this blog know of the alleged cyber capabilities of the United States.  What may be unfamiliar to most is the fact that the use of cyber-offensives have been debated by the current administration on more than one occasion over the last few years.6 

The main topics of the discussion were whether or not America’s use of this type of attack would set a negative precedent to other countries such as China and Russia, and whether or not the president has the power to initiate a cyber attack without informing, and ultimately gaining permission from, congress.7  This last question, which is similar to the legal issues that are being considered and debated at the international level, depends on whether or not a cyber attack falls under the War Powers Resolution.  Considering the fact that whether or not the use of conventional forces, including bombers, falls under the War Powers Resolution is still debated and not completely settled, it seems clear that the question of cyber-offensives will not be resolved adequately for some time. 

The international issues are similar to the national issues; does a cyber attack constitute an “armed attack” that allows the country under cyber attack to go to war in defense of itself and if so what is a “proportional response” to a cyber attack?  Another question is, at what level does a cyber-offensive constitute an act of war.8 

International laws, from the United Nations Charter to the Geneva conventions, serve as guidelines and provide protection to civilians as well as strive “to save succeeding generations from the scourges of war.”9  One on the reasons that there is a lack of clarity in international law as to how to deal with cyber-offensives is the fact that, like the United States’ War Powers Resolution, when the United Nations Charter was written it did not contemplate current technology.

The uncertainty about the legal ramifications of certain actions by Nation-states presents a problem that may have consequences which are as destructive, or more so, than an actual cyber attack itself.  This problem is expressed by Harvard law professor Jack Goldsmith, “If nations don’t know what the rules are, all sorts of accidental problems might arise.”  One of those problems is that, “One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be and act of war.”10

There are so many legal issues that arise, going into detail about them all is not possible in one post.  Some other issues that may be of interest include; determining where technological espionage lies in the equation of determining what type of technological offensive might be considered an “act of war” or an “armed attack”; and enforcement of international laws designed to protect against cyber-offensives by Nation-states.  Stewart Baker, former National Security Agency general counsel and an assistant secretary of homeland security under President George W. Bush, presented this potential problem with enforcement, “It is a near certainty that the United States will scrupulously obey whatever is written down, and it is almost as certain that no one else will.”11


[1] See generally “Criminal law in the virtual context”

[2] Gopal Ratnam, Cyberattacks Could Become as Destructive as 9/11: Panetta, Bloomberg Businessweek (October 12, 2012),

[3] Id.

[4] Id.

[5] Id.

[6] Eric Schmitt & Thom Shanker, U.S. Debated Cyberwarfare in Attack Plan on Libya, The New York Times (October 17, 2011),

[7] Id.

[8] See generally, Nils Melzer, United Nation Institute for Disarmament Research (UNIDIR), Cyberwarfare and International Law, (2011),

[9] Id. see also Tom Gjelten, Extending The Law Of War To Cyberspace, NPR (September 22, 2010),

[10] Tom Gjelten, Extending The Law Of War To Cyberspace, NPR (September 22, 2010),

[11] Id.


~ by juanufl on November 18, 2012.

7 Responses to “Cyber Attacks Have Legal Consequences? – An introduction to some of the national and international legal issues surrounding cyber-offensives.”

  1. The legal issue of whether or not any particular act would involve the War Powers Act seems so ridiculous to me. I understand that new technologies can pose questions as they were not explicitly considered, but how hard is it to base our answer to these questions by using the Golden Rule? If we would consider an action to be an act of war against us, then it is simply an act of war and we shouldn’t employ it against another unless we mean war. The greyness we attempt to insert into these legal discussion are but a facade to cover up our hypocrisy of hubris and oppressive control of others for the sake of our own selfish interests. Read for a surprisingly cogent explanation of why Bin Laden attacked the US from Bin Laden himself. We can question his methods, but it is hard to question his reasons – simply imagine the actors and religions switched and ask yourself if you think our actions are acts of war.

    • I tend to agree with you, James. A major problem with current viewpoints on cyberwar is that they focus too much on what it technically allowed and not allowed under international law. It is important in U.S. diplomats’ eyes, for example, to phrase each statement about cyber-attacks carefully so that the statement has an effective amount deterrent value to others while leaving space for our own incursions.

      In some ways, one of the projects of my series blog posts has been to put forth a policy argument for viewing cyberspace as an off-limits area, instead of as yet another place to extend real-world conflicts. Perhaps I’m naïve, but I think what is needed is an ethical viewpoint which turns the problem on its head–defining a notion of what a peaceful cyberspace would look like, instead of what a bellicose cyberspace looks like. Tune into Post #8 for more on that topic….

  2. With the potential devastating effects that a cyber attack could have, I find it hard to believe that the U.S. is struggling so much to define the severity of a cyber attack. I agree with the comment above, if a cyber attack has the same effects on the U.S. as would a traditional act of war, then that attack should be seen as such as the U.S. should respond with the same or greater force. That being said, all out cyber warfare is not the answer to every potential cyber attack. If there is a low grade cyber attack that does not rise to the level of an act of war, then the U.S. should again answer in kind, with a response but one that is much less than a declaration of war.

    It seems that while cyber attacks venture into new territory in terms of feuding between nations, they really aren’t that different from traditional attacks that have been launched in the past. When responding to such attacks the government must weigh the damage that the attack caused and answer appropriately. The government must also be prepared to try to combat such attacks if possible. Hopefully the rise in technological power doesn’t lead to the next world war, but if cyber attacks are going to start the U.S. must be ready to respond the them in an appropriate fashion. Personally, I think such responses should be based on the measurable effect that the cyber attack caused and not based on the mere fact that a cyber attack was launched.

  3. One of the issues that I find most troubling about the idea of cyber warfare is that it is civilians and companies that are most likely to suffer direct attacks and not military installations. To me this would mean that any resolution dealing with cyber attacks would be complicated because how would the government distinguish corporate sabotage and an act of war? I also wonder if the government owes some sort of responsibility to help protect corporations from cyber attacks or if corporations ought to be required to have a certain level of protection.
    I think that there is also a concern that what our government uses against other nations today, has the potential to be used against citizens of our country tomorrow. This notion means that transparency is incredibly important when dealing with the methods and responses to cyber attacks.

  4. I have similar concerns as Kristen. I’m also concerned about the prospect of using a regular terrorist attack as a door for a cyber attack. Or a government faking a conventional attack as a secret way to launch a cyber attack.

    Currently, Israel tweeted and liveblogged its operations in Gaza. A terrorist group could launch an attack and create fake twitter accounts with short URLs claiming to provide the details of the attack and response. The URLs actually would contain newer generations of malware that commercial software is currently unprepared for. People would click the links and unwittingly spread the malware around, quickly causing additional damage.

  5. It’s extremely troubling to me that minimal cyber attacks could be taken as a declaration of war. Even more troubling is the idea that countries have different ideas of what constitutes an act of war or what doesn’t. I agree with Kelly that responses to cyber attacks should be in proportion to the original attack, however, it seems that some countries and governments are itching to start a war so it makes me nervous to think that a declaration of full-out war is based on subjective opinions. Hopefully a treaty or some kind of international convention will take place to directly resolve those issues, but I don’t foresee that happening within the next couple years unless something significant (like a potential war) comes up.

    Like the other comments here, I believe cyber warfare is incredibly dangerous, especially since it’s unconventional and it has the potential to directly affect civilians more than traditional warfare. Moreover, the combination of traditional combat and cyber attacks on a country could cause significantly more damage than just combat in significantly less time. The idea that both could be used now, whether or not in combination or alone is terrifying. We, and many other world powers, are completely dependent on technology and although technology has made our lives a little more efficient and enjoyable, it is also a huge weakness that could be exploited by our enemies. Let’s hope some ground rules are set before a real cyber war takes place.

  6. I agree with Kristen that it is troublesome that civilians and companies will be the ones most likely to suffer direct attacks and not military installations. But it seems that this would be a pretty common incident of “war.” Most battles do not take place in the confines of a military base, they take place out on the streets of our people and innocent lives are lost. The fact that someone’s factory or company is ruined forever because of a virus is certainly a loss, but its better that than a bomb blowing up in the factory and having people physically hurt.

    But like Kristen, that does make me wonder if the government would have any sort of duty owed to protect or help restore companies from these kinds of attack. Again, equating this to an actual attack, it seems like the government would do whatever it was required to do before: whether that was to help or not, I’m not sure. I also wonder if that is something an insurance plan would cover.

    These discussions of a cyber attack are very troubling, and we can only hope that attacks are contained to a response of equal nature and do not escalate to, as Kelly said, “the next world war.”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: