When Nation-States Create Computer Viruses: “Diplomacy by Other Means” or Pandora’s Box? (Part 7 of 8)

This 8-part blog series examines the legality, justifications, and consequences of nation-state involvement in the creation of computer malware such as Stuxnet and Flame.

Hopefully, by now it is clear my own position is that the increasing use of cyber-weaponry will inevitably lead to escalation of capabilities and tactics, to the extreme detriment of human life in general. If one indeed accepts that conclusion (and not all do), what is to be done about it? Not all nations agree that the Laws of Armed Conflict we discussed in Post #2 are applicable; and, as previously noted, the U.S. seems happy to threaten to invoke the self-defense doctrine while at the same time instigating a cyber-attack when it suits our purposes.[i] Many scholars and diplomats argue that a much stronger understanding of the constraints and penalties for nation-state involvement in cyber-attacks needs to be developed. This posting will review some of those approaches, including several arguments against any international legal regime.

A Defense-Emphasis

As previously noted, militaries the world over have an approach toward cyber-attack that emphasizes offensive tactics over defensive ones, resulting in a bias toward building offensive cyber-weaponry over defensive capabilities. Several parties have noted that many of the problems of aggression in cyberspace—attribution and escalation, for example—can be minimized by an increased emphasis on defensive tactics. The first approach, then, is less a legal stance than a practical one; however, it has the advantage of demonstrating a useful principle that will become more important in the next posting.

Security expert Bruce Schneier, for example, has long advocated a posture of reasonable defensive countermeasures. The key to a proper defense, in Schneier’s view, is in open access to security protocols and systems. Today, vendors approach security with the view that maintaining secrecy in security implementations protects them. According to Schneier and others, systems vendors should be more open in detailing how they implement security procedures and key technical details. This allows security researchers to examine the vulnerability of these systems and alert the vendors to weaknesses. Schneier also believes that a rational response to genuine risks in cyberspace is essential—without fear-mongering and saber-rattling—along with improved international cooperation and treaties.[ii]

Schneier’s view is shared by computer expert Peter G. Neumann, who blames the fundamental architecture of the computer operating systems and networks which make up the Internet for many security risks.[iii] The greater defensive posture he recommends is to redesign computer architectures with a “clean slate.”[iv] While he acknowledges that this effort will take years, there is no reason not to start.[v] What has made systems security so bad is that private industry has had little motivation to adopt a security-oriented mindset, even reintroducing fundamental vulnerabilities such as the “buffer overrun” (widely used by malware) into architectures decades after approaches had been developed to ensure against them.[vi] Such efforts in defensive redesign are much more important than building further weapons to exploit vulnerabilities.

A Crime Under the “Law of Aggression”?

One possible formal approach is to punish cyber-attacks under international law using the new “Law of Aggression.” In 2010, the International Criminal Court (ICC) formally defined the crime of “aggression” and gave the ICC jurisdiction over the crime.[vii] The definition states, in pertinent part, that the crime of aggression is

the planning, preparation, initiation or execution, by a person in a position effectively to exercise control over or to direct the political or military action of a State, of an act of aggression which, by its character, gravity and scale, constitutes a manifest violation of the Charter of the United Nations.[viii]

It is conceivable that this new criminal jurisdiction could serve as an important mechanism for enforcing penalties against aggressive cyber-acts such as Stuxnet.

However, there are several reasons why it is unlikely the new crime will be applied to cyber-attacks. First, jurisdiction is specifically excluded for non-state actors, even when the acts are committed by a state’s citizens or from within its territory.[ix] Second, the U.N. Security Council controls the assessment of when an act of aggression has occurred.[x] Since many of the nations on the U.N. Security Council are themselves heavily involved in cyber-attacks, including the United States, Russia, and China, it is difficult to see how or when these nations would unanimously recommend an act to the ICC for prosecution. Finally, the act of aggression must be a violation of the U.N. Charter—meaning that it circularly refers back to the same imprecise and heavily-debated U.N. Charter definition of “armed force” discussed in Post #2.[xi]

An “International Law for Information Operations”

One commentator argues that applying the Laws of War to cyberspace by analogy is difficult and recommends the formation of an entirely new law of “Information Operations” or ILIO.[xii] By expanding and clarifying definitions, the ILIO could provide guidance on the types of cyber-force that are prohibited, including an understanding of what types of civilian targeting would violate jus in bello principles.[xiii]

The author acknowledges that the major stumbling block to a new body of international law is getting parties to the table to negotiate, when the larger players already have begun offensive operations in cyberspace.[xiv] Another problem is how a set of standards would be implemented—e.g., as a treaty or as self-governing rules—and who would take the initial normative step of first adopting them.[xv] Even with these drawbacks, however, parts of the proposed ILIO have much to recommend them.

Resistance to the Idea of an International Law of Cyber-war

Perhaps unsurprisingly, not everyone agrees that international law is the way to proceed, even if they accept the premise that cyber-attacks are de facto detrimental (unlike the U.S. and several foreign governments).

One critic of international agreements argues that an international law of cyberspace is extremely unlikely and probably detrimental to U.S. interests.[xvi] It is unlikely because “asymmetries” between the values of U.S. targets and those of other countries mean that those countries would never agree to negotiate. It is detrimental because the difficulties of attribution would mean that many nations would continue to attack in cyberspace surreptitiously regardless of whether they signed treaties.

Instead, he argues that the U.S. should create its own framework by publishing a list of cyber-assets along with a strong warning that anyone who attacks those targets will be subject to military attack.[xvii] This approach, in fact, turns out to be very similar to the current U.S. position, without the comprehensive list of war-causing targets. He also advocates that “The American framework should remove the distinction between state and non-state actors where culpability is at issue. If the United States can present prima facie evidence that a foreign nation had any knowledge of the actions of individual hackers or a cyber militia group in an attack on U.S. assets, the United States should reserve the right to make an equivocal response and seek legal recourse.”[xviii] In short, he claims that the U.S. should use its “big stick” to incentivize states to control their hackers and cyber militias.[xix]

A better argument against such treaties is put forth by Thomas Rid. He postulates that any such attempt to limit cyber-weapons will end up restricting valid political activity in cyberspace.[xx] Such agreements and laws will often be construed widely by governments to target hacktivist activity and other forms of legitimate dissent. This worry is not without precedent: the U.S. Patriot Act’s stated purpose was to improve the FBI’s access to banking and other records in order to help combat terrorism. However, it has been used only 39 times out of over 400 to prosecute crimes related to terrorism; the other prosecutions have been brought for run-of-the-mill crimes. In addition to the standard arguments of difficulty verifying compliance and attribution, Rid argues that the risk of overreaching governments makes the pursuit of cyberarms control agreements dangerous and, ultimately, pointless.[xxi]

Next Time

Next time, in my last post, we will look at what I consider to be the most comprehensive and promising effort to avoid permanent, harmful cyber-war.

[i] To a certain extent, this emerges from our military’s current belief that we are the “world leader” in cyberweapons. One wonders if the attitude would change if we lost our position of superiority.


[iii] John Markoff, Killing the Computer to Save It, N.Y. TIMES (Oct. 29, 2012), http://www.nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html?pagewanted=1&_r=2.

[iv] Id.

[v] Id.

[vi] Id.

[vii] Int’l Criminal Court [ICC], Assembly of State Parties, Review Conference, the Crime of Aggression, ICC Doc. RC/Res. 6, art. 8 bis (June 11, 2010).

[viii] Id. art. 15 bis.

[ix] Id. art. 15(5) bis.

[x] Id.

[xi] See U.N. Charter, Art. 2(4).

[xii] Duncan B. Hollis, Why States Need an International Law for Information Operations, 11 LEWIS & CLARK L. REV. 1023, 1023 (2007).

[xiii] See id. at 1040-48.

[xiv] See id. at 1058-61.

[xv] Id. at 1059-60.

[xvi] Lawrence L. Muir, Jr., The Case Against an International Cyber Warfare Convention, 2 WAKE FOREST L. REV. ONLINE 5 (2011), available at http://wakeforestlawreview.com/the-case-against-an-international-cyber-warfare-convention.

[xvii] Id.

[xviii] Id.

[xix] Id.

[xx] Thomas Rid, Think Again: Cyberwar, FOREIGN POLICY (March/April 2012), http://www.foreignpolicy.com/articles/2012/02/27/cyberwar?page=0,5.

[xxi] Id.

~ by K. Miller on November 19, 2012.
