Even before the terrorist attacks of September 11th, news organizations and legal scholars began debating if the traditional “rules of war” should be applied to the new threat of terrorism. What became clear quickly was that terrorism is a murky area in terms of both warfare and international law. A new threat, some might say an offshoot of terrorism, has now emerged: cyberwarfare.
Scholars have now begun debating whether or not current law is applicable to cyber attacks. One think tank in Europe,the Cooperative Cyber Defense Center of Excellence (CCDCOE), based in Estonia, has compiled a manual entitled “Tallinn Manual on the International Law Applicable to Cyber Warfare”, for use by legal advisors to government agencies. The manual looks at existing international law and sets out guidelines for when countries may legally use force against one another and the current rules of armed conflict. The CCDCOE works with NATO on many issues relating to cyber security and the Tallin manual was developed by a group of NATO experts from various countries including the United States and the United Kingdom. While not official doctrine, it does state NATO’s views on the laws they believe applicable to cyber warfare.
The manual may be a helpful way to lay out what exactly international law concerning warfare entails today, but it does not answer the question, which is stated in the introduction to the manual, “Does existing law apply to cyberwarfare?”. This might be the more important, and most difficult, question in this area.
One of the main problems is the difficulty in determining what constitutes a “cyber attack”. Is a hacked entry into a government organization in an attempt to steal information an example? Perhaps an attack into a financial institution to take credit card numbers and use them? Difficultly also comes with attributing the attack to a particular group since many have no affiliation to a country of origin. Some may even be a collection of different citizens from different states protesting a cause. One example is the group Anonymous UK who shut down the MI5 and MI6 websites in the wake of the arrest and treatment of Wikileaks founder Julian Assange.
Cyberwarfare is an emerging issue that is taking on greater importance, as new incidents of cyber attacks are dominating our news cycle. Unfortunately, we are still left with a lot of unanswered questions. This new manual does not seem to answer, or attempt to answer, any of the more difficult questions. It seems that governments must come together , as they have before with other emerging international issues, to create a treaty on the action allowed against cyber warfare.
Some questions to consider:
What exactly constitutes cyberwarfare?
Can existing rules of warfare, as set out in the “Tallinn Manual on the International Law Applicable to Cyber Warfare”, be used in this area?
What laws need to be developed to deal with this problem?
Sources: PCWorld, Tech Week Europe
Treaties and international arbitration is largely based on the willingness of the states to participate in such agreements, which poses problems as Andrew mentioned in regards to unique situations where the threat isn’t contained within the boundaries of one state. The manual will eventually gain weight in international and domestic courts regarding this issue if it becomes used, and thus generally accepted in the international community. Putting aside the international cooperation and enforceability issue, cyberwarfare itself seems to be an ever-changing issue, which is presumably why organizations have been hesitant in defining it and giving it exact parameters as a legal issue. Additionally, states are struggling to keep up with the technology to deflect against these cyber attacks, therefore making it difficult to be proactive in implementing general cyberwarfare laws that could possibly encompass every line of attack a country might be faced with. In response to the rapidly changing technological advances, new laws need to be developed in addition to any existing policies on cyberwarfare. Existing law that has now become customary in the international community should certainly not be ignored, but it needs to perhaps be modified or added onto in order to adapt with the nature of cyberwarfare itself. The ideal situation regarding this issue would be an international agreement such as a treaty regarding this issue, however, it is unlikely that the demand will be met with cooperation from every player necessary to reduce or even defeat this threat. Additionally, even if the international players can come together on this, it would likely be difficult to enact legislation that could itself keep up with the technological advances of cyberwarfare.
Personally, I view cyber warfare as one of modern society’s greatest threats. Under its broadest definition, applications range from attacks as small as stealing a single person’s identity to a large as shutting down an entire city’s power grid, or worse. It is imperative that governments come together to combat and control this huge danger. Current international law governing conventional warfare may ultimately prove unworkable when applied to cyber warfare, however, I believe it can be effectively utilized as a general starting point that may be adapted and reinterpreted to cover the appropriate response for future incidents. It would seem obvious, then, that the first step would be to reasonably define the term cyber warfare. I would argue for a broad definition that could be interpreted to encompass as many different types of attacks as possible. With such a definition, international governments would have the legal right to defend themselves against a multitude of attacks. One potentially big problem I see in allowing for legal retaliation in response to an attack would present itself when the attack is made by a non-government affiliated person or group. Who would have the right to imprison and try the offender? The government of the country attacked, or the government of the country from which the attack was launched? Further, what laws could be enacted to govern extradition for offenders or to punish countries for harboring and protecting non-government affiliated attackers?
I agree with Joseph that the first step needs to be defining what constitutes cyber warfare. I also agree with Andrew that actually determining what is a cyber attack is going to prove to be a difficult task, as Andrew described how much the term “cyber warfare” can encompass. While I think that current rules of warfare – for instance definitions of an armed attack – are a good place to start, where to go from there remains unknown. These laws and rules of warfare are going to need to be brought into the modern age in order to keep up with the advances in technology that are being used for good as well as bad. I also agree with Andrew and Joseph that it is going to be tough to institute rules of retaliation, as it is not just countries who are committing acts of cyber warfare (whatever that definition may be), but individuals, both with a common country and without one. In all, the new era of technology has brought with it the necessity of changing and/or defining new rules of war, including a definition of cyber warfare, and while this is a daunting task, it is a necessary and most interesting one.