Journal of Conflict & Security Law ß Oxford University Press 2012; all rights reserved. For permissions, please e-mail:
[email protected] doi:10.1093/jcsl/krs016 .......................................................................
Editorial Cyber War and International Law The theme of this special issue is cyber war and international law. More specifically, this special issue examines the application of the international law on the use of force (jus ad bellum) and international humanitarian law (jus in bello) to cyber war. It is a truism to say that, nowadays, information and communication technology forms an integral part of our lives, and that societies as well as states are dependent upon such technology to carry out their manifold activities. Indeed, the cyber space as the global digital communications and information infrastructure1 can deliver immense benefits to individuals and societies but at the same time can be the source of many threats and vulnerabilities. Due to the dependency of modern societies on cyber technology, cyber security has become a number one state priority.2 Perhaps one of the most serious threats facing states is the use of cyber capabilities to conduct military style operations with the aim of degrading, denying or destroying information resident on computers or computer networks. Such threats fall under the banner of cyber war. Conceding that cyber threats are here to stay and that states need to respond to such threats, questions immediately arise as to whether and to what extent international law can apply to cyber activities. These are legitimate questions because the relevant rules have been developed for different types of situations or events, whereas cyber security involves many additional complicating factors, such as the anonymity, speed and multi-level nature of cyber operations, the wide availability of cyber weapons, the easy access by non-state actors to cyber weapons and the destructive direct or indirect effects that cyber attacks can 1
2
P Cornish, D Livingstone, D Clemente and C Yorke, On Cyber Warfare, A Chatham House Report (Royal Institute of International Affairs 2010) 5www.chathamhouse. org.uk4 (accessed 19 June 2012). For example, in the context of the UK see the ‘UK National Security Strategy’ (2010) 5http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg/@en/documents/ digitalasset/dg_191639.pdf?CID¼PDF&PLA¼furl&CRE¼nationalsecuritystrategy4 (accessed 19 June 2012); ‘Securing Britain in an Age of Uncertainty: The Strategic Defence and Security Review’ (2010) 5http://www.direct.gov.uk/prod_consum_dg/groups/dg_ digitalassets/@dg/@en/documents/digitalasset/dg_191634.pdf?CID¼PDF&PLA¼furl& CRE¼sdsr4 (accessed 19 June 2012); ‘The UK Cyber Security Strategy Protecting and Promoting the UK in a Digital World’ (2011) 5https://update.cabinetoffice.gov.uk/sites/ default/files/resources/uk-cyber-security-strategy-final.pdf4(accessed 19 June 2012). In relation to the US, see National Security Council, ‘The Comprehensive National Cybersecurity Initiative’ (2009)5http://www.whitehouse.gov/cybersecurity/comprehensivenational-cybersecurity-initiative4 and White House, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011) 5http:// www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace. pdf4(accessed 19 June 2012).
.............................................................................. Journal of Conflict & Security Law (2012), Vol. 17 No. 2, 183–186
184
Editorial
produce. For some, non-military methods involving peaceful countermeasures, sanctions or new treaties are more effective in countering such threats. Yet for others such threats should be countered according to the use of force paradigm. In the latter case, it becomes necessary to examine how the jus ad bellum and the jus in bello rules can apply to cyber war. If the jus ad bellum is to be applied, questions arise as to whether a cyber attack can constitute an unlawful intervention violating the sovereignty of a state or even an unlawful use of force within the meaning of Article 2(4) of the United Nations (UN) Charter. Another question is whether and under what circumstances a cyber attack can amount to an armed attack that can trigger a state’s right to self defence. Further, this raises a critical question as to how such an attack can be attributed to a state against which self-defence action can be taken. What if no attribution can be made? Can self-defence be engaged in relation to a cyber attack committed by a non-state actor? Also, can defensive responses to cyber attacks be cyber in nature or also kinetic? As far as the jus in bello is concerned, pertinent questions relate to whether conflicts that occur in the cyber realm demand the application of international humanitarian law and, if so, whether such conflicts should be characterised as international or non-international in character. Of equal importance are questions relating to whether those that engage in cyber attacks directly participate in hostilities, thus rendering them lawful targets of attack. Furthermore, other questions concern whether cyber weapons can be used compatibly with the principles of distinction, proportionality and precaution. These are some of the crucial questions that this special issue examines. The first part comprises articles contributed by Professor Mary Ellen O’Connell, Dr Russell Buchan and Professor Nicholas Tsagourias and address the application of the jus ad bellum to cyber war. The second part contains articles contributed by Professor Michael Schmitt, Professor Yoram Dinstein and David Turns and concern the application of the jus in bello to cyber war. O’Connell opens the first part of this special issue by arguing that, in most cases, cyber attacks do not fulfil the international law criteria on the use of force and, consequently, the use of force paradigm cannot apply to cyber attacks. More than that, however, O’Connell submits that the use of force framework should not apply because it will lead to the militarisation of cyber space. In O’Connell’s view, alternative international legal frameworks, such as those relating to economic activity and communications, are more relevant and appropriate to regulate cyber activities. For her, cyber security can be delivered through unilateral peacetime countermeasures, Security Council sanctions, cyber law enforcement, cooperation and good cyber hygiene. Buchan assesses whether an attack against the computer network of a state constitutes an unlawful use of force for the purposes of Article 2(4) UN Charter. Using the cyber attack against Iran in 2010 as an example, Buchan concludes that a cyber attack will violate the use of force prohibition where it produces physical damage; this being death or injury to people or damage to physical
Editorial
185
property. It follows that a cyber attack that only causes non-physical damage, such as the attack against Estonia in 2007, will not qualify as an unlawful use of force. However, Buchan argues that such a cyber attack will nevertheless violate the principle of non-intervention where it can be regarded as coercive in nature; this being that the attack is deployed with the intention of forcing the victim state into a change of policy. Assuming that a cyber attack amounts to an armed attack for self-defence purposes, Tsagourias’s contribution examines the question of attribution. For him, attribution has technological, political and legal aspects which interact with each other. As far as the legal aspects of attribution are concerned Tsagourias submits that, according to prevailing international legal standards, an armed attack in cyberspace will be attributed to a state where it has been committed by an organ or agent of that state. Furthermore, attribution can be established on the basis that a state has tolerated the existence of a non-state actor that then commits a cyber attack. Indeed, Tsagourias suggests that, even if no state is implicated in the cyber attack, customary law going back to the Caroline case permits self-defence action against the non-state actor that has committed the cyber attack. Schmitt’s article opens the second part of this special issue by addressing how cyber conflicts should be characterised for the purpose of international humanitarian law and, in particular, whether they give rise to an international or a non-international armed conflict. In this regard, the author considers the question of whether cyber attacks satisfy the requirement of ‘international’, ‘armed’ and ‘attack’ for the purposes of the law of international armed conflict. In relation to the law of non-international armed conflict, the author considers the question of whether a cyber group can be qualified as ‘organised’ and what is the required threshold of intensity of a cyber attack. Dinstein’s contribution focuses on the principle of distinction in international cyber conflicts. For Dinstein, the principles of distinction, proportionality and precaution apply to cyber war but their application is complicated because of the complexity of cyber technology and the interconnectivity of computer systems. Finally, Turns’s contribution considers the application of the notion of direct participation in hostilities to cyber war. In this context, he applies the criteria developed by the International Committee of the Red Cross in its 2005 Interpretive Guidance; namely, the threshold of harm, direct causation and belligerent nexus. For him, direct causation is the most problematic in the context of cyber war. He then goes on to consider the legal status of non-military personnel that are involved in the design, installation and operation of cyber weaponry and, more specifically, whether such non-military personnel can be regarded as directly participating in hostilities. His findings are mixed, with certain personnel not satisfying all the criteria all the time. All the papers in this special issue, with the exception of Professor Schmitt’s, have been presented at a workshop organised at the University of Glasgow in October 2011. We would like to express our gratitude to the School of Law, the
186
Editorial
ASRF and the Chancellor’s Fund at the University of Glasgow and also to the University of Sheffield for their generous financial support, without which this workshop could not have been held. We would also like to thank all the participants in the workshop. In particular, we would like to extend our gratitude to Professor Terry Gill and Professor Eric Myjer for chairing the panels and to Professor Robert Cryer and Professor Nigel White for providing concluding comments to the workshop. Finally, we would like to thank the editors of the Journal of Conflict and Security Law for publishing the papers. We believe that their publication is timely and will contribute to the legal and policy debates on cyber war in the years to come. Russell Buchan, University of Sheffield Nicholas Tsagourias, University of Glasgow