The new cyber face of battle: developing a legal approach to accommodate emerging trends in warfare.
I. INTRODUCTION
   A. What's in a Name?
   B. Legal Paradigms for Operations in Cyberspace
   C. The Attribution Problem
II. CYBERATTACKS AS COMBAT ENABLERS AND PART OF A COMBINED ARMS CAMPAIGN
   A. Cyberattacks and the Law of War: Jus ad Bellum
   B. Cyberattacks and the Law of War: Jus in Bello
   C. Cyberattacks as a Combat Enabler and Part of a Combined Arms Operation
   D. 2007 Israeli Raid on Syrian Nuclear Reactor
   E. Russian-Georgian War of 2008
III. MODIFIED-EFFECTS: A THRESHOLD TEST FOR CYBERATTACKS WITH NONKINETIC EFFECTS
   A. When is an Offensive Cyberspace Operation a Cyberattack? A Discussion of Leading Tests
   B. Modified Effects-Based Approach
   C. Using the Modified Effects-Based Approach to Analyze the Russian-Georgian War of 2008
IV. CONCLUSION
The Russian-Georgian War of 2008 marked an important evolution in the conduct of warfare. For the first time in history, cyberattacks joined the kinetic triad of air, ground, and naval operations. While Russian aircraft conducted bombing runs, tanks and infantry rolled across the countryside, and naval ships were blockading the Georgian coast, cyberattacks demonstrated the violability of Georgian sovereignty in cyberspace as well. They did so in two capacities: by using non-kinetic operations to facilitate kinetic outcomes by conventional forces, and by using non-kinetic operations to directly achieve effects that supplanted the need to physically destroy targets. These developments add a new dimension to the ongoing debate over what legal paradigm applies to cyberattacks--how to analyze non-kinetic cyberspace operations during armed conflict. This question is of critical importance because it determines how a state may respond under international law. State victims of cyberspace operations that are categorized as cybercrime will generally have a more limited response under international law than those classified as cyberattacks. This latter category constitutes an armed attack under the law of war, and therefore merits a response under that broader paradigm.
As with many areas of cyberspace operations, technology and practice have evolved more rapidly than the legal framework. Cyberspace operations do not fit neatly within conventional legal paradigms, which have historically struggled with identification of what constitutes an armed attack under international law. Cyberspace operations have significantly heightened these challenges, and the development of a legal framework optimally suited to the unique characteristics of cyberspace operations has lagged dangerously behind. Rather than developing a new legal framework to fit the unique characteristics of cyberspace operations, the traditional legal framework governing the use of force remains in place. Instead, scholars and practitioners have sought to modify existing tools. For instance, the use of "threshold" tests to determine if an operation meets the level of severity required to be considered an attack under the law of war first evolved with conventional military operations, such as border skirmishes and insurgent activities. In recent years, efforts have been made to adapt threshold tests to account for the unique characteristics of cyberspace. To date, the focus of scholars and practitioners has largely been on cyberattacks that directly cause kinetic effects--physical damage or destruction. Existing scholarship also focuses predominantly on cyberattacks committed in the absence of conventional operations. The threshold approaches that have been developed specifically for cyberspace reflect this concentration on kinetic effects.
This Note addresses an emerging form of cyberspace operations, and adapts existing threshold approaches to this new type of warfare first executed during the Russian-Georgian War of 2008: the use of non-kinetic cyberattacks to facilitate kinetic effects and the use of non-kinetic effects as a substitute for conventional operations. It proposes that the former operations be classified as combat enablers, and the latter be recognized as part of a modern four-dimensional combined arms campaign. This nomenclature parallels that given to conventional weapons that serve a similar role, although it expands the traditional understanding of these terms to apply them to cyberattacks. It does so to emphasize how military planners are increasingly viewing cyberattacks as another tool available to conduct warfare, and are synchronizing them with conventional arms. This discussion also highlights why current approaches to distinguish cybercrime from cyberattacks, which focus on direct kinetic effects, are ill-suited to these emerging uses of cyberattacks as part of a broader military campaign. Determining whether such cyberattacks should be considered under the law of war--even absent direct kinetic effects--is important as it is most probable that military campaigns of the future will follow the Russian precedent and utilize cyberattacks in concert with traditional weapons to achieve their strategic goals.
This Note is divided into four parts. The first part provides a basic introduction to the terminology used in this Note and a brief discussion of the legal paradigms that may apply to cyberspace operations. Part II continues with a proposal to consider cyberspace operations as an armed attack when non-kinetic cyberattacks are used in connection with other conventional weapons to achieve kinetic effects or to supplant the need for kinetic effects. As such, this Note proposes the use of the terms "combat enabler" and "part of a combined arms approach" to differentiate these types of attacks. This proposal is significant because it will impact the legal response a state can take in an armed conflict. Part II also introduces two case studies in which cyberspace operations were used in connection with conventional military attacks. The first is the 2007 Israeli raid on the suspected Syrian nuclear reactor; the second is the Russian-Georgian War of 2008. Part III discusses the different tests that have been proposed to determine when a cyberspace operation meets the threshold to be declared an armed attack. After reviewing existing literature, a proposal is made to adopt a modified effects-based approach to better address the unique nature of cyberattacks and their interaction with conventional arms to achieve kinetic outcomes. The Russian-Georgian War case study is used to demonstrate how the modified effects-based test can be applied to determine when a cyberspace operation should be considered cybercrime and when it is a cyberattack. Part IV provides concluding thoughts and discusses what future steps should be taken with regard to developing a legal framework that is better suited to the distinct challenges of cyberattacks.
A. What's in a Name?
Even the most fundamental notions remain unsettled in cyber literature--scholars and practitioners continue to use a variety of terms to refer to activities conducted in cyberspace. The Department of Defense (DoD) and a growing number of scholars use the term "cyberspace operations" to refer to the "employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace." (1) This umbrella term seems to have mostly replaced the narrower "computer network attack" terminology, which was prominent in earlier literature. (2) This Note will use "cyberspace operations" and follow the DoD's usage of the term.
In order to more narrowly describe the different types of cyberspace operations, this Note will use "cybercrime" to refer to those cyberspace operations that fall under the criminal or law enforcement paradigm. "Cybercrime" is "crime that is enabled by, or that targets computers," (3) a term that has been widely accepted by scholars and practitioners. However, there is no similar consensus on what term should be used to address those cyberspace operations that meet the criteria for an armed attack. The term "cyberattack" is commonly used by scholars and practitioners to refer to offensive cyberspace operations that may be considered an armed attack. In addition, cyberattack is frequently used as an umbrella term to describe offensive cyberspace operations that include both criminal activities and attacks that fall under the law of war. Using cyberattack as both an umbrella term and in specific reference to those offensive cyberspace operations that are considered an armed attack is confusing and makes it more difficult to appreciate the distinction between the two.
Thus, this Note will generally use the term "cyberattack" in the narrow sense: to refer to those cyberspace operations that are offensive in nature and meet the criteria for an armed attack. The term "cyberwarfare" will generally not be used because the focus of this Note is only on offensive cyberspace operations. Some use the term "cyberwarfare" in lieu of cyberattack to emphasize the distinction from cybercrime. However, in military doctrine, the term "warfare" encompasses both offensive and defensive operations. For example, the military uses the term "electronic warfare" to include electronic attack, electronic protection, and electronic warfare support. (4) It is logical to use a parallel construction for cyberwarfare, and use the term cyberattack to refer to those offensive cyberwarfare operations that meet the threshold to be considered under the law of war.
B. Legal Paradigms for Operations in Cyberspace
One of the core challenges with cyberspace operations is identifying which legal paradigm applies. Identifying the appropriate paradigm is critical for determining how to legally respond to such activities. There are three legal models relevant to cyberspace operations: criminal, espionage, and the law of war. The criminal, or law enforcement, model is based in domestic law. It is the broadest of the three legal approaches, and is used to prosecute crimes committed through cyberspace. Such activities commonly include credit card and identity theft, violation of patents, trade secrets and copyright, hate crimes, libel, defamation, and fraud. (5)
Cyberspace operations may also rise to the level of an armed attack; such operations are most appropriately analyzed under the law of war. This legal paradigm is narrow and most cyberspace operations will not meet the threshold required to constitute an armed attack. Those cyberspace operations that do not meet this threshold will most likely be considered cybercrime; those that meet the threshold will be cyberattacks and should be analyzed under the law of war. While scholars and practitioners agree that there is a threshold "bar" that must be reached for an attack to be considered under the law of war, how that bar should be defined remains an unsettled issue. This issue will be discussed more in Part III. Cyberespionage will not be discussed in this Note.
Distinguishing between cybercrime and cyberattacks is complicated by the unique nature of cyberspace operations. Cyberspace operations utilize the same method or instrument regardless of whether the operations are cybercrime or cyberattacks. These may include botnets, (6) hacking, spamming, viruses, and worms. (7) In the conventional realm, the instrument used to carry out an operation often provides definitive evidence as to the actor and the legal paradigm that applies. For instance, a submarine-launched cruise missile irrefutably indicates state action that will likely fall under the law of war. However, in cyberspace operations, the same instrument could be used to steal personal data, shut down critical government websites, or shut down enemy air defense systems.
An additional challenge in determining which legal paradigm applies stems from the non-physical nature of cyberspace, and the fact that cyberspace operations may or may not have physical effects. Some cyberattacks will have physical effects--releasing the floodgates on a dam or causing nuclear centrifuges to explode. However, in many cases, cyber technology will achieve the same effects as kinetic weapons without the physical destruction. For instance, military campaigns have historically bombed enemy command and control facilities at the start of offensive operations. Today, cyberattacks can achieve the same disruption and denial of communications without physical damage. This increases the difficulty of determining whether or not a cyberspace operation should be considered a cyberattack or cybercrime.
C. The Attribution Problem
Further complicating the distinction between cybercrime and cyberattacks is the attribution problem: it is extremely difficult and sometimes impossible to definitively identify where a cybercrime or cyberattack originates. And, even if the location is identified, the perpetrator is not likely to be a state official, and may even remain anonymous. Thus, in many situations, it will be difficult to determine if the perpetrator is a state actor, state-directed "militia," individual, crime syndicate, or a patriotic network inspired by nationalism but not directed by a state. Non-state actors are technologically proficient and have demonstrated the capacity to conduct devastating cyberspace operations on par with those that a state could carry out. The cyberspace playing field is relatively even between individuals, criminal organizations, and states. For instance, the Department of Defense has suffered from innumerable offensive cyberspace operations in recent years. Chinese military hackers have been identified as one of the more prominent groups of perpetrators. (8) But, so has a 16-year-old Florida student. (9)
Linked to the challenge of identifying the perpetrator is the difficulty of determining their intent. Even for those cases where the identity may be apparent, it is exceedingly difficult to determine when a government or military directs, coordinates, or supports efforts taken by what appear to be groups of civilian hackers. Are the Chinese hackers acting on behalf of state authorities to methodically identify vulnerabilities in the DoD network architecture? Is the Florida teen just a kid trying to figure out how good he is by breaking into the DoD system? In most cases, these questions are unlikely to be resolved.
Further complicating the attribution problem is the question of when states should be held responsible for cyberspace operations that originate in their territory. It is helpful to think of state responsibility as a spectrum: cyberattacks executed by military cyberspecialists--clearly an act of state--are at one end, while the 16-year-old hacking into someone's personal computer to find their bank account information--a criminal act that is not an act of state--is at the other end. However, in between is a large grey area that is both clarified and compounded by conventional standards of state responsibility. The first standard for determining state responsibility is the "effective operational control" test established by the International Court of Justice in the 1986 Nicaragua case with regard to the contras rebel group. The effective control test seeks to establish the conditions under which "individuals without the status of State officials could nevertheless engage the responsibility of [the State] as having acted as de facto State organs." (10) This test establishes a high bar for state responsibility, requiring "complete dependence" on state support. (11) The Court reiterated its preference for the effective control test in the 2007 Application of the Genocide Convention case. (12) The effective control test likely sets the state responsibility threshold too high for cyberspace operations, as these operations do not lend themselves to "complete dependence" on a state. Unlike conventional warfare, cyberattacks can be conducted with relatively little financial investment, formal training, or sustainment. Therefore, it seems less probable that an individual or hacker "militia" would exhibit complete dependence on a state, even if acting in pursuit of national objectives.
The second standard for determining state responsibility may be better suited to the nature of cyberattacks. This is the "overall control" test set forth by the International Criminal Tribunal for the Former Yugoslavia (ICTY) (13) in the Tadic case. In Tadic, the Court sought to distinguish the "situation of individuals acting on behalf of a State without specific instructions, from that of individuals making up an organized and hierarchically structured group." (14) The Court explains that international law not only holds states responsible for acts in breach of international law attributed to individuals having the formal status of organs of the State, but also to "individuals who make up organised groups subject to the State's control ... regardless of whether or not the State has issued specific instructions to those individuals." (15) The "overall control" standard seems more adaptable to cyberspace operations, where hacker militias may operate under loose state control. However, the overall control test also creates a relatively high bar for attribution of a cyberspace operation to a state. (16)
Thus, the attribution problem will be an underlying concern for all efforts to categorize cyberspace operations as either criminal acts or attacks under the law of war. This Note accepts that attribution is a serious impediment to categorization and an underlying concern with all cyberspace operations and particularly with state responsibility under the law of war. However, due to the technical improbability of resolving this challenge in the near future, this Note acknowledges that attribution will affect the ultimate response to cyberspace operations, but does not seek to resolve this problem. Instead, it focuses more narrowly on developing a threshold test to help differentiate between cybercrime and cyberattacks. The attribution problem will be discussed further in the final Part, which seeks to explain a way ahead.
II. CYBERATTACKS AS COMBAT ENABLERS AND PART OF A COMBINED ARMS CAMPAIGN
Cyberattacks are an emerging form of warfare, and will increasingly contribute to the conduct of military operations. Current scholarship has largely focused on whether and when a cyberattack, on its own, constitutes an armed attack. Stuxnet (17) has shown the importance of such scholarship. However, while it is very likely that future cyberattacks will occur as stand-alone attacks, it is equally or more probable that cyberattacks will be used as part of a broader campaign in future warfare. This Note will focus on the law of war implications for this less explored area: the use of cyberattacks with non-kinetic effects in conjunction with conventional arms. This area of cyberattacks is divided into two categories: those cyberattacks that facilitate kinetic effects by conventional arms, and those that achieve a non-kinetic effect that supplants the need to physically destroy the target. This Note proposes calling the first category of cyberattacks "combat enablers." (18) It also proposes that the second category of cyberattacks may be labeled as one prong of a combined arms campaign when the cyberattacks are used as part of a broader, synchronized military campaign. The notion of a combined arms campaign for cyberattacks implies an analysis under the law of war that looks to the totality of circumstances, effectively considering both cyberattacks and conventional attacks together to determine if the threshold is met to apply the law of war, and if so, to shape the conduct of operations in accordance with the law of war. The use of the terms "combat enabler" and "combined arms campaign" to apply to non-kinetic cyber effects expands their current doctrinal usage, which is limited to conventional operations. The intent in choosing these terms for this Note is primarily to create a shorthand reference to describe these two categories of cyberattacks, as well as to facilitate consideration of cyberattacks as a tool in modern warfare.
The focus on cyberattacks as part of a broader military campaign is important for several reasons. First, it is important to determine when cyberspace operations conducted concurrently with, or temporally proximate to, conventional military operations can be considered under the law of war, and when they should be considered a criminal activity. Some cyberspace operations conducted during armed conflict could be a cyberattack while others could be cybercrime. Both could occur simultaneously, as the case study of the Russian-Georgian War of 2008 will show. Second, it is important to determine when attacks should be categorized under criminal or armed conflict models in order for the target state to respond in a manner that conforms with the law of war. Just as a state could not respond to conventional criminal activity with a massive military counterattack, a state cannot respond to cybercrime with military force (conventional or a cyberattack). Clarification of when offensive cyberspace operations are cybercrime and when they are cyberattacks will enable states to adhere to accepted principles of international law.
This Part will first examine the applicability of the law of war to cyberattacks. It will discuss the consensus in current scholarship that a cyberattack qualifies as an armed attack under Article 51 of the UN Charter. It will then proceed to examine the idea of cyberattacks as a combat enabler and the proposal that cyberattacks can sometimes be considered one prong of a combined arms attack. This Part provides a general discussion on the interplay between different weapons systems and the use of multiple systems to achieve greater kinetic effects. It will discuss how cyberattacks can fit into military strategy. This Part will provide background knowledge for the next Part, which will discuss the inadequacy of current tests to determine the threshold bar for classification as an armed attack. Further, this Part will include a discussion of two case studies that demonstrate how cyberattacks are being used as part of a broader military campaign.
A. Cyberattacks and the Law of War: Jus ad Bellum
In 1999, the Department of Defense's Office of the General Counsel produced an assessment of international legal issues in information operations. (19) In the report, it stated that the "law of war is probably the single area of international law in which current legal obligations can be applied with the greatest confidence to information operations." (20) Although perhaps overly optimistic as to the ability of the existing legal framework to address cyberattacks, the question of whether or not cyberattacks can fall under the law of war is less debated than how the law of war applies.
This section will briefly discuss the existing international legal regime governing war, focusing on its applicability to cyberattacks. It will explain the general applicability of the law of war to cyberattacks. Next, it will outline basic principles of jus ad bellum, the law governing when states can engage in armed conflict. In particular, this section will emphasize the legal framework that applies to the question of what constitutes an armed attack.
First, it is important to clarify that the law of war may apply to cyberattacks. As discussed in the introduction, there are three possible legal regimes that could apply to cyberspace operations: criminal, espionage, or the law of war. There is a consensus that cyberattacks qualify for categorization under the law of war despite not being explicitly mentioned in the UN Charter, Geneva Conventions, Hague Conventions, or other key foundation documents that comprise the law of war. In its 1996 advisory opinion on nuclear weapons, the International Court of Justice explicitly stated that the provisions of the UN Charter which provide the core principles for jus ad bellum "do not refer to specific weapons ... [t]hey apply to any use of force, regardless of the weapons employed." (21) As a result, the Court held that the established principles and rules of international humanitarian law (jus in bello) continue to apply even as new weapons are introduced--including weapons that could not have been conceived of at the time these conventions were drafted. The Court specifically cites the Martens Clause, of which a modern version is codified in article 1, paragraph 2 of Additional Protocol I of 1977, as an "effective means of addressing the rapid evolution of military technology." (22) Thus, there is little doubt that the established principles of jus ad bellum and jus in bello apply to those cyberspace operations that qualify as cyberattacks.
The more challenging problem is to determine which cyberspace operations qualify as cyberattacks. Examining the key principles and rules of jus ad bellum is the first step in this analysis. The primary sources of jus ad bellum are key articles in the United Nations Charter and principles of customary international law. Article 2(4) of the UN Charter is the cornerstone of jus ad bellum analysis; it requires states to "refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations." (23)
The UN Charter contains several exceptions to the prohibition on the use of force. The most notable is found in Article 51, which acknowledges the "inherent right of individual or collective self-defence" thereby permitting force to be used in self-defense against an armed attack. (24) The Charter also authorizes the Security Council in Article 39 to "determine the existence of any threat to the peace, breach of the peace, or act of aggression and ... decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security." (25) Article 41 authorizes the Security Council to decide upon measures not involving the use of armed force, while Article 42 contemplates Security Council authorization of force. Specifically, it authorizes the Security Council to "take such action ... as may be necessary to maintain or restore international peace and security." (26)
Neither the "use of force" nor "armed attack" is defined in the Charter. There is consensus that the term "use of force" was intended to refer only to military force based upon the historical background of Article 2(4), the travaux preparatoires of the Charter, and decisions by the International Court of Justice, including the Nicaragua case, which interpret the use of force narrowly. (27) The common reading of "use of force" thus excludes other types of coercion such as economic, political, or psychological.
But, not all use of force--even if it is of a military nature--constitutes an armed attack. While there is no definitive interpretation of "armed attack," the International Court of Justice in the Nicaragua case clarified that the "scale and effect" played a role in determining what constitutes an armed attack, such that border incidents may not meet the threshold for armed attack. (28) In addition, the Court quoted the definition of "aggression" in General Assembly Resolution 3314 as "expressing customary law" on the issue. (29)
The lack of clear criteria for determining what constitutes an armed attack has long been problematic for conventional operations; it continues to present a challenge for cyberspace operations. In both conventional and cyberspace operations, there may be a gap between what constitutes a violation of Article 2(4) (use of force) and what is an armed attack under Article 51, which permits a response in self-defense. This issue will be explored more in Part III, which discusses current efforts to develop threshold tests to guide the characterization of cyberspace operations as either cyberattacks, meriting application of the law of war, or cybercrime, which results in the application of a law enforcement paradigm.
In addition to the framework established by the UN Charter with regards to jus ad bellum, there are also two key principles of customary international law. These principles are necessity and proportionality. Necessity requires that the use of armed force be a last resort, after all other means to peacefully resolve the conflict have been exhausted. Proportionality refers to the scope of force used, requiring actions taken in self-defense to be proportional to the original attack.
B. Cyberattacks and the Law of War: Jus in Bello
Jus ad bellum establishes when the use of force is authorized under international law. The use of force during armed conflict is governed by jus in bello, or international humanitarian law. This section will discuss general principles of jus in bello, and the unique challenges that cyberspace operations present to jus in bello. It will also analyze the continued relevance of defining what constitutes an "attack" even after armed conflict begins.
International humanitarian law emphasizes distinction and proportionality. Distinction refers to the legal requirement that non-combatants must be protected; military force is justified only if it is directed at the enemy's military forces or other military objectives. (30) Thus, it is imperative to distinguish between combatants and non-combatants. In modern warfare, distinction has become more problematic due to the growing prevalence of "dual-use" infrastructure. For instance, a power plant may serve a military function such as providing electricity to a military base or a munitions plant, which are both likely to be deemed legitimate military objectives. However, it may also be the sole source of electricity for the civilian populace, powering hospitals, water treatment plants, and transportation. The legality of targeting dual-use infrastructure is problematic for both conventional military operations and cyberattacks, and requires an analysis under the principle of proportionality. Jus in bello proportionality differs from jus ad bellum proportionality: it examines the collateral damage caused by an attack against a military objective. Military operations that would cause "incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated" are prohibited. (31)
This Note is focused narrowly on the topic of determining which cyberspace operations constitute cyberattacks, and will therefore limit the remainder of the discussion of jus in bello to those aspects that relate to this central question. With conventional weapons, determining whether an operation constitutes an armed attack is of primary importance only in jus ad bellum. Once armed conflict has been declared, there is less of a focus on determining whether individual operations constitute an armed attack and more scrutiny on determining if they comply with the principles of distinction and proportionality. For instance, when bombs are dropped against enemy targets, the focus is not to determine if the bombs constitute an attack. If they are used during the course of armed conflict they automatically are considered under jus in bello and the primary concern is whether that operation was lawful under international humanitarian law. However, cyberattacks complicate the traditional distinction between jus ad bellum and jus in bello, because it is not always apparent whether an offensive cyberspace operation constitutes an attack, even if it occurs during ongoing hostilities. There is a high probability that both cybercrime and cyberattacks will occur simultaneously. Indeed, it appears that this was the case during the Russian-Georgian War of 2008, which will be discussed in more depth in Part III. Website defacements (a criminal activity or propaganda) may occur simultaneously with distributed denial of service (DDoS) attacks that shut down electrical grids (cyberattack). Further complicating matters is the fact that it is likely to be unclear who the cyber actors are--individuals motivated by personal reasons or proper military combatants seeking to achieve military objectives through non-physical means.
Thus, unlike conventional operations, it is important to continuously assess offensive cyberspace operations in ongoing hostilities to determine whether they constitute a cyberattack and should be analyzed under international humanitarian law, or whether they are cybercrime and should be considered under a criminal paradigm. Additional Protocol I to the Geneva Convention provides guidance on what constitutes an attack under international humanitarian law. Article 49 defines an attack to include "acts of violence against the adversary, whether in offence or defence." (32) A narrow interpretation of the word "violence" may severely limit the application of international humanitarian law to cyberspace operations conducted during armed conflict. Cyberspace operations may lack the physical characteristics typically associated with violence; instead of explosions, a grid may just quietly go dark. Further, disruptions or denial of service caused by cyberspace operations may only be temporary. Professor Michael Schmitt argues that cyberspace operations that do not directly cause "injury, death, damage, or destruction" would be "permissible against non-military objectives, such as the population." (33)
The next Subpart will address the challenges presented by cyberspace operations that do not directly cause injury, death, damage, or destruction--also known as physical or "kinetic" effects. It will propose that the definition of attack for both jus ad bellum and jus in bello be interpreted to include cyberspace operations that directly achieve non-kinetic effects, but indirectly facilitate kinetic outcomes. These cyberspace operations should qualify as cyberattacks, and be analyzed under the law of war.
C. Cyberattacks as a Combat Enabler and Part of a Combined Arms Operation
Much of current literature focuses on when offensive cyberspace operations on their own constitute an armed attack. While this is a very significant potential use of cyberattacks, it is also likely that cyberattacks will be used as one component of a broader military campaign in armed conflict. This Part will focus on the use of cyberattacks that create non-kinetic effects that enable physical destruction by conventional weapons and the use of cyberattacks in a broader military campaign to achieve non-kinetic effects that otherwise would have required physical destruction to achieve equivalent results. (34) The terms combat enabler and cyberattacks as part of a combined arms campaign are used to describe each use, respectively. (35) The purpose of this discussion is to establish a frame of reference that will be developed more in the next Part, which proposes a new threshold test to determine which offensive cyberspace operations should be considered as cybercrime and which are best classified as cyberattacks. The use of cyberattacks as combat enablers and as part of a combined arms campaign are discussed together in this section because there is not always a clear distinction between the two. For instance, cyberattacks can disrupt enemy air defenses to allow bombers to safely enter enemy airspace and physically destroy their targets. In such cases, cyberattacks are not directly causing kinetic effects, but are replacing the need for the physical destruction of enemy air defenses before aircraft can proceed with their mission. As such, cyberattacks are combat enablers of the kinetic effects--they are facilitating the success of the bombing mission. They are also part of a combined arms attack, because they are disrupting or denying the air defenses to achieve results that otherwise would have required the bombers to physically bomb the air defenses.
The end state of most military campaigns is to achieve kinetic results in order to cause the enemy to capitulate. While the objectives of combat operations vary considerably, the strategy implemented by military planners has long focused on combined arms--the pressing of an enemy on multiple fronts in a way that achieves greater results than could be achieved by any one dimension alone. Combined arms attacks traditionally include coordination of conventional arms such as air, ground, and naval attacks. Historically, the components of a combined arms attack have all directly achieved kinetic effects: for instance, field artillery, tanks, naval gunfire, and bombers. However, in modern warfare, the definition of combined arms has effectively--although not necessarily doctrinally--been expanded to include both kinetic and non-kinetic capabilities that work together to achieve mutually complementary results. This expanded view of combined arms includes the use of electronic warfare assets to jam enemy radar so aircraft may bomb targets without concern for enemy air defense capabilities. This modern, less rigid interpretation of combined arms lends itself to inclusion of cyberattacks that use non-kinetic effects to achieve results that would otherwise require kinetic effects.
It also facilitates an understanding that in determining if the threshold is met to be considered an armed attack, a cyberspace operation should not necessarily be viewed in isolation, but if it achieves complementary or mutually enforcing results with conventional arms, the totality of the operation should be analyzed to determine if the threshold is met. In such cases, this may obviate the need for the threshold test described in the next Parts. However, in others the test will still be relevant. In most cases, the test will always be relevant for cyberattacks as combat enablers.
The following case studies will illustrate the use of cyberattacks as combat enablers and as part of a broader combined arms campaign. These examples will provide support for the proposal that such operations should be considered under the law of war despite their lack of direct kinetic effects. The first case study is the Israeli bombing of Syrian nuclear facilities in 2007. This case is intended to illustrate how cyberattacks can be used to heighten the effectiveness of conventional attacks. The Israeli raid did not trigger an armed counterattack by Syria--although the bombing of a critical industrial target would likely meet the threshold for an armed attack and legitimize a response in self-defense had Syria chosen to take such action. The fact that this event did not escalate into an armed conflict demonstrates that just as with traditional conventional operations, a state may choose not to exercise its right of self-defense under Article 51, as occurred when Israel executed a similar raid in 1981 that destroyed Iraq's Osirak nuclear facility. (36) The second case study examines the use of cyberattacks during the Russian-Georgian War of 2008. It is the first use of cyberattacks as part of a broader armed conflict, and presents a more complex example of the use of cyberattacks as part of a combined arms campaign. We will return to this case study in later parts of this Note to demonstrate how some offensive cyberspace operations may be considered cyberattacks, and others are more appropriately characterized as cybercrime. However, the facts presented in this Part focus solely on the cyberattacks and the broader conventional military campaign.
D. 2007 Israeli Raid on Syrian Nuclear Reactor
The 2007 Israeli raid on Syria constitutes an unlawful use of force, but did not become an armed conflict. It is presented as a case study because it demonstrates the integration of cyberattacks into an armed attack. The use of cyberattacks to facilitate kinetic effect supports the proposal that cyberattacks be considered as both a combat enabler and one prong of a combined arms campaign.
In September 2007, Israeli aircraft destroyed the Syrian nuclear project in a nighttime bombing raid. (37) While the raid did not result in a counterattack by the Syrians, the raid provides a valuable insight into the future of modern warfare. Characterized as the "most sophisticated example of nonkinetic warfare," (38) Israeli aircraft successfully bombed the target after arriving in Syrian air space undetected. (39) The ability of the aircraft to arrive on target without being identified is noteworthy as the Syrians have an extensive air defense network, and the F-15s used in the attack are not stealth aircraft. The failure of the Syrians to detect the incoming aircraft appears to have been the result of both "traditional" electronic attack (jamming of HF and VHF frequencies) and the work of Israeli specialists that hacked into the Syrian air defense system. (40) These non-kinetic attacks caused the "entire Syrian radar system [to go] off the air for a period of time that included the raid," (41) allowing the F-15s uninterrupted delivery of their payload on the suspected Syrian nuclear reactor site. Thus, the cyberattacks served two functions: 1) to disrupt or deny enemy capabilities that otherwise may have required physical destruction; and 2) to facilitate the success of the kinetic mission--destruction of the nuclear reactor.
Although reports of how the Syrian air defense network was shut down have not been confirmed--and likely will not be--if true, this campaign marks an important point of progression in the use of cyberattacks to facilitate conventional kinetic effects. Electronic attack assets have long been used to accompany aircraft entering hostile territory due to their ability to jam critical enemy electronic frequencies. However, during the Israeli raid, cyberattacks apparently complemented the tactical, air-to-ground electronic attack by simultaneously penetrating the air defense network through computer-to-computer links. (42) The two attacks were distinct, with the cyberattacks described as "higher-level, nontactical penetrations, either direct or as diversions and spoofs, of the Syrian command-and-control capability, done through network attack." (43) The combination of electronic attacks and cyberattacks successfully disrupted Syrian air defense capabilities, preventing them from detecting and launching an attack against the incoming Israeli aircraft. The use of these non-kinetic attacks was critical to the overall success of the mission to destroy the Syrian nuclear site.
E. Russian-Georgian War of 2008
The brief Russian-Georgian War began on the night of August 7, 2008, after months of escalating tensions. The onset of open hostilities was marked by the shelling of the South Ossetian town of Tskhinvali by the Georgian military. Russia swiftly responded to the shelling campaign with a massive counterattack. During the brief war, fierce ground battles were fought with tanks, armored vehicles, heavy artillery, paratroopers, and infantry. Russian aircraft conducted numerous bombing runs, while Russia's Black Sea naval forces implemented a blockade and facilitated kinetic operations from the sea. Throughout the hostilities, cyberattacks joined the kinetic triad of air, ground, and naval operations creating a four-dimensional combined arms campaign and facilitating devastating effects against the enemy.
The primary objective of the Russian cyber campaign was to support the Russian invasion of Georgia by targeting critical infrastructure. (44) The scale of the cyberattacks was significant: fifty-four Georgian websites were attacked in total. (45) The targets of the cyberattacks "were nearly all ones that would produce benefits for the Russian military," and included the targeting of news media and communications facilities which "ordinarily would have been attacked by missiles or bombs during the first phase of an invasion." (46) By denying access to news and government sites, the cyberattackers struck sites critical to understanding what was being attacked in cyberspace and in the physical domain, and coordinating effective responses. As a result, the cyberattackers effectively limited the Georgian military response to Russian kinetic operations. In addition to making it more difficult to conduct battlefield damage assessments and coordinate effective responses, the cyberattacks also had important psychological impacts by creating "panic and confusion in the local populace." (47)
The cyber campaign also directly targeted informational and economic elements of national power, "government websites, Georgian financial institutions, business associations ... [and] news media websites." (48) The national-level cyberattacks expanded during the war to include "nearly all of the more important government websites ... including the presidency, ministries, courts, and parliament." (49) The attacks on the Georgian Ministry of Foreign Affairs site and other key government websites were of sufficient severity that the Georgian government ended up relocating servers for online government sites to Estonia and the United States in an effort to thwart continued DDoS attacks. (50) During the war, cyberattacks were conducted not only against national-level targets, but also specific geographic areas that were imminent targets of combat operations, something that seems highly improbable without at least some coordination by the government and/or military. One report notes that "[g]iven the speed of action, the signal to go ahead [and attack specific local targets] ... had to have been sent before the news media and general public were aware of what was happening militarily." (51) For instance, distributed denial of service (DDoS) attacks shut down official sites in Gori just prior to bombings by Russian aircraft. (52) The cyberattacks lasted the duration of the armed conflict, although they did not permanently destroy their targets.
In sum, these two case studies demonstrate how cyberattacks can be used as combat enablers and as part of a combined arms campaign. While cyberattacks in neither case caused direct kinetic effects, the lack of physical destruction should not prevent them from being considered as an armed attack under the law of war as they were instrumental in enabling the success of kinetic outcomes by conventional weapons. In the Israeli case, the effectiveness of cyberattacks in disrupting Syrian air defenses significantly improved the chances that aircraft would be able to make bombing runs without fear of being shot down by Syrian anti-aircraft batteries. Similarly, the Russians effectively used cyberattacks to heighten the damage caused by conventional arms by disrupting communications, and the government and military's overall ability to execute command and control functions during the conflict. The military strategy exhibited in these two campaigns--the use of cyberattacks both to facilitate the kinetic effects by conventional arms as well as to supplant the need to physically destroy targets--will likely be a template for future armed conflict.
The next Part examines the threshold question in more detail. It will discuss current literature on the topic, and will use the material discussed in this section to propose that current tests are insufficient as either under- or overinclusive. This Note will propose a modified-effects test as a better tool for addressing those cyberattacks that do not cause direct kinetic effects themselves, but are used to facilitate kinetic effects as part of a combined arms operation. It will return to the case studies to demonstrate how the proposed test might be applied to cyberattacks used as part of a combined arms campaign--but that do not achieve direct kinetic effects themselves.
III. MODIFIED-EFFECTS: A THRESHOLD TEST FOR CYBERATTACKS WITH NONKINETIC EFFECTS
This Part will discuss the different tests that have been proposed to determine when an offensive cyberspace operation meets the threshold to be declared an armed attack. The previous Part applied the term "cyberattacks" to those offensive cyberspace operations that do not directly cause kinetic effects, but facilitate kinetic outcomes by conventional weapons--combat enablers--as well as to those cyberattacks that are part of a combined arms campaign, using non-kinetic effects to supplant the need for conventional weapons in the context of a multidimensional attack. The case studies demonstrated that these offensive cyberspace operations can play an important role in combat operations because they can enable kinetic effects. This Part will discuss how such cyberspace operations are viewed under the current leading approaches. It will discuss why these tests are not optimally suited for offensive cyberspace operations that are combat enablers, having non-kinetic effects but enabling kinetic outcomes. Finally, a modified-effects test will be proposed to classify offensive cyberspace operations that are used as combat enablers as cyberattacks instead of cybercrime, and to more effectively analyze cyberspace operations with non-kinetic effects that are part of a broader combined arms campaign. This Part will use the Russian-Georgian War of 2008 to illustrate how the modified-effects test could be applied.
A. When is an Offensive Cyberspace Operation a Cyberattack? A Discussion of Leading Tests
For over a decade, scholars and practitioners have sought to establish guidelines or tests to determine when an offensive cyberspace operation may be considered an armed attack under the law of war. Presently, there are three leading approaches: instrument-based, target-based, and effects- or consequences-based. Each of these leading approaches will be discussed in turn. Regardless of the difference in approaches, their proponents all agree that some offensive cyberspace operations can constitute armed attack. (53)
The first approach, an instrument-based test, has long been used for traditional concepts of force. (54) This approach focuses on the instrument used to carry out an attack, and has been useful in distinguishing armed coercion (which falls under the use of force) from economic or political coercion (which does not). (55) The use of an instrument-based approach was intended to address the problem that it was "extraordinarily difficult to quantify or qualify consequences in a normatively practical manner." (56) The focus on the instrument used was effective because traditionally, military instruments of force have been defined by or associated with their physical characteristics, such as a bomb. This enabled effective distinction from other types of instruments, such as diplomatic or economic, used to pursue national objectives, but not considered uses of force under Article 2(4). (57)
However, the applicability of the instrument-based approach test to offensive cyberspace operations appears very limited, as under such a test it is questionable whether cyberspace operations could even qualify as armed force. Most cyberattacks are carried out solely through cyberspace, and thus lack the physical characteristics required to be considered a military "instrument." Article 41 of the UN Charter demonstrates the long-standing prominence of the instrument-based approach, as well as the inflexibility of reliance on physical characteristics to determine what constitutes a use of force. Under Article 41, the Security Council is authorized to use "measures not involving the use of armed force" and includes in that category the "interruption of ... telegraphic, radio, and other means of communication." (58) There is little support today for interpreting this article as prohibiting consideration of offensive cyberspace operations as a use of force under Article 2(4). Instead, Article 41 demonstrates that the use of force paradigm has been instrument-based at least since promulgation of the UN Charter. (59) It also reinforces the limitations of an instrument-based approach in the modern era. The non-physical characteristics of offensive cyberspace operations (computer code instead of physical bombs) and the ability for such operations to pursue either criminal or national security ends has generated a consensus among scholars that the instrumentality approach does not adequately extend to today's notion of armed conflict. (60)
Yet, there is a minority that argues that an instrument-based approach would still be relevant for cyberattacks. (61) David Graham argues, "a cyber attack conducted for the purpose of shutting down a power grid would be deemed an armed attack [under an instrument-based approach] ... [b]ecause prior to the development of cyber capabilities, the destruction of a power grid would typically have required bombing a power station or using some other form of kinetic force to achieve such result." However, what Graham categorizes as instrument-based seems to more closely resemble the generally accepted definition for an effects-based approach.
The second approach for determining what constitutes an armed attack is target-based. In contrast to the instrument-based test, this approach focuses on the nature of the target attacked in order to determine if the offensive cyberspace operation constitutes armed attack for the purposes of self-defense. A leading proponent of this approach, Gary Sharp, suggests the threshold is reached when an offensive cyberspace operation occurs against "critical national infrastructure," regardless of the level of destruction caused. (62) Thus, under this approach, cyberattacks could automatically meet the threshold to be considered an armed attack solely based on target selection. This approach has also been called a "strict liability" model because of the automatic trigger. (63)
The target-based approach is over-inclusive for two reasons. The first is the broad range of potential targets considered as "critical infrastructure." Under the Critical Infrastructure Protection Act of 2001, critical infrastructure includes "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (64) The Department of Homeland Security further defines critical infrastructure to include thirteen different sectors. (65) Application of a target-based approach would mean a cyberattack occurs if any of the systems and assets of these thirteen sectors were targeted.
The second reason the target-based approach is over-inclusive is that it does not focus on the severity of an offensive cyberspace operation. As Duncan Hollis notes, cyberspace operations can produce "wide-ranging effects, from merely informational (distributing propaganda) to inconvenient (disrupting systems temporarily via a denial-of-service attack) to potentially dangerous (implanting a logic bomb (66) doing no immediate harm but with the potential to cause future injury) to immediately destructive (disabling a system permanently via a virus)." (67) Under the target-based approach, all of these activities would be classified as a cyberattack. Because of these two reasons, the target-based approach, as defined by the focus on critical national infrastructure, is dangerously over-inclusive. If utilized, the target-based approach seems likely to result in triggering retaliatory operations for minor offensive cyberspace operations that are better categorized under the criminal model. (68)
The final, and most prominent, approach is effects- or consequences-based. (69) There are several different varieties of effects-based approaches; they all focus predominantly on the consequences of an offensive cyberspace operation. As Yoram Dinstein broadly describes the effects-based approach, "what counts is not the specific type of ordnance, but the end product of its delivery to a selected objective." (70) Proponents of an effects-based approach include the Department of Defense. (71)
The effects, however, are calculated in different ways according to the particular approach chosen. Some of the effects-based constructs are very broad, such as Walter Sharp's proposal that "[a]ny computer network attack that intentionally causes any destructive effect within the sovereign territory of another state is an unlawful use of force within the meaning of Article 2(4)." (72) Others attempt to provide a more detailed framework for analysis. Michael Schmitt has constructed a framework from six factors: severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy. (73) However, his six-factor approach has been criticized for requiring too much information, as well as for being too subjective. (74) Daniel Silver argues that under Schmitt's six-factor framework, "virtually any event of [offensive cyberspace operations] can be argued to fall on the armed force side of the line" except perhaps the "severity" criteria. (75)
Silver, in turn, proposes an effects-based approach with "severity" as the determinant factor. Under this approach, severity is more limited than that proposed by Schmitt. Silver's approach requires that "physical injury or property damage must arise as a direct and foreseeable consequence of the [offensive cyberspace operation] and must resemble the injury or damage associated with what, at the time, are generally recognized as military weapons." Under this approach, in order to constitute an armed attack, an offensive cyberspace operation must cause effects equivalent to those produced by kinetic force. Although it has advantages over Schmitt's framework, Silver's effects-based approach is underinclusive because it requires the direct effect of a cyberattack to cause physical injury or property damage.
Still, Silver's approach seems to be among the best of the effects-based approaches for determining what constitutes an armed attack. Indeed, given the serious concerns with the instrument-based and target-based approaches, his effects-based approach appears to be the prominent threshold test overall. However, the under-inclusiveness of this approach sets the threshold for armed attack too high.
Combat enablers--offensive cyberspace operations that set the conditions for kinetic operations, but do not result in physical damage directly--would fall outside this framework's definition of armed attack. Non-kinetic cyberspace operations that supplant the need for physical destruction would also fall outside this framework. For instance, the offensive cyberspace operations that were used to disrupt air defense systems during the Israeli raid on Syria's nuclear facility would be considered cybercrime under this approach because they did not directly cause any physical injury or property damage. Further, the use of offensive cyberspace operations by Russia against Georgian targets would also fail to be considered an armed attack for the same reason: the attacks did not directly produce any death or destruction. Thus, while Silver's effects-based approach does not suffer the over-inclusiveness of other approaches, it is not optimally suited for the use of nonkinetic offensive cyberspace operations used as combat enablers or those achieving non-kinetic effects even though they are part of a combined arms operation. Recently, Herbert Lin proposed a broadening of the effects-based approach to better address offensive cyberspace operations that produce non-kinetic effects. Lin argues that an effects-based approach should focus on whether "both the direct and indirect effects ... produced by a cyber attack would, if produced by other means, constitute an armed attack." (76) This specific focus on indirect effects seems better suited for properly categorizing as cyberattacks those operations that are combat enablers or are one prong of a combined arms campaign. However, Lin's approach is limited in its applicability because it does not provide more specific criteria or a framework to facilitate analysis.
B. Modified Effects-Based Approach
This Subpart builds from current approaches to develop a modified effects-based approach that includes both direct and indirect effects of offensive cyberspace operations. The proposed modified effects-based approach will emphasize the importance of specified key elements to provide a loose framework for analysis. These elements are viewed in totality and form the central rationale for applying a particular legal model. This approach seeks to avoid some of the over- and under-inclusive challenges present in the various threshold tests discussed above. The primary focus is to develop a threshold test that has the potential to characterize certain offensive cyberspace operations with indirect effects that are used to facilitate direct kinetic outcomes as cyberattacks. This threshold limit would also categorize as cyberattacks those offensive cyberspace operations that achieved direct kinetic effects (the Silver effects-based approach) as well as those with non-kinetic effects that to achieve the same outcome would otherwise require kinetic effects (Lin's effects-based approach).
The three broad elements in this proposed modified effects-based approach are: the target, impact, and timing. First, this approach is called a "modified" effects-based approach because it acknowledges that target selection can play an important role, although not a determinative one, as under a target-based approach. In particular, this first prong of the analysis should focus on whether the offensive cyberspace operation targets critical elements of national power (diplomatic, military, economic, and informational). (77) The use of these four elements of national power (DIME) is chosen over the overly-inclusive critical infrastructure approach in an attempt to sharpen the analysis and avoid becoming bogged down with the sheer number of sectors included in definitions of critical infrastructure, some of which have less direct connections to national power. Yet, even by narrowing the focus from the thirteen sectors of critical infrastructure to the four elements of national power, this factor will still be over-inclusive as there is not a narrow, precise list of what assets comprise the four elements of national power. As a result, analysis of the target itself provides context and meaning to the overall test but is likely to be the least determinative of the four elements. However, it contributes to the overall effectiveness of the proposed approach because the target selected contributes context and perspective to the test. It may be most helpful in determining what definitively does not meet the threshold and should be considered cybercrime. In such obvious cases, there is no need to continue with the rest of the test.
The second element is the impact of the attack. The impact, which in some ways is analogous to Silver's use of "severity," will likely be the most significant element. The impact refers to the scale of the attack and the effect or result generated by the attack. The focus on "scale and effect" follows the use of these terms by the International Court of Justice in the Nicaragua case to determine what constituted an armed attack. (78) It encompasses the totality of operations. The result generated by this phase of the analysis includes the specific, narrow result such as the disruption or denial of communication, as well as the broader effect, such as the inability to coordinate a response or the creation of psychological effects such as panic and confusion. In recognition of the evolving capacity of cyberspace operations to deny access without causing physical damage or destruction, this element does not require direct kinetic effects. Thus, this element permits consideration of cyberattacks used as combat enablers as well as those with nonkinetic effects that are part of a broader combined arms campaign. For instance, the use of offensive cyberspace operations to temporarily shut down air defense networks, communications, or electrical grids--all of which have previously been on targeting lists for conventional weapons.
The third element is the timing of the offensive cyberspace operation. This element focuses on the overall context or environment in which the operation is conducted. A random operation may be viewed differently from one that occurs in the midst of on-going hostilities. For those cyberattacks that are combat enablers, it is significant that the timing of the cyberattack be proximate to that of the kinetic effects they facilitate. The same is true for those non-kinetic cyberattacks that are conducted as one prong of a broader combined arms strategy. While there is no formal rubric for determining temporal proximity, the goal is to ensure that cyberspace operations that occur months before the onset of hostilities are not considered cyberattacks, even though they may have some tangential impact on kinetic operations. There are parallels to this concept in conventional warfare, where border incidents or other antagonistic events may occur between two states without being considered armed attack even if they do serve an intelligence gathering purpose or otherwise make a contribution to later hostilities. Admittedly, there is a degree of boot-strapping in this part of the test--the whole picture is key to determining whether or not non-kinetic cyberattacks can be classified under the law of war. Such categorization is significant because it will determine what response an attacked state can take under the law of war.
While the modified effects-based approach is better tailored to dealing with cyberattacks as a component of modern warfare, it is not fully effective in dealing with the attribution problem. As discussed earlier in this Note, attribution is a critical challenge to determining an appropriate response to cyberspace operations because there is currently no assured method of identifying the perpetrator of a cyberspace operation. This creates a significant hurdle for applying the law of war to cyberattacks, as identification of the aggressor state (or non-state actor) is imperative under the law of war. Attribution problems impact all threshold approaches, including the proposed modified effects-based approach.
Target selection is highly susceptible to the attribution problem. Individuals, non-state entities, and state actors can all achieve similarly devastating effects against critical targets because the cyberspace playing field is relatively even. As discussed earlier, even critical elements of national power, such as the DoD's network architecture, are subject to offensive cyberspace operations from individuals, non-state entities, and state actors, all of which may have differing intent, but can achieve the same effect on the target. The impact element suffers from the attribution problem for similar reasons--technology is not advanced enough to be able to definitively identify the perpetrator and their intent.
The timing element is primarily intended to ensure that non-kinetic cyberattacks have a direct connection to the kinetic effects they help to enable. Timing is not intended to mitigate the attribution problem, although it may help to do so. Analysis of the timing of cyberattacks in relation to conventional attacks may indicate intentional synchronization and help to develop a case for state responsibility. However, this proposed element does not--and is not intended to--overcome the attribution problem. As with all other threshold approaches, the attribution problem remains an underlying challenge to developing an appropriate response to cyberattacks.
In sum, the cumulative result of the three elements in the modified effects-based approach facilitates a determination of whether an offensive cyberspace operation best fits in the criminal paradigm or if it reaches the higher threshold to be considered under the law of war. As with traditional uses of force, there is no stable measure of when the threshold of armed conflict is reached, but rather it remains a fact-specific and context-based decision. The modified effects-based approach is designed to provide a framework to structure the facts in order to determine whether a cyberspace operation is best categorized as cybercrime or cyberattack. It also contributes to existing approaches by specifically considering cyberspace operations that are combat enablers or part of a combined arms campaign as cyberattacks, enabling application of the law of war. This approach is more appropriate for the current and anticipated uses of cyberspace operations as part of an integrated combined arms approach to battlespace operations.
The next Subpart applies the modified effects-based approach to the Russian-Georgian War to demonstrate how it may be applied to an armed conflict, and also to highlight how cyberattacks and cybercrime may both occur during an armed conflict. It will also illustrate the challenge of the attribution problem, and how the timing element may assist in determining whether the criteria for a cyberattack can be met even without definitively identifying the perpetrator.
C. Using the Modified Effects-Based Approach to Analyze the Russian-Georgian War of 2008
The Russian-Georgian War of 2008 was clearly an armed conflict; but the existence of an armed conflict does not necessarily mean that all the offensive cyberspace operations that occurred during open hostilities should be classified as cyberattacks and analyzed under the law of war. Under a traditional effects-based approach, it is likely that none of the cyberspace operations would be considered to be cyberattacks as they did not directly cause physical damage or destruction. Instead, they would be classified as cybercrime. The modified effects-based approach acknowledges that some cyberspace operations can be considered cyberattacks even if they achieve non-kinetic effects--if they are used as combat enablers and facilitate outcomes by kinetic operations or are part of a combined arms campaign. This Subpart will analyze the known facts of the war under the modified effects framework to conclude that both cyberattacks and cybercrime occurred during the armed conflict. In the interest of brevity, it will not examine the facts for each of the many cyberspace operations conducted during the armed conflict, but rather will more broadly analyze events to demonstrate how the modified effects-based approach could be implemented.
The first element of the modified effects-based approach is the target. During the war, cyberspace operations directly targeted informational and economic elements of national power, "government websites, Georgian financial institutions, business associations ... [and] news media websites." (79) As discussed earlier, the target selection has less weight in the overall analysis. The cyberspace operations against Georgia demonstrate the challenges with using target selection and a focus on elements of national power, as there is not a detailed explanation for what constitutes an element of national power. However, the use of target selection is not intended to be deterministic and therefore, instead of more closely examining the connection of the different operations to the elements of national power, we will proceed to the next phase of the analysis.
The second element is the impact of the cyberspace operations. The scale of the offensive cyberspace operations was quite large; it appears that fifty-four Georgian websites were attacked in total. (80) The national-level cyberspace operations expanded during the war to include "nearly all of the more important government websites ... including the presidency, ministries, courts, and parliament." (81) The attacks on the Georgian Ministry of Foreign Affairs site and other key government websites were of sufficient magnitude that the Georgian government ended up relocating servers for online government sites to Estonia and the United States in an effort to thwart continued DDoS attacks and website defacements. (82) In addition, local official websites were targeted.
The impact of the cyberspace operations was significant, and included the disruption and denial of critical communications, accumulation of military and political intelligence through information exfiltration activities, and placement of Russian propaganda on Georgian websites. (83) This latter category, website defacement, does not rise to the level of severity necessary to be considered a cyberattack (regardless of target selection). Instead, website defacement is better categorized as cybercrime, regardless of the magnitude of the defacement campaign.
However, the other operations had a severe effect and merit further consideration to determine if they are more appropriately categorized as cyberattacks or cybercrime. By denying access to news and government sites--sites critical to understanding what was being attacked and coordinating effective responses--the perpetrators indirectly impacted the military element of national power as they limited Georgian military response to Russian kinetic operations. In addition to making it more difficult to conduct battlefield damage assessments and coordinate effective responses, the cyberspace operations also had important psychological impacts by creating "panic and confusion in the local populace." (84) The destruction of communication facilities and networks is a common tactic in warfare; instead of dropping bombs or firing missiles to take out key communications networks, the Russians utilized cyberspace operations with nonkinetic effects to achieve the same outcomes. In turn, this facilitated the effectiveness of conventional operations, which were able to exploit the loss of communications and confusion for military gain by seizing territory and causing physical destruction. There is strong evidence that these cyberspace operations served as critical enablers of conventional operations, facilitating achievement of greater kinetic effects than if the conventional operations had occurred on their own.
Finally, the timing of the attacks provides strong support for the conclusion that some of these offensive cyberspace operations (not including the website defacements) were not targeted cybercrime, but rather the first public instance of combined arms operations in four dimensions--therefore meriting the application of the law of war instead of a criminal paradigm. Timing also helps to minimize attribution problems. As discussed earlier, the bulk of the cyberspace operations occurred precisely as the Russian military commenced kinetic operations against Georgia, indicating intentional synchronization. The counterargument that "patriotic" Russian hackers could have decided on their own to attack important Georgian sites when the war began has some theoretical merit but is not supported by the evidence. First, all indicators suggest that the offensive cyberspace operations, which were quite sophisticated, were prepared well in advance of the start of hostilities, coordinated from the onset, and instructed. (85) Although predominantly carried out by civilian hacker "militias," they were coordinated amongst civilian hackers via online postings that directed the hackers to attack specific targets that were coordinated with Russian military operations. (86)
During the war, cyberspace operations targeted specific geographic areas that were imminent targets of combat operations, something that seems highly improbable without at least some coordination by the government and/or military. One report notes that "[g]iven the speed of action, the signal to go ahead [and attack specific local targets] ... had to have been sent before the news media and general public were aware of what was happening militarily." (87) For instance, distributed denial of service attacks shut down official sites in Gori just prior to bombings by Russian aircraft. (88)
This timing is also significant because it impacted the ability of Georgia to potentially warn the general populace once the inbound aircraft were detected, as well as hampered an assessment of the situation and response. In cases such as Gori, it appears that cyberspace operations were used in lieu of or in addition to conventional electronic warfare, which has long been used by militaries to jam enemy radar and communications prior to and during kinetic operations to inhibit an enemy response. However, in August 2008, instead of relying solely upon aircraft to electronically jam important enemy sites, the Russians achieved similar effects through non-kinetic cyberspace operations, thereby enabling greater success of kinetic operations by conventional combined arms attacks. In sum, when the totality of the cyberspace operations is reviewed temporally with kinetic operations in other domains, the most plausible conclusion is that the cyberspace operations were used as a combined arms element that directly supported the effects of kinetic operations.
Under the modified effects-based approach, analysis of the three framework elements leads to the determination that some of the Russian offensive cyberspace operations against Georgia met the threshold requirements for classification as cyberattacks, and should be analyzed along with conventional Russian kinetic operations under the law of war. The target selection, impact, and timing lead to the conclusion that while the cyberattacks may not have directly achieved kinetic effects, their role in combined arms operations led to direct kinetic outcomes that are appropriately considered under the law of war.
While the modified effects-based approach provides a useful framework for determining which cyberspace operations meet the threshold to be considered an attack, it is not sufficient to allow cyberattacks to fit neatly under the traditional framework for jus ad bellum and jus in bello. The next Part will discuss why prospects for developing a legal framework better suited for the unique characteristics of cyberattacks are currently not promising. It will discuss the advantages and challenges of attempting to incorporate the proposed modified effects-based approach as one aspect of a potential cyberattack treaty, as opposed to encouraging state practice and the development of customary international law to address the challenges of cyberattack.
The identification of non-kinetic cyberattacks as combat enablers and as a potential prong of a combined arms attack highlights the emergence of a new form of warfare. The tactics and strategy employed during the Russian-Georgian War and the Israeli raid on Syria foreshadow a new era in which cyberattacks will be used as part of a multi-dimensional campaign. As a consequence, it is critically important for the international legal regime to adapt and address this evolving use of cyberspace operations.
The proposed modified effects-based approach acknowledges that some non-kinetic cyberspace operations that enable kinetic outcomes can be considered an attack. This approach also facilitates a determination of whether or not a cyberspace operation that does not achieve physical effects but is part of a broader combined arms operation should be considered an attack and therefore analyzed under the law of war, or if it is more appropriately analyzed under a criminal paradigm. As such, cyberspace operations that are combat enablers or part of a combined arms campaign may qualify as cyberattacks under international law. This development of a threshold test that is better suited to the unique nature and probable uses of cyberspace operations is helpful to determine which legal paradigm applies and what constitutes an appropriate response.
The next step is to determine what response should be taken to promote the use of this approach and, more broadly, to generate international consensus on the legal framework that applies to cyberspace operations. One approach would be to develop and formalize a framework that deliberately addresses what constitutes a cyberattack and what response is appropriate. Such a treaty would serve as a clarifying complement to existing treaty law and customary international law that governs the law of war. The notion of a cyberattack or cyberwarfare treaty has been championed by a number of parties, most prominently Russia. For over a decade, Russia has proposed the drafting of a treaty to restrict the development of cyberweapons and the use of cyberattacks. (89) The United Nations is also a strong proponent of an international treaty on cyberwarfare, with International Telecommunications Union Secretary-General Hamadoun Toure proclaiming that a "cyberwar will be worse than a tsunami--we have to avoid it." (90) The notion of restricting development of cyberweapons has strong precedent: the international community has long prohibited certain types of weapons. (91) In modern times, chemical, biological, and nuclear weapons have all been banned or severely restricted. (92)
The international community thus has a strong precedent for collective action to limit the use of certain types of weapons. However, it seems improbable that the international community will be able to agree on a cyberwarfare treaty of any strength or significance. It is in states' reciprocal self-interest to develop a predictable legal framework for cyberattacks and cybercrime. However, there is currently no way to ensure compliance due to the attribution problem. Until it is resolved--if it ever can be--the international community will ultimately lack the incentive to uphold treaty agreements.
Thus, efforts focusing on developing a treaty that is unable to create mutual reliance and lacks an enforcement mechanism are not efficient contributions to the international legal framework. A better option is to focus on developing state practice in a rational way that develops patches where the existing legal regime is not optimally suited to cyberspace operations. An emphasis on state practice that is aligned with the spirit of existing law of war will foster the evolution of international norms and the creation of new customary international law. Further scholarship should refine the concept of cyberattacks as combat enablers and part of a combined arms military strategy, as well as ensure the modified effects-based test is tailored to the emergence of this evolving form of warfare.
(1) Cyberspace operation is defined by the Department of Defense as "[t]he employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid." DEP'T OF DEF., JOINT PUBLICATION 3-0.
(2) Computer Network Attack is defined by the Department of Defense as "[a]ctions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves." DEP'T OF DEFENSE, JOINT PUBLICATION 3-13; Schmitt, Michael N., Wired Warfare: Computer Network Attack and Jus in Bello, IRRC (June 2002).
(3) CLAY WILSON, CONGRESSIONAL RESEARCH SERVICE, BOTNETS, CYBERCRIME, AND CYBER TERRORISM: VULNERABILITIES AND POLICY ISSUES FOR CONGRESS 3 (2008).
(4) See DEP'T OF DEF., ELECTRONIC WARFARE JOINT PUBLICATION 3-13.1 (2007).
(5) See PROSECUTING COMPUTER CRIMES (Scott Eltringham ed., U.S. Dept of Justice, 2007), available at http://www.cybercrime.gov/ccmanual/index.html.
(6) "Botnets" is the term used to describe networks of "zombie" computers--computers that have been infected with malicious code that allows them to be remotely controlled through cyberspace--that are used to achieve malicious purposes that range from disrupting Internet traffic, collecting information, spreading viruses, etc. The size of botnets can be massive--over a million computers. For more information on botnets, see Wilson, supra note 3, at 4.
(7) See What's the Difference: Viruses, Worms, Trojans, and Bots?, CISCO SYSTEMS, http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html (last visited Jan. 07, 2012).
(8) See Marquand, Robert and Ben Arnoldy, China Emerges as Leader in Cyberwarfare, CHRISTIAN SCI. MONITOR (Sept. 14, 2007), available at http://www.nytimes.com/2009/07/17/technology/17cyber.html.
(9) See Vance, Ashlee, Teen Hacker Pleads Guilty, Sentenced to Serve Time, COMPUTERWORLD (Sept. 22, 2000), http://www.computerworld.com/s/article/50999/Teen_hacker_pleads_guilty_sentenced_to_serve_time_.
(10) Prosecutor v. Tadic, Case No. IT-94-1-A, Judgment, ¶ 109 (July 15, 1999).
(11) Military and Paramilitary Activities (Nicar. v. U.S.), 1986 I.C.J. 52 (June 27). In Nicaragua, the Court held that while evidence indicated that the "various forms of assistance to the contras by the United States have been crucial to the pursuit of their activities, but is insufficient to demonstrate their complete dependence on United States aid." Id.
(12) Application of Convention on Prevention and Punishment of Crime of Genocide (Bosn. & Herz. v. Serb. & Mont.), 2007 I.C.J. (February 27).
(13) The full title of the tribunal is the "International Tribunal for the Prosecution of Persons Responsible for Serious Violations of International Humanitarian Law Committed in the Territory of the Former Yugoslavia since 1991."
(14) Prosecutor v. Tadic, Case No. IT-94-1-A, Judgment, ¶ 120 (July 15, 1999).
(15) Id. ¶ 123.
(16) For an in-depth discussion of the two standards, and an argument for the adoption of the overall control standard for cyberattacks, see Scott Shackelford, State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem (Proceedings of the NATO CCD COE Conference on Cyber Conflict, July 15-18, 2010), available at http://ssrn.com/abstract=1535351.
(17) Stuxnet is a highly destructive computer worm that caused serious damage to the Iranian nuclear effort in the summer/fall of 2010. See James P. Farwell & Rafal Rohozinski, Stuxnet and the Future of Cyber War, SURVIVAL: GLOBAL POLITICS AND STRATEGY, January 28, 2011, http://dx.doi.org/10.1080/00396338.2011.555586; William J. Broad, John Markoff, & David E. Sanger, Stuxnet Worm Used Against Iran Was Tested in Israel, N.Y. TIMES, Jan. 15, 2011, available at http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html.
(18) The term "combat enabler" is commonly used in military lexicon to refer to traditional combat support elements, which can range from electronic warfare (such as jamming) to intelligence to engineering assets. This Note adapts the term here to be used as a shorthand reference for those cyberattacks with non-kinetic effects that facilitate kinetic outcomes by conventional arms.
(19) Information operations are defined by the DoD as "[t]he integrated employment, during military operations, of information-related capabilities in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision-making of adversaries and potential adversaries while protecting our own." In the 1999 report, this term was clarified to include computer network attack--which was the focus of the report. OFFICE OF GEN. COUNSEL, DEP'T OF DEF., AN ASSESSMENT OF INTERNATIONAL LEGAL ISSUES IN INFORMATION OPERATIONS, reprinted in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW app. 1, at 466-67 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(20) Id. at 475.
(21) Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 22, ¶ 39 (July 8).
(22) Id. at ¶ 78. This paragraph states, "[i]n cases not covered by this Protocol or by other international agreements, civilians and combatants remain under the protection and authority of the principles of international law derived from established custom, from the principles of humanity and from dictates of public conscience." Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts art. 48, June 8, 1977, available at http://www.icrc.org/ihl.nsf/full/470?opendocument.
(23) U.N. Charter art. 2, para. 4.
(24) U.N. Charter art. 51.
(25) U.N. Charter art. 39.
(26) U.N. Charter art. 42.
(27) Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.) 1986 I.C.J. 14 (June 27). For more discussion of these three primary reasons, see Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT'L L. 886 (1999); Daniel B. Silver, Computer Network Attack as a Use of Force Under Article 2(4), in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 88 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(28) Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.) 1986 I.C.J. 14 (June 27).
(29) Id. Under the General Assembly Resolution, aggression is defined as "the use of armed force by a State against the sovereignty, territorial integrity or political independence of another State, or in any other manner consistent with the Charter of the United Nations, as set out in this Definition." Article 3 of the Annex provides a non-exhaustive list of those acts, regardless of a declaration of war, which qualify as an act of aggression. GA Res. 3314 (XXIX), Annex, U.N. Doc. A/3314 (Dec. 14, 1974).
(30) Protocol Additional to Geneva Conventions of 12 August 1949, and Relating to Protection of Victims of International Armed Conflicts art. 48, June 8, 1977, available at http://www.icrc.org/ihl.nsf/full/470?opendocument.
(31) Protocol Additional to Geneva Conventions of 12 August 1949, and Relating to Protection of Victims of International Armed Conflicts art. 51, 57, June 8, 1977, available at http://www.icrc.org/ihl.nsf/full/470?opendocument.
(32) Protocol Additional to Geneva Conventions of 12 August 1949, and Relating to Protection of Victims of International Armed Conflicts art. 49, June 8, 1977, available at http://www.icrc.org/ihl.nsf/full/470?opendocument.
(33) Michael Schmitt, Wired Warfare: Computer Network Attack and the Jus in Bello, in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 194-95 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(34) This Part will use the term cyberattacks because this Note proposes that offensive cyberspace operations that are used to facilitate kinetic outcomes be classified as cyberattacks. This is in contrast with some scholarship that states only those offensive cyberspace operations that directly cause kinetic effects qualify as cyberattacks. The threshold bar will be discussed more in the next Part.
(35) This Note does not attempt to change these terms as defined by military doctrine, but rather expand the concepts to provide a workable shorthand for the purposes of this discussion.
(36) See RODGER W. CLAIRE, RAID ON THE SUN: INSIDE ISRAEL'S SECRET CAMPAIGN THAT DENIED SADDAM THE BOMB (2004).
(37) Sanger, David and Mark Mazzetti, Israel Struck Syrian Nuclear Project, Analysts Say, N.Y. TIMES, Oct. 7, 2007, available at http://www.nytimes.com/2007/10/14/washington/14weapons.html?pagewanted=1.
(38) Fulghum, David, Robert Wall, and Amy Butler, Israel Shows Electronic Prowess, AVIATION WEEK & SPACE TECH., Nov. 25, 2007, available at http://www.aviationweek.com/aw/generic/story.jsp?channel=defense&id=news/aw112607p2.xml&headline=Israel%20Shows%20Electronic%20Prowess&next=10.
(39) Mahnaimi, Uzi, Sarah Baxter, and Michael Sheridan, Israelis 'Blew Apart Syrian Nuclear Cache,' THE TIMES, Sept. 16, 2007, available at http://www.timesonline.co.uk/tol/news/world/middle_east/article2461421.ece.
(40) Fulghum, supra note 38; David Eshel, Israel Adds Cyber-Attack to IDF, AVIATION WEEK'S DEF. TECH. INT'L, Feb. 10, 2010, available at http://www.military.com/features/0,15240,210486,00.html.
(41) Fulghum, supra note 38.
(43) Id. (citing an unnamed intelligence specialist).
(44) U.S. CYBER CONSEQUENCES UNIT, OVERVIEW BY THE US-CCU OF THE CYBER CAMPAIGN AGAINST GEORGIA IN AUGUST OF 2008 6 (2009) [hereinafter US-CCU Report].
(45) John Oltsik, Russian Cyber Attack on Georgia: Lessons Learned?, NETWORK WORLD, Aug. 17, 2009, available at http://www.networkworld.com/community/node/44448; Markoff, John, Before the Gunfire, Cyberattacks, N.Y. TIMES, Aug. 12, 2008, available at http://www.nytimes.com/2008/08/13/technology/13cyber.html.
(47) David Hollis, Cyberwar Case Study: Georgia 2008, SMALL WARS JOURNAL, Jan. 6, 2011, at 4, http://smallwarsjournal.com/jrnl/art/cyberwar-case-study-georgia-2008.
(48) US-CCU Report, supra note 44, at 5. In addition, websites for educational institutions and a Georgian hacking forum (presumably a preemptive strike to prevent Georgian hackers from retaliating) were attacked.
(50) Kirk, Jeremy, Estonia, Poland Help Georgia Fight Cyber Attacks, PCWORLD BUS. CTR., Aug. 12, 2008, http://www.pcworld.com/businesscenter/article/149700/estonia_poland_help_georgia_fight_cyber_attacks.html; Information about cyber attacks in Georgia, Sent by CERT Estonia experts from Georgia, ESTONIAN INFORMATICS CENTRE, http://www.ria.ee/index.php?id=30024&highlight=Georgia (last visited Jan. 7, 2011).
(51) US-CCU Report, supra note 44, at 3.
(52) Hollis, supra note 47, at 5.
(53) See Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT'L L. 886 (1999); Daniel B. Silver, Computer Network Attack as a Use of Force under Article 2(4), in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 99 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002); Duncan B. Hollis, Why States Need an International Law for Information Operations, 11 LEWIS & CLARK L. REV. 1023, 1041-42 (2007); Yoram Dinstein, Computer Network Attacks and Self-Defense, in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 99 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(54) Daniel B. Silver, Computer Network Attack as a Use of Force under Article 2(4), in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 88 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(55) Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT'L L. 886, 911 (1999).
(57) Id. at 909.
(58) U.N. Charter art. 41.
(59) Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT'L L. 886, 909 (1999).
(60) See id. at 886; Daniel B. Silver, Computer Network Attack as a Use of Force under Article 2(4), in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 99 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002); Duncan B. Hollis, Why States Need an International Law for Information Operations, 11 LEWIS & CLARK L. REV. 1023, 1041-42 (2007).
(61) David E. Graham, Cyber Threats and the Law of War, 4 J. OF NAT'L SECURITY L. & POL'Y 87, 91 (2010). See also Yoram Dinstein, Computer Network Attacks and Self-Defense, in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 99 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(62) WALTER GARY SHARP, SR., CYBERSPACE AND THE USE OF FORCE 129-32 (1999). See also Sean M. Condron, Getting It Right: Protecting American Critical Infrastructure in Cyberspace, 20 HARV. J.L. & TECH. 403 (2007).
(63) See David E. Graham, Cyber Threats and the Law of War, 4 J. OF NAT'L SECURITY L. & POL'Y 87, 91 (2010).
(64) 42 U.S.C. § 5195(e).
(65) Those sectors are: agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemical industry and hazardous materials, and posting and shipping. U.S. DEP'T OF HOMELAND SEC., NAT'L INFRASTRUCTURE PROTECTION PLAN 103 (2006).
(66) A logic bomb is a piece of code that is intentionally inserted into a software system for the purpose of setting off a malicious function when specified conditions are met.
(67) Duncan B. Hollis, Why States Need an International Law for Information Operations, 11 LEWIS & CLARK L. REV. 1023, 1042 (2007).
(68) See id.
(69) Despite their similar meanings, the term "effects-based" has gained wider acceptance than "consequences-based" and will be used here.
(70) Yoram Dinstein, Computer Network Attacks and Self-Defense, in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 103 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(71) OFFICE OF GEN. COUNSEL, DEP'T OF DEF., AN ASSESSMENT OF INTERNATIONAL LEGAL ISSUES IN INFORMATION OPERATIONS reprinted in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW app. 1, at 483 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(72) WALTER G. SHARP, CYBERSPACE AND THE USE OF FORCE 90-91 (1999). For a detailed critique of Sharp's proposed rule, see Daniel B. Silver, Computer Network Attack as a Use of Force Under Article 2(4) of the United Nations Charter, in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 73, 86-88 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(73) Schmitt's six most determinative factors for classifying according to "consequence affinity" are: severity, immediacy, directness, invasiveness, measurability, and presumptive legitimacy. Michael Schmitt, Computer Network Attack and the Use of Force: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT'L L. 885, 914-15 (1999).
(74) See Jason Barkham, Information Warfare and International Law on the Use of Force, 34 N.Y.U.J. INT'L L. & POL. 57, 84-86 (2001).
(75) Daniel B. Silver, Computer Network Attack as a Use of Force Under Article 2(4) of the United Nations Charter, in COMPUTER NETWORK ATTACK AND INTERNATIONAL LAW 73, 89 (Michael N. Schmitt & Brian T. O'Donnell eds., 2002).
(76) Herbert S. Lin, Offensive Cyber Operations and the Use of Force, 4 J. OF NAT'L SECURITY L. & POL'Y 63, 73 (2010).
(77) JOINT CHIEFS OF STAFF, JOINT PUBLICATION 1: JOINT WARFARE OF THE ARMED FORCES OF THE UNITED STATES V (2000), "The United States relies for its security on the complementary application of the basic instruments of national power: diplomatic, economic, informational, and military [DIME]."
(78) Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.) 1986 I.C.J. 14 (June 27).
(79) US-CCU Report, supra note 44, at 5. In addition, websites for educational institutions and a Georgian hacking forum (presumably a preemptive strike to prevent Georgian hackers from retaliating) were attacked.
(80) John Olstik, Russian Cyber Attack on Georgia: Lessons Learned?, NETWORK WORLD, Aug. 17, 2009, available at http://www.networkworld.com/community/node/44448; John Markoff, Before the Gunfire, Cyberattacks, N.Y. TIMES, Aug. 12, 2008, available at http://www.nytimes.com/2008/08/13/technology/13cyber.html.
(81) US-CCU Report, supra note 44, at 5.
(82) Jeremy Kirk, Estonia, Poland Help Georgia Fight Cyber Attacks, PCWORLD BUS. CTR., Aug. 12, 2008, available at http://www.pcworld.com/businesscenter/article/149700/estonia_poland_help_georgia_fight_cyber_attacks.html; ESTONIAN INFORMATICS CENTRE, INFORMATION ABOUT CYBER ATTACKS IN GEORGIA, SENT BY CERT ESTONIA EXPERTS FROM GEORGIA, http://www.ria.ee/index.php?id=30024&highlight=georgia.
(83) Hollis, supra note 47, at 4.
(84) Id. at 6.
(85) US-CCU Report, supra note 44, at 4-5; PROJECT GREY GOOSE, PHASE I REPORT RUSSIA/GEORGIA CYBER WAR--FINDINGS AND ANALYSIS (2008), http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-l-Report; ENEKEN TIKK ET AL., CYBER ATTACKS AGAINST GEORGIA: LEGAL LESSONS IDENTIFIED 45-46 (2008).
(86) US-CCU Report, supra note 44, at 3.
(88) Hollis, supra note 47, at 5.
(89) John Markoff, U.S. and Russian Accord on Display at Internet Meeting, N.Y. TIMES, Apr. 15, 2010, available at http://www.nytimes.com/2010/04/16/science/16cyber.html.
(90) David Meyer, ITU Head: Cyberwar Could Be 'Worse Than Tsunami,' ZDNET UK (Sept. 3, 2010), available at http://www.zdnet.co.uk/news/security-threats/2010/09/03/itu-head-cyberwar-could-be-worse-than-tsunami-40089995/ (quoting Secretary-General Toure at the Westminster Media Forum).
(91) The first chemical warfare treaty, the Strasbourg agreement, was signed in 1675. It banned the use of "perfidious and odious" toxic devices. Corey J. Hilmas, et al., History of Chemical and Biological Warfare, in MEDICAL ASPECTS OF CHEMICAL WARFARE 11 (Shirley D. Tuorinsky, et al., eds., 2008).
(92) See generally Hague Conference IV Prohibiting Launching of Projectiles and Explosives from Balloons, Jul. 29, 1899; Hague Declaration II on Use of Projectiles the Object of Which is the Diffusion of Asphyxiating or Deleterious Gases, Jul. 29, 1899; Geneva Protocol for the Prohibition of the Use in War of Asphyxiating Gas, and for Bacteriological Methods of Warfare, Feb. 8, 1928; Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction, Jan. 13, 1993; Geneva Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological and Toxin Weapons and on their Destruction, Mar. 26, 1972; Nuclear Non-Proliferation Treaty, Jul. 1, 1968; Strategic Arms Reduction Treaty, Jul. 31, 1991; Anti-Ballistic Missile Treaty, May 26, 1972; Comprehensive Test Ban Treaty, Sept. 24, 1996.
STEPHENIE GOSNELL HANDLER *
* J.D., Stanford Law School, 2011; M.A., Georgetown University, 2001; B.S., United States Naval Academy, 2001. The author served as an active duty officer in the United States Marine Corps for seven years.