Printer Friendly

Legal phantoms in cyberspace: the problematic status of information as a weapon and a target under international humanitarian law.


Reports of state-sponsored harmful cyber intrusions abound. The prevailing view among academics holds that if the effects or consequences of such intrusions are sufficiently damaging, international humanitarian law (IHL) should generally govern them--and recourse to armed force may also be justified against states responsible for these actions under the jus ad bellum. This Article argues, however, that there are serious problems and perils in relying on analogies with physical armed force to extend these legal regimes to most events in cyberspace. Armed conflict models applied to the use of information as a weapon and a target are instead likely to generate "legal phantoms" in cyberspace--that is, situations in which numerous policy questions and domestic criminal issues are often misinterpreted as legal problems governed by the IHL framework or the jus ad bellum. This Article assesses this dilemma in the context of four key problem areas relating to dimensions of information: (1) problems of origin, organization, and availability; (2) problems of access and control; (3) problems of exploitation; and (4) problems of manipulation and content.

     A. The Legal Status of Cyber Capabilities
        as Potential Weapons
        1. Information: The Problem of Origin
        2. Information: The Problems of Organization
           and Armed Conflict Classification
        3. Information: The Problem of Territory
        4. Information: The Problems of Unlimited
           Availability and Ubiquitous Processors

     A. Accessing Information: "Acts of Violence"
        Against "Objects of Attack"?
     B. Controlling, Confining, and Segregating
     A. Exploitation: A Harmful--But
     B. Information Exploitation, Legal Thresholds,
        and Consequentialist Approaches to the Jus ad Bellum
     C. Information Exploitation, Legal Thresholds,
        and Consequentialist Approaches to the Jus in Bello
    A. Information Manipulation or Exploitation?
       The Problem of Content and Economic
    B. Manipulating Information, Layers of
       Cyberspace, and Users of Information


It has long been clear that private persons and state-sponsored actors can cause damage by transmitting information through cyberspace (to disrupt, exploit, manipulate, or deny access to data in other computer systems and networks) and that such actions pose a real threat to businesses and governments. (1) While cybercrime, state-sponsored hostile cyber acts, and diverse types of cyber mischief are common, the world has not yet experienced a "cyberwar." (2) In spite of dire, repeated predictions to the contrary, a cyberwar (an armed conflict limited to cyber actions alone) may in fact be unlikely. (3)

Yet regardless of how conflict and competition in cyberspace may be characterized, military organizations have concluded that cyberspace is in fact a new contested "domain" for military operations (joining the land, maritime, air, and space domains), and some have announced their intention to achieve "superiority" in it. (4) This willingness to apply a traditional model of military operations is based on the assumption that conflict in cyberspace represents an extension of conflict in physical domains, and therefore, actions taken in this realm should generally be subject to the same rules and approaches that apply to the employment of "kinetic capabilities." (5)

The feared arrival of a new epoch of cyber warfare and the decision by military organizations to treat cyberspace as a new operational military domain have been accompanied by an eagerness to view the law of armed conflict or the jus in bello (also referred to as international humanitarian law or IHL) as the appropriate legal framework to govern many cyber operations, particularly those conducted in response to so-called cyber attacks. (6)

The decision to apply the IHL framework to events in cyberspace may appear to be an easy one, drawing on the perceived similarity of the effects of cyber operations and those of conventional military operations in physical domains. For example, a former U.S. military official has suggested that "a cyberattack is governed by basically the same rules as any other kind of attack if the effects of it are essentially the same." (7) It is thus not surprising that military organizations have proceeded to equate many conventional and cyber operations, concluding for example that "[t]he fundamental targeting issues arising are no different in cyber operations as compared to those applicable to kinetic targeting." (8)

By viewing conflict in cyberspace as an extension of conflict in physical domains and by emphasizing the apparent similar effects of cyber and conventional weapons, the IHL framework becomes by default the appropriate lens for assessing many hostile cyber acts. This Article argues, however, that due to the unusual properties of information itself, there are serious problems and perils in relying on such analogies to extend the IHL framework to most events in cyberspace.

Rather than being easily governed by a broad application of the IHL framework, the use of information as a weapon and a target will more often be highly problematic. Armed conflict models are likely to generate "legal phantoms" in cyberspace--that is, situations in which numerous policy questions, domestic criminal issues, and technological challenges are misinterpreted as legal problems governed by the IHL framework or that implicate the jus ad bellum. (This latter body of international law--which is prominently reflected in obligations in the United Nations Charter--governs recourse to armed force, as opposed to the IHL regime, which governs the way warfare is conducted.) (9)

As examined in this Article, the clear reluctance by states to apply these rules to cyber incidents, standing alone, is prudent. There is an underappreciated and significant danger in broadly applying the IHL framework to diverse areas of state-sponsored competition and conflict. (10) This is particularly true with respect to the application of IHL principles and obligations, as well as the jus ad bellum, to the many diverse uses and dimensions of information in cyberspace.

The IHL framework and the jus ad bellum nonetheless continue to be advanced as appropriate legal frameworks to fill perceived gaps in existing legal coverage of cyberspace, particularly in an environment where even the U.S. secretary of defense warns of a "cyber Pearl Harbor," in which catastrophic physical damages are caused by a future cyber attack. (11) However, such hypothetical, devastating, and stand-alone cyber attack scenarios remain highly unlikely from several different perspectives. (12) The reality of the current cyber threat is much different--it is informational in nature, characterized by diverse and increasingly complex cyber actions involving the disruption, exploitation, manipulation, or damage of data.

Current state practice reflects this more complex reality, since no state has actually invoked and applied IHL rules or the jus ad bellum to any hostile cyber act standing alone (nor actually engaged in cyberwar). In practice, cyberwar is in fact still a theoretical concept, and states have thus not yet applied an effects-based approach to real cyber incidents, nor have they done so based exclusively on analogies drawn from the use of conventional weapons in the physical world. (13) As examined in this Article, the more nuanced and reluctant approach taken by states instead reflects both practical considerations and serious legal concerns, the latter being integrally linked to fundamental problems posed by information as a weapon and target. Cyber operations must thus be contrasted with conventional military operations, which involve weapons-employing physical forces and objects, including (but not limited to) those employing kinetic energy. (14)

While it is possible to characterize various types of information as "cyber weapons" and various data sets (including those connected to physical objects) as "targets," these uses of information raise many issues that are much different than those presented by the use of conventional weapons against physical targets. The wholesale importation of the IHL framework and the jus ad bellum into the world of cyber conflicts thus risks ignoring problematic and legally significant dimensions of information.

This Article examines the impact of these dimensions of information on the IHL framework and the jus ad bellum when they are applied to conflicts and competition in cyberspace and contrasts them with the application of IHL rules in conventional conflicts in physical domains. These dimensions of information are assessed in the context of four key problem areas as they relate to the use of information as a weapon and target.

These problem areas, which are examined in Parts I through IV of this Article, are (1) problems of origin, organization, and availability; (2) problems of access and control; (3) problems of exploitation (and related challenges to effects-based legal thresholds); and (4) problems of manipulation (and related questions concerning content and users). A careful assessment of these problem areas calls into question the general application of the IHL framework and the jus ad bellum to conflicts in cyberspace and also challenges supporting theories that focus on effects-based analogies with conventional weapons in physical domains. The Article concludes with further reflections on the inherent difficulties associated with regulating information as a weapon, the problems in broadly analogizing conventional armed conflicts with events in cyberspace, and the critical importance of legal analysis for distinguishing the physical from the informational.


A. The Legal Status of Cyber Capabilities as Potential Weapons

It is clear that information technologies and new types of information have already had profound consequences for military targeting capabilities on the modern battlefield. For example, conventional weapon systems have benefitted in previously unimaginable ways from guidance systems based on information provided by global-positioning-system satellites. (15) Meanwhile, military commanders have gained access to unprecedented intelligence and surveillance capabilities and transformational real-time data provided by unmanned aerial vehicles. (16)

While the use of new types of information is responsible for dramatic improvements in the targeting capabilities of many conventional weapon systems, the use of information itself, as a cyber weapon, is an evolving new chapter in the long history of warfare. These changes include transformational attack capabilities for the military forces of states as well as new asymmetrical attack capabilities for nonstate actors. (17) For the most advanced military powers, cyber capabilities also create new possibilities for attacking a wide variety of objects that may have previously been considered too difficult to target with highly destructive conventional weapons. (18)

Diverse types of computer viruses, worms, malware, logic bombs, and other potentially destructive computer programs continue to be developed from a wide spectrum of information resources. (19) Such harmful computer programs could arguably be classified as cyber weapons even if a precise or comprehensive definition of that term remains elusive. (20) Thus, notwithstanding definitional problems, the U.S. Department of Defense (DoD) has reportedly assessed the military utility of various cyber techniques and data packages in order to determine how they should be classified alongside other U.S. military capabilities. (21)

A "weapon" for purposes of the IHL regime is broadly defined under Additional Protocol I to the Geneva Conventions of 1949 as "a weapon, means or method of warfare." (22) This expansive definition ensures that the United States and other countries must seriously consider the legal ramifications of the study, development, acquisition, or adoption of possible cyber techniques, tools, and capabilities that may have military applications. (23)

Because it was not difficult to envision scenarios in which various types of harmful computer programs or other data packages could be directed against the computer systems and networks of an enemy, scholars concluded at an early stage that such information could constitute a means or method of warfare (or "arms" for military forces to employ as part of an armed conflict) and thus could be subject to the limitations of the IHL regime. (24)

Beyond this widely stated proposition that the IHL framework could be applicable to certain hostile cyber actions, the precise extent to which that framework should govern specific actions in cyberspace is much less clear. There currently is no state practice and no consensus regarding the actual application of IHL rules (or any other international legal obligations) to cyber attacks. (25) Conversely, however, it may be argued that there is a widespread and consistent practice by states of not applying the IHL regime to events that actually occur in cyberspace.

The unwillingness of states to apply IHL obligations to real actions in cyberspace may also reflect practical and strategic considerations that inhibit any discussion or public review of these actions, since states tend to shroud both the development and the deployment of their cyber capabilities in great secrecy. (26) States may also be reluctant to expose their vulnerabilities by discussing hostile cyber actions (and related damages), which were directed against them. (27)

A further explanation for the absence of state practice in applying IHL rules to cyberspace may relate, however, to a critical legal factor: the inherent difficulties in applying the IHL regime to information as a weapon and a target on the same basis that it is applied in conventional conflicts to physical forces, objects, and terrain. In this regard, assessing problems related to the origin, organization, and availability of information serves as a good starting point in illustrating the dimensions of information that complicate such a broad application of the IHL framework and the jus ad bellum to events in cyberspace.

1. Information: The Problem of Origin

Information, more so than physical objects and forces, may not permit those who are harmed by it to identify its origin or source. Computer specialists, engineers, scientists, and government experts continue to make well-funded efforts to develop better methods and "forensics" for identifying the physical source and ultimate origin of data packages used in hostile cyber actions. (28) In spite of these efforts, the nature of the information--and the nature of the Internet--makes it difficult, if not impossible, to identify the origin of information used as a weapon and the intent motivating those employing it. (29)

Because cyberspace is primarily a domain of information, it has only limited physical connections and properties (unlike the domains of land, sea, air, and space) and is characterized by many invisible actions. (30) Even if some malicious acts in cyberspace can be traced to specific physical connections, the ultimate origin of the harmful information may remain a mystery because of the nature of information. One impediment is that information in harmful computer programs can also be used to commandeer and remotely control other computers or computer networks. (31) These compromised computers ("zombies") or compromised networks ("botnets") may then direct or support a wide variety of malicious acts in cyberspace without the knowledge or consent of the users. (32)

Using the methods described above, hackers, criminals, and other actors routinely make use of hijacked systems and networks to engage in unauthorized cyber activities while avoiding detection and concealing their identities. (33) In the case of hostile, state-sponsored actions, the difficulty in identifying the genuine origin of damaging information is only the first step in the arduous process of attributing the transmission of such information to a responsible state. Next comes the challenging task of establishing a legally sufficient connection between an actor--who may appear to be a private person, linked only to privately owned systems and networks--and a specific government.

Determining the origin of information used in a hostile cyber action, identifying its geographic contours, and attributing the transmission of that information to specific persons and then to a responsible state can thus be a Herculean task. This intractable problem is clearly reflected in the current practice of states. One important example of such state practice (or nonpractice) is found in what some have referred to as the first cyber attack by one country on another: the three-week wave of hostile cyber actions against government, media, and financial websites and other computer systems and networks in Estonia in 2007. (34)

While many observers alleged that the hostile cyber actions taken against Estonia in 2007 were directed or sponsored by the Russian government, the origin of these actions, their geographic nexus, and the identity of the responsible parties remain unknown. (35) Instead, investigators found only a shadowy world of "Russian hacktivists," "criminal botnets," and a trail that ultimately led them to computers located primarily in Western countries. (36) Similarly, notwithstanding unofficial accounts of persons in the United States allegedly participating in the deployment of the much-discussed "Stuxnet worm" (a sophisticated malware program that was apparently directed against Iranian nuclear facilities), the positive identification of responsible persons or governments has been a significant and elusive technical challenge. (37)

It is thus for good reason that one scholar argues that while "proponents of rules on cybercrime and cyberwar regularly assume that sufficient attribution of an attack's origins can and will occur.... In reality, however, anonymity, not attribution, prevails." (38) The strategic significance of this phenomenon and the threat that it presents to U.S. national interests has been duly noted by the DoD. (39) While it may be tempting to dismiss attribution in cyberspace as a mere technical problem waiting to be overcome, the unique properties of information and the architecture of the Internet itself ensure that this is a systemic problem. (40)

The fundamental origin and attribution problems discussed above cast long shadows over the application of IHL rules in cyberspace and also over international law governing the right of states to use armed force in response to perceived cyber attacks. As expressed in Article 51 of the UN Charter, the jus ad bellum limits the right of states to use armed force in self-defense to those situations in which an "armed attack" occurs. (41) This right to use armed force in self-defense is also dependent on meeting a high threshold for attribution of the armed attack. (42)

As discussed below, extraordinary difficulties in attributing the information used in hostile cyber actions appear to significantly impede efforts to characterize such actions as armed attacks justifying the use of armed force in self-defense under the UN Charter. As the world advances further and further into an apparent age of cyber conflict, the continuing failure of states to treat damaging cyber acts standing alone as armed attacks is highly significant since the establishment of customary international law is dependent on the finding of such state practice (done out of a sense of legal obligation, or opinio juris). (43)

Notwithstanding the notable absence of supporting state practice to this point in history, some authors suggest new norms that treat destructive cyber operations as unlawful uses of force can be expected to emerge. (44) However, drawing on extant (as opposed to desired) state practice, one might also argue that the problematic characteristics of information as a weapon and target are contributing to a reluctance by states to embrace such a norm.

States have in fact to this point refrained from invoking the right to self-defense in response to hostile cyber acts alone, even though destructive cyber programs have been employed by states for many decades. For example, in 1982 an early version of a "logic bomb" (reportedly planted by the Central Intelligence Agency in a computer-control system stolen by Soviet spies from a Canadian firm) caused a malfunction in a Soviet gas pipeline in Siberia, resulting in a massive explosion. (45) States have also had access to harmful viruses and other malicious computer programs since the early years of the Internet itself. (46)

There is, however, no shortage of rhetoric from government officials and military leaders warning that hypothetical, highly destructive cyber acts in the future will be regarded as conventional armed attacks and armed force will be used in response. (47) States are understandably unwilling to officially foreclose their right to use all necessary means to respond to any serious threat, including the most destructive cyber acts. (48) However, to this point, no state has used armed forced against another state nor actually invoked its right to do so in response to hostile cyber actions alone; nor has any state claimed before the UN Security Council that hostile cyber actions alone have made that state the victim of an armed attack and reported actions taken pursuant to its right of self-defense (as required by the UN Charter). (49)

Significantly, the much-discussed cyber actions taken against Estonia in 2007 only reinforced this absence of state practice, since Estonia never officially claimed to be the victim of an armed attack before the UN Security Council and never invoked its right to self-defense under Article 51. Instead, Estonia acknowledged great difficulties in attributing responsibility for the attacks and generally treated the incident as the work of criminal organizations. (50) Rather than attributing the actions to a foreign government, an Estonian government official would later describe the event as "a mass cyber riot." (51)

Any cyberwar narrative for the incidents that occurred in Estonia in 2007 is also fundamentally at odds with the official statements of both the Estonian Ministry of Defense and NATO officials. (52) Furthermore, the Estonian minister of defense candidly noted that "[n]ot a single Nato defence minister would define a cyberattack as a clear military action at present." (53) Such current state practice stands in stark contrast to alternate scenarios suggested by some authors, in which states that suffer "massive cyber attacks, similar to or more aggravated than those suffered by Estonia, may choose to treat them as justifying a forceful response." (54)

In spite of the reality of current state practice, which rejects equating hostile cyber acts with illegal uses of force, there is no shortage of commentators, government officials, and former government officials (especially those who are now associated with cyber security firms) offering sensationalized accounts of current or imminent so-called cyberwars. (55) The word war in the context of cyberspace has thus become more of a political or cultural term than a legal one (joining "wars" against poverty, crime, drugs, and obesity), with little relevance to the legal right of states to use armed force in response to hostile cyber acts.

Setting aside sensationalized war rhetoric, the fundamental problem of identifying the origin of information used in hostile cyber acts continues to make it extremely difficult for states to equate such acts with armed attacks justifying armed responses. The anonymity of information and the structure of the Internet are more than simply "factors" to be used in evaluating the legal status of hostile cyber acts. Instead, origin and attribution problems have dominated all major cases reported to date, impeding any effort to apply the jus ad bellum regime to hostilities in cyberspace. (56) These problems continue to figure prominently in making contemporary reports of cyber attacks phantoms under the jus ad bellum.

Systemic problems in identifying and legally attributing the origins of information also fundamentally impair the meaningful application of the jus in bello--that is, the IHL framework--to conflicts in cyberspace. A conclusion that the IHL framework governs particular events in cyberspace determines numerous issues, including whether the domestic law enforcement model is displaced in favor of the armed conflict model and whether key IHL rules apply. (57)

The most important IHL obligations include requirements that: (1) attacks must never be directed against civilian objects and must always distinguish between civilian and military objectives (the principles of discrimination and distinction); (2) attacks must not cause injury or damage to civilian objects in excess of the concrete and direct military advantage to be gained even when directed against legitimate military objectives (the principle of proportionality); and (3) those persons responsible for planning and carrying out attacks must take all feasible precautions to ensure adherence to the principles of distinction and proportionality ("precautionary measures"). (58)

Both states and individuals are responsible for their conduct under the IHL framework. (59) However, a state is only responsible for IHL violations that can be legally attributed to that state. While attribution may be a relatively routine matter in the context of many conventional armed conflicts, the nature of information makes attribution highly problematic for conflicts in cyberspace. In fact, it has been suggested that this problem of attribution is perhaps the most fundamental and serious challenge to the application of the IHL framework to conflicts in cyberspace, as well as efforts to regulate cybercrime. (60)

2. Information: The Problems of Organization and Armed Conflict Classification

While attribution of responsibility for hostile cyber actions to states is dominated by the problem of identifying the origin of those actions, it can also be greatly affected by problems related to the way persons can use information to anonymously organize themselves in cyberspace. The absence of physical controls and the possibilities of virtual organization may present significant obstacles to making the legal determinations necessary to attribute cyber conduct by individuals to states.

The establishment of an armed conflict and the classification of that conflict are both critical threshold determinations for applying the IHL framework. (61) These determinations may in turn depend on the establishment of various degrees of organization and control of the actors. While making such determinations may at times present vexing questions in the physical world, efforts to establish necessary levels of organization and control in cyberspace confront even more serious challenges.

In order for the IHL framework to apply, either an "international armed conflict" or "noninternational armed conflict" is required. The Geneva Conventions of 1949 provide that an international armed conflict is present in "all cases of declared war or of any other armed conflict which may arise between two or more of the High Contracting Parties." (62) As further explained in the Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (Commentary), the official International Committee of the Red Cross (ICRC) commentary on Common Article 2 of the Geneva Conventions, "[A]ny difference arising between two States and leading to the intervention of members of the armed forces is an armed conflict within the meaning of Article 2...." (63)

Because it focuses primarily on the actions of members of the armed forces of states, the legal framework for attribution of responsibility for IHL violations in conventional international armed conflicts may be relatively uncomplicated. For example, it is not controversial that responsibility for IHL violations can he attributed to states based on the conduct of its military personnel. (64)

In theory, then, if hostile cyber acts can be linked to the military personnel of a state in an international armed conflict, related IHL violations can be attributed to that state. That link may, of course, be difficult to actually establish in light of the inherent difficulties associated with identifying the origins of information in cyberspace. Furthermore, establishing state control over other types of actors--based on information residing in or passing through cyberspace--may be even more difficult, significantly impeding the attribution of IHL violations by those actors to a state.

In addition to state responsibility based on the conduct of its military personnel, customary international law provides that a state is also responsible for violations of IHL obligations by other persons under various circumstances. These circumstances include violations attributed to a state that are committed by "persons or entities it empowered to exercise elements of governmental authority," by "persons or groups acting in fact on its instructions, or under its direction or control," or by "private persons or groups which it acknowledges and [whose conduct it] adopts as its own." (65)

While the International Court of Justice (ICJ) has acknowledged that conduct by private persons or groups acting under the direction or control of a state can be attributed to that state for purposes of IHL violations, it has also established a very high standard for such attribution. In Nicaragua v. United States, the court concluded that for the United States to be held responsible for alleged IHL violations committed by "Contra" paramilitaries operating in Nicaragua, it would have to be established that the United States had "effective control over the military or paramilitary operations in the course of which the ... violations [occurred]." (66)

The International Criminal Tribunal for the Former Yugoslavia (ICTY) has indicated that for some purposes, including establishing individual criminal responsibility, "the extent of requisite State control varies." (67) Nonetheless, the ICJ has not abandoned the high "effective control" threshold it established in the Nicaragua case for attribution of conduct to states. (68)

As demonstrated by the Nicaragua case and subsequent ICJ decisions, sufficient state control for attribution purposes may be difficult to establish in armed conflicts in the physical world in spite of the availability of physical evidence and the significance of a state's responsibility for conduct occurring on its own territory. With the links between states and persons so difficult to establish in cyberspace, proving effective state control over persons and groups in cyberspace presents an even more daunting challenge.

The ability of individuals to use information to form loosely affiliated cyber "groups" that collectively engage in destructive actions presents a final, significant classification problem under the IHL framework. Common Article 3 to the Geneva Conventions establishes a second category of armed conflicts, referring to them only as those "not of an international character occurring in the territory of one of the High Contracting Parties." (69) According to the ICTY, these noninternational conflicts are characterized by "protracted armed violence between governmental authorities and organized armed groups or between such groups within a State." (70)

The requirement that noninternational armed conflicts reach a particular level of intensity and involve the participation of organized armed groups is well established. (71) Such conflicts are to be contrasted with other forms of violence to which the IHL framework does not apply--namely, "situations of internal disturbances and tensions, such as riots, isolated and sporadic acts of violence and other acts of a similar nature." (72) The phrase "situations of internal disturbances and tensions" encompasses an extremely diverse set of acts that are generally governed by the domestic criminal law of states. Such disturbances and tensions could include many harmful actions of individuals and groups operating in both physical domains and cyberspace.

Through the use of information and the Internet, it is possible for members of a decentralized online community, acting anonymously, to engage in loosely coordinated, destructive actions--sometimes in support of a particular government's interests (although their connection with that government may be unclear or impossible to establish). (73) These cyber communities can take advantage of the ability of individual actors in cyberspace to use information to coordinate damaging actions without a leadership structure, physical interaction, or command and control systems. For example, one such notorious "organization" known as Anonymous, which uses an image of a suit without a head to represent its leaderless, anonymous status, has been described as a loose "hacking collective." (74)

The structural organization that characterizes an armed force in conventional military operations involves varied elements of physical command and control and discipline, allowing physical violence to be organized and effectively directed against targets. Regardless of the damage that cyber communities or collectives may cause, their structurally limited, purely information-based coordination capabilities and their inability to engage in protracted armed violence make them highly unlikely to meet the thresholds for organization and intensity required for armed groups in noninternational armed conflicts.

To the extent that the IHL regime may require armed groups to be sufficiently organized to impose discipline, engage in sustained military operations, and exercise physical control over persons or territory, the limitations of cyber groups further highlight the legal significance of the distinction between physical and informational organization. (75) It is thus not surprising that even writers who emphasize the importance of the damaging consequences of cyber actions conclude that "[i]t would be exceptionally difficult for cyber operations standing alone to rise to the level of noninternational armed conflict." (76)

3. Information: The Problem of Territory

In denying Russian responsibility for cyber actions that allegedly emanated from Russian territory and damaged Estonian computer systems and networks, the Russian ambassador to the European Union famously remarked that "cyberspace is everywhere." (77) Such comments reflect the reality that the nonterritorial dimensions of information in cyberspace pose serious challenges to establishing a state's responsibility for actions on the basis that those actions "originated from," "occurred," or "took place" on its territory.

Conventional legal concepts of responsibility based on physical terrain and control of territory are fundamentally impaired by the realities of cyberspace. Even if information used in a hostile cyber action may eventually be traced to physical connections or nodes on the territory of one state, many of the systems or networks involved may be remotely controlled, as previously noted, by information originating from the territory of another state. Finding a "responsible" computer or network under these circumstances is unlikely to implicate either individual or territorial state responsibility since the hostile actions in question may have been unauthorized or even unknown by the owner of the computer systems or networks in question. (78) Furthermore, attribution of state responsibility may be significantly impeded by the lack of government control or even presence in cyberspace. Unlike other physical domains, much of cyberspace is privately owned. (79)

Private ownership of much of cyberspace creates complex relationships between states and private actors that cloud state responsibility for actions involving the misuse of information at the physical connections or terminals located on its territory. (80) These relationships are further muddled by individual states' different regulatory and legal systems governing the use of the Internet (including restrictions on content and expression), access to privately owned information systems, privacy rights, and the information itself. (81)

While the links that connect information with territory, states, and nonstate actors may be exceedingly tenuous or impossible to find, some commentators have nonetheless argued that states should be held responsible under various circumstances for "cyber attacks ... continuously launched from within [their] borders." (82) Assuming (with difficulty) that the country of origin of a hostile cyber act can be identified, these theories posit that a state should be held responsible for such acts if it serves as a "sanctuary" for nonstate actors engaging in cyber attacks--as determined by that state's failure to enact and enforce on its territory stringent criminal laws against such attacks, to appropriately investigate them, and to fully cooperate with other states in efforts to identify, apprehend, and punish those who engage in these attacks. (83)

As a general matter, and particularly with respect to jus ad bellum issues, state responsibility for actions--even physical ones--that occur on its territory may often be overstated. At the outset, the state's knowledge of such actions may not always be presumed. (84) In addition, even in the physical world, responsibility for those actions must still be imputed to the authorities of that state. (85) In cyberspace this is of course highly problematic, especially since "[n]o method exists of determining whether the individual at the other end of the attacks is a government agent." (86)

With respect to the legal standard governing state responsibility for the actions of groups operating on its territory, it has been suggested that a new threshold, lower than the effective control standard articulated in Nicaragua, has emerged as a result of the actions taken against the Taliban regime in Afghanistan in response to the 9/11 attacks. (87) As previously noted, however, a lower threshold cannot be found in ICJ decisions, nor is it clearly reflected in state practice, notwithstanding the exceptional circumstances surrounding the intervention by NATO in Afghanistan in 2001.

The extraordinarily close relationship between Al Qaeda and the Taliban regime resulted in a series of unprecedented sanctions by the UN Security Council against the Taliban regime (prior to the 9/11 attacks) for its widely recognized, direct, and continuing support of Al Qaeda, its leaders, and its terrorist activities. (88) These unique circumstances make NATO's post-9/11 actions against the Taliban regime a poor precedent upon which to build a case for a lowering of the effective control threshold or for creating a new "sanctuary" theory of state responsibility for the actions of groups in the physical world, let alone for the actions of groups in cyberspace.

Sanctuary theories of state responsibility for cyber attacks (based on a state's failure to enact and enforce on its territory stringent criminal laws against harmful cyber actions) may appear attractive, but they are not part of any obligations now expressed in international conventions or customary international law. To the extent any international consensus in this area can be said to be developing, a representative, nonbinding UN General Assembly resolution calls upon states to "ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies." (89) Unfortunately, this resolution refers neither to "attacks" nor to IHL obligations.

Furthermore, even in areas of criminal activity that the resolution is intended to address, its broad provisions have not yet been implemented in any manner indicating consistent, widespread, and conforming state practice. Instead, there continues to be a lack of international consensus regarding some of the most fundamental aspects of dealing with cybercrime and the misuse of information in cyberspace. (90)

There currently is only one significant, binding, multilateral agreement on the subject of cybercrime--the Council of Europe Convention on Cybercrime (CEC). (91) The CEC may be an important first step in protecting society from cybercrime by seeking to "harmonize national laws on cybercrime, improve national capabilities for investigating such crimes, and increase cooperation on investigations." (92) However, to date, only a modest number of states (mostly European ones) are parties to the CEC, and those states are also all able to take reservations in nine key designated areas. (93) Furthermore, the CEC does not address state sponsorship or support of harmful cyber activities (including espionage and cyber attacks) or state responsibility for actions under either the jus in bello or jus ad bellum. (94)

Rather than establishing a new norm of customary international law regarding state territorial responsibility for cyber attacks, state practice in this area instead reflects conscious neglect, confusion, lack of consensus, and enormous practical and legal difficulties in both determining the origin of hostile cyber actions and in imposing a territorial model on them. The current shadowy world of cybercrime and the related--and often indistinguishable--world of state-sponsored espionage and sabotage thrive on the lack of territorial boundaries in cyberspace, the invisible nature of information, and the lack of coordination and cooperation between states on cyber issues.

Varied types of hackers, hacktivists, and state-sponsored actors engage in diverse acts of mischief, crime, and destruction in cyberspace on a daily basis. (95) Most of these actors operate with impunity and successfully evade or manipulate the territorial boundaries of the states in which they operate, as demonstrated by the incredible lack of accountability for cyber threats under domestic legal regimes. (96) This profound inability of states to impose their own domestic criminal laws on cyber events that "occur" within their territories vividly illustrates the fragile nature of state territorial control and responsibility over hostile uses of information in cyberspace and should caution against the summary application of international law on this basis.

It is true that a state may have an obligation to exercise "due diligence" in order to prevent conduct contrary to international law within its territory and to prosecute and punish such conduct if it occurs. (97) However, the absence of agreed legal obligations with respect to hostile cyber actions, the pervasive use of commandeered computer systems and networks, the transnational dimensions of information in cyberspace, and the widespread involvement of private entities and private property all work to impede clear findings of state responsibility with respect to the transmission of damaging information.

4. Information: The Problems of Unlimited Availability and Ubiquitous Processors

As noted above, the predominance of privately owned assets in cyberspace and the widespread availability of information and sophisticated information technologies give rise to unparalleled asymmetric warfare capabilities. Because of the exceedingly low barriers to entry in the arena of information (anyone can create it) and the acquisition of information technology (almost anyone can buy it), even the most powerful states are facing serious cyber threats from an unprecedented number of new actors. (98) In fact, states are already being subjected, on a daily basis, to costly intrusions by adversaries with increasingly sophisticated cyber capabilities. (99)

While state actors are generally responsible for the operation of various sophisticated weapon systems and armaments such as tanks, ballistic missiles, and warships, those who possess information and who operate potentially harmful information technologies operate in a new sort of "weapons commons." Nonstate actors, notably transnational terrorist organizations, have long known the value of the Internet as a means of financing and publicizing terrorist activities and recruiting new members--making information technologies and interconnectedness key aspects of modern insurgencies. 100 Now a variety of cyber tools and methods, representing a new set of asymmetric warfare capabilities, are also available to these groups as potential weapons to inflict damage on their enemies.

A powerful addition to the cyber capabilities of nonstate actors may ironically come from the arsenals of the most technologically advanced states. Soon after powerful states use their most sophisticated cyber weapons, the information necessary to recreate these weapons may be readily available for downloading from the Internet. This phenomenon, which is said to be illustrated by information now available about the Stuxnet worm, has led some commentators to observe that the most sophisticated state-developed cyber capabilities may quickly become "open source" weapons once they are used. (101)

These developments mean that states now confront a vast array of new methods and means of warfare, a host of new cyber actors, and an abundance of new places from which hostile cyber actions against them can be taken. This reality of so many easily armed, diverse, and dangerous actors fundamentally complicates the task of determining the origin of specific hostile actions. (102) While many physical weapons may be distributed widely among nonstate actors, such weapons have physical properties and present physical evidence of their possession and use; such evidence is not present in the transmission of various types of information through cyberspace.

The abundance of actors in cyberspace and the widespread availability of new information weapons also raise difficult questions about the IHL status of the many persons who design and create computer programs, use the computer systems and networks, or contribute in other ways to processing or managing information packages that may be used in hostile cyber acts. Under IHL rules, civilians enjoy a protected status and are immune from attack unless they take a "direct" or "active" part in hostilities. (103) The dawn of a new era of abundant information weapons presents the unsettling possibility of an expanded and ambiguous type of involvement by the civilian population in armed conflicts.

The question of what constitutes "direct participation in hostilities" already raises difficult issues in conventional armed conflicts. (104) In light of the diverse types of actions that can be performed by individuals as they create, process, or otherwise use abundant information resources--from designing malware to managing websites or simply processing data--questions of civilian immunity under the IHL framework become even more complex.

The many interrelated activities that may be involved in the processing or management of information related to a particular hostile cyber action will also raise difficult questions about the specific conditions under which civilians involved in these activities could lose their immunity from direct attack. If, for example, civilians are immune from direct attack "unless and for such time as they take a direct part in hostilities," (105) defining the precise temporal period of an individual's work on a computer during which he or she could be legally susceptible to attack may present some serious challenges.

Difficulties in determining the status of individuals engaged in cyber activities in the context of noninternational armed conflicts present further challenges. In order to distinguish civilians in these conflicts from members of insurgencies and other organized armed groups of nonstate actors, the ICRC takes a functional approach by suggesting that such armed groups "consist only of individuals whose continuous function it is to take a direct part in hostilities ('continuous combat function')." (106) Thus, if the IHL regime is extended to encompass cyber activities in these conflicts, this approach will likely raise problematic questions about the status of persons who, by continuously engaging in various damaging, diverse, and interrelated information and computer activities (including the preparation, execution, or command of such activities), are said to assume a continuous combat function that amounts to direct participation in hostilities.

Specific and widely acknowledged examples of direct participation in hostilities by civilians in information-related cyber actions are difficult to find. The ICRC broadly identifies "interfering electronically with military computer networks" as an example of an act causing "military harm to another party," which could potentially make a civilian subject to attack for as long as he or she carries out such an act. (107) This example may, however, raise more questions than it answers. Which personnel working with computer programs and information systems are included in the description of "interfering electronically" with an adversary's computer networks? What are their duties? For how long are the individuals engaged in these and related computer or information processing activities susceptible to attack?

Conflict in cyberspace does not focus on the operation of conventional weapons but instead on the use of information through the deployment of malware and computer programs that include worms, viruses, logic bombs, and an infinite variety of other damaging data packages. Determining the participation of a civilian in hostilities based on the role he or she plays in managing and processing such information--as part of the deployment of a cyber weapon--may present much more complicated scenarios than those associated with conventional weapons that depend on the simple launching, motion, and impact of physical objects or the application of other physical forces.

While the parameters of IHL rules in this area remain uncertain, any broad definition of direct participation in hostilities, in the vast realm of cyber space, risks making many civilian personnel who work with interrelated and diverse types of information and information technologies susceptible to attack. This problem may be significantly complicated by the blurred line between personal and work-related activities that many civilian workers often cross as they process information on their laptop computers, iPhones, and other electronic means of accessing the Internet. Although individuals with laptops sitting in coffee shops may routinely pursue harmful cyber activities and may also undertake work-related activities involving state-sponsored cyber activities, the prospect of expanding an existing armed conflict by imposing the IHL regime on such individuals, potentially subjecting them to lawful attack, is an alarming prospect.

In terms of military operations, a large number of diverse technicians and specialists, many of them civilian, may routinely be involved in interrelated computer and information activities, potentially including those required to access enemy computer systems and direct harmful cyber actions against them. It is thus not surprising that the ICRC notes with concern the reality that a wide variety of civilian specialists may be called upon to assist members of the armed forces of a state in conducting a hostile cyber action. (108) A serious and daunting task will thus confront military planners and their legal staffs: determining which information-related activities by an enemy are so integral to military operations or "intrinsic to a particular cyber process" that they will make the personnel involved in those activities subject to attack based on their direct participation in hostilities. (109)

More broadly, such concerns highlight the dangers of imprudently extending the IHL framework to encompass many information activities. An overbroad application of the concept of direct participation in hostilities into the realm of information processing could in fact threaten the fundamental purposes of the IHL regime in the modern information age, potentially exposing vast areas of existing civilian activity to targeting and attack.


A. Accessing Information: "Acts of Violence" Against "Objects of Attack'"?

Rather than blasting or physically forcing its way into an adversary's systems or networks, a hostile cyber act uses information to persuade targeted systems or networks to grant admittance. (110) While these acts involve "penetrating" enemy systems or networks, they are commenced and conducted essentially as unauthorized acts of accessing information.

The nature of hostile cyber acts--in which information in systems and networks must first be accessed by "persuasion"--makes these acts highly unusual candidates for regulation under either the jus ad bellum or jus in bello. No physical objects are destroyed by the hostile cyber access itself; no planes, missiles, shells, bombs, or other physical objects fall on enemy forces or land on the territory of a foreign state; and no physical forces or physical objects are directed against the military forces of an adversary.

Countless acts of unauthorized access to computer systems and networks occur every day around the world (including diverse forms of cyber espionage), but these acts are routinely addressed as criminal, civil, or administrative matters under domestic laws and regulations--and not as acts of war that implicate the jus ad bellum and IHL framework. (111) However, as noted above, only illegal "acts of force" implicate the jus ad bellum, and only "the most grave" forms of the use of force satisfy the requirements for an armed attack justifying an armed response under the UN Charter. The most common characteristics and effects of illegally accessing computer systems and networks fall far short of the high standards for an armed attack under the jus ad bellum, even if one assumes that other key requirements, such as attribution, can be met.

Acts involving unauthorized access to computer systems and networks are also particularly difficult to reconcile with the model upon which the modern international legal system is founded: state sovereignty over territory. A nonphysical information "incursion" into an adversary's computer systems or networks is not equivalent to the invasion of another state's territory. Without such a physical incursion into anther state's territory by objects or enemy personnel, the negative effects of cyber actions lack a fundamental component of illegal uses of force as they are ordinarily assessed under the jus ad bellum.

In terms of the jus in bello, the legal threshold for the application of the IHL framework under the Geneva Conventions of 1949 is, as noted above, the presence of an "armed conflict." In the broadest terms, such a conflict can be said to exist "whenever there is a resort to armed force between States." (112)

Since armed force necessarily implicates some variation of a clash or contest of arms, the definition of arms plays a part in delineating the concept of "armed force." As noted above, the expansive phrase "weapon, means or method of warfare" appears to be able to encompass harmful cyber techniques, technologies, and computer programs. If so, the use of cyber weapons or techniques could qualify as a "resort to arms" between opposing military forces in an international armed conflict.

Notwithstanding potentially broad definitions of arms and armed conflicts, the IHL framework was never intended to apply to every type of harmful, unfriendly, or unwanted action that states are capable of taking against each other. Instead, as emphasized by the ICRC, "IHL is the body of rules applicable when armed violence reaches the level of armed conflict, and is confined only to armed conflict." (113) The presence of "armed violence" is thus central to the IHL regime. Furthermore, the regime's obligations and restrictions are intended to apply to a specific type of armed violence: an attack.

The term attack has been correctly referred to as "of decisive importance" in the application of key IHL rules. (114) Protocol I, which represents the most widely accepted and authoritative statement of IHL obligations, does not define an attack merely in terms of harmful consequences; instead the protocol's Article 49 describes an attack as "[an] act[] of violence against the adversary, whether in offence or in defence." (115)

The emphasis on acts of violence in the text of Article 49 suggests that attacks are dependent on a finding of "physical force," thus excluding other harmful, nonphysical acts. (116) The ICRC interpretation in the Commentary to Protocol I simply confirms that "[t]he term 'attack' means 'combat action.'" (117)

Proponents of the proposition that harmful consequences alone determine the threshold for an attack have argued that the drafters of Protocol I did not envision modern military capabilities other than those involving "the immediate release of violent kinetic forces." (118) Yet it is unclear why "kinetic forces" alone--as opposed to the broader and more familiar concept of physical forces and objects--should be the key in making this determination. (119) Indeed, as reflected in the Commentary to Protocol I, the threshold for establishing an attack and an act of violence focuses on combat and physical force (which, in its most common understanding, involves the employment of physical forces or objects) and not on the narrower concept of kinetic forces.

From its formative stages, the IHL framework was not centered on the possible effects of many different types of harmful state conduct but instead on the physical violence associated with a broad range of weapons employing physical forces and objects (not merely "violent kinetic forces"). Thus, the foundational 1899 and 1907 Hague Conventions included not only restrictions on projectiles, munitions, and weapons employing kinetic forces but also a ban on the use of poison. (120) The employment of the destructive physical properties of both chemical and bacteriological (later biological) weapons was also formally banned soon after in the 1925 Geneva Protocol. (121)

In spite of the IHL regime's undisputed foundations on physical acts of violence, it has become fashionable among some writers to argue that hostile cyber acts should be included within the scope of attacks because cyber capabilities belong to a subset of physical weapons referred to as nonkinetic weapons. (122) In support of this proposition, operations involving chemical and biological weapons are incongruously cited as precedents for equating cyber weapons with "other" nonkinetic weapons on the basis of their destructive consequences. (123)

As noted, however, the historic focus in the IHL regime has been on physical forces and objects, which has always included a smaller subset of various nonkinetic, physical weapons, ranging from older versions, such as poison and dangerous pathogens, to modern versions, such as electromagnetic radiation and other directed energy weapons. Information weapons, which lack the legally significant physical attributes, characteristics, and capabilities of physical weapons, are another matter.

The fundamental differences between physical weapons and hostile uses of information are not usefully explained by referring to cyber capabilities as nonkinetic. This nonkinetic lens is equally unhelpful in explaining the critical differences between hostile cyber acts and the physical use of armed force for purposes of the jus ad bellum, although some authors employ this lens--again relying on the inapt comparison to biological and chemical weapons--to equate these acts on the basis of their destructive effects. (124)

State practice, to this point in history, continues to support the clear focus of the IHL framework on acts of physical violence (involving weapons that employ physical forces or objects) as opposed to a focus on merely the effects of many varied, harmful state actions. The process of accessing data in an unauthorized manner, however, bears little resemblance to the acts of physical violence that the IHL framework was designed to regulate. (125) The nonviolent nature of such cyber acts is reflected in the innumerable, diverse forms of unfriendly and damaging actions in cyberspace that occur, and will continue to occur, on a daily basis around the world outside of armed conflict and outside the IHL framework.

As noted, the international community has collectively decided to exclude a variety of harmful, nonphysical acts from both the jus ad bellum and IHL framework, including damaging acts of espionage, subversion, and political and economic coercion. In the absence of any state practice, it has nonetheless been argued that the IHL framework should be applied to nonphysical hostile cyber acts when they result in serious physical damages.

Yet to encompass within the IHL framework a vast new set of nonphysical actions--involving the uninvited accessing of information and then subsequent acts of denial of service, exploitation, or manipulation of data--is a highly significant and problematic step, one which remains dependent on state practice (in the continuing absence of any relevant international agreements). Significantly, not a single state has actually embraced this innovation with respect to real (as opposed to hypothetical) cyber incidents, in spite of the expanding universe of hostile cyber acts affecting the financial, industrial, and security interests of states, including acts targeting critical components of their national infrastructure. (126)

The nonviolent, nonphysical nature of a hostile cyber act itself is only one characteristic that makes such an act unusual for purposes of both the jus ad bellum and jus in bello. Another unusual characteristic concerns the diverse, highly ambiguous, and often temporary effects of these acts, which are directly related to the central role that information plays in constituting targets in cyberspace.

An immense array of potential information targets is emerging in cyberspace, accompanied by new cyber techniques capable of damaging, denying, or disrupting them. Governments apparently continue to direct their military forces and intelligence organizations to identify and pursue new opportunities to advance national security objectives by engaging in hostile cyber acts against many of these information targets.

New information targets of potential interest to the military include websites and other portals on the Internet used by adversaries--valuable targets that may be difficult if not impossible to destroy with physical force and conventional weapons. For example, the head of the U.S. Cyber Command and Director of the National Security Agency, General Keith Alexander, reportedly called for cyber capabilities to be used to block the publication of an "online jihadist magazine" because such a cyber action would be against "a legitimate counterterrorism target and would help protect U.S. troops overseas." (127) Along similar lines, even the U.S. State Department apparently has employed cyber capabilities to disable foreign websites associated with Al Qaeda. (128)

A state may thus perceive numerous military, security, or political advantages in undertaking hostile cyber acts that interrupt, disable, or deny access to adversary websites and computer systems, even if the effects are temporary. Such temporary effects on these targets are, however, unlikely to meet the threshold for attacks under the IHL regime.

The view requiring a minimum threshold of damage in order for cyber acts to constitute attacks is widely held, and its proponents include some writers who advocate a consequentialist approach to cyber conflict. (129) However, it has also been suggested that a broad range of cyber actions that disable targets should also qualify as attacks. (130) A legal advisor at the ICRC has also suggested that specially protected objects, such as hospitals and medical units, must not only be protected from attacks but also from all harm and interference, arguably including low levels of cyber interference. (131) To argue, however, that various types of temporary cyber interference, annoyance, mischief, and disruption should constitute attacks subject to IHL restrictions risks dangerously overextending the IHL regime and further highlights the dangers of legally equating the informational with the physical.

While disruptive cyber acts may significantly interfere with activities that rely on timely access to denied information, the actual damages caused to targeted systems and networks are likely to be temporary in nature. (132) This phenomenon illustrates an important aspect of information as a target in cyberspace: unlike the natural environments of land, sea, air, and space, cyberspace is a human construct. This means that cyberspace is replicable, and thus damage to it can be repaired. (133)

The unusual, replicable character of cyberspace and the ambiguous effects of many hostile cyber actions are implicitly reflected in the once widely used term "computer network attack" (CNA). CNAs have been defined as "[a]ctions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves." (134) Words like "disrupt" or "deny" may, of course, describe actions with only limited, temporary effects on the ability to access information. (135)

Hostile cyber acts encompassed by the term CNA may thus have consequences that range from serious damage to no damage at all. Within this range of effects, there are numerous types of nuisance, mischief, inconvenience, disruption, or denial that clearly do not rise to the level of armed attacks for purposes of attacks under the jus in bello or armed attacks under the jus ad bellum. Consequently, the term CNA is a poor tool for legal analysis, although it remains a useful illustration of the spectrum of events occurring in cyberspace.

The difficulty in equating temporary, disruptive cyber acts with armed attacks, even if undertaken on a massive scale against one country, is clearly reflected in current state practice. As noted above, the international community in general, and NATO states in particular, explicitly refrained from characterizing the disruptive cyber actions that paralyzed Estonia in 2007 as an armed attack or even as "a clear military action." (136) Such state practice stands, at least for now, in stark contrast to suggestions that if Russia were found legally responsible for the cyber actions against Estonia in 2007, the international community would or should have regarded them as illegal uses of force under the UN Charter. (137)

Evaluating the legal status of the effects of hostile cyber acts also focuses attention on the nature of the target. In implementing the fundamental principle of distinction, Protocol I requires that attacks be directed only against "military objectives," which are limited to "those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage." (138)

In assessing the English text of Protocol I, the Commentary concluded that the word object refers to "something placed before the eyes, or presented to the sight or other sense, an individual thing seen, or perceived, or that may be seen or perceived; a material thing." (139) It further concluded that in both English and French, it was clear the word object "means something that is visible and tangible." (140)

The nonphysical objects of disruptive hostile cyber acts are thus highly unusual "objects of attack" for purposes of the IHL framework. The resulting effects may also be very difficult to categorize as the sort of physical damages (death, injury, or destruction of physical objects) that have long served as the basis for applying IHL obligations and restrictions. Even those who emphasize consequences in assessing the legal status of cyber acts may express reservations about treating data as an object of attack. (141) An additional, important, and unresolved issue hanging over the question of whether data can constitute an object of attack is the problem of its content, which is discussed in Part IV.

B. Controlling, Confining, and Segregating Information

Information, as it resides in or passes through cyberspace, may be much more difficult to control, confine, and segregate than physical objects and forces passing over or through the physical features of land, sea, air, and space. This characteristic ensures that information presents its own set of significant challenges related to the observance of the IHL principles of distinction and proportionality.

If in fact the IHL regime does apply to a particular cyber operation, those who plan or decide upon an attack must take various precautionary measures to ensure compliance with the principles of distinction and proportionality. These obligations require responsible planners and decision makers to, among other things, "do everything feasible" to verify that the objectives to be attacked are military objectives and not civilians or civilian objects; "take all feasible precautions in the choice of means and methods of attack" in order to avoid or minimize incidental damage or injury to the civilian population; and "refrain from deciding to launch any attack which may be expected to cause incidental loss of civilian life ... which would be excessive in relation to the concrete and direct military advantage anticipated." (142)

Various methods that are available in conventional conflicts to evaluate whether a planned, ongoing, or completed attack complies with the proportionality principle are not available to the commander of a cyber operation. One fundamental problem is that cyberspace cannot be occupied in the same way that physical terrain can be controlled. This means that there is no guaranteed point, position, or space that can be occupied in such a way as to allow an attacker to observe and evaluate the effects of an attack--even after the attack has been launched. (143) Many types of information about a target may thus be less accessible to the commander of a cyber, as opposed to a conventional, military operation.

In both conventional and cyber military operations, a commander who is planning an attack and attempting to take "all feasible precautions" to minimize harm to the civilian population is not assumed to have access to perfect information. Instead, as explained by the ICTY, "In determining whether an attack was proportionate it is necessary to examine whether a reasonably well-informed person in the circumstances of the actual perpetrator, making reasonable use of the information available to him or her, could have expected excessive civilian casualties to result from the attack." (144)

Although cyberspace is a domain of information, the "information available"

to a reasonable commander who is planning an attack in cyberspace may ironically be extraordinarily limited. Commanders responsible for military cyber operations must deal with many challenges in observing the proportionality principle, including complex barriers that may prevent observation of the different levels of information that surround targets. (145) These barriers may impede efforts to evaluate the military value of targets while also obscuring connected and threatened civilian objects that are not the target of attacks, particularly when networks have both military and civilian functions. (146)

Yet a commander remains under an obligation, to the extent feasible, to gather and evaluate information about potential targets to ensure compliance with IHL targeting rules. At a minimum, this involves a "continuing obligation to assign a high priority to the collection, collation, evaluation, and dissemination of timely target intelligence." (147)

Fundamental challenges, however, confront these efforts in cyberspace. Determining how to access an adversary's systems or networks to reach a specific target generally requires careful planning and substantial preparations. (148) Efforts to collect intelligence about those targets will also generally require penetrating enemy systems or networks to obtain information prior to the attack. (149)

However, an unauthorized entry into an adversary's computer systems for purposes of gathering intelligence may be viewed, if detected, as the attack itself. This dilemma highlights a problematic dimension of information when it is used to penetrate systems as a reconnaissance tool: the difficulty in characterizing the intent behind the intrusion. (150) Efforts to undertake precautionary measures that involve intrusions into enemy networks could thus, in the worst case scenario, prompt a counterattack by the enemy.

Even if an intrusion for purposes of gathering intelligence about a particular target is not viewed by an adversary as an attack, its detection could seriously threaten a commander's mission. Since such an intrusion may rely on the same methodologies and information to be used in a planned attack, its detection could risk compromising the means by which the attack is to be conducted--effectively shutting the "door" that had been opened into the enemy's networks or systems. (151)

A commander may thus face a serious dilemma if the requirement to take all feasible precautions is interpreted as requiring preliminary intrusions into an enemy's systems or networks. To the extent that feasibility relates to making an "informed decision" in this context, it will focus on what cyber intelligence-gathering operations must or can be conducted in order to make that informed decision. (152) However, a commander who undertakes an extensive intelligence-gathering operation as a precautionary measure may risk jeopardizing the planned mission by revealing methods or prompting countermeasures by an adversary who misinterprets the probe as the attack itself.

The contextual term "feasible" thus seems unlikely to require a commander to compromise his or her mission by penetrating an adversary's systems or networks as a precautionary measure. Given the lack of state practice, the contours of these rules in cyberspace are not yet clearly defined. Ostensible rules in cyberspace that defy compliance by reasonable commanders may be, however, just another kind of legal phantom.

More broadly, a commander seeking to comply with IHL obligations confronts formidable technical obstacles in precisely predicting the effects of hostile cyber actions. Because information is so inherently difficult to control, confine, and segregate in cyberspace, these obstacles exist even if the commander is equipped with the best intelligence available. (153) A variety of factors contribute to these obstacles and challenges. Unlike conflict in physical domains, conflict in cyberspace is not predictably constrained by physical laws such as those found in physics or chemistry; complex and rapidly changing operating systems can create conditions in which the same set of stimuli may not yield identical or even similar results, and cyberspace is a medium that can be quickly changed (by defenders or by third parties). (154) Furthermore, various faults, holes, vulnerabilities, barriers, or anomalies in a particular system may be unknown to both attackers and defenders until that system actually confronts new, destructive, and unexpected information programs.

Another factor that may make even the best-planned hostile cyber act unpredictable is the human element. Humans are the key cyber players who may--or may not--detect hostile cyber actions, respond effectively to them, learn from them, make necessary adjustments to them, and be resistant or vulnerable to their methods of deception. (155)

Difficulties in predicting the consequences of a hostile cyber act may go far beyond understanding its immediate effects on targeted systems and networks. Information itself may be uniquely difficult to confine, particularly in view of the interconnected systems and networks that carry data in a "wired" modern society and global economy. (156) In this environment, where key networks and systems are becoming even more complex and interdependent, planners must grapple with the reality that the information they "launch" into cyberspace will confront no natural boundaries, may not easily be confined, and may be amenable to few, if any, certain controls.

The challenges in controlling information in order to limit damage to civilian objects in cyber operations are compounded by the other aspects of the nature of targets in cyberspace. It may be extremely difficult to segregate targeted information and information systems from those that are not to be targeted. While lines of communication used by the military are generally regarded as military objects, which are subject to attack, military communications rely heavily on the commercial communications infrastructure. (157)

The practice of some countries, including the United States, of broadly defining military objectives--by including objects that make "an effective contribution to the enemy's war fighting/war sustaining effort"--further broadens the list of dual-use targets for possible hostile cyber actions. (158) In particular, based on their war-sustaining capabilities, various economic objects--including banks, stock exchanges, main export industries, and other key financial and corporate interests--may represent important targets for cyber capabilities within the framework of "effects based targeting." (159) Attacking such targets on this basis has, however, been intensely criticized. (160)

Nevertheless, cyber capabilities clearly provide new opportunities to conduct operations to destroy, or temporarily disable, these and many other objects that may have been previously inaccessible or impractical to attack with conventional weapons. Such cyber actions may not only be more effective than attacks with conventional weapons but will also have the ability to avoid causing various types of incidental physical damage (from fires, blast damage, chemical spillage, radiation, etc.) that pose a serious threat to civilians. (161)

In general, cyber capabilities represent important new tools for military forces to achieve results that were once only obtainable by conventional weapons. (162) In practical terms, they also add new types of objects of military value to target lists, including targets linked to economic resources upon which an adversary relies. These new targets, however, raise new questions about compliance with the principle of proportionality and the applicability of the IHL regime itself.

Regardless of their legal status, hostile cyber acts against targets of economic importance raise fears about new types of risks. These perceived risks include unwanted and disastrous effects on financial institutions worldwide, said to even inspire a sort of "unwritten international taboo" against cyber targeting of banking systems. (163) Such concerns may, in fact, have played a part in decisions by the U.S. government to forego possible cyber actions against some financial targets in several conflicts, including a contemplated action against the bank accounts of Serbian leader Slobodan Milosevic during the Kosovo conflict in 1999 and against Iraq's financial system in 2003. (164)

While offering significant military advantages, hostile cyber actions against critical economic targets and other national infrastructure objectives may also pose serious risks due to the unpredictable effects of those actions against interdependent systems (particularly as the interdependence of systems upon which national infrastructures depend may not even be visible). (165) The possible extended consequences of a hostile cyber action (whether described as ripples, reverberations, or "second and third tier effects known as 'knock-on' effects") (166) on information in interconnected communications, energy, industrial, or financial systems could be far-reaching and hard if not impossible to reliably predict. (167)

Some commentators have suggested that technical solutions are available to improve the accuracy of cyber weapons and that it is possible to design highly discriminating and accurate cyber weapons. (168) However, as noted above, systemic challenges confront efforts to ensure that harmful information will be effectively controlled or confined once it is used against complex, sensitive targets--particularly in view of unknown interconnected systems, anomalies and changes in those systems, unforeseen technical complications, and unpredictable human involvement.

Unpredictable human involvement includes the possibility that cyber actions will be misinterpreted and that responses to those actions will quickly and dangerously escalate. The "unique characteristics of cyberspace" (which include problems related to determining the intent behind cyber actions, anonymity, vast numbers of actors with malicious cyber tools, and the "the speed of action and dynamism inherent in cyberspace") may collectively make this danger of escalation across interconnected systems "especially acute." (169)

The DoD argues that "dangerous escalatory situations" can be prevented "by following the same policy principles and legal regimes in its cyberspace operations that govern actions in the physical world, including the law of armed conflict." (170) Because of the unique properties of information, however, this reliance on the law of armed conflict to successfully govern and control hostile cyber actions (based on perceived similarities with laws governing conventional weapons in physical domains) may be seriously overstated or misplaced.

The IHL obligations governing those who plan or decide upon attacks do not appear to include responsibility for all the possible, or even foreseeable, consequences of cyber attacks. Instead, based on the language found in Protocol I, the obligations appear to include only those effects that can be described as expected. (171) In particular, the language setting forth the scope of precautionary measures to ensure observance of distinction and proportionality requires those who plan or decide upon an attack to "refrain from deciding to launch any attack which may be expected to cause incidental loss of civilian life." (172)

This legal standard confining the scope of precautionary measures means that the effects of many military operations in cyberspace may simply remain outside the realm of the IHL framework--as legal phantoms in an unchartered area of serious and complex policy concerns. Nonetheless, concerns about collateral damage appear to be an important factor in continuing to restrain many cyber operations. (173) Even if the IHL regime is inapplicable, decision makers reasonably may be hesitant to approve hostile cyber acts with potentially far-reaching and unpredictable effects on information linked to diverse industrial facilities, communication centers, transportation hubs, commercial activities, financial institutions, and other unidentified organizations and activities around the world.

Beyond concerns that are arguably shaded to some degree by legal questions, various other fears appear to have limited the use of many cyber weapons by states. (174) One set of such extralegal fears has been the political and strategic consequences of being the first major power to launch a cyber attack, including the possibility that such an action will legitimize this new means of warfare. (175)

Other extralegal concerns that have apparently limited the use of cyber weapons relate directly to the peculiar status of information as a weapon, further illuminating yet another important aspect of its "uncontrollability." Unlike the payload of physical weapons that is destroyed or damaged in attacks, the information making up a cyber weapon generally remains intact after its use, allowing any adversary with the necessary knowledge and ability to reprogram that malware for its own use (making it, as noted, an "open source" weapon).

This phenomenon, along with the knowledge that use will ensure obsolescence, appears to be important in continuing to limit the use of some new cyber capabilities. Thus, in situations where national interest is not clearly at risk, a sophisticated cyber weapon has reportedly been likened by U.S. government officials to an expensive car that is best left in the garage. (176) A final concern is also presented by the possibility that the use of a sophisticated cyber weapon will provide a clear indication of what might otherwise have been the secret capabilities of the attacker. (177)

Government, military, and intelligence officials must thus grapple with numerous risks as they weigh the strategic, security, and policy implications of using cyber weapons. These concerns, complicated and magnified by the unpredictability of cyber weapons and the inherent difficulty in controlling information, serve to constrain cyber operations. Although legal uncertainties about incidental damages may cloud assessments of many cyber actions, important policy issues also surround almost every aspect of their possible employment. In many cases, the IHL regime will simply not apply to hostile cyber actions, and even if it does, it is unlikely to apply to all of their effects. It has thus been suggested that while cyber activities present various legal challenges, "many problems masquerading as 'legal' issues are really undecided policy issues with a number of legal alternatives." (178)
COPYRIGHT 2014 Vanderbilt University, School of Law
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Abstract Through II, Information as a Weapon and Target: Problems of Access and Control, p. 67-112
Author:Beard, Jack M.
Publication:Vanderbilt Journal of Transnational Law
Date:Jan 1, 2014
Previous Article:Climate change, forests, and international law: REDD's descent into irrelevance.
Next Article:Legal phantoms in cyberspace: the problematic status of information as a weapon and a target under international humanitarian law.

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters |