James Lewis, our distinguished guest last spring and a Senior Fellow at the Center for Strategic and International Studies, released an essay dated October 1, 2010, and entitled "Thresholds for Cyberwar." From the summary on the CSIS website:
It is not correct to call every bad thing that happens on the internet “war” or “attack.” The thresholds for war or attack should not be very different in cyberspace than they are for physical activity. We can also focus discussion by defining cyber war as the use of force to cause damage, destruction or casualties for political effect by states or political groups. A cyber attack would be an individual act intended to cause damage, destruction, or casualties. There is a gray area, of course, when we think about disruption, particularly the disruption of services and data, and when this disruption rises to the level of the use of force. The threshold should be very high for calling a disruptive activity an act of war or attack.
via csis.org (emphasis added).
It seems that his definition of cyber war is determined by effects, and his definition of cyber attack looks to intent. That, of course, is inconsistent with our seminar's discussion last week in which there was a near consensus that both intent and consequences must be considered in determining whether a cyber attack is an armed attack or a use of force under the law of armed conflict and the United Nations Charter. Also, the terms "cyber war" and "cyber attack" are completely meaningless to the present legal structure, which determines legality by whether an act is a "use of force" or an "armed attack." His use of terms foreign to the existing legal framework raises the question whether the law of armed conflict and the U.N. Charter shouldapply in the cyber realm, or whether they are simply anachronisms in cyber space. That is the issue for an upcoming week of study.
His entire essay is in this nine page PDF document. In it, he does consider the terms "use of force" and "armed attack," although the United Nations is mentioned only in a quotation from the North Atlantic Treaty in a footnote. The term "law(s) of war" is used three times, and "law of armed conflict" not at all.
I believe I am correctly summarizing the seminar's discussion by saying that it determined drawing a line between "cyber war" and "cyber attack" to be meaningless. The question is whether any action is a "threat or use of force" or is an "armed attack."
Article 2 of the U.N. Charter says, in part: "All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."
Article 51 states, in part: "Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations … ." Surely, if someone fires a bullet at you, you have suffered an armed attack whether or not you are struck. If a nation fires a nuclear-armed missile at another, than the latter has suffered an armed attack whether or not the missile detonates. It is very difficult to determine whether an event in cyberspace is a "threat or use of force against the territorial integrity or political independence of any state" or whether it is "an armed attack." If it is the former, it is illegal. If it is the latter, then it justifies a military response in self defense. There are many kinds of cyber attacks. But, under international law the only legally relevant determination so far is whether the "cyber attack" is an "armed attack" or a "threat or use of force against the territorial integrity or political independence of any state."
Leave a Reply