Strategic Cybersecurity, Module 8: Cyber Conflict and the Law.
Lecture 8 discusses problems that cyber technology poses for international law. In particular, the module focuses on two aspects of international law that deal with the question of armed conflict: Jus Ad Bellum, or “the right to wage war,” and Jus In Bello, or “justice in war.”
Once you have completed the readings, lecture, activity, and assessment, you will be able to
- Define “Jus Ad Bellum”
- Articulate why international law has difficulties adjudicating cyber attacks.
Welcome to Strategic Cybersecurity, Module 8. In the last module, we introduced some problems that the Internet poses to the concept of sovereignty, as it has been understood since the 400-year-old Treaty of Westphalia was signed.
In this module, we cover some problems that cyber technology poses for international law. As you read in the Rosenzweig text, two aspects of international law deal with the question of armed conflict: Jus Ad Bellum, or “the right to wage war,” and Jus In Bello, or “justice in war”: that is, when and how can a country respond to an armed attack?
These two concepts have been around for hundreds of years but were created to be applicable to kinetic, not cyber, warfare.
Over the last decade, legal experts at the NATO Cooperative Defence Centre in Tallinn, Estonia, have attempted to codify how these legal concepts should be applied to cyber attacks. This is especially timely, given how common cyber attacks have become in our world.
Perhaps the most recent and notorious example is the 2016 U.S. presidential election. Details continue to emerge about Russia's interference in our election, including the purchase of politically and racially polarizing ads on social media to sow discord among the public and possibly create political chaos.
How Does The Law Deal With Treats?
How do you think that the United States should respond to these provocations? Should Russian interference be considered a type of armed attack? If so, what should the U.S. Response be?
Whatever your views, the fact is that international law currently does not provide a cut-and-dried template on how to respond to such attacks, or even if these actions should be considered an attack. And, as Rosenzweig notes, there is actually no international consensus on what constitutes an armed attack in the kinetic world, let alone the cyber world.
For our purposes, the principal rule for Jus Ad Bellum, or when countries may respond to force, is found in the United Nations Charter, Article 2, Sub-Paragraph 4, or the “2/4 Rule.”
The 2/4 Rule
The 2/4 rule states that countries must “… refrain from the threat or use of force against the “territorial integrity or political independence of any state “or in any other manner inconsistent with the purposes of the United Nations.” In other words, except for highly specific circumstances, if one country wishes to use force on an another, for any reason, it must first gain a mandate (that is, permission) from the United Nations Security Council.
Barring such a mandate, the country may act in self-defense to stop an incursion by another state, but it may act only to a degree to effectively repel the incursion, nothing more. Additionally, although somewhat controversial, a country may use force to intervene in certain egregious humanitarian situations, but, again, the United Nations strictly defines these situations, and they are beyond the scope of this module.
Not taking into account the United Nations rules regarding the conduct of war, Rosenzweig notes that U.S. policy-makers have adopted a view about cyber attacks that considers the amount of damage that they exact.
Rosenzweig states, for example, that the United States would not categorize another country's theft of sensitive information about a sophisticated fighter jet as a use of force; however, should that country conduct a cyber attack that results in physical damage to our power grid, this would be considered an armed attack, and as far as the United States is concerned, we would be allowed to respond in kind.
Keep in mind, however, that unless the United States received a mandate or permission from the U.N. Security Council to use force, we would be in violation of international law as the rules currently stand.
You should be realizing at this point that a significant gray area exists with respect to cyber conflict in international law. Rosenzweig notes that this situation is highly unsettling, stating that even though cyberwar is now a reality, we have no ideas what rules, if any, apply.
We have a long way to go
The good news is that many international governmental and non-governmental entities have recognized this fact and have made an active effort to deal with the problem. We have a long way to go, but initiatives by international organizations, such as the initiative by the NATO Cooperative Defence Centre, mentioned earlier, are certainly a good start.
Quiz Question 1: Which school of thought best describes how the United States views when a cyber attack would be tantamount to an armed attack?
A: The U.S. strategy is to compare the damage caused by a cyber attack to that of a kinetic attack. If the former could have been caused by a kinetic attack in the past, then it is considered an armed attack.
B: The U.S. strategy focuses on the scope and magnitude of how an attack, or how much of an impact, it had. According to this view, an attack on Wall Street could be considered an armed attack.
C: The U.S. considers any attack on the nation's critical infrastructure, whether successful or unsuccessful, to be an armed attack.
The answer is B: The U.S. strategy focuses on the scope and magnitude of an attack, or how much of an impact it had. According to this view, an attack on Wall Street could be considered an armed attack.
Quiz Question 2: True or false: Jus Ad Bellum may be best described as a set of legal criteria to be consulted to determine if a state is justified in engaging war.
The answer is True.
Quiz Question 3: Which of the following best captures why international law has difficulties adjudicating responses to cyber attacks?
A: There is no international consensus on what constitutes a cyber attack.
B: The United Nations has purposely refused to define the term “cyber.”
C: Each nation has its own definition of the term “cyber.”
D: Both Russia and China refuse to ratify the United Nations treaty on cyber attacks.
The answer is A. There is no international consensus on what constitutes a cyber attack.
The activity for this module asks that you write a one-page reflection of your current views regarding how the United States should respond to the Russian interference in the 2016 presidential election. In your reflection, play devil's advocate, and argue why your initial suggestion might not be legitimate or effective according to international laws governing conflict.