The Pentagon recently stated it intends to treat sufficiently destructive cyber attacks as acts of war, subject to armed retaliation. In its report to the Congress, the Department of Defense (DoD) stated the use of armed force was on the extreme end of a continuum of policy choices rather than a default response. Yet the term “cyberwar” seems to imply the application of international humanitarian law (IHL) in the context of an armed conflict. Cyber attacks within an armed conflict, like those during the South Ossetia war of 2008, are problematic because organized crime and private citizens can more feasibly act on the basis of nationalist agendas rather than government direction. But most instances of cyber attacks against governments occur outside of armed conflict. Given most cyber attacks against American government infrastructure and websites occur outside of armed conflict and authorship of attacks is rarely certain, what are the implications of the DoD’s announced policy for the laws of war?
The first issue raised by “cyberwar” is whether a cyber attack can rise to the kind of attack indicative of war. War under IHL is conceptualized as the resort to protracted and intense armed force by two or more parties. Armed conflict is either between States, characterized as international armed conflict, or between States or armed groups operating inside a single State, referred to as non-international armed conflict. While the distinction can be ambiguous, both forms of conflict are characterized by the loss of life as a result of the commission of an attack. However, cyber attacks have yet to directly kill anyone. Cyberwarfare also raises the issues of what actions constitute an appropriate response to attacks, and to whom attacks should be attributed.
The DoD’s report provides the President with a wide array of options to confront cyber attacks, including intelligence, diplomacy, and law enforcement. For a cyber attack to rise to an act of war, it would have to trigger a self-defense claim, yet no war was started over a cyber attack, including those that caused widespread disruption in Estonia. The DoD report mentions cyber attacks meriting an armed response but mentions attacks that disable or damage vital infrastructure. IHL governs the conduct of the war rather than the beginning of the war. Assuming a cyber attack occurs within armed conflict it can be met with force and considered a war crime if it violates IHL. Such acts typically involve indiscriminate or disproportionate attacks upon a protected population or property. Interpretation will be necessary because none of the treaties which compose the body of IHL refer to cyber attacks, and the only international treaty governing cyber attacks addresses it as a crime issue. States could issue proportionate reprisals to respond to a cyber attack that violated IHL in order to deter future violations as a last resort, made from the highest level of government. On the other hand, any automatic use of armed force to respond to any cyber attack outside of armed conflict is as an act of aggression, because it would involve using force in the territory of another State in violation of that State’s sovereignty. The target could be a residential area or an internet café, likely resulting in substantial collateral damage. Unless the cyber attack was catastrophic, an armed response to a cyber attack would likely start a war or international controversy.
In the case a cyber attack is the catalyst for a war or is carried out during the context of armed conflict, the DoD report highlights multiple policy options prior to the use of force. The strategy it outlines focuses on deterrence and international cooperation in cultivating the growth of international law regulating cyberspace. Other States like Russia have adopted similar policies. Deterrence is questionable in practice. Cyber attacks can and are perpetrated by third parties acting for various reasons without State direction. To assign legal responsibility to a State for the cyber attacks of third parties, the injured State would have to prove those third parties were essentially organs of the accused State, acting at that State’s direction and on its behalf. In the alternative, the injured State would have to apply a standard focusing on the degree of control by the State, such as funding, legal and practical support. Effective deterrence involves dissuading third parties and potential State sponsors, which the DoD seeks to do through conventional means like law enforcement, intelligence, and international cooperation. Ultimately, the DoD announcement is about recognizing the emergence of a new theater of operations in cyberspace, not rewriting international humanitarian law.