It may come as a surprise to some war victims, but there actually is a body of international law that establishes when and how nations can legally engage in armed conflict.
Thanks to various treaties, the United Nations Charter, and the Hague and Geneva Conventions, we are able to draw official distinctions between victims and aggressors, and we have guidelines that, when honored, provide some protection to civilians. Professional militaries train with the rules of war in mind, recognizing that abiding by them works to their benefit as much as to the enemy's.
It is no surprise, then, that many legal experts, diplomats and military commanders around the world are now debating how to extend the law of war to cyberspace. The emergence of electronic and cyberwar-fighting capabilities is the most important military development in decades, but it is not yet clear how existing treaties and conventions might apply in this new domain of conflict.
Uncertainty about the legal and ethical limits of state behavior in cyberspace could have disastrous consequences.
"If nations don't know what the rules are, all sorts of accidental problems might arise," says Harvard law professor Jack Goldsmith. "One nation might do something that another nation takes to be an act of war, even when the first nation did not intend it to be an act of war."
Under the U.N. Charter, states have the right to go to war if they come under an "armed attack" from another state. But there is no consensus yet on what that right means in the event of an attack on a country's computer networks.
One important consideration is whether the attack is the work of a lone hacker, a criminal group or a government. The law of war applies primarily to conflict between states, so truly rogue actions would not normally be covered.
The purpose of the activity is also relevant. Michael Hayden, having directed both the National Security Agency and the CIA, would not include an effort by one country to break into another country's computer system to steal information or plans.
Cyberwar Or Simply Espionage?
"We don't call that an attack," Hayden said at a recent conference on hacking. "We don't call that cyberwar. That's exploitation. That's espionage. States do that all the time."
Cyberwar, Hayden and others argue, involves a deliberate attempt to disable or destroy another country's computer networks. But how much damage must be done before a cyber operation could be considered an act of war under the U.N. Charter — and thus justify the use of force in response?
"We don't know when or if a cyberattack rises to the level of an 'armed attack,' " says Daniel Ryan, who teaches cyber law and the law of war at the U.S. military's National Defense University.
International law is also somewhat unclear when it comes to how states could use cyberweapons in wartime. The Hague and Geneva conventions require militaries to minimize the damage to civilians in wartime. So in a cyber conflict, military targets would presumably have to be distinguished from civilian targets, with civilian computer networks off limits.
"A direct attack on a civilian infrastructure that caused damage, even loss of life of civilians, would, I think, be a war crime," Ryan says.
The civilian computer infrastructure would include the networks that control an air traffic control system or a water supply, for example. But distinguishing civilian and military cybertargets is not necessarily so simple.
Private Networks
"Computers don't always have signs over them that say, 'I'm a military target' [or] 'I'm a civilian target,' " says Harvard's Goldsmith. "Also, the two things are intermixed. Ninety to 95 percent of U.S. military and intelligence communications travel over private networks."
One danger is that an attacking military may set out to hit a military target but then hurt civilians in the process. This could happen if the attack is disproportionate to the military objective.
The law of war requires "proportionality." You can't level a city to destroy a single military unit located there. In the cyberworld, this rule means you couldn't plan a massive computer attack, even on a military network, without regard for the civilian computer networks that would be affected by that attack.
But with computer networks so highly interlinked, it will be harder to adhere to the proportionality rule in a cyber conflict than in a conventional war.
"The U.S. government, when they're dropping a bomb, they have all sorts of computer algorithms and studies that they use to show exactly what the consequences are going to be from dropping this bomb from this angle on this building," Goldsmith says. "Those consequential analyses are much harder in cyberspace, and so it's hard to apply the proportionality test."
Given all the indirect effects that might flow from a cyberattack, cyberwar planners could easily be confounded by the legal considerations.
Looking For The 'Right Answer'
"Since we can't predict what the unintended consequences of the use of cyber might be, that would say, you can't attack at all in cyberspace," Ryan says. "That can't possibly be the right answer."
To Ryan, the "right answer" is that commanders should have to consider those effects of a cyberattack they are able to consider, but not those consequences that can't be anticipated.
Former CIA Director Hayden, a retired Air Force general, suggests using common sense. One example of an attack that should be illegal, he says, would be the insertion of damaging software into an electrical grid.
"Overall, finance is so dependent upon investor confidence that cyberpenetration of any electrical grid, for whatever transient advantage it might create for the aggressor state, is so harmful to the international financial system that we should just all agree: These are like chemical weapons; we're just not going to use them," Hayden said in July.
Yet another troublesome issue is how the rules of war could be enforced in cyberspace. Skeptics point out that even if governments could agree on what is illegal, it wouldn't necessarily mean they would honor those agreements.
"It is a near certainty that the United States will scrupulously obey whatever is written down, and it is almost as certain that no one else will," says Stewart Baker, a former NSA general counsel and an assistant secretary of homeland security under President George W. Bush.
'No One Is Going To Get Caught'
If anything, it would be harder to enforce the law of war in the cyberworld than in other domains of warfighting. The amount of anonymity in cyberspace means that a devastating attack might leave no "signature" or trace of its origin.
"Since we know that that's going to happen all the time," Baker says, "and no one is going to get caught, to say that [a cyberattack] is a violation of the law of war, is simply to make the law of war irrelevant."
But whether war crimes are prosecuted or not, military commanders like to know the rules under which they are supposed to fight. "There is a great deal of discussion going on right now about this," says Daniel Ryan, whose students at the National Defense University include senior U.S. military and government officials.
Discussion of the legal and ethical issues around cyberwar is also a popular and controversial subject at the United Nations; the upcoming session of the U.N. General Assembly is likely to feature renewed debate over the issue.
