The application of international law of armed conflict to cyber-warfare has been under intense discussion recently following the release of Stuxnet, a highly sophisticated computer worm and related malware which was reportedly developed by two technologically advanced countries. The Stuxnet release allegedly ruined centrifuges at Irans Natanz uranium enrichment facility. According to Reuters, Irans Revolutionary Guards had announced that that country was prepared to defend itself in case of a ‘cyber war’ which could cause more harm than a physical confrontation.
Cyber-warfare has been characterized as one of the most important military developments in recent history, as it has taken on as a military dimension – it has the capability of collecting intelligence as well as engaging in attack and defense. This development has raised questions regarding the applicability of existing treaties and conventions regulating the law of war to cyber-attacks. For example, some asked, when does a cyber-attack rise to the level of an armed attack that justifies an act of self defense under Article 51 of the Charter of the United Nations?
The difficulty in determining whether a cyber-attack is an armed attack lies in the difference between the traditional combatants and venue and those that exist in cyberspace. The cyber field, where a cyber-attack occurs, differs from the traditional battlefield, where fighters of opposing armies can identify and directly target their opponents. In a cyber-attack the identity of the attacker, the scope of the damage inflicted, and the dimensions of the cyber field are not easily identifiable.
The thought of opponents not physically being present in the new cyber battlefield made me dream, for a moment, that this technological development may be the solution to prevention of violent conflicts around the world. Could opponents merely engage in cyber-war games instead of in actual violent operations? Unfortunately, the answer is no; this is definitely wishful thinking. Cyber-warfare is not a game. Contrary to my initial thought, many believe that cyber-warfare is much more complex and potentially more harmful than traditional wars. This is particularly true if used against an opponents economic and communications infrastructure. Breaking into an opponents cyber systems has the capacity to inflict enormous damage to both military and civilian installations.
Realizing that the damage inflicted by cyber-attacks can be sizeable, I wondered whether there are any existing rules that currently apply to such attacks. What considerations should be undertaken by nations around the world when they engage in cyber-attacks against opponents? Is it possible to distinguish between telecommunications facilities that are military and those that are civilian for the purpose of compliance with international law requirements under the Hague and Geneva conventions? These conventions generally require that militaries minimize the damage to civilians in wartime. Similarly, how does the rule of proportionality, which focuses on evaluating the proportion between collateral civilian damage to the specific military gain for determination of illegality, apply to cyber-warfare?
An additional challenge to the application of the law of armed conflict on cyber-attacks is the difficulty in identifying the perpetrators for the purpose of enforcement. Experts expressed the view that the level of anonymity in cyberspace may enable even a devastating attack to leave no trace of its origin. According to Prof. Daniel Ryan, who teaches cyber law and the law of war at the U.S. National Defense University, whether war crimes are prosecuted or not, military commanders like to know the rules under which they are supposed to fight.
Although no internationally accepted rules are available at this time, a document titled the “Tallinn Manual on International Law Applicable to Cyber Warfare”, edited by Michael N. Schmitt , has recently been completed. The manual was prepared by a group of legal and military experts at the invitation of the NATO Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia (the Center). The manual proposes 95 rules regulating both jus in bello, the international humanitarian law that seeks to limit the suffering caused by war, and jus ad bellum which regulates the use of force, justification or reasons for war, and its prevention. The manual also addresses implications under the law of state responsibility and the law of the sea.
The Tallin Manual is expected to be published both in paper and electronically in 2013 but is already available on the Centers website (for those with 20/20 eyesight …). Although nonbinding, the manual is considered an authoritative restatement of the law of armed conflict as it relates to cyberwar.