Cyber-Attacks and the Exploitable Imperfections of International Law

Home , Alureon, Bifrost (trojan horse), Cyber ShockWave, Moonlight Maze, Samy (computer worm), Titan Rain

Yaroslav Radziwill

LEIDEN | BOSTON Library of Congress Cataloging-in-Publication Data

Radziwill, Yaroslav, author. Cyber-attacks and the exploitable imperfection of international law / by Yaroslav Radziwill. pages cm Based on author’s thesis (doctoral — University of Warwick, 2014) issued under title: Cyber-attacks and international law : imperfections of a stagnant legal regime. Includes bibliographical references and index. ISBN 978-90-04-29833-0 (hardback : alk. paper) — ISBN 978-90-04-29830-9 (e-book) 1. Information warfare (International law) 2. Cyberspace operations (Military science) I. Title.

KZ6718.R33 2015 341.6’3—dc23 2015023019

This publication has been typeset in the multilingual “Brill” typeface. With over 5,100 characters covering Latin, ipa, Greek, and Cyrillic, this typeface is especially suitable for use in the humanities. For more information, please see brill.com/brill-typeface. isbn 978-90-04-29833-0 (hardback) isbn 978-90-04-29830-9 (e-book)

Copyright 2015 by Koninklijke Brill nv, Leiden, The Netherlands. Koninklijke Brill NV incorporates the imprints Brill, Brill Hes & De Graaf, Brill Nijhoff, Brill Rodopi and Hotei Publishing. All rights reserved. No part of this publication may be reproduced, translated, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission from the publisher. Authorization to photocopy items for internal or personal use is granted by Koninklijke Brill nv provided that the appropriate fees are paid directly to The Copyright Clearance Center, 222 Rosewood Drive, Suite 910, Danvers, ma 01923, usa. Fees are subject to change.

This book is printed on acid-free paper. This book is dedicated to my wonderful, lovely wife Maarja.

∵

Contents

Preface ix Abbreviations x Glossary xiv

1 Introduction 1 1.1 Introduction 1 1.2 Objectives and Research Questions 4 1.3 Structure of the Book 9 1.4 Choice of Terminology 11 1.5 Conclusion 14

2 Theoretical Framework 15 2.1 Introduction 15 2.2 Legal Framework 15 2.3 Political Component 28 2.4 Conclusion 39

3 Cyber-Threat 40 3.1 Introduction 40 3.2 The Hypothetical Threat 40 3.3 Reported Cyber-Incidents 57 3.4 Conclusion 83

4 Cyber-Space 85 4.1 Introduction 85 4.2 Territoriality of Cyber-Space 86 4.3 Sovereignty over the Virtual Realm 95 4.4 Jurisdiction in Cyber-Space 109 4.5 Conclusion 123

5 Cyber-Strikes and Jus ad Bellum 125 5.1 Introduction 125 5.2 Cyber-Attacks and the Use of Force 126 5.3 Cyber-Attacks and Self-Defense 142 5.4 Cyber-Attacks and Aggression 160 5.5 Conclusion 171 viii contents

6 Humanitarian Law Perspective 173 6.1 Introduction 173 6.2 General Applicability of International Humanitarian Law 174 6.3 Principle of Humanity 181 6.4 Necessity and Proportionality in Jus in Bello 195 6.5 Principle of Distinction 201 6.6 Deception 214 6.7 Principle of Neutrality 218 6.8 Conclusion 223

7 Cyber-Terrorism 225 7.1 Introduction 225 7.2 Terrorism and Cyber-Terrorism as Legal Concepts 226 7.3 Conventional Cyber-Terrorism 243 7.4 Escalated Conventional Cyber-Terrorism: Jus ad Bellum 247 7.5 Archaic Cyber-Terrorism: Jus in Bello 257 7.6 Conclusion 265

8 Role of International Organizations 266 8.1 Introduction 266 8.2 United Nations as Part of the Problem 267 8.3 United Nations as Part of the Solution 277 8.4 Role of Other International Organizations 301 8.5 Conclusion 310

9 Conclusion 312 9.1 Introduction 312 9.2 Validity of the Idea 312 9.3 A Way Forward 321

Appendix 1—Toolkit of a Modern-Day Cracker 323 Appendix 2—Normative Model for Command Authorities (Jus ad Bellum) 330 Appendix 3—Direct Participation in Hostilities: A List of Academic Examples 332 Bibliography 337 Index 400 Preface

In April 2007, Estonia’s attention was focused, for the most part, on the violent riot resulting from the relocation of the Bronze Soldier and on the police brutality pertaining to the suppression of that riot. During this period, Estonia became a target for a number of cyber-attacks. As an Estonian national from Tallinn and an undergraduate student at the University of Tartu at the time, I witnessed these cyber-strikes and had the experience of seeing their consequences firsthand. Moreover, as an Estonian Russian, I understood the broader context of the issue and could follow the reactions to the cyber-offensive in both major ethnic communities. In my experience, the 2007 cyber-attacks were barely noticeable. I could access the Internet as usual and no extraordinary interference was encountered. While the inability to enter my bank (Hansapank) online at one point may or may not have been due to the ongoing cyber-offensive, such problems were not uncommon anyway. Neither ethnic group generally (Estonians nor Estonian Russians) seemed to care particularly about the few cyber-attacks that were visible. Website defacements were viewed as ordinary hooliganism, no more damaging than the physical defacement of Anton H. Tammsaare’s statue with a concise, untranslatable Russian insult to Estonia’s prime minister. Considering my personal experience, it is still surprising to see scholarly descriptions of the 2007 cyber-attacks as severe, devastating and crippling, causing fear and mental anguish among the population. The exaggerated danger of something so minor seems to undermine the seriousness of the threat that severe cyber-attacks could have. In fact, the discrepancy between how the 2007 cyber-strikes felt and how they were perceived abroad is one of the factors that inspired me to write a book on this topic. As work progressed, I came to realize that academic views ranged from those skeptically denying the possibility of cyber-attacks causing any damage whatsoever to those that promise “cyber-apocalypse”. The same range of attitudes vis-à-vis cyber-security were encountered in the practical realm, be it the Council of Europe’s Committee of Experts on Terrorism, the NATO Cooperative Cyber-Defense Center of Excellence or the United Nations Counter-Terrorism Implementation Task Force. Thus, while the present book focuses on how international law applies to cyber-warfare, it aims to ensure that cyber-threats are presented in a realistic light, without overemphasizing the danger, but also without giving them too little weight. Abbreviations

3D Three-Dimensional 9/11 11 September 2001 ACHR African Court on Human and Peoples’ Rights AmJIL American Journal of International Law ANZUS Security Treaty between the United States, Australia, and New Zealand AP Additional Protocol to the Geneva Conventions AU African Union CCDCOE NATO Cooperative Cyber Defense Center of Excellence CERT Computer Emergency Response Team CETS CoE Treaty Series CIA US Central Intelligence Agency CIS Commonwealth of Independent States CODEXTER CoE Committee of Experts on Terrorism CoE Council of Europe CTITF UN Counter-Terrorism Implementation Task Force CTS Consolidated Treaty Series CUP Cambridge University Press DDoS Distributed Denial of Service DISEC Disarmament and International Security Committee DoD US Department of Defense DoS Denial of Service DNS Domain Name System DPKO UN Department for Peacekeeping Operations DPRK Democratic People’s Republic of Korea DRC Democratic Republic of Congo ECHR European Convention on Human Rights ECOWAS Economic Community of West African States ECtHR European Court of Human Rights EICAR European Institute for Computer Antivirus Research EJIL European Journal of International Law ENDC Estonian National Defense College ENISA European Network and Information Security Agency ESIL European Society of International Law ETA Basque Homeland and Freedom (Euskadi Ta Askatasuna) EU European Union EUR Euro abbreviations xi

FARC Revolutionary Armed Forces of Colombia—People’s Army (Fuerzas Armadas Revolucionarias de Colombia—Ejército del Pueblo) FBI US Federal Bureau of Investigation G20 Group of Twenty GBP British Pound Sterling GC Geneva Convention (1–4)1 GPS Global Positioning System HC Hague Convention (1–4; 1–14)2 HCA Annex to a Hague Convention IACHR Inter-American Commission on Human Rights IAEA International Atomic Energy Agency ICAO International Civil Aviation Organization ICC International Criminal Court ICISS International Commission on Intervention and State Sovereignty ICJ International Court of Justice ICLQ International & Comparative Law Quarterly ICRC International Committee of the Red Cross ICTR International Criminal Tribunal for Rwanda ICTY International Criminal Tribunal for the former Yugoslavia IDF Israel Defense Forces IEEE Institute of Electrical and Electronics Engineers ILC International Law Commission ILJ International Law Journal ILM International Legal Materials IMO International Maritime Organization IMEI International Mobile Equipment Identifier IMSI International Mobile Subscriber Identity Interpol International Criminal Police

1 Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 31; Convention (II) for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 85; Convention (III) Relative to the Treatment of Prisoners of War (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 135; Convention (IV) Relative to the Protection of Civilian Persons in Time of War (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 287. 2 Hague Conventions (I–IV) (adopted 29 July 1899, entered into force 4 September 1900) 26 Martens Nouveau Recue 2nd Ser; Hague Conventions (I–XIV) (adopted 18 October 1907, entered into force 26 January 1910) 3 Martens Nouveau Recueil 3rd Ser. xii abbreviations

IP Internet Protocol IRA Irish Republican Army ISP Internet Service Provider ISPAC International Scientific and Professional Advisory Council IT Information Technology ITU International Telecommunication Union KGB USSR Committee for State Security (Komitet Gosudarstvennoy Bezopasnosti) LAN Local Area Network LED Light-Emitting Diode LNOJ League of Nations Official Journal LNTS League of Nations Treaty Series MAC Media Access Control MI6 British Secret Intelligence Service (Military Intelligence, Section 6) MIN Mobile Identification Numbers MMS Multimedia Messaging Service MP3 MPEG Music File Layer 3 MPEG Moving Picture Experts Group NASA US National Aeronautics and Space Administration NATO North Atlantic Treaty Organization NORAD North American Aerospace Defense Command NY New York NYU New York University OAU Organization of African Unity OIC Organization of Islamic Cooperation OSCE Organization for Security and Cooperation in Europe OUP Oxford University Press P5 Five Permanent Members of the UNSC PC Personal Computer PCIJ Permanent Court of International Justice PRC People’s Republic of China R2P Responsibility to Protect RAND Research and Development Corporation RAT Remote Administration Tool SAARC South Asian Association for Regional Cooperation SCO Shanghai Cooperation Organization SD Secure Digital SIM Subscriber Identity Module SMS Short Messaging Service abbreviations xiii

TCP Transmission Control Protocol TMC Tobias Michael (Carel) Asser U4P Uniting For Peace UAV Unmanned Aerial Vehicle UBS Union Bank of Switzerland UC University of California UK United Kingdom of Great Britain and Northern Ireland UN United Nations UNCLOS UN Convention on the Law of the Sea UNGA / GA UN General Assembly UNHCR UN High Commissioner for Refugees UNICRI UN International Criminal Research Institute UNIDIR UN Institute for Disarmament Research UNITA National Union for the Total Independence of Angola (União Nacional para a Independência Total de Angola) UNODC UN Office on Drugs and Crime UNSC / SC UN Security Council UNSG / SG UN Secretary-General UNTS UN Treaty Series UN ICT UN Information and Communication Technologies US / USA United States of America USB Universal Serial Bus USD US Dollar USSR Union of Soviet Socialist Republics WGIG UN Working Group on Internet Governance WMD Weapon of Mass Destruction WSIS World Summit on the Information Security WTC World Trade Center WW2 Second World War WWW World Wide Web Glossary

Anonymous (group): A group term for multi-national, unaffiliated, unnamed hacktivists and protesters, united by various causes. Anti-Virus: Software that detects and removes malware. Backdoor: A pre-installed vulnerability in software, firmware or hardware that allows undocumented and direct access at the attacker’s discretion. Botnet: A network of computerized devices, which are secretly (see zombies) or openly (see script-kiddies) controlled by skilled cyber-attackers (most often, over the Internet). Brute Force: A tactic that presupposes trying all possible letter and number combinations to guess logins and passwords. Chip: A set of integrated electronic circuits. Computerized Device / System: A computer that processes data or a device capable of performing similar functions (e.g., a smartphone). Counter-Hacking: Accessing and launching counter-attacks against an aggressive system in cyber-space. Cracker: A computer-expert who participates in cyber-attacks with malicious intent. Also sometimes called a black hat hacker. Critical Infrastructure: Facilities and networks that are vital for the normal functioning of a society. Cyber-Attack: An act of unauthorized altering, deleting, disrupting, damaging or suppressing data within targeted computerized systems or networks. Cyber-Espionage: An act of accessing or storing classified data located in cyber-space. Cyber-Infrastructure / Information Infrastructure: Hardware (e.g., network cables) that makes virtual existence of cyber-space possible. Cyber-Space / Cyber-Realm: Virtual realm created as a result of the use of information technology. Cyber-Strike: See Cyber-Attack. Cyber-Terrorism: A cyber-attack that results in an act of terror prohibited by the existing legal instruments. Cyber-Warfare: Exchange of cyber-strikes and conventional attacks between parties to a conflict. Cyber-Zone / Virtual Zone: A delimited section of cyber-space. Data: Information that is held or processed by a computerized system. DDoS (Distributed DoS) Attack: DoS attack that originates from multiple sources and is channeled to a single destination (e.g., via zombie botnets). Defacement: Visual corruption of webpages. glossary xv

Digital Media Frame: A small monitor (in the form of a picture frame) that displays various images. Domain Name: Character transcription of an IP address of a computer connected to a network. DNS (Domain Name System): A software system that translates domain names into IP addresses. DoS (Denial of Service) Attack: A method of externally overwhelming and shutting down servers by simultaneously sending a large number of requests for information. Facebook: The most famous and popular social network (in 2014). File: Transferrable group of data found under one name, accessible to users and their devices. Firewall: A virtual defense mechanism that filters incoming and outgoing network traffic. It can include hardware and software components. Firmware: Software permanently embedded in hardware. Flash Memory Card: A removable data storage device, smaller and flatter than a USB. Forum: Website meant for online discussions. GPS (Global Positioning System): A satellite-based system that provides location coordinates on Earth. Hacker: A computer-expert that participates in cyber-attacks for ethical reasons (e.g., to protect a network). Also known as a white hat hacker. Hacktivism: Politically-motivated cyber-attacks. Hard Disk: A rarely removed internal data storage device in a computer. Hardware: Physical devices and parts of a computerized system. Honeypot: A fake network created to attract and expose crackers. Information Space: A distributed area of related electronic data and general information available to individuals. Information Warfare: Method of warfare involving filtering available data meant to influence the consciousness of the enemy or a population. Instant Messaging Program: Software that allows real-time discussions in cyber-space. Internet: A network of interconnected computerized devices and networks that forms the main part of cyber-space. IP (Internet Protocol): A set of pre-agreed virtual addresses that make sending information between computerized systems over the Internet possible. ISP (Internet Service Provider): An organization or company that offers direct Internet access to users. IT (Information Technology): Technology that processes electronic data. Keyboard Layout: Keyboard’s key arrangements. xvi glossary

Keylogger: A sniffer software that records and transmits data that a user types on a keyboard. Laptop: A small, portable computer. Log: A report on hardware or software activity. Logic Bomb: A malicious piece of software that activates at a pre-arranged time or upon invocation of a specific command. Login: A combination of username and password that allows access to a program. Malware: Malicious software used to facilitate or carry out cyber-attacks. Malicious Program / Software: See Malware. Media Access Control: A virtual address assigned by manufacturer that identifies a computerized device on a network. Network: A virtual link between multiple computerized systems and their components. Network Protocol: Pre-agreed network addresses of data transmissions. Notebook: See Laptop. NSA: US National Security Agency Offline: Not connected to or taking place outside of the Internet. Online: Connected to or taking place on the Internet. OS (Operating System): A complex underlying software that enables the use of hardware and other software by a user. Packet: Batch of data sent as part of network communication. Password: A secret phrase used for cyber-device authentication. Peer-to-Peer: A method of online data exchange that simultaneously shares files and resources between participating computerized systems without the use of a server. Plug and Play: Technology that allows computers to automatically discover and configure a device attached thereto. Port: Endpoint of cyber-communications (as interpreted by a server). PRISM: An ongoing surveillance program of the NSA that, inter alia, involves direct access to data, accumulated by major US corporations. Root Name Servers: Thirteen virtual super-servers that are responsible for the functioning of the Internet generally and DNS specifically. Router: Technology consisting of hardware and software that facilitates data transmission between networks and computerized devices by forwarding packets. SCADA (Supervisory Control and Data Acquisition): A computerized control system that monitors and regulates physical industrial processes. Screenshot: An image depicting elements on screen, as they are visible to a user at a particular moment. glossary xvii

Script: A part of source code that initiates particular processes. Script-Kiddie: A person who uses downloaded malware to participate in cyber-attacks without understanding how it works. Server: A computer running software that provides online services to users and their devices upon request. Sniffer: A program that intercepts data in cyber-space (e.g., logins and passwords). Smartphone: A computerized mobile phone. Software: Programs intended for computerized systems. Social Media: Unofficial online media, making use of social networks. Social Network: A website or service that facilitates social relations online. Source Code: Contents of a program or a website. Spam: Unsolicited virtual correspondence. Spoof: A fake imitation of an object online or a network address (e.g., IP). Stuxnet: A computer worm that is, inter alia, responsible for destruction of centrifuges at the Iranian nuclear enrichment facility Natanz in 2009. TCP (Transmission Control Protocol): A sub-class of shared network protocols that enables two computerized devices to communicate. Trojan: A malicious program that appears to perform a legitimate function. Twitter: A social network that allows posting short messages (up to 140 characters each). Update: A renewal of installed software, inter alia, to fix discovered flaws. USB (Universal Serial Bus) Device / Stick: A small, removable data storage device. User: A person who operates a computerized device. Username: Name used for cyber-device authentication. Virus: A malicious self-replicating code that inserts itself into existing files. Web-Camera: A camera that can directly transmit video online. Website / Webpage: Virtual page(s) accessible over the Internet. WWW (World Wide Web): A network of linked webpages on the Internet. Worm: A self-replicating standalone malicious program. Zero-Day: Exploitable vulnerability known only to a small number of people, including the attackers. Zombies: Infected computerized devices stealthily used for malicious purposes, primarily as part of botnets.

Chapter 1 Introduction

1.1 Introduction

International law sometimes struggles to respond to the introduction of new weapons and tactics. In some cases, a major catastrophe has to occur before the legal community tackles the issues that caused it. Even then, it takes years to finalize and agree upon a common approach to a particular problem. Until this happens, state governments (that is people who rule and exercise executive control over a state) and international lawyers are forced to operate with the existing legal instruments, even if these instruments are not perfectly suitable. Today, we see the emergence of a new threat, unimaginable until the late 20th century: cyber-attacks. These are used increasingly as an individual and composite tool in warfare. More and more states tend to view malicious software (and cyber-attacks generally) as a weapon, which is evidenced by their military doctrines and calls for action.1 Although electronic signals (and, to a lesser extent, high-technology light beams or radio-waves) are the main ways to deliver malware to their destination, experts such as Davis Brown or William Boothby go as far as to compare cyber-attacks with the use of a gun.2 Even the biggest cyber-attacks to date have not caused direct fatalities. However, as the global infrastructure becomes more and more computerized and interconnected, there is a growing possibility that cyber-attackers or cyber-terrorists will find a weakness in one of the systems, exploit it and cause loss of life, serious damage or even jeopardize the existence of a state. Should such an event happen, depending on the amount of damage, governments’ resolve and various other factors, cyber-strikes could provoke reactions similar to the ones of 9/11. Nevertheless, the response to Al-Qaeda’s terrorist attacks of 2001 was based, largely, on the existing legal instruments, already developed by the time of the

1 For instance, see US Department of Defense, “Strategy for Operating in Cyberspace” (US Department of Defense 2011) 3 accessed 1 August 2015; International Code of Conduct for Information Security, Annex to UNGA 66/359 (14 September 2011) UN Doc A/66/359, op para. 2. 2 Davis Brown, “A Proposal for an International Convention To Regulate the Use of Information Systems in Armed Conflict” (2006) 47(1) Harvard ILJ 184–185; William H. Boothby, “Methods and Means of Cyber Warfare” (2013) 89 International Law Studies 389.

© koninklijke brill nv, leiden, ��5 | doi ��.��63/9789004298309_002 2 Chapter 1 attack. Correspondingly, it is not unreasonable to expect international law to keep up with the impending threat of cyber-warfare. Logic dictates that increasing cyber-attacks should provoke meaningful evolution of international law.3 Over the last 20 years, the Russian Federation, supported by other Shanghai Cooperation Organization (SCO) members, has made a number of suggestions to develop a separate international treaty that would govern cyber-warfare and ensure information security of sovereign nations.4 Such proposals continue to meet persistent opposition from the United States and some of its allies, who actively assert that the existing international law is sufficient to tackle cyber- warfare. Various American scholars imply that accepting Russia’s proposals should be resisted, as they might undermine online freedoms or pose a threat to national security of the United States of America.5 Moreover, some Western experts view Russian suggestions (alongside its other “multilateral arms control initiatives”) as a “propaganda tool”.6 The US unquestionably plays a dominant role in international affairs and exercises unparalleled levels of control over the Internet, inter alia, due to the location of major global corporations and root name servers on its soil. It is, therefore, very unlikely that an effective treaty will emerge without its participation. Lack of special agreements signifies that the already-existing

3 See generally ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC Finalized by Martti Koskenniemi (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 15; ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 10: “New types of specialized law do not emerge accidentally but seek to respond to new technical and functional requirements”. 4 The idea of a separate treaty on information warfare was introduced by the Russian Federation as early as 1995—see Franz-Stefan Gady, Greg Austin, “Russia, The United States, And Cyber Diplomacy: Opening the Doors” (Report, EastWest Institute 2010) 15 accessed 1 August 2015. See generally Dorothy E. Denning, “Obstacles and Options for Cyber Arms Controls” (Arms Control in Cyberspace, Berlin, June 2001) 6 accessed 1 August 2015. 5 See John F. Murphy, “Cyber War and International Law: Does the International Legal Process Constitute a Threat to U.S. Vital Interests?” (2013) 89 International Law Studies 339; Oona A. Hathaway and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review 832. 6 See Richard A. Clarke, Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010) 220. Introduction 3 legal regime remains the default system for governing cyber-warfare.7 Even if a special treaty regulating cyber-attacks in war were to emerge in the future, it would not easily supersede current jus ad bellum and jus in bello obligations, but would rather clarify and build upon them. For these reasons, the importance of the existing legal framework for cyber- warfare cannot be overstated and, as such, it must be subjected to rigorous study. The present book contributes to this goal by examining imperfections of international law that can be exploited and which, in theory, could be the reason why certain governments prevent law’s development in the field of cyber-warfare. It should be mentioned that, although the question of jurisdiction over actors who launch serious cyber-strikes, is raised in one of the chapters,8 the work itself does not concentrate on small-scale cyber-crime, and instead focuses on cyber-attacks within the jus ad bellum and jus in bello contexts.9 For this reason, little attention is paid to the 2001 Council of Europe (CoE) Convention on Cybercrime (or to the laws of cyber-peace in general). Although undoubtedly an important instrument, it is not capable of adequately regulating use of force or cyber-attacks in war; what is considered a criminal act in peacetime may become legal in armed conflicts when an entirely different set of norms applies. The purpose of this particular chapter is to introduce the book. It is divided into three parts. The first part outlines questions that the book seeks to answer and objectives that drive it. It identifies its place within the existing scholarly literature, highlighting its original view on the problem of regulating cyber-warfare.

7 For similar opinions, see Wolf H. von Heinegg, “The Tallinn Manual and International Cyber Security Law” (2012) 15 Yearbook of International Humanitarian Law 9–10; David Turns, “Cyber War and the Concept of Attack in International Humanitarian Law” in Dan Saxon (ed.), International Humanitarian Law and the Changing Technology of War (Martinus Nijhoff 2013) 218; William A. Owens and others, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies Press 2009) 3; Deborah Schneider, “Cyber Security Keynote Address” (FSC-PC.DEL/30/10, United States Mission to the OSCE 2010) iv accessed 1 August 2015. 8 See Chapter 4. 9 Some scholars like Dieter Fleck believe that cyber-crime must not be ignored, although tackling all criminal activity online seems unnecessary in the present book, particularly in light of an ongoing cyber-arms race on state military level—see Dieter Fleck, “Searching for International Rules Applicable to Cyber Warfare—A Critical First Assessment of the New Tallinn Manual” (2013) 18(2) Journal of Conflict & Security Law 335. 4 Chapter 1

The second part describes the structure of the book and explains the importance of different chapters, which are categorized in order to best address problems under consideration. Notably, a more detailed description will pre- cede each chapter. The third part sheds light on the most important terms employed throughout the book. While the Glossary briefly defines more specific terminology, the third part clarifies at length why preference is given to the term “cyber-attack” rather than to the possible alternatives. Furthermore, the concepts of “cyber- attack” and “cyber-space” are explained, as they are used here.

1.2 Objectives and Research Questions

Although this book is primarily an academic examination of the law governing cyber-warfare, it can also have practical use for policy-makers and experts in position to influence decisions in the field of international security. It sets out to examine how current international law reacts to the introduction of a new concept of cyber-attack and to determine whether it is prepared, in its current state, to deal adequately with the dangers that actors bring into the international arena. In response to the reluctance of certain governments to develop new written norms on cyber-attacks, this book argues that international law features a substantial amount of significant imperfections that can be exploited in cyber-warfare. Two main propositions underpin this idea. Firstly, although cyber-attacks do not have solid customary norms regulating them, the current jus ad bellum and jus in bello (within their larger framework of international law) are generally capable of accommodating the new threat with the help of available instruments and institutions. Secondly, despite this general fitness for purpose, the existing norms leave uncertainties, deficiencies and gaps that can be exploited to the detriment of international law’s cogent development. Exploitation, in this context, stands for making use of the existing imperfections in order to justify a desired, often politically motivated action. It can occur before the act (as part of a preparatory or public relations campaign), during the act (as part of a practical justification) or after the act (to present the latter in a favorable light). While legal uncertainties, deficiencies and gaps can be exploited by non- state actors and individuals (for example, military personnel engaged in cyber-warfare), the role of the main exploiters in this book is played by Introduction 5 governments. After all, it is their previous negligence or manipulations that could have resulted in international law having imperfections in the first place. Considering the stagnation in the field of cyber-warfare regulation, one should keep in mind that only powerful governments have the means to artificially preserve these imperfections in order to enable their continued exploitation. At the same time, it is prudent to remember that international law generally provides the basis for making a decision on whether particular state conduct is legal or illegal. For obvious reasons, greater clarity in law can help judges (both international and domestic) assign responsibility and issue fair court rulings should such a need arise where cyber-attacks are concerned. In addition, as state behavior can be constrained not only by legal means, but also through shared morals of its population (especially, in democratic societies), lack of clarity should be seen as an obstacle to building such moral constraint that could, in turn, reduce law’s exploitation. The main question that must be raised, therefore, is how fit for the purpose of addressing the threat and reality of militarized cyber-attacks is current international law? Answering this question will help understand the adaptability of existing instruments and reveal any legal uncertainties, deficiencies and gaps that governments may seek to exploit in the context of cyber-warfare. Furthermore, the answer should demonstrate that, although cyber-attacks are a new threat, they are not a danger to international law itself: cyber-attacks by their nature do not threaten the existing legal environment nor the basic premises of international law. The main question entails asking a number of subsidiary questions, which facilitate the analysis by dividing the former and outline the scope of the primary enquiry:

1) What threats do cyber-attacks pose in reality? Can they claim human lives and damage states? 2) To what extent do the current legal understandings of territoriality, sovereignty and jurisdiction cover cyber-space? 3) Under which conditions can cyber-strikes be characterized as use of force, armed attacks, acts of aggression or terrorism? How will this influence their place in the existing legal framework? 4) How well do humanitarian norms adapt to cyber-warfare? 5) What has been the role of the United Nations (UN) and other international organizations so far in preventing threats to peace and security in cyber-space? What should be their role in determining suitable responses to this new danger? 6 Chapter 1

As this book reveals exploitable imperfections of international law, the analysis would not be complete without addressing these imperfections themselves. Therefore, a subsidiary question addressed is: how should international law be transformed to minimize the possibility of exploitation? Cyber-attacks are the focus of this book for three reasons:

1) According to available reports, they are becoming more frequent and serious, and have the potential of causing similar effects and damage that a conventional armed attack would cause;10 2) Currently, elements of cyber-warfare and its treatment under international law are not fully explored in academic literature, and there is insufficient comprehensive critique on this subject generally; 3) The emerging interpretive legal framework covering cyber-attacks and acts of cyber-terrorism itself is in its infancy and necessitates examination and critique.

The last two points are fundamental to the focus of the present book. The existing academic literature that is mostly available in the form of articles and conference papers, represents “pieces of a puzzle” that hardly make up a complete picture. As active legal experts learn more about the technical aspects of cyber-warfare, their positions continuously evolve, sometimes leading to contradictions. Various conclusions are rarely viewed together in one context. David Wall noted that in the modern world, “where new technologies shape the social and the social shapes new technologies the lines between science fiction and science fact become more and more blurred”.11 It is no secret that the media is prone to exaggerating different threats in order to maintain the attention of the general population.12 Likewise, cyber-security companies

10 Unlike acts of terrorism, ordinary cyber-strikes are rarely visible to the public. Today, information about cyber-attacks themselves is mostly available from journalistic sources. Very often the latter are used in academic publications and official reports with or without due accreditation. As they constitute the initial sources of information, as such, they are used in the present book (especially in Chapter 3), although due caution is always shown in approaching them. 11 David S. Wall, “Cybercrime and the Culture of Fear” (2008) 11(6) Information, Communication & Society 878. 12 See Bruce Schneier, “Threat of ‘Cyberwar’ has been Hugely Hyped” (CNN, 7 July 2010) accessed 1 August 2015. See generally Jerry Brito, Tate Watkins, “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” (2011) 3(1) Harvard National Security Journal 44. Introduction 7 might be interested in preserving the feeling of danger over cyber-attacks, inter alia, for financial gain. However, academics also fall into the trap of being carried away with their risk-assessment, revealing a lack of full understanding of the technological issues that they analyze. To name a few questionable examples, Katharina Ziolkowski talks about future “micro-mechanical organisms [spreading] via the Internet”.13 Heather Dinniss mentions malware that could explode and melt monitors.14 Michael Schmitt confessed at a number of conferences that, until recently, he thought that a “cloud” (an online program-running service)15 had physical electromagnetic substance. Estonia, apparently, had cut the Internet to the rest of the world during the 2007 attacks,16 and was saved by the “heroic efforts” of its specialists.17 David Turns describes potential effects of cyber-strikes as “stuff of nightmares”.18 Maura Conway calls Stuxnet a botnet, while it obviously is not.19 Considering these examples, the present work views not only legal observations, but also technological descriptions critically, aiming to provide an objective and realistic picture of cyber-warfare capabilities. A significant number of important books and studies have tackled cyber- warfare.20 However, like those before them, they give little attention to certain important legal matters (for instance, socio-economic use of force, cyber- terrorism and peacekeeping in the virtual realm). This allows the present book

13 Katharina Ziolkowski, “Computer Network Operations and the Law of Armed Conflict” (2010) 49(1–2) Military Law and the Law of War Review 79. 14 Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 259. One can also contest the idea that a computerized system and malware can represent a “booby trap”—a device clearly meant to be physical in nature—see ibid., 258; Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R44. 15 See Mark Johnson, Cyber Crime, Security and Digital Intelligence (Gower 2013) 99–102. 16 Mario Golling, Björn Stelte, “Requirements for a Future EWS—Cyber Defence in Internet of the Future” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 138. See also Preface to the present book. 17 Sheng Li, “When Does Internet Denial Trigger the Right of Armed Self-Defense?” (2013) 38(1) Yale JIL 201. 18 Turns (n. 7) 213. 19 See Maura Conway, “Against Cyberterrorism: Why Cyber-Based Terrorist Attacks are Unlikely to Occur” (2011) 54(2) Communications of the Association for Computing Machinery 26. Stuxnet is further discussed in sub-chapter 3.3.1. 20 Recent examples include the Tallinn Manual (n. 14); Dinniss (n. 14); Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014); Jeffrey Carr, Inside Cyber Warfare: Mapping the Underworld (2nd edn, O’Reilly Media 2011). 8 Chapter 1 to fill existing gaps in literature and contribute to the academic knowledge in the field of international law. In 2013, an important publication was released, which is currently the primary source and point of reference for contemporary experts specializing in the topic of cyber-warfare. This publication, formally known as the Tallinn Manual on the International Law Applicable to Cyber Warfare (hereinafter referred to in this book as the Tallinn Manual) represents a product of a joint three-year work by 46 credited scholars (42 of whom have legal background), led by Michael Schmitt. Despite its name, this product features substantive academic commentaries, which to date represent the most comprehensive interpretative framework on international law pertaining to cyber-warfare. Notably, opinions of the manual’s authors were sometimes split on important issues, highlighting and “radicalizing” existing legal uncertainties.21 As such, the manual cannot be ignored and is addressed in the present book.22 The Tallinn Manual is formally divorced from the North Atlantic Treaty Organization (NATO) and nation states’ doctrines.23 However, can it become an effective legal source of international law in the future? At least three factors indicate that it examines legal issues from a predominantly pro-Western position and, as such, it may be flawed, should be approached with caution and, when relevant, critiqued.

21 Oliver Kesser, Wouter Werner, “Expertise, Uncertainty, and International Law: A Study of the Tallinn Manual on Cyberwarfare” (2013) 26(4) Leiden JIL 795, 806, 810. Note that the opinions in the Tallinn Manual are often divided into a clear “majority” and a “minority”. When no vast majority was present during the creation of the manual, the expression “some authors” was used instead. 22 The present book uses a special system of referencing the Tallinn Manual. ChXCY refers to Comment Y in Chapter X of the publication. SX stands for Section X. RXCY refers to Comment Y in Rule X. RX indicates that Rule X should be seen generally. 23 Tallinn Manual (n. 14) 31. Note that this is also the case for Tallinn 2.0—a follow-up project, which concentrates on “peacetime international law”—see comment-reply of Liis Vihul in Liis Vihul, “The Tallinn Manual on the International Law Applicable to Cyber Warfare” (EJIL: Talk!, 15 April 2013) accessed 1 August 2015. Fleck (n. 9) 334–335, 348, 350–351 seems to ignore the connection between the upcoming Tallinn 2.0 and the Tallinn Manual in his criticism of the latter, although he does mention a “book” on peacetime issues being written by Michael Schmitt. Introduction 9

Firstly, the pro-Western position can be deduced from the specific approach that the publication takes, as highlighted later in this book (for instance, the Tallinn Manual fails to deliver an analysis of the potential sovereignty over cyber-space). Secondly, significant reliance is placed on military manuals of NATO states to, inter alia, prove the existence of customary norms. Thirdly, little creativity is shown when it comes to lex ferenda. Instead, the manual seems to fortify the position of those Western governments that wish to preserve the existing international law (and, by extension, its exploitable imperfections). Although it extensively examines the same jus ad bellum and jus in bello fields as this book, the late arrival of the Tallinn Manual resulted in the present work having an independent approach that runs parallel and challenges, rather than just builds upon the publication. Effectively, this turns the present book into a critique of the manual: the author strives to evaluate the conclusions of the Tallinn Manual and, where their validity is challenged, to provide meaningful intellectual alternatives. Finally, a few scholars have so far only scratched the surface of the main problem discussed in this work.24 Its value, therefore, lies in the fact that it provides a legal study that considers in-depth existing exploitable imperfections of jus ad bellum and jus in bello in regulating cyber-attacks. Having outlined the objectives and research priorities, the chapter structure of this work is set out below.

1.3 Structure of the Book

The current book is composed of nine chapters, structured in a way to facilitate examination of international law and its applicability, as well as to identify imperfections, which governments may be interested in exploiting. Arguments advanced in each chapter build upon the conclusions reached previously.

24 See generally Michael J. Glennon, “The Road Ahead: Gaps, Leaks and Drips” (2013) 89 International Law Studies; Matthew C. Waxman, “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)” (2011) 36(2) Yale JIL; Michael N. Schmitt, “The Law of Cyber Warfare: Quo Vadis?” (2014) 25 Stanford Law and Policy Review 4 accessed 1 August 2015. 10 Chapter 1

The first chapter is the present Introduction. Chapter 2 provides insights into a theoretical perspective adopted in this book, addressing the nature of international law and the notion of its imperfections. While this chapter highlights general legal theories that could be applicable, it argues in favor of a distinctive theoretical framework. Chapter 3 provides a realistic evaluation of the technical capabilities of cyber-attacks in order to demonstrate that the topic is serious enough to warrant a meaningful response in international law. As a secondary goal, the technical analysis is meant to set a base for arguing that the cyber-threat does not represent an insurmountable challenge to jus ad bellum and jus in bello, does not require a legal revolution and can be met with ordinary proactive reforms, which, at the moment, are not forthcoming. Chapter 4 provides a conceptual framework on cyber-space itself, as a primary realm that makes cyber-warfare possible. Using the lens of the principles of territoriality, sovereignty and jurisdiction, it begins to explore relevant international norms for imperfections that may exist. Chapter 5 continues this quest specifically in the sub-discipline of jus ad bellum. While acknowledging that the jus ad bellum framework is sufficient to address cyber-attacks generally rising to the level of the use of force and beyond, it highlights a number of exploitable deficiencies, gaps and uncertainties. Chapter 6 performs a similar task in relation to jus in bello. It identifies those imperfections of international humanitarian law that governments may be interested in. Chapter 7 deals with cyber-terrorism as a special case of cyber-attack both in jus ad bellum and jus in bello contexts. Building upon the previous two chapters, it concentrates on the terrorism-related inadequacies of international law that can be exploited. Chapter 8 provides a broader picture by focusing the attention on deficiencies, uncertainties and gaps pertaining to tackling the cyber-threat through the existing methods and instruments of collective security: primarily, by the UN and, secondarily, NATO. While critical of their input to the overall problem of exploitability of international law’s imperfections (due to flawed design, pas- siveness, non-use of resources, lack of coordination, impartiality and political exploitation), this chapter also views these organizations as important tools in the potential solution to this issue. Chapter 9 concludes the book and assesses the arguments made throughout the chapters jointly. It further outlines the necessary standards and sets out the principles upon which a plan of action may be constructed to most efficiently and effectively reduce exploitation of international law’s imperfections, promote abuse-free, peaceful and stable environment in cyber-space and, if necessary, set an example for action in respect of other future weapons. Introduction 11

1.4 Choice of Terminology

What is the meaning of “cyber-attack” and “cyber-space” and why are they preferred in the current work? Although these and other terms are briefly explained in the Glossary, for the sake of consistency and clarity throughout this book, these questions are answered at length below.

1.4.1 Cyber-Attack Different sources use miscellaneous terms to describe the threat central to this book. These terms are formed by combining words such as “information”, “Internet”, “hacking”, “computer”, “network”, or “cyber”, with “attack”, “strike”, “operation”, “war”, “warfare”, or “terrorism” and so on. Despite the fact that the resulting expressions are often used to designate the same acts, some terms are not fit to accurately define the menace. For example, “information warfare”, preferred by the SCO, is a much wider concept entailing psychological operations, mind control, propaganda, as well as voice and video manipulation. Concentrating on the “Internet” is unjustified due to the ongoing misuse of other, non-Internet-based networks. At the same time, tying the malicious threat to “hacking” is unethical among information technology (IT) experts (the word “cracking” should be, and is used instead throughout this book).25 “Computer network attack” is better. However, since nowadays strikes can target or be carried out from mobile phones and other “smart” devices, emphasis on the word “computer” seems inaccurate. One might argue that “computer” is actually a device that processes data and, as such, it already includes smartphones and similar portable systems.26 However, “computer” is still largely associated with laptops, notebooks and personal computers (PCs), and the use of that word may be confusing. “Network attack” alone, on the other hand, lacks specificity.

25 “Hacking” in the true meaning of the term does not involve breaking into computerized systems to perform malicious action, but rather refers to an extraordinary style of programming. 26 See Convention on Cybercrime (adopted 8 November 2001, entered into force 1 July 2004) 185 CETS (Cybercrime Convention) Art 1(a): “‘computer system’ means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data”. See also Tallinn Manual (n. 14) 258: “Computer: A device that processes data”. 12 Chapter 1

Ziolkowski believes that, in light of the terms employed in the UN Charter, the word “attack” is frequently used without necessary diligence.27 Is this argument valid and powerful enough to overrule its use? At least three factors indicate that it should not be. Firstly, one cannot automatically associ- ate the word “attack” with terms employed in jus ad bellum and jus in bello, as it has a rich history of describing attempts at violence, regardless of their scale.28 Secondly, academics already use this word to designate “methodology for action [. . .] rather than [. . .] the scale of the action’s effect”.29 Thirdly, it is actively used by IT experts to refer to minor operations in cyber-space (for example, “brute force attack” or “distributed denial of service (DDoS) attack”).30 The most appropriate term, therefore, is “cyber-attack”, which will be given preference in this book. In contrast to the possible alternatives used by academics, it is, short, clear, reasonably comprehensive and well-established.31 For instance, according to the NATO glossary, it incorporates the computer network attack as one of its types.32 Consequently, to avoid confusion, “cyber-attacks” (as a working definition) will refer, throughout this book, to unauthorized acts that are meant to alter, delete, disrupt, damage or suppress data within targeted cyber-systems or networks.33 Where required to avoid repetition, “cyber-attack” will be used inter- changeably with “cyber-strike”. The expressions such as “cyber-warfare” and “cyber-terrorism” are employed within their more specialized contexts. At this point, it is also imperative to explain the meaning of the term “cyber-space”.

27 Katharina Ziolkowski, “Ius Ad Bellum in Cyberspace—Some Thoughts on the ‘Schmitt- Criteria’ for Use of Force” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 296. 28 Notably, international lawyers do not object to the use of the word “piracy” in the cyber- context, nor should it be the case with “attack”. 29 Owens and others (n. 7) 11. 30 “DDoS attack” is a term of art, which will be fully explored in Chapter 3. 31 Consider, for instance, the relatively recent term “cyber operation”, increasingly popular- ized by the Tallinn Manual (n. 14) 7, or the early, yet somewhat inaccurate term “cyberwar”—see John Arquilla, David Ronfeldt, “Cyberwar is Coming!” (1993) 12(2) Comparative Strategy 141. 32 NATO Standardization Agency, “NATO Glossary of Terms and Definitions” (AAP-6, NATO 2010) 2-C-12. 33 I.e. acts that the CoE Convention on Cybercrime defines as “data interference” and “system interference”—see Cybercrime Convention (n. 26) Arts 4–5. Introduction 13

1.4.2 Cyber-Space Nowadays, “cyber-space” is characterized as the “fifth domain of war” by some academics, states, as well as the NATO alliance.34 Building upon this foundation, the term is defined here as the virtual realm created by the use of information technology.35 Currently, the Internet occupies the biggest part of cyber-space. Evolving from an idea of a “Galactic Network” that was meant to connect computers and allow users to exchange data and ideas, it became a “network of networks” (or a “network of people”)36 that delivers information in dividable packets travel- ling through different nodes “that result in the fastest communication”.37 TCP (Transmission Control Protocol) and IP (Internet Protocol) “allow the networks and the computers attached to them to [. . .] find other computers attached to the Internet”.38 That makes information exist in a practically constant state of availability, even when network resources are limited.39 Aside from the Internet, “cyber-space” (as a working definition in this book) is also deemed to include a virtual universe created by isolated, non-Internet

34 For instance, see Christy Marx, Battlefield Command Systems of the Future (Rosen Publishing 2006) 14; Jeffrey L. Caton, “Beyond Domains, Beyond Commons: Context and Theory of Conflict in Cyberspace” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 158. 35 For similar definitions, see Clarke, Knake (n. 6) 70; Daniel T. Kuehl, “From Cyberspace to Cyberpower: Defining the Problem” in Franklin D. Kramer, Stuart Starr, Larry K. Wentz (eds.), Cyberpower and National Security (Potomac Books 2009) 28; Stephen K. Gourley, “Cyber Sovereignty” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 278. 36 Robert Koch, Björn Stelte, Mario Golling, “Attack Trends in Present Computer Networks” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 278. 37 Kai Burmeister, “Jurisdiction, Choice of Law, Copyright, and the Internet: Protection Against Framing in an International Setting” (1999) 9(2) Fordham Intellectual Property, Media & Entertainment Law Journal 629; Matthew Burnstein, “A Global Network in a Compartmentalised Legal Environment” in Katharina Boele-Woelki, Catherine Kessedjian (eds.), Internet. Which Court Decides? Which Law Applies? (Kluwer Law International 1998) 23; Jonathan A. Ophardt, “Cyber Warfare and the Crime of Aggression: the Need for Individual Accountability on Tomorrow’s Battlefield” (2010) 9(1) Duke Law & Technology Review 11; Uta Kohl, “Eggs, Jurisdiction, and the Internet” (2002) 51(3) ICLQ 569. 38 Graham J. Smith, Internet Law and Regulation (Sweet & Maxwell 2007) 1. Notably, by 2014, more than 90% of the Internet traffic still used the IP version 4 (IPv4) as opposed to the more secure IPv6. 39 Jack L. Goldsmith, Tim Wu, Who Controls the Internet?: Illusions of a Borderless World (OUP 2006) 3. 14 Chapter 1 based networks and interconnected hardware components of all computerized systems.40 This has relevance in light of the fact that some malware is deliberately programmed to avoid the Internet and relies on other ways of distribution (for example, USB devices).

1.5 Conclusion

This introductory chapter has established the basic groundwork for the present book, identifying its structure, terminology and objectives. It is clearly indicated that the book questions how fit existing international law is for the purpose of addressing cyber-attacks and argues that it features a substantial amount of significant deficiencies, gaps and uncertainties that can be exploited. Here, for the sake of clarity and coherence of the debate, a deeper look into conceptual approach is required. For this reason, the next chapter will introduce, explain and justify the theoretical approaches adopted in this book.

40 In fact, cyber-space, in the broader sense, existed as early as 1970 (when the first Pulsar LED electronic watch was created) or even 1961 (within the first electronic desktop calcu- lator ANITA). Chapter 2 Theoretical Framework

2.1 Introduction

Having introduced the book in the previous chapter, it is imperative to outline the theoretical framework that is employed here. The present chapter identifies the applied conceptual approaches and clearly indicates the theoretical vantage point assumed in this book in relation to international law and its imperfections that can be exploited in the context of cyber-attacks. It consists of two parts. The first part examines the essence of international law (with particular emphasis on jus ad bellum and jus in bello). Furthermore, it highlights sources relevant to the analysis and justifies concentration on government-run states as the primary actors in the international arena. The second part addresses the political component of international law, exploring theories influenced by the discipline of international relations. This is done as part of the search for the most suitable mode of intellectual interpretation required for tackling the main problem identified in the Introduction.

2.2 Legal Framework

What is the nature of international law and its imperfections? Which sources should be consulted? Who are the main actors? The scope of inquiry and the stated arguments necessitate answering these questions before proceeding to examination of the technical aspects of cyber- attacks and more substantive matters related to international law in the subsequent chapters of this book.

2.2.1 Nature of International Law Generally, international law is a set of common norms regulating state relations, their mutual conduct and treatment of individuals under their control.1

1 Anthony Aust, Handbook of International Law (2nd edn., CUP 2010) 4. For discussion of norms’ universality, see Emmanuelle Jouannet, “Universalism and Imperialism: The True-False Paradox of International Law?” (2007) 18(3) EJIL 381; Hans Kelsen, Principles of International Law (The Lawbook Exchange 1952) 3.

These legal norms are traditionally developed by states themselves, who are guided in this process by the political interests of their governments and by their desire to facilitate relations with other international actors or, in some cases, to establish control over them.2 That being said, international law has evolved from a product meant to simply promote the cooperation between nations into a mechanism that also regulates the behavior of states and international organizations themselves (including those that create the norms).3 This development is reflected in the early history of the debate regarding the nature of international law. Two classic theories dominated international legal thinking before the 20th century: natural law and positivism. Both are, to a limited extent, addressed in the present book, although neither plays a dominant conceptual role. They are rather balanced against each other as reflections of factors, which influence the reality of what is international law today. Natural law is an early European idea of universal, divine norms, shared by humans on a subconscious level, provided by God or nature. This theory is grounded in morality, which stems or at least ought to stem from human nature, and its focus lies on moral obligations in adopting legal norms and in complying with them.4 The positivist model rejects natural law. For instance, Hans Kelsen criticized natural law for its (unreasonable) belief “that it is possible to obtain from our insight in nature, that is, from our knowledge of facts, a knowledge of what is right and wrong”.5 As an alternative, positivists argue that binding norms are, in effect, nothing more than expression of states’ will. Positivism motivates the present book to use a normative set of primary international law sources (addressed in the following sub-chapter).6 On the other hand, only relying upon classical positivism is not prudent, especially in light of the wars of the last century, which took the axiom of “dura lex sed lex” to unacceptable heights, and proved its unsustainability. A partial return to natural law from positivism in the 20th century resulted in the emergence of concepts (sometimes driven by individuals or non-

2 Martin Dixon, Textbook on International Law (7th edn., OUP 2013) 13. 3 Ibid. 4 Brian Bix, “On the Dividing Line Between Natural Law Theory and Legal Positivism” (2000) 75(5) Notre Dame Law Review 1615. 5 Kelsen (n. 1) 310. 6 See generally Samantha Besson, “Theorizing the Sources of International Law” in Samantha Besson, John Tasioulas (eds.), The Philosophy of International Law (OUP 2010) 185. Theoretical Framework 17 governmental organizations)7 that influence the behavior of sovereign states. Cumulatively, these concepts are called obligations erga omnes (owed to all states) and non-derogable jus cogens.8 Among them, one can list: 1) the principle of legality, which prohibits punishments for previous non-criminalized behavior, 2) the Martens Clause, which subjects all new weapons and methods of warfare to “laws of humanity” and “public conscience”, as well as 3) the idea of “just war”, which is reflected in the UN Charter. Using jus cogens as a base, today, one can distinguish between international law’s subjective and objective elements. Subjective ones are those created and influenced by states together, those that reflect a balance of power between nations. Objective elements represent universal obligations (erga omnes) that states impose upon themselves as a sign of moral maturity, civility of a nation. Although some overlap between them exists, one should admit that subjective and objective elements evolve separately, as the former belongs to the sphere of influence of positivism and the latter—natural law.

2.2.2 Sources of International Law Discussion of the nature of international law inevitably leads to the inquiry regarding its sources, particularly in the context of the purposes set in the present book. A good starting point for determining the sources of international law is the widely accepted list in Article 38(1) of the International Court of Justice (ICJ) Statute, which mentions international conventions, international custom, general principles of law, “judicial decisions and the teachings of the most highly qualified publicists”.9 The first three categories are considered primary (equal in their importance), whereas case-law and academic teachings are regarded as auxiliary sources of international law.

7 See generally ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC Finalized by Martti Koskenniemi (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 158. 8 See Vienna Convention on the Law of Treaties (adopted 23 May 1969, entered into force 27 January 1980) 1155 UNTS 331, Art. 53: “[jus cogens] is a norm accepted and recognized by the international community of States as a whole as a norm from which no derogation is permitted and which can be modified only by a subsequent norm of general international law having the same character”. See also Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep, para. 83. 9 Statute of the International Court of Justice (adopted 26 June 1945, entered into force 24 October 1945) Art. 38(1). 18 Chapter 2

All five categories are relied upon in this book, which adopts the logic of the ICJ in matters relating to international law’s sources and their importance. Thus, these categories deserve more attention here.

2.2.2.1 International Conventions The Permanent Court of International Justice held in the Lotus case that “[t]he rules of law binding upon States [. . .] emanate from their own free will as expressed in conventions or by usages generally accepted as expressing principles of law”.10 Lex scripta, which comprises international conventions, treaties and codified rules, indisputably represents the most obvious source of legal norms. After all, it is the possibility to enter into contracts and to subject themselves to the pacta sunt servanda principle that makes states the primary subjects of international law.11 For this reason, international conventions are the legal source most favored by positivists, although interpretations of the written norms can still be pursued with natural law in mind. Today, very few conventions directly deal with what goes on in cyber-space and none of them deal with cyber-warfare. As implied in the Introduction, this may result from the fact that certain governments deliberately prevent legal developments in this field. Nevertheless, lack of conventions on cyber-warfare does not necessarily mean that other treaties or written norms are not relevant. In fact, they are; as will be shown in the subsequent chapters, documents such as the UN Charter, the Geneva and Hague Conventions preserve their utmost importance.

2.2.2.2 Customary Law Nowadays, customs are recognized as an important source of international law since states voluntarily acknowledge obligations binding upon them (to the satisfaction of legal positivists), inter alia, by their conduct.12 When such acknowledgement, called opinio juris, accompanies uniform state practice itself, it becomes part of the existing law (lex lata). Opinio juris can stem from silent acceptance of others’ behavior, whereas state practice can be deduced from “governmental actions, [. . .] legislation,

10 SS “Lotus” (France v Turkey) [1927] PCIJ Rep Series A No 10, 18. 11 Samantha Besson, “Sovereignty, International Law and Democracy” (2011) 22(2) EJIL 378– 379. See also John O’Brien, International Law (Routledge-Cavendish 2001) 47. 12 See Roozbeh B. Baker, “Customary International Law in the 21st Century: Old Challenges and New Debates” (2010) 21(1) EJIL 176. Theoretical Framework 19 diplomatic notes, [. . .] official statements, government manuals”, as well as other displays of adherence to unwritten legal norms.13 Here, it should be mentioned that due attention in this work is dedicated to the United Nations resolutions and other so-called soft law documents (including declarations, recommendations, guidelines, codes of conduct and so on), as undeniable factors influencing and reflecting the formation of customary law.14 Customary norms can be codified in the form of conventions, while conventions can give rise to customary obligations.15 Nevertheless, unlike specific norms arising out of treaties that states adopt, identifying binding customs is problematic per se due to, inter alia, persistent objections (freeing states from being bound by those norms that the state objects against), the difficulty of abandoning the accepted and outdated customs, as well as frequent violations.16 The present book acknowledges that the existing customary law applies indirectly in the context of cyber-warfare: customs developed for another purpose have not yet been purposefully tested in the new environment of cyber- space. Identifying applicable norms is complicated in light of cyber-attacks, which are still yet to see consistent state practice or opinio juris (or even conscious expression of opinio necessitatis, for that matter)17 and which are sometimes concealed by the involved governments themselves or by the relevant corporations, which do not desire disclosure of their software or hardware vulnerabilities.18

2.2.2.3 General Principles of Law One may argue that general principles of law are positivist in nature, as they were largely borrowed from domestic legal systems: as such, they have under- gone a process of “objectivization”, either through previous court practice or

13 Aust (n. 1) 6. 14 See generally O’Brien (n. 11) 98–99; Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v USA) (Merits) [1986] ICJ Rep, para. 188. 15 Aust (n. 1) 7. 16 See Joel P. Trachtman, “Persistent Objectors, Cooperation, and the Utility of Customary International Law” (2010) 21(1) Duke Journal of Comparative & International Law 232; Rosalyn Higgins, Problems & Process: International Law and How We Use It (OUP 1994) 20. See generally David J. Bederman, “Acquiescence, Objection and the Death of Customary International Law” (2010) 21(1) Duke Journal of Comparative & International Law 44–45. 17 See generally Tarcisio Gazzini, “The Rules on the Use of Force at the Beginning of the XXI Century” (2006) 11(3) Journal of Conflict & Security Law 320–321. 18 See generally Michael J. Glennon, “The Road Ahead: Gaps, Leaks and Drips” (2013) 89 International Law Studies 380. 20 Chapter 2 codification.19 Nevertheless, Article 38 of the ICJ Statute specifically refers to this source as “the general principles of law recognized by civilized nations”, a phrase emerging as a result of political compromise between positivists and natural law supporters.20 General principles were not always seen by all as a distinctive source of international law. Particularly, Soviet academics viewed them rather as a “specific legal phenomena”.21 Nevertheless, today, they are widely recognized and there is nothing to indicate why this book should not pay attention to principles relevant in warfare generally (for instance, the principle of self-preservation).22

2.2.2.4 Judicial Decisions and Scholarly Opinions As in the case of conventions, international judicial decisions do not yet tackle cyber-warfare, although domestic courts increasingly concern themselves with cyber-attacks and what could, arguably, be defined as cyber-terrorism. The present book pays significant attention to jurisprudence of international courts, tribunals, and, where applicable, domestic decisions of international importance, because case-law (including advisory opinions) plays an important role in interpreting conventions, identifying the existence of customary norms and relevant legal principles. When it comes to the existing academic literature, the latter also makes noteworthy proposals as to the regulation of cyber-attacks. Yet, in a technologically and politically diverse world, these proposals have to be taken critically. Thus, assessment of potential candidates for the status of “most highly qualified publicists” must remain realistic, and the reality today is that no author has been officially recognized as a publicist of such level. Ian Scobbie suggests that the most probable candidate for this role is Michael Schmitt, whose “views on computer network attacks and information warfare [. . .] inform, if not structure, the current legal appreciation of these issues”.23 Indeed, it is hard to dispute that. Today, Schmitt is quoted more often than other academics in this field. Moreover, he has made a notable

19 Vladimir D. Degan, Sources of International Law (Martinus Nijhoff 1997) 137. 20 Gennadii M. Danilenko, Law-Making in the International Community (Martinus Nijhoff 1993) 173–174. 21 Godefridus J. Hoof, Rethinking the Sources of International Law (Kluwer Law 1983) 132. 22 See Bin Cheng, General Principles of Law as Applied by International Courts and Tribunals (CUP 2006) 29. 23 Ian Scobbie, “Some Common Heresies About International Law” in Malcolm D. Evans (ed.), International Law (OUP 2003) 64. Theoretical Framework 21 contribution to scholarship that concerns interpretation of international law in light of cyber-attacks. That being said, Schmitt’s ideas fall very neatly into one of the preexisting academic groups (pro-Western), defined by the political interests of different international organizations and their members. In this book, it will be shown that the Shanghai Cooperation Organization’s (SCO) position (Eastern) on information security is challenging that of North Atlantic Treaty Organization (Western) in questions regarding the essence of cyber-space, potential claims of sovereignty therein and even the extent to which cyber-warfare should be regulated. Another relevant “clash” involves the Western position coming into conflict with that of the Organization of Islamic Cooperation (Islamic) in matters of terrorism regulation, particularly when it comes to immunity of state forces and armed resistance to occupation. These two questions are the cornerstone of the lengthy and somewhat fruitless negotiations of the Comprehensive Convention on International Terrorism in the United Nations General Assembly. Like Schmitt, most contemporary authors who openly write about cyber- warfare (and who are mentioned in this book) belong to the Western group, not by nationality, but by the virtue of their writings. This is also the case with the so-called independent International Group of Experts that authored the Tallinn Manual (introduced in the previous chapter) under NATO patronage. This obvious division of scholarship into the Western, Eastern, and Islamic, for whatever reason it may be, makes it hard to identify the authors who satisfy the neutrality criteria necessary for their works to become a legal source (if only subsidiary). On the other hand, it should be added here that case-law and opinions of distinguished academics are considered subsidiary to the main sources of international law for an obvious reason: states do not directly participate in their creation (although they can influence their adoption by suggesting various interpretations of the primary sources). This fact not only reflects the positivist position, but also the (partially) surviving tradition of law-making being a prerogative of states. Indeed, it is important to highlight that only the main sources of international law can provide a guaranteed common denominator for state action in cyber-space. Auxiliary sources, while certainly helpful (from an academic point of view) in suggesting what the right interpretation might be, should not be exclusively relied upon. Even the Tallinn Manual is only a set of private opinions on how some of the legal issues pertaining to cyber-warfare could be resolved. This does not mean that the international community will accept these interpretations. In fact, due to its pro-Western nature (as mentioned above), some elements of the Manual will almost certainly be rejected by 22 Chapter 2 members of the SCO and, possibly, other states. This is openly admitted by one of the Tallinn Manual’s main authors and editors, Wolf von Heinegg, who also adds that the publication “does not meet the requirements of Article 38 (1) (d)” of the International Court of Justice Statute.24 Similarly, the case-law of the ICJ, an organ meant to clarify and develop international law, is not always respected.25 While it would be helpful if the Court gave an advisory opinion on applicability of jus ad bellum and jus in bello to cyber-attacks, such non-binding opinions can be generally disregarded by states or international organizations.26 Notably, the ICJ’s competence and decisions even in contentious cases (with pre-recognized jurisdiction) are sometimes rejected.27

2.2.3 Fragmentation of International Law Absent a clear set of legal sources that would apply to cyber-attacks, some reductionism of international law (that is splitting it into lesser constituents for the purpose of analysis) is not only healthy, but also remains crucial in identifying its uncertainties, gaps and deficiencies, which is the purpose of this book. In doing this, should one consider international law’s sub-regimes (particularly, jus ad bellum and jus in bello) as fragmented? A Study Group of the International Law Commission (ILC Study Group), led by Martti Koskenniemi and others, addressed the issue of “splitting up of the law into highly specialized ‘boxes’ that claim relative autonomy from each other and from the general law”.28 Acknowledging the “differing pursuits and preferences of actors in a pluralistic (global) society” and the fact that primary international law sources (sometimes spontaneously) result from com- promises reflecting “conflicting motives and objectives”, the ILC Study Group argued that normative hierarchies should be determined on an ad hoc basis

24 Wolf H. von Heinegg, “The Tallinn Manual and International Cyber Security Law” (2012) 15 Yearbook of International Humanitarian Law 11–12. 25 See generally James A. Green, The International Court of Justice and Self-Defence in International Law (Hart Publishing 2009) 172. 26 See generally Mahasen M. Aljaghoub, The Advisory Function of the International Court of Justice (1946–2005) (Springer 2005) 225. 27 See Constanze Schulte, Compliance with Decisions of the International Court of Justice (OUP 2004) 404. 28 ILC Study Group, Koskenniemi, “Fragmentation” (n. 7) paras. 13, 482–483; ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702, para. 8. Theoretical Framework 23 with a particular problem in mind.29 Furthermore, while noting the inherently different priorities in varying sub-regimes, the ILC Study Group rejected the notion of self-contained branches of international law per se.30 Some international judges previously argued that the legality of the use of force has little meaning for the application of humanitarian law.31 However, one cannot easily deny a close link between jus ad bellum and jus in bello, particularly when an “armed attack” could serve as the beginning of an international armed conflict. Furthermore, the two regimes mentioned above are not isolated from other legal branches. For example, terrorism is increasingly seen as an act of war. International criminal law prohibits the crime of aggression that requires a use of force, as well as war crimes committable only in the context of an armed conflict. Thus, at least when discussing warfare, one has to agree with the ILC Study Group’s approach. Separate analysis of international law’s branches in this book should not be seen as accepting the position that sub-regimes of international law are self-contained.32

2.2.4 Legal Imperfections One scholar correctly observed that, while international law is not a perfect system, neither are any domestic law systems.33 Thus, to criticize the existing legal regime simply due to the fact that it has imperfections would be unreasonable. On the other hand, international law can be criticized for generally failing to live up to its purpose. This determines the theoretical bearing of the present work, which seeks to prove not simply that international law is imperfect, but that there are a substantial number of significant imperfections. The major bulk of legal norms related to jus ad bellum and jus in bello (that lie in the focus of the present book) were developed in the 20th century with a particular mission in mind: as a regulatory regime, international law was meant to represent a sufficiently clear framework that ensures a stable, safe

29 ILC Study Group, “Fragmentation” (n. 28) para. 10; ILC Study Group, Koskenniemi, “Fragmentation” (n. 7) paras. 16, 34, 484–486. 30 ILC Study Group, Koskenniemi, “Fragmentation” (n. 7) paras. 192–193, 488, 492. 31 Wilhelm List and Others (The Hostages Trial) (Judgment) [1949] Nuremberg US Military Tribunal 59; Separate Opinion of Judge Kooijmans in Armed Activities on the Territory of the Congo (DRC v Uganda) (Judgment) [2005] ICJ Rep, para. 58. 32 See generally Von Heinegg (n. 24) 13, who argues that “‘international cyber security law’ [. . .] encompasses rules and principles derived from multiple branches of international law”. 33 Dixon (n. 2) 2. 24 Chapter 2 and just environment in the international arena, which, for that purpose, mini- mizes room for exploitation and misinterpretation. Where international law fails to meet this objective due to inadequate regulation, it is imperfect. Therefore, in the present book, the word “imperfections” is used as a collective term to denote uncertainties, deficiencies and gaps of the legal regimes under consideration (primarily, jus ad bellum and jus in bello). “Uncertainty” signifies existence of a vague norm, which lacks clarity and which, for that reason, can be understood differently by different actors. “Deficiency” refers to a norm which can be reasonably believed to have become inadequate for the purpose for which it was created. In case a norm does not exist, but there is a reasonable expectation for it to be present (to regulate a particular situation or scenario), a “gap” in law exists. One may argue that the vagueness of international law allows it to better acclimatize to the ever-changing backgrounds in which it is used. Yet, it would be an incorrect assumption. Vagueness and imperfections interfere with the very purpose of international law described above. In reality, it is the general, natural-law-inspired, all-encompassing approaches that were deliberately used in creating some norms, and which allow for a successful adaptation to social, economic and technological changes (unless this process is manually suspended for political reasons). The Martens Clause is the most obvious example here, as it ensures that international humanitarian law applies to all technology and tactics not yet subjected to lex specialis. So, why do legal imperfections emerge? As implied in the preceding chapter, they are a result of previous manipulation and negligence.34 Since solid international law can only be developed by states that are driven by the politics of their governments, the latter can choose which norms to make or leave imperfect. On the other hand, as long as the general system of law works to the satisfaction of states and governments concerned, there is little incentive for them to improve it, especially if reforms threaten to cause “diminution of state power”.35 Finally, an assumption can be made that preexisting uncertainties, deficiencies and gaps can be deliberately and continuously maintained by state governments, which contribute to the stagnation of international law in the field of cyber-warfare. Nevertheless, the research focus here clearly lies on the legal imperfections themselves and, although the present book considers the prospect of “egoistic” governments exploiting these imperfections, political, psychological and social motivations for such behavior are not explored deeply.

34 See sub-chapter 1.2. 35 Dixon (n. 2) 14. Theoretical Framework 25

2.2.5 Main Actors In the context of legal theory, one is inevitably faced with a question of whether the pre-existing state-centric system remains intact. It is addressed here next, followed by the discussion of the role of international organizations, as well as non-state actors and corporations (as a special category of non-state actors).

2.2.5.1 States This study employs a classic form of legal research, based on the examination of the normative framework and practice of state and non-state actors who have the capability to carry out cyber-attacks and participate in cyber-warfare. Both positivist and naturalist schools have an equally strong claim to sub- regimes of international law, which the present book examines. However, if one takes into account the historical and political perspectives, the importance of which cyber-attacks reanimate, it becomes apparent that the most effective analysis necessitates a theoretical perspective that realistically recognizes the central role of states in warfare, both as the main decision-makers and actors in the international arena. History does provide examples where influence of internal or external populations played a decisive role in the replacement of state leadership. However, vacuum, created as a result of a coup is quickly filled with people that replace this leadership, leaving the external state structure intact. For this reason, although this work clearly indicates that only governments at a given moment (and not the states themselves) can have the human desire to exploit legal imperfections, Philip Allott’s argument that international law is humanity’s self-constituency, meant to serve common goals of all peoples, should be rejected in favor of that of state centrality, advanced by Emer de Vattel.36 The latter author, in his attempt to combine naturalism with positivism, correctly argues that natural law is followed by nations to the extent demanded by their conscience, unless states willingly bind themselves by “positive law of nations”.37 While, in this case, concentrating on a state (as run by governments) is justified by the scope of the present book, it does not go as far as to claim that arguments about human centrality may not hold power outside discussions of warfare. On the contrary, it should be obvious that international law features

36 See generally Philip Allott, The Health of Nations: Society and Law Beyond the State (CUP 2002) 297. 37 Emer de Vattel, The Law of Nations, or, Principles of the Law of Nature, Applied to the Conduct and Affairs of Nations and Sovereigns: A Work Tending to Display the True Interest of Powers (Thomas M. Pomroy 1805) 53–54; 56–57. 26 Chapter 2 regimes that are entirely focused on the person as the main addressee. After all, is that not the mission of “human rights”? The same can be said, for instance, about Thomas Franck’s criteria of “legitimacy”38 and “fairness”,39 which predict whether states will follow a particular legal norm or not. In the context of cyber-warfare, “fair” is what governments subjectively determine to be “fair” for themselves, for their state and for the world community as a whole, although these concepts may be more objective when applied in other legal regimes.

2.2.5.2 International Organizations As of the 20th century, states belong to and operate in global bodies like the UN and organizations of a more limited scope, such as NATO, SCO or the European Union. What are their roles from a theoretical perspective? First of all, since states (as run by governments) are the main decision- makers in the field of international law, they require forums where they can discuss different proposals and compromise. Thus, international organizations (a product of international law themselves)40 provide a positivistic platform for creating new laws and interpreting old ones. For example, a major part of conventions are negotiated and adopted in the United Nations. The role of such organizations in eliminating international law’s imperfections, therefore, is invaluable. Secondly, and particularly when it comes to the smaller regional or military organizations, they can be used for joint action and fortification of the political position of those states that desire to take a certain action. Organizations like NATO and the EU are often vocal about violations of the laws of warfare and ensure that a group of states act as one in imposing sanctions, conducting military operations and so on. As mentioned in the preceding chapters, this type of behavior often has a spill-over effect in legal scholarship, where one can distinguish the lines between pro-Western, pro-Eastern, and pro-Islamic positions with regards to international law.41 Thirdly, while international organizations represent communities of states, they sometimes include non-state actors, non-governmental organizations

38 See Thomas M. Franck, The Power of Legitimacy Among Nations (OUP 1990) 25. 39 See Thomas M. Franck, Fairness in International Law and Institutions (OUP 1998) 3–4. 40 See generally Christopher C. Joyner, “Conclusion: The United Nations as International Law-Giver” in Christopher C. Joyner (ed.), The United Nations and International Law (CUP 1997) 435–436. 41 See sub-chapter 2.2.2.4. Theoretical Framework 27 and even individuals as observers, who are meant to represent the world population. In addition, the staff and working groups of organizations include independent experts without any obvious political affiliations. Through these “representatives”, the world community can hope to exert some influence on the decisions made by individual governments, particularly through the development of soft law. As Michael Glennon notes:

[L]egal order is hardly de-void of coercion. The system does not rest upon pure, unfettered consent by all within it; policymakers within States often do things that they don’t want to do and refrain from doing things that they do want to do. Other States, international organizations, non- governmental organizations and influential national elites all exercise various forms of power; all narrow States’ ability to choose freely.42

However, the global community and the world’s peoples are often too weak to challenge the most powerful governments in reality, particularly when it comes to the area of national security (to which cyber-attacks are increasingly assigned). Their impact, therefore, remains limited.

2.2.5.3 Non-State Actors Nowadays, non-state actors launch a significant number of cyber-attacks. In addition to states, the non-state actors are becoming more regulated under international law. This is particularly true when it comes to warfare. For instance, following the 9/11 terrorist attacks, groups like Al-Qaeda are seen as actors capable of launching “armed attacks” within the context of Article 51 of the UN Charter. National liberation movements, as well as organized groups participating in non-international armed conflicts are directly regulated by the Geneva Conventions. Non-state actors, therefore, are recognized as important international actors in this book (albeit, secondary to states as the main actors of international law). It is important to acknowledge the rising role of corporations as relevant non-state actors. These legal entities have long been subjected to cyber-attacks, eventually leading to their heavy investment in IT security.43 This, in turn, has resulted in their having the most advanced cyber-defense (and logically, cyber- offense) capabilities, which exceed those of many states. In other words, the know-how, relative autonomy of operations, significant funding and structured

42 Glennon (n. 18) 374. 43 See Gaurav Jain, “Cyber Terrorism: A Clear and Present Danger to Civilized Society?” (2005) 3(44) Information Systems Education Journal 6. 28 Chapter 2 teams of experts make companies potential perpetrators of cyber-attacks.44 As such, they are already used by some militaries. In theory, in the absence of states’ control, such legal entities can also be guided by the political views of its leadership, or may be interested in destabilizing countries or the world economy for profit. However, corporations often have a legal personality within their host state and many societies pressure them to be more transparent.45 Though this does not preclude prospects of aggressive behavior, this makes them a special category of non-state actors that can be more easily held responsible for various offenses. This means that, aside from the leadership of the corporations and members of the IT teams that may be directly involved in cyber-attacks, companies themselves risk being prosecuted, if the respective legal systems permit it. For these reasons, cyber-attacks launched by companies are likely to be limited and mostly geared towards espionage on competitors. Although future cyber-conflicts may be waged by individual corporations, for the moment they do not merit specialized analysis in this book and shall remain covered by the more general discussions on non-state actors.

2.3 Political Component

Having discussed the essence of international law from a predominantly legal perspective, one should not ignore political factors that exert direct influence on the law’s application. Such factors (especially, the possibility of governments behaving “egoistically”) are crucial considering that legal norms very often emerge as a result of political processes and international law was never meant to be the only thing constraining states’ behavior.46 Definitely, warfare has always been a subject of international relations. Following this logic, political theories on international law become an undi- vidable part of international legal theory itself. The present sub-chapter takes a look at important academic approaches, inspired by international relations, in

44 See Jason Barkham, “Information Warfare and International Law on the Use of Force” (2001) 34(1) NYU Journal of International Law and Politics 105. 45 UN Conference on Trade and Development, “Disclosure of the Impact of Corporations on Society, Current Trends and Issues” (Paper, UN 2004) 4 accessed 1 August 2015. 46 Dixon (n. 2) 3–4. Theoretical Framework 29 pursuit of establishing the most realistic theoretical vantage point, necessary for analysis of international law’s imperfections in the context of cyber-attacks.

2.3.1 “Political” Theories on International Law Grigory Tunkin believed that “[m]ixing international law with policy inevitably leads to a denial of the normative character of international law, that is to say, to a denial of international law, which becomes buried in policy and van- ishes as law”.47 The opposite extreme to Tunkin’s, arguably, “utopian” position is descriptive “non-normative apology” of politics.48 Which view should be preferred in this book? An objective legal approach to cyber-warfare has to reject both extremes and carefully balance between the two to seek a middle ground. While legal norms have to preserve their normative character, one cannot ignore the reality where international law is inseparable from state interests and behavior.49 Neither can one disregard that, while law operates as an “autonomous formal technique”, it is also an “instrument for advancing particular claims and agendas in the context of political struggle”.50 In weighing legal theories inspired by the international relations, one should be wary of their weaknesses. A careful balance in theoretical approach between positivism and natural law on the one plane and between what Koskenniemi calls “apology” and “utopia” on the other should not one-sidedly devaluate international law in light of certain socio-political factors. One notable theory developed by Myres McDougal and Harold Lasswell, the New Haven school of policy-oriented jurisprudence, rejects the notion that international law is a set of norms, instead focusing on the (constantly ongoing) process of authoritative decision-making and its consequences.51 It correctly identifies human beings as the social actors that have the capacity, as well as the desire to make decisions and to influence the law.52 Furthermore, the New Haven school recognizes that policy, together with the way it is formed and transmitted, should, inevitably, be taken into consideration when discussing legal norms.53

47 Grigory I. Tunkin, Theory of International Law (Harvard University Press 1974) 297. 48 See Martti Koskenniemi, From Apology to Utopia: The Structure of International Legal Argument (CUP 2006) 17. 49 Ibid., 18. 50 Martti Koskenniemi, “What is International Law For?” in Malcolm D. Evans (ed.), International Law (OUP 2003) 96. 51 Eisuke Suzuki, “The New Haven School of Jurisprudence and Non-State Actors in International Law in Policy Perspective” (2012) 42 Journal of Policy Studies 44–45. 52 Ibid., 43. 53 Ibid., 44–45. 30 Chapter 2

As early as 1943, McDougal and Lasswell pointed out:

None who deal with law, however deﬁned, can escape policy when policy is deﬁned as the making of important decisions which affect the distribution of values. Even those who still insist that policy is no proper concern of a law school tacitly advocate a policy, unconsciously assuming that the ultimate function of law is to maintain existing social institutions in a sort of timeless status quo; what they ask is that their policy be smuggled in, without insight or responsibility.54

The world may be returning to the realist ideology (discussed further) that inspired the creation of the New Haven school in the first place.55 Nevertheless, the application of the latter theory to cyber-warfare would not be easy. For instance, an inquiry into the “policy” of cyber-warfare regulation using the New Haven method would necessitate an analysis of how the framework of potentially applicable norms is communicated to governments, if it is taken into account by them. Causes of cyber-attacks would need to be investigated and the scheme of interactions between states, governments, courts and international organizations explored. Such an inquiry would immediately be hampered by the secrecy that surrounds cyber-attacks and the lack of targeted regulation aimed at cyber-warfare itself, making it inefficient. Furthermore, it should be mentioned that while the New Haven school concentrates on socio-political trends behind authoritative decisions that form international law, it does so with an aggressive American “democratic ideal” in mind.56 While the latter may motivate Western governments to exploit imperfections of international law, one should be careful not to forget that other governments and political systems may be no less interested in such exploitation than the West. Institutionalism that focuses on international structures (especially in its neoliberal form) does a good job at recognizing that “egoistic states [may] seek to maximise their respective interests within existing environmental

54 Myres S. McDougal, Harold D. Lasswell, “Legal Education and Public Policy: Professional Training in the Public Interest,” (1943) 52(2) Yale Law Journal 207. 55 Janet K. Levit, “Bottom-Up International Lawmaking: Reflections on the New Haven School of International Law” (2007) 32(2) Yale JIL 394. 56 See McDougal, Lasswell (n. 54) 206–207, 212, 214, 222, 288, 291; Scobbie (n. 23) 69–71; O’Brien (n. 11) 50–51. Theoretical Framework 31 constraints”.57 It correctly acknowledges that states’ behavior, while egoistic, tends to be rational and, although they, as the primary actors of international law, operate in an anarchic arena, cooperation between states is possible with the help of institutions.58 The idea of “complex interdependence” advanced by institutionalists Robert Keohane and Joseph Nye reasonably accepts participation of non-state actors in politics.59 According to the theory under consideration, institutions are of particular importance, because despite the lack of a centralized governance structure in international relations, they establish a secure scene for negotiations, as well as a platform for supervising and, if necessary, controlling state behavior.60 This is, arguably, done by increasing the importance of reputation within the international community, providing an already-existing scheme for decision-making, publicizing soft law instruments that serve as guides for state behavior, ensuring that countries are invested into institutions financially and otherwise (which prevents them from easily “pulling out”).61 In addition, institutions are seen as contributing to the control over state behavior by making different issues on the international agenda inseparable, increasing access to information, promoting transparency and mediating disputes.62 Conventions are seen by institutionalists as establishing long-term relations that are giving “rise to stable expectations between states” and increasing the “importance of reputation and the use of reciprocity to enforce obligations”.63 Customary law, like conventions, is meant to reduce uncertainty by offering a stable model of behavior, built around reputation and reciprocity.64 Where simple deterioration of reputation is seen as ineffective, institutions can coordinate the mechanism of collective punishment. A notable example of this is the work of the UN Security Council, which can impose a spectrum of measures (under Chapters VI and VII of the UN Charter) ranging from sanctions to authorizing the use of force against the violators of international law.

57 Christian Reus-Smit, “The Politics of International Law” in Christian Reus-Smit (ed.), The Politics of International Law (CUP 2004) 15, 18. 58 William J. Aceves, “Institutionalist Theory and International Legal Scholarship” (1997) 12(2) American University International Law Review 236, 240, 260. 59 Robert O. Keohane, Joseph S. Nye, Power and Interdependence (2nd edn., Longman 1989) 24. 60 Aceves (n. 58) 241–242. 61 Ibid., 243, 245–247. 62 Ibid., 248–250, 253. 63 Ibid., 257. 64 Ibid., 258, 260. 32 Chapter 2

There are a number of flaws in institutionalism that should be pointed out here. Firstly, it presupposes constantly existing common goals between states or governments that create institutions to constrain their behavior.65 In reality, these goals come into an obvious conflict when military confrontations occur (also in the form of cyber-warfare). Arguments that governments do not use force regionally lose validity in trans-global environment created by virtual cyber-space.66 Secondly, the already-existing institutions can be ignored or manipulated by certain governments, which have enough power to do so. Possibilities of such manipulations may even sometimes determine the level of investment and, as such, keep the level of state dependency on institutions and other states under government control. Had the situation been different, organizations like the UN or NATO would not be criticized as part of the problem (in addition to being part of the potential solution). Thirdly, manipulations and negligence by governments may be present already in the early stages of creation of international institutions, leading to them having structural imperfections. Finally, reputation of the more powerful states can be preserved by heavily relying on the global media propaganda (this notion is developed further). The next theory that could be useful is the critical legal studies. Emerging in the process of annual “critical legal” conferences, it attempts to unmask the policy elements that are underlying legal systems. While the main Conference has now been dissolved, critical legal studies have not entirely lost their relevance today.67 This theory not only rejects determinate nature of the law, arguing that it is veiled politics, but also views it as one of the instruments for preserving unjust hierarchies in the society (in the international law’s case, the society of states).68 The language employed in the law itself is viewed as one meant to “create the illusion of fairness while really legitimizing and furthering the position” of those on top of the hierarchy.69 Indeed, the illusion on the global

65 Anne-Marie Slaughter, “Liberal International Relations Theory and International Economic Law” (1995) 10(2) American University International Law Review 724–726. See also Markus Burgstaller, Theories of Compliance with International Law (Martinus Nijhoff 2005) 99. Note that a similar problem is present in the constitutionalist theory. 66 See generally Keohane, Nye (n. 59) 25. 67 Guyora Binder, “Critical Legal Studies” in Dennis Patterson (ed.), A Companion to Philosophy of Law and Legal Theory (2nd edn., Wiley-Blackwell 2010) 267. 68 Jerry L. Anderson, “Law School Enters the Matrix: Teaching Critical Legal Studies” (2004) 54(2) Journal of Legal Education 201. 69 Ibid., 202. Theoretical Framework 33 level may be cast in order to keep the weaker states passive and secure, while the more powerful states preserve their dominant positions. This “injustice” is most clear when one considers the unequal state powers in the UNSC, despite the assurances of sovereign equality in the UN Charter. Acknowledgment of historical, political (or, in the case of constructivist thinking, social)70 perspectives should not come at the expense of objectivity of the entire legal system—a sacrifice expected by radical critical legal studies, which reject the possibility of objective norms altogether.71 On the other hand, what one author defines as their moderate form, views only legal interpretations as determined by political (as well as cultural and moral) beliefs.72 For this reason, in the context of the present book, moderate critical legal studies somewhat contribute to identifying an adequate vantage point over the subject of cyber-attacks as regulated by imperfect instruments of law. That being said, critical legal studies cannot be entirely relied upon here due to their focus on societies, which does not take into account the complex relations between states and their governments, as well as the composition of the latter with fluctuating desire and possibilities to exploit the law.73 After dismissing powerful mainstream alternatives, one is left to look at the situation through the prism of realism. An important starting point is the principles formulated by Hans Morgenthau, according to which “politics [. . .] is governed by objective laws that have their roots in human nature”, where “interest [is] defined in terms of power [. . .]—an objective category that is universally valid”, guided by “distinctive [non-universal] intellectual and moral attitude to matters political”.74 In deviating from the classical Morgenthau’s positions, realists continue to preserve a general understanding that states play the main role in the anarchic international arena and that they compete for power.75 International law is believed to reflect this struggle and the balance of power it creates.76

70 Reus-Smit (n. 57) 15, 21–22. 71 O’Brien (n. 11) 52; Andrew Altman, Critical Legal Studies: A Liberal Critique (Princeton University Press 1990) 18. 72 Altman (n. 71) 19. 73 Note that this problem is also shared by liberalism—see generally Slaughter (n. 65) 728. 74 Hans J. Morgenthau, Politics Among Nations: The Struggle for Power and Peace (7th edn., McGraw-Hill 2006) 4–13. 75 Slaughter (n. 65) 722. See also Fernando R. Tesón, A Philosophy of International Law (Westview Press 1998) 41. 76 Reus-Smit (n. 57) 15. 34 Chapter 2

Realism acknowledges that legal rules may be ignored by states, in case it serves their interests.77 This fits well with the reality of contemporary warfare, where existing legal norms are not always complied with. Likewise, lack of lex specialis meant for cyber-warfare, coupled with a frequently expected possibility of remaining anonymous online, make it appealing for states to consider violating laws and to expand dominance by demanding conformity from others.78 The level of threat to national security represented by cyber-attacks ranges and, more importantly, is perceived to range from uncertain to high. Such an atmosphere encourages states and military alliances to strive for security by aggressively seeking advantage (regardless whether that conflicts with interests of other states, or not)—behavior expected by “offensive realism”.79 Furthermore, states may seek to “control and shape their external environment”—conduct predicted by “neoclassical realism”.80 It is acknowledged that realism is sometimes criticized for its indifference to human rights.81 But this is arguably a small concern, in light of the scope of this work. While one may argue that humanitarian law represents an extension of human rights onto the battlefield, the truth is that all but a few basic human rights become formally suspended during armed conflicts. On the other hand, Christian Reus-Smit reasonably notes that realism does not bother to explain how powerful states are constrained in their behavior by international law and how weak actors use it to their advantage.82 Both concerns can be addressed with reference to potential deterioration of reputation upon violation of erga omnes (but not necessarily other) obligations. Here, it should be noted that, as long as erga omnes obligations are not violated, overwhelming military and political force allows the most powerful (but not all) “egoistic” governments to prevent potential retaliation and to use the media as a propaganda tool to preserve their reputation (consider the influence of the pro-Western CNN news channel or the pro-Eastern news agency Russia Today), even if the decisions are not considered rational by parts of

77 Ibid., 16. 78 See Burgstaller (n. 65) 96; Tesón (n. 75) 41. 79 Burgstaller (n. 65) 97. 80 Ibid., 98. 81 See Tesón (n. 75) 52–54. 82 Reus-Smit (n. 57) 17. Theoretical Framework 35 the local population or internationally and negative political repercussions follow.83 Realism openly admits that individual governments and states may ignore international law. Martin Dixon argues that “[t]here is nothing surprising in this and it is a feature of the behavior of every legal person in every legal system”.84 Yet, as Rosalyn Higgins correctly notes, “[i]t rarely is in the national interest to violate international law, even though there might be short-term advantages in doing so”.85 In the words of Reus-Smit, when deciding on actions in ordinary circumstances “[s]trong states do not invariably ignore [international law], and when they choose to deliberately violate it they do so in the knowledge that as well as incurring political costs their actions will have to be justified as ‘legal’”.86 Consider, for instance, the statement of the legal advisor of the US Depart ment of State Harold H. Koh, who argued:

[. . .] compliance with international law frees us to do more, and do more legitimately, in cyberspace, in a way that more fully promotes our national interests. Compliance with international law in cyberspace is part and parcel of our broader ‘smart power’ approach to international law as part of U.S. foreign policy. [. . .] International law is not purely constraint, it frees us and empowers us to do things we could never do without law’s legitimacy. If we succeed in promoting a culture of compliance, we will reap the benefits.87

In line with this, one scholar does not find it surprising “that the United States would advance an expansive interpretation of its rights under international law while simultaneously maintaining a narrow interpretation of its duties”.88 Governments are not interested in outright violation of legal norms when they can instead interpret international law in a way that would justify desired conduct. Such interpretations (and their desired acceptance by the world

83 See generally Andrew T. Guzman, How International Law Works: A Rational Choice Theory (OUP 2008) 9. 84 Dixon (n. 2) 4. 85 Higgins (n. 16) 16. See also Dixon (n. 2) 4, 12–13. 86 Higgins (n. 16) 16. 87 Harold H. Koh, “International Law in Cyberspace” (USCYBERCOM Inter-Agency Legal Conference, 2012) Final Quest 1 accessed 1 August 2015. 88 John Cerone, “Misplaced Reliance on the ‘Law of War’” (2007) 14(1) New England Journal of International & Comparative Law 57. 36 Chapter 2 community) become possible in areas where international law is imperfect, where it features gaps, deficiencies and uncertainties. So, what is the theoretical approach adopted in this book?

2.3.2 Adopted Theoretical Framework Considering the weaknesses of the legal theories mentioned above, in order to achieve objective results, the present book adopts a distinctive theoretical framework. It will serve as a working theory within which an analysis of cyber- attacks is undertaken. Why is it better than other conceptual approaches? Although it leans towards realism, it seeks to avoid its imperfections and assimilates the more successful elements of other models. Some may consider it inspired by ration alism that in the purest form argues that “international law emerges from states acting rationally to maximize their interests, given their perceptions of the interests of other states and the distribution of state power”.89 Nonetheless, this work is not meant to fit perfectly with the game theory (an element often relied upon in rationalism) and, particularly, the idea that all states with various forms of government are simultaneously motivated only by self-interest.90 Thus, the theoretical position assumed in this book can be summarized as follows. International law is composed of subjective elements reflecting a balance of power and objective, universal elements ( jus cogens) meant to constrain state behavior. Its main sources are conventions, customs and general principles. Sub-regimes of jus ad bellum and jus in bello are not self-contained and are related to each other and to other legal regimes. Because the regulation of warfare traditionally aimed to ensure more stability, safety and justice in the international arena, the mission of international law remains to facilitate this process by providing a sufficiently clear framework with minimal room for exploitation and misinterpretation. Where international law fails to meet this objective due to inadequate regulation, it is imperfect. Imperfections emerge as a result of previous manipulations and negligence by the norms’ authors. States are the main actors and decision-makers in the international arena. They can belong to and operate in international organizations. States are represented by their governments. Governments’ goals are not universal and they are in conflict when countries are engaged in hostilities with each other.

89 Jack L. Goldsmith, Eric A. Posner, The Limits of International Law (OUP 2005) 3. 90 See generally D. Jeremy Telman, “Non-State Actors in the Middle East: A Challenge for Rationalist Legal Theory” (2013) 46(1) Cornell ILJ 58. Theoretical Framework 37

If the benefit is sufficiently great, governments may ignore legal norms. That being said, international law (especially jus cogens) is normally complied with by them; instead, governments may interpret legal norms in ways that serve their interests. They, normally, want others to accept these interpretations, as it preserves their good international standing without subjecting them to the risk of sanctions. Having outlined the theoretical framework that provides support for the main idea of this work, it is necessary to take a closer look at the issue of exploiting international law’s imperfections in cyber-warfare itself.

2.3.3 Exploitation of Legal Imperfections in Cyber-Warfare It is hard not to agree with Noam Lubell, when he writes:

If we wish to ensure the relevance of the rules to the twenty-first century, it is vital that they are interpreted in light of modern reality. Proposing new interpretations is not the same as saying the law itself is inadequate to deal with new challenges. [. . .] There should be no doubt that existing law can apply to the cyber sphere, but there must be room for new approaches and interpretations that might differ from the manner in which the same law was read in the past.91 [footnote omitted]

It would be prudent to consider this in the broader context. The prospective cyber-warfare is shifting security of states, which, until recently, has been defined in terms of landscape and distance, towards security that is independent of geography.92 Inter alia, this results in increased feeling of uncertainty and danger, which provokes proliferation of governments’ ways of interpretation and resorting to realistic approaches. What are the opportunities of exploitation, when it comes to legal regulation of cyber-warfare? Mainly, there are possibilities to insist on a favorable interpretation of international norms that are not certain. This allows governments to prevent their conduct from being definitely qualified as illegal, if it is covered by such an uncertain rule. One can consider an example involving a government that wants to launch cyber-attacks against a foreign state to increase its control over it or to compel it to do (or abstain from doing) a certain act. The government will try to match the current factual situation with existing norms that

91 Noam Lubell, “Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?” (2013) 89 International Law Studies 270–271. 92 See generally Barry Buzan, Ole Wæver, Jaap de Wilde, Security: A New Framework for Analysis (Lynne Rienner Publishers 1998) 59. 38 Chapter 2 allow cyber-strikes in self-defense; a proper match makes it easy to explain to their own population and the world in general why these cyber-attacks are launched in the first place and why they are necessary. If the relevant law is not certain or it features a gap, the government will choose the interpretation which helps it argue that international law does permit self-defense under the present conditions. In this case, the opportunity to exploit a norm is used and potential accusations of illegality are sublimated into political and academic discourse about the “right” interpretation of law. If a government views all such possibilities jointly, it may become interested in preserving the legal regime that enables exploiting many imperfect norms, which regulate cyber-warfare. Since states are expected to develop international law in order to fix its imperfections, hindering its development can be considered an inherently malicious plan. Lastly, before concluding this chapter, one should mention an alternative view voiced by Glennon. According to his logic, international law is experi- encing stagnation vis-à-vis cyber-warfare because states do not want to “regulate the pursuit of core security interests based upon speculation”93 (emphasis added). Is he right to argue that since “cyber capabilities are concealed, [. . .] relative capability becomes speculative, leaving States without the ability to evaluate beforehand the apparent advantages and disadvantages that new rules might reify”?94 Two things should be pointed out here. First of all, sensing their real intentions, Glennon himself implies that states may not be willing to limit their freedom of waging cyber-warfare.95 Secondly, the main opponent of the SCO proposals to expand the legal framework on cyber-warfare, the United States, launches a significant amount of cyber-attacks itself. It was reported that in 2011, three-quarters of these cyber-strikes targeted the most powerful SCO states (China, Russia and SCO observer Iran), revealing a particular political agenda.96 Therefore, Glennon’s alternative view on reasons for international law stagnation, by 2015, seems to be outdated.

93 Glennon (n. 18) 379. 94 Ibid. 95 Ibid. 96 Barton Gellman, Ellen Nakashima, “U.S. Spy Agencies Mounted 231 Offensive Cyber- Operations in 2011, Documents Show” (The Washington Post, 31 August 2013) accessed 1 August 2015. Theoretical Framework 39

2.4 Conclusion

The present chapter identified the theoretical perspective that is most adequate for determining how fit current international law is in addressing militarized cyber-attacks. It sets out the starting point of analysis that, when it comes to international law relating to the use of force and warfare, instead of ignoring legal norms, governments may pursue interpretations that suit them best, ensuring that their actions formally stay within the confines of legality. Such interpretations are most easily advanced where international law is imperfect. With the theoretical framework described in this chapter in mind, the present book will identify international law’s deficiencies, gaps and uncertainties. However, before proceeding with examination of substantive international law in Chapters 4–8, it is necessary to provide an accurate overview of the damaging capabilities of cyber-attacks. This is the purpose of the next chapter, which, on the one hand, demonstrates the seriousness of this threat and, on the other, argues that it can be tackled by properly adopting the already-existing instruments of international law. Chapter 3 Cyber-Threat

3.1 Introduction

The present chapter addresses the nature of the cyber-threat. By looking into hypothetical and real incidents that involve cyber-attacks, it starts to determine whether the consequences suggested by cyber-warfare are so significant as to necessitate a revolution in international law or if the threat and evidence are merely indicative of a need for proactive legal reforms. The chapter is divided into two parts. The first part assesses the damaging capabilities of cyber-attacks, as well as the potential consequences these attacks could have, in order to demonstrate that cyber-strikes represent a serious threat that warrants clarity in international law. This risk-assessment is done with reference to the concept of critical national infrastructure and by providing evidence review of certain objects that may plausibly be targeted by cyber-strikes, if indeed such strikes are not already being effected. The second part provides a review of reported incidents where there is evidence of cyber-attacks having taken place.1 This review begins with life-threatening situations occurring as a result of cyber-strikes, moves on to matters of military importance and concludes with less harmful actions that constitute nuisance for governments, even if they are often perceived as something more serious. Incidents involving designated terrorist organizations are deliberately omitted, as they will be addressed in Chapter 7.

3.2 The Hypothetical Threat

Are cyber-attacks fundamentally extraordinary in the context of military action? What can be seen as the maximum degree of damage that might potentially be achieved in and via cyber-space? As technology is in constant development, understanding the nature and scope of a threat in theory is a necessary first step to assessing the ability of

1 Since, nowadays, information about certain cyber-strikes is primarily available in the form of official statements, press releases and news reports, this chapter utilizes these sources. However, mindful of their uncertain journalistic nature, they are treated with a due degree of caution.

© koninklijke brill nv, leiden, ��5 | doi ��.��63/9789004298309_004 Cyber-threat 41 international law to respond should such a threat become a reality. The concept of critical infrastructure provides a good foundation for beginning this task. Indeed, for some, it may even serve as the basis for equating cyber-strikes with the use of force in jus ad bellum.2 After determining the elements of a state’s essential assets, one can then gauge their vulnerability to cyber-attack.

3.2.1 Special Nature of Cyber-Attacks The first question that helps determine the level of the threat and that requires attention, considering the focus of the present book is whether cyber-attacks are fundamentally different from traditional military strikes? In 2009, Graham Todd observed that cyber-strikes, inter alia, can be delivered faster, can have wider effects on a society, require less investment and provide greater degree of anonymity than conventional forms of attack.3 Although these conclusions may be correct, their importance should not be exaggerated. Indeed, cyber- attacks can be launched over great distances almost with the speed of light,4 yet some of the most serious ones (for instance, Stuxnet) take months to reach their target.5 Production of malware (malicious software)6 can be free or it can be the result of enormous financial investments. Using programs that aim to wreak havoc in any society may simply result in nuisance, and the development of cyber-forensics slowly decreases the chances of remaining anonymous online. Like ordinary military operations, cyber-attacks have the best chances to be effective when they are “based on accurate intelligence” and are “target- specific in their design”.7 They cannot result in seizure of land or physical

2 See further the discussion of target-based approach in sub-chapter 5.2.3. 3 Graham H. Todd, “Armed Attack in Cyberspace: Deterring Asymmetric Warfare with an Asymmetric Definition” (2009) 64 Air Force Law Review 68–69. 4 Richard A. Clarke, Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010) 30–31; Karlis Podins, Christian Czosseck, “A Vulnerability- Based Model of Cyber Weapons and its Implications for Cyber Conflict” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 199–200; Jody M. Prescott, “Direct Participation in Cyber Hostilities: Terms of Reference for Like-Minded States?” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 259. 5 Stuxnet is discussed further in this chapter. 6 A collective term that includes viruses, worms, trojans and logic bombs. A wider spectrum of programs and tactics (“toolkit”) that crackers may use are described in Appendix 1 to this book. 7 Paul A. Walker, “Rethinking Computer Network ‘Attack’: Implications for Law and U.S. Doctrine” (2011) 1(1) American University National Security Law Brief 61. 42 Chapter 3 objects, but they can deny access to virtual cyber-space, as well as infrastructure that sustains it. Cyber-strikes have the potential for surgical precision that allows them to target an opponent’s infrastructure with minimal collateral damage.8 That being said, their effects can also be extremely unpredictable. It can be argued that luck plays a major role in the success of cyber-attacks. For instance, malware often needs to exploit fresh vulnerabilities in the targeted system, and the window of opportunity quickly closes once the flaws become obvious during a cyber-strike or when discovered by the opposing party beforehand.9 Yet, luck is also a critical factor in ordinary military operations or acts of terrorism. Therefore, while cyber-strikes may be a new phenomenon, their capacities vary and they are influenced by classic military factors. At this point, it should be mentioned that scarce evidence of military objects being significantly affected by cyber-attacks (with the exception of few reports related to Conficker and other malware)10 indicates that either these objects are, for the most part, invulnerable or that successful cyber-strikes against their systems are deliberately concealed. In any case, the prospect of total cyber-warfare shifts the attention from pure military-on-military engagement to potential attacks against state infrastructure. Thus, in discussing the hypothetical threat, one should consider state security in a broader context. In other words, it is important to outline which cyber-attacks can be most damaging and which represent the biggest danger to a state as a whole. This can be done with reference to what is called critical infrastructure.

3.2.2 Concept of Critical Infrastructure The European Union (EU) comprehensively defines critical infrastructure as

[. . .] physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments.11

8 Duncan B. Hollis, “Why States Need an International Law for Information Operations” (2007) 11(4) Lewis & Clark Law Review 1032. 9 See Podins, Czosseck (n. 4) 200. 10 Discussed further in this chapter. 11 European Commission Communication COM (2004) 702 of 20 October 2004 on Critical Infrastructure Protection in the Fight Against Terrorism 3. Cyber-threat 43

The US12 and the Shanghai Cooperation Organization13 use similar definitions, evaluating the impact of an attack from a national security standpoint. Critical infrastructure should not be confused with conceptually different vulnerable or particularly vulnerable targets mentioned, for instance, in the UN Global Counter-Terrorism Strategy.14 It should also be clearly distinguished from the notion of critical information infrastructure that covers not only computerized systems, but also other, less sophisticated transmitting devices, necessary for the continuous work of critical infrastructure. The exact elements comprising critical infrastructure will no doubt vary from country to country. However, one can outline a common list of industrial and societal sectors that are vital to many technologically advanced states, as reflected in their policy papers.15 These are energy, finance, transport, communications, hazardous materials, emergency services, government, health, water and food. All ten of these sectors are already being targeted by cyber-attackers. When a particular object subjected to cyber-strikes can be realistically grouped under one of these commonly recognized sectors of critical infrastructure, self-defense by the victim-state will be more justifiable in the eyes of the world community (even if there are no casualties). On the other hand,

12 Barack Obama, “Improving Critical Infrastructure Cybersecurity” (Executive Order, The White House 2013) accessed 1 August 2015: “[. . .] systems and assets, [. . .] so vital [. . .] that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”. See also Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, Public Law 107–56, 115 Stat 272 (2001) sec 1016(e). 13 Agreement Between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security (adopted 2 December 2008, entered into force 16 June 2009) Annex I accessed 1 August 2015: “[P]ublic facilities, systems and institutions attacks on which may cause consequences directly affecting national security” (unofficial translation). 14 UN Global Counter-Terrorism Strategy: Plan of Action, Annex to UNGA Res 60/288 (20 September 2006) UN Doc A/RES/60/288, paras. II-18, III-13. 15 See European Commission (n. 11) 3–4; Assaf Y. Keren, Keren Elazari, “Internet as a Critical Infrastructure—A Framework for the Measurement of Maturity and Awareness in the Cyber Sphere” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 120–122; “The National Infrastructure” (Centre for the Protection of National Infrastructure) accessed 1 August 2015; President’s Commission on Critical Infrastructure Protection, “Protecting America’s Infrastructures” (Report, White House 1997) 3–4. 44 Chapter 3 unreasonable allocations of objects to these ten sectors and to critical infrastructure in general may result in international disapproval of the belligerent response. Hence, the present sub-chapter focuses on ten sectors identified above and does not cover more disputable elements, such as national monuments that the US lists as a separate division of its critical infrastructure,16 and which the EU groups under the government sector,17 Norwegian social services and environmental surveillance,18 the US “critical” manufacturing, education or postal services and so on.19

3.2.3 Critical Infrastructure in State Military Exercises Today, different scenarios are identified by academics as the most dangerous.20 However, validity of the cyber-threat to state critical infrastructure is also acknowledged through military exercises. This is particularly true in the West, where information about them is publically available. One example is the famous US training operation Eligible Receiver that, in 1997, emulated a rogue state that avoided open conflict and sought to damage the US information systems instead.21 In addition to causing maximum damage, the team playing the role of the rogue state had to avoid detection and

16 Department of Homeland Security, “Critical Infrastructure Identification, Prioritization, and Protection” (Homeland Security Presidential Directive 7, 17 December 2003) para. 18(6). 17 European Commission (n. 11) 4. 18 Commission for the Protection of Critical Infrastructure, “Protection of Critical Infrastructures and Critical Societal Functions in Norway” (Report to the Ministry of Justice and the Police, Norwegian Government 2006) 5 accessed 1 August 2015. 19 Keren, Elazari (n. 15) 122; US White House, “Fact Sheet: Cybersecurity Legislative Proposal” (Office of the Press Secretary, 12 May 2011) accessed 1 August 2015. 20 See Todd (n. 3) 68 fn. 7; Christopher C. Joyner, Catherine Lotrionte, “Information Warfare as International Coercion: Elements of a Legal Framework” (2001) 12(5) EJIL 836–839; Michael N. Schmitt, Essays on Law and War at the Fault Lines (TMC Asser Press 2012) 9; Dimitrios Delibasis, The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007) 67–70; Daniel M. Creekman, “A Helpless America? An Examination of the Legal Options Available to the United States in Response to Varying Types of Cyber- Attacks from China” (2002) 17(3) American University International Law Review 646. 21 Stephen A. Hildreth, “Cyberwarfare” (Report, Congressional Research Service 2001) CRS-4 accessed 1 August 2015. Cyber-threat 45 prevent the possible US military response.22 It was later stressed that power grids and 911 emergency systems were found to be most vulnerable.23 The 2000 “Black Ice” simulation also reportedly targeted the Supervisory Control and Data Acquisition (SCADA)24 system of the power grid, this time during a theoretical ice-storm.25 It was noted that cyber-attacks managing to shut down electricity for a prolonged period of time would result in degradation of other infrastructure, such as communications or gas industry.26 In the 2000s, other series of cyber-security exercises were reported, undertaken by the US government and some of its allies. These included Cyber Storm (2006) aimed at energy, transportation and communications,27 Cyber Storm II (2008) simulating an attack against “information technology, communications, chemical, and transportation systems”28 and Cyber ShockWave (2010) war games, that, in theory, affected power industry, mobile phone communications and the Wall Street stock exchange.29 Finally, in 2012, reports indicated that official North Atlantic Treaty Organization (NATO) war games encompassed a hostile African country launching cyber-attacks to crash a military aircraft in Hungary and to affect the Alliance’s critical infrastructure.30 Having explored the general concept of critical infrastructure and the growing recognition of its importance in cyber-warfare, one should now consider the prospect of attacks against its individual elements.

22 Ibid. 23 Dorothy E. Denning, “Cyberterrorism” (Testimony Before the Special Oversight Panel on Terrorism Committee on Armed Services, US House of Representatives, 23 May 2000) accessed 1 August 2015. 24 SCADA is a computerized control system that monitors and regulates physical industrial processes. 25 “Utah’s ‘Black Ice’: Cyber-Attack Scenario” (CNN, 21 October 2001) accessed 1 August 2015. 26 Ibid. 27 Patience Wait, “Cyber Storm Exercise Challenged Coordination, Communications” (GCN, 15 September 2006) accessed 1 August 2015. 28 “Cyber Storm 2 Exercise Reveals Security Preparedness” (Computer Weekly, 18 March 2008) accessed 1 August 2015. 29 Ellen Nakashima, “War Game Reveals U.S. Lacks Cyber-Crisis Skills” (The Washington Post, 17 February 2010) accessed 1 August 2015. 30 “Russia Potential Aggressor for NATO” (RIA Novosti, 18 October 2012) accessed 1 August 2015. 46 Chapter 3

3.2.4 Theoretical Attacks and Their Consequences To facilitate the review of the hypothetical dangers to various sectors of critical infrastructure, this section is divided into three sub-sections.31 The first one tackles elements of critical infrastructure crucial for the well-being of a society, which are most vulnerable to cyber-attacks (energy, finance, transport). The second sub-section deals with threats to societal sectors that appear to be more resistant to cyber-strikes (communication, hazardous materials, emergency services and government). The final sub-section tackles those elements of critical infrastructure that are responsible for sustaining life, but which feature insignificant possibilities of severely harming states themselves by cyber- strikes (health, water, food).

3.2.4.1 Most Vulnerable Sectors Logic dictates that analysis of hypothetical threats should begin with highly computerized objects that societies rely upon. First among them are those belonging to the energy sector. A number of successful incursions and attacks against oil and gas industry have already been experienced, making them no longer theoretical. As such, they will be discussed further when assessing reported cyber-strikes. However, electric facilities present a slightly different proposition, which merits examination here. Like other infrastructure, where convenience of remotely managing the facilities is apparent, power stations are connected to each other and to a centralized SCADA system. The North American Electric Reliability Corporation Network is one such example, which was designed in 1997 to allow “‘all’ participants in the electric power industry to communicate”, in order to ensure the safe and reliable flow of commercial activities.32 It has been reported that power plants and electricity grids are frequently targeted by cyber-attacks of various intensity.33 Millions are said to be spent

31 While this section focuses on vulnerabilities, the next sub-chapter will, inter alia, explore methods of malware distribution. 32 Jamal Henry, “Reducing the Threat of State-to-State Cyber Attack against Critical Infrastructure through International Norms and Agreements” (Working Paper, Center for International and Security Studies at Maryland 2010) 5 accessed 1 August 2015. 33 Siobhan Gorman, “Electricity Grid in U.S. Penetrated by Spies” (The Wall Street Journal, 8 April 2009) accessed 1 August 2015. Cyber-threat 47 on cyber-security in an attempt to ensure a high level of protection.34 Notably, according to the US Department of Homeland Security, when malware on a USB device infected an unnamed American power plant in 2013, the plant was shut down for three weeks as a precaution.35 Nonetheless, serious socio-economic consequences could result from malicious control exercised over power stations. The extent of the possible harm upon entry into the power station systems was described in the 2010 Report by the US General Accounting Office. According to this report, the attackers could:

[1)] [D]isrupt the operation of control systems by delaying or blocking the flow of information through control networks, thereby denying availability of the networks to control system operators; [2)] make unauthorized changes to programmed instructions in [. . .] controllers, change alarm thresholds, or issue unauthorized commands to control equipment, which could potentially result in damage to equipment (if tolerances are exceeded), premature shutdown of processes (such as prematurely shutting down transmission lines), or even disabling control equipment; [3)] send false information to control system operators either to disguise unauthorized changes or to initiate inappropriate actions by system operators; [4)] modify the control system software, producing unpredictable results; and [5)] interfere with the operation of safety systems.36

In 2007, researchers reportedly proved that a cyber-attack can cause a power generator to self-destruct,37 and, in 2012, the Obama administration was said to

34 Brian Wingfield, “Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months” (Bloomberg, 1 February 2012) accessed 1 August 2015. 35 See Jim Finkle, “Malicious Virus Shuttered U.S. Power Plant” (Reuters, 16 January 2013) accessed 1 August 2015. 36 “Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems” (Report to Congressional Requesters GAO-04–354, United States General Accounting Office 2004) 15 accessed 1 August 2015. 37 Jeanne Meserve, “Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid” (CNN, 26 September 2007) accessed 1 August 2015. 48 Chapter 3 have held a Senate demonstration of a controlled cyber-attack against the New York City’s power supply.38 Underscoring disastrous effects on other critical infrastructure, some participants allegedly concluded that prolonged lack of electricity in a megalopolis will result in “literally thousands of people dying”.39 Nonetheless, it should be noted that repairing power stations (if they have not been physically damaged) should be a fairly quick process, inter alia, due to the globally existing experience in dealing with recurring blackouts caused by thunderstorms and other disasters. The next vulnerable sector of critical infrastructure that requires attention is transport. Modern cars are equipped with advanced computer systems, which make them susceptible to cyber-strikes. Malware can spread through communication modules, mobile phones, portable MP3 players, navigation systems and other devices meant to automatically connect to vehicle electronics.40 According to reports, it has been proven that such cars can be controlled from outside, without any driver input.41 Among other things, research shows that they can be made to brake and accelerate.42 If successfully executed, such an attack can injure the driver and passengers within the car. Similar problems are likely to arise with the development of the computer-controlled personal rapid transport (podcars). On the macro level, a compromised system responsible for the “smart” ground transport control can result in prolonged traffic jams and, depending on the timing of an attack and weather conditions, vehicle crashes. Not unlike electric power, transport is essential for other types of critical infrastructure. Thus, limitless traffic congestions can lead to food shortages, disruption in its distribution and production, inability to transfer patients between hospitals or to physically reach destinations by the emergency services. Likewise, it can cause problems of hazardous materials transportation. Tampering with the subway grid, rail or train controls is capable of causing even more dangerous consequences, as a carefully planned train wreck (for

38 Eric Engleman, Chris Strohm, “Mock Cyber Attack Used to Pitch Senate Legislation” (Pittsburgh Post-Gazette, 9 March 2012) accessed 1 August 2015. 39 Ibid. 40 Hiro Onishi, “Paradigm Change of Vehicle Cyber Security” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 381–382. 41 “Car Hacked on 60 Minutes” (CBS News, 6 February 2015) accessed 1 August 2015. 42 Ibid. Cyber-threat 49 example, when a train is passing over a bridge) can lead to a high number of casualties. Another theoretical scenario includes cyber-attacks causing trains to collide or derail with the purpose of spilling toxic materials in transit.43 Furthermore, a cyber-attack can interfere with the proper work of computerized navigational systems of a ship. The sinking of the Italian cruise ship Costa Concordia in January 2012 demonstrates the disastrous consequences that wrong interpretation of navigational data can bring. When it comes to transport, the most vulnerable targets are civilian airplanes, followed by helicopters, which attackers might try to crash. Malware infecting computers onboard an aircraft can lead to pilots flying “blind”, which alone increases the overall risk significantly.44 In 2013, it was reported that an application for Android was constructed that allows uploading navigation commands into planes’ “flight management system”.45 Clearly, any malfunction caused by cyber-attacks while in the air almost automatically threatens to result in a large number of injuries and deaths. Aside from attacking planes directly, cyber-strikes may be launched at the air traffic controls, which play a significant role in ensuring aviation safety. Wrong instructions from these facilities can result in airplanes flying into unsuitable terrain or into each other. Even leaving more direct approaches behind, though

43 See Scott A. Newton, “Can Cyberterrorists Actually Kill People?” (White Paper, SANS Institute 2002) 7–8 accessed 1 August 2015; Jan Kallberg, Rosemary A. Burk, “Cyberdefense as Environmental Protection—The Broader Potential Impact of Failed Defensive Counter Cyber Operations” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 271. Note that, in 2008, a derailment was reported in the Polish city of Lodz, though it turned out to be a result of manipulations with infrared signals and not a cyber-attack—see Graeme Baker, “Schoolboy Hacks into City’s Tram System” (The Telegraph, 11 January 2008) accessed 1 August 2015. 44 Note that more and more systems are being integrated in the contemporary “e-Enabled” airplanes—see Rainer Koelle, Denis Kolev, “Situation Management in Aviation Security—A Graph-Theoretic Approach” in Douglas Hart (ed.), Proceedings of the 8th International Conference on Information Warfare and Security (Academic Publishing International 2013) 126; Stefan A. Kaiser, Oliver Aretz, “Legal Protection of Civil & Military Aviation Against Cyber Infrastructure” in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013) 320. 45 Liat Clark, “Security Consultant Hijacks Plane’s Navigation System with Android App” (Wired, 11 April 2013) accessed 1 August 2015. 50 Chapter 3 air traffic controls may appear to be disconnected from the Internet, according to some commentators, “there are almost always semi-direct connections through routers shared between the control system and business systems that can be exploited”.46 A final (and somewhat unique) type of transport is spacecraft. Wrong programming or injected malware could, in theory, cause the death of an entire crew and the destruction of a craft upon liftoff. Other possible scenarios could include death upon reentry into the atmosphere, or even in outer space. In 2011, it was reported that NASA’s servers still had a lot of vulnerabilities that could be exploited by cyber-attackers.47 Financial structures constitute the last element of critical infrastructure that needs to be mentioned here, due to their potentially high vulnerability to cyber-attacks. Generally, banking, investment and stock exchange remain one of the most popular targets for cyber-attackers, because of the possibility of causing financial damage. The actual accumulative losses due to cyber-strikes (including cyber-crime) is already estimated in billions of GBP, EUR or USD.48 However, so far, they have had little effect on the general population and merely limited users from accessing online banking for a few hours. Nevertheless, if attackers can mount a large-scale operation that would cause a widespread economic disruption for a prolonged period of time, it would not only result in massive economic losses for the state, but could also cause unfavorable devaluation of currency. Furthermore, an effective cyber- attack on the data within financial structures, either by denying the population access to their funds or by launching hyperinflation, could result in mass panic and overall deterioration of social order.

46 Adrian Addison, “Airliners Fly in Face of Cyber Attack Scares” (PhysOrg, 3 November 2010) accessed 1 August 2015. 47 Gabriel Perna, “Report: NASA Vulnerable to Crippling Cyber Attacks” (International Business Times, 29 March 2011) accessed 1 August 2015. 48 Center for Strategic and International Studies, “The Economic Impact of Cybercrime and Cyber Espionage” (Report, McAfee 2013) 3 accessed 1 August 2015. See also UK Cabinet Office, “The Cost of Cybercrime” (Report, Detica 2011) 2 accessed 1 August 2015. Cyber-threat 51

3.2.4.2 Moderately Vulnerable Sectors Next four sectors under purview are those that promise more resilience, but which, nonetheless, remain considerably vulnerable to cyber-attacks. These are communications, hazardous materials, emergency services and government. It makes sense to begin analysis with satellites that have, so far (at least publicly), avoided any damage from cyber-attacks, yet remain vulnerable state assets, used for reconnaissance and communications.49 Unlike industrial computers, which are connected to SCADA for convenience purposes, such connections are the only way to maintain control over satellites in outer space. Their security systems are less frequently updated, and moreover, many of them share software and have identical flaws, making them vulnerable.50 At least on four occasions, in 2007–2008, American satellites were allegedly “interfered” with, which perhaps indicates that crackers are attempting to gain access to artificial space bodies.51 Aside from the more obvious space-espionage, satellites can be “hijacked” in order to collide them against other objects or debris, causing direct financial and social damage to a state.52 In comparison with other cyber-strikes, due to the physical isolation of space objects, such cyber-attacks would leave little in terms of usable forensic evidence.53 A more popular target is communication systems (including email servers) used by the military. In fact, such systems can be expected to be targeted in almost all serious armed conflicts. Therefore, it is important to highlight that cyber-attacks against such infrastructure can also occur during wars. In the 21st century, the US adopted the concept of “Virtual Battlefield”, which ensures unified command and control of troops, vehicles, surveillance

49 Nasser Abouzakhar, “Critical Infrastructure Cybersecurity: A Review of Recent Threats and Violations” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 6. 50 Jan Kallberg, “Designer Satellite Collisions from Covert Cyber War” (2012) 6(1) Strategic Studies Quarterly 130. 51 See Tony Capaccio, Jeff Bliss, “Chinese Military Suspected in Hacker Attacks on U.S. Satellites” (Bloomberg, 27 October 2011) accessed 1 August 2015. Note also that already in 1997, a Chinese cracker claimed that he “neutralized” a satellite of the PRC—see Kevin Curran, Kevin Concannon, Sean McKeever, “Cyber Terrorism Attacks” in Lech J. Janczewski, Andrew M. Colarik (eds.), Cyber Warfare and Cyber Terrorism (IGI Global 2008) 3. 52 Kallberg (n. 50) 130, 132. 53 Ibid., 131. 52 Chapter 3 equipment, unmanned aerial vehicles (UAVs) and other available weapon systems.54 This is a step forward from the 1997 “American Ring of Fire” concept that allowed the US Naval Force commanders to observe the battlefield in 3D real-time view and to make decisions accordingly.55 As it maximizes effectiveness of overall battle control and facilitates message exchange between different forces, custom virtual battlefields are likely to be adopted by other nations as well (for instance, China or Russia). The presence of such technology provides an opportunity for opponents to undermine military effort and disrupt military communications through cyber-attacks. As noted by Simon Finch, American and British “battlefield systems are Internet-connected, since that’s the easiest way to mesh them together”, although other channels also remain open to the attackers.56 A successful cyber-strike against a “Virtual Battlefield” not only would increase the risk of military losses, but could also pose a significant risk to civilians, in case the army is tricked into opening fire upon them. Furthermore, it can be argued that attackers could reprogram military robots to target civilian objects.57 Finally, tampering with the early-warning and missile launch systems can result in real world damage, not excluding nuclear war.58 When discussing hazardous materials, it should be noted that some chemical and bacteriological laboratories, as well as other institutions can be equipped with computers meant to monitor safety. As such, these computers may be subject to cyber-attacks, threatening to release toxic agents into the environment. Drawing attention to the 1984 Bhopal disaster, which injured more than 200,000 people with methyl isocyanate and other chemicals, one researcher

54 Delibasis, The Right to National Self-Defence (n. 20) 36. See generally Håkan Gunneriusson, Rain Ottis, “Cyberspace from the Hybrid Threat Perspective” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 101; Anssi Kärkkäinen, “Improving Cyber Defence of Tactical Networks by Using Cognitive Service Configuration” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 136, 138. 55 Delibasis, The Right to National Self-Defence (n. 20) 42. 56 See Simon Finch, “Cyber-Terrorism Poses a Serious Threat to Global Security” in Louise I. Gerdes (ed.), Cyber Crime (Greenhaven Press 2009) 37. 57 See Phillip W. Brunst, “Use of the Internet by Terrorists—A Threat Analysis” in NATO Centre of Excellence Defence Against Terrorism (ed.), Responses to Cyber Terrorism (IOS Press 2008) 44. 58 See generally ibid. Cyber-threat 53 notes that governmental and environmental agencies freely distribute information on industrial targets that contain poisonous elements, making target choice easy for cyber-attackers.59 Like its traditional analogues, atomic power plants are also connected to their respective SCADA systems, so there is no point in reiterating the way cyber-attacks can materialize and cause damage. Nuclear facilities may prove to be a more appealing target for cyber-attackers, due to the possibility of localized nuclear meltdown, which can have significant economic, social and political effects on the targeted state. Objectively, uncontrolled nuclear energy together with ionizing radiation remain extremely hazardous and capable of causing “unspeakable sickness followed by painful death, affect[ing] the genetic code, damage[ing] the unborn and render[ing] the Earth uninhabitable”.60 A cyber-strike that man- ages to cause a long-lasting catastrophic failure of a nuclear power plant will inevitably affect “health, agricultural and dairy produce and the demography” of thousands.61 Another sector of critical infrastructure susceptible to cyber-attacks is emergency services; it was reported that emergency service numbers have been made unreachable through cyber-attacks at least once in Estonia.62 However, the disruption was too brief to classify it as a real threat. Generally, emergency numbers are not always reachable on first demand, especially during periods of heightened risk (for example, New Year’s Eve). Nevertheless, the possibility of cyber-attacks directly interfering with the telephone exchanges, meant to make calling emergency numbers difficult, persists. For obvious reasons, prolonged disruption can become dangerous, especially when accompanied by disasters, wars or acts of terrorism. Additionally, police cars, fire engines, and ambulances can be slowed down and diverted from their intended destination by tampering with their navigational (for instance, GPS) systems.

59 Newton (n. 43) 8. 60 Dissenting Opinion of Judge Shahabuddeen in Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 382. 61 Dissenting Opinion of Judge Weeramantry in Nuclear Weapons Case (n. 60) 464. See also Nuclear Weapons Case (n. 60) para. 35. 62 See “Newly Nasty: Defences Against Cyberwarfare is Still Rudimentary. That’s Scary” (The Economist, 24 May 2007) accessed 1 August 2015. See further the discussion of the 2007 cyber-attacks on Estonia in sub-chapter 3.3.3.5. 54 Chapter 3

Cyber-strikes against the last moderately vulnerable sector of critical infrastructure, government, represent an ambiguous threat, since there is no clear list of assets that belong thereto.63 Out of the more serious theoretical scenarios, one could mention the deletion of prison and immigration databases, tampering with the automatic person identification hardware, the “No Fly” lists or the electronic elections software.64 That being said, compared to other possible cyber-attacks, cyber-strikes targeting the governmental sector will more likely result in harmless and rectifiable consequences.

3.2.4.3 Least Vulnerable Sectors Nowadays, three sectors of critical infrastructure—health, water and food— represent the least level of concern to states, since, at the moment, these sectors minimally rely on computer technology. This does not mean that the cyber-threat level will not rise in case of further computerization. Neither does it mean that, currently, no danger exists at all, especially taking into account the lethal potential that cyber-attacks could have, when targeted against some already-computerized objects. In the context of medical facilities, academics have noted that altering pharmaceutical formulas, tampering with laboratories (for instance, jeopardizing cures, vaccines and health research in general) or even ordinary medical data (for example, mixing up results of analysis or annulling health insurance) can pose a real risk to populations’ health.65 Similar dangers could arise as a result of interfering with computers of blood supply facilities, leading to incorrect transfusions.66 Aside from direct danger to life, such cyber-attacks can subject civilian population to suffering, from mental distress in case of a false positive to physical anguish of incorrect treatment. A more direct approach, suggested by

63 Note that in this sub-section (unlike the book generally) the word “government” is used to refer to a general system of state administration rather than to those people, who rule the state. 64 See generally Delibasis, The Right to National Self-Defence (n. 20) 68–69. Note that Estonian citizens can take part in regional and national elections using their identity cards at any time, from anywhere in the world. This leads to the possibility of influencing the election results, e.g., by using trojans that masquerade as legitimate voting software. 65 Angela Clem, Sagar Galwankar, George Buck, “Health Implications of Cyber-Terrorism” (2003) 18(3) Prehospital and Disaster Medicine 273–274. See generally Anna W. Mathews, “Anthem: Hacked Database Included 78.8 Million People” (The Wall Street Journal, 24 February 2015) accessed 1 August 2015. 66 See Joyner, Lotrionte (n. 20) 850. Cyber-threat 55

Dimitrios Delibasis, would be attacking a computerized hospital, where life- support systems and medicine administration are controlled by computers.67 Cyber-attacks against medical devices, such as wireless pacemakers, pros- thetic limbs and other implants that exchange data with hospitals represent another direct threat, as tampering with their programming could cause loss of life.68 For instance, in 2012, a researcher demonstrated that it is possible to wirelessly “deliver a deadly, 830-volt shock” to a pacemaker, using a laptop.69 This opens up a new possibility of cyber-assassinations, where high-ranking officials, who undergo medical treatment or rely on life-supporting devices, can be targeted.70 When discussing the next sector of critical infrastructure, water, it should be noted that computerized systems in the drinking supply networks are sometimes expected to perform routine tasks such as filtering water and monitoring its quality. For that reason, some utility companies in technologically advanced states use computerized maintenance management and are connected to a SCADA system (inter alia, via wireless devices and the Internet),71 which creates dangerous interconnectedness that allows malware to propagate. Cyber-strikes that manage to disturb general water distribution can cause some industrial and financial damage. However, computerized drinking water supplies themselves make an obvious target for cyber-attackers, since they can be seen as essential to human survival and disruption of drinking water is capable of causing suffering through dehydration.72 In more extreme cases,

67 Delibasis, The Right to National Self-Defence (n. 20) 68. 68 See generally Abouzakhar (n. 49) 5. 69 Jeremy Kirk, “Pacemaker Hack Can Deliver Deadly 830-Volt Jolt” (Computer World, 17 October 2013) accessed 1 August 2015. 70 On a side note, it should be mentioned that while the probability of this is low, arson can, in theory, also be committed as a result of cyber-attacks. In a noteworthy experiment of 2011, cyber-security expert Charlie Miller has proven that malware can permanently damage Apple’s laptop battery cells—an act, which hypothetically is capable of starting a fire on its own—see generally John E. Dunn, “Apple Battery Firmware Open to Attack, Researcher Finds” (Techworld, 25 July 2011) accessed 1 August 2015. 71 See Cristina Alcaraz, Gerardo Fernandez, Fernando Carvajal, “Security Aspects of SCADA and DCS Environments” in Javier Lopez, Roberto Setola, Stephen Wolthusen (eds.), Critical Infrastructure Protection: Advances in Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense (Springer 2012) 121. 72 It is known that humans can only survive 2–10 days without drinking water, depending on the outside temperature. Though big cities have a lot of liquid drinks that can replace tap water (from bottled water to Coca-Cola), these will eventually run out. 56 Chapter 3 attackers can try to tamper with the filtering systems in order to pollute a drinking supply or to infect it.73 Dams are other water facilities believed to hold substantial destructive potential if subjected to successful cyber-attacks. So far, only a few insignificant breaches have been reported.74 However, as dams are increasingly connected to SCADA systems and technical details become widely known, the chances of cyber-strikes increase.75 Disconnection from the Internet (for example, reportedly practiced as a precaution at the Hoover Dam),76 does not necessarily save dams from attacks, as malware can also traverse by removable devices, and critical infrastructure generally remains vulnerable to insider threats. Should one also attribute life-threatening potential to such attacks? Malfunctioning torrent controls caused by cyber-strikes could, in theory, flood the surrounding areas, causing widespread physical destruction. Phillip Brunst recalls the Banqiao and Shimantan flood of 1975 in China that resulted in thousands of casualties and concludes that “a deliberate opening of the floodgates could put hundreds or even thousands of people at risk”.77 Similar concerns were recently raised again by Jan Kallberg and Rosemary Burk.78 In reality, unlike the 1975 disaster that was caused by excessive rain, cyber- attacks can only result in slow and steady flow of water, due to the design of the dam itself. As rightly observed by Scott Newton, “floodwaters would take hours, and in some cases days, to accumulate”, leaving “residents plenty of time to

73 A possibility envisioned in Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R13C10. 74 E.g., in the Salt River Project in 1994—see Michael E. Kabay, “Attacks on Power Systems: Hackers, Malware” (Network World, 13 September 2010) accessed 1 August 2015. 75 World Federation of Scientists Permanent Monitoring Panel on Information Security, “Toward a Universal Order of Cyberspace: Managing Threats from Cybercrime to Cyberwar” (Report & Recommendations, WSIS-03/GENEVA/CONTR/6-E, ITU 19 November 2003) 10. 76 David Kravets, “No, Hackers Can’t Open Hoover Dam Floodgates” (Wired, 3 February 2011) accessed 1 August 2015. 77 Phillip W. Brunst, “Terrorism and the Internet: New Threats Posed by Cyberterrorism and Terrorist Use of the Internet” in Marianne Wade, Almir Maljević (eds.), A War on Terror? The European Stance on a New Threat, Changing Laws and Human Rights Implications (Springer 2010) 66. 78 Kallberg, Burk (n. 43) 270–271. Cyber-threat 57 evacuate to higher ground”.79 On the other hand, if a cyber-strike causes internal damage at a facility, for example, mirroring the 2009 turbine’s mechanical failure and subsequent explosion at the Sayano-Shushenskaya hydroelectric power plant, it could create a real risk for its personnel. Last, and presently the least computerized critical infrastructure sector is food. It should be said that some experts believe that certain types of food can be poisoned by a cyber-attack. So, in 1997, Barry Collin suggested a scenario, where attackers “remotely access the processing control systems of a cereal manufacturer, change the levels of iron supplement, and sicken and kill the children of a nation as they eat their food”.80 An even more atrocious scenario envisioned by Collin included altering the infant formula.81 In spite of being significantly less probable than attacks against other critical infrastructure, if successful, cyber-strikes jeopardizing safety of food preparation and processing (or storage)82 may take longer time before they are discovered. In addition, according to Delibasis, since food manufacturing plants often take alarmingly little precautions against cyber-strikes, not only do they seem susceptible to them, but it can also make covering tracks easier for the attackers.83

3.3 Reported Cyber-Incidents

Having discussed the theoretical risks that the development of information technology brought into the international arena, one now needs to enquire as to the extent to which they have already been the subject of realization. This is the next step in understanding, whether international law generally is prepared to meet cyber-threats. The following sections are arranged in order of severity of consequences: life-threatening attacks are identified first, followed by reported security threats and disturbances online.

79 Newton (n. 43) 9. 80 Barry Collin, “The Future of Cyberterrorism” (1997) 13(2) Crime & Justice International accessed 1 August 2015. 81 Ibid. 82 This scenario is suggested in the Tallinn Manual (n. 73) R45C4. 83 Delibasis, The Right to National Self-Defence (n. 20) 69. 58 Chapter 3

3.3.1 Life-Threatening Attacks The very first reported life-threatening cyber-attack in 1982 is attributed to the CIA that made the KGB steal sabotaged chip schematics and software.84 The chips were said to be deliberately designed to pass “Soviet quality tests and then to fail in operation”, while the software itself apparently represented a trojan programmed “to reset pump speeds and valve settings to produce pres- sures far beyond those acceptable”, thus causing a three-kiloton explosion.85 Though these claims were later contested by ex-KGB agents,86 the exact explosion time was recorded by the North American Aerospace Defense Command (NORAD).87 There were no reported victims in the Siberian-pipeline incident, although that could have been mainly due to the blast’s remote location.88 A three-kiloton explosion is, in rough comparison, one-fifth of the nuclear blast in Hiroshima, so, if the incident did occur, the destructive potential of cyber-attacks is clear.89 To further support this, one may recall the Nigerian pipeline explosion in 2006 that reportedly killed at least 260 people.90 Another potentially lethal case involved unauthorized access at a US research station in the Antarctica. According to the FBI, in Antarctic winter of 2003, Romanian crackers breached a computer network, inter alia, responsible for the well-being and medical support of 58 scientists and contractors.91 One should mention that although the same station’s radio telescope was compromised just months earlier, it did not pose the same level of danger.92

84 William Safire, “The Farewell Dossier” (The New York Times, 2 February 2004) accessed 1 August 2015. 85 Ibid. 86 Anatoly Medetsky, “KGB Veteran Denies CIA Caused ‘82 Blast” (The Moscow Times, 18 March 2004) accessed 1 August 2015. The incident is also disputed, e.g., in Thomas Rid, Cyber War Will Not Take Place (Hurst & Co. 2013) 5. 87 Safire (n. 84). 88 Ibid. 89 “Little Boy” bomb amounted to 15 kiloton—see Yousaf M. Butt, “The EMP Threat: Fact, Fiction, and Response” (Space Review, 2010) accessed 1 August 2015. 90 “Nigerian Pipeline Blast Spurs UN Call for Fuel Management Review” (International Business Times, 29 December 2006) accessed 1 August 2015. 91 “The Case of the Hacked South Pole” (FBI, 18 July 2003) accessed 1 August 2015. 92 Kevin Poulsen, “South Pole ‘Cyberterrorist’ Hack Wasn’t the First” (The Register, 19 August 2004) accessed 1 August 2015. Cyber-threat 59

Probably the most famous cyber-attack up to date employed the Stuxnet worm and aimed at crippling the Iranian nuclear program.93 It involved a small- degree health hazard as well, worth mentioning here. Though it was not the first time security at a nuclear facility was compromised (in 2003, the Slammer worm reportedly infiltrated safety monitoring systems of a nuclear power station in Ohio),94 the scope and complexity of Stuxnet were unprecedented. Stuxnet was activated in 2009, leading to a series of technical problems at the Bushehr nuclear power plant, followed by reports of an accident at the Natanz nuclear enrichment facility.95 In 2010, President Mahmoud Ahmadinejad admitted that a cyber-attack had damaged the Iranian enrichment centrifuges.96 Using a combination of mostly non-Internet-based methods to propagate, making use of the four zero-day (previously unknown vulnerability) exploits and stolen Siemens credentials, Stuxnet slowly made its way to its primary target, the Natanz facility.97 Sean Watts suggests that it may have also been moni- tored, updated and controlled throughout the attack—a difficult prospect, due to the lack of the Internet at the facilities, though not impossible.98 Stuxnet “altered the frequency of the electrical current that powers the centrifuges, causing them to switch back and forth between high and low speeds

93 Note that Stuxnet was in development since 2005—see Geoff McDonald and others, “Stuxnet 0.5: The Missing Link” (White Paper, Symantec Security Response 2013) accessed 1 August 2015. 94 Kevin Poulsen, “Slammer Worm Crashed Ohio Nuke Plant Network” (Security Focus, 19 August 2003) accessed 1 August 2015. This incident lasted only a few hours and did not represent a serious danger, since the infected plant was partially offline and the back-up systems were not affected. 95 Kim Zetter, “Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target” (Wired, 23 September 2010) accessed 1 August 2015; David E. Sanger, “Iran Fights Malware Attacking Computers” (The New York Times, 25 September 2010) accessed 1 August 2015. 96 Christopher Williams, “Iran Admits Cyberattack Hit Nuke Programme” (The Register, 29 November 2010) accessed 1 August 2015. 97 James P. Farwell, Rafal Rohozinski, “Stuxnet and the Future of Cyber War” (2011) 53(1) Survival 24; Nicolas Falliere, Liam O Murchu, Eric Chien, “W32.Stuxnet Dossier” (Paper, Symantec Security Response 2011) accessed 1 August 2015. 98 Sean Watts, “The Notion of Combatancy in Cyber Warfare” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 244. 60 Chapter 3 at intervals for which the machines were not designed”,99 thereby using vibra- tions and distortions to destroy the devices in the process.100 Centrifuges for nuclear enrichment are extremely fragile, usually work in a vacuum, and in a separate room, therefore, Iranian scientists were not injured. However, since they are handling nuclear materials (in this case, uranium) and gasses, even minor destruction increases the risk of personnel’s contamination. The 2009–2010 incident had serious political ramifications (inter alia, for the future development of international law). On the micro-level, it is estimated that the attack set back the Iranian nuclear program at least one year.101 On the macro-level, according to Dorothy Denning, Stuxnet likely catalyzed the development of new cyber-weapons and was the “forbearer” of upcoming cyber-warfare.102 In 2012, it was revealed that the US and Israel created Stuxnet deliberately to undermine Iran in what is now known as Operation Olympic Games.103 The same year the UK government also reportedly admitted that it had launched cyber-attacks to cause disruption at the Iranian facilities.104

99 Ibid. 100 David Albright, Paul Brannan, Christina Walrond, “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?” (Report, Institute for Science and International Security, 22 December 2010) 6 accessed 1 August 2015; Robert Fanelli, Gregory Conti, “A Methodology for Cyber Operations Targeting and Control of Collateral Damage in the Context of Lawful Armed Conflict” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 328. 101 David E. Sanger, “America’s Deadly Dynamics With Iran” (The New York Times, 5 Nov ember 2011) accessed 1 August 2015. However, note that generally Stuxnet did not dissuade Iran from pursuing its nuclear program—see Emilio Iasiello, “Cyber Attack: A Dull Tool to Shape Foreign Policy” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 459. 102 Dorothy E. Denning, “Stuxnet: What Has Changed?” (2012) 4(3) Future Internet 684. 103 David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran” (The New York Times, 1 June 2012) accessed 1 August 2015. See also “Snowden Confirms NSA Created Stuxnet with Israeli Aid” (RT, 11 July 2013) accessed 1 August 2015. 104 “UK Admits to Cyber Attack on Iran” (PressTV, 19 July 2012) accessed 1 August 2015. Cyber-threat 61

3.3.2 Security Threat 3.3.2.1 Gaining Access as a Potential Threat to Military Operations Information is power that increases chances of success in war. Cyber- espionage alone does not represent a cyber-attack for the purposes of this book. Nevertheless, it is worth mentioning the most important cases of gaining access to military computer systems and data, as they can constitute preparatory steps for damaging attacks. The following examples give a good overview of targets and show how far attackers can proceed in case they decide to deliberately sabotage military operations. Like many attacks today, the earliest intrusions into military systems were motivated by financial gain. This was the case when Marcus Hess was accused of obtaining information from hundreds of the US military computers and sell- ing it to the KGB in 1987,105 and when a group of Dutch crackers purportedly stole data relating to the Gulf War and offered it to Iraq in 1991.106 In 1994, two young crackers from the UK and Israel accessed one of the US Rome Air Development Center (a research and development laboratory) networks and installed a sniffer that collected sensitive information.107 The facility, at the time, contained research on “artificial intelligence, radar guidance systems, target detection and tracking systems”.108 Nart Villeneuve points out that the system could be easily infiltrated in 1994, due to the total lack of security precautions at the Rome Labs (for instance, employees used common words for passwords).109 On a side note, it should be said that, while one may think that these are mistakes of the past, in 2012, crackers reportedly broke into an email account of the Syrian President Bashar al-Assad just because his password was “1234”.110

105 Stanley H. Kremen, “Apprehending The Computer Hacker: The Collection and Use of Evidence” (1998) 2(1) Computer Forensics Online accessed 1 August 2015. 106 Maura Conway, “Cyberterrorism: Hype and Reality” in Leigh Armistead, Information Warfare: Separating Hype from Reality (Potomac Books 2007) 83. 107 US Senate Permanent Subcommittee on Investigations, “Security in Cyberspace” (Appendix B, Federation of American Scientists, 5 June 1996) accessed 1 August 2015. 108 Ibid. 109 Nart Villeneuve, “Cyberterrorism: A Critical Perspective” (University of Toronto) accessed 1 August 2015. 110 Betsy Isaacson, “Hackers Reveal How They Accessed Syrian President Bashar Assad’s Email Using World’s Worst Password” (The Huffington Post, 7 September 2012)

In 1995, another sniffer was planted in the networks of the US Departments of Defense and Energy, giving an Argentinean cracker Julio Ardita access to satellite, radiation and energy research.111 Though no serious harm was done, before being apprehended, Ardita allegedly downloaded data from the US Navy Research and NASA’s Jet Propulsion laboratories, as well as the Ames Research Center.112 It was reported in 1998 that the US military facilities were breached once more in what became known as the Solar Sunrise incident.113 Again, no classified information was accessed, but the attackers managed to acquire the user rights to delete data, edit passwords and manipulate files in the systems responsible for the US armed forces deployment.114 The incident was so serious that President Clinton was informed that it could have been a prelude to a larger cyber-attack.115 Nevertheless, one month later the perpetrators were found to be Ehud Tenenbaum from Israel (who tampered with Israeli systems as well),116 and his two teenage assistants from California.117 The same year (1998), an ongoing campaign (now referred to as the Moonlight Maze incident) was revealed that had targeted and stolen data from computers at the US Department of Defense, Department of Energy, NASA, military contractors and research institutes.118 According to the FBI investigators, Moonlight Maze was likely a Russian intelligence-gathering operation.119

.huffingtonpost.com/2012/09/07/assad-syria-worlds-worst-password-anonymous- hack_n_1863462.html> accessed 1 August 2015. 111 US Department of Justice, “Argentine Computer Hacker Agrees to Waive Extradition and Returns to Plead Guilty to Felony Charges in Boston” (Press Release, 19 May 1998) accessed 1 August 2015. 112 David C. Are, “When Does a ‘Hacker’ Become an ‘Attacker’?” (Monograph, School of Advanced Military Studies 1998) 31. 113 Bradley Graham, “U.S. Studies a New Threat: Cyber Attack” (Washington Post, 24 May 1998) accessed 1 August 2015. 114 Joyner, Lotrionte (n. 20) 839–840. 115 Jason Barkham, “Information Warfare and International Law on the Use of Force” (2001) 34(1) NYU Journal of International Law and Politics 68. 116 Are (n. 112) 32. 117 Joyner, Lotrionte (n. 20) 840. 118 Ibid., 840–841. 119 Bob Drogin, “Yearlong Hacker Attack Nets Sensitive U.S. Data” (Los Angeles Times, 7 October 1999) accessed 1 August 2015. Cyber-threat 63

The last three years saw the discovery of sophisticated automated programs meant for targeted espionage, likely written with the involvement of the military. It was reported that one such program, the Red October (2012), by multiple ways collected information about governmental, diplomatic and research organizations around the world.120 Stars (2011)121 and Mahdi (2012)122 appear to be malware written to specifically collect information about targets in Iran. Duqu (2011), Flame (2012) and Gauss (2012) are other notable malicious programs aimed at the Islamic Republic and other Middle Eastern states. Combining many approaches into one, in 2012, they “intercepted passwords, tracked key presses, recorded sound from an in-built microphone, took screenshots, gathered information on processed files and analyzed network traffic”,123 encrypting information and sending it to an external server afterwards.124 While Duqu, Flame and Gauss are closely related to Stuxnet, only Duqu is believed to be able to unleash similar destructive potential.125

3.3.2.2 Cyber-Interference in Real Military Operations If computerized systems are interfered with during a time of war, it can represent a direct danger to the success of the military operations.

120 Muthoki Mumo, “Kenya Falls Victim to Cyber Attack” (Daily Nation, 16 January 2013) accessed 1 August 2015; Charlie Osborne, “‘Red October’ Malware Spies on Governments Worldwide” (CNET, 14 January 2013) accessed 1 August 2015. 121 “Iran ‘Uncovers Stars Espionage Virus’” (BBC News, 25 April 2011) accessed 1 August 2015. 122 Kim Zetter, “Mahdi, the Messiah, Found Infecting Systems in Iran, Israel” (Wired, 17 July 2012) accessed 1 August 2015. 123 Konstantin Bogdanov, “Cyber Arms Race Could Change the World Around Us” (RIA Novosti, 26 June 2012) accessed 1 August 2015. 124 Ibid. 125 See Louise Arimatsu, “A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 97. 64 Chapter 3

It was reported that, in 1991, a certain type of malware was created and installed on a printer chip meant to neutralize the Iraqi Air Defense network prior to the commencement of the first phase of Operation Desert Storm.126 The program never had the chance to perform its function, due to the immediate destruction of the Iraqi Ministry of Defense.127 The story is questionable, because the path of one single infected printer was hard to predict (it allegedly travelled from France, via Jordan’s capital, on a truck, and made its way right to the ministry’s computers).128 Moreover, because the Plug and Play technology was not widely used in 1991, the malware would, more likely, be uploaded onto a software disk necessary for the installation of the printer rather than on the device itself. This strongly suggests that no such program ever existed.129 However, this story led to speculations that the Israeli attack on a Syrian nuclear facility al- Kibar in 2007 was accompanied by a cyber-strike disrupting air defense sys- tems130 and that, nowadays, the French defense contractors implant chips meant to disable equipment in case it is used against France.131 Furthermore, in 2011, it was reported that the President Obama administration openly considered disabling Libyan air defenses through cyber-attacks prior to the NATO bombing campaign, as part of the Operation Unified Protector.132 During the 1999 Kosovo conflict, various groups (primarily from Yugoslavia) attacked NATO, as well as American and British servers, taking some of them offline, and temporarily defacing websites.133 The relatively basic attacks and spam emails were insufficient to alter the course of the Kosovo campaign

126 Delibasis, The Right to National Self-Defence (n. 20) 32. 127 Ibid. 128 Ibid. 129 George Smith, “Iraqi Cyberwar: An Ageless Joke” (Security Focus, 10 March 2003) accessed 1 August 2015. 130 Sally Adee, “The Hunt for the Kill Switch” (IEEE Spectrum, May 2008) accessed 1 August 2015; Ron Rhodes, Cyber Meltdown: Bible Prophecy and the Imminent Threat of Cyberterrorism (Harvest House 2011) 39–40. See also Clarke, Knake (n. 4) 6–8. 131 Adee (n. 130). 132 See Eric Schmitt, Thom Shanker, “U.S. Debated Cyberwarfare in Attack Plan on Libya” (The New York Times, 17 October 2011) accessed 1 August 2015. 133 Janet J. Prichard, Laurie E. MacDonald, “Cyber Terrorism: A Study of the Extent of Coverage in Computer Security Textbooks” (2004) 3 Journal of Information Technology Education 281; Desmond Ball, “China’s Cyber Warfare Capabilities” (2011) 7(2) Security Challenges 95. Cyber-threat 65 itself.134 Nevertheless, at least one official NATO website, which covered the conflict from a Western point of view, was said to have been decommissioned.135 In addition, a simultaneous flood of emails reportedly disrupted work of a NATO email server.136 Although the American war effort was not influenced by the cyber-attacks, the UK was reported to have lost some information.137 The Alliance members also tried to use cyber-attacks during the Kosovo conflict. For example, President Clinton is said to have authorized the infiltra- tion of the Yugoslav leadership’s bank accounts in order to withdraw money meant for military expenditures.138 Like in the cases of Iraq (1991) and Libya (2011), the US considered and attempted to disrupt anti-aircraft systems to ensure maximum protection for NATO airplanes, in this instance, by spoofing fake targets on the radar screens.139 Success of the operation remains unclear. A virtual blockade was considered as well, when the US State and Treasury Departments allegedly negotiated with communication companies the possibility of completely disconnecting Yugoslavia from the Internet.140 With the increased use of UAVs, new military threats arise.141 In 2009, it was reported that Iraqi and Afghani insurgents intercepted real-time video footage from the US Predator drones using cheap software.142 In September 2011, a keylogger (software meant to intercept keys pressed on a keyboard) reportedly

134 See Sam Berner, “Cyber-Terrorism: Reality or Paranoia?” (2003) 5(1) South African Journal of Information Management 3. 135 Kenneth Geers, “Cyberspace and the Changing Nature of Warfare” (SC Magazine, 27 August 2008) accessed 1 August 2015. 136 Ibid. 137 Ibid. 138 Joyner, Lotrionte (n. 20) 842; Gregory L. Vistica, “Cyberwar and Sabotage” (1999) 133(22) Newsweek 38. 139 Anthony H. Cordesman, Cyber-Threats, Information Warfare and Critical Infrastructure Protection: Defending the U.S. Homeland (Praeger Publishers 2002) 38. See also Jeffrey T.G. Kelsey, “Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in the Age of Cyber Warfare” (2008) 106(7) Michigan Law Review 1434–1435. 140 William Yurcik, David Doss, “Internet Attacks: A Policy Framework for Rules of Engagement” (Paper, 2001) 9 accessed 1 August 2015. 141 Currently UAVs are in use in more than fifty states (including China, Egypt, France, Germany, Georgia, India, Israel, Pakistan, Russia, UK and USA)—see Jack M. Beard, “Law and War in the Virtual Era” (2009) 103(3) AmJIL 103. 142 Siobhan Gorman, Yochi J. Dreazen, August Cole, “Insurgents Hack U.S. Drones” (The Wall Street Journal, 17 December 2009) accessed 1 August 2015. 66 Chapter 3 infiltrated computers at the Creech Air Force Base responsible for the control of the US Reaper and Predator drones.143 While this program does not appear to have caused any damage, three months later, the Iranian Army’s Electronic Warfare Unit (allegedly)144 hijacked the American stealth RQ-170 Sentinel drone from the skies and safely landed it in the Iranian territory.145 In 2013, active UAV interception by what was said to be cyber-means continued.146 Now, for the sake of providing a realistic picture of cyber-attacks, one must look at incidents that are sometimes depicted as cyber-disasters, but which, realistically, very often represent nothing more than nuisance for states.

3.3.3 Nuisance 3.3.3.1 Malware When it comes to malware generally, although it started to appear as early as 1970s, in the beginning it was either deliberately made as non-damaging147 or was limited in its distribution, due to the diversity of existing operating systems, computer systems, and restricted access to the Internet.148 It took until 1987 for the first serious damage-inducing programs to appear. The worm-trojan hybrid Christmas Tree EXEC (1987) was the first to cause major disruption of the international networks by displaying an undesired image.149 A year later, Robert Morris wrote and launched the Morris worm,

143 Noah Shachtman, “Exclusive: Computer Virus Hits U.S. Drone Fleet” (Wired, 7 October 2011) accessed 1 August 2015. 144 Some researchers attribute the drone loss to a “technical malfunction”—see Kim Hartmann, Christoph Steup, “The Vulnerability of UAVs to Cyber Attacks—An Approach to the Risk Assessment” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 101. Thomas Rid also argues that a cyber-attack is unlikely to succeed against a “more complex armed military drone in the field”, although this is debatable—see Rid (n. 86) 15. 145 “Iran Military Landed US Spy Drone” (PressTV, 9 December 2011) accessed 1 August 2015. Note that scientists at the University of Texas reportedly built a 1000 USD system that can reroute and crash civilian drones—see Mathew J. Schwartz, “GPS Spoofer Hacks Civilian Drone Navigation System” (InformationWeek, 29 June 2012) accessed 1 August 2015. 146 “Iran: Military Captured Foreign ‘Enemy Drone’” (CBS News, 16 May 2013) accessed 1 August 2015. 147 E.g., viruses like Creeper (1971), ANIMAL (1974), Elk Cloner (1981). 148 E.g., trojans like ARF (1983) and viruses like Ashar/Brain (1986), Jerusalem (1987), SCA (1987), Vienna (1987). 149 Eduardo Gelbstein, Ahmad Kamal, Information Insecurity: A Survival Guide to the Uncharted Territories of Cyber-Threats and Cyber-Security (UN ICT Task Force 2002) 51. Cyber-threat 67 accidently making it more damaging than originally intended, as it endlessly copied itself onto the same machines, significantly slowing down work and making the computers “catatonic”.150 In the subsequent years, malware continued to be released, becoming more sophisticated, exploiting new vulnerabilities (to a large extent, those of the Microsoft Windows operating system, which was used on the vast majority of computers in the late 1990s). Malicious software inflicted more and more destruction,151 culminating in 2000, when a worm known as ILOVEYOU reportedly, for the first time in history, caused damage reaching 10 billion USD,152 infecting over 50 million of computers worldwide, and forcing the British Parliament, Pentagon, and the CIA to shut down their email servers.153 Though the distribution mechanism of ILOVEYOU was not innovative,154 the speed at which this worm spread was said to have been far quicker than any state body could react.155 This clearly emphasized the high importance of preventive approach when addressing this kind of threats. Many malicious programs that followed used the same tactic as ILOVEYOU and propagated through mass mailing.156 The record for the fastest-spreading worm was set by MyDoom (2004), which, rather than containing a classic message in the transmitted email, appeared as a delivery error.157

150 United States v Morris 928 F2d 504 (2d Cir, 1991) 506. 151 E.g., Ping-Pong (1988), Hate (1988), Ghostball (1989), 1260 (1990), Michelangelo (1992), Leandro & Kelly (1993), Freddy Krueger (1993), OneHalf (1994), Concept (1995), Ply (1996), Chernobyl (1998), Happy99 (1999), Melissa (1999), ExploreZip (1999), KAK (1999). 152 “Top 10 Computer Viruses” (Symantec PC Tools, 21 July 2010) accessed 1 August 2015. 153 Ned Potter, “Top 10 Computer Viruses and Worms” (ABC News, 3 September 2009) accessed 1 August 2015. 154 The worm spread through emails that contained an infected attachment masked as an ordinary (in this case, a Notebook *.txt*) text file. 155 See Dimitrios Delibasis, “State Use of Force in Cyberspace for Self-Defence: A New Challenge for a New Century” (2006) 8(1) Peace, Conflict & Development 4. 156 E.g., Hybris (2000), AnnaKournikova (2001), SirCam (2001), Klez (2001), MyLife (2002), SoBig (2003), Swen (2003), Sober (2003), Bagle (2004), Vundo (2004), Netsky (2004), Nyxem (2006), Brontok (2006), Ofigel (2006), Stration (2006), Yamann (2006), Storm (2007), HereYouHave (2010), Waledac (2010). 157 “Security Firm: MyDoom Worm Fastest Yet” (CNN, 28 January 2004) accessed 1 August 2015. 68 Chapter 3

Other malware utilized peer-to-peer networks,158 shared hard disks,159 general server160 and port vulnerabilities,161 various Internet browser flaws,162 vulnerabilities of operating systems, including Windows,163 Mac OS,164 Linux,165 Solaris,166 and even the Internet security software itself.167 Some programs spread through a combination of these means. For example, Nimda (2004) was quite damaging, since it infected other computers simultaneously through email, shared networks, web servers and Windows vulnerabilities.168 Another example is Daprosy (2009), which spread via emails, local networks and removable USB sticks.169 At this point, it is important to mention that “lost” USB devices (and, to a lesser extent, flash memory cards) or those given away as gifts are an increasingly popular way to distribute malware.170 In one case, an infected USB stick found and connected to a laptop at a US military base in the Middle East was able to upload malware into the US Central Command in 2008, leading to a total prohibition of external devices by the Pentagon.171 Internal reports of the

158 E.g., Kenzero (2010). 159 E.g., Shamoon (2012). 160 E.g., SQL Slammer/Sapphire (2003), Santy (2004). 161 E.g., Sasser (2004). 162 E.g., CoolWebSearch (2003), Bohmini (2008). 163 E.g., Beast (2002), Simile (2002), Agobot/Gaobot (2003), Bolgimo (2003), Bifrost (2004), Blaster (2003), Graybird (2003), Nuclear RAT (2003), ProRat (2003), Welchia (2003), Bandook (2005), Zlob (2005), Rbot/Zotob (2005), Torpig (2008), Morto (2011). 164 E.g., Oompa/Leap (2006). 165 E.g., Ramen (2001), L10n (2001). 166 E.g., Sadmind (2001). 167 Both real (e.g., Witty 2004) and fictional (e.g., Alureon 2010, AntiSpyware 2011). 168 Eric Chien, “W32.Nimda.A@mm” (Symantec Security Response, 13 February 2007) accessed 1 August 2015. 169 Nino F. Gutierrez, Takashi Katsuki, Tamas Rudnai, “W32.Daprosy” (Symantec Security Response, 16 July 2009) accessed 1 August 2015. 170 Robert Koch, Björn Stelte, Mario Golling, “Attack Trends in Present Computer Networks” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 274; Robert Koch, “Towards Next- Generation Intrusion Detection” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 153. 171 Known as Operation Buckshot Yankee (2008)—see William J. Lynn, “Defending a New Domain: The Pentagon’s Cyberstrategy” (2010) 89(5) Foreign Affairs 97–98; Sverre Myrli, “NATO and Cyber Defence” (Committee Report 173 DSCFC 09 E BIS, NATO Parliamentary Cyber-threat 69

Indian army also appear to admit that external storage devices are most dangerous to its security.172 New technological and social advances of the 21st century have led to the creation of specialized malware that employs new methods of distribution. Since certain websites, programs and hardware are all accessed even on the governmental computers, their misuse in the context of cyber-attacks should not be underestimated. One such program, the trojan Optix Pro (2003), propagated through instant messaging programs, such as the ICQ and Msn Messenger,173 while the NGRBot (2012) used Skype to spread.174 Mocmex (2008) was the first reported malware to appear on digital media frames.175 Additionally, it is acknowledged that malicious programs today infect mobile telephones and smartphones,176 and may distribute themselves through device vulnerabilities, SMS, MMS, or the wireless Bluetooth technology.177 Notably, their operation can consume unno- ticeable amount of battery life and data.178

Assembly 2009) para. 8 accessed 1 August 2015. 172 Jitender Singh, “Indian Army Sees USB Drives as Biggest Threat to Their Security” (The News Tribe, 21 October 2012) accessed 1 August 2015. 173 “Backdoor:Win32/Optixpro.J.dr” (Microsoft Malware Protection Center, 7 February 2007) accessed 1 August 2015. 174 “NGRBot” (McAfee Labs Threat Advisory, 17 October 2012) accessed 1 August 2015. 175 Steve Sechrist, “State of Security: China’s Trojan Horse” (Display Daily, 18 March 2008) accessed 1 August 2015. 176 E.g., Cabir (2004), Duts (2004), Mosquit (2004), Skuller (2004), CommWar (2005), Lasco (2005), StealWar (2006), Ikee (2009), FakePlayer (2010), Dream (2011), Geinimi (2011), Gingermaster (2011), KungFu (2011), Toplank (2011), Zitmo (2011), Spitmo (2011). 177 Alexander Gostev, “Mobile Malware Evolution: An Overview, Part 1” (SecureList, 29 September 2006) accessed 1 August 2015; “2012 Threat Predictions” (Report, McAfee Labs, 2012) 9 accessed 1 August 2015. 178 For instance, in one experiment a botnet consumed 0.8% of the battery power per 24 hours and less than 200 kilobytes per month—see Heloise Pieterse, Martin Olivier, “Design of a Hybrid Command and Control Mobile Botnet” in Douglas Hart (ed.), Proceedings of the 70 Chapter 3

Some programs are specially created to abuse social networks, to spread through them, to gather personal information and to corrupt social media. So, the worm Samy (2005) distributed itself in MySpace,179 Adrecl (2007) in Orkut,180 Zeus trojan (2007) propagated through unsolicited messages and groups on Facebook,181 and the Koobface worm (2008) targeted users of Twitter and other social networks.182 Malware is quite capable of interfering with governmental activities and thus causing serious financial and political damage. In 1997, a teenager managed to cause an outage at the Worcester Airport that disabled multiple telephone connections at the facility and hampered the work of the “main radio transmitter [. . .] and a circuit which enables aircraft to send an electric signal to activate the runway lights on approach”.183 In 2004, work at the Neton-Washington water utility was claimed to have been disrupted for three days, when malware crashed its email server.184 A similar disturbance was allegedly caused in the Harrisburg water filtering plant two years later.185 According to reports, the Sasser worm infected computers and made work difficult at the British Maritime and Coastguard Agency, Taiwan’s national

8th International Conference on Information Warfare and Security (Academic Publishing International 2013) 191. 179 Justin Mann, “MySpace Speaks about Samy Kamkar’s Sentencing” (TechSpot Industry News, 31 January 2007) accessed 1 August 2015. 180 Fraser Howard, “Web Attacks 2.0: The Maturating of Web Attacks” in Vlasti Broucek, Eric Filiol (eds.), 17th EICAR Annual Conference Proceedings (EICAR 2008) 422. 181 Ben Nahorney, Nicolas Falliere, “Trojan.Zbot” (Symantec Security Response, 13 November 2012) accessed 1 August 2015. 182 Eric Chien, Jarrad Shearer, “W32.Koobface” (Symantec Security Response, 8 August 2012) accessed 1 August 2015. 183 US Department of Justice, “Juvenile Computer Hacker Cuts off FAA Tower” (Press Release, 18 March 1998) accessed 1 August 2015. 184 Steve Gold, “Computer Hacker Disrupts Washington Water Utility” (SC Magazine Security News, 1 March 2004) accessed 1 August 2015. 185 Robert McMillan, “Hackers Break into Water System Network” (Computer World, 31 October 2006) accessed 1 August 2015. Cyber-threat 71 post, Hong Kong government, Australian railroad services, as well as banks and airlines worldwide in 2004.186 Another serious incident reported in 2004 involved a crisis over wiretapping via malicious software of a large number of mobile phones belonging to officials in the Greek government, including the Prime Minister.187 The perpetrators were never identified. In 2005, malware meant to create a botnet (a stealthy network of computerized devices) for Christopher Maxwell caused multiple temporary malfunc- tions at the Seattle’s Northwest Hospital.188 Specifically, “doors to the operating rooms did not open, pagers did not work and computers in the intensive care unit shut down”.189 Since the discovery of the spy operation called Titan Rain, China is often accused of using malware for computer-espionage, as it is argued that its cyber- operations conducted in more than a hundred countries yearly penetrate and steal files, inter alia, from “embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers”.190 Notably, the trojan Gh0st RAT used during the 2009 GhostNet espionage campaign was suspected of allowing crackers to assume control over web-cameras and microphones to determine what was going on around the infected computers.191

186 “Sasser Net Worm Affects Millions” (BBC News, 4 May 2004) accessed 1 August 2015. 187 Vassilis Prevelakis, Diomidis Spinellis, “The Athens Affair” (IEEE Spectrum, July 2007) accessed 1 August 2015. 188 US Department of Justice, “California Man Pleads Guilty in ‘Botnet’ Attack That Impacted Seattle Hospital and Defense Department” (Press Release, 4 May 2006) accessed 1 August 2015. 189 Ibid. 190 John Markoff, “Vast Spy System Loots Computers in 103 Countries” (The New York Times, 28 March 2009) accessed 1 August 2015. See also Myrli (n. 171) para. 8; Rhodes (n. 130) 38–39; Ball (n. 133) 86–97; Deborah L. Wheeler, “Understanding Cyber Threats” in Kim J. Andreasson (ed.), Cybersecurity: Public Sector Threats and Responses (CRC Press 2012) 31; William Hagestad, 21st Century Chinese Cyberwarfare (IT Governance 2012) 28–29; Malcolm Moore, “Chinese Hackers Steal Dalai Lama’s Emails” (The Telegraph, 6 April 2010) accessed 1 August 2015. 191 Markoff, “Vast Spy System” (n. 190). Note that, in 2012, Georgian investigators reportedly photographed a cracker using his own web-camera—see Charlie Osborne, “Georgia Turns the Tables on Russian Hacker” (ZDNet 30 October 2012) accessed 1 August 2015. Similar actions are possible, e.g., via Bundestrojaner (2011) or the DarkComet Remote Access Tool (2012). 72 Chapter 3

Corporate data seems to represent a particular interest to Chinese cyber- spies. For example, the 2009–2010 operation called Aurora allegedly stole intellectual property of Google and other major Western corporations,192 while the 2009–2011 campaign dubbed Night Dragon supposedly targeted and extracted corporate secrets of “global oil, energy and petrochemical companies”.193 The Conficker worm that spread throughout public and military cyber- infrastructure in many countries reportedly infected German Bundeswehr’s (army) computers in 2009.194 Up to three-quarters of the UK Royal Navy also appeared to have their desktop computers infected.195 Because of Conficker, a French Navy network was said to be isolated, forcing aircraft to stand by as they could not “download their flight plans”.196 According to reports, the Japanese military industry was also hit and put on hold in 2011by malware that infected infrastructure used by plants producing submarines, missiles, rocket engines and nuclear components.197 Furthermore, malware was suspected of entering incorrect prices “on a large number of stock orders” at the London Stock Exchange in 2010 resulting in a major disturbance that knocked down stock prices of five major companies and forced the Exchange to stop trading for a day.198

192 “McAfee Offers Guidance and Protection as China-Linked Google Cyberattack Continues to Unfold” (Press Release, BusinessWire, 17 January 2010) accessed 1 August 2015. 193 John E. Dunn, “Chinese Accused of Huge Attack on Energy Sector” (PC World, 10 February 2011) accessed 1 August 2015. 194 John Leyden, “Conficker Botnet Remains Dormant—For Now” (The Register, 1 April 2009) accessed 1 August 2015. 195 Lewis Page, “MoD Networks Still Malware-Plagued After Two Weeks” (The Register, 20 January 2009) accessed 1 August 2015. 196 Kim Willsher, “French Fighter Planes Grounded by Computer Virus” (The Telegraph, 7 February 2009) accessed 1 August 2015; Patrice Tromparent, “French Cyberdefence Policy” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 81. 197 Rob Taylor, “Japan’s Defense Industry Hit by its First Cyber Attack” (Reuters, 19 September 2011) accessed 1 August 2015. 198 Leo King, “London Stock Exchange ‘Under Major Cyberattack’ During Linux Switch” (Computer World UK, 31 January 2011)

In 2011, a trojan seeking files related to the G20 presidency caused incon- venience by contaminating more than 150 computers of the French Ministry of Economy, Finance and Industry.199 The same year a South Korean bank Nonghyup was attacked with malware reportedly from North Korea,200 which “left customers unable to withdraw and transfer money, use their credit cards and take out loans” for three days.201 In 2013, according to the media, the attacks on the South Korean banking sector continued.202 Reports also indicate that a crippling cyber-blow was struck at the Saudi Arabian Oil Company (Aramco), in 2012, when the Shamoon virus wiped out hard disks on thirty thousand computers, leading Saudi Arabia to conclude that it was an attack against its economy, possibly from Iran.203 A few weeks later, the same virus appeared to have caused major disruptions at the Qatari gas-producing company RasGas.204 In response, attempts to access and, possibly, cause damage via networks of the Iranian oil and gas industry were undertaken the same year.205 It should be noted that aside from the economic-harm-oriented cyber- attacks against energy industry, there are other cyber-strikes that aim to

3258808/london-stock-exchange-under-major-cyberattack-during-linux-switch/> accessed 1 August 2015. 199 Tromparent (n. 196) 80. 200 “North Korea ‘Behind South Korean Bank Cyber Hack’” (BBC News, 3 May 2011) accessed 1 August 2015. 201 Tyler Thia, “South Korean Bank Probed After System Outage” (ZDNet, 18 April 2011) accessed 1 August 2015. 202 Se Y. Lee, “South Korea Raises Alert After Hackers Attack Broadcasters, Banks” (Reuters, 20 March 2013) accessed 1 August 2015. 203 “Shamoon was an External Attack on Saudi Oil Production” (InfoSecurity Magazine, 10 December 2012) accessed 1 August 2015; Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back” (The New York Times, 23 October 2012) accessed 1 August 2015. 204 Ibid; Patrick Osgood, “Cyber Attack Takes Qatar’s RasGas Offline” (Arabian Business, 30 August 2012) accessed 1 August 2015. 205 Yeganeh Torbati, “Cyber Attackers Target Iranian Oil Platforms: Official” (Reuters, 8 October 2012) accessed 1 August 2015. 74 Chapter 3 damage rather than to steal. Among them, one could mention the suspected insider-assisted trojan that tried to “gain control over the central switchboard, which controls gas flows in pipelines” of the Russian Gazprom in 1999,206 or efforts to infect computers of the US gas pipeline operators with malware in 2012.207

3.3.3.2 Insider Threat A series of incidents involving people working in close or direct proximity to nationally important computers have occurred over the few last decades.208 Unlike their conventional counterparts, insider cyber-saboteurs allow malicious software to carry out the damaging acts for them. To avoid suspicion, they often rely on logic bombs, which, in contrast to most other malware, have delayed impact on the targeted systems. It should be said that, because of the delay, these cyber-attacks often fail. For example, in 1992, Michael Lauffenburger reportedly attempted to use a logic bomb to delete vital rocket project data at General Dynamics, where he worked at the time.209 The ex-employee’s plan was unsuccessful, as the program was discovered before it could do any harm.210 The same fate awaited Yung-Hsun Lin’s logic bomb that he planted onto the Medco Health Solutions servers in 2003.211 Allegedly, the bomb was meant to erase, inter alia, “patient-specific drug interaction information that pharma- cists use to determine whether conflicts exist among various [. . .] prescribed drugs”, but it was found months before it had the chance to work.212 Doubtless,

206 Denning, “Cyberterrorism” (n. 23); Rid (n. 86) 74. 207 Elinor Mills, “U.S. Warns of Cyberattacks on Gas Pipeline Companies” (CNET, 7 May 2012) accessed 1 August 2015. 208 An outsider can also sometimes access facilities and perform cyber-sabotage by pre- tending to be a person with authorized access (e.g., a maintenance engineer), or by simply asking “to send an urgent e-mail”—see Stefano Baldi, Eduardo Gelbstein, Jovan Kurbalija, Hacktivism, Cyber-Terrorism and Cyberwar: The Activities of the Uncivil Society in Cyberspace (DiploFoundation 2003) 39. See generally Koch, Stelte, Golling (n. 170) 275. 209 “Computer Programmer Charged in Sabotage Plot” (The New York Times, 27 June 1991) accessed 1 August 2015. 210 Ibid. 211 Jaikumar Vijayan, “Unix Admin Pleads Guilty to Planting Logic Bomb” (PC World Security, 21 September 2007) accessed 1 August 2015. 212 Ibid. Cyber-threat 75 if it did work, the lost medical data would create many problems for the local health sector. Other unsuccessful endeavors to cause damage highlighted in the media involved disgruntled employees at UBS in 2006,213 Tehama Colusa Canal Authority in 2007,214 Federal National Mortgage Association in 2008215 and the US Transport Security Administration in 2009.216 Although these attempts to cause damage failed, similar acts by insiders continue to remain a real threat to national interests of technologically advanced states. When insiders are ready to cause damage directly and instantaneously at the expense of higher risk of being exposed, their chances of success are increased. Vitek Boden proved this in 2000, when he accessed the SCADA system of Maroochy Water Services (which he himself helped install) and manually released “800,000 liters of raw sewage [. . .] into local parks, rivers and even the grounds of a Hyatt Regency hotel”.217 Likewise, according to reports, in 2006, two engineers on a strike (Kartik Patel and Gabriel Murillo) directly cracked into traffic lights control, causing a disruption at four major junctions in Los Angeles.218 The next year, a guard (Jesse McGraw) at the Dallas Carrell Clinic successfully tampered with the

213 Sharon Gaudin, “Nightmare on Wall Street: Prosecution Witness Describes ‘Chaos’ In UBS PaineWebber Attack” (InformationWeek, 6 June 2006) accessed 1 August 2015. 214 Robert McMillan, “Insider Charged with Hacking California Canal System” (Computer World, 29 November 2007) accessed 1 August 2015. 215 Thomas Claburn, “Fannie Mae Contractor Indicted for Logic Bomb” (InformationWeek, 29 January 2009) accessed 1 August 2015. 216 Elizabeth Montalbano, “TSA Hacker Sentenced to Prison” (InformationWeek, 13 January 2011) accessed 1 August 2015. 217 Marshall Abrams, Joe Weiss, “Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services” (National Institute of Standards and Technology Computer Security Division, 23 July 2008) 1 accessed 1 August 2015; Susan W. Brenner, “Cybercrime, Cyberterrorism and Cyberwarfare” (2006) 77(3) International Review of Penal Law 458. 218 Sharon Bernstein, Andrew Blankstein, “Key Signals Targeted, Officials Say” (Los Angeles Times, 9 January 2007) accessed 1 August 2015; Scott D. Applegate, “The Dawn of Kinetic Cyber” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 169. 76 Chapter 3 hospital’s “Heating, Ventilation and Air Conditioning”, arguably jeopardizing the health of patients sensitive to high Texan temperatures.219 The last two types of interference that need to be discussed in this sub- chapter are website defacements and denial of service. Whilst such attacks are even less harmless than malware, they are the ones that are most often exaggerated and mistakenly claimed to constitute a serious threat by the media, by victim-states and by the attackers themselves.

3.3.3.3 Website Defacements Nowadays, one of the most frequent exasperating activities in cyber-space is the website defacement, that is, visual corruption of public webpages belonging to states or organizations. Defacements can be perpetrated by anyone who has basic password-cracking and website-editing skills, and they are often the extension of existing political or armed conflicts into the virtual realm. Since 1996, Taiwanese websites are routinely defaced by Chinese crackers every time the officials in Taipei imply that Taiwan may become a fully independent state.220 Similarly, Japanese websites were reportedly defaced by the Chinese in 2012 when Japan nationalized three of the disputed Senkaku (Diaoyu) Islands.221 Certain cyber-antagonism also exists between the US and China, which results in mutual website defacement accompanying serious political tensions. Notable examples include the cyber-fallout of the 1999 Chinese embassy bombing in Yugoslavia or the detention of the American military flight crew in 2001.222 A suspected side-product of the latter, the Code Red worm, vandalized webpages and infected hundreds of thousands of computers.223 From the beginning of the Second Intifada, Israel has been defacing websites of its opponents, namely, Palestinian National Authority, Hamas, Hezbollah and Iran.224 In turn, pro-Palestinian crackers (which, as of 2012, include the

219 US Attorney’s Office, “Arlington Security Guard Arrested on Federal Charges for Hacking into Hospital’s Computer System” (Press Release, FBI, 30 June 2009) accessed 1 August 2015. See also Rid (n. 86) 75. 220 See Ball (n. 133) 94. 221 “Chinese Cyber Attacks Hit Japan over Islands Dispute” (The Globe and Mail, 19 September 2012) accessed 1 August 2015. 222 Creekman (n. 20) 643. 223 Ibid., 664; Jason Fritz, “How China Will Use Cyber Warfare to Leapfrog in Military Competitiveness” (2008) 8(1) Culture Mandala 52. 224 Geers, “Cyberspace” (n. 135). Cyber-threat 77 infamous Anonymous group)225 are said to target Israeli political and military websites, as well as those of the media, banks, universities, stock exchange and national airlines.226 In a parallel cyber-conflict, the Mumbai terrorist attacks in 2008 caused a renewed exchange of hostilities between Pakistani and Indian cracking teams, and hundreds of websites on both sides were vandalized, according to the media (among them, that of the Indian Central Bureau of Investigation, which directly deals with cyber-threats).227 Other reported instances include online protests over the picture of Prophet Mohammed in Jyllands-Posten newspaper (2006),228 the defacement of Burmese dissidents’ webpages (2008),229 vandalism on the Malaysian websites by the Indonesian crackers (2009)230 and defacements of Lithuanian websites by the pro-Soviet crackers (2009).231

225 Damien Gayle, “Hackers Declare ‘Cyber war’ on Israel After IDF Threatens to Cut Off Internet in Gaza” (Daily Mail, 20 November 2012) accessed 1 August 2015. 226 Geers, “Cyberspace” (n. 135); Rhodes (n. 130) 40; Yolande Knell, “New Cyber Attack Hits Israeli Stock Exchange and Airline” (BBC News, 16 January 2012) accessed 1 August 2015. 227 “Hacked by ‘Pakistan Cyber Army’, CBI Website Still Not Restored” (NDTV, 4 December 2010) accessed 1 August 2015; Mayank Tewari, “Indo-Pak Cyber War Hots Up” (Daily News & Analysis, 7 January 2009) accessed 1 August 2015; Waseem Abbasi, “Pakistani Hackers Defaced over 1,000 Indian Websites” (The News International, 6 April 2013) accessed 1 August 2015. 228 John Leyden, “Islamist Hackers Attack Danish Sites” (The Register, 9 February 2006) accessed 1 August 2015. 229 Jose Nazario, “Politically Motivated Denial of Service Attacks” in Christian Czosseck, Kenneth Geers (eds.), The Virtual Battlefield: Perspectives on Cyber Warfare (IOS Press 2009) 168. 230 Kinanti P. Karana, Heru Andriyanto, “Indonesian Hackers Claim Web Attack on Malaysian Sites” (Jakarta Globe, 1 September 2009) accessed 1 August 2015. 231 Sara Rhodin, “Hackers Tag Lithuanian Web Sites with Soviet Symbols” (The New York Times, 1 July 2008) accessed 1 August 2015. 78 Chapter 3

None of the above-mentioned incidents constituted a real threat to national security. The list of less serious defacements is close to unlimited, and, due to their relative simplicity and public effect, such acts can be expected to continue for decades to come. That being said, defacements are unlikely to ever become anything more than a nuisance for states.

3.3.3.4 DoS Attacks All politically-motivated website defacements (including those mentioned above) are almost always accompanied by punitive denial of service (DoS) attacks, which involve “flooding a target computer system with ‘packets’, such as communications requests or messages [. . .] in order to cause it to overload and cease functioning”.232 There is a joke that if the entire population of China will simultaneously enter “Mao Zedong” as the password to one of the Pentagon’s servers, the latter will indeed accept it as the only valid one. This is very unlikely to be true, but, if 1.3 billion people will at the same time enter a webpage using a simple Internet browser, be it of Pentagon, Kremlin, MI6 or the Venezuelan Military Headquarters, and especially if they start pressing F5 (refresh) repeatedly, it is almost certain to crash. This is the most primitive way of conducting a DoS attack, however, more complicated software-assisted strikes are said to be capable of bringing down servers and webpages using no more than 120 computers.233 Already by 2011, when this book was started, there had been hundreds of DoS attacks reported, targeting webpages of embassies, ministries, presi- dents’ administrations, corporations, famous blogs and news-agencies, atomic research centers, various stock exchanges, international and national financial institutions, universities and central application offices, as well as other websites.234 Two major attacks were reportedly performed against the root

232 Mark Johnson, Cyber Crime, Security and Digital Intelligence (Gower 2013) 83. See also Nazario (n. 229) 173. 233 Ashley Fantz, Atika Shubert, “WikiLeaks ‘Anonymous’ Hackers: ‘We Will Fight’” (CNN, 9 December 2010) accessed 1 August 2015. 234 See “DDoS Public Media Reports” (Berkman Center for Internet and Society 2011) accessed 1 August 2015. Cyber-threat 79 name servers themselves: in 2002 and 2007, in an (unsuccessful) effort to bring down the Internet altogether.235 In general, DoS attacks are the most unsophisticated types of cyber-strikes that do not require any understanding of computer security or how networks operate. One can easily obtain the necessary “tools” online (such as Low / High Orbit Ion Cannon or the e-Jihad programs)236 to participate in DoS operations, that is to become a “script-kiddie”. In the past, reports emerged of effective attacks being conducted just by one individual (for example, MafiaBoy),237 though they are usually launched by a group of persons upset over various reasons: for instance, alleged supporters of WikiLeaks,238 PirateBay239 or, more recently, of Bashar al-Assad.240 Websites of banks and other commercial enterprises are the most attractive targets of DoS attacks, since their disruption (even if temporary) can result in direct financial damage. Having said that, such damage can rarely be considered significant enough to be more than just nuisance for states.

235 Sharon Gaudin, “DoS Attack Cripples Internet Root Servers” (InformationWeek, 6 February 2007) accessed 1 August 2015. 236 See Geoff Duncan, “WikiLeaks Supporters Using Volunteer and Zombie Botnets” (Digital Trends Computing, 9 December 2010) accessed 1 August 2015; John Breeden, “Hackers’ New Super Weapon Adds Firepower to DDOS” (GCN, 24 October 2012) accessed 1 August 2015; Andrew Campbell, “‘Electronic Jihad’ November 11 Attack Fails to Materialize” (DailyTech, 13 November 2007) accessed 1 August 2015. 237 “‘Mafiaboy’ Hacker Jailed” (BBC News, 13 September 2001) accessed 1 August 2015. 238 Duncan (n. 236); Noah C. Hampson, “Hacktivism: A New Breed of Protest in a Networked World” (2012) 35(2) Boston College International and Comparative Law Review 511–514; Esther Addley, Josh Halliday, “Operation Payback Cripples MasterCard Site in Revenge for WikiLeaks Ban” (The Guardian, 8 December 2010) accessed 1 August 2015. 239 Patrick Lannin, “Swedish C.Bank Website Shut Down in Cyber Attack” (Reuters, 3 October 2012) accessed 1 August 2015. 240 Adam Gabatt, “New York Times Website Offline after ‘Malicious External Attack’” (The Guardian, 28 August 2013) accessed 1 August 2015. 80 Chapter 3

The reported 2009 and 2011 cyber-attacks against the US and South Korea, aside from the political and media websites, targeted the electronic commerce sector, stock exchanges,241 banks242 and financial regulators.243 Additionally, in 2012, a group called Cyber Fighters of Izz Ad-Din al Qassam (supposedly supported by Iran) was said to specifically target financial institutions of the United States in what became known as Operation Ababil.244 Like in the case of defacements, DoS strikes on the Internet are more often than not spill-over effects of political tensions both inside and outside different states. As such, they were used to suppress anti-governmental online press in Kazakhstan,245 protest the results of the Iranian elections246 or even influence the Australian Parliament that considered banning certain types of pornography.247 Pro-Russian citizens have been especially active in employing DoS attacks to protect what they perceive as the interests of their state(s). They yearly disrupted the work of websites belonging to separatists, Russian opposition, dissident bloggers and press.248 In other ex-Soviet states, DoS strikes have been previously directed at Radio Free Europe in Belarus (2008), pro-NATO Ukrainian media (2007–2008), the Kyrgyz Internet service providers and the

241 Kim Zetter, “Lazy Hacker and Little Worm Set off Cyberwar Frenzy” (Wired, 8 July 2009) accessed 1 August 2015. See also Rhodes (n. 130) 36–37; Clarke, Knake (n. 4) 28–29. 242 John Sudworth, “New ‘Cyber Attacks’ Hit S Korea” (BBC News, 9 July 2009) accessed 1 August 2015. 244 Mathew J. Schwartz, “Bank Attackers Restart Operation Ababil DDoS Disruptions” (InformationWeek, 6 March 2013) accessed 1 August 2015. See also Iasiello (n. 101) 461. 245 Nazario (n. 229) 172. 246 Ibid., 172–173. 247 Ibid.; Keiran Hardy, “Operation Titstorm: Hacktivism or Cyberterrorism?” (2010) 33(2) University of New South Wales Law Journal 474. 248 Nazario (n. 229) 168–172; Rhodes (n. 130) 33. Cyber-threat 81

Kyrgyz Central Election Commission (2009).249 The ongoing Ukrainian Civil War continued this trend.

3.3.3.5 Coordinated Large-Scale DDoS Attacks The most persistent DoS attacks to date that concentrated on a single state, occurred in 2007 and 2008, against the Estonian and Georgian Republics, respectively. In April 2007, the government of Estonia unilaterally decided to relocate a memorial devoted to the fallen Soviet soldiers in WW2, which sparked riots by the Russian-speaking minority (comprising around one third of the country’s population). The somewhat “insulting” decision itself, as well as violations of human rights that followed, inspired Internet users in Russia and other ex-Soviet republics to wage large-scale distributed DoS (DDoS) strikes against the Estonian government. The attacks that lasted for three weeks were said to have reached unprecedented levels of coordination.250 According to various sources, they resulted in defacement of the website belonging to the Prime Minister and temporarily disrupted the “government, law enforcement, banking, media and Internet infrastructure”,251 harming Estonia’s economy in the process.252 There were no less than 128 unique DDoS attacks lasting from one to ten hours each that seemed to emanate from random countries like Peru and Egypt.253 A large number of script-kiddies participated in the attack, increasing the traffic and maximizing the harm done by zombie botnets, employed by more professional attackers.254

249 Nazario (n. 229) 168–172. 250 Heli Tiirmaa-Klaar, “The Emerging Cyber Security Agenda: Threats, Challenges and Responses” [2008] Estonian Foreign Policy Yearbook 156. 251 Geers, “Cyberspace” (n. 135). 252 Matthew J. Sklerov, “Solving the Dilemma of State Response to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent” (2009) 201 Military Law Review 5. Note that the overall damage is claimed to be between 27.5 and 40.5 million USD—see “EU Seeks Unified Cybersecurity Regime” (United Press International, 16 June 2011) accessed 1 August 2015. 253 Scott J. Shackelford, “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law” (2008) 27(1) Berkeley JIL 203. 254 See Joshua Davis, “Hackers Take Down the Most Wired Country in Europe” (Wired, 21 August 2007) accessed 1 August 2015. 82 Chapter 3

While Estonia initially claimed it was at “war”,255 the 2007 strikes were organized by random pro-Russian patriotic groups and did not cause fear or real destruction.256 They were subsequently dismissed as nuisance and Estonia seems to have agreed with characterization of the overall operation as a criminal act.257 Only one person (living in Estonia) was held accountable as pros- ecutorial efforts were hampered when the Russian government denied Estonia legal assistance, despite the fact that both states have a mutual cooperation agreement.258 August 2008 marked the first case when traditional armed activities were not only accompanied, but directly supported by DDoS attacks. As armies clashed in a battle over separatist republics of Abkhazia and South Ossetia, cyber-strikes launched from the Russian Federation reportedly overloaded and crashed many Georgian servers, disrupting the “government’s ability to get information about the invasion”,259 hampering capacity to broadcast its version of events online260 and undermining public confidence during a time of war that Georgia was unlikely to win.261 The DDoS attacks focused on important online targets, that is, websites belonging to the Georgian government, media, communications, transportation and banking, and were accompanied by a limited blockade of incoming and outgoing Internet traffic. 262 Like in the Estonian case, majority of cyber-strikes were carried out with the help of script-kiddies.263 Attackers also defaced five websites, including that of the Georgian president Mikheil Saakashvili, who was visually compared to Adolf Hitler.264

255 Kari Alenius, “An Exceptional War That Ended in Victory for Estonia or an Ordinary e-Disturbance?” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Con ference on Information Warfare and Security (Academic Publishing International 2012) 23. 256 Hollis (n. 8) 1026. 257 Ibid. 258 Clarke, Knake (n. 4) 15; Eneken Tikk, Kadri Kaska, Liis Vihul, International Cyber Incidents: Legal Considerations (NATO CCDCOE 2010) 27. 259 Walker (n. 7) 51. 260 Clarke, Knake (n. 4) 19; John Markoff, “Before the Gunfire, Cyberattacks” (The New York Times, 12 August 2008)

The blame fell on the ordinary Russian citizens and cyber-crime syndicates (such as the Russian Business Network).265 Nevertheless, despite the fact that “possible involvement of some officials within the Russian administration” was “only backed by circumstantial evidence”,266 the timing of the attacks coincid- ing with the movement of troops suggests that attackers had “advance notice of Russian military intentions”.267 Georgia characterized the 2008 cyber-attacks as an attempt to bring down critical Georgian infrastructure.268 However, the actual damage done to the Caucasian republic, if isolated from the armed conflict, is not enough to characterize it more seriously than a nuisance: it included some disturbance of communications, emails, phone calls, and public unavailability of governmental websites.269 After ineffectively trying to block Russian IPs, the defending side mitigated the attacks by transferring websites to more secure US and Estonian servers, avoiding further disruptions.270 No violence or suffering was caused directly or indirectly by the DDoS strikes.271

3.4 Conclusion

When one cross-references hypothetical threats with reported incidents, it appears that cyber-attacks have not advanced very far in achieving their feared potential. The public consequences of real-life operations do not demonstrate anything so significantly innovative that would completely exclude applicability of international law to the new threat. On the other hand, theoretical dangers in cyber-space promise consequences that international community already had to deal with in the past. This remains true even in case of a “cascading failure” simultaneously shutting down interconnected critical infrastructure of a state, known as

6 accessed 1 August 2015. 265 Tikk, Kaska, Vihul (n. 258) 75. 266 Ibid. 267 Bumgarner, Borg (n. 264) 3. 268 See generally Heidi Tagliavini, Report of the Independent International Fact-Finding Mission on the Conflict in Georgia, vol. 2 (Council of the EU 2009) 218. 269 Bumgarner, Borg (n. 264) 6. 270 Ibid., 7; Tikk, Kaska, Vihul (n. 258) 76–77. 271 Walker (n. 7) 53. 84 Chapter 3

“cyber-doom”.272 The International Court of Justice may be said to have imag- ined such a scenario, when it referred to force that could jeopardize “the very survival of a State”.273 The present chapter outlined the nature of the cyber-threat, assessing the seriousness of possible cyber-strikes in the process. As such, it sets the background necessary for establishing whether international law is fit for the purpose of addressing militarized cyber-attacks. The next chapter begins this task by looking into applicability of the principles of territoriality, sovereignty and jurisdiction to cyber-space—a virtual realm that makes cyber-attacks possible.

272 See Sean Lawson, “Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History” (Working Paper 10–77, George Mason University Mercatus Center 2011) 5 accessed 1 August 2015. 273 Nuclear Weapons Case (n. 60) paras. 97, 105(2)(E). Considering the analysis in the present book, one can suggest that even the worst cyber-attacks that may materialize in the future are not so significantly unique as to necessitate a revolution in international law. However, this does not automatically mean that reforms are not required. Not only can cyber-warfare emphasize imperfections of the existing framework that have been present for many years, but it can also inevitably reveal new deficiencies, uncertainties and gaps. Chapter 4 Cyber-Space

4.1 Introduction

It was argued in the Introduction to this book that certain governments can be expected to rely on varying interpretations in the gray areas of international law. While the previous chapter discussed general capabilities of cyber-attacks, setting the scene for subsequent legal analysis in the present book, this chapter begins to explore what exploitable legal imperfections might exist by looking at the very environment that makes cyber-warfare possible—cyber-space. The focus here lies on the principles of territoriality, sovereignty1 and jurisdiction as the fundamental principles of international law that define the extent to which states (led by governments) may exert their power in the virtual realm (if at all). The present chapter is divided into three parts. The first part discusses whether cyber-space can be considered territory or an extension thereof. It further evaluates whether cyber-space can be construed as part of the global commons, in spite of it being an artificial creation. These assertions need to be discussed here first, as they determine the potential extent of the claims of state sovereignty in cyber-space. The second part analyzes whether sovereignty extends into the virtual realm, taking into account the conclusions made in the first part. It assesses if cyber-space can remain independent from state authority and considers state practice in this regard. Particular attention is paid to the apparent legal conflict between the most influential NATO members (that want cyber-space to become fully global) and those of the Shanghai Cooperation Organization (SCO) (that seek to establish sovereignty over their “information space”).2

1 Due to the jus ad bellum and jus in bello focus, the present book views sovereignty as authority to ensure security and control in a particular area to the exclusion of other nations and does not concentrate on issues that arise from sovereign government’s relations with its citizens. 2 Information space is definable in the SCO as “the sphere of activity connected with the formation, creation, conversion, transfer, use, and storage of information and which has an effect on individual and social consciousness, the information infrastructure, and information itself”—see Keir Giles, William Hagestad, “Divided by a Common Language: Cyber Definitions in Chinese, Russian and English” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 419, 421.

The third part focuses on jurisdiction as a notion partially related to territoriality and sovereignty. It discusses the grounds on which any state can exercise jurisdiction over cyber-space and argues that attribution of cyber-attacks to individuals in the virtual realm is not as problematic as is often claimed by academics.

4.2 Territoriality of Cyber-Space

Two questions can be raised in relation to the essence of cyber-space itself. Is it a territory or an extension thereof? Does it belong to the global commons? Depending on their interests, governments can answer these questions differently. As such, they reflect the first gray areas in the context of cyber-warfare existent on the fundamental level of international law. The following analysis seeks to show that territoriality of cyber-space is not defendable, and argues that, even if cyber-space will be considered a global common in the future, it does not represent such common at the moment.

4.2.1 Territory as a Component of Statehood Despite a small number of ratifications mostly in Latin America, the 1933 Montevideo Convention on the Rights and Duties of States is the most widely accepted instrument that sets out the basic criteria for statehood.3 According to that convention and customary law it reflects, a state “as a person of international law” should have “a permanent population”, “a defined territory” (emphasis added), a “government”, as well as “capacity to enter into relations with the other States”.4 Currently, there exist over 200 entities that fulfill these requirements, 193 of which are members of the United Nations. While it is true that some de facto independent countries lack universal recognition,5 this does not diminish their claim for independence under the Montevideo Convention and

3 Montevideo Convention on the Rights and Duties of States (adopted 26 December 1933, entered into force 26 December 1934) 165 LNTS 19; Thomas D. Grant, The Recognition of States: Law and Practice in Debate and Evolution (Praeger Publishers 1999) 6. 4 Montevideo Convention (n. 3) Art. 1. 5 In 2014, they included Abkhazia, Cook Islands, Kosovo, Nagorno-Karabakh, Niue, Turkish Republic of Northern Cyprus, Sahrawi Arab Democratic Repubic, Somaliland, South Ossetia, Taiwan and Transnistria. Cyber-space 87 the declaratory theory of statehood.6 The latter is reflected in Article 3 of that convention, which reads: “the political existence of the state is independent of recognition by the other states”.7 The alternative, constitutive theory of statehood demands recognition from other states.8 Unlike the declaratory model, which favors de facto regimes, it is more suited, for example, to accommodate the practice of de jure recognition of governments-in-exile. Such recognition and the existence of such governments per se may demonstrate that territory is not required to exercise important state functions, but it remains “essential to the original constitution” of a country.9 In fact, the government itself remains tied to the territory that it has been exiled from and where it plans to return. Kinship-based and nomadic societies have, indeed, existed without being fixed to a geographic area in the past.10 However, both major statehood theories agree that international customary norms require a state to be linked to a particular territory.11 The latter is defined by geographic borders (including air space and up to twelve miles of territorial sea), but these borders do not have to be absolutely certain (given the many existing frontier disputes), as long as the “core of territory” is identifiable.12 Given this, it is time to look at whether cyber-space itself fits the notion of territory.

6 David Raič, Statehood and the Law of Self-Determination (Kluwer Law International 2002) 32. See also Grant (n. 3) 5. 7 Montevideo Convention (n. 3) Art. 3. 8 Grant (n. 3) 2; James Crawford, Brownlie’s Principles of Public International Law (8th edn., OUP 2012) 144–145. 9 Jane McAdam, Climate Change, Forced Migration, and International Law (OUP 2012) 135. See generally Crawford (n. 8) 125. 10 John G. Ruggie, “Territoriality and Beyond: Problematizing Modernity in International Relations” (1993) 47(1) International Organization 149; John G. Ruggie, Constructing the World Polity: Essays on International Institutionalization (Routledge 1998) 178–179. See also Michael Burgess, “Territoriality and Federalism in the Governance of the European Union” in Michael Burgess, Hans Vollaard (eds.), State Territoriality and European Integration (Routledge 2006) 102. 11 See Malcolm N. Shaw, International Law (5th edn., CUP 2003) 409, 412, arguing that “without territory a legal person cannot be a state”. See also Peter Malanczuk, Akehurst’s Modern Introduction to International Law (7th edn., Routledge 1997) 75; Robert Jennings, Arthur Watts, Oppenheim’s International Law, vol. 1 (9th edn., Longman 1992) 457, 563. 12 Note that some states (e.g., Israel) were created despite poorly defined borders—see Malanczuk (n. 11) 76. 88 Chapter 4

4.2.2 Virtual Universe as “Territory” Whether the virtual realm is considered a part of territory or not determines the place of cyber-attacks in both jus ad bellum and jus in bello. What can governments theoretically gain by treating cyber-space as territory? Firstly, no state may allow the latter “to be knowingly used for harmful acts contrary to the rights of other States”.13 If the virtual realm is territory, this obligation would then extend to it directly (as opposed to, for example, via cyber- infrastructure located on state territory). Since individuals residing in various territories can launch powerful cyber-attacks, fulfilling this obligation would require total control over the population, which in turn would violate personal freedoms that some Western democracies zealously protect. Secondly, territoriality of cyber-space would call for the reevaluation of the fundamental principle of territorial integrity that reflected the post-WW2 aspirations for stability of international borders.14 Article 2(4) of the UN Charter specifically prohibits the use of force against “territorial integrity” of any state.15 Virtual cyber-attacks challenge the traditional understanding of territorial integrity, which is, unlike political independence, breached only by physical interference. State territory today still conforms to this traditional understanding and is naturally assumed to be clearly demarcated by borders (resulting from countries’ endless struggle for power), whereas the Internet (that is the major part of the virtual realm) is not yet clearly divided among nations.16

13 Corfu Channel (UK v Albania) (Merits) [1949] ICJ Rep 22–23. 14 Anthony Aust, Handbook of International Law (2nd edn., CUP 2010) 40. 15 There is a large volume of various international documents and judgments that refer to this prohibition. E.g., the importance of “territorial integrity” is mentioned multiple times in the Declaration on Principles of International Law Concerning Friendly Relations and Co-Operation Among States in Accordance with the Charter of the United Nations, Annex to UNGA Res 2625 (XXV) (24 October 1970). Its importance is also acknowledged in Military and Paramilitary Activities in and against Nicaragua (Nicaragua v USA) (Merits) [1986] ICJ Rep, paras. 188, 191–193; Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep, para. 70; Accordance with International Law of the Unilateral Declaration of Independence in Respect of Kosovo (Advisory Opinion) [2010] ICJ Rep, para. 80. 16 Note Judge Nancy Gertner’s observation in Digital Equipment Corporation v Altavista Technology, Inc, 960 F Supp 456 (D Mass 1997) 462: “The Internet has no territorial boundaries. [. . .] [A]s far as the Internet is concerned, not only is there perhaps ‘no there there’, the ‘there’ is everywhere where there is Internet access”. Borderless nature of the Internet and cyber-space has also been highlighted by many academics—e.g., see David R. Johnson, David Post, “Law and Borders: The Rise of Law in Cyberspace” (1996) 48(5) Stanford Law Review 1368, 1370–1372, 1379; Stephen J. Kobrin, “Safe Harbours Are Hard to Find: The Trans-Atlantic Data Privacy Dispute, Territorial Jurisdiction and Global Cyber-space 89

Thirdly, if cyber-space is territory, one can attempt to “seize” it. Upon its partial or complete “capture”, the international law governing military occupation would formally apply, and safeguards of humanitarian law would extend therein.17 Like in other cases of belligerent occupation, the “temporal duration of effective control” over the electronic networks representing territory would be irrelevant to the applicability of the legal regime.18 In fact, there are examples of territories (for instance, the Gaza Strip) considered occupied without an effective control of the hostile party.19 Additionally, the legal regime applies to cases where occupation meets no armed resistance.20 The highly acclaimed Tallinn Manual barely addresses this issue. Absent any visible discussion, it is quick to conclude that “[t]here is no legal notion of occupation of cyberspace”.21 Is this claim valid? One can imagine a situation where this claim could be disputed by those governments that wish to extend jus in bello applicability to cyber-space, regardless of whether the latter is territorial. Inter alia, this would facilitate the application of the customary prohibition of destruction of property to data in cyber-space.22 That being said, the treatment of occupation as a territory- based notion in major humanitarian law conventions makes such an argument hardly defendable. In legal terms, belligerent occupation is still firmly linked to (a not necessarily effective) control over territory.

Governance” (2004) 30(1) Review of International Studies 111; Christopher Rudolph, “Sovereignty and Territorial Borders in a Global Age” (2005) 7(1) International Studies Review 4–5. 17 See Arts 42, 52, 53 of 1899HCA2; Arts 42, 52, 53 of 1907HCA4; Common Art. 2(2) of the GCs; Art. 1(4) of AP1. 18 Yutaka Arai-Takahashi, The Law of Occupation: Continuity and Change of International Humanitarian Law, and its Interaction with International Human Rights Law (Koninklijke Brill 2009) 6. 19 Elizabeth Samson, “Is Gaza Occupied?: Redefining the Status of Gaza Under International Law” (2010) 25(5) American University International Law Review 966. 20 Common Art. 2(2) of GCs. Note also Ždanoka v Latvia App no 58278/00 (ECtHR, 16 March 2006), which addresses the Soviet occupation of the Baltic states despite the latter show- ing no active state-level resistance. 21 Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) Ch6C3. Notably, in the context of occupation of physical territory, however, the Tallinn Manual adds: “[C]yber operations cannot alone suffice to establish or maintain the degree of authority over territory necessary to constitute an occupation. However, cyber operations can be employed to help establish or maintain the requisite authority”—see ibid. 22 Stemming from Arts 53, 147 of GC4. 90 Chapter 4

The fourth implication of treating cyber-space as territory is whether the virtual world has the same status as land. Under the Montevideo Convention, giving this status would strengthen the case for the independence of self- proclaimed, non-territorial micro-nations that exist purely in online form on the Internet,23 which would put them closer to being serious subjects of international law. Among the consequences of this, micro-states could claim de jure states’ rights (including sovereign equality) and accuse each other of aggression, use of force, and other acts—all at the expense of the already dim reputation of international law. The alternative perspective of cyber-space being seen as an extension of land (like sea and air currently are), would exclude the purely online states from the world community, but still would bolster the claim for sovereignty of those micro-nations that de facto own some land24 or land-like objects (for example, Sealand).25 Even leaving these seemingly unacceptable global repercussions aside, it should be noted that, while state borders kept changing throughout history, countries mostly sought to control the existing physical matter of objective reality (primarily, land), which they came to identify as territory. What does this say about cyber-space? Because smaller fragile national networks are currently in the early stages of development, they are far from achieving the necessary constancy and stability that characterizes a permanent state of existence of physical domains. Therefore, governments cannot hope to argue successfully that cyber-space formed in their states’ national computers or networks (that is state-owned hardware that makes existence of the virtual realm possible) represents territory. They will surely want to explore the other possible alternative, namely claiming sovereignty over “their” cyber-space. On a wider scale, at least theoretically, the Internet is constantly available to everyone who has the necessary technological equipment. In that way, a major part of cyber-space (at least at the moment) is closer to the other existing

23 Grand Duchy of Avram is an example of such micro-nation, as it does not de facto control nor actually claim any physical territory. 24 Note that, e.g., cyber-attacks were launched from Transnistria (a de facto state with limited recognition) in the past—see Eneken Tikk, Kadri Kaska, Liis Vihul, International Cyber Incidents: Legal Considerations (NATO CCDCOE 2010) 28; Athina Karatzogianni, “How Small are Small Numbers in Cyberspace?: Small, Virtual, Wannabe ‘States’, Minorities and Their Cyberconflicts” in Athina Karatzogianni (ed.), Cyber Conflict and Global Politics (Routledge 2009) 130. 25 Principality of Sealand claims the possession of the HM Fort Roughs tower. Other similar micro-nations include, e.g., the Republic of Morac-Songhrati-Meads that claims Spratly Islands or the new Russian Empire that claims the Suwarrow coral atoll. Cyber-space 91 domains than to temporary means of communication such as telephone, telegraph, television or radio. The Internet is no longer just another medium of communication; it has, in fact, become what scholars initially refused to recognize as a “separate place removed from our world” (emphasis added).26 In 2002, a prominent academic contested this position, pointing out distinctive factors of cyber-space transactions, such as speed and distance.27 However, it is not these factors, but constancy and stability of the Internet that make it a permanently existing realm. That being said, since the Internet simultaneously uses all national networks, it is not possible to demarcate it.28 As such, it cannot be a part of an identifiable “core” of state territory nor extension (from other domains or from state cyber-infrastructure) of the latter.29 Thus, claims that the Internet is territorial have little chance to gain adequate support by the international community. To conclude, cyber-space is too different from other domains for the territorial system to apply in a straightforward manner. Thus, due to the reasons listed above, and for the purposes of subsequent analysis, it is hereinafter assumed that cyber-space is a non-territorial realm and lex scripta that explicitly refers to territory is inapplicable to it. If not definable as territory, can cyber-space be seen as an unofficial global common (res communis omnium)?30 In other words, is it an “internationally

26 See Jack L. Goldsmith, “The Internet and the Abiding Significance of Territorial Sovereignty” (1998) 5(2) Indiana Journal of Global Legal Studies 476. See also Jack L. Goldsmith, “Against Cyberanarchy” (1998) 65(4) University of Chicago Law Review 1240. 27 David G. Post, “Against ‘Against Cyberanarchy’” (2002) 17(4) Berkeley Technology Law Journal 1375–1376. 28 Johann-Christoph Woltag, “Computer Network Operations Below the Level of Armed Force” in Nico Krisch, Lauri Mälksoo, Mario Prost (eds.), ESIL 2011 4th Research Forum (ESIL 2011) 12. One may argue here that the creation of the World Wide Web was the force that delimitated cyber-space (into websites with identifiable extensions, e.g., .uk, .ru, .eu etc.), however it is important to note that this was done merely for identification purposes, moreover, these extensions are not under exclusive state control. 29 See generally Shabtai Rosenne, The Perplexities of Modern International Law (Martinus Nijhoff 2003) 349; Georgios I. Zekos, “State Cyberspace Jurisdiction and Personal Cyberspace Jurisdiction” (2007) 15(1) International Journal of Law and Information Technology 1; Ahmad Kamal, The Law of Cyber-Space: An Invitation to the Table of Negotiations (UNITAR 2005) 82. 30 See Wolff H. von Heinegg, “Legal Implications of Territorial Sovereignty in Cyberspace” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 9. 92 Chapter 4 shared resource utilized for trade, communications and other uses”?31 For instance, the US 2005 Strategy for Homeland Defense and Civil Support32 and the 2010 Canada’s Cyber Security Strategy33 explicitly list cyber-space among the global commons. This claim deserves a more detailed analysis.

4.2.3 Cyber-Space as a Global Common From a legal perspective, global commons represent domains that lie outside state territories and, normally, beyond their extension. As such, they, in their entirety, are not subject to exclusive sovereignty or jurisdiction of one particular state and can be used freely by all nations. If cyber-space is a global common, these principles become directly relevant in this domain. Although there may be more global commons in the world (for instance, the Earth’s core), international lex scripta directly administers three distinct areas: Antarctica,34 the high seas35 and outer space36—places that have been characterized as “‘cyberspaces’ of a previous generation”.37 The legal regimes that govern them are a result of a common decision to collectively appropriate resources.38 Similarly, if states were to create a treaty

31 Scott D. Applegate, “The Principle of Maneuver in Cyber Operations” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 191. 32 US Department of Defense, “Strategy for Homeland Defense and Civil Support” (US Department of Defense 2005) 12 accessed 1 August 2015. 33 “Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada” (Strategy, Government of Canada 2010) 4 accessed 1 August 2015. 34 See Antarctic Treaty (adopted 1 December 1959, entered into force 23 June 1961) 402 UNTS 71. 35 See UN Convention on the Law of the Sea (UNCLOS) (adopted 10 December 1982, entered into force 16 November 1994) 1833 UNTS 3. 36 See Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies (adopted 27 January 1967, entered into force 10 October 1967) 610 UNTS 205; Agreement Governing the Activities of States on the Moon and Other Celestial Bodies (adopted 5 December 1979, entered into force 11 July 1984) 1363 UNTS 3. 37 Paul S. Berman, “The Globalization of Jurisdiction” (2002) 151(2) University of Pennsylvania Law Review 494. 38 Duncan B. Hollis, “Stewardship Versus Sovereignty?: International Law and the Appointment of Cyberspace” (Cyberdialogue 2012: What Is Stewardship in Cyber space?, Toronto, March 2012) 4 accessed 1 August 2015. Cyber-space 93 that would grant cyber-space the status of a global common, it would likely be made out of a “shared recognition of the desirability” to have access to the resources of unlimited knowledge and communication.39 Another potential reason might be the collective creation of a safe environment to deter, defend against, and punish cyber-attackers.40 In this quest, governments may attempt to “demilitarize” the virtual universe, like Antarctica or outer space. The potential legal regime is not burdened by the fact that computers and other hardware that enable transfer of information (such as copper cable and fiber optics) belong to states and are usually located within state borders. They basically perform the same temporary internal jurisdiction-carrier function that ships (“space” of the flag state), interstellar vessels (“space” of the regis- tered state) and Antarctic bases (“space” of the nationals) do.41 If misused, like other belligerent carriers, they can also be targetable militarily.42 There are two important differences between cyber-space and recognized global commons. Firstly, the former was developed artificially and not found as a result of discovery.43 Secondly, cyber-space requires constant investment to stay operational.44 If anything, these differences reduce potential claims of natural law theorists and reinforce the idea that a cyber-common can only result from a state consensus. Which factors determine the viability of such an agreement?

39 Julie J. Ryan, Daniel J. Ryan, Eneken Tikk, “Cybersecurity Regulation: Using Analogies to Develop Frameworks for Regulation” in Eneken Tikk, Anna-Maria Talihärm (eds.), International Cyber Security Legal & Policy Proceedings (NATO CCDCOE 2010) 96; Scott J. Shackelford, “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law” (2008) 27(1) Berkeley JIL 221. See also Katharina Ziolkowski, “Confidence Building Measures for Cyberspace—Legal Implications” (Paper, NATO CCDCOE 2013) 84 accessed 1 August 2015. 40 Shackelford (n. 39) 214. 41 See generally Tallinn Manual (n. 21) R3C3, R3C7, R4C2, R4C3; Darrel C. Menthe, “Jurisdiction in Cyberspace: A Theory of International Spaces” (1998) 4 Michigan Telecommunications and Technology Law Review 83, 93; Wolff H. von Heinegg, “Territorial Sovereignty and Neutrality in Cyberspace” (2013) 89 International Law Studies 126. 42 Ryan J. Vogel, “Drone Warfare and the Law of Armed Conflict” (2010) 39(1) Denver Journal of International Law and Policy 132. See also Tallinn Manual (n. 21) R5C5, R5C13, R91C5. 43 Sean Kanuck, “Sovereign Discourse on Cyber Conflict Under International Law” (2010) 88(7) Texas Law Review 1576. 44 See Jeffrey L. Caton, “Beyond Domains, Beyond Commons: Context and Theory of Conflict in Cyberspace” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 164; Patrick W. Franzese, “Sovereignty in Cyberspace: Can it Exist?” (2009) 64 Air Force Law Review 33. 94 Chapter 4

Networks created for national purposes will inevitably attract claims of sovereignty. Though this turns cyber-space into an “imperfect common”, it is hardly a new problem.45 In fact, one may note the discrepancy between the levels of internationality that the three recognized global commons enjoy: outer space and celestial bodies are entirely free from any sovereignty;46 the oceans and seas contain states’ territorial waters;47 while most of Antarctica is divided into territories claimed by seven nations, which have put their demands on hold by signing the Antarctic Treaty.48 States, therefore, need to clearly establish how, and which part of cyber-space is to be governed collectively (that is over which sovereignty does not extend).49 Until such an agreement is reached, calling cyber-space a global common would be an inaccurate description. One solution might be to limit the new global common to the Internet. Nevertheless, such an approach would be too simplistic and would ignore the political realities of today. Yes, the United States has recently agreed to give up its control over the Internet Corporation for Assigned Names and Numbers (ICANN), but all the latter does is assign unique identifiers to online addresses.50 The US still controls most of the Internet’s root name servers and, no earlier than December 2012, the US delegation rejected a treaty that aimed to provide Internet oversight to the International Telecommunication Union (ITU)—a sign that it is not willing to share its power. On the other hand, the concept of freedom of cyber-space that the US government advances (and which can undermine the non-democratic regimes),51 rejects the idea of creating isolated alternatives to the existing Internet and expects the entire cyber-space to be a global common.52 Among other things, this would allow the US government to collect and access even more data (for example, through its PRISM program) that major American corporations like

45 Joseph S. Nye, “Cyber Power” (Paper, Belfer Center for Science and International Affairs 2010) 15 accessed 1 August 2015. 46 Outer Space Treaty (n. 36) Art. 2. 47 UNCLOS (n. 35) Arts 2, 3. 48 Crawford (n. 8) 252; Hollis (n. 38) 6; Jill Grob, “Antarctica’s Frozen Territorial Claims: A Meltdown Proposal” (2007) 30(2) Boston College International & Comparative Law Review 462. 49 Kanuck (n. 43) 1577. 50 See Richard A. Clarke, Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010) 79. 51 See Henry H. Perritt, “The Internet as a Threat to Sovereignty? Thoughts on the Internet’s Role in Strengthening National and Global Governance” (1998) 5(2) Indiana Journal of Global Legal Studies 436–437. 52 See generally Franzese (n. 44) 35–36. Cyber-space 95

Facebook accumulate. In order to resist the virtual dominance of the USA, other states’ governments, on the contrary, wish to secure parts of the cyber- realm that they consider vital for their well-being. Considering the lack of agreement on the common nature of national networks and the unwillingness of the US government to restrict its dominance over the Internet, there is not enough evidence to suggest that any part of cyber-space currently constitutes a global common under customary norms. If this is the next step in evolution of international law vis-à-vis cyber-space, it has so far been resisted, whereby some governments, no doubt, wish to keep the virtual realm open to claims of sovereignty and some to maintain their exclusive control over what might be termed “cyber-anarchy”. The next aspect one must discuss is whether state sovereignty can apply to cyber-space despite the latter not being territory.

4.3 Sovereignty over the Virtual Realm

A number of questions arise from the above analysis. Does the emergence of cyber-space as a non-territorial realm challenge the Westphalia-based system of sovereignty and make it no longer viable? Is cyber-space independent? Do states already claim sovereignty over parts of the virtual realm, in addition to their cyber-infrastructure? What are the resulting legal consequences and should a new regime based on national spaces arise? This sub-chapter explores these important questions, which have in the past received only limited attention from academics.

4.3.1 Challenge to the Westphalian Order The contemporary notion of state sovereignty emerged with the Peace of Westphalia in 1648.53 Stephen Krasner rightly notes that it did not represent a “political big bang that created the modern system of autonomous states” at the time.54 However, it did indeed begin the crystallization of the idea that a state has the supreme authority within its borders and the right to determine its relations with other countries.55

53 Nazli Choucri, “Introduction: Cyberpolitics in International Relations” (2000) 21(3) International Political Science Review 250. 54 Stephen D. Krasner “Sovereignty” (2001) 122 Foreign Policy 21. 55 David G. Post, “The ‘Unsettled Paradox’: The Internet, the State, and the Consent of the Governed” (1998) 5(2) Indiana Journal of Global Legal Studies 524, 528; Ian Bryan, “Sovereignty and the Foreign Fighter Problem” (2010) 54(1) Orbis 117. 96 Chapter 4

Initially built on the philosophy of Bodin, Hobbes and Machiavelli, “who identified it with the authority emanating from the sovereign”, the concept of sovereignty evolved during the times of Enlightenment and Romantic ideals to reflect contractarian views of Locke, Rousseau and Montesquieu concentrated on the “political power in the consent of the people of a given territory”.56 Throughout centuries it remained the backbone of the state system,57 and was based, inter alia, on the need to ensure military security of peoples (as well as sovereign rulers) and to prevent coercion.58 In this quest, sovereignty inspired the development of sub-principles of non-intervention, territorial integrity and political independence.59 As a legal element arising from the increasing state equality and pacifism, territoriality developed alongside Westphalian sovereignty to geographically constrain state power.60 In fact, the two became so close that sovereignty is still automatically associated with demarcated land. The Arbitrator Max Huber stated in the Island of Palmas case: “sovereignty in the relations between States signifies independence [. . .] in regard to a portion of the globe” (emphasis added).61 In the 1949 Corfu Channel case, the ICJ concluded that “respect

56 Giampiero Giacomello, Fernando Mendez, “‘Cuius Regio, Eius Religio, Omnium Spatium?’ State Sovereignty in the Age of the Internet” (2001) 7 Information & Security 26–27; John Agnew, “Sovereignty Regimes: Territoriality and State Authority in Contemporary World Politics” (2005) 95(2) Annals of the Association of American Geographers 456; Paul S. Berman, “The Globalization” (n. 37) 456. 57 Samuel F. Miller, “Prescriptive Jurisdiction over Internet Activity: The Need to Define and Establish the Boundaries of Cyberliberty” (2003) 10(2) Indiana Journal of Global Legal Studies 251. 58 Rudolph (n. 16) 6–7; Jan N. Pieterse, “Globalization, Kitsch and Conflict: Technologies of Work, War and Politics” (2002) 9(1) Review of International Political Economy 18. See also Nikolaos K. Tsagourias, Jurisprudence of International Law: The Humanitarian Dimension (Manchester University Press 2000) 65; Lene Hansen, Helen Nissenbaum, “Digital Disaster, Cyber Security, and the Copenhagen School” (2009) 53(4) International Studies Quarterly 1159–1160; Jerry Everard, Virtual States: The Internet and the Boundaries of the Nation State (Routledge 2000) 44. 59 Thomas Schultz, “Carving up the Internet: Jurisdiction, Legal Orders, and the Private/ Public International Law Interface” (2008) 19(4) EJIL 800; Russell Buchan, “Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?” (2012) 17(2) Journal of Conflict & Security Law 223. 60 Amit M. Sachdeva, “International Jurisdiction in Cyberspace: A Comparative Perspective” (2007) 13(8) Computer and Telecommunications Law Review 246; Joel P. Trachtman, “Cyberspace, Sovereignty, Jurisdiction, and Modernism” (1998) 5(2) Indiana Journal of Global Legal Studies 567. 61 Island of Palmas Case (Netherlands v USA) [1932] Scott Hague Court Rep 838. Cyber-space 97 for territorial sovereignty is an essential foundation of international relations” (emphasis added).62 Today, sovereignty is still defined with reference to territory by academics, notably, even those who write about cyber-space.63 The link between territory and sovereignty has been weakened and then reaffirmed many times during the last century in light of decolonization and self-determination movements,64 biological hazards,65 “growing interdependence between states, the free flow of capital, trans-boundary pollutants and multi-centered production”.66 Each issue contributed to the corrosion of the Westphalia order, yet the notion of territorial sovereignty survives. However, the ever-increasing level of connectivity and transmission-speeds, catalyzed by globalization, pose a unique problem for the traditional notion of state sovereignty.67 This might hasten the long-delayed end of the territory-based regime, as explained below. Cyber-space is the great equalizer. It damages the Westphalian ideal of states commanding superior offensive capabilities to those possessed by ordinary citizens.68 Although the state may have more technologically advanced

62 Corfu Channel Case (n. 13) 35. See also Nicaragua Case (n. 15) para. 202. 63 Applegate (n. 31) 191: “[. . .] exercising authority and control over a given area or geographic region”; Georgios I. Zekos, “Globalisation and States’ Cyber-Territory” (2011) 5 Web Journal of Current Legal Issues 1: “Sovereignty [. . .] has a main meaning, supreme authority within a territory”. 64 Robert H. Jackson, Sovereignty: Evolution of an Idea (Polity Press 2007) 146. 65 Consider, e.g., the concept of “viral sovereignty” that crosses territorial borders, as reportedly suggested by the Indonesian minister of health Siti Supari—see Richard Holbrooke, Laurie Garrett, “Sovereignty That Risks Global Health” (Washington Post, 10 August 2008) accessed 1 August 2015. 66 Roy Smith, “Cyber-States and the ‘Sovereignty’ of Virtual Communities” in Eleonore Kofman, Gillian Youngs (eds.), Globalization: Theory and Practice (3rd edn., Continuum 2003) 280; Joel P. Trachtman, “The Crisis of International Law” (2011) 44(1–2) Case Western Reserve JIL 420. 67 Teresa Scassa, Robert J. Currie, “New First Principles? Assessing the Internet’s Challenges to Jurisdiction” (2011) 42(4) Georgetown JIL 1035, 1082; Gregory J. Rattray, Jason Healey, “Non- State Actors and Cyber Conflict” in Kristin M. Lord, Travis Sharp (eds.), America’s Cyber Future: Security and Prosperity in the Information Age, vol. 2 (Center for a New American Security 2011) 68; Antony Taubman, “International Governance and the Internet” in Lilian Edwards, Charlotte Waelde (eds.), Law and Internet (3rd edn., Hart Publishing 2009) 27. See also Michael Dartnell, “Web Activism as an Element of Global Security” in Athina Karatzogianni (ed.), Cyber Conflict and Global Politics (Routledge 2009) 72. 68 See generally Barry Buzan, Ole Wæver, Jaap de Wilde, Security: A New Framework for Analysis (Lynne Rienner Publishers 1998) 51; Yoram Dinstein, “Cyber War and 98 Chapter 4 hardware at its disposal, when compared with professional cracking groups, their power is far from overwhelming. Moreover, by being non-territorial in nature, cyber-space can challenge the Westphalian territory-based concept of sovereignty altogether. One must, therefore, consider whether cyber-space can at all be governed by individual states and, if so, to what extent can their sovereignty extend there. Without any visible investigation or discussion, the authors of the Tallinn Manual fully rejected the possibility of exercising sovereignty over cyber-space as a virtual realm isolated from counries’ territorial infrastructure, merely stating that “no State may [do so]”.69 But can one simply ignore such an important prospect? Is cyber-space that independent?

4.3.2 Unrecognized Independence of Cyber-Space Once the online world became available to the public in the 1990s, it was “mas- sively colonised by ordinary citizens”.70 The Internet, according to one com- mentator, has become a “borderless realm, ungoverned and unregulated—the equivalent of the ‘wild west without a sheriff’”.71 In 1996, in response to the adoption of the Telecommunications Act in the United States, John Barlow issued “A Declaration of the Independence of Cyberspace” that was quickly disseminated online by other cyber-libertarians. It read:

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather. We have no elected government, nor are we likely to have one [. . .] I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose

International Law: Concluding Remarks at the 2012 Naval War College International Law Conference” (2013) 89 International Law Studies 287: “The real challenge [. . .] is to make sure that nobody will be able to turn the tables on the United States, and that the United States [. . .] can preserve its military superiority against all actual and potential adversaries [in cyber-space]”. 69 Tallinn Manual (n. 21) R1C1, R1C12. 70 Andrew Adams, Pauline Reich, Stuart Weinstein, “A Non-Militarised Approach to Cyber- Security” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 6. 71 Thomas Thomasen, “Cyber Deterrence—A 21st Century Maginot Line” (Brief, Royal Danish Defence College 2011) 4 accessed 1 August 2015. Cyber-space 99

on us. [. . .] Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it [. . .] You cannot. [. . .] [I]t grows itself through our collective actions.72 [emphasis added]

The distinct, independent nature of the Internet was also emphasized by a few legal scholars, most notably David Johnson and David Post, who, in 1997 (as it turns out, naively), believed that the flow of electronic information could not be effectively controlled.73 As Philip Weiser notes, before 2000, the “dominant ideology of the Internet community resisted almost all forms of conventional government regulation”.74 Practically no government wanted to support independence of the online world. What some considered the “end of state”75 and “twilight of sovereignty”76 turned out to be a temporary eclipse. Governments quickly realized the need to regulate cyber-space “to the extent that it affects real space life”.77 The “Declaration of Independence” was ignored and, at least currently, a self- governing Internet remains a dream of a few politically motivated cyber- activists, driven by the fading libertarianist (or, perhaps, naturalist or Marxist) ideas that cyber-space should exist in an uncontrolled, anarchic environment.78 In spite of arguments that this virtual realm is still widely perceived as universal,

72 John P. Barlow, “A Declaration of the Independence of Cyberspace” (Declaration, February 1996) accessed 1 August 2015. 73 Johnson, Post (n. 16) 1372, 1378. 74 Philip J. Weiser, “Internet Governance, Standard Setting, And Self-Regulation” (2001) 28(4) Northern Kentucky Law Review 823. 75 See Maryann C. Love, “Global Problems, Global Solutions” in Maryann C. Love (ed.), Beyond Sovereignty: Issues for a Global Agenda (4th edn., Wadsworth 2011) 28. 76 See generally Walter Wriston, The Twilight of Sovereignty (Scribner 1992). Noted also in David G. Post, “Governing Cyberspace: Law” (1996) 43 Wayne Law Review 163. 77 Lawrence Lessig, “The Zones of Cyberspace” (1996) 48 Stanford Law Review 1406. 78 Alexander Melnitzky, “Defending America Against Chinese Cyber Espionage Through the Use of Active Defenses” (2012) 20(2) Cardozo Journal of International & Comparative Law 558–559; James Boyle, “Foucault in Cyberspace: Surveillance, Sovereignty, and Hard- Wired Censors” (1997) 66(2) University of Cincinnati Law Review 178–179. Note generally the recent “wish” of the ICJ for sovereignty to be exercised with “due regard to the needs of the populations concerned”—see Frontier Dispute (Burkina Faso v Niger) (Judgment) [2013] ICJ Rep, para. 112. 100 Chapter 4 open and free,79 already by 2013, more than forty states restricted access to Internet webpages and filter online content.80 Generally, governments have four options when it comes to regulating the virtual realm. They could “assert sovereignty over the whole of the net”, “abdi- cate any claim to sovereignty [. . .] and agree to some form of supranational governance”, “assert sovereignty over a specific [part] of the net”, or “agree to participate in a federated, power-sharing arrangement”.81 The first option is impossible in practice. Even a state as powerful as the US, as James Boyle puts it, “is too big, too slow, too geographically and technically limited to regulate a global citizenry’s fleeting interactions over a mercurial medium”.82 Due to conflicting political interests, even today, governments are not sure which of the remaining models to adopt. De facto, this uncertainty splits cyber- space into an international zone (controlled globally by the world community) and smaller national zones (controlled by individual governments). An analogy can be drawn here with the law of the sea that delineates those areas, over which states can claim sovereignty (internal and territorial waters) and those, over which they cannot (international waters).83 When it comes to national cyber-zones, Steven Barney suggests that one can go even further with the UNCLOS analogy and distinguish between internal cyber-space (under complete state sovereignty) and open (or, as Barney

79 Stephen K. Gourley, “Cyber Sovereignty” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 277–278, 288. 80 Ronald Deibert, “The Growing Dark Side of Cyberspace (. . . and What to Do About It)” (2012) 1(2) Pennsylvania State Journal of Law & International Affairs 268. Note that filtering the Internet nowadays also significantly reduces its ability to be a “threat to sovereignty” (especially for “authoritarian” regimes)—see Perritt, “The Internet” (n. 51) 425, 432. See also Georgios I. Zekos, “Internet or Electronic Technology: A Threat to State Sovereignty” (1999) 3 JILT accessed 1 August 2015. 81 Mary Rundle, “Beyond Internet Governance: The Emerging International Framework for Governing the Networked World” (Research Publication, Berkman Center for Internet & Society 2005) 5 accessed 1 August 2015. 82 Boyle (n. 78) 183. 83 Note that law of the sea itself represents a successful regime praised “for balancing the varying and highly competing interests of the world’s states”—see Dimitrios Delibasis, The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007) 344. Contiguous and exclusive economic zones are not mentioned here, as they do not clearly fall into either category. Cyber-space 101 himself inaccurately calls it, “territorial”) cyber-space (“through which, and to which, governments, commercial enterprises, or private organization allow generally unrestricted access”).84 Absent of an international agreement on the potential global cyber- common, the “borders” between the de facto international and national cyber- zones remain unclear and can only be definitively determined in relation to the isolated parts of the virtual universe that are not connected to the Internet. In this uncertain environment, it is necessary to consider state practice as the influencing factor in the formation of future international customary law. One may recall at this point that such practice, for instance, played a decisive role in setting the common limits of sovereignty vis-à-vis continental shelf and territorial waters. In order to crystallize as legally binding norms, such practice must be general and uniform among the affected states, moreover, it should be generally acknowledged as binding.85

4.3.3 State Practice All states (represented by their governments) seem to share the view that traditional Westphalian rules currently allow them to exercise sovereignty over any physical cyber-infrastructure located within their territory.86 Additionally, sovereignty may be exercised over physical hardware placed in areas of traditional state control, such as “internal waters, territorial sea (including its bed and subsoil), archipelagic waters, or national airspace” under international customary law.87 Sovereignty over infrastructure does not mean that it extends into the virtual world itself, but the Russian and a number of SCO states’ governments stand for “national control of all Internet resources” that lie within state borders.88

84 Steven M. Barney, “Innocent Packets? Applying Navigational Regimes from the Law of the Sea Convention by Analogy to the Realm of Cyberspace” (2001) 48 Naval Law Review 65, 69. 85 North Sea Continental Shelf Case (Germany v Netherlands) (Merits) [1969] ICJ Rep 44. 86 See Tallinn Manual (n. 21) R1, R1C1, R1C3. See also Von Heinegg, “Territorial Sovereignty” (n. 41) 128; Eneken Tikk, “Ten Rules for Cyber Security” (2011) 53(3) Survival 121. 87 Tallinn Manual (n. 21) R1C3, R1C11. 88 Keir Giles, “Russia’s Public Stance on Cyberspace Issues” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 65. Note generally that the Russian Federation is the first nation to claim an extended continental Arctic shelf under UNCLOS—see Kathryn Isted, “Sovereignty in the Artic: An Analysis of Territorial Disputes & Environmental Policy Considerations” (2009) 18(2) Journal of Transnational Law & Policy 140–141. 102 Chapter 4

In 2011, Russia, China, Uzbekistan and Tajikistan presented a Code of Conduct for Information Security to the United Nations. This code suggests recognizing the right and responsibility to protect “information space” of states (logically, including their national cyber-zones) “from threats, disturbance, attack and sabotage”.89 This right also became the cornerstone of the Russian 2011 “Convention on International Information Security” concept, released shortly after the Code of Conduct and likely meant to fortify the latter in the UN.90 Generally, the Russian approach to sovereignty (that traditionally concentrated on territorial power and independence in the international arena) is influenced in cyber-space by its understanding of information warfare. The latter has wider political and philosophical implications than the Western concept of cyber-warfare and primarily involves protection of Russian culture, morals and way of life.91 Notably, aside from condemning militarization of the Internet (and information space), seeking regional cooperation and harmonization of legislation, the Russian government sees as one of its priorities the transfer of the root name servers to the International Telecommunication Union—an act that would weaken the US control of the Internet.92 In 2002, an FBI agent who obtained unauthorized access to Russian computers from the US as part of the investigation in the Gorshkov-Ivanov case(s)93 was reportedly accused of “computer hacking” and thus violating Russian

89 International Code of Conduct for Information Security, Annex to UNGA 66/359 (14 September 2011) UN Doc A/66/359, op paras. 3(e), 3(f). 90 “Convention on International Information Security” (Concept, Russian Ministry of Foreign Affairs 28 October 2011) accessed 1 August 2015. 91 Franz-Stefan Gady, Greg Austin, “Russia, The United States, And Cyber Diplomacy: Opening the Doors” (Report, EastWest Institute 2010) 5 accessed 1 August 2015; Keir Giles, “‘Information Troops’—a Russian Cyber Command?” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 46. 92 Dmitry I. Grigoriev, “Russian Priorities and Steps Towards Cybersecurity” in Andrew Nagorski (ed.), Global Cyber Deterrence: Views from China, the U.S., Russia, India, and Norway (EastWest 2010) 7. 93 Vasiliy Gorshkov and Alexey Ivanov were crackers accused of a number of computer- related crimes in the United States after being lured onto the US soil by FBI agents posing as staff of a computer-security company interested in hiring them. Cyber-space 103 sovereignty.94 Sovereignty was also used as an excuse to refuse assistance to the investigators of the 2007 cyber-attacks on Estonia and 2008 cyber-attacks on Georgia, respectively. Similarly, official representatives of the People’s Republic of China bar states from investigating its “patriotic” cracker-activity.95 The rise of the Internet coin- cided with the increased control of media that followed the 1989 Tiananmen Square protests and, in 1995, the PRC’s minister of post and telecommunications Wu Juchuan declared that “by linking with the Internet, [China did] not mean the absolute freedom of information”.96 As Chinese cyber-attacks against the US are tolerated by the PRC government,97 everything deemed “detrimental” is not meant to enter the Middle Kingdom itself.98 In 2002, the PRC government convinced the American company Yahoo! to sign the Public Pledge on Self-Discipline for the Chinese Internet Industry.99 Under this pledge Yahoo! indirectly assisted China’s authorities in arresting at least two dissident-agitators (Wang Xiaoning and Shi Tao).100 Domestically, the Chinese government has achieved unprecedented level of behavior control in cyber-space mostly through its “Golden Shield” policy, also

94 John Leyden, “Russians Accuse FBI Agent of Hacking” (The Register, 16 August 2002) accessed 1 August 2015; Susan W. Brenner, Bert-Jaap Koops, “Approaches to Cybercrime Jurisdiction” (2004) 4(1) Journal of High Technology Law 22–23. 95 See generally Sow K. Tok, “Nationalism-On-Demand? When Chinese Sovereignty Goes Online” in Simon Shen, Shaun Breslin (eds.), Online Chinese Nationalism and China’s Biletaral Relations (Lexington Books 2010) 13. 96 Tony Walker, “China’s Wave of Internet Surfers Sets Censors a Poser” (The Financial Times, 24 June 1995) available via Factiva, accessed 1 August 2015. 97 Jyh-An Lee, “The Red Storm in Uncharted Waters: China and International Cyber Security” (2014) 82(4) UMKC Law Review 962. 98 “Developments in the Law: The Law of Cyberspace” (1999) 112(7) Harvard Law Review 1683. 99 See Matthew Fagin, “Regulating Speech Across Borders: Technology vs. Values” (2003) 9 Michigan Telecommunications and Technology Law Review 425. 100 See Ariana E. Cha, Sam Diaz, “Advocates Sue Yahoo in Chinese Torture Case” (Washington Post, 19 April 2007) accessed 1 August 2015; Testimony of Michael Callahan, Senior Vice President and General Counsel, Yahoo! Inc. Before the Subcommittees on Africa, Global Human Rights and International Operations, and Asia and the Pacific (Statement, The New York Times, 15 February 2006) accessed 1 August 2015. 104 Chapter 4 known as the “Great Firewall”.101 Among other things, the PRC has the capacity to disconnect itself from the Internet, if so required (though it may come at the expense of its economic prosperity).102 Furthermore, one can conceivably see the influence of Chinese diplomacy in the language of international documents (among them, for instance, the Declaration of Principles of the World Summit on the Information Society).103 According to the 2010 National Defense Policy, one of the goals of China’s national defense today is to safeguard “national sovereignty [. . .] and maintain its security interests in [. . .] cyber space”.104 The 2010 White Paper on Internet Policy states:

Within Chinese territory the Internet is under the jurisdiction of Chinese sovereignty. The Internet sovereignty of China should be respected and protected. Citizens of the People’s Republic of China and foreign citizens, legal persons and other organizations within Chinese territory have the right and freedom to use the Internet; at the same time, they must obey the laws and regulations of China and conscientiously protect Internet security.105 [emphasis added]

From a practical standpoint, the biggest problem of the Russian and Chinese approaches of subjugating parts of the already existing Internet, as previously

101 See Hollis (n. 38) 8. See also Clarke, Knake (n. 50) 146; Christopher Stevenson, “Breaching the Great Firewall: China’s Internet Censorship and the Quest for Freedom of Expression in a Connected World” (2007) 30(2) Boston College International & Comparative Law Review 537. 102 Clarke, Knake (n. 50) 146; Gourley (n. 79) 284; Catherine Lotrionte, “State Sovereignty and Self-Defense in Cyberspace: A Normative Framework for Balancing Legal Rights” (2012) 26(2) Emory International Law Review 843–844. 103 The Declaration reads: “policy authority for Internet-related public policy issues is the sovereign right of states”—see Declaration of Principles: Building the Information Society: A Global Challenge in the New Millennium, WSIS 4-E (12 December 2003) WSIS- 03/GENEVA/DOC/4-E, para. 49(a). See also Daniel W. Drezner, “The Global Governance of the Internet: Bringing the State Back In” (2004) 199(3) Political Science Quarterly 489. 104 “Part II: National Defense Policy, China’s National Defense in 2010” (White Paper, Information Office of the State Council of the People’s Republic of China 2011) accessed 1 August 2015. 105 “Part V: Protecting Internet Security, China’s National Defense in 2010” (White Paper, Information Office of the State Council of the People’s Republic of China 2011) accessed 1 August 2015. Cyber-space 105 mentioned, remains the issue of delineating national cyber-zones from each other and from the potential international global common.106 On the other hand, the reported Iranian project to create a “National Internet” (nicknamed “Halal Internet”) is completely isolated from the World Wide Web and exclusively under the control of Iran.107 As such, it produces national cyber-space with clearly defined legal borders—an analogue of intra-territorial waters (such as lakes), as opposed to territorial seas connected to the international oceans. These efforts are supplemented by a special Iranian Cyber Council for controlling domestic Internet which is said to be a matter of “security and sovereignty”.108 Notably, isolated Internet-like sovereign spaces exist in other countries; for example, North Korea is already known for its separate Kwangmyong network.109 Russia, China and Iran are technologically advanced states with a strong claim to sovereignty in cyber-space and are united under the Shanghai Cooperation Organization (SCO) umbrella. The first two countries are the leading entities in this organization (Iran being an observer), and other members have been mostly supportive of their efforts to concentrate on the more expansive information security and to protect “spiritual and cultural environment”, as well as “information space and critical information infrastructure from threats, interference and sabotage attacks”.110 For example, from 2011

106 Note the view of Ji-Jen Hwang, who argues that it is possible to divide cyber-space by using “servers, routers and network protocols[,] [. . .] Domain Name Servers, TCP/ IP, and functional borders”—see Ji-Jen Hwang, “China’s Cyber Warfare: The Strategic Value of Cyberspace and the Legacy of People’s War” (Doctoral Thesis, University of Newcastle upon Tyne 2012) 45 accessed 1 August 2015. See generally Perritt, “The Internet” (n. 51) 427; Christopher A. Ford, “The Trouble with Cyber Arms Control” (2010) 29 The New Atlantis 66. 107 Saeed K. Dehghan, “Iran Clamps Down on Internet Use” (The Guardian, 5 January 2012) accessed 1 August 2015; “Iran Readies Domestic Internet System, Blocks Google” (Reuters, 24 September 2012) accessed 1 August 2015. 108 Louis Charbonneau, “Iran Rejects UN Criticism of its Cyber Security Rules” (Reuters, 25 October 2012) accessed 1 August 2015. 109 Dave Lee, “North Korea: On the Net in World’s Most Secretive Nation” (BBC News, 10 December 2012) accessed 1 August 2015. 110 International Code of Conduct for Information Security (n. 89) op paras. 3(c), 3(e). See also Oona A. Hathaway and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review 825, 865. 106 Chapter 4 onwards, aside from advocating the idea of Cyberpol (a SCO-led cyber-space police), the minister of foreign affairs of Kazakhstan has been calling for adoption of new concepts in international law, among them, an “electronic border” and “electronic sovereignty”.111 The latter represent viable notions, especially in light of the need to effectively delimitate cyber-space. Thus, the present book will often refer to the SCO position as a unifying alternative to the Western approach, though such references will be done in the context of cyber-attacks and not wider framework of information warfare that the SCO governments favor. Though not explicitly admitting this, strong capitalist governments, to an extent, also seek to control their information environment and develop technological and legislative means to reach this goal. According to reports, the Australian administration seriously considered imposing state restrictions on the Internet from 2009.112 The 2010 Canadian Cyber Security Strategy stated that “[its citizens] trust that the Government will act to defend Canada’s cyber sovereignty” (emphasis added).113 In 2011, representatives of the European Union (EU) reportedly discussed the possibility of creating one cyber-space separated by a “virtual Schengen border”.114 In one of the EU members, Estonia, cyber-space is said to be a “part of [. . .] independence”115 and the Estonian government already unsuccessfully tried to convince NATO that the 2007 cyber-attacks violated its sovereignty.116 The US administration, which is often believed to be disregarding other states’ sovereignty (especially when it comes to issues like terrorism or

111 Statement by Acting Minister of Foreign Affairs of the Republic of Kazakhstan, H.E. Mr. K. Umarov, at the Sixty-Seventh Session of the United Nations General Assembly (Statement, Embassy of the Republic of Kazakhstan, 29 September 2012) accessed 1 August 2015. 112 Marina Kamenev, “First, China. Next: the Great Firewall of . . . Australia?” (Time, 16 June 2010) accessed 1 August 2015. 113 “Canada’s Cyber Security Strategy” (n. 33) 7. 114 Jennifer Baker, “Europe’s ‘Single Secure Cyberspace’ Plan Under Attack” (Computer World, 2 May 2011) accessed 1 August 2015. 115 Peter Finn, “Cyber Assaults on Estonia Typify a New Battle Tactic” (The Washington Post, 19 May 2007) accessed 1 August 2015. 116 Hansen, Nissenbaum (n. 58) 1169. Cyber-space 107

“pro-democratic” rebellions), is also presently exploring opportunities to establish national barriers in cyber-space.117 Its 2011 National Strategy for Trusted Identities in Cyberspace118 is said to be an “attempt to regulate the Internet”,119 and the Obama Administration is “dedicated to building a system of protections in both the private and public sectors to keep out malicious forces”.120 However, unlike Chinese and Russian rulers, the US government (together with that of the UK, which is wary of attempts to “control and restrict the future development of the cyber domain”)121 openly opposes localized restrictions placed on the Internet and has been aggressively undermining censorship efforts in other states, particularly Iran.122 Again, taking into account that the US has important global corporations and root name servers in its sovereign territory, this is perhaps not so surprising.

4.3.4 Seeds of a New Legal Regime State practice shows that, absent any agreements prohibiting claims of exclusive control, many governments will treat not only damage to their information infrastructure, but also intrusions into their cyber-space as a violation of sovereignty, possibly giving rise to customary law in the future. Under these conditions, territoriality becomes less relevant and the Westphalian (that is strictly territory-based) concept of sovereignty will eventually have to be abandoned. Logic and evidence suggest that a similar regime is likely to arise that is based on national spaces rather than purely geography.123

117 Applegate (n. 31) 192. 118 “National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy” (Strategy, The White House 2011) accessed 1 August 2015. 119 Melnitzky (n. 78) 560. 120 US White House, “Presidential Proclamation—National Cybersecurity Awareness Month, 2013” (Office of the Press Secretary, 30 September 2013) accessed 1 August 2015. 121 See “The UK Cyber Security Strategy Protecting and Promoting the UK in a Digital World” (Cabinet Office, November 2011) 17 accessed 1 August 2015. 122 Ebrahim Anoosheh, “The Islamic Republic of Iran’s Strategy Against Soft Warfare” in in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 41. 123 Interestingly, at least one scholar insists on calling it a “Cyber Westphalia”, although this expression is clearly misleading—see generally Chris C. Demchak, “Economic and Political Coercion and a Rising Cyber Westphalia” in Katharina Ziolkowski (ed.), Peacetime 108 Chapter 4

The emergence of a new legal regime does not mean that the currently existing territorial borders will lose their value in international law. Inter alia, they will remain useful for demarcating the cyber-infrastructure located in different parts of the world and countries themselves. If customary law is indeed formed, legal safeguards protecting sovereignty against attacks will have to extend into delineated national cyber-zones. These safeguards stem from the prohibition of using force against political independence and the principle of non-intervention, enshrined in the UN Charter, as well as international customary law reflected in case-law going back as far as the early 20th century.124 Notably, both the UNGA Resolution 3314 and the Rome Statute of the International Criminal Court (ICC) define the severe “use of armed force against the sovereignty [. . .] of [a] state” (emphasis added) as an act of aggression.125 An obligation not to abuse sovereignty (for example, to harbor terrorists)126 may likewise become relevant in cyber-space. Potential restrictions will also automatically extend to cyber-sovereignty. As with other domains, sovereignty will remain limitable by UN Security Council resolutions. During the last two decades, the Responsibility to Protect (R2P) has gained more popularity as a factor that may limit state sovereignty (also in cyber- space) under international law.127 This is reflected in the 2004 UN Report on Threats, Challenges and Change, which reads:

In signing the Charter of the United Nations, states not only benefit from the privileges of sovereignty but also accept its responsibilities. Whatever perceptions may have prevailed when the Westphalian system first gave rise to the notion of state sovereignty, today it clearly carries with it the obligation of a state to protect the welfare of its own peoples and meet

Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013) 613. 124 Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 892 UNTS 119, Art. 2(1), 2(4), 2(7); Trail Smelter Case (USA v Canada) (1938/1941) Special Arbitral Tribunal 1963 accessed 1 August 2015. 125 UNGA Res 3314 (XXIX) (14 December 1979) Art. 1; Rome Statute of the International Criminal Court (adopted 17 July 1998, entered into force 1 July 2002, amended 29 November 2010) 2187 UNTS 90, Art. 8bis(2). See further Chapter 5 of the present book. 126 See generally Christian J. Tams, “The Use of Force against Terrorists” (2009) 20(2) EJIL 393. 127 The analysis of the R2P as it applies to cyber-attacks will be presented in Chapter 8 of this book. Cyber-space 109

its [R2P and non-aggression] obligations to the wider international community.128

Finally, one must acknowledge that sovereignty is transferrable between states (for instance, consider the case of Hong Kong). To avoid the influence of the more powerful states, governments of smaller countries might even relocate their cyber-sovereignty to non-national, sub-national or supranational organizations (for example, the European Union).129 If most of the world community proves inflexible and insists that sovereignty can only be grounded in territory, from a realist perspective, governments might want to ignore these opinions altogether. In doing so, until the national and international virtual zones are clearly demarcated in a treaty, they are likely to follow Boris Yeltsin’s advice and “take as much sovereignty as [they] can swallow”.130 Now, one should turn attention to another important principle of international law that may determine the extent to which governments seek control over individuals in cyber-space—jurisdiction.

4.4 Jurisdiction in Cyber-Space

Jurisdiction (that is the right to adjudicate, to prescribe laws and to enforce them)131 is closely related to sovereignty and territoriality. Nevertheless, in

128 High-Level Panel on Threats, Challenges and Change, “A More Secure World: Our Shared Responsibility” (Letter to UNSG, 1 December 2004) UN Doc A/59/565, para. 29. 129 Saskia Sassen, “On the Internet and Sovereignty” (1998) 5(2) Indiana Journal of Global Legal Studies 554; Saskia Sassen, “The Impact of the Internet on Sovereignty: Unfounded and Real Worries” in Christoph Engel, Kenneth H. Heller (eds.), Understanding the Impact of Global Networks in Local Social, Political and Cultural Values (Nomos 2000) 207. See generally Rudolph (n. 16) 8; Christopher K. Ansell, Steven Weber, “Organizing International Politics: Sovereignty and Open Systems” (1999) 20(1) International Political Science Review 87. 130 A famous phrase reportedly pronounced by Boris Yeltsin in 1991 in Tatarstan—see Steven Erlanger, “Tatar Area in Russia Votes on Sovereignty Today” (The New York Times, 21 March 1992) accessed 1 August 2015. See generally Franzese (n. 44) 18, who explains the need of states to control cyber-space by pointing at competing national interests in the field of security. 131 Restatement of the Law (Third): Foreign Relations Law of the United States, vol 1 (The American Law Institute 1986) para. 401. See also Tallinn Manual (n. 21) R2C1; Kamal (n. 29) 197. 110 Chapter 4 certain circumstances, it can also serve as justification for ignoring other states’ sovereignty. The present sub-chapter begins by exploring this paradoxical link between the above-mentioned principles. It further addresses the main question that should be asked in the present context: when can governments claim jurisdiction over individual cyber-attackers, especially those who reside in other countries? Finally, the issue of technical identification of cyber-attackers is addressed, as it is a necessary condition for practical exercise of jurisdiction over individuals.

4.4.1 As an Aspect of Sovereignty As the power to solve disputes traditionally concentrated in the hands of state organs, jurisdiction became the manifestation of state sovereignty.132 While the Peace of Westphalia contributed to the mutual exclusiveness of territorial jurisdictions, the conflicts between them (especially in relation to trans-border activity)133 existed long before the Internet.134 The borderless essence of the latter creates a situation where “crossing” from one jurisdiction to another becomes natural.135 Some find it tempting to think of jurisdiction as geographically limited.136 However, nearly all governments would agree that it remains an aspect of sovereignty that extends beyond state borders and covers any case where there is an “uninterrupted link of responsibility”.137 As early as 1927, in the Lotus case, the Permanent Court of International Justice held that “a State [. . .] may not exercise its power in any form in the territory of another State” or exercise “jurisdiction [. . .] outside its territory”, unless “a permissive rule derived from

132 Kobrin, “Safe Harbours” (n. 16) 130; Dennis Campbell, The Internet: Laws and Regulatory Regimes, vol 1 (Yorkhill Law Publishing 2007) 49, 157. 133 See Gus Hosein, “Policy Laundering” in Edward Halpin and others (eds.), Cyberwar, Netwar and the Revolution in Military Affairs (Palgrave Macmillan 2006) 229. 134 See Kobrin, “Safe Harbours” (n. 16) 111; Rodney J. Heisterberg, “Collaborative Commerce (C-Commerce)” in Hossein Bidgoli (ed.), The Internet Encyclopedia, vol 2 (John Wiley & Sons 2004) 217. 135 Stephen J. Kobrin, “Territoriality and the Governance of Cyberspace” (2001) 32(4) Journal of International Business Studies 692. 136 See Oren Bigos, “Jurisdiction over Cross-Border Wrongs on the Internet” (2005) 54(3) ICLQ 586; A. Benjamin Spencer, “Jurisdiction to Adjudicate: A Revised Analysis” (2006) 73(2) University of Chicago Law Review 641. 137 Ilaşcu and Others v Moldova and Russia App no 48787/99 (ECtHR, 8 July 2004) para. 393. See also Loizidou v Turkey App no 15318/89 (ECtHR, 23 March 1995) para. 62. Cyber-space 111 international custom or from a convention” exists.138 As will be shown further in this sub-chapter, such rules are already a part of international law. Cyber-libertarians argued that “their” virtual realm was free from any jurisdiction.139 However, non-recognition of the independence of cyber-space means that national laws apply therein. The extent to which such laws apply remains uncertain, as most damaging acts online may involve multiple overlapping jurisdictions. The sole fact of their application makes “online activity less transnational”, further contributing to the division of cyber-space.140 In this environment, for effective prosecution, online acts have to become crimes in each relevant jurisdiction.141 Moreover, they have to be supported by mutual assistance treaties, which are sometimes lacking or not complied with. While ordinary cyber-crime may be regulated today, many states still have weak or no laws addressing serious cyber-attacks in and outside the context of warfare. In addition, different states and organizations do not always share relevant information with each other.142 These factors arise from the desire of governments to influence others in politically sensitive cases. For obvious reasons, this can make investigations extremely difficult.143 Individual jurisdiction online was independently claimed in relation to online piracy, gambling, drug, tobacco and liquor distribution,144 producing child

138 SS “Lotus” (France v Turkey) [1927] PCIJ Rep Series A No. 10, 18–19. 139 Steven Furnell, Securing Information and Communications Systems: Principles, Technologies, and Applications (Artech House 2008) 261. See also Neil W. Netanel, “Cyberspace Self-Governance: A Skeptical View from Liberal Democratic Theory” (2000) 88(2) California Law Review 406. 140 Uta Kohl, Jurisdiction and the Internet: Regulatory Competence over Online Activity (CUP 2007) 28. 141 Azeez N. Ayofe, Osunade Oluwaseyifunmitan, “Towards Ameliorating Cybercrime and Cybersecurity” (2009) 3(1) International Journal of Computer Science and Information Security 9. 142 William A. Owens and others, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies Press 2009) 117. 143 See Tonya L. Putnam, David D. Elliott, “International Responses to Cyber Crime” in Abraham D. Sofaer, Seymour E. Goodman (eds.), The Transnational Dimension of Cyber Crime and Terrorism (Hoover Institution Press 2001) 53. 144 See Marc D. Goodman, Susan W. Brenner, “The Emerging Consensus on Criminal Conduct in Cyberspace” (2002) 6(1) UCLA Journal of Law and Technology 15 accessed 1 August 2015. 112 Chapter 4 pornography,145 publishing of “indecent” materials,146 misusing trademarks147 and so on. A large amount of domestic civil and criminal extraterritorial Internet-related cases exists. Since they are of little relevance for the present book, these cases will not be reviewed here, although they are extensively analyzed in general academic literature.148 One should note that in the online world they mirror the discrepancy between what is considered illegal offline (for instance, terrorism) in different jurisdictions. In analyzing jurisdictional grounds, the present sub-chapter prioritizes, above all, crimes of aggression (an element of jus ad bellum), war crimes (an element of jus in bello), crimes against humanity (a possible element of jus ad bellum or terrorism), as well as terrorist crimes themselves.

4.4.2 Grounds for Jurisdiction A genuine link is required between the victim-state and the harmful act in order to practice jurisdiction.149 Thus, one should ask, how such link can be established in the context of cyber-space? A number of existing doctrines provide an answer to that question. These include active and passive territoriality, active and passive nationality, protective principle and universality. In order to determine whether these doctrines contain exploitable imperfections, one should look at them more closely.

145 See ibid.; Neal K. Katyal, “Criminal Law in Cyberspace” (2001) 149(4) University of Pennsylvania Law Review 1029. 146 See Paul S. Berman, “Towards a Cosmopolitan Vision of Conflict of Laws: Redefining Governmental Interests in a Global Era” (2005) 153(6) University of Pennsylvania Law Review 1820. 147 See ibid.; Marcelo Halpern, Ajay K. Mehrota, “From International Treaties to Internet Norms: The Evolution of International Trademark Disputes in the Internet Age” (2000) 121(3) University of Pennsylvania Journal of International Economic Law 523, 528. 148 E.g., Fagin (n. 99) 413; Peter P. Swire, “Elephants and Mice Revisited: Law and Choice of Law on the Internet” (2005) 153(6) University of Pennsylvania Law Review 1995–1998; Richard K. Greenstein, “The Action Bias in American Law: Internet Jurisdiction and the Triumph of Zippo Dot Com” (2007) 80(1) Temple Law Review 48; Ryan T. Holte, “What is Really Fair: Internet Sales and the Georgia Long-Arm Statute” (2009) 10(2) Minnesota Journal of Law, Science & Technology 568–586; Kevin F. King, “Personal Jurisdiction, Internet Commerce, and Privacy: The Pervasive Legal Consequences of Modern Geolocation Technologies” (2011) 21(1) Albany Law Journal of Science and Technology 78–103; Anne McCafferty, “Internet Contracting and E-Commerce Disputes: International and Unites States Personal Jurisdiction” (2011) 2(1) Global Business Law Review 111–114. 149 Woltag (n. 28) 15. Cyber-space 113

4.4.2.1 Limited Territoriality As an aspect of classic sovereignty, jurisdiction, for the most part, cannot avoid being geopolitical.150 Elements of jurisdiction were traditionally based on territoriality, because “a nation [. . .] had jurisdiction to prescribe what was proper conduct within its physical territory and had jurisdiction to enforce those prescriptions”.151 International law recognizes two distinct bases of territorial jurisdiction: subjective territoriality and objective territoriality (also called the effects doctrine).152 If a harmful act originates in the territory of the same state that claims jurisdiction, subjective territoriality comes into play. If an act originates in another country, but produces (or at least intends to produce)153 harm within the borders of the state claiming jurisdiction, objective territoriality becomes relevant. An American district court held in the ALA v Pataki case that while “states’ jurisdictional limits [were] related to geography, [it was] a virtually meaningless construct on the Internet”.154 This is not entirely true. In the context of cyber-attacks, the above-mentioned doctrines are relevant in situations where harmful effects occur in the territory of any state (for example, nuclear meltdown). In addition, “every computer, system, server, wire and cable lies in or crosses existing jurisdictions in real space”.155 Thus, a certain degree of subjective territorial jurisdiction is expected to be exercised over hardware, unless an international treaty specifies otherwise. When applied in the context of damage to virtual data, the non-territorial nature of cyber-space poses a challenge to the territoriality doctrines mentioned above. Absent physical harm, territorial jurisdiction may be rejected altogether. On the other hand, some governments might treat their national cyber-zones as if they were territory, expressly or implicitly demanding the

150 See Livia Iacovino, Recordkeeping, Ethics and Law: Regulatory Models, Participant Relationships and Rights and Responsibilities in the Online World (Springer 2006) 217. 151 See Brenner, Koops (n. 94) 6. See generally Tallinn Manual (n. 21) R2, R2C2; Frank Berman, “Jurisdiction: The State” in Patrick Capps, Malcolm Evans, Stratos Konstadinidis, Asserting Jurisdiction: International and European Legal Approaches (Hart Publishing 2003) 5. 152 Crawford (n. 8) 458. 153 See Vittorio Fanchiotti, Jean P. Pierini, “Impact of Cyberspace on Human Rights and Democracy” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 53: “some states consider a crime to have been committed in their territory when the crime aimed to realise its effects there but did not do so”. See generally Tallinn Manual (n. 21) R2C4, R2C6. 154 American Libraries Association v Pataki, 969 F Supp 160 (SD NY 1997) 168–169. 155 See Ryan, Ryan, Tikk (n. 39) 92. 114 Chapter 4 replacement of an outdated concept of territorial jurisdiction with a newer national space jurisdiction. Also, enforcement of objective territorial prescriptions is complicated by the fact that most persons causing damage through cyber-space (unlike, for instance, Dmitri Galushkevich)156 will not be present within the territorial jurisdictions.157 Sovereignty itself complicates collecting evidence, for instance, by cracking a computer or convincing external Internet service providers (ISPs) to cooperate.158 It is said that this gap between the power to prescribe objectively and the power to enforce can be filled “by relying upon a range of legal assistance mechanisms”, among them, mutual assistance treaties.159 However, as previously argued, these mechanisms are not always available or complied with, especially in the context of an armed conflict or military tensions.160 Next, one should discuss possibilities of claiming jurisdiction extraterritori- ally. The first doctrine that provides such opportunity is active nationality.

4.4.2.2 Nationality In 2006, the UN’s International Law Commission referred to the assertion of extraterritorial jurisdiction as “an attempt to regulate [. . .] the conduct of persons, property or acts beyond its borders which affect the interests of the state in the absence of such regulation under international law”.161 While sufficient lex scripta regulations may indeed be lacking, international customary law recognizes other possible (extraterritorial) grounds for exercising jurisdiction, among them, the active nationality (personality) principle.162

156 An Estonian Russian reportedly convicted for taking part in cyber-attacks against Estonia in 2007—see “Estonia Fines Man for ‘Cyber War’” (BBC News, 25 January 2008) accessed 1 August 2015. 157 Goldsmith, “Against Cyberanarchy” (n. 26) 1217. See also Kristin M. Finklea, Catherine A. Theohary, “Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement” (Report, Congressional Research Service 2013) 6 accessed 1 August 2015. 158 Goldsmith, “The Internet” (n. 26) 486. See generally Jody R. Westby, International Guide to Cyber Security (American Bar Association 2004) 34. 159 Patricia L. Bellia, “Chasing Bits across Borders” [2001] University of Chicago Legal Forum 44. 160 See sub-chapter 4.4.1. 161 ILC, “Report of the International Law Commission”, 58th Session, Annex E (1 May–9 June, 3 July–11 August 2006) UN Doc A/61/10, 516. 162 Nikos Papadakis, The International Legal Regime of Artificial Islands (A.W. Sijthoff International 1977) 124. Cyber-space 115

Under this principle, countries can assume jurisdiction over acts of their nationals wherever they were perpetrated.163 State practice shows that it can be done irrespective of when the nationality was acquired, either in subordi- nation with the local laws or regardless of the criminalization of such acts in the territorial state.164 The principle is also sometimes applied to residents and stateless persons living in the territory of the state claiming jurisdiction.165 Aside from the potential collision of jurisdictions and extradition problems (which could jeopardize sovereignty), in theory, the active nationality principle is well suited for the virtual realm of cyber-space. Reality does somewhat diminish its applicability however, as in the context of cyber-warfare, citizens rarely chose to attack their own state, while many governments, at least currently, prefer to ignore those attacks that are launched against their political opponents from their states’ territory by non-state actors. According to the related doctrine of passive nationality (personality), a state has jurisdiction over cases where its citizen was the victim.166 During the 20th century, this principle was rarely invoked for two reasons. Firstly, a state had to seize the perpetrator. If done improperly, it could unnecessarily violate sovereignty.167 Secondly, it was considered undiplomatic to imply that local laws were inefficient to protect foreigners.168 Therefore, traditionally, states tried to invoke passive nationality either simultaneously with active personality or in cases where the offense was equally criminalized in both countries.169 The United States which, along with the UK, initially opposed passive nationality,170 accepted it in relation to acts of terrorism after 9/11.171 In practice, this principle is likely to be used by some governments against cyber- terrorists as well (and enforced militarily),172 especially if the level of threat reaches similar proportions. While the extradition of cyber-attackers remains politically problematic, the different pace at which countries computerize

163 See Kamal (n. 29) 197–198; Scassa, Currie (n. 67) 1027. 164 Antonio Cassese, International Criminal Law (3rd edn., OUP 2013) 276. 165 Ibid. 166 Crawford (n. 8) 461. 167 Menthe (n. 41) 72. 168 Ibid. 169 Ibid.; Yulia A. Timofeeva, “Worldwide Prescriptive Jurisdiction in Internet Content Controversies: A Comparative Analysis” (2005) 20 Connecticut JIL 205. 170 Michael P. Scharf, Melanie K. Corrin, “On Dangerous Ground: Passive Personality Jurisdiction and the Prohibition of Internet Gambling” (2002) 8(1) New England Journal of International & Comparative Law 30–32. 171 Scassa, Currie (n. 67) 1027. 172 See Tams (n. 126) 396. 116 Chapter 4 their infrastructure and renew their legislation almost guarantees that without the powerful directives of international organizations, local laws will continue to inadequately cover the threat of serious cyber-attacks, which, in turn, will increase the popularity of the passive nationality doctrine.

4.4.2.3 Protective Principle The protective principle (also known as security doctrine or injured forum doctrine) allows states to assume jurisdiction over acts that threaten their national interests, sovereignty, territorial integrity or political independence.173 Such acts include crimes generally recognized as such by the world community.174 The Israeli government, for example, resorted to this principle while prosecuting “crimes against the Jewish people” in the Eichmann case.175 Although protective doctrine is not often used, it can be invoked in the context of cyber-attacks. An analogy can be drawn here with Article 109(3)(d) of the UNCLOS, which allows a state where an unauthorized broadcast can be received, to prosecute any person engaged in its transmission.176 Virtual damage in a national cyber-zone can also be considered a direct threat to a state that could provide jurisdictional grounds under the protective theory. As such, the protective doctrine can help governments supplement the previously suggested claim of national space jurisdiction. Like in the offline cases, the danger remains that governments might try to interpret their states’ (or organizations’) security in cyber-space too broadly.177 One final ground for extraterritorial jurisdiction is universality, which can be used by governments to prosecute and punish suspected cyber-attackers.

4.4.2.4 Universality For the purposes of this book, universality is the most important doctrine that covers certain acts (inter alia, those in jus ad bellum and jus in bello) that are so offensive that they justify “broad jurisdictional permissiveness”.178 They represent violations of peremptory norms and the international community

173 Crawford (n. 8) 462. 174 See generally Stephan Wilske, Teresa Schiller, “International Jurisdiction in Cyberspace: Which States May Regulate the Internet?” (1997) 50(1) Federal Communications Law Journal 142. 175 Geoff Gilbert, Responding to International Crime (Martinus Nijhoff 2006) 88. 176 UNCLOS (n. 35) Art. 109(3)(d). 177 See generally Malanczuk (n. 11) 112. 178 See Scassa, Currie (n. 67) 1027. Cyber-space 117 recognizes their offensive nature either through treaties or by customary law.179 Moreover, states (and national courts) have an obligation to cooperate in order to bring an end to them lawfully.180 Unlike territorial, national or protective jurisdictional theories, universality does not require a link with the prosecuting state in order to exercise jurisdiction domestically. In fact, governments can have an obligation to “undertake legal proceedings” regardless of “where the crime was committed or the nationality of the perpetrators or the victims”.181 At the same time, it is normally expected that the perpetrator is in state custody.182 For this reason, problems of enforcement, incidental to territorial cases, are usually not present. As a jurisdictional principle, universality is not expressly established by international conventions, but it rather stems from customary law that prioritizes fulfilment of erga omnes obligations over preserving state sovereignty in every situation. As such, universality is often reflected in national laws. Initially, universality was reserved for the crime of piracy (not to be confused with online piracy)183 and later, slave trade. After WW2, it expanded to cover equally heinous war crimes and crimes against humanity.184 In 1948,

179 Henry H. Perritt, “Jurisdiction in Cyberspace” (1996) 41(1) Villanova Law Review 56. 180 ILC, “Draft Articles on Responsibility of States for Internationally Wrongful Acts”, 53rd Session, Supplement No. 10 (November 2001) UN Doc A/56/10, Art. 41(1). See generally Bruce Broomhall, International Justice & The International Criminal Court: Between Sovereignty and the Rule of Law (OUP 2003) 109; Alexander Orakhelashvili, “Law and Policy of International Crimes Between Impunity and Accountability for Serious International Crimes: Legal and Policy Approaches” (2008) 55(2) Netherlands International Law Review 217–219. 181 Stephen Macedo, “Introduction” in Stephen Macedo (ed.), Universal Jurisdiction: National Courts and the Prosecution of Serious Crimes under International Law (University of Pennsylvania Press 2006) 4. 182 Perritt, “Jurisdiction” (n. 179) 56. Note that popularity of “pure” universal jurisdiction, i.e. in absentia, is said to be on the decline—see Sienho Yee, “Universal Jurisdiction: Concept, Logic, and Reality” (2011) 10(3) Chinese JIL 508, 530. 183 Since universality is reserved only for the most serious crimes, relatively harmless online piracy (i.e. online distribution of intellectual property in violation of copyright laws) is not on the same level as real piracy and currently is not covered by universal jurisdiction. 184 Michael P. Scharf, “The ICC’s Jurisdiction over the Nationals of Non-Party States: A Critique of the U.S. Position” (2001) 64(1) Law and Contemporary Problems 82. See generally Convention on the Non-Applicability of Statutory Limitations to War Crimes and Crimes Against Humanity (adopted 26 November 1968, entered into force 11 November 1970) 754 UNTS 73. 118 Chapter 4 genocide was added to the list and subsequently so were also the crimes of torture, apartheid and aggression.185 All eight of the above-mentioned offenses are now universal under international customary law (although US Ambassador David Scheffer tried to argue the contrary in order to justify non-applicability of ICC jurisdiction to US nationals).186 As such, they are listed, for instance, as “serious crimes under international law” in the Princeton Principles on Universal Jurisdiction.187 In the context of the present book, only “crimes against the peace and security of mankind” (war crimes, crimes against humanity, crime of aggression and, arguably, genocide) remain relevant.188 The authors of the Tallinn Manual also seem to agree with this line of thinking, as piracy, slavery or apartheid are not mentioned anywhere in their commentaries, whereas torture is mentioned only once.189 Notably, aside from the limitations placed upon the crime of aggression, which can be perpetrated only by state leadership, international criminal law can already effectively establish responsibility on various levels of power, from individual cyber-attackers to members of government. One has to disagree with scholars who emphasize that international courts and tribunals have a small role to play in the field of cyber-security.190 In reality, the ICC can exercise international jurisdiction over (adult)191 cyber- attackers who, in or via cyber-space, commit, plan or attempt to commit, individually or jointly acts that fall under the ambit of crimes against humanity,

185 For the discussion of torture as a universal crime, see generally Questions Relating to the Obligation to Prosecute or Extradite (Belgium v Senegal) (Merits) [2012] ICJ Rep, para. 74. 186 Scharf (n. 184) 70. 187 Stephen Macedo and others, The Princeton Principles on Universal Jurisdiction (Princeton University Press 2001) 29. 188 ILC, “Draft Code of Crimes against the Peace and Security of Mankind”, 48th Session, Supplement No 10 (6 May–26 July 1996) UN Doc A/CN.4/L.532, Arts 16–20. 189 In the context of protection of detained persons—see Tallinn Manual (n. 21) R75C2. 190 See Fausto Pocar, “International Rules Against Cyber-Crime” in Ernesto U. Savona, Crime And Technology: New Frontiers For Regulation, Law Enforcement And Research (Springer 2004) 37; Sandra L. Hodgkinson, “Are Ad Hoc Tribunals an Effective Tool for Prosecuting International Terrorism Cases?” (2010) 24(2) Emory International Law Review 524. 191 Note that teenage participation in cyber-attacks may call into question Rome Statute (n. 125) Art. 26, under which the ICC is not authorized to prosecute anyone under the age of 18 “at the time of the alleged commission of a crime”. Notably, a number of young people participated in the cyber-attacks on Estonia in 2007 and Georgia in 2008—see Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 176. Cyber-space 119 war crimes or genocide, and, no earlier than 2017, crimes of aggression.192 In other words, the ICC can exercise jurisdiction over international crimes committed in or via cyber-space. Whilst the International Criminal Court may be limited in its scope to nationals of the state parties (unless authorized to exercise jurisdiction by the state itself or the UNSC),193 the expected “prestige associated with accountability and the stigma attached to the failure to prosecute international crimes [. . .] encourage[s] [. . .] states to use their courts to assert universal jurisdiction”.194 While the ICTR remains limited to crimes of 1994,195 the ICTY can also, theoretically, prosecute modern cyber-attacks if they were to amount to international crimes within its mandate (that is war crimes, genocide and crimes against humanity) and were committed “in the territory” of the former Yugoslavia.196 Since it was argued in this chapter that cyber-space is not likely to be recognized as a territorial domain, such crimes would have to be restricted to either those having consequences within the ex-Yugoslav republics, or being initiated using hardware inside their borders. In contrast, merely routing malware through ex-Yugoslav cables is very unlikely to provide the ICTY with jurisdiction. Lastly, one must mention another relevant criminal act that has less customary ground than the four crimes prohibited by the Rome Statute, but which is becoming universal—an act of terrorism. It should be noted that particular

192 Rome Statute (n. 125) Arts 15bis(3), 25(2), 25(3)(a), 25(3)(c), 25(3)(d), 25(3)(f). 193 See Scharf (n. 184) 76. Note that the US actively participated in drafting the Rome Statute, but refused to ratify it. Russia has not ratified the Statute, while China has not signed it. This can be taken as another indication of powerful governments trying to increase their powers at the expense of others. Interestingly, this contrasts David Wippman’s opinion, who argued to the contrary, i.e. that the creation of the ICC “[did] not fit comfortably with the realist framework”—see David Wippman, “The International Criminal Court” in Christian Reus-Smit (ed.), The Politics of International Law (CUP 2004) 152. 194 Payam Akhavan, “Beyond Impunity: Can International Criminal Justice Prevent Future Atrocities?” (2001) 95(1) AmJIL 27. See also Rod Rastan, “The Responsibility to Enforce— Connecting Justice with Unity” in Carsten Stahn, Göran Sluiter (eds.), The Emerging Practice of the International Criminal Court (Martinus Nijhoff 2009) 170. The principle of complementarity will be addressed in the next chapter in the context of the crime of aggression. 195 Statute of the International Tribunal for Rwanda (adopted 8 November 1994, amended 13 October 2006) Art. 1. 196 Statute of the International Criminal Tribunal for the Former Yugoslavia (adopted 25 May 1993, amended 17 May 2002) Arts 1–5, 7. See generally William A. Schabas, The UN International Criminal Tribunals: The Former Yugoslavia, Rwanda and Sierra Leone (CUP 2008) 129. 120 Chapter 4 terrorist acts can sometimes also be characterized as crimes against humanity or war crimes.197 For this reason, it is more beneficial for the government of the victim-state to treat them as such for the purposes of establishing universal jurisdiction, since a “jurisprudentially justified category is far more defensible than [that of] a newly created crime [. . .] with an uncertain pedigree”.198 Among other things, such an approach will allow the ICC to prosecute the most serious acts of cyber-terrorism, which require unbiased trials with minimal political involvement. At the same time, certain governments may deliberately rely on the terrorist category in order to deny certain rights to the suspects in an asymmetrical war setting.199 The legal nature of terrorism will be further discussed in Chapter 7 of the present book. For obvious reasons, jurisdiction can only be exercised when a cyber- attacker has been identified. Thus, one must address the more practical issue of individual attribution in cyber-space next. In addition to providing grounds for the exercise of jurisdiction, proper identification of cyber-attackers is generally paramount for any legitimate response, particularly in the context of warfare.

4.4.3 Identifying the Cyber-Attacker Like other criminals, crackers rarely want to reveal their real identities and may instead use individual (for example, c0mrade, Dark Dante, Solo) or group (for instance, Anonymous, TeaMp0isoN, TESO) nicknames.200 In addition,

197 Michael Byers, “Terrorism, the Use of Force and International Law after 11 September” (2002) 51(2) ICLQ 413; Michael P. Scharf, Michael A. Newton, “Terrorism and Crimes Against Humanity” in Leila N. Sadat (ed.), Forging a Convention for Crimes Against Humanity (CUP 2011) 267–269; Roberta Arnold, “Terrorism as a Crime Against Humanity Under the ICC Statute” in Giuseppe Nesi (ed.), International Cooperation in Counter- Terrorism: The United Nations and Regional Organization in the Fight Against Terrorism (Ashgate Publishing 2006) 135; Aviv Cohen, “Prosecuting Terrorists at the International Criminal Court: Reevaluating an Unused Legal Tool to Combat Terrorism” (2012) 20(2) Michigan State International Law Review 239. 198 Scharf, Newton (n. 197) 276. For discussion of potential prosecution of terrorism as a separate crime in the ICC, see Erin Creegan, “A Permanent Hybrid Court for Terrorism” (2011) 26(2) American University International Law Review 280–285; Angela Hare, “A New Forum for the Prosecution of Terrorists: Exploring the Possibility of the Addition of Terrorism to the Rome Statute’s Jurisdiction” (2010) 8(1) Loyola University Chicago International Law Review 99–100. 199 See further sub-chapter 7.5.4. 200 See Susan W. Brenner, “‘At Light Speed’: Attribution and Response to Cybercrime/ Terrorism/Warfare” (2007) 97(2) Journal of Criminal Law and Criminology 407; Kristin M. Finklea, “The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting Cyber-space 121 serious cyber-attackers are almost certain to spoof their identity and use random networks. A great number of scholars argue that attribution in cyber-space is extremely hard or impossible.201 Yet, this claim can be challenged. While the author does not wish to absolutely insist that legal attribution is always possible, it makes sense to look at the best practices that can already be used to successfully resolve the attribution problem. Almost all online activity (even if it is automated) leaves digital evidence that can be helpful in tracing it back to humans. To a significant extent, successful identification increasingly becomes dependent on the development of cyber-forensic tools. Notably, the US officials openly claim that they have the means to “locate [cyber-aggressors] and to hold them accountable”.202 Even in the non-state-controlled cyber-space, the current level of technology allows accurate tracking of the network protocol address (for example, Internet Protocol) of any connected device, while geo-location computers can automatically translate it into geographic coordinates, revealing the misused

U.S. Law Enforcement” (Report, Congressional Research Service 2013) 16 accessed 1 August 2015. Note that in some cases they may wish to expose themselves as a political statement—see Thomas Rid, Cyber War Will Not Take Place (Hurst & Co 2013) 158. 201 See Gabriel K. Park, “Granting an Automatic Authorization for Military Response: Protecting National Critical Infrastructure from Cyberattack” (2013) 38(2) Brooklyn JIL 809–810; David E. Graham, “Cyber Threats and the Law of War” (2010) 4(1) Journal of National Security Law & Policy 99; Michael J. Glennon, “The Road Ahead: Gaps, Leaks and Drips” (2013) 89 International Law Studies 382; Michael J. Glennon, “The Dark Future of International Cybersecurity Regulation” (2013) 6 Journal of National Security Law & Policy 567; Levi Grosswald, “Cyberattack Attribution Matters under Article 51 of the U.N. Charter” (2011) 36(3) Brooklyn JIL 1164, 1174; Katharina Ziolkowski, “Ius ad Bellum in Cyberspace— Some Thoughts on the ‘Schmitt-Criteria’ for Use of Force” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 306. See also Dinniss (n. 191) 99–100; Stephenie G. Handler, “The New Cyber Face of Battle: Developing a Legal Approach to Accommodate Emerging Trends in Warfare” (2012) 48(1) Stanford JIL 213; Kelly A. Gable, “Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent” (2010) 43(1) Vanderbilt Journal of Transnational Law 78–79; CTITF, “Countering the Use of the Internet for Terrorist Purposes—Legal and Technical Aspects” (Working Group Report, UN 2011) paras. 5 at 2, 13 at 22, 15 at 23 accessed 1 August 2015. 202 Leon E. Panetta, “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security” (News Transcript, US Department of Defense 2012) accessed 1 August 2015. 122 Chapter 4 computer’s physical position.203 Indeed, cyber-attackers may imitate physical location elsewhere, but network protocol tracing is merely one of the factors used for positive identification. The need for “intelligence and information analysis” (that has long been present in criminal investigations) is increasingly emphasized as an imperative element of individual attribution.204 Extensive research already exists that predicts behavioral patterns of attackers, based on psychology, sociology and even cultural preferences.205 In 2012, Robert Fanelli and Gregory Conti presented a methodology that aims to ensure precise tracking and targeting in the context of armed conflict. If reverse-engineered, this noteworthy methodology reveals elements that can be used to attribute cyber-attacks legally. Aside from the “geographic factor”, Fanelli and Conti look at the “general function” of a device, noting that “combatants and protected entities could be intermingled on a shared network, in a cloud infrastructure or, through virtual- ization, on a single host”, as well as “personal factor”, that is, the users that use the device or its owners.206 Identification per Fanelli-Conti must involve analysis of the physical environment surrounding the device, including which hardware it uses, characteristics of operations, manufacturer and specific model, GPS data and mobile network locations, media access control (MAC) and TCP/IP protocols, power sources, clock and time zone settings, language settings and keyboard layouts,

203 See Fanchiotti, Pierini (n. 153) 50; Tallinn Manual (n. 21) R2C5; Kevin F. King, “Geolocation and Federalism on the Internet: Cutting Internet Gambling’s Gordian Knot” (2010) 11 Columbia Science and Technology Law Review 58. Note that in national cyber-zones ISPs may be asked to verify user identities. 204 Nicholas Tsagourias, “Cyber Attacks, Self-Defence and the Problem of Attribution” (2012) 17(2) Journal of Conflict & Security Law 234; W Earl Boebert, “A Survey of Challenges in Attribution” in National Research Council of the National Academies, Proceedings of a Workshop on Deterring Cyberattacks (National Academies Press 2010) 49. See also Clarke, Knake (n. 50) 254; Clement Guitton, “Modelling Attribution” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 93–96. 205 For example, see Charmaine Sample, “Culture and Computer Network Attack Behaviors” (Doctoral Thesis, Capitol College 2013). 206 Robert Fanelli, Gregory Conti, “A Methodology for Cyber Operations Targeting and Control of Collateral Damage in the Context of Lawful Armed Conflict” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 324. Cyber-space 123 as well as “patterns of utilization, workload, transmit and receive frequencies, function-specific firmware or environmental conditions”.207 Examining log files, records, and source code (with and without assistance from the ISPs) might also reveal the function of the system and, thus, possibly the location and ownership of the “aggressive” cyber-devices.208 Furthermore, users and owners of a device can be identified by analyzing the virtual alter ego(s) of the attacker(s) in the cyber-world. Upon entry into the hostile system (in line with, or in violation of rules of enforcement jurisdiction), additional information might be obtained by investigating user accounts, e-mails, software registration entities, digital certificates, stored bio- metric data, real-live or stored images and audio streams.209 Cyber-attackers that employ portable smartphones might also be identified through devices’ International Mobile Equipment Identifier (IMEI), or Mobile Identification Numbers (MIN) and International Mobile Subscriber Identity (IMSI) on SIM cards.210 Finally, while governments are likely to resort to all available methods of technical and personal attribution of cyber-attacks, if their national interests are jeopardized, they may try to exercise jurisdiction and react politically to presumed threats and capabilities.211

4.5 Conclusion

Attempts to interpret law differently in cyber-warfare can be expected already in determining the essence of cyber-space itself. Applying the lenses of territoriality, sovereignty and jurisdiction, the present chapter identified the exploitable imperfections of international law pertaining to the essence of the virtual world. Acknowledging that some governments may choose to argue that cyber- space constitutes a territory (in order to extend certain legal protections therein and to expand their rights), it was shown that such a claim is hardly defendable. At the same time, while some nations contend that cyber-space should constitute a global common, the world community does not yet treat it as such.

207 Ibid., 325. 208 Ibid., 326. 209 Ibid. 210 Ibid., 325. 211 Guitton (n. 204) 91; Glennon, “The Road” (n. 201) 386. 124 Chapter 4

For this reason, the main source of exploitability in the current context lies in claims of sovereignty over parts of the virtual realm. Imperfections of international law in their present form, on the one hand, allow the US to maintain its de facto control over the Internet and, on the other, permit governments to exercise sovereignty over certain parts of cyber-space. While it was claimed that identification of cyber-attackers is not an impossible task, grounds like non-territoriality of the virtual world may be used to deny jurisdiction and assistance to others. Governments demanding jurisdiction, in contrast, may interpret their states’ security in cyber-space too broadly, even if it jeopardizes sovereignty of others. The present chapter focused on the legal framework surrounding the very environment, where cyber-attacks are launched. The next three chapters (Chapters 5, 6 and 7) will concentrate on the substantive norms of jus ad bellum and jus in bello that currently regulate cyber-strikes in order to see whether they contain significant legal imperfections that may exploited. Chapter 5 Cyber-Strikes and Jus Ad Bellum

5.1 Introduction

The previous two chapters have outlined the levels of damage that cyber- attacks can cause and addressed the applicability and imperfections of the international law principles of territoriality, sovereignty and jurisdiction in cyber-space. This chapter will evaluate cyber-attacks from the viewpoint of the legal framework in the field of jus ad bellum. It will demonstrate that this framework is sufficient generally to tackle serious cyber-attacks rising to the level of the “use of force” (and above) and that, at the same time, it leaves uncertainties, deficiencies and gaps that governments may exploit to the detriment of international security. In order to demonstrate this, the chapter is divided into three parts. The first part analyzes whether cyber-attacks generally fall under the prohibition of the use of force established by Article 2(4) of the United Nations Charter and its customary shadow. It highlights imperfections, as well as possible limits of the legal regime, and questions the viability of the existing methods of interpretation of whether cyber-attacks may violate the prohibition. The second part reviews cyber-strikes as “armed attacks” within the context of Article 51 of the UN Charter and the corresponding customary norms. It determines whether international law adequately provides states that fall victim to damaging cyber-attacks with the right to self-defense. Furthermore, it addresses the possibility of anticipatory response by states, as well as other conceivable defensive actions (such as counter-measures). The third part concentrates on the question whether cyber-attacks may be considered aggression within the context of the existing legal instruments. The reason for this analysis is two fold. Firstly, aggression as a concept closely- related to the “use of force” and “armed attack” helps better understand their nature, as well as when states have the right to respond in self-defense. Secondly (and more importantly), it demonstrates for which acts in cyber-space (qualifying as crimes of aggression) state leadership could be held responsible in the future.

5.2 Cyber-Attacks and the Use of Force

The inquiry of the present book necessitates starting the analysis by asking if the classic regime on the use of force matches the emerging cyber-threat. Considering the history of the debate, are economic and socio-political disruptions in cyber-space adequately covered? Does one require a clear normative framework on interpretation of Article 2(4), which would minimize potential exploitation, or does such a framework already exist? The following analysis addresses these questions.

5.2.1 Article 2(4) of the UN Charter as the Starting Point When the UN Charter was drafted in 1945, computers were struggling to perform basic mathematical functions and, therefore, were significantly slower than simple calculators nowadays. One of the most powerful super-secret computers, Colossus (which helped British code-breakers read encrypted German messages during WW2) took long hours to decode one message—a task that modern PCs can do in seconds. The Internet did not make a public appearance until the 1990s, that is more than 45 years after the San Francisco conference. For these reasons, the creators of the UN Charter could not have foreseen the possibility of cyber-attacks. However, as academics continue to point out, this does not mean that this instrument is unfit to face the new threat.1 Indeed, even leaving aside the notion that the Charter is a living instrument, in 1996, the International Court of Justice (ICJ) declared that it applies to any use of force “regardless of the weapons employed”.2 Article 2(4) of the UN Charter is the most authoritative source regulating the use of force that is meant to provide states with a war-free environment. Although it did not always succeed in this task, it was widely embraced by the world community as such: a clear reference to the substantive element of

1 See Albrecht Randelzhofer, Georg Nolte, “Article 51” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary, vol 2 (3rd edn, OUP 2012) 1419; Scott J. Shackelford, “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law” (2008) 27(1) Berkeley JIL 229; Antonia Segura-Serrano, “Internet Regulation and the Role of International Law” (2006) 10 Max Planck Yearbook of United Nations Law 231; George K. Walker, “Neutrality and Information Warfare” (2002) 76 International Law Studies 244. 2 Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep, para. 39. See also Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) Ch2C1, R10. Cyber-strikes And Jus Ad Bellum 127

Article 2(4) is found in the Helsinki Final Act,3 Rio Pact,4 North Atlantic Treaty,5 Manila Pact,6 ANZUS,7 the now disbanded Warsaw Pact,8 and other important documents on international security.9 The UN Security Council (UNSC) has also adopted the tendency to formally rely on the principles contained in Article 2(4) “when dealing with cases of potential or real armed conflict”.10 For the purposes of the present book, Article 2(4) is broken down into four parts. To facilitate the discussion and ensure that it runs smoothly, they shall be addressed in the following order:

[1] All Members shall refrain in their international relations [3] from the threat [4] or use of force [2] against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.11

In other words, the following analysis will first address the applicability of this prohibition to states, move on to the objects of its protection, followed by a discussion of threats of force in the cyber-context and, finally, use of force.

3 Conference on Security and Cooperation in Europe Helsinki Final Act (adopted 1 August 1975) 14 ILM 1292, para. 1(b)(i). 4 Inter-American Treaty of Reciprocal Assistance (Rio Pact) (adopted 2 September 1947, entered into force 3 December 1948) 21 UNTS 77, Art. 1. 5 North Atlantic Treaty (adopted 4 April 1949, entered into force 24 August 1949) 34 UNTS 243, Arts. 1, 5. 6 Southeast Asia Collective Defense Treaty (adopted 8 September 1954, entered into force 19 February 1955) 209 UNTS 28, Art. 1. 7 Security Treaty Between the United States, Australia, and New Zealand (adopted 1 September 1951, entered into force 29 April 1952) 131 UNTS 83, Art. 1. 8 Treaty of Friendship, Cooperation and Mutual Assistance (adopted 14 May 1955, entered into force 5 June 1955) 219 UNTS 3, Art. 1. 9 For example, see Declaration on Principles of International Law Concerning Friendly Relations and Co-operation Among States in Accordance with the Charter of the United Nations, Annex to UNGA Res 2625 (XXV) (24 October 1970) op para. 1; Declaration on the Enhancement of the Effectiveness of the Principle of Refraining from the Threat or Use of Force in International Relations, UNGA Res 42/22 (18 November 1987) UN Doc A/RES/42/22, op para. 1(1), 1(2); International Code of Conduct for Information Security, Annex to UNGA 66/359 (14 September 2011) UN Doc A/66/359, op para. 11. 10 Anthony C. Arend, Robert J. Beck, International Law and the Use of Force: Beyond the UN Charter Paradigm (Routledge 1993) 34. 11 Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 892 UNTS 119, Art. 2(4). 128 Chapter 5

5.2.1.1 Scope of Application The first part of Article 2(4) appears to be limiting the scope of application only to international conflicts, and not to internal ones. It also makes it quite clear that the provision is addressing the members of the United Nations that at the current moment amount to 193 states and include all countries with advanced cyber-capabilities.12 The ICJ previously held that “principles as to the use of force incorporated in the Charter reflect customary international law”.13 Furthermore, in the Nicaragua case, it is implied that Article 2(4) has peremptory nature and is part of jus cogens.14 That being said, it is important to note that a special agreement between states, as well as the ever-evolving customary norms may place more formal constrains on state behavior than Article 2(4) itself.15 Moreover, as correctly observed by Nicholas Tsagourias, the customary shadow of this provision also inevitably binds non-state actors.16

5.2.1.2 Objects of Protection Article 2(4) explicitly refers to “force” that is inconsistent with the purposes of the UN or which targets independence or territorial integrity of a state.

12 Note that this provision also applies to non-UN members according to customary norms—see Tallinn Manual (n. 2) R10C5. See generally UN Charter (n. 11) Art. 103: “In the event of a conflict between the obligations of the Members of the United Nations under the present Charter and their obligations under any other international agreement, their obligations under the present Charter shall prevail”. 13 Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep, para. 87. See also Military and Paramilitary Activities in and against Nicaragua (Nicaragua v USA) (Merits) [1986] ICJ Rep, para. 190; “Document A/6309/Rev.l: Reports of the International Law Commission on the Second Part of Its Seventeenth Session and on its Eighteenth Session” in ILC, Yearbook of the International Law Commission, vol 2 (UN 1966) 247. 14 Nicaragua Case (n. 13) para. 190. For a skeptical view of the peremptory nature of the ban on the use of force, see James A. Green, “Questioning the Peremptory Status of the Prohibition of the Use of Force” (2011) 32(2) Michigan JIL 256–257. See generally Bruno Simma, “NATO, the UN and the Use of Force: Legal Aspects” (1999) 10(1) EJIL 3. 15 See generally Christian Henderson, James A. Green, “The Jus Ad Bellum and Entities Short of Statehood in the Report on the Conflict in Georgia” (2010) 59(1) ICLQ 133. 16 Nicholas Tsagourias, “The Tallinn Manual on the International Law Applicable to Cyber Warfare: A Commentary on Chapter II—The Use of Force” (2012) 15 Yearbook of International Humanitarian Law 21. Cyber-strikes And Jus Ad Bellum 129

Respect for political independence is based on the principles of sovereign equality of states17 and non-intervention.18 The latter specifically prohibits direct or indirect intervention “in the internal or external affairs of any other State”, that is in matters over which sovereign countries must “decide freely”, absent coercion.19 Today, it is not disputed that cyber-attacks may violate the principle of non-intervention and threaten political independence, especially if they have the capacity to cause direct damage to a state or its population. In fact, cyber- strikes are already used in attempts to influence political decisions of various governments, whether it is to reverse a nuclear program of a state (for instance, in Iran)20 or to stop a relocation of a statue (for example, in Estonia).21 Can cyber-strikes violate the territorial integrity of a country, considering the non-territorial nature of cyber-space?22 At first glance they cannot, unless they are accompanied by physical consequences. However, “territorial integrity” has been interpreted as “territorial inviolability”.23 This is also evident in the jurisprudence of the ICJ. For instance, the Court characterized Uganda’s actions in the DR Congo as a violation of “territorial integrity” in the Armed Activities case of 2005, despite the fact that Uganda did not seem to be interested in any territorial gains.24 According to Judge Koroma, the “principle of respect for sovereignty and territorial integrity” allows states to exercise control “within and over its

17 UN Charter (n. 11) Art. 2(1). 18 Friendly Relations Declaration (n. 9) preamb paras. 8, 16(c), op para. 1; Declaration on the Inadmissibility of Intervention and Interference in the Internal Affairs of States, Annex to UNGA Res 36/103 (9 December 1981) UN Doc A/RES/36/103, op paras. 1, 2. 19 Ibid.; Nicaragua Case (n. 13) para. 205. 20 See discussion of Stuxnet in sub-chapter 3.3.1. See also Terry D. Gill, “Non-Intervention in the Cyber Context” in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013) 235. 21 See discussion of cyber-attacks against Estonia in 2.3.3.5. See also Tsagourias, “The Tallinn Manual” (n. 16) 25; Russell Buchan, “Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?” (2012) 17(2) Journal of Conflict & Security Law 226. 22 See sub-chapter 4.2.2. 23 See Simon Chesterman, Just War or Just Peace? Humanitarian Intervention and Humanitarian Law (OUP 2001) 50. 24 Armed Activities on the Territory of the Congo (DRC v Uganda) (Judgment) [2005] ICJ Rep, para. 165; André de Hoogh, “The ‘Armed Activities’ Case: Unasked Questions, Proper Answers” (Hague Justice Portal, 30 January 2006) accessed 1 August 2015. 130 Chapter 5

territorial domain”.25 Thus, any attempt to sever that control through cyber- attacks (for example, by disrupting communication between a state and one of its islands or remote territories) would violate that principle. In any event, governments that are convinced that cyber-strikes against their states are unlawful under Article 2(4) may always rely on a third alternative— the purposes of the UN, which are broad enough to prohibit even the most insignificant cyber-attacks. Inter alia, these purposes include aspirations “to develop friendly relations [. . .] based on the principle of equal rights and self- determination”, which can be ruined by any cyber-attack that is inherently unfriendly.26

5.2.1.3 Threat of Force How much attention should one pay to the word “threat” in Article 2(4)? A threat of force, according to Ian Brownlie, is an “express or implied promise” to “resort to force conditional on non-acceptance of certain demands” of the threatening government.27 The ICJ called it a “signaled intention to [illegally] use force if certain events occur”.28 It may be articulated orally, in communications or documents, included in a treaty, or implied by certain military and political actions.29 Some scholars believe that threats of force should be judged on their own and governments may resort to this logic as well.30 However, according to the ICJ’s advisory opinion in the Nuclear Weapons case, the notions of threat and use of force “stand together in the sense that if the use of force itself [. . .] is illegal [. . .]—the threat to use such force will likewise be illegal”.31 Together with the unpredictable nature of cyber-strikes, this tight bond leads to a situation when, as far as cyber-attacks are concerned, the threat of force will either be followed by a use of force, which will overshadow threats politically and legally, or it will not, in which case legal appraisal becomes unnecessary.32 Due to this bond, there is no point in awarding the threat of force a larger place in this book. Whatever conclusions will be reached regarding cyber-

25 Dissenting Opinion of Judge Koroma in Accordance With International Law of the Unilateral Declaration of Independence in Respect of Kosovo (Advisory Opinion) [2010] ICJ Rep, para. 21. 26 UN Charter (n. 11) Art. 1(2). 27 Ian Brownlie, International Law and the Use of Force by States (OUP 1963) 364. 28 Nuclear Weapons Case (n. 2) para. 47. 29 Romana Sadurska, “Threats of Force” (1988) 82(2) AmJIL 242–243. 30 Nikolas Stürchler, The Threat of Force in International Law (CUP 2007) 43. 31 Nuclear Weapons Case (n. 2) para. 47. See also Tallinn Manual (n. 2) R12. 32 See generally Sadurska (n. 29) 239. Cyber-strikes And Jus Ad Bellum 131 attacks as a use of force will automatically extend to the threat of such attacks. In the context of cyber-warfare, the analysis of an independent notion of the “threat of force” has limited value and even Thomas Franck did not bother to conduct a special investigation regarding the demise of the “threat of force” concept in his work “Who Killed Article 2(4)?”.33

5.2.1.4 Use of Force The main strength of Article 2(4) lies in the prohibition of the use of force against all states (including non-UN members).34 What exactly is meant by “force” is still subject to debate and, as noted by Andrea Bianchi, “lack of consensus has caused interpretative methods to ‘proliferate’ ”.35 This makes it difficult to determine whether cyber-attacks constitute use of force per se. However, there may be factors or precedents that help put things into perspective. Above all, the purpose of the UN Charter is to establish a lasting peace and prevent violence.36 It is, therefore, logical and widely accepted by many scholars that the category of the prohibited use of force in cyber- space includes all illegal armed attacks (which themselves represent “the most grave forms of the use of force”),37 especially those resulting in deaths, destruction, significant injury or significant damage in the physical world.38

33 See Thomas M. Franck, “Who Killed Article 2(4)?” (1970) 64(5) AmJIL. 34 Albrecht Randelzhofer, Oliver Dörr, “Article 2(4)” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary, vol 1 (3rd edn, OUP 2012) 213. 35 Andrea Bianchi, “The International Regulation of the Use of Force: The Politics of Interpretive Method” (2009) 22(4) Leiden JIL 675. 36 Thomas M. Franck, Recourse to Force: State Action against Threats and Armed Attacks (CUP 2002) 19–20. See also Joel H. Westra, International Law and the Use of Armed Force: The UN Charter and the Major Powers (Routledge 2007) 11. 37 Nicaragua Case (n. 13) para. 191. See also Tallinn Manual (n. 2) R11C6, R13C3, R13C5. 38 See Tallinn Manual (n. 2) R11C9(a), R13C6, R13C9; Michael N. Schmitt, “Cyber Operations and the Jus ad Bellum Revisited” (2011) 56(3) Villanova Law Review 589; Michael N. Schmitt, “ ‘Attack’ as a Term of Art in International Law: The Cyber Operations Context” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 288; Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 74, 80; Christopher C. Joyner, Catherine Lotrionte, “Information Warfare as International Coercion: Elements of a Legal Framework” (2001) 12(5) EJIL 850; Katharina Ziolkowski, “Ius ad Bellum in Cyberspace—Some Thoughts on the ‘Schmitt- Criteria’ for Use of Force” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 299; Walter G. Sharp, CyberSpace and the Use of Force (Aegis Research Corporation 1999) 102, 133, 140; Reese Nguyen, “Navigating Jus Ad Bellum in the Age of Cyber Warfare” (2013) 101(4) California Law Review 1084, 1125–1127. 132 Chapter 5

Is the opposite true, is a use of force an armed attack? Notably, the United States government occasionally claims that self-defense (that presupposes armed attack) applies to all illegal uses of force.39 Also, a distinguished legal scholar Katharina Ziolkowski states that, for her, Article 2(4) prohibits use of “armed” force.40 However, this approach invites conflicts in legal assessments. For instance, Ziolkowski argues that damaging data cannot constitute a use of armed force, which is definitely correct, however, this does not mean that such action does not constitute a non-armed use of force.41 Although the Charter explicitly refers to “armed force” in a number of articles, if the drafters wanted to limit Article 2(4) to armed actions, they would use that adjective.42 Consequently, “force” in cyber-space must include not only armed attacks, but also cyber-operations of a lesser magnitude and other equally aggressive acts, as long as they reach the same threshold. This argument is supported by the jurisprudence of the ICJ. For instance, arming and training rebel forces was found to be a use of force, but not an armed attack in the Nicaragua case (funding guerrillas was declared as neither).43 A similar conclusion in the context of “training and military support” was inferred by the ICJ in the Armed Activities judgment.44 It is, therefore, reasonable to assume that supplying dangerous malware to an organized cracker group, accompanied by training, can be considered a violation of Article 2(4) by some governments, as predicted by the Tallinn Manual.45 Furthermore, in the Tehran Hostages case, the ICJ clearly indicated that taking over an embassy and its staff was a use of force.46 In addition, in the Oil Platforms case, it referred to the destruction of individual platforms as the use

39 Harold H. Koh, “International Law in Cyberspace” (USCYBERCOM Inter-Agency Legal Conference, 2012) Uns Quest 1 accessed 1 August 2015. 40 Ziolkowski, “Ius ad Bellum” (n. 38) 299. 41 Ibid. 42 Marco Benatar, “The Use of Cyber Force: Need for Legal Justification?” (2009) 1(3) Goettingen JIL 382. 43 Nicaragua Case (n. 13) paras. 228–229. See also Randelzhofer, Dörr (n. 34) 211. 44 Armed Activities Case (n. 24) paras. 160, 163. 45 Tallinn Manual (n. 2) R11C4. Note that the law is not clear whether the cracker groups have to resort to force in order for their training and arming to constitute a use of force—see Tsagourias, “The Tallinn Manual” (n. 16) 28. 46 United States Diplomatic and Consular Staff in Tehran (USA v Iran) (Judgment) [1980] ICJ Rep, paras. 57, 64, 91. Cyber-strikes And Jus Ad Bellum 133 of force and strongly implied that mining of a single military vessel falls under the same category.47 Here, one should also mention the conclusion reached in the Report of the Independent International Fact-Finding Mission on the Conflict in Georgia, solicited by the European Union (EU). This report states: “the prohibition of the use of force covers all physical force which surpasses a minimum threshold of intensity”.48 With reference to Robert Kolb, it further claims that only “very small incidents lie below this threshold, for instance the targeted killing of single individuals, forcible abductions of individual persons, or the interception of a single aircraft”.49 Can one rely on this conclusion, particularly in the cyber-warfare context? It is true that acts such as assassinations of known terrorists, kidnappings of Nazi criminals and destruction of single spy planes were sometimes left without due legal attention. However, as André de Hoogh rightly noted, the principle de minimis non curat praetor does not “detract from the scope of the rule at stake and would not rule out its (possible) violation”.50 The EU Report’s logic becomes weak, for instance, in cases when cyber- attacks affect the health of state leaders, high-ranking officials or vital military command systems, as many governments may consider them a use of force (if not armed attacks).51 The number of persons harmed on board an aircraft (or a vehicle or vessel, for that matter) may play a decisive role in the governments’ decision to qualify cyber-strikes as a use of force. Similarly, the level of expertise and resources invested into the cyber-attack could be considered. If it is plausible that a cyber-strike, which results in physical damage will be covered by the use of force provisions, can the same be said for economic and social disruption? This is perhaps a more troublesome area for international law, given that cyber-attacks are able to cause such disturbance, yet politico- economic force has traditionally been excluded from the scope of Article 2(4).

47 Oil Platforms (Iran v US) (Judgment) [2003] ICJ Rep, paras. 72, 77. 48 Heidi Tagliavini, Report of the Independent International Fact-Finding Mission on the Conflict in Georgia, vol 2 (Council of the EU 2009) 242. 49 Ibid. 242 fn 49. 50 André de Hoogh, “Georgia’s Short-Lived Military Excursion into South Ossetia: The Use of Armed Force and Self-Defence” (EJIL: Talk!, 9 December 2009) accessed 1 August 2015. 51 See generally ibid.; Nicholas Tsagourias, “Cyber Attacks, Self-Defence and the Problem of Attribution” (2012) 17(2) Journal of Conflict & Security Law 232. 134 Chapter 5

5.2.2 Economic and Social Disruption High reliance of developed countries on computerized systems and storing information in cyber-space has led to a situation where cyber-attacks against financial and social infrastructure may indirectly result in great harm to a society. In addition to damaging the health of the population (for example, in case of a prolonged disruption of transportation), cyber-strikes can aim to initiate social chaos and mass panic, which would lead to loss of political stability of the victim-state, lack of trust in the government, heightened levels of crime, possible mass riots; all of which will be accompanied by unavoidable economic losses. Resulting suffering of the general population (which, according to the Tallinn Manual, can be a cumulative element in determining whether cyber- strikes constitute armed attacks)52 and political instability can then significantly exceed that which would arise even in the case of a serious kinetic strike, incentivizing governments to claim the right of self-defense. Mass restlessness, social disruption and violent crime can be provoked even more easily by a major cyber-offensive on financial institutions. As Paul Cornish notes, “[i]n the worst case, a cyber attack against trade and banking systems could undermine the most important commodity of all—confidence”.53 This is especially true if cyber-attacks succeed in causing hyperinflation. Can such scenarios legally be classified as a use of force? The travaux préparatoires of the UN Charter and subsequent developments reveal strong opposition to the idea of expanding the prohibition of force to political or economic measures.54 Inter alia, this is reflected in the General Assembly declarations, which address such coercion separately from the use of force.55 Today, the exclusion of political and economic acts in the interpretation of Article 2(4) can still be said to be the predominant approach. However, does the emergence of cyber-attacks capable of devastating state economies and causing social unrest not require a reevaluation of these old interpretations? Continuous exclusion of all economic and political measures from the scope of Article 2(4) invites exploitation of this legal loophole in cyber-warfare, as

52 Tallinn Manual (n. 2) R13C7. 53 Paul Cornish, “The Vulnerabilities of Developed States to Economic Cyber Warfare” (Working Paper, Chatham House 2011) 11 accessed 1 August 2015. 54 Tim Hillier, Sourcebook on Public International Law (Cavendish 1998) 601. 55 Friendly Relations Declaration (n. 9) op para. 1; Refraining from Force Declaration (n. 9) op para. 1(8). Cyber-strikes And Jus Ad Bellum 135 state survival could be jeopardized without it being considered a use of force. A suggestion can be made to expand the definition of Article 2(4) so that it would simply assimilate the “traditionally-excluded categories”.56 However, it is not likely to be accepted in light of certain governmental policies for sanctions, as well as socio-political and economic pressure against their adversaries (for instance, the US embargo of Cuba). How does one delineate the new issue from the old? A clear distinction between cyber-attacks and traditional measures can be made with reference to two elements: active involvement and state-wide population impact. Classic means such as trans-border propaganda, sanctions and embargoes are generally passive in their nature and it may take a long time before their effects are even felt by ordinary citizens.57 One such example is the “oil weapon”—an embargo employed by the Arab States that caused the 1973 economic crisis. It represented inactivity (a stop in active oil trade) and it was not seen as a use of force by the international community.58 A similar decision likely awaits geographically or otherwise limited action, such as regional distribution of leaflets or stealing money from state leadership (but not from its people).59 It follows that only cyber-attacks meant to actively harm a state and to affect its population, and which cripple a state’s economy or socio-political system as a whole, can be reasonably considered a use of force.60 This would mean that

56 Jason Barkham, “Information Warfare and International Law on the Use of Force” (2001) 34(1) NYU Journal of International Law and Politics 59. See also Matthew Hoisington, “Cyberwarfare and the Use of Force Giving Rise to the Right of Self-Defense” (2009) 32(2) Boston College International & Comparative Law Review 447; Daniel B. Silver, “Computer Network Attack as a Use of Force under Article 2(4) of the United Nations Charter” (2002) 76 International Law Studies 82. 57 Tallinn Manual (n. 2) R11C9(b), R11C9(c). 58 With the exception of the US government, which considered its own armed action to put an end to the embargo—see Peter Mangold, Superpower Intervention in the Middle East (Croom Helm 1978) 72. 59 Contemplated in the cyber-context by the US against “dictators” and “terrorists”—see Richard A. Clarke, Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010) 246. This plan was weighted against Milosevic in 1999, as noted in sub-chapter 3.3.2.2. 60 Some authors like Graham Todd rightly observe that damaging cyber-attacks can also be passive (e.g., Stuxnet), however, attacks that in the end cause direct physical harm belong to a different, more obvious category—see Graham H. Todd, “Armed Attack in Cyberspace: Deterring Asymmetric Warfare with an Asymmetric Definition” (2009) 64 Air Force Review 77. See also Herbert S. Lin, “Offensive Cyber Operations and the Use of Force” (2010) 4(1) Journal of National Security Law & Policy 75. 136 Chapter 5 states not only have an international obligation to abstain from such cyber- attacks, but also that they can resort to counter-measures or, where the strikes reach the “armed attack” threshold, to defend against them with force.61 Who would benefit from such interpretation of international law? First of all, it may be appealing to the Western governments due to the possibility of preserving their states’ economic and socio-political stability. Notably, the United States administrations and other capitalist governments previously went to great lengths to suppress communist movements (perceived as an indirect economical and socio-political threat) within and outside their territories. One must highlight that viewing active cyber-attacks with state-wide population impact as a “use of force” is equally crucial for members of the Shanghai Cooperation Organization (SCO). For instance, Russia defines information war as a conflict aimed at, inter alia, “undermining political, economic, and social systems; carrying out mass psychological campaigns against the population [. . .] in order to destabilize society and the government”.62 This definition is actively used by the SCO.63 Moreover, it is reflected in its suggestions made after the Arab Spring to curb cyber-subversion.64 Notably, an observer of that organization, the Islamic Republic of Iran, is convinced that the USA is already waging “soft warfare” against its “cultural integrity, national identity and security”.65

61 The right of self-defense will be discussed further in this chapter. 62 “Convention on International Information Security” (Concept, Russian Ministry of Foreign Affairs 28 October 2011) accessed 1 August 2015. See also Keir Giles, “Russia’s Public Stance on Cyberspace Issues” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 68, 71–72; Keir Giles, “ ‘Information Troops’—a Russian Cyber Command?” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 48–50; Roland Heickerö, “Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations” (Swedish Defence Research Agency, March 2010) 18 accessed 1 August 2015. 63 Oona A. Hathaway and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review 825. 64 See International Code of Conduct for Information Security (n. 9) op para. 3: “To cooperate in [. . .] curbing dissemination of information which [. . .] undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment”. 65 Ebrahim Anoosheh, “The Islamic Republic of Iran’s Strategy Against Soft Warfare” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 35. Cyber-strikes And Jus Ad Bellum 137

Until the international community comes to an agreement on the matter of economic and socio-political force in cyber-space, it will continue to represent a legal gray zone and governments can continue to interpret the law in ways that best suit their needs. However, converging interests of the SCO and Western governments are almost certain to expand the traditional understanding of Article 2(4) in case jus ad bellum is allowed to develop. Now that the basic elements of the use of force in relation to cyber-attacks have been identified, it is reasonable to address the currently available academic methods of legal assessment of cyber-attacks in the context of Article 2(4).

5.2.3 Academic Models of Interpretation International law experts from various backgrounds often conflict with each other on the level of methodology.66 Therefore, it is not surprising that a number of major academic models have emerged, which aim to assess whether cyber-attacks reach the necessary threshold to be considered a use of force. Are any of them appropriate to help address the new threat? The first major approach distinguished by academics is instrument-based.67 At its foundation lies the question whether the damage caused by a cyber- attack would previously have required an attack by kinetic means.68 In other words, if damage or injury resulting from a cyber-strike in the past presup- posed direct physical force, it would be considered use of force as well. The problem with this approach is its under-inclusiveness, as it does not address cases where damage is caused indirectly through corrupting information or submitting wrong data to computerized systems.69 Considering the previous discussion on economic and socio-political disruption, it would not be reasonable to suggest that cyber-strikes, which leave targeted objects

66 See Olivier Corten, “The Controversies Over the Customary Prohibition on the Use of Force: A Methodological Debate” (2005) 16(5) EJIL 821–822. 67 See Nguyen (n. 38) 1117; David E. Graham, “Cyber Threats and the Law of War” (2010) 4(1) Journal of National Security Law & Policy 91; Duncan B. Hollis, “Why States Need an International Law for Information Operations” (2007) 11(4) Lewis & Clark Law Review 1041. 68 Graham (n. 67) 91. See also Stephenie G. Handler, “The New Cyber Face of Battle: Developing a Legal Approach to Accommodate Emerging Trends in Warfare” (2012) 48(1) Stanford JIL 226–227. See generally Silver (n. 56) 92–93, who seems to lean towards this approach. 69 See generally Hollis (n. 67) 1042. 138 Chapter 5 physically unharmed, automatically do not amount to a use of force.70 A more sophisticated model is clearly needed. The second major approach recognized by academics is target-based, and one of “strict liability”, that deems any cyber-strike against a state’s critical infrastructure to be use of force, based on the serious consequences that may arise from the attack.71 Unlike the instrument-based approach, it does a good job at covering acts such as destroying data held by the vital national computers. Nevertheless, a significant problem with this model is that governments may exploit the lack of definition of critical infrastructure and deliberately interpret this concept widely.72 Moreover, as scholars point out, this method suffers from over-inclusion: it wrongly equates minor disruptive acts (such as low-scale denial of service attacks or website defacements) with use of force, as long as critical infrastructure is targeted.73 The third major approach is identified as consequence-based or effects- based.74 It suggests looking only at the general effects of a cyber-strike and evaluating the severity of the caused damage, regardless of what was hit and whether the attack itself had any resemblance to traditional use of force or not.75 This model is appealing for two reasons: firstly, both state and non-state attackers mostly focus on what effects their potential cyber-strike can achieve,76 and secondly, as Dimitrios Delibasis points out, the “international community is far more likely to be concerned about the actual consequences of a future successful [cyber-attack]”.77 Indeed, reactions to various acts of terrorism around the world underscore the specific concern about violent consequences.

70 Benatar (n. 42) 391; Handler (n. 68) 227; Eric T. Jensen, “Computer Attacks on Critical National Infrastructure: A Use of Force Invoking the Right of Self-Defense” (2002) 38(2) Stanford JIL 222. 71 Graham (n. 67) 91; Hollis (n. 67) 1041; Handler (n. 68) 227–228. See also Nguyen (n. 38) 1119. 72 See generally Handler (n. 68) 228; Nguyen (n. 38) 1119. 73 Hollis (n. 67) 1042; Handler (n. 68) 228; Arie J. Schaap, “Weapons of Cyber Warfare Operations: Development and Use under International Law” (2009) 64 Air Force Law Review 146. 74 Graham (n. 67) 91; Nguyen (n. 38) 1121. 75 Handler (n. 68) 228; Graham (n. 67) 91. 76 Todd (n. 60) 70. 77 Dimitrios Delibasis, “State Use of Force in Cyberspace for Self-Defence: A New Challenge for a New Century” (2006) 8(1) Peace, Conflict & Development 8. See also US Department of Defense Office of General Counsel, “An Assessment of International Legal Issues in Information Operations” (US Department of Defense 1999) 18 accessed 1 August 2015. Cyber-strikes And Jus Ad Bellum 139

The effects-based approach does not have the weaknesses of the two models mentioned above. That being said, it is not without critics. For example, Duncan Hollis argues that “it leaves unregulated the very aspects of [cyber- attack] that make it so novel”, particularly its speed and less violent nature, although this is likely to remain a minor concern.78 Finally, a case-by-case approach may be advocated that, in theory, allows one to balance the imperfections of the three alternative methods described above. Indeed, the ICJ has not yet had the chance to explain the extent to which cyber-attacks can be considered use of force, nor is there any treaty or custom directly addressing this issue. Until a source of law is formed, governments are likely to resort to the case-by-case approach individually and collectively.79 Therefore, at the moment, this theory remains more viable in reality than the rest. One should note that this model will also appeal to governments, because it makes interpretations of Article 2(4) conditional upon political circumstances. As Matthew Waxman correctly points out, “even if states widely share a common, minimum interest in restricting some cyber-attacks, states may have divergent interests regarding [. . .] the desired degree of clarity in the law”.80 For obvious reasons, this risks creating double standards. Acknowledging this situation, Michael Schmitt predicted a set of factors that influence states and governments in their legal assessments of the use of force in and via cyber-space.81 Leaning himself towards the consequence- based approach, already in 1999, he identified six criteria that serve this purpose: severity, immediacy, directness, invasiveness, measurability (of effects) and presumptive legitimacy.82

78 Hollis (n. 67) 1042. See generally Handler (n. 68) 230–232, who focuses on target, impact and timing and fuses all three models into what she calls a modified effects-based approach. 79 For a similar note on “legal advisors” utilizing effects-based approach on a case-by-case basis, see David Tubbs, Perry G. Luzwick, Walter G. Sharp, “Technology and Law: The Evolution of Digital Warfare” (2002) 76 International Law Studies 15. 80 Matthew C. Waxman, “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)” (2011) 36(2) Yale JIL 452, 454. 81 See Schmitt, “Cyber Operations” (n. 38) 575; Tallinn Manual (n. 2) R11C9; Michael N. Schmitt, “The ‘Use of Force’ in Cyberspace: A Reply to Dr Ziolkowski” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 314–317. 82 Michael N. Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on A Normative Framework” (1999) 37(3) Columbia Journal of Translational Law 914–915. 140 Chapter 5

In 2001, the proposal was revised, and a seventh criterion was officially added—responsibility.83 With the release of the Tallinn Manual (and the input of other experts), “responsibility” was split into “military character” and “state involvement”, while the “presumptive legitimacy” criterion became “presumptive legality”.84 How plausible is Schmitt’s approach? Lianne Boer considers four ways how the criteria in their latest form could be seen: as reflection of lex lata, a new source of law, legal considerations that should be taken into account and “political tools”.85 Nevertheless, from the start, the role of Schmitt’s model was clearly that of a crystal ball, meant to predict state assessments. Unfortunately, the criteria are still sometimes mistakenly applied and criticized as a normative framework. Falling into this trap, Jason Barkham contested presumed legitimacy and measurability,86 Terence Check objected to immediacy, directness and military character,87 while Ziolkowski argued that Schmitt’s criteria should better accommodate attacks against “[m]assive, medium to long-term disruption of critical infrastructure”.88 Nevertheless, even as a forecasting tool, Schmitt’s approach is flawed. While it implies that a certain hierarchy exists between the suggested criteria, one is left to wonder, how much weight one element can have, compared to the rest. Alarmingly, the framework puts the key determinant, severity, next to those criteria that may be of little relevance for governments: particularly,

83 Previously responsibility was addressed only in a footnote—see ibid. 915, fn 81. See also Michael N. Schmitt, “Computer Network Attack: The Normative Software” (2001) 4 Yearbook of International Humanitarian Law 65. 84 Tallinn Manual (n. 2) R11C9. Notably, a number of additional factors was mentioned in the Manual, which never made it to the revised Schmitt’s framework. These included “political environment, whether the operation portends the future use of military force, the identity of the attacker, any record of cyber operations by the attacker, and the nature of the target (such as critical infrastructure)”—see ibid. R11C10. 85 Lianne J. Boer, “Restating the Law ‘As It Is’: On the Tallinn Manual and the Use of Force in Cyberspace” (2013) 5(3) Amsterdam Law Forum 6, 13–14. 86 Barkham (n. 56) 85–86. 87 Terence A. Check, “Book Review: Analyzing the Effectiveness of the Tallinn Manual’s Jus Ad Bellum Doctrine on Cyber Conflict, a NATO-Centric Approach” (October 2013) accessed 1 August 2015. 88 Inter alia, Ziolkowski is critical of the factors of immediacy (“effects cannot be expected to occur immediately”), directness (“causation [. . .] cannot be a part of the assessment of the legal nature of the action”), invasiveness (“malicious cyber-activities could be imper- ceptible for a long time”), measurability (“apparent effects of malicious cyber-activities will not always be measurable”) and presumptive legitimacy (“a term of political and ethical discourse”)—see Ziolkowski, “Ius ad Bellum” (n. 38) 299–305. Cyber-strikes And Jus Ad Bellum 141

invasiveness (“degree to which cyber operations intrude into the target State or its cyber systems”) and measurability of effects (assessing “quantifiable and identifiable [. . .] set of consequences”).89 Intrusion into national cyber-space per se, as the Tallinn Manual itself states, “does not violate the non-intervention principle [. . .] even where [it] requires the breaching of protective virtual barriers (for example, [. . .] firewalls or the cracking of passwords)” (emphasis added).90 Introduction of the coercive element brings severity into play, which will simply eclipse invasiveness in legal and political appraisals. By insisting on measurability, Schmitt wrongly assumes that cyber-attacks will be delimited from economic and socio-political force and, in fact, this incorrect assumption lies at the base of his analysis.91 For example, according to Schmitt’s criteria, a cyber-attack shutting down all banks of an entire state for a week or causing hyperinflation has little chance of constituting a use of force in the eyes of governments: the negative consequences develop slowly, they are indirect and hard to measure. Considering the inadequacies of the existing academic models and their non-binding nature, it becomes clear that an accurate normative model for determining whether a cyber-strike is a use of force within the context of Article 2(4) and international customary law is still clearly required. One such model based on the arguments presented in this chapter is suggested in Appendix 2. Notably, it does not aim to accurately predict how international law will develop in the future. Rather, it reflects one possible system that could be globally imposed (as a result of government consensus or other means) upon command authorities in order to bring greater clarity in the context of jus ad bellum. If the international community accepts that cyber-attacks can amount to the use of force, one needs to consider whether and under which conditions states may be permitted by law to defend themselves.

89 Tallinn Manual (n. 2) R11C9(d), R11C9(e). 90 Ibid., R10C8. Note that, at one point, the Manual claims that an intrusion of spy planes into national airspace can sometimes constitute use of force—see ibid., R11C9(d), although, e.g., attempt to classify violation of Soviet airspace in 1960 by a U-2 aircraft as “aggressive act” was not supported by the Security Council—see rejected USSR Draft UNSC Res S/4321 (26 May 1960) UN Doc S/4321; Thomas Dukes, Albert C. Rees, “Military Criminal Investigations and the Stored Communications Act” (2009) 64 Air Force Review 143. 91 Schmitt, “Computer Network Attack: The Normative Software” (n. 83) 65. 142 Chapter 5

5.3 Cyber-Attacks and Self-Defense

During the discussions of Article 2(4) at the 1945 San Francisco Conference, it was decided that the use of force should remain permitted in self-defense.92 This eventually led to the creation of a norm in the UN Charter, which provides a special exception to the general prohibition on the use of force. Article 51 begins by stating: “Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations”.93 Although this provision mentions membership of the UN, it does not in any way limit customary norms that provide the right of self-defense to all de facto independent state-like entities (and, arguably, non-state actors).94 This leaves two important questions: how clear is international law on when a cyber- strike becomes an armed attack and when can states exercise their right of self-defense?

5.3.1 Cyber-Strike as Armed Attack As was argued in the previous sub-chapter, the “armed attack” is a narrower concept than the “use of force”. The latter can be approached from a number of theoretical perspectives. However, according to the ICJ, armed attacks have to be viewed through the lens of foreseeable “scale and effects” (that separate such attacks from non-qualifying “frontier incident[s]”).95 Which consequences should cyber-strikes provoke in order to satisfy this test? The most obvious answer is massive loss of life or multiple injuries to civilians (in the sovereign territory) or military personnel (regardless of location). Essentially, these are the consequences that equate the use of chemical or biological weapons with an armed attack, despite them not being “armed” in the traditional sense of the word.96 Governments can also rely on attacks against

92 Stanimir A. Alexandrov, Self-Defense Against the Use of Force in International Law (Kluwer Law International 1996) 80, citing “Report of the Rapporteur of Committee I/1 to Commission I” (13 June 1945) 6 UNCIO Docs 459, 721. 93 UN Charter (n. 11) Article 51. The elements of Article 51 involving the UN Security Council will be tackled in Chapter 8 of the present book. 94 See generally Charles P. Trumbull, “The Basis of Unit Self-Defense and Implications for the Use of Force” (2012) 23(1) Duke Journal of Comparative & International Law 147. 95 Nicaragua Case (n. 13) para. 195. See also Tallinn Manual (n. 2) R13, R13C4, R13C10. Note that the Tallinn Manual (n. 2) R11 also applies the “scale and effects” criteria to the concept of the use of force, although, such approach is not necessarily the only one acceptable. 96 See Sharp (n. 38) 115. See also Joyner, Lotrionte (n. 38) 845; Ian Brownlie, Principles of Public International Law (4th edn, OUP 1990) 362. Cyber-strikes And Jus Ad Bellum 143 its citizens abroad as an excuse to exercise self-defense, although this right is more likely to be contested by others.97 International law in its current form allows certain governments to insist that one or few fatalities or injuries do not qualify as an armed attack. After all, the EU Report on Georgia rejected the view that assassinations of single individuals amounted to the use of force.98 The Eritrea-Ethiopia Claims Commission did state that “localized border encounters between small infan- try units, even those involving the loss of life” cannot be considered an armed attack.99 Logically, to definitively qualify, cyber-strikes have to cause harm exceeding this threshold. Another frequently quoted example of armed attacks is damage to property and its destruction. Very often such harm is associated with the risk of injury. Can the number of victims be a determinative factor in deciding whether a cyber-strike has reached the level of an armed attack or not? According to the logic of the EU Report on Georgia, destruction of an unmanned aerial vehicle (UAV) or a single plane with one or two pilots on board does not even qualify as a use of force.100 In the Oil Platforms case, mining of a single vessel resulted in property damage and a few burn victims, which may or may not have been an armed attack, according to the ICJ that decided to leave the matter unresolved.101 Thus, no less than three fatalities could signify that a cyber-strike has reached the armed attack threshold under the current international law. On the other hand, unlike most kinetic weapons, cyber-strikes have the capacity to remotely neutralize or cause damage to objects with reduced risk to human lives. If there were no victims, then the question becomes whether the cyber-induced harm is similar to that of a traditional armed attack. Comparison is likely to be made with reference to two complementary criteria: financial damage and visibility of the attack. Taking over an embassy in Tehran satisfied both.102 Destruction of a cheap UAV, even if it is covered by the media, will not result in an armed attack. Similarly, damage to a small microchip will

97 See generally Tallinn Manual (n. 2) R13C19. 98 Tagliavini (n. 48) 242 fn 49. 99 Jus Ad Bellum (Ethiopia v Eritrea) [2005] Eritrea-Ethiopia Claims Commission, para. 11 accessed 1 August 2015. See generally Sean D. Murphy, “Aggression, Legitimacy and the International Criminal Court” (2009) 20(4) EJIL 1153. 100 Tagliavini (n. 48) 242 fn 49. 101 Oil Platforms Case (n. 47) para. 72. 102 Tehran Hostages Case (n. 46) paras. 57, 64, 91. 144 Chapter 5 not allow governments to rely on political and emotional sentiments necessary for the self-defense claim, even if that chip is worth billions.103 Lack of visibility ensures that acts such as destruction of ordinary (for example, corporate) data also do not qualify as armed attacks, regardless of the individual financial losses.104 On the other hand, an argument can be advanced that widespread corruption of valuable and visible citizen information would. This is especially true if it is “immediately convertible into tangible objects” (for instance, money).105 A number of scholars seem to agree that if it results in extensive economic or socio-political disruption, data corruption may satisfy the “scale and effects” test.106 Tsagourias links this result with the “unavailability” of information.107 However, one should add that it is particularly the ensuing promise of violent consequences (as a result of mob mentality) that has the biggest chance to turn data corruption into an armed attack. In the context of uncontrollable viruses and worms, a subsidiary question arises: should the inflicted damage be intentional? The authors of the Tallinn Manual could not come to a consensus on this point and it can, indeed, be argued both ways.108 Notably, the majority of the authors took the position that intent is irrelevant for the purposes of qualifying a cyber-strike as an armed attack, as “scale and effects” take precedence.109 However, in the Oil Platforms case, the ICJ did review intent as one of the elements of armed attack.110 As with the case of the “use of force”, one possible normative model of equating cyber-strikes with armed attacks is illustrated in Appendix 2. Having outlined the potential limits of the notion of armed attack in the cyber-context, it is important to consider the conditions under which states can resort to self-defense.

103 See generally Matthew C. Waxman, “Self-Defensive Force against Cyber Attacks: Legal, Strategic and Political Dimensions” (2013) 89 International Law Studies 120. 104 See generally Dinniss (n. 38) 73; Schmitt, “Cyber Operations” (n. 38) 589. 105 Schmitt, “Cyber Operations” (n. 38) 589. 106 See Tallinn Manual (n. 2) R13C9; Tsagourias, “Cyber Attacks” (n. 51) 231; Randelzhofer, Nolte (n. 1) 1419–1420; Sharp (n. 38) 117. 107 Tsagourias, “Cyber Attacks” (n. 51) 231. 108 Tallinn Manual (n. 2) R13C11, R13C18. 109 Ibid., R13C11. 110 Oil Platforms Case (n. 47) para. 64. See Marco Roscini, “World Wide Warfare—Jus ad Bellum and the Use of Cyber Force” (2010) 14 Max Planck Yearbook of United Nations Law 116. Cyber-strikes And Jus Ad Bellum 145

5.3.2 Permissibility of Self-Defense Article 51 emphasizes the existence of an inherent right of self-defense outside the UN Charter regime, in fact creating a situation where the treaty norm co- exists with constantly evolving customary international law. The customary notion of self-defense was, to a large extent, shaped by the Caroline criteria. The latter arose from a disagreement between Great Britain and USA, when in 1837, an American vessel, which organized raids into Canadian territory, was destroyed by the British.111 A diplomatic correspondence that followed between the British Lord Alexander Ashburton and the American Secretary of State Daniel Webster agreed on a set of principles that there had to be “a necessity of self-defense, instant, overwhelming, leaving no choice of means, and no moment for deliberation”, which later became universally accepted as part of international customary law.112 Alongside necessity, another principle arose that has also become a crucial condition for self-defense—proportionality, which seeks to prevent resort to excessive force in retaliation to an armed attack.113 Its importance cannot be underestimated and, as the ICJ stated, “submission of the exercise of the right to self-defence to the conditions of necessity and proportionality is a rule of customary international law”, “whatever the means of force employed”.114 This standard, according to the Court, indisputably limits the warranted measures, and the international community will likely use it to measure the legality of self-defense in and via cyber-space as well.115 Necessity requires states to exhaust all non-forceful measures that, in their view, could stop and prevent future damaging cyber-strikes in due course.116

111 Christine Gray, International Law and the Use of Force (3rd edn, OUP 2008) 148–149; John O’Brien, International Law (Routledge-Cavendish 2001) 682; Yaroslav Shiryaev, “The Right of Armed Self-Defense in International Law and Self-Defense Arguments Used in the Second Lebanon War” (2009) 3 Acta Societatis Martensis 82. 112 Ibid. 113 Shiryaev (n. 111) 82; Judith G. Gardam, Necessity, Proportionality and the Use of Force by States (CUP 2004) 1; Robert D. Sloane, “The Cost of Conflation: Preserving the Dualism of Jus ad Bellum and Jus in Bello in the Contemporary Law of War” (2009) 34(1) Yale JIL 108. 114 Nuclear Weapons Case (n. 2) para. 41. See also Oil Platforms Case (n. 47) paras. 51, 74, 77. See generally James Crawford, The International Law Commission’s Articles on State Responsibility: Introduction, Text and Commentaries (CUP 2002) 166; Tarcisio Gazzini, The Changing Rules on the Use of Force in International Law (Manchester University Press 2005) 119. 115 Nicaragua Case (n. 13) para. 176. See also Tallinn Manual (n. 2) R14. 116 Tallinn Manual (n. 2) R14C3, R14C4, R15C9; Laurie R. Blank, “International Law and Cyber Threats from Non-State Actors” (2013) 89 International Law Studies 418. 146 Chapter 5

Once it becomes clear that they will be ineffective, the victim-state is allowed to resort to the use of force and armed attacks of its own. Generally, necessity remains a subjective criterion without clear normative boundaries. How long, though, does the right to self-defense exist after an attack has been suffered? Circumstances surrounding the surprise 9/11 attacks may hold the answer. After the Pentagon and the WTC towers were struck, it took roughly half-a-day for the US government to definitively determine the source of the attacks and link them to Al-Qaeda. It took close to a month to set the Operation “Enduring Freedom” in motion. Nevertheless, when it was initiated, it never met any opposition from the international community and America’s right to self-defense, which in reality concealed the right to retaliation, was not disputed. By analogy, a devastating cyber-attack may not require an instant response, if a government wraps its desire to retaliate in the usual right to self- defense language. In case the international community accepts this approach, a state will have a reasonable amount of time (a subjective criteria in itself) to conduct a proper investigation and find the ones responsible. In contrast to necessity, proportionality promises more objectivity. Under this principle, results of a counter-strike should not be more damaging than the armed attack, which triggered self-defense.117 Victim-states are allowed to use cyber-strikes against kinetic force and vice versa,118 although political considerations, such as desired effects of deterrence, play a role in this choice.119 In some cases, only response through cyber-space may be acceptable.120 Nonetheless, if the attacking country is immune to cyber-strikes or the victim- state does not have any cyber-attack capabilities, traditional armed response can be more easily justified.121 Cyber-attacks can be asymmetric in their nature and a small group or even one person can hope to seriously damage a state. A response with devastating force such as nuclear weapons even to more serious cyber-attacks would clearly go against the proportionality principle.122 On the other hand, the

117 Blank (n. 116) 418–419. 118 Ibid.; Tallinn Manual (n. 2) R14C5. See also Schmitt, “Computer Network Attack: The Normative Software” (n. 83) 73; Hoisington (n. 56) 452; Matthew J. Sklerov, “Solving the Dilemma of State Response to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent” (2009) 201 Military Law Review 33. 119 Waxman, “Self-Defensive Force” (n. 103) 117. 120 Randelzhofer, Nolte (n. 1) 1420. 121 Tallinn Manual (n. 2) R14C6; Waxman, “Self-Defensive Force” (n. 103) 116; Roscini (n. 110) 120. 122 Reportedly, the possibility of nuclear response to cyber-attacks is seriously considered, e.g., in the United States—see Andrew Conte, “Task Force Recommends U.S. Keep Cyber-strikes And Jus Ad Bellum 147 use of tactical nuclear weapons may be proportionate to successful cyber- strikes on one or more nuclear facilities or in case the “survival of a State” was jeopardized.123 Proportionality also serves as an incentive to avoid false-flag attacks in cyber-space, which, unlike classic provocations, will be harder to disprove for the accused. As long as the necessity and proportionality criteria are met, self-defense is lawful and it can be exercised individually or collectively. In the latter case, non-attacked countries can provide assistance to the victim-state(s). It is not restricted to coordinated individual responses, nor does it require a mutual assistance treaty in order to be invoked.124 From the ICJ’s Nicaragua ruling it follows that satisfaction of three additional conditions are necessary in order to exercise collective self-defense: the attacked state must regard itself a victim of an armed attack, it should declare itself as such, and it should request (or at least show consent to) assistance from other states.125 Since the attacked state’s government determines the limits of external involvement, in the cyber context, it may authorize only certain passive or active cyber-defense measures, and prohibit conventional attacks by its allies.126 Next, one should discuss state responsibility. Although the attribution standards for responsibility are not explicitly meant to guide the process of establishing accountability for the use force, they do determine if the attacked nations are entitled to full self-defense (against the entire attacking state) or not. Additionally, questions of liability remain relevant for international courts and tribunals (for example, in determining aggression or in matters of compensation).

Nuclear Option as Response for Massive Computer Attack” (Pittsburgh Tribune-Review, 5 March 2013) accessed 1 August 2015. 123 In 1996, the ICJ was not able to “conclude definitively whether the threat or use of nuclear weapons would be lawful or unlawful [. . .] [if] the very survival of a State [was] at stake”— see Nuclear Weapons Case (n. 2) paras. 97, 105(2)(E). 124 See Randelzhofer, Nolte (n. 1) 1421. 125 Nicaragua Case (n. 13) paras. 196, 199; Randelzhofer, Nolte (n. 1) 1421; Tallinn Manual (n. 2) R16, R16C2. The need to declare oneself a victim of an armed attack was considered an “unrealistic” condition and thus unnecessary by Judge Jennings in his Dissenting Opinion in the Nicaragua Case (n. 13) 535. 126 Tallinn Manual (n. 2) R16C3. 148 Chapter 5

5.3.3 State Responsibility 5.3.3.1 State Involvement If a cyber-attack is unlawfully launched by state organs or persons acting in an official capacity, that state’s responsibility for the harmful consequences becomes apparent and the victim is entitled to self-defense against the entire attacking country. If no state responsibility is present, necessity dictates that defensive actions should be limited to a part of territory or, in the cyber-context, to a certain portion of national cyber-space. In case attacks are launched by independent non-state actors, they become directly targetable. The ICJ clearly stated in the Tehran Hostages case that in order for a state to be accountable, the wrongful act has to be imputable to it, and it has to violate an international obligation.127 In that decision, unable to find that militants were acting on behalf of the Iranian state, the Court instead once again reaffirmed the liability for failure to act.128 It further emphasized that approval by a head of state (Ayatollah Khomeini) and the governmental organs turned the actions of the militants into acts of Iran.129 Interpreted in the cyber-context, these principles show that even if there is no direct state involvement (and if a government is not initially aware of the planned attacks), an explicit endorsement of the damaging cyber-attacks by state leadership will be sufficient to trigger the right to self-defense in its entirety. This is subject to two conditions: the offensive must be still ongoing at the moment of the endorsement, and it must be carried out by that state’s citizens or persons within its territory. Both of these conditions may be disputed in order to diminish responsibility by states. Some victim-states’ governments may argue that circumstantial evidence and liberal inferences of fact should have had even more weight than in the Corfu Channel case, since furnishing “direct proof of facts giving rise to responsibility” is usually harder in the virtual realm.130 Others may object that since correct attribution is essential in ensuring that the innocent are not attacked, cyber-strikes seemingly launched from

127 Tehran Hostages Case (n. 46) para. 56. 128 Ibid., paras. 58, 64, 67. 129 Ibid., para. 74. See generally ILC, “Draft Articles on Responsibility of States for Internationally Wrongful Acts”, 53rd Session, Supplement No. 10 (November 2001) UN Doc A/56/10, Arts. 4–11; ILC, “Draft Articles on the Responsibility of International Organizations”, 63rd Session, Supplement No. 10 (June 2011) UN Doc A/63/10, Arts. 6–9; Marja Lehto, Indirect Responsibility for Terrorist Acts: Redefinition of the Concept of Terrorism Beyond Violent Acts (Hotei Publishing 2010) 238–239; Kimberley N. Trapp, State Responsibility for International Terrorism (OUP 2011) 4. 130 Corfu Channel (UK v Albania) (Merits) [1949] ICJ Rep 18. Cyber-strikes And Jus Ad Bellum 149

particular state infrastructure or routed through it should not be automatically associated with that state.131 Jason Healey’s Spectrum of State Responsibility is a useful tool for demonstrating when countries can be accountable for cyber-strikes.132 It centers on their relation and attitude towards attacks that damage another state. According to Healey a cyber-attack can be:

1. State-prohibited. The national government will help stop the third-party attack; 2. State-prohibited-but-inadequate. The national government is cooperative but unable to stop the third-party attack; 3. State-ignored. The national government knows about the third-party attacks but is unwilling to take any official action; 4. State-encouraged. Third parties control and conduct the attack, but the national government encourages them as a matter of policy; 5. State-shaped. Third parties control and conduct the attack, but the state provides some support; 6. State-coordinated. The national government coordinates third-party attackers such as by “suggesting” operational details; 7. State-ordered. The national government directs third-party proxies to conduct the attack on its behalf; 8. State-rogue-conducted. Out-of-control elements of cyber forces of the national government conduct the attack; 9. State-executed. The national government conducts the attack using cyber forces under their direct control; 10. State-integrated. The national government attacks using integrated third- party proxies and government cyber forces.133

131 Tallinn Manual (n. 2) R7, R8. A notable opponent of basing self-defense on “casual evidence or wild political inferences” is Tsagourias, “Cyber Attacks” (n. 51) 235. See generally Robin Geiss, Henning Lahmann, “Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention” in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013) 627–628. 132 Jason Healey, “Beyond Attribution: Seeking National Responsibility in Cyberspace” (Brief, Atlantic Council 2012) 2 accessed 1 August 2015. 133 Ibid. 150 Chapter 5

Considering the arguments mentioned above, in the first two cases a state is unlikely to be seen as responsible for the cyber-attack, while the last seven scenarios (4–10) might permit full self-defense. For instance, the last four cases (7–10) include direct conduct of state organs and, therefore, trigger responsibility under international customary law.134 If Healey’s scenario 6 includes delegation of state functions by law, state liability will be apparent.135 Even if no such arrangement is present, following the ICJ’s logic, responsibility may arise as part of the official endorsement and control (discussed further) as in cases 4 and 5. The third scenario is bound to be the most disputed by governments, as it represents the greatest uncertainty in this context. Thus, closer attention should be paid to the borderline scenarios (3), where a government ignores cyber-attacks being launched from the territory of its state.

5.3.3.2 Responsibility for Conduct of Non-State Actors The first seven situations in Healey’s Spectrum deal with state relations vis-à-vis private entities. In the Corfu Channel case, the ICJ held that a state is responsible not only for its actions, but also for its inactivity; in other words, it has an obligation to ensure that other states are not injured from within its territory.136 Some authors of the Tallinn Manual went as far as suggesting that this rule should apply in case the state “should have known” of the attacks or in case they are routed through its infrastructure.137 The extent of the obligation of due diligence (including preventive measures) is bound to remain uncertain in the cyber-context.138 From this principle, academics already deduce specific technical, political and legal elements of the requirement “to notice irregular data streams or malicious software as such”.139 However, governments that benefit from the minor cyber-strikes may

134 See Articles on State Responsibility (n. 129) Art. 4(1). See generally Tallinn Manual (n. 2) R6C6, R6C7. 135 See Articles on State Responsibility (n. 129) Art. 5. See generally Tallinn Manual (n. 2) R6C8. 136 Corfu Channel Case (n. 130) 22. 137 Tallinn Manual (n. 2) R5C11, R5C12. See generally ibid., R5, R5C5. 138 See generally ibid., R13C22; Ziolkowski, “Ius ad Bellum” (n. 38) 306–307; Geiss, Lahmann (n. 131) 653–657; Jeffrey Carr, Inside Cyber Warfare (2nd edn, O’Reilly 2012) 62; Benedikt Pirker, “Territorial Sovereignty and Integrity and the Challenges of Cyberspace” in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013) 208. 139 Katharina Ziolkowski, “Confidence Building Measures for Cyberspace—Legal Implications” (Paper, NATO CCDCOE 2013) 70 accessed Cyber-strikes And Jus Ad Bellum 151 always argue that citizens are generally mobilized for political protests and demonstrations every day, during which minor violations of the law are often expected and tolerated. In this context, to demand constant control in cyber- space would create too much burden for states and go against the Western concept of civil liberties. There are competing legal theories on attribution of non-state actions.140 The first was expressed by the ICJ in the 1986 Nicargua case. According to the Court’s ruling, a state is responsible for acts of private groups and individuals, when it exercises a sufficient degree of control over them, that is, when the latter is effective.141 Additionally, there must be complete dependence on the help from the state in carrying out the wrongful act(s).142 The second theory emanates from the ICTY, which suggested in Tadić a less restrictive overall control test that establishes a state’s responsibility where it organizes, coordinates or plans military actions of the non-state actors.143 The third theory is based on the ICJ’s Genocide ruling. It reiterates the effective control requirement of Nicaragua and rejects the broad overall control test of Tadić.144 However, unlike the first theory, it does not require a complete dependence on state assistance to attribute responsibility.145 It should be noted that, aside from the fact that the Genocide decision is newer than Nicaragua, the “complete dependence” criterion indeed becomes less meaningful in the

1 August 2015. See also Ashley Deeks, “The Geography of Cyber Conflict: Through a Glass Darkly” (2013) 89 International Law Studies 10–15; Catherine Lotrionte, “State Sovereignty and Self-Defense in Cyberspace: A Normative Framework for Balancing Legal Rights” (2012) 26(2) Emory International Law Review 913–919. 140 Note that aside from the mainstream theories addressed in this section, new variations are proposed by in the academia. E.g., consider the suggestion of Collin Allan to focus on timing of the cyber-strikes—see Collin S. Allan, “Attribution Issues in Cyberspace” (2013) 8(2) Chicago-Kent Journal of International and Comparative Law 81. 141 Nicaragua Case (n. 13) paras. 109, 115. 142 Ibid., para. 110. 143 Prosecutor v Tadić (Appeal Judgment) ICTY-94-1-A, AC (15 July 1999) paras. 117, 137. Worthy of mention is that this model is supported by the ICJ Judge Al-Khasawneh—see Dissenting Opinion of Vice-President Al-Khasawneh in Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Merits) [2007] ICJ Rep, para. 39. 144 Genocide Case (n. 143) paras. 400, 403, 405–406. Note that it was also rejected in favor of Nicaragua criteria by the ILC—see ILC, “Commentaries to Draft Articles on Responsibility of States for Internationally Wrongful Acts”, 53rd Session, Supplement No. 10 (November 2001) UN Doc A/56/10, 48. 145 Genocide Case (n. 143) para. 400. 152 Chapter 5 context of cyber-attacks, since anyone can “arm themselves” with malware and launch cyber-attacks without any state involvement. With regards to the question whether the overall control or effective control test should be employed, Scott Shackelford argues that the latter is too restricted, encourages cyber-strikes, and is less preferable for NATO.146 While this may be true, non-democratic governments may argue that the effective control is demanded by the general unlimited multiplicity of harmful online acts. Additionally, international customary law that seems to have formed after 9/11 attributes state responsibility for indirectly supporting and tolerating on its territory independent terrorist groups that carry out armed attacks.147 That threshold is lower than the overall control requirement and was particularly favorable to the US government in the past. Namely, harboring and supporting Al-Qaeda was sufficient for attribution of the terrorist acts to Afghanistan by the USA (as well as the international community, which endorsed the American response, for that matter). De facto this variety of interpretative models creates an uncertain and exploitable legal regime, where cyber-attacks can be attributed differently by different governments.

5.3.4 Cyber-Dimension of Anticipatory Self-Defense A liberal view of international law allows states to resort to anticipatory self- defense in order to deter potential cyber-attacks. For the purposes of the present analysis, the concept of anticipatory self-defense shall be divided into interceptive, preemptive and preventive.

146 Scott J. Shackelford, “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem” in Christian Czosseck, Karlis Podins, Conference on Cyber Conflict: Proceedings (NATO CCDCOE 2010) 203–204; Scott J. Shackelford, Richard B. Andres, “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem” (2011) 42(4) Georgetown JIL 1013. 147 Graham (n. 67) 96; Andrew Garwood-Gowers, “Self-Defence Against Terrorism in the Post-9/11 World” (2004) 4(2) Queensland University of Technology Law and Justice Journal 12; Matthew J. Sklerov, “Solving the Dilemma of State Response to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent” (2009) 201 Military Law Review 46; René Värk, “State Responsibility for Private Armed Groups in the Context of Terrorism” (2006) 11(1) Juridica International 187. See generally Armed Activities Case (n. 24) para. 431. Cyber-strikes And Jus Ad Bellum 153

5.3.4.1 Interceptive Self-Defense Interceptive self-defense bears not only pre-retaliatory character, but also requires the counter-attack to be targeted at preventing the consequences of offensive cyber-strikes already in motion. The power to respond can be provided to system administrators, avoiding traditional bureaucratic mechanisms.148 However, due to the speed of these strikes, it is sometimes impossible for humans to manually intercept incoming malware (aside from slowly propagating programs, manually led attacks or logic bombs, which provide enough time to identify and diffuse them). Therefore, the task of interception is de facto shared by the automated protection software (for example, anti-viruses that detect and remove suspicious code). Such software may incorporate advanced artificial intelligence elements.149 Yet, as any program, it will not be error-free. Interception that merely stops malicious programs is legal, as it is not damaging to states or other relevant actors. In any case, it complies with the immediacy requirement. On the other hand, programs that are capable of counter-attacks, while also lawful, will require constant supervision and care to avoid possible accidents.

5.3.4.2 Preemptive Self-Defense The right of preemptive self-defense to an imminent threat long exists under international customary law. Indeed, the Caroline incident itself involved preemptive self-defense, and Kofi Annan’s High-Level Panel on Threats, Challenges and Change (hereinafter, UNSG High-Level Panel) concluded that “a threatened State, according to long established international law, can take military action as long as the threatened attack is imminent, no other means would deflect it and the action is proportionate” (emphasis added).150 This argument was repeated and adopted by many academics.151

148 See generally Graham (n. 67) 97, 101. 149 Enn Tyugu, “Artificial Intelligence in Cyber Defense” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 98. 150 High-Level Panel on Threats, Challenges and Change, “A More Secure World: Our Shared Responsibility” (Letter to UNSG, 1 December 2004) UN Doc A/59/565, para. 188. See also UNSG, “In Larger Freedom: Towards Security, Development and Human Rights for All” (Report of the UNSG, 21 March 2005) UN Doc A/59/2005, para. 124: “Lawyers have long recognized that [the right of self-defense] covers an imminent attack as well as one that has already happened”. 151 For example, see Tallinn Manual (n. 2) R15, R15C2; Abraham D. Sofaer, “On the Necessity of Pre-emption” (2003) 14(2) EJIL 220; Jennifer Gunning, Søren Holm, Ethics, Law and Society 154 Chapter 5

Nevertheless, formal permissibility of preemptive self-defense (a concept that itself can be exploited and objected to) seriously suffers, when put in the cyber-security context. Not only are cyber-strikes impossible to measure in terms of their potential consequences (particularly, whether they will reach the armed attack threshold) until the actual strikes take place, but also because it is hard to predict whether other non-offensive measures can stop the attack altogether or they will prove ineffective. In other words, the luck factor corrodes the distinction between preemption and prevention, as a threat’s moment of immediacy becomes impossible to predict. This remains true regardless whether this moment is interpreted temporarily or factually.152 In order to justify preemptive action, a state would have to demonstrate credible research proving that the source code (contents) of malware that is about to be transmitted or a logic bomb that is about to be activated would indeed be very damaging to the state. The paradox is that knowing the code and how it works opens up a possibility of stopping it by non-military means (such as firewalls or anti-viruses). It seems, therefore, that there are only three cases that may justify preemptive self-defense in the context of cyber-warfare: a) when a cyber-strike takes place that definitively serves as a preparatory step in an upcoming physical armed attack (for instance, as with the alleged Israeli cyber-strike and subsequent physical attack on Syria in 2007),153 b) when there is a series of cyber- strikes on various objects in one state, constantly rising in magnitude and threatening to reach the level of an armed attack with the following strike, and c) when a series of identical cyber-strikes on different states is observed (each rising to the level of an armed attack), and a government has good reason to believe that its state is about to be attacked next in the same manner. In all three of these cases, practical difficulties may arise relating to the cred- ibility of the intelligence and governments may be subjective in interpreting evidence put before them. While this problem is present in preemption generally, cyber-attacks that require secrecy complicate this issue further.

(Ashgate Publishing 2005) 244; Howard M. Hensel, The Legitimate Use of Military Force (Ashgate Publishing 2008) 102. 152 See Tallinn Manual (n. 2) R15C4, R15C7, that seems to favor the factual “window of opportunity” approach. See generally Tsagourias, “The Tallinn Manual” (n. 16) 35; Hannah Lobel, “Cyber War Inc.: The Law of War Implications of the Private Sector’s Role in Cyber Conflict” (2012) 47(3) Texas ILJ 629. 153 See sub-chapter 3.3.2.2. See generally Tsagourias, “Cyber Attacks” (n. 51) 232; Dinniss (n. 38) 88; Schmitt, “Cyber Operations” (n. 38) 589; Jessica A. Feil, “Cyberwar and Drones: Using New Technologies, From Espionage to Action” (2012) 45(1–2) Case Western Reserve JIL 536. Cyber-strikes And Jus Ad Bellum 155

5.3.4.3 Preventive Self-Defense Preventive self-defense presupposes response to a putative future threat rather than an immediate one. The UNSG High-Level Panel explicitly stated:

If there are good arguments for preventive military action, with good evidence to support them, they should be put to the Security Council [. . .]. If it does not so choose, there will be, by definition, time to pursue other strategies, including persuasion, negotiation, deterrence and containment.154

Similar arguments were echoed, for example, in the ICJ’s Armed Activities case155 and the UNSG’s “In Larger Freedom” report of 2005.156 It seems that most of the academic world also treats preventive self-defense (including its National Security Strategy / “Bush Doctrine” form) as illegal, regardless of its efficiency from the strategic or political perspectives. The difference between preemptive and preventive self-defense can be made with reference to the Israeli attacks of 1967 and 1981. Although there was no temporal immediacy, the former (the 1967 strike) was not condemned by the UN as illegal.157 Israel’s actions were seen as justified in light of the fact that Egyptian, Syrian, Iraqi and Jordanian troops all moved towards the Israeli borders with unfriendly intentions, obvious to the international community. In contrast, when Israel attacked the Iraqi Osirak reactor in 1981, the Security Council rejected all Israeli arguments of self-defense against the nuclear threat

154 High-Level Panel (n. 150) para. 190. See also Yoram Dinstein, War, Aggression, and Self- Defence (4th edn, CUP 2005) 185. 155 Armed Activities Case (n. 24) para. 148: “[Article 51] does not allow the use of force by a state to protect perceived security interests [. . .] Other means are available to a concerned state, including, in particular, recourse to the Security Council”. 156 UNSG, “In Larger Freedom” (n. 150) para. 125: “Where threats are not imminent but latent, the Charter gives full authority to the Security Council to use military force, including preventively”. 157 Israeli National Unity Government decided to go to war on June 4, 1967. “Operation Focus” was launched on June 5, 1967, i.e. one day after the decision. The secrecy and width of the operation suggest that is has been carefully pre-planned. Therefore, Israel did not seem to be in a situation “where no other response would do because of the time constraints involved in responding to the ‘armed attack’ ”—see Myra Williamson, Terrorism, War and International Law: The Legality of the Use of Force Against Afghanistan in 2001 (Ashgate Publishing 2009) 117. 156 Chapter 5 and “strongly” condemned the preventive attack.158 Tsagourias notes that international community ignored a similar attack on Syrian nuclear facility al-Kibar.159 However, one should emphasize that Syria itself never raised the question within the UN Security Council. In theory, cyber-strikes can be devastating. Yet, the illegality that accompanies preventive self-defense will likely discourage non-immediate counter- attacks in cyber-space. Even the most determined governments that may plan intrusive reconnaissance and preventive cyber-strikes (such as the US and Israel’s administrations)160 will find that the secretive nature of cyber-warfare generally makes it very hard to objectively determine whether certain states or organizations are planning a serious attack in the future.161 While it may be conceivable that governments will not care about this at all, Christine Gray rightly notes that “states” (run by governments), in general, rarely invoke the right of anticipatory self-defense in practice and prefer to rely on classical self- defense if they can, since they intuitively lean towards strongest legal grounds to justify their aims.162

5.3.5 Other Defensive Measures Only a state that has been a victim of an armed attack can invoke the right to individual self-defense. Nevertheless, even in case cyber-strikes do not reach this threshold, international law allows states to legally resort to other coercive

158 UNSC Res 487 (19 June 1981) UN Doc S/RES/487, op para. 1. For a discussion of legality of a potential anticipatory strike against Iran, see Katherine Slager, “Legality, Legitimacy and Anticipatory Self-Defense: Considering an Israeli Preemptive Strike on Iran’s Nuclear Program” (2012) 38(1) North Carolina Journal of International Law & Commercial Regulation 317. 159 Nicholas Tsagourias, “Necessity and the Use of Force: A Special Regime” (2010) 41 Netherlands Yearbook of International Law 21. 160 See David A. Sadoff, “A Question of Determinacy: The Legal Status of Anticipatory Self- Defense” (2009) 40(2) Georgetown JIL 580: “Only US and Israel are comfortable with broad anticipatory self-defense”. See also “US Prepares First-Strike Cyber-Forces” (BBC News, 12 October 2012) accessed 1 August 2015; Ellen Nakashima, “U.S. Eyes Preemptive Cyber-Defense Strategy” (The Washington Post, 29 August 2010) accessed 1 August 2015. 161 See generally Richard Sorabji, David Rodin, The Ethics of War: Shared Problems In Different Traditions (Ashgate Publishing 2006) 171. 162 Gray (n. 111) 161. See also Peter Malanczuk, Akehurst’s Modern Introduction to International Law (7th edn, Routledge 1997) 313. Cyber-strikes And Jus Ad Bellum 157 measures (in addition to lawful protests, sanctions or referral to the UNSC),163 relevant in the context of cyber-warfare. Aside from self-defense, wrongfulness of harmful conduct is generally precluded by a valid consent, grave necessity, counter-measures, distress or force majeure. These defenses are explicitly mentioned in the International Law Commission’s Draft Articles on State, as well as International Organizations’ Responsibility.164 Only the most confident governments can attempt to rely on the categories of distress and force majeure. After all, the former is unlikely in the cyber- context, because it is hard to imagine a real situation where a cyber-strike would save anyone’s life. Force majeure also seems impossible, since even if accidental spread of experimental viruses or worms to other states’ computers can be considered “an unforeseen event”, their development, storage or use itself makes governments assume the risk of that situation occurring, preventing the possibility of invoking this legal defense.165 On the other hand, the defense of consent will apply in a straightforward manner and could be relevant in situations where malware is used for international training exercises. So, for example, a state which has integrated cyber-defense capabilities with other states or a military alliance, and whose government agrees to play the role of a victim, will not be able to attribute responsibility to the “aggressor(s)”. Resorting to necessity is a unilateral action in response to a “grave and imminent peril”.166 Nevertheless, its legality can be disputed. When using it in order to protect their states against cyber-threats, governments will likely face similar skepticism as in the fight against terrorism.167 Moreover, they will need to

163 Schmitt, “ ‘Attack’ as a Term of Art” (n. 38) 287; Schmitt, “Cyber Operations” (n. 38) 587. See also Gregory D. Grove, Seymour E. Goodman, Stephen J. Lukasik, “Cyber-Attacks and International Law” (2000) 42(3) Survival 97. 164 Articles on State Responsibility (n. 129) Arts. 20–25; Articles on Organizations’ Responsibility (n. 129) Arts. 20–25. 165 See Articles on State Responsibility (n. 129) Art. 23(2)(b). See also Articles on Organizations’ Responsibility (n. 129) 23(2)(b). 166 Articles on State Responsibility (n. 129) Art. 25(1)(a); Articles on Organizations’ Responsibility (n. 129) Art. 25(1)(a). See also Tallinn Manual (n. 2) R9C10; Tarcisio Gazzini, Wouter G. Werner, Ige F. Dekker, “Necessity Across International Law: An Introduction” (2010) 41 Netherlands Yearbook of International Law 10. 167 See generally Maria Agius, “The Invocation of Necessity in International Law” (2009) 56(2) Netherlands International Law Review 121–124. 158 Chapter 5 find a way to accommodate “essential interest[s]” of other states while ensuring their countries’ safety, as required by international customary norms.168 When it comes to invoking necessity in order to launch cyber-attacks, one will find it hard to demonstrate that they are the only thing capable of preventing “grave and imminent peril” to a state, that is that no other means are available. This is particularly true, considering that effects of such attacks are often uncertain. In any case, necessity could not be used to launch cyber-strikes reaching the level of the use of force, as they would inevitably jeopardize international peace and security, which happens to be “an essential interest [. . .] of the international community as a whole”.169 Unlike necessity, which can be invoked in relation to a general threat, counter-measures are targeted at other states or organizations (and, arguably, non-state actors)170 in order to legally induce compliance with international obligations.171 They are expected to be used in response to cyber-strikes that do not reach the level of an armed attack.172 However, like self-defense, counter- measures are subject to the principles of necessity and proportionality.173 Here, one should mention that two theories on proportionality of counter- measures have been advanced. The first theory stems from the Articles on State Responsibility, supported also by the ICJ, and states that “countermeasures must be commensurate with the injury suffered, taking into account the gravity of the internationally wrongful act and the rights in question”.174 Another theory suggests measuring proportionality in relation to the initial

168 See Articles on State Responsibility (n. 129) Art. 25(1)(b). See also Articles on Organizations’ Responsibility (n. 129) Art. 25(1)(b); Tallinn Manual (n. 2) R9C11, R9C12. 169 Ibid. 170 Tsagourias, “The Tallinn Manual” (n. 16) 27. Notably, counter-measures against non- state actors are rejected in Michael N. Schmitt, “Cyber Activities and the Law of Countermeasures” in Katharina Ziolkowski (ed.), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013) 668, 689. 171 Articles on State Responsibility (n. 129) Arts. 22, 49; Articles on Organizations’ Responsibility (n. 129) Arts. 22, 51. 172 Hathaway and others (n. 63) 857. See also Dinniss (n. 38) 107. 173 Katharine C. Hinkle, “Countermeasures in the Cyber Context: One More Thing to Worry About” (2011) 37 Yale JIL Online 18–20. 174 See Articles on State Responsibility (n. 129) Art. 51; Articles on Organizations’ Responsibility (n. 129) Art. 54; Gabčíkovo-Nagymaros Project (Hungary v Slovakia) (Merits) [1997] ICJ Rep, para. 85. Cyber-strikes And Jus Ad Bellum 159 act that motivates the counter-measure.175 The latter theory may very well be more suited for cyber-space, where effects of malware are unpredictable. The law normally requires victim-states to warn about potential counter- measures in advance.176 Nevertheless, this rule is likely to be ignored in relation to cyber-attacks for two reasons. Firstly, they often necessitate secrecy in order to be effective. Secondly, the speed at which malware transcends cyber-space can justify the urgency of counter-measures, which nullifies this obligation.177 Examples of acceptable counter-measures in cyber-space include passive means like the use of advanced firewalls (systems that “filter” network transmissions)178 or honeypots (fake networks meant to lure crackers),179 as well as active means like severing connections, counter-hacking (for instance, against botnet command and control servers)180 or DDoS attacks in response.181 It is widely believed that the prohibition of the use of force (a peremptory norm) extends to counter-measures, even if they are a response to the use of force themselves.182 However, at least one renowned ICJ Judge and a minority of the Tallinn Manual authors believed that retaliation in kind was acceptable.183 This discrepancy of opinion without doubt highlights an exploitable uncertainty of international law.

175 See Portuguese Colonies Case (Naulilaa) (Portugal v Germany) (Arbitration) [1928] 2 UNRIAA 1028; Tallinn Manual (n. 2) R9C7. 176 Articles on State Responsibility (n. 129) Art. 52(1); Articles on Organizations’ Responsibility (n. 129) Art. 55(1). 177 See generally Articles on State Responsibility (n. 129) Art. 52(2); Articles on Organizations’ Responsibility (n. 129) Art. 55(2); Tallinn Manual (n. 2) R9C4. 178 Hathaway and others (n. 63) 858. 179 Neil C. Rowe, “Ethics of Cyber War Attacks” in Lech J. Janczewski, Andrew M. Colarik, Cyber Warfare and Cyber Terrorism (IGI Global 2008) 98. 180 See generally Graham (n. 67) 92; Andrew Adams, Pauline Reich, Stuart Weinstein, “A Non- Militarised Approach to Cyber-Security” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 2; Christian Czosseck, Gabriel Klein, Felix Leder, “On the Arms Race Around Botnets—Setting Up and Taking Down Botnets” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 107, 115. 181 See Czosseck, Klein, Leder (n. 180) 116–118, who describe other possible techniques as well. 182 See Tallinn Manual (n. 2) R9C5, R9C9; Eric T. Jensen, “Cyber Deterrence” (2012) 26(2) Emory International Law Review 798. See also Articles on State Responsibility (n. 129) Arts. 26, 50(1)(a); Articles on Organizations’ Responsibility (n. 129) Arts. 26, 53(1)(a). 183 Tallinn Manual (n. 2) R9C5; Separate Opinion of Judge Simma in Oil Platforms Case (n. 47) para. 12. 160 Chapter 5

Lastly, governments already exploit a legal gap that permits them to continue counter-measures after the offensive act has ceased, and this problem is likely to be inherited by cyber-warfare.184 Having examined existing exploitabilities in jus ad bellum, the next important goal of this chapter is determining whether cyber-attacks fall under the existing definition of aggression. This helps bring clarity to the terms like use of force and armed attacks, but, more importantly, it addresses the possibility of future prosecutions of state leaders in front of the International Criminal Court (ICC) for cyber-attacks.

5.4 Cyber-Attacks and Aggression

The existence of international criminal law and, more specifically, the crime of aggression in the Rome Statute, inter alia, serve to limit the possibility of deliberate jus ad bellum misinterpretations by instituting criminal liability of individuals. For obvious reasons, this also emphasizes the need for clarity in international law. The main question that the present sub-chapter deals with is the following: does the regime on aggression promise adequate prosecution of state leaders that authorize serious cyber-attacks? In light of the purpose of the present chapter, before moving onto that question, a subsidiary issue should be tackled. Namely, one needs to explain the point of conducting a separate analysis of acts of aggression and answer why it was not done in the context of “use of force” and “armed attacks” above.

5.4.1 Uniqueness of the Act When it comes to the UN Charter, the latter sets as one of its purposes taking “effective collective measures [. . .] for the suppression of acts of aggression” and it is clear that Article 2(4) prohibits all acts of aggression.185 However, it is also generally understood that not all uses of force constitute such acts.186 Some may argue that there is a close link between “armed attack” in Article 51 and aggression, often noting that the French version of the Charter refers to

184 Tallinn Manual (n. 2) R9C3. 185 UN Charter (n. 11) Art. 1(1). 186 See Definition of Aggression, Annex to UNGA Res 3314 (XXIX) (14 December 1974) UN Doc A/RES/3314, preamb para. 5, Art. 6. Cyber-strikes And Jus Ad Bellum 161

“aggression armée” (emphasis added) rather than “attaque armée”.187 One argument in favor of this approach is that both the 1974 Definition of Aggression and the amended Rome Statute equate an “act of aggression” with the “use of armed force” (emphasis added).188 However, a look at the equally authentic Spanish, Russian and Chinese versions reveals that “armed aggression” does not belong in the UN Charter.189 Already during the ICC Statute Review Conference in 2010, some delegates raised the point that the “use of armed force” formulation was “excluding non-conventional measures of warfare, such as economic embargoes or cyber attacks” (emphasis added).190 Consensus in Kampala, therefore, was achieved with a clarifying provision stating that the definition is adopted for the purposes of the Rome Statute.191 Use of armed force itself does not denote an armed attack and, for instance, the 1947 inter-American Rio Pact expressis verbis mentions “aggression which is not an armed attack”.192 Positions of certain governments also clearly demonstrate that aggression carries legal, moral and political implications, “which do not necessarily apply to all forms of armed attacks”.193 Moreover, at least one scholar points out the difference in scope and detection mechanisms.194 Therefore, one has to conclude that the concepts of act of aggression and armed attack in international law do not match. Particularly with prosecution of state leadership for ordering cyber-attacks in mind, aggression merits a special analysis in the cyber-context.

187 See Gray (n. 111) 118; Jörg Kammerhofer, Uncertainty in International Law: A Kelsenian Perspective (Routledge 2011) 38. 188 Definition of Aggression (n. 186) Art. 1; Rome Statute of the International Criminal Court (adopted 17 July 1998, entered into force 1 July 2002, amended 29 November 2010) 2187 UNTS 90, Art. 8bis. 189 The phrases “ataque armado” (“armed attack”), “vooruzhennoye napadeniye” (“armed assault” or “armed attack”) and “wǔlì gōngjí” (“armed conflict” or “armed attack”) are used respectively. See generally Daniel G. Partan, The Cuban Quarantine: Some Implications for Self Defense (World Rule of Law Center 1963) 28. 190 Assembly of States Parties to the Rome Statute of the ICC, “Report of the Special Working Group on the Crime of Aggression”, ICC-ASP/6/20/Add.1, Annex II (Report, ICC 2008) para. 35. 191 Rome Statute (n. 188) Art. 8bis. See also Stefan Barriga, Leena Grover, “A Historic Breakthrough on the Crime of Aggression” (2011) 105(3) AmJIL 517–533. 192 Rio Pact (n. 4) Art. 6. 193 Oil Platforms (Iran v USA) (Rejoinder by the USA) [2001] ICJ Rep, para. 5.20. 194 Dimitri N. Kolesnik, “Development of the Right to Self-Defence” in William E. Butler (ed.), The Non-Use of Force in International Law (Martinus Nijhoff 1989) 156. 162 Chapter 5

5.4.2 War of Aggression Aggression was already prohibited in 1919 by the League of Nations Covenant, which imposed obligations on member states to “undertake to respect and preserve as against external aggression the territorial integrity and existing political independence of all members”.195 The non-ratified 1924 Protocol for the Pacific Settlement of International Disputes asserted that a war of aggression is an international crime and a violation of “solidarity of members of the international community”.196 In 1928, the Kellogg-Briand Pact condemned “recourse to war [of aggression] for the solution of international controversies”, and renounced it “as an instrument of national policy”.197 The first group of treaties that legally defined the concept itself, Conventions for the Definition of Aggression, were signed in 1933.198 Stressing that “no political, military, economic or other considerations may serve as an excuse or justification for [. . .] aggression”, they declared that an “aggressor” is the state that commits any of the following:

1) Declaration of war upon another State; 2) Invasion by its armed forces, with or without a declaration of war, of the territory of another State; 3) Attack by its land, naval or air forces, with or without a declaration of war, on the territory, vessels or aircraft of another State; 4) Naval blockade of the coasts or ports of another State; 5) Provision of support to armed bands formed in its territory, which have invaded the territory of another State, or refusal, notwithstanding the request of the invaded State, to take, in its own territory, all the measures in its power to deprive those bands of all assistance or protection.199

195 Covenant of the League of Nations (adopted 28 June 1919, entered into force 10 January 1920) 225 CTS 195, Art. 10. 196 Protocol for the Pacific Settlement of International Disputes (adopted 2 October 1924, never entered into force) 19 AmJIL (Supplement) 9, preamb para. 3. 197 Kellogg-Briand Pact (adopted 27 August 1928, entered into force 24 July 1929) 94 LNTS 57, Art. 1. 198 Convention for the Definition of Aggression (adopted 3 July 1933, entered into force 16 October 1933) 147 LNTS 67; Convention for the Definition of Aggression (adopted 4 July 1933, entered into force 17 February 1934) 148 LNTS 211; Convention for the Definition of Aggression (adopted 5 July 1933, entered into force 14 December 1933) 148 LNTS 79. The total list of signatories included Afghanistan, Czechoslovakia, Estonia, Finland, Latvia, Lithuania, Persia, Poland, Romania, USSR, Turkey and Yugoslavia. 199 Ibid., Arts. 2, 3. For the list of possible “considerations”, see ibid., Annex. Cyber-strikes And Jus Ad Bellum 163

After WW2, the Nuremberg Tribunal condemned war of aggression as a “supreme international crime [. . .] that [. . .] contains within itself the accumulated evil”.200 The Nuremberg Charter outlawed “planning, preparing, initiation or waging of a war of aggression, or a war in violation of international treaties, agreements or assurances” as “crimes against peace”.201 The latter formulation was echoed in the General Assembly because of a “definitional void” of the word “aggression” in the UN Charter.202 For example, this approach was chosen for the 1970 Friendly Relations Declaration, which proclaimed that there is responsibility for aggression in international law and that “States have the duty to refrain from propaganda for wars of aggression”.203 The same year, the ICJ held in its Barcelona Traction case that the prohibition of acts of aggression represents an obligation erga omnes before the entire world community.204 History, therefore, demands starting the analysis of cyber-attacks with “war”. Terms like “cyber war” or “netwar” are still used by scholars.205 Under certain conditions, politically, cyber-attack could be considered an act of war—an “act so egregious that the victim would be justified in declaring war”.206 Nevertheless, the contemporary jus ad bellum regime in that case would only be preoccupied with the question if that act of war were a threat to peace, use of force or an armed attack. Additionally, since the early 20th century, international law has changed up to a point where declarations of war became meaningless. In fact, various

200 Judgment of the Nuremberg International Military Tribunal (1946) 22 NTP 426. 201 Charter of the International Military Tribunal (Nuremberg Charter) (adopted 8 August 1945, entered into force 8 August 1945) 82 UNTS 279, Art. 6(a). See also ILC, “Draft Code of Crimes against the Peace and Security of Mankind”, 48th Session, Supplement No. 10 (6 May–26 July 1996) UN Doc A/CN.4/L.532, Art. 16. 202 Michael J. Glennon, “The Blank-Prose Crime of Aggression” (2010) 35(1) Yale JIL 78. 203 Friendly Relations Declaration (n. 9) op para. 1. See generally Michael G. Kearney, The Prohibition of Propaganda for War in International Law (OUP 2007) 55–70. 204 Barcelona Traction, Light and Power Company, Limited (Belgium v Spain) (Second Phase) [1970] ICJ Rep, paras. 33–34. Note that the prohibition is meant to apply to all countries, including non-UN states—see Definition of Aggression (n. 186) Art. 1(a); Henderson, Green (n. 15) 134. Acts in self-defense and on behalf of the Security Council do not constitute acts of aggression. 205 For instance, while Thomas Rid insists that his (legally questionable) criteria of war (instrumentality, political nature and violence potential) are not met by cyber-attacks yet, he calls “cyber war” a metaphor “for the time being”—see Thomas Rid, Cyber War Will Not Take Place (Hurst & Co 2013) xv, 1, 37. See also John Arquilla, David Ronfeldt, “The Advent of Network (Revisited)” in John Arquilla, David Ronfeldt (eds.), Network and Netwars: The Future of Terror, Crime, and Militancy (RAND 2001) 2, 6. 206 DoD Office of General Counsel (n. 77) 12. 164 Chapter 5 cracking groups “declare wars” on each other and on different states quite often without any legal repercussions. Today, the situation is rather assessed based on the level of fighting and on whether there is an armed conflict or, at least, a threat thereof.207

5.4.3 Modern Concept of Aggression In 1974, to remedy the “definitional void” mentioned previously, a coherent definition was included in the UNGA Resolution 3314. Despite its non-binding nature and heavy criticism in the 1990s, it effectively reflected international customary law, as concluded by the ICJ in the Nicaragua case.208 The 1974 Definition provided a non-exhaustive list of what can be considered “an act of aggression”, irrespective of war declarations: a) The invasion or attack by the armed forces of a State of the territory of another State, or any military occupation, however temporary, resulting from such invasion or attack, or any annexation by the use of force of the territory of another State or part thereof; b) Bombardment by the armed forces of a State against the territory of another State or the use of any weapons by a State against the territory of another State; c) The blockade of the ports or coasts of a State by the armed forces of another State; d) An attack by the armed forces of a State on the land, sea or air forces, or marine and air fleets of another State; e) The use of armed forces of one State which are within the territory of another State with the agreement of the receiving State, in contravention of the conditions provided for in the agreement or any extension of their presence in such territory beyond the termination of the agreement; f) The action of a State in allowing its territory, which it has placed at the disposal of another State, to be used by that other State for perpetrating an act of aggression against a third State; g) The sending by or on behalf of a State of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another State of such gravity as to amount to the acts listed above, or its substantial involvement therein.209

207 Mary E. O’Connell, “Defining Armed Conflict” (2008) 13(3) Journal of Conflict & Security Law 399–400. 208 Glennon (n. 202) 79–80; Nicaragua Case (n. 13) para. 195. 209 Definition of Aggression (n. 186) Art. 3. Cyber-strikes And Jus Ad Bellum 165

This list has been adopted without changes as an amendment to the Rome Statute in 2010, thus once again reaffirming its customary nature.210 Notably, the amendment included the phrase “in accordance with United Nations General Assembly Resolution 3314” that creates uncertainty over which norms other than Articles 1 and 3 from the original resolution should remain relevant.211 As mentioned previously, the list of acts of aggression included in the amendment was made exhaustive for the purposes of defining the crime of aggression. Though “aggression” and “armed attacks” do not match in general, it is undisputed that all of the acts mentioned in Article 3 of the UNGA Resolution 3314 must reach the armed attack threshold. Legally, other uses of force (including certain cyber-strikes) can still constitute acts of aggression (for instance, if declared such by the UNSC or other authoritative body),212 although their prosecution as an international crime in the ICC will not be possible in the nearest future due to the limited scope of the Rome Statute. As far as the international community is concerned, a claim that a cyber- strike constitutes an act of aggression not mentioned in the Rome Statute needs nothing more than an assessment of whether it constitutes an armed attack and whether a collective response of the United Nations is required. One important example here could be the Rio Pact, which, inter alia, characterizes aggression as “unprovoked armed attack by a state against [. . .] the people [. . .] of another state” (emphasis added).213 Technology allows

210 Rome Statute (n. 188) Art. 8bis(2). For criticism of this decision, see Surendran Koran, “The International Criminal Court and Crimes of Aggression: Beyond the Kampala Convention” (2012) 34(2) Houston JIL 284; Steve Beytenbrod, “Defining Aggression: An Opportunity to Curtail the Criminal Activities of Non-State Actors” (2011) 36(2) Brooklyn JIL 670. 211 Rome Statute (n. 188) Art. 8bis(2); Claus Kress, Leonie von Holtzendorff, “The Kampala Compromise on the Crime of Aggression” (2010) 8(5) Journal of International Criminal Justice 1179. 212 This may include the ICJ, although, as Judge Simma pointed out, the Court is known for actively dodging the issue of aggression, creating “the impression that it somehow feels uncomfortable being confronted with certain questions of utmost importance in contemporary international relations”—see Separate Opinion of Judge Simma in Armed Activities Case (n. 24) para. 15. Note that the AU Non-Aggression Pact lists support (including encouragement) of terrorism and organized crime as an act of aggression, which can be interpreted as an attempt to misapply the notion of aggression—see African Union Non-Aggression and Common Defence Pact (adopted 31 January 2005, entered into force 18 December 2009) Assembly/AU/Dec 71 (IV), Art. 1(c)(xi). 213 Rio Pact (n. 4) Art. 9. 166 Chapter 5 cyber-attacks to harm people individually, and as a whole. Moreover, the assassination of Khalil al-Wazir in front of his family in Tunisia was condemned by the UNSC as part of aggression.214 However, members of the Security Council wrapped it in the usual “sovereignty and territorial integrity” language, and, today, the world community can be expected to do this to cyber-attacks as well. Having discussed the general concept of aggression, it is important to see whether international law guarantees reasonably foreseeable prosecutions of “person[s] in a position effectively to exercise control over or to direct” damaging state-sponsored cyber-attacks.215

5.4.4 Cyber-Attacks as Specific Acts of Aggression In 2004, the UNSG High-Level Panel expressly acknowledged that information technologies “can be transformed into instruments of aggression”.216 Furthermore, the International Code of Conduct for Information Security suggested by the SCO members (Russia, China and Tajikistan) contains a proposal “not to use [information and communications technologies] including networks to carry out hostile activities or acts of aggression”.217 What forms can the latter take in and via cyber-space?

5.4.4.1 Blockade Non-territoriality of the fifth domain of warfare (emphasized in Chapter 4) significantly limits applicability of the definition of aggression, which, in the criminal context, must be interpreted strictly in line with the universal nullum crimen sine lege principle.218 What becomes clear is that a number of

214 UNSC Res 611 (25 April 1988) UN Doc S/RES/611, preamb para. 1, op para. 1. 215 See Rome Statute (n. 188) Art. 25(8). 216 High-Level Panel (n. 150) para. 16. 217 International Code of Conduct for Information Security (n. 9) op para. 2. 218 This non-retroactivity principle is recognized as fundamental. After its inclusion in the Rome Statute, even ICTY and ICTR, which previously expressed their uncertainty about it (likely, being burdened by the legacy of Nuremberg), admitted that “it would be wholly unacceptable [. . .] to convict an accused person on the basis of a prohibition which [. . .] is either insufficiently precise to determine conduct and distinguish the criminal from the permissible, or was not sufficiently accessible at the relevant time”—see Prosecutor v Vasiljević (Judgment) ICTY-98-32-T, T Ch I (29 November 2002) para. 193. See also Rome Statute (n. 188) Arts. 22, 23; Nuremberg Judgment (n. 200) 461; Prosecutor v Delalić (Čelebići Case) (Judgment) ICTY-96-21-T, TC (16 November 1998) para. 403; Prosecutor v Karemera (Decision on Jurisdictional Appeals: Joint Criminal Enterprise) ICTR-98-44-T (11 May 2004) para. 43; Prosecutor v Aleksovski (Judgment) ICTY-95-14/1-A, (24 March 2000) paras. 126–127. Cyber-strikes And Jus Ad Bellum 167

traditional acts of aggression, such as invasion, occupation or annexation of territory are not relevant when it comes to cyber-attacks. Without physical presence that would both isolate and prevent incoming and outgoing traffic, it is also impossible to establish a blockade around ports or coasts of a country. Nowadays cyber-attacks can result in information blockade (for instance, total disconnection of a country from the Internet),219 which, by coincidence, is imposed by closing network ports (virtual data endpoints that are used to exchange data).220 Can governments exploit this coincidence? Like other acts of aggression, in this case, information blockade would have to reach the levels of the use of force and armed attack. Indeed, from 2011, access to the Internet is increasingly recognized as a part of human rights.221 Its disconnection can be a nuisance, but it is not likely to cause any serious suffering among the population. Firstly, in the age of globalization and satellite telecommunications, it is extremely hard to disconnect an entire country from the online world for a prolonged period of time. Secondly, the architecture of the undying Internet and back-up systems of national networks make recovery from an external information blockade (if it succeeds) a relatively easy task.222 Finally, economic and socio-political disruption can result from permanently corrupting information (which causes loss of confidence), but is unlikely to result from its temporary denial. For these reasons, it will be extremely hard to argue that an information blockade constitutes a use of force or that some states are so dependent on the Internet that it would jeopardize their survival.223 Therefore, in this case, aggression seems to be excluded automatically.

219 See Tallinn Manual (n. 2) Ch4 S9(A) C6, Ch4 S9(A) C13. 220 Cory Janssen, “Network Port” (Technopedia) accessed 1 August 2015. 221 Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, “Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression” (Report, UNHCR 2011) UN Doc A/ HRC/17/27, paras. 20, 65–66, 80–85; Molly Land, “Toward an International Law of the Internet” (2013) 54(2) Harvard ILJ 394–395, 397. For a discussion of the link between the Internet and the right to education, see Vittorio Fanchiotti, Jean P. Pierini, “Impact of Cyberspace on Human Rights and Democracy” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 58–59. 222 Consider the relocation of the Georgian websites to the US and Estonia during the 2008 South Ossetia war—see sub-chapter 3.3.3.5. 223 One academic that seems to insist on this is Sheng Li, “When Does Internet Denial Trigger the Right of Armed Self-Defense?” (2013) 38(1) Yale JIL 196–197. 168 Chapter 5

5.4.4.2 Use of Weapons and Attacks Although traditional bombardment is impossible via cyber-space, the Rome Statute also foresees an alternative—“the use of any weapon [. . .] against the territory of another State”. As Todd notes, the use of the term “any” obviously indicates that the employment of cyber-weapons with severe consequences would be an act of aggression.224 Only cyber-attacks that cause physical destruction on the ground can fit this definition however. Furthermore, a significant number of states not only have advanced cyber- capabilities, but also have created cyber-divisions in their armed forces.225 In the future, more states are likely to incorporate cyber-expert teams into their armies. From a legal point of view, such teams can be considered if not specifically land or other forces, then generally part of the military. If these groups manage to mount a damaging cyber-strike against “land, sea or air forces [. . .] of another State”, it would be enough to classify these attacks as acts of aggression.226

5.4.4.3 Wrongful Use of Territory Situations where one state permits computerized systems in its territory to be accessed by another state (possibly for the purposes of developing a common defense scheme) create a number of ways how aggression can manifest, as long as the consequences are of sufficient gravity.

224 Todd (n. 60) 78. 225 In 2015, this list includes countries like Australia, Brazil, China, Estonia, France, Germany, Iran, Israel, Japan, North Korea, Russia, South Korea, Turkey, the UK and the USA. The present book does not discuss cyber-warfare capabilities of individual states, firstly, because they keep rapidly developing and still have not reached their peak, and secondly, since such reviews are already published by other scholars—e.g., see Carr (n. 138) 243–272; James A. Lewis, Katrina Timlin, “Cybersecurity and Cyberwarfare: Preliminary Assessment of National Doctrine and Organization” (Study, UNIDIR 2011) 5–35 accessed 1 August 2015; James A. Lewis, “Chapter 1: Cybersecurity and Cyberwarfare: Assessment of National Doctrine and Organization” in UNIDIR, The Cyber Index: International Security Trends and Realities (UN 2013) 9–90; Jason Andress, Steve Winterfeld, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Syngress 2011) 69–74. See also Daniel Ventre, Cyber Conflict: Competing National Perspectives (Wiley 2012). 226 See Rome Statute (n. 188) Art. 8bis(d). Cyber-strikes And Jus Ad Bellum 169

One example is when these systems are provided and used specifically to wage cyber-aggression against a third state.227 If countries belong to a military alliance and mutual computer use is automated, responsibility will depend on the purpose of sharing, as all acts of aggression require malicious intent.228 Another example concerns a case where there is an agreement that allows experts belonging to the armed forces of one state to reside in the territory of another state. Use of these forces contrary to the agreement will constitute an act of aggression. Such misuse can include cyber-sabotage, installing logic bombs, covertly uploading malware to be used against third states and other acts.

5.4.4.4 Sending Armed Groups There is no obvious reason why a team of crackers with necessary motivation, knowledge and malware will not be described as an “armed group” in the future. Though they do not physically cross the border into other countries, the amended Rome Statute does not stipulate where they should be sent “by or on behalf of a State”.229 In fact, any location, specified or implied, including home, military center, Internet café or cyber-space itself could be acceptable from the perspective of international law. Therefore, the use of cracker groups that are sent to carry out grave “acts of armed force” may constitute an act of aggression.230 It is important to note that while the “sending” of irregular bands is normally expected, similar use of cracker groups belonging to the military is not formally excluded anywhere in the Rome Statute.

5.4.5 Prosecution under the Rome Statute To summarize, the Rome Statute, inter alia, criminalizes the following conduct that results in severe consequences (reaching the level of an armed attack): cyber-attacks against territory, cyber-attacks by state military against land, aerial or naval forces, allowing external use of own cyber-systems for acts of aggression, violating the status of forces agreement, actively using cracker groups to launch cyber-strikes.

227 Giving “direct aid to a nation committing aggression” is also considered a part of aggression in the UNGA Res 498 (V) (1 February 1951) UN Doc A/RES/498, op para. 1. See also UNGA Res 41/38 (20 November 1986) UN Doc A/RES/41/38, op para. 3. 228 See generally Dinstein, War (n. 154) 136–137. 229 Rome Statute (n. 188) Art. 8bis(g). 230 Ibid. 170 Chapter 5

Two key questions determine the possibilities of prosecution: will the international community accept that it is possible to send armed groups into cyber- space, and will it accept that such armed groups may include the military? If both are answered positively, any ordered cyber-strike reaching the level of an armed attack can be prosecuted as a crime of aggression (though no earlier than 2017 and if the formalities required by the Rome Statute are met).231 If at least one of them is answered negatively, the crime of cyber-aggression will have very visible limits. For example, if “armed groups” cannot include official state forces, the latter can be ordered to launch cyber-attacks against economic and social data or civilian medical implants with impunity. If irregular crackers cannot be “sent” to cyber-space, they can be used for the same acts. Since governments may resort to conflicting interpretations, future clarifications in this regard are clearly required to avoid exploitation. The amended Rome Statute criminalizes not only initiation or execution of an act of aggression, but also its planning and preparation.232 This does not mean that the ICC would want to immediately prosecute the planning of cyber-aggression; it would have to be followed by an act of aggression itself in order to hold the leaders accountable.233 This approach may be prudent in relation to cyber-space, where creation of a “backdoor” in software, hardware or firmware (that allows direct access to a system) can be indicative of both preparatory activities necessary to commit an act of aggression in or via the virtual realm, as well as a mere attempt to engage in cyber-espionage.234

231 See generally ibid., Art. 15bis(3): “The Court shall exercise jurisdiction over the crime of aggression in accordance with this article, subject to a decision to be taken after 1 January 2017 by the same majority of States Parties as is required for the adoption of an amendment to the Statute”. 232 Ibid., Art. 8bis(1). See generally Murphy (n. 99) 1147. 233 See generally Devyani Kacker, “Coming Full Circle: The Rome Statute and the Crime of Aggression” (2010) 33(3) Suffolk Transnational Law Review 267. 234 See Dinniss (n. 38) 90; Benatar (n. 42) 380; Jonathan A. Ophardt, “Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield” (2010) 9(1) Duke Law & Technology Review 15; Yoram Dinstein, “Computer Network Attack and Self-Defense” (2002) 76 International Law Studies 111; James H. Doyle, “Computer Networks, Proportionality, and Military Operations” (2002) 76 International Law Studies 152; Scott D. Applegate, “The Principle of Maneuver in Cyber Operations” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 192–193. Note that the AU Non-Aggression Pact (n. 212) Art. 1(c) lists “acts of espionage” and “technological assistance of any kind, intelligence and training” as aggression itself, although they clearly represent preparatory activities. Cyber-strikes And Jus Ad Bellum 171

Planning and preparing for aggression have been critical in previous prosecution strategies, encompassing a wide range of government and military personnel. So, for example, in addressing the Nazi aggression, the Nuremberg Tribunal paid special attention to, inter alia, Mein Kampf and “four secret, high-level meetings at which Hitler outlined his aggressive plans for the future and reviewed the progress achieved in the implementation of his aggressive policies”.235 Due to the fact that it is harder to trace cyber-attacks than physical attacks, planning and preparing for cyber-aggression can become a vital element in the ICC jurisprudence after 2017. Finally, it should be mentioned that political problems may arise when attempting to prosecute state leadership for cyber-attacks. International law does not recognize immunities vis-à-vis international crimes.236 Nevertheless, governments can easily protect state leaders through a set of procedural mechanisms. In fact, the development of these mechanisms is the result of previous political manipulations. Firstly, the principle of complementarity allows states to hold prosecutions domestically.237 Secondly, they can avoid becoming parties to the Rome Statute, and, thirdly, even if they are, their governments still have the option of opting out from the international prosecutions.238

5.5 Conclusion

In the present chapter, legal principles were outlined for determining when and under which conditions a cyber-attack can be considered use of force, and when cyber-strikes are likely to reach the required gravity to constitute armed attacks, allowing states to act in self-defense. Today, many aspects of both

235 UN, Historical Review of Developments Relating to Aggression (UN 2003) 12. 236 See Arrest Warrant of 11 April 2000 (DRC v Belgium) (Judgment) [2002] ICJ Rep, para. 61. See also Nuremberg Charter (n. 201) Art. 7; Alexander Orakhelashvili, “Immunities of State Officials, International Crimes, and Foreign Domestic Courts: A Reply to Dapo Akande and Sangeeta Shah” (2011) 22(3) EJIL 855. 237 See Michael P. Scharf, “Universal Jurisdiction and the Crime of Aggression” (2012) 53(2) Harvard ILJ 388; Jennifer Trahan, “Is Complementarity the Right Approach for the International Criminal Court’s Crime of Aggression? Considering the Problem of ‘Overzealous’ National Court Prosecutions” (2012) 45(3) Cornell ILJ 589–593, 601. 238 Rome Statute (n. 188) Art. 15bis(4), 15bis(5). See generally Beth van Schaack, “Negotiating at the Interface of Power and Law: The Crime of Aggression” (2011) 49(3) Columbia Journal of Transnational Law 585, 591; Jennifer Trahan, “A Meaningful Definition of the Crime of Aggression: A Response to Michael Glennon” (2012) 33(4) University of Pennsylvania JIL 910–911. 172 Chapter 5 these categories require more clarity and remain exploitable. In approaching cyber-attacks, governments are allowed to operate under old notions that sometimes permit conflicting and subjective interpretations to justify desired political ends. The crime of aggression category, which promises prosecution of state leaders for certain armed attacks after 2017, is a more definite one, as it is strictly constrained by the principle of legality. At the same time, the extent of its application currently remains uncertain, providing room for exploitation. This becomes especially apparent in relation to cracking groups that could or could not be “sent” to cyber-space by states. In addition, state-based prosecutions of the crime of aggression can be tampered with politically. This chapter concentrated on the legal regime of the jus ad bellum, revealing a number of significant imperfections that can be exploited in cyber-warfare. The next chapter (Chapter 6) will analyze the exploitable deficiencies, uncertainties and gaps of the “other side of the coin”, namely, the legal framework in the field of humanitarian law ( jus in bello) that applies once the armed conflict is under way. Chapter 6 Humanitarian Law Perspective

6.1 Introduction

While the previous chapter highlighted significant deficiencies in the existing politico-legal framework of jus ad bellum, the current chapter aims to identify the exploitable imperfections in the jus in bello regime in order to demonstrate that, while international law remains applicable, it does not adapt perfectly to cyber-attacks. The chapter is divided into six parts, focusing on the most important principles in the laws of armed conflict that constitute its customary body.1 Due to the constraints of this book, the present chapter does not analyze norms that do not involve causing damage per se (for example, cyber-espionage in war,2 denying the right to correspondence)3 or that, at present, are not sufficiently realistic (for instance, cyber-attacks forever destroying intangible works of art online).4 The first part deals with the general applicability of international humanitarian law to cyber-warfare. It analyzes the conditions under which a cyber- attack can initiate an “armed conflict” or be a part of an existing war. This part provides the necessary foundation for consequent discussions in the chapter, since inapplicability of humanitarian law per se would render the subsequent analysis void.

1 See Jean-Marie Henckaerts, “Study on Customary International Humanitarian Law: A Contribution to the Understanding and Respect for the Rule of Law in Armed Conflict” (2005) 87(857) International Review of the Red Cross 175–212; Jean-Marie Henckaerts and others, Customary International Humanitarian Law, vols 1 & 2 (CUP 2005). Note that, while norms relating to neutrality are not listed in the ICRC study, this is merely due to the scope of Henckaert’s (and others’) inquiry and the principle of neutrality, undoubtedly, constitutes a part of customary law. 2 See generally Arts. 29, 30, 31 of 1899HCA2; Arts. 29, 30, 31 of 1907HCA4; Arts. 5(2), 68(2) of GC4; Arts. 39(3), 45(3), 46 of AP1; Commission of Jurists, “Rules Concerning the Control of Wireless Telegraphy in Time of War and Air Warfare” (December 1922—February 1923) Arts. 11, 27, 28. 3 See generally Arts. 25, 112(1) of GC4. 4 See generally see Arts. 1(a), 3; Arts. 53, 85(4)(d) of AP1, Art. 16 of AP2; Hague Convention for the Protection of Cultural Property in the Event of Armed Conflict (adopted 14 May 1954, entered into force 7 August 1956) 249 UNTS 240.

The second part views cyber-strikes through the prism of the humanity principle, which lies at the root of international humanitarian law. Exploitable imperfections of jus in bello are exposed by analyzing cyber-attacks as a new weapon of war within the context of the Martens Clause and by paying attention to the key humanitarian challenges that may arise in cyber-warfare, including targeting medical transport, as well as biological, chemical and nuclear facilities. The third part addresses the legal challenges pertaining to the principles of proportionality and necessity in the jus in bello. The fourth part then deals with uncertainties, deficiencies and gaps relating to cyber-combatants, civilians and the distinction between them. It also critically reviews norms relevant for civilian objects and military objectives in cyber-space, as well as the issue of non-combatant participation in hostilities. The fifth part is dedicated to the specific aspects of deception that apply to cyber-strikes. Both perfidy and permitted ruses of war are addressed. Finally, the sixth part considers the concept of neutrality in cyber-space. The analysis covers ground for the potential exploitation of neutrality law in cyber-warfare both by the belligerents and by neutral governments.

6.2 General Applicability of International Humanitarian Law

The absence of specific references to cyber-attacks in the existing instruments of humanitarian law does not explicitly exclude them from the scope of applicability of the laws of war, since the latter clearly aim to, inter alia, tackle developing weapons, means and methods of warfare.5 Therefore, any meaningful inquiry into international humanitarian law should begin with the question of whether jus in bello applies to the matter at hand. The following sub-chapter seeks to establish the extent to which it does, concentrating on two particular sub-questions most relevant in the cyber-context, namely, can cyber-attacks be sufficiently damaging to start an international armed conflict and can they have the required nexus with an ongoing conflict, when launched in furtherance of military action?

5 Art. 36 of AP1. See generally Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 28; Lesley Swanson, “The Era of Cyber Warfare: Applying International Humanitarian Law to the 2008 Russian-Georgian Cyber Conflict” (2010) 32(2) Loyola of Los Angeles International and Comparative Law Review 314–315. Humanitarian Law Perspective 175

6.2.1 Cyber-Attack as Initiation of an Armed Conflict Contemporary international humanitarian law does not require the existence of a formal state of war to be applicable. De jure it applies to all situations of military occupation6 or armed conflict (international and internal).7 One may plausibly argue that assuming state power over a captured enemy soldier triggers some applicability of jus in bello as well.8 Nevertheless, a scenario involving soldiers being “captured” via cyber-attacks is improbable and does not need to be discussed here. Similarly, as argued in the previous two chapters, the non-territorial nature of cyber-space practically excludes the possibility of cyber-strikes resulting in classic military occupation, regardless of the harm caused.9 This means that cyber-attacks alone (without any conventional weapon use) can trigger the application of humanitarian law in a previously peaceful environment only when they are significantly damaging (in terms of their consequences) and if they satisfy other legal requirements necessary to initiate an international or internal armed conflict.10 What are these requirements? According to the early International Committee of the Red Cross (ICRC) commentaries, armed conflict is “any difference [. . .] leading to the intervention of armed forces”.11 In 2008, the ICRC revised and clarified its opinion to match that of the ICTY in the Tadić case, according to which “an armed conflict exists whenever there is resort to armed force between States or protracted armed violence between governmental authorities and organized armed groups or between such groups within a State”.12

6 Common Art. 2(2) of GCs; Art. 1(3), 1(4) of AP1. 7 Common Art. 2(1) of GCs; Arts. 1(3), 1(4), 3(a) of AP1; Art. 1(1) of AP2. See generally Mary E. O’Connell, “Defining Armed Conflict” (2008) 13(2) Journal of Conflict & Security Law 399–400. 8 See Art. 5(1) of GC3; Keiichiro Okimoto, “The Cumulative Requirements of Jus ad Bellum and Jus in Bello in the Context of Self-Defense” (2012) 11(1) Chinese JIL 62. 9 See sub-chapters 4.2.2; 5.4.4.1. 10 See generally Swanson (n. 5) 313, 317, 322; Nils Melzer, Cyberwarfare and International Law (UNIDIR 2011) 23. 11 ICRC, “Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field: Article 2—Application of the Convention” (Commentary, ICRC 1952) accessed 1 August 2015. 12 Prosecutor v Tadić (Decision on Jurisdictional Appeal) ICTY-94-1-AR72, AC (2 October 1995) para. 70; ICRC, “How is the Term ‘Armed Conflict’ Defined in International Humanitarian Law?” (Opinion Paper, March 2008) 5 accessed 1 August 2015. 176 Chapter 6

When it comes to international wars, there are but a few requirements. The adoption of the First Additional Protocol (AP1) to the Geneva Conventions (GCs) helped erode the archaic view that international armed conflict is one purely between states, equal in rights and duties, but not necessarily in military strength.13 In fact, more than 170 state parties to AP1 now voluntarily recognize that armed conflicts can involve freedom fighters.14 Engagement of such fighters in cyber-warfare will be more closely discussed in Chapter 7. At this point, it is important to highlight that, since cyber-attacks are launched from physical infrastructure by physical persons, it may almost always be possible to politically attach them to a country where infrastructure and persons are located. Thus, firstly, applicability of international humanitarian law to international armed conflicts presupposes involvement of at least one (though usually two or more) state(s). Where non-state actors are supported by countries, determining the existence of an international armed conflict may be hindered by the variety of possible attribution models described in Chapter 5 (among them, the tests of effective control, overall control, complete dependence, support and toleration). While individual governments may attempt to take advantage of this deficiency, it should be noted that strong support from international tribunals and the ICRC make the overall control test (Tadić criteria) more likely to be applied. The second condition for applicability of international humanitarian law to international armed conflicts is: a minimal level of damage must be caused to the detriment of one of the (future) belligerents. One must ask, where does this threshold lie? In answering this question, one cannot ignore the related regime of jus ad bellum and inspiration can be drawn directly from it. Simply put, the two major views seem to require cyber-strikes to reach either the level of the use of force or armed attack in order to trigger an international armed conflict, with different meanings usually attached to these expressions by various governments and scholars.15 One can illustrate this point by reference to the Tallinn Manual, as its authors could not agree whether Stuxnet was sufficient to start

13 See generally David Kretzmer, “Rethinking Application of IHL in Non-International Armed Conflicts” (2009) 42(1) Israel Law Review 24. 14 The expression freedom fighters in this book is used in the context of Art. 1(4) of AP1, i.e. freedom fighters belong to “peoples [. . .] fighting against colonial domination and alien occupation and against racist regimes in the exercise of their right of self-determination”. 15 See generally Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R22C12. Humanitarian Law Perspective 177 an armed conflict merely because they previously adopted different positions on whether the use of Stuxnet constituted an armed attack or not.16 Neither view requires the involvement of the actual armed force.17 In both cases, initiation of an international armed conflict by cyber-attacks is determined by the level of violence. Notably, to prove his point that “cyberwar will not take place”, Thomas Rid underscores that “[v]iolence administered through cyberspace is less direct in at least four ways: it is less physical, less emotional, less symbolic, and, as a result, less instrumental”.18 However, from a legal perspective these factors are irrelevant, as long as violence is present per se. Certain scholars like Heather Dinniss believe that cyber-neutralization of crucial military targets would also qualify to start an international armed conflict, if followed by an actual attack.19 However, governments have little to gain by arguing that the law of armed conflict has to apply retrospectively from the moment of such neutralization, and not from the moment of the kinetic attack itself. For instance, neutralization of an anti-air battery does not raise direct humanitarian concerns, nor would it breach the jus in bello anyway. The close relationship between the politicized perception of jus ad bellum and humanitarian law becomes apparent, for instance, if one considers cyber-attacks on objects crucial to the financial well-being of a country. Minor economic harm to a state is not sufficient to warrant the beginning of an international armed conflict, because governments will not see it as a use of force (for instance, Estonia’s officials did not treat the 2007 attacks against its infrastructure as such, despite the financial losses).20 On the other hand, what will likely trigger an armed conflict is a cyber-strike that destroys a state’s economy (which can also be considered an armed attack).21 When it comes to the threshold for initiating a non-international armed conflict, it is much higher (despite not requiring any state involvement) and does not include “situations of internal disturbances and tensions, such as

16 Ibid., R13C13, R22C14. See also Dinniss (n. 5) 131, arguing that Stuxnet did meet the criteria necessary for initiating an international armed conflict. 17 Tallinn Manual (n. 15) R22C13. 18 Thomas Rid, Cyber War Will Not Take Place (Hurst & Co 2013) 12–13, 34. 19 Dinniss (n. 5) 131–132. See also Michael Schmitt, “Classification of Cyber Conflict” (2012) 17(2) Journal of Conflict & Security Law 252; Michael Schmitt, “Classification of Cyber Conflict” (2013) 89 International Law Studies 240–241; Knut Dörmann, “Applicability of the Additional Protocols to Computer Network Attacks” (Report, ICRC 2004) 6 accessed 1 August 2015. See gene rally Tallinn Manual (n. 15) R30C16. 20 See sub-chapter 3.3.3.5. 21 See sub-chapter 5.3.1. 178 Chapter 6

[. . .] isolated and sporadic acts of violence and other acts of a similar nature”.22 Other requirements comprise a sufficient level of organization of the warring groups (a hierarchical structure and the ability to participate in hostilities are paramount), in addition to responsible command and (formally but no longer necessarily)23 ability to exercise control “over a part of its territory”.24 The authors of the Tallinn Manual determined that a non-international armed conflict may be started by cyber-attacks in rare circumstances.25 However, is this conclusion accurate? It should be observed here that most non-state crackers do not have a clear command structure, thus these cracking groups will not meet the requirement for organization. Furthermore, as Schmitt notes, even if the organization and responsible command criteria of internal conflicts were met, the protracted requirement would exclude sporadic cyber-strikes regardless of their destructiveness.26 The fact remains that all cyber-attacks are sporadic, because their success largely depends on various human factors and luck. The high threshold of intensity requires a series of cyber-strikes, each reaching at least the level of the use of force. A proper technical cyber-security risk-assessment can be reasonably expected to reveal that a succession of such attacks against a state is not possible within a definable time period (unless the ruling government deliberately creates and maintains conditions for their continuous success). The conclusion in the Tallinn Manual, therefore, seems somewhat too optimistic. The resulting initial exclusion of cyber-attackers from the scope of application of AP2 and Common Article 3 of the GCs may provide governments with certain legal maneuverability vis-à-vis non-state actors. However, the room for legal exploitation is somewhat limited by the fact that state counter-actions themselves may satisfy the required criteria, starting a non-international armed conflict.

22 Art. 1(2) of AP2. See also Rome Statute of the International Criminal Court (adopted 17 July 1998, entered into force 1 July 2002, amended 29 November 2010) 2187 UNTS 90, Art. 8(2)(d), 8(2)(f). 23 Tallinn Manual (n. 15) R23C3, R23C4, R23C6. See also Dinniss (n. 5) 135–136. 24 Tallinn Manual (n. 15) R23C11, R23C13, R23C14, R23C15, R23C16. See also Art. 1(1) of AP2. While some governments may view the regime created by AP2 as separate from one of Common Art. 3 of GCs (since it applies only to those states that have ratified it), dividing them for the purposes of the present analysis is unnecessary. 25 Tallinn Manual (n. 15) R23, R23C2, R23C7. 26 Michael N. Schmitt, “Cyber Operations and the Jus in Bello: Key Issues” (2011) 87 International Law Studies 106. Humanitarian Law Perspective 179

6.2.2 Cyber-Attack as Part of an Ongoing Armed Conflict The application of international humanitarian law to cyber-attacks, which are carried out in the context of an ongoing international or internal armed conflict, is rarely disputed.27 However, which particular cyber-strikes are governed by jus in bello? According to the ICTY, there must be a “sufficient nexus [. . .] between the alleged offense and the armed conflict which gives rise to the applicability of international humanitarian law”.28 For such a nexus to exist, it would be sufficient to prove that the cyber-attack was carried out “in the course of or as part of the hostilities in, or occupation of, an area controlled by one of the parties”.29 From the Tadić case it further follows that:

It is not [. . .] necessary to show that armed conflict was occurring at the exact time and place of the proscribed acts alleged to have occurred [. . .] nor is it necessary that [. . .] [it] takes place during combat, that it be part of a policy or of a practice officially endorsed or tolerated by one of the parties to the conflict, or that the act be in actual furtherance of a policy associated with the conduct of war or in the actual interest of a party to the conflict.30

Cyber-strikes were used to support military operations in the past.31 However, none of the incidents prompted their express recognition as part of an armed conflict. The same can be said about the most serious case to date involving an inter-war cyber-offensive against Georgia in 2008. Notably, it appeared to be coordinated with physical attacks of the Russian, South Ossetian and Abkhazian forces.32 According to the Report of the Independent International Fact-Finding Mission on the Conflict in Georgia, these cyber-strikes may have reduced Georgian decision-making capability and ability to communicate

27 See generally Melzer, Cyberwarfare (n. 10) 22; Tallinn Manual (n. 15) R20, R20C1; Louise Doswald-Beck, “Some Thoughts on Computer Network Attack and the International Law of Armed Conflict” (2002) 76 International Law Studies 164. 28 Prosecutor v Tadić (Opinion and Judgment) ICTY-94-1-T, TC (7 May 1997) para. 572. See also Prosecutor v Musema (Judgment and Sentence) ICTR-96-13-T, T Ch I (27 January 2000) para. 973; Prosecutor v Rutaganda (Judgment and Sentence) ICTR-96-3-T, T Ch I (6 December 1999) para. 104. 29 Tadić (Opinion and Judgment) (n. 28) para. 573. 30 Ibid. 31 See sub-chapter 3.3.2.2. 32 See Tallinn Manual (n. 15) R20C3. 180 Chapter 6 with its allies.33 Nevertheless, no direct link between the cyber-attacks and the Russian authorities was established.34 Neither were they explicitly brought up in the context of warfare by the Georgian government, probably because they featured no suffering and targeted, for the most part, legitimate military objectives.35 Therefore, the first official declaration of cyber-attack being part of an armed conflict is still yet to come. One should mention that, traditionally, application of jus in bello is limited to the territory of states.36 While this is easily applied to physical consequences (including those affecting IT objects and infrastructure), the non-territorial nature of cyber-space itself makes the limits of humanitarian law in the virtual realm less certain. Its application, however, seems destined to remain closely tied to the extent of the national cyber-zones and sovereignty therein, as potentially claimed by governments. Finally, it is worth noting that humanitarian law continues to apply beyond the cessation of hostilities “until a general conclusion of peace is reached; or, in the case of internal conflict, a peaceful settlement is achieved”.37 At the same time, AP1 links the application of the GCs to international armed conflicts until “general close of military operations” (or “termination of the occupation”).38 Sometimes, neither peace nor closure of hostilities can be definitively determined. For instance, the Korean War was concluded with an armistice rather than a peace treaty and cross-border skirmishes continued until the DPRK abolished the armistice in 2013.39 This problem is not necessarily inherent to cyber-attacks, although the old concepts on the closure of armed conflict may

33 Heidi Tagliavini, Report of the Independent International Fact-Finding Mission on the Conflict in Georgia, vol 2 (Council of the European Union 2009) 217–218. 34 See generally sub-chapter 3.3.3.5; Jason Andress, Steve Winterfield, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Syngress 2011) 14; Eneken Tikk and others, “Cyber Attacks Against Georgia: Legal Lessons Identified” (Analysis Document, NATO CCDCOE 2008) 21. 35 Eneken Tikk, “Comprehensive Legal Approach to Cyber Security” (Doctoral Thesis, University of Tartu 2011) 72 accessed 1 August 2015. 36 Tallinn Manual (n. 15) R21C3; Dinniss (n. 5) 135. 37 Tadić (Decision on Jurisdictional Appeal) (n. 12) para. 70. 38 Art. 3(b) of AP1. 39 John B. Bellinger, Vijay M. Padmanahbah, “Detention Operations in Contemporary Conflicts: Four Challenges for the Geneva Conventions and Other Existing Law” (2011) 105(2) AJIL 229. Humanitarian Law Perspective 181 in some cases struggle to accommodate the new challenge, providing little direction in law.40 Once the existence of an armed conflict has been established, cyber-attacks must, in theory, then become subject to standing principles of international humanitarian law. The most basic and primal of them is the principle of humanity. For this reason, it should be addressed here first, subsequently followed by the discussion of principles of necessity, proportionality, distinction, “chivalry” and neutrality.

6.3 Principle of Humanity

One may argue that the modern state militaries do not treat humanity as the primary principle of jus in bello, preferring to concentrate on distinction and necessity. However, tangible suffering was the very reason why humanitarian law emerged in the first place and why Henry Dunant founded the Red Cross organization. To ignore the principle of humanity would be unreasonable, as it represents one of the stronger aspects of naturalism, which restrains behavior of states and governments. For instance, it may serve as the determining factor in separating small-scale attacks against financial structures (that do not justify an armed response) and those that destroy the economy (which could justify an armed conflict by causing suffering among an entire population). In light of the above, one must inquire, how does the principle of humanity guide cyber-attacks? Does it leave too much room for interpretation? The present sub-chapter seeks to answer these questions, analyzing potential attacks against objects that can cause significant suffering in the process, with particular attention focused on medical transport, nuclear, biological and chemical facilities.

6.3.1 Innovative Nature of Cyber-Attacks Since the 1868 St. Petersburg Declaration, the concept of humanity has been a legal counterweight to military necessity. This is reflected in the Martens

40 For instance, it is uncertain when the “war on terror” is bound to terminate—see Adam Klein, “The End of Al-Qaeda? Rethinking the Legal End of the War on Terror” (2010) 110(7) Columbia Law Review 1909–1910. See also Matthew C. Waxman, “Temporarily and Terrorism in International Humanitarian Law” (2011) 14 Yearbook of International Humanitarian Law 413; Helen Duffy, The ‘War on Terror’ and the Framework of International Law (CUP 2006) 249. 182 Chapter 6

Clause, a (customary)41 norm that ensures protection by the legal principles stemming “from the usages established between civilized nations, from the laws of humanity and the requirements of the public conscience”.42 In other words, the Martens Clause makes sure that the laws of armed conflict apply to all new technologies, leaving no legal void in addressing humanitarian concerns, even when it comes to cyber-warfare or cyber-attacks.43 This was confirmed by the International Court of Justice (ICJ) in the Nuclear Weapons case, where the Court declared: “[t]he fact that certain types of weapons were not specifically dealt with [previously] does not permit the drawing of any legal conclusions relating to the substantive issues which the use of such weapons would raise”.44 In the view of the Court, it “would be incompatible with the intrinsically humanitarian character of the legal principles in question which permeates the entire law of armed conflict and applies to all forms of warfare and to all kinds of weapons”.45 Has adaptability of the jus in bello to the new war methods become a custom itself? Already in the beginning of the 20th century, rules of land combat were used as a base for successfully adopting the regime of sea warfare.46 Even the lag in the ultimate success of regulating air warfare, caused by an unwillingness of powerful governments to give up the advantage that aerial operations provided, could not prevent customary principles (among them, humanity) from applying.47

41 Yoram Dinstein, The Conduct of Hostilities under the Law of International Armed Conflict (CUP 2004) 56; Fausto Pocar, “Protocol I Additional to the Geneva Conventions and Customary International Law” (2001) 31 Israel Yearbook on Human Rights 154. For an opposite view on the customary nature of the Martens Clause, see generally Michael J. Glennon, “The Road Ahead: Gaps, Leaks and Drips” (2013) 89 International Law Studies 375–376. 42 Martens Clause as it appears in the preamble to 1899HC2. This norm can also be found in the preambles to 1907HC4 and AP2, Art. 63(4) of GC1, Art. 62(4) of GC2, Art. 142(4) of GC3, Art. 158(4) of GC4 and Art. 1(2) of AP1. 43 Tallinn Manual (n. 15) R20C10. 44 Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep, para. 84. 45 Ibid., para. 86. 46 For instance, consider the early version of GC2 (adopted on 6 July 1906) or 1907HC10. 47 For instance, consider the non-adopted Rules of Air Warfare (n. 2), partially applicable 1899HCA2 and 1907HCA4 (see Arts. 25 and 27), and fully applicable AP1. Humanitarian Law Perspective 183

The current body of international humanitarian law makes it quite clear that the means and methods of warfare are not unlimited—a standard reiterated by the ICJ in the Nuclear Weapons case.48 AP1 further provides that:

In the study, development, acquisition or adoption of a new weapon, means or method of warfare, a High Contracting Party [must] determine whether its employment would, in some or all circumstances, be prohibited.49

Moreover, international law forbids conduct towards legally protected persons reaching the level of cruel treatment50 and criminalizes inhuman and degrad- ing treatment, regardless of the means employed.51 Though transmission of electronic signals (containing malware) itself does not violate the Martens Clause, the purpose of the latter demands that the principles of humanity also cover direct consequences of cyber-strikes. The degradation of civilian technology and electricity shortages that inevitably follow any serious armed conflict, can result in quick reversal of computerization of pharmaceutical factories,52 religious institutions,53

48 Art. 22 of 1899HC2; Art. 22 of 1907HC4; Art. 35(1) of AP1; Nuclear Weapons Case (n. 44) para. 78: “[. . .] States do not have unlimited freedom of choice of means in the weapons they use”. 49 Art. 36 of AP1. See also Tallinn Manual (n. 15) R48. 50 See Common Art. 3(1)(a), 3(1)(c) of GCs; Arts. 12(2), 15(1) of GC1; Art. 18(1) of GC2; Art. 87(3) of GC3; Arts. 16(2), 118(2), 119 of GC4; Art. 75(1), 75(2)(b) of AP1; Arts. 4(1), 4(2)(a), 4(2)(e), 8 of AP2. 51 See Rome Statute (n. 22) Art. 8(2)(a)(ii), 8(2)(a)(iii), 8(2)(b)(xxi), 8(2)(c)(i), 8(2)(c)(ii); Statute of the International Criminal Tribunal for the Former Yugoslavia (adopted 25 May 1993, amended 17 May 2002) Art. 2(b), 2(c); Statute of the International Tribunal for Rwanda (adopted 8 November 1994, amended 13 October 2006) Art. 4(a), 4(e). Causing unnecessary suffering is forbidden under Art. 35(2) of AP1, while causing “great suffering” and inhuman treatment are grave violations of the GCs under Art. 50 of GC1, Art. 50 of GC2, Art. 130 of GC3, Art. 147 of GC4 and Art. 85(4)(c) of AP1. See also Rome Statute (n. 22) Art. 8(2)(b)(xx); Tallinn Manual (n. 15) R42. For definitions of the terms “cruel treatment”, “inhuman treatment” and “inhumane conditions”, see generally Prosecutor v Delalić (Čelebići Case) (Judgment) ICTY-96-21-T, TC (16 November 1998) paras. 543, 552, 556, 557. 52 Note that an obligation to ensure adequate medical supplies (including medicines) exists towards civilians and internees under Arts. 55(1), 55(2), 108(1) of GC4. 53 See generally Arts. 15(3), 24 of GC1; Arts. 36, 37 of GC2; Arts. 33, 35, 36 of GC3; Arts. 15(5), 18(1), 18(3) of AP1; Arts. 9(1), 12 of AP2. 184 Chapter 6 hospitals,54 ambulances,55 food preparation and similar facilities,56 in case they were reliant on information technology in the first place. Although cyber- strikes against such objects may serve as the beginning of an armed conflict, their inevitable rapid decomputerization reduces chances of cyber-attacks causing significant and widespread suffering during a war. In any case, a first strike against such objects, would be detrimental to states (though, not to terrorists), as it would expose them to criticism from the international community without providing a military or political advantage. To illustrate this point, one should consider the example of attacking a water supply network—a relatively fragile target, cyber-strikes against which, for instance, could be attempted to reduce a population’s will to resist the invaders. Ever since Urlama, the King of Lagash, diverted the water away from Umma 4500 years ago, it has been used as a weapon and made an object of attack.57 Nowadays, water shortages that sometimes accompany conflicts may undermine sanitary conditions and contribute to the spread of diseases (in the long perspective, perhaps even accumulating to the level of “inhumane conditions”). Nevertheless, it is the contamination or complete lack of drinking water that has the potential to cause suffering among humans. Does humanitarian law protect water facilities? It is debatable whether dual-use water networks (that is those used by the armed forces and civilians) may constitute military objectives.58 Nevertheless, it is generally prohibited to “attack, destroy [. . .] or render useless objects indispensable to the survival of

54 The obligation not to attack hospitals (and other medical units) stems from Art. 19(1) of GC1, Art. 18(1) of GC4, Art. 12(1) of AP1 and Art. 11(1) of AP2. Attacking a hospital under normal circumstances is a grave breach of the GCs under 85(2) of AP1 and a war crime under Rome Statute (n. 22) Art. 8(2)(b)(xxiv), 8(2)(e)(ii). See also Tallinn Manual (n. 15) R70, R70C5, R71. 55 Protected by Art. 21 of AP1 and general humanitarian law provisions on medical transport—see further sub-chapter 6.3.2. 56 Obligation to secure adequate food exists towards neutral societies’ personnel under Art. 32(4) of GC1, prisoners of war under Arts. 20(2), 26(1), 26(2), 46(3), 51(1) of GC3, civilians and internees under Arts. 55(1), 89(1), 127(2) of GC4, Art. 54(1), 54(2) of AP1 and Art. 14 of AP2, and persons deprived of liberty under Art. 5(1)(b) of AP2. Causing starvation of the civilian population is a war crime under Rome Statute (n. 22) Art. 8(2)(b)(xxv). See also Tallinn Manual (n. 15) R45, R81, R81C2, R81C5. 57 Peter H. Gleick, “Water and Terrorism” (2006) 8(6) Water Policy 485. 58 For instance, the USA considered attacking dual-use water networks in Iraq in 2003— see Rex Hughes, “A Treaty for Cyberspace” (2010) 86(2) International Affairs 538. Dual-use objects are discussed further in sub-chapter 6.4.1. Humanitarian Law Perspective 185 the civilian population, such as [. . .] drinking water installations”.59 Therefore, all cyber-attacks that might damage or disable computers controlling the civilian water distribution, contaminate civilian drinking supply or interfere with filtering processes are prohibited by international humanitarian law.60 No such prohibition exists in relation to installations intended for purely military use, although attacks against them should be considered in light of the Martens Clause as well. Some developed countries may, indeed, trust the handling of the central drinking water supply to the automated supervisory control and data acquisition (SCADA) systems, which remain vulnerable before or in the beginning of an armed conflict. However, for various reasons (including power blackouts, security concerns and so on) those countries are likely to disable their SCADA systems during the following stages of war, significantly reducing their suscep- tibility to cyber-strikes. Even in the worst-case scenario, respective authorities can be expected to start providing water for civilians (as well as protected persons within their power)61 from other sources, among them, from humanitarian deliveries.62 Notably, drinking water was obtainable even in the harshest conditions of the Siege of Leningrad during WW263 or the Siege of Sarajevo in the 1990s.64 Therefore, a cyber-strike against civilian drinking water installations will likely be ineffective, yet the attackers condemned by the world community

59 Art. 54(2) of AP1; Art. 14 of AP2. 60 A racially-motivated cyber-attack that denies an entire population clean water supply for a prolonged period of time or seriously pollutes it, especially if supported by a military blockade or similar means, or if carried out in unfavorable weather conditions (heat), can theoretically even be considered an act of genocide, since it inflicts “conditions of life calculated to bring about [the] physical destruction” of a group—see Convention on the Prevention and Punishment of the Crime of Genocide (adopted 9 December 1948, entered into force 12 January 1951) 78 UNTS 277, Art. 2(c). See generally Tallinn Manual (n. 15) R13C10, R36C3, R45C2, R81C4, R81C5, R87C7; Dinniss (n. 5) 242–243. 61 The GCs emphasize the obligation of the parties to ensure sufficient amounts of drinking water for prisoners of war—see Arts. 20(2), 26(3), 46(3) of GC3; Art. 5(b) of AP2, and internees—see Arts. 89(3), 127(2) of GC4; Art. 5(b) of AP2. See generally Tallinn Manual (n. 15) R75. 62 Humanitarian deliveries are themselves legally protected against attacks—see Art. 23(1) of GC4; Tallinn Manual (n. 15) R86. 63 See Leon Goure, The Siege of Leningrad (OUP 1962) 167. 64 See David M. Berman, The Heroes of Treća Gimnazija: A War School in Sarajevo 1992–1995 (Rowman & Littlefield 2001) 120. 186 Chapter 6 and, possibly, prosecuted as war criminals for attempted starvation (if the required mens rea element is present).65 In contrast, modern medical ships and aircraft, as well as facilities containing chemical, bacteriological and nuclear materials are more likely to continue relying on cyber-systems throughout the armed conflict, therefore, attacks against them will be more effective. For this reason, these objects should be discussed next.

6.3.2 Medical Ships and Aircraft Like other ships, most medical maritime vessels will continue to rely on computerized navigational data in times of war. Which jus in bello protections are relevant in the context of cyber-attacks? Although even minor cyber-strikes targeting them may be said to be in violation of the obligation to respect hospital ships,66 international humanitarian law generally is more preoccupied with protecting the ships against jus in bello attacks.67 While GC1 narrows the strikes down to those “from the land”,68 the ICRC commentaries make it clear that it merely serves as a reminder in the context of land warfare and all attacks against medical ships are forbidden.69 A similar issue arises if one considers a lex lata limitation of attacks to land, air and sea warfare in AP1.70 This does not necessarily represent an exploitable deficiency in law, because, even if some governments choose to argue that the relevant norms do not apply to cyber-strikes by analogy, their opponents may plausibly defend the position that such cyber-attacks constitute part of land, air and sea warfare, inter alia, due to the physical presence of infrastructure in these domains. It should be noted that, according to AP1, jus in bello “attacks” stand for “acts of violence [. . .], whether in offence or in defence”.71 The way the GCs are written supports the theory that consequences of cyber-strikes are covered, as long as they are violent or create a realistic danger of violence (including damage or

65 See Rome Statute (n. 22) Art. 8(2)(b)(xxv). 66 Art. 1 of 1907HC10. See also Tallinn Manual (n. 15) R70, R71. 67 Art. 22(1) of GC2; Art. 21 of GC4; Arts. 22(1), 22(2), 23(1) of AP1. 68 Art. 20 of GC1. 69 ICRC, “Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field: Article 20—Protection of Hospital Ships” (Commentary, ICRC 1952) accessed 1 August 2015. 70 Art. 49(3) of AP1. 71 Art. 49(1) of AP1. Humanitarian Law Perspective 187 destruction), at least indirectly.72 Lex scripta does not clearly indicate whether such violence can include suffering,73 neutralization of objects74 or destruction of data,75 revealing an exploitable gray area of international law, where contradictory arguments can be advanced by different parties. So, for example, one government can argue that seriously disrupting the work of navigational computers of a medical ship with malware would be a prohibited attack, even though the ship will not necessarily crash into underwater objects, while another government can argue that this does not constitute “violence”. The Tallinn Manual states that, even if a cyber-strike is stopped by a firewall or anti-virus, its destructive potential is still enough to qualify it as an attack.76 Whether it is true remains open to debate. On the one hand, it is possible to draw an analogy with soldiers trying to enter a protected area, which are then treated as attackers. On the other, a plausible argument may exist that, due to the unpredictable effects of cyber-attacks, unquestionably accepting such an

72 Tallinn Manual (n. 15) R30C3, R30C4, R30C5, R30C7, R30C14, R30C16; Schmitt, “Cyber Operations and the Jus in Bello” (n. 26) 93; Michael N. Schmitt, “Cyber Operations in International Law: The Use of Force, Collective Security, Self-Defense, and Armed Conflicts” in National Research Council of the National Academies, Proceedings of a Workshop on Deterring Cyberattacks (National Academies Press 2010) 175; Michael N. Schmitt, “ ‘Attack’ as a Term of Art in International Law: The Cyber Operations Context” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 290–291; Kalliopi Chainoglou, “An Assessment of Jus in Bello Issues Concerning Computer Network Attacks: A Threat Reflected in National Security Agendas” (2010) 12 Romanian JIL 17–20; Noam Lubell, “Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?” (2013) 89 International Law Studies 265–266. 73 See Lubell (n. 72) 265–266; Rain Liivoja, Tim McCormack, “Law in the Virtual Battlespace: The Tallin Manual and the Jus in Bello” (2012) 15 Yearbook of International Humanitarian Law 53. 74 For instance, compare neutralization of a transportation grid that creates a danger of traffic accidents with neutralization of a military system that does not involve any risk of violence, damage or destruction. 75 Lubell (n. 72) 267; William H. Boothby, “Methods and Means of Cyber Warfare” (2013) 89 International Law Studies 389–390. Consider the minority opinion on lex lata and majority opinion on lex ferenda in Tallinn Manual (n. 15) R38C5, indicating that data can be considered an object. See also Liivoja, McCormack (n. 73) 53; Michael Bothe, Karl J. Partsch, Waldemar A. Solf, New Rules for Victims of Armed Conflicts: Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949 (Martinus Nijhoff 1982) 289. Notably, widespread destruction of important data and the mob mentality that it entails presupposes violence stemming from a state’s own citizens in addition to their mental suffering. 76 Tallinn Manual (n. 15) R30C15. 188 Chapter 6 approach would play into the hands of those nations that deliberately choose to classify their security too broadly. Jus in bello undoubtedly applies to infecting vital computers on board of a medical airplane. In case the cyber-attacks seriously endanger the safety of flights, they will be in violation of several provisions of the GCs prohibiting attacks on medical planes.77 In addition, failed attempts to interfere with the work of the aircraft’s computers can also be declared “attacks” by the targeted parties. Notably, aside from specific norms that protect them, medical ships and planes are also covered by the more general provisions on medical transport and medical personnel that call for their respect and protection.78 Moreover, the Rome Statute criminalizes attacks against them as war crimes.79 Since medical air and sea crafts are normally used for the removal and transfer of the wounded and sick, a cyber-attack that seriously threatens a medical airplane, helicopter or ship during an armed conflict, can also violate the provisions protecting persons hors de combat80—an act constituting a grave breach of the GCs81 and a war crime on its own.82 Finally, cyber-attacks against a ship (but almost never an aircraft)83 can theoretically breach these provisions without jeopardizing the safety of the vessel itself, by corrupting medical databases, leading to improper treatment or incorrect blood transfusions.84 One should note though that, as in the cases of

77 Art. 36(1) of GC1; Art. 39(1) of GC2; Art. 22(1) of GC4; Art. 24 of AP1. 78 Arts. 24, 35(1) of GC1; Arts. 36, 37(1) of GC2; Arts. 15(1), 85(2) of AP1; Arts. 9(1), 11(1) of AP2. Note that legal protection of medical transport and medical personnel ceases to exist if the vessel or staff participate in cyber-attacks and other activities harmful to one of the parties, despite the warning with an appropriate time limit—see Arts. 21, 22 of GC1; Arts. 34(1), 35 of GC2; Art. 13 of AP1; Art. 11(2) of AP2; Tallinn Manual (n. 15) R73, R73C2, R73C5. On prohibited wireless communications from medical ships, see Art. 34(2) of GC2; Dinniss (n. 5) 247. It should be noted that due to high transmission speeds in cyber-space, parties may accuse a medical ship of participating in cyber-warfare, demand immediate compliance and attack it shortly thereafter, but, since negative political repercussions would seriously outweigh the benefits, this scenario is unlikely in reality. 79 Rome Statute (n. 22) Art. 8(2)(b)(xxiv), 8(2)(e)(ii). 80 Common Art. 3(1)(a) of GCs; Art. 12(1), 12(2) of GC1; Arts. 10(1), 41(1) of AP1. 81 Art. 85(2), 85(3)(e) of AP1. 82 Rome Statute (n. 22) Art. 8(2)(c)(i). 83 For objective reasons, such aircraft are unlikely to use computerized systems in the short- term medical treatment offered during flights in an armed conflict. 84 See generally Tallinn Manual (n. 15) R71, R71C3; Michael Gervais, “Cyber Attacks and the Laws of War” (2012) 30(2) Berkeley JIL 578; Jeffrey T. Kelsey, “Hacking into International Humanitarian Law: The Principle of Distinction and Neutrality in the Age of Cyber Humanitarian Law Perspective 189 ambulances or hospitals, the chances that such computerized databases will be used during a war are insignificant. It is imperative to take into account that international humanitarian law creates an obligation to mark air and seaborne medical transport with distinctive emblems (or, in special cases, to use distinctive signals)85 in order to guarantee their adequate protection.86 Since long-distance cyber-attacks are conducted in an isolated fifth dimension of warfare (cyber-space), visual contact with the attacked physical object will, likely, be lacking (unless conducted as part of a bigger operation with reconnaissance units or satellites).87 That raises the question of how to mark the computers of medical transport online in order to inform the attacker of their special status, as well as to ensure its respect. A number of suggestions can be advanced, though each approach has its weaknesses. For instance, designating particular addresses as military networks exposes them to intensified targeting.88 On the other hand, establishing separate medical and humanitarian networks would encourage their “spoofing”. The Tallinn Manual tries to address this issue. It provides an example where one warring party notifies its opponent “that the files containing its military medical data have the unique name extension ‘.mil.med.B’ and that this nam- ing convention will not be used on any file that is not exclusively medical”.89 This suggestion solves the problem in the most basic scenarios, when state agents manually access adversaries’ computers on board of medical transport and thus learn of and confirm its protected status. However, on its own, it is likely to remain insufficient for the purposes of ensuring safety against automatically spreading malware. Malware will need to be programmed in a way that allows it to discriminate protected objects by scanning for files with certain extensions (like “.mil.med.B”) before copying itself and unleashing its destructive potential. The simplicity of this method will guarantee that it will

Warfare” (2008) 106(7) Michigan Law Review 1438; Louise Arimatsu, “A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 104. 85 Art. 18(5) of AP1. 86 Art. 36(2) of GC1; Arts. 39(2), 43 of GC2; Arts. 21, 22(2) of GC4; Arts. 18(2), 18(4), 23(1) of AP1; Art. 12 of AP2. 87 Note that a similar problem existed before vis-à-vis planes, as shown on military radars. It was solved by adopting a “system of transponders”—see Dinniss (n. 5) 146, 246. 88 Ibid. 246. 89 Tallinn Manual (n. 15) R72C5. 190 Chapter 6 be frequently abused (as an attacker can add the identifiers to his computerized system before the cyber-strike and remove them after the attack has taken place). Alternatively, malware can look for special encrypted certificates that could be issued and embedded into software or hardware by internationally recognized organizations.90 However, this may not suit certain parties’ interests, as decrypting and scanning will take time and expose malware to defensive cyber-systems and human operators. Thus, while jus in bello applies to cyber-attacks targeting medical transport, the extent of the obligation to mark it in cyber-space remains uncertain. Other objects that will likely retain computerization, regardless of external circumstances (such as wars), include biological, chemical and nuclear installations. What is their status in the context of the principle of humanity and jus in bello generally?

6.3.3 Biological, Chemical and Nuclear Facilities Aside from being indiscriminate and capable of causing great suffering and death, bacterial, toxic and radioactive contamination has significant negative impact on nature. That means that any cyber-attack that results or may result in such pollution can be considered an illegal method of warfare.91 Regardless of motive and possible military advantage, even if it is proportionate, such conduct is prohibited under international humanitarian law as long as its consequences are intended or are expected to reach the high threshold of “widespread, long-term and severe damage” to the natural environment.92 Furthermore, the Rome Statute criminalizes launching cyber-attacks “in the

90 Encryption is required in order to minimize the chances of perfidy or false-blame. 91 However, even in the worst cases, it is unlikely to amount to an “environmental modification technique” within the meaning of the Convention on the Prohibition of Military or Any Other Hostile Use of Environmental Modification Techniques (adopted 10 December 1976, entered into force 18 May 1977) 1108 UNTS 151, Art. 2. At this point one should note that Dinniss may be wrong in assuming that flood control is an environmental modification technique—see Dinniss (n. 5) 225, although abuse of peaceful weather control in the future through cyber-attacks is not excluded. See generally Boothby, “Methods” (n. 75) 395. 92 Arts. 35(3), 55(1) of AP1. See generally Tallinn Manual (n. 15) R83(b); Dinniss (n. 5) 221–227; Dinstein, The Conduct of Hostilities (n. 41) 184; Katharina Ziolkowski, “Computer Network Operations and the Law of Armed Conflict” (2010) 49(1–2) Military Law and Law of War Review 79; Davis Brown, “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict” (2006) 47(1) Harvard ILJ 198; Michael N. Schmitt, “Wired Warfare: Computer Network Attack and Jus in Bello” (2002) 84(846) International Review of the Red Cross 386. Humanitarian Law Perspective 191 knowledge” that they will cause such damage, if the latter is “clearly excessive in relation to the concrete and direct overall military advantage anticipated”.93 On the one hand, damage to the environment as a result of nuclear, bacteriological or chemical facilities being accidentally infected (for example, indirectly through external computers) cannot be considered a war crime due to the lack of subjective element. On the other, governments of the victim- states may argue that infection of cyber-systems connected to such facilities is enough to demonstrate mens rea.94 There are also a number of instruments that specifically prohibit the use of biological and chemical agents per se as a method of warfare. The Hague Conventions (HCs) were the first to impose a legal ban on the employment of poison. The 1925 Geneva Protocol (inspired by the 1919 Treaty of Versailles and the 1922 Draft Washington Treaty)95 expanded the prohibition to cover uses of “asphyxiating, poisonous or other gases, and all analogous liquids, materials or devices” and “bacteriological methods of warfare”.96 Though the ban on the biological and chemical weapons was reaffirmed in the subsequent international declarations and documents,97 it was not until the 1972 Biological Weapons Convention that the international society decided to “exclude completely the possibility of bacteriological (biological) agents and toxins being used as weapons”.98 A similar determination towards chemical weapons was expressed in the 1993 Chemical Weapons Convention.99

93 Rome Statute (n. 22) Art. 8(2)(b)(iv). See generally William J. Fenrick, “Article 8—War Crimes” in Otto Triffterer (ed.), Commentary on the Rome Statute of the International Criminal Court (Nomos 1999) 197. 94 See further the discussion of cyber-vicinity in the current sub-chapter. 95 See Treaty of Peace between the Allied and Associated Powers and Germany (adopted 28 June 1919, entered into force 10 January 1920) 225 CTS 188, Art. 171(1); Draft Treaty Relating to the Use of Submarines and Noxious Gases in Warfare (adopted 6 February 1922) 25 LNTS 202, Art. 5. 96 Protocol for the Prohibition of the Use in War of Asphyxiating, Poisonous or other Gases, and of Bacteriological Methods of Warfare (adopted 17 June 1925, entered into force 8 February 1928) 94 LNTS 65, preamb paras. 1, 3, op para. 1. 97 For instance, International Law Association, “Draft Convention for the Protection of Civilian Populations Against New Engines of War”, 40th Session (29 August 1938– 2 September 1938) Art. 6; Declaration on the Protection of Women and Children in Emergency and Armed Conflict, UNGA Res 3318 (XXIX) (14 December 1974) op para. 2. 98 Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on Their Destruction (adopted 10 April 1972, entered into force 26 March 1975) 1015 UNTS 163, preamb para. 9. 99 Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction (adopted 3 September 1992, entered into force 29 April 1997) 1974 UNTS 45, preamb para. 6. 192 Chapter 6

Today, the customary nature of the ban is undisputed.100 Moreover, employment of poison, asphyxiating, poisonous or other gases, and all analogous liquids, materials or devices in international armed conflict was included in the Rome Statute as a war crime.101 In 2010, the criminalization was formally extended to their use in internal conflicts as well.102 Some chemical and bacteriological laboratories and other institutions, today, may be equipped with computers, which are used to ensure safety. As such, these computers can be subject to cyber-attacks, threatening to release biological and toxic agents into the environment. Taking into account the non- exhaustive list of devices in the Geneva Protocol, the purposes and context of relevant instruments and existing customary law, it seems that the release of harmful agents would fall under the definition of the use of chemical or bacteriological weapons, if the corresponding intent is present.103 From the legal perspective, there exists a paradox that governments might take advantage of. In the Protocol, the word “weapon” stands for toxins, chemicals or their precursors, and it is precisely their release that is forbidden (regardless of the amount).104 However, the definitions used in the conventions on bacteriological and chemical weapons exclude agents that are meant for peaceful and other non-prohibited purposes, “as long as the types and quantities are consistent with [them]”.105 There are three possibilities in this case. First, if the targeted laboratories or institutions do not possess excessive quantities, the applicability of the two conventions to cyber-strikes on these centers would automatically be excluded (although the provisions safeguarding the environment, as well as other principles may still ensure some protection). Second, if the targeted facilities are actually producing or maintaining chemical or bacteriological weapons, the victim-state itself could be in violation of the Bacteriological and Chemical Weapons conventions—a condemnable fact that will become very difficult to hide, should the cyber-attack be successful.

100 See Sandesh Sivakumaran, “Re-envisaging the International Law of Internal Armed Conflict” (2011) 22(1) EJIL 228. 101 Rome Statute (n. 22) Art. 8(2)(b)(xvii), 8(2)(b)(xviii). 102 Ibid., Art. 8(2)(e)(xiii), 8(2)(e)(xiv). 103 See generally Vienna Convention on the Law of Treaties (adopted 23 May 1969, entered into force 27 January 1980) 1155 UNTS 331, Art. 31(1): “A treaty shall be interpreted in good faith in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in the light of its object and purpose”. 104 Biological Weapons Convention (n. 98) Art. 1(1); Chemical Weapons Convention (n. 99) Art. 2(1)(a). 105 Chemical Weapons Convention (n. 99) Art. 2(1)(a). Humanitarian Law Perspective 193

Finally, there may be a case where the victim-state has not ratified either of the conventions, but it is using sophisticated computerized systems to create or handle harmful agents. However, in a world, where the use of chemical and biological weapons is de facto outlawed (consider accusations of using weapons of mass destruction in the latest civil war in Syria), a customary obligation may already be in the latest stages of crystallization, requiring states to eliminate all available harmful agents and to refrain from producing them. The two additional protocols to the GCs expressis verbis mention only nuclear electrical generating stations, but not other atomic, biological or chemical facilities as “installations containing dangerous forces”, attacking which (under normal circumstances)106 is a grave breach of the GCs.107 Scholars note that relevant norms lack customary nature, but do governments have the legal flexibility to argue otherwise?108 They can, in fact, claim that all nuclear, bacteriological and chemical installations should also have a special protected status (that is not only dams, dikes and nuclear power stations), if the release of hazardous substances provoked by cyber-attacks objectively result in “consequent severe losses among the civilian population”.109 Interestingly, AP1 forbids attacking military objectives located “in the vicinity” of the installations containing dangerous forces.110 Though this phrase initially meant physical closeness, this narrow interpretation may inevitably be disputed by governments in light of cyber-attacks.111 The concept of cyber-vicinity can be advanced, which involves military objects that are directly connected to the installations, the infection of which is likely to transfer onto the computers controlling the “dangerous forces”,

106 I.e. unless these objects are used “in regular, significant and direct support of military operations”—see Art. 56(2) of AP1. Notably, a similar provision is absent from AP2. See further the current section on applicability of this rule to objects within the vicinity of installations containing dangerous forces. 107 Arts. 56(1), 85(3)(c) of AP1; Art. 15 of AP2. See also Art. 56(4) of AP1 that reads: “It is prohibited to make any of [such] works, installations or military objectives [. . .] the object of reprisals”. On reprisals, see generally Art. 46 of GC1; Art. 47 of GC2; Art. 13(3) of GC3; Art. 33(3) of GC4; Arts. 20, 51(6), 52(1), 53(c), 54(4), 55(2) of AP1; Tallinn Manual (n. 15) R80C8. 108 See Tallinn Manual (n. 15) R80C6; Dinniss (n. 5) 241. 109 Art. 56(1) of AP1; Art. 15 of AP2; Tallinn Manual (n. 15) R80C5. See generally Claude Pilloud and others, Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (Martinus Nijhoff 1987) 668. 110 Art. 56(1) of AP1. 111 See generally Dinniss (n. 5) 241–242. 194 Chapter 6

risking their release. Cyber-attacks against them would likewise be prohibited, regardless of how far away these objects are located on the map. The prohibition would then remain in force only if these objects are not used “in regular, significant and direct support of military operations” and if a cyber-attack against them “is the only feasible way to terminate such support”.112 In any case, the damaging software would have to be programmed in a way that would, to the maximum extent, “avoid the release of dangerous forces”.113 One should note that allowing malware to identify an object in both physical and cyber-vicinity of protected installations might prove a challenge from a practical standpoint. This issue can be solved by incorporating encrypted international digital certificates into the protected objects’ code, although, like in the case of medical transport, the problem of detectability due to prolonged system scanning may be present. Some states made reservations in relation to applicability of AP1 to nuclear weapons.114 However, this does not exclude attacks against ordinary atomic facilities and materials from the scope of the GCs. Unlike biological, chemical and non-power-generating nuclear facilities, atomic power plants seem to enjoy less lex scripta safeguards due to Article 56(2)(b) of AP1, which removes the protection of Article 56(1) (but not of other legal norms) in case the electricity is provided “in regular, significant and direct support of military operations” and that support can only be terminated with an attack.115 As in the case of objects in the cyber-vicinity, the attackers should do all they can to avoid the possible release of the dangerous forces.116 One should note that the ICRC Commentaries imply that destroying electricity lines may be a preferred and safe way of severing the power supply of an adversary.117 However, it is also plausible that, in some cases (for instance, when power lines or even the targeted atomic power plant is underground), a cyber-attack can be the only secure way of neutralizing the facility, or the only way to disable power per se without causing or incurring heavy losses.118

112 Art. 56(2)(c) of AP1. 113 See Art. 56(3) of AP1. See generally Brown (n. 92) 194. 114 See Julie Gaudreau, “The Reservations to the Protocols Additional to the Geneva Conventions for the Protection of War Victims” (2003) 84(849) International Review of the Red Cross 161–163. 115 See generally Art. 56(2)(b) of AP1. 116 Art. 56(3) of AP1. 117 Pilloud and others (n. 109) 672. 118 Schmitt, “Wired Warfare” (n. 92) 385. See also Dinniss (n. 5) 242. Humanitarian Law Perspective 195

Having considered the applicability of the principle of humanity, one needs to examine the subsequent application of necessity and proportionality.

6.4 Necessity and Proportionality in Jus in Bello

Necessity and proportionality within the jus in bello framework differ from those of jus ad bellum, although both indisputably represent important (and traditionally contested) principles that merit attention in the context of cyber-attacks.119 This sub-chapter seeks to explore the extent to which governments themselves can subjectively, yet plausibly determine whether their actions adhere to the principles of jus in bello necessity and proportionality in cyber-warfare.

6.4.1 Necessity Necessity in war concerns the military advantage gained from a specific belligerent act.120 Like any attack, a substantial cyber-strike must be necessary in order to be lawful.121 In case it does not advance the military objective, its legality comes under question. The Hague Conventions prohibit destroying (and seizing) an enemy’s property, unless it is “imperatively demanded by the necessities of war”.122 Such acts carried out unlawfully and wantonly constitute grave breaches of the GCs123 and can be considered war crimes.124 Notably, in Nuremberg, Nazi criminals were tried for acts particularly constituting “wan- ton destruction” and “devastation not justified by military necessity”.125

119 See generally David P. Fidler, “Inter Arma Silent Leges Redux? The Law of Armed Conflict and Cyber Conflict” in Derek S. Reveron (ed.), Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World (Georgetown University Press 2012) 80. 120 Oona A. Hathaway and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review 850. 121 Ibid. 122 Art. 23(g) of 1899HCA2; Art. 23(g) of 1907HCA4. 123 Art. 50 of GC1; Art of GC2; Art. 147 of GC4. 124 ICTY Statute (n. 51) Art. 2(d); Rome Statute (n. 22) Art. 8(2)(a)(iv), 8(2)(b)(xiii). 125 Charter of the International Military Tribunal (Nuremberg Charter) (adopted 8 August 1945, entered into force 8 August 1945) 82 UNTS 279, Art. 6(b); ILC, “Principles of International Law Recognized in the Charter of the Nüremberg Tribunal and in the Judgment of the Tribunal”, 2nd Session, Supplement No. 12 (5 June–29 July 1950) UN Doc A/1316, Principle VI(b). Note generally that attacking non-defended localities is a grave breach of the GCs and a war-crime—see Art. 25 of 1899HCA2; Art. 25 of 1907HCA4; Arts. 59(1), 85(3)(d) of AP1; Rome Statute (n. 22) Art. 8(2)(b)(v). 196 Chapter 6

In accordance with international humanitarian law, attacks may be launched against military objectives.126 Such objectives may comprise computerized systems and networks, which “by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage”.127 In 1999, the United States Department of Defense (DoD) came to the conclusion that, in the context of information warfare, virtually all military infrastructure will be a lawful target, “but purely civilian infrastructures must not be attacked unless the attacking force can demonstrate that a definite military advantage is expected from the attack”.128 A cyber-attack against a military computer is justified by military necessity due to its exclusive military use.129 However, it is not clear whether a “definite military advantage” is present when civilian and dual-use systems (which are used both for civilian and military purposes)130 are targeted. In fact, a gap in jus in bello may be observed here: cascading effects of cyber-attacks often make it impossible to predict their indirect effects, turning the advantage non-definite until the cyber-strike occurs and its results are clear.131

126 Art. 52(2) of AP1. 127 Ibid. Consider, for instance, the necessity of resorting to “active defenses” in order to protect state infrastructure against an incoming cyber-attack—see Matthew J. Sklerov, “Solving the Dilemma of State Response to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent” (2009) 201 Military Law Review 79. See generally Tallinn Manual (n. 15) R38. 128 US Department of Defense Office of General Counsel, “An Assessment of International Legal Issues in Information Operations” (US Department of Defense 1999) 8 accessed 1 August 2015. See also Dinniss (n. 5) 184–185, 187. 129 Gervais (n. 84) 564. 130 Tallinn Manual (n. 15) R39C1; Arimatsu (n. 84) 106; Dinniss (n. 5) 193; Hathaway and others (n. 120) 852–853; Swanson (n. 5) 322; Ziolkowski (n. 92) 82; Brian T. O’Donnell, James C. Kraska, “Humanitarian Law: Developing International Rules for the Digital Battlefield” (2003) 8(1) Journal of Conflict & Security Law 157. Note the opinion of Matthew Crosston, who believes that pure civilian infrastructure will never exist—see Matthew Crosston, “Duqu’s Dilemma: The Ambiguity Assertion and the Futility of Sanitized Cyber War” in Douglas Hart (ed.), Proceedings of the 8th International Conference on Information Warfare and Security (Academic Publishing International 2013) 45, 49. 131 Gervais (n. 84) 564. See generally Ziolkowski (n. 92) 79, who may seem too optimistic in assuming that limiting malware to a range of IP addresses can prevent it from having cascading effects. Humanitarian Law Perspective 197

Dual-use objects can only be attacked if they satisfy the criteria of being military objectives and the intent of the attack is to gain military advantage.132 A cyber-strike against such targets that merely aims to demoralize (or terrorize) the general population would still be unlawful.133 The problem lies in identifying the moment of emergence of military necessity, the moment of transition from civilian status to military objective. Schmitt goes as far as to claim that presence of a military advantage can make objects more liable to attack even if the military purposes are secondary to civilian ones.134 The implication is that even software and hardware produc- ers can be targeted, since the military, to an extent, relies on their products.135 The latter example demonstrates that the “effective contribution to military action” and the “definite military advantage” criteria remain subjective, and, as such, exploitable. Preserving jus in bello in its current form maintains this subjectivity. When looking at systems of communication, it is notable that authors of the Tallinn Manual concluded that only those Facebook and Twitter elements can be targeted, which contribute to military action.136 Is this position correct? In reality, such attacks would constitute an exercise in futility, comparable to cutting off Hydra’s heads, as new groups and accounts (likely with the help of external actors) will just continue to emerge. In other words, civilian and military elements of Facebook and Twitter services are inseparable. Neutralization and corruption of entire social networks, therefore, remain defendable under military necessity. Similar logic can be applied to attacks against individual networks and the Internet itself.137 Special attention should also be paid to cyber-strikes against economic, financial and banking systems, which directly or indirectly fund the war effort. While the link between economic damage and definite military advantage is sometimes claimed to be too remote,138 the US DoD, as early as 1999, implied

132 Note that it is claimed in the Tallinn Manual (n. 15) R39C1 that “[a]s a matter of law, status as a civilian object and military objective cannot coexist; an object is either one or the other”. 133 Gervais (n. 84) 569. See also Tallinn Manual (n. 15) R38C23. 134 Schmitt, “Wired Warfare” (n. 92) 385. 135 Schmitt, “Cyber Operations and the Jus in Bello” (n. 26) 96–97; Tallinn Manual (n. 15) R38C9, R38C16. 136 Tallinn Manual (n. 15) R39C4. 137 See Ziolkowski (n. 92) 82–84; Tallinn Manual (n. 15) R38C24, R39C3, R39C5, R39C6. Unlike strikes against individual networks, attacks against the Internet may be largely seen as disproportionate—see further the next sub-chapter on proportionality. 138 Tallinn Manual (n. 15) R38C16; Brown (n. 92) 198. 198 Chapter 6 that the “damage to [an] enemy’s economy and research and development capabilities” may well be legal, albeit in long and protracted conflicts only.139 One should note that this conclusion was ignored by the US itself the same year, and, for instance, cyber-attacks aimed against financial well-being of the Yugoslav leadership were planned (though not executed) in a conflict that was relatively short.140 An external “war-sustaining” nature of economic objects, together with the weak cyber-security of civilian infrastructure will in any case make these objects highly probable targets.141 Moreover, states may resort to economy- crippling cyber-strikes merely due to the fact that civilian and military economic activity becomes indistinguishable during serious armed conflict.

6.4.2 Proportionality The principle of proportionality in the laws of armed conflict is, effectively, an instrument by which the principles of necessity and humanity are balanced.142 It requires weighing the potential advantage against incidental harm and prohibits attacks not necessary to achieve the military objective.143 Although proportionality is not explicitly defined in international humanitarian law, it derives from the prohibition of indiscriminate attacks.144 The latter outlaws excessive injury and damage to civilians and civilian objects “in relation to the concrete and direct military advantage anticipated”, as well as attacks that treat concentrated areas of distinct military and civilian objects as a single military objective.145 The principle of proportionality applies to all attacks, including those in cyber-space. In order to be lawful, the attack should not only offer an obvious

139 DoD, “An Assessment” (n. 128) 8. 140 See sub-chapter 3.3.2.2. 141 See generally Schmitt, “Cyber Operations and the Jus in Bello” (n. 26) 97. 142 Brown (n. 92) 201. 143 Hughes (n. 58) 539. See also Hathaway and others (n. 120) 850–851; Michael N. Schmitt, Essays on Law and War at the Fault Lines (TMC Asser Press 2012) 116. 144 Michael Wells-Greco, “Operation ‘Cast Lead’: Jus in Bello Proportionality” (2010) 57(3) Netherlands International Law Review 420. Note that international humanitarian law treats as indiscriminate attacks, inter alia, those that are not directed or cannot be directed at a specific military objective—see Art. 51(4) of AP1. See also Nuclear Weapons Case (n. 44) para. 78: “states must [. . .] never use weapons that are incapable of distinguishing between civilian and military targets”; Dissenting Opinion of Judge Higgins in ibid., para. 24; Dissenting Opinion of Judge Schwebel in ibid. 320; Declaration of President Bedjaoui in ibid., paras. 21–22. 145 Arts. 51(5), 57(2)(a)(iii), 57(2)(b) of AP1; Tallinn Manual (n. 15) R50. Humanitarian Law Perspective 199 military advantage but it should also demonstrate that care was taken to minimize harm to civilians and civilian objects (primarily by those who plan and decide upon a cyber-attack, but also parties to a conflict generally).146 In such circumstances, cyber-strikes that do not result in direct kinetic damage are preferable. That being said, as they can still cause incidental harm both in the physical and non-physical worlds, such attacks are also constrained by the principle of proportionality. The authors of the Tallinn Manual argue that the expression “concrete and direct” removes mere “speculation from the equation of military advantage” in the context of cyber-warfare.147 However, while the ICTY relied on reason- ability in light of available information to determine whether an attack was proportionate, the achievement of military advantage via cyber-strikes is often not certain.148 Moreover, the damage to civilian devices might be unpredictable and uncontrollable (consider, for instance, the Morris or Stuxnet worms).149 An attacking entity might not understand what is being targeted, it may not be able to regulate the amount of applied force and the cyber-strike might have a destructive effect on an unintended target.150 The issue becomes especially complicated when a case involves interconnected military and civilian computers.151 Thus, in reality, “speculation” is not easily removed, and, instead, governments may simply choose to erode what is considered “concrete” and “direct” in humanitarian law. Throughout human history, military technology has been constantly improved in order to increase combat effectiveness. Excessive reliance on it,

146 See Arts. 57, 58(c) of AP1; Tallinn Manual (n. 15) R51, R52, R55, R57; Dinniss (n. 5) 206– 207. See also Kelsey (n. 84) 1448; Laurie R. Blank, “International Law and Cyber Threats from Non-State Actors” (2013) 89 International Law Studies 433–435; Michael Newton, “Proportionality and Precautions in Cyber Attacks” in Dan Saxon (ed.), International Humanitarian Law and the Changing Technology of War (Martinus Nijhoff 2013) 247. 147 Tallinn Manual (n. 15) R51C8. See also ibid., R51C11. 148 See generally Tallinn Manual (n. 15) R51C10, R51C13; Prosecutor v Galić (Judgment and Opinion) ICTY-98-29-T, T Ch I (5 December 2003) para. 58. 149 See sub-chapters 3.3.3.1; 3.3.1. See generally Hathaway and others (n. 120) 851; Tallinn Manual (n. 15) R43C7, R49C4; Dinniss (n. 5) 203; Schmitt, “Wired Warfare” (n. 92) 390; Charles J. Dunlap, “Perspectives for Cyber Strategists on Law for Cyberwar” (2011) 5(1) Strategic Studies Quarterly 90; David Turns, “Cyber War and the Concept of Attack in International Humanitarian Law” in Dan Saxon (ed.), International Humanitarian Law and the Changing Technology of War (Martinus Nijhoff 2013) 225. 150 See Schmitt, “Wired Warfare” (n. 92) 391, 394. 151 See Hughes (n. 58) 538. See also Yoram Dinstein, “The Principle of Distinction and Cyber War in International Armed Conflict” (2012) 17(2) Journal of Conflict & Security Law 267. 200 Chapter 6 however, comes at a price of increased collateral damage. For example, in the 1960s, when the British were fighting against the rebels of south Arabia, they noticed that “the speed and simplicity of air attack was preferred to the more time-consuming and painstaking investigation of grievances and disputes”.152 Since most minor cyber-attacks are launched indiscriminately, a similar temp- tation might arise in the context of greater cyber-warfare. Would such cyber- strikes be legal? Collateral damage is, to some extent, expected during armed conflicts.153 Yet, if harm caused by a cyber-attack is excessive and substantial, it will automatically be considered indiscriminate.154 In addition, it will constitute a grave breach of the GCs155 as well as a war crime.156 Some networks are entirely isolated, so their precise targeting is expected under international humanitarian law. Indeed, targeted cyber-attacks can be in accordance with the proportionality principle when otherwise a kinetic attack against a network-sustaining physical infrastructure would not.157 For example, if a state is being attacked from one computer in an Internet-café, it seems more prudent to counter-attack and disable it through cyber-means rather than to call in an airstrike.158 In addition, the effects of a cyber-strike, in some cases, may be potentially reversible by the attacker.159 Sometimes, Stuxnet is also mentioned as an illustration of possible precise targeting, although, one should note that it was not completely absent collateral damage, particularly in networks it was not meant to hit.160

152 Peter Sluglett, Britain in Iraq: Contriving King and Country 1914–1932 (Colombia University Press 2007) 191. 153 Gervais (n. 84) 569. Note Tallinn Manual (n. 15) R51C3: “a cyber attack can cause collateral damage during transit and because of a cyber attack itself”. See generally ibid., R51C6. 154 Art. 51(5)(b) of AP1; Tallinn Manual (n. 15) R43C5; Schmitt, “Wired Warfare” (n. 92) 389; Ziolkowski (n. 92) 82. 155 Art. 85(3)(b), 85(3)(c) of AP1. 156 Rome Statute (n. 22) Art. 8(2)(b)(iv). 157 David E. Graham, “Cyber Threats and the Law of War” (2010) 4(1) Journal of National Security Law & Policy 99. See also Sklerov (n. 127) 79–80; Arimatsu (n. 84) 105, 108; Schmitt, “Wired Warfare” (n. 92) 196; Hathaway and others (n. 120) 852; Lucian Dervan, “Information Warfare and Civilian Populations: How the Law of War Addresses a Fear of the Unknown” (2011) 3(1) Goettingen JIL 392; Jack M. Beard, “Law and War in the Virtual Era” (2009) 103(3) AmJIL 436. 158 See generally Brown (n. 92) 201–202; Esharenana E. Adomi, Security and Software for Cybercafés (IGI Global 2008) 248. 159 Gervais (n. 84) 572; Dervan (n. 157) 392. 160 See Gervais (n. 84) 571; Tallinn Manual (n. 15) R54C6; Robert Fanelli, Gregory Conti, “A Methodology for Cyber Operations Targeting and Control of Collateral Damage in Humanitarian Law Perspective 201

Jeffrey Kelsey offers an opposite example: since cyber-neutralization of an air-defense network (a military objective) will not cause any damage to civilians, at first glance, it seems more preferable to a kinetic attack. However, a military commander must also consider potential repercussions of a cyber- strike, and if the cyber-attack endangers relief or commercial planes, a kinetic attack might be demanded instead.161 As with necessity, when the situation is not obvious, governments may lean towards subjectively determining what constitutes proportionate damage in cyber-space and what does not. For instance, all authors of the Tallinn Manual agreed that damage to civilian objects can include “deprivation of functionality”, most of them concluded that “extensive collateral damage may be legal if the [. . .] military advantage is sufficiently great”, and few argued that “sparing one’s own forces” should be taken into account when determining proportionality of cyber-strikes—all representing deductions, disputable by individual governments, if the political considerations so require.162 Likewise, governments have the discretion to argue that cyber-attacks were or were not indiscriminate, relying on a number of factors, among them, various interpretations of the required severity of harm, “the nature of the system [. . .]; [. . .] the method or means of cyber warfare [. . .]; the extent and quality of planning; and any evidence of indifference on the part of the cyber operator planning, approving, or conducting the attack”.163 Having discussed the principles of humanity, necessity and proportionality, one should now turn to distinction.

6.5 Principle of Distinction

The principle of distinction concentrates on distinguishing between combatants and civilians, as well as military objectives and civilian objects. The main question that the present sub-chapter seeks to answer is whether there are exploitable areas that arise in the context of distinction, as applied to cyber- warfare. A number of secondary questions also need to be addressed. Namely, are the traditional criteria for determining combatant status still relevant in

the Context of Lawful Armed Conflict” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 329–330. 161 See Kelsey (n. 84) 1434–1435, 1438. 162 Tallinn Manual (n. 15) R51C5, R51C7, R51C14. 163 Ibid., R49C5. 202 Chapter 6 cyber-warfare? Can the levée en masse category survive the transition into cyber-space? What is the extent of discretion given to governments in determining whether a civilian (or a civilian object) directly participated in hostilities online?

6.5.1 Cyber-Combatants According to international humanitarian law, only combatants, that is, members of the armed forces (including official conscripts)164 of a party to a conflict, have the right to directly participate in hostilities.165 Lawful combatants are not held responsible for acts of war, which would otherwise be unlawful, as long as they do not violate the laws of the armed conflict themselves.166 This principle is equally applicable both to conventional and cyber-warfare. Though this comes at a price of being more vulnerable to attacks, if cyber- attackers satisfied all the criteria of being lawful combatants, they would also enjoy prisoner of war status upon their capture.167 On the other hand, falling outside that definition removes their privileges and makes cyber-attackers

164 For certain aspects arising out of cyber-conscription, including “conscription” of corporate resources, involuntary participation in hostilities of companies and ISPs, conscientious objection, see Susan W. Brenner, Leo L. Clarke, “Civilians in Cyberwarfare: Conscripts” (2010) 43(4) Vanderbilt Journal of Transnational Law 1055, 1060–1062; Susan W. Brenner, Leo L. Clarke, “Conscription and Cyber Conflict: Legal Issues” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 2–8, 11. Note that Brenner and Clarke conclude that, unlike ordinary conscription, cyber-conscription must be targeted against IT specialists, however, in fact, governments can still recruit and use non-experts for routine tasks, such as DDoS attacks. Furthermore, note that while conscription of children remains prohibited, young cyber-attackers are not automatically exposed to cruelty of war, which could damage them psychologically. Governments may argue that this fact defeats the whole purpose of prohibition of recruitment of children into the armed forces under international law— see Art. 77(2) of AP1; Art. 4(3)(c) of AP2; Convention on the Rights of the Child (adopted 20 November 1989, entered into force 2 September 1990) 1577 UNTS 3, Art. 38(2), 38(3); Optional Protocol to the Convention on the Rights of the Child on the Involvement of Children in Armed Conflict (adopted 25 May 2000, entered into force 12 February 2002) 2173 UNTS 222, Arts. 1, 2, 4. See generally Tallinn Manual (n. 15) R78. 165 Art. 43(2) of AP1. 166 Brown (n. 92) 190; Sean Watts, “The Notion of Combatancy in Cyber Warfare” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 237. See also Dunlap (n. 149) 91. 167 Art. 4(A) of GC3; Arts. 44(1), 45(1) of AP1. See also Tallinn Manual (n. 15) R34(a), R34(b); Kretzmer (n. 13) 27; Watts, “The Notion of Combatancy” (n. 166) 242. Humanitarian Law Perspective 203 subject to criminal prosecution.168 Thus, governments of those states that possess militarized cyber-forces have an interest in ensuring that the latter are legally protected on international level, while the combatant status of their opponents may be denied. Under international humanitarian law, combatants (both conventional and cyber-combatants) must be incorporated into a state’s army and belong to organized armed forces, militias, volunteer corps, resistance movements, groups or units (including paramilitary ones),169 which are under a command responsible by that state, even if its government is not recognized by its opponents.170 Moreover, an internal disciplinary system must exist for such groups, which enforces compliance with the laws of armed conflict.171 Armed forces of unrecognized republics can conduct cyber-attacks while preserving combatant status. However, if the fighting is being waged against groups short of a de facto independent state entity, where conflict is non- international, combatant and prisoner of war status will rarely be provided for the cyber-attackers.172 Even the Taliban fighters captured by the American forces in Afghanistan were not qualified as prisoners of war by the USA, since they allegedly failed to satisfy at least two criteria (in spite of the US Special Operations Forces ignoring some of these requirements themselves).173 Additionally, it should be noted that, today, some international crackers may be recruited abroad in order to participate in cyber-warfare. The fact that they do not need to be present in the territory of the conflict to launch cyber- attacks and that more often than not they do not belong to any official armed forces indicates that they may fall under the legal definition of mercenaries, as long as their participation in hostilities is motivated by substantial financial

168 Tallinn Manual (n. 15) R26, R27C17; Scott J. Shackelford, “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law” (2008) 27(1) Berkeley JIL 241. 169 See generally Art. 43(3) of AP1: “whenever a party to a conflict incorporates a paramilitary or armed law enforcement agency into its armed forces it shall notify the other Parties to the conflict”. 170 Art. 4(A)(1) of GC3; Art. 43(1) of AP1. For discussion of organization of groups in cyber- space, see Schmitt, “Cyber Operations and the Jus in Bello” (n. 26) 98–101. 171 Art. 43(1) of AP1. 172 As discussed further in sub-chapter 7.5.4. 173 Sean Watts, “Combatant Status and Computer Network Attack” (2010) 50(2) Virginia JIL 431–432. Note that some governments might also treat violations of “allegiance” as an excuse for rejecting combatant privileges, although, nowadays, self-determination wars have made this argument weak. For a contrary position, see Tallinn Manual (n. 15) R26C2. 204 Chapter 6 gain.174 Under the existing international humanitarian law, the status of combatants can be denied to such mercenaries.175 Generally, the “widely accepted irreducible minimum for combatant status” is reflected in the requirements (first proposed in the 1874 Brussels Declaration draft)176 that all forces must be commanded by a responsible person, have a “fixed distinctive emblem recognizable at a distance”, “carry arms openly” and conduct operations lawfully.177 Would it be correct to argue that the criteria above are uncertain in the cyber-warfare context? Responsible command and lawful conduct of cyber-operations remain a matter of organization.178 However, the need for a distinctive emblem and carrying arms openly in cyber-space present new legal challenges. Firstly, it has been claimed that wearing physical military insignia and uniforms is not important in cyber-warfare, if the opponents cannot see each other.179 Is this line of thinking acceptable? Long-range fighting has existed for thousands of years, moreover, certain operations, like the NATO intervention in Kosovo in 1999, the 2011 bombing of Libyan Arab Jamahiriya or the 2014 intervention against the “Islamic State”, have been, for the most part, limited to long-distance attacks.

174 See Art. 47(2) of AP1; OAU Convention for the Elimination of Mercenaries in Africa (adopted 3 July 1977, entered into force 22 April 1985) OAU Doc CM/433/Rev L, Art. 1; International Convention against the Recruitment, Use, Financing and Training of Mercenaries (adopted 4 December 1989, entered into force 20 October 2001) 2163 UNTS 75, Art. 1. See generally Art. 4 of 1907HC5. 175 Art. 47(1) of AP1; Tallinn Manual (n. 15) R28. See generally Dinstein, The Conduct of Hostilities (n. 41) 58–60. 176 Project of an International Declaration concerning the Laws and Customs of War (adopted 27 August 1874) 4 Martens Nouveau Recueil 2nd Ser 219, Art. 9. 177 Art. 1 of 1899HCA2; Art. 1 of 1907HCA4; Art. 4(A)(2) of GC3; Watts, “Combatant Status” (n. 173) 420; Dinniss (n. 5) 150–151. For an opposing view that these criteria only apply to military-assimilated groups, see opinion of the minority in Tallinn Manual (n. 15) R26C6. 178 The rules on accountability of military commanders and other superiors, as well as of those acting under their orders, seem to apply in a straightforward manner to cyber- attacks—see Rome Statute (n. 22) Arts. 25(3)(b), 28, 33; ICTY Statute (n. 51) Art. 7(3), 7(4). Worth noting is that organization and state command responsibility are present not only in state armies with their own cyber-forces, but also in ad hoc groups, such as the Russian Business Networks, that previously received “implicit consent to act and, arguably, even direction” from the government—see Gervais (n. 84) 566. See also Tallinn Manual (n. 15) R24, R26C9, R26C14. For an opposing view, see generally Watts, “The Notion of Combatancy” (n. 166) 246–247. 179 DoD, “An Assessment” (n. 128) 8; Dinniss (n. 5) 148. Humanitarian Law Perspective 205

A clear parallel may be drawn between cyber-combatants and operators of the unmanned aerial vehicles (UAVs), which fight in somewhat similar conditions, yet which normally wear uniforms and insignia.180 The fact that certain military tactics do not allow the belligerents to see each other does not eliminate the legal obligation to use a distinctive sign and generally accepted practice of wearing a uniform.181 Because a structure, vehicle or vessel from which cyber-attacks are launched becomes a military target—like in the case of tanks, ships, airplanes and similar military objects— cyber-combatants have to be prepared for unexpected circumstances that will make them visible to the enemy. Therefore, as Doswald-Beck correctly points out, cyber-attackers should appear as if they were in constant anticipation of capture.182 If governments reject this requirement due to the feeling of overwhelming superiority and remoteness, they risk leaving their states’ cyber- forces without combatant and prisoner of war privileges, as non-uniformed saboteurs or “unlawful combatants”. Secondly, it is currently unclear how to make cyber-warriors “recognizable at a distance”. If interpreted literally, it becomes an outdated phrase that has no legal meaning in the age of cyber-warfare. Victim-states’ governments may argue that it should be understood as calling for recognition of the attacker beforehand, although such approach is likely to be rejected by the governments of technologically powerful states, since it would jeopardize the possibility of a surprise attack, which sometimes remains paramount to overcoming adversaries’ cyber-defense. A more compromising approach could be to inform the enemies of cyber- strikes the moment when damage has already been done, either by including relevant information in the attached encrypted certificates or directly, for example, through diplomatic channels.183 Multiplicity of cyber-attacks makes the first option more practical.

180 See generally Charles J. Dunlap (n. 149) 91; Michael J. Glennon, “The Dark Future of International Cybersecurity Regulation” (2013) 6 Journal of National Security Law & Policy 569; Alessandro Guarino, “Autonomous Intelligent Agents in Cyber Offence” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 387. 181 See Art. 44(7) of AP1. See also Tallinn Manual (n. 15) R26C10, R26C11, R26C12 fn 15. 182 Doswald-Beck (n. 27) 172. 183 Note that Dinniss (n. 5) 146 again offers using designated military IP addresses to achieve this—an ineffective tactic, criticized by herself ibid. Ziolkowski (n. 92) 81 offers an even more simplistic solution of verifying IP addresses and technical data through the WhoIs? System, although even without potential spoofing, as she herself points out, problems may arise should combatants use their own computers at home or elsewhere—see ibid. 206 Chapter 6

There is another alternative, however. Combatants are generally required to distinguish themselves from the civilian population “while they are engaged in an attack or in a military operation preparatory to an attack”.184 This rule is not absolute, and, in case the “nature of the hostilities” does not permit distinguishing oneself, the combatants can still retain their legal status if they carry arms “openly” during attacks and in military preparations to them.185 Formal inclusion of this exception in 1977 was a clear, yet controversial acknowledgement of guerrilla and other irregular tactics.186 However, it inevitably raises the question whether it also applies to cyber-warfare, that is, whether the requirement of distinctive emblems is at all applicable due to the special nature of cyber-attacks. This leads to the third issue. Is the Tallinn Manual right to claim that the “requirement to carry arms openly has little application in the cyber context”?187 According to the ICRC commentaries, carrying arms “openly” does not mean the same thing as carrying them “visibly” or “ostensibly”, since “surprise is a factor in any war operation, whether or not involving regular troops”.188 Arms must be carried visibly ex ante, however, for recognition purposes, if the combatants do not have a distinctive sign.189 Therefore, in contrast to the conclusion in the Tallinn Manual, the present requirement remains applicable. While this rule is clear as regards simple weapons (such as pistols), which computer operators might have for self-defense against physical attacks, the legal implications for “arms” in cyber-space remain uncertain, and, as such, leave space for disagreements between governments. Interestingly, the applicability of the requirement to carry arms “visibly” in cyber-space directly depends on whether jus in bello will demand of combatants to have a distinctive digital signature or not. As mentioned previously in this section, making cyber-arms visible to an adversary before the attack will be opposed by many. Thus, the most likely solution to guarantee legal status to lawful cyber-combatants is the one that will allow for a post factum recognition via distinctive encrypted digital certificates.

See generally Vijay M. Padmanabhan, “Cyber Warriors and the Jus in Bello” (2013) 89 International Law Studies 295–296. 184 Art. 44(3) of AP1. 185 Ibid. 186 See Watts, “Combatant Status” (n. 173) 416. 187 Tallinn Manual (n. 15) R26C13. 188 ICRC, “Convention (III) Relative to the Treatment of Prisones of War: Article 4— Prisoners of War” (Commentary, ICRC 1952) accessed 1 August 2015. 189 Ibid. Humanitarian Law Perspective 207

Lastly, one must take into account a special category of international combatants, commonly referred to as levée en masse, which includes:

Inhabitants of a non-occupied territory, who on the approach of the enemy spontaneously take up arms to resist the invading forces, [. . .] provided they carry arms openly and respect the laws and customs of war.190

Considering the spontaneous cyber-attacks in recent armed conflicts, it is plausible that an invasion (but not other types of aggression)191 of a state might result in its civilians resorting to cyber-strikes against the aggressor’s infrastructures not only within the invaded territory, but also abroad. Authors of the Tallinn Manual could not decide whether members of a mass levy can legally attack extraterritorial military objectives.192 Obviously, the invaders would argue that they cannot, although effective resistance in the 21st century presupposes attacks that can, at least, disable drones controlled from abroad. According to the ICRC commentaries, a mass levy can only be considered to exist during a short period of the actual invasion, thus, cyber-attacks could become illegal once the enemy retreats or if aggression results in an occupation.193 The levée en masse can also operate without a sufficient organization and state control, which ideally suits the non-hierarchical coordination environment of cyber-space.194 Somewhat favoring the invaders, the Tallinn Manual implies that, if only a small portion of the inhabitants is resisting (due to a limited understanding of the cyber-world), they can be denied the mass levy status.195 Is this position defendable? Three important aspects indicate that it may not be. Firstly, the majority of civilians are traditionally reluctant to resist invaders. Secondly, in contrast to the HCs, the newer GCs clearly refer to inhabitants and not to the general population as potential levée en masse members. Thirdly, a moral argument may exist, as highlighted by philosopher Jeff McMahan, that civilians

190 Art. 4(A)(6) of GC3. See also Art. 2 of 1899HCA2; Art. 2 of 1907HCA4. See generally Tallinn Manual (n. 15) R27, R34(d). 191 Interestingly, minority of the Tallinn Manual authors insisted that privileges should be extended to civilians resisting a serious cyber-attack—see Tallinn Manual (n. 15) R27C5, although non-territoriality of cyber-space will make cyber-invasions impossible and such arguments void. 192 See Tallinn Manual (n. 15) R26C4. 193 ICRC, “Convention (III) [. . .] Article 4” (n. 188). 194 Melzer, Cyberwarfare (n. 10) 34. 195 See Tallinn Manual (n. 15) R27C3. 208 Chapter 6 should be allowed to have combatant status if unjust attacks against them are launched by a military.196 There is, however, one serious legal deficiency related to this category of combatants that the aggressors may exploit: since members of a mass levy are not required to wear uniforms or use distinctive emblems, and, by extension, incorporate digital certificates into the used malware, they become subject to the legal obligation to make their cyber-arms visible to the enemy ex ante. Consider the following example: if some Georgians have launched cyber- attacks to resist the Russian invasion in 2008, they were unlikely to satisfy this requirement, nor could they, without a significant risk to themselves.197 In other words, not only does the requirement of carrying arms visibly exclude the possibility of surprise cyber-strikes, making the tactic almost non-effective, but it also exposes combatants to intensified targeting. It is for this reason that mass levy in cyber-warfare may be viewed as inadequately regulated with the current laws in place. Whether one should alter the requirements relating to this category of combatants or abandon it altogether (as suggested by some scholars)198 remains uncertain and opinions of various governments on this matter may conflict with each other.

6.5.2 Non-combatant Participation in Hostilities Modern conflicts increasingly see civilians (that is persons who do not have the status of combatants) trying to abuse the principle of distinction.199 At the same time, various governments may be interested in using non-combatants not only due their expertise, but also because they can serve as proxies without

196 Jeff McMahan, Killing in War (OUP 2009) 15. 197 See generally David Wallace, Shane R. Reeves, “The Law of Armed Conflict’s ‘Wicked’ Problem: Levée en Masse in Cyber Warfare” (2013) 89 International Law Studies 661. 198 See generally ibid. 664: “Rather than forcibly applying a concept that is incongruous in this new domain, a more practical solution is to eliminate levée en masse as a combatant category [. . .] and instead require all assemblages of cyber participants [. . .] to [. . .] comply with the [general combatant] criteria”. 199 See Art. 50(1) of AP1; Emily Crawford, “Regulating the Irregular: International Humanitarian Law and the Question of Civilian Participation in Armed Conflict” (2012) 18(1) UC Davis Journal of International Law and Policy 183–184. See also Tallinn Manual (n. 15) R29C2, R29C4. Note that most authors of the Tallinn Manual decided that civilian status itself is preserved even during participation in the hostilities—see ibid., R29C3, however this opens the door for abuse of terminology by the belligerents (e.g., it legiti- mizes the right to speak of any legitimate killing as slaughter of “civilians”). Humanitarian Law Perspective 209 revealing state involvement.200 Nevertheless, this comes at a price. Civilians who directly participate in hostilities (regardless of their location)201 lose their protection under international humanitarian law, are not taken into account when calculating collateral damage and may be directly attacked for such time as they take a direct part in hostilities.202 They do not benefit from the combatant privileges and can be punished for violations of national laws if captured.203 Today, participation in hostilities may include not only causing death, injury, damage or destruction,204 but also other acts in support of a belligerent party that directly and “adversely affect the military operations or military capacity” of its opponents, including those in cyber-space.205 In addition to the latter criterion, establishing direct participation in hostilities usually requires finding a “direct causal link” between the act and the harm likely to result from it, as well as the aim to cause harm “in support of a party to the conflict and to the detriment of another” (belligerent nexus).206 What exactly satisfies these criteria on the battlefield remains unclear in international humanitarian law and conflicting views can be advanced. This is reflected in a large volume of academic examples pertaining to cyber-warfare, summarized in Appendix 3. The latter aims to demonstrate the wide discretion that parties to an armed conflict have in determining acts that they, absent

200 Hathaway and others (n. 120) 854. See also Watts, “The Notion of Combatancy” (n. 166) 245. 201 Dinstein, “The Principle of Distinction” (n. 151) 268. 202 Art. 51(3) of AP1; Art. 13(3) of AP2; Tallinn Manual (n. 15) R29, R34(c), R35. Note that persons launching cyber-strikes on behalf of a non-state party in a non-international armed conflict assimilate into that party’s forces only if their attacks are conducted on a continuous basis—see Melzer, Cyberwarfare (n. 10) 35. 203 Melzer, Cyberwarfare (n. 10) 35. Some claim that civilians do not lose protection if their contribution is carried out far from the battlefield, which, for obvious reasons, becomes less defendable in cyber-warfare—see generally Jamie A. Williamson, “Challenges of the Twenty-First Century Conflicts: A Look at Direct Participation in Hostilities” (2010) 20(3) Duke Journal of Comparative & International Law 462. 204 See Schmitt, “Wired Warfare” (n. 92) 383. 205 Tallinn Manual (n. 15) R35C4; Melzer, Cyberwarfare (n. 10) 28; Nils Melzer, Interpretive Guidance on the Notion of Direct Participation in Hostilities under International Humanitarian Law (ICRC 2009) 46. Notably, direct participation in hostilities can also be passive—see Tallinn Manual (n. 15) R35C5; Michael N. Schmitt, “Human Shields in International Humanitarian Law” (2009) 47(2) Columbia Journal of Transnational Law 336; Samuel Estreicher, “Privileging Asymmetric Warfare? Part I: Defender Duties under International Humanitarian Law” (2011) 11(2) Chicago JIL 8–9. 206 Melzer, Interpretive Guidance (n. 205) 16, 46. 210 Chapter 6 specific rules in international law itself, might or might not declare as constituting direct participation in hostilities. Nils Melzer guided the ICRC in an attempt to clarify the scope of the three criteria mentioned above. So, for instance, when it comes to the directness element, the ICRC’s Interpretative Guidance distinguishes between active contribution to the defeat of the enemy (satisfying the criterion) and war- sustaining activities (not satisfying it), adding that directness presupposes harm occurring in “one causal step”.207 Yet, there is little evidence to indicate that the Interpretative Guidance has achieved the status of soft law or that the ICRC’s commentary reflects customary law. Even the Tallinn Manual, to which Nils Melzer himself contributed, diverges from the logic of the Interpretative Guidance, for instance, when it comes to the question of intent in the context of direct causation.208 Thus, while there are cases, where some of the criteria are obviously not satisfied (for example, stealing funds from belligerents for private gain fails to achieve the direct causation and the belligerent nexus), cyber-warfare will involve acts which can be viewed either as constituting direct participation in hostilities or not. One borderline example here could be the conscious development, installation and operation of software or hardware for use in subsequent cyber-attacks. Finally, it should be pointed out that sometimes governments employ private contractors (and, in fact, entire corporations)209 for tasks traditionally performed by state military. Occasionally such contractors are thought of as civilian mercenaries.210 Nevertheless, they practically never fall under the definition of a mercenary under the GCs, and governments are often reluctant to recognize them as de jure or de facto combatants.211 By default, contractors

207 Ibid. 51, 53. 208 See generally Collin Allan, “Direct Participation in Hostilities from Cyberspace” (2013) 54(1) Virginia JIL 178–192. 209 See generally Joel Slawotsky, “The Global Corporation as International Law Actor” (2012) 52(3) Virginia JIL Digest 86. 210 Louise Doswald-Beck, Azizur R. Chowdhury, Jahid H. Bhuiyan, International Humanitarian Law—An Anthology (LexisNexis India 2009) 74; Jackson N. Maogoto, Benedict Sheehy, “Contemporary Private Military Firms Under International Law: An Unregulated ‘Gold Rush’ ” (2006) 26(2) Adelaide Law Review 19–20. See generally Zoe Salzman, “Private Military Contractors” (2008) 40(1) NYU Journal of International Law and Politics 866; Christopher Spearin, “Private Security Companies and Humanitarians: A Corporate Solution to Securing Humanitarian Spaces?” (2001) 8(1) International Peacekeeping 29. 211 See Dinniss (n. 5) 172, 174; John Riley, Michael Gambone, “Men With Guns” (2010) 28(1) Wisconsin ILJ 73. Humanitarian Law Perspective 211 preserve their legal protection along with civilian status, which some governments could exploit. Contractors may also enjoy the prisoner of war status upon capture, in case they formally accompany the armed forces of a state.212 Nonetheless, today, aside from ordinary responsibilities in the field of logistics, communication and defense, the tasks of contractors may include support, preparation and participation in cyber-attacks.213 In cyber-space, private security companies often possess greater offensive capabilities and, unlike ordinary deployments, their arsenal cannot be easily limited to small arms by governmental regulations.214 Consequently, they remain at a high risk of being exposed to accusations of directly participating in hostilities. One must now consider if any deficiencies in humanitarian law are revealed by the category of civilians in cyber-space per se.

6.5.3 Civilians in Cyber-Warfare Although, in reality, they often become victims of violence,215 formally civilians and civilian objects enjoy general protection against dangers arising from military operations.216 Unless they participate in hostilities, they cannot be made the object of attack.217 Willful killing of persons with this status (including journalists,218 relief workers219 and peacekeepers)220 is prohibited both

212 Art. 4(A)(4) of GC3. 213 Melzer, Cyberwarfare (n. 10) 34; Nathaniel Stinnett, “Regulating the Privatization of War: How to Stop Private Military Firms from Committing Human Rights Abuses” (2005) 28(1) Boston College International and Comparative Law Review 212. 214 See Jennifer S. Martin, “Contracting for Wartime Actors: The Limits of the Contract Paradigm” (2007) 14(1) New England Journal of International & Comparative Law 26. 215 See Eve L. Haye, War Crimes in Internal Armed Conflicts (CUP 2008) 57. 216 Art. 51(1) of AP1; Art. 13(1) of AP2. 217 Art. 51(2) of AP1; Art. 13(2) of AP2. See also Declaration on Women and Children (n. 97) op para. 1; Tallinn Manual (n. 15) R32; Draft Rules for the Limitation of the Dangers Incurred by the Civilian Population in Time of War (adopted 15 October 1956) ICRC, Arts. 1, 6 accessed 1 August 2015. Note that the other side of the obligation to protect civilian infrastructure is shared by the attacked party—see Tallinn Manual (n. 15) R59C3, R59C7, R59C10; Dinniss (n. 5) 217–219. 218 See Art. 79(1) of AP1; Tallinn Manual (n. 15) R79C3. 219 Tallinn Manual (n. 15) R74C3, R74C4. 220 Ibid. See generally Mohamed A. Bangura, “Prosecuting the Crime of Attack on Peacekeepers: A Prosecutor’s Challenge” (2010) 23(1) Leiden JIL 180–181. 212 Chapter 6 in international,221 as well as internal armed conflicts,222 and is considered a war crime.223 In addition to obligations stemming from the principle of proportionality, belligerents have a duty to exercise constant care to make sure that the attacked objectives are not legally protected.224 The “cardinal” principle of distinction, rooted in international humanitarian law and meant to supplement the prohibition of indiscriminate attacks, prescribes that parties to the conflict should always distinguish between civilians and combatants (both lawful and unlawful), as well as between civilian objects and military objectives, and “accordingly [. . .] direct their operations only against military objectives”.225 The Fanelli-Conti methodology for precise tracking and targeting, which is based on a variety of factors, demonstrates that distinction is indeed possible in cyber-space.226 Therefore, a party to a conflict must always determine whether the planned cyber-strike fulfills these requirements.227 Moreover, it should take all feasible precautions in choosing malware to be used and the way it will be employed (that is means and methods of attack).228 That being said, governments can be expected to exercise distinction between

221 Art. 50 of GC1; Art. 50 of GC2; Art. 130 of GC3; Art. 147 of GC4; Arts. 75(2)(a)(i), 85(3)(a) of AP1; Declaration on Respect for Human Rights in Armed Conflicts, UNGA Res 2444 (XXIII) (19 December 1968) op para. 1(b). 222 Common Art. 3(1)(a) of GCs; Art. 4(2)(a) of AP2. 223 ICTY Statute (n. 51) Art. 2(a); ICTR Statute (n. 51) Art. 4(a); Rome Statute (n. 22) Art. 8(2) (a)(i), 8(2)(b)(i), 8(2)(b)(iii), 8(2)(e)(i), 8(2)(e)(iii). See Prosecutor v Strugar (Dubrovnik Case) (Decision on Jurisdictional Appeal) ICTY-01-42-AR72, AC (22 November 2002) para. 10; Emily Crawford, The Treatment of Combatants and Insurgents Under the Law of Armed Conflict (OUP 2010) 31–34. 224 Art. 57(2)(a)(i) of AP1. See also Tallinn Manual (n. 15) R40, R53. 225 Art. 48 of AP1; Nuclear Weapons Case (n. 44) para. 78. See also Tallinn Manual (n. 15) R31, R31C2, R31C3, R59; Declaration on Respect for Human Rights in Armed Conflicts (n. 221) op para. 1(c). 226 Sub-chapter 4.4.3; Robert Fanelli, Gregory Conti, “A Methodology for Cyber Operations Targeting and Control of Collateral Damage in the Context of Lawful Armed Conflict” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 324–326. See also David Raymond and others, “A Control Measure Framework to Limit Collateral Damage and Propagation of Cyber Weapons” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 190–193. 227 Gervais (n. 84) 565; Tallinn Manual (n. 15) R33. 228 Art. 57(2)(a)(ii) of AP1; Tallinn Manual (n. 15) R43, R49, R50, R54, R56, R59. See generally Dinniss (n. 5) 211–217; Eric T. Jensen, “Cyber Attacks: Proportionality and Precautions in Attack” (2013) 89 International Law Studies 208–209. Humanitarian Law Perspective 213 civilians and “unlawful combatants” with reference to subjective direct participation criteria. While international humanitarian law also encourages giving an advance warning of an attack that might affect the civilian population (and some governments may indeed insist on this), it is not obligatory.229 Circumstances surrounding cyber-strikes can reasonably be considered as not permitting such ex ante disclosure without jeopardizing the effectiveness of the tactic. Interestingly, while acknowledging this, the authors of the Tallinn Manual still chose to include a fragile and impractical rule that recommends “effective advance warning[s]”.230

6.5.4 Civilian Objects in Cyber-Warfare Aside from being covered by norms identified previously, civilian objects (all objects which are not military objectives) are guaranteed additional legal protection.231 Namely, AP1 discretely prohibits attacks against civilian objects,232 while the Rome Statute condemns them as war crimes.233 Governments have a great deal of discretion in determining when something shifts from a civilian to a military purpose. Like in the case of civilians who exhibit direct participation in a conflict, governments may also determine when civilian objects become military objectives, that is, when such objects contribute to an enemy’s military action.234 Here, one may recall the NATO air strike upon the Radio-Televizija Srbije building in 1999, which was claimed to have been transmitting propaganda for genocide235 and used as a military communications relay site.236 Though condemned by Yugoslavia, the act was never globally recognized as unlawful. The US DoD Report on Information Operations, released the same year, emphasized that interference with a military mission by civilian media broadcasts might require using the minimum

229 See Art. 57(2)(c) of AP1. 230 See Tallinn Manual (n. 15) R58, R58C8. 231 See Art. 52(1) of AP1. 232 Ibid.; Tallinn Manual (n. 15) R37. 233 Rome Statute (n. 22) Art. 8(2)(b)(ii). 234 See generally Tallinn Manual (n. 15) R37. 235 Shackelford (n. 168) 242. Note that direct and public incitement to commit genocide often occurs online. The messages are routinely reported and cleaned up, but it is very hard to prevent them from being published, read and reposted in the age of instant global messaging systems like Facebook, Twitter and YouTube—see generally Genocide Convention (n. 60) Art. 3(d); Rome Statute (n. 22) Art. 25(3)(b), 25(3)(e); ICTY Statute (n. 51) Art. 7(1). 236 Kelsey (n. 84) 1440. See also Eric T. Jensen, “Cyber Warfare and Precautions against the Effects of Attacks” (2010) 88(7) Texas Law Review 1543. 214 Chapter 6 necessary force to shut them down, limitable, in theory, to cyber-attacks.237 The distinctions drawn in characterizing the airstrike on the Radio-Televizija Srbije reveal how flexible definitions can be, a trait which is also inherited in cyber-warfare.238 Further, one must discuss legal issues that arise out of deception in cyber-warfare.

6.6 Deception

When dealing with the two aspects of deception in armed conflict—perfidy and ruses—one must inevitably ask whether the new tactics used in cyber- warfare clearly fall into one of these categories and whether the latter contain imperfections sufficient to allow for exploitation using these new tactics.

6.6.1 Perfidy Particular emphasis in humanitarian law is put on the unlawful nature of “treacherous” killing or wounding of individuals belonging to the hostile nation or army (also constituting a war crime).239 AP1 additionally prohibits “capturing” enemy combatants in “acts inviting the confidence of an adversary to lead him to believe that he is entitled to, or is obliged to accord, protection [. . .] with intent to betray that confidence”.240 Such conduct is considered unacceptable, since it uses enemy’s adherence to humanitarian law against him.241 This is particularly true for cyber-strikes, the point of which is to alter the opponent’s perception of reality.242 Importantly, however, this prohibition is only limited to actions directed against adversaries in armed conflict and is not applicable without such nexus (for instance, in case of mass spam).

237 See DoD, “An Assessment” (n. 128) 9. 238 Thomas W. Smith, “The New Law of War: Legitimizing Hi-Tech and Infrastructural Violence” (2002) 46(3) International Studies Quarterly 361. 239 Art. 23(b) of 1899HCA2, Art. 23(b) of 1907HCA4; Rome Statute (n. 22) Art. 8(2)(b)(xi), 8(2) (e)(ix). 240 Art. 37(1) of AP1. See also William Boothby, “Cyber Deception and Autonomous Attack— Is There a Legal Problem?” in Karlis Podins, Jan Stinissen, Markus Maybaum (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013) 260; Mark R. Shulman, “Discrimination in the Laws of Information Warfare” (1999) 37(3) Colombia Journal of Transnational Law 959–960. 241 Gervais (n. 84) 574–575. See also Dinniss (n. 5) 263. 242 Dimitrios Delibasis, The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007) 283. Humanitarian Law Perspective 215

A majority of the Tallinn Manual authors refused to recognize that perfidious capture of an adversary is prohibited under customary law.243 For the most part, this seems irrelevant in cyber-warfare. After all, are the chances of a cyber-attack capturing and exercising prolonged control over an adversary significant enough to warrant a serious inquiry? On the other hand, the existing law allows governments to perfidiously use malware that maximizes damage to data and property without any direct risk of killing, injuring (or capturing) in the process. As such, jus in bello may contain an exploitable deficiency. While the victim-states’ governments can argue that perfidious neutralization and destruction of objects is illegal, the fact remains that the GCs themselves currently do not support this logic.244 Similarly, uncertainty in law allows belligerents to claim that perfidious attacks do not actually need to be successful under customary norms245 or that the cyber-system itself can be equated with a rational adversary.246 The current law of war clearly bans making improper use of a flag of truce, national flags, military insignia and uniform of the enemy, of neutral states, or of the United Nations, as well as of the distinctive emblems of the GCs.247 Moreover, if used to cause serious personal injury or death, such acts are explicitly considered war crimes.248 Misusing the distinctive emblem of the Red Cross, Red Crescent or other protective signs (for example, the Red Crystal) for the same reasons, is listed as grave breaches of the GCs.249 Other

243 Tallinn Manual (n. 15) R60C2. 244 Note that scholars normally also reject this possibility—see Tallinn Manual (n. 15) R60C10; Dinniss (n. 5) 264. An exception to this rule is Dimitrios Delibasis, who seems to be particularly concerned about this—see Delibasis (n. 242) 283. 245 Tallinn Manual (n. 15) R60C7. 246 See ibid., R60C9. 247 Such acts are considered perfidious under Art. 37(1)(a), 37(1)(d) of AP1; Art. 6(1) of AP3. These acts are also generally prohibited under Art. 23(f) of 1899HC2, Art. 23(f) of 1907HC4, Arts. 38, 39 of AP1, Art. 12 of AP2. See also Tallinn Manual (n. 15) R62, R63, R64. One should point out that the authors of the Tallinn Manual wrongly classify gaining control, outside naval warfare, of enemy equipment with enemy indicators onboard (such as guided missiles and UAVs) as making use of the latter—see Tallinn Manual (n. 15) R64C7, R64C9. In reality, since such equipment, for the most part, will not be visible to crackers themselves, there is no mens rea to misuse these indicators. 248 Rome Statute (n. 22) Art. 8(2)(b)(vii). See generally Knut Dörmann, Elements of War Crimes Under the Rome Statute of the International Criminal Court: Sources and Commentary (CUP 2003) 198. 249 Art. 85(3)(f) of AP1. 216 Chapter 6 perfidious acts include feigning of an incapacitation by wounds or sickness250 and feigning of civilian or non-combatant status.251 The development of information technology opens up a whole new list of possibilities of what governments may perceive as perfidy in cyber-space. To name a few examples, aside from the straightforward disguising of cyber- strikes by spoofing IPs, sending forged or morphed communications and falsely declaring the will to surrender online, cyber-perfidy can take the more complicated form of virtually camouflaging combat troops and vehicles as medical transport and military facilities as protected sites.252 If states agree to develop encrypted digital certificates, prohibition of perfidy will automatically extend to their potential forgery and misuse as well. Special attention should be paid to disguised malicious attachments sent by email, or transmitted via compromised networks and USB devices. The entire tactic of infecting adversary’s computerized objects, which can kill, injure (or capture), in order to be effective, must be based on deception and inevitably has to misrepresent the origin of the malicious program. Davis Brown suggests that one may resort to such methods without violating what he calls the principle of chivalry, in case the transmission is not disguised as originating from a governmental official or armed forces of a targeted state, generally from a neutral state, or any medical or religious organization.253 However, if one adds the other logical exceptions, such as the United Nations, non-combatants and civilians, the list of who the cyber-attacker may imper- sonate becomes so narrow, that the tactic loses its effectiveness. Therefore, considering that the best results in the extreme conditions of an armed conflict can be expected from perfidious transmissions, international humanitarian law, in this context, seems more beneficial to the defending, rather than attacking states.254

6.6.2 Ruses of War While perfidy is prohibited, the law of armed conflict allows belligerents to resort to ruses of war, that is, “acts which are intended to mislead an adversary or to induce him to act recklessly but which [. . .] do not invite the confidence of an adversary with respect to protection under that law”.255

250 Art. 37(1)(b) of AP1. 251 Art. 37(1)(c) of AP1. 252 See Melzer, Cyberwarfare (n. 10) 32; DoD, “An Assessment” (n. 128) 10. 253 Brown (n. 92) 204–205. 254 Ibid. 203. 255 Art. 37(2) of AP1. See also Art. 24 of 1899HCA2; Art. 24 of 1907HCA4; Art. 37(2) of AP1; Tallinn Manual (n. 15) R61. Humanitarian Law Perspective 217

According to Kalliopi Chainoglou, in order for cyber-attacks to be lawful they have to “resemble or be analogous to the ruses that would be conducted in their traditional forms”.256 Taking into account that cyber-strikes are a relatively new aspect of warfare, how hard is it to distinguish between what is acceptable as ruses and what is not? Like in the case of perfidy, the list of what is allowed and what is not seems sufficiently clear. Governments may simply rely on the “what is not forbidden is allowed” principle. Not relying on it would ignore the ever-changing nature of warfare. For instance, if in the Middle Ages camouflage could have been considered a dishonest tactic, now it is expressis verbis mentioned in the AP1 as one example of a lawful ruse, alongside decoys, mock maneuvers and misinformation.257 The covert nature of cyber-strikes per se does not violate international law, because sneak attacks have long been a tactic and ruse of conventional warfare.258 Since misinformation is legal, such acts as lying about the time and target of cyber-attacks, sending messages to enemy headquarters purporting to be from subordinate units and vice versa, sabotaging adversary’s intelligence databases, transmitting false data meant to be intercepted and interpreted by an opponent regarding planned cyber-attacks, military units or their intent, remain lawful.259 Creating fake networks (so called, honeypots) meant to lure crackers is another example of a permitted tactic.260 Since some states rely on the virtual battlefield concept, hiding military objects from enemy’s view by means of a cyber-attack can be a legal ruse.261 Alternatively, one can imitate a much bigger force on screen or an attack itself, which would have a psychological effect similar to the False Missile Attack incident of 1979.262 However, it is important to note that, if an army to a significant

256 Chainoglou (n. 72) 50–52. 257 Art. 37(2) of AP1. 258 See generally Gervais (n. 84) 574; Tallinn Manual (n. 15) R60C13. 259 Tallinn Manual (n. 15) R61C2, R61C3. See also Schmitt, “Wired Warfare” (n. 92) 395. 260 See Ziolkowski (n. 92) 77–78. See also Tallinn Manual (n. 15) R61C2(c), R61C3. 261 See sub-chapter 3.2.4.2. As William Boothby argues, even an imitation of the forces’ location near civilian centers would be a permitted ruse, as it does not feign the civilian status itself—see Boothby, “Cyber Deception” (n. 240) 259. See generally Tallinn Manual (n. 15) R61C4. 262 On November 9, 1979, a training tape was loaded into the North American Aerospace Defense Command (NORAD) which resulted in transmission of realistic warnings to command centers worldwide, causing widespread confusion—see “A Brief History of NORAD: As of 31 December 2012” (NORAD Office of History 2013) 8 accessed 1 August 2015. 218 Chapter 6 extent relies on its virtual battlefield, infecting it with malware may result in inability of the adversary to adequately follow the principle of distinction. Having discussed the main principles applicable to cyber-warfare between opposing parties themselves, one should consider one last aspect of humanitarian law that lies on the borderline between jus ad bellum and jus in bello, but which, nonetheless, arises in the context of an ongoing armed conflict—neutrality.

6.7 Principle of Neutrality

Neutrality may arise by constitutional provision, declaration or a treaty article.263 For centuries, it has guaranteed non-aligned states’ immunity from attack in exchange for withholding support to any of the belligerents.264 Obligations and rights arising from this principle can be effectively divided into two categories: those pertaining to opposing forces in relation to neutral states and those governing the conduct of neutral states themselves. Most importantly, the present sub-chapter demonstrates that rejecting inviolability of neutral cyber-space may be a logical step for some governments, and that current humanitarian law provides neutral states’ leadership with discretion in choosing how to perceive and follow their obligations in cyber-warfare.

6.7.1 Belligerents in the Context of Cyber-Neutrality At least one prominent scholar writing about cyber-attacks believes that it might be beneficial to extend the neutrality regime to non-international armed conflicts.265 Nonetheless, current international law explicitly provides states with the right to be neutral only in the context of an international armed conflict.266 Unless this right is abused (or it is believed to be abused),267 it is

263 John O’Brien, International Law (Routledge-Cavendish 2001) 781. 264 Hughes (n. 58) 539. 265 See Eric T. Jensen, “Sovereignty and Neutrality in Cyber Conflict” (2012) 35(3) Fordham ILJ 839. 266 See Helmut P. Aust, Complicity and the Law of State Responsibility (CUP 2011) 20. 267 See generally Tallinn Manual (n. 15) R91C5, R94; Brown (n. 92) 209; Jody M. Prescott, “Direct Participation in Cyber Hostilities: Terms of Reference for Like-Minded States?” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 262; Wolff H. von Heinegg, “Neutrality in Cyberspace” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 39, 45. Humanitarian Law Perspective 219 widely accepted that territory of neutral powers (and its extension) is inviolable: belligerents are not allowed to conduct hostilities on land, sea or in airspace of a neutral state.268 The non-territorial nature of cyber-space, as discussed in Chapter 4, means that this rule does not easily extend therein. Is neutral cyber-space inviolable? Can it be? One can reasonably expect belligerents to refrain from manually or remotely launching attacks from neutral states’ computerized systems (located in all four classical dimensions of warfare),269 importing or using preinstalled hardware “for the purpose of communicating with belligerent forces on land or sea”,270 or intentionally routing cyber-strikes through neutral cyber-space.271 Although governments may argue the opposite, a more defendable position, today, is that there is not enough evidence (or state practice) to conclude that an automated transfer of malware by neutral computers would amount to a breach of neutrality.272 As with the case of jus in bello attacks, governments may find it convenient to recognize that cyber-attacks are part of land, sea or air warfare, due to the location of relevant infrastructure in these realms. Such an approach solves the problem of brief electronic incursions of neutral jurisdictions, which inevitably accompany most cyber-attacks on belligerent states, due to the structure of the Internet per se.273 A contrary position would make all Internet-attacks

268 Arts. 1, 2, 3 of 1907HC5; Art. 1, 2, 5 of 1907HC13. See also Tallinn Manual (n. 15) R91, R92; Wolff H. von Heinegg, “Territorial Sovereignty and Neutrality in Cyberspace” (2013) 89 International Law Studies 145–146. 269 Tallinn Manual (n. 15) R91C2, R92C2, R92C3. Wolff von Heinegg raises an interesting question, whether this rule also applies to external cyber-infrastructure owned by a corporation or individual—see Von Heinegg, “Neutrality” (n. 267) 39. It may be argued that it should be answered in the negative, as absent state control, infrastructure cannot be considered under state sovereignty, although this can be disputed. 270 Prohibited by Art. 3(a), 3(b) of the 1907HC5. See also Rules of Air Warfare (n. 2) Art. 3; Von Heinegg, “Territorial Sovereignty” (n. 268) 147. 271 Brown (n. 92) 210. 272 See generally Tallinn Manual (n. 15) R92C5 (especially minority opinion), R93C3. Note that Art. 7 of 1907HC5 in the context of naval warfare, in fact, frees neutral states from the obligation “to prevent the export or transport, on behalf of one or other of the belligerents, of arms, munitions of war, or, in general, of anything which can be of use to an army or a fleet”. 273 Online signals travel along unpredictable routes and the attacking side has little control over them—see sub-chapter 3.2.1. See generally Brown (n. 92) 210; Kelsey (n. 84) 1443– 1444; Gervais (n. 84) 577; Ziolkowski (n. 92) 88; Von Heinegg, “Neutrality” (n. 267) 40; Von Heinegg, “Territorial Sovereignty” (n. 268) 147; Wolff H. von Heinegg, “Legal Implications of Territorial Sovereignty in Cyberspace” in Christian Czosseck, Rain Ottis, Katharina 220 Chapter 6 illegal until the entire architecture of the Internet has been remade to ensure that neutral states do not participate in a conflict without their knowledge. Consequently, physical destruction of neutral states’ computers and communication lines to stop malware from being transferred from one of the belligerents to another in the first place, would be in violation of the principle of neutrality. At the same time, a cyber-attack launched with the same purpose, which does not reach the level of the use of force, could still be lawful.274 Special protection is also given to “submarine cables connecting an occupied territory with a neutral territory”, the use of which is not excluded in conducting cyber-attacks.275 This protection, however, is removed when “absolute necessity” is present, which can be invoked by governments in case of a series of damaging cyber-strikes.276 The authors of the Tallinn Manual could not agree whether one can spoof auxiliary indicators of neutral countries such as domain names in light of the prohibition of misusing neutral flags, emblems, insignia and uniforms.277 Since the rule is clear when it comes to physically visible signs and uniforms, the issuance of distinct combatant certificates by international organizations (meant to substitute insignia and uniforms in cyber-space) can actually make it the only contentious question here.

6.7.2 Obligations and Rights of Neutral States States that desire to retain their neutral status have to abide by a set of rules applicable to them. For obvious reasons, they may not launch physical attacks and cyber-strikes against any of the belligerents; moreover, they have a duty to

Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 17; Erki Kodar, “Applying the Law of Armed Conflict to Cyber Attacks: From the Martens Clause to Additional Protocol I” in Rain Liivoja, Andres Saumets (eds.), The Law of Armed Conflict: Historical and Contemporary Perspectives (15th ENDC Proceedings, Tartu University Press 2012) 113. 274 Note that the DoD declared that in case a neutral power is involved in a cyber-threat to the US, it will adhere to the principles of humanitarian law and can respond with actions short of the use of force—see US Department of Defense, “A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934” (Cyberspace Policy Report, US Department of Defense 2011) 8 accessed 1 August 2015. 275 See Art. 54 of 1907HCA4. 276 See ibid.; Tallinn Manual (n. 15) R91C5. 277 Tallinn Manual (n. 15) R65, R65C4. See also Art. 39(1) of AP1; Dinniss (n. 5) 265; Ziolkowski (n. 92) 76. Humanitarian Law Perspective 221 prevent its residents from participating in the conflict.278 The latter requirement is to an extent limited by territoriality. For instance, Switzerland, whose neutrality was recognized during the Congress of Vienna, has not been engaged in international wars since 1815, but its troops still served foreign states on certain occasions.279 Under international humanitarian law, a “neutral” (a national of a state “which is not taking part in the war”) “cannot avail himself of his neutrality” if he commits any “hostile acts” against a belligerent or in case he commits “acts in favor” of a belligerent.280 Governments may indisputably view cyber-attacks and other related activities as constituting such acts. While cyber-space may not enjoy the same level of protection as the traditional state domains, international humanitarian law places an obligation upon neutral countries to ensure that belligerents do not use their territory (or infrastructure in other physical domains) to launch attacks against their opponents.281 This is further supplemented by another obligation: to resist belligerents’ erection or the use of existing wireless telegraphy stations and other apparatus for military purposes.282 In sum, neutral states have an obligation to monitor their own territory and infrastructure to prevent cyber-attacks.283 The extent of this obligation is disputable, even more so when there is an automated transfer of electronic signals. On the one hand, governments can accuse a neutral state of violating neutrality if a number of suspicious activities from its infrastructure are observable.284 This possibility could lead to neutral states officials exercising extreme caution in their monitoring duty, going beyond actual (known) or constructive (should have known) analysis

278 See generally Tallinn Manual (n. 15) R93. 279 Hughes (n. 58) 539. 280 Arts. 16, 17 of 1907HC5. 281 See Tallinn Manual (n. 15) R93, R93C4. 282 Art. 5 of 1907HC5. See also Rules of Air Warfare (n. 2) Arts. 4, 5, 6(1). 283 Jensen, “Sovereignty and Neutrality” (n. 265) 826; Von Heinegg, “Territorial Sovereignty” (n. 268) 144. 284 Consider a “partial” list of acts that can result in loss of neutrality—see Jason Healey, “When ‘Not my Problem’ Isn’t Enough: Political Neutrality and National Responsibility in Cyber Conflict” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 27: “Hosting bots in its physical territory”, “Hosting command and control nodes of a network of bots”, “Attacks pass through physical territory on their way to the target”, “Residents in its physical territory are participating in the attack”, “Hosting legitimate military or dual-use targets of interest to one of the belligerents”, “Hosting chat rooms that are coordinating the attack”, “Senior leaders are encouraging attacks”, “Refusing to respond to requests for help”. 222 Chapter 6 in terminating and preventing hostile activity.285 While such activity should be targeted at pacifying belligerents, governments of neutral states may also use this as an excuse to establish additional control over what they see as their national cyber-space (including parts of the Internet)—a prospect, which might not satisfy Western nations that prefer to keep the entirety of cyber- space freely accessible.286 Furthermore, some governments may actually require neutral states to assess the situation from the perspective of the means-at-its-disposal test, borrowed from naval warfare.287 This test would create an obligation to use all available methods and technology in order to detect, prevent and disarm malware passing through its infrastructure.288 Even though this currently has a little chance of stopping real-time cyber-attacks, it could help expose logic bombs and botnets within neutral jurisdictions. A pattern of demonstrable violations of state neutrality can then be a valid reason for severing Internet connections with one of the belligerents.289 On the other hand, neutral powers are specifically not “called upon to forbid or restrict the use on behalf of the belligerents of [. . .] telephone cables or of wireless telegraphy apparatus belonging to it or to companies or private individuals”, as long as their use is allowed impartially for both belligerents.290 Applying this principle to cyber-space seems reasonable, since its biggest part (the Internet) is accessed through telephone cables and wireless devices.291 Nevertheless, actively stopping cyber-attacks from passing across neutral cables can be construed as defense of the targeted state, that is, acts in favor of a belligerent and breach of neutrality.292 Here, one should mention a legal concern that arose during 2008 South- Ossetia war, when Estonia, Poland and private entities within the US agreed to host on their servers the content of Georgian websites that were subject to

285 See generally Tallinn Manual (n. 15) R93C5, R93C6; Von Heinegg, “Neutrality” (n. 267) 43. 286 See generally Von Heinegg, “Neutrality” (n. 267) 43; Ziolkowski (n. 92) 87–88. 287 See Art. 8 of 1907HC13: “A neutral Government is bound to employ the means at its disposal to prevent the fitting out or arming of any vessel within its jurisdiction which it has reason to believe is intended to cruise, or engage in hostile operations”. 288 Kelsey (n. 84) 1445. See also Von Heinegg, “Territorial Sovereignty” (n. 268) 150–153. 289 Brown (n. 92) 211. 290 Arts. 8, 9 of 1907HC5. 291 See Tallinn Manual (n. 15) R92C4. 292 See Scott J. Shackelford, Richard B. Andres, “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem” (2011) 42(4) Georgetown JIL 1003. Humanitarian Law Perspective 223 numerous cyber-attacks, most of which originated from Russia.293 The latter rejected allegations of cyber-attacks and no direct evidence of its involvement was found.294 For these reasons, Russia’s government could not accuse Estonia, Poland or the US of helping counter cyber-strikes and, therefore, violating neutrality, although it could have done so if the circumstances were different. Notably, from a historical point of view, the HCs allowed the use of devices that pass data forward and not those that generate or alter it.295 While ordinary telephone or telegraph communications may be said to be indirectly linked to warfare, cyber-attacks represent war operations themselves. Neutral states’ governments, therefore, have discretion to choose how to perceive and follow their obligations in cyber-warfare. In accordance with the legal theory adopted in this book, such choice can be politically-motivated.

6.8 Conclusion

International humanitarian law indisputably regulates and channels cyber- warfare now and it will in the future.296 Despite its “deficiencies, loopholes and ambiguity” (according to Antonio Cassese), presuming common interests of the belligerents, jus in bello tries to limit their actions for their mutual benefit.297 The ICJ is firm that states are required to fulfill their obligations under humanitarian law “in all circumstances”,298 and that “they remain responsible for acts attributable to them which are contrary to [it]”.299 However, the above analysis reveals a number of imperfections of international humanitarian law that governments can exploit during preexisting armed conflicts or those started by cyber-attacks themselves. This may lend them a free hand in adopting strategies designed for use in armed conflict.

293 See sub-chapter 3.3.3.5; Eneken Tikk, Kadri Kaska, Liis Vihul, International Cyber Incidents: Legal Considerations (NATO CCDCOE 2010) 83. 294 Ibid. 295 DoD, “An Assessment” (n. 128) 10. 296 O’Donnell, Kraska (n. 130) 154–155. 297 Antonio Cassese, International Law (2nd edn, OUP 2005) 434. See also Michael N. Schmitt, “Asymmetrical Warfare and International Humanitarian Law” (2008) 62(1) Air Force Law Review 42. 298 Military and Paramilitary Activities in and against Nicaragua (Nicaragua v USA) (Merits) [1986] ICJ Rep, para. 220. See also Common Art. 1 of GCs; Art. 1(1) of AP1; Henckaerts and others (n. 1) Rule 140, 498–499. 299 Armed Activities on the Territory of the Congo (DRC v Rwanda) (Merits) [2006] ICJ Rep, para. 127. 224 Chapter 6

For instance, it is unclear how computer operators of medical transports must mark their transport online in order to avoid attacks and ensure respect provided for by the GCs. The same issue arises in relation to other objects that should be clearly distinguished, such as bio-chemical laboratories, nuclear powers plants, combatants, civilians and civilian objects generally. While the concept of vicinity to installations containing dangerous forces can be reevalu- ated to include cyber-proximity of networks, explaining such vicinity to automatically propagating malware remains problematic. It is also clear that current law provides governments with significant discretion in determining whether their actions adhere to the principles of jus in bello necessity and proportionality and in subjectively deciding when civilians or civilian objects directly participate in hostilities through cyber-space. At the same time, the levée en masse tactic becomes ineffective, as it requires attacks to be exposed beforehand. Furthermore, it is argued that certain tactics in cyber-warfare may be construed by governments as either prohibited perfidious conduct or as permitted ruses. Nevertheless, the extent to which cyber-perfidy appears to be overregu- lated in international humanitarian law suggests that these governments may try to find ways to ignore the prohibition of perfidy altogether. Finally, this chapter demonstrates that inviolability of neutral cyber-space might be rejected and that neutral states, in turn, have to decide to what extent to follow their obligations in cyber-warfare in order to protect their neutrality. When looking at jus in bello as a whole, it becomes apparent that, although cyber-attacks do not require a complete revision of this legal regime, the existing imperfections are exploitable and necessitate certain proactive reforms. If the current and the previous chapters concentrated on legal aspects relating to jus ad bellum and jus in bello, the next chapter (Chapter 7) will focus on cyber-terrorism as a special case of cyber-attack regulated both under the use of force and international humanitarian law regimes. Unlike Chapters 5 and 6, Chapter 7 will have a strong focus on non-state actors. Chapter 7 Cyber-Terrorism

7.1 Introduction

The previous chapters have addressed the applicability of the general frameworks of jus ad bellum and jus in bello to cyber-attacks, as well as their imperfections, which can be exploited. This chapter deals with cyber-terrorism as a special category of cyber-strikes confinable by these two frameworks. It shows that jus ad bellum and jus in bello cover predictable cyber-terrorist attacks. It further identifies specific terrorism-related uncertainties, deficiencies and gaps that governments can exploit. While the existence of a wider academic debate involving criminalization of terrorism in domestic legal systems is acknowledged, it is treated here as unhelpful and undermining the universality of terrorist offenses in international law, which the present book favors. The need for a separate chapter on terrorism is justified by the matter under examination, which does not necessarily presuppose (though, also does not exclude) any state involvement. The previous two chapters did not and could not adequately cover some of the legal issues that arise mostly in the context of cyber-terrorism. The UN approach to cyber-terrorism is omitted, as it is reserved for specific assessment in Chapter 8. The current chapter is divided into four parts. The first part addresses the matter of defining terrorism and cyber-terrorism. It demonstrates that, despite the lack of a universal definition in international law and duality of the terrorism concept, one can and should view cyber- terrorism as a variable, dependent upon the existing international treaties. It is further shown that, while potential perpetrators of cyber-terrorism include states, non-state actors and individuals, different elements of international law apply to them differently. The second part demonstrates to what extent cyber-attacks can breach the existing eighteen instruments of the United Nations prohibiting terrorism, thus effectively becoming acts of cyber-terrorism. It separates realistic scenarios from those less realistic and identifies the objects of attack that are adequately protected by this legal regime. The third part concentrates on jus ad bellum aspects that will emerge if governments attempt to escalate cases of cyber-terrorism to armed attacks in order to respond militarily. Unlike Chapter 5, which deals with legal issues

arising out of state conduct, analysis in this part focuses on engagements with independent non-state actors. The fourth part is dedicated to terrorism in the jus in bello context. It considers the special nature of cyber-terrorism in war, concentrating particularly on those legal imperfections, which, arguably, have already been exploited in the past. Namely, issues relating to the freedom fighter dilemma, as well as the prisoner of war status of potential cyber-terrorists are tackled.

7.2 Terrorism and Cyber-Terrorism as Legal Concepts

To facilitate the exploration of international law’s imperfections, one should begin by asking a basic set of questions that determine whether the current law is fit for the purpose of addressing cyber-terrorism per se. Is the existing framework still relevant in light of the new threat? How difficult is the challenge of identifying a universal definition of terrorism? Is it required at all in order to address cyber-terrorism? Can one identify potential perpetrators in this legal environment? This sub-chapter aims to provide some tentative answers to these four questions, each in a separate section.

7.2.1 Importance of the Existing Framework Today, some scholars argue that there is no imminent cyber-terrorism threat.1 Indeed, as can be seen from Chapter 3, there is a certain gap between the expected menace and ongoing cyber-activities.2 Why is the current international law relevant for cyber-terrorism, taking into account that the latter

1 See Joshua Green, “The Problem of Cyberterrorism is Exaggerated” in Louise I. Gerdes (ed.), Cyber Crime (Greenhaven Press 2009) 42; Mauro Massimo, “Threat Assessment and Protective Measures: Extending the Asia-Europe Meeting IV Conclusions on Fighting International Terrorism and Other Instruments to Cyber Terrorism” in Edward Halpin and others (eds.), Cyberwar, Netwar and the Revolution in Military Affairs (Palgrave Macmillan 2006) 219, 221; Dorothy Denning, “A View of Cyberterrorism Five Years Later” in Kenneth E. Himma (ed.), Internet Security: Hacking, Counterhacking, and Society (Jones & Bartlett Learning 2007) 135, 137. 2 This gap is also noted by various academics—e.g., see Anna-Maria Talihärm, “Cyberterrorism: in Theory or in Practice?” (2010) 3(2) Defence Against Terrorism Review 61–63; Hai-Cheng Chu and others, “Next Generation of Terrorism: Ubiquitous Cyber Terrorism with the Accumulation of All Intangible Fears” (2009) 15(12) Journal of Universal Computer Science 2379; Dorothy E. Denning, “Terror’s Web: How the Internet Is Transforming Terrorism” in Yvonne Jewkes, Majid Yar (eds.), Handbook on Internet Crime (Willan Publishing 2010) 198. Cyber-terrorism 227 has not yet materialized? One may answer this question by recalling the 9/11 impact on the international law framework surrounding terrorism generally. Out of the eighteen international instruments adopted since 1963, twelve were present before 2001.3 Though it seems obvious that the attack on the World Trade Center and other objects within the United States served as cata- lysts for the development of serious international documents, they are built upon the previously existing legal foundations. For instance, the New Civil Aviation Convention4 and the Aircraft Protocol5 are built upon the Aircraft Convention,6 Unlawful Seizure Convention,7 Civil Aviation Convention8 and the Airport Protocol.9 The Nuclear Terrorism Convention10 and its 2005 Amendment11 are based on the Nuclear Materials Convention.12 Similarly, the

3 For the latest list of the instruments, see “United Nations Action to Counter Terrorism: International Legal Instruments to Counter Terrorism” (UN) accessed 1 August 2015. 4 Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation (New Civil Aviation Convention) (adopted 10 September 2010, not yet in force) 974 UNTS 178. 5 Protocol Supplementary to the Convention for the Suppression of Unlawful Seizure of Aircraft (Aircraft Protocol) (adopted 10 September 2010, not yet in force) ICAO Doc 9959. 6 Convention on Offences and Certain Other Acts Committed On Board Aircraft (Aircraft Convention) (adopted 14 September 1963, entered into force 4 December 1969) 704 UNTS 220. 7 Convention for the Suppression of Unlawful Seizure of Aircraft (Unlawful Seizure Convention) (adopted 16 December 1970, entered into force 14 October 1971) 860 UNTS 105. 8 Convention for the Suppression of Unlawful Acts Against the Safety of Civil Aviation (Civil Aviation Convention) (adopted 23 September 1971, entered into force 26 January 1973) 974 UNTS 178. 9 Protocol for the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation (Airport Protocol) (adopted 24 February 1988, entered into force 6 August 1989) 1589 UNTS 474. 10 International Convention for the Suppression of Acts of Nuclear Terrorism (Nuclear Terrorism Convention) (adopted 13 April 2005, entered into force 7 July 2007) 2445 UNTS 89. 11 Amendment to the Convention on the Physical Protection of Nuclear Material (2005 Amendment) (adopted 8 July 2005, not yet in force) IAEA Doc GOV/INF/2005/ IO-GC(49)/INF. 12 Convention on the Physical Protection of Nuclear Material (Nuclear Materials Con vention) (adopted 26 October 1979, entered into force 8 February 1987) 1456 UNTS 101. 228 Chapter 7

2005 Protocol13 and the Protocol to the Protocol (P2P)14 play a supplementary role to the Fixed Platform Protocol15 and the Maritime Convention.16 9/11 did not generate sufficient resolve to immediately adopt the Comprehensive Convention on International Terrorism (hereinafter, Comprehensive Convention)—a treaty meant to universally prohibit all acts of terror (now negotiated for almost 20 years). However, it did shape international law, most notably when the UN Security Council recognized the right to self-defense in response to a terrorist attack by a non-state actor in its Resolutions 1368 and 1373.17 Should a cyber-terrorist strike cause destruction comparable to the 9/11 attacks, there is serious reason to believe that the legal approach will be the same as for the Al-Qaeda attacks themselves: the formation of international law on an already-existing base. The lack of a universal definition, however, can be said to represent an obstacle in identifying this base. This claim is considered further below.

7.2.2 Lack of a Universal Definition of Terrorism Generally, a clear definition is required in order to determine the status of customary law pertaining to terrorism, as well as to prevent, condemn and punish the latter.18 Numerous suggestions made on how to define this concept comprehensively are only partially overlapping and range from those including socio-psychological aspects to purely legal approaches.

13 Protocol to the Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation (2005 Protocol) (adopted 14 October 2005, entered into force 28 July 2010) IMO Doc LEG/CONF.15/21. 14 Protocol to the Protocol for the Suppression of Unlawful Acts Against the Safety of Fixed Platforms Located on the Continental Shelf (P2P) (adopted 14 October 2005, entered into force 28 July 2010) IMO Doc LEG/CONF.15/22. 15 Protocol for the Suppression of Unlawful Acts Against the Safety of Fixed Platforms Located on the Continental Shelf (Fixed Platform Protocol) (adopted 10 March 1988, entered into force 1 March 1992) 1678 UNTS 304. 16 Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation (Maritime Convention) (adopted 10 March 1988, entered into force 1 March 1992) 1678 UNTS 221. 17 See UNSC Res 1368 (12 September 2001) UN Doc S/RES/1368; UNSC Res 1373 (28 September 2001) UN Doc S/RES/1373. 18 See Clive Walker, “The Legal Definition of ‘Terrorism’ in United Kingdom Law and Beyond” [2007] Public Law 336. See also UNGA Res 42/159 (7 December 1987) UN Doc A/RES/42/159, preamb para. 17. Cyber-terrorism 229

The lack of a common definition has been the object of a prolonged inter-state19 and academic debate.20 It is the result of the existence of two incompatible concepts of terrorism in international law identified below. Practice shows that, due to competing government interests, fusing them together is not an easy task and the present book does not seek to reach that goal. Instead, it makes sense to utilize both notions separately to narrow down the scope of enquiry to lex lata. The original (hereinafter, archaic) concept of terrorism, that dates back to the French Revolution, is closely linked to state actions aimed at intimidating populations.21 Such state terrorism was divisible into two categories: internal and external. “Internal” state terrorism entailed state violence against its own citizens to weaken the morale and destroy willingness to resist the government’s will, while the “external” dimension targeted foreign populations.22

19 See “Written Amendments and Proposals Submitted by Delegates in Connection with the Elaboration of a Draft International Convention for the Suppression of the Financing of Terrorism”, Annex III to the Report of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (5 May 1999) UN Doc A/57/37. See generally UNGA Res 49/60 (9 December 1994) UN Doc A/RES/49/60, op para. 3; UNGA Res 51/210 (17 December 1996) UN Doc A/RES/51/210, op para. 2; Convention on the Prevention and Combating of Terrorism (adopted 14 July 1999, entered into force 6 December 2002) 2219 UNTS 179, Art. 1(3); Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism [2002] OJ L164/3, Art. 1; SAARC Regional Convention on Suppression of Terrorism (adopted 4 November 1987, entered into force 22 August 1988) Art. 1 accessed 1 August 2015; Treaty on Cooperation Among the States Members of the Commonwealth of Independent States in Combating Terrorism (adopted 4 June 1999, entered into force individually for each state-party in 2000–2005) Art. 1 accessed 1 August 2015. 20 See Ben Saul, Defining Terrorism in International Law (OUP 2006) 57–66; Helen Duffy, The ‘War on Terror’ and the Framework of International Law (CUP 2005) 19; Christian Walter, “Defining Terrorism in National and International Law” in Christian Walker and others, Terrorism as a Challenge for National and International Law: Security versus Liberty? (Springer 2004) 33–42; Sudha Setty, “What’s in a Name? How Nations Define Terrorism Ten Years After 9/11” (2011) 33(1) University of Pennsylvania JIL 15–16; Myra Williamson, Terrorism, War and International Law: The Legality of the Use of Force Against Afghanistan in 2001 (Ashgate Publishing 2009) 45–49; Bruce Hoffman, Inside Terrorism (Columbia University Press 2006) 34. 21 Tim Wilson, “State Terrorism: An Historical Overview” in Gillian Duncan and others (eds.), State Terrorism and Human Rights (Routledge 2013) 16. See generally Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R36. 22 Donald J. Hanle, Terrorism: The Newest Face of Warfare (Potomac Books 1989) 164. 230 Chapter 7

Formal attempts were made to introduce a qualification of terrorism as a non-state offense before WW2, most notably in the 1937 Convention for the Prevention and Punishment of Terrorism.23 Nonetheless, the latter never entered into force and terrorism remained a state action up until 1949, when it crystallized in the Geneva Conventions (GCs) as a form of intimidation in war. The belligerents were expressis verbis prohibited from “all measures of [. . .] terrorism” (in other words, “intimidatory measures to terrorise the population”)24 first in the occupied zones, and, in 1977, generally.25 That year, the two Additional Protocols (APs) to the GCs reaffirmed the archaic understanding of terrorism, unofficially defining the latter as “acts or threats of violence the primary purpose of which is to spread terror among the civilian population”.26 The emergence of independent non-state actors in the international arena during the 20th century resulted in the need to deviate from the state-centric archaic concept applicable in armed conflicts and to create a system that provided sufficient flexibility to address non-traditional tactics of various extremist groups both in and outside armed conflicts. Thus, the conventional regime was born. Unlike archaic terrorism, which exists in legal stasis (it has not formally changed since 1977), the conventional concept expands every time a new international instrument on terrorism is adopted. Currently, twelve conventions exist, supplemented by six protocols and amendments.27 All of these

23 See Convention for the Prevention and Punishment of Terrorism (adopted 16 November 1937, not in force) 19 LNOJ 23. See also Reuven Young, “Defining Terrorism: The Evolution of Terrorism as a Legal Concept in International Law and Its Influence on Definitions in Domestic Legislation” (2006) 29(1) Boston College International & Comparative Law Review 35–36. 24 ICRC, Convention (IV) Relative to the Protection of Civilian Persons in Time of War: Commentary (ICRC 1958) 225–226 accessed 1 August 2015. 25 See Art. 33(1) of GC4. 26 Art. 51(2) of AP1; Art. 13(2) of AP2. See also Art. 4(2)(d) of AP2. 27 Additional instruments not mentioned in (nn 4–16) include the Convention on the Prevention and Punishment of Crimes Against Internationally Protected Persons (Diplomatic Agents Convention) (adopted 14 December 1973, entered into force 20 February 1977) 1035 UNTS 167; International Convention against the Taking of Hostages (Hostages Convention) (adopted 17 December 1979, entered into force 3 June 1983) 1316 UNTS 205; Convention on the Marking of Plastic Explosives for the Purpose of Detection (Plastic Explosives Convention) (adopted 1 March 1991, entered into force 21 June 1998) 2122 UNTS 359; International Convention for the Suppression of Terrorist Bombings (Terrorist Bombing Convention) (adopted 15 December 1997, entered into force 23 May 2001) 2149 UNTS 256; International Convention for the Suppression of the Cyber-terrorism 231

instruments concentrate on acts perpetrated by non-state actors from a criminal law perspective (aut dedere aut judicare—extradite or adjudicate).28 In spite of a certain overlap in times of war, a de facto divide between the two legal regimes was noted by the ICTY in the Galić case, where a majority of the Court observed that, although international instruments exist to outlaw terrorism in different forms, it had to limit itself to the framework of armed conflict between states and ignore the “international efforts directed against ‘political’ varieties of terrorism”.29 Is it possible for opponents of the archaic regime to circumvent this divide and incorporate “political” elements into the laws of armed conflict? Here, one may consider, for instance, the widely ratified Terrorist Financing Convention.30 It suggests that any attack intended to cause death or injury to civilians (or persons hors de combat)31 during armed conflict should be seen as an act of terror not only if carried out to intimidate a population, but also if used to “compel a government or an organization to do or to abstain from doing any act”.32 This clearly attempts to expand the archaic concept in relation to those states that have ratified the Terrorist Financing Convention. At the same time, because mere threats of violence and acts not targeting civilians or persons hors de combat were excluded from the definition contained in the Convention, they cannot be considered archaic terrorism if their purpose is simply to coerce a government and not to intimidate a state population. The incompatibility of the two above-described notions of terrorism is best reflected by the deadlock in the negotiations over the Comprehensive Convention. Major disagreements concern applicability of the Comprehensive Convention to states and their armed forces (expected by the archaic concept),

Financing of Terrorism (Terrorist Financing Convention) (adopted 9 December 1999, entered into force 10 April 2002) 2178 UNTS 197. 28 See Bibi van Ginkel, The Practice of The United Nations in Combating Terrorism From 1946 to 2008: Questions of Legality and Legitimacy (Intersentia 2010) 11; Daniel Moeckli, “The Emergence of Terrorism as Distinct Category of International Law” (2008) 44(2) Texas ILJ 161; Daniel O’Donnell, “International Treaties Against Terrorism and the Use of Terrorism During Armed Conflict and by Armed Forces” (2006) 88(864) International Review of the Red Cross 855. 29 Prosecutor v Galić (Judgment and Opinion) ICTY-98–29-T, T Ch I (5 December 2003) para. 87 fn 150. 30 Terrorist Financing Convention (n. 27) is ratified by 186 states, i.e. all but a few UN nations (most notably, Iran is not among the parties). 31 See Antonio Cassese, International Criminal Law (3rd edn, OUP 2013) 155. 32 Terrorist Financing Convention (n. 27) Art. 2(1)(b). 232 Chapter 7 as well as immunity of liberation movements (excluded by the conventional concept).33 Nevertheless, the core definition contained in the drafts has remained unchanged for more than ten years. It still reads:

Any person commits an offence within the meaning of the present Convention if that person, by any means, unlawfully and intentionally, causes: (a) Death or serious bodily injury to any person; or (b) Serious damage to public or private property, including a place of public use, a State or government facility, a public transportation system, an infrastructure facility or to the environment; or (c) Damage to property, places, facilities or systems referred to in paragraph 1(b) of the present article resulting or likely to result in major economic loss, when the purpose of the conduct, by its nature or context, is to intimidate a population, or to compel a Government or an international organization to do or to abstain from doing any act.34

In a slightly modified form, this definition was included in the recommenda- tion of the UN’s High-Level Panel on Threats, Challenges and Change.35 In 2004, it argued that the upcoming Comprehensive Convention, inter alia, should include a:

33 See “Informal Summary Prepared by the Chair on the Exchange of Views in Plenary Meeting and on the Results of the Informal Consultations”, Annex I to 14th Session of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (12–16 April 2010) UN Doc A/65/37, para. 13. 34 See “Informal Texts of Articles 2 and 2 bis of the Draft Comprehensive Convention, Prepared by the Coordinator”, Annex II to 6th Session of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (28 January–1 February 2002) UN Doc A/57/37, Art. 2(1). Compare with “Preamble and Articles 1, 2 and 4 to 27 of the Draft Comprehensive Convention on International Terrorism Prepared by the Bureau”, Annex I to 16th Session of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (8–12 April 2013) UN Doc A/68/37, Art. 2(1). The draft also suggests criminalizing threats, attempts, and organization of these acts, as well as assistance and participation in them—see ibid., Art. 2(2), 2(3), 2(4). This criminalization is also present in the existing eighteen conventional instruments. 35 High-Level Panel on Threats, Challenges and Change, “A More Secure World: Our Shared Responsibility” (Letter to UNSG, 1 December 2004) UN Doc A/59/565, para. 164(d). Cyber-terrorism 233

[. . .] description of terrorism as ‘any action [. . .] that is intended to cause death or serious bodily harm to civilians or non-combatants, when the purpose of such an act, by its nature or context, is to intimidate a population, or to compel a Government or an international organization to do or to abstain from doing any act’.36

In the 2005 “In Larger Freedom” Report, Kofi Annan endorsed this suggestion, adding that “[i]t is time to set aside debates on so-called ‘State terrorism’ [. . .] [a]nd the right to resist occupation must be understood in its true meaning”.37 Does the fact that the core of the definition itself is not widely disputed mean that it currently reflects lex ferenda? Here, it would be prudent to remember that an “act of terrorism” is not merely an expression with negative political connotations.38 It is also an actual international offense (explicitly under the conventional regime, and implicitly under the archaic one). Therefore, any attempt to domestically characterize something not covered by the archaic or conventional concepts as terrorism on the international level would go against the principle of nullum crimen sine lege and should be seen as exploitation of the definitional void. In fact, the existence of deviant national frameworks itself can be said to be such an exploitation. Customary norms are equally limited by the legality principle. A traditionally problematic aspect of describing terrorism has been its intent. Scholars may insist that it is imperative to link terrorism to the wider political context.39 The core definition in the Draft Comprehensive Convention

36 Ibid. Note that other important elements that had to be included, according to the Panel were: the “[r]estatement that acts under the 12 preceding anti -terrorism conventions are terrorism, and a declaration that they are a crime under international law; and restatement that terrorism in time of armed conflict is prohibited by the Geneva Conventions and Protocols” and “[r]eference to the definitions contained in the [Terrorist Financing Convention] and Security Council resolution 1566”—see ibid., para. 164(b), 164(c). Interestingly, the UNSC Resolution 1566 itself limits its description of terrorism by the existing conventions on terrorism—see UNSC Res 1566 (8 October 2004) UN Doc S/RES/1566, op para. 3. 37 UNSG, “In Larger Freedom: Towards Security, Development and Human Rights for All” (Report of the UNSG, 21 March 2005) UN Doc A/59/2005, para. 91. 38 See Hoffman, Inside Terrorism (n. 20) 23; Rosalyn Higgins, “The General International Law of Terrorism” in Rosalyn Higgins, Maurice Flory (eds.), Terrorism and International Law (Routledge 1997) 28. 39 For example, see Cástor M. Diáz-Barrado, “The Definition of Terrorism and International Law” in Pablo A. Fernández-Sánchez (ed.), International Legal Dimension of Terrorism (Koninklijke Brill 2009) 33. 234 Chapter 7 also aims to cover all violent acts that have a specific purpose (terrorizing general population or compelling governments to perform or abstain from an act). Does this provide possibilities for exploitation? In effect, it prevents any other equally grave acts (also in or through cyber- space) from being criminalized as terrorism, if they are not subject to the “purpose of conduct” criteria. Therefore, violence that compels non-state actors (as opposed to states) to perform any act would not be terrorism—a gap that governments can attempt to exploit. On the other hand, the introduction of the core definition of the Com prehensive Convention in the present form is unlikely to reverse the current conventional criminalization of terrorist acts (or, possibly, even future criminalization, if there will be any new legal instruments adopted after the Comprehensive Convention) committed without such intent. Unless explicitly stated otherwise in the Comprehensive Convention, existing instruments will remain in force, preserving the notion (especially prevalent in the early treaties) that certain acts by their very nature are so severe that they can be considered terrorism, even if committed without a global purpose.40 Taking the above into account, one must now consider the concept of cyber- terrorism itself.

7.2.3 Defining Cyber-Terrorism as a Dependent Variable The term “cyber-terrorism” predates 9/11, and it existed even before the Internet became publicly accessible.41 In essence, it unites the concepts of “cyber- attack” and “terrorism”.42 Since the nature of these notions is already disputed,

40 See generally Michael A. Newton, “Exceptional Engagement: Protocol I and a World United Against Terrorism” (2009) 45(2) Texas ILJ 373; Gerhard Hafner, “The Definition of the Crime of Terrorism” in Giuseppe Nesi (ed.), International Cooperation in Counter- Terrorism: The United Nations and Regional Organization in the Fight Against Terrorism (Ashgate Publishing 2006) 41; Curtis A. Bradley, Mitu Gulati, “Customary International Law and Withdrawal Rights in an Age of Treaties” (2010) 21(1) Duke Journal of Comparative & International Law 30. 41 See Sam Berner, “Cyber-Terrorism: Reality or Paranoia?” (2003) 5(1) South African Journal of Information Management 1. 42 See Peter Flemming, “Myths and Realities of Cyberterrorism” in Alex P. Schmid (ed.), Countering Terrorism Through International Cooperation (ISPAC 2001) 84–86; Dorothy E. Denning, “Cyberterrorism” (Testimony before the Special Oversight Panel on Terrorism Committee on Armed Services, US House of Representatives, 23 May 2000) accessed 1 August 2015; Namosha Veerasamy, Marthie Grobler, Basie von Solms, “Building an Ontology for Cyberterrorism” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Cyber-terrorism 235 this resulted in “cyber-terrorism” being defined differently by different authors. This confusion is further exacerbated by the media, which randomly characterizes minor cyber-attacks as “cyber-terrorism”.43 As in the case of terrorism, academics have proposed a wide array of possible definitions that could cover its cyber variation. Suggestions include concentrating on the destabilizing nature of cyber-terrorism,44 attacks on critical national infrastructure,45 cyber-strikes damaging networks themselves,46 as well as those that inherit the usual polemics of terrorism: limiting it only to individuals and non-state perpetrators,47 focusing on wider psychological effects (fear)48 or on ideological and political aims.49 There have also been opinions expressed that “cyber-terrorism” is a self-contradictory term, as terrorism requires a physical attack by definition.50 Are these suggestions over-inclusive or under-inclusive? Consider the Stanford Draft International Convention to Enhance Protection from Cyber Crime and Terrorism that defines cyber-terrorism as:

Conference on Information Warfare and Security (Academic Publishing International 2012) 286. 43 Talihärm (n. 2) 62–64. 44 Natasha Solce, “The Battlefield of Cyberspace: The Inevitable New Military Branch—The Cyber Force” (2008) 18(1) Albany Law Journal of Science & Technology 301. 45 Gabriel Weimann, “Cyberterrorism: The Sum of All Fears?” (2005) 28(2) Studies in Conflict & Terrorism 130. 46 CTITF, “Countering the Use of the Internet for Terrorist Purposes” (Working Group Report, UN 2009) paras. 23, 25 accessed 1 August 2015. 47 Daniel T. Kuehl, “The National Information Infrastructure: The Role of the Department of Defense in Defending It” in Carolyn W. Pumphrey, Transnational Threats: Blending Law Enforcement and Military Strategies (Strategic Studies Institute 2000) 151. 48 Maura Conway, “Cyberterrorism: Media Myth or Clear and Present Danger?” in Jones Irwin, War and Virtual War: The Challenges to Communities: Probing the Boundaries (Rodopi 2004) 85; Christopher Beggs, “Cyber-Terrorism: A Threat to Australia?” in Mehdi Khosrow-Pour (ed.), Managing Modern Organizations Through Information Technology: Proceedings of the 2005 Information Resources Management Association International Conference (Information Resources Management Association 2005) 472. 49 Roland Heickerö, “Terrorism Online and the Change of Modus Operandi” (Paper, UNIDIR) 7 accessed 1 August 2015. 50 See Julian P. Charvat, “Cyber Terrorism: A New Dimension in Battlespace” in Christian Czosseck, Kenneth Geers (eds.), The Virtual Battlefield: Perspectives on Cyber Warfare (IOS Press 2009) 83. 236 Chapter 7

[. . .] intentional use or threat of use, without legally recognized authority, of violence, disruption or interference against cyber systems, when it is likely that such use would result in death or injury of a person or persons, substantial damage to physical property, civil disorder, or significant economic harm.51

According to this definition, a virus that causes a deliberate release of radio active material into the environment, albeit with a low risk of human contamination, would not be cyber-terrorism, although it is explicitly criminalized as a terrorist act by the Nuclear Terrorism Convention.52 At the same time, an angry employee physically destroying vital governmental computers would be a cyber-terrorist within the scope of the Stanford Draft definition, since he or she disrupts cyber-systems and causes substantial damage to a state. In reality, however, the way the attack is carried out in this theoretical example (physically and not through an electronic network), should rule out the possibility of classifying such act as cyber-terrorism. Cyber-terrorism should also be viewed separately from other terroristic uses of the Internet, which involve aspects such as communication, recruitment, funding, organization of physical attacks, propaganda, incitement to and apology of terrorism.53 While these acts may constitute terrorist offenses on their own, they do not involve cyber-attacks. Finally, not all cyber-strikes constitute cyber-terrorism. The latter should be clearly separated from “hacktivism”, that is ordinary politically-motivated attacks, the consequences or intent of which fall outside the scope of the UN’s counter-terrorist conventions (forming the base of conventional concept of terrorism), as well as the GCs and APs (containing the archaic notion of terrorism). This remains true even if hacktivism claims civilian lives or is sponsored

51 Abraham D. Sofaer and others, “A Proposal for an International Convention on Cyber Crime and Terrorism” (Stanford Conference, 6–7 December 1999) 26 accessed 1 August 2015. 52 Nuclear Terrorism Convention (n. 10) Art. 2(1)(b)(ii). 53 See generally CTITF, “Countering the Use of the Internet for Terrorist Purposes” (n. 46) paras. 11–18; CTITF, “Countering the Use of the Internet for Terrorist Purposes—Legal and Technical Aspects” (Working Group Report, UN 2011) 4–6, paras. 8–16 accessed 1 August 2015; UNODC, The Use of the Internet for Terrorist Purposes (UN 2012) paras. 3–27 accessed 1 August 2015. Cyber-terrorism 237 or carried out by members of known terrorist organizations.54 An argument to the contrary can be a disguised attempt to exploit the lack of a universal definition, meant to justify a harsh response to the threat under the pretext of tackling terrorism—a legal tactic that, perhaps, is already used by some governments today. Taking these factors into account, the general concept of cyber-terrorism is inevitably linked to the changing conventional and the non-changing archaic notions of terrorism. Therefore, at least for the purposes of the present book, cyber-terrorism should be simply defined as a cyber-attack that results in an act of terrorism, whereas the latter must be recognized only in the context of the existing legal instruments (including the GCs). To put this definition into context and to clearly distinguish between conventional and archaic aspects of cyber-terrorism, it is essential to identify the potential perpetrators.

7.2.4 Potential Perpetrators Cyber-attacks are impossible without the necessary technology and a minimal knowledge (at least by one person) of how computerized devices and networks operate. Since a significant part of Earth’s population can access cyber-space, and cracking manuals are available online, everyone, including self-taught individuals, persons belonging to groups, large non-state actors and states, at least in theory, can be engaged in cyber-terrorism. Since the archaic and conventional regimes apply to different categories of actors unequally, each category must be addressed individually.

7.2.4.1 States In general, states are capable of causing much greater destruction than non- state actors.55 Moreover, in the past, intimidation of civilian population by deliberate attacks or as a result of collateral damage in counter-terrorism

54 See generally CTITF, “Countering the Use of the Internet for Terrorist Purposes—Legal and Technical Aspects” (n. 53) 37, 39, 42–43, paras. 43–44, 47–48, 55; Graham Meikle, “Electronic Civil Disobedience and Symbolic Power” in Athina Karatzogianni (ed.), Cyber Conflict and Global Politics (Routledge 2009) 181–182; Talat Fatima, “Cyber Terrorism: The International Menace—Concept and Responses” (2006) 46(2) Indian JIL 256; Catherine A. Theohary, John Rollins, “Terrorist Use of the Internet: Information Operations in Cyberspace” (Report, Congressional Research Service 2011) 5–6 accessed 1 August 2015. 55 Richard Jackson and others, Terrorism: A Critical Introduction (Palgrave Macmillan 2011) 242. 238 Chapter 7

campaigns have been the cause of retributive conventional terrorism, creating a vicious circle of violence.56 The expression “state terrorism” is sometimes used to denote various governmental acts that merit at least equal a condemnation as terrorist attacks by non-state actors.57 Nevertheless, from a lex lata point of view, it would be improper to mean anything other than terrorism itself, carried out by states (individually, or within larger international organizations). In that sense, at least for the purposes of the present book, state terrorism (and state cyber- terrorism as its sub-class) should be defined as such. The negotiations over the Comprehensive Convention are deadlocked on this issue.58 That being said, none of the eighteen existing legal instruments foresee responsibility of states or their forces for acts of terrorism. In fact, the latest instruments provide immunity to state military in armed conflicts.59 This may indicate that governments believe that a state cannot be a perpetrator of conventional terrorism (with minor exceptions).60 However, a state

56 Ibid. See also Nigel D. White, “The United Nations and Counter-Terrorism: Multilateral and Executive Law-Making” in Ana M. de Frías, Katja L. Samuel, Nigel D. White (eds.), Counter-Terrorism: International Law and Practice (OUP 2012) 66; Jeffrey A. Sluka, “State Terrorism and Anthropology” in Jeffrey A. Sluka (ed.), Death Squad: The Anthropology of State Terror (University of Pennsylvania Press 2000) 2. 57 Scott Poynting, David Whyte “Introduction: Counter-Terrorism and the Terrorist State” in Scott Poynting, David Whyte (eds.), Counter-Terrorism and State Political Violence: The ‘War on Terror’ as Terror (Routledge 2012) 4. See also UNGA Res 39/159 (17 December 1984) UN Doc A/RES/39/159, preamb para. 2, op para. 1. See generally Yves Daudet, “International Action against State Terrorism” in Rosalyn Higgins, Maurice Flory (eds.), Terrorism and International Law (Routledge 1997) 202; Joseph H. Campos, The State and Terrorism: National Security and the Mobilization of Power (Ashgate Publishing 2007) 108–109. 58 Compare the Western draft: “The activities undertaken by the military forces of a State in the exercise of their official duties, inasmuch as they are governed by other rules of international law, are not governed by this Convention” with the Organization of the Islamic Cooperation (OIC) version: “The activities undertaken by the military forces of a State in the exercise of their official duties, inasmuch as they are in conformity with international law, are not governed by this Convention”—see “Informal Summary” (n. 33) Annex II, paras. 6–7. 59 See Terrorist Bombing Convention (n. 27) Art. 19(2); Maritime Convention (n. 16) Art. 2bis(2), as amended by the 2005 Protocol (n. 13); Nuclear Materials Convention (n. 12) Art. 2(4)(b), as amended by the 2005 Amendment (n. 11); Nuclear Terrorism Convention (n. 10) Art. 4(2); Unlawful Seizure Convention (n. 7) Art. 3bis(2), as amended by the Aircraft Protocol (n. 5); New Civil Aviation Convention (n. 4) Art. 6(2). 60 One exception is Cuba, which refers to state terrorism in its respective declarations on instruments such as Nuclear Terrorism Convention and Terrorist Bombing Cyber-terrorism 239 can be involved in state-sponsorship of conventional cyber-terrorism if, for instance, it instigates, assists, supports or contributes towards the commission of a terrorist offense through cyber-space.61 Moreover, state cyber-terrorism can still arise in the context of the original archaic concept in the course of an armed conflict. Here, one should note that a legal deficiency exists, created by the immunity of state forces in the conventional regime. If a state is able to keep its cyber-strikes outside the context of occupation and armed conflict, not only can its government use the military to terrorize the general population, but it can also launch those cyber-attacks that would otherwise be criminalized under the conventional regime. In other words, states sometimes may have a way of resorting to de facto cyber-terrorist acts without them being classified as terrorism.

7.2.4.2 Non-State Actors During the last decades, non-state actors have been increasingly viewed as groups capable of perpetrating acts of terror and this status, nowadays, is deeply rooted in international customary law. It is reflected in a number of the UNSC resolutions that directly refer to “terrorist groups” and “terrorist organizations”.62 Since conventional regime was created for the purpose of criminalizing non-state terrorism per se, its applicability to such actors remains obvious. To the extent that terrorists participate in hostilities within the context of an armed conflict or represent liberation movements, they are also subject to the prohibition of terrorism under the archaic regime.

Convention—see “United Nations Conventions Deposited with the Secretary-General of the United Nations” (UNTS, 2013) accessed 1 August 2015. 61 See generally Declaration on Principles of International Law Concerning Friendly Relations and Co-Operation Among States in Accordance with the Charter of the United Nations, Annex to UNGA Res 2625 (XXV) (24 October 1970) op para. 1. 62 See UNSC Res 1373 (n. 17) op paras. 2(a), 2(g), 3(a); UNSC Res 1566 (n. 36) op para. 10; UNSC Res 1455 (17 January 2003) UN Doc S/RES/1455, preamb para. 5; UNSC Res 1526 (30 January 2004) UN Doc S/RES/1526, preamb para. 5; UNSC Res 1530 (11 March 2004) UN Doc S/RES/1530, op para. 1; UNSC Res 1963 (20 December 2010) UN Doc S/RES/1963, preamb paras. 5, 9; UNSC Res 1988 (17 June 2011) UN Doc S/RES/1988, preamb para. 9, op para. 18; UNSC Res 1989 (17 June 2011) UN Doc S/RES/1989, preamb para. 17; UNSC Res 2082 (17 December 2012) UN Doc S/RES/2082, op para. 20; UNSC Res 2083 (17 December 2012) UN Doc S/RES/2083, preamb paras. 6, 17; UNSC Res 2129 (17 December 2013) UN Doc S/RES/2129. Note that when non-state terrorism is mentioned in the UN resolutions, conventional (not archaic) terrorism is often implied. 240 Chapter 7

Can one expect the already-existing extremist organizations to engage in cyber-terrorism? Currently, there are over a hundred international terrorist groups, ranging from small bands, designated as such by a few states,63 to widely recognized terrorist organizations.64 The success of counter-terrorist operations may force these non-state actors to consider cyber-attacks and to seek safe haven in cyber-space.65 Some analysts note that acts of cyber-terrorism may seem less favorable for terrorist organizations, since they would “have a lower psychological impact than a traditional [. . .] attack” (such as the 2013 Boston Marathon bombings).66 However, this remains a matter of perspective and undoubtedly causing the crash of a civilian airplane or a nuclear meltdown by malware can result in equally frightening footage in the media. In addition, unlike traditional terrorism, cyber-terrorism may require smaller financial investments or physical presence to be successful.67 In fact, the only real prerequisite to carry out an act of cyber-terrorism is technical knowledge—once acquired, a free and reusable asset.68 This makes cyber- terrorist attacks a much more convenient, and thus, probable option in situations where distance and financial matters may otherwise be a constraint.

63 For example, groups like Fianna Éireann or People’s Mujahedin of Iran. 64 For instance, groups like Al-Qaeda, Lashkar-e-Taiba, Kurdistan Workers’ Party, Palestinian Islamic Jihad or the “Islamic State”. 65 Stuart H. Starr, “Towards an Evolving Theory of Cyberpower” in Christian Czosseck, Kenneth Geers (eds.), The Virtual Battlefield: Perspectives on Cyber Warfare (IOS Press 2009) 34; Gabriel Weimann, “Cyberterrorism: How Real Is the Threat?” (Special Report, US Institute of Peace 2004) 11 accessed 1 August 2015. 66 Clay Wilson, “Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress” (Report, Congressional Research Service 2003) 18 accessed 1 August 2015; Clay Wilson, “Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress” in Lawrence V. Brown (ed.), Cyberterrorism and Computer Attacks (Novinka Books 2006) 18. See also James A. Lewis, “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats” (Center for Strategic and International Studies 2002) 8 accessed 1 August 2015; Maura Conway, “Against Cyberterrorism: Why Cyber-Based Terrorist Attacks are Unlikely to Occur” (2011) 54(2) Communications of the Association for Computing Machinery 27–28. 67 See generally Giampiero Giacomello, “Bangs for the Buck: A Cost-Benefit Analysis of Cyberterrorism” (2004) 27(5) Studies in Conflict & Terrorism 399. 68 Sarah Gordon, Richard Ford, “Cyberterrorism?” (Study, Symantec Security 2003) 8 accessed 1 August 2015. Cyber-terrorism 241

Interestingly, a number of traditional terrorist organizations have in one way or another made their presence known in cyber-space.69 To name a few examples, the Black Tigers (a wing of the Liberation Tigers of Tamil Eelam) have spammed Sri Lankan embassies with emails meant to disrupt their communications.70 The Real IRA was reported as declaring that the future resided “in cyber-terrorism rather than car bombs”.71 In 2008, the Palestinian Islamic Jihad announced its specialized cyber-warfare units (so called Al-Quds Brigades).72 The most infamous terrorist organization Al-Qaeda is, nowadays, highly reliant on the Internet and reports have emerged of its engagement in small- scale cyber-strikes, including website defacements and DDoS attacks.73 In 2002, it reportedly considered a cyber-attack against a dam, and, in 2005, to bring down the entire Internet traffic in the UK.74 Though most of these actions do not qualify as terrorism, such examples do demonstrate that existing extremist groups are interested in inflicting damage through cyber-space, combining it with traditional attacks, as well as in cyber-terrorism per se. The low level of their technical expertise can be, and

69 See Yariv Tsfati, Gabriel Weimann, “www.terrorism.com: Terror on the Internet” (2002) 25(5) Studies in Conflict & Terrorism 320. See also Fatima (n. 54) 257; Frazer Egerton, “The Internet and Militant Jihadism: Global to Local Re-Imaginings” in Athina Karatzogianni (ed.), Cyber Conflict and Global Politics (Routledge 2009) 116. 70 Denning, “Cyberterrorism” (n. 42). 71 Simon Finch, “Cyber-Terrorism is Real—Ask Estonia” (The Telegraph, 30 May 2007) accessed 1 August 2015. 72 Ola Al-Madhoun, “Islamic Jihad’s Cyber-War Brigades” (Menassat, 17 June 2008) accessed 1 August 2015. 73 Steve Coll, Susan B. Glasser, “The Internet Helps Promote Terrorism” in Louise I. Gerdes (ed.), Cyber Crime (Greenhaven Press 2009) 96; Alex Kingsbury, “Documents Reveal Al Qaeda Cyberattacks” (US News, 14 April 2010) accessed 1 August 2015. 74 Shima D. Keene, “Terrorism and the Internet: A Double-Edged Sword” (2011) 14(4) Journal of Money Laundering Control 363–365. One should note that the Internet was also used against Al-Qaeda itself. E.g., from 2001 to the present, cyber-attacks are launched, meant to disable websites supporting Al-Qaeda and Taliban—see Dimitrios Delibasis, The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007) 37; Bill Gertz, “Inside the Ring: Al Qaeda Websites Hacked” (The Washington Times, 15 May 2013) accessed 1 August 2015; Evan M. Axelrod, Violence Goes to the Internet: Avoiding the Snare of the Net (Charles C. Thomas 2009) 182. 242 Chapter 7 sometimes is compensated by recruiting technically-skilled individuals.75 In order to engage in cyber-terrorism, entire teams of cyber-criminals can work together or even merge with known terrorist organizations, if they share similar radical views or are motivated financially.76 Individual groups also may avoid traditional attacks, relying purely on cyber- terrorism to achieve similar goals. One such group, the G-Force Pakistan group (sympathizers of Al-Qaeda) waged an independent cyber-campaign with the aim of liberating Kashmir.77 Another group, calling itself the Cutting Sword of Justice, took responsibility for the Shamoon cyber-attack on oil and gas infrastructure in the Middle East.78 Although no act of cyber-terrorism has occurred yet, governments do attempt to prosecute cyber-criminals as “terrorists”. For example, in 2012, members of the RedHack group were reportedly accused of belonging to an “armed terrorist organization” in Turkey.79 It seems likely that such prosecutions will become more commonplace in the future.

7.2.4.3 Individuals Individual persons may also attempt to engage in acts of terrorism online. In fact, the existing conventional regime clearly allows for the prosecution of one-man cyber-terrorists.80 It should be noted, though, that governments may have a political interest in avoiding prosecution of gifted cyber-terrorists, who attack their opponents. Considering the current proposals to integrate convicted crackers into the

75 Andrew Rathmell, “Cyber-Terrorism: The Shape of Future Conflict?” (1999) 6(3) Journal of Financial Crime 279. 76 See Clay Wilson, “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress” (Report, Congressional Research Service 2008) 21 accessed 1 August 2015. 77 Namosha Veerasamy, “Motivation for Cyberterrorism, Defence, Peace, Safety and Security” (9th Annual Information Security for South Africa, Johannesburg, 2–4 August 2010) accessed 1 August 2015. See also Denning, “A View of Cyberterrorism” (n. 1) 123. 78 See sub-chapter 3.3.3.1; Thomas Rid, Cyber War Will Not Take Place (Hurst & Co 2013) 63. 79 “ ‘Hackers’ on Trial in Turkey for the First Time” (Al Arabiya, 26 November 2012) accessed 1 August 2015. 80 See generally Sean M. Condron, “Getting It Right: Protecting American Critical Infrastructure in Cyberspace” (2007) 20(2) Harvard Journal of Law & Technology 406; Eric Luiijf, “Understanding Cyber Threats and Vulnerabilities” in Javier Lopez, Roberto Setola, Stephen Wolthusen (eds.), Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense (Springer 2012) 60; Stephen Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses” (2011) 4(2) Journal of Strategic Security 54. Cyber-terrorism 243 military,81 it becomes clear that they are sometimes seen as limited state assets, due to the lack of cyber-experts.82 Obviously, non-prosecution could be in violation of a country’s legal obligations, and may possibly be seen as state- sponsorship of cyber-terrorism. Independent individuals can also engage in archaic cyber-terrorism in the context of an armed conflict. Such behavior would constitute direct participation in hostilities with legal consequences described in the previous chapter.83 Having addressed the more basic matters, one must now turn attention to the more specific issues arising in the context of the two legal regimes on terrorism.

7.3 Conventional Cyber-Terrorism

The majority of existing conventional terrorism instruments were created when cyber-strikes were unimaginable. None of these instruments address them directly.84 Thus, one must ask how effective can they be in criminalizing cyber-terrorism? Are these treaties and their protocols sufficient to classify the most serious cases as conventional terrorism? This sub-chapter considers the key issues and concepts that help answer these questions.

7.3.1 Serious Attacks First of all, in the context of cyber-terrorism, it is important to distinguish between the real risks and low-probability scenarios that are close to fiction. Indeed, it would be surprising if cyber-attacks alone resulted in the manufac- ture of unmarked explosives,85 bombings,86 taking of hostages,87 kidnappings,88 or other acts that require direct physical interaction.89

81 For example, see “UK Cyber Defence Unit ‘May Include Convicted Hackers’ ” (BBC News, 22 October 2013) accessed 1 August 2015. 82 See Jeffrey Carr, Inside Cyber Warfare (2nd edn, O’Reilly 2012) 29. 83 See sub-chapter 6.5.2. 84 Note, however, that according to the UN Action to Counter-Terrorism website, the New Civil Aviation Convention prohibits a “cyber attack on air navigation facilities”—see “United Nations Action to Counter Terrorism” (n. 3). 85 See Plastic Explosives Convention (n. 27) Art. 2. 86 See Terrorist Bombing Convention (n. 27) Arts. 1(3), 2(1). 87 See Hostages Convention (n. 27) Arts. 1(1), 2. 88 See Diplomatic Agents Convention (n. 27) Art. 1(1)(a). 89 For instance, providing funds in order to carry out a terrorist act—see Terrorist Financing Convention (n. 27) Art. 2(1); seizing cargo or an entire ship, endangering the latter—see Maritime Convention (n. 16) Art. 3(1); transportation of persons or dangerous materials, 244 Chapter 7

On the other hand, cyber-attacks against two of the most obvious targets in cyber-space—nuclear objects and aviation—appear to be covered by the conventional regime. One, therefore, needs to take a closer look at how the relevant international instruments apply. While dangers of cyber-induced nuclear meltdown have been described in Chapter 3, one needs to concentrate on more specific aspects of attacks against nuclear objects, which are particularly relevant in the context of cyber-terrorism. Contemporary nuclear reactors run on uranium-235 or plutonium-239 fissile—matter that falls under the definition of “nuclear material”, as established in the Nuclear Materials Convention.90 If a cyber-attack causes meltdown, it will result in the dispersal of such material, causing substantial damage to the environment, as well as property and, possibly, injury and death; acts which are nowadays criminalized as terrorism.91 Additionally, the amended Nuclear Materials Convention provides that attempting to achieve the same consequences through “an act directed against a nuclear facility, or an act interfering with the operation of a nuclear facility” also represents a terrorist offense.92 Furthermore, the Nuclear Terrorism Convention prohibits damaging or using a nuclear facility “in a manner which releases or risks the release of radioactive material” (emphasis added) not only with intent of damage to the environment, injury or death, but also in the case when the perpetrators intend to

their discharge, use of a ship to cause injury or death—see ibid., Arts. 3bis(1), 3ter, as amended by the 2005 Protocol (n. 13); seizing or endangering an entire fixed platform— see Fixed Platform Protocol (n. 15) Art. 2(1); discharging dangerous materials from a fixed platform—see P2P (n. 14) Art. 2bis; physical manipulations with nuclear material and nuclear devices—see Nuclear Materials Convention (n. 12) Art. 7(1), Art. 7(1), as amended by the 2005 Amendment (n. 11), Nuclear Terrorism Convention (n. 10) Art. 2(1)(a), 2(1) (b); seizing a manned aircraft—see Unlawful Seizure Convention (n. 7) Art. 1(a); Aircraft Convention (n. 6) Art. 6(1); physical manipulations with dangerous materials and devices, violence against persons on board—see Civil Aviation Convention (n. 8) Art. 1(1)(a), 1(1) (c), New Civil Aviation Convention (n. 4) Art. 1(1)(h), 1(1)(i). 90 See Nuclear Materials Convention (n. 12) Art. 1(a): “ ‘Nuclear material’ means plutonium except that with isotopic concentration exceeding 80% in plutonium-238; uranium-233; uranium enriched in the isotopes 235 or 233; uranium containing the mixture of isotopes as occurring in nature [. . .]”. See also Nuclear Terrorism Convention (n. 10) Art. 1(2). 91 Nuclear Materials Convention (n. 12) Art. 7(1)(a) in its original form and as amended by the 2005 Amendment (n. 11). 92 Nuclear Materials Convention (n. 12) Art. 7(1)(e), as amended by the 2005 Amendment (n. 11). Cyber-terrorism 245

“compel a natural or legal person, an international organization or a State to do or refrain from doing any act”.93 Was the Stuxnet attack an act of nuclear terrorism?94 While no obvious intent of causing injury, death or harm to the environment was present, the uranium enrichment center Natanz is, clearly, a nuclear facility and the destruction of centrifuges through cyber-attacks constitutes damage to it.95 However, even together with the unpredictable behavior of malicious software and infection of hardware, this damage seems too insignificant to be classified as “substantial” under the Nuclear Materials Convention. At the same time, even minor destruction at a nuclear facility risks the release of radioactive material. In this case, one of the Stuxnet’s goals was to make the Islamic Republic of Iran abandon its nuclear program. Both of these factors satisfy the requirement for an act to be considered a terrorist offense under the Nuclear Terrorism Convention, therefore, the use of Stuxnet could have been the first case of nuclear cyber-terrorism in history. Nevertheless, it must be noted that not Iran, Israel, nor the US had ratified this convention by 2009. Moreover, the attack was carried out by state military, which remains immune under that very same convention.96 When it comes to civil aviation, it must be noted that, once the Aircraft Protocol enters into force, any seizure of an aircraft (regardless of whether anyone is on board) “by any technical means” will be criminalized.97 Therefore, it would be possible to commit an act of cyber-terrorism by hijacking unmanned aerial vehicles (UAVs). As shown in Chapter 3, this remains a realistic scenario. However, this prohibition does not apply to military, customs and police aircraft.98 For this reason, future cyber-terrorism can presuppose unlawful control only over commercial, civilian and scientific UAVs. Terrorists may attempt to use such UAVs to “caus[e] death, serious bodily injury or serious damage to property or the environment” on the ground (much like Boeings were used during 9/11), in breach the New Civil Aviation

93 Nuclear Terrorism Convention (n. 10) Art. 2(1)(b). See generally Christopher C. Joyner, “Countering Nuclear Terrorism: A Conventional Response” (2007) 18(2) EJIL 245; Michael L. Hummel, “Internet Terrorism” (2008) 2(2) Homeland Security Review 121. 94 See sub-chapter 3.3.1. 95 See the definition of “nuclear facility” in Nuclear Terrorism Convention (n. 10) Art. 1(3); Nuclear Materials Convention (n. 12) Art. 1(c), as amended by the 2005 Amendment (n. 11). 96 Nuclear Terrorism Convention (n. 10) Art. 4(2). 97 Unlawful Seizure Convention (n. 7) Art. 1(1), as amended by the Aircraft Protocol (n. 5). 98 Unlawful Seizure Convention (n. 7) Art. 3(2); Civil Aviation Convention (n. 8) Art. 4(1); New Civil Aviation Convention (n. 4) Art. 5(1). 246 Chapter 7

Convention, although, due to the size of the drones, physical damage will be significantly lower.99 Destroying or causing significant damage to an entire (civilian) plane is also a terrorist offense under the Civil Aviation Conventions.100 In the context of cyber-attacks, such damage can occur as a result of a malfunction triggered by a cyber-strike (for instance, detonation of the aircraft’s fuel) or upon impact with the ground. The latter can, inter alia, be the result of an equally criminalized cyber-interference with the operation of navigational facilities or communicating wrong information to the pilots, air traffic control or to the UAV control stations.101 The Airport Protocol and the New Civil Aviation Convention set out another relevant offense: endangering airport safety by using a device to disrupt an airport’s services or to perform an “act of violence against a person at an airport serving international civil aviation [. . .] likely to cause serious injury or death”.102 The danger in this case can take the form of a cyber-attack against any computerized system within the airport that would endanger either the health of the persons at the airport, or, if the targeted individuals are working at the flight control facilities, the lives of the passengers on incoming and outgoing flights. The latter threat can also materialize in case of service disruption, especially if the interference targets vital air traffic control computers.103

7.3.2 Small-scale Attacks In additional to nuclear and aviation objects, the conventional regime on terrorism shields three other categories: internationally protected persons, maritime vessels and financial institutions. However, cyber-attacks against them promise comparatively smaller impact on the general population and the state as a whole. The Diplomatic Agents Convention criminalizes the intentional commission of “a murder [. . .] or other attack upon the person or liberty of an internationally protected person” or “a violent attack upon the [. . .] means of transport

99 New Civil Aviation Convention (n. 4) Art. 1(1)(f). 100 Civil Aviation Convention (n. 8) Art. 1(1)(b); New Civil Aviation Convention (n. 4) Art. 1(1)(b). 101 Civil Aviation Convention (n. 8), Art. 1(1)(d), 1(1)(e); New Civil Aviation Convention (n. 4) Art. 1(1)(d), 1(1)(e). 102 Civil Aviation Convention (n. 8) Art. 1(1bis), as amended by the Airport Protocol (n. 9); New Civil Aviation Convention (n. 4) Art. 1(2). 103 See Aviv Cohen, “Cyberterrorism: Are We Legally Ready?” (2010) 9(1) Journal of International Business & Law 23. Cyber-terrorism 247 of an internationally protected person likely to endanger his person or liberty”.104 Murder or injury (“other attack”) is the prohibited conduct, which does not depend on the means employed. It can take the form of crashing a protected person’s transport, tampering with a computer at a hospital, infecting a medical device or a similar harmful act.105 Interestingly, in line with the text of the Diplomatic Agents Convention, even trapping protected persons in a computerized car or an elevator can constitute an “other attack upon liberty” and, as such, cyber-terrorism. Terrorist conduct may also arise in the context of interfering with the operation of navigational facilities or communicating false information in order to endanger the safety of a ship, especially if it heavily relies on computerized systems for directions.106 Lastly, breaking into someone’s financial online accounts by means of cyber-attack for the purposes of collecting money to be used for conventional or archaic terrorism satisfies the narrow overlapping legal requirements necessary in order to be considered both a cyber-attack and an offense under the Terrorist Financing Convention.107 To summarize the last two sections, a table that reflects the applicability of the relevant anti-terrorism instruments in the context of conventional cyber- terrorism is presented below.

7.4 Escalated Conventional Cyber-Terrorism: Jus ad Bellum

The next logical step in the context of the present book is to ask, whether and how governments can exploit the existence of this conventional framework. Aside from pursuing a criminal law approach (possibly supported by counter-measures), 108 governments may attempt to escalate conventional cyber-terrorist activities to armed attacks in order to exercise their individual or collective right of self-defense. In the post-9/11 environment, where military

104 Diplomatic Agents Convention (n. 27) Art. 2(1). 105 Because damage to health has to be a direct consequence of a cyber-strike to be intentional, acts such as general food or water poisoning through cyber-attacks do not fall under those prohibited by the Diplomatic Agents Convention. 106 Maritime Convention (n. 16) Art. 3(1)(e), 3(1)(f). Note that warships, naval auxiliary ships, vessels of customs or police authorities and ships withdrawn from navigation are not covered by the Maritime Convention—see ibid., Art. 2(1). 107 See Terrorist Financing Convention (n. 27) Art. 2(1). 108 See sub-chapter 5.3.5. See also Mary E. O’Connell, “Lawful Self-Defense to Terrorism” (2002) 63 University of Pittsburgh Law Review 908. 248 Chapter 7

Table 1 Relevant anti-terrorism instruments

Treaty Number of Parties Relevant Examples (August 2015) Provisions

Nuclear Materials Convention: 152 7(1)(a) A cyber-attack causing a nuclear Convention 2005 Amendment: 84 7(1)(a), as meltdown at an atomic power plant amended that contaminates the surrounding 7(1)(e), as environment. amended

Nuclear Terrorism 99 2(1)(b) A cyber-attack causing damage Convention at a uranium materials enrichment facility with intent to force a government to abandon its nuclear program.

Unlawful Seizure Convention: 185 1(1), as Hijacking a civilian UAV by infecting Convention 2010 Protocol: 11 (not yet in force) amended its control station with malware.

Civil Aviation Convention: 188 1(1)(b) A cyber-attack that creates a wrong Convention Airport Protocol: 173 1(1)(d) impression of the flying conditions 1(1)(e) in a civilian plane. 1(1bis)(a), as amended 1(1bis)(b), as amended

New Civil 11 (not yet in force) 1(1)(b) Taking control of and flying a Aviation 1(1)(d) civilian UAV into a building. Convention 1(1)(e) 1(1)(f) 1(2)(a) 1(2)(b)

Diplomatic Agents 178 2(1) Trapping diplomatic staff in a Convention computerized car.

Maritime 165 3(1)(e) Infecting navigational facilities with Convention 3(1)(f) malware that prevents their use.

Terrorist 186 2(1) Breaking into online accounts by Financing means of cyber-attack to transfer Convention the money to terrorists. Cyber-terrorism 249 response to terrorism per se is tolerated (unlike that in response to minor attacks by non-terrorists),109 escalation can be done in three ways: by raising the concept of conventional cyber-terrorism to the required level and responding to it preventively, by arguing that a particular cyber-terrorist strike amounted to an armed attack, or by relying on the accumulation of events theory. The challenges of the preventive approach were already highlighted elsewhere in this book and will not be addressed in this sub-chapter.110 On the other hand, the last two approaches merit close attention, since they feature specific aspects present in relation to cyber-terrorism. To put them into context, one should first consider state attitudes to conventional terrorism generally. The argument that freedom fighters can use force as an exception to Article 2(4) of the UN Charter is no longer raised today.111 This clearly makes them a category of jus in bello and, for this reason, the uneasy relationship of national liberation movements with conventional and archaic concepts of terrorism in international law is reserved for further assessment in this chapter.112

7.4.1 State Practice Nowadays, governments are aware of the threat that cyber-terrorism represents for local infrastructures.113 If in 2009, when the Stuxnet struck, only a few states listed cyber-attacks by terrorists as the threat that directly concerned them, a lot has changed since then.114 Today, a vast majority of the technologically developed states continue to boost cyber-defensive and cyber-offensive capabilities in preparation for potential attacks against their critical infrastructure. For political, economic and other reasons, some governments may clearly favor exercising their right of self-defense (as understood in jus ad bellum) against conventional cyber-terrorists in the future over any other action. In fact, at least two technologically-advanced states, Israel and the United States,

109 This sometimes results in governments attempting to attach the “terrorist” label to their enemies. 110 See sub-chapter 5.3.4.3. 111 Nico Schrijver, “Challenges to the Prohibition to Use Force: Does the Straitjacket of Article 2(4) UN Charter Begin to Gall too Much?” in Niels Blokker, Nico Schrijver (eds.), The Security Council and the Use of Force: Theory and Reality—A Need for Change (Brill 2005) 37. 112 See sub-chapter 7.5.3. 113 William Gravell, “Some Observations Along the Road to ‘National Information Power’ ” (1999) 9(2) Duke Journal of Comparative & International Law 408. 114 See generally CTITF, “Countering the Use of the Internet for Terrorist Purposes” (n. 46) para. 10. 250 Chapter 7 stand out for their continuous practice of using force against terrorist groups and states harboring them.115 Both favor wide interpretations of international law to justify their controversial activities and both are known to invest heavily in military counter-terrorism campaigns. Israel, despite the condemnation by the UNSC of its use of force in anti-terrorist operations (such as the raid on Beirut airport in 1968,116 raids on Lebanon in 1973,117 bombing of Palestine Liberation Organization Headquarters Tunisia in 1985118 or assassination of Khalil al-Wazir in 1988),119 continues to stand by its position of interpreting the right to self-defense broadly and is likely to do so in relation to groups launching conventional cyber-terrorist attacks as well. Although most of the international community still considers Israeli arguments controversial, after 9/11, governments do not explicitly exclude the possibility of acting in self-defense against organizations like Hezbollah and Hamas. Instead, they prefer to concentrate on issues of proportionality (for instance, in assessing the legality of the airstrikes near Damascus in 2003 and 2007, invasion of Lebanon in 2006, and bombings of the Gaza Strip in 2007–2013).120 The condemnation of the US “self-defense” against terrorists or cyber- terrorists is not likely to occur in the Security Council due to the US veto. However, the General Assembly did condemn the bombardment of the Libyan Arab Jamahiriya in 1986, carried out in response to the Berlin discotheque bombing.121 The use of force by the US in its counter-terrorist operations in Iraq in 1993, as well as in Sudan and Afghanistan in 1998 continued to raise questions of legality until 2001, when the Security Council heavily implied that the USA has the right to resort to self-defense against a terrorist organization.122 This was affirmed by the silent approval of the international community of the invasion

115 Devika Hovell, “Chinks in the Armour: International Law, Terrorism and the Use of Force” (2004) 27(2) University of New South Wales Law Journal 412. 116 UNSC Res 262 (31 December 1968) UN Doc S/RES/262. 117 UNSC Res 332 (21 April 1973) UN Doc S/RES/332; UNSC Res 337 (15 August 1973) UN Doc S/RES/337. 118 UNSC Res 573 (4 October 1985) UN Doc S/RES/573. 119 UNSC Res 611 (25 April 1988) UN Doc S/RES/611. 120 Christian J. Tams, “The Use of Force against Terrorists” (2009) 20(2) EJIL 379; Raphaël van Steenberghe, “Self-Defense in Response to Attacks by Non-State Actors in the Light of Recent State Practice: A Step Forward?” (2010) 23(1) Leiden JIL 193. 121 UNGA Res 41/38 (20 November 1986) UN Doc A/RES/41/38. 122 Tams (n. 120) 380; UNSC Res 1368 (n. 17). Cyber-terrorism 251 of Afghanistan in 2001 and, also, by the legal attitudes adopted in the US itself, which inevitably transit into cyber-space.123 Other states also occasionally engage conventional terrorist groups with mixed feedback. For example, reactions to numerous Turkish incursions into Northern Iraq in the last two decades to pursue the Kurdistan Workers Party have ranged from understanding to a “mixture of sympathy and concern” from the world’s nations.124 Other cases, where self-defense arguments arose in relation to conventional terrorists, include the Russian pursuit of Chechen fighters into Georgia, the Iranian attacks on Iraqi bases of People’s Mujahedin and Kurdish bands, involvement of Ethiopia in the Somali Civil War in 2006, the Colombian invasion of the Ecuadorian territory in 2008 to engage the FARC, and, more recently, the Kenyan pursuit of Al-Shabaab in 2011–12.125 Although these examples do not involve cyber-strikes, they demonstrate how states might react to serious cyber-terrorist attacks by non-state actors. This is particularly important, since governments often attempt to conceal and distance themselves from cyber-operations from their countries’ territories, and non-state entities remain the likeliest actors to engage in conventional terrorist acts via cyber-space.

7.4.2 Cyber-Terrorist Strike as an Armed Attack Labeling a group or an individual “terrorist” is not enough to exercise the right of self-defense.126 As argued in Chapter 5, an illegal armed attack (or its immediate prospect) is required. Tarcisio Gazzini notes that terrorist attacks consist of mostly “unpredictable, sudden and instantaneous acts”, but cyber-terrorism takes this to a whole new level.127 Can a cyber-strike of independent non-state actors be an armed

123 See generally John C. Yoo, Robert J. Delahunty, “Authority for Use of Military Force to Combat Terrorist Activities Within the United States” (Memorandum, Office of the Deputy Assistant Attorney General 2001) accessed 1 August 2015; William Banks, “The Role of Counterterrorism Law in Shaping Ad Bellum Norms for Cyber Warfare” (2013) 89 International Law Studies 182. 124 Van Steenberghe (n. 120) 194; Tams (n. 120) 379. See also Christine Gray, International Law and the Use of Force (3rd edn, OUP 2008) 143. 125 See generally Tams (n. 120) 380; Theresa Reinold, “State Weakness, Irregular Warfare, and the Right to Self-Defense Post 9/11” (2011) 105(2) AmJIL 253; Noam Lubell, Extraterritorial Use of Force Against Non-State Actors (OUP 2010) 30. 126 See Clive Walker, “Cyber-Terrorism: Legal Principle and Law in the United Kingdom” (2006) 110(3) Pennsylvania State Law Review 627. 127 See Tarcisio Gazzini, “The Rules on the Use of Force at the Beginning of the XXI Century” (2006) 11(3) Journal of Conflict & Security Law 319, 324–326, 330. 252 Chapter 7 attack de jure? Although the ICJ concluded in the Wall case that “Article 51 recognizes the existence of an inherent right of self-defence in the case of armed attack by one State against another State”,128 it did not mention that the right to defend itself against “aggressive non-state actors” has existed in customary international law (that is outside Article 51 of the UN Charter) since ancient times.129 Furthermore, as noted by Judge Higgins, Article 51 does not stipulate that “self-defence is available only when an armed attack is made by a State”.130 The overwhelming support for the legality of the US invasion of Afghanistan did not necessarily create “instant customary international law and an authoritative reinterpretation of the UN Charter” (emphasis added).131 Notably, the US did not approach the UNSC and, instead, chose to invoke self-defense individually, in order to avoid a precedent.132 Nonetheless, one has to acknowledge that enough time has passed to speak of a natural non-instant evolution of the customary norms. Today, governments are unlikely to contest that terrorists (or, by extension, cyber-terrorists) can launch an armed attack. As Christine Gray points out, the question is rather in the degree to which state involvement is necessary “to allow the use of force against the territory of the host state”.133 What are the possible legal consequences for the host nations? Currently, there are two opposing views in international jurisprudence that became apparent in the Armed Activities case.134 A majority of the ICJ judges agreed that if the attacks by “armed bands” were not attributable to a state, there are no legal circumstances for the exercise of a right of self-defense against that state.135 On the other hand, Judge Kooijmans and Judge Simma defended a position

128 Legal Consequences of Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep, para. 128. For a strong criticism of this decision, see David McKeever “The Contribution of the International Court of Justice to the Law on the Use of Force: Missed Opportunities or Unrealistic Expectations?” (2009) 78(3) Nordic JIL 396. 129 Yaroslav Shiryaev, “Circumstances Surrounding the Separation Barrier and the Wall Case and Their Relevance for the Right of Self-Defense” (2011) 14(1) Gonzaga JIL 18; Jordan J. Paust, “Nonstate Actor Participation in International Law and the Pretense of Exclusion” (2011) 51(4) Virginia JIL 1003. See also Marko Milanovič, “State Responsibility for Acts of Non-State Actors: A Comment on Griebel and Plücken” (2009) 22(2) Leiden JIL 320. 130 Separate Opinion of Judge Higgins in the Wall Case (n. 128) para. 33. 131 Christine Gray, “The Use of Force and the International Legal Order” in Malcolm D. Evans (ed.), International Law (OUP 2003) 600, 604. See also Shiryaev (n. 129). 132 Said Mahmoudi, “Self-Defence and International Terrorism” (2005) 48 Scandinavian Studies in Law 206. 133 Gray, International Law (n. 124) 132. See generally Tallinn Manual (n. 21) R13C16, R13C17. 134 Armed Activities on the Territory of the Congo (DRC v Uganda) (Judgment) [2005] ICJ Rep. 135 Ibid., paras. 146–147. Cyber-terrorism 253 that “armed attacks [. . .] by irregular bands [. . .] are still armed attacks even if they cannot be attributed to the territorial state”.136 This view is supported, for example, by Leiden Policy Recommendations on Counter-Terrorism and International Law, which reads: “it is now well accepted that attacks by non- state actors, even when not acting on behalf of a state, can trigger a state’s right of [. . .] self-defense”.137 A reasonable compromise may exist between the two opinions that would reflect state practice: the “link” between the self-sufficient non-state actors and host-countries should consist at least in unwillingness or inability to stop the attacks by the latter.138 As Ashley Deeks notes, in the cyber-context, this results in defending governments being pressured to “conduct both a rapid and accurate assessment of the territorial State’s capabilities and political disposition”.139 At the same time, the suspected state formally must “reveal some of its technological capacity” in order to avoid violent victim-state response.140 One should emphasize that some governments can anyway attempt to accuse others of links with cyber-terrorists and not fully complying with their international obligations concerning cyber-capabilities. In fact, wide citizen access to cyber- space makes such accusations easier than in cases of suspected links to known terrorist organizations and proliferation of weapons of mass destruction by Saddam Hussein’s Iraq or Mahmoud Ahmadinejad’s Iran. Therefore, not only states that clearly control, support, take advantage of, but also those that tolerate cyber-terrorist strikes reaching the armed attack threshold originating from their territories can be targeted alongside cyber-terrorists themselves in self-defense, subject to the necessity and proportionality

136 Separate Opinion of Judge Kooijmans in ibid., paras. 30–31. See also Separate Opinion of Judge Simma in ibid., para. 12. See generally Yoram Dinstein, War, Aggression and Self-Defence (4th edn, CUP 2005) 205–206. 137 Nico Schrijver, Larissa van den Herik, “Leiden Policy Recommendations on Counter- terrorism and International Law” (2007) 54(3) Netherlands International Law Review, paras. 38, 40. 138 Van Steenberghe (n. 120) 197, 202; Ashley S. Deeks, “ ‘Unwilling or Unable’: Toward a Normative Framework for Extraterritorial Self-Defense” (2012) 52(3) Virginia JIL 495. See also Andrea Bianchi, “Terrorism and Armed Conflict: Insights from a Law & Literature Perspective” (2011) 24(1) Leiden JIL 7. 139 Ashley Deeks, “The Geography of Cyber Conflict: Through a Glass Darkly” (2013) 89 International Law Studies 3–4, 20. 140 Ibid. 254 Chapter 7 criteria.141 If strikes emanated from parts of a failed state that the government cannot control, those territories can also be subject to acts of self-defense. A problem may arise, however, when a government does not want to tolerate acts of cyber-terrorism (for instance, it has ratified a convention that demands extradition or prosecution, or it is bound by a UNSC Resolution), but it cannot locate or identify the perpetrators. This is especially relevant if devastating cyber-attacks are carried out only by one person. In theory, if non-state actors can launch armed attacks, a single cyber-terrorist can launch them as well under international law.142 Military operations against parts of a country in pursuit of only one man are not unheard of (consider Osama bin Laden). However, even if they will not entail assassinations of crackers in self-defense, they will inevitably raise questions of necessity and proportionality. Since such situations are not clearly regulated by international law, governments are left with the choice of either seeking collective action (for example, by turning to the UN Security Council) or by subjectively assessing the necessity and proportionality criteria. Do acts prohibited by the conventional regime provide sufficient grounds for self-defense? When it comes to serious attacks against aviation and nuclear objects, it would certainly seem so. Not only can one reach this conclusion in light of state practice, but also because parallels can be drawn with other cases, where the fact of an armed attack was established. For example, considering the ICJ’s attitude in the Nuclear Weapons case and widely recognized “armed” element of biological and chemical weapons, the widespread release of radiation at a nuclear facility will almost certainly be seen as an armed attack. Destroying a civilian airplane or, as mentioned earlier, taking control of a civilian UAV and flying it into a building, resonates with 9/11 and, by analogy, the victim-state may claim self-defense. When it comes to less serious cyber-terrorist strikes, it should be noted that they still may be escalated to the armed attack level by governments that seek to exploit the gray areas of law. For instance, recalling some examples from Chapter 5, jeopardizing ship safety by tampering with its navigation systems is comparable to mining a single vessel, which could trigger the right to self- defense, according to the ICJ.143 Life-threatening attacks against diplomatic

141 See generally Thomas M. Franck, Recourse to Force: State Action against Threats and Armed Attacks (CUP 2002) 54; Olivier Corten, “The Controversies Over the Customary Prohibition on the Use of Force: A Methodological Debate” (2005) 16(5) EJIL 810. 142 See Laurie R. Blank, “International Law and Cyber Threats from Non-State Actors” (2013) 89 International Law Studies 415–416. 143 Oil Platforms (Iran v USA) (Judgment) [2003] ICJ Rep, para. 72. Cyber-terrorism 255 personnel and attacks upon their liberty constituted an armed attack in the Tehran Hostages case, and, thus, can be seen as such in the cyber-terrorism context.144 Merely exercising control over a UAV, minor destruction at a nuclear facility or attempts to do the above-mentioned acts can be viewed as armed attacks, for instance, from the perspective of preemptive action. Only using Internet to steal funds for a terrorist cause cannot be relied upon, since it does not even reach the level of the use of force. It is remarkable how easily international law provides grounds for escalation of potential conventional cyber-terrorism strikes to a level required to invoke the right to self-defense. Of course, much will depend on the individual circumstances of each situation and, most likely, political circumstances. However, it is essential to remember that an optimal threshold for invoking the right of self-defense in international law should be preserved, since a very low threshold will “blur the lines between armed conflict and criminal law enforcement”, while a very high one will jeopardize the security of states.145

7.4.3 Accumulation of Events Theory In 1989, before the Internet became global, Antonio Cassese claimed that “to qualify as an armed attack, international law requires that terrorist acts form part of a consistent pattern of [. . .] terrorist action rather than just being isolated or sporadic attacks”.146 Although most of the modern cyber-strikes form an endless wave of low-scale attacks, if a vital zero-day exploit becomes available to cyber-terrorists, they will likely utilize their window of opportunity to attack as many targets as possible simultaneously. The use of the same hardware, software and synchronized upgrades in multiple systems makes this a dangerous yet realistic prospect (for instance, a fleet of civilian drones of the same type may be hijacked at once). As in the case of traditional terrorism, in

144 See United States Diplomatic and Consular Staff in Tehran (USA v Iran) (Judgment) [1980] ICJ Rep, paras. 57, 91. 145 Kenneth Watkin, “Controlling the Use of Force: A Role for Human Rights Norms in Contemporary Armed Conflict” (2004) 98(1) AmJIL 5. 146 Antonio Cassese, “The International Community’s ‘Legal’ Response to Terrorism” (1989) 38(3) ICLQ 596. See also Niaz A. Shah, “Self-Defence, Anticipatory Self-Defence and Pre- Emption: International Law’s Response to Terrorism” (2007) 12(1) Journal of Conflict & Security Law 105; Cecilia M. Bailliet, “The ‘Unrule’ of Law: Unintended Consequences of Applying the Responsibility to Protect to Counterterrorism, A Case Study of Colombia’s Raid in Ecuador” in Cecilia M. Bailliet (ed.), Security: A Multidisciplinary Normative Approach (Martinus Nijhoff 2009) 183. 256 Chapter 7 this context, “account may be taken of a series of attacks emanating from the same territory and the same terrorist group”.147 The ICJ did imply that armed attacks can be “cumulative in character” in its case-law.148 Also, a large number of governments accepted Turkey’s and Israel’s claims to self-defense “by implication”, as they involved constant small- scale terrorist attacks.149 Nevertheless, the accumulation of events theory (also called the needle-prick or the pin-prick theory) was never officially endorsed by the Security Council, a majority of prominent academics, or the international community itself.150 According to this doctrine, instead of measuring the severity of each individual attack, one should consider the cumulative effect of multiple strikes.151 In this case, rather than “expiring immediately after a single attack, the right to self-defence survives it and allows States to take forcible action necessary to put an end to the chain of attacks”.152 An obvious requirement for this, as Laurie Blank highlights, is the attribution of acts to the same actor.153 This theory must be mentioned in the context of cyber-terrorism, since at least two of the states that engage in controversial counter-terrorism operations and possess serious cyber-attack capabilities (USA and Israel)154 have resorted to the “cumulative effect” approach in the past, specifically in response to acts of terror.155 Generally, due to the luck factor, cyber-terrorist strikes can be expected to be less intensive in their nature than traditional terrorist attacks.156 It is, therefore, more probable that a series of damaging attacks

147 Schrijver, Herik (n. 137) para. 39. 148 For example, see Oil Platforms Case (n. 143) para. 64; Armed Activities Case (n. 134) para. 146; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v USA) (Merits) [1986] ICJ Rep, para. 231. 149 Tams (n. 120) 388. 150 Although the Security Council has been reluctant to accept the accumulation of events theory, it became less willing to condemn it in the 1980s (particularly, in relation to Israeli self-defense wars)—see Kinga T. Szabó, Anticipatory Action in Self-Defence: Essence and Limits under International Law (TMC Asser Press 2011) 215. 151 Andrew Garwood-Gowers, “Self-Defence Against Terrorism in the Post-9/11 World” (2004) 4(2) Queensland University of Technology Law and Justice Journal 7. 152 Gazzini (n. 127) 319. 153 Blank (n. 142) 417. See also Tallinn Manual (n. 21) R13C8. 154 Portugal and apartheid-era South Africa were among other states that resorted to this doctrine, as noted in Gray, International Law (n. 124) 108. 155 Shiryaev (n. 129) 17. 156 Luck factor cannot be underestimated in terrorist attacks, and will be equally significant in cyber-terrorism which is even harder to plan. Consider, e.g., the entire “auspicious” 9/11 operation, or the “unlucky” Aum Shinrikyo criminal group, which attempted to spread Cyber-terrorism 257

(for instance, a pattern of assassination attempts of internationally protected persons) can provoke the victim-state’s government to resort to the accumulation of events theory. As in the case of conventional response, self-defense against cyber-terrorism under the needle-prick theory is bound to face the same challenges: response may seem like a reprisal, disproportionate action, or an act exceeding permitted limits of preemptive self-defense.157 Even if the accumulation of events theory is recognized in the future vis-à-vis cyber-terrorism, it will be subjected to the same limits that are applicable to traditional self-defense. Until there is sufficient evidence to suggest that this theory is incorporated into international customary law, accumulating cyber-terrorist strikes short of armed attack for the purpose of invoking self-defense will remain hardly defensible for governments. Having discussed the legal issues relating to the applicability of the conventional regime to cyber-terrorism, one can now consider specific legal aspects that exist when it comes to cyber-warfare in the context of archaic terrorism.

7.5 Archaic Cyber-Terrorism: Jus in Bello

International humanitarian law is said to be sufficiently well suited to provide a “regulatory framework” and “effective mechanisms” to condemn, punish and prosecute acts of terrorism in international and internal armed conflicts.158

botulinum toxin and anthrax at least nine times, failing each time. Eventually, the “successful sarin attack on the Tokyo subway” had to be carried by manually stabbing plastic bags with gas—see Bruce Hoffman, “Terrorism by Weapons of Mass Destruction: A Reassessment of the Threat” in Carolyn W. Pumphrey, Transnational Threats: Blending Law Enforcement and Military Strategies (Strategic Studies Institute 2000) 92. 157 Jörg Kammerhofer, “Uncertainties of the Law on Self-Defence in the United Nations Charter” (2004) 35 Netherlands Yearbook of International Law 177. See also Stanimir A. Alexandrov, Self-Defense Against the Use of Force in International Law (Kluwer Law International 1996) 167; Marco Roscini, “World Wide Warfare—Jus ad Bellum and the Use of Cyber Force” (2010) 14 Max Planck Yearbook of United Nations Law 120. 158 Bianchi (n. 138) 21; Luigi Condorelli, Yasmin Naqvi, “The War against Terrorism and Jus in Bello: Are the Geneva Conventions Out of Date?” in Andrea Bianchi (ed.), Enforcing International Law Norms Against Terrorism (Hart Publishing 2004) 37. See also Fionnuala Ni Aoláin, “The No-Gaps Approach to Parallel Application in the Context of the War on Terror” (2007) 40(2) Israel Law Review 579; Matthew C. Waxman, “The Structure of Terrorism Threats and the Law of War” (2010) 20(3) Duke Journal of Comparative & International Law 430; Gabor Rona, “Interesting Times for International Humanitarian 258 Chapter 7

However, does jus in bello really not suffer from its own set of uncertainties, deficiencies and gaps that need to be addressed in the context of cyber-terrorism? How helpful is it in supplementing the conventional regime?

7.5.1 Overlap with Conventional Regime The archaic regime applies in situations of armed conflict. Therefore, in order for an act to be classified as archaic cyber-terrorism per se, such act needs to reach sufficient intensity to begin an armed conflict, be carried out in its context or in the context of occupation, with the required nexus.159 Can cyber-terrorism initiate an armed conflict? When it comes to the conventional terrorist attacks, the answer leans towards negative. Indeed, the applicability of the norms regulating international war presupposes two or more state parties, which independent cyber-terrorists cannot be.160 The UK had openly declared that “the term ‘armed conflict’ [. . .] denotes a situation of a kind which is not constituted by the commission of [. . .] crimes including acts of terrorism whether concerted or in isolation”.161 This creates a situation where conventional cyber-terrorist attacks, which will be sufficiently intensive to initiate an international armed conflict had they been carried out by a state, do not trigger it. Some governments use this to classify armed conflicts with extremist groups as non-international (for example, the US administration) or even below this threshold (for instance, the Israeli government), in order to reduce the amount of legal obligations existing vis-à-vis suspected terrorists.162 Namely, governments may invoke the “double inequality”: on the one hand, they accuse the extremists of engaging in

Law: Challenges from the ‘War on Terror’ ” in Magnus Ranstorp, Paul Wilkinson (eds.), Terrorism and Human Rights (Routledge 2008) 154; Hans-Peter Gasser, “Acts of Terrorism, ‘Terrorism’ and International Humanitarian Law” (2002) 84(847) International Review of the Red Cross 568. 159 See Schrijver, Herik (n. 137) para. 60. 160 Common Art. 2 of the GCs. 161 “Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977: United Kingdom” (Declarations/Reservations, ICRC 2002) accessed 1 August 2015. 162 David Kretzmer, “Targeted Killing of Suspected Terrorists: Extra-Judicial Executions or Legitimate Means of Defence?” (2005) 16(2) EJIL 194–196. See generally Eric T. Jensen, “Applying a Sovereign Agency Theory of the Law of Armed Conflict” (2012) 12(2) Chicago JIL 726–727. Cyber-terrorism 259 criminal activity (even if it is legal under humanitarian law) and, on the other, they reject safeguards of the international and domestic norms.163 While, in the Kordić and Čerkez judgment, the ICTY emphasized that the protraction requirement is “significant in excluding [. . .] single acts of terrorism in cases of non-international conflicts”,164 a protracted state response itself can initiate an internal war under international law (if the other legal requirements are satisfied).165 Even in the unlikely event of a series of conventional acts of cyber- terrorism starting a non-international armed conflict, they will still need to satisfy the archaic criteria in order to be classified as such. For instance, a cyber-strike against a diplomat is unlikely to sufficiently intimidate the civilian population and, consequently, it cannot constitute archaic terrorism. Nevertheless, these acts would still need to be seen through the prism of the principles of necessity, proportionality, humanity, distinction and permitted deception. Another imperfection of humanitarian law inherited by cyber-warfare and favorable to some governments can be observed: although state military is currently immune from the conventional regime, those persons and groups who do not constitute such forces are covered by it, even if they are engaged against state military in the same (internal) armed conflict. Though justifiable by some, in light of universality of certain crimes, this creates a situation where non-state actors lose incentive to follow their obligations under humanitarian law both in and outside cyber-warfare.166 One should note that, nowadays, this discrepancy is de jure somewhat remedied by the fact that both categories can be held liable for war crimes and archaic terrorism (acts of terrorism are expressis verbis listed as war crimes in

163 ICRC, “The Relevance of IHL in the Context of Terrorism” (Frequently Asked Questions, ICRC, January 2011) accessed 1 August 2015; Orna Ben-Naftali, Keren R. Michaeli, “ ‘We Must Not Make a Scarecrow of the Law’: A Legal Analysis of the Israeli Policy of Targeted Killings” (2003) 36(2) Cornell ILJ 270; François Bugnion, “Jus ad Bellum, Jus in Bello and Non-International Armed Conflicts” (2003) 6 Yearbook of International Humanitarian Law 175–176. See generally Tallinn Manual (n. 21) R26C20; Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 142. 164 Prosecutor v Kordić, Čerkez (Judgment) ICTY-95–14/2-A, AC (17 December 2004) para. 341. 165 See sub-chapter 6.2.1. 166 Charles Garraway, “Can the Law of Armed Conflict Survive 9/11?” (2011) 14 Yearbook of International Humanitarian Law 389. 260 Chapter 7 the statutes of the ICTR167 and Sierra Leone Special Court,168 as well as the 1996 Draft Code of Crimes against the Peace and Security of Mankind).169 However, in reality, some governments (for example, those that have not ratified the Rome Statute) prefer to rely on internal disciplinary systems, which will produce comparatively lighter sentences or none at all for members of their states’ cyber-forces.

7.5.2 Prohibited Conduct in War Archaic cyber-terrorism can include various acts of violence via cyber-space or threats that primarily aim to intimidate the general civilian population.170 A direct intention to frighten the civilian populace is paramount, since neither accidental nor collateral terror (consider the American “shock and awe” tactic that might feature a cyber-element in the future) is prohibited and, consequently, it does not fall under the archaic definition of terrorism.171 It seems obvious that the prospect of death or bodily injury scares civilians, regardless of the means employed, especially if the victims are random.172 Therefore, all cyber-attacks that in any way deliberately endanger health (for instance, corrupting hospital computers) would constitute acts of archaic cyber-terrorism if carried out during an armed conflict. Cassese rightly observes that, as long as damage results in the terrorizing effect on the civilian population, no casualties are required for such conduct to be an act of terror.173 However, does damaging data constitute an equally prohibited act here? One might, again, consider the definition in the Draft Comprehensive Convention. At least currently, it represents a consensus between states that, to a degree, reflects customary law, and, as such, it leaves hints on what “violence” or threat thereof might entail. It specifically refers to “damage to public or private property” (a non-exhaustive list) which is either “serious” or “likely to result in major economic loss”.174

167 Statute of the International Tribunal for Rwanda (adopted 8 November 1994, amended 13 October 2006) Art. 4(d). 168 Statute of the Special Court for Sierra Leone (adopted 16 January 2002) Art. 3(d). 169 ILC, “Draft Code of Crimes against the Peace and Security of Mankind”, 48th Session, Supplement No. 10 (6 May–26 July 1996) UN Doc A/CN.4/L.532, Art. 20(f)(iv). 170 See sub-chapter 7.2.2. 171 Tallinn Manual (n. 21) R36C3, R36C4, R36C5. 172 See generally Alex P. Schmid, “The Definition of Terrorism” in Alex P. Schmid (ed.), Routledge Handbook on Terrorism Research (Routledge 2011) 84. 173 See Cassese, International Criminal Law (n. 31) 156. 174 “Informal Texts of Articles 2 and 2 bis” (n. 34) Annex II, Art. 2(1)(b), 2(1)(c). Note that a similar clause is present in the Terrorist Bombing Convention (n. 27) Art. 2(1)(b). Cyber-terrorism 261

Today, it is not disputed that information and data can constitute intangible property.175 Nonetheless, when it comes to the archaic concept of terrorism, it must be noted that fear in civilians can emerge only as a result of attacks against objects that are essential for the functioning of the economy and society as a whole, that is a major part of critical infrastructure. This logic seems to be supported by the 2011 Report of the CTITF’s Working Group on Countering the Use of the Internet for Terrorist Purposes, which described cyber-terrorism as “launch[ing] network-based attacks against critical infrastructure”, albeit by “terrorist organizations”.176 Cyber-strikes against these targets or credible threats thereof may significantly contribute to the creation of restlessness and mob-mentality among the general population and, therefore, can constitute acts of archaic cyber-terrorism absent any immediate risk to life. Next, one should address the legal issues related to the freedom fighter dilemma in armed conflict, as it has traditionally constituted a contentious gray area of international law.

7.5.3 Freedom Fighters in Cyber-Space In the past, the label of “freedom fighters” was used in a variety of settings where armed resistance was said to be just, also as a jus ad bellum justification for using force. Today, the activities of freedom fighters are regulated by international humanitarian law. The latter specifically distinguishes and provides combatant and prisoner of war status to members of national liberation movements, that is, peoples who are “fighting against colonial domination, alien occupation or racist regimes in the exercise of their right of self-determination”.177 This approach is directly supported by a vast number (more than 170) of states that have ratified the AP1.178 From a legal point of view, only such peoples can be considered “freedom fighters” and all other uses of this expression, particularly in cyber-space, should be viewed as political in nature. As such, they lie outside the scope of inquiry of the present book.

175 For example, consider intellectual property online. 176 CTITF, “Countering the Use of the Internet for Terrorist Purposes—Legal and Technical Aspects” (n. 53) 1, para. 1. 177 Arts. 1(4), 43(1), 43(2), 44(1) of AP1. See generally Peter van Krieken, Terrorism and the International Legal Order (TMC Asser Press 2002) 113, who notes that “in the late 1980s efforts were undertaken to look upon terrorism with some understanding”. 178 With the important exceptions of technologically-advanced India, Iran, Israel, Pakistan, Turkey and the US. 262 Chapter 7

The meaning of the word “peoples” itself is uncertain in international law and it may be interpreted differently by different governments in cyber-warfare (in addition to the freedom fighters themselves). Furthermore, one should emphasize that it is not just people’s motivations that produce a national liberation movement de jure.179 There appears to be a customary requirement that such movements must be recognized by the United Nations or at least relevant regional organizations. If they are not, Article 1(4) of AP1 remains inapplicable. Colonialism, racist regimes and occupations cannot be established online. Nonetheless, this does not eliminate the likelihood of fighting for physical freedom by resorting to cyber-attacks (most realistic in case of foreign occupations). The possibility of such struggles in cyber-space is still yet to be formally recognized, although, their de facto presence is already being felt. For example, groups like Islamic Jihad and G-Force Pakistan engage in cyber-strikes with the purpose of liberating “occupied” Palestine and Kashmir respectively.180 Upon satisfaction of the formalities, members of such groups could be classified as members of the cyber-liberation-movements (or cyber-freedom- fighters) under the existing international law. Like other lawful combatants, the cyber-guerrillas would have a set of obligations that they must follow, including “carrying arms openly” (whichever way it is interpreted in the future) and, if possible, wearing uniforms.181 Legal conflicts may also stem from the controversial nature of the recent counter-terrorism operations (“war on terror”).182 One relevant aspect that has been subject to recurrent exploitation concerns the combatant and prisoner of war privileges of suspected terrorists. Since similar behavior can be expected vis-à-vis archaic cyber-terrorists, these privileges should be addressed here.

7.5.4 Protected Status It was once noted that there is no “intermediate status” in jus in bello and “nobody in enemy hands can be outside the law”.183 Since 2002, the US

179 See generally Siobhan Wills, “The Legal Characterization of the Armed Conflicts in Afghanistan and Iraq: Implications for Protection” (2011) 58(2) Netherlands International Law Review 207. 180 See sub-chapter 7.2.4.2. 181 The legal issues relating to these obligations remain the same as discussed in sub-chapter 6.5.1. See generally Schmid (n. 172) 68. 182 See Marja Lehto, “War on Terror—Armed Conflict with Al-Qaida?” (2010) 78(4) Nordic JIL 499–511. See also Waxman (n. 158) 456. 183 Jean S. Pictet and others, Commentary of the Geneva Conventions: Fourth Geneva Convention (ICRC 1958) 51. Cyber-terrorism 263

Government somewhat degraded the level of overall protection enjoyed by victims of war by defining Taliban and Al-Qaeda detainees as unlawful combatants and denying them prisoner of war as well as civilian detainee status.184 Opposition from international organizations and academics continues to prevent the formation of global opinio juris (a crucial element necessary for the formation of customary norms) that would leave “unlawful combatants” entirely without legal protection.185 Nonetheless, in the future, certain governments may similarly attempt to deny this status to cyber-attackers. One should note that, aside from arbitrary detention, controversial “defensive” acts like targeted killings may also be practiced against suspected cyber- terrorists or group leaders.186 In the words of David Kretzmer, “[t]he state involved will probably claim that it has prevented terrorist attacks, which would have cost the lives of many civilians”.187 Likewise, governments may illegally resort to “targeted cracking” in the framework of the future “war on cyber- terror”.188 How justifiable would such conduct be? Launching cyber-attacks or belonging to a terrorist organization does not deprive freedom fighters or intra-state group forces of their combatant and prisoner of war status, as long as they abide by the obligations imposed upon

184 Note that this interpretation stems from Art. 3 of the 1899 HCA2 (“armed forces of the belligerent parties”), as opposed to AP1, which the USA has not ratified. See Jensen (n. 162) 726; Rona (n. 158) 165; Condorelli, Naqvi (n. 158) 34. For a similar discussion on Israel, see Henning Lahmann, “The Israeli Approach to Detain Terrorist Suspects and International Humanitarian Law: The Decision Anonymous v. State of Israel” (2009) 69(2) Heidelberg JIL 358. 185 See generally Noëlle Quénivet, “The ‘War on Terror’ and the Principle of Distinction in International Humanitarian Law” (2010) 3(2) Colombian Yearbook of International Law 172. 186 See generally Ben-Naftali, Michaeli (n. 163) 291; Peter M. Cullen, “The Role of Targeted Killing in the Campaign against Terror” (2008) 48(1) Joint Force Quarterly 22; Louis R. Beres, “After Osama bin Laden: Assassination, Terrorism, War, and International Law” (2011) 44(1–2) Case Westin Reserve JIL 125; Anthony P. Rogers, Dominic McGoldrick, “Assassination and Targeted Killing—The Killing of Osama bin Laden” (2011) 60(3) ICLQ 787–788; Beth van Schaak, “The Killing of Osama Bin Laden and Anwar Al-Aulaqi: Uncharted Legal Territory” (2011) 14 Yearbook of International Humanitarian Law 293. 187 Kretzmer (n. 162) 200–201. 188 This is especially relevant since some governments started authorizing remote searches of computers of suspected criminals—see Juan C. Pradillo, “Fighting against Cybercrime in Europe: The Admissibility of Remote Searches in Spain” (2011) 19(4) European Journal of Crime, Criminal Law and Criminal Justice 374. Consider also the 2013 testimony of Edward Snowden concerning the US PRISM program. 264 Chapter 7 them by international humanitarian law.189 Since jus in bello only prohibits archaic terrorism, in theory, participation in cyber-attacks that constitute non- overlapping conventional terrorism (for instance, acquiring funds through cyber-attacks for terrorists purposes) does not remove combatant or prisoner of war privileges. Though maybe a political paradox, under international law it is possible for one person to be a freedom fighter and a conventional terrorist. Notably, governments of the OIC states insist upon excluding applicability of the future Comprehensive Convention in situations of struggle against foreign occupation.190 This stance of Islamic nations, which became most apparent in response to the occupation of Palestine, continues to be relevant in the more recent conflicts and is aimed at protecting members of legitimate liberation movements (as recognized by AP1) from being branded “terrorists” (and, thus, criminals). In determining whether cyber-combatants were involved in acts of archaic terrorism or whether civilians participated in hostilities this way, before denying them legal protection one must consider that, as in the case of traditional terrorist organizations, suspects may belong to a group that consists of cyber- attackers, organizers, donors, facilitators, trainers, provocateurs, and persons who are engaged in non-related services (cooks, for example), each with a different form of responsibility.191 In each case, archaic cyber-terrorists are legally entitled to “fundamental guarantees” set out in the GCs.192

189 Art. 44(2), 44(5) of AP1. 190 “Informal Texts of Articles 2 and 2 bis” (n. 34) Annex IV, “Text proposed by the Member States of the Organization of the Islamic Conference”, para. 2: “The activities of the parties during an armed conflict, including in situations of foreign occupation, as those terms are understood under international humanitarian law, which are governed by that law, are not governed by this Convention”. 191 See Gerald L. Neuman, “Humanitarian Law and Counterterrorist Force” (2003) 14(2) EJIL 289. See also Kretzmer (n. 162) 193, 198; Jean-Philippe Kot, “Israeli Civilians versus Palestinian Combatants? Reading the Goldstone Report in Light of the Israeli Conception of the Principle of Distinction” (2011) 24(4) Leiden JIL 986. 192 Art. 75 of AP1; Art. 4 of AP2. See also Common Art. 3 of the GCs. Note that the US Supreme Court found that Common Art. 3 to the GCs was applicable to Al-Qaeda sus- pect in Hamdan v Rumsfeld, 548 US 557 (2006) 632, a position that the US government accepted—see John Cerone, “Misplaced Reliance on the ‘Law of War’ ” (2007) 14(1) New England Journal of International & Comparative Law 68–70. Cyber-terrorism 265

7.6 Conclusion

This chapter addressed the legal issues surrounding cyber-terrorism. It established that, despite the lack of a universal definition of terrorism, the existing international law is formed by two solid concepts, the archaic and conventional, which are equally relevant and applicable in the cyber-terrorism context. Everyone from states to single individuals can perpetrate acts of cyber- terrorism, though different rules apply to different actors. The rift between the two concepts identified above is primarily responsible for international law imperfections that governments can exploit, inter alia, in cyber-space. It is doubtless that future convergence of these legal regimes will require careful supervision in order to reduce the substantial amount of identified imperfections of law that exist in the field of cyber-terrorism. At the same time, should the issue of unequal applicability to different categories of actors in cyber-space be resolved, these concepts could become more complementary in the future. For instance, the archaic terrorism regime regulates those cases of violence in cyber-space (as long as it is committed in the context of an armed conflict) that conventional terrorism does not, while the latter is more flexible and, as such, can more easily incorporate the prohibition of cyber- terrorist attacks into lex scripta. The present chapter dealt with terrorism—an area of international law traditionally believed to be devoid of clarity, inter alia, as a result of various governments’ manipulations and conflicting state practice. In this field, the current chapter continued to identify significant jus ad bellum and jus in bello imperfections exploitable in cyber-warfare. The next chapter will deal with the existing mechanisms of collective security meant to prevent such exploitation and look at whether it resolves or adds to the problems identified in Chapters 5, 6 and 7. CHAPTER 8 Role of International Organizations

8.1 Introduction

The preceding three chapters focused on the legal framework regulating use of force and international humanitarian law. Its applicability to cyber-attacks was analyzed, revealing a number of juridical uncertainties, deficiencies and gaps that can be exploited in the context of individual state actions. The current chapter serves to demonstrate that norms pertaining to the existing mechanisms of collective security also feature exploitable imperfections, despite the expected effectiveness of the legal framework. Such mechanisms are important not only because they encourage state adherence to the jus ad bellum and jus in bello norms in practice, but also because the United Nations (UN) and, to a lesser degree, other international organizations are the entities which provide the opportunity for creating new laws and interpreting old ones collectively with the goal of reducing exploitability of their uncertainties, deficiencies and gaps. The attention in this chapter is particularly focused on the UN, as it is the only organization with a global scope sufficient to regulate activities in cyber-space. Due regard is also paid to the North Atlantic Treaty Organization (NATO), as it increasingly influences interpretation of international law in the field of cyber-warfare. The chapter is divided into five parts. The first part tackles the existing approach of the UN to cyber-attacks. It is argued here that the current approach of the United Nations is inadequate and that it contributes to the overall problem of exploitation of legal imperfections in the context of cyber-warfare. The second part analyzes the originally envisioned role of the major UN bodies as a potential solution to the problem of exploitation of international law’s imperfections. It discusses the role that the United Nations can assume in regards to the exercise of individual and collective state action vis-à-vis cyber-attacks, as well as how the UN Security Council’s (UNSC) Chapter VI and Chapter VII powers can serve as a response to the general threat. The General Assembly’s Uniting for Peace plan (U4P) is reviewed as an auxiliary system in case the Security Council fails. This part further analyzes the legal concept of the Responsibility to Protect (R2P) that directly impacts on the work of the UNSC and the UN General Assembly (UNGA).

The second part also concentrates on the most important existing tools that the Security Council or the General Assembly can use in the context of collective security. One section, therefore, focuses on potential peacekeeping and peace enforcement in or via the cyber-space. It argues that specific aspects need to be addressed in order to maximize the effectiveness of such peace operations in this realm. The feasibility of establishing arms control in cyber- space or devising a cyber-disarmament treaty is evaluated as well. The last part of this chapter looks at the role that the existing international law prescribes to regional and military organizations, particularly within the framework of collective security analyzed in the previous parts. It evaluates whether the current activities and preparations for cyber-warfare match the envisioned role, focusing on NATO as the most notable player in this field.

8.2 United Nations as Part of the Problem

A number of general changes were initiated by Kofi Annan (for instance, in the UN Secretariat) that, arguably, improved the overall effectiveness of the UN system and made it more transparent. However, when it comes to the area of peace and security, the United Nations structure continues to be a frequent point of criticism, subject to repeated calls for reform. Particular concerns pertain to the structure of the UN Security Council that privileges victors of the WW2, providing them with the permanent membership in the UNSC and the power of veto. Calls for a more balanced geographical distribution of permanent seats (with Brazil, Germany, India and Japan making the strongest claims) have been ignored. That being said, this sub-chapter looks beyond the structural imperfections of the UN. A number of important questions must be asked in light of the analysis in the previous chapters. What role has the UN assumed in relation to cyber-warfare? Has it contributed to the understanding of how and whether jus ad bellum and jus in bello norms must adjust to the new environment of cyber-space? The present sub-chapter considers whether enough attention is paid to the issue of cyber-warfare. It further explores if the approach to cyber-attacks and cyber-terrorism, chosen by the United Nations agencies, contributes to the main problem highlighted in this book, namely, the potential exploitation of international law’s deficiencies, uncertainties and gaps (which underscores the lack of legal clarity, in turn jeopardizing peace and security). 268 CHAPTER 8

8.2.1 Excessive Emphasis on Cyber-Crime In 2003, the Permanent Monitoring Panel on Information Security concluded that due to “the ubiquitous nature of the Internet”, the United Nations is the ideal actor to lead the “inter-governmental activities for the functioning and protection of cyber-space so that it is not exploited by criminals, terrorists, and states for aggressive purposes”.1 Although the UN organization has been dealing with the issue of cybercrime since as early as 1990, one needs to raise the question whether its response to the threat of cyber-warfare remains vague and unacceptably slow.2 Concentrating on the ideas of improving confidence-building, capacity- building, mutual dialogue and cooperation in criminal matters under the Internet Governance umbrella, the UN agencies have so far not come up with any concrete suggestions vis-à-vis collective security.3 It is admitted that a threat to international security exists.4 However, alarmingly, none of the existing documents and resolutions considers cyber-attacks as a potential part of warfare, instead practically always treating them merely as criminal acts.5

1 World Federation of Scientists Permanent Monitoring Panel on Information Security, “Toward a Universal Order of Cyberspace: Managing Threats from Cybercrime to Cyberwar” (Report & Recommendations, WSIS-03/GENEVA/CONTR/6-E, ITU 19 November 2003) 15, 19. See also Nat Katin-Borland, “Cyberwar: A Real and Growing Threat” in Sean S. Costigan, Jake Perry (eds.), Cyberspaces and Global Affairs (Ashgate 2012) 16: “The cyber security problem is global and will not be resolved by the efforts of just one state or group of states”. 2 See generally United Nations Manual on the Prevention and Control of Computer-Related Crime (UN 1994) para. 123. Note that although it is not binding, this manual represents UN’s first serious attempt to deal with specific computer related crimes. 3 See generally Working Group on Internet Governance (WGIG), “Report of the Working Group on Internet Governance” (WGIG 2005) op para. 10 accessed 1 August 2015. 4 For instance, see Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, “Report[s] of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” (Reports, UN 2010, 2013) UN Docs A/65/201, A/68/98. 5 See generally UNGA documents on the “Developments in the Field of Information and Telecommunications in the Context of International Security”: from UNGA Res 51/210 (17 December 1996) UN Doc A/RES/51/210 to UNGA Report 67/27 (3 December 2012) UN Doc A/RES/67/27; “Combating the Criminal Misuse of Information Technologies”: UNGA Res 55/63 (4 December 2000) UN Doc A/RES/55/63, UNGA Res 56/121 (19 December 2001) UN Doc A/RES/56/121; “Global Culture of Cybersecurity”: UNGA Res 57/239 (20 December 2002) UN Doc A/RES/57/239, UNGA Res 58/199 (23 December 2003) UN Doc A/RES/58/199, UNGA Res 64/211 (21 December 2009) UN Doc A/RES/64/211; WSIS, “Geneva Declaration of Principles Role of International Organizations 269

Emphasis on the criminal nature of cyber-strikes has resulted in the development of techniques and structures that presuppose inter-state dialogue, whereas, for obvious reasons, such dialogue will be absent during armed confrontations. Thus, few (if any) approaches developed for tackling cyber-crime can be of any use in the context of cyber-warfare. The problem is further complicated by the continuing disparity between the Shanghai Cooperation Organization’s (SCO) and Western approaches to cyber-space, which has political spill-over effects even in the field of cybercrime. Some authors optimistically mention that progress has been achieved, when in 2010, after a “long impasse”, the United States and Russia started to work together on issues of cyber-security.6 However, the same year, a Russian proposal for an international treaty on cyber-crime, at the 12th pentennial UN Crime Congress, was rejected by the European Union (EU) and the US.7 The US argued that there was no need for another agreement beside the 2001 Council of Europe’s (CoE) Convention on Cybercrime—a treaty from which Russia deliberately withdrew its signature.8 The issue of cyber-security within the UN is primarily delegated to its smaller specialized body, the International Telecommunication Union (ITU). While the ITU is an organization that deals with technical standards and related aspects of cyber-security, it is argued that its Secretary-General has turned the ITU

and Plan of Action” (ITU 2003) accessed 1 August 2015; World Summit on the Information Security, “Tunis Commitment” (ITU 2005) accessed 1 August 2015. 6 Oona A. Hathaway and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review 861. 7 “UN Rejects International Cybercrime Treaty” (Computer Weekly, 20 April 2010) accessed 1 August 2015. 8 Convention on Cybercrime (adopted 8 November 2001, entered into force 1 July 2004) 185 CETS (Cybercrime Convention). Russia is not willing to adopt this treaty due to the sovereignty-breaching possibility of accessing computer data without the government’s authorization (especially by non-members of the CoE). Also, China considers the crimes listed in the Cybercrime Convention outdated and, therefore, the instrument itself obsolete. The ITU (where China and Russia play an important role) does not favor the universalization of this convention neither—see Keir Giles, “Russia’s Public Stance on Cyber/Information Warfare” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 67; Keir Giles, “‘Information Troops’— a Russian Cyber Command?” in Christian Czosseck, Enn Tyugu, Thomas Wingfield (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011) 51. 270 CHAPTER 8 into a norm-setting body.9 Indeed, after his appointment in 2007, Hamadoun I. Touré launched the “Global Cybersecurity Agenda”, aimed to promote better cooperation against cyber-threats, and led the ITU into collaboration with the International Multilateral Partnership Against Cyber Threats (IMPACT). Currently, the ITU maintains a roster of experts who can be called for help, develops cyber-defense capabilities of the member states and attempts to harmonize national legal frameworks (also through its Global Cyber-Security Index project).10 The work of the ITU, however, remains largely geared towards cyber-crime, which is persistently viewed as constituting the cyber-threat itself. One might argue that, in spite of being a “consensus-driven organization” with unenforceable decisions and resolutions, the ITU has the potential for regulating cyber-warfare through the development of soft law.11 Nevertheless, no attempt to consciously do this has yet been made, possibly due to the perceived lack of sufficient political authority. Although, according to its Constitution, the ITU intends to “promote the use of telecommunication services with the objective of facilitating peaceful relations”, it generally lacks the mandate to deal with cyber-attacks rising to the level of a threat to peace and security.12 In other words, while, in theory, capable of coordinating a response to small-scale and medium-scale level cyber-crime, the ITU is not fit to take the leading role vis-à-vis cyber-warfare or severe cyber- attacks with serious political repercussions that can be expected to automatically involve major non-technical UN entities, above all, the Security Council.

9 Tim Maurer, “Cyber Norm Emergence at the United Nations—An Analysis of the UN’s Activities Regarding Cyber-Security” (Discussion Paper 2011–11, Belfer Center for Science and International Affairs 2011) 29–31 accessed 1 August 2015. 10 Ibid., 29; Zeinab Karake-Shalhoub, Lubna al Qasimi, Cyber Law and Cyber Security in Developing and Emerging Economies (Edward Elgar Publishing 2010) 137. 11 See generally David A. Gross and others, “Cyber Security Governance: Existing Structures, International Approaches and the Private Sector” in Kristin M. Lord, Travis Sharp (eds.), America’s Cyber Future: Security and Prosperity in the Information Age, vol. 2 (Center for a New American Security 2011) 114; Lesley Swanson, “The Era of Cyber Warfare: Applying International Humanitarian Law to the 2008 Russian-Georgian Cyber Conflict” (2010) 32(2) Loyola of Los Angeles International and Comparative Law Review 327. 12 See Constitution of the International Telecommunication Union (adopted 22 December 1992, last amended 1 January 2004) ITU, Art. 1(1)(e). Role of International Organizations 271

Potential expansion of the ITU’s “organizational mandate and structure”, suggested by David Kraemer, is not yet in sight.13 Similar concerns also arise in relation to other UN bodies that de facto have a secondary role in tackling cyber-security, but which are also orientated towards cyber-crime and not cyber-warfare. These include the UN Economic and Social Council, as well as the UN Office for Drugs and Crime (UNODC).14 On the other hand, the UN International Criminal Research Institute (UNICRI) and the UN Institute for Disarmament Research (UNIDIR), which seem to recognize cyber- warfare as a threat, never bothered to step out of their comfort zone of merely conducting seminars and summarizing already-existing developments.15 Extreme focus on cyber-crime by the UN agencies and the lack of attempts to preventively regulate cyber-warfare even on the soft law level inevitably contribute to the main problem identified in the previous chapters: governments are not prevented from exploiting legal imperfections of jus ad bellum and jus in bello norms, whether due to their deliberate political (and financial) manipulations involving rejection of a larger role of the UN agencies, general rigidness of the latter, or both. Since individual governments can escalate the status of conventional terrorist acts from international crimes to matters of international security, special attention should be paid to how the UN tackles cyber-terrorism.

8.2.2 Underplaying Cyber-Terrorism For more than 15 years, both the UNGA and the UNSC have been determined to eliminate international terrorism “in all its forms and manifestations”.16 Yearly, the Security Council stresses that terrorism constitutes “one of the most serious threats to peace and security” and that it is “unjustifiable regardless

13 See David S. Kraemer, “Addressing Global Cyberthreats Through International Colla boration” (2013) 45(Online Notes) George Washington International Law Review 92, 116. 14 See generally Götz Neuneck, “Chapter 2: Assessment of International and Regional Organizations and Activities” in UNIDIR, The Cyber Index: International Security Trends and Realities (UN 2013) 94; UNODC, Comprehensive Study on Cybercrime, Draft (UN 2013) accessed 1 August 2015; “Cyber Crime: Issues and Explanations” (UNICRI) accessed 1 August 2015. 15 See generally “Emerging Security Threats” (UNIDIR) accessed 1 August 2015. 16 See UNGA Res 52/165 (15 December 1997) UN Doc A/RES/52/165; UNSC Res 1189 (13 August 1998) UN Doc S/RES/1189. 272 CHAPTER 8 of [terrorists’] motivations”.17 Furthermore, it declared that acts, methods and practices of terrorism are contrary to the purposes and principles of the United Nations per se.18 The General Assembly condemned these methods and practices prior to,19 during,20 and after21 the unanimous adoption of the 2006 Global Counter- Terrorism Strategy (hereinafter Strategy). All three Strategy review resolutions renewed the “unwavering commitment” to cooperate in order to prevent and combat terrorism and condemned such acts carried out by “whomever, wherever and for whatever purposes” (emphasis added).22 Active implementation of the Strategy and relevant resolutions show that it is supported by uniform state practice and opinio juris.23 Since cyber-terrorism represents an act of terrorism committed via computerized devices (the possibility of which increasingly attracts public attention and concern), it would be reasonable to state that it is, therefore, a new form and manifestation. As such, it deserves equal condemnation and attention from the UN’s general counter-terrorism effort.

17 See UNSC Res 1989 (17 June 2011) UN Doc S/RES/1989; UNSC Res 2083 (17 December 2012) UN Doc S/RES/2083; UNSC Res 2129 (17 December 2013) UN Doc S/RES/2129. 18 See UNSC Res 1373 (28 September 2001) UN Doc S/RES/1373. 19 See UNGA Res 50/53 (11 December 1995) UN Doc A/RES/50/53; UNGA Res 51/210 (17 December 1996) UN Doc A/RES/51/210; UNGA Res 52/165 (15 December 1997) UN Doc A/RES/52/165; UNGA Res 53/108 (8 December 1998) UN Doc A/RES/53/108; UNGA Res 54/110 (9 December 1999) UN Doc A/RES/54/110; UNGA Res 55/158 (12 December 2000) UN Doc A/RES/55/158; UNGA Res 56/88 (12 December 2001) UN Doc A/RES/56/88; UNGA Res 57/27 (19 November 2002) UN Doc A/RES/57/27; UNGA Res 58/81 (9 December 2003) UN Doc A/RES/58/81; UNGA Res 59/46 (2 December 2004) UN Doc A/RES/59/46; UNGA Res 59/191 (20 December 2004) UN Doc A/RES/59/191; UNGA Res 60/43 (8 December 2005) UN Doc A/RES/60/43. 20 UNGA Res 60/288 (8 September 2006) UN Doc A/RES/60/288. 21 UNGA Res 61/40 (4 December 2006) UN Doc A/RES/61/40; UNGA Res 62/71 (6 December 2007) UN Doc A/RES/62/71; UNGA Res 63/129 (11 December 2008) UN Doc A/RES/63/129; UNGA Res 64/118 (16 December 2009) UN Doc A/RES/64/118; UNGA Res 65/34 (6 December 2010) UN Doc A/RES/65/34; UNGA Res 66/105 (9 December 2011) UN Doc A/RES/66/105; UNGA Res 67/99 (14 December 2012) UN Doc A/RES/67/99; UNGA Res 68/119 (16 December 2013) UN Doc A/RES/68/119. 22 UNGA Res 62/272 (5 September 2008) UN Doc A/RES/62/272; UNGA Res 64/297 (8 September 2010) UN Doc A/RES/64/297; UNGA Res 66/282 (29 June 2012) UN Doc A/ RES/66/282. 23 Kelly A. Gable, “Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent” (2010) 43(1) Vanderbilt Journal of Transnational Law 107. Role of International Organizations 273

In fact, the UN Security Council has previously expressed its deep concern about criminal misuse of the Internet (and other communication technologies) by terrorist organizations, such as Al-Qaeda, in furtherance of terrorist attacks.24 The UN Strategy not only appears to condemn various forms of terrorism, but also calls upon states to take urgent action to prevent and combat all of the manifestations of terrorist activities (logically, including cyber-terrorism).25 In the latest Strategy review resolution of 2012, states openly expressed their concern “at the increasing use [. . .] by perpetrators of terrorist acts of new information and communications technologies”.26 Internet terrorism is specifically mentioned in Pillar II of the Strategy, in which states pledge to explore means to “[c]oordinate efforts at the international and regional levels to counter terrorism in all its forms and manifestations on the Internet” and to “[u]se the Internet as a tool for countering [. . .] [its] spread”.27 It must be noted that the Strategy has a significant legal flaw: it ties terrorism to the use of the Internet, and not to the use of the wider cyber-space, which includes non-Internet-based networks. However, this flaw is somewhat remedied by Pillar II that further seeks to improve the security and protection of “particularly vulnerable targets” (which, from a rational standpoint, include all those susceptible to serious cyber-attacks), while Pillar III encourages the identification and sharing of best practices in preventing terrorist attacks against them.28 The Counter-Terrorism Committee currently remains the main anti- terrorism UN body. However, the task of countering terror via cyber-space is delegated to the Counter-Terrorism Implementation Task Force (CTITF). The latter is meant to enhance coordination and coherence of the UN system efforts, inter alia, through its working groups and the recently activated Counter-Terrorism Center. The CTITF’s Working Group on Countering the Use of the Internet for Terrorist Purposes (hereinafter Working Group) composed of representatives of various international organizations (among them, the ITU, UNICRI and

24 For instance, see UNSC Res 2129 (n. 17) op para. 14; UNSC Res 1735 (22 December 2006) UN Doc S/RES/1735; UNSC Res 1822 (30 June 2008) UN Doc S/RES/1822. 25 UN Global Counter-Terrorism Strategy: Plan of Action, Annex to UNGA Res 60/288 (20 September 2006) UN Doc A/RES/60/288, paras. 1, 2. 26 UNGA Res 66/282 (n. 22) op para. 19. 27 Global Counter-Terrorism Strategy (n. 25) Ch II paras. 13(a), 13(b). 28 Ibid., Ch II para. 18, Ch III para. 13. 274 CHAPTER 8

UNODC) has a clear mandate to tackle Internet terrorism.29 The group’s terms of reference are constrained to the Internet and not to cyber-space due to the specific wording of the Strategy. Nevertheless, as argued above, the existing framework allows it to engage in protection of “particularly vulnerable targets” under Pillars II and III, thus tackling cyber-terrorism in its entirety. In fact, the Working Group already feels comfortable using the term “cyber-terrorism” in its reports.30 The problem, however, lies in the de facto focus of the Working Group under the de facto leadership of the 1267/1989 Monitoring Team, oriented towards ordinary terrorist use of the Internet.31 As with the case of one-sided focus on cyber-crime (which the Working Group also seems to lean towards), such an approach does little to stop governments from exploiting uncertainties, deficiencies and gaps of the jus ad bellum and jus in bello norms. The first Working Group’s contribution to fighting cyber-terrorism itself is the 2009 Report that analyzed various approaches taken towards countering, inter alia, the “use of the Internet to perform terrorist attacks by remotely altering information on computer systems or disrupting the flow of data”.32 The Report rightly observed that “in computer emergencies there is often no obvious place to go for help”, but it does not properly acknowledge the threat of cyber-terrorism, emphasizing instead that there is an “overwhelming” agreement (among “[s]tates, industry and academia”) that the “most important political contribution to the fight against [. . .] cyber-attacks by terrorists [. . .] is the development and expansion of sensible, interoperable cyber-crime laws” (emphasis added).33

29 Other Working Group’s entities include the CTITF Office itself, Alliance of Civilizations, Counter-Terrorism Executive Directorate, Department of Public Information, Inter national Criminal Police Organization (Interpol), Office of the High Commissioner for Human Rights, Special Rapporteur on Promotion and Protection of Human Rights While Countering Terrorism, United Nations Educational, Scientific and Cultural Organization. 30 The reports are discussed further in this section. 31 1267/1989 Monitoring Team stands for Monitoring Team of the Security Council Committee pursuant to resolutions 1267 (1999) and 1989 (2011) concerning Al-Qaeda and associated individuals and entities. 32 CTITF, “Countering the Use of the Internet for Terrorist Purposes” (Working Group Report, UN 2009) paras. 22–30 accessed 1 August 2015. 33 Ibid., paras. 30–31. Role of International Organizations 275

The role envisaged for the UN in the Report is very modest and collective security is not mentioned at all.34 In fact, it is stated that “given that there is not yet an obvious terrorist threat in [. . .] [the cyber-security] area, it is not obvious that it is a matter for action within the counter-terrorism remit of the United Nations”.35 If such threat does materialize, the Report suggests considering a new counter-terrorism treaty.36 At the same time none of the existing counter- terrorism instruments (that may prohibit certain cyber-terrorist attacks) are mentioned. Instead of “particularly vulnerable” assets addressed in the Strategy, the Report focuses on critical infrastructure.37 Whereas a new treaty on protection of the latter may indeed somewhat reduce the possibility of launching attacks against them, its adoption, presently, seems too remote. The Working Group’s 2011 follow-up Report, while providing a greater overview of technical and legal matters, again does not acknowledge the fact that cyber-terrorism is a dependent variable.38 Instead, throughout the 2011 Report, cyber-terrorism is mixed with ordinary cyber-crime, presenting additional grounds for political exploitation of the lack of a general definition of terrorism.39 It is also noteworthy that one of the Working Group’s entities, the UNODC, refused to consider cyber-attacks that bear the same characteristics as an act of terrorism in its 2012 study on misuse of the Internet.40 As with the case of cyber-warfare generally, lack of due attention to cyber- terrorism in the jus ad bellum and jus in bello contexts may constitute a result of manipulations by those governments that are interested in preserving

34 The role of the UN includes “facilitating Member States sharing of best practices”, “building a database of research into use of the Internet for terrorist purposes”, “more work on countering extremist ideologies”, “creation of international legal measures aimed at limiting the dissemination of terrorist content on the Internet”—see ibid., para. 90. 35 Ibid., para. 92. 36 Ibid. 37 Ibid. 38 CTITF, “Countering the Use of the Internet for Terrorist Purposes—Legal and Technical Aspects” (Working Group Report, UN 2011) accessed 1 August 2015. 39 As mentioned in Chapter 7, the 2011 Report itself describes cyber-terrorism as “terrorist organizations [. . .] launch[ing] network-based attacks against critical infrastructure”— see ibid., 1, para. 1. 40 See UNODC, The Use of the Internet for Terrorist Purposes (UN 2012) para. 28 accessed 1 August 2015. 276 CHAPTER 8 international law in its current form in order to enable the continuous exploitation of its imperfections in the future. In these circumstances, aside from treating terrorism as a dependent variable, how else can the UN agencies reduce uncertainties and exclude the possibility of double standards? Since the CTITF is a supervisory body, it has the capacity to adopt a coordinated response strategy to serious cyber-terrorist strikes, similar to the one it has on nuclear and radiological attacks.41 Such strategy can, inter alia, anchor concrete plans of rapid and coordinated assistance by various UN bodies and a network of computer emergency response teams (CERTs) under the United Nations’ leadership. A pre-agreed plan of action is particularly important in light of the UN’s infamous hesitancy to act (arising from political factors), as well as the potential necessity to cooperate with a large number of private actors. Exposure to international assistance will reduce the discretion that governments have in recognizing their state’s right of self-defense against cyber- terrorists, reasonably limiting their scope of response. Other support (such as locating and holding international cyber-terrorists responsible) can also be made available to the attacked states or those under imminent threat of being attacked. Particular emphasis could be put on effective collaboration between the Security Council and the ITU, as the former is already actively engaged in counter-terrorist activities, whilst the latter possesses technical expertise, which the United Nations Security Council lacks, yet requires in this matter. Finally, it is worth asking whether the potential for the full UN bodies’ cooperation in the field of cyber-terrorism is fully realized. Nuclear and aircraft facilities remain one of the most vulnerable objects for serious cyber-attacks; in addition, their targeting is criminalized by the respective anti-terrorism conventions.42 Thus, the International Atomic Energy Agency (IAEA) and the International Civil Aviation Organization (ICAO), that currently comprise a part of the CTITF, could be more actively involved in multilateral efforts to counter cyber-terrorism. Their absence from the Working Group remains an anomaly. Having discussed the role that the smaller UN bodies play, one must now consider whether mechanisms of collective security involving major fora

41 See CTITF, “Interagency Coordination in the Event of a Nuclear or Radiological Terrorist Attack: Current Status, Future Prospects” (Working Group Report, UN 2010) accessed 1 August 2015. 42 See sub-chapter 7.3.1. Role of International Organizations 277 within the United Nations can properly function in responding to cyber- attacks generally.

8.3 United Nations as Part of the Solution

Because international law features significant imperfections in its regulation and response to cyber-warfare (as shown in the previous chapters of the present book), one should consider whether the current legal regime also offers tools for the control of these uncertainties, deficiencies and gaps and for the prevention of their exploitation. Since the United Nations was conceived primarily as an imbalanced political organization and it can be somewhat susceptible to manipulation, these tools themselves are not perfect and governments may attempt to rely upon them and exploit their imperfections as well. Thus, such mechanisms must be and are viewed in the present sub-chapter critically. Currently, the most effective mechanism is the UN Security Council, which is, inter alia, meant to ensure that states do not abuse the right to self-defense and which is responsible for collective security generally. Should it fail, international law provides an auxiliary system in the form of the General Assembly and its U4P plan. Particular attention in the present sub-chapter is paid to the theoretical possibility of establishing peace operations and arms control, as the most powerful pre-existent tools at the disposal of the UNGA and UNSC. Nowadays, the work of the two major UN organs is juridically influenced by the Responsibility to Protect, which is also analyzed in this sub-chapter.

8.3.1 Constraining Self-Defense Under the UN Charter, the right to both individual and collective self-defense is preserved and cannot be impaired until the Security Council “has taken measures necessary to maintain international peace and security”.43 Additionally, it cannot “affect the authority and responsibility of the Security Council [. . .] to take at any time such actions as it deems necessary”.44 Like in other cases, the UNSC can approve self-defense in cyber-space or in response to cyber-attacks; it can declare a general cyber-ceasefire, or, in case of abuse, condemn it as aggressive action and call for its stop.

43 Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 892 UNTS 119, Art. 51. 44 Ibid. 278 CHAPTER 8

To facilitate this, Article 51 of the UN Charter requires the attacked states to immediately report measures taken in the exercise of their right of self-defense to the Security Council.45 The Tallinn Manual justly extends this requirement to cyber-operations, however it leaves unanswered how detailed the report must be and whether passive defense measures in cyber-space should be reported alongside active ones.46 Absent clarifications, determining the scope of this responsibility falls under the discretion of the government in control of the state exercising the right to self-defense. Does this represent a problem in the context of cyber-warfare? In 1986, the ICJ implied that the reporting duty may not be part of customary law at all.47 As Albrecht Randelzhofer and Georg Nolte note, the UNSC’s frequent political failure to perform its main duty during the Cold War has resulted in the erosion of respect for obligations to report and to discontinue self-defense.48 However, if governments entirely ignored the obligation to report, it would represent a bigger challenge in the context of cyber-space, where not only strikes are carried out under the veil of secrecy, but also where they may lie on the borderlines between armed attack, use of force and ordinary cyber-crime. In this environment, the importance of factors “indicating whether the State in question [is] itself convinced that it [is] acting in self- defence” is obviously increased.49 When it comes to the obligation to discontinue defensive use of force, notably, a minority of the Tallinn Manual authors took the view that the UNSC must

45 Ibid. 46 See Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R17. 47 Military and Paramilitary Activities in and against Nicaragua (Nicaragua v USA) (Merits) [1986] ICJ Rep, para. 200. Note that Yoram Dinstein, who argues that Nicaragua decision implied that the right of self-defense might be discontinued if a state failed to comply with the reporting duty, still supports preserving this right in the context of cyber-attacks until effective measures to restore international peace have been taken (unless ruled otherwise by the Security Council)—see Yoram Dinstein, “Computer Network Attack and Self-Defense” (2002) 76 International Law Studies 113–114. See generally Tallinn Manual (n. 46) R17C1. 48 Albrecht Randelzhofer, Georg Nolte, “Article 51” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary (3rd edn., OUP 2012) 1425. 49 Nicaragua Case (n. 47) para. 200. See also Gregory D. Grove, Seymour E. Goodman, Stephen J. Lukasik, “Cyber-Attacks and International Law” (2000) 42(3) Survival 95: “If no declaration is made, this may set a precedent that the attack (and response) are not uses of force. If it is made, this may set a precedent that the attack (and response) do constitute force”. Role of International Organizations 279 not “expressly divest” self-defense rights.50 The aggressor-government may rely on this argument in case the counter-strikes against its state continue after the Security Council has taken action, while the defending state’s government can insist on the opposite. Finally, Dimitrios Delibasis once argued that the extraordinary nature of information warfare “ideally demand[s] that the potential lawfulness of all self-defense claims [. . .] is evaluated by a [new] competent international forum specifically created for that purpose”.51 Should this position be supported in the context of cyber-warfare? The UNSC is expected to intervene in case of a use of force, regardless of the domain where it is employed. As argued in the previous sub-chapter, lack of expertise in cyber-security can be compensated by the Security Council’s closer cooperation with its more technical organs, such as the ITU. Therefore, creation of a special forum is not urgent and will, likely, be prevented by governments of those five technologically-advanced states that have a veto privilege in the UNSC (P5).52 Delibasis’ argument, therefore, should be rejected.

8.3.2 Security Council’s Legislative Powers Aside from controlling the exercise of self-defense on behalf of the United Nations, the UNSC has a role sometimes described as “legislative”.53 After all, its Chapter VII decisions immediately de jure bind all UN members and de facto also non-members in the world.54 Therefore, by adopting or rejecting resolutions, the UNSC members can remedy situations where international law is violated or its imperfections exploited. On the other hand, the Security Council can be manipulated into transforming political arguments of a government into legal (yet not necessarily legitimate) grounds, which become decisive in warfare. During the last two decades, the Security Council was predominantly accused of failure to act on many occasions, although, as Christine Gray points out, the limited and delayed response came as a result of “lack of political will”

50 Tallinn Manual (n. 46) R17C2. 51 Dimitrios Delibasis, The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007) 258. 52 The P5 includes China, France, Russia, the UK and the US. 53 See David D. Caron, “The Legitimacy of the Collective Authority of the Security Council” (1993) 87(4) AmJIL 562. 54 See UN Charter (n. 43) Arts 24(1), 25; Erling J. Husabø, Ingvild Bruce, Fighting Terrorism Through Multilateral Criminal Legislation (Martinus Nijhoff 2009) 35. 280 CHAPTER 8 of individual governments and not as a result of an institutional failure.55 In fact, the end of the Cold War allowed the UNSC to show a greater degree of flexibility and to actively engage in its primary function.56 Already in the early 1990s, in response to what it saw as threats to peace, the Security Council members acted to enforce sanctions, solve humanitarian emergencies, restore legal governments, protect and even avenge the UN peacekeepers.57 “Threat to peace”, however, remains a political concept minimally constrained by the legal requirement of violating purposes or principles of the UN Charter.58 Thus, cyber-attacks can constitute a threat to peace if they are of sufficient gravity or warrant an armed response, or in other cases where political interest of the UNSC members is present.59 In the context of the current book, it is important to emphasize that violations of international humanitarian law were also found to be a threat to peace by the UNSC both in individual cases (Rwanda, Bosnia and Herzegovina), as well as generally.60 The Tallinn Manual asserts that the Security Council can declare that certain types of cyber-attacks constitute a threat to peace without reference to any particular incident, like it did vis-à-vis international terrorism and

55 Christine Gray, “A Crisis of Legitimacy for the UN Collective Security System?” (2007) 56(1) ICLQ 157. 56 Martti Koskenniemi, “The Place of Law in Collective Security” (1996) 17(2) Michigan JIL 457; Inger Österdahl, Threat to the Peace: The Interpretation by the Security Council of Article 39 of the UN Charter (Iustus Vorlag 1998) 21. See also Franklin Berman, “The UN Charter and the Use of Force” (2006) 10 Singapore Yearbook of International Law 15. 57 Helmut Freudenschuss, “Between Unilateralism and Collective Security: Authorizations of the Use of Force by the UN Security Council” (1994) 5(1) EJIL 522. 58 Prosecutor v Tadić (Decision on Jurisdictional Appeal) ICTY-94–1-AR72, AC (2 October 1995) para. 29. See also Nico Krisch, “Article 39” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary (3rd edn., OUP 2012) 1275–1276. 59 See Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 110. 60 UNSC Res 808 (22 February 1993) UN Doc S/RES/808, preamb para. 7; UNSC Res 955 (8 November 1994) UN Doc S/RES/955, preamb para. 5; UNSC Res 1296 (19 April 2000) UN Doc S/RES/1296, op para. 5; UNSC Res 1674 (28 April 2006) UN Doc S/RES/1674, op para. 26. See also Marco Roscini, “The United Nations Security Council and the Enforcement of International Humanitarian Law” (2010) 43(2) Israel Law Review 334–335. One should note that the ICTY, ICTR, Special Court for Sierra Leone and Special Tribunal for Lebanon were all established by the Security Council itself. Therefore, the UNSC has the Chapter VII power to create an international court specifically for cyber-space if its members so desire—see generally UNSC Res 808 (ibid.); UNSC Res 955 (ibid.); UNSC Res 1315 (14 August 2000) UN Doc S/RES/1315; UNSC Res 1664 (29 March 2006) UN Doc S/RES/1664. Role of International Organizations 281 proliferation of weapons of mass destruction (WMDs).61 However, sometimes there may be no need for such a declaration at all: if one looks at the already-existing UNSC resolutions, it becomes apparent that all cyber-attacks that qualify either as acts of international terrorism or “systematic, flagrant and widespread violations of international humanitarian law” already represent a threat to peace.62 Based on this logic, governments can demand world community’s counter-action against such cyber-attack through the Security Council or, if the latter is idle, via the invocation of the U4P plan (discussed in the next sub-chapter). If a “threat to the peace, breach of the peace, or act of aggression” has been determined by the UNSC, it can decide “what measures shall be taken [. . .] to maintain or restore international peace and security”.63 These measures may include those “not involving use of armed force” (among them, interruption of means of communication)64 and those that do (that is “action by air, sea or land forces”).65 Aside from traditional political deliberations accompanying such UNSC action, a few things must be pointed out in the cyber-warfare context. Firstly, the Security Council members have the legal authority to partially or entirely disconnect a state or an organization from the Internet (or other networks).66 Currently, this can be done directly via large-scale distributed denial of service (DDoS) disruption or by compelling all countries to sever individual connections with the sanctioned state. Should control over the Internet be passed to the International Telecommunication Union in the future, the UN will even be able to do it manually, using its and the ITU’s Secretariat. Marco Benatar and Kristof Gombeer may be correct in pointing out that a cyber-blockade is “far too intrusive to be unequivocally considered a

61 Tallinn Manual (n. 46) R18C2. See also UNSC Res 1373 (n. 18) preamb para. 3; UNSC Res 1540 (28 April 2004) UN Doc S/RES/1540, preamb paras. 1, 4, 9–10. 62 UNSC Res 1296 (n. 60) op para. 5; UNSC Res 1373 (n. 18) preamb para. 3. 63 UN Charter (n. 43) Art. 39. 64 Ibid., Art. 41. Other measures include interruption of economic links and severance of diplomatic relations. See also Tallinn Manual (n. 46) R18C4, R18C5. 65 UN Charter (n. 43) Art. 42. See also Tallinn Manual (n. 46) R18, R18C3, R18C6, R18C7. 66 See Dinniss (n. 59) 111–112. Note generally that the Internet and technology were “viewed as one of the [Angolan UNITA’s] most powerful means of sustaining itself and fighting against the continuation of Security Council sanctions”—see Monitoring Mechanism on Sanctions against UNITA, “Supplementary Report of the Monitoring Mechanism on Sanctions Against UNITA” (12 October 2001) UN Doc S/2001/966, para. 65. 282 CHAPTER 8 non-forcible sanction”.67 However, are they right to avoid classifying it as an Article 41 measure?68 It was shown in Chapter 5 that governments will find it difficult to argue that an information blockade constitutes a use of force.69 An even harder task would be to claim that disconnection from the Internet involves use of armed force (a different threshold). Lastly, the latter expressis verbis excludes interruption of means of communication, according to the UN Charter itself. Therefore, not classifying cyber-blockades under Article 41 seems wrong. A second important point in the cyber-context is that national cyber- warfare units must be considered part of the “air, sea or land forces”, or the Security Council will not be able to use them under the current Article 42 of the UN Charter. This remains true even though armed attacks are usually authorized by the UNSC resolutions as “all necessary means”.70 This is due to the fact that, unlike measures listed in Articles 41, those in Article 42 are exhaustive.71 As shown in the previous chapters of the present book, governments are generally incentivized to consider cyber-units as part of the traditional armed forces (inter alia, due to the location of cyber-infrastructure); moreover, such dynamic interpretation of the UN Charter may be expected “in the light of its object and purpose” under the Vienna Convention.72 Nevertheless, governments may argue the opposite, insisting on the “ordinary meaning” of the terms.73 As with other cases, in addressing or authorizing cyber-attacks under Article 42, the UNSC is expected to individually consider the seriousness of the threat, purpose of intervention, proportionality, balance of consequences, and whether all non-military options are exhausted.74 Using a theoretical scenario of defiant “State A [. . .] developing a nuclear weapons capability”, which

67 Marco Benatar, Kristof Gombeer, “Cyber Sanctions: Exploring a Blind Spot in the Current Legal Debate” in Nico Krisch, Lauri Mälksoo, Mario Prost (eds.), ESIL 2011 4th Research Forum (ESIL 2011) 13. 68 See ibid. 69 See sub-chapter 5.4.4.1. 70 See Nico Krisch, “Article 42” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary (3rd edn., OUP 2012) 1336–1338. 71 Tadić (n. 58) para. 35. See also Nico Krisch, “Article 41” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary (3rd edn., OUP 2012) 1311. 72 See Vienna Convention on the Law of Treaties (adopted 23 May 1969, entered into force 27 January 1980) 1155 UNTS 331, Art. 31(1). 73 See ibid. 74 Krisch, “Article 42” (n. 70) 1341; High-Level Panel on Threats, Challenges and Change, “A More Secure World: Our Shared Responsibility” (Letter to UNSG, 1 December 2004) UN Doc A/59/565, para. 207. Role of International Organizations 283 ignores the UNSC and “has weathered economic sanctions”, the Tallinn Manual seems to imply that the use of Stuxnet on Iranian enrichment facilities should have been authorized by the Security Council, since the necessary conditions were met.75 This argument is further developed by Heather Dinniss, who adds that “had the measures decided on been taken under Article 42 with its usual phraseology ‘all necessary means’, the Stuxnet worm would have proved an efficient way to achieve one of the aims of the resolution [1929]”.76 One can recall, at this point, that certain governments have previously relied on existing resolutions to deduce an implied UNSC authorization for action.77 They may rely on such arguments again to justify launching cyber- attacks. Therefore, it is not excluded that Israel and the US could have deduced a similar right from the existing sanctions regime against Iran and authorized the employment of Stuxnet using these grounds. Through binding states, governments may also attempt to use the UNSC to influence the fates of non-governmental organizations and even individuals. So, for example, Resolution 1267 establishes a sanctions regime to cover persons associated with Al-Qaeda or the Taliban. Similar sanctions can, in theory, apply in relation to individual crackers who, like certain terrorist leaders, may for a long time remain beyond governments’ reach. While Joy Gordon raises concerns that the “machinery of global governance” has been and can be abused to further the agenda of single nations with overwhelming political and economic influence,78 this is not surprising and reflects the essence of classic international relations.79 In any case, the current legal scholarship agrees on the limits of power of the UNSC and, theoretically, the latter remains constrained by it.80 The veto power of the P5 is criticized in its current form for privileging a few states.81 Nevertheless, to an extent, it embodies common moral safeguards

75 Tallinn Manual (n. 46) R18C6. 76 Dinniss (n. 59) 113. 77 For instance in Kosovo or Iraq—see Krisch, “Article 42” (n. 70) 1342. 78 Joy Gordon, “The Sword of Damocles: Revisiting the Question of Whether the United Nations Security Council is Bound by International Law” (2012) 12(2) Chicago JIL 645. 79 See Achilles Skordas, “Hegemonic Intervention as Legitimate Use of Force” (2007) 16(2) Minnesota JIL 407, 448–449. 80 Gordon (n. 78) 644. 81 Note that there have been various proposals to change the veto process in the UNSC— see Alex Conte, Security in the 21st Century, The United Nations, Afghanistan and Iraq (Ashgate 2005) 176. Notably, the question of veto is also raised in the context of R2P—see Anne Peters, “The Security Council’s Responsibility to Protect” (2011) 8(1) International Organizations Law Review 28; Thomas G. Weiss, “R2P After 9/11 and the World Summit” (2006) 24(3) Wisconsin ILJ 758. 284 CHAPTER 8

(representing “community defined values”)82 against Security Council resolutions coming into conflict with the existing international law and, particularly jus cogens. In urgent cases, where the UNSC fails due to a political stalemate or it is compromised by a diplomatic conspiracy, the General Assembly can step in under the U4P plan to legally resolve any crisis that threatens peace.

8.3.3 Auxiliary “Uniting for Peace” Plan No more than five years after the creation of the United Nations, flaws in the work of the Security Council became obvious.83 In 1950, the USSR boycotted the UNSC meetings on the situation in Korea (due to non-recognition of the People’s Republic of China as the true “China” in the Council), encouraging the US and its allies to “change the institutional balance of power between the Security Council and the General Assembly”.84 This resulted in the creation of the UNGA Resolution 377 (V) that allows for special emergency sessions in the General Assembly under the U4P umbrella. If the UNGA is not already in session, nine members of the Security Council (regardless of their permanence) or majority of the UN members in the UNGA itself can initiate the emergency sessions, which have taken place ten times so far.85 While the adoption of the UNGA Resolution 377 (V) itself was sur- rounded by controversy regarding its constitutionality within the UN Charter system (a particular concern was expressed regarding it being a possible threat to the role of the UNSC), the initial opponents of the U4P subsequently eased their criticism, contributing to its acceptance in state practice.

82 Danesh Sarooshi, The United Nations and the Development of Collective Security: The Delegation by the UN Security Council of its Chapter VII Powers (OUP 1999) 285. 83 Note, however, that disagreements existed as early as 1946—see Jean Krasno, Mitushi Das, “The Uniting for Peace Resolution and Other Ways of Circumventing the Authority of the Security Council” in Bruce Cronin, Ian Hurd (eds.), The UN Security Council and the Politics of International Authority (Routledge 2008) 174. 84 Dominik Zaum, “The Security Council, the General Assembly, and War: The Uniting for Peace Resolution” in Vaughan Lowe and others (eds.), The United Nations Security Council And War: The Evolution of Thought and Practice Since 1945 (OUP 2010) 155. 85 See UN Charter (n. 43) Art. 11(2); UNGA Res 377 (V) (3 November 1950) UN Doc A/RES/377, op para. 1. Role of International Organizations 285

The U4P’s invocation was avoided in the 1999 Kosovo conflict and the 2003 Iraq invasion for political reasons.86 Similarly, it may be ignored or silently rejected vis-à-vis cyber-warfare by certain governments. Nevertheless, the U4P plan was never formally dismissed and there was no observable change in customary law that would invalidate this mechanism.87 Thus, as part of the potential solution, it, arguably, preserves its relevance in the context of cyber- warfare and serves as an auxiliary tool meant to prevent the most serious cases of international law abuse. The U4P is based on the notion of the UNGA’s secondary responsibility for the maintenance of international peace and security, as opposed to the primary responsibility of the Security Council under the UN Charter.88 The U4P can be triggered when the UNSC fails to exercise its obligations “because of lack of unanimity of the permanent members” in situations when “there appears to be a threat to peace, breach of peace, or an act of aggression” (emphasis added).89 Cyber-attacks can fall under all three of these categories, permitting a special emergency response if the political will is present. Although the General Assembly recommendations are not binding, the U4P regime allows the two-thirds majority of the UNGA to issue recommendations for collective measures, including cyber-strikes that constitute armed attacks, in case when there is a “breach of peace” or an “act of aggression”.90

86 Krasno, Das (n. 83) 187–188. See also Ian Johnstone, “The Use of Force” in Jane Boulden, Ramesh Thakur, Thomas G. Weiss (eds.), The United Nations and Nuclear Orders (UN University Press 2009) 140. 87 One has to disagree here with Benedetto Conforti, who claims that U4P’s customary character has eroded. Members of the no-longer-existing Warsaw pact that were the only ones who opposed the U4P. The shifting attitudes of the Western nations, on the other hand, are readjusted by the development of the erga omnes obligations—see Benedetto Conforti, The Law and Practice of the United Nations (3rd edn., Martinus Nijhoff 2005) 225; Thomas M. Franck, Recourse to Force: State Action against Threats and Armed Attacks (CUP 2002) 33–34. 88 See UN Charter (n. 43) Arts. 11(2), 24(1); UNGA Res 377 (V) (n. 85) preamble; Certain Expenses of the United Nations (Advisory Opinion) [1961] ICJ Rep 163–164. 89 UNGA Res 377 (V) (n. 85) op para. 1. 90 Ibid.; UN Charter (n. 43) Art. 18(2). Note that actions in conformity with these recommendations become legal—see Antonios Tzanakopoulos, Disobeying Security Council: Countermeasures Against Wrongful Sanctions (OUP 2011) 174. See generally UN Charter (n. 43) Arts. 10, 11(2); Chi Y. Pak, Korea and the United Nations (Kluwer Law International 2000) 114. 286 CHAPTER 8

Sean Murphy argues that omission of the “threat to peace” from the wording of Resolution 377 (V) sets a higher standard for the UNGA action.91 Can one agree with this logic? The inclusive, clarifying and illustrative formulation in the Resolution suggests that the list is non-exhaustive and, on the contrary, the General Assembly can act when there “appears” to be a threat to peace. For the same reason, the UNGA is not limited to action by the armed forces and can recommend other means, including low-scale cyber-attacks. Thus, Murphy’s conclusion in this context is debatable. As with the Security Council, political and diplomatic positions play an important role and they can influence how the U4P mechanism operates. Nevertheless, it should be noted that the two-thirds majority requirement (meant to reflect international community’s approval) ensures that any resolution adopted can no longer be easily viewed as unreasonably favoring certain parties. The UNSC (in addition, to the UNGA itself)92 can still overrule such recommendations if all P5 members disagree with them, but, due to competing political interests, this remains almost impossible in practice.

8.3.4 “Responsibility to Protect” and Cyber-Space The whirlwind of violence that took place in Europe, Africa and other parts of the world in the 1990s, and particularly genocides in Bosnia and Herzegovina, as well as in Rwanda, have accelerated a crystallization of the R2P in customary law, which, inter alia, is meant to prevent attacks arising to the level of mass atrocities.93 An academic debate is still being waged whether the R2P concept constrains the veto right in the UNSC, although the exercise of the veto by governments in situations of humanitarian crisis can have negative political repercussions.94 In practice, no humanitarian intervention has ever been authorized under

91 Sean D. Murphy, Humanitarian Intervention (University of Pennsylvania Press 1996) 300. 92 Consider generally in this context the UNGA Res 3379 (10 November 1975) UN Doc A/ RES/3379 on Zionism as racism, revoked by UNGA Res 46/86 (16 December 1991) UN Doc A/RES/46/86. 93 See Randolph Kent, “Humanitarian Dilemmas in Peace and War” (2003) 3(3) Conflict, Security & Development 440–441; Mindia Vashakmadze, “Responsibility to Protect” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary (3rd edn., OUP 2012) 1202. 94 Vashakmadze (n. 93) 1232–1233. Role of International Organizations 287 the U4P resolution.95 Nevertheless, the UNGA members, not unlike those of the UNSC, can also be influenced in their decision-making process by matters relating to the R2P.96 The initial idea of viewing the responsibility to protect the population against mass atrocities as inherent to sovereignty belongs to the International Commission on Intervention and State Sovereignty (ICISS). However, despite the wide endorsement of its 2001 Report, one would be naïve to assume that all of the suggestions in the Report made it to international law.97 The suggested set of ICISS rules on engaging in humanitarian interventions were stripped of details and reduced from a combination of wide responsibilities to prevent, react and rebuild to more basic state’s “responsibility to protect its populations from genocide, war crimes, ethnic cleansing and crimes against humanity” and international community’s “responsibility to use appropriate diplomatic, humanitarian and other peaceful [and non-peaceful] means” to protect these populations.98 Particular emphasis is put on cases where the national authorities do not fulfill their obligations.99 Robert Lancaster correctly observed that this narrow approach with a clearly defined role of the Security Council is likely to reflect the existing opinio juris.100 Thus, any attempt to juridically interpret the R2P widely (inter alia, by referring to the ICISS Report) should be considered detrimental to international law, particularly considering the uncertain legal environment surrounding cyber-warfare. According to the ICISS, there are six criteria necessary to justify military intervention: right authority, just cause, right intention, last resort, proportional

95 Julia Hoffmann, André Nollkaemper, Responsibility to Protect: From Principle to Practice (Pallas Publications 2012) 162. 96 Zaum (n. 84) 156. 97 See generally ICISS, Responsibility to Protect (International Development Research Centre 2001); High-Level Panel (n. 74) paras. 201–203; UNSG, “In Larger Freedom: Towards Security, Development and Human Rights for All” (Report of the UNSG, 21 March 2005) UN Doc A/59/2005, paras. 132–135. 98 “2005 World Summit Outcome”, UNGA Res 60/1 (16 September 2005) UN Doc A/RES/60/1, paras. 138–139. See also UNSC Res 1674 (n. 60) op para. 4; UNSG, “Implementing the Responsibility to Protect” (Report of the UNSG, 12 January 2009) UN Doc A/63/677. 99 Note that this obligation may vary depending on state’s capacity to influence the events (depending on geographic factors, “strength of ties between states” etc)—see generally Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Merits) [2007] ICJ Rep, para. 430. 100 Robert Lancaster, “Intervening Interests: Humanitarian and Pro-Democratic Intervention in the Asia-Pacific” (2009) 16 Australian ILJ 114. See also Vashakmadze (n. 93) 1228, 1230. 288 CHAPTER 8 means and reasonable prospects.101 None of them were included in the official UN documents, mostly due to the opposition from the US government, which did not want to limit the UNSC’s freedom (and, by extension, its own power), and governments of a few developing states, which thought that these principles would encourage future interventions.102 Is there less respect for these six criteria now (in the wider spectrum) than twenty years ago? Indeed, for example, the NATO command in Bosnia (which was allowed to use all necessary measures) tried to solve the crisis by lodg- ing complaints, writing letters of protest and demonstrating force rather than using it.103 In contrast, the 2011 bombing of Libya almost immediately went well beyond the agreed mandate to protect civilians and turned into a de facto regime change, culminating in the assassination of Muammar al- Gaddafi himself, who was persistently depicted as the “root of the humanitarian problem”.104 In this context, Pierre Thielbörger noted that whether the “intervention was initiated in accordance with international law [can be] secondary to the question of whether it [. . .] [is] carried out until the very end”.105 The modern R2P in response to cyber-attacks can primarily arise in the context of war crimes and crimes against humanity, although implications of genocide (or political acts of ethnic cleansing) are possible, when a clear mens rea exists to commit it.106 The legitimacy of preventing mass atrocity crimes stems primarily from the jurisprudence of international courts and tribunals.107

101 ICISS (n. 97) paras. 4.16, 4.32, 6.1, 8.28. 102 Gareth Evans, “From Humanitarian Intervention to the Responsibility to Protect” (2006) 24(3) Wisconsin ILJ 717. See generally Anne Orford, Reading Humanitarian Intervention: Human Rights and the Use of Force in International Law (CUP 2003) 42. 103 Paul R. Williams, Colleen Popken, “Security Council Resolution 1973 on Libya: A Moment of Legal & Moral Clarity” (2011) 44(1–2) Case Western Reserve JIL 236–237. 104 Pierre Thielbörger, “The Status and Future of International Law after the Libya Intervention” (2012) 4(1) Goettingen JIL 23. See also UNSC Res 1970 (26 February 2011) UN Doc S/RES/1970; UNSC Res 1973 (17 March 2011) UN Doc S/RES/1973; Spencer Zifcak, “The Responsibility to Protect After Libya and Syria” (2012) 13(1) Melbourne JIL 12. 105 Thielbörger (n. 104) 31. See also Zifcak (n. 104) 11; Amos N. Guiora, “Intervention in Libya, Yes; Intervention in Syria, No: Deciphering the Obama Administration” (2011) 44(1–2) Case Western Reserve JIL 251–253. 106 See sub-chapter 6.3.1. 107 David Scheffer, “Atrocity Crimes Framing the Responsibility to Protect” (2008) 40(1–2) Case Western Reserve JIL 115. Role of International Organizations 289

It is important to note that the R2P remains a complementary principle.108 Thus, there needs to be a series of cyber-strikes emanating from national authorities that would target their own civilians before sovereignty in the physical realms or in cyber-space no longer needs to be respected and external military invasion can be considered. Pure standalone attacks remain an unlikely scenario, since oppressive governments have little reason to choose less effective cyber-strikes instead of conventional methods of intimidation. A more realistic case would include employing them in combination with other punitive operations, especially in a territory not controlled by the official government. Additionally, cyber-attacks themselves may be used as part of a humanitarian response to mass atrocities. Considering the trend not to deploy ground troops (which was ruled out, inter alia, in the UNSC Resolution 1973 on Libya), such cases may become a reality in the nearest future. For example, cyber- strikes launched as part of all necessary means against media-hubs that call for ethnic cleansing may very well represent the “minimum force required” to achieve the mission.109 Furthermore, the goal of humanitarian wars may be to break the spirit of the oppressors.110 Inter alia, governments may use this to justify cyber-attacks that target economic accounts of the oppressor-government’s members, perpetrators, or “a large part of a population [. . .] complicit in causing, or allowing, a genocidal campaign”.111 Starting from the failure of the UN mission in Somalia, the effectiveness of humanitarian intervention is normally expected to be a condition of its legitimacy internationally.112 When one looks at three pillars of effectiveness suggested by James Pattison, while pure cyber-intervention is probably not going to be different from conventional invasions in terms of global external effectiveness for the enjoyment of human rights worldwide, it is likely to be beneficial “internally”, mainly because it is relatively safe for those who carry it out.113

108 See generally Mayeul Hiéramente, “The Myth of ‘International Crimes’: Dialectics and International Criminal Law” (2011) 3(2) Goettingen JIL 585. 109 See generally Zifcak (n. 104) 12. 110 Larry May, “Aggression, Humanitarian Intervention, and Terrorism” (2009) 41(2–3) Case Western Reserve JIL 328. 111 Ibid. See also sub-chapter 3.3.2.2. 112 James Pattison, “Legitimacy and Humanitarian Intervention: Who Should Intervene?” (2008) 12(3) International Journal of Human Rights 400. 113 Ibid. 290 CHAPTER 8

On the other hand, cyber-intervention alone is unlikely to suppress sufficiently the abuse of civilians and may provoke a new wave of atrocities.114 The latter outweighs the positive factor of internal effectiveness, since prevention of mass atrocities is the rationale behind the humanitarian interventions per se.115 For this reason, it appears that cyber-attacks in the R2P context will have to be supported by traditional military action, in order to ensure their maximum effectiveness. The new R2P doctrine not only expands the erga omnes obligation to prevent genocide to crimes against humanity, war crimes and ethnic cleansing.116 It also clearly excludes the possibility of interventions (also in the form of cyber-attacks) without the Security Council or General Assembly’s U4P-based approval.117 As such, it does not leave much ground for justification of Kosovo- like “illegal but legitimate” missions, which continues despite the Kosovo intervention being considered a serious threat by the senior officials of the UN departments of political and legal affairs, as well as its widely advertised sui generis and non-precedent-setting character.118 The developed R2P principle can also contribute to a non-sanctioned unilateral humanitarian action triggering the crime of aggression in the future.119 One author believes that it is “unclear, [. . .] whether the World Summit Outcome document requires Security Council authorization for the use of

114 See generally Benjamin Valentino, “The Perils of Limited Humanitarian Intervention: Lesson from the 1990s” (2006) 24(3) Wisconsin ILJ 737. 115 See Pattison (n. 112) 400. 116 Note that some authors claim that obligation to prevent genocide may even trump the UN Charter—see Sarah Mazzochi, “Humanitarian Intervention in a Post-Iraq, Post-Darfur World: Is There Now a Duty to Prevent Genocide Even Without Security Council Approval?” (2011) 17(1) Annual Survey of International & Comparative Law 126–128; Larry May, Jeff Brown, Philosophy of Law: Classic and Contemporary Readings (John Wiley & Sons 2009) 222. See generally Genocide Case (n. 99) paras. 428–438; Convention on the Prevention and Punishment of the Crime of Genocide (adopted 9 December 1948, entered into force 12 January 1951) 78 UNTS 277, Art. 1. 117 See UNSG, “Implementing the [R2P]” (n. 98) paras. 11(c), 49; Zifcak (n. 104) 14; Jonah Eaton, “An Emerging Norm? Determining the Meaning and Legal Status of the Responsibility to Protect” (2011) 32(4) Michigan JIL 800; Mehrdad Payandeh, “The United Nations, Military Intervention, and Regime Change in Libya” (2012) 52(2) Virginia JIL 390–393. 118 See Ralph Zacklin, The United Nations Secretariat and the Use of Force in a Unipolar World (CUP 2010) 97. 119 See Sean D. Murphy, “Criminalizing Humanitarian Intervention” (2009) 41(2–3) Case Western Reserve JIL 375. Role of International Organizations 291 armed force under R2P”.120 Yet, it would not have passed if it did not. The need for the UN mandate is equally justified in cyber-space and in the real domain by the possibility of exploitation of the imperfections pertaining to the R2P principle by individual governments. The possibility of exploitation, for instance, is luminous in light of the Iraq invasion case where after failure to locate WMDs and Saddam Hussein’s links to Al-Qaeda, the UK and the US, while still relying on the UNSC Resolution 678, retroactively decided there was a need to protect the Iraqi people against the dictator’s tyranny.121 A similar scenario could occur both with cyber-attacks as the R2P response and with the humanitarian intervention being provoked by cyber-strikes. When discussing collective action, in order to prevent future violations of international law, governments might also consider the possibility of peace operations’ transition onto the cyber plane. While the UN’s involvement is not always necessary (in case of official states’ consent, such operations might be organized by third countries or regional organizations),122 it remains the likeliest facilitator due to the borderless nature of common cyber-space.

8.3.5 Peace Operations Generally, peace operations can be divided into four categories: peacemaking, peacekeeping, peace enforcement and peace building. Due to the limitations of the present book and its particular focus on warfare, peacemaking (“action to bring hostile parties to agreement”)123 and peace building (“range of measures targeted to reduce the risk of lapsing or relapsing into conflict”)124 shall

120 John F. Murphy, “International Law in Crisis: Challenges Posed by the New Terrorism and the Changing Nature of War” (2011) 44(1–2) Case Western Reserve JIL 81–82. 121 Evans (n. 102) 717–718; UNSC Res 678 (29 November 1990) UN Doc S/RES/678. 122 Alexander Orakhelashvili, “The Legal Basis of the United Nations Peace-Keeping Operations” (2003) 43(2) Virginia JIL 486. See also Bryan D. Kreykes, “Toward a Model of Humanitarian—Intervention: The Legality of Armed Intervention to Address Zimbabwe’s Operation Murambatsvina” (2010) 32(3) Loyola of Los Angeles International and Comparative Law Review 357. 123 UNSG, “An Agenda for Peace: Preventative Diplomacy, Peacemaking and Peace-Keeping” (Report of the UNSG, 17 June 1992) UN Doc A/47/277, paras. 20, 36. Since some crackers will prefer to remain anonymous, it is not excluded that a new form of reconciliation might be required in an untraditional diplomatic environment of an online chat. 124 Peacebuilding Support Office, “UN Peacebuilding: An Orientation” (Brochure, UN 2010) 5 accessed 1 August 2015, citing a Decision of the Secretary-General’s Policy Committee (May 2007). Particular peacebuilding measures may present a challenge (and raise skepticism) when viewed in the cyber-context, namely demilitarization, rehabilitation and reintegration of 292 CHAPTER 8 not be specifically analyzed and attention will, instead, concentrate on peacekeeping and peace enforcement.

8.3.5.1 Peacekeeping Peacekeeping is “the deployment of a United Nations presence in the field, hitherto with the consent of all the parties concerned, normally involving United Nations military and/or police personnel and frequently civilians as well”.125 Such deployment is often required in order to implement a cease-fire or a peaceful settlement.126 Traditionally, UN peacekeepers are provided with the required mandate by the UNSC, which, together with the UN Secretary-General, exercises command and control over them.127 However, in some cases, peacekeeping missions can be organized by the UNGA under the U4P resolution. A certain degree of peacekeeping in cyber-space is likely to be considered as a potential safeguard of international security in the future, taking into account the ever-rising frequency and sophistication of cyber-strikes, and political circumstances in which they are launched. An online peacekeeping mission, in this context, can monitor cyber-space traffic and block any incoming strikes, if necessary, as well as disarm potentially damaging malware. Centralization of online peacekeeping under the UN per se is not likely to be opposed. This organization has already used Chapter VII of the UN Charter to establish international territorial administration and could formally set control over any part of cyber-space.128 Additionally, the impartiality and transparency of the United Nations could ensure that civil liberties and freedom of the Internet or cyber-space will not be violated, which may be demanded as one of the conditions by the Western governments.

former combatants. While reintegration of crackers with knowledge potentially useful for the civil society can be a symbolic act, disarmament and demilitarization can take the only possible and a very untraditional form, described further. 125 UNSG, “Agenda for Peace” (n. 123) para. 20. See also Michael Bothe, “Peacekeeping” in Bruno Simma and others (eds.), The Charter of the United Nations: A Commentary (3rd edn., OUP 2012) 1182–1183, 1187. 126 Peter Malanczuk, Akehurt’s Modern Introduction to International Law (7th edn., Routledge 1997) 423–424; Simon Chesterman, You, The People: The United Nations, Transitional Administration, and State-Building (OUP 2005) 103. 127 Sarooshi, The United Nations (n. 82) 67; Terry D. Gill, “Legal Aspects of the Transfer of Authority in UN Peace Operations” (2011) 42 Netherlands Yearbook of International Law 45. 128 See generally Krisch, “Article 42” (n. 70) 1344–1345. Role of International Organizations 293

The UN forces comprise “voluntary contributions of personnel and equipment by [. . .] Member States which transfer elements of authority and control over the contingents to [the Department for Peacekeeping Operations] for the duration of the operation”.129 Even if the UN coordination of the specialized standby cyber-units or militaries under the status of forces agreements proves to be ineffective, the original drafters’ plan envisioning the UN having its own forces can be fulfilled in the cyber-dimension, since it is relatively easy to form a specialized task-force (inter alia, from civilian experts) and to maintain it. Such a step will require a major state consensus (or, at least, proactive soft law development in this direction by the UN Secretariat). Currently, no similar arrangements exist within or outside the United Nations, although individual states have set up cyber-security working groups.130 If the idea of an independent UN peacekeeping force for cyber-space is implemented as part of the solution to the general problem highlighted in this book (exploitability of international law’s imperfections), a number of factors would have to be taken into account. Firstly, peacekeepers are customarily identified by their headwear, the blue helmets (or blue berets). A corresponding encrypted digital certificate will need to be devised and advertised in order to ensure that the nature of these forces is recognized and respected in cyber- space. Lack of such signature will represent a gap in international law that will allow parties opposed to the UN’s activities in cyber-space to hinder the peacekeeping efforts with impunity. Secondly, while peacekeepers are granted jurisdictional immunity,131 they have a responsibility to respect international law, and remain bound by the

129 Gill (n. 127) 45. See also UNSG, “Agenda for Peace” (n. 123) para. 44; Bothe (n. 125) 1184. 130 One such group was reportedly established between China and the US in 2013—see “U.S., China Agree to Work Together on Cyber Security” (Reuters, 13 April 2013) accessed 1 August 2015. Consider also the reported existence of the cyber-hotline between Russia and the US meant to notify the two governments of various cyber-space exercises and cyber- incidents—see Ellen Nakashima, “U.S. and Russia Sign Pact to Create Communication Link on Cyber Security” (The Washington Post, 17 June 2013) accessed 1 August 2015. 131 See Bothe (n. 125) 1185, 1188–1190; Róisín Burke, “Status of Forces Deployed on UN Peacekeeping Operations: Jurisdictional Immunity” (2011) 16(1) Journal of Conflict & Security Law 64. 294 CHAPTER 8 customary norms arising from the Hague and Geneva Conventions.132 Because an independent UN force will not be subject to any one state’s jurisdiction, the United Nations will need to have an organ that will monitor its activities, as well as discipline and punish the peacekeeping cyber-group members that violate permitted norms. Finally, peacekeepers must remain impartial and have a limited possibility of using force.133 Though this was initially narrowed down to situations where the UN forces had to act in self-defense,134 there are increasing expectations that peacekeepers should also use force in order to protect civilian populations from attacks.135 The extent of allowed cyber-force and active defenses in these circumstances will depend on the agreed mandate.

8.3.5.2 Peace Enforcement Sometimes the lines between peacekeeping and peace enforcement are blurred, and what starts off as the former ends as the latter.136 Peace enforcement is the most active form of peace operations.137 It almost automatically presupposes action under Chapter VII of the UN Charter or at least the U4P resolution. Originally, it was conceived to allow UN troops to use force in order to ensure that parties comply with the terms of a cease-fire.138 However, in the last two decades it has been expanded to, inter alia, protecting

132 UNSG, “In Larger Freedom” (n. 97) para. 113. See generally Carsten Stahn, “‘Jus ad bellum’, ‘Jus in Bello’ . . . ‘Jus Post Bellum’?—Rethinking the Conception of the Law of Armed Force” (2007) 17(5) EJIL 928. 133 Gill (n. 127) 41, 43. See also Hitoshi Nasu, International Law on Peacekeeping: A Study of Article 40 of the UN Charter (Martinus Nijhoff 2009) 136. 134 High-Level Panel (n. 74) para. 213. See also Ralph Zacklin, “The Use of Force in Peacekeeping Operations” in Niels Blokker, Nico Schrijver (eds.), The Security Council and the Use of Force: Theory and Reality—a Need for Change? (Martinus Nijhoff 2005) 93. 135 See High-Level Panel (n. 74) paras. 222–223; John O’Brien, International Law (Routledge- Cavendish 2001) 733; Andrzej Sitkowski, UN Peacekeeping: Myth and Reality (Praeger Security International 2006) 112, 122. 136 See Christine Gray, International Law and the Use of Force (3rd edn., OUP 2008) 326. See generally High-Level Panel (n. 74) paras. 211–213; UN DPKO, “General Guidelines for Peacekeeping Operations” (Guidelines, UN 1995) para. 34. 137 Holger Schabio, “The UN Role in Future Military Conflicts” (2006) 8 Baltic Security And Defence Review 157. 138 James S. Sutterlin, The United Nations and the Maintenance of International Security: A Challenge to Be Met (Praegar 1995) 55. Role of International Organizations 295 relief supplies, ensuring freedom of movement, protecting humanitarian missions and even restoring legal governments.139 For obvious reasons, a UNSC (or UNGA) authorization to use cyber-attacks in any of the above-mentioned scenarios is likely to become manifestly legal (yet, not necessarily legitimate). As Michael Pugh notes, while attempting to operate with “‘active impartiality’, in practice peace enforcement disguises actual bias, or is perceived as bias, towards particular parties”.140 By their nature, enforcement actions are not governed by the principles of impartiality, consent, or limited use of force and must “differ radically in terms of [. . .] mandates, force composition, and application of force” from the peacekeeping operations.141 This was most obviously felt during the second phase of the UN intervention in Somalia, when impartiality of the intervening force was abandoned and consent to its presence damaged beyond repair.142 Like potential cyber-peacekeepers, enforcement groups will be bound by international humanitarian law and could be formed from the constructed UN’s cyber-forces or those of member states. On the other hand, the law would only require enforcers to use digital signatures to identify themselves after the attacks. Notably, they could use malware with any offensive capabilities. In fact, leaving out the question whether force per se can be used in order to preserve international values, peace enforcers are expected to be adequately armed in order to fulfill their mandate. Peace enforcement operations (and to a lesser extent, peacekeeping operations) will also require ensuring the safety of the United Nations internal computer networks themselves, since the latter already contain information directly pertaining to peace and security (reports, analyses, maps and so on)143 and will be crucial to the success of any cyber-operations on behalf of the United Nations. Another important tool at the UN’s disposal is arms control, which could prevent violations of international law and minimize exploitation of its imperfections in cyber-warfare. It is addressed next.

139 Ibid., 62; Michael Pugh, “Peace Enforcement” in Thomas G. Weiss, Sam Daws (eds.), The Oxford Handbook on the United Nations (OUP 2007) 371. 140 Pugh (n. 139) 381. 141 Gill (n. 127) 41–42. It is important to note that some enforcement action did occur with formal state consent—see Krisch, “Article 42” (n. 70) 1344. 142 Trevor Findlay, The Use of Force in UN Peace Operations (OUP 2002) 204. 143 Panel on UN Peace Operations, “Report of the Panel on United Nations Peace Operations” (Letter to UNSG, 17 August 2000) UN Doc A/55/305, para. 255. 296 CHAPTER 8

8.3.6 Arms Control and Disarmament in the Virtual Realm Malware can be and is considered a weapon.144 Today, the Wassernaar Arrangement ensures transparency of transfers of dual-use hardware and, to a limited extent, software.145 However, a true binding arms control treaty in cyber-space currently does not exist, although it could enhance international law and limit the ability of governments to exploit legal imperfections in cyber-warfare. The number of states, which list cyber-security as one of their top concerns, has risen from 5 in 2005 to over 25 in 2013, and now includes almost every technologically advanced state.146 The majority of these nations now have robust cyber security strategies, established cyber-command headquarters and they operate military groups that specialize in cyber-defense and cyber-offense.147 In this environment, and taking into account the rapid development and complexity of cyber-space itself, it is not surprising that malware meant to cause damage in the virtual realm and in the physical world is constantly updated and perfected. In fact, due to the large number of participants, the current cyber proliferation is the fastest arms race in the world.148 In 1948, Hans Kelsen wrote:

Collective security reaches the highest possible degree when the obligation of the members to refrain from the use of force is guaranteed by their disarmament, when the force monopoly of the community is constituted not only by the exclusive right of a central organ to take enforcement actions against members, but also by the fact that only a central organ of the international community has armed forces at its disposal to be employed against delinquent member states, whereas the single members

144 See sub-chapter 1.1. 145 See Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, “Guidelines & Procedures, Including the Initial Elements” (adopted 21 July 1996, last amended December 2011) accessed 1 August 2015. 146 See Eli Jellenc, “Explaining Politico-Strategic Cyber Security: The Feasibility of Applying Arms Race Theory” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 153. 147 Ibid., 153–154. 148 Ibid., 158. Role of International Organizations 297

of the community are allowed only to keep a police force for the maintenance of law and order among their subjects.149 [emphasis added]

Although this was never applied to conventional forces, in light of the UN’s potential to possess its own cyber-forces, Kelsen’s idea may be more relevant for cyber-warfare today. Should one consider establishing an arms control agreement that would limit, forbid the use or prevent the development of certain types of cyber-weapons? Generally, arms control agreements can be bilateral, regional or multilateral, and they can take the form of the UNGA resolutions or codification of the existing customary international law.150 While the former categories remain relevant, the latter is inapplicable in the present context, since neither cyber-strikes nor cyber-disarmament have any solid customary norms regulating them. The UN may represent the best possible platform for an arms control agreement.151 Other international and regional organizations could attempt to adopt instruments of their own, but bilateral and regional instruments are likely to remain insufficient to address the threat (although they can serve as a starting point for developing international customary law). In reality, the non- delimited cyber-space, as well as the possibility of producing and acquiring malware from anywhere in the world, almost automatically presupposes that any disarmament treaty must be developed under the auspices of the global United Nations organization. Not only should it be multilateral, but, in order to be successful, it would also have to be widely ratified, at least by the technologically developed states on different continents. Richard Clarke and Robert Knake point out that, due to the weaknesses of the US in the cyber-arena (which, inter alia, include production of hardware abroad, great dependency of civilian and military sectors on computerized systems and powerful private actors), the American government may be interested in prohibiting cyber-attacks against its infrastructure.152 However, the US administration is reluctant to refrain from using cyber-weapons itself

149 Hans Kelsen, “Collective Security and Collective Self-Defense Under the Charter of the United Nations” (1948) 42 AmJIL 784. 150 Philip A. Johnson, “Is It Time for a Treaty on Information Warfare?” (2002) 76 International Law Studies 450–453. 151 See Gabriel K. Park, “Granting an Automatic Authorization for Military Response: Protecting National Critical Infrastructure from Cyberattack” (2013) 38(2) Brooklyn JIL 817. 152 Richard A. Clarke, Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010) 175, 226–227, 254. 298 CHAPTER 8 and, so far, primarily due to its opposition, proposals for such an agreement remain unpopular and the law underdeveloped.153 For instance, in 2009, the Russian Federation unsuccessfully lobbied a treaty aimed “to ban states from secretly embedding malicious codes or circuitry that could be later activated from a distance in the event of war”.154 Furthermore, the International Code of Conduct for Information Security that suggested “[n]ot to proliferate information weapons and related technologies” was also rejected.155 Which solution could the United Nations offer, if no opposition from the US were present? The UN Charter allows the UNGA to “consider [. . .] principles governing disarmament and the regulation of armaments, and [. . .] make recommendations with regard to such principles to the Members or to the Security Council”.156 Proposals to reduce cyber-arms can be initiated in the 1st Committee of the UNGA (Disarmament and International Security), although subsidiary commissions or independent, yet UN-affiliated Committee on Disarmament may also be engaged.157 Due to the traditional nuclear disarmament role of the IAEA, the latter can, likewise, be expected to contribute to the reduction and elimination of malware that targets nuclear facilities (such as Stuxnet).158 The UNSC, on the other hand, is “responsible for formulating [. . .] plans [. . .] for the establishment of a system for the regulation of armaments”.159 The Charter presupposes that the Security Council regulates arms “in order to promote the establishment and maintenance of international peace and security with the least diversion for armament of the world’s human and economic

153 Ibid., 239, 254. 154 Louise Arimatsu, “A Treaty for Governing Cyber-Weapons: Potential Benefits and Practical Limitations” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 108. 155 International Code of Conduct for Information Security, Annex to UNGA 66/359 (14 September 2011) UN Doc A/66/359, op para. 2. 156 UN Charter (n. 43) Art. 11(1). 157 Gabriella Venturini, “Control and Verification of Multilateral Treaties on Disarmament and Non-Proliferation of Weapons of Mass Destruction” (2011) 17(2) UC Davis Journal of International Law and Policy 349–350. 158 See generally ibid., 351; Ryan T. Kaminski, “Escaping the Cyber State of Nature: Cyber Deterrence and International Institutions” in Christian Czosseck, Karlis Podins (eds.), Conference on Cyber Conflict: Proceedings (NATO CCDCOE 2010) 90. 159 UN Charter (n. 43) Art. 26. Note that, initially, the legally-dormant Military Staff Committee was also assigned an assisting role to the Security Council in these matters— see ibid., Arts. 26, 47(1). Role of International Organizations 299 resources” (emphasis added).160 Some might argue that this sentence loses value in light of potential regulation of certain malware, due to its relatively cheap price, easy reproduction and wide accessibility.161 However, it is not entirely true, as developing malware may sometimes also require significant human and financial investment.162 The UNSC often prefers to deal with issues of disarmament and arms control under Chapter VII of the UN Charter, which can be seen by observing its attitude to real and presumed Iraqi possession of WMDs or its embargo against North Korea in response to the 2006–2012 nuclear weapon and ballistic missile tests.163 Whether and to what extent cyber-proliferation per se will be considered a threat to peace will depend on the political circumstances. The importance of disarmament in the UN peace operations, officially emphasized since the UNSG’s Agenda for Peace report, is likely to be preserved in cyber-space.164 That being said, traditional roles fulfilled by UN peacekeeping troops, such as collection and maintenance of voluntarily surrendered weapons in accordance with cease-fire agreements or even forcible disarmament of warring parties, will need to take a special cyber-disarmament form.165 In the latter case, it can, inter alia, include decoding and disclosing to the world community the discovered malware, targets and, if necessary, vulnerabilities of the systems. Notably, Stuxnet was publicly dissected in this manner. One should also note that attempts to similarly “disarm” cyber-peacekeepers themselves could result in the latter having the right to self-defense under customary norms.166 Cyber-attacks are sometimes said to resemble WMDs in their effects on populations. Which aspects apply by analogy and what can they say about the possibility of arms control in cyber-space? In comparison with WMDs generally, the development of new malware is not very effective for deterrence purposes, as it often lacks the capacity to cause large-scale devastation or ensure

160 Ibid., Art. 26. 161 See Arimatsu (n. 154) 100, 102–103. 162 See sub-chapter 3.2.1. 163 See Venturini (n. 157) 350. 164 See UNSG, “Agenda for Peace” (n. 123) para. 55. 165 See generally James D. Fry, “Of Pinpricks and Cannon Shots: UN Arms Embargoes and Peacekeeping as Coercive Disarmament Measures” (2011) 17(2) UC Davis Journal of International Law and Policy 223–224. 166 Consider the UN Peacekeeping Force in Cyprus that was authorized to use self-defense under these circumstances by the UNSG—see ibid., 225. 300 CHAPTER 8 mutually assured destruction.167 Therefore, there does not seem to be an urgent need for a global mechanism of monitoring malware use in the world,168 or an early warning-and-assist system based on the humanitarian emergencies model169 or suggested academic models.170 Malware does share certain similarities with chemical and biological weapons, “including ease of acquisition, asymmetric damage, and polymorphism”.171 For instance, knowledge of various strains of viruses and chemical formulas cannot be easily “disarmed”.172 Likewise, the techniques of developing malware will likely be preserved in the minds of experienced crackers and cyber-security specialists. Unlike biological and chemical weapons, however, no special or laboratory equipment is required at all in order to practically produce malware. All one needs is access to a computerized device. For this reason, total prohibition of cyber-attacks in a treaty remains problematic to achieve.173 Another difficult task, due to unlimited quantities of source code on the Internet nowadays, is establishing viable verification and inspection mechanisms.174 Political pressure to disarm, therefore, will not be as effective in cyber-space as with WMDs.175

167 For a list of similarities and differences between cyber-conflict and nuclear conflict, see James C. Mulvenon, Gregory J. Rattray, Addressing Cyber Instability (Cyber Conflict Studies Association 2012) 4–6. 168 See generally Neil C. Rowe, Simson L. Garfinkel, Robert Beverly, Panayotis A. Yannakogeorgos, “Challenges in Monitoring Cyberarms Compliance” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 87, 96–97. 169 See Gavan Duffy, “An Early Warning System for the United Nations: Internet or Not?” (1995) 39(2) Mershon International Studies Review 316. 170 See Duncan B. Hollis, “An e-SOS for Cyberspace” (2011) 52(2) Harvard ILJ 409–411; Eric T. Jensen, “A Response to Duncan Hollis, An e-SOS for Cyberspace” (2011) 53 Harvard ILJ Online 1–10. See also Clarke, Knake (n. 152) 252, who suggest the creation of an “International Cyber Forensics and Compliance Staff”, meant to assist nations under attack. 171 Kenneth Geers, Strategic Cyber Security (NATO CCDCOE 2011) 127. 172 E.g., formulas of biological weapons were preserved at Biopreparat facilities, after the USSR collapsed. 173 Geers (n. 171) 130. 174 Ibid., 130–131; Arimatsu (n. 154) 101; Clarke, Knake (n. 152) 220, 254. 175 For an opposing view, see Jason Healey, “When ‘Not my Problem’ Isn’t Enough: Political Neutrality and National Responsibility in Cyber Conflict” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 26. Role of International Organizations 301

Because of these factors, if governments would agree on a special malware- control treaty, in order to diminish advantage of technologically developed states, cyber-disarmament would have to take the only possible form of simple disclosure of software vulnerabilities and malware in the common interest.176 This can be supplemented, perhaps, by effective mutual assistance treaties meant to help minimize damage and recover from cyber-attacks.177 As emphasized by Louise Arimatsu, maintaining a balance of power between technologically developed states will remain the key factor for the success of such disarmament arrangements.178 As with the case of bilateral Strategic Arms Reduction Treaties between Russia and the US, such disarmament may never be fully complete, but it could, nonetheless, contribute to peace and security in cyber-space substantially. A somewhat unique characteristic of potential cyber-disarmament and arms control will be the need to collaborate with the private sector, which currently controls a significant part of the Internet.179 Finally, since cyber-attacks are less likely to raise humanitarian concerns than WMDs, withdrawal from any cyber-arms control treaty can be expected to be less problematic than in the case of nuclear, biological or chemical weapons, particularly when state interests are jeopardized or it is acting in extreme circumstances of self-defense.180 Having discussed the main global UN mechanisms and tools that may be relied upon for collective security and prevention of abuse of international law, one should turn attention to the role that other inter-governmental organizations play.

8.4 Role of Other International Organizations

The principle of subsidiarity has guided the international community in its pursuit of security for many years. Notably, non-global organizations have

176 See Arimatsu (n. 154) 99; Karlis Podins, Christian Czosseck, “A Vulnerability-Based Model of Cyber Weapons and its Implications for Cyber Conflict” in Eric Filiol, Robert Erra (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012) 202–203. 177 Richard Stiennon, Surviving Cyberwar (Government Institutes 2010) 103. 178 Arimatsu (n. 154) 100. 179 Ibid., 101. See also Clarke, Knake (n. 152) 226. 180 See generally Guido den Dekker, Tom Coppeny, “Termination and Suspension of, and Withdrawal from, WMD Arms Control Agreements in Light of the General Law of Treaties” (2012) 17(1) Journal of Conflict & Security Law 36. 302 CHAPTER 8 traditionally provided platforms for increased diplomatic pressure, as well as coordinated sanctions on individual states181 and have taken active part in a number of peace operations.182 Nonetheless, it must be stated that, on their own, they cannot overcome the general normative rules (such as the prohibition of the use of force). Moreover, their limited geographical scope does not allow such organizations to assume the main role in controlling borderless cyber-space. They, therefore, remain subject to the United Nations primacy and will be more so, should the UN be allowed to reach its full centralizing potential in this field. In this environment, and taking into account the conclusions made in the previous sub-chapters, one should ask, what is the role that international law prescribes to these non-global organizations? Are these entities ready to assume this role or are they prone to violating the law themselves? Can they create and interpret international law? The present sub-chapter seeks to answer these questions, concentrating specifically on the most powerful military alliance that has a significant presence in the field of cyber-warfare—NATO.

8.4.1 Prescribed Role within the Global Framework of Collective Security The Security Council can decide whether its decisions bind all members or only certain states, although all countries are expected to afford mutual assistance in carrying them out.183 In practice, the UNSC has always relied on consenting regional agencies, individual states, coalitions or, more recently, military organizations like NATO to enforce its decisions under Chapter VII of the UN Charter.184 The Tallinn Manual correctly foresees similar arrangements arising in the context of cyber-attacks.185 However, since cyber-space opens up a possibility of creating the UN’s own special forces, one should not simply agree with Michael Schmitt, who claims that equally “defensive or offensive cyber

181 For instance, consider the current collective EU sanctions against North Korea, Syria or the Islamic Republic of Iran. 182 See Bothe (n. 125) 1192–1193. 183 UN Charter (n. 43) Arts 48(1), 49. 184 See UN Charter (n. 43) Art. 53(1); Michael N. Schmitt, “Cyber Operations and the Jus ad Bellum Revisited” (2011) 56(3) Villanova Law Review 585. See generally Bothe (n. 125) 1180, 1192; Dan Sarooshi, International Organizations and Their Exercise of Sovereign Powers (OUP 2005) 35. 185 See Tallinn Manual (n. 46) R19: “International organizations, arrangements, or agencies of a regional character may conduct enforcement actions, involving or in response to cyber operations, pursuant to a mandate from, or authorization by, the United Nations Security Council”. Role of International Organizations 303 operations [. . .] [will depend] on the willingness of states to provide necessary cyber assets and forces to execute them”.186 Though an independent non-governmental cyber-force of the UN might be preferable, the United Nations members have the de jure option of sum- moning forces of other states after signing “special agreements” with them, as provided for by the UN Charter.187 Since “assistance, [. . .] facilities, [and] rights of passage” remain indispensable, due to the global and partially state- controlled nature of cyber-space, the United Nations will greatly benefit from such agreements.188 Similar effects could also be achieved through binding UNSC Resolutions. In either case, the UN is likely to continue to rely on regional organizations to some extent. Indeed, the UN Charter itself expects that member-states carry out the decisions “directly and through their action in the appropriate international agencies of which they are members”.189 Before a matter pertaining to international peace and security is referred to the Security Council, it is anticipated that states will make “every effort to achieve pacific settlement of local disputes through [. . .] regional arrangements”.190 The Charter clearly states that any enforcement action (including the one in cyber-space) will require the UNSC authorization,191 although the 2011 Libyan precedent demonstrated that regional organizations themselves (in this case, the Arab League) sometimes determine whether a Security Council authorization of an armed intervention is appropriate at all.192 The trend to use forces of regional organizations has been previously justified by the problem of limited numbers.193 Whilst the amount of troops has minimal importance in cyber-warfare, lack of experienced individuals possess- ing the necessary knowledge in cyber-security may create similar difficulties. As in the previous case, the UNSC will then be expected to have a close mutual cooperation with regional organizations.194 The “In Larger Freedom” report went as far as recommending financing UNSC-mandated regional operations

186 Schmitt (n. 184) 585. 187 UN Charter (n. 43) Art. 43(1), 43(2). 188 See ibid., Art. 43(1). 189 Ibid., Art. 48(2). 190 Ibid., Art. 52(2). See also ibid., Arts 51(1), 54. 191 Ibid., Art. 53(1). Note that the “enemy states” exception was invalidated by customary law. 192 Zifcak (n. 104) 14. See also Vashakmadze (n. 93) 1234. 193 High-Level Panel (n. 74) para. 220. 194 Ibid. See also UNSG, “In Larger Freedom” (n. 97) para. 112. 304 CHAPTER 8 and “regional organizations in multi-pillar peace operations under the overall United Nations umbrella”.195 For the purposes of the present book, the existing political unions of states can be divided into three categories, based upon their roles in military affairs and, as an extension, cyber-warfare capabilities: non-armed regional organizations, political organizations with limited military capacities and military blocks. Since the present work concentrates on the jus ad bellum and jus in bello, the non-armed regional groups shall not be addressed in detail in this sub-chapter. What could be noted, however, is that the non-military focus of these organizations itself contributes to the overall problems of the disproportional emphasis on cyber-crime (while cyber-warfare is ignored), as well as underplaying cyber-terrorism in the global arena.196 While one may object that this is merely due to their initial peaceful orientation, the same issues also arise in politico-economic organizations that have limited military capacities. These include entities like the Economic Community of West African States (ECOWAS), African Union (AU) and the EU. Notably, the troops of the latter two organizations were specifically mentioned in the “In Larger Freedom” report as a “valuable component to [the UN] efforts”.197 Most African and Arab nations (as well as Latin American states, for that matter) remain technically underdeveloped, which could nullify the effectiveness of any cyber-enforcement.198 On the other hand, the EU’s rigidness in engaging with cyber-warfare and its excessive orientation on cyber-crime leaves no similar excuse. This organization clearly has advanced IT expertise and financial potential.199 Nonetheless, the EU’s role within the global framework of international response to cyber-warfare (as part of the solution

195 UNSG, “In Larger Freedom” (n. 97) para. 215. 196 These organizations include, for instance, the CoE, Organization for Security and Cooperation in Europe (OSCE), Organization for Economic Cooperation and Development, Asia-Pacific Economic Cooperation, Association of Southeast Asian Nations, Organization of American States, Group of Eight and Interpol. 197 UNSG, “In Larger Freedom” (n. 97) para. 112. 198 Though this is likely to pose a lesser challenge in the context of cheaper cyber-warfare, one should mention that the AU and ECOWAS have sometimes lacked financial resources and equipment in order to intervene and enforce decisions of the UNSC or peace generally—see Pattison (n. 112) 409. 199 Consider, for instance, the EU’s development of the quick response unit (CERT-EU) and the European Network and Information Security Agency (ENISA) that coordinate European computer emergency response teams. Role of International Organizations 305 to reducing exploitability of legal imperfections), at least currently, remains extremely limited. Its own 2011 Study points out that “given the current relatively weak wider institutional framework of common EU command and control capabilities, it will be hard for the EU to build common cyberdefence”.200 In contrast to the non-armed groups, the significant role in cyber-warfare of collective security organizations and regional defense arrangements is prede- termined by their initial orientation towards countering military aggression, regulating (and if necessary, participating in) armed conflicts, as well as fighting against escalated conventional terrorism. The existing capacities, established plans and hierarchies make all of these organizations likely enforcers of the UN decisions in cyber-space. Moreover, some of these alliances already have experience in peacekeeping and peace enforcement and could engage in cyber peace operations if called upon. Why was NATO selected for a special analysis in the following sub- chapter? It is true that there are multiple military organizations in the world.201 However, the NATO Alliance stands out not only in terms of its logistical and military resources, but also due to the present high level of investment in its cyber-security and cyber-warfare capabilities.202 Additionally, it is currently the most influential standalone military policy-maker.

8.4.2 NATO as Part of the Problem and the Solution Previously, the UN held that NATO has a “constructive role [. . .] to play in assisting in the training and equipping of less well resourced regional organizations and states”.203 This is particularly true in the cyber-context. However, as Rex Hughes notes, since a large number of cyber-strikes originate from outside the

200 Alexander Klimburg, Heli Tirmaa-Klaar, “Cybersecurity and Cyberpower: Concepts, Conditions and Capabilities for Cooperation for Action within the EU” (Study, Directorate- General for External Policies of the European Parliament 2011) 34 accessed 1 August 2015. 201 For instance, American, British, Canadian, Australian and New Zealand Armies’ Program, Australia, New Zealand, United States Security Treaty, Auscannzukus, Collective Rapid Reaction Force, Collective Security Treaty Organization, Finabel, Five Power Defense Arrangements, Organization for Joint Armament Cooperation, Permanent Joint Board on Defense, Quadrilateral Security Dialogue, the SCO and the Technical Cooperation Program. 202 See generally Pattison (n. 112) 408. 203 High-Level Panel (n. 74) para. 273. 306 CHAPTER 8

Alliance, it has to be in close cooperation with the non-member states, especially Russia and China.204 The reliance of the UN on the Alliance to enforce its decisions has grown in the last decades and is certain to mirror into the cyber-arena as well, taking into account the advanced NATO capabilities that allow it to be a part of the global solution to the problem of international law violations and exploitation of its uncertainties, deficiencies and gaps. Since 1991, NATO has become one of the most active actors in the field of humanitarian interventions, as well as peacekeeping and peace enforcement missions, often undertaking them “beyond [. . .] mandated areas”.205 The UN generally welcomes these missions only as long as they are authorized by the Security Council.206 The same constraints are enshrined in Article 7 of the North Atlantic Treaty, although they are not always followed by NATO itself (for example, consider the operation in Kosovo). How politically and legally advanced is NATO in the field of cyber-warfare? For the first time the Alliance agreed on the need to “strengthen [. . .] capacities to defend against cyber attacks” at the Prague Summit in 2002,207 although defense of its information systems has been a priority before, for instance, in its 1999 Strategic Concept.208 This priority was not mentioned in the 2004

204 Rex B. Hughes, “NATO and Cyber Defence: Mission Accomplished?” (2009) 1(4) Atlantisch Perspectief 4. Political conflicts between NATO and the SCO members represent another argument why the UN is better suited to maintain its primary role in cyber-space security and should start addressing the issue of cyber-warfare and cyber-terrorism more closely. 205 High-Level Panel (n. 74) para. 273; Nicola Butler, “NATO: From Collective Defence to Peace Enforcement” in Albrecht Schnabel, Ramesh Thakur (eds.), Kosovo and the Challenge of Humanitarian Intervention (UN University Press 2000) 273. See also Dick A. Leurdijk, “UN Reform and NATO Transformation: The Missing Link” in Oliver Ribbelink (ed.), Beyond the UN Charter: Peace, Security and the Role of Justice (TMC Asser Press 2008) 142. 206 High-Level Panel (n. 74) para. 273. See also Nico Schrijver, Larissa van den Herik, “Leiden Policy Recommendations on Counter-terrorism and International Law” (2007) 54(3) Netherlands International Law Review, para. 37: “Regional and sub-regional organizations, such as NATO [. . .], when playing a role in respect of the use of force against terrorist groups, should not undermine the Security Council’s primary responsibility under the Charter”. 207 Heads of State and Government Participating in the Meeting of the North Atlantic Council in Prague, “Prague Summit Declaration” (Declaration, NATO 2002) para. 4(f). See generally Sverre Myrli, “NATO and Cyber Defence” (Committee Report 173 DSCFC 09 E BIS, NATO Parliamentary Assembly 2009) para. 46 accessed 1 August 2015. 208 Heads of State and Government Participating in the Meeting of the North Atlantic Council in Washington DC, “The Alliance’s Strategic Concept” (Concept Document, NATO 1999) para. 23. Role of International Organizations 307

Istanbul Summit Declaration, and, in the 2006 Riga Summit, it was only briefly reiterated.209 However, during the 2008 Bucharest Summit, a unified Policy on Cyber Defense was adopted that emphasized that there is a “need for NATO and nations to protect key information systems in accordance with their respective responsibilities; share best practices; and provide a capability to assist Allied nations, upon request, to counter a cyber attack”.210 The Policy on Cyber Defense was revised in 2011, to include a more comprehensive, clear framework of coordinated action under the North Atlantic Council’s supervision.211 The 2008 Summit additionally led to the creation of the Cyber Defense Management Authority charged with centralizing and coordinating NATO’s cyber defense capabilities and national computer emergency response teams.212 At the 2010 Lisbon Summit (echoed also in the adopted 2010 Strategic Concept and the 2020 Report),213 the heads of states addressed the general issue in more detail and, inter alia, pledged to “take into account the cyber dimension of modern conflicts in NATO’s doctrine” and “work closely with other actors, such as the UN and the EU”.214 These commitments were reaffirmed at the 2012 and 2014 Summits, where the leaders additionally decided to “integrate cyber defence measures into Alliance structures and procedures and [. . .] [to] remain committed to identifying and delivering national cyber defence capabilities that strengthen Alliance

209 See Heads of State and Government Participating in the Meeting of the North Atlantic Council in Riga, “Riga Summit Declaration” (Declaration, NATO 2006) para. 24. 210 Heads of State and Government Participating in the Meeting of the North Atlantic Council in Bucharest, “Bucharest Summit Declaration” (Declaration, NATO 2008) para. 47. Note that this is first time when an “international military organization had deemed cyber-security to be a collective defence obligation”—see Rex Hughes, “A Treaty for Cyberspace” (2010) 86(2) International Affairs 529. 211 “NATO and Cyber Defence” (NATO, 2012) accessed 1 August 2015. 212 Hathaway and others (n. 6) 862; Klimburg, Tirmaa-Klaar (n. 200) 26; Hughes, “NATO and Cyber Defence” (n. 204) 3. 213 Heads of State and Government Participating in the Meeting of the North Atlantic Council in Lisbon, “Active Engagement, Modern Defence” (Strategic Concept Document, NATO 2010) paras. 12, 19; Group of Experts on a New Strategic Concept for NATO, “NATO 2020: Assured Security; Dynamic Engagement” (Report, NATO 2010) 7, 9, 11, 17, 20, 24, 35, 45 accessed 1 August 2015. 214 Heads of State and Government Participating in the Meeting of the North Atlantic Council in Lisbon, “Lisbon Summit Declaration” (Declaration, NATO 2010) para. 40. 308 CHAPTER 8 collaboration and interoperability”.215 Notably, activation of the “quick- reaction cyber defense teams” that aim to defend NATO networks and assist allies to fend off cyber-attacks was planned.216 The increased NATO interest in the field of cyber-security was triggered by cyber-attacks on Estonia in 2007 (and to some extent those on Georgia in 2008).217 As a NATO member, Estonia requested assistance, which was provided only in the limited form of observers and advisors.218 Estonian and, later, other states’ officials raised the issue whether cyber-strikes can trigger Article 5 of the North Atlantic Treaty—a provision meant to invoke collective self-defense rights by the member states in case of an armed attack against one or more of them.219 However, already in 2007, the Alliance clearly understood that cyber-attacks against Estonia were not serious enough to warrant an armed response.220 As the Estonian Defense Minister Jaak Aaviksoo reportedly admitted, NATO did “not define cyber-attacks as a clear military action” and collective self-defense was “not automatically [. . .] extended to the attacked country”.221 Michael Schmitt further adds that triggering Article 5 could be a political improbability at the time, since all NATO members have the veto power in the North Atlantic Council and Russia (the suspected coordinator of the attacks) played an important role in the European security and NATO commitments abroad.222 Generally, cyber-strikes that reach the level of threat to political independence and security to one of the member states can automatically initiate con-

215 Heads of State and Government Participating in the Meeting of the North Atlantic Council in Chicago, “Chicago Summit Declaration” (Declaration, NATO 2012) para. 49. Note that the list of partners was expanded to cover the OSCE and the CoE—see ibid. 216 Karen Parrish, “Rasmussen Outlines Cyber Progress, Urges Defense Investment” (American Forces Press Service, 4 June 2013) accessed 1 August 2015. 217 See sub-chapter 3.3.3.5. 218 Eneken Tikk, Kadri Kaska, Liis Vihul, International Cyber Incidents: Legal Considerations (NATO CCDCOE 2010) 24; Duncan B. Hollis, “Why States Need an International Law for Information Operations” (2007) 11(4) Lewis & Clark Law Review 1028. 219 Myrli (n. 207) para. 59; Stephen Herzog, “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses” (2011) 4(2) Journal of Strategic Security 54. 220 Scott J. Shackelford, Richard B. Andres, “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem” (2011) 42(4) Georgetown JIL 1012. 221 Ian Traynor, “Russia Accused of Unleashing Cyberwar to Disable Estonia” (The Guardian, 17 May 2007) accessed 1 August 2015. 222 Schmitt (n. 184) 598. Role of International Organizations 309 sultations under Article 4 of the North Atlantic Treaty. Reflecting the principle of non-intervention, until recently, this approach remained the predominant one in the NATO’s response to cyber-attacks and cyber-terrorism.223 At the same time, general possibility of invoking Article 5 in response to a cyber- strike or an act of cyber-terrorism reaching the threshold of an “armed attack” is not excluded. In fact, the only time this provision was invoked by a NATO state was in response to the use of other unconventional weapons—commercial airliners during 9/11.224 Therefore, whatever method is employed, the consequences of the attack are likely to dictate the counter-action of NATO. The same remains true for the hybrid threat combining elements of conventional and cyber-attacks.225 The above-mentioned independent political and legal NATO actions, as well as plans on cyber-warfare seem to fall within the ambit of recognized international law and contribute to its positive role within the UN’s collective security framework. However, is the Alliance simultaneously also a part of the overall problem? While NATO does not aim to create new laws, it frequently interprets the existing norms in a favorable light. In doing so, governments of the Alliance present the latter as a back-up mechanism for humanitarian causes, human rights and democracy in case the United Nations system fails as a whole. The incurred cyber-strikes allowed the Estonian Republic to receive NATO accreditation for its Cooperative Cyber-Defense Center of Excellence (CCDCOE) in 2008.226 On the surface, the Center represents a think tank

223 Myriam D. Cavelty, “Cyber-Allies, Strengths and Weaknesses of NATO’s Cyberdefense Posture” (2011) 3(12) Internationale Politik 13; Katharine C. Hinkle, “Countermeasures in the Cyber Context: One More Thing to Worry About” (2011) 37 Yale JIL Online 16. 224 Häly Laasme, “Estonia: Cyber Window into the Future of NATO” (2011) 63(4) Joint Force Quarterly 60. See also Bob Reinalda, Routledge History of International Organizations: From 1815 to the Present Day (Routledge 2009) 738; Ulf Häussler, “Cyber Security and Defence from the Perspective of Articles 4 and 5 of the NATO Treaty” in Eneken Tikk, Anna-Maria Talihärm (eds.), International Cyber Security Legal & Policy Proceedings (NATO CCDCOE 2010) 108. 225 Note that NATO has set up a special hybrid threat study group—see Sascha-Dominik Bachmann, Gerhard Kemp, “Aggression as “Organized Hypocrisy”—How the War on Terrorism and Hybrid Threats Challenge the Nuremberg Legacy” (2012) 30(1) Windsor Yearbook of Access to Justice 253. 226 Aspirations to create such a center go back to 2003, i.e. even before Estonia was a member of NATO—see William C. Ashmore, “Impact of Alleged Russian Cyber Attacks” (2009) 11(1) Baltic Security & Defence Review 9. 310 CHAPTER 8 striving to “enhance the capability, cooperation and information sharing”.227 However, inactiveness and wrong orientation of the UN permitted the CCDCOE to assume a role similar to the one of the UN’s International Law Commission and to de facto establish a monopoly in codifying and interpreting the applicability of the existing international laws to cyber-attacks and, thus, to influence the formation of customary law, inter alia, through funding projects such as the Tallinn Manual. Therefore, while NATO promises a significant contribution to the global solution of reducing international law violations and exploitation of its imperfections, it simultaneously creates difficulties for the same UN-led solution by preventively adopting legal interpretations favorable only to the Alliance members. Moreover, it could seek to establish a whole system of international law interpretation that will continue to provide its members the ability to exploit legal imperfections in the future. Close United Nations supervision over NATO, therefore, may be required.

8.5 Conclusion

In the present chapter, the existing mechanisms of collective action meant to remedy exploitation of international law’s uncertainties, deficiencies and gaps were discussed. It was revealed that, currently, the UN agencies that can participate in the creation of soft law fail to acknowledge the danger of cyber- warfare, instead concentrating only on cyber-crime. Furthermore, while the legal framework necessary to tackle terrorism as part of cyber-warfare exists, the present UN approach is not inclusive and is oriented towards tackling the ordinary use of the Internet by terrorists. These factors contribute to the overall exploitability of international law’s imperfections. On the other hand, the current legal regime offers more solid mechanisms in the form of the UNSC and a back-up UNGA’s U4P plan that promise to ensure collective security in cyber-space. Both of these mechanisms are further supported by the R2P concept. The UNGA and UNSC can use the already-existing tools, such as peace operations and arms control in cyber-space, although no preparations to employ them in this context are under way yet. The UN has yet to fully realize its potential vis-à-vis cyber-warfare.

227 “Mission and Vision” (NATO CCDCOE, 2013) accessed 1 August 2015. Note that not all NATO states are part of the CCDCOE, although the Center assists all member states. Role of International Organizations 311

Moreover, it was shown in this chapter that, as part of international law itself, norms regulating the work of the major UN bodies contain some imperfections that individual governments may exploit in the future. This chapter argued in favor of creating special UN cyber-forces, although the likelihood of employing consenting regional and other organizations with and without the “special agreements” is acknowledged. Reliance upon them can be expected at least in the initial stages, inter alia, due to the limited number of highly-qualified experts in the world, who can serve as the United Nations’ cyber-backbone. Due to its advanced cyber-capacities, NATO still remains the likeliest external enforcer of UN decisions, although, in the future, it can be expected to act beyond that which is allowed by the global collective action framework. The next and last chapter, the Conclusion, will address jointly the exploitable imperfections of the current international law regime identified in Chapters 4 through 8 and will set out standards and principles upon which a plan of action might be constructed that can help ensure that jus ad bellum and jus in bello are fit for the purpose of addressing militarized cyber-attacks. CHAPTER 9 Conclusion

9.1 Introduction

The current book analyzed the applicability of jus ad bellum and jus in bello to cyber-attacks and identified imperfections of international law that governments may exploit in the context of cyber-warfare. This was done with a clear theoretical framework in mind, which emphasizes that, instead of ignoring legal norms, governments prefer to deliberately pursue interpretations favorable to them in imperfect areas of international law (as explained in Chapter 2). This chapter summarizes the main argument and provides an analytical assessment of its significance. It is divided into two parts. The first part jointly evaluates the observations made throughout the book, explaining why the main idea of this book can be considered proven and discussing what this means for international law in the broader politico-legal perspective. The second part tackles the issue of finding future solutions to the general problem identified in this book.

9.2 Validity of the Idea

Having divided international law into lesser constituents in order to evaluate its applicability to cyber-attacks and identify its imperfections, one should now view all relevant conclusions made throughout the chapters. In their assessment, analysis ought to return to the suggestions made as part of the book in the Introduction to the present work.1 Is international law generally capable of accommodating cyber-attacks? Does it leave a substantial amount of significant uncertainties, deficiencies and gaps that can be exploited? The current sub-chapter answers these questions in order to demonstrate that the suggested proposition was correct.

1 See sub-chapter 1.2.

9.2.1 Applicability of International Law to Cyber-Warfare Chapter 3 was dedicated to demonstrating that much of cyber-attacks’ potential remains unrealized. During the writing of this book, no visible “game- changing” strike has materialized in the fifth domain of warfare. The publicly known incidents themselves do not pose a challenge to international law that would exclude its applicability.2 Indeed, the occurrences of serious cyber- strikes are so few or so insignificant, that scholars like Dieter Fleck wonder whether the main focus on jus ad bellum and jus in bello, and not on peacetime law, is justified.3 However, law is concerned with the actual, as well as the potential. One, therefore, has to look at the broader picture and consider cyber-attacks together with their full capacity to harm. The world may not have entered the era of “cyber-punk” yet, where high level of technological development would combine with increased violence, but it seems to be heading that way. Efficiency promised by information technology (in comparison with human capabilities) makes computerization of the world an inevitable reality in many aspects of life, and its impact continues to increase even over the poorest of countries (for instance, today, it is almost impossible to imagine a government that would not be reliant upon computerized systems). In this climate, considering its purpose, it is logical for international law to take a preventive stance against serious cyber-attacks, especially in the fields of jus ad bellum and jus in bello. The present level of computerization does not create a threat that would undermine the existing legal regime. In fact, the gradual, step-by-step analysis of how jus ad bellum and jus in bello would apply to cyber-attacks shows that international law can, indeed, accommodate cyber-strikes just as any other military use of technology, even though no specific customary norms exist for cyber-warfare. That being said, it does not accommodate it sufficiently well, as a substantial number of uncertainties, deficiencies and gaps have been identified. What are they?

2 The present book did not specifically consider which types of cyber-attacks could have been concealed by governments or corporations. For the purposes of the present analysis, it remains irrelevant. Whatever attacks have occurred, but were concealed, they are very likely to have been covered by the analysis of the hypothetical threats in Chapter 3. 3 See Dieter Fleck, “Searching for International Rules Applicable to Cyber Warfare—A Critical First Assessment of the New Tallinn Manual” (2013) 18(2) Journal of Conflict & Security Law 335. 314 CHAPTER 9

9.2.2 Legal Imperfections 9.2.2.1 Territoriality, Sovereignty, Jurisdiction Analysis in Chapter 4 revealed that imperfections of international law exist even at the most basic level and pertain to the essence of cyber-space itself. Lex scripta currently does not specify whether the virtual realm created by information technology can constitute a “global common”, “territory” or an extension thereof. This work has argued that, while it is not excluded in the future, absent agreement clarifying the limits of collective cyber-space, the latter does not clearly represent a “global common”. On the one hand, it cannot easily be proclaimed over sovereign states’ exclusive cyber-space and, on the other, it cannot be limited to the current Internet due to the clear and dominant US opposition. Furthermore, in light of the special nature that separates the virtual from other domains of warfare, it is unlikely that arguments will be advanced defending cyber-space’s territoriality. Overcoming the customary notion that links territory and military occupation with physical spaces represents a bur- densome task and governments may find it unnecessary, as they can, in any case, claim sovereignty over the virtual realm. The book has shown that rejection of territoriality results in corruption of the Westphalian system of sovereignty, which is traditionally based on political geography. It becomes unclear whether arguments of sovereignty should force the virtual realm to become “territorial” or whether its non-territoriality will result in the existing system changing its orientation from geographic to broader forms of national zones. If the latter scenario materializes, a gap in international law becomes apparent: the matter of separating various cyber-zones remains unregulated. While it is possible to identify isolated parts of cyber-space as under exclusive sovereignty of a state, no clarity exists in dividing the online zones from each other and from the potential global common (if applicable). Accepting the position that cyber-space is not territorial leads to another exploitable deficiency of international law. It allows an aggressive government to limit the exercise of territorial jurisdiction by a victim-state vis-à-vis attacks that have no direct effect in the real world and which are limited to cyber- space. In this case, one is left to wonder whether the victim-state’s leadership may counter such a move by arguing that, since the system of sovereignty must switch from territory to national zones (if it must), so too the territorial jurisdiction becomes jurisdiction of national spaces. Another uncertainty exists when it comes to the doctrine of passive nationality: its expansion to terrorism by some governments raises the question Conclusion 315 whether cyber-terrorists are automatically covered by this doctrine or, in other words, if states automatically have jurisdiction in cases where their citizens have been harmed by cyber-terrorists. This issue is also directly related to the problem of corrupting the definition of terrorism by individual governments. In addition, both in the case of passive nationality theory and protective doctrine, governments are not clearly constrained in determining the level of harm that triggers their states’ jurisdiction. Lastly, in the context of universal crimes, international law is too weak to subject all nations to the same conditions. An obvious advantage is possessed by those states that refuse to ratify the Rome Statute, as their nationals, for the most part, remain outside the International Criminal Court jurisdiction. Notably, a particular effort is made to guarantee impunity of state leadership by ensuring that launched cyber-attacks do not fall under the definition of crimes prohibited by the Rome Statute, by insisting on domestic prosecutions, by not signing the Rome Statute and (if applicable) through the veto power in the UN Security Council. In case of a crime of aggression, the possibility exists to simply opt out of prosecution altogether.

9.2.2.2 Jus ad Bellum When it comes to jus ad bellum, previous exclusion of political and economic measures from the scope of Article 2(4) of the UN Charter represents a legal deficiency, allowing states to target each other’s economies and social order without it immediately being qualified as the use of force. The meaning of “force” itself and its limits still remain open to debate and governments may rely on conflicting theories that suit them best at the moment. Attempts to rely on the case-by-case approach may hide double standards. In case a qualification of “force” becomes closely intertwined with the concept of critical infrastructure, international law will face competing claims as to the latter’s definition. Another uncertainty rests in the fact that jus ad bellum does not explicitly specify whether inflicted damage has to be intentional in order to qualify as the use of force. In the context of self-defense, not only is the concept of “armed attack” lacking definition, but states are also expected to rely on the subjective criteria of necessity, which does not have concrete normative boundaries. The special nature of cyber-attacks makes it unclear to what extent states may rely on circumstantial evidence and liberal interpretations in deciding whether to resort to self-defense. Proportionality allows a smaller element of subjectivity, though its determination, in any case, rests with the states. Inter alia, this permits nations to freely choose whether to launch kinetic attacks against cyber-force and vice versa. 316 CHAPTER 9

Chapter 5 revealed another uncertainty in law: it is not clear if a state is responsible for armed attacks launched from its territory that it ignores. De facto it allows governments to select whatever theoretic test suits them best (effective control, overall control, complete dependence, support and tolerate, or unable or unwilling) in order to attribute cyber-attacks to individual countries. States are also left to decide what constitutes a “grave and imminent peril” in the context of the plea of necessity. Similarly, the law does not properly constrain subjectivity of the principles of necessity and proportionality in deciding counter-measures. Since cyber-attacks often require secrecy and swiftness, the obligation to warn others about potential counter-measures in cyber-space may be perceived as a legal deficiency. In addition, one can debate whether there is a duty to discontinue counter-measures once the offensive act has ceased and whether the use of force can constitute a lawful response. Furthermore, lack of clarity surrounds counter-measures in relation to non-state actors. The issue whether attacks on nationals abroad trigger the right to self- defense remains unresolved. Additionally, because it is extremely hard to weigh effects of cyber-strikes before they materialize and it is unknown if they can be stopped by non-forceful measures, the law fails to provide adequate answers if and when a potential armed attack in or via cyber-space becomes “immediate”, triggering the possibility of exercising self-defense preemptively. Although the UN Security Council is at liberty to determine that any act can constitute aggression, the crime of aggression is indisputably constrained by the nullum crimen sine lege principle. Nevertheless, uncertainties in law continue to exist and make prosecution opportunities (potentially, from 2017) unsettled in some instances. Most importantly, international law does not explain whether it is possible to “send” armed groups into cyber-space and if these groups can include official state military.

9.2.2.3 Jus in Bello Jus in bello features its own set of imperfections. First of all, it is not clear how intensive cyber-attacks should be and which consequences they should achieve in order to trigger an international or non-international armed conflict alone. For instance, it is uncertain whether hardware neutralization can serve as an international conflict trigger. Similarly, “attack” in the context of Article 49(1) of AP1 (“acts of violence [. . .], whether in offence or in defence”) may or may not encompass destruction of data, neutralization of objects and suffering caused by cyber-attacks. Conclusion 317

International law leaves unsettled the matter of when application of jus in bello is bound to cease in the context of cyber-warfare. Since cyber-space is not yet divided into national and (if applicable) international cyber-zones, jus in bello seems to automatically extend into the limitless cyber-space. Furthermore, one is left to wonder whether cyber-attacks can constitute part of land, sea or air warfare due to the presence of cyber-infrastructure in all of these domains. Although medical transport, installations containing dangerous forces, civilians, civilian objects and potential UN peacekeepers must be “marked” to guarantee their protection, no common agreement presently exists on how to do this in cyber-space. A potential gap concerns the deliberate release of biological and chemical materials from protected facilities, which, in strict legal terms, would not constitute a use of biological or chemical weapons, as these facilities normally contain small substance amounts that are initially meant for peaceful purposes. Moreover, Chapter 6 showed that it is currently hard to predict whether environmental damage due to accidental infection of bio-chemical or nuclear facilities with malware constitutes a war crime or not. Furthermore, it is not clear whether governments can successfully argue that not only nuclear power stations, but other atomic and bio-chemical facilities should be considered installations containing dangerous forces, attacks against which are prohibited. If it is accepted that they are such installations, a gap emerges, as AP1 can remove the prohibition on attacks only in case of nuclear power stations, but not other atomic or bio-chemical facilities. AP1 prohibits striking military objectives “in the vicinity” of the installations containing dangerous forces. Thus, governments are likely to present conflicting arguments on whether computerized systems in military facilities within classic vicinity of these installations, or cyber-vicinity of military objectives (connected to computerized systems at the installations) should be respected. Notably, it is uncertain how to make such “vicinity” understood, both by human operators and activated malicious programs. As with the case of jus ad bellum, jus in bello’s necessity and proportionality exist without concrete instructions on their application. What exactly constitutes a “definite military advantage”, “concrete and direct overall military advantage” and “effective contribution to military action” in cyber-warfare, particularly in the context of dual-use systems, remains open for governments to decide. Another uncertainty revealed is related to making cyber-warriors “recognizable at a distance”. Various conflicting arguments may be presented, pertaining to whether distinctive emblems are relevant or irrelevant in cyber-warfare, and 318 CHAPTER 9 whether attackers have to declare their intentions beforehand or post factum. A connected issue is whether the obligation to give advance warning of attacks, which might affect the civilian population, is still valid in cyber-warfare. A number of uncertainties exist also in relation to a category of combatants called levée en masse. Firstly, it is not clear whether they can engage extraterritorial military objectives: previously, their actions should have been constrained to the occupied territory, which becomes impractical today. Secondly, the law does not specify which portion of the population should resist online in order to be classified as a mass levy. Thirdly, since mass levy members are not required to wear distinctive emblems, the question whether cyber-attacks should be declared beforehand becomes more topical. Governments are left to subjectively determine which actions in and outside cyber-space can be considered participation of civilians and civilian objects in the hostilities. Next, one may argue that, when it comes to perfidy, jus in bello contains a gap: malware can be used to perfidiously damage data and property. Although the GCs do not prohibit it, such concerns can be raised with regard to lex ferenda. Governments could also debate whether attacks need to be successful to be considered perfidy and whether misled rational human adversary can be equated with a misled computerized system, from a legal point of view. It is not clear if belligerents are allowed to accuse others of violating neutrality on the basis of automatic transfer of hostile malware by their computers. A related uncertainty pertains to the level of control that neutral states should exercise over their infrastructure in order to ensure they do not violate their obligations. Lastly, the current international law does say if spoofing secondary indicators of neutral states is allowed.

9.2.2.4 Cyber-Terrorism The legal regime on terrorism has a number of special imperfections not present in jus ad bellum and jus in bello generally. Chapter 7 aimed to separate two distinct concepts of terrorism: conventional (formed by the UN’s anti-terrorist instruments) and archaic (formed by relevant provisions of the GCs). Governments can be expected to attempt to mix these two concepts together and to brand political cyber-attacks as terrorism. An example of this tactic can be seen in the introduction of a special definition in the Terrorist Financing Convention. Inter alia, it creates an uncertainty of whether death or injury, caused with the purpose of compelling a government or an organization to do or abstain from doing an act, should be considered an act of archaic terrorism in case it does not instill fear in the civilian population. Conclusion 319

A significant legal deficiency could lie in the ongoing crystallization of state forces’ immunity against the conventional terrorism regime. If artificially kept outside the context of an armed conflict, this allows state military to resort to attacks, which would otherwise (that is if launched by non-state actors) be classified as “terrorist”. Another deficiency may be present in international law: the conventional (not archaic) cyber-terrorist attacks, no matter how intensive, do not necessarily trigger an international armed conflict. In turn, this allows governments to deny the belligerent rights to lawful combatants either by rejecting existence of a conflict altogether or starting a non-international armed conflict itself. Aside from determining that it is necessary and proportionate to assassinate suspected cyber-terrorists, governments may drive their states towards breaking into accounts and computerized systems of their enemies, arbitrary detention, denying combatant and prisoner of war status and other controversial acts associated with the “war on terror”. Next, it should be said that international law is not sufficiently clear on whether cyber-strikes, initiated by independent non-state entities or even individuals can constitute “armed attacks” within the meaning of Article 51 of the UN Charter, in case they are not attributable to states in any way. It also remains uncertain at which intensity governments can legally escalate less-serious conventional cyber-terrorist attacks to the level necessary to trigger the right of self-defense. Particularly, this concerns those borderline scenarios that involve cyber-attacks potentially endangering a ship, undermining health or liberty of diplomatic staff, causing minor destruction at a nuclear installation or controlling an unmanned aerial vehicle. Furthermore, the law does not explicitly indicate whether one can resort to the needle-prick theory, that is if one can view cyber-terrorist attacks (or cyber-strikes generally) cumulatively for the purposes of invoking the right of self-defense.

9.2.2.5 Collective Security When talking about collective security and the United Nations’ role in international affairs generally, Chapter 8 highlighted a deficiency in the politico-legal framework: the UN (not unlike major regional organizations) is presently oriented towards tackling cyber-crime and, for the most part, ignores the rising threat of cyber-warfare. It does not actively seek to facilitate cyber-disarmament or establish presence of its peacekeepers online, neither are its secretariat and experts consciously engaged in soft law development. The UN disproportionally places emphasis on ordinary use of the Internet by terrorists instead of cyber-terrorism itself. At least at the moment, this allows 320 CHAPTER 9 governments to freely exploit any imperfections of international law identified above in addition to those that pertain to the framework of collective security. Notably, the only organization with a clear orientation on cyber-warfare, which is meant to be a productive part of the global collective security effort, the North Atlantic Treaty Organization, itself, tends to support pro-Western interpretations of international law. A small amount of special imperfections is present in the collective security framework. For example, governments may accuse each other of failing to report attacks launched in self-defense to the Security Council (UNSC). At the same time, international law does not give a clear indication whether this obligation still exists in relation to cyber-strikes, which sometimes require secrecy to succeed. Even if it does, it is hard to predict which defensive measures should be reported and which should not. A related issue is whether the UNSC should formally divest the right of self-defense in order for it to discontinue. In case national cyber-forces are not considered land, sea or air units, a gap emerges, because the Security Council cannot use them as part of an enforcement mission under the (exhaustive) Article 42 of the UN Charter. Reluctance of governments to refer to the Uniting for Peace (U4P) resolution in the recent conflicts, where the UNSC was deadlocked, raises the question whether it is still in force and if it can be invoked in the context of cyber-strikes. Simultaneously, Western states’ practice infers that there might (or might not be) an implied UNSC authorization for armed action, including cyber-attacks. Furthermore, international law does not feature a clear understanding of how and if the “Responsibility to Protect” should guide the work of major UN fora and limit the right of veto in the UNSC. Finally, it is currently unsettled if the UN should acquire its own special forces, as originally intended, for action in cyber-space or it should continue to rely on forces of its members and other organizations to enforce its decisions concerning that realm.

9.2.3 Revisiting the Main Argument Having summarized the legal deficiencies, uncertainties and gaps observed in the present work, one is finally in a position to answer two important questions directly related to the main idea of this book, namely, are these imperfections significant enough to attract attempts at their exploitation and are they sufficiently numerous to cause concern, in light of jus ad bellum and jus in bello stagnation? From the previous section it follows that, with the current international laws in place, depending on their interests, various governments can provide Conclusion 321 different (conflicting) opinions on a vast array of issues. One thing that can be noted immediately is the all-pervading nature of the identified imperfections: not only are they present in jus ad bellum and jus in bello, but also in the related regimes on territoriality, sovereignty, jurisdiction, terrorism, collective security and international criminal law. What does this mean from the perspective of the main theoretical premises adopted in this book?4 It indicates that if a state is run by a government that is in pursuit of power and control over others, preserving these imperfections and relying upon them allows such a government to shape the legal environment applicable to cyber-warfare as a whole. In other words, it can attempt to secure a desired legal position before, during and after an armed conflict, on individual and collective levels. It would be wrong to argue that all of the cited imperfections are equally significant. For instance, measures taken in self-defense by individual states are frequently not reported to the Security Council without any serious repercussions, nor would it raise any concern in the context of cyber-warfare. Nevertheless, unresolved issues, such as those pertaining to sovereignty over the virtual realm, essence of “armed attacks”, distinction between military objectives and protected objects in cyber-space, terrorist status of cyber- attackers and so on, without doubt, are extremely significant. As such, they can be expected to attract attention of those governments that attempt to interpret international law in a light favorable to them. The idea is, thus, confirmed. Notably, the ensuing lack of clarity in cyber-warfare affects the general populations and, to a lesser extent, judges, who might need to assess the legality of state behavior in cyber-space. Confused, they can be more easily persuaded to support the position of those governments that exploit the legal deficiencies, uncertainties and gaps in the first place. The last question remains therefore: how to begin the transformation of international law in order to minimize the possibility of its exploitation?

9.3 A Way Forward

Martin Libicki observed that “the instinct that a rules-based world is safer than one ruled by emotion is a sound basis for policy”.5 This is an approach presumed to be appropriate in relation to the subject matter of this book.

4 See sub-chapter 2.3.2. 5 Martin C. Libicki, “Two, Maybe Three Cheers for Ambiguity” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 34. 322 CHAPTER 9

Given the imperfections identified above, there is a need for the development of international law in response. That being said, most of the issues were tackled throughout the present book with a clear understanding that reforms suggested in it, while based on logic and available evidence, do not substitute future decisions of states themselves. Eventually, the existing uncertainties, deficiencies and gaps will have to be addressed by treaties, customary norms or general principles of law. Such developments are possible, as Roger Hurwitz notes, because there are areas in law where state interests and practice clearly converge.6 Drafting a whole new treaty (and a manual) on cyber-warfare that would guide states is not possible here. That would be a matter for a much longer and more detailed construction that should involve various state representatives; as such, it lies outside the book parameters. Instead, attention should be focused on the most important changes that could be implemented for the sake of increasing resistance of international law against exploitation in the future. These changes can help place clear legal and moral constraints upon state behavior. Four requirements emerge from the current book that could enable key reforms: 1) greatest possible clarity and sophistication in all matters, 2) clear, uniform and pre-agreed definitions, 3) larger role for the UN (including its agencies and the Secretariat) and 4) involvement of technical experts in the law-making process. That being said, if a treaty (or a series of treaties) would materialize, it would have to address many of the issues raised in this book. In fact, the present analysis can serve as the beginning of a long quest on the political level meant to ensure that international law is most adequately fit for the purpose of addressing militarized cyber-attacks.

6 Roger Hurwitz, “A New Normal? The Cultivation of Global Norms as Part of a Cybersecurity Strategy” in Panayotis A. Yannakogeorgos, Adam B. Lowther (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014) 243. See generally Stephen Moore, “Cyber Attacks and the Beginnings of an International Cyber Treaty” (2013) 39(1) North Carolina Journal of International Law & Commercial Regulation 251, 254. Appendix 1 Toolkit of a Modern-Day Cracker

Table 2 Cracker’s toolkit

Tactic / Tool Description

Gaining and Maintaining Access to a System

Social Engineering Tricking legitimate users into performing unwanted operations or disclosing sensitive information, exploiting their ego, worries, laziness, beliefs, sympathy and other character traits.1

Parameter Tampering Directly modifying the users’ Uniform Resource Locator (URL) and website address data to send them to the attacker’s website.2

Chipping “Embedding hidden functions in the hardware itself to allow the designer access to or control over the chip at a later point”.3 Although it would require physical tampering with the machine or at least its schematics, once the chip is installed, its modifications are not

* The present list highlights some of the most important tactics and tools that modern day cyber-attackers may use in order to achieve effects discussed throughout the present book. 1 Robert Koch, Björn Stelte, Mario Golling, “Attack Trends in Present Computer Networks” in Christian Czosseck, Rain Ottis, Katharina Ziolkowski (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012) 272; Mark Johnson, Cyber Crime, Security and Digital Intelligence (Gower 2013) 64; Michael Kraft and others, “The Adam and Eve Paradox” in Douglas Hart (ed.), Proceedings of the 8th International Conference on Information Warfare and Security (Academic Publishing International 2013) 279; Libor Sarga, Roman Jašek, “User-Side Password Authentication: A Study” in Rauno Kuusisto, Erkki Kurkinen (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013) 241. 2 Margaret Rouse, “Definition: Parameter Tampering” (TechTarget Search Security, November 2010) accessed 1 August 2015. 3 Jason Barkham, “Information Warfare and International Law on the Use of Force” (2001) 34(1) NYU Journal of International Law and Politics 63.

Table 2 Cracker’s toolkit (cont.)

Tactic / Tool Description

revealed by the testing programs, which only check for “specific functionality”.4 In addition, a chip can be programmed to shut down automatically or malfunction at a specific time without any external commands.5

Spambot A program that sends out large quantities of unwanted messages over email and other media (via SMS, social networks, chats, forums etc). The containing messages can ask the recipients to provide sensitive data to the attacker or have automatically propagating malware attached.6 If targeted against a particular system, they can significantly slow down and prevent legitimate correspondence from reaching its destination—a dangerous prospect in the context of military conflict.7 Spam can be sent just from one machine, however spammers prefer to rely on illegal stealthy networks (“botnets”) of infected computers (“zombies”) that help send out spam-messages in large numbers.

Sniffer A program meant to intercept and retrieve information, (Packet Analyzer) most notably IDs and passwords as persons navigate cyber-space.8 Since users often use the same passwords

4 Paul A. Walker, “Rethinking Computer Network ‘Attack’: Implications for Law and U.S. Doctrine” (2011) 1(1) American University National Security Law Brief 55; Wesley K. Clark, Peter L. Levin, “Securing the Information Highway: How to Enhance the United States’ Electronic Defenses” (2009) 88(6) Foreign Affairs 5. 5 Sally Adee, “The Hunt for the Kill Switch” (IEEE Spectrum, May 2008) accessed 1 August 2015. 6 See Meyer Potashman, “International Spam Regulation & Enforcement: Recommendations Following the World Summit on Information Technology” (2006) 29(2) Boston College International and Comparative Law Review 327. 7 Christopher C. Joyner, Catherine Lotrionte, “Information Warfare as International Coercion: Elements of a Legal Framework” (2001) 12(5) EJIL 838. 8 Ibid., 836. Appendix 1 325

Tactic / Tool Description

in different systems, the information acquired on less serious occasions can later be used to access national defense servers, trade secrets and sensitive research.9

Spyware A program that performs the same function as a sniffer, but unlike the latter, it is installed on a user’s device.10

Keylogger A subclass of sniffer or spyware that can track and record the order of buttons pressed on a keyboard.11

Cookie Poisoning Modifying digitally stored personal information (cookies) to gain unauthorized access to user data.12

Brute Force A program that tries to gain access to a system or server by using exhaustive combinations of all existing words, letters and numbers to guess usernames and passwords.13

Port Scanner A program meant to scan every single port (endpoint of computer communications) of a server in order to determine the weakest spot in security.14

Domain Name System Software or a script that poisons the DNS cache (reserved (DNS) Spoofer part of memory on a server that translates the domain

9 Ibid.; Johnson (n. 1) 39–40. 10 Johnson (n. 1) 54. 11 Ibid., 55, 62. 12 Margaret Rouse, “Definition: Cookie Poisoning” (TechTarget Search Security, June 2007) accessed 1 August 2015. 13 See Johnson (n. 1) 38; Margaret Rouse, “Definition: Brute Force Cracking” (TechTarget Search Security, July 2006) accessed 1 August 2015. 14 Johnson (n. 1) 39. 326 Appendix 1

Table 2 Cracker’s toolkit (cont.)

Tactic / Tool Description

names to their numeric equivalents),15 rerouting an Internet connection to the attacker’s website.16

Exploit A program or script code that takes advantage of and is limited to an already existing vulnerability in the system (often missed by the vendor during release),17 causing unwanted behavior of programs and hardware.18 Exploited vulnerabilities that are known only to the attackers are referred to as zero-days.19

Backdoor Installed software or code that secures constant undetected access to the targeted device or server, thus bypassing the normal method of authentication.20 Backdoor access can also be the result of a compromised chip.

Rootkit An auxiliary program that helps hide malicious operations while ensuring continuous access to a device.21 Unlike a backdoor, rootkit does not have to be preinstalled.

15 Lech Janczewski, Andrew Colarik, Managerial Guide for Handling Cyber-Terrorism and Information Warfare (Idea Group Publishing 2005) 106. 16 Margaret Rouse, “Definition: Cache Poisoning (Domain Name System Poisoning or DNS Cache Poisoning)” (TechTarget Search Security, September 2005) accessed 1 August 2015. 17 Clay Wilson, “Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress”, in Lawrence V. Brown (ed.), Cyberterrorism and Computer Attacks (Novinka Books 2006) 15. 18 “What Does Exploit Mean?” (Symantec PC Tools) accessed 1 August 2015. See also Johnson (n. 1) 41–46. 19 “What is a Zero-Day Vulnerability?” (Symantec PC Tools) accessed 1 August 2015. 20 Dimitrios Delibasis, The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007) 79. 21 “What is a Rootkit?” (AVG) accessed 1 August 2015. See also Johnson (n. 1) 52. Appendix 1 327

Tactic / Tool Description

IP Spoofer A program that forges an Internet Protocol (IP) address in order to conceal the true identity of the attackers, imitate a trusted host or create an impression that cyber-strikes were launched from a different location.22

Inflicting Damage upon Accessing the System

Virus A piece of replicating code that injects itself into existing programs, corrupts them and causes harm when these programs are run.23 In 2009, viruses were estimated to mutate every eight seconds.24

Worm An independent program that spreads automatically via all available channels.25 In addition to destroying information and creating backdoors, in most cases worms consume a lot of resources, significantly slowing down the work of computers and servers.26

Trojan Software that appears to be legitimate, but which contains a malicious code meant to delete and destroy information or provide the attacker access to the user’s system.27 In order to work, this program must first be run by the victim himself. In comparison with other malware, trojans “do not reproduce by infecting other files nor do they self-replicate”.28

22 Michael N. Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework” (1999) 37(3) Columbia Journal of Transnational Law 892. See also Johnson (n. 1) 40–41, 68–70. 23 Barkham (n. 3) 63; Johnson (n. 1) 48. 24 Jeffrey Carr, Inside Cyber Warfare (2nd edn., O’Reilly 2011) 151. 25 Vangie Beal, “The Difference Between a Virus, Worm and Trojan Horse” (Webopedia, 29 June 2010) accessed 1 August 2015. See also Johnson (n. 1) 49–52; Arie J. Schaap, “Weapons of Cyber Warfare Operations: Development and Use Under International Law” (2009) 64 Air Force Law Review 136. 26 Ibid. 27 Ibid. 28 Ibid. 328 Appendix 1

Table 2 Cracker’s toolkit (cont.)

Tactic / Tool Description

Logic Bomb A malicious program that is activated at a particular time or when certain conditions are met (for example, a specific command is issued).29

Inflicting Damage without Accessing the System

Denial of Service (DoS) Bombarding servers or routers with requests for information, consuming bandwidth and forcing them to shut down.30 The point is to disrupt the ordinary data flow and make access for legitimate users impossible.31 Performing DoS attacks does not necessarily require any special software or equipment and can be carried out by simply reloading a website in an Internet browser by a large number of individuals.32 However, more complicated DDoS (Distributed DoS) attacks utilize zombie botnets to target servers in multiple ways and from multiple locations.33 Such botnets are very widespread and by the end of 2012 just one of them (ZeroAccess) reportedly controlled approximately 2.2 million computers around the world.34

29 Barkham (n. 3) 63. 30 Janczewski, Colarik (n. 15) 88; Johnson (n. 2) 83. 31 Jose Nazario, “Politically Motivated Denial of Service Attacks” in Christian Czosseck, Kenneth Geers (eds.), The Virtual Battlefield: Perspectives on Cyber Warfare (IOS Press, 2009) 163. 32 Ibid. 33 Matthew J. Sklerov, “Solving the Dilemma of State Response to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent” (2009) 201 Military Law Review 16; Rex Hughes, “A Treaty for Cyberspace” (2010) 86(2) International Affairs 540. 34 John P. Mello, “Malware Infects 13 Percent of North American Home Networks” (PC World Security, 31 October 2012) accessed 1 August 2015. Appendix 1 329

Tactic / Tool Description

Permanent DoS Unlike the usual DoS attacks, permanent DoS targets (Phlashing) hardware rather than software and aims to disable the system components themselves (for instance, by introducing corrupted updates).35

35 Rouse M, “Definition: Phlashing” (TechTarget Search Security, July 2008) accessed 1 August 2015. Appendix 2 Normative Model for Command Authorities (Jus ad Bellum) e er ve e an ehicle, object? s ything essel, or sev Ye impact? as an damaged? wide population functionality ature of infrastructur W e- Critical civilian of N destruction of installation, v Does the attack ha stat Irreparable damage or aircraft or v and permanent disruption e e y er -attack No civilian disruption Military harmed? How man Non-critical cyber emporary or no objects w t infrastructur One in a single Minor or no damage, , e force -attacks which is o and mor successful ed cyber at least one of Tw of or one in a series es a use of ere highly trained resources and the is the attack? e required a substantial ers w or How sophisticat -attack occurs ey -attack constitut amount of attack The strik force A cyber civilians Non-k ordinary Cyber military sta f e a use of e -attack does not force e a fairs? Cyber stat constitut ed and basic Victims role in e a use of , -attack does not The code or manipulations ar Cyber , constitut unsophisticat e leader or death commander stat t least one military A high-ranking o cial or injury o No fatalities low risk of e -attack death or prov of or causation is not possible t No connection o a cyber t ermanent bodily injury P No fatalities, but high risk a one y causality? en el of as an injured? W Lev sine qua non with a prov e cyber attack or Direct result of its indirect result fatalities One or mor

© koninklijke brill nv, leiden, ��5 | doi ��.��63/9789004298309_012 Appendix 2 331 -attack s s Ye Ye nancial harm? Did cyber cause tremendous ble? va as destruction or or percei W No disruption publicly visibl e No e forc force, but it does es an armed attack es a use of e an armed attack -attack constitut -attack is a use of not constitut -attack constitut Cyber Cyber Cyber s No No Ye the the e? ory of ed stat errit s, mostly attack? civilians re they located Ye attack We die as a result of in the t Did more than 3 people s, mostly Ye military sta f Appendix 3 Direct Participation in Hostilities: A List of Academic Examples

Table 3 Academic examples

Act of a Civilian

Performing a continuous function in preparations, execution or command of definitively hostile cyber-operations1

Launching cyber-attacks that result in violence or destruction2

Disrupting enemy’s command and control systems3

Disrupting the work of radars and weapon systems4

Disrupting vital military networks5

Identifying and disclosing vulnerabilities of a specific network6

* The list of civilian actions is tentatively arranged in order of likelihood of third parties accepting whether they constitute a direct participation in hostilities or not, from most likely (at the top) to less likely (at the bottom). 1 Nils Melzer, Interpretive Guidance on the Notion of Direct Participation in Hostilities under International Humanitarian Law (ICRC 2009) 34. See also Oona A. Hathaway and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review 853. 2 See Michael N. Schmitt and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013) R35C5; Heather H. Dinniss, Cyber Warfare and the Laws of War (CUP 2012) 167. 3 Ibid. 4 Nils Melzer, Cyberwarfare and International Law (UNIDIR 2011) 28. 5 Melzer, Interpretive Guidance (n. 1) 48. See also Charles J. Dunlap, “Perspectives for Cyber Strategists on Law for Cyberwar” (2011) 5(1) Strategic Studies Quarterly 90; Phillip W. Brunst, “Terrorism and the Internet: New Threats Posed by Cyberterrorism and Terrorist Use of the Internet” in Marianne Wade, Almir Maljević (eds.), A War on Terror? The European Stance on a New Threat, Changing Laws and Human Rights Implications (Springer 2010) 68. 6 Tallinn Manual (n. 2) R35C5.

Act of a Civilian

Developing programs actively used to exploit specific network vulnerabilities7

Otherwise making cyber-attacks possible8

Manually activating a logic bomb9

Maintaining active cyber-defenses, especially when defended systems are used to launch counter-attacks10

Launching distributed denial of service (DDoS) attacks that disrupt military operations11

Gathering information on enemy operations via unauthorized access12

Disturbing or restricting military logistics, communications and deployments13

Establishing or exercising control over an enemy’s military network14

Being about to commit a qualifying hostile act15

Having just committed a qualifying hostile act16

7 Ibid., R35C5, R38C9; Dinniss (n. 2) 167; Laurie R. Blank, “International Law and Cyber Threats from Non-State Actors” (2013) 89 International Law Studies 430; David Turns, “Cyber Warfare and the Notion of Direct Participation in Hostilities” (2012) 17(2) Journal of Conflict & Security Law 289. 8 Tallinn Manual (n. 2) R35C4, R35C5. 9 Ibid., R35C9. 10 Dinniss (n. 2) 167–171. 11 Tallinn Manual (n. 2) R35C5. 12 Ibid.; Melzer, Interpretive Guidance (n. 1) 48; Blank (n. 7) 430; Knut Dörmann, “Applicability of the Additional Protocols to Computer Network Attacks” (Report, ICRC 2004) 9 accessed 1 August 2015. 13 Melzer, Interpretive Guidance (n. 1) 48; Melzer, Cyberwarfare (n. 4) 28. 14 Melzer, Interpretive Guidance (n. 1) 48; Dinniss (n. 2) 167. 15 Tallinn Manual (n. 2) R35C7. See also Melzer, Interpretive Guidance (n. 1) 67–68. 16 Ibid. 334 Appendix 3

Table 3 Academic examples (cont.)

Act of a Civilian

Broadcasting calls for international crimes17

Broadcasting propaganda18

Maintaining passive cyber-defenses19

Enhancing military capacity of cyber-forces20

Developing programs meant for cyber-attacks without knowing the target21

Stealing funds from belligerents to support a certain military operation22

Probing network for vulnerabilities23

Assessing damage after a successful cyber-attack24

Waiting after having planted a logic bomb25

Having a break between repeated cyber-attacks26

Acting suspiciously under the circumstances (supported by relevant information)27

17 Tallinn Manual (n. 2) R79C9. 18 Ibid. 19 Ibid., R35C4. 20 Ibid. 21 Ibid., R35C5. 22 Ibid., R35C6. 23 Ibid., R35C7. 24 Ibid. 25 Ibid., R35C8. 26 Ibid., R35C10, R35C11, R38C10. 27 Ibid., R35C12. See also Dinniss (n. 2) 161, 166; Katharina Ziolkowski, “Computer Network Operations and the Law of Armed Conflict” (2010) 49(1–2) Military Law and Law of War Review 80; Prosecutor v Tadić (Opinion and Judgment) ICTY-94–1-T, TC (7 May 1997) para. 616. Appendix 3 335

Act of a Civilian

Launching DDoS attacks that do not influence warring capability28

Defending networks against ordinary cyber-criminals29

Stealing funds from belligerents for private gain30

Developing damaging malware and making it available online31

Maintaining computer equipment and networks, which are later used to perform qualifying hostile acts32

28 Kalliopi Chainoglou, “An Assessment of Jus in Bello Issues Concerning Computer Network Attacks: A Threat Reflected in National Security Agendas” (2010) 12 Romanian JIL 47–49. 29 Dinniss (n. 2) 172. 30 Tallinn Manual (n. 2) R35C6. 31 Ibid., R35C5. 32 Ibid., R35C5, R38C9; Dörmann (n. 12) 9; Turns (n. 7) 289; Michael N. Schmitt, “Humanitarian Law and Direct Participation in Hostilities by Private Contractors or Civilian Employees” (2005) 5(2) Chicago JIL 536.

Bibliography

Books and Book Chapters

———, “Document A/6309/Rev.l: Reports of the International Law Commission on the Second Part of Its Seventeenth Session and on its Eighteenth Session” in ILC, Yearbook of the International Law Commission, vol. 2 (UN 1966). ———, Restatement of the Law (Third): Foreign Relations Law of the United States, vol. 1 (The American Law Institute 1986). Adomi E.E., Security and Software for Cybercafés (IGI Global 2008). Alexandrov S.A., Self-Defense Against the Use of Force in International Law (Kluwer Law International 1996). Aljaghoub M.M., The Advisory Function of the International Court of Justice (1946–2005) (Springer 2005). Allott P., The Health of Nations: Society and Law Beyond the State (CUP 2002). Altman A., Critical Legal Studies: A Liberal Critique (Princeton University Press 1990). Anderson J.L., “Law School Enters the Matrix: Teaching Critical Legal Studies” (2004) 54(2) Journal of Legal Education. Andress J., Winterfield S., Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners (Syngress 2011). Arai-Takahashi Y., The Law of Occupation: Continuity and Change of International Humanitarian Law, and its Interaction with International Human Rights Law (Koninklijke Brill 2009). Arend A.C., Beck R.J., International Law and the Use of Force: Beyond the UN Charter Paradigm (Routledge 1993). Armistead L., Proceedings of the 6th International Conference on Information Warfare and Security (Academic Publishing International 2011). Arquilla J., Ronfeldt D., “The Advent of Network (Revisited)” in Arquilla J., Ronfeldt D. (eds.), Network and Netwars: The Future of Terror, Crime, and Militancy (RAND 2001). Aust A., Handbook of International Law (2nd edn., CUP 2010). Aust H.P., Complicity and the Law of State Responsibility (CUP 2011). Axelrod E.M., Violence Goes to the Internet: Avoiding the Snare of the Net (Charles C. Thomas 2009). Bailliet C.M., “The ‘Unrule’ of Law: Unintended Consequences of Applying the Responsibility to Protect to Counterterrorism, A Case Study of Colombia’s Raid in Ecuador” in Bailliet C.M. (ed.), Security: A Multidisciplinary Normative Approach (Martinus Nijhoff 2009). Baldi S., Gelbstein E., Kurbalija J., Hacktivism, Cyber-Terrorism and Cyberwar: The Activities of the Uncivil Society in Cyberspace (DiploFoundation 2003). 338 Bibliography

Bayuk J.L. and others, Cyber Security Policy Guidebook (John Wiley & Sons 2012). Beggs C., “Cyber-Terrorism: A Threat to Australia?” in Khosrow-Pour M (ed.), Managing Modern Organizations Through Information Technology: Proceedings of the 2005 Information Resources Management Association International Conference (Informa tion Resources Management Association 2005). Berman D.M., The Heroes of Treća Gimnazija: A War School in Sarajevo 1992–1995 (Rowman & Littlefield 2001). Berman F., “Jurisdiction: The State” in Capps P., Evans M., Konstadinidis S., Asserting Jurisdiction: International and European Legal Approaches (Hart Publishing 2003). Besson S., “Theorizing the Sources of International Law” in Besson S., Tasioulas J. (eds.), The Philosophy of International Law (OUP 2010). Binder G., “Critical Legal Studies” in Patterson D. (ed.), A Companion to Philosophy of Law and Legal Theory (2nd edn., Wiley-Blackwell 2010). Blokker N., Schrijver N. (eds.), The Security Council and the Use of Force: Theory and Reality—A Need for Change (Brill 2005). Bothe M., Partsch K.J., Solf W.A., New Rules for Victims of Armed Conflicts: Commentary on the Two 1977 Protocols Additional to the Geneva Conventions of 1949 (Martinus Nijhoff 1982). Broomhall B., International Justice & The International Criminal Court: Between Sovereignty and the Rule of Law (OUP 2003). Brownlie I., International Law and the Use of Force by States (OUP 1963). ———, Principles of Public International Law (4th edn., OUP 1990). Brunst P.W., “Use of the Internet by Terrorists—A Threat Analysis” in NATO COEDAT (ed.), Responses to Cyber Terrorism (IOS Press 2008). Burgess M., “Territoriality and Federalism in the Governance of the European Union” in Burgess M., Vollaard H. (eds.), State Territoriality and European Integration (Routledge 2006). Burgstaller M., Theories of Compliance with International Law (Martinus Nijhoff 2005). Burnstein M., “A Global Network in a Compartmentalised Legal Environment” in Boele-Woelki K., Kessedjian C. (eds.), Internet. Which Court Decides? Which Law Applies? (Kluwer Law International 1998). Butler N., “NATO: From Collective Defence to Peace Enforcement” in Schnabel A., Thakur R. (eds.), Kosovo and the Challenge of Humanitarian Intervention (UN University Press 2000). Buzan B., Wæver O., Wilde J., Security: A New Framework for Analysis (Lynne Rienner Publishers 1998). Campbell D., The Internet: Laws and Regulatory Regimes, vol. 1 (Yorkhill Law Publishing 2007). Campos J.H., The State and Terrorism: National Security and the Mobilization of Power (Ashgate Publishing 2007). Bibliography 339

Carr J., Inside Cyber Warfare (2nd edn., O’Reilly 2011). Cassese A., International Criminal Law (3rd edn., OUP 2013). ———, International Law (2nd edn., OUP 2005). Cheng B., General Principles of Law as Applied by International Courts and Tribunals (CUP 2006). Chesterman S., Just War or Just Peace? Humanitarian Intervention and Humanitarian Law (OUP 2001). ———, You, The People: The United Nations, Transitional Administration, and State- Building (OUP 2005). Clarke R.A., Knake R., Cyber War: The Next Threat to National Security and What to Do About It (HarperCollins 2010). Condorelli L., Naqvi Y., “The War against Terrorism and Jus in Bello: Are the Geneva Conventions Out of Date?” in Bianchi A (ed.), Enforcing International Law Norms Against Terrorism (Hart Publishing 2004). Conforti B., The Law and Practice of the United Nations (3rd edn., Martinus Nijhoff 2005). Conte A., Security in the 21st Century, The United Nations, Afghanistan and Iraq (Ashgate 2005). Conway M., “Cyberterrorism: Media Myth or Clear and Present Danger?” in Irwin J., War and Virtual War: The Challenges to Communities: Probing the Boundaries (Rodopi 2004). ———, “Cyberterrorism: Hype and Reality” in Armistead L., Information Warfare: Separating Hype from Reality (Potomac Books 2007). Cordesman A.H., Cyber-Threats, Information Warfare and Critical Infrastructure Protection: Defending the U.S. Homeland (Praeger Publishers 2002). Crawford E., The Treatment of Combatants and Insurgents Under the Law of Armed Conflict (OUP 2010). Crawford J., Brownlie’s Principles of Public International Law (8th edn., OUP 2012). ———, The International Law Commission’s Articles on State Responsibility: Introduction, Text and Commentaries (CUP 2002). Czosseck C., Geers K. (eds.), The Virtual Battlefield: Perspectives on Cyber Warfare (IOS Press 2009). Czosseck C., Ottis R., Ziolkowski K. (eds.), 2012 4th International Conference on Cyber Conflict (NATO CCDCOE 2012). Czosseck C., Podins K. (eds.), Conference on Cyber Conflict: Proceedings (NATO CCDCOE 2010). Czosseck C., Tyugu E., Wingfield T. (eds.), 2011 3rd International Conference on Cyber Conflict (NATO CCDCOE 2011). Danilenko G.M., Law-Making in the International Community (Martinus Nijhoff 1993). Degan V.D., Sources of International Law (Martinus Nijhoff 1997). 340 Bibliography

Deibert R.J., “Censorship, Sovereignty, and Cyberspace” in Chadwick A., Howard P.N. (eds.), Routledge Handbook on Internet Politics (Routledge 2009). Delibasis D., The Right to National Self-Defence in Information Warfare Operations (Arena Books 2007). Denning D., “A View of Cyberterrorism Five Years Later” in Himma K.E. (ed.), Internet Security: Hacking, Counterhacking, and Society (Jones & Bartlett Learning 2007). Denning D.E., “Terror’s Web: How the Internet Is Transforming Terrorism” in Jewkes Y., Yar M (eds.), Handbook on Internet Crime (Willan Publishing 2010). Diáz-Barrado C.M., “The Definition of Terrorism and International Law” in Fernández- Sánchez P.A (ed.), International Legal Dimension of Terrorism (Koninklijke Brill 2009). Dinniss H.H., Cyber Warfare and the Laws of War (CUP 2012). Dinstein Y., The Conduct of Hostilities under the Law of International Armed Conflict (CUP 2004). Dinstein Y., War, Aggression and Self-Defence (4th edn., CUP 2005). Dixon M., Textbook on International Law (7th edn., OUP 2013). Dörmann K., Elements of War Crimes Under the Rome Statute of the International Criminal Court: Sources and Commentary (CUP 2003). Doswald-Beck L., Chowdhury A.R., Bhuiyan J.H., International Humanitarian Law—An Anthology (LexisNexis India 2009). Duffy H., The ‘War on Terror’ and the Framework of International Law (CUP 2005). Evans M.D. (ed.), International Law (OUP 2003). Everard J., Virtual States: The Internet and the Boundaries of the Nation State (Routledge 2000). Fenrick W.J., “Article 8—War Crimes” in Triffterer O. (ed.), Commentary on the Rome Statute of the International Criminal Court (Nomos 1999). Fidler D.P., “Inter Arma Silent Leges Redux? The Law of Armed Conflict and Cyber Conflict” in Reveron D.S. (ed.), Cyberspace and National Security: Threats, Opportunities, and Power in a Virtual World (Georgetown University Press 2012). Filiol E., Erra R. (eds.), Proceedings of the 11th European Conference on Information Warfare and Security (Academic Publishing International 2012). Findlay T., The Use of Force in UN Peace Operations (OUP 2002). Flemming P., “Myths and Realities of Cyberterrorism” in Schmid A.P. (ed.), Countering Terrorism Through International Cooperation (ISPAC 2001). Franck T.M., Fairness in International Law and Institutions (OUP 1998). ———, Recourse to Force: State Action against Threats and Armed Attacks (CUP 2002). ———, The Power of Legitimacy Among Nations (OUP 1990). Furnell S., Securing Information and Communications Systems: Principles, Technologies, and Applications (Artech House 2008). Gardam J.G., Necessity, Proportionality and the Use of Force by States (CUP 2004). Bibliography 341

Gazzini T., The Changing Rules on the Use of Force in International Law (Manchester University Press 2005). Geers K., Strategic Cyber Security (NATO CCDCOE 2011). Gelbstein E., Kamal A., Information Insecurity: A Survival Guide to the Uncharted Territories of Cyber-Threats and Cyber-Security (UN ICT Task Force 2002). Gerdes L.I. (ed.), Cyber Crime (Greenhaven Press 2009). Gilbert G., Responding to International Crime (Martinus Nijhoff 2006). Ginkel B., The Practice of The United Nations in Combating Terrorism From 1946 to 2008: Questions of Legality and Legitimacy (Intersentia 2010). Goldsmith J.L., Posner E.A., The Limits of International Law (OUP 2005). Goldsmith J.L., Wu T., Who Controls the Internet?: Illusions of a Borderless World (OUP 2006). Goure L., The Siege of Leningrad (OUP 1962). Grant T.D., The Recognition of States: Law and Practice in Debate and Evolution (Praeger Publishers 1999). Gray C., International Law and the Use of Force (3rd edn., OUP 2008). Green JA., The International Court of Justice and Self-Defence in International Law (Hart Publishing 2009). Grigoriev D.I., “Russian Priorities and Steps Towards Cybersecurity” in Nagorski A. (ed.), Global Cyber Deterrence: Views from China, the U.S., Russia, India, and Norway (EastWest 2010). Gunning J., Holm S., Ethics, Law and Society (Ashgate Publishing 2005). Guzman A.T., How International Law Works: A Rational Choice Theory (OUP 2008). Hagestad W., 21st Century Chinese Cyberwarfare (IT Governance 2012). Hanle DJ., Terrorism: The Newest Face of Warfare (Potomac Books 1989). Hart D. (ed.), Proceedings of the 8th International Conference on Information Warfare and Security (Academic Publishing International 2013). Haye E.L., War Crimes in Internal Armed Conflicts (CUP 2008). Heisterberg R.J., “Collaborative Commerce (C-Commerce)” in Bidgoli H. (ed.), The Internet Encyclopedia, vol. 2 (John Wiley & Sons 2004). Henckaerts J. and others, Customary International Humanitarian Law, vols. 1 & 2 (CUP 2005). Hensel H.M., The Legitimate Use of Military Force (Ashgate Publishing 2008). Higgins R., Flory M. (eds.), Terrorism and International Law (Routledge 1997). ———, Problems & Process: International Law and How We Use It (OUP 1994). Hillier T., Sourcebook on Public International Law (Cavendish 1998). Hoffman B., Inside Terrorism (Columbia University Press 2006). Hoffmann J., Nollkaemper A., Responsibility to Protect: From Principle to Practice (Pallas Publications 2012). Hoof G.J., Rethinking the Sources of International Law (Kluwer Law International 1983). 342 Bibliography

Howard F., “Web Attacks 2.0: The Maturating of Web Attacks” in Broucek V., Filiol E. (eds.), 17th EICAR Annual Conference Proceedings (EICAR 2008). Iacovino L., Recordkeeping, Ethics and Law: Regulatory Models, Participant Relationships and Rights and Responsibilities in the Online World (Springer 2006). ICISS, Responsibility to Protect (International Development Research Centre 2001). ICRC, Convention (IV) Relative to the Protection of Civilian Persons in Time of War: Commentary (ICRC 1958) accessed 1 August 2015. Jackson R. and others, Terrorism: A Critical Introduction (Palgrave Macmillan 2011). Jackson R.H., Sovereignty: Evolution of an Idea (Polity Press 2007). Janczewski L., Colarik A., Managerial Guide for Handling Cyber-Terrorism and Informa tion Warfare (Idea Group Publishing 2005). Janczewski L.J., Colarik A.M., Cyber Warfare and Cyber Terrorism (IGI Global 2008). Jennings R., Watts A., Oppenheim’s International Law, vol. 1 (9th edn., Longman 1992). Johnson M., Cyber Crime, Security and Digital Intelligence (Gower 2013). Johnstone I., “The Use of Force” in Boulden J., Thakur R., Weiss T.G. (eds.), The United Nations and Nuclear Orders (UN University Press 2009). Joyner C.C., “Conclusion: The United Nations as International Law-Giver” in Joyner C.C. (ed.), The United Nations and International Law (CUP 1997). Kamal A., The Law of Cyber-Space: An Invitation to the Table of Negotiations (UNITAR 2005). Kammerhofer J., Uncertainty in International Law: A Kelsenian Perspective (Routledge 2011). Karake-Shalhoub Z., Qasimi L., Cyber Law and Cyber Security in Developing and Emerging Economies (Edward Elgar Publishing 2010). Karatzogianni A. (ed.), Cyber Conflict and Global Politics (Routledge 2009). Katin-Borland N., “Cyberwar: A Real and Growing Threat” in Costigan S.S., Perry J. (eds.), Cyberspaces and Global Affairs (Ashgate 2012). Kearney M.G., The Prohibition of Propaganda for War in International Law (OUP 2007). Kelsen H., Principles of International Law (The Lawbook Exchange 1952). Keohane R.O., Nye J.S., Power and Interdependence (2nd edn., Longman 1989). Kohl U., Jurisdiction and the Internet: Regulatory Competence over Online Activity (CUP 2007). Kolesnik D.N., “Development of the Right to Self-Defence” in Butler W.E. (ed.), The Non-Use of Force in International Law (Martinus Nijhoff 1989). Koskenniemi M., From Apology to Utopia: The Structure of International Legal Argument (CUP 2006). Krasno J., Das M., “The Uniting for Peace Resolution and Other Ways of Circumventing the Authority of the Security Council” in Cronin B., Hurd I. (eds.), The UN Security Council and the Politics of International Authority (Routledge 2008). Bibliography 343

Krieken P., Terrorism and the International Legal Order (TMC Asser Press 2002). Krisch N., Mälksoo L., Prost M (eds.), ESIL 2011 4th Research Forum (ESIL 2011). Kuehl D., “From Cyberspace to Cyberpower: Defining the Problem,” in Kramer F.D., Starr S., Wentz L.K. (eds.), Cyberpower and National Security (Potomac Books 2009). Kuusisto R., Kurkinen E. (eds.), Proceedings of the 12th European Conference on Information Warfare and Security (Academic Publishing International 2013). Lehto M., Indirect Responsibility for Terrorist Acts: Redefinition of the Concept of Terrorism Beyond Violent Acts (Hotei Publishing 2010). Leurdijk D.A., “UN Reform and NATO Transformation: The Missing Link” in Ribbelink O. (ed.), Beyond the UN Charter: Peace, Security and the Role of Justice (TMC Asser Press 2008). Lopez J., Setola R., Wolthusen S. (eds.), Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense (Springer 2012). Lord K.M., Sharp T. (eds.), America’s Cyber Future: Security and Prosperity in the Information Age, vol. 2 (Center for a New American Security 2011). Love M.C., “Global Problems, Global Solutions” in Love M.C. (ed.), Beyond Sovereignty: Issues for a Global Agenda (4th edn., Wadsworth 2011). Lubell N., Extraterritorial Use of Force Against Non-State Actors (OUP 2010). Macedo S. and others, The Princeton Principles on Universal Jurisdiction (Princeton University Press 2001). Macedo S., “Introduction” in Macedo S. (ed.), Universal Jurisdiction: National Courts and the Prosecution of Serious Crimes under International Law (University of Pennsylvania Press 2006). Malanczuk P., Akehurst’s Modern Introduction to International Law (7th edn., Routledge 1997). Mangold P., Superpower Intervention in the Middle East (Croom Helm 1978). Marx C., Battlefield Command Systems of the Future (Rosen Publishing 2006). Massimo M., “Threat Assessment and Protective Measures: Extending the Asia-Europe Meeting IV Conclusions on Fighting International Terrorism and Other Instruments to Cyber Terrorism” in Halpin E. and others (eds.), Cyberwar, Netwar and the Revolution in Military Affairs (Palgrave Macmillan 2006). May L., Brown J., Philosophy of Law: Classic and Contemporary Readings (John Wiley & Sons 2009). McAdam J., Climate Change, Forced Migration, and International Law (OUP 2012). McMahan J., Killing in War (OUP 2009). Melzer N., Cyberwarfare and International Law (UNIDIR 2011). ———, Interpretive Guidance on the Notion of Direct Participation in Hostilities under International Humanitarian Law (ICRC 2009). Morgenthau H.J., Politics Among Nations: The Struggle for Power and Peace (7th edn., McGraw-Hill 2006). 344 Bibliography

Mulvenon J.C., Rattray G.J., Addressing Cyber Instability (Cyber Conflict Studies Association 2012). Murphy S.D., Humanitarian Intervention (University of Pennsylvania Press 1996). Nasu H., International Law on Peacekeeping: A Study of Article 40 of the UN Charter (Martinus Nijhoff 2009). National Research Council of the National Academies, Proceedings of a Workshop on Deterring Cyberattacks (National Academies Press 2010). Nesi G. (ed.), International Cooperation in Counter-Terrorism: The United Nations and Regional Organization in the Fight Against Terrorism (Ashgate Publishing 2006). O’Brien J., International Law (Routledge-Cavendish 2001). Orford A., Reading Humanitarian Intervention: Human Rights and the Use of Force in International Law (CUP 2003). Österdahl I., Threat to the Peace: The Interpretation by the Security Council of Article 39 of the UN Charter (Iustus Vorlag 1998). Owens W.A. and others, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (National Academies Press 2009). Pak C.Y., Korea and the United Nations (Kluwer Law International 2000). Papadakis N., The International Legal Regime of Artificial Islands (A.W. Sijthoff International 1977). Partan D.G., The Cuban Quarantine: Some Implications for Self Defense (World Rule of Law Center 1963). Pictet J.S. and others, Commentary of the Geneva Conventions: Fourth Geneva Convention (ICRC 1958). Pilloud C. and others, Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 (Martinus Nijhoff 1987). Pocar F., “International Rules Against Cyber-Crime” in Savona E.U., Crime And Techno logy: New Frontiers For Regulation, Law Enforcement And Research (Springer 2004). Podins K., Stinissen J., Maybaum M. (eds.), 2013 5th International Conference on Cyber Conflict (NATO CCDCOE 2013). Poynting S., Whyte D. “Introduction: Counter-Terrorism and the Terrorist State” in Poynting S., Whyte D. (eds.), Counter-Terrorism and State Political Violence: The ‘War on Terror’ as Terror (Routledge 2012). Pugh M., “Peace Enforcement” in Weiss T.G., Daws S. (eds.), The Oxford Handbook on the United Nations (OUP 2007). Pumphrey C.W., Transnational Threats: Blending Law Enforcement and Military Strategies (Strategic Studies Institute 2000). Putnam T.L., Elliott D.D., “International Responses to Cyber Crime” in Sofaer A.D., Goodman S.E. (eds.), The Transnational Dimension of Cyber Crime and Terrorism (Hoover Institution Press 2001). Raič D., Statehood and the Law of Self-Determination (Kluwer Law International 2002). Bibliography 345

Rastan R., “The Responsibility to Enforce—Connecting Justice with Unity” in Stahn C., Sluiter G. (eds.), The Emerging Practice of the International Criminal Court (Martinus Nijhoff 2009). Reinalda B., Routledge History of International Organizations: From 1815 to the Present Day (Routledge 2009). Reus-Smit C. (ed.), The Politics of International Law (CUP 2004). Rhodes R., Cyber Meltdown: Bible Prophecy and the Imminent Threat of Cyberterrorism (Harvest House 2011). Rid T., Cyber War Will Not Take Place (Hurst & Co 2013). Rona G., “Interesting Times for International Humanitarian Law: Challenges from the ‘War on Terror’” in Ranstorp M., Wilkinson P. (eds.), Terrorism and Human Rights (Routledge 2008). Roscini M., Cyber Operations and the Use of Force in International Law (OUP 2014). Rosenne S., The Perplexities of Modern International Law (Martinus Nijhoff 2003). Ruggie J.G., Constructing the World Polity: Essays on International Institutionalization (Routledge 1998). Sarooshi D., International Organizations and Their Exercise of Sovereign Powers (OUP 2005). ———, The United Nations and the Development of Collective Security: The Delegation by the UN Security Council of its Chapter VII Powers (OUP 1999). Sassen S., “The Impact of the Internet on Sovereignty: Unfounded and Real Worries” in Engel C., Heller K.H. (eds.), Understanding the Impact of Global Networks in Local Social, Political and Cultural Values (Nomos 2000). Saul B., Defining Terrorism in International Law (OUP 2006). Saxon D. (ed.), International Humanitarian Law and the Changing Technology of War (Martinus Nijhoff 2013). Schabas W.A., The UN International Criminal Tribunals: The Former Yugoslavia, Rwanda and Sierra Leone (CUP 2008). Scharf M.P., Newton MA., “Terrorism and Crimes Against Humanity” in Sadat L.N. (ed.), Forging a Convention for Crimes Against Humanity (CUP 2011). Schmid A.P., “The Definition of Terrorism” in Schmid A.P. (ed.), Routledge Handbook on Terrorism Research (Routledge 2011). Schmitt M.N., Essays on Law and War at the Fault Lines (TMC Asser Press 2012). Schmitt M.N. and others, Tallinn Manual on the International Law Applicable to Cyber Warfare (CUP 2013). Schulte C., Compliance with Decisions of the International Court of Justice (OUP 2004). Sharp W.G., CyberSpace and the Use of Force (Aegis Research Corporation 1999). Shaw M.N., International Law (5th edn., CUP 2003). Simma B. and others (eds.), The Charter of the United Nations: A Commentary, vols. 1 & 2 (3rd edn., OUP 2012). 346 Bibliography

Sitkowski A., UN Peacekeeping: Myth and Reality (Praeger Security International 2006). Sluglett P., Britain in Iraq: Contriving King and Country 1914–1932 (Colombia University Press 2007). Sluka J.A., “State Terrorism and Anthropology” in Sluka J.A. (ed.), Death Squad: The Anthropology of State Terror (University of Pennsylvania Press 2000). Smith G.J., Internet Law and Regulation (Sweet & Maxwell 2007). Smith R., “Cyber-States and the ‘Sovereignty’ of Virtual Communities” in Kofman E., Youngs G. (eds.), Globalization: Theory and Practice (3rd edn., Continuum 2003). Sorabji R., Rodin D., The Ethics of War: Shared Problems In Different Traditions (Ashgate Publishing 2006). Stiennon R., Surviving Cyberwar (Government Institutes 2010). Stürchler N., The Threat of Force in International Law (CUP 2007). Sutterlin J.S., The United Nations and the Maintenance of International Security: A Challenge to Be Met (Praegar 1995). Szabó K.T., Anticipatory Action in Self-Defence: Essence and Limits under International Law (TMC Asser Press 2011). Tagliavini H., Report of the Independent International Fact-Finding Mission on the Conflict in Georgia, vol. 2 (Council of the EU 2009). Taubman A., “International Governance and the Internet” in Edwards L., Waelde C. (eds.), Law and Internet (3rd edn., Hart Publishing 2009). Tesón F.R., A Philosophy of International Law (Westview Press 1998). Tikk E., Kaska K., Vihul L., International Cyber Incidents: Legal Considerations (NATO CCDCOE 2010). Tikk E., Talihärm A. (eds.), International Cyber Security Legal & Policy Proceedings (NATO CCDCOE 2010). Tok S.K., “Nationalism-On-Demand? When Chinese Sovereignty Goes Online” in Shen S., Breslin S. (eds.), Online Chinese Nationalism and China’s Biletaral Relations (Lexington Books 2010). Trapp K.N., State Responsibility for International Terrorism (OUP 2011). Tsagourias N.K., Jurisprudence of International Law: The Humanitarian Dimension (Manchester University Press 2000). Tunkin G.I., Theory of International Law (Harvard University Press 1974). Tzanakopoulos A., Disobeying Security Council: Countermeasures Against Wrongful Sanctions (OUP 2011). UN, Historical Review of Developments Relating to Aggression (UN 2003). ———, United Nations Manual on the Prevention and Control of Computer-Related Crime (UN 1994). UNIDIR, The Cyber Index: International Security Trends and Realities (UN 2013). UNODC, Comprehensive Study on Cybercrime, Draft (UN 2013) accessed 1 August 2015. Bibliography 347

———, The Use of the Internet for Terrorist Purposes (UN 2012) accessed 1 August 2015. Vattel E., The Law of Nations, or, Principles of the Law of Nature, Applied to the Conduct and Affairs of Nations and Sovereigns: A Work Tending to Display the True Interest of Powers (Thomas M. Pomroy 1805). Ventre D., Cyber Conflict: Competing National Perspectives (Wiley 2012). Walter C., “Defining Terrorism in National and International Law” in Walker C. and others, Terrorism as a Challenge for National and International Law: Security versus Liberty? (Springer 2004). Westby J.R., International Guide to Cyber Security (American Bar Association 2004). Westra J.H., International Law and the Use of Armed Force: The UN Charter and the Major Powers (Routledge 2007). Wheeler D.L., “Understanding Cyber Threats” in Andreasson K.J. (ed.), Cybersecurity: Public Sector Threats and Responses (CRC Press 2012). White N.D., “The United Nations and Counter-Terrorism: Multilateral and Executive Law-Making” in Frías A.M., Samuel K.L., White N.D. (eds.), Counter-Terrorism: International Law and Practice (OUP 2012). Williamson M., Terrorism, War and International Law: The Legality of the Use of Force Against Afghanistan in 2001 (Ashgate Publishing 2009). Wilson C., “Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress”, in Brown L.V. (ed.), Cyberterrorism and Computer Attacks (Novinka Books 2006). Wilson T., “State Terrorism: An Historical Overview” in Duncan G. and others (eds.), State Terrorism and Human Rights (Routledge 2013). Wriston W., The Twilight of Sovereignty (Scribner 1992). Yannakogeorgos P.A., Lowther A.B. (eds.), Conflict and Cooperation in Cyberspace: The Challenge to National Security (Taylor & Francis 2014). Zacklin R., The United Nations Secretariat and the Use of Force in a Unipolar World (CUP 2010). Zaum D., “The Security Council, the General Assembly, and War: The Uniting for Peace Resolution” in Lowe V. and others (eds.), The United Nations Security Council And War: The Evolution of Thought and Practice Since 1945 (OUP 2010). Ziolkowski K. (ed.), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO CCDCOE 2013).

Articles

———, “Developments in the Law: The Law of Cyberspace” (1999) 112(7) Harvard Law Review. 348 Bibliography

Aceves W.J., “Institutionalist Theory and International Legal Scholarship” (1997) 12(2) American University International Law Review. Agius M., “The Invocation of Necessity in International Law” (2009) 56(2) Netherlands International Law Review. Agnew J., “Sovereignty Regimes: Territoriality and State Authority in Contemporary World Politics” (2005) 95(2) Annals of the Association of American Geographers. Akhavan P., “Beyond Impunity: Can International Criminal Justice Prevent Future Atrocities?” (2001) 95(1) AmJIL. Allan C., “Direct Participation in Hostilities from Cyberspace” (2013) 54(1) Virginia JIL. Allan C.S., “Attribution Issues in Cyberspace” (2013) 8(2) Chicago-Kent Journal of International and Comparative Law. Ansell C.K., Weber S., “Organizing International Politics: Sovereignty and Open Systems” (1999) 20(1) International Political Science Review. Aoláin F., “The No-Gaps Approach to Parallel Application in the Context of the War on Terror” (2007) 40(2) Israel Law Review. Arquilla J., Ronfeldt D., “Cyberwar is Coming!” (1993) 12(2) Comparative Strategy. Ashmore W.C., “Impact of Alleged Russian Cyber Attacks” (2009) 11(1) Baltic Security & Defence Review. Ayofe A.N., Oluwaseyifunmitan O., “Towards Ameliorating Cybercrime and Cyber security” (2009) 3(1) International Journal of Computer Science and Information Security. Bachmann S., Kemp G., “Aggression as “Organized Hypocrisy”—How the War on Terrorism and Hybrid Threats Challenge the Nuremberg Legacy” (2012) 30(1) Windsor Yearbook of Access to Justice. Baker R.B., “Customary International Law in the 21st Century: Old Challenges and New Debates” (2010) 21(1) EJIL. Ball D., “China’s Cyber Warfare Capabilities” (2011) 7(2) Security Challenges. Bangura M.A., “Prosecuting the Crime of Attack on Peacekeepers: A Prosecutor’s Challenge” (2010) 23(1) Leiden JIL. Banks W., “The Role of Counterterrorism Law in Shaping Ad Bellum Norms for Cyber Warfare” (2013) 89 International Law Studies. Barkham J., “Information Warfare and International Law on the Use of Force” (2001) 34(1) NYU Journal of International Law and Politics. Barney S.M., “Innocent Packets? Applying Navigational Regimes from the Law of the Sea Convention by Analogy to the Realm of Cyberspace” (2001) 48 Naval Law Review. Barriga S., Grover L., “A Historic Breakthrough on the Crime of Aggression” (2011) 105(3) AmJIL. Beard J.M., “Law and War in the Virtual Era” (2009) 103(3) AmJIL. Bederman D.J., “Acquiescence, Objection and the Death of Customary International Law” (2010) 21(1) Duke Journal of Comparative & International Law. Bibliography 349

Bellia P.L., “Chasing Bits across Borders” [2001] University of Chicago Legal Forum. Bellinger J.B., Padmanahbah V.M., “Detention Operations in Contemporary Conflicts: Four Challenges for the Geneva Conventions and Other Existing Law” (2011) 105(2) AJIL. Benatar M., “The Use of Cyber Force: Need for Legal Justification?” (2009) 1(3) Goettingen JIL. Ben-Naftali O., Michaeli K.R., “‘We Must Not Make a Scarecrow of the Law’: A Legal Analysis of the Israeli Policy of Targeted Killings” (2003) 36(2) Cornell ILJ. Beres L.R., “After Osama bin Laden: Assassination, Terrorism, War, and International Law” (2011) 44(1–2) Case Westin Reserve JIL. Berman F., “The UN Charter and the Use of Force” (2006) 10 Singapore Yearbook of International Law. Berman P.S., “The Globalization of Jurisdiction” (2002) 151(2) University of Pennsylvania Law Review. ———, “Towards a Cosmopolitan Vision of Conflict of Laws: Redefining Governmental Interests in a Global Era” (2005) 153(6) University of Pennsylvania Law Review. Berner S., “Cyber-Terrorism: Reality or Paranoia?” (2003) 5(1) South African Journal of Information Management. Besson S., “Sovereignty, International Law and Democracy” (2011) 22(2) EJIL. Beytenbrod S., “Defining Aggression: An Opportunity to Curtail the Criminal Activities of Non-State Actors” (2011) 36(2) Brooklyn JIL. Bianchi A., “Terrorism and Armed Conflict: Insights from a Law & Literature Perspective” (2011) 24(1) Leiden JIL. Bianchi A., “The International Regulation of the Use of Force: The Politics of Interpretive Method” (2009) 22(4) Leiden JIL. Bigos O., “Jurisdiction over Cross-Border Wrongs on the Internet” (2005) 54(3) ICLQ. Bix B., “On the Dividing Line Between Natural Law Theory and Legal Positivism” (2000) 75(5) Notre Dame Law Review. Blank L.R., “International Law and Cyber Threats from Non-State Actors” (2013) 89 International Law Studies. Boer L.J., “Restating the Law ‘As It Is’: On the Tallinn Manual and the Use of Force in Cyberspace” (2013) 5(3) Amsterdam Law Forum. Boothby W.H., “Methods and Means of Cyber Warfare” (2013) 89 International Law Studies. Boyle J., “Foucault in Cyberspace: Surveillance, Sovereignty, and Hard-Wired Censors” (1997) 66(2) University of Cincinnati Law Review. Bradley C.A., Gulati M., “Customary International Law and Withdrawal Rights in an Age of Treaties” (2010) 21(1) Duke Journal of Comparative & International Law. Brenner S.W., “‘At Light Speed’: Attribution and Response to Cybercrime/Terrorism/ Warfare” (2007) 97(2) Journal of Criminal Law and Criminology. 350 Bibliography

———, “Cybercrime, Cyberterrorism and Cyberwarfare” (2006) 77(3) International Review of Penal Law. Brenner S.W., Clarke L.L., “Civilians in Cyberwarfare: Conscripts” (2010) 43(4) Vanderbilt Journal of Transnational Law. Brenner S.W., Koops B., “Approaches to Cybercrime Jurisdiction” (2004) 4(1) Journal of High Technology Law. Brito J., Watkins T., “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy” (2011) 3(1) Harvard National Security Journal. Brown D., “A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict” (2006) 47(1) Harvard ILJ. Bryan I., “Sovereignty and the Foreign Fighter Problem” (2010) 54(1) Orbis. Buchan R., “Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?” (2012) 17(2) Journal of Conflict & Security Law. Bugnion F., “Jus ad Bellum, Jus in Bello and Non-International Armed Conflicts” (2003) 6 Yearbook of International Humanitarian Law. Burke R., “Status of Forces Deployed on UN Peacekeeping Operations: Jurisdictional Immunity” (2011) 16(1) Journal of Conflict & Security Law. Byers M., “Terrorism, the Use of Force and International Law after 11 September” (2002) 51(2) ICLQ. Caron D.D., “The Legitimacy of the Collective Authority of the Security Council” (1993) 87(4) AmJIL. Cassese A., “The International Community’s ‘Legal’ Response to Terrorism” (1989) 38(3) ICLQ. Cavelty M.D., “Cyber-Allies, Strengths and Weaknesses of NATO’s Cyberdefense Posture” (2011) 3(12) Internationale Politik. Cerone J., “Misplaced Reliance on the ‘Law of War’” (2007) 14(1) New England Journal of International & Comparative Law. Chainoglou K., “An Assessment of Jus in Bello Issues Concerning Computer Network Attacks: A Threat Reflected in National Security Agendas” (2010) 12 Romanian JIL. Choucri N., “Introduction: Cyberpolitics in International Relations” (2000) 21(3) International Political Science Review. Chu H. and others, “Next Generation of Terrorism: Ubiquitous Cyber Terrorism with the Accumulation of All Intangible Fears” (2009) 15(12) Journal of Universal Computer Science. Clark W.K., Levin P.L., “Securing the Information Highway: How to Enhance the United States’ Electronic Defenses” (2009) 88(6) Foreign Affairs. Clem A., Galwankar S., Buck G., “Health Implications of Cyber-Terrorism” (2003) 18(3) Prehospital and Disaster Medicine. Cohen A., “Cyberterrorism: Are We Legally Ready?” (2010) 9(1) Journal of International Business & Law. Bibliography 351

———, “Prosecuting Terrorists at the International Criminal Court: Reevaluating an Unused Legal Tool to Combat Terrorism” (2012) 20(2) Michigan State International Law Review. Collin B., “The Future of Cyberterrorism” (1997) 13(2) Crime & Justice International accessed 1 August 2015. Condron S.M., “Getting It Right: Protecting American Critical Infrastructure in Cyberspace” (2007) 20(2) Harvard Journal of Law & Technology. Conway M., “Against Cyberterrorism: Why Cyber-Based Terrorist Attacks are Unlikely to Occur” (2011) 54(2) Communications of the Association for Computing Machinery. Corten O., “The Controversies Over the Customary Prohibition on the Use of Force: A Methodological Debate” (2005) 16(5) EJIL. Crawford E., “Regulating the Irregular: International Humanitarian Law and the Question of Civilian Participation in Armed Conflict” (2012) 18(1) UC Davis Journal of International Law and Policy. Creegan E., “A Permanent Hybrid Court for Terrorism” (2011) 26(2) American University International Law Review. Creekman D.M., “A Helpless America? An Examination of the Legal Options Available to the United States in Response to Varying Types of Cyber Attacks from China” (2002) 17(3) American University International Law Review. Cullen P.M., “The Role of Targeted Killing in the Campaign against Terror” (2008) 48(1) Joint Force Quarterly. Deeks A., “The Geography of Cyber Conflict: Through a Glass Darkly” (2013) 89 International Law Studies. Deeks A.S., “‘Unwilling or Unable’: Toward a Normative Framework for Extraterritorial Self-Defense” (2012) 52(3) Virginia JIL. Deibert R., “The Growing Dark Side of Cyberspace (. . . and What to Do About It)” (2012) 1(2) Pennsylvania State Journal of Law & International Affairs. Dekker G., Coppeny T., “Termination and Suspension of, and Withdrawal from, WMD Arms Control Agreements in Light of the General Law of Treaties” (2012) 17(1) Journal of Conflict & Security Law. Delibasis D., “State Use of Force in Cyberspace for Self-Defence: A New Challenge for a New Century” (2006) 8(1) Peace, Conflict & Development. Denning D.E., “Stuxnet: What Has Changed?” (2012) 4(3) Future Internet. Dervan L., “Information Warfare and Civilian Populations: How the Law of War Addresses a Fear of the Unknown” (2011) 3(1) Goettingen JIL. Dinstein Y., “Computer Network Attack and Self-Defense” (2002) 76 International Law Studies. ———, “Cyber War and International Law: Concluding Remarks at the 2012 Naval War College International Law Conference” (2013) 89 International Law Studies. 352 Bibliography

———, “The Principle of Distinction and Cyber War in International Armed Conflict” (2012) 17(2) Journal of Conflict & Security Law. Doswald-Beck L., “Some Thoughts on Computer Network Attack and the International Law of Armed Conflict” (2002) 76 International Law Studies. Doyle J.H., “Computer Networks, Proportionality, and Military Operations” (2002) 76 International Law Studies. Drezner D.W., “The Global Governance of the Internet: Bringing the State Back In” (2004) 199(3) Political Science Quarterly. Duffy G., “An Early Warning System for the United Nations: Internet or Not?” (1995) 39(2) Mershon International Studies Review. Dukes T., Rees A.C., “Military Criminal Investigations and the Stored Communications Act” (2009) 64 Air Force Review. Dunlap C.J., “Perspectives for Cyber Strategists on Law for Cyberwar” (2011) 5(1) Strategic Studies Quarterly. Eaton J., “An Emerging Norm? Determining the Meaning and Legal Status of the Responsibility to Protect” (2011) 32(4) Michigan JIL. Estreicher S., “Privileging Asymmetric Warfare? Part I: Defender Duties under International Humanitarian Law” (2011) 11(2) Chicago JIL. Evans G., “From Humanitarian Intervention to the Responsibility to Protect” (2006) 24(3) Wisconsin ILJ. Fagin M., “Regulating Speech Across Borders: Technology vs. Values” (2003) 9 Michigan Telecommunications and Technology Law Review. Farwell J.P., Rohozinski R., “Stuxnet and the Future of Cyber War” (2011) 53(1) Survival. Fatima T., “Cyber Terrorism: The International Menace—Concept and Responses” (2006) 46(2) Indian JIL. Feil J.A., “Cyberwar and Drones: Using New Technologies, From Espionage to Action” (2012) 45(1–2) Case Western Reserve JIL. Fleck D., “Searching for International Rules Applicable to Cyber Warfare—A Critical First Assessment of the New Tallinn Manual” (2013) 18(2) Journal of Conflict & Security Law. Ford C.A., “The Trouble with Cyber Arms Control” (2010) 29 The New Atlantis. Franck T.M., “Who Killed Article 2(4)?” (1970) 64(5) AmJIL. Franzese P.W., “Sovereignty in Cyberspace: Can it Exist?” (2009) 64 Air Force Law Review. Freudenschuss H., “Between Unilateralism and Collective Security: Authorizations of the Use of Force by the UN Security Council” (1994) 5(1) EJIL. Fritz J., “How China Will Use Cyber Warfare to Leapfrog in Military Competitiveness” (2008) 8(1) Culture Mandala. Fry J.D., “Of Pinpricks and Cannon Shots: UN Arms Embargoes and Peacekeeping as Coercive Disarmament Measures” (2011) 17(2) UC Davis Journal of International Law and Policy. Bibliography 353

Gable K.A., “Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent” (2010) 43(1) Vanderbilt Journal of Transnational Law. Garraway C., “Can the Law of Armed Conflict Survive 9/11?” (2011) 14 Yearbook of International Humanitarian Law. Garwood-Gowers A., “Self-Defence Against Terrorism in the Post-9/11 World” (2004) 4(2) Queensland University of Technology Law and Justice Journal. Gasser H., “Acts of Terrorism, ‘Terrorism’ and International Humanitarian Law” (2002) 84(847) International Review of the Red Cross. Gaudreau J., “The Reservations to the Protocols Additional to the Geneva Conventions for the Protection of War Victims” (2003) 84(849) International Review of the Red Cross. Gazzini T., “The Rules on the Use of Force at the Beginning of the XXI Century” (2006) 11(3) Journal of Conflict & Security Law. Gazzini T., Werner W.G., Dekker I.F., “Necessity Across International Law: An Introduction” (2010) 41 Netherlands Yearbook of International Law. Gervais M., “Cyber Attacks and the Laws of War” (2012) 30(2) Berkeley JIL. Giacomello G., “Bangs for the Buck: A Cost-Benefit Analysis of Cyberterrorism” (2004) 27(5) Studies in Conflict & Terrorism. Giacomello G., Mendez F., “‘Cuius Regio, Eius Religio, Omnium Spatium?’ State Sovereignty in the Age of the Internet” (2001) 7 Information & Security. Gill T.D., “Legal Aspects of the Transfer of Authority in UN Peace Operations” (2011) 42 Netherlands Yearbook of International Law. Gleick P.H., “Water and Terrorism” (2006) 8(6) Water Policy. Glennon M.J., “The Blank-Prose Crime of Aggression” (2010) 35(1) Yale JIL. ———, “The Dark Future of International Cybersecurity Regulation” (2013) 6 Journal of National Security Law & Policy. ———, “The Road Ahead: Gaps, Leaks and Drips” (2013) 89 International Law Studies. Goldsmith J.L., “Against Cyberanarchy” (1998) 65(4) University of Chicago Law Review. ———, “The Internet and the Abiding Significance of Territorial Sovereignty” (1998) 5(2) Indiana Journal of Global Legal Studies. Goodman M.D., Brenner S.W., “The Emerging Consensus on Criminal Conduct in Cyberspace” (2002) 6(1) UCLA Journal of Law and Technology accessed 1 August 2015. Gordon J., “The Sword of Damocles: Revisiting the Question of Whether the United Nations Security Council is Bound by International Law” (2012) 12(2) Chicago JIL. Graham D.E., “Cyber Threats and the Law of War” (2010) 4(1) Journal of National Security Law & Policy. Gravell W., “Some Observations Along the Road to ‘National Information Power’” (1999) 9(2) Duke Journal of Comparative & International Law. 354 Bibliography

Gray C., “A Crisis of Legitimacy for the UN Collective Security System?” (2007) 56(1) ICLQ. Green J.A., “Questioning the Peremptory Status of the Prohibition of the Use of Force” (2011) 32(2) Michigan JIL. Greenstein R.K., “The Action Bias in American Law: Internet Jurisdiction and the Triumph of Zippo Dot Com” (2007) 80(1) Temple Law Review. Grob J., “Antarctica’s Frozen Territorial Claims: A Meltdown Proposal” (2007) 30(2) Boston College International & Comparative Law Review. Grosswald L., “Cyberattack Attribution Matters under Article 51 of the U.N. Charter” (2011) 36(3) Brooklyn JIL. Grove G.D., Goodman S.E., Lukasik S.J., “Cyber-Attacks and International Law” (2000) 42(3) Survival. Guiora A.N., “Intervention in Libya, Yes; Intervention in Syria, No: Deciphering the Obama Administration” (2011) 44(1–2) Case Western Reserve JIL. Halpern M., Mehrota A.K., “From International Treaties to Internet Norms: The Evolution of International Trademark Disputes in the Internet Age” (2000) 121(3) University of Pennsylvania Journal of International Economic Law. Hampson N.C., “Hacktivism: A New Breed of Protest in a Networked World” (2012) 35(2) Boston College International and Comparative Law Review. Handler S.G., “The New Cyber Face of Battle: Developing a Legal Approach to Accommodate Emerging Trends in Warfare” (2012) 48(1) Stanford JIL. Hansen L., Nissenbaum H., “Digital Disaster, Cyber Security, and the Copenhagen School” (2009) 53(4) International Studies Quarterly. Hardy K., “Operation Titstorm: Hacktivism or Cyberterrorism?” (2010) 33(2) University of New South Wales Law Journal. Hare A., “A New Forum for the Prosecution of Terrorists: Exploring the Possibility of the Addition of Terrorism to the Rome Statute’s Jurisdiction” (2010) 8(1) Loyola University Chicago International Law Review. Hathaway O.A. and others, “The Law of Cyber-Attack” (2012) 100(4) California Law Review. Heinegg W.H., “Territorial Sovereignty and Neutrality in Cyberspace” (2013) 89 International Law Studies. ———, “The Tallinn Manual and International Cyber Security Law” (2012) 15 Yearbook of International Humanitarian Law. Henckaerts J., “Study on Customary International Humanitarian Law: A Contribution to the Understanding and Respect for the Rule of Law in Armed Conflict” (2005) 87(857) International Review of the Red Cross. Henderson C., Green J.A., “The Jus Ad Bellum and Entities Short of Statehood in the Report on the Conflict in Georgia” (2010) 59(1) ICLQ. Herzog S., “Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses” (2011) 4(2) Journal of Strategic Security. Bibliography 355

Hiéramente M., “The Myth of ‘International Crimes’: Dialectics and International Criminal Law” (2011) 3(2) Goettingen JIL. Hinkle K.C., “Countermeasures in the Cyber Context: One More Thing to Worry About” (2011) 37 Yale JIL Online. Hodgkinson S.L., “Are Ad Hoc Tribunals an Effective Tool for Prosecuting International Terrorism Cases?” (2010) 24(2) Emory International Law Review. Hoisington M., “Cyberwarfare and the Use of Force Giving Rise to the Right of Self- Defense” (2009) 32(2) Boston College International & Comparative Law Review. Hollis D.B., “An e-SOS for Cyberspace” (2011) 52(2) Harvard ILJ. ———, “Why States Need an International Law for Information Operations” (2007) 11(4) Lewis & Clark Law Review. Holte R.T., “What is Really Fair: Internet Sales and the Georgia Long-Arm Statute” (2009) 10(2) Minnesota Journal of Law, Science & Technology. Hovell D., “Chinks in the Armour: International Law, Terrorism and the Use of Force” (2004) 27(2) University of New South Wales Law Journal. Hughes R., “A Treaty for Cyberspace” (2010) 86(2) International Affairs. Hughes R.B., “NATO and Cyber Defence: Mission Accomplished?” (2009) 1(4) Atlantisch Perspectief. Hummel M.L., “Internet Terrorism” (2008) 2(2) Homeland Security. Isted K., “Sovereignty in the Artic: An Analysis of Territorial Disputes & Environmental Policy Considerations” (2009) 18(2) Journal of Transnational Law & Policy. Jain G., “Cyber Terrorism: A Clear and Present Danger to Civilized Society?” (2005) 3(44) Information Systems Education Journal. Jensen E.T., “A Response to Duncan Hollis, An e-SOS for Cyberspace” (2011) 53 Harvard ILJ Online. ———, “Applying a Sovereign Agency Theory of the Law of Armed Conflict” (2012) 12(2) Chicago JIL. ———, “Computer Attacks on Critical National Infrastructure: A Use of Force Invoking the Right of Self-Defense” (2002) 38(2) Stanford JIL. ———, “Cyber Attacks: Proportionality and Precautions in Attack” (2013) 89 International Law Studies. ———, “Cyber Deterrence” (2012) 26(2) Emory International Law Review. ———, “Cyber Warfare and Precautions against the Effects of Attacks” (2010) 88(7) Texas Law Review. ———, “Sovereignty and Neutrality in Cyber Conflict” (2012) 35(3) Fordham ILJ. Johnson D.R., Post D., “Law and Borders: The Rise of Law in Cyberspace” (1996) 48(5) Stanford Law Review. Johnson P.A., “Is It Time for a Treaty on Information Warfare?” (2002) 76 International Law Studies. Jouannet E., “Universalism and Imperialism: The True-False Paradox of International Law?” (2007) 18(3) EJIL. 356 Bibliography

Joyner C.C., “Countering Nuclear Terrorism: A Conventional Response” (2007) 18(2) EJIL. Joyner C.C., Lotrionte C., “Information Warfare as International Coercion: Elements of a Legal Framework” (2001) 12(5) EJIL. Kacker D., “Coming Full Circle: The Rome Statute and the Crime of Aggression” (2010) 33(3) Suffolk Transnational Law Review. Kallberg J., “Designer Satellite Collisions from Covert Cyber War” (2012) 6(1) Strategic Studies Quarterly. Kammerhofer J., “Uncertainties of the Law on Self-Defence in the United Nations Charter” (2004) 35 Netherlands Yearbook of International Law. Kanuck S., “Sovereign Discourse on Cyber Conflict Under International Law” (2010) 88(7) Texas Law Review. Katyal N.K., “Criminal Law in Cyberspace” (2001) 149(4) University of Pennsylvania Law Review. Keene S.D., “Terrorism and the Internet: A Double-Edged Sword” (2011) 14(4) Journal of Money Laundering Control. Kelsen H., “Collective Security and Collective Self-Defense Under the Charter of the United Nations” (1948) 42 AmJIL. Kelsey J.T., “Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in the Age of Cyber Warfare” (2008) 106(7) Michigan Law Review. Kent R., “Humanitarian Dilemmas in Peace and War” (2003) 3(3) Conflict, Security & Development. Kesser O., Werner W., “Expertise, Uncertainty, and International Law: A Study of the Tallinn Manual on Cyberwarfare” (2013) 26(4) Leiden JIL. King K.F., “Geolocation and Federalism on the Internet: Cutting Internet Gambling’s Gordian Knot” (2010) 11 Columbia Science and Technology Law Review. ———, “Personal Jurisdiction, Internet Commerce, and Privacy: The Pervasive Legal Consequences of Modern Geolocation Technologies” (2011) 21(1) Albany Law Journal of Science and Technology. Klein A., “The End of Al-Qaeda? Rethinking the Legal End of the War on Terror” (2010) 110(7) Columbia Law Review. Kobrin S.J., “Safe Harbours Are Hard to Find: The Trans-Atlantic Data Privacy Dispute, Territorial Jurisdiction and Global Governance” (2004) 30(1) Review of International Studies. ———, “Territoriality and the Governance of Cyberspace” (2001) 32(4) Journal of International Business Studies. Kodar E., “Applying the Law of Armed Conflict to Cyber Attacks: From the Martens Clause to Additional Protocol I” in Liivoja R., Saumets A (eds.), The Law of Armed Bibliography 357

Conflict: Historical and Contemporary Perspectives (15th ENDC Proceedings, Tartu University Press 2012). Kohl U., “Eggs, Jurisdiction, and the Internet” (2002) 51(3) ICLQ. Koran S., “The International Criminal Court and Crimes of Aggression: Beyond the Kampala Convention” (2012) 34(2) Houston JIL. Koskenniemi M., “The Place of Law in Collective Security” (1996) 17(2) Michigan JIL. Kot J., “Israeli Civilians versus Palestinian Combatants? Reading the Goldstone Report in Light of the Israeli Conception of the Principle of Distinction” (2011) 24(4) Leiden JIL. Krasner S.D., “Sovereignty” (2001) 122 Foreign Policy. Kremen S.H., “Apprehending The Computer Hacker: The Collection and Use of Evidence” (1998) 2(1) Computer Forensics Online accessed 1 August 2015. Kress C., Holtzendorff L., “The Kampala Compromise on the Crime of Aggression” (2010) 8(5) Journal of International Criminal Justice. Kretzmer D., “Rethinking Application of IHL in Non-International Armed Conflicts” (2009) 42(1) Israel Law Review. ———, “Targeted Killing of Suspected Terrorists: Extra-Judicial Executions or Legitimate Means of Defence?” (2005) 16(2) EJIL. Kreykes B.D., “Toward a Model of Humanitarian—Intervention: The Legality of Armed Intervention to Address Zimbabwe’s Operation Murambatsvina” (2010) 32(3) Loyola of Los Angeles International and Comparative Law Review. Land M., “Toward an International Law of the Internet” (2013) 54(2) Harvard ILJ. Laasme H., “Estonia: Cyber Window into the Future of NATO” (2011) 63(4) Joint Force Quarterly. Lahmann H., “The Israeli Approach to Detain Terrorist Suspects and International Humanitarian Law: The Decision Anonymous v. State of Israel” (2009) 69(2) Heidelberg JIL. Lancaster R., “Intervening Interests: Humanitarian and Pro-Democratic Intervention in the Asia-Pacific” (2009) 16 Australian ILJ. Lee J., “The Red Storm in Uncharted Waters: China and International Cyber Security” (2014) 82(4) UMKC Law Review. Lehto M., “War on Terror—Armed Conflict with Al-Qaida?” (2010) 78(4) Nordic JIL. Lessig L., “The Zones of Cyberspace” (1996) 48 Stanford Law Review. Levit J.K., “Bottom-Up International Lawmaking: Reflections on the New Haven School of International Law” (2007) 32(2) Yale JIL. Li S., “When Does Internet Denial Trigger the Right of Armed Self-Defense?” (2013) 38(1) Yale JIL. Lin H.S., “Offensive Cyber Operations and the Use of Force” (2010) 4(1) Journal of National Security Law & Policy. 358 Bibliography

Lobel H., “Cyber War Inc.: The Law of War Implications of the Private Sector’s Role in Cyber Conflict” (2012) 47(3) Texas ILJ. Lotrionte C., “State Sovereignty and Self-Defense in Cyberspace: A Normative Framework for Balancing Legal Rights” (2012) 26(2) Emory International Law Review. Lubell N., “Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?” (2013) 89 International Law Studies. Lynn W.J., “Defending a New Domain: The Pentagon’s Cyberstrategy” (2010) 89(5) Foreign Affairs. Mahmoudi S., “Self-Defence and International Terrorism” (2005) 48 Scandinavian Studies in Law. Maogoto J.N., Sheehy B., “Contemporary Private Military Firms Under International Law: An Unregulated ‘Gold Rush’” (2006) 26(2) Adelaide Law Review. Martin J.S., “Contracting for Wartime Actors: The Limits of the Contract Paradigm” (2007) 14(1) New England Journal of International and Comparative Law. May L., “Aggression, Humanitarian Intervention, and Terrorism” (2009) 41(2–3) Case Western Reserve JIL. Mazzochi S., “Humanitarian Intervention in a Post-Iraq, Post-Darfur World: Is There Now a Duty to Prevent Genocide Even Without Security Council Approval?” (2011) 17(1) Annual Survey of International & Comparative Law. McCafferty A., “Internet Contracting and E-Commerce Disputes: International and Unites States Personal Jurisdiction” (2011) 2(1) Global Business Law Review. McDougal M.S., Lasswell H.D., “Legal Education and Public Policy: Professional Training in the Public Interest,” (1943) 52(2) Yale Law Journal. McKeever D., “The Contribution of the International Court of Justice to the Law on the Use of Force: Missed Opportunities or Unrealistic Expectations?” (2009) 78(3) Nordic JIL. Melnitzky A., “Defending America Against Chinese Cyber Espionage Through the Use of Active Defenses” (2012) 20(2) Cardozo Journal of International & Comparative Law. Menthe D.C., “Jurisdiction in Cyberspace: A Theory of International Spaces” (1998) 4 Michigan Telecommunications and Technology Law Review. Milanovič M., “State Responsibility for Acts of Non-State Actors: A Comment on Griebel and Plücken” (2009) 22(2) Leiden JIL. Miller S.F., “Prescriptive Jurisdiction over Internet Activity: The Need to Define and Establish the Boundaries of Cyberliberty” (2003) 10(2) Indiana Journal of Global Legal Studies. Moeckli D., “The Emergence of Terrorism as Distinct Category of International Law” (2008) 44(2) Texas ILJ. Moore S., “Cyber Attacks and the Beginnings of an International Cyber Treaty” (2013) 39(1) North Carolina Journal of International Law & Commercial Regulation. Bibliography 359

Murphy J.F., “Cyber War and International Law: Does the International Legal Process Constitute a Threat to U.S. Vital Interests?” (2013) 89 International Law Studies. Murphy S.D., “Aggression, Legitimacy and the International Criminal Court” (2009) 20(4) EJIL. ———, “Criminalizing Humanitarian Intervention” (2009) 41(2–3) Case Western Reserve JIL. Netanel N.W., “Cyberspace Self-Governance: A Skeptical View from Liberal Democratic Theory” (2000) 88(2) California Law Review. Neuman G.L., “Humanitarian Law and Counterterrorist Force” (2003) 14(2) EJIL. Newton M.A., “Exceptional Engagement: Protocol I and a World United Against Terrorism” (2009) 45(2) Texas ILJ. Nguyen R., “Navigating Jus Ad Bellum in the Age of Cyber Warfare” (2013) 101(4) California Law Review. O’Connell M.E., “Defining Armed Conflict” (2008) 13(2) Journal of Conflict & Security Law. ———, “Lawful Self-Defense to Terrorism” (2002) 63 University of Pittsburgh Law Review. O’Donnell B.T., Kraska J.C., “Humanitarian Law: Developing International Rules for the Digital Battlefield” (2003) 8(1) Journal of Conflict & Security Law. O’Donnell D., “International Treaties Against Terrorism and the Use of Terrorism During Armed Conflict and by Armed Forces” (2006) 88(864) International Review of the Red Cross. Okimoto K., “The Cumulative Requirements of Jus ad Bellum and Jus in Bello in the Context of Self-Defense” (2012) 11(1) Chinese JIL. Ophardt J.A., “Cyber Warfare and the Crime of Aggression: The Need for Individual Accountability on Tomorrow’s Battlefield” (2010) 9(1) Duke Law & Technology Review. Orakhelashvili A., “Immunities of State Officials, International Crimes, and Foreign Domestic Courts: A Reply to Dapo Akande and Sangeeta Shah” (2011) 22(3) EJIL. ———, “Law and Policy of International Crimes Between Impunity and Accountability for Serious International Crimes: Legal and Policy Approaches” (2008) 55(2) Netherlands International Law Review. ———, “The Legal Basis of the United Nations Peace-Keeping Operations” (2003) 43(2) Virginia JIL. Padmanabhan V.M., “Cyber Warriors and the Jus in Bello” (2013) 89 International Law Studies. Park G.K., “Granting an Automatic Authorization for Military Response: Protecting National Critical Infrastructure from Cyberattack” (2013) 38(2) Brooklyn JIL. Pattison J., “Legitimacy and Humanitarian Intervention: Who Should Intervene?” (2008) 12(3) International Journal of Human Rights. 360 Bibliography

Paust J.J., “Nonstate Actor Participation in International Law and the Pretense of Exclusion” (2011) 51(4) Virginia JIL. Payandeh M., “The United Nations, Military Intervention, and Regime Change in Libya” (2012) 52(2) Virginia JIL. Perritt H.H., “Jurisdiction in Cyberspace” (1996) 41(1) Villanova Law Review. ———, “The Internet as a Threat to Sovereignty? Thoughts on the Internet’s Role in Strengthening National and Global Governance” (1998) 5(2) Indiana Journal of Global Legal Studies. Peters A., “The Security Council’s Responsibility to Protect” (2011) 8(1) International Organizations Law Review. Pieterse J.N., “Globalization, Kitsch and Conflict: Technologies of Work, War and Politics” (2002) 9(1) Review of International Political Economy. Pocar F., “Protocol I Additional to the Geneva Conventions and Customary International Law” (2001) 31 Israel Yearbook on Human Rights. Post D.G., “Against ‘Against Cyberanarchy’” (2002) 17(4) Berkeley Technology Law Journal. ———, “Governing Cyberspace: Law” (1996) 43 Wayne Law Review. ———, “The ‘Unsettled Paradox’: The Internet, the State, and the Consent of the Governed” (1998) 5(2) Indiana Journal of Global Legal Studies. Potashman M., “International Spam Regulation & Enforcement: Recommendations Following the World Summit on Information Technology” (2006) 29(2) Boston College International and Comparative Law Review. Pradillo J.C., “Fighting against Cybercrime in Europe: The Admissibility of Remote Searches in Spain” (2011) 19(4) European Journal of Crime, Criminal Law and Criminal Justice. Prichard J.J., MacDonald L.E., “Cyber Terrorism: A Study of the Extent of Coverage in Computer Security Textbooks” (2004) 3 Journal of Information Technology Education. Quénivet N., “The ‘War on Terror’ and the Principle of Distinction in International Humanitarian Law” (2010) 3(2) Colombian Yearbook of International Law. Rathmell A., “Cyber-Terrorism: The Shape of Future Conflict?” (1999) 6(3) Journal of Financial Crime. Reidenberg J.R., “Technology and Internet Jurisdiction” (2005) 153(6) University of Pennsylvania Law Review. Reinold T., “State Weakness, Irregular Warfare, and the Right to Self-Defense Post 9/11” (2011) 105(2) AmJIL. Riley J., Gambone M., “Men With Guns” (2010) 28(1) Wisconsin ILJ. Rogers A.P., McGoldrick D., “Assassination and Targeted Killing—The Killing of Osama bin Laden” (2011) 60(3) ICLQ. Roscini M., “The United Nations Security Council and the Enforcement of International Humanitarian Law” (2010) 43(2) Israel Law Review. Bibliography 361

———, “World Wide Warfare—Jus ad Bellum and the Use of Cyber Force” (2010) 14 Max Planck Yearbook of United Nations Law. Rudolph C., “Sovereignty and Territorial Borders in a Global Age” (2005) 7(1) International Studies Review. Ruggie J.G., “Territoriality and Beyond: Problematizing Modernity in International Relations” (1993) 47(1) International Organization. Sachdeva A.M., “International Jurisdiction in Cyberspace: A Comparative Perspective” (2007) 13(8) Computer and Telecommunications Law Review. Sadoff D.A., “A Question of Determinacy: The Legal Status of Anticipatory Self-Defense” (2009) 40(2) Georgetown JIL. Sadurska R., “Threats of Force” (1988) 82(2) AmJIL. Salzman Z., “Private Military Contractors” (2008) 40(1) NYU Journal of International Law and Politics. Samson E., “Is Gaza Occupied?: Redefining the Status of Gaza Under International Law” (2010) 25(5) American University International Law Review. Sassen S., “On the Internet and Sovereignty” (1998) 5(2) Indiana Journal of Global Legal Studies. Scassa T., Currie R.J., “New First Principles? Assessing the Internet’s Challenges to Jurisdiction” (2011) 42(4) Georgetown JIL. Schaack B., “Negotiating at the Interface of Power and Law: The Crime of Aggression” (2011) 49(3) Columbia Journal of Transnational Law. Schaak B., “The Killing of Osama Bin Laden and Anwar Al-Aulaqi: Uncharted Legal Territory” (2011) 14 Yearbook of International Humanitarian Law. Schaap A.J., “Weapons of Cyber Warfare Operations: Development and Use under International Law” (2009) 64 Air Force Law Review. Schabio H., “The UN Role in Future Military Conflicts” (2006) 8 Baltic Security And Defence Review. Scharf M.P., “The ICC’s Jurisdiction over the Nationals of Non-Party States: A Critique of the U.S. Position” (2001) 64(1) Law and Contemporary Problems. ———, “Universal Jurisdiction and the Crime of Aggression” (2012) 53(2) Harvard ILJ. Scharf M.P., Corrin M.K., “On Dangerous Ground: Passive Personality Jurisdiction and the Prohibition of Internet Gambling” (2002) 8(1) New England Journal of International & Comparative Law. Scheffer D., “Atrocity Crimes Framing the Responsibility to Protect” (2008) 40(1–2) Case Western Reserve JIL. Schmitt M.N., “Asymmetrical Warfare and International Humanitarian Law” (2008) 62(1) Air Force Law Review. ———, “Classification of Cyber Conflict” (2012) 17(2) Journal of Conflict & Security Law. ———, “Classification of Cyber Conflict” (2013) 89 International Law Studies. 362 Bibliography

———, “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework” (1999) 37(3) Columbia Journal of Trans national Law. ———, “Computer Network Attack: The Normative Software” (2001) 4 Yearbook of International Humanitarian Law. ———, “Cyber Operations and the Jus ad Bellum Revisited” (2011) 56(3) Villanova Law Review. ———, “Cyber Operations and the Jus in Bello: Key Issues” (2011) 87 International Law Studies. ———, “Human Shields in International Humanitarian Law” (2009) 47(2) Columbia Journal of Transnational Law. ———, “Humanitarian Law and Direct Participation in Hostilities by Private Contractors or Civilian Employees” (2005) 5(2) Chicago JIL. ———, “Wired Warfare: Computer Network Attack and Jus in Bello” (2002) 84(846) International Review of the Red Cross. Schrijver N., Herik L., “Leiden Policy Recommendations on Counter-terrorism and International Law” (2007) 54(3) Netherlands International Law Review. Schultz T., “Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface” (2008) 19(4) EJIL. Segura-Serrano A., “Internet Regulation and the Role of International Law” (2006) 10 Max Planck Yearbook of United Nations Law. Setty S., “What’s in a Name? How Nations Define Terrorism Ten Years After 9/11” (2011) 33(1) University of Pennsylvania JIL. Shackelford S.J., “From Nuclear War to Net War: Analogizing Cyber Attacks in International Law” (2008) 27(1) Berkeley JIL. Shackelford S.J., Andres R.B., “State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem” (2011) 42(4) Georgetown JIL. Shah N.A., “Self-Defence, Anticipatory Self-Defence and Pre-Emption: International Law’s Response to Terrorism” (2007) 12(1) Journal of Conflict & Security Law. Shiryaev Y., “Circumstances Surrounding the Separation Barrier and the Wall Case and Their Relevance for the Right of Self-Defense” (2011) 14(1) Gonzaga JIL. ———, “The Right of Armed Self-Defense in International Law and Self-Defense Arguments Used in the Second Lebanon War” (2009) 3 Acta Societatis Martensis. Shulman M.R., “Discrimination in the Laws of Information Warfare” (1999) 37(3) Colombia Journal of Transnational Law. Silver D.B., “Computer Network Attack as a Use of Force under Article 2(4) of the United Nations Charter” (2002) 76 International Law Studies. Simma B., “NATO, the UN and the Use of Force: Legal Aspects” (1999) 10(1) EJIL. Sivakumaran S., “Re-envisaging the International Law of Internal Armed Conflict” (2011) 22(1) EJIL. Bibliography 363

Sklerov M.J., “Solving the Dilemma of State Response to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent” (2009) 201 Military Law Review. Skordas A., “Hegemonic Intervention as Legitimate Use of Force” (2007) 16(2) Minnesota JIL. Slager K., “Legality, Legitimacy and Anticipatory Self-Defense: Considering an Israeli Preemptive Strike on Iran’s Nuclear Program” (2012) 38(1) North Carolina Journal of International Law & Commercial Regulation. Slaughter A., “Liberal International Relations Theory and International Economic Law” (1995) 10(2) American University International Law Review. Slawotsky J., “The Global Corporation as International Law Actor” (2012) 52(3) Virginia JIL Digest. Sloane R.D., “The Cost of Conflation: Preserving the Dualism of Jus ad Bellum and Jus in Bello in the Contemporary Law of War” (2009) 34(1) Yale JIL. Smith T.W., “The New Law of War: Legitimizing Hi-Tech and Infrastructural Violence” (2002) 46(3) International Studies Quarterly. Sofaer A.D., “On the Necessity of Pre-emption” (2003) 14(2) EJIL. Solce N., “The Battlefield of Cyberspace: The Inevitable New Military Branch—The Cyber Force” (2008) 18(1) Albany Law Journal of Science & Technology. Spearin C., “Private Security Companies and Humanitarians: A Corporate Solution to Securing Humanitarian Spaces?” (2001) 8(1) International Peacekeeping. Spencer A.B., “Jurisdiction to Adjudicate: A Revised Analysis” (2006) 73(2) University of Chicago Law Review. Stahn C., “‘Jus ad bellum’, ‘Jus in Bello’ . . . ‘Jus Post Bellum’?—Rethinking the Conception of the Law of Armed Force” (2007) 17(5) EJIL. Steenberghe R., “Self-Defense in Response to Attacks by Non-State Actors in the Light of Recent State Practice: A Step Forward?” (2010) 23(1) Leiden JIL. Stevenson C., “Breaching the Great Firewall: China’s Internet Censorship and the Quest for Freedom of Expression in a Connected World” (2007) 30(2) Boston College International & Comparative Law Review. Stinnett N., “Regulating the Privatization of War: How to Stop Private Military Firms from Committing Human Rights Abuses” (2005) 28(1) Boston College International and Comparative Law Review. Suzuki E., “The New Haven School of Jurisprudence and Non-State Actors in International Law in Policy Perspective” (2012) 42 Journal of Policy Studies. Swanson L., “The Era of Cyber Warfare: Applying International Humanitarian Law to the 2008 Russian-Georgian Cyber Conflict” (2010) 32(2) Loyola of Los Angeles International and Comparative Law Review. Swire P.P., “Elephants and Mice Revisited: Law and Choice of Law on the Internet” (2005) 153(6) University of Pennsylvania Law Review. 364 Bibliography

Talihärm A., “Cyberterrorism: in Theory or in Practice?” (2010) 3(2) Defence Against Terrorism Review. Tams C.J., “The Use of Force against Terrorists” (2009) 20(2) EJIL. Telman D.J., “Non-State Actors in the Middle East: A Challenge for Rationalist Legal Theory” (2013) 46(1) Cornell ILJ. Thielbörger P., “The Status and Future of International Law after the Libya Intervention” (2012) 4(1) Goettingen JIL. Tiirmaa-Klaar H., “The Emerging Cyber Security Agenda: Threats, Challenges and Responses” [2008] Estonian Foreign Policy Yearbook. Tikk E., “Ten Rules for Cyber Security” (2011) 53(3) Survival. Timofeeva Y.A., “Worldwide Prescriptive Jurisdiction in Internet Content Controversies: A Comparative Analysis” (2005) 20 Connecticut JIL. Todd G.H., “Armed Attack in Cyberspace: Deterring Asymmetric Warfare with an Asymmetric Definition” (2009) 64 Air Force Law Review. Trachtman J.P., “Cyberspace, Sovereignty, Jurisdiction, and Modernism” (1998) 5(2) Indiana Journal of Global Legal Studies. ———, “Persistent Objectors, Cooperation, and the Utility of Customary International Law” (2010) 21(1) Duke Journal of Comparative & International Law. ———, “The Crisis of International Law” (2011) 44(1–2) Case Western Reserve JIL. Trahan J., “A Meaningful Definition of the Crime of Aggression: A Response to Michael Glennon” (2012) 33(4) University of Pennsylvania JIL. ———, “Is Complementarity the Right Approach for the International Criminal Court’s Crime of Aggression? Considering the Problem of ‘Overzealous’ National Court Prosecutions” (2012) 45(3) Cornell ILJ. Trumbull C.P., “The Basis of Unit Self-Defense and Implications for the Use of Force” (2012) 23(1) Duke Journal of Comparative & International Law. Tsagourias N., “Cyber Attacks, Self-Defence and the Problem of Attribution” (2012) 17(2) Journal of Conflict & Security Law. ———, “Necessity and the Use of Force: A Special Regime” (2010) 41 Netherlands Yearbook of International Law. ———, “The Tallinn Manual on the International Law Applicable to Cyber Warfare: A Commentary on Chapter II—The Use of Force” (2012) 15 Yearbook of International Humanitarian Law. Tsfati Y., Weimann G., “www.terrorism.com: Terror on the Internet” (2002) 25(5) Studies in Conflict & Terrorism. Tubbs D., Luzwick P.G., Sharp W.G., “Technology and Law: The Evolution of Digital Warfare” (2002) 76 International Law Studies. Turns D., “Cyber Warfare and the Notion of Direct Participation in Hostilities” (2012) 17(2) Journal of Conflict & Security Law. Bibliography 365

Valentino B., “The Perils of Limited Humanitarian Intervention: Lesson from the 1990s” (2006) 24(3) Wisconsin ILJ. Värk R., “State Responsibility for Private Armed Groups in the Context of Terrorism” (2006) 11(1) Juridica International. Venturini G., “Control and Verification of Multilateral Treaties on Disarmament and Non-Proliferation of Weapons of Mass Destruction” (2011) 17(2) UC Davis Journal of International Law and Policy. Vistica G.L., “Cyberwar and Sabotage” (1999) 133(22) Newsweek. Vogel R.J., “Drone Warfare and the Law of Armed Conflict” (2010) 39(1) Denver Journal of International Law and Policy. Walker C., “Cyber-Terrorism: Legal Principle and Law in the United Kingdom” (2006) 110(3) Pennsylvania State Law Review. ———, “The Legal Definition of ‘Terrorism’ in United Kingdom Law and Beyond” [2007] Public Law. Walker G.K., “Neutrality and Information Warfare” (2002) 76 International Law Studies. Walker P.A., “Rethinking Computer Network ‘Attack’: Implications for Law and U.S. Doctrine” (2011) 1(1) American University National Security Law Brief. Wall D.S., “Cybercrime and the Culture of Fear” (2008) 11(6) Information, Commu nication & Society. Wallace D., Reeves S.R., “The Law of Armed Conflict’s ‘Wicked’ Problem: Levée en Masse in Cyber Warfare” (2013) 89 International Law Studies. Watkin K., “Controlling the Use of Force: A Role for Human Rights Norms in Contemporary Armed Conflict” (2004) 98(1) AmJIL. Watts S., “Combatant Status and Computer Network Attack” (2010) 50(2) Virginia JIL. Waxman M.C., “Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)” (2011) 36(2) Yale JIL. ———, “Self-Defensive Force against Cyber Attacks: Legal, Strategic and Political Dimensions” (2013) 89 International Law Studies. ———, “Temporarily and Terrorism in International Humanitarian Law” (2011) 14 Yearbook of International Humanitarian Law. ———, “The Structure of Terrorism Threats and the Law of War” (2010) 20(3) Duke Journal of Comparative & International Law. Weimann G., “Cyberterrorism: The Sum of All Fears?” (2005) 28(2) Studies in Conflict & Terrorism. Weiser P.J., “Internet Governance, Standard Setting, And Self-Regulation” (2001) 28(4) Northern Kentucky Law Review. Weiss T.G., “R2P After 9/11 and the World Summit” (2006) 24(3) Wisconsin ILJ. Wells-Greco M., “Operation ‘Cast Lead’: Jus in Bello Proportionality” (2010) 57(3) Netherlands International Law Review. 366 Bibliography

Williams P.R., Popken C., “Security Council Resolution 1973 on Libya: A Moment of Legal & Moral Clarity” (2011) 44(1–2) Case Western Reserve JIL. Williamson J.A., “Challenges of the Twenty-First Century Conflicts: A Look at Direct Participation in Hostilities” (2010) 20(3) Duke Journal of Comparative & Inter- national Law. Wills S., “The Legal Characterization of the Armed Conflicts in Afghanistan and Iraq: Implications for Protection” (2011) 58(2) Netherlands International Law Review. Wilske S., Schiller T., “International Jurisdiction in Cyberspace: Which States May Regulate the Internet?” (1997) 50(1) Federal Communications Law Journal. Yee S., “Universal Jurisdiction: Concept, Logic, and Reality” (2011) 10(3) Chinese JIL. Young R., “Defining Terrorism: The Evolution of Terrorism as a Legal Concept in International Law and Its Influence on Definitions in Domestic Legislation” (2006) 29(1) Boston College International & Comparative Law Review. Zekos G.I., “Globalisation and States’ Cyber- Territory” (2011) 5 Web Journal of Current Legal Issues. ———, “Internet or Electronic Technology: A Threat to State Sovereignty” (1999) 3 Journal of Information, Law & Technology accessed 1 August 2015. ———, “State Cyberspace Jurisdiction and Personal Cyberspace Jurisdiction” (2007) 15(1) International Journal of Law and Information Technology. Zifcak S., “The Responsibility to Protect After Libya and Syria” (2012) 13(1) Melbourne JIL. Ziolkowski K., “Computer Network Operations and the Law of Armed Conflict” (2010) 49(1–2) Military Law and Law of War Review.

Case-Law

Accordance with International Law of the Unilateral Declaration of Independence in Respect of Kosovo (Advisory Opinion) [2010] ICJ Rep. American Libraries Association v. Pataki, 969 F Supp 160 (SD NY 1997). Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Merits) [2007] ICJ Rep. Armed Activities on the Territory of the Congo (DRC v. Rwanda) (Merits) [2006] ICJ Rep. Armed Activities on the Territory of the Congo (DRC v. Uganda) (Judgment) [2005] ICJ Rep. Arrest Warrant of 11 April 2000 (DRC v. Belgium) (Judgment) [2002] ICJ Rep. Barcelona Traction, Light and Power Company, Limited (Belgium v. Spain) (Second Phase) [1970] ICJ Rep. Certain Expenses of the United Nations (Advisory Opinion) [1961] ICJ Rep. Bibliography 367

Corfu Channel (UK v. Albania) (Merits) [1949] ICJ Rep. Digital Equipment Corporation v. Altavista Technology, Inc, 960 F Supp 456 (D Mass 1997). Frontier Dispute (Burkina Faso v. Niger) (Judgment) [2013] ICJ Rep. Gabčíkovo-Nagymaros Project (Hungary v. Slovakia) (Merits) [1997] ICJ Rep. Hamdan v. Rumsfeld, 548 US 557 (2006). Ilaşcu and Others v. Moldova and Russia App. no. 48787/99 (ECtHR, 8 July 2004). Island of Palmas Case (Netherlands v. USA) [1932] Scott Hague Court Rep. Judgment of the Nuremberg International Military Tribunal (1946) 22 NTP. Jus Ad Bellum (Ethiopia v. Eritrea) [2005] Eritrea-Ethiopia Claims Commission accessed 1 August 2015. Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep. Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. Loizidou v. Turkey App. no. 15318/89 (ECtHR, 23 March 1995). Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. USA) (Merits) [1986] ICJ Rep. North Sea Continental Shelf Case (Germany v. Netherlands) (Merits) [1969] ICJ Rep. Oil Platforms (Iran v. USA) (Judgment) [2003] ICJ Rep. Oil Platforms (Iran v. USA) (Rejoinder by the USA) [2001] ICJ Rep. Portuguese Colonies Case (Naulilaa) (Portugal v. Germany) (Arbitration) [1928] 2 UNRIAA. Prosecutor v Aleksovski (Judgment) ICTY-95-14/1-A, (24 March 2000). Prosecutor v. Delalić (Čelebići Case) (Judgment) ICTY-96-21-T, TC (16 November 1998). Prosecutor v. Galić (Judgment and Opinion) ICTY-98-29-T, T Ch I (5 December 2003). Prosecutor v. Karemera (Decision on Jurisdictional Appeals: Joint Criminal Enterprise) ICTR-98-44-T (11 May 2004). Prosecutor v. Kordić, Čerkez (Judgment) ICTY-95-14/2-A, AC (17 December 2004). Prosecutor v. Musema (Judgment and Sentence) ICTR-96-13-T, T Ch I (27 January 2000). Prosecutor v. Rutaganda (Judgment and Sentence) ICTR-96-3-T, T Ch I (6 December 1999). Prosecutor v. Strugar (Dubrovnik Case) (Decision on Jurisdictional Appeal) ICTY-01- 42-AR72, AC (22 November 2002). Prosecutor v. Tadić (Appeal Judgment) ICTY-94-1-A, AC (15 July 1999). Prosecutor v. Tadić (Decision on Jurisdictional Appeal) ICTY-94-1-AR72, AC (2 October 1995). Prosecutor v. Tadić (Opinion and Judgment) ICTY-94-1-T, TC (7 May 1997). Prosecutor v. Vasiljević (Judgment) ICTY-98-32-T, T Ch I (29 November 2002). 368 Bibliography

Questions Relating to the Obligation to Prosecute or Extradite (Belgium v. Senegal) (Merits) [2012] ICJ Rep. SS “Lotus” (France v. Turkey) [1927] PCIJ Rep Series A No. 10. Trail Smelter Case (USA v. Canada) (1938/1941) Special Arbitral Tribunal 1963 accessed 1 August 2015. United States Diplomatic and Consular Staff in Tehran (USA v. Iran) (Judgment) [1980] ICJ Rep. United States v. Morris 928 F2d 504 (2d Cir, 1991). Wilhelm List and Others (The Hostages Trial) (Judgment) [1949] Nuremberg US Military Tribunal. Ždanoka v. Latvia App. no. 58278/00 (ECtHR., 16 March 2006). Declaration of President Bedjaoui in Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. Dissenting Opinion of Judge Higgins in Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. Dissenting Opinion of Judge Koroma in Accordance With International Law of the Unilateral Declaration of Independence in Respect of Kosovo (Advisory Opinion) [2010] ICJ Rep. Dissenting Opinion of Judge Schwebel in Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. Dissenting Opinion of Judge Shahabuddeen in Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. Dissenting Opinion of Judge Weeramantry in Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep. Dissenting Opinion of Vice-President Al-Khasawneh in Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment) [2007] ICJ Rep. Separate Opinion of Judge Higgins in Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep. Separate Opinion of Judge Kooijmans in Armed Activities on the Territory of the Congo (DRC v. Uganda) (Judgment) [2005] ICJ Rep. Separate Opinion of Judge Simma in Armed Activities on the Territory of the Congo (DRC v. Uganda) (Judgment) [2005] ICJ Rep. Separate Opinion of Judge Simma in Oil Platforms (Iran v. USA) (Judgment) [2003] ICJ Rep. Bibliography 369

Treaties and Normative Documents

“2005 World Summit Outcome”, UNGA Res 60/1 (16 September 2005) UN Doc A/ RES/60/1. “Informal Summary Prepared by the Chair on the Exchange of Views in Plenary Meeting and on the Results of the Informal Consultations”, Annex I to 14th Session of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (12–16 April 2010) UN Doc A/65/37. “Informal Texts of Articles 2 and 2 bis of the Draft Comprehensive Convention, Prepared by the Coordinator”, Annex II to 6th Session of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (28 January–1 February 2002) UN Doc A/57/37. “Preamble and Articles 1, 2 and 4 to 27 of the Draft Comprehensive Convention on International Terrorism Prepared by the Bureau”, Annex I to 16th Session of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (8–12 April 2013) UN Doc A/68/37. “Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977: United Kingdom” (Declarations/Reservations, ICRC 2002) accessed 1 August 2015. “Written Amendments and Proposals Submitted by Delegates in Connection with the Elaboration of a Draft International Convention for the Suppression of the Financing of Terrorism”, Annex III to the Report of the Ad Hoc Committee Established by General Assembly Resolution 51/210 of 17 December 1996, Supplement No. 37 (5 May 1999) UN Doc A/57/37. African Union Non-Aggression and Common Defence Pact (adopted 31 January 2005, entered into force 18 December 2009) Assembly/AU/Dec 71 (IV). Agreement Between the Governments of the Member States of the Shanghai Cooperation Organization on Cooperation in the Field of International Information Security (adopted 2 December 2008, entered into force 16 June 2009) accessed 1 August 2015. Agreement Governing the Activities of States on the Moon and Other Celestial Bodies (adopted 5 December 1979, entered into force 11 July 1984) 1363 UNTS 3. Amendment to the Convention on the Physical Protection of Nuclear Material (2005 Amendment) (adopted 8 July 2005, not yet in force) IAEA Doc GOV/INF/2005/ IO-GC(49)/INF. Antarctic Treaty (adopted 1 December 1959, entered into force 23 June 1961) 402 UNTS 71. 370 Bibliography

Assembly of States Parties to the Rome Statute of the ICC, “Report of the Special Working Group on the Crime of Aggression”, ICC-ASP/6/20/Add. 1, Annex II (Report, ICC 2008). Charter of the International Military Tribunal (Nuremberg Charter) (adopted 8 August 1945, entered into force 8 August 1945) 82 UNTS 279. Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) 892 UNTS 119. Conference on Security and Cooperation in Europe Helsinki Final Act (adopted 1 August 1975) 14 ILM 1292. Constitution of the International Telecommunication Union (adopted 22 December 1992, last amended 1 January 2004) ITU. Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 31. Convention (II) for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 85. Convention (III) Relative to the Treatment of Prisoners of War (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 135. Convention (IV) Relative to the Protection of Civilian Persons in Time of War (adopted 12 August 1949, entered into force 21 October 1950) 75 UNTS 287. Convention for the Definition of Aggression (adopted 3 July 1933, entered into force 16 October 1933) 147 LNTS 67. Convention for the Definition of Aggression (adopted 4 July 1933, entered into force 17 February 1934) 148 LNTS 211. Convention for the Definition of Aggression (adopted 5 July 1933, entered into force 14 December 1933) 148 LNTS 79. Convention for the Prevention and Punishment of Terrorism (adopted 16 November 1937, not in force) 19 LNOJ 23. Convention for the Suppression of Unlawful Acts Against the Safety of Civil Aviation (Civil Aviation Convention) (adopted 23 September 1971, entered into force 26 January 1973) 974 UNTS 178. Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation (Maritime Convention) (adopted 10 March 1988, entered into force 1 March 1992) 1678 UNTS 221. Convention for the Suppression of Unlawful Seizure of Aircraft (Unlawful Seizure Convention) (adopted 16 December 1970, entered into force 14 October 1971) 860 UNTS 105. Convention on Cybercrime (adopted 8 November 2001, entered into force 1 July 2004) 185 CETS. Bibliography 371

Convention on Offences and Certain Other Acts Committed On Board Aircraft (Aircraft Convention) (adopted 14 September 1963, entered into force 4 December 1969) 704 UNTS 220. Convention on the Marking of Plastic Explosives for the Purpose of Detection (Plastic Explosives Convention) (adopted 1 March 1991, entered into force 21 June 1998) 2122 UNTS 359. Convention on the Non-Applicability of Statutory Limitations to War Crimes and Crimes Against Humanity (adopted 26 November 1968, entered into force 11 November 1970) 754 UNTS 73. Convention on the Physical Protection of Nuclear Material (Nuclear Materials Convention) (adopted 26 October 1979, entered into force 8 February 1987) 1456 UNTS 101. Convention on the Prevention and Combating of Terrorism (adopted 14 July 1999, entered into force 6 December 2002) 2219 UNTS 179. Convention on the Prevention and Punishment of Crimes Against Internationally Protected Persons (Diplomatic Agents Convention) (adopted 14 December 1973, entered into force 20 February 1977) 1035 UNTS 167. Convention on the Prevention and Punishment of the Crime of Genocide (adopted 9 December 1948, entered into force 12 January 1951) 78 UNTS 277. Convention on the Prohibition of Military or Any Other Hostile Use of Environmental Modification Techniques (adopted 10 December 1976, entered into force 18 May 1977) 1108 UNTS 151. Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on Their Destruction (adopted 10 April 1972, entered into force 26 March 1975) 1015 UNTS 163. Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on their Destruction (adopted 3 September 1992, entered into force 29 April 1997) 1974 UNTS 45. Convention on the Rights of the Child (adopted 20 November 1989, entered into force 2 September 1990) 1577 UNTS 3. Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation (New Civil Aviation Convention) (adopted 10 September 2010, not yet in force) 974 UNTS 178. Council Framework Decision 2002/475/JHA of 13 June 2002 on combating terrorism [2002] OJ L164/3. Covenant of the League of Nations (adopted 28 June 1919, entered into force 10 January 1920) 225 CTS 195. Declaration on Principles of International Law Concerning Friendly Relations and Co-Operation Among States in Accordance with the Charter of the United Nations, Annex to UNGA Res 2625 (XXV) (24 October 1970). 372 Bibliography

Declaration on Respect for Human Rights in Armed Conflicts, UNGA Res 2444 (XXIII) (19 December 1968). Declaration on the Enhancement of the Effectiveness of the Principle of Refraining from the Threat or Use of Force in International Relations, UNGA Res 42/22 (18 November 1987) UN Doc A/RES/42/22. Declaration on the Inadmissibility of Intervention and Interference in the Internal Affairs of States, Annex to UNGA Res 36/103 (9 December 1981) UN Doc A/ RES/36/103. Declaration of Principles: Building the Information Society: A Global Challenge in the New Millennium, WSIS 4-E (12 December 2003) WSIS-03/GENEVA/DOC/4-E. Declaration on the Protection of Women and Children in Emergency and Armed Conflict, UNGA Res 3318 (XXIX) (14 December 1974). Definition of Aggression, Annex to UNGA Res 3314 (XXIX) (14 December 1974) UN Doc A/RES/3314. Draft Treaty Relating to the Use of Submarines and Noxious Gases in Warfare (adopted 6 February 1922) 25 LNTS 202. European Commission Communication COM (2004) 702 of 20 October 2004 on Critical Infrastructure Protection in the Fight Against Terrorism. Hague Convention for the Protection of Cultural Property in the Event of Armed Conflict (adopted 14 May 1954, entered into force 7 August 1956) 249 UNTS 240. Hague Conventions (I–IV) (adopted 29 July 1899, entered into force 4 September 1900) 26 Martens Nouveau Recue 2nd Ser. Hague Conventions (I–XIV) (adopted 18 October 1907, entered into force 26 January 1910) 3 Martens Nouveau Recueil 3rd Ser. Heads of State and Government Participating in the Meeting of the North Atlantic Council in Prague, “Prague Summit Declaration” (Declaration, NATO 2002). Heads of State and Government Participating in the Meeting of the North Atlantic Council in Washington DC, “The Alliance’s Strategic Concept” (Concept Document, NATO 1999). Heads of State and Government Participating in the Meeting of the North Atlantic Council in Bucharest, “Bucharest Summit Declaration” (Declaration, NATO 2008). Heads of State and Government Participating in the Meeting of the North Atlantic Council in Lisbon, “Active Engagement, Modern Defence” (Strategic Concept Document, NATO 2010). Heads of State and Government Participating in the Meeting of the North Atlantic Council in Lisbon, “Lisbon Summit Declaration” (Declaration, NATO 2010). Heads of State and Government Participating in the Meeting of the North Atlantic Council in Chicago, “Chicago Summit Declaration” (Declaration, NATO 2012). Heads of State and Government Participating in the Meeting of the North Atlantic Council in Riga, “Riga Summit Declaration” (Declaration, NATO 2006). Bibliography 373

Draft Rules for the Limitation of the Dangers Incurred by the Civilian Population in Time of War (adopted 15 October 1956) ICRC accessed 1 August 2015. Inter-American Treaty of Reciprocal Assistance (adopted 2 September 1947, entered into force 3 December 1948) 21 UNTS 77. International Code of Conduct for Information Security, Annex to UNGA 66/359 (14 September 2011) UN Doc A/66/359. International Convention against the Recruitment, Use, Financing and Training of Mercenaries (adopted 4 December 1989, entered into force 20 October 2001) 2163 UNTS 75. International Convention against the Taking of Hostages (Hostages Convention) (adopted 17 December 1979, entered into force 3 June 1983) 1316 UNTS 205. International Convention for the Suppression of Acts of Nuclear Terrorism (Nuclear Terrorism Convention) (adopted 13 April 2005, entered into force 7 July 2007) 2445 UNTS 89. International Convention for the Suppression of Terrorist Bombings (Terrorist Bombing Convention) (adopted 15 December 1997, entered into force 23 May 2001) 2149 UNTS 256. International Convention for the Suppression of the Financing of Terrorism (Terrorist Financing Convention) (adopted 9 December 1999, entered into force 10 April 2002) 2178 UNTS 197. Kellogg-Briand Pact (adopted 27 August 1928, entered into force 24 July 1929) 94 LNTS 57. Monitoring Mechanism on Sanctions against UNITA, “Supplementary Report of the Monitoring Mechanism on Sanctions Against UNITA” (12 October 2001) UN Doc S/2001/966. Montevideo Convention on the Rights and Duties of States (adopted 26 December 1933, entered into force 26 December 1934) 165 LNTS 19. North Atlantic Treaty (adopted 4 April 1949, entered into force 24 August 1949) 34 UNTS 243. OAU Convention for the Elimination of Mercenaries in Africa (adopted 3 July 1977, entered into force 22 April 1985) OAU Doc CM/433/Rev L, Art 1. Obama B., “Improving Critical Infrastructure Cybersecurity” (Executive Order, The White House 2013) accessed 1 August 2015. Optional Protocol to the Convention on the Rights of the Child on the Involvement of Children in Armed Conflict (adopted 25 May 2000, entered into force 12 February 2002) 2173 UNTS 222. Panel on UN Peace Operations, “Report of the Panel on United Nations Peace Operations” (Letter to UNSG, 17 August 2000) UN Doc A/55/305. 374 Bibliography

Project of an International Declaration concerning the Laws and Customs of War (adopted 27 August 1874) 4 Martens Nouveau Recueil 2nd Ser 219. Protocol for the Pacific Settlement of International Disputes (adopted 2 October 1924, never entered into force) 19 AmJIL (Supplement). Protocol for the Prohibition of the Use in War of Asphyxiating, Poisonous or other Gases, and of Bacteriological Methods of Warfare (adopted 17 June 1925, entered into force 8 February 1928) 94 LNTS 65. Protocol for the Suppression of Unlawful Acts Against the Safety of Fixed Platforms Located on the Continental Shelf (Fixed Platform Protocol) (adopted 10 March 1988, entered into force 1 March 1992) 1678 UNTS 304. Protocol for the Suppression of Unlawful Acts of Violence at Airports Serving International Civil Aviation (Airport Protocol) (adopted 24 February 1988, entered into force 6 August 1989) 1589 UNTS 474. Protocol Supplementary to the Convention for the Suppression of Unlawful Seizure of Aircraft (Aircraft Protocol) (adopted 10 September 2010, not yet in force) ICAO Doc 9959. Protocol to the Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation (2005 Protocol) (adopted 14 October 2005, entered into force 28 July 2010) IMO Doc LEG/CONF15/21. Protocol to the Protocol for the Suppression of Unlawful Acts Against the Safety of Fixed Platforms Located on the Continental Shelf (P2P) (adopted 14 October 2005, entered into force 28 July 2010) IMO Doc LEG/CONF15/22. SAARC Regional Convention on Suppression of Terrorism (adopted 4 November 1987, entered into force 22 August 1988) accessed 1 August 2015. Rome Statute of the International Criminal Court (adopted 17 July 1998, entered into force 1 July 2002, amended 29 November 2010) 2187 UNTS 90. Security Treaty Between the United States, Australia, and New Zealand (adopted 1 September 1951, entered into force 29 April 1952) 131 UNTS 83. Southeast Asia Collective Defense Treaty (adopted 8 September 1954, entered into force 19 February 1955) 209 UNTS 28. Statute of the International Criminal Tribunal for the Former Yugoslavia (adopted 25 May 1993, amended 17 May 2002). Statute of the International Tribunal for Rwanda (adopted 8 November 1994, amended 13 October 2006). Statute of the Special Court for Sierra Leone (adopted 16 January 2002). Statute of the International Court of Justice (adopted 26 June 1945, entered into force 24 October 1945). Treaty of Friendship, Cooperation and Mutual Assistance (adopted 14 May 1955, entered into force 5 June 1955) 219 UNTS 3. Bibliography 375

Treaty of Peace between the Allied and Associated Powers and Germany (adopted 28 June 1919, entered into force 10 January 1920) 225 CTS 188. Treaty on Cooperation Among the States Members of the Commonwealth of Independent States in Combating Terrorism (adopted 4 June 1999, entered into force individually for each state-party in 2000–2005) accessed 1 August 2015. Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, Including the Moon and Other Celestial Bodies (adopted 27 January 1967, entered into force 10 October 1967) 610 UNTS 205. UN Convention on the Law of the Sea (UNCLOS) (adopted 10 December 1982, entered into force 16 November 1994) 1833 UNTS 3. UN Global Counter-Terrorism Strategy: Plan of Action, Annex to UNGA Res 60/288 (20 September 2006) UN Doc A/RES/60/288. UNGA Res 39/159 (17 December 1984) UN Doc A/RES/39/159. UNGA Res 41/38 (20 November 1986) UN Doc A/RES/41/38. UNGA Res 42/159 (7 December 1987) UN Doc A/RES/42/159. UNGA Res 46/86 (16 December 1991) UN Doc A/RES/46/86. UNGA Res 49/60 (9 December 1994) UN Doc A/RES/49/60. UNGA Res 498 (V) (1 February 1951) UN Doc A/RES/498. UNGA Res 50/53 (11 December 1995) UN Doc A/RES/50/53. UNGA Res 51/210 (17 December 1996) UN Doc A/RES/51/210. UNGA Res 52/165 (15 December 1997) UN Doc A/RES/52/165. UNGA Res 53/108 (8 December 1998) UN Doc A/RES/53/108. UNGA Res 53/70 (4 December 1998) UN Doc A/RES/53/70. UNGA Res 54/110 (9 December 1999) UN Doc A/RES/54/110. UNGA Res 54/49 (1 December 1999) UN Doc A/RES/54/49. UNGA Res 55/158 (12 December 2000) UN Doc A/RES/55/158. UNGA Res 55/28 (20 November 2000) UN Doc A/RES/55/28. UNGA Res 55/63 (4 December 2000) UN Doc A/RES/55/63. UNGA Res 56/121 (19 December 2001) UN Doc A/RES/56/121. UNGA Res 56/19 (29 November 2001) UN Doc A/RES/56/19. UNGA Res 56/88 (12 December 2001) UN Doc A/RES/56/88. UNGA Res 57/239 (20 December 2002) UN Doc A/RES/57/239. UNGA Res 57/27 (19 November 2002) UN Doc A/RES/57/27. UNGA Res 57/53 (22 November 2002) UN Doc A/RES/57/53. UNGA Res 58/199 (23 December 2003) UN Doc A/RES/58/199. UNGA Res 58/32 (8 December 2003) UN Doc A/RES/58/32. UNGA Res 58/81 (9 December 2003) UN Doc A/RES/58/81. UNGA Res 59/191 (20 December 2004) UN Doc A/RES/59/191. UNGA Res 59/46 (2 December 2004) UN Doc A/RES/59/46. 376 Bibliography

UNGA Res 59/61 (3 December 2004) UN Doc A/RES/59/61. UNGA Res 60/288 (8 September 2006) UN Doc A/RES/60/288. UNGA Res 60/43 (8 December 2005) UN Doc A/RES/60/43. UNGA Res 60/45 (8 December 2005) UN Doc A/RES/60/45. UNGA Res 61/40 (4 December 2006) UN Doc A/RES/61/40. UNGA Res 61/54 (6 December 2006) UN Doc A/RES/61/54. UNGA Res 62/17 (5 December 2007) UN Doc A/RES/62/17. UNGA Res 62/272 (5 September 2008) UN Doc A/RES/62/272. UNGA Res 62/71 (6 December 2007) UN Doc A/RES/62/71. UNGA Res 63/129 (11 December 2008) UN Doc A/RES/63/129. UNGA Res 63/37 (2 December 2008) UN Doc A/RES/63/37. UNGA Res 64/118 (16 December 2009) UN Doc A/RES/64/118. UNGA Res 64/211 (21 December 2009) UN Doc A/RES/64/211. UNGA Res 64/25 (2 December 2009) UN Doc A/RES/64/25. UNGA Res 64/297 (8 September 2010) UN Doc A/RES/64/297. UNGA Res 65/34 (6 December 2010) UN Doc A/RES/65/34. UNGA Res 65/41 (8 December 2010) UN Doc A/RES/65/41. UNGA Res 66/105 (9 December 2011) UN Doc A/RES/66/105. UNGA Res 66/24 (2 December 2011) UN Doc A/RES/66/24. UNGA Res 66/282 (29 June 2012) UN Doc A/RES/66/282. UNGA Res 67/27 (3 December 2012) UN Doc A/RES/67/27. UNGA Res 67/99 (14 December 2012) UN Doc A/RES/67/99. UNGA Res 68/119 (16 December 2013) UN Doc A/RES/68/119. UNGA Res 377 (V) (3 November 1950) UN Doc A/RES/377. UNGA Res 3379 (10 November 1975) UN Doc A/RES/3379. UNSC Draft Res S/4321 (26 May 1960) UN Doc S/4321. UNSC Res 262 (31 December 1968) UN Doc S/RES/262. UNSC Res 332 (21 April 1973) UN Doc S/RES/332. UNSC Res 337 (15 August 1973) UN Doc S/RES/337. UNSC Res 487 (19 June 1981) UN Doc S/RES/487. UNSC Res 573 (4 October 1985) UN Doc S/RES/573. UNSC Res 611 (25 April 1988) UN Doc S/RES/611. UNSC Res 678 (29 November 1990) UN Doc S/RES/678. UNSC Res 808 (22 February 1993) UN Doc S/RES/808. UNSC Res 955 (8 November 1994) UN Doc S/RES/955. UNSC Res 1189 (13 August 1998) UN Doc S/RES/1189. UNSC Res 1296 (19 April 2000) UN Doc S/RES/1296. UNSC Res 1315 (14 August 2000) UN Doc S/RES/1315. UNSC Res 1368 (12 September 2001) UN Doc S/RES/1368. UNSC Res 1373 (28 September 2001) UN Doc S/RES/1373. Bibliography 377

UNSC Res 1455 (17 January 2003) UN Doc S/RES/1455. UNSC Res 1526 (30 January 2004) UN Doc S/RES/1526. UNSC Res 1530 (11 March 2004) UN Doc S/RES/1530. UNSC Res 1540 (28 April 2004) UN Doc S/RES/1540. UNSC Res 1566 (8 October 2004) UN Doc S/RES/1566. UNSC Res 1664 (29 March 2006) UN Doc S/RES/1664. UNSC Res 1674 (28 April 2006) UN Doc S/RES/1674. UNSC Res 1735 (22 December 2006) UN Doc S/RES/1735. UNSC Res 1822 (30 June 2008) UN Doc S/RES/1822. UNSC Res 1963 (20 December 2010) UN Doc S/RES/1963. UNSC Res 1970 (26 February 2011) UN Doc S/RES/1970. UNSC Res 1973 (17 March 2011) UN Doc S/RES/1973. UNSC Res 1989 (17 June 2011) UN Doc S/RES/1989. UNSC Res 2082 (17 December 2012) UN Doc S/RES/2082. UNSC Res 2083 (17 December 2012) UN Doc S/RES/2083. UNSC Res 2129 (17 December 2013) UN Doc S/RES/2129. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, Public Law 107–56, 115 Stat 272 (2001). Vienna Convention on the Law of Treaties (adopted 23 May 1969, entered into force 27 January 1980) 1155 UNTS 331. Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, “Guidelines & Procedures, Including the Initial Elements” (adopted 21 July 1996, last amended December 2011) accessed 1 August 2015.

Studies, Reports and Papers

———, “2012 Threat Predictions” (Report, McAfee Labs, 2012) accessed 1 August 2015. ———, “A Brief History of NORAD: As of 31 December 2012” (NORAD Office of History 2013) accessed 1 August 2015. ———, “Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada” (Strategy, Government of Canada 2010) accessed 1 August 2015. ———, “Convention on International Information Security” (Concept, Russian Ministry of Foreign Affairs 28 October 2011)

5f0de28fe77fdcc32575d900298676/7b17ead7244e2064c3257925003bcbcc!OpenDoc ument> accessed 1 August 2015. ———, “Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems” (Report to Congressional Requesters GAO-04–354, United States General Accounting Office 2004) accessed 1 August 2015. ———, “Cyber Crime: Issues and Explanations” (UNICRI) accessed 1 August 2015. ———, “DDoS Public Media Reports” (Berkman Center for Internet and Society 2011) accessed 1 August 2015. ———, “Emerging Security Threats” (UNIDIR) accessed 1 August 2015. ———, “National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy” (Strategy, The White House 2011) accessed 1 August 2015. ———, “Part II: National Defense Policy, China’s National Defense in 2010” (White Paper, Information Office of the State Council of the People’s Republic of China 2011) accessed 1 August 2015. ———, “Part V: Protecting Internet Security, China’s National Defense in 2010” (White Paper, Information Office of the State Council of the People’s Republic of China 2011) accessed 1 August 2015. ———, “The UK Cyber Security Strategy Protecting and Promoting the UK in a Digital World” (Cabinet Office, November 2011) accessed 1 August 2015. ———, Statement by Acting Minister of Foreign Affairs of the Republic of Kazakhstan, H.E. Mr. K.Umarov, at the Sixty-Seventh Session of the United Nations General Assembly (Statement, Embassy of the Republic of Kazakhstan, 29 September 2012) accessed 1 August 2015. ———, “United Nations Conventions Deposited with the Secretary-General of the United Nations” (UNTS, 2013) accessed 1 August 2015. Abrams M., Weiss J., “Malicious Control System Cyber Security Attack Case Study— Maroochy Water Services” (National Institute of Standards and Technology Bibliography 379

Computer Security Division, 23 July 2008) accessed 1 August 2015. Adee S., “The Hunt for the Kill Switch” (IEEE Spectrum, May 2008) accessed 1 August 2015. Are D.C., “When Does a ‘Hacker’ Become an ‘Attacker’?” (Monograph, School of Advanced Military Studies 1998). Barlow J.P., “A Declaration of the Independence of Cyberspace” (Declaration, February 1996) accessed 1 August 2015. Bumgarner J., Borg S., “Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008” (Special Report, US-CCU 2009) accessed 1 August 2015. Butt Y.M., “The EMP Threat: Fact, Fiction, and Response” (Space Review, 2010) accessed 1 August 2015. Center for Strategic and International Studies, “The Economic Impact of Cybercrime and Cyber Espionage” (Report, McAfee 2013) accessed 1 August 2015. Check T.A., “Book Review: Analyzing the Effectiveness of the Tallinn Manual’s Jus Ad Bellum Doctrine on Cyber Conflict, a NATO-Centric Approach” (October 2013) accessed 1 August 2015. Chien E., “W32.Nimda.A@mm” (Symantec Security Response, 13 February 2007) accessed 1 August 2015. Chien E., Shearer J., “W32.Koobface” (Symantec Security Response, 8 August 2012) accessed 1 August 2015. Commission for the Protection of Critical Infrastructure, “Protection of Critical Infrastructures and Critical Societal Functions in Norway” (Report to the Ministry of Justice and the Police, Norwegian Government 2006) accessed 1 August 2015. Commission of Jurists, “Rules Concerning the Control of Wireless Telegraphy in Time of War and Air Warfare” (December 1922—February 1923). Cornish P., “The Vulnerabilities of Developed States to Economic Cyber Warfare” (Working Paper, Chatham House 2011) accessed 1 August 2015. 380 Bibliography

CTITF, “Countering the Use of the Internet for Terrorist Purposes” (Working Group Report, UN 2009) accessed 1 August 2015. ———, “Countering the Use of the Internet for Terrorist Purposes—Legal and Technical Aspects” (Working Group Report, UN 2011) accessed 1 August 2015. ———, “Interagency Coordination in the Event of a Nuclear or Radiological Terrorist Attack: Current Status, Future Prospects” (Working Group Report, UN 2010) accessed 1 August 2015. Denning D.E., “Cyberterrorism” (Testimony Before the Special Oversight Panel on Terrorism Committee on Armed Services, US House of Representatives, 23 May 2000) accessed 1 August 2015. Department of Homeland Security, “Critical Infrastructure Identification, Prio ritization, and Protection” (Homeland Security Presidential Directive 7, 17 December 2003). Dörmann K., “Applicability of the Additional Protocols to Computer Network Attacks” (Report, ICRC 2004) accessed 1 August 2015. Falliere N., Murchu L.O., Chien E., “W32.Stuxnet Dossier” (Paper, Symantec Security Response 2011) accessed 1 August 2015. Finklea K.M., “The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law Enforcement” (Report, Congressional Research Service 2013) accessed 1 August 2015. ———, Theohary CA, “Cybercrime: Conceptual Issues for Congress and U.S. Law Enforcement” (Report, Congressional Research Service 2013) accessed 1 August 2015. Gady F., Austin G., “Russia, The United States, And Cyber Diplomacy: Opening the Doors” (Report, EastWest Institute 2010) accessed 1 August 2015. Gordon S., Ford R., “Cyberterrorism?” (Study, Symantec Security 2003) accessed 1 August 2015. Group of Experts on a New Strategic Concept for NATO., “NATO 2020: Assured Security; Dynamic Engagement” (Report, NATO 2010) accessed 1 August 2015. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, “Report of the Group Bibliography 381

of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” (Report, UN 2010) UN Doc A/65/201. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, “Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security” (Report, UN 2013) UN Doc A/68/98. Gutierrez N.F., Katsuki T., Rudnai T., “W32.Daprosy” (Symantec Security Response, 16 July 2009) accessed 1 August 2015. Healey J., “Beyond Attribution: Seeking National Responsibility in Cyberspace” (Brief, Atlantic Council 2012) accessed 1 August 2015. Heickerö R., “Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations” (Swedish Defence Research Agency, March 2010) accessed 1 August 2015. ———, “Terrorism Online and the Change of Modus Operandi” (Paper, UNIDIR) accessed 1 August 2015. Henry J., “Reducing the Threat of State-to-State Cyber Attack against Critical Infrastructure through International Norms and Agreements” (Working Paper, Center for International and Security Studies at Maryland 2010) accessed 1 August 2015. High-Level Panel on Threats, Challenges and Change, “A More Secure World: Our Shared Responsibility” (Letter to UNSG, 1 December 2004) UN Doc A/59/565. Hildreth S.A., “Cyberwarfare” (Report, Congressional Research Service 2001) accessed 1 August 2015. Hollis D.B., “Stewardship Versus Sovereignty?: International Law and the Appointment of Cyberspace” (Cyberdialogue 2012: What Is Stewardship in Cyberspace?, Toronto, March 2012) accessed 1 August 2015. Hoogh A., “Georgia’s Short-Lived Military Excursion into South Ossetia: The Use of Armed Force and Self-Defence” (EJIL: Talk!, 9 December 2009) accessed 1 August 2015. ———, “The ‘Armed Activities’ Case: Unasked Questions, Proper Answers” (Hague Justice Portal, 30 January 2006) accessed 1 August 2015. 382 Bibliography

Hwang J., “China’s Cyber Warfare: The Strategic Value of Cyberspace and the Legacy of People’s War” (Doctoral Thesis, University of Newcastle upon Tyne 2012) accessed 1 August 2015. ICRC, “Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field: Article 2—Application of the Convention” (Commentary, ICRC 1952) accessed 1 August 2015. ———, “Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field: Article 20—Protection of Hospital Ships” (Commentary, ICRC 1952) accessed 1 August 2015. ———, “Convention (III) Relative to the Treatment of Prisones of War: Article 4— Prisoners of War” (Commentary, ICRC 1952) accessed 1 August 2015. ———, “How is the Term ‘Armed Conflict’ Defined in International Humanitarian Law?” (Opinion Paper, March 2008) accessed 1 August 2015. ———, “The Relevance of IHL in the Context of Terrorism” (Frequently Asked Questions, ICRC, January 2011) accessed 1 August 2015. ILC, “Commentaries to Draft Articles on Responsibility of States for Internationally Wrongful Acts”, 53rd Session, Supplement No. 10 (November 2001) UN Doc A/56/10. ———, “Draft Articles on Responsibility of States for Internationally Wrongful Acts”, 53rd Session, Supplement No. 10 (November 2001) UN Doc A/56/10. ———, “Draft Articles on the Responsibility of International Organizations”, 63rd Session, Supplement No. 10 (June 2011) UN Doc A/63/10. ———, “Draft Code of Crimes against the Peace and Security of Mankind”, 48th Session, Supplement No. 10 (6 May–26 July 1996) UN Doc A/CN.4/L.532. ———, “Principles of International Law Recognized in the Charter of the Nüremberg Tribunal and in the Judgment of the Tribunal”, 2nd Session, Supplement No. 12 (5 June–29 July 1950) UN Doc A/1316. ———, “Report of the International Law Commission”, 58th Session, Annex E (1 May–9 June, 3 July–11 August 2006) UN Doc A/61/10. ILC Study Group, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Study Group of the ILC Finalized by Martti Koskenniemi (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/L.702. ———, “Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law”, 58th Session, Report of the Bibliography 383

Study Group of the ILC (1 May–9 June, 3 July–11 August 2006) UN Doc A/CN.4/ L.702. International Law Association, “Draft Convention for the Protection of Civilian Populations Against New Engines of War”, 40th Session (29 August 1938–2 September 1938). Klimburg A., Tirmaa-Klaar H., “Cybersecurity and Cyberpower: Concepts, Conditions and Capabilities for Cooperation for Action within the EU” (Study, Directorate- General for External Policies of the European Parliament 2011) accessed 1 August 2015. Koh H.H., “International Law in Cyberspace” (USCYBERCOM Inter-Agency Legal Conference, 2012) accessed 1 August 2015. Lawson S., “Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History” (Working Paper 10–77, George Mason University Mercatus Center 2011) accessed 1 August 2015. Lewis J.A., “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats” (Center for Strategic and International Studies 2002) accessed 1 August 2015. Lewis J.A., Timlin K., “Cybersecurity and Cyberwarfare: Preliminary Assessment of National Doctrine and Organization” (Study, UNIDIR 2011) accessed 1 August 2015. Liivoja R., McCormack T., “Law in the Virtual Battlespace: The Tallin Manual and the Jus in Bello” (2012) 15 Yearbook of International Humanitarian Law. Maurer T., “Cyber Norm Emergence at the United Nations—An Analysis of the UN’s Activities Regarding Cyber-Security” (Discussion Paper 2011–11, Belfer Center for Science and International Affairs 2011) accessed 1 August 2015. McDonald G. and others, “Stuxnet 0.5: The Missing Link” (White Paper, Symantec Security Response 2013) accessed 1 August 2015. Myrli S., “NATO and Cyber Defence” (Committee Report 173 DSCFC 09 E BIS, NATO Parliamentary Assembly 2009) accessed 1 August 2015. NATO Standardization Agency, “NATO Glossary of Terms and Definitions” (AAP-6, NATO 2010). 384 Bibliography

Newton S.A., “Can Cyberterrorists Actually Kill People?” (White Paper, SANS Institute 2002) accessed 1 August 2015. Nye J.S., “Cyber Power” (Paper, Belfer Center for Science and International Affairs 2010) accessed 1 August 2015. Panetta L.E., “Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security” (News Transcript, US Department of Defense 2012) accessed 1 August 2015. Peacebuilding Support Office, “UN Peacebuilding: An Orientation” (Brochure, UN 2010) accessed 1 August 2015. President’s Commission on Critical Infrastructure Protection, “Protecting America’s Infrastructures” (Report, White House 1997). Prevelakis V., Spinellis D., “The Athens Affair” (IEEE Spectrum, July 2007) accessed 1 August 2015. Rundle M., “Beyond Internet Governance: The Emerging International Framework for Governing the Networked World” (Research Publication, Berkman Center for Internet & Society 2005) accessed 1 August 2015. Sample C., “Culture and Computer Network Attack Behaviors” (Doctoral Thesis, Capitol College 2013). Schmitt M.N., “The Law of Cyber Warfare: Quo Vadis?” (2014) 25 Stanford Law and Policy Review, 4 accessed 1 August 2015. Schneider D., “Cyber Security Keynote Address” (FSC-PC.DEL/30/10, United States Mission to the OSCE 2010) accessed 1 August 2015. Sofaer A.D. and others, “A Proposal for an International Convention on Cyber Crime and Terrorism” (Stanford Conference, 6–7 December 1999) accessed 1 August 2015. Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, “Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression” (Report, UNHCR 2011) UN Doc A/HRC/17/27. Theohary C.A., Rollins J., “Terrorist Use of the Internet: Information Operations in Cyberspace” (Report, Congressional Research Service 2011) accessed 1 August 2015. Thomasen T., “Cyber Deterrence—A 21st Century Maginot Line” (Brief, Royal Danish Defence College 2011) accessed 1 August 2015. Bibliography 385

Tikk E. and others, “Cyber Attacks Against Georgia: Legal Lessons Identified” (Analysis Document, NATO CCDCOE 2008). Tikk E., “Comprehensive Legal Approach to Cyber Security” (Doctoral Thesis, University of Tartu 2011) accessed 1 August 2015. UK Cabinet Office, “The Cost of Cybercrime” (Report, Detica 2011) accessed 1 August 2015. UN Conference on Trade and Development, “Disclosure of the Impact of Corporations on Society, Current Trends and Issues” (Paper, UN 2004) accessed 1 August 2015. UN DPKO, “General Guidelines for Peacekeeping Operations” (Guidelines, UN 1995). UNSG, “An Agenda for Peace: Preventative Diplomacy, Peacemaking and Peace- Keeping” (Report of the UNSG, 17 June 1992) UN Doc A/47/277. ———, “Implementing the Responsibility to Protect” (Report of the UNSG, 12 January 2009) UN Doc A/63/677. ———, “In Larger Freedom: Towards Security, Development and Human Rights for All” (Report of the UNSG, 21 March 2005) UN Doc A/59/2005. US Department of Defense Office of General Counsel, “An Assessment of International Legal Issues in Information Operations” (US Department of Defense 1999) accessed 1 August 2015. US Department of Defense, “A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934” (Cyberspace Policy Report, US Department of Defense 2011) accessed 1 August 2015. ———, “Strategy for Homeland Defense and Civil Support” (US Department of Defense 2005) accessed 1 August 2015. ———, “Strategy for Operating in Cyberspace” (US Department of Defense 2011) accessed 1 August 2015. US Senate Permanent Subcommittee on Investigations, “Security in Cyberspace” (Appendix B, Federation of American Scientists, 5 June 1996) accessed 1 August 2015. Veerasamy N., “Motivation for Cyberterrorism, Defence, Peace, Safety and Security” (9th Annual Information Security for South Africa, Johannesburg, 2–4 August 2010) accessed 1 August 2015. Vihul L., “The Tallinn Manual on the International Law Applicable to Cyber Warfare” (EJIL: Talk!, 15 April 2013) accessed 1 August 2015. 386 Bibliography

Villeneuve N., “Cyberterrorism: A Critical Perspective” (University of Toronto) accessed 1 August 2015. Wait P., “Cyber Storm Exercise Challenged Coordination, Communications” (GCN, 15 September 2006) accessed 1 August 2015. Weimann G., “Cyberterrorism: How Real Is the Threat?” (Special Report, US Institute of Peace 2004) accessed 1 August 2015. WGIG., “Report of the Working Group on Internet Governance” (WGIG 2005) accessed 1 August 2015. Wilson C., “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress” (Report, Congressional Research Service 2008) accessed 1 August 2015. ———, “Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress” (Report, Congressional Research Service 2003) accessed 1 August 2015. World Federation of Scientists Permanent Monitoring Panel on Information Security, “Toward a Universal Order of Cyberspace: Managing Threats from Cybercrime to Cyberwar” (Report & Recommendations, WSIS-03/GENEVA/CONTR/6-E, ITU 19 November 2003). WSIS, “Geneva Declaration of Principles and Plan of Action” (ITU 2003) accessed 1 August 2015. ———, “Tunis Commitment” (ITU 2005) accessed 1 August 2015. Yoo J.C., Delahunty R.J., “Authority for Use of Military Force to Combat Terrorist Activities Within the United States” (Memorandum, Office of the Deputy Assistant Attorney General 2001) accessed 1 August 2015. Yurcik W., Doss D., “Internet Attacks: A Policy Framework for Rules of Engagement” (Paper, 2001) accessed 1 August 2015. Ziolkowski K., “Confidence Building Measures for Cyberspace—Legal Implications” (Paper, NATO CCDCOE 2013) accessed 1 August 2015.

Internet News and Other Online Resources

———, “‘Hackers’ on Trial in Turkey for the First Time” (Al Arabiya, 26 November 2012) accessed 1 August 2015. Bibliography 387

———, “‘Mafiaboy’ Hacker Jailed” (BBC News, 13 September 2001) accessed 1 August 2015. ———, “Backdoor:Win32/Optixpro.J.dr” (Microsoft Malware Protection Center, 7 February 2007) accessed 1 August 2015. ———, “Car Hacked on 60 Minutes” (CBS News, 6 February 2015) accessed 1 August 2015. ———, “Chinese Cyber Attacks Hit Japan over Islands Dispute” (The Globe and Mail, 19 September 2012) accessed 1 August 2015. ———, “Computer Programmer Charged in Sabotage Plot” (The New York Times, 27 June 1991) accessed 1 August 2015. ———, “Cyber Storm 2 Exercise Reveals Security Preparedness” (Computer Weekly, 18 March 2008) accessed 1 August 2015. ———, “Estonia Fines Man for ‘Cyber War’” (BBC News, 25 January 2008) accessed 1 August 2015. ———, “EU seeks Unified Cybersecurity Regime” (United Press International, 16 June 2011) accessed 1 August 2015. ———, “Hacked by ‘Pakistan Cyber Army’, CBI Website Still Not Restored” (NDTV, 4 December 2010) accessed 1 August 2015. ———, “Iran ‘Uncovers Stars Espionage Virus’” (BBC News, 25 April 2011) accessed 1 August 2015. ———, “Iran Military Landed US Spy Drone” (Press TV, 9 December 2011) accessed 1 August 2015. ———, “Iran Readies Domestic Internet System, Blocks Google” (Reuters, 24 September 2012) accessed 1 August 2015. ———, “Iran: Military Captured Foreign ‘Enemy Drone’” (CBS News, 16 May 2013) accessed 1 August 2015. ———, “Kaspersky Lab Discovers ‘Gauss’—A New Complex Cyber-Threat Designed to Monitor Online Banking Accounts” (Kaspersky Lab Virus News, 9 August 2012) accessed 1 August 2015. 388 Bibliography

———, “McAfee Offers Guidance and Protection as China-Linked Google Cyberattack Continues to Unfold” (Press Release, BusinessWire, 17 January 2010) accessed 1 August 2015. ———, “Mission and Vision” (NATO CCDCOE, 2013) accessed 1 August 2015. ———, “NATO and Cyber Defence” (NATO, 2012) accessed 1 August 2015. ———, “Newly Nasty: Defences Against Cyberwarfare is Still Rudimentary. That’s Scary” (The Economist, 24 May 2007) accessed 1 August 2015. ———, “NGRBot” (McAfee Labs Threat Advisory, 17 October 2012) accessed 1 August 2015. ———, “Nigerian Pipeline Blast Spurs UN Call for Fuel Management Review” (International Business Times, 29 December 2006) accessed 1 August 2015. ———, “North Korea ‘Behind South Korean Bank Cyber Hack’” (BBC News, 3 May 2011) accessed 1 August 2015. ———, “North Korea Accuses Enemies Of ‘Persistent and Intensive’ Cyber Attack” (Business Insider / AFP, 15 March 2013) accessed 1 August 2015. ———, “Russia Potential Aggressor for NATO” (RIA Novosti, 18 October 2012) accessed 1 August 2015. ———, “Sasser Net Worm Affects Millions” (BBC News, 4 May 2004) accessed 1 August 2015. ———, “Security Firm: MyDoom Worm Fastest Yet” (CNN, 28 January 2004) accessed 1 August 2015. ———, “Shamoon was an External Attack on Saudi Oil Production” (InfoSecurity Magazine, 10 December 2012) accessed 1 August 2015. ———, “Snowden Confirms NSA Created Stuxnet with Israeli Aid” (RT, 11 July 2013) accessed 1 August 2015. Bibliography 389

———, “The Case of the Hacked South Pole” (FBI, 18 July 2003) accessed 1 August 2015. ———, “The National Infrastructure” (Centre for the Protection of National Infrastructure) accessed 1 August 2015. ———, “Top 10 Computer Viruses” (Symantec PC Tools, 21 July 2010) accessed 1 August 2015. ———, “U.S., China Agree to Work Together on Cyber Security” (Reuters, 13 April 2013) accessed 1 August 2015. ———, “UK Admits to Cyber Attack on Iran” (PressTV, 19 July 2012) accessed 1 August 2015. ———, “UK Cyber Defence Unit ‘May Include Convicted Hackers’” (BBC News, 22 October 2013) accessed 1 August 2015. ———, “UN Action to Counter Terrorism: International Legal Instruments to Counter Terrorism” (UN) accessed 1 August 2015. ———, “UN Rejects International Cybercrime Treaty” (Computer Weekly, 20 April 2010) accessed 1 August 2015. ———, “US Prepares First-Strike Cyber-Forces” (BBC News, 12 October 2012) accessed 1 August 2015. ———, “Utah’s ‘Black Ice’: Cyber-Attack Scenario” (CNN, 21 October 2001) accessed 1 August 2015. ———, “What Does Exploit Mean?” (Symantec PC Tools) accessed 1 August 2015. ———, “What is a Rootkit?” (AVG) accessed 1 August 2015. ———, “What is a Zero-Day Vulnerability?” (Symantec PC Tools) accessed 1 August 2015. ———, Testimony of Michael Callahan, Senior Vice President and General Counsel, Yahoo! Inc. Before the Subcommittees on Africa, Global Human Rights and International Operations, and Asia and the Pacific (Statement, The New York Times, 15 February 2006) accessed 1 August 2015. Abbasi W., “Pakistani Hackers Defaced over 1,000 Indian Websites” (The News International, 6 April 2013) accessed 1 August 2015. 390 Bibliography

Addison A., “Airliners Fly in Face of Cyber Attack Scares” (PhysOrg, 3 November 2010) accessed 1 August 2015. Addley E., Halliday J., “Operation Payback Cripples MasterCard Site in Revenge for WikiLeaks Ban” (The Guardian, 8 December 2010) accessed 1 August 2015. Albright D., Brannan P., Walrond C., “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?” (Report, Institute for Science and International Security, 22 December 2010) accessed 1 August 2015. Al-Madhoun O., “Islamic Jihad’s Cyber-War Brigades” (Menassat, 17 June 2008) accessed 1 August 2015. Baker G., “Schoolboy Hacks into City’s Tram System” (The Telegraph, 11 January 2008) accessed 1 August 2015. Baker J., “Europe’s ‘Single Secure Cyberspace’ Plan Under Attack” (Computer World, 2 May 2011) accessed 1 August 2015. Beal V., “The Difference Between a Virus, Worm and Trojan Horse” (Webopedia, 29 June 2010) accessed 1 August 2015. Bernstein S., Blankstein A., “Key Signals Targeted, Officials Say” (Los Angeles Times, 9 January 2007) accessed 1 August 2015. Bogdanov K., “Cyber Arms Race Could Change the World Around Us” (RIA Novosti, 26 June 2012) accessed 1 August 2015. Breeden J., “Hackers’ New Super Weapon Adds Firepower to DDOS” (GCN, 24 October 2012) accessed 1 August 2015. Campbell A., “‘Electronic Jihad’ November 11 Attack Fails to Materialize” (DailyTech, 13 November 2007) accessed 1 August 2015. Capaccio T., Bliss J., “Chinese Military Suspected in Hacker Attacks on U.S. Satellites” (Bloomberg, 27 October 2011) accessed 1 August 2015. Cha A.E., Diaz S., “Advocates Sue Yahoo in Chinese Torture Case” (Washington Post, 19 April 2007) accessed 1 August 2015. Bibliography 391

Charbonneau L., “Iran Rejects UN Criticism of its Cyber Security Rules” (Reuters, 25 October 2012) accessed 1 August 2015. Claburn T., “Fannie Mae Contractor Indicted for Logic Bomb” (InformationWeek, 29 January 2009) accessed 1 August 2015. Clark L., “Security Consultant Hijacks Plane’s Navigation System with Android App” (Wired, 11 April 2013) accessed 1 August 2015. Conte A., “Task Force Recommends U.S. Keep Nuclear Option as Response for Massive Computer Attack” (Pittsburgh Tribune-Review, 5 March 2013) accessed 1 August 2015. Davis J., “Hackers Take Down the Most Wired Country in Europe” (Wired, 21 August 2007) accessed 1 August 2015. Dehghan S.K., “Iran Clamps Down on Internet Use” (The Guardian, 5 January 2012) accessed 1 August 2015. Drogin B., “Yearlong Hacker Attack Nets Sensitive U.S. Data” (Los Angeles Times, 7 October 1999) accessed 1 August 2015. Duncan G., “WikiLeaks Supporters Using Volunteer and Zombie Botnets” (Digital Trends Computing, 9 December 2010) accessed 1 August 2015. Dunn J.E., “Apple Battery Firmware Open to Attack, Researcher Finds” (Techworld, 25 July 2011) accessed 1 August 2015. ———, “Chinese Accused of Huge Attack on Energy Sector” (PC World, 10 February 2011) accessed 1 August 2015. Engleman E., Strohm C., “Mock Cyber Attack Used to Pitch Senate Legislation” (Pittsburgh Post-Gazette, 9 March 2012) accessed 1 August 2015. Erlanger S., “Tatar Area in Russia Votes on Sovereignty Today” (The New York Times, 21 March 1992) accessed 1 August 2015. Fantz A., Shubert A., “WikiLeaks ‘Anonymous’ Hackers: ‘We Will Fight’” (CNN, 9 December 2010) accessed 1 August 2015. 392 Bibliography

Finch S., “Cyber-Terrorism is Real—Ask Estonia” (The Telegraph, 30 May 2007) accessed 1 August 2015. Finkle J., “Malicious Virus Shuttered U.S. Power Plant” (Reuters, 16 January 2013) accessed 1 August 2015. Finn P., “Cyber Assaults on Estonia Typify a New Battle Tactic” (The Washington Post, 19 May 2007) accessed 1 August 2015. Gabatt A., “New York Times Website Offline after ‘Malicious External Attack’” (The Guardian, 28 August 2013) accessed 1 August 2015. Gaudin S., “DoS Attack Cripples Internet Root Servers” (InformationWeek, 6 February 2007) accessed 1 August 2015. ———, “Nightmare on Wall Street: Prosecution Witness Describes ‘Chaos’ In UBS PaineWebber Attack” (InformationWeek, 6 June 2006) accessed 1 August 2015. Gayle D., “Hackers Declare ‘Cyber war’ on Israel After IDF Threatens to Cut Off Internet in Gaza” (Daily Mail, 20 November 2012) accessed 1 August 2015. Geers K., “Cyberspace and the Changing Nature of Warfare” (SC Magazine, 27 August 2008) accessed 1 August 2015. Gellman B., Nakashima E., “U.S. Spy Agencies Mounted 231 Offensive Cyber-Operations in 2011, Documents Show” (The Washington Post, 31 August 2013) accessed 1 August 2015. Gertz B., “Inside the Ring: Al Qaeda Websites Hacked” (The Washington Times, 15 May 2013) accessed 1 August 2015. Gold S., “Computer Hacker Disrupts Washington Water Utility” (SC Magazine Security News, 1 March 2004) accessed 1 August 2015. Gorman S., “Electricity Grid in U.S. Penetrated by Spies” (The Wall Street Journal, 8 April 2009) accessed 1 August 2015. Bibliography 393

Gorman S., Dreazen Y.J., Cole A., “Insurgents Hack U.S. Drones” (The Wall Street Journal, 17 December 2009) accessed 1 August 2015. Gostev A., “Mobile Malware Evolution: An Overview, Part 1” (SecureList, 29 September 2006) accessed 1 August 2015. Graham B., “U.S. Studies a New Threat: Cyber Attack” (Washington Post, 24 May 1998) accessed 1 August 2015. Holbrooke R., Garrett L., “Sovereignty That Risks Global Health” (Washington Post, 10 August 2008) accessed 1 August 2015. Isaacson B., “Hackers Reveal How They Accessed Syrian President Bashar Assad’s Email Using World’s Worst Password” (The Huffington Post, 7 September 2012) accessed 1 August 2015. Janssen C., “Network Port” (Technopedia) accessed 1 August 2015. Kabay M.E., “Attacks on Power Systems: Hackers, Malware” (Network World, 13 September 2010) accessed 1 August 2015. Kamenev M., “First, China. Next: the Great Firewall of . . . Australia?” (Time, 16 June 2010) accessed 1 August 2015. Karana K.P., Andriyanto H., “Indonesian Hackers Claim Web Attack on Malaysian Sites” (Jakarta Globe, 1 September 2009) accessed 1 August 2015. King L., “London Stock Exchange ‘Under Major Cyberattack’ During Linux Switch” (Computer World UK, 31 January 2011) accessed 1 August 2015. Kingsbury A., “Documents Reveal Al Qaeda Cyberattacks” (US News, 14 April 2010) accessed 1 August 2015. Kirk J., “Pacemaker Hack Can Deliver Deadly 830-Volt Jolt” (Computer World, 17 October 2013) accessed 1 August 2015. Knell Y., “New Cyber Attack Hits Israeli Stock Exchange and Airline” (BBC News, 16 January 2012) accessed 1 August 2015. Kravets D., “No, Hackers Can’t Open Hoover Dam Floodgates” (Wired, 3 February 2011) accessed 1 August 2015. 394 Bibliography

Lannin P., “Swedish C.Bank Website Shut Down in Cyber Attack” (Reuters, 3 October 2012) accessed 1 August 2015. Lee D., “North Korea: On the Net in World’s Most Secretive Nation” (BBC News, 10 December 2012) accessed 1 August 2015. Lee S.Y., “South Korea Raises Alert After Hackers Attack Broadcasters, Banks” (Reuters, 20 March 2013) accessed 1 August 2015. Leyden J., “Conficker Botnet Remains Dormant—For Now” (The Register, 1 April 2009) accessed 1 August 2015. ———, “Islamist Hackers Attack Danish Sites” (The Register, 9 February 2006) accessed 1 August 2015. ———, “Russians Accuse FBI Agent of Hacking” (The Register, 16 August 2002) accessed 1 August 2015. Mann J., “MySpace Speaks about Samy Kamkar’s Sentencing” (TechSpot Industry News, 31 January 2007) accessed 1 August 2015. Markoff J., “Before the Gunfire, Cyberattacks” (The New York Times, 12 August 2008) accessed 1 August 2015. ———, “Vast Spy System Loots Computers in 103 Countries” (The New York Times, 28 March 2009) accessed 1 August 2015. Mathews A.W., “Anthem: Hacked Database Included 78.8 Million People” (The Wall Street Journal, 24 February 2015) accessed 1 August 2015. McMillan R., “Hackers Break into Water System Network” (Computer World, 31 October 2006) accessed 1 August 2015. ———, “Insider Charged with Hacking California Canal System” (Computer World, 29 November 2007) accessed 1 August 2015. Medetsky A., “KGB Veteran Denies CIA Caused ‘82 Blast” (The Moscow Times, 18 March 2004) accessed 1 August 2015. Bibliography 395

Mello J.P., “Malware Infects 13 Percent of North American Home Networks” (PC World Security, 31 October 2012) accessed 1 August 2015. Meserve J., “Sources: Staged Cyber Attack Reveals Vulnerability in Power Grid” (CNN, 26 September 2007) accessed 1 August 2015. Mills E., “U.S. Warns of Cyberattacks on Gas Pipeline Companies” (CNET, 7 May 2012) accessed 1 August 2015. Montalbano E., “TSA Hacker Sentenced to Prison” (InformationWeek, 13 January 2011) accessed 1 August 2015. Moore M., “Chinese Hackers Steal Dalai Lama’s Emails” (The Telegraph, 6 April 2010) accessed 1 August 2015. Mumo M., “Kenya Falls Victim to Cyber Attack” (Daily Nation, 16 January 2013) accessed 1 August 2015. Nahorney B., Falliere N., “Trojan.Zbot” (Symantec Security Response, 13 November 2012) accessed 1 August 2015. Nakashima E., “U.S. and Russia Sign Pact to Create Communication Link on Cyber Security” (The Washington Post, 17 June 2013) accessed 1 August 2015. ———, “U.S. Eyes Preemptive Cyber-Defense Strategy” (The Washington Post, 29 August 2010) accessed 1 August 2015. ———, “War Game Reveals U.S. Lacks Cyber-Crisis Skills” (The Washington Post, 17 February 2010) accessed 1 August 2015. Osborne C., “‘Red October’ Malware Spies on Governments Worldwide” (CNET, 14 January 2013) accessed 1 August 2015. ———, “Georgia Turns the Tables on Russian Hacker” (ZDNet 30 October 2012) accessed 1 August 2015. Osgood P., “Cyber Attack Takes Qatar’s RasGas Offline” (Arabian Business, 30 August 2012) accessed 1 August 2015. 396 Bibliography

Page L., “MoD Networks Still Malware-Plagued After Two Weeks” (The Register, 20 January 2009) accessed 1 August 2015. Parrish K., “Rasmussen Outlines Cyber Progress, Urges Defense Investment” (American Forces Press Service, 4 June 2013) accessed 1 August 2015. Perlroth N., “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back” (The New York Times, 23 October 2012) accessed 1 August 2015. Perna G., “Report: NASA Vulnerable to Crippling Cyber Attacks” (International Business Times, 29 March 2011) accessed 1 August 2015. Potter N., “Top 10 Computer Viruses and Worms” (ABC News, 3 September 2009) accessed 1 August 2015. Poulsen K., “Slammer Worm Crashed Ohio Nuke Plant Network” (Security Focus, 19 August 2003) accessed 1 August 2015. ———, “South Pole ‘Cyberterrorist’ Hack Wasn’t the First” (The Register, 19 August 2004) accessed 1 August 2015. Rhodin S., “Hackers Tag Lithuanian Web Sites with Soviet Symbols” (The New York Times, 1 July 2008) accessed 1 August 2015. Rouse M., “Definition: Brute Force Cracking” (TechTarget Search Security, July 2006) accessed 1 August 2015. ———, “Definition: Cache Poisoning (Domain Name System Poisoning or DNS Cache Poisoning)” (TechTarget Search Security, September 2005) accessed 1 August 2015. ———, “Definition: Cookie Poisoning” (TechTarget Search Security, June 2007) accessed 1 August 2015. ———, “Definition: Parameter Tampering” (TechTarget Search Security, November 2010) accessed 1 August 2015. ———, “Definition: Phlashing” (TechTarget Search Security, July 2008) accessed 1 August 2015. Safire W., “The Farewell Dossier” (The New York Times, 2 February 2004) accessed 1 August 2015. Bibliography 397

Sanger D.E., “America’s Deadly Dynamics With Iran” (The New York Times, 5 November 2011) accessed 1 August 2015. ———, “Iran Fights Malware Attacking Computers” (The New York Times, 25 September 2010) accessed 1 August 2015. ———, “Obama Order Sped Up Wave of Cyberattacks Against Iran” (The New York Times, 1 June 2012) accessed 1 August 2015. Schmitt E., Shanker T., “U.S. Debated Cyberwarfare in Attack Plan on Libya” (The New York Times, 17 October 2011) accessed 1 August 2015. Schneier B., “Threat of ‘Cyberwar’ has been Hugely Hyped” (CNN, 7 July 2010) accessed 1 August 2015. Schwartz M.J., “Bank Attackers Restart Operation Ababil DDoS Disruptions” (InformationWeek, 6 March 2013) accessed 1 August 2015. ———, “GPS Spoofer Hacks Civilian Drone Navigation System” (InformationWeek, 29 June 2012) accessed 1 August 2015. Sechrist S., “State of Security: China’s Trojan Horse” (Display Daily, 18 March 2008) accessed 1 August 2015. Shachtman N., “Exclusive: Computer Virus Hits U.S. Drone Fleet” (Wired, 7 October 2011) accessed 1 August 2015. Singh J., “Indian Army Sees USB Drives as Biggest Threat to Their Security” (The News Tribe, 21 October 2012) accessed 1 August 2015. Smith G., “Iraqi Cyberwar: An Ageless Joke” (Security Focus, 10 March 2003) accessed 1 August 2015. Sudworth J., “New ‘Cyber Attacks’ Hit S. Korea” (BBC News, 9 July 2009) accessed 1 August 2015. Taylor R., “Japan’s Defense Industry Hit by its First Cyber Attack” (Reuters, 19 September 2011) accessed 1 August 2015. Tewari M., “Indo-Pak Cyber War Hots Up” (Daily News & Analysis, 7 January 2009) accessed 1 August 2015. 398 Bibliography

Thia T., “South Korean Bank Probed After System Outage” (ZDNet, 18 April 2011) accessed 1 August 2015. Torbati Y., “Cyber Attackers Target Iranian Oil Platforms: Official” (Reuters, 8 October 2012) accessed 1 August 2015. Traynor I., “Russia Accused of Unleashing Cyberwar to Disable Estonia” (The Guardian, 17 May 2007) accessed 1 August 2015. US Attorney’s Office, “Arlington Security Guard Arrested on Federal Charges for Hacking into Hospital’s Computer System” (Press Release, FBI, 30 June 2009) accessed 1 August 2015. US Department of Justice, “Argentine Computer Hacker Agrees to Waive Extradition and Returns to Plead Guilty to Felony Charges in Boston” (Press Release, 19 May 1998) accessed 1 August 2015. ———, “California Man Pleads Guilty in ‘Botnet’ Attack That Impacted Seattle Hospital and Defense Department” (Press Release, 4 May 2006) accessed 1 August 2015. ———, “Juvenile Computer Hacker Cuts off FAA Tower” (Press Release, 18 March 1998) accessed 1 August 2015. US White House, “Fact Sheet: Cybersecurity Legislative Proposal” (Office of the Press Secretary, 12 May 2011) accessed 1 August 2015. ———, “Presidential Proclamation—National Cybersecurity Awareness Month, 2013” (Office of the Press Secretary, 30 September 2013) accessed 1 August 2015. Vijayan J., “Unix Admin Pleads Guilty to Planting Logic Bomb” (PC World Security, 21 September 2007) accessed 1 August 2015. Walker T., “China’s Wave of Internet Surfers Sets Censors a Poser” (The Financial Times, 24 June 1995) available via Factiva, accessed 1 August 2015. Williams C., “Iran Admits Cyberattack Hit Nuke Programme” (The Register, 29 November 2010) accessed 1 August 2015. Willsher K., “French Fighter Planes Grounded by Computer Virus” (The Telegraph, 7 February 2009) accessed 1 August 2015. Bibliography 399

Wingfield B., “Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months” (Bloomberg, 1 February 2012) accessed 1 August 2015. Zetter K., “Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target” (Wired, 23 September 2010) accessed 1 August 2015. ———, “Lazy Hacker and Little Worm Set off Cyberwar Frenzy” (Wired, 8 July 2009) accessed 1 August 2015. ———, “Mahdi, the Messiah, Found Infecting Systems in Iran, Israel” (Wired, 17 July 2012) accessed 1 August 2015. Index

Abkahzia 82, 179 arms (conventional) 2, 204, 207–209, 211, accumulation of events theory 249, 262, 267 255–257 See also cyber-arms active nationality principle 114–116 arms control 277, 295, 310 Adrecl 70 and disarmament in the virtual realm Afghanistan 152, 162n195, 203, 250–252 296–301 aggression Articles on State Responsibility 158 and annexation 164, 167 Ashburton, Lord Alexander 145 and invasion 164, 167 Assad, Bashar al- 61, 79 and the UN 52, 281, 285, 290, 305, 315, Australia 71, 80, 106 316 aviation safety 49 blockades as 166–167 crime of 23, 165 Barcelona Traction case 163 cyber-attacks as 166–171 Barkham, Jason 140 defined 164, 166 Barney, Steven 100 modern concept of 164 Belarus 80 occupation 164, 167 belligerents 174, 176, 205, 210, 212, 215, 216, wars of 162–164 218–223, 230, 318 Ahmadinejad, Mahmoud 59, 253 See also cyber-belligerents ALA vs Pataki 113 Benatar, Marco 281 Allott, Philip 25 Bianchi, Andrea 131 Al-Qaeda 1, 27, 146, 152, 228, 232, 241, 263, biological, chemical and nuclear facilities 273, 283, 291 174, 190–195 American Ring of Fire 52 Biological Weapons Convention 191, 192 Ames Research Center 62 “Black Ice” simulation 45 Annan, Kofi 153, 233, 267 Bluetooth technology 69 Anonymous group 77, 120 Boden, Vitek 75 Antarctic Treaty 94 Boer, Lianne 140 Antarctica 38, 92–94 Boothby, William 1 anti-viruses 154, 163, 187 Bosnia and Herzegovina 280, 286, 288 Arimatsu, Louise 301 botnet 7, 71, 159, 222 Ardita, Julio 62 zombie 81 Armed Activities case 129, 155, 252 Boyle, James 100 armed attack 5, 27, 124, 125, 131, 142–144, 146, British Maritime and Coastguard Agency 70 152, 160, 161, 165, 171, 172, 225, 247, 251, British Parliament 67 256, 282, 284, 310, 316, 321 Brown, Davis 1, 216 armed conflict 3, 23, 27, 34, 51, 76, 83, 114, Brownlie, Ian 130 122, 127, 164, 172–186, 188, 192, 198, 200, Brunst, Phillip 56 202, 203, 207, 209, 212, 214, 216, 218, 220, Brussels Declaration 204 223, 230, 231, 238, 239, 243, 255, 257–261, Burk, Rosemary 56 265, 305, 316, 319, 321 See also cyber-attacks Canada 92, 106 armed force 62, 162, 164, 168, 169, 175, Canadian Cyber Security Strategy 106 184, 202, 203, 211, 216, 231, 282, 286, Caroline criteria 145 296 Cassese, Antonio 223, 255, 260 index 401

CCDCOE (Cooperative Cyber-Defense Center Conficker 42 of Excellence) 309–310 Congress of Vienna 221 CERTS (computer emergency response consent 27, 96, 99, 147, 157, 291, 292, 295 teams) 276 Conti, Gregory 122 Chainoglou, Kalliopi 217 contractors 58, 210–211 Check, Terence 140 defense 64 Chemical Weapons Convention 191, 192 military 62 chivalry principle 181, 216 Convention on Cybercrime 3, 269 Christmas Tree EXEC 66 Convention on International Information China 38, 52, 56, 71, 76, 68, 102, 105, 107, 109, Security 102 166, 289, 306 conventional warfare 217 CIA 58, 67 conventions 17, 19, 20, 26, 31, 36, 89, 192, 193, Civil Aviation Convention 246 230 civilian objects 52, 174, 198, 199, 201, 224, 317, anti-terrorism 276 318 counter-terrorist 236 in cyber warfare 211, 213–214 international 18, 117 civilians 52, 142, 174, 184, 185, 198, 199, 201, Conventions for the Definition of 207–109, 216, 224, 231, 233, 260, 261, 263, Aggression 162 264, 288–290, 292, 317, 318 Conway, Maura 7 in cyber-warfare 211–213 Corfu Channel case 96, 148, 150 Clarke, Richard 297 Cornish, Paul 134 Clinton, President William 62, 65 counter-attacks 153 CoE (Council of Europe) 3, 269 counter-hacking 159 collective security 10, 265–268, 275–277, counter-measures 125, 136, 158–160 296–297, 301–310, 319–329 Counter-Terrorism Committee 273 Collin, Barry 57 crackers 51, 120, 159, 169–170, 203, 217, 242, combatants 122, 201, 208, 212, 214, 224, 233, 254, 283, 300 262, 319 Chinese 76 and the UN 52, 281, 285, 290, 305, 315, 316 Dutch 61 as levée en masse 318 Indian 77 de facto 210 Indonesian 77 de jure 210 non-state 178 unlawful 213, 263 Pakistani 77 communication systems 51 Palestinian 76 Comprehensive Convention on International Romanian 57 Terrorism 21, 228 Soviet 77 defines terrorism 232 UK 61 Draft 233–234 critical infrastructure 41–57, 83, 138, 140, computers 13, 49, 51, 52, 54, 55, 62, 64, 66–71, 249, 261, 275, 315 73, 74, 76, 78, 90, 93, 102, 106, 138, 185, and state military exercises 44–45 188, 189, 191, 193, 219, 220, 236, 246, 257, CTITF (Counter-Terrorism Implementation 260, 318 Task Force) 261, 273, 276 civilian 195, 199 Working Group on Countering the Use of geo-location 121 the Internet for Terrorist Purposes 261 industrial 51 customary law 18–19, 31, 86, 101, 107, 108, 114, military 62, 72, 196, 199 117, 118, 141, 145, 150, 152, 153, 164, 192, navigational 187 210, 215, 228, 239, 242, 245, 250, 253, 257, personal 11 260, 264, 278, 285, 286, 297, 310 402 index cyber-activities 226 long distance 189 cyber-arena 297, 306 military 84 cyber-arms 206, 208, 298, 301 modern 119 cyber-arms race 3n9 on communications 46 cyber-attackers 1, 43, 50, 53, 55, 93, 110, on energy, transportation and 115, 116, 118, 120–124, 178, 202, 203, 205, communications 45–54 263 on finance 46 cyber-attacks 2–7, 9, 10, 14–15, 19–22, 25, on hazardous materials 46 27–30, 33, 34, 37–43, 46, 48–51, 54–58, on IT, chemical and transportation 60, 64, 66, 69, 73, 79, 82, 85–86, 88, systems 45 94, 106, 111, 113, 116, 122–125, 174, 176, on mobile phone communications 45 178–179, 183–187, 192–194, 197–201, 203, on power grids 43–45, 46 205–208, 210–211, 214, 217, 219, 220, 223, special nature of 41–42 225, 235, 236, 239, 241, 243–246, 251, target-based 138 255, 259, 261, 262, 269, 285, 289, 291, targets of 43, 44 292, 297, 305, 308, 309, 312–316, 319, vs traditional uses of force 34–137 320 virtual 88 against Georgia 83, 103 on Wall Street stock exchange 45 against ships 188 cyber-blockade 281, 282 against United States 80, 103 cyber-ceasefire 277 and aggression 160–171 cyber-combatants 179, 202–208, 264 and armed attack 142–144 cyber-crime 3, 50, 83, 111, 118–271, 274, 276, and collective security 302 278, 304, 310, 319 and humanitarian law 174 cyber-criminals 242 and information blockade 167 cyber-defense 27, 147, 157, 205, 270, 296 and initiation of armed conflict 175–179 cyber-disarmament 67, 297, 299, 301, 319 and insider threats 74 cyber-espionage 170, 173 and jus ad bellum 125–172 cyber-experts 243 and the Martens Clause 174 cyber-forces 203, 205, 260, 295, 297, 311, and medicine 55 320 and NATO 308–310 cyber-incidents and organized armed conflict 179–191 and real military operations 63–66 and potential perpetrators 237–239 life-threatening attacks 58–60 and self-defense 142–160 reported 57–83 and state responsibility 148–152 cyber-infrastructure 91, 95, 101, 108, 282, and the UN 266–270, 273–278, 280, 317 282, 285, 286, 288–291, 295, 297, cyber-interventions 289, 290 299–301, 310 cyber-neutrality 218–220 and use of force 126–142 cyber-offense 296 consequences/effects-based 138–139 cyber-operations 132, 204, 251, 278, 295 defined 12 cyber-peace 3, 295, 299 defined by Healey 149–150 cyber-perfidy 216, 224 economic and social disruptions from Cyberpol 106 124–137 cyber-proximity 224 in Estonia 103, 108, 308 cyber-punk 313 in Kosovo 65 cyber-security 6, 45, 47, 118, 154, 198, 269, innovative nature of 181–186 271, 275, 279, 293, 296, 300, 303, 305, 308 instrument-based 137–138 cyber-security companies 6 index 403

Cyber ShockWave 45 cyber-warriors 205, 317 cyber-space 5, 9–12, 18, 21, 32, 40, 42, 76, 83, cyber-zones 100, 102, 105, 108, 113, 180, 314, 84, 123, 126, 129, 132, 134, 137, 139, 141, 317 145–148, 156, 159, 166, 168–170, 172, 174, 175, 180, 190, 198, 201, 202–204, 206, 207, “Declaration of the Independence of 209, 211, 212, 216, 218–222, 224, 237, Cyberspace” 98–99 239–241, 244, 251, 260–262, 265–69, Declaration of Principles of the World 273, 274, 277, 278, 292, 293, 296, 297, Summit on the Information Society 104 299–303, 305, 310, 314, 316–318, 320 deception 259 and responsibility to protect 286–291 perfidy 214–216 and virtual realm 95–109 ruses of war 216–218 as a global common 92–95 Delibasis, Dimitrios 55, 57, 138, 279 defined 13–14 de minimis non curat praetor principle 133 freedom fighters in 261 Denning, Dorothy 60 jurisdiction in 109–123 Dinniss, Heather 7, 177, 283 regulation of 100–103 distinction principle 181, 218, 259 security threats 61–63 civilian objects 213–214 territoriality of 86–95 civilians 211–213 unrecognized independence of 98–101 cyber-combatants 202–208 Cyber Storm 45 non-combatants 208–211 Cyber Storm II 45 distress 157 cyber-strikes. See cyber-attacks. mental 54 cyber-systems 12, 169, 186, 190, 191, 236 Dixon, Martin 35 cyber-terrorism 6, 115, 120, 224, 240, 265 domestic law 23 and serious attacks 243–246 DoS (denial of services) attacks 12, 81–83, and small-scale attacks 246–247 159, 241, 281 and jus ad bellum 247–257 Doswald-Beck, Louise 205 and the UN 271–277 DPRK. See North Korea archaic 257–264 Draft Code of Crimes against the Peace and as dependent variable 234–237 Security of Mankind 260 as legal concept 226–243 Durant, Henry 181 conventional 243–247 defined 20, 237 early-warning systems 52 cyber-terrorists 226, 242, 249, 250, 253, 255, economic and social disruption 103–137 258, 262, 264, 276, 315, 319 Egypt 81, 155 cyber-threats 40–84, 157, 270 Eichmann case 116 hypothetical 40–57 Eligible Receiver operation 44 reported cyber-incidents 58–83 emergency services 40, 46, 48, 51, 53 cyber-units 282, 293 erga omnes obligations 17, 34, 117, 163, 290 cyber-vicinity 193–194, 317 escalation 247, 255 cyber-warfare 2–10, 12, 18–21, 24–26, 29, 30, state practices 249–251 32, 34, 37, 38, 40, 42, 45, 60, 85, 96, 102, Estonia 7, 53, 54n64, 81–83, 103, 106, 129, 177, 115, 123, 131, 137, 139, 154, 156, 157, 160, 222, 223, 308, 309 172–174, 176, 182, 195, 199, 200, 202–206, EU Report on Georgia 133, 143 208–211, 213–215, 218, 223, 224, 241, 257, European Union 26, 42, 106, 109, 133, 269 259, 262, 267, 269–271, 275, 277–279, 281, 285, 287, 295–297, 302–306, Facebook 70, 95, 197 309–313, 317–322 Fanelli, Robert 122, 212 404 index

FBI 58, 102 hardware 14, 19, 54, 69, 90, 93, 98, 101, 113, finances/money 43, 46, 73, 135, 144, 247, 248 119, 122, 170, 190, 197, 210, 219, 245, 255, financial institutions 50, 78, 80, 134, 246 296, 297, 316 Finch, Simon 52 hazardous materials 43, 46, 51, 52 firewall 87, 141, 154, 159, 187 transportation of 48–49 “Great” (Chinese) 104 HCs (Hague Conventions) 18, 191, 194, 195 flags/insignia, etc. 215, 220 Healey, Jason 149, 150 Fleck, Dieter 3, 313 health 42, 43, 46, 53, 75, 76, 133, 134, 246, food 43, 46, 54, 57, 184n56 319 preparation 189 cyber-attacks to 54–55, 260 shortage 48 hazards 59 force Hess, Marcus 61 use of 126–142 Higgins, Rosalyn 35, 252 force majeure 157 high seas 92 France 64 Hollis, Duncan 139 Franck, Thomas 26, 131 honeypots 159, 217 freedom fighters 176, 176n14, 249, 263 Hong Kong 71, 109 Hoogh, André de 133 G20 73 Hoover Dam 56 Gaddafi, Muammar al 288 Huber, Max 96 Galić case 231 Hughes, Rex 305 Galushkevich, Dmitri 114 humanitarian law. See jus in bello. Gauss 63 humanity principle 174 GCs (Geneva Conventions) 1, 18, 176, 178, and biological, chemical and nuclear 180, 186, 188, 193–195, 200, 207, 210, 224, facilities 186–190 230, 236, 237, 269, 318 and cyber-attacks 181–186 See also AP1; AP2 and medical ships and aircraft 186–190 general principle of law 17, 19–20, 322 and principle of distinction 201–214 Geneva Protocol 191–192 and principle of humanity 181–195 Genocide ruling 151 and principle of neutrality 218–223 geographic factors 122 and proportionality 198–201 Georgia 81–83, 103, 133, 143, 179, 180, 208, 251, and ruses of war 216–218 308 Hussein, Saddam 253, 291 GhostNet espionage campaign 71 Glennon, Michael 2, 38 IAEA (International Atomic Energy Agency) global commons 85, 86, 92–95, 105, 123, 314 276, 298 Global Counter-Terrorism Strategy 43, ICANN (Internet Corporation for Assigned 272–276 Names and Numbers) 94 Golden Shield (Great Firewall) policy 103 ICAO (International Civil Aviation Gombeer, Kristof 281 Organization) 276 Google 72 ICC (International Criminal Court) 108, Gordon, Joy 283 118–120, 160, 165, 170, 171, 315 Gray, Christine 156, 252, 279 Statute Review Conference 161 Gulf War 61 ICISS (International Commission on Intervention and State Sovereignty) hacking 11, 11n25, 102 287 hacktivism 236 ICJ (International Court of Justice) 17, 18, Halal Internet 105 22, 84, 126, 182 index 405

ICRC (International Committee of the Iran 38, 63, 73, 76, 80, 107, 129, 136, 148, 245, Red Cross) 175, 176, 181, 185, 194, 206, 251, 253, 283 207, 215 Iranian Army Electronic Warfare Unit 66 Interpretive Guidance 210 Iranian Cyber Council 105 ICQ 69 Iranian nuclear program 59–60 ICTR (International Criminal Tribunal for Iraq 61, 64, 65, 155, 250, 251, 253, 285, 291, Rwanda) 119, 260 299 ICTY (International Criminal Tribunal for the Iraqi Ministry of Defense 64 former Yugoslavia) 119, 151, 175, 179, 199, Islamic republic 63, 136, 245 231, 259 Island of Palmas case 96 ILC (International Law Commission) 114, ISP (Internet service providers) 114 310 Israel 60–62, 64, 76, 77, 116, 154–156, 245, Draft Articles on State Responsibility 157 249, 250, 256, 258, 283 Study Group 22 IT security 27 IMPACT (International Multilateral ITU (International Telecommunication Partnership Against Cyber Threats) 270 Union) 94, 102, 269–271, 273, 276, 279, India 69, 77, 267 281 infrastructure 1, 40–46, 48, 50, 51, 53–57, 72, 81, 83, 88, 98, 105, 107, 116, 122, 138–140, Japan 72, 76, 267 149, 150, 176, 177, 180, 186, 196, 198, 200, Johnson, David 99 207, 219, 221, 222, 232, 235, 242, 249, 261, Jordan 64, 155 315, 318 judicial decisions 17, 20–22 “In Larger Freedom” report 155, 233, 303, jurisdiction 5, 22, 84–86, 93, 104, 109–123, 304 125, 219, 222, 293, 294, 314–315, 321 insider threats 74–76 and limited territoriality 113–114 institutionalism 30, 32 and state sovereignty 110–112 interceptive self-defense 153 extraterritorial 114 International Code of Conduct for grounds for 112 Information Security 166, 298 in cyber-space 109–124 international criminal law 23, 118, 160, 321 jurisdiction-carrier function 93 international law jus in bello (humanitarian law) 3, 4, 9, 10, 12, customary 145, 150 15, 22–24, 34, 36, 88, 89, 112, 116, 124, fragmentation of 22–23 172–175, 177, 179–183, 185, 186, 188–191, imperfections of 23–24 196, 198, 200, 202–204, 206, 209, 212, 213, nature of 15–17 215, 216, 218, 219, 221, 223–226, 249, 257, objective elements of 17 259–261, 264–267, 271, 274, 275, 280, 281, political theories on 29–36 295, 304, 311–313, 316–318, 320, 321 source of 17–18 and archaic cyber-terrorism 257–264 subjective elements of 17 and biological, chemical and nuclear sub-regimes of 23 facilities 190–195 Internet 2, 7, 11, 13, 14, 50, 52, 55, 59, 65, 68, and civilian objects in cyber-warfare 78–82, 88, 90, 91, 94, 95, 98–107, 110, 213–214 112–114, 121, 124, 126, 167, 197, 200, 219, and civilians in cyber-warfare 211–213 220, 221, 224, 236, 241, 255, 268, 273–275, and cyber-attacks 175–181 281, 292, 300, 301, 310, 314, 319 and cyber-combatants 202–208 invasion 82, 162, 164, 207, 207n91, 208, and cyber-neutrality 218–220 250–252, 267, 285, 289, 291 and deception 214–218 IP (Internet Protocol) 13, 83, 121 and medical ships and aircraft 186–190 406 index jus in bello (cont.) legal regime 3, 23, 24, 26, 38, 89, 92, 93, and necessity 195–198 107–109, 125, 152, 173, 224, 225, 231, 265, and neutral states 220–223 277, 310, 313, 318 and non-combatants 208–211 legality 17, 23, 39, 145, 172, 195, 250, 252, 321 and perfidy 214–216 presumptive 140 and proportionality 195, 198–201 legality principle 233 and protected status 262–265 levée en masse 202, 207–208, 224, 318 sub-regimes of 22, 36 lex ferenda 9, 233, 318 jus ad bellum 3, 4, 9, 10, 12, 15, 22–24, 36, lex lata 18, 140, 186, 229, 238 41, 66, 112, 116, 124, 125, 173, 176, 177, lex scripta 18, 91, 92, 113, 187, 194, 265, 314 195, 218, 224, 225, 249, 261, 262–267, lex specialis 24, 34 271, 274, 275, 303, 311–313, 315–318, Libicki, Martin 321 320, 321 Libya 65, 288, 289 and cyber-attacks 125–172 Libyan air defense 64 See also cyber-terrorism logic bombs 74, 153, 169, 222 jus cogens 17, 36, 37, 128, 284 Lotus case 18, 110 just war 17 Lubell, Noam 37

Kallberg, Jan 56 malware 1, 7, 14, 41, 42, 47–50, 55, 56, 64, Kashmir 262 66–74, 76, 119, 132, 152–154, 157, 159, 169, Kazakhstan 80, 106 183, 187, 189, 190, 194, 208, 212, 215, Kellogg-Briand Pact 162 218–220, 224, 240, 248, 292, 295–301, Kibar al- 64 317, 318 Kelsen, Hans 16, 296–297 Martens Clause 17, 24, 174, 182, 183, 185 Keohane, Robert 31 mass spam 214 keylogger 65 Maxwell, Christopher 71 KGB 58, 51 McDougal, Myres 29, 70 Knake, Robert 297 McGraw, Jesse 75–76 Koh, Harold H. 35 McMahan, Jeff 207–208 Kolb, Robert 133 means-at-its-disposal test 222 Kordić and Čerkez judgment 259 medical ships and aircraft 186–190 Koroma, Judge Abdul G. 129–130 Melzer, Nils 210 Koskenniemi, Martti 22, 29 mens rea element 186, 191, 288 Kosovo 64, 65, 205, 285, 290, 306 Microsoft Windows 67 Kraemer, David 271 military intervention Krasner, Stephen 95 criteria necessary for 287–288 Kretzmer, David 263 military occupation 89, 164, 175, 314 Kwangmyong network 105 misinformation 217 MMS (Multimedia Messaging Service) 69 Lancaster, Robert 287 Mocmex 69 land combat moderately vulnerable sectors 51–54 rules of 182 Montevideo Convention on the Rights and Lasswell, Harold 29, 30 Duties of States 86–87, 90 Lauffenburger, Michael 74 Moonlight Maze incident 62 least vulnerable sectors 54–57 morality 16 legal imperfections 23–25, 85, 124, 226, 266, Morgenthau, Hans 33 271, 296, 305, 314–320 Morris, Robert 66 in cyber-warfare 37–39 most vulnerable sector 46–50 index 407

Murillo, Gabriel 75 NORAD (North American Aerospace Defense Murphy, Sean 286 Command) 58 MySpace 70 North American Electric Reliability Corporation Network 46 9/11 attacks 1, 27, 115, 146, 152, 227, 228, 234, North Korea 73, 105, 180, 299 247, 250, 309 Nuclear Terrorism Convention 227, 236, NASA 50 244, 245, 248 Jet Propulsion lab 62 Nuclear Weapons case 84–85n273, 130, 182, National Defense Policy 104 254 National Strategy for Trusted Identities in nuisances 40, 41, 82, 83, 167 Cyberspace 107 nullum crimen sine lege principle 166, 233, NATO (North American Treaty Organization) 316 8–10, 12, 13, 21, 26, 32, 45, 64, 65, 80, 85, Nye, Joseph 31 106, 152, 153, 204, 213, 266, 267, 288, 302, 305–311, 320 Obama administration 47, 64, 107 natural law 16–18, 20, 24, 25, 29, 93, 181 occupation 21, 89, 89n21, 164, 167, 175, 179, necessity 145–148, 174, 181, 195–198, 201, 220, 180, 207, 227, 229, 258, 261, 262, 264, 224, 253, 259, 276, 315–317 314 network ports 167 OIC (Organization of Islamic Cooperation) networks 11–14, 42, 47, 61, 62, 66, 73, 79, 89, 21, 264 94, 121, 159, 192, 200, 204, 216, 217, 224, Oil Platforms case 132, 143, 144 235, 237, 273, 281, 298, 308 online piracy 111, 117, 117n183 drinking supply 55, 184 Operation Ababil 80 humanitarian 189 Operation Aurora 72 military 189 Operation Desert Storm 64 national 90, 91, 95, 167 Operation Olympic Games 60 peer-to-peer 68 opinio juris 18–19, 263, 272, 287 shared 68 Orkut 70 social 70, 197 outer space 92–94 Newton, Scott 49, 56–57 neutral states 215, 218, 219, 224, 318 P5 (permanent members of the Security obligations and rights of 220–223 Council) 279, 283, 286 neutrality principle 181, 217–223 pacta sunt servanda principle 18 and cyber-vulnerability 218–220 Palestine 262, 269 and neutral states 220 passive nationality principle 112, 115, 116, NGOs (non-governmental organizations) 314, 315 27, 301–302 Patel, Kartik 75 Nicaragua case 128, 132, 147, 151, 278n47 Pattison, James 289 Night Dragon campaign 72 peace enforcement 267, 281, 292, 294–295, Nolte, Georg 278 305, 306 non-combatants 208–211, 216, 237 peacekeeping 7, 291–295, 306 non-intervention principle 96, 108, 129, 141, peace operations 266–267, 291–296, 299, 309 302, 304, 305, 310 non-state actors 25–28, 31, 115, 128, 142, 148, Pentagon 67, 68, 78, 146 158, 176, 178, 224–226, 230, 231, 234, 237, People’s Republic of China (PRC). See China 238, 251–254, 316, 319 perfidy 174, 189, 214–217, 224, 318 conduct of 150–152 Permanent Court of International Justice non-territoriality 124, 166, 314 18, 110 408 index persons hors de combat 188, 231 Saakashvili, Mikheil 82 Peru 81 satellites 51, 189 poison 53, 57, 191–192 See also spacecraft Poland 222, 223 Saudi Arabia 73 political independence 88, 96, 116, 127, SCADA (Supervisory Control and Data 129, 162, 308 Acquisition) 45, 46, 51, 53, 55, 56, 75, 185 positivism 16, 17, 25, 29 Scheffer, David 118 Post, David 94 Schmitt, Michael 7, 8, 20, 21, 138–141, 178, potential perpetrators 28, 225, 226, 197, 302, 308 237–239 SCO (Shanghai Cooperation Organization) power/energy systems 45–48, 57 2, 21, 43, 85, 85n2, 105, 136, 269 atomic 53, 59 Scobbie, Ian 20 Predator drones 65, 66 security threat 57, 61–63 principles of self-defense 153–154, 257 threat to military operations 61–66 preventive self-defense. See self-defense self-defense 38, 43, 125, 132, 124, 145–147, 171, Princeton Principles on Universal 206, 247, 249–257, 276–279, 294, 299, Jurisdiction 118 301, 315, 319–321 PRISM program 94 and cyber-attacks 142–160 prohibited conduct in war 260–261 anticipatory 152–156 proportionality principle 45, 198–201, interceptive 153 250, 254, 259, 282, 315–317 permissibility of 145–148 protective principle 116 preemptive vs. preventive 153–154 preventive 155–156 Qatar 73 Sentinel drone 66 Sierra Leone Special Court 260 Randelzhofer, Albrecht 278 Shackelford, Scott 152 R2P (Responsibility to Protect) 108, 109, Skype 69 277, 310, 320 SMS (Short Messaging Service) 69 and cyber-space 286–291 soft law 19, 29, 31, 219, 270, 271, 293, 310, 319 rationalism 36 software 19, 41, 47, 51, 54, 58, 64, 65, 67, 68, realism 33–36 71, 74, 78, 123, 150, 153, 170, 190, 194, 197, neoclassical 34 210, 245, 255, 296, 301 Reaper drone 66 Solar Sunrise incident 62 Red Crescent 215 South Korea 73, 80 Red October 63 South Ossetia 82, 179, 222 Reus-Smit, Christian 34, 35 sovereignty 5, 9, 10, 21, 84–86, 90, 92, 94, 95, Rid, Thomas 177 110, 113–117, 123–125, 129, 166, 180, 287, Rio Pact 127, 161, 165 314, 321 rogue states 44 and cyber-space 98–101, 107–109 Rome Air Development Center 61 and state practice 101–107 Rome Statute 109, 119, 160, 161, 165, 168, 188, and the virtual realm 95–109 190, 192, 213, 260, 315 and the Westphalian order 95–98, 101 prosecution under 169–171 spacecraft 50, 51 Russia 2, 38, 52, 80, 82, 83, 101, 102, 104, 105, See also satellites 107, 136, 161, 166, 179, 180, 223, 251, 269, space-espionage 51 298, 301, 306, 308 Spectrum of State Responsibility 149, 150 Rwanda 280, 286 spoofing 65, 189, 216, 318 index 409

Stanford Draft International Convention subjective 113 235–236 See also jurisdiction state terrorism 233, 238 territorial sovereignty 97 external 229 terrorism 5, 11, 21, 23, 42, 53, 106, 112, 115, 119, internal 229 138, 159, 226–228, 271–273, 275, 276, 280, statehood 281, 305, 310, 314, 315 and territory 86–92 archaic 230, 231 state responsibility 147–152, 158 conventional 232, 233 and non-actor states 150–152 Internet 274 and state involvement 148–150 lack of universal definition 228–34 states 1, 5, 8, 13, 15–19, 21, 22, 24–28, 30–38, See also cyber-terrorism 43, 46, 54, 55, 63, 66, 75, 76, 78–80, 82, territory 96–98, 101, 104, 107, 109, 110, 113, 115, 85–88, 90, 92–98, 100–111, 113, 115–117, 119, 123, 142, 145, 148, 150, 152, 162, 164, 119, 124–133, 136, 139, 141, 142, 144, 145, 167, 178, 180, 203, 207, 219, 220, 221, 251, 147, 148, 150–154, 156–159, 162–164, 252, 256, 289, 314, 316, 318 167–169, 171, 172, 175, 176, 180, 181, 183, and cyber-space 85–95 184, 191, 193, 194, 196, 198, 203, 205, wrongful use of 168–169 215–225, 227, 231, 234, 237–240, 249–251, Terrorist Financing Convention 231, 247, 253, 255, 256, 260, 261, 264, 265, 248, 318 268–270, 273, 276–279, 288, 291, 293, theoretical attacks 46–57 295–298, 301–308, 310, 314–316, 318–322 least vulnerable sectors 54–57 St. Petersburg Declaration 181 moderately vulnerable sectors 51–54 Strategic Arms Reduction Treaties 301 most vulnerable sectors 46–50 Switzerland 221 Thielbörger, Pierre 288 Syria 61, 64, 154–156, 193 Titan Rain 71 Todd, Graham H. 41, 168 Tadić case 151, 175, 176, 179 Touré, Hamadoun I. 270 Taiwan 70, 76 TCP (Transmission Control Protocol) 13, 122 Tajikistan 102, 166 transportation 45, 48, 82, 134, 232 Taliban 203, 263, 283 Treaty of Versailles 191 Tallinn Manual on the International Law trojans 74 Applicable to Cyber Warfare 8, 9, 21, 22, Ghost RAT 71 89, 98, 118, 132, 134, 140, 141, 144, 150, Optix Pro 69 159, 176, 178, 187, 189, 197, 199, 201, 206, Zeus 70 207, 210, 213, 215, 220, 278, 280, 283, 302, Tsagourias, Nicholas 128, 144, 156 310 Tunkin, Grigory 29 Tehran Hostages case 132, 148, 255 Turns, David 7 Telecommunications Act 98 Twitter 70, 197 Tenenbaum, Ehud 62 territorial integrity 88, 96, 116, 127–129, 162, United Kingdom 60, 61, 65, 72, 115, 241, 258, 166 291 territorial jurisdiction 110, 113, 114, 314 United Nations 1, 5, 19, 26, 86, 102, 142, territoriality 109 215, 216, 225, 262, 266, 302–304, 309–311, and cyber-space 85–96 319 and statehood 86–89 and cyber-attacks 267–277 and the virtual universe 88–92 and cyber-crimes 268–271 objective 113 and cyber-terrorism 271–277 410 index

United Nations (cont.) UAV (unmanned aerial vehicle) 52, 65, 66, and disarmament of 297 143, 205, 245, 246, 248, 254, 255 Committee on Disarmament 298 Uzbekistan 102 Counter-Terrorism Committee 273 Counter-Terrorism Implementation Task Vattel, Emer de 25 Force 273 victim-state 43, 76, 112, 120, 134, 146–148, 159, United Nations Charter 12, 17, 18, 27, 31, 33, 192, 193, 205, 215, 253, 254, 257, 314 88, 108, 125, 142, 145, 153, 249, 252, 262, Vienna convention 282 277, 280, 282, 284–286, 292, 294, Villeneuve, Nart 61 297–299, 302, 303, 315 violence 12, 83, 131, 175, 177, 178, 186, 211, and travaux préparatoires 134 229–231, 234, 236, 238, 246, 260, 265, UNCLOS (United Nations Convention on 286, 313, 316 the Law of the Sea) 100–101, 116 virtual battlefield 51–52, 217, 218 UNGA (United Nations General Assembly) virtual data 113, 167 21, 108, 166, 271, 277, 284–287, 292, 295, virtual realm. See cyber-space 297, 298, 310 viruses 147, 157, 187, 236, 300 Definition of Aggression 161, 164–165 Shamoon 73 Friendly Relations Declaration 163 UN Global Counter-Terrorism Strategy 43 Wall, David 6 UNSG High-Level Panel 153, 155, 166, 232 war 3, 11, 16, 23, 51, 53, 61, 65, 82, 173, 175, UNIDIR (United Nations Institute for 182, 184–186, 190, 193, 198, 202, 202n164, Disarmament Research) 271 206, 207, 221–223, 230, 231, 263, 289, UNICRI (United Nations Criminal Research 298 Institute) 271 and necessity 195 UN International Law Commission 22, 114, conduct of 179 157, 310 fifth domain of 13 UNODC (United Nations Office for Drugs and international 176 Crime) 271 just 17 UNSC (United Nations Security Council) 31, laws of 174 33, 108, 127, 155, 156, 166, 228, 250, 254, nuclear 52 256, 266, 267, 270, 271, 273, 276–287, of aggression 162–164 290, 298, 302, 305, 306, 315, 316, 320, prisoners of 203, 205, 211, 226, 261–264, 321 319 United States 2, 25, 38, 80, 94, 96, 115, 132, prohibited conduct in 260–261 136, 196, 227, 249, 269 ruses of 216–217 US Central Command 68 weapons of 174 US Department of Defense 62, 196 war crimes 112, 117–120, 184nn54 and 56, 186, US Department of Energy 62 188, 189, 191, 192, 195, 195n125, 200, US Department of Homeland Security 47 212–215, 228, 287, 288, 290, 317 US General Accounting Office 47 war games 145 US Navy Research laboratory 62 Wassernaar Agreement 296 US State Department 65 water supply US Treasury Department 65 cyber-attacks to 55–57, 184–188 USB (Universal Serial Bus) 68, 216 Watts, Sean 59 U4P (Uniting for Peace) plan 266, 277, 281, Waxman, Matthew 139 290, 292, 294, 310, 320 websites 69, 76–80, 82, 83, 222 auxiliary 284–288 defacement of 69, 76–78, 138 universality 116–120, 223, 225, 259 Webster, Daniel 145 index 411

Weiser, Philip 99 Morris 66, 199 Westphalian system 95–97, 101, 107, 108, 110, My Doom 67 314 NGRBot 69 challenge to 95–98 Nimdo 68 WMD (Weapons of Mass Destruction) 281, Samy 70 291, 299–301 Sasser 70 Working Group on Countering the Use of Slammer 59 the Internet for Terrorist Purposes 261, Stuxnet 7, 199, 283, 299 274–276 worms Yahoo! 103 Code Red 76 Yeltsin, Boris 109 Daprosy 68 Yugoslavia 64, 65, 76, 119, 213 ILOVEYOU 67 Yung-Hsun Lin 74 Koobface 70 Ziolkowski, Katharina 7, 12, 132, 140