Members of International Telecommunications Union and UN Institute for Training and Research confer on cyber security UN (Jean-Marc Ferré) UN (Jean-Marc Stuxnet, Schmitt Analysis, and the Cyber “Use-of-Force” Debate
By Andrew C. Foltz
All Members shall refrain in ne of the many seemingly advance the specific criteria states will use in intractable legal issues sur- making such determinations. their international relations rounding cyberspace involves As discussed in this article, several ana- from the threat or use of force O whether and when peacetime lytic frameworks have been developed to help against the territorial integ- cyber operations constitute a prohibited use of assess when cyber operations constitute a use force under Article 2(4) of the United Nations of force.3 One conclusion these frameworks rity or political independence (UN) Charter. Notwithstanding a significant share is that cyber operations resulting in of any state, or in any other body of scholarly work on this topic and physical damage or injury will almost always manner inconsistent with extensive real-world examples from which to be regarded as a use of force. When these draw, there is no internationally recognized frameworks were developed, however, there the Purposes of the United definition of a use of force.2 Rather, what has were few, if any, examples of peacetime, state- Nations. emerged is a general consensus that some sponsored cyber coercion. More importantly, cyber operations will constitute a use of force, the prospect of cyber attacks causing physical —Article 2(4), Charter of the but that it may not be possible to identify in damage was largely theoretical.4 Beginning United Nations1
Lieutenant Colonel Andrew C. Foltz, USAF, wrote this essay while a student at the Air War College. It won the Strategic Research Paper category of the 2012 Chairman of the Joint Chiefs of Staff Strategic Essay Competition.
40 JFQ / issue 67, 4 th quarter 2012 ndupress.ndu.edu FOLTZ in 2007, however, a string of cyber opera- difficulty applying it in the cyber context. I governs state behavior.12 If state-sponsored tions—including the 2007 Distributed Denial then review Schmitt’s model and perform cyber activities constitute a use of force, of Service (DDoS) attack on Estonia, the 2008 a Schmitt Analysis of Stuxnet. Finally, I then international law governing the use of DDoS attack on Georgia, and the 2008 discov- examine what the analysis of Stuxnet reveals force (jus ad bellum) and the Law of Armed ery that the U.S. Government’s most sensitive about the framework’s continued utility Conflict (jus in bello) apply. In appropriate networks had been compromised—hinted at and relevance. Overall, I find that Schmitt’s circumstances, this could trigger a state’s right increased use of the cyber domain by states underlying analytical approach remains to self-defense and thereby permit a forceful, and their proxies for peacetime coercion. sound—that is, the best way to characterize perhaps even armed response. In contrast, Then, with the discovery of the Stuxnet worm the lawfulness of peacetime cyber operations non-state-sponsored cyber operations and operations not amounting to a use of force are the need for clarity has taken on greater importance now traditionally governed by more constrained 13 that the United States and many of its allies law enforcement regimes. The need for clarity has taken on greater treat cyberspace as a military operational domain importance now that the United States and many of its allies treat cyberspace as a military in 2010, which damaged uranium enrichment is to predict how states will characterize them. operational domain.14 Accordingly, discerning equipment at a nuclear facility in Iran, theory That said, the Stuxnet analysis reveals several a use-of-force threshold would seem to be nec- became reality. limitations with Schmitt’s framework, while essary for a wide range of peacetime military Although Stuxnet has been described also highlighting opportunities to broaden it. activities, such as defining the spectrum of as a watershed event, there has been little aca- More importantly, I conclude that the time permissible peacetime cyber operations, such demic discussion on whether it constituted a has come to relax the model’s strict adherence as computer network exploitation; develop- use of force.5 Perhaps this is because it caused to the UN Charter because Article 2(4) is just ing peacetime cyber rules of engagement; physical damage and, therefore, clearly consti- one of several factors that states are likely to identifying appropriate approval authorities; tutes a use of force under prevailing analytic consider when characterizing the lawfulness assigning appropriate agency responsibilities frameworks. This appears to be the emerging of cyber operations. and resources; signaling adversaries and allies consensus.6 Although I generally agree with as part of a deterrence strategy; recognizing this conclusion, I also believe that by looking Why the Use-of-Force when treaty obligations have been triggered; beyond the physical damage, Stuxnet provides Threshold Matters and determining whether UN Security a unique opportunity to assess the adequacy Cyberspace represents a strategic Council authorization is required to conduct and continued relevancy of these frameworks. vulnerability for many states because it is certain operations. As a first step toward such an assess- inextricably tied in to their economies, criti- ment, this article tests one of the more cal infrastructures, and even their national The Use of Force in Cyberspace robust frameworks, known as the Schmitt security apparatus. Compounding these Notwithstanding the need for clarity Analysis, by applying it to Stuxnet. Devel- concerns is the fact that a wide range of discussed above, there is no international oped in 1999 by Professor Michael Schmitt, actors have proven adept at exploiting these consensus on what constitutes a use of force in it is one of the most academically rigorous vulnerabilities. Cybercrime, for example, is cyberspace, nor does it appear a mechanical and frequently cited frameworks for char- now estimated to exceed $1 trillion globally rule is likely to emerge any time soon.15 This acterizing cyber operations. The Schmitt per year.7 Even the most secure U.S. defense section describes why ambiguity persists and Analysis consists of seven factors that states networks are not immune.8 The scope of the the various solutions that have been proposed are likely to consider when character- problem has become so great that some claim to resolve it. After summarizing the relevant izing cyber activities: severity, immediacy, the United States is engaged in a cyber war, law governing the use of force in international directness, invasiveness, measurability, and that it is losing.9 The National Security relations, I highlight the technical, legal, and presumptive legitimacy, and responsibility. Strategy of 2010 notes that “cybersecurity political challenges of applying existing norms A key feature of the framework is that it threats represent one of the most serious within cyberspace. remains faithful to Article 2(4) of the UN national security, public safety, and economic Use of Force Under the UN Charter. Charter while at the same time effectively challenges we face as a nation.”10 The White Jus ad bellum16 describes the law governing bridging key elements of competing analytic House’s International Strategy for Cyberspace the transition from peace to armed conflict. frameworks that do not exhibit such fidelity of 2011 goes further by proclaiming: “When Though grounded in customary international to the Charter. By focusing this evaluation warranted, the United States will respond to law, the black letter principles of jus ad bellum on Schmitt’s model, I expect the results will hostile acts in cyberspace as we would to any are now contained in Article 2(4) of the UN have implications for the use-of-force debate other threat to our country,” to include a mili- Charter, which prohibits states from the more generally. tary response.11 “threat or use of force” in their international The article begins with a discussion Against this backdrop, discerning a relations. Several features of this prohibition of why, as a practical matter, discerning a cyber use-of-force threshold becomes impor- are problematic in the cyber context. First, peacetime use-of-force threshold in cyber- tant for a number of reasons. Foremost is that Article 2(4) only pertains to international space is important. Next, I detail the Article characterizing cyber operations is a precon- relations between sovereign states—it does 2(4) prohibition on the use of force and the dition to determining which legal regime not proscribe the conduct of nonstate actors,
ndupress.ndu.edu issue 67, 4 th quarter 2012 / JFQ 41 essay winners | Cyber “Use-of-Force” Debate who appear to be the source of most mali- v. United States (hereinafter Nicaragua), “effects-based” approach, which states that cious cyber activity. Also, as noted above, when it concluded that arming and train- the quantum of damage, and not the means the Charter does not define the phrase use of ing guerrillas amounted to a prohibited of attack, is all that matters. The advantage of force. Finally, Article 2(4) does not provide use of force, even though it did not rise to this approach—which is generally favored by any exceptions to the prohibition on the the level of an armed attack.25 Accordingly, U.S. policymakers and military operators—is unilateral use of force, nor does it prescribe the use of force threshold has traditionally that it is fairly simple to apply and it acknowl- remedies for unauthorized uses of force. Such been viewed as lying somewhere between edges that states are principally concerned exceptions and remedies are found in chapter purely economic and political coercion on about consequences. The drawback is that it VII of the Charter which, unlike Article 2(4), the one hand and activities that result in represents a hard break from the Charter’s is not limited to relations between states and physical damage or injury on the other.26 instrument-based approach and thereby relies employs thresholds quite distinct from the As discussed below, discerning a clear on inherently subjective assessments among use-of-force standard.17 Importantly, it is not use-of-force threshold in this gray area—a states that have divergent strategic capabili- the use of force, but rather an “armed attack” difficult task even in traditional kinetic ties, vulnerabilities, and interests. A second that triggers a state’s right to use force in context—has proven particularly difficult approach relies upon kinetic equivalency, self-defense.18 in the cyber context.27 arguing that cyber operations constitute a Although use of force is not defined, Use of Force in Cyberspace. The dif- use of force only if the damage they cause an approximate threshold has emerged ficulty of applying Article 2(4) in cyberspace could previously have been achieved only by through consideration of the Charter’s is that the instrument-based paradigm does a kinetic attack.31 This framework generally preparatory work, state practice, and not cleanly translate to cyber operations, adheres to the Charter’s instrument-based opinio juris.19 First, the framers of the particularly for gray area operations that do approach, but it struggles to characterize hostile gray area cyber operations—such as discerning the use-of-force threshold is really about projecting false targets on an adversary’s early predicting how states will respond to cyber incidents in warning radars—that do not result in physical damage. A third approach applies a “strict light of prevailing international norms liability” test for any cyber operations that target a state’s critical infrastructure and vital Charter took an instrument-based, vice not result in physical harm.28 According to a interests because of the severe consequences consequence-based, approach to the use of strict instrument-based interpretation, even that could result from such attacks. According force prohibition.20 While acknowledging highly disruptive peacetime cyber operations to this model, the mere penetration of such that states are most concerned about the may not qualify as a use of force because they systems—such as power production, stock consequences of coercive activities (that lack the traditional kinetic characteristics exchanges, and air traffic control—can con- is, the degree of injury, deprivation, or associated with armed force.29 Most commen- stitute evidence of hostile intent and thereby destruction), the framers recognized that a tators reject this strict interpretation because trigger the right of self-defense.32 This frame- consequence-based criterion was too sub- of the potential widespread destabilizing work suffers from the inherent subjectivity jective to distinguish lawful from unlawful consequences of cyber operations. That said, of defining what constitutes “critical infra- state coercion.21 Because the term force by focusing on consequences to determine structure and vital interests,” and because it connotes violence, injury, and destruc- whether prohibited force has been used, these expands the gray area to encompass activities tion—consequences that pose the greatest commentators call Article 2(4)’s instrument- such as computer network exploitation that threat to international peace and security— based paradigm into question. are not currently prohibited by international they adopted the instrument-based use-of- The perceived shortcomings of Article law. Professor Schmitt’s framework represents force standard as prescriptive shorthand. 2(4) have led many to propose a new treaty law the fourth major model. According to Professor Schmitt, such an to govern cyber operations.30 Others counter approach “eases the evaluative process by that states are unlikely to negotiate any Schmitt Analysis simply asking whether force has been used, meaningful treaties in the foreseeable future. Professor Schmitt recognized that rather than requiring a far more difficult They argue that divergent strategic interests discerning the use-of-force threshold is really assessment of the consequences that have and significant attribution problems make about predicting how states will characterize resulted.”22 According to this approach, the treaty enforcement unrealistic. They suggest and respond to cyber incidents in light of pre- Article 2(4) prohibition does not extend to that existing international norms, though vailing international norms.33 To aid in such all forms of state coercion. For example, imperfect, are adequate for extrapolating predictions, his framework bridges the instru- the instruments of economic and political general principles governing the use of force ment- and consequence-based approaches. coercion are not prohibited.23 Less clear, in cyberspace and urge gradual expansion of In keeping with the Article 2(4) instrument- but generally accepted, is that the prohibi- international norms within the Article 2(4) based standard, his model consists of seven tion is not limited to “armed” force—it framework. factors that represent the major distinctions may also encompass unarmed, nonmilitary Over the past two decades, proponents between permissible (that is, economic and physical force, such as releasing water of this gradualist approach have developed political) and impermissible (armed) instru- from a dam.24 The International Court of several analytic frameworks to characterize ments of coercion.34 When applying these Justice highlighted this point in Nicaragua the legality of cyber operations. First is the factors, the more closely the attributes of a
42 JFQ / issue 67, 4 th quarter 2012 ndupress.ndu.edu FOLTZ
cyber operation approximate the attributes ■■ Presumptive legitimacy: To the extent instrument-based paradigm appears tortu- of armed force, the more likely states are to certain activities are legitimate outside of the ous, particularly given the appeal of simple characterize the operation as a prohibited use cyber context, they remain so in the cyber effects-based frameworks. However, he of force. The Schmitt Analysis factors consist domain, for example, espionage, psychological reasoned that such adherence is necessary to of the following: operations, and propaganda. properly describe where the cyber use of force ■■Responsibility: The closer the nexus threshold lies under prevailing standards—in ■■ Severity: Cyber operations that between the cyber operation and a state, the contrast to the other leading models, which threaten physical harm more closely approxi- more likely it will be characterized as a use prescribe new standards for where the use of mate an armed attack. Relevant factors in the of force.35 force threshold should lie.38 He also believed analysis include scope, duration, and intensity. that “reference to the instrument-based short- ■■ Immediacy: Consequences that mani- According to Professor Schmitt, hand facilitates greater internal consistency fest quickly without time to mitigate harmful evaluating these factors is an imprecise and and predictability within the preexisting effects or seek peaceful accommodation are subjective endeavor. The factors are useful framework. . . . As a result, subscription by more likely to be viewed as a use of force. but not determinative, and they should not be the international community is more likely, ■■ Directness: The more direct the causal applied mechanically. Rather, they need to be and application should prove less disruptive connection between the cyber operation and applied holistically according to the relevant and controversial.”39 In the end, the Schmitt the consequences, the more likely states will context—that is, which factors are important Analysis has generally stood the test of time deem it to be a use of force. and how they should be weighted will vary and remains one of the most commonly refer- ■■ Invasiveness: The more a cyber on a case-by-case basis. Moreover, he never enced frameworks for characterizing the use operation impairs the territorial integrity or intended the factors to be exhaustive, though of force in cyberspace. sovereignty of a state, the more likely it will be they are often treated as such.36 Finally, the viewed as a use of force. framework is more useful for post hoc forensic Characterizing Stuxnet ■■ Measurability: States are more likely to analysis of particular cyber attacks than for Stuxnet has been described as a game view a cyber operation as a use of force if the characterizing real-time operations.37 changer—the first digital “fire and forget” consequences are easily identifiable and objec- Professor Schmitt also acknowledged precision-guided munition and perhaps the tively quantifiable. that his adherence to the Article 2(4) first peacetime act of cyberwar.40 According U.S. Air Force (Lance Cheung) U.S. Air Force
Analysts attending Defense Cyber Investigations Training
ndupress.ndu.edu issue 67, 4 th quarter 2012 / JFQ 43 essay winners | Cyber “Use-of-Force” Debate
Deputy Secretary of Defense addresses Defense Information System Agency’s Customer and Industry Forum on cyber warfare DOD (R.D. Ward) to reports, the Stuxnet worm was designed to avoid collateral damage.45 If the malware did supports characterizing it as a use of force— target gas centrifuges used in Iran’s uranium not detect the specific software-hardware con- though this delay is due to sanctions that bar enrichment program in Natanz. Specifically, figuration associated with Iran’s enrichment Iran from legitimately acquiring new centri- the worm exploited the software used in program, the program would lie dormant. It fuges. It is also worth noting that the scope programmable logic controllers (PLCs) manu- was also designed to delete itself from thumb of the actual damage appears to have been factured by Siemens. These PLCs controlled drives after infecting three machines, and relatively minor and fairly discrete, and that it frequency converter drives that, in turn, con- it contained a built-in self-destruct feature. posed no apparent risk of harm to personnel. trolled the speed of the centrifuges. By manip- Thus, even though the worm is reported to Immediacy: According to this factor, ulating the speed of already temperamental have infected more than 100,000 hosts in 155 Stuxnet would probably not be viewed as a and frequency-sensitive centrifuges over time countries, 60 percent of the infections were use of force. The attack, which consisted of at (weeks and perhaps months), Stuxnet caused localized to Iran, and there are no reports of least three waves over 10 months, took time as many as 1,000 of the centrifuges to break. physical damage outside of Iran.46 Although to evolve.49 More importantly, once a targeted Estimates suggest Stuxnet set Iran’s nuclear no one has claimed responsibility for Stuxnet, system was infected, it appears the damage program back by several years.41 it has the signature of a state operation.47 Most took weeks or even months to manifest. Given Although some have described Stuxnet’s speculation and some anecdotal evidence the nature of how the attack unfolded, there code as a relatively unsophisticated “Fran- points to Israel, with possible support from was and remains adequate opportunity for kenstein patchwork of existing tradecraft, the United States and/or Germany.48 Iran to mitigate the harmful effects and to code and best practices drawn from the global Although there is an emerging consen- seek peaceful accommodation. That said, cyber-crime community,” its true sophistica- sus that Stuxnet constituted a use of force, given the physical damage inflicted, imme- tion lies in the synergy of its components there is value in looking beyond the physical diacy is probably not a factor that warrants and its method of infection.42 First, Stuxnet’s damage to see what the operation reveals much emphasis in this analysis. designers required incredibly precise intel- about the strengths and weaknesses of exist- Directness: There appears to be a direct ligence about Iran’s PLCs and frequency ing analytic frameworks, such as the Schmitt causal connection between Stuxnet and the converters, as well as the performance Analysis. Accordingly, the following analysis damaged centrifuges. parameters of its centrifuges.43 Second, the is offered not only to characterize Stuxnet, but Invasiveness: Stuxnet represents a malware was self-replicating and designed to to help evaluate Schmitt’s framework. significant intrusion on Iranian sovereignty. infect systems that were not connected to the Severity: According to this criterion, Not only does it appear to have crossed inter- Internet (“air-gapped”), thereby requiring the Stuxnet is per se a use of force because it national borders, but it targeted sensitive and use of intermediary devices such as thumb caused physical damage. Moreover, the highly secure systems that were air-gapped drives. Stuxnet also employed four “zero-day” damage was inflicted upon a critical Iranian from the Internet. That said, Stuxnet would exploits44 and two stolen digital signatures interest—its nuclear program. By setting have been just as invasive if it had simply to gain access to targeted systems. Finally, Iran’s nuclear program back several years, collected intelligence on the inner workings Stuxnet appears to have been designed to the duration of Stuxnet’s consequences also of the Natanz facility—an activity the interna-
44 JFQ / issue 67, 4 th quarter 2012 ndupress.ndu.edu FOLTZ
tional community would likely not regard as a Responsibility: Although no state has a cyber operation may be derived from a use of force. claimed responsibility for Stuxnet, the worm’s single factor: severity of the consequences. Measurability: Taking into account the purpose and design strongly suggest state If true, then the framework could arguably already high failure rate of Iran’s centrifuges, involvement. That said, it is possible that be reduced to an effects-based model with the consequences attributed to Stuxnet appear Stuxnet was created and launched by nonstate little remaining affinity with the Article 2(4) both quantifiable and identifiable. actors—such as Iranian dissidents working instrument-based paradigm. To illustrate the Presumptive legitimacy: Stuxnet does with freelance hackers—in which case it point, what if instead of damaging Iranian not enjoy presumptive legitimacy. Short of would not be subject to international laws centrifuges Stuxnet achieved the same effects UN Security Council authorization or actions governing the use of force. by causing the centrifuges to operate inef- taken in self-defense—both of which would On balance, the Schmitt Analysis sug- ficiently or not at all? Except for severity, each constitute lawful uses of force—there is no gests most states would characterize Stuxnet of Schmitt’s factors would likely be evaluated customary acceptance within the interna- as a use of force. The worm was highly inva- the same. It is debatable, though, whether tional community for damaging another sive, caused direct and measurable physical the international community would consider state’s nuclear facilities. Even so, it is worth damage, lacked a clear presumption of legiti- such an operation a prohibited use of force. considering the effect of existing Iranian macy, and probably involved state support. This is not to suggest that the other factors sanctions upon this analysis. First, Iran What does the foregoing analysis of are irrelevant, but it highlights what Professor cannot import or export nuclear-related mate- Stuxnet reveal about the continued useful- Schmitt himself acknowledged: “severity is rials or technology. If such Iranian-owned ness of Professor Schmitt’s framework? Most self-evidently the most significant factor in nuclear materials are discovered outside importantly, the model’s underlying analytic the analysis.”51 of Iran, they can be lawfully seized and approach appears sound—that is, discerning Next, the characteristics of Stuxnet destroyed. Second, prior to Stuxnet, Iran had the use of force threshold entails predicting and its intended target suggest at least one been operating its centrifuges for several years how states will characterize cyber operations. additional factor that may be relevant when in violation of multiple UN Security Council That said, the analysis reveals several limita- performing a Schmitt Analysis: apparent Resolutions.50 Although these points may tions with the framework, as well as opportu- compliance with the Law of Armed Conflict relate more to whether Stuxnet constituted a nities for its expansion. (LOAC).52 Assuming reports are true, the lawful use of force, they also seem to bear on First, it appears that in any given fact that Stuxnet was targeted so precisely the factor of presumptive legitimacy. Schmitt Analysis, the characterization of and designed to minimize collateral damage U.S. Navy (Joshua J. Wahl)
Commander of Navy Cyber Forces observes spectral warrior demonstration during exercise Bold Alligator 2012
ndupress.ndu.edu issue 67, 4 th quarter 2012 / JFQ 45 essay winners | Cyber “Use-of-Force” Debate
reveals something about the identity and the responsible party must be identified as a attacked.”56 Although Iran has acknowledged intent of its creators. First, it reinforces the state.54 As noted above, without reliable attri- the presence of Stuxnet in its systems, it notion that Stuxnet was a state-sponsored bution states generally must respond to cyber has denied any significant damage and has operation, which is important because Article operations as a law enforcement problem. Yet never claimed that it was subject to an armed 2(4) only regulates state conduct. Second, it each of the prevailing frameworks, includ- attack. As U.S. Cyber Command’s top lawyer, suggests Stuxnet’s creators were concerned ing the Schmitt Analysis, treats attribution Colonel Gary Brown, has commented: “Iran’s about complying with LOAC, particularly the as a condition precedent to any use-of-force ‘non-position’ on the Stuxnet event has been principles of military necessity, distinction, analysis.55 In other words, without attribution, frustrating to practitioners in the field of and proportionality.53 Thus, the responsible a Schmitt Analysis offers limited practical cyberspace operations. Finally, there was a state apparently regarded Stuxnet as the value. But if state attribution can be estab- well-documented, unambiguous cyber attack equivalent of an armed attack and executed lished, it is questionable whether a Schmitt to dissect! And yet there was little official the operation as such. Since an armed attack Analysis would be necessary because more discussion of the issue because Iran passed up constitutes a use of force, the implication is revealing indicators should be discernable, its opportunity to complain of an unjustified that states are more likely to characterize such as motive and intent. attack.”57 Unfortunately, Professor Schmitt’s cyber attacks as a use of force if they appear to Next, to the extent state attribution framework does not address the implications comply with LOAC—even in gray area opera- bears on the characterization of cyber of such state inaction. It remains to be seen tions that do not result in actual damage. operations, so too should the victim state’s what, if any, impact Iran’s “non-position” has A third observation involves one of response. As the International Court of Justice on the development of use of force norms in the most technically challenging aspects of noted in Nicaragua: “it is the State which is cyberspace. cyber operations: attribution. For Article 2(4) the victim of an armed attack which must A more significant observation relates and the principles of jus ad bellum to apply, form and declare the view that it has been so to Professor Schmitt’s premise that states will principally rely upon existing norms, Commander of U.S. Fleet Cyber particularly Article 2(4), when making use- Command and U.S. 10th Fleet addresses of-force determinations in cyberspace. As Information Dominance Corps some commentators predicted—and Stuxnet demonstrated—Article 2(4) has proven to be a “weak constraint on offensive cyber-attacks.”58 This is due, in part, to the difficulty of observ- ing, measuring, and attributing cyber opera- tions. More importantly, it reflects the fact that international law is not static and that the principles of jus ad bellum are not the exclu- sive province of the UN Charter.59 Whereas contemporary interpretations of Article 2(4) reflect the distribution of traditional instru- ments of power—that is, political, military, and economic strength—the current array of cyber capabilities and vulnerabilities does not mirror the traditional distribution.60 Conse- quently, states with significant cyber capabili- ties or vulnerabilities—regardless of their political, military, or economic strength—are likely to consider factors well beyond Article 2(4) when characterizing the legality of cyber operations. Such additional considerations may include relative cyber strengths and vulnerabilities; strategic risks and opportuni- ties; scope of potential consequences; ability to control escalation; effectiveness of cyber deterrence; potential reactions by adversar- ies, allies, and international organizations; domestic politics; state declaratory policies; emerging state practice (including state inac- tion); attribution problems; and other legal, political, and technical constraints.61 More- over, given the novelty of cyberspace, different U.S. Navy (Shauntae Hinkle-Lymas)
46 JFQ / issue 67, 4 th quarter 2012 ndupress.ndu.edu FOLTZ states will likely weigh their strategic risks and dominate the analysis.63 In light of recent Stuxnet Was an Attack,” Joint Force Quarterly 63 th opportunities very differently. events in Estonia, Georgia, and Iran, it (4 Quarter 2011), 70–73; and John Richardson, Perhaps these additional considerations appears that time has come. “Stuxnet as Cyber Warfare: Applying the Law of War to the Virtual Battlefield,” Social Science explain why there has been so little academic The Schmitt Analysis of Stuxnet also Research Network Working Paper, 2011. debate about the legal implications of Stuxnet. has implications for the broader debate over 6 Ibid.; Michael N. Schmitt, interview by the Even though most states would probably the use of force in cyberspace. For one thing, author, December 1, 2011; and Colonel Gary D. agree that Stuxnet constituted a use of force the lack of discussion over the legal implica- Brown, interview by the author, December 2, 2011. under Article 2(4), they may be reluctant to tions of Stuxnet demonstrates that states are 7 Information Operations Primer (Carlisle characterize the attack as unlawful since, by unlikely to reach consensus on what consti- Barracks, PA: U.S. Army War College, November targeting an illicit program in a pariah state, tutes a cyber use of force any time soon. The 2011), 23. it was justifiable. In this regard, it is worth lack of a discernable threshold also suggests 8 Ellen Nakashima, “Cyber-Intruder Sparks noting that Stuxnet’s objective was consistent that state-sponsored gray area cyber attacks Massive Federal Response—and Debate Over with multiple UN Security Council mandates are more likely.64 Consequently, policymak- Dealing With Threats,” The Washington Post, December 9, 2011. 9 See “Mike McConnell on how to win the policymakers and cyber practitioners must be prepared to cyber-war we’re losing,” The Washington Post, operate in an ambiguous and contested legal environment February 28, 2010; Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What To Do About It (New York: and it promoted those mandates without ers and cyber practitioners and their legal Harper-Collins Publishers, 2010); Ryan Singel, resorting to armed force. Thus, it remains advisors must be prepared to operate in an “Is the Hacking Threat to National Security to be seen whether Stuxnet represents a new ambiguous and contested legal environment, Overblown?” Wired Magazine, June 3, 2009; and form of tacitly condoned cyber vigilante-ism, while at the same time shaping new norms Bruce Schneier, “The Threat of Cyberwar Has Been or whether the perpetrator(s) will eventually of acceptable state conduct.65 In the end, Grossly Exaggerated,” Schneier.com, July 7, 2010. 10 be held in contempt. Either way, Iran’s “non- these evolving norms are not likely to be con- National Security Strategy (Washington, DC: position” has made it easy for the interna- strained by Article 2(4)’s narrow prohibition The White House, May 2010), 27. 11 International Strategy for Cyberspace: tional community to sidestep the issue. on the use of force. Rather, they will likely Prosperity, Security, and Openness in a Networked reflect the new realities and unique features World (Washington, DC: The White House, May Conclusion of cyberspace, such as cyber’s potentially 2011), 14. Although Professor Schmitt’s analytic devastating consequences, the nontraditional 12 Charles J. Dunlap, Jr., “Perspectives for approach to characterizing cyber operations distribution of cyber capabilities and vulner- Cyber Strategists on Law and Cyberwar,” Strategic remains sound, the analysis of Stuxnet reveals abilities, and the international community’s Studies Quarterly (Spring 2011), 84; and Eneken several shortcomings with his model. These response (or lack thereof) to seminal events Tikk, Kadri Kaska, and Liis Vihul, International include severity of the consequences as a like Stuxnet. JFQ Cyber Incidents: Legal Implications (Tallin, potentially determinative factor, attribution Estonia: NATO Cooperative Cyber Defence as a condition precedent to a use of force Notes Centre, 2010), 79. 13 analysis, and failure to account for a victim Dunlap, 84. 1 United Nations (UN), Charter of the United 14 See Department of Defense (DOD), state’s “non-position” toward a particular Nations and Statute of the International Court of Department of Defense Strategy for Operating in cyber operation. This analysis also reveals Justice (San Francisco, CA: UN, 1945). Cyberspace (Washington, DC: DOD, July 2011), 5; at least one additional factor states may 2 Michael N. Schmitt, “Computer Network National Security Strategy, 22; and International consider when characterizing cyber opera- Attack and the Use of Force in International Law: Strategy for Cyberspace, 14. tions—whether an attack appears to comply Thoughts on a Normative Framework,” Columbia 15 As one commentator has noted, “Although with LOAC. Journal of Transnational Law 37 (1999), 925. See the application of the UN Charter Article 2(4) to More importantly, this analysis suggests also U.S. Senate, Advance Questions for Lieutenant CNA [computer network attack] is an intellectu- the time has come to relax the model’s strict General Keith Alexander, USA Nominee for Com- ally interesting question, there is reason to wonder adherence to the Article 2(4) instrument- mander, United States Cyber Command: Before the whether, as a practical matter, the issue ever will th th based paradigm. By tying his framework to Senate Armed Services Committee, 11 Cong., 11 arise in a context requiring an actual decision. The Article 2(4), Professor Schmitt anticipated sess., April 15, 2010, 11. most important obstacle may be the difficulty of 3 Walter Gary Sharp, Sr., Cyberspace and the more consistent, predictable, and relatively attributing CNA to State action. Moreover, even Use of Force (Falls Church, VA: Aegis Research, if State use of CNA were to emerge as a recogniz- objective characterizations of force in cyber- 1999), 140; and David E. Graham, “Cyber Threats able phenomenon, such CNA would have to occur space. However, state practice over the last and the Law of War,” Journal of International Law in relative isolation in order squarely to pose the decade suggests that states will treat Article & Policy, 4 (2010), 91–92. relevant legal issue. Because this seems improbable, 2(4) as just one of several factors to consider 4 Isaac R. Porche III, Jerry M. Sollinger, and it likely will be a long time, if ever, before the prac- when characterizing cyber operations.62 As Shawn McKay, A Cyberworm That Knows No tice of States, decisions of the International Court Professor Schmitt himself acknowledged, as Boundaries (Washington, DC: RAND, 2011), ix. of justice (ICJ), or other recognized sources of state practice emerges, other considerations 5 Duncan B. Hollis, “Could Deploying Stuxnet international law yield a clarification of how Article and normative approaches—such as greater Be a War Crime?” OpinioJuris.org, January 25, 2(4) applies to CNA.” Daniel B. Silver, “Computer emphasis on consequences—may come to 2011; Gary D. Brown, “Why Iran Didn’t Admit Network Attack as a Use of Force under Article
ndupress.ndu.edu issue 67, 4 th quarter 2012 / JFQ 47 essay winners | Cyber “Use-of-Force” Debate
46 2(4) of the United Nations Charter,” in Naval War 29 Ibid., 1041. Professor Schmitt highlighted Falliere, Murchu, and Chien, 10. Despite College International Law Studies 76; Computer this dilemma: “The advent of cyber operations early speculation that Stuxnet damaged an Indian Network Attack and International Law, ed. threw the instrument-based approach into disar- satellite, the claim has never been substantiated. 47 Michael N. Schmitt and Brian T. O’Donnell, 77–78 ray by creating the possibility of dramatically Porche, Sollinger, and McKay, 8. 48 (Newport, RI: Naval War College Press, 2002). destabilizing effects caused by other than kinetic Zetter; Brown, “Why Iran Didn’t Admit 16 Latin for “right to the war,” more commonly actions.” Schmitt, “Cyber Operations in Interna- Stuxnet Was an Attack”; Richardson, 30; and understood as the “right to wage war.” The prin- tional Law,” 177. William J. Broad, John Markoff, and David E. ciples of jus ad bellum are distinct from the related 30 See Clarke and Knake, 219–255; Hollis, “Why Sanger, “Israeli Test on Worm Called Crucial in principles of jus in bello—or the Law of Armed States Need an International Law for Information Iran Nuclear Delay,” The New York Times, January Conflict (LOAC)—which govern how armed con- Operations,” 1053; and Silver, 78. 15, 2011. 49 flict is conducted. 31 See Hollis, “Why States Need an Interna- Falliere, Murchu, and Chien, 8. 50 17 For example, compare Article 39’s “breach of tional Law for Information Operations,” 1041; and See, UN Security Council Resolutions 1737 the peace” and “aggression” thresholds; Article 41’s Graham, 91. (2006), 1747 (2007), 1803 (2008), and 1929 (2010). 51 “measures short of armed force” standard; Article 32 Sharp, 129–131; and Hollis, “Why States Schmitt, “Cyber Operations in International 42’s “such action by air, sea, or land forces as may Need an International Law for Information Opera- Law,” 156. 52 be necessary” language; and Article 51’s “armed tions,” 1041. The Law of Armed Conflict (LOAC)—also attack” threshold for self-defense actions. 33 Schmitt, interview by the author. In this known as the Law of War and International 18 Schmitt, “Computer Network Attack and the regard, Professor Schmitt noted that states would Humanitarian Law—is the body of law governing Use of Force,” 920. likely seek to balance the conflicting objectives of the conduct of armed conflict. It is derived from 19 Ibid.,” 905–907. Opinio juris means a sense of maximizing their own freedom of action in cyber- both customary international law and treaty law, legal obligation. In the international law context, it space while avoiding the harmful consequences including The Hague and Geneva Conventions. is used to judge whether State practice and adher- caused by adversaries. See also Schmitt, “Cyber The basic principles of LOAC include: military ence to norms is due to a sense of legal obligation, Operations in International Law,” 155. necessity, unnecessary suffering, distinction, vice political expediency, or convenience. Duhaime. 34 Schmitt, “Computer Network Attack and the proportionality, and chivalry. Air Force Operations org Legal Dictionary, available at
48 JFQ / issue 67, 4 th quarter 2012 ndupress.ndu.edu