FACULTY OF LAW Stockholm University ARMED ATTACKS IN CYBERSPACE Do they exist and can they trigger the right to self-defence? Elin Jansson Holmberg Thesis in International Law, 30 HE credits Examiner: Said Mahmoudi Stockholm, Spring term 2015 TABLE OF CONTENTS ABBREVIATIONS.......................................................................................3 1. INTRODUCTION....................................................................................6 1.1 BACKGROUND....................................................................................... 6 1.2 PURPOSE AND RESEARCH QUESTIONS.................................................... 8 1.3 METHOD AND MATERIAL....................................................................... 8 1.4 DELIMITATION....................................................................................... 11 1.5 PROBLEM DISCUSSION AND SOURCE CRITICISM.......................................12 1.6 DISPOSITION..........................................................................................13 2. DEFINITIONS..........................................................................................15 2.1 THE USE OF FORCE............................................................................... 15 2.2 ARMED ATTACKS AND THE INHERENT RIGHT TO SELF-DEFENCE.............. 17 2.3 CYBER ATTACK.....................................................................................19 3. DIFFERENT APPROACHES TO CYBER ATTACKS....................... 22 3.1 APPLICABILITY OF THE UN CHARTER IN THE CYBER CONTEXT...............22 3.2 CYBER ATTACKS AS A USE OF FORCE.....................................................22 3.2 CYBER ATTACKS AS ARMED ATTACKS...................................................24 3.2.1 THE CONSEQUENCE BASED APPROACH........................................... 24 3.2.2 THE TARGET BASED OR STRICT LIABILITY APPROACH..................... 28 3.2.3 THE MEANS OR INSTRUMENTS BASED APPROACH............................ 30 3.2.4 A CYBER ATTACK CAN NEVER CONSTITUTE AN ARMED ATTACK....... 31 4. ATTRIBUTION AND STATE RESPONSIBILITY...............................34 4.1 ATTRIBUTION IN GENERAL.....................................................................34 4.2 ATTRIBUTION OF CYBER ATTACKS.........................................................36 5. THE USE OF FORCE IN SELF-DEFENCE.........................................41 5.1 NECESSITY, PROPORTIONALITY AND IMMEDIACY..................................... 41 5.2 THE NATURE OF SELF-DEFENCE AGAINST CYBER ATTACKS..................... 43 5.3 THE TEMPORAL DIMENSION OF SELF-DEFENCE.......................................44 5.3.1 ANTICIPATORY SELF-DEFENCE.........................................................45 5.3.2 PRE-EMPTIVE SELF-DEFENCE, THE BUSH DOCTRINE......................... 48 6. NON-STATE ACTORS............................................................................50 1 7. SUMMARY AND DISCUSSION............................................................ 55 8. CONCLUSION.........................................................................................59 BIBLIOGRAPHY.........................................................................................60 TREATIES.....................................................................................................60 ACADEMIA.................................................................................................. 60 BOOKS.................................................................................................. 60 ARTICLES.............................................................................................. 61 UNITED NATIONS DOCUMENTATION..............................................................65 UNITED NATIONS DOCUMENTATION........................................................ 65 RESOLUTIONS........................................................................................ 65 CASE LAW............................................................................................. 66 INTERNET SOURCES..................................................................................... 67 MISCELLANEOUS DOCUMENTATION..............................................................68 2 ABBREVIATIONS AP I First Additional Protocol to the Geneva Conventions CCDCOE Cooperative Cyber Defence Centre of Excellence CNA Computer Network Attack DDOS Distributed Denial of Service Draft Articles Draft Articles on Responsibility of States for Internationally Wrongful Acts ICJ International Court of Justice ICTY International Tribunal for the former Yugoslavia ILC International Law Commission ISIL Islamic State in Iraq and the Levant IHL International Humanitarian Law NSAs Non-State Actors NATO North Atlantic Treaty Organization NRC National Research Council Tallinn Manual Tallinn Manual on the International Law Applicable to Cyber Warfare UN United Nations UN Charter Charter of the United Nations UNGA United Nations General Assembly UNSC United Nations Security Council 3 4 Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon. - Michael Hayden 5 1. Introduction 1.1 Background In April 2007, a Soviet World War II memorial was moved from Tallinn, Estonia, to its suburbs. As a reaction to this, hackers began attacking the websites of the government, Estonia's biggest bank and several newspapers in the country. The attacks were so called Distributed Denial of Service (hereinafter DDOS) attacks. DDOS attacks are characterized by an attacker denying legitimate users of a certain service access to that service, for instance by “flooding” a network to prevent legitimate network traffic.1 In the attacks at hand, users wanting to reach the government websites were redirected to images of Soviet soldiers or simply were not able to reach the website in question. As a result of the attack, emergency communication lines became unavailable for a short period.2 The hackers hijacked up to 85 000 computers from all around the world to carry out the attacks, but experts have established that the computers initiating the attacks had Russian IP addresses. Russia has denied any involvement and Russian officials have called accusations of involvement unfounded. Thus, it is uncertain who conducted the attacks and exactly from where they originated.3 After these incidents in Estonia, NATO established a permanent Internet defence agency in the country called the Cooperative Cyber Defence Center of Excellence (hereinafter CCDCOE). CCDCOE is an “international military organization with a mission to enhance the capability, cooperation and information sharing among NATO, its member nations and partners in cyber defence by virtue of education, research and development, lessons 1 Lau, F., Rubin, S. H., Smith, M. H., & Trajkovic, L., (2000), Distributed denial of service attacks, in Systems, Man, and Cybernetics, 2000 IEEE International Conference, pp. 2275-2280. 2 Bussolati, N., (2015), The Rise of Non-State Actors in Cyberwarfare, in Cyberwar, Law and Ethics for Virtual Conflicts, Eds. Ohlin, J. D., Govern, K., Finkelstein, C., Oxford University Press, p. 102. 3 See e.g., O'Connell, M., (2012), Cyber Security without Cyber War, Journal of Conflict and Security Law, Oxford University Press, pp. 192-193 and Rid, T., (2013), Cyber War will not take place, Oxford University Press, pp. 8-9. 6 learned and consultation”.4 Amongst other things, CCDCOE brought together international law scholars and practitioners to create the Tallinn Manual on the International Law Applicable to Cyber Warfare (hereinafter Tallinn Manual), launched in 2009. In 2010, Iranian nuclear centrifuges were infected by the Stuxnet worm, a virus so complex and sophisticated that all evidence led experts to believe that it was originating from state-backed professionals.5 The virus caused the nuclear centrifuges to spin far more rapidly than they should and therefore harmed the centrifuges. The extent of the physical damage is uncertain but several hundred centrifuges were shut down.6 It should be noted that the Stuxnet worm infected several computers manufactured by Siemens, 40% of which is believed existed outside Iran at the time of the attack7 and up to 5% of the entire world's computers may have been infected by Stuxnet. 8 The incident was allegedly a joint US-Israeli operation but it is still unclear whom to attribute the actions to.9 The Tallinn and Stuxnet incidents are two significant examples, but during the last decade numerous of cyber incidents have taken place.10 The threat of 4 Stated objective of the Cooperative Cyber Defence Center of Excellence, available at https://ccdcoe.org (last assessed 18 May 2015). 5 See e.g., Harrison Dinniss, H., (2012), Cyber Warfare and the Laws of War, Cambridge University Press, p. 37, Falliere, N., Murchu O. L., Chien, E., (2011), W32 Stuxnet Dossier, Symantech, version 1.4, available at http://www.symantec.com/content/en/us/enterprise/media/ security_response/whitepapers/w32_stuxnet_dossier.pdf (last assessed 18 May 2015) and Matrosov, A., Rodionov, E., Harley, D., & Malcho, J., (2010), Stuxnet under the microscope, ESET, white paper, revision 1.31, p. 70, available at http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf (last assessed 18 May 2015). 6 Richmond, J., (2011), Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to the Law of Armed Conflict, Fordham International Law Journal, pp. 851, 857-859. 7 O'Connell, M., (2012), Cyber Security without