Legal Implications of Cyber Attacks and Cyber Warfare

Abstract

Since the very concept of cyber attacks as a form of warfare is so novel, it is unsurprising that legal guidance has not caught up with technological possibilities. In the absence of international agreements and domestic legislation in the United States and Europe, creative attempts have been made to bring cyber attacks under the umbrella of existing international and domestic legal doctrines. Yet analogies, however creative and persuasive, are not infinitely elastic. The Tallinn Manual represents an important international step in attempting to state current international treaty and customary law that pertains to cyber exploitation. In 2009, the NATO Cooperative Center of Excellence commissioned a broad international group of legal and technical experts to explain the relevant law and practice as it stood at the time. Under the leadership of its editor, Professor Michael N. Schmitt, it chose the format of rules with explanations, not unlike the judicious approach taken by the American Law Institute in its Restatements of Law in various fields. It is not meant to express an official interpretation, as a disclaimer makes clear, but it is an influential document toward that end, and it has been treated as such. It did not create new law, nor suggest possible international agreements that might be adopted. It did create a consensus, nonbinding document that could form the basis for future negotiations. However, the process has not stimulated perceptible international movement since its completion in 2012. Unfortunately, a life raft that is being constructed very slowly – one nail at a time – may not be finished before the storm hits. U.S. Domestic Legal Issues While questions of international law and use of force may be at the forefront of scholarly discussion, domestic steps to cope with cyber incidents are of immediate importance in view of the vulnerability of critical infrastructure in the United States. The U.S. president has war powers to deal with an unmistakable cyber attack with kinetic effects under the AUMF of 2001, limited to those responsible for 9/11, and under Article II of the U.S. Constitution. In the event of a cyber attack on critical infrastructure, what powers would an American president have to intervene to step in to restore and manage the problem if the private company were not cooperating?