The Degrees of Force Exercised in the Cyber Battlespace

Abstract

IntroductionEach instance of communication via the Internet depends on the transfer of confidential, readily available, and authenticated information. If this information is read, altered, or forged in any way, it jeopardizes the secure and safe operation of any service depending on the transfer of data. Thus, the exploitation of data can be leveraged in ways that can have devastating effects on modem societies. The problem with a networked society is that the international conventions on the use of force fail to sufficiently safeguard the world from the instability caused by computer attacks. This article seeks to remedy the situation by defining what kinds of actions carried out via computerized networks constitute a use of armed force or armed conflict.This article applies the existing Laws of Armed Conflict (LOAC) to three cases of computer-based attacks carried out by nation-states. In doing so, the aim is to highlight the legal limitations on actions that can be taken to respond to computer attacks. The first examination involves the wave of cyber attacks that precluded the 2008 South Ossetia War between Russia and Georgia. The second case addresses the United States' covert operation, codenamed Olympic Games. For this case, the analysis will be focused on the Stuxnet computer program. The third case utilizes LOAC to assess the acts of digital espionage carried out by the Chinese People's Liberation Army Unit 61398.Using LOAC as a legal rubric, the cases suggest that there are three distinct interpretations of computer-based operations. The case of the 2008 South Ossetia War constitutes a situation in which using computers to attack another country can be interpreted as a use of force and as an act of armed conflict. The Olympic Games operation reveals that a computer-based attack can be considered a use of force but not an act of armed conflict. The analysis of the actions of Unit 61398 shows a perspective on computer attacks that are neither a use of force nor an act of armed conflict. Each case expresses unique characteristics of operations in cyberspace. Therefore, in order to develop a legal understanding of these cases, the analysis favors an effects-based assessment of cyber attacks, pioneered by Michael Schmitt and expressed in the Tallinn Manual on the International Law Applicable to Cyber Warfare.* 1Developing a Legal Framework of Cyber Attacks Through an EffectsBased ApproachComputer-based attacks represent a subset of actions that can be described as information operations. Information operations (10) are defined as actions taken by the military in times of peace or war to affect adversary information and information systems while defending one's own information and information systems.2 Broadly speaking, 10 refers to radar jamming, psychological, and electronic means of carrying out operations. A subset of electronic 10 is called computer network operations (CNO). CNO are defined as operations to attack, deceive, degrade, disrupt, deny, exploit, and defend electronic information and infrastructure.3 Two sub-elements of CNO are attack and defense. Computer network attacks (CNA) are defined as actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers themselves.4 If the information within a computer that controls the water level in a nuclear power plant suffers any disruption to the information flow, it can have devastating physical effects.5 Each case presented in this article represents a form of CNA with its own unique effect. The effects highlighted by each case range from denial of service and theft of information to physical destruction.Due to the relatively new nature of state-sponsored international cyber attacks, this article addresses the existing body of international treaty law that includes the prohibitions on the use of force and self-defense as found in the United Nations Charter. …