LIMITATIONS TO THE GUIDANCE OF THE LAW OF INTERNATIONAL ARMED CONFLICT AS TO THE LAWFUL BOUNDS OF CYBER WARFARE Exam No:

9678047 MSc Global Crime, Justice & Security Submitted in Partial Fulfilment of a MSc Global Crime Justice and Security University of Edinburgh

Abstract In the last half-decade previously little-discussed periphery scenarios involving complex legal ambiguities, of more concern to academics than military planners, have emerged centre stage in reality. Thus the significant first shots in cyber war have arguably been fired and new legal uncertainties have been exposed, so that a far more practical assessment of the limits of the LOIAC can now be conducted. Numerous scholars are of the view that cyber warfare is so vastly different from conventional warfare that a separate international instrument, supplementary to the present LOIAC, is required to govern its conduct. In contrast, the position of the United States has consistently been that the present LOIAC and its core principles are sufficient to govern cyber warfare. The purpose of this paper is to determine the strength of these competing claims. Therefore the research question for this paper is as follows; does the law of international armed conflict provide sufficient guidance to national military commanders to determine the lawful bounds of cyber warfare?

TABLE OF CONTENTS
INTRODUCTION..........................................................................................4 CHAPTER I: INTERPRETING THE RIGHT OF SELF-DEFENCE IN CYBERSPACE.....7 PART I: THE THRESHOLD OF ARMED ATTACK ..............................................................................7 PART II: THE RIGHT OF SELF DEFENCE AND NON-STATE ACTORS.....................................................15 PART III: PRACTICAL DIFFICULTIES IN DETERMINING THE RIGHT TO SELF-DEFENCE ..................................18 CHAPTER II: DETERMINING THE LAWFUL LIMITS OF CYBER WARFARE WITHIN AN EXISTING CONFLICT............................................................................25 PART I: MILITARY NECESSITY ...............................................................................................25 PART II: DISTINCTION ........................................................................................................32 PART III: PROPORTIONALITY..................................................................................................42 CONCLUSION...........................................................................................44 BIBLIOGRAPHY.........................................................................................46

INTRODUCTION The question of the adequacy of the law of international armed conflict (LOIAC) in governing the conduct of cyber warfare has received significant attention in academic literature, yet has been little discussed in any publicly distributed military doctrine. It has been more than a decade since the US Department of Defence published An Assessment of International Legal Issues in Information Operations (Office of General Counsel, 1999) the only publicly available doctrinal guidance as to the application of the LOIAC to cyber warfare. Additionally, the Office of General Counsel assessment provided no definitive policy pronouncements or guidance, only a general review of likely interpretations of particular legal issues in information operations. Since that time, the significant first shots in cyber war have arguably been fired and new legal uncertainties have been exposed, so that a far more practical assessment of the limits of the LOIAC can now be conducted. Previously little-discussed periphery scenarios involving complex legal ambiguities, of more concern to academics than military planners, have emerged centre stage in reality. For example, some argued it improbable that a state-led, physically destructive computer network attack would ever occur in isolation from a conventional interstate conflict (see Silver, 2002, p 78). However, such a scenario emerged with the revelation of the Stuxnet computer virus in June 2010 allegedly the product of American-Israeli state espionage (Sanger, 2012). The purpose-built infection caused the physically destructive malfunction of the centrifuges in Irans Natanz nuclear fuel-refining facility in mid-2009 (Clayton, 2010). From an international legal perspective the attack raised many questions including whether the incident constituted a use of force or even armed attack under the Charter of the United Nations (Articles 2(4) and Article 51, respectively). Furthermore, those who considered the incident an armed attack have asked further questions of its lawfulness under the international law of armed conflict, noting the use of civilian systems as conduits to the attack and the failure of attackers to distinguish themselves as lawful combatants (see Richmond, 2012; Crawford, 2011).

Several one-off cyber incidents of a similar scale have also caused debate as to the degree of state responsibility for cyber attacks emanating from their territories and to what extent states may respond with force to such attacks (see Sklerov, 2009). Notable among these incidents were the May 2007 distributed-denial of service (DDoS) attacks upon the websites of Estonian government ministries, banks and news organizations and the disabling of the emergency phone number, following political tensions between Russia and Estonia (Traynor, 2007). Equally significant has been the emergence of, allegedly state-sponsored, campaigns of cyber industrial espionage and intellectual property theft against US companies, including defence contractors (US Office of the National Counterintelligence Executive, 2011). In both cases extensive digital forensics and intelligence investigations have been unable to provide conclusive proof of state responsibility for attacks. However several investigations identified the implied consent of the Russian and Chinese governments in refusing to stop hackers attacks emanating from their territories (Swanson, 2010; see also Soldatov, 2011, US Office of the National Counterintelligence Executive, 2011). Noting the legal ambiguities discussed above, numerous scholars are of the view that cyber warfare is so vastly different from conventional warfare that a separate international instrument, supplementary to the present LOIAC, is required to govern its conduct (see Brown, 2006; Crawford, 2011; Kelsey, 2008). In contrast, the position of the United States has consistently been that the present LOIAC and its core principles are sufficient to govern cyber warfare (Developments in the Field, 2011, p 31). The purpose of this paper is to determine the strength of these competing claims. Therefore the research question for this paper is as follows; does the law of international armed conflict provide sufficient guidance to national military commanders to determine the lawful bounds of cyber warfare? Key Terms Before moving to explain the structure of this paper it is necessary to briefly define the terms law of international armed conflict and cyber warfare. 5

The law of international armed conflict is composed of both customary and treaty law governing the conduct of hostilities between states (UK The Joint Service Manual of the Law of Armed Conflict, 2004, 1.12). The relevant customary international law is extracted from state practice and codified in various military manuals, international and national jurisprudence and state pronouncements. Chief among the relevant treaty law sources are the Hague conventions and declarations of 1899 and 1907, the four Geneva Conventions of 12 August 1949 and the additional protocols thereto (Dinstein, 2010). Also of significance are various treaties prohibiting or restricting the use of certain weapons, including those annexed to the Geneva Conventions of 1949. Particularly frequent reference will be made to the 1977 Additional Protocol I to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts, which henceforth shall be referred to as Additional Protocol I. The term cyber warfare as used in this paper is analogous to the term computer network operations as defined in Joint Publication 3-13: Information Operations (JP 3-13) (2006), released by the US Chairman of the Joint Chiefs of Staff. Under JP 3-13, computer network operations are comprised of computer network attack, exploitation and defence, and can be used to attack, deceive, degrade, disrupt, deny, exploit, and defend electronic information and infrastructure (2006, p II-5). Structure and Methodology The following research response is divided into two substantive chapters assessing the guidance of the LOIAC in respect to different categories of legal consideration that a commander is likely to make. Chapter I includes a discussion of jus ad bellum type considerations of when cyber attack warrants the exercise of the right of self-defence. Note that these jus ad bellum type considerations are restricted to those required to determine the legality of a self-defence response, rather than those required in the political justification of a war. Chapter II discusses jus en bello type considerations of the lawful limits of cyber warfare within an existing conflict. Both chapters include an analysis of different interpretations of various elements of the LOIAC, and practical 6

complications that may limit the utility of those interpretations in an operational context. Accordingly, both chapters will draw extensively upon national military doctrine, state policy pronouncements and national and international jurisprudence in identifying points of interpretive tension in respect to the LOIAC. Particular research emphasis has been placed upon the interpretations of the United States because of its preeminent war-fighting capabilities in the cyber theatre and role as a front-runner in the development of cyber warfare doctrine. Significant reference is also made to the wealth of academic works on this topic, which in many cases provide a more comprehensive analysis of certain interpretive issues than any state pronouncements to date. In identifying the practical constraints placed upon commanders in adhering to these interpretations, this paper draws upon academic works by armed services colleges, doctrinal and policy publications and technical reports by information operations specialists.

CHAPTER I: Interpreting the Right of Self-Defence in Cyberspace The purpose of this chapter is to identify limitations to the LOIAC in providing guidance as to when cyber attack warrants the exercise of the right of selfdefence by states. To this end this chapter is divided into three sections. The first section will examine different interpretations of what actions in cyberspace constitute an armed attack and key points of ambiguity in this respect. The second section will examine different interpretations of the requirement to determine state responsibility in responding to an armed attack. Finally, the third section of this chapter will examine the utility of these interpretations given practical obstacles faced by commanders in the field. This discussion will also include possible solutions to these obstacles.

Part I: The Threshold of Armed Attack The inherent right of states to conduct individual or collective self-defence in the event of armed attack is enshrined in Article 51 of the UN Charter. 7

Therefore commanders who wish to exercise the right of national self-defence, in accordance with Article 51, require clear guidance as to when an armed attack has occurred. However neither the Charter nor any international convention provides a definition of the term. Although there is no international consensus on exactly what constitutes an armed attack under international law, it is possible to identify core (generally accepted) and marginal interpretations of the term (Kammerhofer, 2004, p 160). Core interpretations include traditional acts of kinetic violence committed by the uniformed military personnel of one state against the territorial integrity and political independence of another state (Cassese, 2005, p 469). Kammerhofer (2004) further deconstructs this core interpretation of armed attack as including two self-evident elements the use of military or paramilitary means and some form of trespass, border-crossing, or violation of territorial inviolability or of the state apparatus (p 161). Conversely, more marginal meanings of armed attack include very minor acts of international kinetic violence (such as the firing of a single shot across an international border by a soldier), non-kinetic violence (such as cyber attack), and even acts merely in support of kinetic violence (such as the foreign supply of arms to rebels) (Lubell, 2010, p 48). International recognition is growing that cyber attack can reach a level of seriousness on par with that of a conventional armed attack. This is evidenced by NATOs Strategic Concept report for 2010, which states cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security and stability (NATO, 2010, p 11). However significant room for debate remains as to where the threshold of armed attack lies in terms of cyber operations. Three main approaches have emerged in academic literature in respect to the threshold of armed attack in cyber warfare. According to the strict liability approach, any imminent cyber threat or cyber attack deemed to be targeting a vital U.S. national interest such as critical infrastructure systems as defined under Presidential Decision Directive 63 (1998), could be considered an armed attack and warrant a forceful self-defence (Terry, 2001). This approach is justified upon the basis that the effects of computer network attack may spread at such speeds that commanders need immediate authority to respond 8

to threats before networked assets of vital importance to national security are substantially compromised (Condron, 2007). The obvious drawback to this approach is that in setting such a low threshold for armed response to cyber threats, there is a strong likelihood of false positives, resulting in unnecessary and unlawful uses of force (Graham, 2010, p 91). Alternatively, the threshold of armed attack in cyberspace according to the instrument-based approach is when the damage caused could only be matched by a kinetic attack (Barkham, 2001, p 72). Although such an approach produces clear thresholds for commanders, the exclusion of non-kinetic uses of force as armed attacks lacks consistency with customary international law, which recognizes other nonkinetic actions, such as of biological and radiological warfare, as armed attacks (Schmitt, 2010a). The third and most widely utilized approach in determining the threshold of armed attack in terms of cyber operations is the effects-based approach. Proponents of this approach advocate that the overall direct and indirect consequences of cyber attack should determine when a particular action reaches the threshold of armed attack. Some have expressed this as a distinction as to whether the force caused or could have caused death, injury or damage to goods or infrastructure (Dutch Advisory Council on International Affairs, 2011, p 20; Swanson, 2010, p 306). The most thorough effects-based model has been developed by Schmitt (1999), which identifies a comprehensive list of factors that are likely to be considered by states in determining if an armed attack occurred. The factors are as follows; severity (a measure of death and physical destruction), immediacy (if there is enough time to accommodate peaceful negotiation), directness (how concrete the causal link is between the initial act and its consequences), invasiveness (how deep has been the breach of security), measurability (how quantifiable and identifiable the consequences are), presumptive legitimacy (absent an express prohibition, acts are usually considered legitimate under international law) and responsibility (how close the nexus is between a state and the attack) (Schmitt, 1999, pp 914-916). Having noted various academic interpretations of the notion of armed attack in a cyber warfare context, it is now possible to turn to the more influential interpretations of states. 9

State Interpretation and Practice in Respect to the Threshold of Armed Attack It should be understood that the strength of different interpretations of armed attack under customary international law is subject to the geostrategic considerations of states and has oft reflected distributions of power and vulnerability (Waxman, 2011, p 421). Historically the United States, as a major military power, has attempted to push the boundaries as to the minimum severity of an attack or threat against its forces required to justify armed selfdefence. A prominent example of such behaviour was the United States defence in the case Nicaragua v. United States of America, in which the United States contended that the Nicaraguan provision of arms, munitions, finance, logistics, training, safe havens, planning and command and control support to armed opposition in El Salvador, constituted an armed attack under Article 51 of the United Nations Charter (Counter-Memorial of the United States of America, 1984, para 189, p 57). Although the International Court of Justice ultimately rebuffed the above claim in its judgement on the case, it is important to note that in an operational context powerful states draw upon marginal interpretations of armed attack where strategic necessity dictates (Judgement, 1986, para 195, p 104). In respect to the threshold signifying the occurrence of an armed attack, the United States has refrained from the use of any specific doctrinal guidance that could constrain commanders. Instead the Standing Rules of Engagement for US forces allow US commanders to respond in self-defence to a hostile act defined as An attack or other use of force against the United States, US forces, and, in certain circumstances, US nationals, their property, US commercial assets, and/or other designated non-US forces, foreign nationals and their property. It is also force used directly to preclude or impede the mission and/or duties of US forces, including the recovery of US personnel and vital US Government property. (Chairman of the Joint Chiefs of Staff, 2000, Enclosure A, 5 (g)) 10

It should be noted there are no additional rules of engagement for the employment of US cyber warfare capabilities. However despite this lack of explicit doctrinal guidance, the US Office of General Counsel Assessment of International Legal Issues in Information Operations (1999) gives a strong indication of the category of approach the US Department of Defense (DoD) is most likely to employ in assessing if an armed attack has occurred in cyberspace. it seems likely that the international community will be more interested in the consequences of a computer network attack than in its mechanism if a coordinated computer network attack shuts down a nations air traffic control system along with its banking and financial systems and public utilities, and opens the floodgates of several dams resulting in general flooding that causes widespread civilian deaths and property damage, it may well be that no one would challenge the victim nation if it concluded that it was a victim of an armed attack (p 18) Two points are worth noting in the above passage. Firstly, the DoD recognizes that the consequences or effects-based approach to interpretations of armed attack is that which is most likely to be recognized by the international community. Secondly, the DoD places the threshold of effects required to characterize armed attack relatively high, most notably, the occurrence of widespread civilian deaths and property damage. However, it is also evident from the testimony of General Keith Alexander, head of US Cyber Command, that US cyber warfare decision-makers may also draw upon other approaches in classifying events as armed attacks; If the President determines a cyber event does meet the threshold of a use of force/armed attack, he may determine that the activity is of such scope, duration, or intensity that it warrants exercising our right to selfdefense and/or the initiation of hostilities as an appropriate response. (Senate Armed Services Committee, 2010, p 12) The Lieutenant Generals use of the term scope suggests that the nature of the targets affected might also be of special significance in DoD assessment of 11

attacks, in line with a strict-liability approach. Indeed the Office of General Counsel guidance states that there may be a right to use force in self defense against a single foreign electronic attack in circumstances where significant damage is being done to the attacked system or the data stored in it, when the system is critical to national security or to essential national infrastructures (1999, p 20). The use of the strict-liability approach in this context is justified by the difficulty in distinguishing between mere computer exploitation and a potentially crippling computer attack against systems critical to national security, noting that expert opinion is that gaining access to a target for intelligence collection is tantamount to gaining the ability to attack that target (Senate Armed Services Committee, 2010, p 13). Having identified different approaches to interpreting armed attack under international law, it is necessary to highlight several key points of interpretive ambiguity and contention that are likely to arise in the context of cyber operations. Key Points of Interpretive Ambiguity as to the Threshold of Armed Attack in Cyberspace Although not an exhaustive list, this section will highlight several significant points of interpretive ambiguity in respect to the threshold of armed attack, yet to be clearly addressed in national military doctrine or other public policy pronouncements by any state. In the context of the strict-liability and effectsbased approaches to interpreting armed attack, it remains to be determined to what extent computer network operations that do not result in fatalities or physical destruction could constitute armed attack. In particular, it is unclear whether the neutralization (shutting down) or interference with a target network in isolation can constitute an armed attack (Owens et al, 2009). Drawing upon an instrument-based approach, Brown (2006) argues that the neutralization of a system achieves an effect that only a kinetic attack could match and therefore should be considered an armed attack (p 188). Others point to Article 52 (2) of Additional Protocol I to the Geneva Conventions of 1949, which lists neutralization as a possible result of an attack, along with 12

total or partial destruction and capture (Drmann, 2004). However such indirect evidence of customary international law is far from conclusive. There is also significant uncertainty as to whether cyber exploitation can be of such significance as to pass the threshold of armed attack. It has been argued by some analysts that tactical computer exploitation against sensitive military or intelligence sites can constitute a demonstration of hostile intent (Lin, 2010, p 84). Such preparatory activities in cyberspace, also termed enabling operations, most commonly involve the mapping of target networks and the gaining of substantive information or access so as to be able to conduct a network attack (Huntley, 2010, p 5). These actions arguably pass the threshold engaging the right to respond in self-defence to demonstrations of hostile intent or imminent attack, as recognized in various national military doctrines (see ADFP 06.4: Law of Armed Conflict, 2006, 6.18; Standing Rules of Engagement for US Forces, 2000, Enclosure A, 7). Indeed US military doctrine on information operations (IO) muddies the distinction between cyber espionage and cyber operations preparatory to an attack in referring to both enabling operations and intelligence collection capabilities as components of computer network exploitation (JP 3-13, 2006, p II-5). However, this approach is greatly at odds with a consequences or effects-based model with an emphasis on severity in terms of death and destruction (Kesan & Hayes, 2010, p 332). In lowering the potential threshold for forceful self-defence, the utilization of such an approach is likely to be highly controversial in practice. Particularly in respect to exploitations of unclassified information systems, claims of the occurrence of an armed attack are likely to be hard to sell (Office of General Counsel, 1999, p 18). A final additional point of ambiguity is whether the use of cyber attack to disseminate misinformation, as part of a broader information warfare campaign, can in itself constitute an armed attack. Such activity could include the distortion of foreign radar systems through cyber attack to make it appear a third party is launching missiles against that state, or the digital hijacking of media communications to disseminate false reports of the attack. In support of this claim, some Russian analysts have suggested information warfare 13

(including computer network operations) against Russia would categorically not be considered a non-military phase of conflict, to which Russia would retain the right of nuclear-response (Tsymbal, 1995 in Thomas, 1996, p 501). However, others contend this is unlikely to be official view, rather such bellicose statements my Russian Ministry of Defence officials are part of a typical strategy of deterrence (Heicker, 2010, p 26). Indeed Russian and Chinese strategists conceive of information warfare as an incessant fight, independent of conventional conflict and conducted in peacetime, the prelude to a conflict, and in wartime (see Liang & Xiangsui, 1999). Nonetheless, a report jointly commissioned by the Dutch Minister for Foreign Affairs and Minister of Defence argues that a cyber attack that could or did lead to serious disruption of the functioning of the state or serious and long-lasting consequences for the stability of the state could be qualified as an armed attack (Dutch Advisory Council on International Affairs, 2011, p 21). From the analysis above it is evident that there is no agreed bright-line rule as to when cyber attack constitutes an armed attack (Silver, 2002, p 75). Considering the variety of potential approaches adopted by states to the threshold of armed attack in a cyber context, national military commanders face considerable challenges in determining if their own operations are likely to be interpreted by other states as armed attacks or demonstrations of hostile intent. In lieu of these interpretive tensions, Schmitt (1999) argues that states should adhere to a conservative position on the threshold of armed attack based on the common interest in basic order (p 886). An additional benefit of a conservative threshold of armed attack is that a preference for cyber attack as a means of state coercion (less than armed force) may arise, such that civilians will be insulated from the more immediate dangers of kinetic warfare (ODonnell & Kraska, 2003, p 133). Furthermore, states with significant cyber offensive capabilities have an interest in promoting a weak response regime to cyber attack so as to maximise the benefit of their relative strength in this area (Huntley, 2010, p 3). Conversely, states that are particularly dependent upon networked infrastructure and digital information security may also have an incentive to publicize a low threshold of armed attack as part of a deterrence 14

strategy. Among other factors, the effectiveness of such a deterrence strategy will greatly depend on the perception by potential aggressors of a reasonable likelihood of attribution for their actions (Barkham, 2001, p 70). Frustratingly, the United States fits into both the above categories of states and thus would appear to be torn between the desire for defensive stability and the desire for offensive flexibility. However, before drawing any final conclusions as to the value of different approaches to the threshold of armed attack, there is still to be addressed the issue of the threshold of state responsibility for a given armed attack.

Part II: The Right of Self Defence and Non-State Actors In establishing the state right of self-defence against armed attack, Article 51 of the UN Charter provides no guidance as to whether this right may be exercised in response to the actions of non-state actors, or if some degree of state responsibility for an attack is required. This issue is of particular significance in the context of the altered power dynamic of cyber warfare, by which non-state actors may possess offensive capabilities akin to those of states (Jurich, 2009, p 287). The problem of nonstate cyber attacks has been exacerbated by a lack of cooperation by many states in dealing with cyber attacks through domestic law enforcement (Graham, 2010, p 93). Neither Russia nor China has signed the Council of Europe Convention on Cybercrime, such that cybercrimes are not extraditable offences in the very territories that arguably have the greatest representation of non-state cyber aggressors. Furthermore, there is substantial indirect evidence that some states, particularly China and Russia, have actively encouraged individuals to develop the capability to annoy or attack other states, analogous to peoples information warfare (Bickers, 2001; see also Soldatov, 2011). This is particularly problematic for US commanders as DoD guidance states that victim states generally do not have the right to use force in self-defence where individuals carry out malicious acts for private purposes (Office of General Counsel, 1999, p 22).

15

It has also been argued that the attribution of cyber attacks exclusively to private individuals is being exploited by states as a convenient cover for acts that are essentially state-sponsored, or at minimum, knowingly tolerated (Graham, 2010, p 93). The use of non-state proxies by state actors is also prevalent in conventional warfare see for example the blurring of Taliban and Al-Qaeda forces in Afghanistan (Lubell, 2010, p 98). However, this problem is particularly acute in the cyber theatre due to substantial technical obstacles in determining the identity of an attacker and therefore any connection to a state (see Part III). Noting the gravity of the issue, a critical point of ambiguity for commanders is the degree of state involvement required to warrant the exercise of self-defence in the territory of that state. Much like the range of interpretations of the threshold of armed attack, there is a significant spectrum of interpretations as to the threshold of state involvement in an attack to engage Article 51 rights. International jurisprudence has provided some guidance on the issue. In its Advisory Opinion on the Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory the International Court of Justice found that Article 51 recognizes the existence of an inherent right of self-defence in the case of armed attack by one State against another State but is of no relevance where attacks are not imputable to a foreign state (Advisory Opinion, 2004, para 139, p 62). This interpretation was reaffirmed the following year in the case Democratic Republic of Congo v. Uganda, in which the court held that attribution to a state for an attack was a precondition to the exercise of the right of self-defence by states (Judgement, 2005, para 146-157, p 223). A detailed assessment of the precise degree of involvement for an armed attack to be imputable or attributable to a foreign state can be found in the ICJ decision in the case Nicaragua v. United States of America, in which the court held that the United States could only be held legally responsible for the operations of the contras rebels in Nicaragua to the extent that it had effective control of the operations (Judgement, 1986, para 115). In this respect, the financing, organizing, training, supplying and equipping of the contras by the United States was not sufficient so as to constitute effective control (Judgement, 1986, para 115). Thus the jurisprudence of the ICJ argues 16

for the existence of a customary law norm that limits the exercise of the right of self-defence against non-state actors to cases where such actors are in effect operating at the behest of states and are therefore de facto state actors (Lubell, 2010, p 99). However it is uncertain if the ICJ jurisprudence in this area is truly recognisant of customary international law, given that state practice has consistently extended the right of self-defence beyond these bounds. In contrast to the jurisprudence of the ICJ, some states have asserted a right to armed self-defence against non-state actors with far more tenuous links to any given state. For example, the United States claimed the 9/11 Terrorist Attacks constituted an armed attack and consequentially invoked its inherent right of individual and collective self-defence as justification for its military operations against al-Qaeda in Afghanistan in 2001 (Letter from the Permanent Representative of the United States of America, 2001). It is important to note that in invoking the right of self-defence the United States also alleged a degree of complicity by the Taliban in the 9/11 attacks. In the same letter to the United Nations Security Council, the United States alleged that the Taliban (the de facto government of Afghanistan) refused to change its policy that allowed al-Qaeda to use Afghanistan to train and support agents of terror who target United States nationals and interests in the United States and abroad. The claim by the United States to a right of self-defence in this context is indicative of a broader shift in emphasis by states away from conclusive attribution and toward a norm of the imputed responsibility of states for all acts launched from within their territory (Graham, 2010, p 93). Certainly the evidence provided by the United States of Taliban support for al-Qaeda arguably would not have met the threshold of effective control established by the ICJ in the Nicaragua case. Rather, state practice in this case appears to extend the right of self-defence to cases where a state fails to fulfil an affirmative obligation to refrain from harbouring the perpetrators of an attack (Owens et al, 2009). More precisely, the threshold test of imputed state responsibility utilized by the United States military is if the host state of an attack is unwilling or unable to prevent a recurrence of attacks (Office of General Counsel, 1999, p 22). Thus there is an enormously significant gap 17

between the effective control interpretation of the ICJ and the imputed territorial responsibility interpretation utilized by some states in determining if a right of self-defence may be engaged. The conceptual divide between imputed territorial responsibility and effective control is likely to be of enormous significance in the context of self-defence against cyber attack. Although examined in detail in Part III of this paper, it is sufficient to note that there are significant practical obstacles to the detailed identification of the source of a cyber attack. Investigations into high profile cyber attacks conducted against Estonia, Georgia and the United States, were able to attribute the attacks to particular host territories (i.e. Russia and China) with relative ease (see Traynor, 2007; Swanson, 2010; US Office of the National Counterintelligence Executive, 2011). However, many months later, authorities were still unable to produce any evidence of effective control over the attacks by the governments of those host territories. Hence in an operational context, the imputed territorial responsibility threshold of state involvement in cyber attack is of much greater utility than the effective control threshold as a requisite burden of proof in the exercise of self-defence. However, in setting the threshold so low, an enormous burden is placed upon states to prevent the conduct of cyber attack from within their own territories. Noting that no state is currently able to detect or contain all aggressive cyber activity emanating from its networks, the decision to support a norm of imputed territorial responsibility for cyber attack would be as much a practical consideration as one of legal principle (Kanuck, 2010, p 1592). It is therefore appropriate at this juncture to turn to the issue of the practical limitations that commanders face in utilizing various interpretations of the right of self-defence against cyber attack. Part III: Practical Difficulties in Determining the Right to Self-Defence From the two previous parts of this chapter it is possible to extrapolate two principal practical requirements that must be satisfied by commanders before exercising the right to national self-defence. Firstly, there must be some technical measure of the effects or potential effects of a perceived threat to determine if it passes the threshold of armed attack or demonstration of hostile intent. Some understanding of the effects or potential effects of an attack is 18

also required if commanders are to exercise a proportional self-defence in accordance with the LOIAC and applicable national military doctrine. For example, the Standing Rules of Engagement for US Forces require that the application of force in self-defence must be proportional in intensity, duration, and magnitude to the perceived or demonstrated threat based on all facts known to the commander at the time (2000, 5 (f)). Secondly, there must be some evidence of the source of an attack so that the desired degree of state responsibility may be verified to conduct self-defence. Additionally, knowledge of the source of an attack will guidance commanders as to where self-defence measures may be most appropriately directed so as to neutralize the threat and deter further attacks. It will be demonstrated below that commanders face enormous challenges in fulfilling these two principal practical requirements and hence that the guidance of certain interpretive approaches to armed attack are of limited utility in the context of cyber warfare. Determining the Effects of an Attack In the event of cyber attack, information about the scale, trajectory and success of an attack is often slow and difficult to procure. From the earliest stage of discovery, commanders face severe obstacles in threat assessment. Firstly, the early effects of a cyber attack upon critical infrastructure may be hard to distinguish from computer or other technical malfunction. As a result, software errors have caused a number of incidents that were initially widely thought to be incidents of cyber attack (Greenburg et al, 1998, p 22). Widespread power blackouts in the US Northeast (2003) and the state of Espirito Santo in Brazil (2007), effecting millions of homes, were both initially blamed on malicious software (Clarke & Knake, 2010). However official inquiries ultimately revealed both to be the result of technical faults (Brito & Watkins, 2011, p 13). Based on this evidence, if states are to apply a strictliability approach to cyber attacks on critical infrastructure, such as power generating facilities, the risk of false positives is dangerously high (Dunlap, 2011, p 87). However an instrument or effects-based approach to determining the occurrence of armed attack is likely to be equally unworkable in the case of 19

attacks on critical infrastructure. Given that the effects of cyber attack may accrue at network speeds, the risk of further damage to critical systems may not permit commanders sufficient time to gather enough evidence to make an effects-based assessment (Owens et al, 2009, p 135). The established military decision-making process (MDMP) of threat assessment and response is based a systematic sequence of authorities not designed for such a rapid turn around between initial hostilities and forceful response (Caudle, 2010, p 167). Therefore an additional practical obstacle faced by commanders is the compression of decision-making time that results in the event of cyber attack (Terry, 2001). An additional complication in gauging the scale of an attack is that the effects of an attack may accrue according to multiple timescales. The effects of cyber attack may be modulated by a range of factors, including the speed at which malicious software is able to connect to additional systems, or by a particular trigger within the target system, such as the passing of a certain date or when a particular action is taken by users, which engages prepositioned malicious software known as a logic bomb (Brown, 2006). As a result it can take many months to determine the full consequences of an attack, including the number of infected systems and the purpose of malicious code. For example, the Stuxnet virus, thought to have begun taking effect on the nuclear centrifuges of Irans Natanz uranium refinement facility in mid-2009, was not discovered until June 2010, after which it took an additional three months to fully determine its purpose (Clayton, 2010). Thus the utilization of an effects-based approach to the threshold of armed attack may also lead to unworkable delays in the exercise of the right to self-defence. With this notion of time-compressed decision-making in mind, it is appropriate to consider complications that are likely to arise in assessing demonstrations of hostile intent or the threat of imminent attack by cyber actors. There is little to distinguish a cyber intrusion conducted for intelligence purposes (cyber exploitation) from actions preparatory to the delivery of hostile payloads of information (Lin, 2010, p 82). The difficulty for commanders is that there is no cyber equivalent to the acts that typically characterize an imminent conventional attack, such as the massing of troops on a border or the launch of 20

combat aircraft. Computer network attacks are most commonly conducted covertly and utilize swarming tactics such that hostile intent is almost indiscernible (Arquilla et al, 1999, p 53). Attacks often make use of multiple systems dispersed geographically and across Internet protocol zones (Hunker et al, 2008). Commanders will likely find it extremely difficult to distinguish between the initial stages of an attack by such dispersed state threats, and the background of attempted cyber exploitation that occurs routinely against defence systems (Owens et al, 2009, p 135). Therefore chief among obstacles to the assessment of the effects of cyber attack are the compression of decision-making time, accruement of effects over multiple time scales and use of complex attack trajectories by cyber adversaries. Determining the Source of an Attack Commanders must overcome immense practical obstacles in determining the source of a cyber attack and gathering potential evidence of state responsibility. In examining these obstacles it must be first understood that the Internet has no standard provisions for tracking or tracing data or for authenticating information in Internet Protocol (IP) packets (Hunker et al, 2008, p 6). At the most basic level, post event tracing of cyber attack is conducted by way of IP traceback by which the IP address of the attacking system is narrowed down to a physical location through the assistance of Internet Service Providers (ISPs). However, IP-addresses can be easily spoofed or faked in the case of one-way information flows, such as those that define DDoS attacks (Hunker et al, 2008, p 7). More sophisticated traceback methods trace other more-robust types of digital fingerprint imbedded in information packets such as hashes. During the transfer of each packet of information across a network a digital hash, or one-way cryptographic representation, is made of the data to authenticate its integrity as it travels across routers. By tracing the use of particular hashes, the source of a data packet can be traced backwards from one router to another (Wheeler & Larsen, 2003).

21

However, all such post-event traceback techniques are reliant upon the storing of data logs by routers and also require a significant degree of commercial and international cooperation in providing access to those routers logs where they exist in different jurisdictions (Graham, 2010, p 97). Due to the high volume of data that travels through routers, logs (including hashes) are only kept temporarily to save storage space (Chaikin, 2006, p 246). Internet Service Providers may not cooperate swiftly with requests by foreign authorities to access router logs or match IP addresses to physical locations for fear of privacy concerns and domestic legal liabilities (Young, 2010, p 190). Hence, many investigations of cyber attack often come to a grinding halt at a particular territorial boundary where ISPs are uncooperative. Additionally, network evidence located abroad is susceptible to manipulation or deletion by foreign authorities that wish to remove evidence of involvement in an attack (Chaikin, 2006, p 239). Thus even where a cyber adversary takes no special measures to conceal their identity, their location may be protected by a lack of international legal cooperation. In the investigation of ongoing cyber attack, commanders may draw upon a wider array of tools. Flows of data back to an attacker can be modified so as to aid in attribution such as through the addition of control packets that prompt each router the packet passes through to log its location within the packet data (Wheeler & Larson, 2003, p 18-22). Once the attacking system is identified it is then possible to attempt to hack back and mine that system for data revealing the identity or location of the user geographically or within a particular network (such as that of a known intelligence or military base). In addition, US Department of Defense guidance argues that more easily identifiable indirect evidence such as persistence, sophistication of methods, targeting of sensitive systems and effects of an attack will assist commanders in identifying state-sponsored intruders (Office of General Counsel, 1999, p 21). However, sophisticated attackers can also employ the use of proxy or conduit systems to further frustrate such tracing efforts. The use of proxy systems may take the form of a botnet a network of innocent systems previously compromised by hacker (Rush et al, 2009, p 66). Alternatively, a highly able attacker may compromise innocent systems in a more ad hoc manner, to be 22

used as stepping stones between the attacker and ultimate victim (Hunker et al, 2008, p 6). An attacker may then encrypt information flows between the source and conduit systems or leave conduit systems to conduct attacks autonomously, such that definitive end attribution for an attack becomes extremely time consuming, if not impossible (Chaikin, 2006, p 242). Attackers may also place false evidence on proxy systems to further implicate innocent parties as the source of the attack (Owens et al, 2009, p 145). Finally, there is no practical obstacle to states launching cyber attacks from within the territory of another state through the use of irregular or covert forces (Silver, 2002, p 9). For example, a cyber army in civilian guise may conduct cyber attacks from an office block in the Netherlands against the United States on behalf of the Peoples Republic of China. Thus at the heart of the attack attribution problem is the difficulty in linking the computer system responsible for an attack with the individuals or state that sponsored it (Developments in the Field, 2011, p 34). Therefore, chief among the obstacles to determining the source of cyber attack are the lack of international legal assistance in such investigations, the manipulability and short life span of digital evidence, and the use of proxies or conduit systems by attackers. Solutions From the above discussion it is evident that no particular fixed approach to the threshold of armed attack is likely to provide adequate guidance to commanders in an operational context. Noting the practical obstacles to determining the source and effects of cyber attack, a low threshold of armed attack and the imputed responsibility threshold of state involvement in an attack are of greatest utility to commanders in the conduct of cyber defence. In this respect, the ambiguity inherent in descriptions of armed attack in US military doctrine (notably the Standing Rules of Engagement for US Forces) may be beneficial in providing commanders flexibility. However, such a flexible approach also guarantees that the legality of defensive uses of force will constantly be open to contestation. Commanders may therefore become overly hesitant in responding to cases of cyber attack for fear of legal consequences 23

something adversaries are likely to exploit. Additionally, from the perspective of those engaged in offensive cyber operations, such low thresholds give commanders little certainty as to the threshold at which their operations will prompt an armed response. Due to the deficient guidance of the LOIAC in this respect, states are likely to draw upon particular interpretations of the thresholds of armed attack and state responsibility based on diplomatic or military tensions at the time of attack (Owens et al, 2009, p 146). Particularly in the case of large scale cyber attacks against sensitive targets, for example the New York Stock Exchange, public pressure is likely to ensure national leadership will respond to attacks with significantly less than 100% certainty of attribution and end effects (National Security Threats in Cyberspace, 2009, p 15). This present state of affairs is particularly troubling, given that serving members of the Joint Chiefs of Staff in cyber warfare decision-making roles have found senior leaders unappreciative and unfamiliar with the complexities of the cyber domain and attack assessment therein (Caudle, 2010, p 427). Although there is unlikely to be any swift solution to the practical obstacles described above, more precise doctrinal guidance and wise delegations of authority could help reduce the risk of unnecessary conflict. Dormant rules of engagement that become effective upon certain thresholds of evidence of armed attack, could provide authorization for particular uses of force according to the threshold of evidence that has been met (ODonnell & Kraska, 2003, p 150). This would also allow the delegation of authority to be brought down to the level of commanders familiar with the technological novelties of the cyber theatre, without fear of rapid escalation of hostilities. Additionally, this would help commanders cope with the time compression of the military decisionmaking processes in the cyber theatre. There is evidence that the MDMP of the US is already moving in this direction. Lieutenant General Keith Alexander has stated that he anticipates there will be a requirement to pre-authorize the use of force below the level of the National Command Authority due to the speed of developments in the cyber theatre (Armed Services Committee, 2010, p 14). Therefore although the guidance of the LOAIC is insufficient in this area, state policy making could work towards filling this void. 24

CHAPTER II: Determining the Lawful Limits of Cyber Warfare within an Existing Conflict The purpose of this chapter is to identify practical and conceptual limitations to the guidance of the LOIAC in determining the lawful bounds of cyber warfare within an existing conflict. This discussion will include possible remedies to these limitations. To this end, this chapter is divided into three sections according to three fundamental principles derived from the various declarations, conventions and embodiments of customary international law that comprise the LOIAC. Each section shall highlight interpretive differences in respect to these principles before examining how these might be applied to the cyber theatre. The three fundamental principles identified are military necessity, distinction and proportionality. Various national military manuals identify other fundamental principles, however it will be demonstrated that such principles are already expressed within the three identified above. Furthermore, this particular semantic grouping is favoured as it is that which was expressly recognized by Lieutenant General Keith Alexander, head of US Cyber Command, as governing all military operations (Armed Services Committee, 2010, p14). Part I: Military Necessity The principle of military necessity was embodied in the law of international armed conflict as early as the 1868 St. Petersburg Declaration, the preamble of which states that the only legitimate object which States should endeavour to accomplish during war is to weaken the military forces of the enemy. However, the most definitive embodiment of the principle of military necessity is found in Article 52 (2) of Additional Protocol I to the Geneva Conventions of 12 August 1949, which states; Attacks shall be limited strictly to military objectives. In so far as objects are concerned, military objectives are limited to those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or 25

neutralization, in the circumstances ruling at the time, offers a definite military advantage. It is from this definition of the principle of necessity that this paper will primarily draw. The effect of the Hague and Geneva law cited above is to relativise the definition of military objectives according to the conceptual bounds of the two yardsticks of effective contribution to military action and definite military advantage (Dinstein, 2010, p 94). Conversely, civilian objectives, which are protected from being made the object of attack, are all objectives which are not military objectives (Additional Protocol I, 1977, Article 52 (1)). However, such special protections do not apply where objects become dual-use by making an effective contribution to military action. For example, the protection afforded to nuclear power facilities as an instalment containing dangerous forces, ceases if it provides electric power in regular, significant and direct support of military operations and if such attack is the only feasible way to terminate such support (Article 56 (2)). The rule of military necessity is therefore restrictive rather than permissive, in that an object is presumed not to be a military objective unless it can be demonstrated that is making an effective contribution to military action and its total or partial destruction, capture or neutralization would provide a definitive military advantage (Dinstein, 2010, p 98). In practical terms, where an object makes an effective contribution to military action, its destruction, capture or neutralization should also offer a definite military advantage (Commentary on the HPCR Manual on International Law Applicable to Air Warfare, 2010, p 49). Differing Interpretations of Military Necessity There is a significant divide within Western military doctrine between liberal and conservative approaches to how direct the contribution to military action an object must make in order that its destruction should constitute a definite military advantage. In interpreting the two yardsticks of the military necessity of an attack, the relevant Australian and British military manuals define definite military advantage as a concrete and perceptible advantage rather than a hypothetical and speculative one and the advantage anticipated from 26

the attack considered as a whole (ADFP 06.4: Law of Armed Conflict, 2006, 5.29; JSP 383: Joint Service Manual of the Law of Armed Conflict, 2004, 5.4.4). Based on these interpretations, the British and Australian manuals provide relatively conservative lists of examples of possible military objectives extending from the enemy armed forces to industry and infrastructure directly supporting the war effort such as refined oil production facilities and communications towers. This list appears analogous to that of the 1923 Hague Rules of Air Warfare which limits air bombardment to military forces, military depots, arms manufacturing plants and military lines of communication and supply (Article 24(2)). The conservative approach to military advantage therefore does not include attacks on targets that will yield solely political, psychological or economic advantages (Commentary on the HPCR Manual on International Law Applicable to Air and Missile Warfare, 2010, p 45). Additionally, this military advantage must be immediately perceptible within the context of the attack considered as a whole, rather than of speculative advantage to the war effort in general. In contrast to the British and Australian approach, the military doctrine and practice of the United States has embodied a much more liberal interpretation of the necessary nexus between the destruction, neutralization or capture of a target and attainment of a definite military advantage. This position is encapsulated in the US Commanders Handbook on the Law of Naval Operations, which identifies as a valid military objective any object which by location, use or purpose makes an effective contribution to the enemys war fighting/war sustaining effort (2007, 5.3.1). It is important to note that the handbook considers purpose concerned with the intended, suspected, or possible future use of an object rather than its immediate and temporary use. In essence, the American position is that, particularly in protracted conflicts, attacks upon civilians directly contributing to the war effort, the national economy, research and development capabilities and political morale, constitute a definite military advantage by way of weakening the enemys warsustaining capability (Office of General Counsel, 1999, p 8). The effect of this interpretation of military necessity is therefore to drastically expand the range of objects that can permissibly be targeted. 27

The American position is commonly justified in terms of the dependence of modern military forces upon private industry and broader society (ODonnell & Kraska, 2003, p 155). It is also argued that the psychological effect of targeting non-military targets, in particular political leadership, can topple an opposing regime and bring an early cessation to hostilities (Kelsey, 2008, p 1447). However, actions that further the national-strategic goals being pursued in an armed conflict must be distinguished from those that produce a definite military advantage (Henderson, 2009, p 146). A potential political outcome, such as a possible change in the negotiating attitudes of the enemy, is a political, rather than military advantage (Dinstein, 2010, p 93). As a result of these interpretive differences, the United States military has encountered significant mission planning difficulties when operating in coalition with other Western forces. For example, during the 1999 NATO air campaign against the Serbian Government of Slobodan Milosevic the United States was forced to cancel a number of missions mid flight due to a refusal by allied forces to participate in attacking non-military targets (Kelly, 2005, p 163). Similarly, Australian F/A-18 pilots, under the joint operational command of American forces in Afghanistan, reportedly refused to drop bombs on up to forty missions when their own interpretation of the military necessity and proportionality of the strike, differed from that of their American commanders particularly in respect to the risk of civilian casualties (Walker, 2004). Thus it is evident that liberal approaches to the interpretation of military necessity are likely to prove highly controversial. At this point it is appropriate to examine where the interpretive limits of military necessity are likely to be drawn in respect to cyber operations. Interpreting Cyber War Fighting Military Objectives Noting the different interpretations of military necessity discussed above, there are a number of war fighting and war sustaining targets of questionable legality that are particularly vulnerable to cyber attack. Downs (1995) suggests that national financial networks and stock exchanges are likely to be targeted by cyber attack in an attempt to disrupt commerce and erode the enemys 28

political will. However it is unlikely that many states will accept the existence of a sufficient nexus between financial networks and the enemys war sustaining capability to justify such attacks on the basis of military necessity (Brown, 2006, p 198). In contrast, there is a significant case to be made for attacks upon civilian telecommunications infrastructure as a contributor to both war fighting and war sustaining capability. Civilian communication lines have long been recognized as potential military objectives. For example, Article 8 (1) of the 1954 Hague Convention for the Protection of Cultural Property in the Event of Armed Conflict cites main lines of communication, along with broadcasting stations, as examples of important military objectives. The classification of civilian communication lines as military objectives was historically due to their role in military logistics. For example, the majority of the telecommunications of the US Department of Defense move through public switch networks provided by civilian contractors (Kelsey, 2008, p 1432). However since the 1954 Hague Convention and the digital revolution, civilian communication lines have taken on an additional military significance as potential conduits of cyber attack. Indeed dedicated military infrastructure rarely exists in respect to network (Internet) based communications and cyber operations (Brown, 2006, p 186). However, it should be noted that the 1954 Hague Convention recognizes main, rather than all, lines of communication as military objectives, suggesting that it must either be known or anticipated that targeted communication lines will be of particular military priority. To satisfy the principle of military necessity there must be a reasonable expectation that the destruction, capture or neutralization of a particular communications line will provide a military advantage in the circumstances ruling at the time of attack (Terry, 2001, p 86). Thus, although all systems and communications lines connected to the Internet, including civilian computer systems, routers and satellites, are potential conduits of attack in cyber warfare or channels of military communications, this does not mean that all attacks upon such structures can be summarily considered to satisfy the principle of military necessity (Brown, 2006, p 185). 29

If commanders are to adhere to the conservative interpretation of military necessity and direct attacks purely towards objects that contribute to the enemys war fighting capability, a key challenge will be determining which particular civilian computer systems and lines of communication are likely to be utilized in routing military communications or cyber attack. In this endeavour, upstream conduits of cyber attack and military communications are likely to be identified with reasonable confidence such as the routers or fibre-optic cable connecting a known cyber operations centre to the Internet. In contrast, down stream conduits of communications and cyber attack, such as the particular routers and cables through which a cyber attack will cross international borders, are likely to be extremely difficult to determine as the route that information takes across the Internet is not subject to any standard protocol (Hunker et al, 2008). Thus the key difficulty facing commanders is that in the age of networked communications, there are no dedicated main lines of communication. Military forces can potentially route military communications and cyber attack through any portion of the national or international communications grid (adjusting for the information carrying capacity of certain interchanges). Because of these difficulties, some commentators argue that the entire network communications grid of a belligerent can be considered a military objective (Kelsey, 2008). However, it will be difficult to demonstrate that the military advantage attained in disabling an entire nations communications grid was proportionate to any collateral damage that might result from the collapse of civilian networked infrastructure (Brown, 2006, p 194). Thus although arguably within the bounds of military necessity, attempts to disable a belligerents entire communications grid may not satisfy the principle of proportionality (see Part III of this chapter for further discussion of the principle of proportionality). Thus commanders face considerable pressure to restrict attacks to better-defended upstream conduits of military communications and cyber attack. In this respect, limitations to the guidance of the LOIAC may hinder commanders in effectively combating a belligerents cyber warfare capability without fear of international criminal liability. A Cyber Exception to Military Necessity? 30

As discussed in Part I of the previous chapter, there is significant uncertainty as to whether cyber attacks that solely result in the neutralization of targets can be considered armed attacks under international law. Noting that the guidance of Article 52 (2) of Additional Protocol I applies to attacks, there is some debate as to whether the principle of military necessity should apply to cyber attacks that result solely in neutralization. To this end, some scholars place particular emphasis on Article 57 of Additional Protocol I, which requires military planners only to avoid incidental loss of civilian life, injury to civilians and damage to civilian objects in the planning and execution of attacks (see Schmitt, 2002, p 187; Swanson, 2010, p 317). From this somewhat selective reading, they conclude that cyber attacks that do not cause death or destruction do not require adherence to the principles of military necessity or distinction under the LOIAC. However, such a reading ignores the explicit requirement, laid down in Article 48, that Parties direct their operations (rather than attacks) solely against military objectives and distinguish at all times between civilians/civilian objects and combatants/military objectives. Any cyber operation that is conducted by military personnel during an armed conflict is certainly a military operation, and therefore would be governed by the basic rule of distinction inherent in Article 48 (Harrison-Dinniss, 2011, p 7). This interpretation is in keeping with the view expressed by General Keith Alexander that all military operations, to include actions taken in cyberspace must comply with the principles of the LOIAC (Armed Services Committee, 2010, p 14). There is additional reason to the extension of the principles of the LOIAC in that the indirect effects of military operations, and in particular cyber attacks, can induce far worse calamities than the observable direct effects. For example, in the Korean War, Vietnamese War and First Gulf War, US commanders touted attacks upon electrical power generating facilities as bloodless or humanitarian methods of weakening enemy resolve and war-sustaining capability (Crawford, 1997). Similarly, some commentators tout cyber attack against power generating facilities and other infrastructure as a humanitarian alternative to conventional warfare (see Kelsey, 2008, p 1432). However such attempts to adhere to the LOIAC while coercing civilian populations have been 31

repeatedly proven to redistribute rather than reduce civilian casualties (Downes, 2008, p 246). For example, the indirect effects of attacks upon Iraqs electrical power grid during Operation Desert Storm included the disabling of water purification, distribution and sanitation systems, a reduction in hospital capacity and the refrigeration of insufficient quantities of vaccines and medicines (Crawford, 1997). The resultant epidemic of disease and lack of medical treatment is conservatively estimated to have caused at least 70,000 non-combatant deaths (Arkin, 1994). Thus there is no logical case for a special rule excluding non-destructive, nonlethal military operations from the requirements of military necessity, distinction and proportionality. Such an exception would be in contradiction to the fundamental purpose of the LOIAC, expressed in the preamble to the 1868 St Petersburg Declaration, to have the effect of alleviating as much as possible the calamities of war. Part II: Distinction Under Additional Protocol I to the Geneva Conventions of 1949, the principle of distinction is composed of two separate obligations placed upon belligerent parties to a conflict. The first of these obligations, referred to as the Basic Rule under Article 48 of the Protocol, requires parties to at all times distinguish between the civilian population and combatants and between civilian objects and military objectives and accordingly direct their operations only against military objectives. This obligation includes the prohibition on indiscriminate attacks. Indiscriminate attacks are defined under Article 51 (4) of the Protocol as; (a) those which are not directed at a specific military objective; (b) those ( which employ a method or means of combat which cannot be directed at a specific military objective; or(c) those which employ a method or means of combat the effects of which cannot be limited as required by t this Protocol;and consequently, in each such case, are of a nature to strike military objectives and civilians or civilian objects without distinction. 32

The prohibition on indiscriminate attacks is subsumed within the principle of distinction, as by nature an indiscriminate attack would also not satisfy the principle of distinction. The second obligation within the principle of distinction is the requirement under Article 44(3) that combatants distinguish themselves from civilian population while engaged in an attack or in a military operation preparatory to an attack. According to Article 44, the generally accepted practice of states is that distinction of combatants is achieved by the wearing of a regular uniform or a fixed distinctive insignia visible at a distance. However, where the nature of the hostilities do not permit a combatant to distinguish themselves as such, they must at minimum carry their arms openly during each military engagement and during such time as they are visible to the enemy while engaged in a deployment preceding an attack in which they are to participate. It should be noted that a number of states, including Australia, France, Germany, the United Kingdom and the Republic of Korea, made declarations at the time of ratification to the effect that this exception to the wearing of regular uniforms applies only in occupied territories or during wars of national liberation (Gaudreau, 2003, p 10). Additionally, the killing, injuring or capture of an adversary by resort to the feigning civilian, non-combatant or other protected status is specifically prohibited within the broader prohibition of perfidious acts under Article 37 (see also, US Commanders Handbook on the Law of Naval Operations, 2007, 12.7). Perfidious acts are considered unacceptable because they blur the distinction between combatants and non-combatants and thereby encourage attacks upon civilians (Rowe, 2010). Correspondingly, for civilians to enjoy protection from the dangers arising from military operations, they are required to not take a direct part in the hostilities (Additional Protocol I, Article 51 (3)). Indeed, civilians generally do not have a legal right to participate directly in international hostilities. Civilians can play a role in military logistics and support, however they must not engage in attacks or carry arms with the possible exception of small arms for self-defence purposes (UK Joint Service Manual of the Law of Armed Conflict, 2004, 4.3.7). The only exception to this 33

rule is in the case of a leve en masse, by which, upon the approach of the enemy, the inhabitants of an unoccupied territory may spontaneously take up arms as lawful combatants and resist the enemy, so long as they carry their arms openly and respect the rules of war (Geneva Convention I of 12 August 1949, Article 13 (6)). The obligation of combatants to distinguish themselves assists other combatants in the fulfilment of the first obligation to direct their operations only against military objectives. In examining limitations to the guidance of the LOIAC in the conduct of cyber warfare, this section will first examine the potential classification of certain cyber weapons as indiscriminate and uncertainties in this respect. This will be followed by a discussion of ambiguities as to the application and fulfilment of the second obligation of the principle of distinction and the avoidance of perfidy in cyberspace. Determining the Discriminate Use of Cyber Weapons Commanders face significant practical obstacles in directing the effects of cyber attack or cyber defence in accordance with the principle of distinction. In addition to difficulties in attack attribution (cyber combatant identification) and the interpretation of military objectives, the nature of certain cyber weapons may prevent their use in a discriminate manner. Multiple international conventions restrict or ban the use of certain weapons that may be considered indiscriminate in certain contexts, including chemical and biological weapons land mines and cluster bombs (for an exhaustive list see Dinstein, 2010, p 62). This paper will focus specifically on self-propagating malicious code and autonomous or active defences as potentially indiscriminate or blind cyber weapons, noting this is by no means an exhaustive list of cyber weapons of questionable legality. The use of self-propagating malicious code or computer viruses in cyber attack could potentially be interpreted as an indiscriminate means of warfare, and therefore in conflict with the LOIAC. Similarly to biological viruses, the spread of self-propagating malicious code cannot necessarily be limited to military objectives (Brown, 2006, p 158). This has lead some to label self-propagating 34

malicious code as an indirect fire weapon, which is indiscriminate by nature and should be prohibited (ODonnell & Kraska, 2003, p 158). The US Department of Defence notes that where malicious logic spreads to neutral territories or other traditionally protected targets, the prohibition on indiscriminate weapons may apply (Office of General Counsel, 1999, p 10). However, it is necessary to distinguish between weapons that may be employed contrary to the principle of distinction, and those which, by design, cannot be employed in a discriminate manner (Dinstein, 2010, p 62). In considering in which of the two categories self-propagating malicious code lies, it is appropriate to consider the Stuxnet attack against Irans Natanz nuclear refining plant. Although Stuxnet, a self-propagating piece of malware, entered the refining plant systems through civilian gateway targets, the virus was designed so as to only detrimentally effect the operation of a particular industrial platform used to control centrifuge speeds (Harrison-Dinnis, 2011, p 8). The only effect the virus had on any other system was to propagate itself. The malware included an additional safety in the form of a built-in selftermination code that stopped its replication routines on the 24th of June 2012 (Kaspersky Securelist Blog, 2012). It is therefore evident, that self-propagating malicious is not an inherently indiscriminate weapon. Where there is sufficient lead-in time to an attack as to attain detailed information of target systems, such cyber attacks can be customized so as to only affect certain preapproved targets (Owens et al, 2009, p 123). Brown goes far further in arguing that smarter self-propagating malicious code can autonomously distinguish between civilian and military objectives according to the type of software and hardware systems contain or by the type of networks to which they are connected (2006, p 197). However, as explained in the previous part to this chapter, there are no permanent characteristics associated with military objectives that can be coded into a piece of software. Rather, military objectives are subjectively identified according to their contribution to military action and the perceived military advantage in their destruction, neutralization or capture, in the circumstances at the time of attack (Additional Protocol I, 1977, Article 52(2)). The code that governs a piece of malware is impervious to the contextual shifts that govern 35

military necessity in the real world, and therefore cannot be considered to be able to autonomously distinguish legitimate military objectives. Thus the use of self-propagating malicious code may be considered indiscriminate, except where the military effects of that code have been limited to a known system that has been identified by human combatants as a military objective, in accordance with the principle of military necessity (Terry, 2001, p 87). On this note, it is appropriate to examine the legality of autonomous cyber defences. The US Department of Defence has recognized that, due to the speed at which the effects of sophisticated cyber attack may accrue, active or autonomous cyber defences may be warranted in the protection of critical infrastructure (Office of General Counsel, 1999, p 21). However the removal of human judgement from the combat decision-making cycle brings with it certain risks and legal complications (Young, 2010). Before discussing these risks and complications further it is necessary to briefly explain the functioning of automated cyber defences. Automated or active cyber defences are defined by their ability to both detect an attack and conduct an effective defensive response autonomously, by way of further threat monitoring, containment or neutralizing counter-attack. A typical component of an automated defence is an intelligent software decoy (ISD). ISDs are a software component that tolerates violations of its code (unknown or foreign data sequences) in order to learn more about a violating process (also termed a cyber opponent) (Michael, 2002, p 2). An ISD can be wrapped around important components of software, such that it will activate when any violations of that protected components contract (code) occur and respond by transferring those interactions to a secure virtual sandbox where they can be further monitored. In this respect, ISDs can detect, isolate and attempt to discern the purpose of malicious software or processes. However, in the case of a truly active defence, ISDs can respond to a known pattern of intrusion, such as a sequence of processes designed to overload a system with information, with disruptive, neutralizing or exploitative sequences of its own. In other words, an ISD can autonomously conduct cyber warfare against the apparent source of malicious code. The employment of such a capability raises several legal issues. 36

Noting that cyber attack is often routed through a series of innocent stepping stone systems or networks, there is the danger that active defences will direct malicious code indiscriminately and disproportionately against networks and systems between itself and the attacker (Graham, 2010, p 99). For the effects of cyber attack to be directed at a particular system certain intelligence information is generally required, such as the systems IP address, operating platform, security configuration and network connectivity (Owens et al, 2009, p 118). Without such information, attackers must rely on cyber tools capable of targeting a broad spectrum of systems. Where network infrastructure and system connectivity is not completely mapped a broad-spectrum cyber attack upon a legitimate military objective, such as a civilian telecommunications hub being used to channel a cyber attack, may indiscriminately spread to civilian objects, such as the computer network of a hospital (Michael, 2002). It is doubtful that active defences could autonomously conduct such intelligence gathering and subjective target data interpretation as would be required to ensure that any counter attack was directed purely towards military objects (ODonnell & Kraska, 2003, p 157). Noting that human interpretations of such intelligence are likely to be superior to that of software, it is difficult to argue that reliance upon an automated system to conduct the entire targeting process could fulfil the obligation under Article 57 of Additional Protocol I to do everything feasible to verify that the objectives to be attacked are neither civilians nor civilian objects. Furthermore, where an automated defence was conducted against dual-use objects, such as civilian systems used as conduits of cyber attack, that defensive action would also have to adhere to the principle of proportionality. However no present piece of software could be considered to have the properties necessary to replace human commanders in the calculation of such contextually grounded notions as military advantage and proportionality (Sharkey, 2010, p 378). Thus at present, there is insufficient evidence that active cyber defences can autonomously conduct cyber counter attack in accordance with the principles of distinction and proportionality.

37

Thus despite the complexities of cyber warfare technologies, the basic tenets of the LOIAC are sufficient to determine where the use of particular weapons, such as self-propagating malicious code and active defences, is in violation of the principle of distinction (Dunlap, 2011, p 81). Thus the lack of specific doctrinal or treaty guidance specifically limiting the use of such cyber weapons is due to a policy gap by states, rather than any particular limitation to the guidance LOIAC (Lin et al, 2012). How Combatants Must Distinguish Themselves in Cyberspace As explained above, the distinction between combatants and civilians is maintained by complimentary requirements placed upon combatants and civilians under the LOIAC. However, there is enormous uncertainty as to how to interpret the application and fulfilment of these requirements in regard to hostilities conducted in cyberspace. One point of particular uncertainty is whether combatants have an obligation to distinguish themselves in cyberspace as they would on a conventional battlefield. Many forms of cyber attack function by imitating civilians, neutral parties or members of the armed forces of adverse parties. The least sophisticated examples of such behaviour include the routing of distributed denial of service attacks through gateway systems in neutral states or the sending of malware via email from the apparent address of a protected organization such as the UN (ODonnell & Kraska, 2003, p 157). At a more sophisticated level, intelligent software decoys may act perfidiously in gaining an entryway into an attacking system by imitating the responses of a protected civilian system suffering cyber attack (Michael, 2002, p 4). The feigning of non-combatant or neutral status inherent to such cyber warfare methods is arguably perfidious within the meaning of Article 37 (1) of Additional Protocol I, by inviting the confidence of an adversary to lead him to believe that he is entitled to, or is obliged to accord, protection under the rules of international law applicable in armed conflict, with intent to betray that confidence. Where combatants use the guise of non-combatant or neutral systems, the distinction between non-combatant and combatants becomes 38

blurred and the likelihood of both kinetic and cyber attacks upon civilian objects and civilian increases (Brown, 2006, p 203). However, Drmann argues that only the killing, injuring or capturing of an adversary by resort to perfidy is prohibited, such that perfidious cyber attacks that do not have such effect are not prohibited (2004, p 11). However, as the UK Joint Service Manual of the Law of Armed Conflict rightly notes, where a person takes a direct part in the hostilities without distinguishing themselves as a combatant they violate the principle of distinction and may be tried as unlawful combatants, regardless of whether their actions included the killing, injury or capture of an adversary (2004, 5.9.2). This perspective has been upheld in numerous case law examples in respect to the actions of nonuniformed saboteurs, including where said saboteurs were part of the regular armed forces of a belligerent party to the conflict (see Military Prosecutor v. Swarka and Others, 1974). Where cyber combatants merely feign the status of enemy combatants, rather than non-combatants or neutrals, the unlawfulness of such tactics is less certain. It should be noted that Article 39 of Additional Protocol I forbids as perfidious, the use of the military emblems, insignia or uniforms of adverse parties while engaging in attacks or in order to shield, favour, protect or impede military operations. Thus the use of the military electronic signals of adverse parties to gain access to military systems could be interpreted as contrary to international law. However the standard interpretation of Article 39 is that it only applies to concrete visual objects such as human combatants, military vehicles and aircraft, such that the use of an adversarys electronic signals, codes or passwords are legitimate ruses of war (OBrien, 2001, p 15). Indeed the use of enemy signals, wireless code signs and command sequences are also recognized as legitimate ruses in numerous military manuals (see for example, Law of Armed Conflict at the Operational and Tactical Level (Canada), 2001, 602.3). Dinstein adds that although it would be legitimate ruse of war to send false messages that appear to come from an enemys own forces, such signals could not include distress signals, signals of surrender or any other recognize signal warranting special protection (2010, p 312). This is in accordance with Article 37 (2) of Additional Protocol I, which recognizes ruses 39

of war as legitimate so long as they do not invite the confidence of an adversary with respect to protection under international law. Therefore there is a strong case to be made that cyber combatants may masquerade as enemy cyber combatants (military users or systems) as a legitimate ruse of war, where no resort to internationally recognizes symbols or signals or protection is made. In contrast, the feigning of cyber non-combatant or neutral status through the use of non-combatant or neutral gateway systems or identifying signals can be considered a violation of the principle of distinction under the LOIAC. At this point, it is appropriate to examine potential ambiguities in the application and fulfilment of civilian obligations under the principle of distinction. Distinguishing Direct Participation in Cyber Warfare As discussed earlier, according to the LOIAC civilians shall not be made the object of attack unless and for such time as they take a direct part in hostilities (Additional Protocol I, Article 51 (3)). However there is potential ambiguity as to what constitutes direct participation in hostilities in cyberspace, such that some argue there is a risk that civilians will unwittingly cross the threshold of combatant status. Hoffman (2003) argues that, tacit support of a belligerent party through online propaganda or the spreading of false information to undermine military efforts may lead to the identification of civilian users as combatants (2003, p 425). Brown further argues that the increased dependence of military operations on civilian infrastructure and logistics, inherent to the Revolution in Military Affairs, blurs the distinction between military personnel and civilian operators (Brown, 2006, p 183). Especially in respect to remote warfare, including drone and cyber warfare, the legal limits of the involvement of civilian operations have been pushed in recent years. For example, the CIA has made use of civilian drone operators to strike Taliban and al Qaeda leaders in Afghanistan and Pakistan, in potential breach of the LOIAC (Solis, 2010). However, despite the novelty of the cyber theatre, there have been numerous attempted clarifications of the concept of direct participation in the hostilities 40

that can provide useful guidance as to its limits in cyberspace. The International Committee of the Red Cross (ICRC) conducted a half-decade of forums of experts on the subject, to the conclusion that acts amounting to direct participation in the hostilities must meet certain requirements. In particular, such acts must be reasonably expected to adversely affect the military operations or military capacity of a party to the conflict, or alternatively inflict death, injury or destruction on persons or objects protected from direct attack under the LOIAC (ICRC, 2009, p 46). Such affects must be achieved in one causal step (ICRC, 2009, p 53). Schmitt argues that a more accurate interpretation is that the act must be of tactical, rather than strategic significance to the war effort (2010b, p 728). According to the final interpretive guidance report of the ICRC, included amongst acts adversely affecting military operations and capacity is the electronic interference with military computer networks, whether through computer network attacks (CNA) or computer network exploitation (CNE), as well as wiretapping the adversarys high command or transmitting tactical targeting information for an attack (ICRC, 2009, p 48). However, in earlier ICRC forums specifically on the topic of the cyber warfare, a small minority of experts contended that CNA would have to result in death, injury or destruction to constitute direct participation in hostilities (Drmann, 2004, p 9). A substantial majority of also agreed computer that support activities, not including the maintenance military programs did constitute direct

participation in hostilities (Drmann, 2004, p 9). Thus there appears to be a general consensus that civilian support of military cyber capacity through the maintenance of cyber infrastructure and logistics should not be interpreted as direct participation in hostilities. However, it also appears that where civilian ISPs or individual users provide targeting information to combatants, such as the IP address of an enemy cyber combatant, they arguably take a direct part in hostilities. This interpretation is in accordance with the US Commanders Handbook on the Law of Naval Operations, which lists a range of potential examples of direct participation in the hostilities, including acting as a lookout or intelligence agent for military forces (2007, 8.2.2). 41

In contrast, the tacit support of a belligerent party through online propaganda does not appear to fit the rubric of direct participation in hostilities. The military contribution made by propaganda is neither tactical nor achieved in one casual step. This interpretation is also supported by national jurisprudence. In the case Public Committee Against Torture in Israel v. Government of Israel the Israeli Supreme Court held that that general logistical support and the distribution of propaganda merely constitutes indirect participation in the hostilities (Judgment of the 14th December, 2006, para 35). Therefore, contrary to the claims of Hoffman (2003) and Brown (2006), there is sufficient consensus as to the meaning of taking a direct part in hostilities as to govern the distinction between the activities of civilians and combatants in cyberspace. Part III: Proportionality The principle of proportionality was implicitly recognized as early as the 1923 Hague Rules of Air Warfare, which recognized the bombardment of population centres or buildings as legitimate provided the concentration of military forces therein was sufficiently important, having regard to the danger thus caused to the civilian population (Article 24(4)). However, the principles explicit recognition under Additional Protocol I (1977) was indicative of a tectonic shift in customary international law, in favour of proportionality in the conduct of warfare (Dinstein, 2010, p 130). The principle of proportionality is embodied in Article 51 (5) (b) of Additional Protocol I, which prohibits attacks which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated. In support of the customary law status of the principle of proportionality, the text of Article 51 (5)(b) is repeated verbatim in Australian Defence Force Publication 06.4: The Law of Armed Conflict (2006, 5.61) and the UK Joint Service Manual of the Law of Armed Conflict (2004, 5.32). Similarly, the US Commanders Handbook on the Law of Naval Operations recognizes the principle of proportionality as the requirement that incidental injury, including 42

death to civilians and damage to civilian objects resulting from an attack, is not excessive in relation to the concrete and direct military advantage expected to be gained (2007, 5.3.3). Thus there is an effective consensus amongst states as to the basic interpretation of the principle of proportionality. The only point of considerable contention is in the interpretation of military advantage, which was already discussed in detail in Part I of this chapter. Thus the remainder of this section will focus upon potential practical difficulties for commanders in determining the proportionality of cyber attacks. Practical Obstacles to the Proportional Use of Cyber Weapons In attempting to adhere to the principle of proportionality in attack, the issue of cascading effects within network infrastructure should be of particular concern to commanders. Unlike the effects of kinetic attacks, which can theoretically calculated and empirically validated based on ballistics testing, the effects of a particular type of cyber attack can vary enormously depending on the design of network infrastructure, the configuration of the target system, and the behaviour of users (Owens et al, 2009, p 122). Furthermore, Internet traffic is supported by a hub and spokes model of network connections between small nodes such as businesses and infrastructure, and larger nodes such as major cities and international undersea cables (Kelsey, 2008, p 1432). As a result, attacks affecting one Internet node may also affect all the systems and nodes dependent upon that connectivity hub. Additionally, cyber attackers may exploit such network architecture to ensure that any cyber response directed against them would result in unacceptable collateral damage to civilian objects (Michael, 2002, p 3). Therefore in cyberspace there is no analog to the conventional notion of a lethal radius in which targets will be affected (Owens et al, 2009, p 122). Instead, military planners must grapple with extremely long chains of causality in determining the risk of incidental damage and loss of life. Especially in the case of large scale cyber attacks upon networked infrastructure, designed to weaken an enemys war-sustaining capability, it may be difficult for commanders to contain the effects of cyber attacks to a proportionate range of targets (Downs, 1995, p 15). Thus it appears extremely difficult for 43

commanders to satisfy the obligation to take all feasible precautions in the choice of means and methods of attack to minimize incidental damage and loss of life, in accordance with Article 57 (2) (ii) of Additional Protocol I. In recognition of this burden, several states merely require commanders to take all reasonable precautions to avoid incidental injury, loss or damage to protected persons and objects (see ADFP 06.4: The Law of Armed Conflict, 2006, 5.53; US Commanders Handbook on the Law of Naval Operations, 2007, 8.3.1) The weakness of the lesser requirement to take all reasonable precautions is that commanders can subjectively flex this requirement towards a minimal obligation. Of great concern in this respect is the documented tendency amongst remote warfare combatants towards emotional and moral disengagement in the making of targeting decisions (see Royakkers & van Est, 2010). This problem is exacerbated by the frequent handling of cyber attacks in a purely notional sense in US war-gaming exercises. Combatants are simply told if an attack succeeds or fails, rather than being made to grapple with the uncertainties of real-world intelligence and potential unexpected collateral effects (ODonnell & Kraska, 2003, p 151). To stave off any trend towards the minimization of precautionary measures in cyber warfare, without completely sacrificing operational efficiency, commanders are likely to require supplementary guidance to the LOIAC. Similarly to the concept of dormant rules of engagement discussed in Chapter I, commanders could benefit from a staggered set of force options based on the extent of targeting information able to be obtained or the satisfaction of specific precautionary measures such as the determination of the geographical location or network connectivity of the system. If particular pieces of targeting information cannot be obtained, commanders attack options can be restricted to reversible, easily containable or otherwise conservative methods and means of cyber warfare.

CONCLUSION In this paper it has been demonstrated that the guidance of the LOIAC is of varied utility in determining the lawful bounds of cyber warfare. In Chapter I it 44

was demonstrated that several points of interpretive ambiguity and contest exist as to the limits of the right of national self-defence in response to cyber attack. Furthermore, no single approach to the right of national self-defence in cyberspace is universally advantageous or strategically prudent. Additionally, it has been argued that commanders face significant obstacles in fulfilling the practical requirements of a lawful self-defence response to cyber attack. In Chapter II it was demonstrated that significant interpretive contest and resultant operational uncertainties exist in respect to the application of the principle of military necessity in cyber warfare. In contrast, the guidance of the LOIAC is sufficient so as to determine the application of the principle of distinction in cyber warfare, despite the use of particularly complex and novel means and methods of attack. Conversely, the guidance of the LOIAC was of little utility in guiding commanders as to determinations of proportionality in cyber warfare, principally because of practical complications inhibiting any reasonable assessment. Therefore overall, the guidance of the LOIAC is of mixed utility to commanders in determining the lawful bounds of cyber warfare. However, throughout this paper it has also been argued that such deficiencies in the LOIAC are not beyond amelioration. Where international legal guidance is lacking and practical complications are abundant, careful domestic policy-making and doctrinal guidance can assist in protecting commanders and minimizing uncertainty and risk in operational decision-making. Some points of contestation, such as the interpretation of the principle of military necessity, are admittedly likely to remain contested indefinitely. This is in part due to the nature of international law as a living and evolving organ of international relations. However, in the interest of further adapting the LOIAC to emerging methods of warfare, there must be a greater effort made by states to frequently and comprehensively publicize their interpretations of international law in this area. On this note, a particular limitation to this paper has been the lack of publicly accessible cyber warfare doctrine. Future research would benefit from access to key decision makers in the practice of cyber warfare. Public access 45

permitting, further study of the technological constraints facing commanders in cyber warfare decision-making would also be of enormous assistance in reaching more definitive answers in this paper.

BIBLIOGRAPHY Books and Academic Articles Alexandrov, S A, 1996, Self-Defense Against the Use of Force in International Law, The Hague: Kluwer International Arkin, W M, 1994, "The Environmental Threat of Military Operations, paper presented at the Symposium on Protection of the Environment During Armed Conflict and Other Military Operations, September 20-22, Newport, RI: Naval War College Arquilla, J, D Ronfeldt & M Zanini, 1999, Networks, Netwar, and InformationAge Terrorism, in I Lesser (ed), Countering the New Terrorism, Santa Monica: Calif Barkham, J, 2001, Information Warfare and International Law on the Use of Force, 34 New York University Journal of International Law and Politics 57 Brito, J & Watkins, T, 2011, Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy, Mercatus Center: George Mason University, working paper, available at <http://mercatus.org/sites/default/files/publication/WP1124_Loving_cyber _bomb.pd> Brown, Davis, 2006, A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict, Harvard International Law Journal, vol. 47, no. 1, pp. 179-221 Cassese, A, 2006, International Law, Oxford University Press: Oxford Caudle, D L, 2010, Decision-Making Uncertainty and the Use of Force in Cyberspace: A Phenomenological Study of Military Officers, University of Phoenix, <http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA534888> Chaikin, D, 2006, Network investigations of cyber attacks: The limits of digital Evidence, Crime, Law, and Social Change, vol. 46, no. 4-5, pp. 239-256. Clarke, R & Knake, R, 2010, Cyber War, New York: HarperCollins Publishers Condron, S, 2007, Getting it Right: Protecting American Critical Infrastructure in Cyberspace, Harvard Journal of Law and Technology, vol. 20, no. 2, pp. 403-422

46

Crawford, J W, 1997, The Law of Noncombatant Immunity the Targeting of National Electrical Power Systems, Fletcher Forum of World Affairs, Summer/Fall, p. 101 Crawford, C S, 2011, Stuxnet: Cyber Conflict, Article 2(4), and the Continuum of Culpability, working paper, Wake Forest University, Available at <http://works.bepress.com/context/colin_crawford/article/1000/type/nativ e/viewcontent> Dinstein, Y, 2010, The Conduct of Hostilities under the Law of International Armed Conflict, Cambridge: Cambridge University Press Dinstein, Y, 2005, War, Aggression, and Self-Defence, Cambridge: Cambridge University Press Drmann, K, 2004, Applicability of the Additional Protocols to Computer Network Attacks, International Committee of the Red Cross, available at <http://www.icrc.org/eng/assets/files/other/applicabilityofihltocna.pdf> Downs, L G, 1995, Digitial Data Warfare: Using Malicious Computer Code as a Weapon, research report submitted to Air University (US), available at <http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA424872> Downes, Alexander B, 2008, Targeting Civilians in War, New York: Cornell University Press Dunlap, C J, 2011, Perspectives for Cyber Strategists on Law for Cyberwar, Strategic Studies Quarterly, Spring, pp. 81-89, available at <http://scholarship.law.duke.edu/cgi/viewcontent.cgi? article=2992&context=faculty_scholarship> Gaudreau, J, 2003, The Reservations to the Protocols Additional to the Geneva Conventions for the Protection of War Victims, International Review of the Red Cross, March, no. 849, pp. 143-184 Graham, D E, 2010, Cyber Threats and the Law of War, Journal of National Security Law & Policy, vol. 4, no. 1, pp. 87-102 Grant, J, 2010, Will There Be Cybersecurity Legislation?, 4 Journal of National Security Law & Policy 103 Greenberg, L T, S E Goodman, K J Soo Hoo, 1998, Information Warfare and International Law, National Defense University Press, available at <http://www.dodccrp.org/files/Greenberg_Law.pdf> Harrison-Dinniss, H A, 2011, Attacks and Operations The Debate over Computer Network Attacks, Paper for the Minerva Centre Conference, Jerusalem, Israel, 28 November, available at <http://law.huji.ac.il/upload/5_HarrisonDinniss.pdf> Heicker, R, 2010, Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations, Swedish Defence Research Agency 47

(FOI), Stockholm, available at <http://www.highseclabs.com/Corporate/foir2970.pdf> Hunker, J, B Hutchinson, J Margulies, 2008, Role and Challenges for Sufficient Cyber-Attack Attribution, Institute for Information Infrastructure Protection, available at <http://www.thei3p.org/docs/publications/whitepaper-attribution.pdf> Huntley, T C, 2010, Controlling the Use of Force in Cyberspace: The Application of the Law of Armed Conflict During a time of Fundamental Change in the Nature of Warfare, Naval Law Review vol. 60, pp. 1-40 Hoffman, M, 2003, The Legal Status and Responsibilities of Private Internet Users Under the Law of Armed Conflict: A Primer for the Unwary on the Shape of Law to Come, 2 Washington University Global Studies Law Review 415 Intoccia, G F & Moore, J W, 2006, Communications Technology, Warfare, and the Law: Is the Network a Weapon System? 28 House Journal of International Law 267 Jurich, J P, 2009, Cyberwar and Customary International Law: the Potential of a Bottom-up Approach to an International Law of Information Operations, Chicago Journal of International Law, vol. 9, no. 1, pp. 275-295 Kelly, M, 2005, Legal Factors in Military Planning for Coalition Warfare and Military Interoperability: Some Implications for the Australia Defence Force, Australian Army Journal: Law and Ethics, vol. 2, no. 2, 161-172 Kammerhofer, J, 2004, Uncertainties of the Law on Self-Defence in the United Nations Charter in D M Curtin, P A Nollkaemper, L A N M Barnhoorn (eds), Netherlands Yearbook of International Law, Vol. 35, Cambridge University Press: Cambridge Kanuck, S, 2010, Sovereign Discourse on Cyber Conflict Under International Law, Texas Law Review, vol. 88, no. 7 pp. 1571-1597 Kelsey, J T G, 2008 Hacking Into International Humanitarian Law: the Principles of Distinction and Neutrality in the Age of Cyber Warfare, 106 Michigan Law Review 1427 Kesan, J & Hayes, C, 2010, Thinking Through Active Defense in Cyberspace, in Proceedings of a Workshop on Deterring Cyberattack: Informing Strategies and Developing Options for U.S. Policy, Computer Science and Telecommunications Board, Washington: National Academies Press Lin, H S, 2010, Offensive Cyber Operations and the Use of Force, Journal of National Security Law and Policy, vol. 4, pp. 63-86 Liang, Q & W Xiangsui, 1999, Unrestricted Warfare, Beijing: PLA Literature and Arts Publishing House, available at <http://cryptome.org/cuw.htm> 48

Lubell, N, 2010, Extraterritorial Use of Force Against Non-state Actors, Oxford: Oxford University Press Michael, J B, 2002, On the Response Policy of Software Decoys: Conducting Software-based Deception in the Cyber Battlespace, Proceedings of the 26th Annual International Computer Software and Applications Conference (COMPSAC02), Naval Postgraduate School, available at <http://cs.iupui.edu/~tuceryan/pdf-repository/Michael2002a.pdf> Neff, S, 2000, The Rights and Duties of Neutrals, Manchester: Manchester University Press ODonnell, B T & J C Kraska,2003, Humanitarian Law: Developing International Rules for the Digital Battlefield, Journal of Conflict and Security Law, vol. 8, no. 1, pp. 133-160 Owens, W A, K W Dam & H S Lin (eds), 2009, Technology, Policy, Law and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities, Committee on Offensive Information Warfare, National Academy of Sciences, Washington: National Academies Press Richmond, J, 2012, Evolving Battlefields: Does Stuxnet Demonstrate a Need for Modifications to the Law of Armed Conflict?, Fordham International Law Journal, vol. 35, no. 3, pp. 842-892 Rowe, 2010, The Ethics of Cyberweapons in Warfare, International Journal of Cyber Ethics, vol. 1, no. 1, pp. 20-31 Royakkers, L. & van Est, R, 2010, The Cubicle Warrior: the Marionette of Digitalized Warfare, Ethics and Information Technology, vol. 12, pp. 289296. Rush, H, C Smith, E Kraemer-Mblua, P Tang, 2009, Crime Online: Cybercrime and illegal innovation, Research Report, CENTRIM: University of Brighton, <http://eprints.brighton.ac.uk/5800/1/Crime_Online.pdf> Schmitt, M N, 1999, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, Columbia Journal of Transnational Law, vol. 37, pp. 885-937 Schmitt, M N, 2002, 'Wired Warfare: Computer Network Attack and the Jus in Bello' in M Schmitt and B ODonnell (eds) Computer Network Attack and International Law, Newport, RI: Naval War College Schmitt, M N, 2010a, Cyber Operations in International Law: the Use of Force, Collective Security, Self-Defense, and Armed Conflict in Proceedings of a Workshop on Deterring Cyberattacks: Informing Strategies and Developing Options for U.S. Policy, Computer Science and Telecommunications Board, Washington: National Academies Press

49

Schmitt, M, 2010b, Deconstructing Direct Participation in the Hostilities: the Constitutive Elements, New York University Journal of International Law and Politics, vol. 42, pp. 697-739 Sharkey, N, 2010, Saying No! to Lethal Autonomous Targeting, Journal of Military Ethics, vol. 9, no. 4, pp. 369-383 Silver, D B, 2002, Computer Network Attack as a Use of Force under Article 2(4) of the United Nations Charter in M Schmitt and B ODonnell (eds) Computer Network Attack and International Law, Newport, RI: Naval War College Sklerov, M J, 2009, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Which Neglect Their Duty to Prevent, 201 Military Law Review 1 Soldatov, A, 2011, Vladimir Putins Cyber Warriors, Foreign Affairs, December 9, <http://www.foreignaffairs.com/articles/136727/andreisoldatov/vladimir-putins-cyber-warriors?page=show> Swanson, Lesley, 2010, The Era of Cyber Warfare: Applying International Humanitarian Law to the 2008 Russian-Georgian Cyber Conflict, Loyola of Los Angeles International and Comparative Law Review, vol. 32, pp. 303-333 Terry, James P, 2001, The Lawfulness of Attacking Computer Networks in Armed Conflict and in Self Defense During Periods Short of Armed Conflict: What Are Targeting Constraints?, Military Law Review, vol. 169, pp. 70-91 Thomas, T, 1996, A Russian View of Future War: Theory and Direction, Journal of Slavic Military Studies, vol. 9, no. 3, pp. 501-518 Waxman, Mathew C, 2011, Cyber Attacks and the Use of Force: Back to the Future of Article 2(4), Yale Journal of International Law, vol. 36, no. 2, pp. 421-459 Wheeler, D A & G N Larsen, 2003, Techniques for Cyber Attack Attribution, Institute for Defense Analysis, Paper P-3792, October Young, M D, 2010, National Cyber Doctrine: The Missing Link in the Application of American Cyber Power, 4 Journal of National Security Law and Policy 173 Official Reports and Letters Advance Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command (2010), testimony to United States Senate Armed Services Committee, April 15, available at <http://armed-services.senate.gov/statemnt/2010/04%20April/Alexander %2004-15-10.pdf> 50

Commentary on the HPCR Manual on International Law Applicable to Air and Missile Warfare (2010), Program on Humanitarian Policy and Conflict Research at Harvard University, Available at <http://ihlresearch.org/amw/Commentary%20on%20the%20HPCR %20Manual.pdf> Cyberspace Policy Review (2009), National Security Council, available at <http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Revie w_final.pdf> Developments in the Field of Information and Telecommunications in the Context of International Security (2011), Report of the UN SecretaryGeneral, 15 July, Doc No. A/66/152, available at <http://daccess-ddsny.un.org/doc/UNDOC/GEN/N11/416/91/PDF/N1141691.pdf?OpenElement> Dutch Advisory Council on International Affairs (AIV) & Advisory Committee on Issues of Public International Law (CAVV), Cyber Warfare (2011), December, Document No. 77, AIV/No 22, available at <http://www.aivadvies.nl/ContentSuite/upload/aiv/doc/webversie__AIV77CAVV_22_ENG.p df> International Committee of the Red Cross, Interpretative Guidance on the Notion of Direct Participation in Hostilities Under International Law (May 2009), available at <http://www.icrc.org/eng/assets/files/other/icrc-0020990.pdf> National Security Threats in Cyberspace (2009), report of a Workshop Jointly Conducted by the American Bar Association Standing Committee on Law and National Security and the National Strategy Forum, September, available at <http://www.americanbar.org/content/dam/aba/migrated/2011_build/law _national_security/threats_in_cyberspace_report.authcheckdam.pdf> NATO Strategic Concept for the Defence and Security of the North Atlantic Treaty Organization (2010), adopted by Heads of State and Government at the NATO Summit in Lisbon 19-20 November, available at <http://www.nato.int/nato_static/assets/pdf/pdf_publications/20120214_s trategic-concept-2010-eng.pdf> Office of General Counsel, Department of Defence, An Assessment of International Legal Issues in Information Operations (1999), May, available at <http://www.au.af.mil/au/awc/awcgate/dod-io-legal/dod-iolegal.pdf> Owens, W, Dam, K & Lin, H (eds), Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities (2009), report of the Committee on Offensive Information Warfare, Washington: National Academies Press, available at <http://www.nap.edu/catalog.php?record_id=12651>

51

Project on National Security Reform, Forging a New Shield, November 2008, available at <http://pnsr.org/data/files/pnsr_forging_a_new_shield_report.pdf> Security Cyberspace for the 44th Presidency (2008) Commission on Cybersecurity, 8 December, Available at <http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf > US Office of the National Counterintelligence Executive, 2011, Foreign Spies Stealing US Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October, available at < http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Coll ection_2011.pdf> Media Sources Clayton, 2010, How Stuxnet Cyber Weapon Targeted Iran Nuclear Plant, Christian Science Monitor, November 16, <http://www.csmonitor.com/USA/2010/1116/How-Stuxnet-cyber-weapontargeted-Iran-nuclear-plant> Lin, P, F Allhoff & N Rowe, 2012, Is it Possible to Wage a Just Cyberwar?, The Atlantic, 5 June, available at <http://www.theatlantic.com/technology/archive/2012/06/is-it-possibleto-wage-a-just-cyberwar/258106/> Raiu, C, 2012, The Day The Stuxnet Died, Kaspersky Securelist Blog, June 25, available at <http://www.securelist.com/en/blog/208193609/The_Day_The_Stuxnet_Di ed> Sanger, D, 2012, Obama Order Sped Up Wave of Cyberattacks Against Iran, New York Times, June 1, available at <http://www.nytimes.com/2012/06/01/world/middleeast/obama-orderedwave-of-cyberattacks-against-iran.html?_r=1> Shanker, T, 2010, Cyberwar Nominee Sees Gaps in Law, New York Times, April 12, available at <http://www.nytimes.com/2010/04/15/world/15military.html?_r=1> Solis, G, 2010, CIA drone attacks produce Americas own unlawful combatants, Washington Post, 12 March, available at < http://www.washingtonpost.com/wpdyn/content/article/2010/03/11/AR2010031103653.html> Traynor, I, 2007, Russia Accused of Unleashing Cyberwar to Disable Estonia, The Guardian, May 17, <http://www.guardian.co.uk/world/2007/may/17/topstories3.russia>

52

Walker, F, 2004, Our Pilots Refused to Bomb 40 Times, Sydney Morning Herald, 14 March, available at < http://www.smh.com.au/articles/2004/03/13/1078594618101.html> International Treaties, Declarations and Case Law Treaties 1868 Declaration Renouncing the Use, in Time of War, of Explosive Projectiles Under 400 Grammes Weight (Saint Petersburg Declaration) 1899 Hague Convention With Respect to The Laws and Customs of War on Land 1907 Hague Convention Respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land 1907 Hague Convention Respecting the Laws and Customs of War on Land 1907 Hague Convention Respecting the Rules of Air Warfare 1949 Geneva Convention (I) for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field 1949 Geneva Convention (II) for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea 1949 Geneva Convention (III) relative to the Treatment of Prisoners of War 1949 Geneva Convention (IV) relative to the Protection of Civilian Persons in Time of War 1954 Hague Convention for the Protection of Cultural Property in the Event of Armed Conflict 1972 Convention on the Prohibition of the Development, Production and Stockpiling of Bacteriological (Biological) and Toxin Weapons and on their Destruction 1977 Additional Protocol (I) to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts 1994 San Remo Manual on International Law Applicable to Armed Conflicts at Sea Declaration of United Kingdom to Protocol Additional to Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977, made 2 July 2002, available at <http://www.icrc.org/ihl.nsf/NORM/0A9E03F0F2EE757CC1256402003FB6 D2?Open> Declarations of Australia to Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International 53

Armed Conflicts (Protocol I), 8 June 1977, made 21 July 1991, available at <http://www.icrc.org/ihl.nsf/NORM/10312B4E9047086EC1256402003FB2 53?OpenDocument> Declarations of New Zealand to Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977, made 8 February 1988, available at <http://www.icrc.org/ihl.nsf/NORM/8FEC3861203ABE21C1256402003FB5 3B?OpenDocument> Letter dated 7 October 2001 from the Permanent Representative of the United States of America to the United Nations addressed to the President of the Security Council [7 October 2001] UNSC, Doc s/2001/946, Available at <http://www.hamamoto.law.kyoto-u.ac.jp/kogi/2005kiko/s-2001946e.pdf> Case Law Advisory Opinion the Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory [2004] ICJ, 9 July, General list no. 131 Case Concerning Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda) [2005] ICJ, Judgement of 19 December, ICJ Reports 2005 Case Concerning the Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v. United States of America) [1986] International Court of Justice, 27 June, ICJ Reports 1986 Military Prosecutor v. Swarka and Others [1974] Israel, Military Court, Judgement, Case EA/412/71, SJMC, Vol. 3, 1974, p. 206 Military Doctrine Australian Defence Force Publication 06.4: Law of Armed Conflict (2006), 11 May, Available at <http://www.defence.gov.au/adfwc/Documents/DoctrineLibrary/ADDP06. 4-LawofArmedConflict.pdf> Australian Defence Force Publication 3.14: Targeting (2 February 2009) available at <http://www.defence.gov.au/foi/docs/disclosures/021_1112_Document_A DDP_3_14_Targeting.pdf> Chairman of the Joint Chiefs of Staff (CJCS), Instruction 3121.01A: Standing Rules of Engagement for US Forces, 15 January 2000, available at <http://www.fas.org/man/dod-101/dod/docs/cjcs_sroe.pdf> Chairman of the Joint Chiefs of Staff (CJCS), Joint Publication 3-13: Information Operations,13 February 2006, available at <http://www.fas.org/irp/doddir/dod/jp3_13.pdf> 54

Department of Defense, Procedures Governing the Activities of DOD Intelligence Components That Affect United States Persons, DOD Regulation 5240.1-R, December 1982, available at <http://www.dtic.mil/whs/directives/corres/pdf/524001r.pdf> Department of the Army (US), Field Manual 27-10: The Law of Land Warfare, 15 July 1976, available at <http://www.loc.gov/rr/frd/Military_Law/pdf/law-ofwar-documentary-supplement_2010.pdf> Department of National Defence and Canadian Forces, Law of Armed Conflict at the Operational and Tactical Level, 13 August 2001, Available at <http://www.forces.gc.ca/jag/publications/oplaw-loiop/loac-ddca2004/index-eng.asp> Ministry of Defence (UK), The Joint Service Manual of the Law of Armed Conflict, JSP-383, 23 October 2004, available at <http://www.mod.uk/NR/rdonlyres/82702E75-9A14-4EF5-B41449B0D7A27816/0/JSP3832004Edition.pdf> United States Naval War College, NWP 1-14M: US Commanders Handbook on the Law of Naval Operations, July 2007, available at <http://www.usnwc.edu/getattachment/a9b8e92d-2c8d-4779-99250defea93325c/1-14M_(Jul_2007)_(NWP)>

55