Âé¶ą´«Ă˝

Satellites could be targeted to stop cyberattacks

Michael Schmitt, lead author of a new NATO manual, reveals how international law applies to cyberattacks and when an armed response is legitimate
“If a cyber operation causes significant damage you have the right to defend yourself with military force”
(Image: US Navy photo by lt. cmdr Anthony Ohl)

Michael Schmitt, lead author of a new NATO manual, reveals how international law applies to cyberattacks and when an armed response is legitimate

The internet is 30 years old. Why has it taken so long to examine the law on how governments can respond to cyberattacks?
We were researching military cyber operations and cyberlaw in 1995, ran a major conference in 1998, and published a book in 2000 to get international legal debate going. But then 9/11 happened, and everyone forgot about cyberlaw. Suddenly, we were concerned only with counterterrorism law: could we cross borders to go after terrorists? Is it lawful to conduct attacks in Afghanistan? That focus continued until 2007 when the cyberattacks on Estonia, a NATO member, brought down its computer networks. That was a big wake-up call.

So NATO set up a cyber research group?
Yes, in Tallinn, Estonia. I assembled a group of international lawyers to create a cyber-response manual for NATO governments. Our mission was not to determine what the law should be – it was to determine what the law is.

How did you define a cyberattack?
This was the hardest thing we dealt with. The problem is that lawyers and techies do not speak the same language. A cyberattack to a techie is when a hacktivist, a state or a non-state actor carries out a harmful cyber operation. But in international law the term “attack” has legal meaning, in two contexts.

The first is in the law of self defence, that is, when a state can defend itself with the use of force, either kinetically – using armed military force – or with a high-order cyber response, against an “armed attack”. We had to define what is meant by “armed attack”. Unless you have a cyber equivalent of an armed attack, you cannot resort to military force to defend yourself.

The second meaning of attack is, once you are at war, what can you then do to respond? The law says a nation may not attack civilians, for example. So when is a cyber operation directed at civilians an “attack” under international humanitarian law?

What did you conclude?
All 20 of us agreed that if a cyber operation causes significant damage, or injures or kills individuals, that constitutes an armed attack such that you have the right to defend yourself with military force. We also acknowledged the fact that cyber operations can have devastating consequences without causing physical damage or injury – if critical infrastructure has to be repaired, for example.

“A cyberattack qualifies as an armed attack if it causes significant damage”

Is a cyberattack, then, equivalent to a physical attack? I could smash filtration systems so pathogens end up in a city’s drinking water. Or I could hack the control system to disable the filters. Are these equal under the law?
Those would both qualify as armed attacks because you are going to cause widespread illness. Civilians will drink that water and there is a prohibition on injuring civilians. Similarly, opening the gates of dams to cause floods, affecting air-traffic-control systems and so forth, all constitute attacks.

Are new laws needed for cyberspace?
Although it is sometimes hard to apply the existing law, it generally works. The US government has said cyberspace is the “fifth dimension” of warfare after land, sea, air and space, but in consultation with computer scientists and electronics engineers, we rejected that notion. In any cyberattack there will be tangible objects involved – someone will be at a computer, electrons will course through servers and so forth. So laws governing the use of objects in territories are sufficient.

If a non-state hacktivist group commits a serious cyberattack, could that warrant an armed response?
This is a point of some dispute. A minority of our group believe that the law of self defence only applies to cyber operations that qualify as armed attacks if they are conducted by states. If it is not a state, use regular law enforcement.

However, the majority concluded that the law of self defence applies to cyberattacks by non-state actors if they are organised groups. If a terrorist group launches cyber operations at an armed-attack level, the NATO panel felt you could respond in the same way as you could if a terrorist group were bombing you.

What about lone activists?
If it is an individual behind the attack, most of us said the law of self defence does not apply. Then it is a criminal conducting a massive crime. Once it is a group, if the consequences of the cyber operation rise to the armed-attack level of harm, they become cyberterrorists.

How does current international law apply to the leaking of documents? If computer-mediated leaks risk harm to military personnel or informants, could that legally provoke a pre-emptive armed response?
Some of our experts would say yes. I don’t think we are there. Leaks are not an armed attack. But if somebody wanted to reveal the CIA network in some country, and knew that leak would result in their deaths, then, yes, you bet. Governments need to be a little bit careful, though, because there is a presumption against the use of force in international law.

But leakers should at least consider downstream effects?
Anyone engaging in any cyber operation should think about effects that reverberate through systems because they will be held responsible – either criminally, or, if it is an organised group, at the armed-attack level.

The US and Israel were accused of being responsible for Stuxnet, a computer worm that wrecked hundreds of uranium centrifuges in Iran. Did Iran have the right to an armed response?
If Stuxnet was conducted by a state – and I have no evidence that it was – then most of us thought it would be a use of force in violation of international law.

A few of the experts, however, felt that it was also an armed attack. Therefore at the time it was under way, Iran could have responded. But remember we are talking about the law of self defence – to defend yourself from an attack that is ongoing – not the law of retaliation or reprisal. If a state was behind Stuxnet and that is discovered a year later there is no right of self defence. The remedy is then international litigation. The thing about cyber operations is once an attack is discovered, it is usually over.

It is not always easy to track the source of an attack. So how do you know where to strike?
Attribution has to be done on a case-by-case basis looking at the quality of intelligence. There are thousands of factors. But international law does not require you to get it right – it requires you to act reasonably in the circumstances.

Are governments likely to use a cyber response as the first line of defence?
It is now one of the tools in the weapons kit bag. You use it in some circumstances and not others, in the same way you sometimes use a drone, artillery or special forces.

Satellites can end up carrying cyberattack data streams. Could they become legal targets of armed cyber responses?
If, say, the US needs to take a satellite out to defend itself, it may. If we’re in the midst of an armed conflict then we have to apply what is called the rule of proportionality and ask whether the harm to civilians will exceed the military advantage of taking the satellite out. But, yes, it is likely that cyber defence will move into orbit.

Profile

Former US air force intelligence officer Michael Schmitt is chairman of the international law department at the US Naval War College in Newport, Rhode Island. He directed a team of attorneys to create the Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press)

Topics: Computer crime / Weapons