All too often when lecturing on cybersecurity topics, I am asked about the employment of self-defense, cyberwar and cyberweapons. My hope is that this article sheds a little light on the complexities that exist regarding this topic as well the intricacies we must consider. This article by no means is meant to be a full treatment of subject, but rather a working summary to help you better understand.
A rather interesting, and often misunderstood, paradox that exists between the physical world and the virtual world is the right to self-defense. In the physical world, at least in the United States, you have the right to defend yourself and others in many cases, against an attack on your person or property.
Depending on your personal views and the laws of the state where you reside, this right can provide you the ability to employ a weapon to aide in your defense. The paradox arises because this right does not extend to the virtual world. If someone attacks your computer, you do not have the right to defend yourself in an analogous manner as you would in the physical world.
But what about our government? Can our country employ cyber-attacks?
Was it an act of self defense?
There are many reasons why this is currently the case, but one of the biggest reasons is attribution. Attribution is defined, at a high-level, as the ability for you as the defender to be able to positively and without doubt identify the person(s) that attacked you. In the virtual world it is extremely difficult to establish attribution and can often take days, weeks and months. Even when attribution exists in the virtual world many times the accuracy of the attribution comes into question. In both the virtual and physical world, you can never say “I thought that was the person who attacked me, so I attacked them back.” You must always be certain of who attacked you.
Another aspect of self-defense is that you must act in the moment. You cannot act against an attacker minutes, hours or days after they attacked you and still claim self-defense. The only exception to this may be a claim that you believed the attacker was going to attack you again and therefore you acted to pre-empt further attacks. But I would not suggest you employ this as a legal tactic as it is extremely hard to win this line of reasoning.
Ultimately, the right to self-defense is generally believed to be available to you in the moment. In the virtual world, as stated earlier, establishing attribution may not occur until long after the attack has concluded. Given that we cannot act in the moment and with clear attribution of who is performing the attack, the claim of self-defense in the virtual world, is typically not be applicable.
Having dived into the nuances of self-defense, we can start to better understand that in the virtual world it is very difficult, if not impossible, to defend oneself in a manner that would support self-defense tests. We also find that as an individual or as a company, even a very large, the technology required to allow us to fight back does not exist today. Regardless of your thinking on this topic, as it stands today, it is not legal to fight back in the virtual world, especially if you were to employ cyberweapons.
What does the law say?
But what about our government? Can our country employ cyber-attacks? The answer is it all depends on the circumstances. Acts of aggression between two or more countries is governed by international law. One of the challenges with international law, is that the laws governing war have traditionally applied and been developed to address physical wars. The pace of technology, especially as it relates to cyberweapons, has evolved exponentially. This dramatic evolution has created large vacuums in international war. Over the past several years, this has led to debates regarding the rights of countries to employ cyber-attacks in a lawful manner. Much of the challenge in defining when it is appropriate to employ cyberweapons and how cyberweapons work is still very much not well understood. Progress is being made but unfortunately all the intricacies that are part of these debates is well beyond the scope of this article. For now, let us take a high-level review of cyberwar and some generally accepted principles.
Article 51 is an international law, that basically states and governs the rights of countries to engage in self-defense against an armed attack. Surmising Article 51, we find that it states, “As a country that is the victim of an armed attack, you may defend yourself or respond collectively." In essence Article 51 is typically the foundation for any act that ultimately involves one country defending itself from an attack by another country.
Using Article 51, we can assert that a cyber-operation that is destructive, injurious or causes substantial harm – theoretically allows you to “shoot” back kinetically or by employing cyberweapons. A kinetic response is one which employs traditional weapons – fighter jets, naval assets, missiles, firearms, etc. A cyberweapon would be a computer program that is designed as a weapon. For example, a computer program that could take another country’s computer systems off-line or possibly damage computers of another country.
It is unclear if Article 51 applies to non-state actors. For example, can a country take action against a organized crime group in Russia who decides to attack the United States’ critical infrastructure? The United States believes that this right does apply to non-state actors, but this has not been settled as part of international law. It is one of the many on-going debates.
Do cyberweapons violate international law?
You may be wondering why there is on-going debate regarding the right of a country to employ cyberweapons in self-defense? The biggest reason is that a country that employs any weapon must be able to show that the weapons employed allow for a proportional response. When we employ physical weapons, we can predict the damage they will cause. We also can be rather certain that a physical weapon can only be used once. For example, a bomb that is dropped on a target, cannot be picked up and employed by someone on another target (assuming the bomb exploded). We also know that a bomb will create a specific or reasonably specific amount of damage. The same cannot be said of cyberweapons.When we consider cyberweapons we must keep in mind that no cyberweapon today, can meet the same standard as a physical weapon. If we deploy a cyberweapon against an enemy, even a highly surgical cyberweapon, it is very possible that the cyberweapon can be reused. This creates a serious challenge that the release of a cyberweapon by anyone, leads to the potential for that cyberweapon to be employed against the person who developed or deployed the weapon. It is also possible that they cyberweapon could be used against others. This is the crux of the debate I mentioned earlier. The current state of cyberweapons is such that no one can guarantee that the launch of a cyberweapon will not arm the enemy or others thereby creating insecurity to those not involved in the conflict. We also have no way to truly predict the damage that can be caused by a cyberweapon.
Cyberweapons are an emerging area of research. We have been working on research related to cyberweapons since the late 90s. We can tell you that in the past three years we have seen amazing breakthroughs in the development of cyberweapons and certain their abilities will grow exponentially in the coming years. The challenges these weapons create as well as the opportunities is a fascinating topic on many levels. We hope that this article has shed a small light on the complexities of this topic and more importantly intrigued you to learn more. As someone who may be responsible for protecting a network, facilities or people, the evolution of cyberweapons and your rights will become a rather critical aspect of your strategies in the coming years.