Cyber war vs the law
28 December 2018 | Written by Guido Casavecchia
What are the effects of cyber-attacks and why we have the right to self-defense
Forget the traditional combat tactics, made of trenches and firearms. Now the conflicts take place in a silent way, at a distance and with your hands (almost) cleaned.
Today almost all the vital sectors of a country are vulnerable, being connected to informed superstructures. E-commerce, e-banking, gas, electricity, transport, defense and surveillance systems can be affected by syntactic or semantic attacks. The former are directed against a specific target, to neutralize it or destroy it using viruses, worms or Trojan Horses. The latter consist in the dissemination of false information or requests to cover their tracks and direct the enemy to a wrong direction (eg DDoS or DoS attack to prevent users from accessing a service or resource).
These tools, experimented in traditional war theaters, are often used by various individuals or organized groups that are not always employed by states. In 2007, NATO intervened in Estonia to protect the country’s IT systems from DDoS attacks, probably from Russia, with national websites. Between 2006 and 2008, the US government conducted computer attacks with the STUXNET virus to destroy the Iranian nuclear program. In 2014 the JP Morgan Chase & Co, and in 2016 the central bank of Bangladesh, were vulnerable by cyber criminals.
States are increasingly focusing on the fight against cyber crime. In Italy, the latest package of legislative reforms to adapt our security systems is in 2017. The European Union has been conducting a campaign to harmonize national laws on cyber de-fence from the early 2000s.
In the international community, on the other hand, problems arise regarding the legitimate defense of States in the event of a cyber war. When, how and against whom can you react?
Article. 51 of the UN Charter recognizes the natural right of self-defense for a State (after an armed attack) to defend itself respecting the principles of proportionality and immediacy of the response. Since 1945, however, the techniques of armed conflicts have evolved, and one wonders if a cyber-attack is considered as an armed attack.
It would seem so, being the cyber war a use of particular technical-IT tools in a traditional war. For the more recent doctrine the effects of a cybernetic war are comparable to the traditional armed ones. The severity of the damage, the speed of manifestation of the effects and the degree of invasiveness of these penetrations make us incline for their assimilation.
However, to allow a State to intervene in legitimate defense against an IT attack against itself or another State, it is necessary that the attack has already been launched and that there has been an effective recognition of its author.
The legitimate defense. Since the 1990s, the UN Security Council has nevertheless consented to the use of legitimate preventive defense, that is, carried out against attacks that have not yet been launched but with a high probability of realization, if there is certain evidence. This is perfectly suited to the prevention of more nuanced attacks, such as cyber-attacks (especially if these are the prelude to traditional military attacks).
However, three problems remain: the degree of damage (typical of a conventional armed attack) must be established so that it is possible to intervene in self-defense; identify the actual responsible for the attack; establish the methods of reaction.
This is made increasingly nebulous because the cyber war goes beyond geographical boundaries and is often conducted by non-state actors. For example, a group of coordinated hackers or terrorists (or a single individual who does not even know how to compete with others in an illegal attack), spread across several states, are due to the design of a single state? Should we react against them or against the State that coordinates them? What damage rate must be incurred to consider it a traditional armed attack?
First of all, we must compare the effects that these attacks have on the country system and on people (directly or indirectly) to the effects that would have a traditional conflict. If there is an assimilation, a legitimate reaction is admitted ex art. 51 UN Charter.
For the imputability of the act to a State (which is hidden behind individual operators) a criterion of effective control of the referability to it is made, as stated by the “Draft of articles on the international responsibility of the State” of 2001, and it reacts against this.
Solutions. Finally, an IT attack can be answered with the same system or with a countermeasure. It is not, for now, recognized the immediate possibility to react militarily. In the future it could be admitted but nevertheless within the limit of proportionality (quite difficult to calculate and with risks of excessive legitimate defense).
To reduce the risk of military escalation, clearer international rules are necessary for greater cyber security. Telekom proposed a “World Cyber Security Organization”. Micro-soft supports a “Geneva digital convention” to ban certain cybernetic weapons. Berlin has declared that it reserves the right to respond to a cyber attack with a military attack. London considers a just cause to respond with an armed attack on a cyber-aggressor. The G7 has adopted a non-binding Declaration on the responsible behavior of states in cyberspace.
The current Huawei scandal shows how the interconnection of information systems can promote cyber espionage and overshadow a technological war.
Unfortunately, there are still no express rules and established practice on the part of States, fundamental actors in international law. But the regulatory framework seems applicable to conflicts in cyber space.