Catherine Lotrionte is Director of the Institute for Law, Science, & Global Security and a Visiting Assistant Pro- fessor of Government and Foreign Service at Georgetown University. Dr. Lotrionte has served as Counsel to the President’s Foreign Intelligence Advisory Board at the White House and as Assistant General Counsel at the Central Intelligence Agency. She is the Director and Founder of the Cyber Project at Georgetown University and a Life Member of the Council on Foreign Relations.
"As state expectations shift in the context of cyber warfare, the international norms will evolve to meet those expectations..." "Without a consensus on what constitutes an armed attack in the cyber domain, states risk being condemned by others for “acts of aggression.”
On 6 September 2007, Israeli jets flew into Syrian airspace unobserved by Syrian military forces and bombed what Israeli government sources believed to be a nuclear facil- ity. The failure of the Syrian air defense network was the result of an Israeli cyber attack. In the age of cyber warfare, the Israelis defeated the enemy before the battle had begun. The cyber operation facilitated the successful use of kinetic military resources.
Cyberspace, however, can also be used by states to con- duct a war without ever needing to engage in kinetic mili- tary operations. In 2007, ethnic tension escalated between native Estonians and ethnic Russians in Estonia following the movement of a Soviet era war memorial. That April, Estonia was hit by a Distributed Denial of Service attack (DDOS), which overwhelmed computers and servers across the country for two weeks.1 By the end of the attacks, Esto- nia’s largest bank had lost over $1 million.2 The Estonian authorities ultimately blamed Russia, claiming that at least one query had been traced to an IP address in the Russian administration.3
Both episodes demonstrate that cyberspace is a real battle- ground in today’s warfare operations. The first section of this article examines the challenges in defining the term cyberwar and will propose a working definition for the legal analysis of the topic. The second section considers the relevance of the contemporary jus ad bellum to the prob- lems of cyberwar, examining five questions of law:
1) Does international law apply to cyber?
2) Is cyberwar permissible?
3) When is a cyber operation a use of force?
4) When is a cyber operation an armed attack?
5) How does a victim state legally respond to a cyber attack?
6) When can a victim state legally respond to a cyber attack?
7) Where can a victim state legally respond to a cyber attack?
This analysis will focus on state prac- tice in digital activities since 1945, analogous areas of state practice over the same period, and the writings of legal experts and publicists. Finally, the article will set forth a number of conclusions about the relevance of the Charter jus ad bellum and jus in bello to the post-Charter digital era and the onset of cyber conflict. (purchase article...)