Amid the flurry of national security documents leaked in the last weeks was one that got less attention than the PRISM surveillance program, but also opened a window on a secretive new realm: Presidential Policy Directive 20, issued last October, which instructed national security and intelligence officials to develop America’s capacity to wage cyberwarfare.
Cyberwarfare is emerging as the latest uncertain frontier of international relations, a way for developed nations to attack one another without appearing to do anything at all. The issue lay at the center of President Obama’s recent meeting in California with China’s leader, Xi Jinping: Obama confronted Xi about cyberattacks on government and corporate websites apparently hacked by a secret directorate of the Chinese military, People’s Liberation Army Unit 61398. The United States, of course, has its own alleged history of cyberattacks: It is believed to have helped launch the Stuxnet computer worm against Iran’s nuclear program several years ago.
Are these attacks permissible? How should nations respond? The first efforts to answer those questions are now coming to fruition. A group of 20 independent experts on international law has just completed a manual that attempts to lay out how the established rules of war might apply to cyberspace. The Tallinn Manual on the International Law Applicable to Cyber Warfare, published in March, is the result of an unofficial three-year-long project hosted by NATO in Estonia, intended to start the debate about how nations should conduct themselves on a field of battle that would have been unimaginable just a few decades ago.
Michael Schmitt, chairman of the international law department at the United States Naval War College, led the project. He spoke to Ideas from Germany, where he is on a lecture tour introducing the manual to academic audiences.
IDEAS: It seems almost impossible to match traditional rules of war to this new virtual world. How do you begin?
SCHMITT: First you have to look closely at what is known as “use of force.” That’s a legal term that comes from the UN charter, which tells us in article 2 that uses of force by one state against another are forbidden unless they are pursuant to a Security Council resolution or an act of self-defense on the part of the state. The question then is, in cyberspace, when do you have a use of force, and when can you defend yourself? The group of experts that put together the manual said that it is almost certainly a use of force if there was physical damage to objects or if there was injury to individuals. And that can definitely be the result of cyberwarfare—as conducted by a state, or groups of hackers that are armed and trained by a state to engage in this type of activity.
IDEAS: We don’t normally think of cyberwarfare as causing physical damage.
SCHMITT: A cyberattack could be huge. You could literally shut a small country down. The classic example is you interfere with the traffic control system of a country, which could of course cause death. You could interfere with navigational systems such that everyone is 100 feet off, so that when airplanes try to land they actually land not on the runway but next to it. You could hack into a nuclear reactor and cause a meltdown. Open the gates of a dam to release flood waters downstream. Interfere with medical data such that individuals are given the wrong blood type. There are many examples of truly catastrophic harm that could be caused to people and places.
IDEAS: In putting together the manual, you must have come across some contentious issues. What triggered the most debate?
SCHMITT: We really struggled with identifying a bright line, a threshold, across which you can say, “That’s a use of force.” What actions below the level of damage or injury would also qualify? We thought that training hacktivists counted, but what about financing a cyberactivist group? We thought that that didn’t make the cut. It’s gray and it remains gray and we acknowledged that in the text.
Another big question is related but different. Someone is conducting operations against you. When can you use force, either cyberforce or regular force to respond, like hacking back in a way that will cause damage to them, or firing a cruise missile into the location where the cyberattack is coming from? In current international law, before you can do that you have to be the victim of an armed attack. All the experts agreed that if the cyberattack caused significant injury or damage, then a state could respond. The big question we had was, what if you had an operation that was really devastating—something directed at the New York Stock Exchange that bottoms our economy out and causes massive loss of assets—but it doesn’t cause any physical damage or injury whatsoever?Continued...