Although the United States is believed to lead the world in information warfare capability, other countries are pursuing such capabilities, as perhaps are transnational criminal organizations or terrorist groups. Because of the perceived overwhelming traditional military might of the United States and its allies, and because international networks may offer a way for adversaries to strike at the U.S. homeland without needing the sort of logistical and military capabilities that a traditional attack would require, it seems likely that the United States or one of its technologically and economically developed allies will suffer some sorts of serious information warfare attacks. If such an attack comes, the United States (or any other victim) may find its response hindered, as it may find both that the norms arising from traditional concepts of the international system of sovereign states may conflict with the physical reality of the newly wired world, and that the international legal system may not yet have arrived at rules applicable to such attacks. The United States may thus face difficulty in tracing an attack across national boundaries, gaining authority over the attackers, and determining the appropriate responses the attack.
Other observers have laid out in detail the types of information warfare attacks that adversaries may conduct against U.S. security facilities, the U.S. homeland or infrastructures, or the facilities of other countries.143 These adversaries may include foreign governments, including those of some "friendly" countries; state-supported or independent terrorist organizations, which may be international in composition or aim; transnational criminal organizations, such as the Russian mafiya or Latin American drug cartels; foreign competitors of U.S. companies; domestic terrorists or other criminals; or "hackers," who conduct mischief of varying severity using computers, telephones, and networks.
Such attacks may be part of armed conflict or a prelude to war. They may constitute a warning or threat to influence a government's decision makers as they contemplate particular courses of action. They may be part of an economic conflict, either between nations or between corporations (and in many countries, such a distinction is blurred). They may be terrorism, or part of other efforts to attract attention to a cause.144 They may be part of crime, as a mechanism of theft of funds or valuable data, as part of extortion, or as part of an effort to hinder law enforcement. Finally, the attacks may be motivated by perversity, as individuals or groups attack systems because they can, or to show off, or because of various personal shortcomings.145
The first dilemma that a country that has suffered an information attack may face in responding to the attack may be to identify an event as an actual attack. Especially when an attack does not come during a period of heightened international tensions, it may be difficult for investigators to distinguish a catastrophe resulting from a "natural" or "accidental" computer error from one stemming from malice.
Physical attacks should be distinguishable from accidents or malfunctions, as the culprits must come into some proximity with their target, and they may leave some physical evidence behind. As Aristide Briand said, "A cannon shot is a cannon shot; you can hear it and it often leaves traces."146 But even so, the causes of catastrophes may be hard to ascertain, especially when they involve complex systems that may not be fully understood. For example, despite exhaustive investigations, the separate but similar crashes of two Boeing 737 passenger jets remain unexplained.147 Furthermore, and most dramatically, the mystery of the July 1996 crash of TWA Flight 800 into Long Island Sound, which some immediately assumed was a terrorist incident, remains unsolved, and investigators did not publicly rule out the possibility of sabotage until May 1997.
Computer-based attacks may be even harder to distinguish from innocent malfunctions. If the attack is carried out across a network, the culprits may never be physically close to the target (perhaps never entering the same continent), and they may leave no tangible evidence. Attacks or sabotage using viruses, logic bombs, or simply buggy software may be particularly difficult to detect quickly, if at all, because of the complexity of systems and the frequency of unintentional errors in publicly shipped products.148
Software errors or conflicts are known or suspected to have caused a number of incidents that might have seemed to be intentional attacks on important systems, products, or weapons by criminals, terrorists, or even enemy nations. Perhaps the most dramatic example occurred on Martin Luther King Day in 1990, when the AT&T long distance network failed for nine hours. Although the actual source of the failure was ultimately attributed to a faulty software update, many believed that hackers had actually caused the system to crash.149 Perhaps more frighteningly, a software error caused a Canadian nuclear reactor to release thousands of liters of radioactive water in 1990.150 Similarly, a timing delay in targeting software caused a British Royal Air Force pilot to drop a practice bomb on a British aircraft carrier in 1992,151 and it has been suggested that the crashes of two U.S. Air Force F-117 fighters in identical, suspicious circumstances were due to a bug in their software.152 Systems may even be inadvertently sabotaged by their creators. For example, in October of 1994, Adobe Systems, Inc. accidentally shipped a "time bomb" in a version of its popular Photoshop software program. The time bomb, which was to cause the program to stop running after a particular date, had been inserted into the code to force those using a pre-release version of the program to upgrade to the final shipping version, only when it was time to ship the product, nobody remembered to take it out.153
An incident during a time of heightened international tensions might seem to present evidence that wrongdoing is afoot. Nevertheless, such evidence might not be compelling alone, as times of stress are also the times when complex, brittle systems may be most likely to break down.154
The difficulty in distinguishing attacks from accidents is particularly significant in light of the apparent U.S. preference for acting under the auspices of international coalitions. Unless the United States is prepared to act alone, the evidence it uncovers that an incident was the result of an attack, and that the attack stemmed from a specific source, must be sufficient not only to convince U.S. policymakers, but also to convince foreign governments. There is no set standard of proof for U.S. officials to meet; the deliberations of the UN Security Council, and those of foreign governments, are political rather than judicial. Diplomacy, including carrots and sticks, may be more significant than persuasive, logical arguments. That foreign governments may be skeptical of both U.S. intentions and U.S. technical methods of detection complicates the tasks of investigators and policymakers alike.
After extensive investigation of the explosion of Pan Am Flight 103 over Lockerbie, Scotland, in December 1988, for example, the United States and United Kingdom tried to convince the Libyan government of Muammar Qadhafi to extradite the Libyan agents who were allegedly responsible for the bombing. In their efforts to obtain UN sanctions against Libya for its refusal to extradite the suspects, they presented evidence to the other members of the UN Security Council, which held meetings in camera, with no public minutes taken, to protect the confidentiality of the evidence and the Council's deliberations.155 Qadhafi refused to extradite the suspects and demanded that the United States provide him with evidence to support its charges, which he mocked.156 Perhaps to protect intelligence sources and methods, the United States refused to provide Libya with the evidence.157 Despite ongoing sanctions, Qadhafi has neither acknowledged the value of the U.S. evidence nor complied with the Security Council's demands.
Investigators tracing attacks across computer networks may be stymied by a collision between fundamental principles of physics and those of international law, namely that electrons may flow through networks freely across international borders, but the authority of agents of national governments does not. Simply, an attack may come from a foreign country, or may be routed through computers in several countries, but law enforcement or national security personnel cannot unilaterally launch pursuit into networks in other countries. Under the principle of sovereignty each government has exclusive authority over events within its borders.158 Investigators will thus need foreign cooperation or help in their investigations or, with proper domestic authorization, they will need to operate covertly.
Historically, foreign agents have not been permitted to operate physically on a state's territory without that state's permission.159 As the International Court of Justice held in the 1949 Corfu Channel case, when Great Britain wanted to investigate and stop the Albanian mining of the channel, intervention in another state to secure evidence is prohibited.160
Although the principles of sovereignty were conceived when international law contemplated only physical intrusions into a nation's borders, national governments would probably try to apply the principles to intrusions into computers, networks, or data banks, and they would probably succeed. Individual governments have already exerted authority over information in domestic systems just as they would if it had physical form; many European governments, as well as the European Union, for example, have enacted data protection codes that forbid the transport or transmission of certain personal data to countries (such as the United States, perhaps) that do not provide sufficient protection for that data.161 Governments may thus go so far as to consider the act of investigation by foreigners of criminal misuse of their systems to be a form of computer crime, or worse.162
The 1994 intrusion into the computers at the U.S. Air Force's Rome Laboratory in New York hinted at the problem of the collision between sovereignty and a wired world. That spring, two hackers, both now believed to have been British, broke into and took control of the operational network at the U.S. Air Force's command and control research facility at the Rome Labs. Air Force investigators were observing one attacker in the Rome computer when he accessed a system at the [South] Korean Atomic Research Institute, obtained all of its stored data, and deposited that data into the Rome Labs system. The investigators, initially fearing that the system belonged to North Korea, were concerned that the North Korean government would interpret the intrusion and transfer of data to the U.S. Air Force system as an act of war, at a time of sensitive negotiations with North Korea over its nuclear weapons program.163
Although the stronger view is probably that government agents' intrusion into a foreign computer would constitute a violation of the target nation's sovereignty, it is important to note that not all electronic crossing of boundaries is considered that way. For example, orbital remote sensing, including the bouncing of such signals as radar off a country's territory, is now so universally accepted that it is conducted by private entities, which may sell the products of their sensing on the open market.
Furthermore, particularly where they do not interfere with registered stations, countries have no obligation to keep their radio broadcasts from penetrating others' borders.164 Weak authority even supports the proposition that the target country may not resist such broadcasts by jamming.165 Even if the dubious international legality of unauthorized cross-border electronic intrusion by a government's agents were to become accepted, those intrusions could still violate the target country's domestic laws, if any, on espionage or computer intrusion. Just as it would be hard for U.S. authorities to exert authority over foreign computer attackers, though, foreign governments would face difficulty in enforcing their laws against U.S. agents operating from computer terminals within the United States.
The conflict between international networks and national sovereignty is not merely an academic one. The U.S. Government has already had to face the problem of pursuing foreigners who have broken into U.S. computer systems from abroad for malicious purposes, although these attackers have apparently not succeeded in causing, or have not attempted to cause, significant destruction or denial of service. Attackers have complicated U.S. investigatory efforts by "looping and weaving" their attacks through several foreign countries so that investigators cannot follow the trail. For example, to stymie tracing efforts, the attackers who invaded the Rome Labs computers wove their way through phone switches in Columbia and Chile before entering Rome Labs through commercial sites in the United States.166
The apparent widespread, inexpensive availability of the technology necessary for international attacks across computer networks, combined with the anonymity that the technology may provide its users, may complicate the efforts of investigators to determine whether responsibility for an attack carried out by an individual or group rests with a foreign government, and would certainly make it more difficult to convince other nations or international organizations of that government's role. This availability could reduce the need for terrorists or similar actors to seek state support. It should also give states that do support terrorism claims of "plausible deniability" that are stronger than those of states that have supported terrorism in the past. Conversely, the inexpensive, small, and ubiquitous technology may make it harder for states to live up to their obligation to prevent their territories from being used for attacks against other states. As Paul A. Strassmann, former Director of Defense Information and Principal Deputy Assistant Secretary of Defense for Command, Control, Communications and Intelligence, has stated, "Info-assassin paraphernalia is booming, and it's gory stuff you can buy....There is also a wide range of people available for hire to carry things out, many of them ex-intelligence agency people."167
The tasks of investigators, policymakers, and diplomats are made harder by the uncertainty that arises from the ability of users (or abusers) of computer networks to hide their identities through such techniques as "spoofing" so that others may be blamed for their misdeeds. In fact, absent a credible admission of responsibility, it may be impossible to attribute an attack to its actual source with any degree of confidence. This uncertainty may have ramifications both for national security and for law enforcement.168
Further complicating nations' attempts to trace attacks against them is the international investigatory legal regime, or lack thereof. First, in the absence of a treaty, countries have no underlying obligation to cooperate with each other in their law enforcement or national security investigations. The mere fact of noncooperation probably cannot be considered evidence of implication in the attack. Even where they had no involvement in, or sympathy for, an attack, hostile or indifferent nations may be unwilling to assist foreign investigators, whom they may view as spies. Even largely friendly governments may be reluctant to cooperate, often for domestic political reasons.
International law enforcement agreements may not be adequate to support an investigation. For example, treaties of mutual legal assistance, which may institutionalize cooperation between countries' law enforcement agencies, generally contain exceptions that permit parties to refuse cooperation under certain circumstances, such as to protect "sovereignty, security, or similar essential interests."169 In the context of computers, networks, and databases that may implicate a country's national security interests, its technological development, security of its financial and communications infrastructure, or the privacy of its citizens, and where governments may not feel confident about their ability to monitor foreign (especially U.S.) investigators' activities, some nations may likely at least consider taking advantage of any loopholes they can.
Even where other countries are cooperative, mechanisms of international cooperation, such as letters rogatory,170 may be prohibitively slow, particularly given the speed of communications and action across networks. Furthermore, and perhaps most significantly, requesting cooperation, even through such an organization as Interpol,171 would require the substantial involvement of foreign governments' officials and could expose them to information about the victim's intelligence capabilities or the vulnerabilities of the systems and networks they depend upon.
Given the difficulties of international cooperation discussed above, some in the U.S. Government may advocate that it unilaterally pursue its investigation without the cooperation of countries whose computers or networks have been used for attacks against U.S. systems. Although such a course of action seems likely to violate the sovereignty of those nations, and may be inconsistent with U.S. responsibilities under individual treaties of legal assistance, it would not in itself violate international law any further. The investigation would probably be characterized as "espionage," which does not violate international law, although it violates the domestic law of virtually all states. The U.S. Government would need to consider the diplomatic, political, and precedential ramifications that would arise if such an investigation were detected, just as it would have to in the case of more traditional forms of espionage or covert action.
Obviously, a government cannot respond to an attack successfully unless it can identify the attack's source.172 If the culprits can be identified, the options available for the victim state are unsettled and potentially unsatisfactory. As discussed above, it may be difficult, if not impossible, to tie the individual culprits to state support. A victim state may therefore need to proceed as if a given attack were a purely criminal matter, and request that the state in which the culprits are present extradite them to its territory for trial. Even where the victim has substantial grounds for believing that state support existed, it may proceed with the extradition request, because denial of the request may be seen in world forums, as well as in its domestic politics, as further evidence of that state's complicity. The UN sanctions against Libya in the wake of the Lockerbie bombing, for example, stemmed not as directly from Libya's involvement in the bombing, as they did from Libya's refusal to extradite the alleged bombers to the United States or United Kingdom, in violation of Security Council Resolution 748. The significance of political considerations in such a calculus is emphasized by the fact that at the time the sanctions were promulgated, Libya, which had claimed to be willing to try the alleged culprits, had not actually violated the procedural terms of the Montreal Convention on the Suppression of Unlawful Acts Against Civil Aviation, which permits a signatory to extradite or try a suspect (although, of course, bombing a plane would, indeed, violate the convention).173
The ability of a victim state to gain custody of those who have attacked its systems from abroad is complicated by the collision of the longstanding international state system, the international nature of networks, and the relative historical novelty of computers and networks. For a country to apprehend an alleged criminal in a foreign country and transport the culprit to the requesting country for trial, certain conditions must exist. First, an extradition treaty must bind both countries, as there is no underlying right of extradition under international law.174 Extradition treaties may be bilateral or multilateral, and they may apply to a broad range or to discrete categories of offenses.175
Second, the requesting country must have jurisdiction to prescribe the activity for which it seeks extradition; in other words, it must be within the power of the state to apply its laws to the relevant conduct. States base their claims to jurisdiction over criminal suspects on five general theories: first, and most simply, the territorial theory, by which states claim jurisdiction over those who act within their territories; second, nationality, by which states claim jurisdiction over their nationals; third, protective, by which states claim jurisdiction over those whose activities threaten their security or vital interests; fourth, passive personality, by which they claim jurisdiction over those who might threaten their nationals, even if they are abroad; and fifth, universality, under which all states may claim jurisdiction over those who have committed certain universally condemned crimes, such as piracy.176 An extended discussion of prescriptive jurisdiction is beyond the scope of this report, but it seems obvious that an attack against U.S. systems would fall within U.S. prescriptive jurisdiction, even if its perpetrators were beyond the reach of U.S. authorities.177
Third, virtually all extradition treaties contain a "double criminality" requirement that mandates that the act that is the basis for the extradition request be an offense under the laws of both the requesting country and the one to which the request is directed.178 This requirement has been a significant obstacle to U.S. efforts to try those who have intruded into sensitive U.S. data systems. In the case of computer hackers from the Netherlands who broke into U.S. Navy and NASA systems during the Persian Gulf War, for example, Dutch concepts of privacy were such that the hackers' intrusion into sensitive systems was not yet considered a crime under Dutch law.179 Similarly, when Julio Caesar Ardita, a young Argentine, broke into computers containing sensitive information at the Naval Command Control and Ocean Surveillance Center, the Navy Research Laboratory, and Los Alamos National Laboratory, among others, the United States was unable to obtain his extradition, even though Argentine police cooperated with U.S. authorities, because Argentina's legal system, faced with new technology, had not yet classified such intrusions as criminal.180
The dual criminality requirement has, perhaps, also protected U.S. nationals who have been combatants in a different form of information conflict, namely the conflict surrounding the spread of U.S. popular culture. For example, when a Pakistani cleric recently reportedly asked the U.S. Department of State to extradite the entertainers Madonna and Michael Jackson because the lasciviousness of their performances violated Islamic law, the United States had no obligation to comply because, among other reasons, such violations of Islamic law are not criminal offenses in the United States.181
Lastly, most extradition treaties contain exemptions for "political offenses," although governments interpret that term differently. Some states will refuse extradition only where the crime for which extradition is sought is a "pure" political offense, one directed at a sovereign political institution, absent the elements of common crime. Others refuse extradition for offenses committed in connection with a political cause or national liberation struggle. Some other states require that the political elements of the offense predominate over the common criminal elements. Finally, the French interpretation of the political offense exception is broader; French courts tend to deny extradition when a state wishes to punish an offender for injuries inflicted upon that state.182 Whatever interpretation they embrace formally, many states will find rationales to deny extradition for those accused offenders whom they do not wish to extradite.
A country's extradition requests for those who have attacked it from abroad may fail for several reasons distinct from the aforementioned requirements. First, a country that supported an attack will have tremendous, obvious incentives not to extradite its agents and may take advantage of any loophole it can find. Such loopholes may include the requirements discussed above, as well as the prohibition in many countries' domestic laws against extradition of their own nationals. For example, in rejecting the U.S. and UK requests that it extradite the agents who were alleged to have carried out the Lockerbie bombing, Libya claimed that its law prohibited the extradition of its nationals and said that it planned to try them itself, fulfilling its obligations under the Montreal Convention.183
Second, as has apparently been the case with some terrorists, governments may reject extradition requests out of fear that the alleged criminals' colleagues will retaliate against them for their cooperation. In 1977, for example, France released Abu Daoud, the architect of the 1972 Munich Olympic massacre, despite efforts of the Federal Republic of Germany and Israel to obtain his extradition, apparently because it feared retaliation.184 Similarly, after two Germans were taken hostage in Beirut, West Germany used the political offense exception in its extradition treaty with the United States and released Mohammed Ali Hamadei, whom the United States had indicted for hijacking TWA flight 847 in 1987.185 Where information attacks with broad effects may be carried out from a distant sanctuary, the threat of such retaliation would appear particularly grave, especially for Western or other developed nations with significant dependence upon information infrastructures.
Third, the United States and other countries with advanced, vulnerable information infrastructures may exert diplomatic or other pressure to close some of the above loopholes, especially the failure of many countries' legal codes to recognize certain forms of computer intrusions as crimes. Nevertheless, potential incentives exist for countries to refuse to join any such formal or informal regime. First, of course, some countries may wish to use such intrusions or other attacks for their own political, economic, or other ends, and they may value maintaining that offensive capacity more than they do the incremental security that their systems would receive, particularly where their systems are poorly developed or relatively unimportant. Secondly, it is conceivable, although perhaps unlikely, that some nations may have ideological reasons to resist such rules, such as differing conceptions of privacy in electronic systems or data, or distrust of any system that would appear to preserve the advantages of the developed nations.186 Finally, and perhaps most disturbingly, countries may choose not to criminalize certain conduct as part of a development strategy. In what could be termed a form of "regulatory arbitrage,"187 nations that hope to improve their information technology development may permit the behavior of hackers or other attackers in the hope that they will relocate to these nations, bringing with them their technical expertise. Such countries may seek the skilled personnel either to deploy them against enemies or to build their own economy or infrastructure.
Although the concept of "regulatory arbitrage" may seem farfetched, it should not be dismissed out of hand. First, it seems likely that countries, as well as transnational criminal organizations and, perhaps, terrorist groups, have sought individuals or groups of foreign hackers to engage in espionage, crime, or other attacks and that such recruitment will occur in the future. During the 1980s, for example, the Soviet Union employed a group of West German computer hackers, who were eventually apprehended after they broke into a series of U.S. civilian and military computers in search of U.S. and NATO defense secrets.188 Second, "regulatory arbitrage" has taken place in other contexts. For example, in the wake of the U.S. military and diplomatic withdrawal after the Cold War, the Seychelles, hoping to attract foreign capital, enacted an Economic Development Act that granted citizenship and immunity from asset forfeiture or extradition to anyone investing at least $10 million in the islands.189 Closer to home, the legislatures of several U.S. states have, at times, engaged in a "race to the bottom," weakening their restrictions on the conduct of corporate officers and directors in the hope of attracting corporations to register in their respective states.190 States and countries have also given special incentives, reducing taxes and regulations or providing other benefits, in the hope of attracting business, including professional sports franchises.
Where a government refuses to extradite those responsible for attacks against another country, the victim state is not without recourse, although some options facing it may not be particularly attractive. First, of course, it may exert diplomatic, economic, or multilateral pressure against an uncooperative state, as has been the unsuccessful case with Libya after the Lockerbie bombing. Second, it may attempt to capture the alleged culprits and bring them back home for trial.
A government may contemplate abductions of criminal suspects from foreign lands when the urgent need to try the suspects outweighs the diplomatic and precedential costs of the abduction, and where such abductions do not violate the government's domestic law (if the government cares about such niceties). Abduction of suspects from foreign lands is not illegal under U.S. law, nor, at least, does it deprive U.S. courts of their ability to try abductees. In 1990, for example, after the Mexican government was unwilling or unable to extradite Dr. Humberto Alvarez-Machain, who had been indicted in a U.S. court for his role in the torture and murder of Enrique Camarena-Salazar, a U.S. Drug Enforcement Administration agent, U.S. agents abducted Dr. Alvarez-Machain and returned him to the United States for trial. The U.S. Supreme Court ultimately held that neither general principles of international law nor the terms of the U.S.-Mexico extradition treaty barred his prosecution, and that forcible abduction does not deprive a court of the ability to consider the case against the suspect.191 Eventually, though, charges against Alvarez-Machain were dismissed for lack of evidence.
Depending upon the language of the applicable extradition treaty, such abduction will not violate its terms and, under the maxim male captus, bene detentus, international law recognizes the right of a state to try a suspect, even where his capture was technically illegal.192 Nevertheless, agents operating abroad to capture suspects do violate the sovereignty of the countries in which they operate and risk punishment, perhaps for espionage or kidnapping, if they are apprehended by those countries' authorities. Furthermore, in the wake of the international and domestic furor that followed the abduction of Alvarez-Machain and the Supreme Court opinion permitting the abduction, such abductions seem likely to be extremely rare.
Responding to an "armed attack." Where a state can tie an attack to a foreign government, it may need to retaliate, either to terminate an ongoing attack or to prevent future attacks. The retaliating state would probably justify its retaliation as part of its right of self-defense as set out in Article 51 of the UN Charter. However, it is not obvious that Article 51 actually provides a basis for military action against a state conducting certain information attacks.
As discussed above, the peaceful settlement of disputes is one of the primary purposes of the United Nations Charter.193 The Charter forbids the threat or use of force by one state against the territorial integrity or political independence of another state.194 The only lawful use of force, besides collective action to enforce peace under UN auspices, is in individual or collective self-defense against "armed attack."195 As the International Court of Justice asserted in its opinion in the case of Nicaragua v. United States, states do not have a right of armed response to acts which do not constitute an "armed attack."196 A computer network-based attack, or one involving software weapons such as viruses, would not unquestionably qualify as "armed attack" under the UN Charter, and thus might not provide the international legal basis for a conventional, kinetic military response.
The UN Charter does not define "armed attack"; nor has the International Court of Justice (ICJ) laid out any comprehensive definition. To the extent that the term has been construed, it seems to include the use of armed forces, force, or violence, as well as interference with a nation's sovereign rights. Economic coercion does not constitute "armed attack" nor, for that matter, according to the ICJ, did the Nicaraguan Sandinista government's actions in providing sanctuary and support during the early 1980s to the rebels who fought the U.S.-backed government of El Salvador.197 Even actions using destructive physical force may not rise to the level of "armed attack." Despite repeated requests, the United Nations refused to recognize guerrilla and terrorist attacks by Palestinians against Israel during the late 1960s and early 1970s as armed attacks, rejecting the Israeli position that individual small attacks from bases in Lebanon should be considered on a cumulative basis, as parts of an "armed attack" justifying Israeli incursions into Lebanon.198
As discussion of such terms as "war," "aggression," and "force" have shown, it can be difficult to predict whether specific actions will be considered to be "armed attacks." Unlike the domestic criminal law, international law sets out no mandatory elements of "crimes," and any determination in such forums as the United Nations will be inherently political and diplomatic.199 Nevertheless, it appears likely that an "armed attack" would include some level of actual or potential physical destruction, combined with some level of intrusion into its target's borders, or violation of its sovereign rights. Figure 4 is a rough attempt to predict potential categorization of information warfare attacks.
Some attacks, such as aerial bombing strikes against a nation's military command and control centers, are highly likely to be considered "armed attacks," as they involve high levels of both intrusion and destruction. Other attacks, such as propaganda broadcasts, are unlikely to be considered "armed attacks," at least by relatively impartial world forums. Attacks such as computer intrusions or communications disruptions are much harder to characterize. It may be that increases in one variable may make up for limitations in the other. For example, computer intrusions for purposes of stealing data and to disrupt air traffic control may be equally intrusive, but the greater level of destruction and death that the air traffic control system attack may cause may make it more likely to be considered "armed attack" than would the data theft attempt. Furthermore, attacks that are sufficiently destructive may qualify as "armed attacks," no matter what their level of intrusion, and vice versa.
If a target country cannot characterize a computer attack against its information systems as an "armed attack," then it may not be able to respond to the attack with conventional, kinetic force, unless it wants to risk having its response considered the aggressive "armed attack" under Article 51. Presumably, a response in kind would not constitute "armed attack" if the original attack did not, but some potential information attackers, who may be able to hire from abroad the equipment and expertise they need for their attacks, may lack the information infrastructures to make them vulnerable to such attacks.
Proportionality. In addition to the United Nations' requirements that force be limited to a response to an armed attack, customary international law has developed requirements for retaliation. Such retaliation must be in individual or collective self-defense against an attack; it must be necessary to stop the initial, unjustified attack or to prevent further violations; and it must be proportional to the attack to which it is a response.200
The proportionality analysis applies in two ways. First, under the requirements of the jus ad bellum, the level of force of the response must be proportionate to that of the initial attack-a full-scale blitzkrieg across a broad front accompanied by aerial bombing would generally be disproportionate to a patrol's border raid, for example. Second, as in any other military action, the response must balance the damage it will inflict, especially to civilians, against the military objectives it is intended to accomplish.201
Just as it is not obvious that an information attack will be an "armed attack," it is not obvious what would be proportionate to such an attack, especially where the attack inflicts little or no physical destruction or loss of life. Where a computer intrusion disrupts or corrupts a database or denies service for important elements of the electronic infrastructure, inflicting great hardship on the target country, that country must determine what sort of response would be proportionate to the attack. In the absence of real physical destruction or death, such as by the crash of a passenger aircraft through manipulation of the air traffic control system, it is questionable that a conventional military attack would be proportionate. The use of force may be qualitatively distinct from other tools of coercion, as demonstrated by its inclusion in the UN Charter and the UN definition of aggression.202
If a conventional response is disproportionate to an information warfare attack, a response in kind could seem likely to be proportionate. However, such a response may require the use of neutral assets, such as networks owned by or passing through neutral countries and thus could run the risk of violating their neutrality.203 Perhaps more significantly, because of the limited infrastructure and resources necessary to conduct some information warfare attacks, and the potential expertise available for hire or ideological recruitment, an adversary who has attacked the United States or a similarly advanced country may lack sufficient targets for an information warfare response, or may have only targets that are too important to be retaliated against for anything other than a grave attack. It would seem inappropriate to cause aircraft to crash, for example, in retaliation for a limited disruption of a local telephone network, or an intrusion into a military computer.
It seems unlikely that the United States would refrain from traditional military retaliation where an information warfare response would be inappropriate overkill or ineffectual underkill. It also seems unlikely that international law would mandate such inaction. Assuming that an information warfare attack is an "armed attack," and an information warfare response were unavailable or excessive, then a kinetic response, appropriately calibrated, would seem proportional even if, as a general rule, the relevant form of information warfare attacks were considered distinct from violence.204 If the information warfare attack is not an "armed attack" justifying a military response under the UN Charter, then, aside from such measures as economic sanctions, the United States might then assert an underlying, inherent right of national self-defense, which predates and goes beyond the rights contained in Article 51 of the UN Charter,205 rather than suffering ongoing attacks stoically or petitioning the UN Security Council for help. In considering their responses to such attacks, policymakers must be aware that their actions may establish precedents that other nations may look to in similar circumstances, or draw upon cynically to excuse their behavior in dissimilar circumstances.
In sum, current understandings of "armed attack," as well as dissonance between international networks and the international system of state sovereignty, may complicate or hinder victims' efforts to respond to information warfare attacks. The United States may need to pursue international initiatives to change that understanding, as well as to alter nations' responsibilities, or lack thereof, to forego such attacks, prevent their occurrence, or to cooperate in defensive or law enforcement measures.
| Index | Acknowledgments | Preface | Executive Summary | Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4 | About the Authors | Endnotes |