As discussed above, international law has not yet resolved ambiguities over the characterization of information warfare activities, and must face a conflict between the international system of sovereign states and the realities of global networks. International law thus leaves space for the United States and others to conduct information warfare activities, perhaps even in peacetime, without significant legal repercussions. Conversely, international law may permit attacks against the United States, as well as exacerbate U.S. difficulties in responding to attacks against it, particularly in peacetime.
The legal status quo may appear satisfactory to U.S. policymakers. As the United States apparently leads the world in information warfare development, an international legal regime that permits information attacks can give it an advantage, allowing the United States to apply its technological strength to international conflicts in ways beyond the capacities of anyone else. In the absence of conclusive legal authority indicating, say, that particular information warfare attacks are "armed attacks," "aggression," or "force," the United States can act with some confidence that its acts will not be held to be so. Given its position in the world, the United States will have the opportunity to begin the state practice that can establish international norms and, perhaps, customary international law. To an extent, then, given the United States' voice in world politics and predominant military might, the United States is in the positions of legislator, sheriff, and (perhaps, to its adversaries) executioner, and it has a lot of influence over the judge.
Despite its freedom to act, the United States should not be sanguine about the state of international law. The "legislator, sheriff, and executioner" may all live together in a large glass house. Just as the United States can attack, it can be attacked, and its actions in conducting attacks may provide precedent for attacks against it and its allies. Furthermore, just as U.S. capabilities may outstrip those of its potential adversaries, so too may its vulnerabilities, as it is perhaps uniquely dependent upon its information infrastructure for both civilian and military needs. If only to increase protection for U.S. systems, then, certain nonexclusive legal, diplomatic, or policy initiatives may be appropriate.
A first approach would be to clarify the delineation of such terms as "armed attack," "force," and others, so that the status of information warfare attacks under international law is understood. Without knowing the extent of U.S. offensive capabilities or defensive vulnerabilities, it is impossible for us to judge the desirability of limiting information warfare.206 The United States might support restrictive definitions of those terms, so as to preserve its ability to use its technological advantages, to protect potentially desirable technological developments, and to encourage the use of nonlethal methods of conflict; or it might support broad definitions, to help reduce the lawful methods by which adversaries can exploit its vulnerabilities. Definitions that included nonlethal information warfare attacks within "war" or "force" could give civilians a measure of protection from such attacks during times of peace, as they would increase the diplomatic and political repercussions of such attacks. To protect civilian targets during wartime, the United States could pursue treaties or other international understandings that the financial or other intangible damages caused by certain types of nonlethal information attacks are, indeed, the types of injuries against which humanitarian law should protect noncombatants.
The United States may use several legal mechanisms to achieve the goal it chooses, ranging from a treaty setting out the circumstances in which certain types of information warfare are permissible, to silence on the subject to avoid hindrances on U.S. capabilities. Additionally, the United States could try to influence the development of customary international law regarding the appropriateness of information warfare. It may move for declarations of the UN General Assembly interpreting the Charter as it would apply to information warfare.207 U.S. statements of its views on the subject would have a significant effect both on the opinions of other states and, ultimately, the emergence of international norms regarding information attacks, or particular aspects thereof. Although customary international law traditionally evolved naturally from state practice over an extended period of time, states have recently pursued efforts to create customary law purposefully. Such efforts have been most visible in international forums, such as the General Assembly, which has passed declarations setting out world opinion as to the state of the law on such topics as the use of nuclear weapons, seabed mining, or the equation of Zionism with racism. 208
There is no reason, though, that an individual state could not set out to influence the development of customary legal norms, especially in an area such as information warfare, where that state leads the world in the development or application of the technologies and techniques to which these norms would be applied. U.S. efforts to draw world attention to dangers that information warfare poses could be counterproductive, however, as they might spur other countries' efforts to obtain or use information warfare weapons, and those countries may be suspicious of what they perceive to be U.S. efforts to protect its technological advantages or retard the development of others' capacities.
Second, to improve its defensive or responsive options, the United States could make efforts to reconcile the system of sovereign states with international networks, through promoting harmonization of laws and cooperation in investigation and prosecution of computer attacks. The first part of such a strategy would include diplomatic pressure and criminal justice advice and assistance to promote the criminalization of computer-based attacks in those nations that do not yet recognize such attacks as crimes, both to encourage other countries to discourage such behavior by individuals within their borders, and to enable extradition of offenders. Secondly, the United States could support the development of an extradition regime for criminal or terrorist computer attacks, obliging all countries to extradite or try those who have committed specified network-related crimes. Models for such measures could be drawn from the treaties executed in the 1960s and early 1970s to combat hijacking and other terrorism against civil aviation.209 The Montreal Convention on the Suppression of Unlawful Acts Against Civil Aviation, for example makes it an offense for anyone to destroy an aircraft, place a device likely to destroy an aircraft, destroy or damage air navigation facilities, or communicate information which he knows to be false, thus endangering the safety of aircraft in flight,210 and it obliges countries to extradite or try suspected offenders. Such agreements, along with diplomatic and other public statements relating to the criminalization of such attacks, could also contribute to the development of a norm that countries cannot support computer-based attacks in peacetime, or that they must cooperate in resisting such attacks. Given the United States' and its allies' ambiguous success in fighting international terrorism, it is obvious, though, that such agreements or norms would not be panaceas.
Third, just as the aviation efforts were incremental steps in the fight against terrorism, similar efforts could be made for the protection of particular information systems from dangers including crime, terrorism, war, or even natural disasters. Some systems may be so critical that countries can agree that they must be put off limits from attacks, or that all countries must cooperate to defend them. Systems that could be the subject of individual protection regimes include those involved in the command and control of strategic weapons, international financial transfers, individual financial markets or stock exchanges, telephone switches, emergency communications, rail transport, and medical databases.211 Such arrangements could be pursued under direct UN auspices, or as individual treaties in the context of existing institutions, such as the ITU, OECD, or ICAO, or even, perhaps the World Intellectual Property Organization (WIPO).
Along with providing legal bases for responses and countermeasures, incremental prohibitions against certain information warfare attacks could contribute to the development of broader international norms against such attacks, particularly in peacetime. In the context of nuclear weapons, in comparison, proclamations and regional agreements against the use of nuclear weapons contributed to the legal argument that the use of such weapons had become illegal, although the International Court of Justice did not ultimately embrace that argument.212
A fourth approach that has been suggested could be to pursue some sort of ban on information warfare attacks or control of the weapons of information warfare.213 Such an approach would seem to provide clear legal norms to guide future actions, and might seem particularly sensible if the United States were to determine that its vulnerabilities outweighed its technological advantages.
But such clarity would be illusory; the distinction between information warfare and traditional warfare is blurry, at best. An information warfare weapons ban would pose problems because not only do many information weapons have dual military and civilian uses, but their applications are predominantly civilian. Because of technological diffusion, the small size of much information technology, and its primary incorporation into consumer goods, an arms control regime would seem difficult to enforce. Furthermore, although arms controls and weapons bans have been applied to new technologies before they were widely used or their military ramifications understood, as in the bans on bacteriological weapons,214 hostile use of environmental modification techniques,215 and blinding laser weapons,216 it does seem premature to limit a weapon that promises to bring some measure of nonlethality to conflict, and in which the United States apparently holds an advantage in development. In any event, arms controls or warfare bans would not apply to the non-state actors, such as terrorists or criminal organizations, who would not be parties to the agreements and who may make up the gravest short-term information warfare threat. Such bans, then, would not eliminate the need for defensive measures, so countries might still need to explore offensive capabilities, if only to test their defensive measures adequately.
A final prospective course of action is to do nothing, or very little. Although international law does not now conclusively address the legality of many information warfare attacks or the appropriate responses to them, that has not been a grave problem yet, because the attacks, aside from some computer intrusions and crimes, have not been particularly serious. But as information technology continues to develop and diffuse, the danger of such attacks seems likely only to increase, as might the opportunities for U.S. offensive uses. If the United States needs to conduct such attacks, it will undoubtedly do so. If the United States is subject to attacks, it will respond. International law will address information warfare attacks in some way or another. It may be wise to address the legal issues that the United States will face in advance, rather than having to address them in the heat of an emergency, where inadequate legal institutions may reduce national options and precedents may be set by exigencies, rather than forethought.
Despite the apparent attractiveness of addressing the potential international legal issues arising from the development of information warfare technologies and techniques before the issues actually arise, it is important to remember (and easy for lawyers to forget) that law is no panacea. Even the wisest agreements and soundest legal analysis will not guarantee the safety of U.S. systems or the potency of U.S. offensive measures. Law can go a long way toward regulating nations' and individuals' behavior, and it can be an important part of diplomatic efforts both to alleviate conflict and to address its effects. At the same time, though, the development of advanced information warfare technologies and techniques and the continuing global diffusion of information technology illustrate the fluidity of the world that law attempts to govern. No law can change as swiftly as can technology; unless law is to somehow stop technology's seemingly inexorable worldwide progress, it cannot fully control the use of its fruits for warfare. Legal measures can thus supplement, but not supplant, vigilance, preparedness, and ingenuity.
| Index | Acknowledgments | Preface | Executive Summary | Chapter 1 | Chapter 2 | Chapter 3 | Chapter 4 | About the Authors | Endnotes |