Posted on 26 October 2016.
Photo Credit: Download Detector
On Friday, October 20th, malicious cyber attacks prohibited access to major websites like Twitter, PayPal, and Amazon in intermittent locations throughout the U.S. and abroad. Experts determined the attacks are the result of a virus that infected thousands of users’ internet-connected devices through webcams and video recording devices. This method of hacking is both complicated and sophisticated, which makes it difficult to prevent within the general population of internet product users.
While both the F.B.I. and the Department of Homeland Security announced investigations into the incident, public response to the attacks demonstrates mounting uneasiness about cyber security. Coming on the heels of the Democratic National Committee hacks this summer, Friday’s attacks raise questions about cyber security and the proper response by both national and international bodies. The Department of Homeland Security did issue a warning about the virus code last week, but this ultimately was not enough to remedy the security gaps in consumers’ devices. Some in the industry have assigned blame to the producers of such devices, but many now contend that the issue of cyber security is an international issue that must have an international solution.
Because cyber attacks of international scope are a relatively new phenomenon, the U.N. Charter does not explicitly provide for a procedure to address their consequences and effects. As such, it remains unclear what kind of responses to cyber attacks would be legal under international law. Most likely an issue of self-defense, article 51 of the U.N. Charter provides that, “Nothing in the present charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a member of the United Nations. . . .” Cyber attacks, however, are certainly not “armed” attacks in the traditional sense, so any retribution framed in terms of self-defense may not prove to be a successful argument under the Charter. As international law currently stands, cyber security suffers from a noticeable gap.
Governments could also seek to impose sanctions and countermeasures against the perpetrators of cyber attacks, but this strategy poses an additional issue. Because these attacks are designed to preserve the hackers’ anonymity, attributing the attacks to a foreign government is extremely difficult. Attributions would necessitate an investigation into the level of complicity the foreign government had in the individuals’ hacking efforts, which could range from explicitly contracting for their services or neglecting to shut down suspected offenders. Further, the possible development of automated or “robot” hackings make punishing even individual offenders a complicated affair.
Because cyber attacks are likely to only increase in severity and frequency as technology and hackers become more advanced, the international community may be forced to address the issue in setting a clear legal precedent for the aftermath of incidents like Friday’s blackout.
Jane Rugg is a 2L at the University of Denver Sturm College of Law, and she is currently the Event Coordinator for the Denver Journal for International Law and Policy.
Posted in 1TVFA Posts, 2Featured Articles, DJILP Staff, Jane Rugg
Posted on 09 April 2013.
Experts are focusing on new guidance for cyber warfare. (u-antiq-time.jp)
How should nations behave in the face of cyber attacks? Can you distinguish between civilians and combatants in cyberspace? Are the laws of war capable of guiding actions in the age of cyber conflict? The newly released Tallinn Manual addresses these and many other questions about modernizing international law to address cyber war.
The latest guidance on cyber warfare comes not from governments or treaties, but from a group of experts who researched and wrote for three years. Their efforts resulted in the guidelines that became the Tallinn Manual, released in late March. The authors worked for NATO’s think tank, the NATO Co-operative Cyber Defence Centre of Excellence, which requested the guidelines’ creation. The authors emphasize, however, that this manual is not an official NATO document and the guidelines do not have standing in a court of law. The authors believe these guidelines will be a reference for courts and military decision-makers or lawyers dealing with cyber attacks and their fallout. The manual’s name comes from Tallinn, Estonia – the nation’s capital and the location of the manual’s compilation.
The guidance is welcomed, but controversial: some worry that the guidelines give nations permission to execute hackers involved in cyber conflict. Michael Schmitt, lead author of the Tallinn Manual, clarified that a hacker would only be a target within the context of an armed conflict – “State A versus State B” – when that hacker was “directly participating in hostilities.” Within the cyber world, armed attacks are not clearly defined, but Rule 30 of the Tallinn Manual defines them as “[a] cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Situations like Stuxnet, the alleged cyber attack by the US and Israel against Iran, arguably falls within the definition of an armed attack or “act of force,” although other examples are unclear. The idea of an armed attack meshes with attacks coming specifically from certain countries. A Mandiant report released in mid-February traced attacks to Shanghai, prompting media and government claims that a Chinese military unit was attacking and spying on the US and other countries including Canada, UK, and Japan.
Laws of war apply even in the cyber context, meaning hospitals, power plants, including dams and nuclear power generators, and other sensitive civilian sites are off-limits for attacks. Some argue that cyber attacks (and espionage) have now risen above terrorism to become the primary security threat in the United States. The Tallinn Manual is timely because the law is struggling to catch up to the reality of cyber conflict. At the same time, the manual leaves many grey areas because it aims to be broad enough to encompass as many situations as possible. There are problems with accurate identification and attribution of cyber attacks, and there are problems dealing with non-combatants. The Tallinn Manual is a good first step toward meshing the laws of armed conflict with the realities of cyber attacks, and its publication begins the process of moving this conversation into a public and legal arena.
Kaiti Carpenter is a third-year law student at the University of Denver, and is a staff editor on the Denver Journal of International Law and Policy.
Posted in 1TVFA Posts, 2Featured Articles, DJILP Staff, Kaiti Carpenter