Estonia claimed to be under attack last spring, but not by guns or bombs. This assault came in the form of data requests from more than a million computers. It overwhelmed the Baltic nation’s computer networks, crashing e-mail for its parliament, taking down emergency phone lines and freezing online services of government offices, banks, universities and hospitals. Estonia accused Russia of conducting a cyberwar in retaliation for a decision to move a Soviet-era war memorial. The Russian government denied involvement.
Likewise, last month when hackers somewhere in China infiltrated a U.S. Defense Department network, Chinese officials denied its army had any role. (British, French, German and New Zealand officials have complained of similar China-based hacking.) Though no one accused China of acts of war, both events revealed how the Internet is reshaping warfare.
The Internet creates real risks for societies dependent on information networks. Just last March, in an experimental cyberattack, researchers at the Department of Energy’s Idaho National Laboratory managed to make a generator self-destruct. So computer attacks don’t just threaten other computers but the larger infrastructure. Viruses could become as dangerous as missiles. At the same time, cyberattacks have the potential to minimize the costs of conflict in lives and dollars. Instead of demolishing an electrical grid, cyberattacks offer militaries the option of disabling it temporarily.
Although hotly debated in the ‘90s, discussions of cyberwar’s risks and potential had gone dormant since 9/11. But the Estonia event quickly put cybersecurity back on NATO’s agenda. And after the Defense Department breach, President Bush conceded the vulnerability of U.S. systems to cyberattack and the government’s need to develop defenses against them.
Countries must, however, do more than recognize cyberspace as a new battleground. They also need to know when and how they can deploy weapons. What are the rules of cyberwar?
For more than a century, nations have devised rules of international law, such as the Geneva Convention, which seek to avoid war or minimize human suffering when conflicts occur. And as new technologies emerge, nations have weighed whether to draft new rules, such as treaties restricting biological, chemical and laser weapons.
Governments and scholars have so far, however, resisted calls to craft new rules of international law to govern attacks on or by computers. Conventional wisdom suggests that the laws we have extend by analogy to cover cyberspace.
And they do. But serious “translation” problems make them ill-suited to the task. For example, the U.N. Charter clearly prohibits states from using force except in self-defense or with U.N. authorization. So does that ban Russia from computer attacks on Estonia? It might. Or is it a “use of force” only if the target is physically harmed? Or only if it leads to death and destruction? Or simply whenever the target is critical to a nation’s security? Similar uncertainties surround rules on neutrality and civilian distinction.
Such uncertainty can unintentionally escalate conflicts if participants have different interpretations of what’s permissible. Or states may shy away from cyberattacks entirely if they don’t know what’s allowed -- even in cases in which those attacks might cause less harm than the bombs they’ll use instead.
Existing laws of war also focus primarily on conflicts between nations. But 9/11 and the ongoing asymmetrical warfare in Iraq and Afghanistan underscore how insufficient that approach is. Cyberwar undoubtedly will attract groups like Al Qaeda; the technology is inexpensive, easy to use and can be deployed from almost anywhere. As the Russia-Estonia and China-U.S. cases show, it is also hard to pin the origins of a cyberattack on a country rather than on individual hackers.
When the laws of war don’t apply -- even by analogy -- an overwhelmingly complex set of other international and foreign laws kicks in. For example, assume the hackers in the Estonia case were indeed operating from Russia but had no ties to the government or military. Under existing rules, Estonia should respond by asking Russia to police its own territory. To counter-attack would violate Russia’s sovereignty. With new rules, however, nations could agree to waive sovereignty concerns and permit a direct response in certain cases, such as cyberattacks by terrorists that all nations might want thwarted.
The status quo presents dangers that countries need to stop ignoring. We need new rules of international law so military commanders can operate with greater certainty in cyberspace, and can use new cybertools in ways that reduce the collateral costs of conflict. War has entered the Information Age, and it’s time for international law to get a needed update.
Duncan B. Hollis is an associate professor of law at Temple University and a contributor to the international law blog Opinio Juris.