For almost two decades, military analysts have worried that foreign powers might use computer networks to inflict harm on the United States. Politicians quickly translated those concerns into warnings of a “cyber Pearl Harbor.” Almost as promptly, legal analysts began dutifully charting the limits on how we would fight the cyber war that might follow such an attack—if we chose to conform to the UN Charter and various post-war Geneva Conventions.
But cyber attacks are already a persistent and disturbing aspect of international relations in the twenty-first century. At moments of particular tension between hostile states, computer network attacks have been launched against national infrastructure, causing large-scale disruptions. It happened in Estonia in 2007, Georgia in 2008, and South Korea in 2011. Meanwhile, large and important American companies, including Google, Lockheed Martin, and RSA, have fallen victim to highly sophisticated, multi-stage attacks. These attacks appear to have been encouraged or aided by national governments seeking economic or strategic advantages. So-called “advanced persistent threats”—from highly skilled attackers with deep knowledge of the target—are a major headache for American companies.
So far, the United States government has responded with earnest but vague calls to strengthen international norms of good behavior in the cyber realm. Hostile forces are already probing our defenses and testing the limits of our patience. The Obama administration’s International Strategy for Cyberspace suggests the U.S. could retaliate with “military force”—implying that if there really is a devastating cyber attack, we might respond with conventional bombing.
As a general strategy, that has some obvious limitations. Would we actually risk war with China or Russia in response to a cyber attack? What if we traced the attack to a state that officially denied any role in it? What if American intelligence could not prove that the government of that state had condoned the attack? While it threatens military responses, the administration’s strategy document makes no mention of the possibility of responding to cyber attacks from foreign countries with counter attacks in the cyber realm.
Meanwhile, Congress—on its own initiative—enacted legislation that “affirms” that the Department of Defense, “upon direction of the President, may conduct offensive operations in cyberspace to defend our Nation, Allies and interests. . . .” This provision in the 2012 National Defense Authorization Act stipulates that such “offensive operations” are “subject to the policy principles and legal regimes that the Department follows for kinetic capability, including the law of armed conflict.” But it does not say whether other agencies of government can also undertake or sponsor cyber attacks—nor whether other agencies would be subject to the same “policy principles and legal regimes.”
There are good reasons for hesitation or equivocation. The world has never experienced a sustained conflict between major powers in cyberspace. We don’t know how far such a conflict might escalate or how easily it might trigger responses with more destructive weapons. We don’t know how third parties might react, or all the ways they might be affected. There are good grounds for assessing our options with caution, for not waving cyber swords at potential adversaries, for not trying to defend cyberspace with blogging-style bluster.
But some part of our current hesitation seems to reflect the influence of legal cautions that are not really appropriate. Stewart Baker, former Assistant Secretary for Policy at the Department of Homeland Security, warns that government lawyers have been “tying themselves in knots of legalese . . . to prevent the Pentagon from launching cyberattacks” so the Defense Department has “adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations.” Concerns about disrupting international law seem to be a major inhibiting factor in formulating a serious cyber strategy. Or perhaps, as Columbia University law professor Matthew Waxman has argued, appeals to international law limitations are simply convenient trumps for bureaucratic rivals to play against each other in the endemic turf wars of American security policy.
In exploring the options for dealing with a cyber attack from abroad, we should at least try to shake off the constraints of outdated or irrelevant legal norms. The UN Charter was designed to prevent another world war. Whatever benefits we have obtained from that framework over the past sixty years, the Charter regime has coincided with hundreds of small wars and a number of large wars to which the Security Council remained largely irrelevant. The post-war Geneva Conventions sought to repress the worst atrocities of the Second World War. Whatever their success in that respect, they have not been conscientiously observed even in conventional wars. It is highly unlikely that these arrangements—designed for military warfare in a far different world—will more effectively contain cyber conflicts today. We would do better to heed the words of our greatest wartime president, Abraham Lincoln: “As our case is new, so we must think anew and act anew.”
We do not argue that cyber conflict should be viewed as something so novel that it transcends all previous legal categories. To the contrary, past experience can be instructive in framing strategies and categories for dealing with cyber attacks. Cyber conflict bears some similarities to past methods of warfare and might be usefully regulated under legal categories used in international law in earlier times. But cyber conflict does not resemble the kinds of land-based military incursions that the drafters of the UN Charter and post-war Geneva Conventions were trying to control. When we look for legal categories for controlling cyber conflict, we need to look even farther back, to categories the framers of the U.S. Constitution would have recognized from their experience with warfare in the eighteenth century.
Jeremy A. Rabkin is currently a professor of law at George Mason University (GMU), where he teaches courses including ones on international law and the law of war. He holds a PhD in political science from Harvard University. Before coming to GMU in 2007, he taught for many years in the Department of Government at Cornell University. His most recent book is Law without Nations? (Princeton University Press).
Ariel Rabkin received his PhD in computer science from UC Berkeley in 2012, where he was advised by Randy Katz. His dissertation concerns making software systems easier to configure and manage; he is also interested in security and cloud computing. Rabkin obtained his bachelor’s degree in 2006 and his master’s in engineering in 2007, both from Cornell University.