The Next Battlefield is in Cyberspace: Evaluating Cyberattacks under Article 51

Tyler VanderMolen
Vol. 42 Online Content Editor

In 2010 a malicious computer worm, now known as Stuxnet, infiltrated the supervisory control and data acquisition systems of Iran’s nuclear program, inflicting significant damage to its uranium enriching centrifuges.[1] In 2015, Russian hackers compromised the information systems of several Ukrainian energy companies and shut down the power grid, leaving nearly a quarter-million people in the dark.[2] And in 2019 a US Senate Intelligence Committee report concluded that Russia targeted the election infrastructure of all 50 states in the 2016 presidential election, and though it did not find evidence that any votes were changed, it determined that Russian cyberactors were in position to delete or change voter data.[3] Interstate conflict that once required the use of conventional weapons can now take place in cyberspace, posing challenges for a post-WWII legal order designed to deal with and prevent traditional armed conflict.  As cyberweapons become more sophisticated and available to a larger number of state and nonstate actors, it is essential to understand how cyberattacks fit into the existing legal framework.

At the very core of the international legal order is the UN Charter’s prohibition on the use of force in Article 2(4).[4] This prohibition has two critical exceptions: Article 42 permits the Security Council to authorize member states to use force “when necessary to maintain and restore international peace and security,” and Article 51 codifies the customary right to self-defense against an “armed attack.”[5]  Our focus is on the second of these exceptions, and we must seek to answer the question of when, if ever, a cyberattack can rise to the level of “armed attack.”  Relatedly, we must address the issue of state attribution, since the origin of a cyberattack is not always clear.

 

Cyberattacks as Armed Attacks

 

The UN Charter does not define “armed attack,” but ICJ jurisprudence offers some guidance.  The Nicaragua case sets out that an armed attack must rise to a certain “scale and effect,” thus excluding minor border incidents and, presumably, at least low-level cyberattacks.[6]  The critical point here is that the ICJ distinguished between the illegal “use of force” in Article 2(4) and “armed attack” in Article 51, indicating that an armed attack implies a greater level of gravity.  The international community has broadly agreed with this distinction.[7]

International law recognizes that at least some cyberattacks can rise to the level of an armed attack.  The principal criterion is that a cyberattack could be considered an armed attack under Article 51 if its effects are similar to those of traditional kinetic weapons.[8] The US Department of Defense Law of War Manual includes as examples cyber operations that would trigger a nuclear meltdown, open a dam above a populated area, disable air traffic control services, resulting in airplane crashes, or cripple the military’s logistic systems.[9]

Yet other cases are less clear.  Stuxnet, widely believed to be a US-Israeli cyberweapon, caused the breakdown of Iranian centrifuges with minimal kinetic damage and no known loss of life.[10]  Russia’s shutdown of the Ukrainian power grid certainly had physical effects, but likely posed a lesser degree of danger to civilians than would opening a dam or incapacitating air traffic control. An extensive election day attack on voting infrastructure that creates chaos at the polls or an assault on banking systems leading to a severe economic crisis remain in a zone of uncertainty.  The problem here is that “in a world of heavy economic, political, military, and social dependence on information systems, the ‘nonviolent’ harms of cyberattacks could easily dwarf the ‘violent’ ones.”[11]

The Tallinn Manual, considered the most comprehensive academic guide on how international law applies to cyber operations, articulates a majority view that operations that alter or destroy civilian data without generating physical consequences are not attacks.[12]  This would seem to exclude assaults on voter rolls and financial systems. Attacks like the one on Iran’s centrifuges or the Ukrainian power grid, however, seem to be in a gray area under this definition, and in the absence of specific treaty law states will likely evaluate them on a case-by-case basis. States may interpret these operations as illegal uses of force authorizing countermeasures short of armed self-defense, or alternatively as armed attacks if the effects are severe.

Determinations based on effects, however, may lead to inconsistency between states’ interpretations.  Scholar Michael Schmitt proposes an instrument-based model using seven factors – severity, immediacy, directness, invasiveness, measurability, presumptive legitimacy, and responsibility.[13] He argues that this framework hews closer to the instrumental approach envisioned by Article 2(4) and bridges the gap between the Charter and effects-based approaches.[14] An international treaty that defines when cyberattacks rise to the level of a use of force or an armed attack appears unlikely given the opposing interests of powerful states, and a strictly effects-based analysis seems certain to lead to unpredictable and haphazard interpretations.  Schmitt’s framework might then present a useful, if not fully determinative, set of organizing principles for the international community to use in evaluating cyberattacks going forward.

 

The Problem of Attribution

 

Attributing cyberattacks to states can be a challenging proposition for a number of reasons. First, the attacks themselves can be difficult to trace to their origin.  Unlike conventional forces using bombs and bullets, the perpetrators of cyberattacks may use secrecy to maintain plausible deniability.  Similarly, the perpetrators might not be state actors themselves, but rather nonstate entities operating with varying degrees of state consent and assistance. This is also true of conventional armed groups, but drawing a link between malicious actors and their state enablers can be even more difficult in the cyber context. In other cases, perpetrators might be rogue actors that the state is unaware of or cannot control.  All of this adds an extra layer of complexity to states’ analysis of their right to self-defense.

The International Law Commission has seemingly endorsed the attribution standard articulated in the Nicaragua case that the conduct of a nonstate actor may be considered the act of a state under international law if the person or group is acting on the instruction of, or under the direction or control of, that state.[15] If a private group of actors is employed or instructed by a hostile state to commit cyberattacks that rise to the level of armed attacks on foreign soil, the victim state may lawfully engage in self-defense.  More difficult are cases where nonstate actors are operating outside of state control.  A growing number of states have endorsed the use of self-defense when a nonstate actor undertakes an armed attack and the state in which the nonstate actor operates is “unwilling or unable” to prevent the attack.[16] Still, given the uncertainty around classifying cyberattacks as armed attacks and the difficulty of locating their exact source, it seems that states will be cautious in deploying self-defense outside of cyberspace in response to these attacks.

 

Stuxnet as a Case Study

 

Consensus has emerged that Stuxnet likely did constitute a use of force.[17]  Whether it rose to the level of an armed attack remains an open question. Applying the Schmitt framework offers some insight, while also revealing some of the framework’s shortcomings. The worm caused physical damage to a critical Iranian asset, though the damage was limited and does not appear to have resulted in any immediate harm to persons on the ground.  There was a direct causal connection between Stuxnet and the damaged centrifuges.  It was a significant intrusion of Iranian sovereignty.  It did not have presumptive legitimacy since it was not authorized by the UN Security Council and was not taken in self-defense.  Its consequences appear to have been measurable and identifiable, and its purpose and design strongly suggest state involvement.[18] Cutting in the opposite direction, the attack lacked immediacy since it took over 10 months to evolve.[19] And while presumptive legitimacy was not present, it is worth considering that Iran had been operating its centrifuges for several years in violation of multiple UN Security Council Resolutions and was already under sanctions by many countries.[20] Few in the international community publicly objected when Stuxnet was discovered.

Still, there are gaps in the framework. It gets us no closer to solving the problem of attribution, and in the case of Stuxnet the United States and Israel have formally denied involvement, even as anonymous officials have confirmed both countries’ role.[21] Attribution will likely remain a thorny issue when it comes to cyberattacks.  Moreover, it seems that Schmitt’s analysis runs the risk of being reduced to an effects-based model where a single factor – the severity of the consequences – becomes determinative by itself.  Lastly, Iran’s denial of any significant damage and failure to claim that it was subject to an armed attack complicate the analysis.[22] In Nicaragua, the ICJ wrote that “it is the State which is the victim of an armed attack which must form and declare the view that it has been so attacked.”[23] If Iran itself refuses to call Stuxnet an armed attack, it seems odd for the international community to do so, regardless of how it fits under the Schmitt framework. Given the difficulty of building an international regime to address cyberattacks, employing the Schmitt framework as a starting point while using a holistic view to evaluate issues like attribution might be the most broadly acceptable solution currently available.


[1] Kim Zetter, An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, Wired (Nov. 3, 2014), https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

[2] Andy Greenberg, How an Entire Nation Became Russia’s Test Lab for Cyberwar, Wired (June 20, 2017), https://www.wired.com/story/russian-hackers-attack-ukraine/.

[3] David E. Sanger and Catie Edmondson, Russia Targeted Election Systems in All 50 States, Report Finds, N.Y. Times (July 25, 2019), https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html.

[4] U.N. Charter art. 2, ¶ 4.

[5] Id. art. 42; Id. art. 51.

[6] Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, ¶ 190 (June 27).

[7] LENS Conference 2020, Michael Schmitt, Keynote: Offensive Cyber Operations, YouTube (Feb. 28, 2020), https://www.youtube.com/watch?v=Sf1qLnyC1x4&feature=youtu.be. (The notable exception is the United States, which rejects any difference between illegal uses of force and armed attacks.)

[8] Id.

[9] U.S. Dep’t of Defense, Law of War Manual ¶ 16.3.1 (2016).

[10] Kim Zetter, An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, Wired (Nov. 3, 2014), https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

[11] Waxman page 436

[12] Tallinn Manual, supra note 10.

[13] See Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT’L L. 885, 914-15 (1999).

[14] Foltz Page 41

[15] Nicar. v. U.S., 1986 I.C.J. at 181; Int’l Law Comm’n, Rep. on the Responsibility of States for Internationally Wrongful Acts, U.N. Doc. A/56/49, at 3-6 (2001).

[16] Elena Chachko and Ashley Deeks, Which States Support the “Unwilling and Unable” Test?, Lawfare, https://www.lawfareblog.com/which-states-support-unwilling-and-unable-test. (The United States has signed onto this position as grounds for its offensive action against ISIL and related groups in Syria.)

[17] Andrew C. Foltz, Stuxnet, Schmitt Analysis, and the Cyber “Use-of-Force” Debate, Joint Force Q., Oct. 2012, at 40, 44.

[18] Id. at 45.

[19] Id. at 44.

[20] Id. at 45.

[21] Ellen Nakashima and Joby Warrick, Stuxnet was work of US and Israeli experts, officials say, Wash. Post (June 2, 2012), https://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html?utm_term=.3283038083d7.

[22] Foltz, supra note 19 at 46.

[23] Nicar. v. U.S., 1986 I.C.J. at 182.

The views expressed in this post represent the views of the post’s author only.