AustLII Home | Databases | WorldLII | Search | Feedback

University of New South Wales Law Journal Student Series

You are here:  AustLII >> Databases >> University of New South Wales Law Journal Student Series >> 2021 >> [2021] UNSWLawJlStuS 28

Database Search | Name Search | Recent Articles | Noteup | LawCite | Author Info | Download | Help

Eliezer, Joseph --- "Cyberwar: A Critical Analysis Of Schmitt And The Tallinn Manual" [2021] UNSWLawJlStuS 28; (2021) UNSWLJ Student Series No 21-28


CYBERWAR: A CRITICAL ANALYSIS OF SCHMITT AND THE TALLINN MANUAL

JOSEPH ELIEZER

I INTRODUCTION

‘Cyber activities have become an integral part of international relations’[1] and ‘[h]armful cross-border cyber operations, both by State and non-State actors, can jeopardize international stability’.[2] ‘The global community is fast becoming wired’[3] which has led to civilian and military cyber dependencies that expose ‘dangerous vulnerabilities exploitable by opponents’.[4] Moreover, cyber attacks targeting vulnerabilities of critical cyber infrastructure can be mounted with relative ease – ‘... jus ad bellum issues loom large’.[5]

The threshold jus ad bellum issue is whether a cyber attack can constitute a use of force under Article 2(4) of the UN Charter and under customary international law. The general consensus in cyberwar scholarship is that cyber attacks that amount to political and economic coercion would not constitute a use of force and hence are not covered under Article 2(4) whereas cyber attacks that cause physical damage or injury would. ‘Among the analytic frameworks developed to address this issue, one of the most enduring is the ‘Schmitt Analysis’’.[6] It was first proposed in 1999 and the framework has been used since then to assess whether or not a cyber attack could constitute a use of force.

However, the discussion is merely academic at this stage as ‘[s]o far, the vast majority of malicious cyber operations fall outside the scope of “force”’.[7] The Stuxnet worm cyber attack on Iranian nuclear facilities in 2010 is the first and perhaps the only real example of a cyber attack that targeted industrial systems in a manner that had the potential to cause physical damage.

This article distinguishes between various types of cyber attacks – cyber crime, cyber espionage and cyber warfare and looks at some of the major cyber attacks in the past including the Stuxnet worm. The article reviews the major milestones in the application of international law to cyber attacks, such as, the Schmitt Analysis, Tallinn Manual 2013 etc. focusing on the use of force. This article does not discuss cyber attacks that fall below the threshold of a use of force or the issues of sovereignty and intervention that are used to address them.

II TYPES OF CYBER ATTACK

A Cyber Crime, Cyber Espionage and Cyber Warfare

The term ‘cyber attack’ is often used ‘without clarifying what it is meant to include and exclude’.[8] ‘[I]t is all too clear that any cyber-intrusion, whether mundane or malicious, from a teenager, a criminal or a nation state, regardless of place of origin, is likely to be described as a cyber-attack’.[9]

‘If this generalized misuse and mischaracterization was merely the product of our media, it could be forgiven ... politicians, military leaders and NATO allies have consistently used ‘cyber-attack’ as shorthand for almost every event involving a computer intrusion’.[10] There are in fact different categories of activities taking place under the cyber attack rubric – cyber crime, cyber espionage or cyber warfare.

‘Cyber crime is simply committing crime via cyber means: usually theft or fraud or hacking’.[11] Cyber crime is covered under domestic laws and certain treaties, such as, the Council of Europe’s (COE) Convention on Cybercrime and ‘is the purview of law enforcement’.[12] Cyber criminality falls below the level of a ‘use of force’ in the jus ad bellum and hence the international law on the use of force or armed attack plays no role.

Cyber espionage involves cyber attacks that are carried out with the objective of obtaining information. Cyber espionage can be defined as ‘theft of classified national defense information and persistent and invasive economic espionage on a massive scale’. ‘[C]yber espionage does not rise to the level of a use of force due to the absence of a direct prohibition in international law on espionage per se’.[13]

Cyber warfare refers to a subset of cyber attacks that may rise to the level of a use of force; hence, only these are relevant to the use of force debate.

B Disruptive Cyber Attack Examples

In April 2007, Republic of Estonia suffered a distributed denial of service (DDOS) attack. The attack caused severe disruption due to Estonia’s heavy dependency on computer networks – ‘Estonia has one of the highest network saturation rates in the world’.[14] Given that the attack took place following the decision to move a Soviet-era memorial, political coercion appears to be the goal.

In 2008, when Russian forces invaded South Ossetia, Georgia suffered a similar DDOS attack that left it unable to communicate with the outside world over the Internet.

From a use of force standpoint, there are two issues that arise. First, the effect of the attacks was severe disruption to the target state and not physical damage; hence, the attacks were coercive in nature. Second, there is a problem of attribution which is an issue in all cyber attacks but particularly so in case of DDOS attacks. DDOS attacks involve taking over computers from around the world without the knowledge of their users to carry out the attack ‘making accurate attribution uniquely difficult’.[15] Article 2(4) of the UN Charter would only be applicable where the cyber attack can be attributed to a state.

C Cyber Attacks That Cause Damage

In 2010, a computer worm that came to be known as Stuxnet was discovered at Iran’s uranium enrichment plant in Natanz. The Stuxnet worm was designed to target gas centrifuges at the plant that were used to enrich uranium. It caused the rotor speed of the centrifuges to substantially increase then decrease.

While it is claimed that Stuxnet damaged up to 1,000 centrifuges[16], it appears that Stuxnet was never designed for the purpose of causing all out physical damage. Rather, the Stuxnet worm was a semantic attack, which is a discrete type of attack where the ‘... system under semantic attack operates and will be perceived as operating correctly, . . . but it will generate answers at variance with reality’.[17] ‘The Stuxnet attack described above was, in part, a semantic attack because the nuclear plant appeared to be operating normally even as it was malfunctioning’.[18] This suggests that ‘Stuxnet ... seemed to have as its goal the delay of the enrichment of uranium in Iran by manipulating the respective facilities.[19] Some legal scholars assert that the centrifuges were damaged and physical damage meant that the particular cyber attack constituted a use of force; however, the problem is that the actual extent of the damage is far from clear. ‘The exact impact of the Stuxnet virus has never been concretely identified’.[20]

The ICJ noted in Nicaragua: ‘it is the State which is the victim of an armed attack which must form and declare the view that it has been so attacked’.[21] ‘Although Iran has acknowledged the presence of Stuxnet in its systems, it has denied any significant damage resulting from the worm and it has never claimed that it was attacked. As U.S. Cyber Command’s top lawyer, Colonel Gary Brown, has commented: ‘Iran’s ‘non-position’ on the Stuxnet event has been frustrating to practitioners in the field of cyberspace ... Iran passed up its opportunity to complain of an unjustified attack’.[22]

Nevertheless, the Stuxnet worm did gain control over the centrifuges through the industrial controllers which marked an extraordinary development in the area of cyber attacks. ‘Stuxnet has been described as a game changer—the first digital ‘fire and forget’ precision-guided munition and perhaps the first peacetime act of cyberwar’.[23]

III CYBER SPACE – A FIFTH DOMAIN IN ARMED CONFLICT

‘Warfare traditionally functions in four domains – land, air, sea, and space – each of which is addressed by one of the full-time armed services. With the rise of cyber-warfare, strategists have identified a fifth domain: cyberspace. In response, the United States has created the U.S. Cyber Command, a subdivision of the joint services Strategic Command’.[24]

‘On 5 December 2005, the US Air Force Mission Statement was amended to read: ‘[t]he mission of the United States Air Force is to fly, fight and win ... in air, space and cyberspace’. The inclusion of cyberspace as a new – theatre of war reflects a revolution in military affairs that began in the 1990s and continues until today’.[25]

Cyberspace can be considered as part of the global commons. The US Department of Defense explains that ‘the global common consists of international waters and airspace, space and cyberspace’.[26] Despite this strong stance, ‘experiences with military operations in cyberspace so far are ambivalent’. Examples of cyber attacks in Estonia, Georgia and the Stuxnet worm have led to a situation where ‘opinions over the actual threat level of cyber operations are at a variance. While for some the threat level amounts to no more than an economic one, others rank it as a new kind of weapon of mass destruction or fear an ‘electronic Pearl Harbor’’.[27]

IV OVERVIEW OF EXISTING INTERNATIONAL LAW ON THE USE OF FORCE

The principles taken from customary international law, that is, from the jus ad bellum and jus in bello bodies of law has been incorporated into Articles 2(4) and 51 of the UN Charter respectively.

Article 2(4) of the UN Charter states: ‘All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any State, or in any other manner inconsistent with the Purposes of the United Nations’. ‘The prohibition is undoubtedly a norm of customary international law’.[28]

One of the purposes of the United Nations cited in Article 1(1) of the UN Charter is the maintenance of international peace and security. ‘Therefore, uses (or threats) of force which endanger international stability fall within Article 2(4)’s prescriptive envelope’.[29] That is, the use of force need not be restricted to a use of force against territorial integrity or political independence of the State. Also, ‘the mainstream view among international law experts is that the ‘other manner’ language extends coverage to virtually any use of force not authorized within the Charter’.[30]

There are two exceptions to the general prohibition on the use of force in Article 2(4): first, use of force authorized by the Security Council under Rule 18 of Chapter VII; second, self-defense pursuant to Article 51 and customary international law.

Article 2(4) is prohibitive and not remedial in nature – it ‘merely serves to render particular uses of force wrongful in the Charter scheme’.[31] The remedy in Article 51 is to the effect that the State has the right to self-defense in the case of an ‘armed attack’. However, the ‘use of force’ threshold in Article 2(4) is lower than the ‘armed attack’ threshold meaning that a use of force will not automatically authorize a response under Article 51.

V MILESTONES IN APPLICATION OF INTERNATIONAL LAW TO CYBER OPERATIONS

‘Cyber operations began to draw the attention of the international legal community in the late 1990s’.[32] The first major legal conference on the subject was held only in 1999 by United States Naval War College.[33] However, the application of international law to the subject posed many difficult questions.

The UN Charter was written at a time when the internet did not exist. This leads to obvious issues as ‘[q]uite clearly, Article 2(4) was never intended to address attacks against computer systems or the information resident on them’.[34] Article 2(4) was ‘considered anachronistic and demonstrates an ‘inability’ to protect states from new methods of warfare like cyber attacks ...’[35] ‘... [c]yberwarfare presents a unique challenge to traditional definitions of what constitutes a use of force’.[36] ‘The tools for analyzing conventional actions under Article 2(4) do not lend themselves well to IW [information warfare]’.[37] ‘In the context of cyber attacks, Silver refers to this as the ‘unsatisfactory reality’ of the situation’.[38]

But, with the threat of cyber attacks growing to the point where a cyber attack ‘against computers servers or information located on them can be just as destructive as an attack that produces physical damage’[39] clarification as to whether existing international legal framework could be applied to such attacks became a pressing matter and led to the development of cyberwar scholarship.

Several analytic frameworks were developed to address whether an action in cyberspace was a prohibited use of force under Article 2(4) of the UN Charter, that is, under jus ad bellum principles. One such framework was the ‘Schmitt Analysis’.[40] ‘Developed in 1999 by Professor Michael Schmitt, the Schmitt Analysis is one of the most academically rigorous and frequently cited frameworks for characterizing cyber operations’.[41]

‘In 2009, the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) in Tallinn, Estonia, invited a group of independent experts – the International Group of Experts (IGE) – on the law of armed conflict to produce a manual on cyber warfare’.[42] This led to the publication of the Tallinn Manual in 2013.[43] It is considered ‘an authoritative statement of international legal norms in cyberspace’.[44]

‘... the Tallinn Manual offers an indispensable resource for scholars, practitioners, and policy makers’.[45] ‘Although other perspectives may emerge to challenge the Tallinn Manual's legal conclusions, for scholars and others focused on cyberwar issues the Tallinn Manual is now the go-to resource on the law applicable to cyberwar’.[46]

The Tallinn Manual 2013 in turn, consulted the publicly available military manuals of Canada, Germany, the United Kingdom, and the United States as evidence of state practice.[47] The Tallinn Manual 2.0 published in 2017 built on the earlier work extending it to address cyber operations that fall below the threshold of the use of force.

‘In 2011, the United States set forth its position on the matter in the International Strategy for Cyberspace: ‘[t]he development of norms for State conduct in cyberspace does not require a reinvention of customary international law, nor does in render existing international norms obsolete. Long-standing international norms guiding State behaviour – in times of peace and conflict – also apply in cyberspace’ but additional work is needed ‘clarify how these norms apply’.[48]

VI DOES THE PROHIBITION ON THE USE OF FORCE APPLY TO CYBER WARFARE?

A The ‘Schmitt Analysis’ Approach

In a seminal paper in 1999, Schmitt highlighted the seriousness of the cyber threat and the need for a normative framework to address computer network attacks (CNA).[49] The approach was to apply the existing law to cyber attacks but the meaning of the term ‘force’ in Article 2(4) was contentious.

‘After categorizing cyber attacks as either a use of force or an act of coercion Barkham explains that the Charter, through Article 2(4), bans the use of force, but acts of coercion do not violate international law because they are not uses of force’.[50] As per Schmitt ‘... analysis based on both UN Charter travaux and text leads to an interpretation excluding economic, and for that matter political coercion from Article 2(4)’s prescriptive sphere’.[51]

Given this interpretation, it then becomes necessary to distinguish between cyber attacks – those that amount to economic and political coercion from those that amount to a use of force. To aid in that goal, Schmitt proposed six factors[52] that States can consider to assess a cyber attack. This analytic framework proposed by Schmitt has come to be known as ‘Schmitt Analysis’ and has been referred to and used by cyber war scholars since then.

Hathaway et al state: ‘Professor Michael Schmitt, the best-known proponent of the effects-based approach for determining when a cyber-attack should be considered an armed attack, argues that a cyber-attack's effects should be measured by reference to six factors: (1) severity: the type and scale of the harm; (2) immediacy: how quickly the harm materializes after the attack; (3) directness: the length of the causal chain between the attack and the harm; (4) invasiveness: the degree to which the attack penetrates the victim state's territory; (5) measurability: the degree to which the harm can be quantified; and (6) presumptive legitimacy: the weight given to the fact that, in the field of cyber-activities as a whole, cyber-attacks constituting an armed attack are the exception rather than the rule’.[53] The list of factors is not exhaustive.[54]

Folz referring to Schmitt Analysis states that: ‘It consists of seven factors (severity, immediacy, directness, invasiveness, measurability presumptive legitimacy, and responsibility) that states can consider in assessing whether a cyber activity amounts to a use of force’.[55] ‘According to Professor Schmitt, evaluating these factors is an imprecise and subjective endeavor. The factors are useful, but not determinative, and they should not be applied mechanically. Rather, they need to be applied holistically according to the relevant context; i.e., which factors are important and how they should be weighted will vary on a case-by-case basis’.[56]

Foltz went on to apply the Schmitt Analysis to the Stuxnet worm and concluded that: ‘On balance, the Schmitt Analysis suggests most states would characterize Stuxnet as a use of force. The worm was highly invasive, caused direct and measurable physical damage, lacked a clear presumption of legitimacy, and it bore the markings of a state-sponsored operation’.[57]

B Position Adopted in the Tallinn Manual 2013

The Tallinn Manual 2013 aims to address the normative ambiguity arising out of two extreme positions on the law of armed conflict – that it applies to ‘any use of force, regardless of the weapons employed’ as per the ICJ in Nuclear Weapons Advisory Opinion (para 39) or the Permanent Court of International Justice’s pronouncement that acts not forbidden in international law are generally permitted.[58]

‘The threshold questions are whether the existing law applies to cyber issues at all, and, if so, how’.[59] ‘The legality of cyber intelligence activities is examined only as they relate to the jus ad bellum notions of ‘use of force’ and ‘armed attack’ or as relevant in the context of an armed conflict governed by the jus in bello’.[60] ‘The Tallinn Manual provides a thorough and careful analysis of how the jus ad bellum and jus in bello translate to cyberspace’.[61] It ‘sets out ninety-five black-letter rules and accompanying commentary’.[62] Rules 10 to rule 12 address the prohibition on the use of force.

Rule 10 of the Tallinn Manual states: ‘A cyber operation that constitutes a threat or use of force against the territorial integrity or political independence of any State, or that is in any other manner inconsistent with the purposes of the United Nations, is unlawful’.[63]

This is an interpretation of Article 2(4) of the UN Charter as it applies to cyber operations. The accompanying commentary clarifies the following aspects of Rule 10: [64]

• The Rule would apply to any state regardless of whether the ‘action qualifying as a ‘use of force’ is undertaken either by the armed forces, the State’s intelligence agencies ‘or by a private contractor whose conduct is attributable to the State based upon the law of State responsibility’.

• It would also apply to non-member States because Article 2(4) and therefore Rule 10 ‘extends to non-member States by virtue of customary international law’.

• Cyber operations that do not rise to the level of a use of force are not covered by Article 2(4) and therefore, by Rule 10.

In Nicaragua, the ICJ found that arming and training a guerilla force that is engaged in hostilities against another State qualified as a use of force.[65] The question arises whether this concept can be extended to cyber attacks and whether an analogous conclusion can be made where cyber attacks are involved. The IGE majority agreed that ‘the provision of sanctuary coupled with other acts, such as substantial support or providing cyber defenses for the non-State group, could, in certain circumstances be a use of force’.[66]

Rule 11 provides a definition of use of force in the following terms: ‘A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force’.[67]

In formulating the above rule, the IGE noted that the ‘The UN Charter offers no criteria by which to determine when an act amounts to a use of force’.[68] But, while there is no definition of what constitutes a threat or use of force, there is agreement that coercive operations are not uses of force. ‘... mere economic or political coercion’ does not constitute use of force.[69] The is because the UN Charter was drafted in that way and the idea that use of force should include ‘all forms of pressure including those of a political or economic character ...’ was twice rejected – first, in 1945 at UN Charter drafting conference and then in 1970 at the General Assembly’s Declaration on Friendly Relations.[70] Hence, the conclusion that ‘... non-destructive cyber psychological operations intended solely to undermine confidence in a government or economy do not qualify as uses of force’.[71]

Rule 11 essentially relies on the ‘scale and effects’ test, that is ‘any cyber operation which rises to the level of an ‘armed attack’ in terms of scale and effects ... and which is conducted by or otherwise attributable to a State, qualifies as a ‘use of force’’.[72] This test was applied in the Nicaragua Judgment in the context of Article 51.

In that case, the International Court of Justice stated that ‘scale and effects’ are to be taken into account when determining whether particular actions amount to an ‘armed attack’. ‘Scale and effects’ is a shorthand term that captures the quantitative and qualitative factors to be analysed in determining whether a cyber operation qualifies as a use of force’.[73] The IGE then proposes a number of factors that States or the international community can take into account to assess whether or not a cyber operation is a use of force. The factors include those proposed in the Schmitt Analysis discussed above plus further two factors – military character and state involvement.[74]

Rule 12 defines a threat of force in following terms: ‘A cyber operation, or threatened cyber operation, constitutes an unlawful threat of force when the threatened action, if carried out, would be an unlawful use of force’.[75]

A threat to use force may be lawful, that is, a use of force that is permissible under law. For example, ‘it would be lawful to threaten that a State will defend itself forcefully if attacked’.[76] The ICJ in Nuclear Weapons Advisory Opinion para 47 stated: ‘If it is to be lawful, the declared readiness of a State to use force must be a use of force that is in conformity with the Charter’.

C German Federal Government Position

On 5 March 2021, German Federal Foreign Office, Ministry of Defense and Ministry of the Interior released a position paper on Germany’s stance on the role of international law in dealing with cyber attacks.[77] ‘The inter-ministerial document stipulates Germany’s views on the rules regulating state activity in cyberspace in a concise, well-founded and comprehensive manner. For this, Germany has been applauded by leading scholars in the field’.[78] The paper refers extensively to Tallinn Manual 2.0 which was the follow-on project[79] to Tallin Manual 2013 and was published in 2017.

Acknowledging cyber networks ‘has created new vulnerabilities’ and that ‘[i]n cyberspace, only limited resources are often needed to cause significant harm’, the paper reaffirmed Germany’s position that ‘international law, including the UN Charter and international humanitarian law (IHL), applies without reservation in the context of cyberspace’.[80]

The following are the key points underlying Germany’s stance on jus ad bellum and the use of force.

• While ‘the vast majority of malicious cyber operations fall outside the scope of ‘force’ ... cyber operations might in extremis fall within the scope of the prohibition of the use of force and thus constitute a breach of art. 2 para. 4 UN Charter’.[81]

• As per the ICJ in Nuclear Weapons opinion, Charter provisions ‘apply to any use of force, regardless of the weapons employed’.[82]

• In defining ‘use of force’ the ‘emphasis needs to be put on the effects rather than on the means used’.[83]

In regard to cyber attacks and the prohibition on the use of force, Germany’s stance is to use the scale and effects approach. ‘Germany shares the view expressed in the Tallinn Manual 2.0: the threshold of use of force in cyber operations is defined, in analogy to the ICJ’s Nicaragua judgment, by the scale and effects of such a cyber operation’.[84] ‘[A]ssessments are conducted on a case-by-case basis by reference to various qualitative criteria’.[85]

Three of the qualitative criteria relied on to assess the scale and effects of a cyber operation are the same as the ones proposed in Schmitt Analysis and repeated in Tallinn Manual 2013 and 2.0: ‘the severity of the interference, the immediacy of the cyber operation’s effects, and the degree of intrusion’. In addition, the paper proposes a fourth: ‘the degree of organization and coordination of the malicious cyber operation’.[86]

VII ISSUES IN APPLYING INTERNATIONAL LAW TO CYBER WARFARE?

A No Treaty on Cyber Operations

Whether or not a cyber attack constitutes a use of force is only one of the many concerns that arise in relation to cyber operations. Majority of the cyber attacks fall below the level of force and are more appropriately dealt with international law dealing with sovereignty and non-intervention principles and domestic legislation dealing with cyber criminality, espionage etc.

‘[T]here have been sustained calls that a ‘new, comprehensive legal framework is needed to address cyber attacks’’.[87] ‘In particular the call has been for an international treaty, similar to the Outer Space Treaty 1967 or the UN Convention on Law of the Sea 1982, which would regulate the use of computer technology and, specifically, prohibit hostile attacks against computer servers or the information resident on them’.[88] But, ‘[t]he agreement and implementation of an international treaty...seems unlikely’.[89]

However, the preceding review suggests that the application of the UN Charter and jus ad bellum and jus in bello to cyber warfare is sound and therefore there is no need for a new treaty or changes to treaty arrangements at least on those issues. Another proposal is that ‘Article 2(4) needs to be subject to an ‘interpretive reorientation’,[90] dilating its scope in order to encompass cyber attacks which, although not producing physical damage, nevertheless have a destructive impact’.[91] ‘[H]owever, dilation of the term ‘force’ within Article 2(4) either by way of treaty reform or state practice is unlikely. No reform to the text of the UN Charter has ever been agreed and State practice in the context of applying Article 2(4) to cyber attacks is far from consistent’.[92] This approach relies on interventions which is again outside the scope of Article 2(4).

B Disagreement on Some Issues

‘Despite numerous attempts to do so, i.e., the Tallinn Manual and, the Schmitt Analysis, there is no solid, international consensus when a cyberintrusion equals a use of force or armed attack to be considered an actual cyber-attack. Although the Schmitt Analysis is widely accepted, it fails to address certain key areas and lacks consistent uniformity’.[93] ‘Cyber is still too new for customary international law to have fully developed. It will take many more years to develop’.[94]

While there is consensus that Article 2(4) prohibits only armed force, ‘[w]eaker states and some scholars have argued that Article 2(4) broadly prohibits not only the use of armed force, but also political and economic coercion’.[95]

C Views of Some States is Unknown

The challenge for leading publications in cyber warfare, such as, Tallinn Manual 2013 and the views expressed in them ‘is whether non-NATO states, experts, and commentators will agree in substance with the Tallinn Manual or be willing to rely on it’.[96] ‘The drafting process may have inadvertently hampered the prospects for broad geographic acceptance of the resulting product. All of the Tallinn Manual's drafters, technical experts, and observers hail from the United States, Western Europe, or Australia (pp. x-xii)’.[97] ‘[T]he Tallinn Manual's reliance on the Western and NATO-centric perspectives of its drafters may hamper its acceptance in countries, such as China and Russia, that espouse very different visions for cyberspace’.[98]

‘Moreover, the selection of national military manuals from Canada, Germany, the United Kingdom, and the United States as reference materials does nothing to dispel the perception that the Tallinn Manual is channeling, even though not officially representing, a particular worldview with respect to the laws of armed conflict (p. 8)’.[99]

‘[S]tatements about the IGE's unanimity, such as that the group was ‘unanimous in its estimation that both the jus ad bellum and jus in bello apply to cyber operations’ (p. 5), may not reflect worldwide unanimity on such issues’.[100]

D Non-State Actors

All cyber attacks are secretive which leads to the problem of attribution. It is important ‘to assign the attack to an author against whom self-defence action will be taken’.[101] While self-defense is not discussed here, attribution is uniquely difficult in case of cyber attacks and hence must be mentioned.

‘Three particular characteristics of cyberspace make attribution extremely difficult. The first is 'anonymity' in that cyber attackers can hide their identity; the second is the possibility of launching multi-stage cyber attacks, in that a number of computers operated by different people and placed in different jurisdictions are infiltrated before an attack is launched; and the third is the speed with which a cyber attack can materialize’.[102]

The above problem is further compounded by the fact that many cyber attacks originate with non-state actors. All of these issues ‘makes the eventual identification of the physical operators of the computers and, above all, of the coordinators or real masterminds behind the attack, very difficult’.[103]

While a State will be liable for tolerating non-state actors that launch cyber attacks against other states, there is considerable difficulty in obtaining and presenting such evidence.

E Cyber Threat is an Evolving Threat

The preceding review highlights the need to collaborate with cyber-physical researchers so that legal researchers can get to understand the facts of a cyber attack better! This is important because it can assist in the legal analysis or assessment of the cyber attack or evaluation of the attribution evidence and could possibly lead to different conclusions.

For example, severity is the most decisive factor in the Schmitt analysis and involves asking questions, such as, ‘How many people were killed? How large an area was attacked? How much damage was done within the area?’[104] If the damage is not known, then it is not possible to make an assessment as to the severity of the attack which would create doubt whether the cyber attack has crossed the use of force threshold. For example, cyber war scholarship relies heavily on the Stuxnet worm. However, the treatment of the Stuxnet worm in legal articles appears to be simplistic or more seriously may not be accurate.

The following is a paraphrased extract from the account of a virus/cyber-physical expert, Ralph Langner (who received worldwide recognition for his analysis of Stuxnet malware), regarding the Stuxnet worm:[105] There were two iterations of the attack – one in 2008 and then in 2010. In the first instance, the malware was designed to damage centrifuge rotors by increasing gas pressure in the centrifuge; in the second case by spinning up the rotors to high speed and then decreasing speed to minimal. In both cases, the malware then restored normal pressure and speed, that is, the attackers went out of their way to avoid catastrophic damage. It would have been much simpler in the first case to let the pressure in the centrifuge to increase to triple point – the pressure at which gas in the centrifuge solidifies. That would have destroyed the centrifuges instantly but that was not the goal of the attack. In the second case, raising and decreasing the speed of the centrifuge rotors would have been very much noticeable to the operators due to the high and low-pitched sound respectively of the rotors. That is, the attack had turned into a prank.

A legal article in the preceding discussion picked up on the fact that there was a previous attack in 2008: ‘The seeds for this attack were apparently sown well before 2010. The worm was first detected in 2008’.[106]

A couple of articles considered the possibility that the threshold may not have been crossed: ‘If ... the computer virus prevented the centrifuges from rotating at the correct speed and that this in turn prevented the uranium from being enriched, the Stuxnet attack cannot be regarded as an unlawful use of force because no damage to physical property was caused’.[107]

Another reason why collaboration is so important is because cyber-physical researchers are better placed to evaluate the evolving risk of cyber attacks. However, in the case of Stuxnet, even predictions from this side appear to have been wrong: ‘In the ten years since Stuxnet was uncovered ... [t]he simple fact is that we didn’t see disastrous cyber-physical attacks against critical infrastructure, manufacturing plants, or terrorist targets such as nuclear power plants and chemical facilities. Not one’.[108]

VII CONCLUSION

Cyberwar scholars, the IGE and the Tallinn Manual have been excellent in showing how existing law could be applied to cyber warfare. The position in the publications discussed is widely accepted and the disagreements do not detract from the overall work. Issues, such as, the lack of specialized treaty or the fact that some States may disagree is unlikely to have any adverse impact on this body of work.

If there is any weakness though, it lies not in the legal treatment but in the factual treatment of cyber warfare.

The technical nature of the subject matter must be respected, perhaps even collaborating or referring to cyber-physical research, as this can lead to insights that are not otherwise possible. While the number of cyber attacks taking place daily is growing exponentially, a cyber attack that is in scale and effect, equivalent to a kinetic attack is clearly not a common event. It is only possible in hotspots between States like Israel and Iran for example. And a cyber attack equivalent in scale and effect equivalent to a kinetic attack would compel the target State to act; that is, it would lead to an immediate escalation of conflict – either an all-out kinetic war or a similar cyber attack in retaliation.

Hence, most cyber attacks lie deliberately below the use of force threshold; that is, most attacks will fall in the grey zone, such that the target State is not able to legally respond with force under international law. The description of Stuxnet by cyber-physical researcher Langner shows that it was designed to avoid catastrophic physical damage. This suggests that even Stuxnet was in fact an attack that fell in the grey zone.

While an application of Schmitt Analysis may lead to a conclusion that it amounted to a use of force, that conclusion is purely academic in nature. In theory, Stuxnet was a use of force, whereas in reality, despite the fact that it was highly intrusive, fell in the grey zone because the Iranians were able to ignore it – neither they reported any damage, nor did they make any complaint. Clearly, such an approach would have been untenable had Stuxnet caused the centrifuges to explode resulting in damage, death and chaos, which from Langner’s description it was clearly able to do.

Nevertheless, Stuxnet has shown that cyber-physical attack causing catastrophic damage is possible. There are grave concerns in military circles regarding the vulnerability of defense networks, critical infrastructure, etc. Some day such an attack may materialize, the target State may retaliate, all-out conflict may follow. The international community is ready and well-placed to evaluate the legality of these events if and when they do happen thanks to the work of cyber scholars discussed in this article.


[1] German Federal Foreign Office and German Federal Ministry of Defence, ‘On the Application of International Law in Cyberspace’, Position Paper, 2021 (‘Germany Position Paper’).

[2] Ibid.

[3] Michael N Schmitt, ‘Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework’ (1998-1999) 37 Columbia Journal of Transnational Law 885, 886.

[4] Ibid 888.

[5] Ibid 899.

[6] Andrew C Foltz, ‘Stuxnet, ‘Schmitt Analysis,’ and the Cyber ‘Use of Force’ Debate’ (2012) Air War College Air University.

[7] Germany Position Paper (n 1) 6.

[8] Oona A Hathaway et al, 'The Law of Cyber-Attack' (2012) 100(4) California Law Review 817, 822.

[9] James E McGhee, 'Hack, Attack or Whack; The Politics of Imprecision in Cyber Law' (2014) 4(1) Journal of Law & Cyber Warfare 13, 14.

[10] Ibid 15.

[11] Ibid 20.

[12] Ibid 17.

[13] Michael N Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press, 2013) 50 (‘Tallinn Manual 2013’).

[14] Richard A Clarke and Robert K. Knake, ‘Cyber War: The Next Threat to National Security and What to Do About It (2010) Journal of National Security & Policy 6, 13.

[15] Hathaway (n 8) 838.

[16] Foltz (n 6) 14.

[17] Hathaway (n 8) 828 quoting Martin C Lebicki, What is Information Warfare? (1995) 77.

[18] Ibid.

[19] Johann-Christoph Woltag, ‘Cyber Warfare’ ed Rudiger Wolfrum and Anne Peters, Max Planck Encyclopedias of International Law (August 2015) Oxford University Press citing K Ziolkowski ‘Stuxnet—Legal Considerations’ (2012) 25 Humanitäres Völkerrecht 139–47 and Johann-Christoph Woltag ‘Cyber Warfare: Military Computer Network Operations under International Law’ (Intersentia Cambridge 2014) 47-50.

[20] Russell Buchan, ‘Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?’ (2012) 17(2) Journal of Conflict & Security Law 211, 220.

[21] Foltz (n 6) 19 quoting Military and Paramilitary Activities in and against Nicargua (Nicaragua v. United States of America) (Judgment) [1986] ICJ Reports 14 (General List No 70, 27 June 1986) [195].

[22] Ibid 19-20 citing Gary D. Brown, ‘Why Iran Didn’t Admit Stuxnet Was An Attack’ Issue 63 (4th Quarter 2011) Joint Forces Quarterly 71.

[23] Foltz (n 6) citing Lukas Milevski, ‘Stuxnet and Strategy: A Special Operation in Cyberspace?’ Issue 63 (4th Quarter 2011) Joint Forces Quarterly 64 and Isaac R. Porche III, Jerry M. Sollinger, and Shawn McKay ‘A Cyberworm that Knows no Boundaries’ (RAND Occasional Paper 2011) 1.

[24] Hathaway (n 15) 827.

[25] Woltag (n 19).

[26] Buchan (n 20) 222 quoting US Department of Defense, ‘Strategy for Homeland Defense and Civil Support’ (Report/National Security Strategy Series, June 2005) 12.

[27] Woltag (n 19) citing S Shackelford ‘From Nuclear War to Net War: Analogizing Cyber Attacks in International Law’ (2009) 27 Berkeley Journal of International Law 192–251.

[28] Tallinn Manual 2013 (n 13) 45.

[29] Schmitt (n 3) 900.

[30] Ibid 901.

[31] Ibid 900.

[32] Tallinn Manual 2013 (n 13) 16.

[33] Ibid.

[34] Buchan (n 20) 213.

[35] Ibid.

[36] Ibid n [11] quoting Mathew Hoisington, ‘Cyberwarfare and the Use of Force Giving Rise to the Right of Self-Defense’ (2009) 32 Boston College International Comparative Law Review 439, 454.

[37] Ibid n [11] quoting Jason Barkham, ‘Information Warfare and International Law on the Use of Force’ (2001) 34 NYU Journal of International Law & Policy 56, 84, n [112].

[38] Ibid. quoting Daniel B Silver, ‘Computer Network Attack as a Use of Force under Article 2(4)’ (2002) 76 International Law Studies 73, 92.

[39] Ibid.

[40] Schmitt (n 3) 914-915.

[41] Foltz (n 6).

[42] Kristen E Eichensehr, ‘Tallinn Manual on the International Law Applicable to Cyber Warfare; Edited by Michael N. Schmitt’ (2014) 108(3) American Journal of International Law 585.

[43] Tallinn Manual 2013 (n 13).

[44] Ian Yuying Liu, ‘The due diligence doctrine under Tallinn Manual 2.0’ (2017) 33(3) Computer Law and Security Review 390.

[45] Eichensehr (n 43) 585.

[46] Ibid 589.

[47] Tallinn Manual 2013 (n 13) 21.

[48] Ibid 17-18 citing The White House, ‘International Strategy for Cyberspace’ (Report, May 2011) 9.

[49] Schmitt (n 3).

[50] Buchan (n 20) 212 citing Jason Barkham, ‘Information Warfare and International Law on the Use of Force’ (2001) 34 NYU Journal of International Law & Policy 56, 84 n [112].

[51] Schmitt (n 1) 905.

[52] Ibid 914-915.

[53] Hathaway (n 15) 847.

[54] Tallinn Manual 2013 (n 13) 52; Foltz (n 6) 12.

[55] Foltz (n 6) 12.

[56] Ibid.

[57] Foltz (n 6) 12.

[58] Tallinn Manual 2013 (n 13) 17.

[59] Ibid.

[60] Ibid 18.

[61] Eichensehr (n 43) 585.

[62] Ibid.

[63] Tallinn Manual 2013 (n 13) 45.

[64] Ibid 45-46.

[65] Ibid 48 citing Military and Paramilitary Activities in and against Nicargua (Nicaragua v. United States of America) (Judgment) [1986] ICJ Reports 14 (General List No 70, 27 June 1986) [195].

[66] Ibid.

[67] Ibid 47.

[68] Ibid.

[69] Ibid 48.

[70] Ibid. citing UN GAOR Special Committee On Friendly Relations, UN Doc A/AC.125/SR.110 to 114 (1970).

[71] Ibid.

[72] Ibid 49.

[73] Ibid 47.

[74] Ibid 49-52.

[75] Ibid 52.

[76] Ibid 53.

[77] Germany Position Paper (n 1).

[78] Florian Kriener, ‘Cyber Space, Sovereignty and the Intricacies of International Law-Making Reflections on Germany’s Position Paper on International Law in Cyberspace’ Voelkerrechtsblog (Blog Post 16 April 2021) <https://voelkerrechtsblog.org/cyber-space-sovereignty-and-the-intricacies-of-international-law-making/>.

[79] Michael Schmit, ‘Tallinn Manual 2.0 on the International Law of Cyber Operations: What It Is and Isn’t’ (2017) Just Security (Blog Post, 9 February 2017) <https://www.justsecurity.org/37559/tallinn-manual-2-0-international-law-cyber-operations/>.

[80] Germany Position Paper (n 1) 1.

[81] Ibid 6.

[82] Ibid. citing Legality of the Threat or Use of Nuclear Weapons (Advisory Opinion) [1996] ICJ Rep 226 [39].

[83] Ibid.

[84] Ibid.

[85] Michael N Schmitt, ‘Germany’s Positions on International Law in Cyberspace Part II’ Just Security (Blog Post March 10, 2021).

[86] Ibid.

[87] Buchan (n 20) 213-214 quoting Hathaway et al ‘The Law of Cyber-Attack’ (2012) 100 California Law Review 1, 5.

[88] Ibid 214 citing Davis Brown, ‘A Proposal for an International Convention to Regulate the Use of Information Systems in Armed Conflict’ (2006) 47 Harvard International Law Journal 179; Scott J Shackelford, ‘From Nuclear War to New War: Analogizing Cyber Attacks in International Law’ (2009) 27 Berkeley Journal of International Law 192.

[89] Ibid. citing Mathew C Waxman, ‘Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4)’ (2011) 36 The Yale Journal of International Law 421, 425.

[90] Ibid 213 citing Waxman (n 89) 437.

[91] Ibid.

[92] Ibid 214.

[93] McGhee (n 9) citing James E McGhee, ‘CyberRedux: The Schmitt Analysis, Tallinn Manual and US Cyber Policy’ (2013) 2 Journal of Law & Cyber Warfare.

[94] Ibid.

[95] Hathaway (n 15) 842.

[96] Eichensehr (n 43) 587.

[97] Ibid 587-588.

[98] Ibid 585.

[99] Ibid 588.

[100] Ibid.

[101] Nicholas Tsagourias, 'Cyber Attacks, Self-Defence and the Problem of Attribution' (2012) 17(2) Journal of Conflict and Security Law 229, 233.

[102] Ibid.

[103] Ibid.

[104] Tallin Manual 2013 (n 13) 51 n [114].

[105] ‘The Stuxnet Story’ Langner (Web Page 23 July 2020) <https://www.langner.com/2020/07/the-stuxnet-story>.

[106] Hathaway (n 15) 819 n [1].

[107] Buchan (n 20) 220 citing Johann-Christoph Woltag, ‘Computer Network Operations Below the Level of Armed Force’ (Conference Paper Series No 1/2011, European Society of International Law, May 2011).

[108] Langner (n 100).


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJlStuS/2021/28.html