What is not cyber warfare? Al-Qaeda terrorists fly two jetliners into the twin towers killing almost 3,000 people. An American plane flies over Hiroshima and drops an atomic bomb killing over 90,000 people. The Nazis force hundreds of thousands of people into gas chambers and kill millions of people. A group of soldiers execute hundreds of innocent people. A military releases poisonous gases upon opposing forces. All of these actions if committed constitute acts of war and war crimes (albeit some may argue that not all of these acts constitute war crimes). While the devil is in the details, the crux is that in all of these scenarios there is physical evidence: DNA, radiation signature, witnesses, bullets, and gas residue. In cyber warfare, what is the physical evidence? A binary string of 10101010 in the digital ether?
Since the establishment of the United Nations, wars of aggression have been outlawed, and multilateral conventions refer to "armed conflict" instead of "war." The word "cyber" does not appear in these texts or in the multitude of others that adjoin these legal frameworks. This is the time to promote legal scholarship that can aid the global community as a whole to address this new dimension of war. With the advent of cyber warfare the complexity of what is war is even more clouded and the application of law to this is even murkier.
Cyber warfare occurs when one country perpetrates a cyber attack against another country that would to the reasonable person constitute a state act of war. This is the time to encourage dialog to explore and define what constitutes a cyber attack and what constitutes a reasonable expectation of cyber-security.
Below are two of the hundreds of scenarios on which the law remains silent: Would a cyber-assassination by a foreign government constitute an act of war? Is a nation's cyber attack initiated in self-defense that results in the deaths of thousands of civilians an act of war? Is it a war crime?
The assassination by bullet of a foreign leader is an act of war and proving it is a matter of using the physical evidence to connect the dots. However, what about an individual working for a foreign government who attends a speech, say at the United Nations, and using a wireless device kills five world leaders by sending a signal to their pace makers or insulin pump, that tells the device to send a fatal dose.
In this scenario, a trail will be hard to find and even if found, it could be a plant, meaning spyware could have been used to put spyware on an unknowing attendee who by simply turning their phone to silent triggered the incident. This scenario, where five foreign leaders may have been assassinated by a foreign government, raises a slew of complex and new legal issues, such as: How do we prove a country was an actor? What evidence is needed to establish guilt? How does one acquire such digital evidence?
Another complex scenario, a foreign government defends itself (pre-emptively or post cyber attack) against a cyber attack and in defending itself retaliates in a way that results in massive civilian deaths. For example, say a foreign government is cyber attacked by several foreign governments that results in a nuclear powered aircraft carrier almost melting down, which if it had melted down would have killed thousands of civilians. As a defensive measure the attacked country responds triggering defensive digital counter cyber attack that results in the foreign governments' power grids going down, causing tens of thousands of civilian deaths. The origin of the power failure was the counter attack, but the fragile digital counter cyber attack that results in the foreign governments power grids going down, causing tens of thousands of civilian deaths. The origin of the power failure was the counter attack, but the fragile infra-structure, feeble cyber security, and the antiquated state of the power grid all contributed.
The aforesaid defensive scenario presents a slew of issues, including: whether a noon-lethal cyber warfare attack is a "use of force" that can be returned, or merely an act that violates international law.
Would the defensive counter measures constitute an act of war? Do they constitute war crimes against humanity? Who is to be held responsible? The computer programmers who wrote the code? The military project manager who oversaw the creation of the code? The commander who hit the button setting off the event? The hardware engineer who created the computers that enabled the attack? What constitutes an act of war is blurred? Moreover, establishing who is the perpetrator, or enemy, in a cyber warfare scenario is an even greater challenge.
As a cyber-security and legal professional where I am asked to bridge these realms I often find that many scenarios lack bright lines as in the examples above, which makes the legal realm even more complex.
As a bridge between these realms, it is apparent there is a vast divide between the cyber and legal realms. No one disputes that (1) the digital realm blurs the complicated and often confusing rules that govern modern day warfare and (2) the rules of warfare have changed and will continue to evolve. It is my belief that the threshold is shifting and thus mandates the need to redefine the act of war itself and the laws that govern the conflict.