Current international laws surrounding warfare can be applicable to instances of cyber war, according to experts. However, concerns of attribution and automation can complicate the degree of response a nation is legally allowed to take.

“The problem is: What is the law?” said Michael Schmitt, chairman of the Stockton Center for the Study of International Law at the United States Naval War College and professor of public international law at the University of Exeter.

Schmitt and 20 other experts have spent the past six years analyzing the applicability of international law to cyber conflict in a study commissioned by the NATO Cyber Defense Centre of Excellence and titled the “Tallinn Manual Project.” Many nations, including the United States, have struggled with how to define a digital act of war, and what the response should be. Schmitt and his colleagues focused on what a nation-state could legally do in the event of a cyberattack by another country or non-state actor.

“We said you have four options in such cases,” said Schmitt. These options are self-defense, countermeasures, necessity, and traditional lawful responses.

Schmitt defined self-defense under Article 51 of the U.N. Charter, which states, “Nothing in the present charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a member of the United Nations.”

“We felt in our discussions that this was a very high threshold,” Schmitt said of determining whether a cyberattack constitutes an “armed attack.” He and his colleagues agreed that there would have to be significant physical damage or harm to citizens taking place to meet that definition.

Tom Wingfield, a professor of cyber law at National Defense University, listed seven characteristics that categorize a cyber event as a military attack: severity, immediacy, directness, invasiveness, measurability, presumptive legitimacy, and responsibility.

“If you look at any event […] and you look at these seven different facets, you can figure out if it is a military attack or something else,” Wingfield said.

The second option that nation-states have in responding legally to a cyberattack is to enact countermeasures.

“You break the law, and I get to break the law in response,” Schmitt said, explaining that this is only an option if the action is legally attributable to a state actor.

Wingfield added that the two biggest factors to consider in attribution of a cyberattack are a nation’s degree of certainty that another state was involved and the degree to which that state was involved.

“This is about getting the other side to knock it off,” Schmitt said, adding that the countermeasure does not have to be in kind, such as hacking the election systems of a nation that has hacked your election systems.

According to Schmitt, the third response option is that of necessity: “You can still strike back, if you don’t know who it is, if it impacts the essential interests of the state.”

Finally, if none of the previous requirements can be met, a state can respond with traditional lawful responses such as diplomacy and sanctions.

“What we found in our project is that the current law applies pretty well,” said Schmitt. “We may see a slow evolution in the law as states respond.”

Though current law can by and large apply to cyber actions taken by another country or non-state actor, Wingfield noted that the rise of autonomous robots and weaponry, which make life-and-death decisions without human involvement, can complicate legal understanding of responsibility.

“If I had to say what the next big thing is going to be, it’s going to be […] killer robots,” said Wingfield. “Whatever selects targets gets a huge amount of responsibility legally.”

He added that an understanding of the law would have to be included in the “killer robot’s” code, and that those in charge of the robot would have to remain responsible for its actions, whether or not they knew about them.

“If we start releasing autonomous lethal agents, what the commander should have known is how she is going to be judged,” Wingfield said.

Read More About
More Topics
Jessie Bur
Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.