Despite the contemporary nature of cyberspace, its virtual decentralization and ability “to be everywhere,” it is hard to believe that current construction of the international law is obsolete against cyber attacks or other types of violence in
211 Ibid., 44.
212 Fred Schreier, Barbara Weekes, Theodor H. Winkler,“Cyber Security: The Road Ahead,” The Geneva Centre for the Democratic Control of Armed Forces (DCAF), DCAF Horizon 2015 Working Paper No. 4, 39.
213 Gen. Larry D. Welch USAF (Ret.), “Cyberspace – The Fifth Operational Domain,” in “Challenges in Cyberspace,” Institute for Defense Analyses, Research Notes, Alexandria, VA, Summer, 2011, 2–3.
cyberspace. International society has already experienced other areas that under certain conditions have been similarly decentralized and of very contemporary nature like cyberspace. Here one may mention customs and treaties that regulate international commerce and business relations. Furthermore, international humanitarian law must be considered as an invention of recent past but its universal meaning has no expiration date as well as it is hard to undermine the universality of norms that are included in this law.214 Experts have focused their attention on international humanitarian law (IHL) in order to define a common legal basis acceptable to all international actors.
Even though IHL was generally developed in order to deal with kinetic conflicts, its tenets are helpful for defining cyber-attacks and thus cyber threats in general as armed conflicts. In the framework of IHL, cyber-attacks might be recognized as an instrument within an armed conflict that is comparable with other means of warfare capable of making individuals suffer and states unable to function.215 Legal experts, like Schmitt, have also addressed the issue of targets in cyber-attacks that make cyber threats even more dangerous and requiring greater necessity for strict legal regulations. Examples of such targets include critical infrastructure objects, state or privately owned, that are operating under computerized and automated systems, e.g., nuclear power plants, pipe lines, airport controls, dams, dykes, and other mechanisms that, in the case of an attack, might cause a number of casualties among populations.216 Thus cyber threats as part of cyber operations used for cyber-attacks separately or as part of bigger military or non-military operation represent a form of attack that is similar to kinetic attacks and causes of death or injury among civilians.217
The issue, however, is that cyber threats may not result in viable consequences of civilian casualties and destroyed infrastructure, as is the case in conventional or irregular warfare. In this regard, it is hard to apply IHL even in a case when the intent of the
214 Sean D. Murphy, Principles of International Law, 65–86.
215 Michael N. Schmitt “Wired Warfare: Computer Network Attack and jus in bello,” IRRC 84:846, (June 2002):
375.
216 Schmitt “Wired Warfare: Computer Network Attack and jus in bello,” 374; See also Michael N. Schmitt
“Cyber Operations and the Jus in Bello: Key Issues,” 94.
217 Schmitt “Cyber Operations and the Jus in Bello: Key Issues,” 94.
warring parties was not tracked to use cyber space in order to harm the opposite side.
Consequently, it is not possible to apply IHL in speaking about recognizable evidence that one or another type of warfare has injuries and damage to civilians, especially if the cyber-attack was directed at military or dual-use targets, not civilian.218 Yet, despite these existing caveats, IHL gives a “helping hand” to NATO, which needs a legal basis for taking a much stronger position against cyber-attacks and implementing more effective measures. Several arguments speak to this issue.
First, IHL is internationally recognized and has a prestigious codex of binding norms. Second, on the basis of IHL, in the future NATO along with other organizations has an opportunity to create new international circle of norms that would restrain anarchy in the cyber domain. Third, cyber-attacks represent a slippery slope because it is hard to define where military vs. civilian spaces start and end. These previously separated worlds are so interdependent and technically so connected that cyber-attacks, which at the start were directed toward military targets, could easily transform into an attack on civilian targets. The latter fall under IHL, giving a state or an organization such as NATO the jus in bello and subsequently jus ad bellum if considered an appropriate response to stop the violence.
Nevertheless, IHL does not solve the legal regime issue for cyber defense because it does not speak to cyber-attacks nor is it covered in the UN Charter. As a result, states that actively use cyber space for their rogue actions cannot be taken to trial or put under any kind of sanctions because of the high degree of normative interpretation. This does not only include the issue of the usually unknown sources of cyber threats, technological weaknesses, or political impotence. It directly refers to the issue that there still does not exist an international legal regime such as those that prohibit nuclear armament, the production of chemical and biological weapons, or other types of weapons of mass destruction, which is universally agreed on by not only NATO members but also
218 Ibid., 97–102.
worldwide among all UN members and non-state actors. Still, there is a political task on the one hand and a permanent tendency of growing cyber threats on the other, requiring quick and effective solutions from the Alliance now.
In sum, there are so many rules and norms that regulate cyber-crime on the national/state level attempting to regulate and prevent cyber threats that makes it for internationl level even more challening to create one common and universally binding regime:
There are divergent legal systems and laws relating to cyber-crime and cyber-security; some countries have no laws relating to cyber-crime or security legislation while others have relatively advanced cyber-security frameworks. There will always be the challenge of dual criminality issues between legal systems but without, at a minimum, an international framework to “track and trace,” there is little hope of catching the criminals.219
The common problem for both international and national levels is that they all deal with some specific part or detail related to violence in the cyberspace not whole domain all together or; international laws are too blurry to be applied. In most cases these are national criminal laws that deal with the cyber-crimes that are international by their nature.220 This unclarity challenges any real consenus on fundamental questions: what are cyber threats, what must be considered as cyber attacks and who must be considered as cyber threat actors as well as what kind of response state and/or non-state actors are allowed to take.