
Defending America against Chinese Cyber Attacks


MELNITZKY_Note (Do Not Delete) 4/24/2012 2:53 PM

DEFENDING AMERICA AGAINST CHINESE CYBER ESPIONAGE THROUGH THE USE OF ACTIVE DEFENSES

Alexander Melnitzky*

TABLE OF CONTENTS

I. INTRODUCTION
II. BACKGROUND ON CYBERSECURITY
   A. The Broad Picture
   B. The Threat of Cyber Espionage
   C. U.S. Cyber Policy
   D. The Military
   E. The Legislature
III. CYBERATTACKS AND THE LAWS OF WAR
   A. Introduction
   B. Jus ad Bellum
   C. Attribution
      1. Extending State Sovereignty into Cyberspace
   D. Jus in Bello
IV. A LEGAL RATIONALE FOR USING ACTIVE DEFENSES IN RESPONSE TO CYBER ESPIONAGE
   A. Introduction
   B. A Duty to Prevent Cyber Espionage
   C. The Espionage Exception
   D. Cyber Espionage Under an Effects-Based Approach
   E. Customary International Law
   F. Cyber Espionage and Preventative War
V. CONCLUSION

I. INTRODUCTION

The rapid growth of the Internet over the last decade has forced the issue of cybersecurity to the forefront of national policy across the developed world. The United States, being “fully dependent upon information technology,”1 is particularly vulnerable to cyber threats. Michael Chertoff, the former Secretary of the Department of Homeland Security, believes that “[c]ybersecurity is among our first rank of security priorities in the twenty-first century.”2 The task at hand for every country is to secure its online networks from attack, espionage, and crime. For countries like the United States, which guarantee basic civil liberties, it is to do so while ensuring a free Internet and protecting personal privacy.

This Note focuses on defending against cyber espionage, also known as “cyberexploitation,” which can be understood as “the use of actions and operations—perhaps over an extended period of time—to obtain information that would otherwise be kept confidential and is resident on or transiting through an adversary’s computer systems or networks.”3 As discussed below, cyber espionage is conducted against both businesses and governments.4

Under the current legal framework, countries have few options to defend against both cyberattacks and cyber espionage because such threats are considered a criminal matter.5

538 CARDOZO J. OF INT’L & COMP. LAW [Vol. 20:537

* Associate Editor, CARDOZO JOURNAL OF INTERNATIONAL AND COMPARATIVE LAW. Candidate for Juris Doctor, Benjamin N. Cardozo School of Law, June 2012.

This Note challenges the argument that cyber espionage must always be treated as a crime, as opposed to a national security threat. It will argue that cyber espionage, if pervasive enough, poses both a direct and indirect threat to national security. In response to this threat, the United States should employ what are known as “active defenses.” An active defense is “effectively, a counter-cyberattack against the attacker’s system, shutting down the attack before it can do further harm and/or damaging the perpetrator’s system to stop it from launching future attacks.”6

1 U.S. DEP’T OF HOMELAND SEC., THE NATIONAL STRATEGY TO SECURE CYBERSPACE 6 (2003), http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf.

2 Michael Chertoff, Cybersecurity Symposium: National Leadership, Individual Responsibility—Foreword, 4 J. NAT’L SECURITY L. & POL’Y 1, 1 (2010).

3 Herbert S. Lin, Offensive Cyber Operations and the Use of Force, 4 J. NAT’L SECURITY L. & POL’Y 63, 63 (2010).

4 See infra Part II.B.

5 See JONATHAN CLOUGH, PRINCIPLES OF CYBERCRIME 27 (2010) (“We turn now to consider the first distinct category of cybercrimes: those offences where a computer is itself the target. Such offences are colloquially referred to as ‘hacking’, [sic] and cover a broad range of conduct . . . .” (footnote omitted)).

2012] CYBER ESPIONAGE & ACTIVE DEFENSES 539

It is important to state at the outset that this Note does not seek to justify use of traditional military force against cyber espionage. As explained below, the use of traditional military force against cyber espionage would most likely violate the principle of jus in bello.7 It is equally important to recognize at the outset that active defenses constitute use of force, and thus, “may only be used when force is authorized under the law of war.”8 The reason that active defenses constitute use of force is because they “send destructive viruses back to the perpetrator’s machine,”9 and, as will also be explained later, destructive viruses are potentially “armed” attacks under Article 2(4) of the U.N. Charter.10

While individual cyber thefts are surely criminal matters, Chinese cyber espionage against the United States has reached such a massive scale that it more closely resembles an act of looting, which before the Internet could have only occurred coupled with military occupation, rather than a series of criminal acts. Whether the United States considers military action necessary to combat cyber espionage will ultimately be a political decision that should take many factors into consideration. It may be that the risk of cyber conflict escalating into actual war is enough to deter the use of active defenses in protecting U.S. cyberspace. It may be that the economic benefits derived from maintaining harmonious relations with China are substantial enough to outweigh any benefits from aggressively defending against cyber espionage. This Note rejects these arguments, but recognizes that before using military force all factors must be weighed. At the very least, this Note seeks to establish the use of active defenses against cyber spies as a legal option.

Part II of this Note will provide background on the issue of cybersecurity and cyber espionage. It will not focus on technical issues in detail. Instead, its purpose is to familiarize the reader with basic knowledge related to cyber threats and how the United States has thus far attempted to address them. Part III addresses the application of the laws of war to cyberattacks. As the cyber capabilities of militaries around the world have advanced, the question of how to apply the laws of war to cyberspace has been of particular concern.11 An increasing body of scholarship argues that a cyberattack could constitute an “armed attack” under Article 51 of the U.N. Charter, thus justifying a nation’s right of self-defense.12 This same body of scholarship has examined the issue of “attribution,” meaning the requirement under the laws of war to positively identify the party responsible for an attack before responding in self-defense.13 Problematically, “[i]n cyberspace, attackers can hide their identity, cover their tracks. Worse, they may be able to mislead, placing blame on others by spoofing the source.”14 The inherent technical difficulties involved in positively attributing a cyberattack to a state, let alone an individual, have prompted “a growing effort to formulate acceptable alternatives to the notion of ‘conclusive attribution.’”15 This acceptable alternative emphasizes that states have a duty to prevent cyberattacks from being launched within their sovereign territory at the risk of being held responsible for them.16 This duty is based on the idea that national sovereignty extends to cyberspace.

6 Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification For the Use of Active Defenses Against States Who Neglect Their Duty to Prevent, 201 MIL. L. REV. 1, 25 (2009).

7 See infra Part IV.C.

8 Sklerov, supra note 6, at 22.

9 Sklerov, supra note 6, at 25.

10 See discussion infra Part IV.B.

Viewing particular cyberattacks—namely, attacks targeting “critical infrastructure[]”17—as an issue of national security is a significant improvement over the theory that views all cyberattacks as an issue of criminal law, but the current theory fails to adequately address the most important cyber threat facing the United States from foreign nations, particularly China: cyber espionage. Because cyber espionage does not satisfy the literal meaning of “armed attack,” it is generally assumed that nations are not justified in resorting to the use of force to prevent it.18

11 See, e.g., David E. Graham, Cyber Threats and the Law of War, 4 J. NAT’L SECURITY L. & POL’Y 87 (2010).

12 Lin, supra note 3, at 73 (“[I]f both the direct and indirect effects to be produced by a cyber attack would, if produced by other means, constitute an armed attack in the sense of Article 51 of the U.N. Charter, it is likely that the cyber attack would be treated as an armed attack.”).

13 See id. at 77-78; see also Untangling Attribution: Moving to Accountability in Cyberspace: Hearing on Planning for the Future of Cyber Attack Before the H. Subcomm. on Tech. and Innovation of the H. Comm. on Sci. and Tech., 111th Cong. 2 (2010) [hereinafter Untangling Attribution] (statement of Robert K. Knake, International Affairs Fellow in Residence, Council on Foreign Relations), available at http://www.cfr.org/content/publications/attachments/Knake%20-Testimony%20071510.pdf.

14 Richard Clarke, War From Cyberspace, NAT’L INT., Nov.–Dec. 2009, available at http://nationalinterest.org/article/war-from-cyberspace-3278.

15 Graham, supra note 11, at 93.

16 See Sklerov, supra note 6, at 72 (“Once a host-state demonstrates, by inaction, that it is a sanctuary state, other states can impute responsibility to it. At that point, the host-state becomes liable for the cyberattack . . . as well as for all future cyberattacks originating from it. This opens the door to a victim-state to use active defenses against the computer severs in that state during a cyberattack.”).

17 U.S. DEP’T OF HOMELAND SEC., supra note 1, at vii (“Our Nation’s critical infrastructures are composed of public and private institutions in the sectors of agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals and hazardous materials, and postal and shipping.”).

This Note rejects the legal consensus that cyber espionage is always a matter of criminal law. Part IV will extend the argument that nations may legally respond to cyberattacks with cyber countermeasures aimed at stopping current as well as future attacks to responses to cyber espionage. It will provide a legal justification for using active defenses to prevent the looting of America’s business and government secrets.

II. BACKGROUND ON CYBERSECURITY

A. The Broad Picture

The remarkable transformation of the Internet over the past half-century belies the fact that it is very much the “same Internet” that was “originally designed to share unclassified research among scientists who were assumed to be uninterested in abusing the network.”19 As explained by Richard A. Clarke, the Internet was “the product of now aging hippies on the campuses of MIT, Stanford, and Berkeley.”20

The characteristics of the Internet that pose such challenges to cybersecurity—“placelessness, anonymity, and ubiquity”21—are remnants of its original design. While the basic structure of the Internet has remained the same, computer viruses, worms, trojan horses, and other types of malicious software (known simply as “malware”) have become far more sophisticated.22

Coupled with the increase in malware capability has been the increase in the total amount of malware. According to a Threat Report released by McAfee, the company discovered ten million new pieces of malware in the first half of 2010, which “makes the first six months of 2010 the most active half-year ever for total malware production.”23 Faced with these facts, McAfee’s senior vice president confessed that “[e]very time we release a new statistic about the rise in malware it points to our failure as an industry.”24

18 See discussion infra Part IV.C.

19 U.S. DEP’T OF HOMELAND SEC., supra note 1, at viii.

20 RICHARD A. CLARKE & ROBERT K. KNAKE, CYBER WAR: THE NEXT THREAT TO NATIONAL SECURITY AND WHAT TO DO ABOUT IT 82 (2010).

21 GEOFFREY L. HERRERA, CYBERSPACE AND SOVEREIGNTY: THOUGHTS ON PHYSICAL SPACE AND DIGITAL SPACE 12 (2006), http://citation.allacademic.com//meta/p_mla_apa_research_citation/0/9/8/0/6/pages98069/p98069-1.php (prepared for the 47th Annual International Studies Association Convention, Mar. 22-25, 2006).

22 For an account of the year and a half battle between cybersecurity experts and the Conficker worm, see Mark Bowden, The Enemy Within, ATLANTIC, June 2010, http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098 (which concludes that “[t]he worm is winning”).

As of 2007, over 120 countries were developing cyber commands to complement traditional military force.25 The fact that modern militaries are “no more capable of operating without the Internet than Amazon.com would be,”26 makes cyber vulnerabilities in national defenses particularly valuable targets. The success of an air strike by the Israeli Air Force on a Syrian WMD construction site, for example, was due in large part to the fact that Syria’s air defense system had been hacked.27 Militaries have discovered that sophisticated cyberattacks on their own can be as debilitating as any conventional or “kinetic” attack. For example, instead of bombing Iran’s nuclear facilities, as Israel did with Iraq in 1981, Israel is believed to have developed “a destructive program [called Stuxnet] that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges . . . .”28

23 MCAFEE LABS, MCAFEE THREATS REPORT: SECOND QUARTER 2010, at 9 (2010), http://www.mcafee.com/us/local_content/reports/q22010_threats_report_en.pdf.

24 It’s Time to Be Proactive on Cybersecurity, MCAFEE (Aug. 8, 2010), http://newsroom.mcafee.com/article_display.cfm?article_id=3676.

25 See Major Arie J. Schaap, Cyber Warfare Operations: Development and Use Under International Law, 64 A.F. L. REV. 121, 123 (2009).

26 CLARKE & KNAKE, supra note 20, at 93.

27 CLARKE & KNAKE, supra note 20, at 5 (“What appeared on the radar screens was what the Israeli Air Force had put there, an image of nothing.”).

28 William J. Broad, John Markoff & David E. Sanger, Israel Tests on Worm Called Crucial in Iran Nuclear Delay, N.Y. TIMES, Jan. 15, 2011, http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&hp (“The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.”).

According to some commentators, the world has already witnessed its first cyber war.29 Cyberattacks originating from Russia, in response to the removal of a Soviet World War II Memorial, essentially shut down the internet in the small Baltic country of Estonia.30 Estonia’s Defense Minister, Jaak Aaviksoo, likened the attack to “when your ports are shut to the sea.”31 Russia’s invasion of Georgia in 2008 was also “accompanied by a wave of cyber attacks on Georgian government websites.”32 The issue of cybersecurity gained significant media attention in January of 2010 when the search engine Google announced that its servers had been hacked and that the company would stop cooperating with Chinese internet censorship.33 Less than a week after Google’s announcement, U.S. Secretary of State Hillary Clinton gave a powerful speech warning that “a new information curtain is descending across much of the world.”34 Considering these developments, it is not surprising “that the international community sees cyber conflict between sovereign nations as a growing concern worthy of increased legal attention.”35

B. The Threat of Cyber Espionage

According to the Cyberspace Policy Review, issued by the White House in May 2009, “industry estimates of losses from intellectual property [“IP”] to data theft in 2008 range as high as $1 trillion.”36 The reported hacking of Google in January 2010 targeted not only access to dozens of Gmail user accounts of Chinese human rights activists, but also Google’s IP.37 The hacking, moreover, was not limited to Google alone, but included “some 30 other California companies . . . .”38 According to an alarming report on cyber espionage by the University of Toronto’s Munk School of Global Affairs, these types of attacks “are becoming the norm rather than an exception.”39 While the potential of a cyber apocalypse has captured the fears of many people familiar with America’s vulnerability to a cyberattack,40 as of now, “the main losses have come through economic espionage.”41

29 See Bruce Nussbaum, The First Cyber War Battle—Estonia, BLOOMBERG BUSINESSWEEK (May 29, 2007), http://www.businessweek.com/innovate/NussbaumOnDesign/archives/2007/05/the_first_cyber_war_battle--estonia.html; Mark Landler & John Markoff, In Estonia, What May Be the First War in Cyberspace, N.Y. TIMES, May 28, 2007, http://www.nytimes.com/2007/05/28/business/worldbusiness/28iht-cyberwar.4.5901141.html.

30 See Landler & Markoff, supra note 29.

31 Id.

32 War, Redefined, L.A. TIMES, Aug. 17, 2008, http://articles.latimes.com/2008/aug/17/opinion/ed-cyberwar17.

33 See Miguel Helft & John Markoff, In Rebuke of China, Focus Falls on Cybersecurity, N.Y. TIMES, Jan. 13, 2010, http://www.nytimes.com/2010/01/14/technology/14google.html?ref=computer_security.

34 Hillary Rodham Clinton, U.S. Sec’y of State, Remarks on Internet Freedom (Jan. 21, 2010), available at http://www.state.gov/secretary/rm/2010/01/135519.htm.

35 Sean Kanuck, Sovereign Discourse on Cyber Conflict Under International Law, 88 TEX. L. REV. 1571, 1584 (2010).

36 WHITE HOUSE, CYBERSPACE POLICY REVIEW: ASSURING A TRUSTED AND RESILIENT INFORMATION AND COMMUNICATIONS INFRASTRUCTURE 2 (2009), available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf.

As for theft of government data, a cyber espionage ring code-named Titan Rain “stole massive amounts of information from military labs, NASA, the World Bank, and others.”42 In June 2008, “150 computers in the $1.75 billion computer network at the Department of Homeland Security (DHS)—guardian of the nation’s critical cyberinfrastructure—were quietly penetrated with programs that sent an unknown quantity of information to a Chinese-language Web site.”43 Chinese hackers have also targeted the U.S. State Department’s East Asia Bureau, the Naval War College, and even the McCain and Obama presidential campaigns.44 Outside of the United States, two substantial Chinese cyber espionage campaigns—named “Ghostnet” and the “Shadow Network” by the Information Warfare Monitor—were discovered targeting Tibetan institutions, including the private office of the Dalai Lama.45 According to U.S. Deputy Secretary of Defense William J. Lynn III:

In 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks. It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. . . . Th[e] code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control.46

37 See John Markoff & Asyhlee Vance, Fearing Hackers Who Leave No Trace, N.Y. TIMES, Jan. 20, 2010, http://www.nytimes.com/2010/01/20/technology/20code.html.

38 Id.

39 INFO. WARFARE MONITOR & SHADOWSERVER FOUND., SHADOWS IN THE CLOUD: INVESTIGATING CYBER ESPIONAGE 2.0, at 2 (2010), http://www.nartv.org/mirror/shadows-in-the-cloud.pdf.

40 See CLARKE & KNAKE, supra note 20, at 64-68. See also Bob Drogin, In a Doomsday Cyber Attack Scenario, Answers Are Unsettling, L.A. TIMES, Feb. 17, 2010, http://articles.latimes.com/2010/feb/17/nation/la-na-cyber-attack17-2010feb17.

41 James Fallows, Cyber Warriors, ATLANTIC, Mar. 2010, http://www.theatlantic.com/magazine/archive/2010/03/cyber-warriors/7917.

42 Josh Rogin, The Top 10 Chinese Cyber Attacks (That We Know of), FOREIGN POL’Y (Jan. 22, 2010, 8:57 PM), http://thecable.foreignpolicy.com/posts/2010/01/22/the_top_10_chinese_cyber_attacks_that_we_know_of.

43 JOHN J. TKACIK, JR., TROJAN DRAGON: CHINA’S CYBER THREAT 6, HERITAGE FOUND. (2008), http://s3.amazonaws.com/thf_media/2008/pdf/bg2106.pdf.

44 See id.

45 See INFO. WARFARE MONITOR, TRACKING GHOSTNET: INVESTIGATING A CYBER ESPIONAGE NETWORK (2009), http://www.nartv.org/mirror/ghostnet.pdf; INFO. WARFARE MONITOR & SHADOWSERVER FOUND., supra note 39, at 2.

In some instances, IP theft presents a direct threat to national security, such as when Chinese hackers stole terabytes worth of data on the F-35 fighter plane being developed by Lockheed Martin.47

As may be gleaned from the above examples, China is the culprit behind much of the world’s cyber theft.48 According to Richard Clarke, a leading expert on cyber war, “[t]he extent of Chinese government hacking against U.S., European, and Japanese industries and research facilities is without precedent in the history of espionage.”49 It is no secret that China is desperately trying to modernize its economy.50 Cyber espionage has proliferated because it is a cheap alternative to traditional research and development.51 China’s cyber activities are, moreover, not limited to espionage: “Since the late 1990s, China has systematically done all the things a nation would do if it contemplated having an offensive cyber war capability and also thought that it might itself be targeted by cyber war . . . .”52

46 William J. Lynn III, Defending a New Domain: The Pentagon’s Cyberstrategy, FOREIGN AFF., Sept.–Oct. 2010, at 97, 97, available at http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain.

47 See Siobhan Gorman, August Cole & Yochi Dreazen, Computer Spies Breach Fighter-Jet Project, WALL ST. J., Apr. 21, 2009, http://online.wsj.com/article/NA_WSJ_PUB:SB124027491029837401.html.

48 See Cyberwar—War in the Fifth Domain: Are the Mouse and Keyboard the New Weapons of Conflict?, ECONOMIST, July 1, 2010, http://www.economist.com/node/16478792 (“China, in particular, is accused of wholesale espionage . . . .”).

49 CLARKE & KNAKE, supra note 20, at 59.

50 See generally Michael Brooks, The Spark Rises in the East, NEW STATESMAN, Aug. 16, 2010, http://www.newstatesman.com/asia/2010/08/china-research-chinese-science (“China’s strategies for economic development . . . are centered on creating a world-beating science base . . . .”).

51 Fallows, supra note 41 (“‘You could think of it as taking a shortcut on the ‘D’ of R&D,’ research and development, one former government official said. ‘When you create a new product, a competitor can cherry-pick the good parts and introduce a competitive product much more rapidly than he could otherwise.’”).

C. U.S. Cyber Policy

U.S. cyber policy, if summarized in a single phrase, would undoubtedly be a ‘public-private partnership.’ Since 2000, when the Clinton Administration released its National Plan for Information Systems Protections (Plan),53 every subsequent President’s explanation of U.S. cyber policy has embraced this idea. The Plan declared that in order for it “to succeed, government and the private sector must work together in a partnership unlike any we have seen before . . . . We cannot mandate our goals through Government regulation.”54

Clinton’s Plan served as the basis for the National Strategy to Secure Cyberspace (National Strategy), signed by President Bush in 2003.55 Its stated purpose “is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact.”56 Clarke, who was then Special Advisor to the President for Cybersecurity, admits that “[s]ubstantively, there was little difference between the Clinton and Bush approaches, except that the Republican administration not only continued to eschew regulation, they downright hated the idea . . . .”57

When Barack Obama became President, he initiated a sixty-day assessment of American cyber policy, which resulted in the Cyberspace Policy Review (Review).58 One of its principal conclusions was that “[t]he Federal government should enhance its partnership with the private sector.”59 The similarity between Obama’s Review, Bush’s National Strategy, and Clinton’s Plan did not go unnoticed. Eric A. Greenwald, Chief Counsel for the House Permanent Select Committee on Intelligence, dedicated an entire article, titled History Repeats Itself, to pointing out their similarities.60 According to Greenwald, the Review’s basic assessment “was not fundamentally different from previous iterations of cybersecurity strategy that the U.S. government has issued over the past 12 years.”61

52 CLARKE & KNAKE, supra note 20, at 54.

53 WHITE HOUSE, NATIONAL PLAN FOR INFORMATION SYSTEMS PROTECTION VERSION 1.0: AN INVITATION TO A DIALOGUE (2000), available at http://www.fas.org/irp/offdocs/pdd/CIP-plan.pdf.

54 Id. at ii.

55 CLARKE & KNAKE, supra note 20, at 113.

56 U.S. DEP’T OF HOMELAND SEC., supra note 1, at vii.

57 CLARKE & KNAKE, supra note 20, at 113.

58 See WHITE HOUSE, supra note 36.

59 Id. at iv.

There is good reason—or at least a rational explanation—for why the public-private partnership has been at the center of American cyber policy. Unlike in authoritarian countries, such as China, in the United States “[i]nformation and communications networks are largely owned and operated by the private sector . . . .”

62 Many cybersecurity experts, however, have begun to question this voluntary partnership, arguing that it has failed to provide the security necessary to protect U.S. critical infrastructure from a cyberattack. Jim Lewis, who headed the Center for Strategic and International Studies’ (CSIS) Commission on Cybersecurity for the 44th Presidency, said it outright: “Voluntary action is not enough.”63

At the beginning of the age of cyber war, the U.S. government is telling the population and industry to defend themselves. As one friend of mine asked, “Can you imagine if in 1958 the Pentagon told U.S. Steel and General Motors to go buy their own Nike missiles to protect themselves?”

According to Clarke:

64

Despite these criticisms, U.S. cyber policy has undeniably made advancements. The Commission on Cybersecurity for the 44th Presidency acknowledged that “[t]he Bush administration took a major step toward improving federal cybersecurity with its Comprehensive National Cybersecurity Initiative.”

65 The Comprehensive National Cybersecurity Initiative (CNCI) is a classified document. In March 2010, the Obama Administration declassified an outline of its twelve initiatives.66

60 Eric A. Greenwald, History Repeats Itself: The 60-Day Cyberspace Policy Review in Context, 4 J. NAT’L SECURITY L. & POL’Y 41 (2010).

61 Id. at 41.

62 WHITE HOUSE, supra note 36, at i.

63 CSIS COMM’N ON CYBERSECURITY FOR THE 44TH PRESIDENCY, SECURING CYBERSPACE FOR THE 44TH PRESIDENCY 2 (2008), http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf.

64 CLARKE & KNAKE, supra note 20, at 144.

65 CSIS COMM’N ON CYBERSECURITY FOR THE 44TH PRESIDENCY, supra note 63, at 3.

66 See WHITE HOUSE, THE COMPREHENSIVE NATIONAL CYBERSECURITY INITIATIVE (2010), http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf.

The future of American cyber defense will ultimately depend on how successfully these initiatives are implemented. It is still too early to judge, but two other proposals recently released by the White House show that the United States is beginning to move in the right direction: the National Initiative for Cybersecurity Education (NICE)67 and the National Strategy for Trusted Identities in Cyberspace.68

NICE was released on April 19, 2010, and “represents the continual evolution of [the] Comprehensive National Cybersecurity Initiative (CNCI) . . . .”69 Its purpose is to “establish an operational, sustainable, and continually improving cybersecurity education program . . . .”70 The document establishes four “tracks” and the government agencies responsible for them.71 A draft version of the National Strategy for Trusted Identities in Cyberspace (NSTIC) was recently released by Howard A. Schmidt, the Obama Administration’s Cyber Czar.72 The strategy seeks to establish an “Identity Ecosystem.”73 The basic idea is to allow Americans to voluntarily “obtain[]identity credentials from either public or private sector identity providers . . . .”74 NSTIC envisions something similar to an ATM card—provided by private companies and accepted by different institutions. Key to the Identity Ecosystem is flexibility: an individual could choose how much information he or she wished to provide in accordance with their online needs.75

67 WHITE HOUSE, NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (2010), http://www.whitehouse.gov/sites/default/files/rss_viewer/cybersecurity_niceeducation.pdf [hereinafter NICE].

68 WHITE HOUSE, NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE: CREATING OPTIONS FOR ENHANCED ONLINE SECURITY AND PRIVACY (drft. 2010), http://www.dhs.gov/xlibrary/assets/ns_tic.pdf [hereinafter NSTIC].

69 NICE, supra note 67, at 1.

70 Id.

71 Track 1, led by the Department of Homeland Security, is “to promote cybersecurity” awareness in America. Id. Its goal is to make safe cyber practices “as common as wearing seat belts when driving or riding in a car.” Id. at 2. The Department of Education and the Office of Science and Technology are in charge of Track 2, which is to promote cybersecurity education programs as early as K-12 so as to “provide a pipeline of skilled workers for private sector and government” jobs. Id. at 1. Track 3 aims to create a better structured federal cybersecurity workforce. Id. It is led by the Office of Personnel Management. Id. Lastly, Track 4, led by the Department of Defense, the Office of the Director of National Intelligence, and the Department of Homeland Security, aims to improve cybersecurity professional development and training. Id.

72 See NSTIC, supra note 68.

73 Id. at 4.

74 Id. at 6.

75 See id. at 10 (“The Identity Ecosystem should encompass a range of transactions from anonymous to high assurance. Thus, the Identity Ecosystem should allow an individual to select the credential he or she deems most appropriate for the transaction, provided the credential meets the risk requirements of the relying party.”).

Thus, NSTIC appears to be one of the first real efforts by the United States to address one of the major underlying problems of the Internet’s structure: anonymity.

Despite these steps forward, the United States government has failed to adequately address the threat of cyber espionage. For Jim A. Lewis at the CSIS, “[a] key decision for the United States is how much longer to tolerate economic damage from cyber crime and cyber espionage . . . .”76 This Note takes the position that the United States must act now.

D. The Military

It is generally accepted that America’s offensive cyber warfare capabilities are the best in the world.77 In 2002, the Pentagon assigned responsibility for centralized control of American cyber war operations to Strategic Command (STRATCOM).78 Cyber war operations, however, were far from its top priority. STRATCOM is in charge of missile defense, space operations, global strike, and strategic deterrence, as well as intelligence and surveillance operations.79 It was the Air Force that took the initiative to become America’s leader in cyber war. By 2005, the Air Force had adopted the following motto in its mission statement: “to fly, fight, and win . . . in air, space and cyberspace.”80 A year later, the Air Force established Air Force Cyber Command, with the intention that in the event of a cyber war, it would be in charge of military operations.81

While the Air Force had initiative, the real cyber experts and talent belonged to the National Security Agency (NSA).82

76 James A. Lewis, Ctr. for Strategic & Int’l Studies (CSIS), Remarks at the China Institutes of Contemporary International Relations: Cyber War and Competition in the China-U.S. Relationship 2 (May 13, 2010), available at http://csis.org/files/publication/100510_CICIR%20Speech.pdf.

77 See CLARKE & KNAKE, supra note 20, at 145 (“In cyber offensive capability, the United States probably would rank first if you could develop an appropriate contest.”).

78 Id. at 35.

79 About, U.S. STRATEGIC COMMAND, http://www.stratcom.mil/about (last visited Mar. 21, 2012).

80 Our Mission, U.S. AIR FORCE, http://www.airforce.com/learn-about/our-mission (last visited Mar. 7, 2012).

81 CLARKE & KNAKE, supra note 20, at 34.

82 See id. at 37 (“Populated with Ph.D.s and electrical engineers, NSA quietly became the world’s leading center of cyberspace expertise.”).

Many in the NSA believed that if anyone was best suited to lead America in cyber war, it should be them.83 The NSA, however, does not fight wars; it is an intelligence agency.84 The NSA can engage in cyber espionage, but is restricted under Title 10 of the United States Code from engaging in combat.85

Along with resolving this turf war, the creation of Cyber Command resolved the tricky legal questions involved in using the assets of a civilian agency for conducting military operations. Cyber Command was established under STRATCOM, with General Keith Alexander, Director of the NSA, as the commander.86 General Alexander would remain head of the NSA, and thus have both a civilian and military position, which is known as being “dual hatted.”87 At Cyber Command’s disposal would be the intelligence capabilities of the NSA, but it would be units from the Air Force, Army, and Navy that actually engaged in any combat.88 Air Force Cyber Command became one of these units, reorganized as the 24th Air Force.89

For Josh Rogin at Foreign Policy magazine, the creation of Cyber Command was a sign that America was “finally getting its act together.”90 Other recent developments also suggest this. At the end of January 2010, the Navy officially established U.S. Fleet Cyber Command, and in doing so, the Chief Naval Officer recommissioned the 10th Fleet.91 The 10th Fleet is without ships; its purpose is to “partner with and support other fleet commanders to provide guidance and direction to ensure coordinated, synchronized and effective preventative and response capability in cyberspace.”92

83 Id. at 38.

84 Id.

85 Id. at 40.

86 Id. at 37.

87 Id. at 39.

88 Id.

89 24th Air Force Activated, 2 Units Realign in Joint Ceremony, U.S. AIR FORCE, http://www.af.mil/news/story.asp?id=123163831 (last updated Aug. 19, 2009).

90 Josh Rogin, Who Runs Cyber Policy?, FOREIGN POL’Y (Feb. 22, 2010, 12:36 PM), http://thecable.foreignpolicy.com/posts/2010/02/22/who_runs_cyber_policy.

91 Navy Stands Up Fleet Cyber Command, Reestablishes U.S. 10th Fleet, U.S. NAVY.MIL (Jan. 29, 2010, 6:48 PM), http://www.navy.mil/search/display.asp?story_id=50954.

92 Id.

On the same day that the creation of Cyber Command was announced, the Army announced that it planned on establishing a new Army Forces Cyber Command (ARFORCYBER) Headquarters in Washington, D.C.93 Meanwhile, the Air Force began construction on a new 38,000 square-foot cyber warfare command center.94 As impressive as the U.S. cyber warfare capabilities are though, it should also be noted that America, because of its unparalleled reliance on the Internet, is also the country most at risk of a crippling cyberattack.95

E. The Legislature

Congress had been slow to act regarding almost all aspects of cyber policy.96 The problem facing the passage of a comprehensive cybersecurity bill is that computers have become so omnipresent in our daily lives “that they cross every sector of the economy—and nearly every congressional committee’s turf.”97 In 2010, two proposals emerged from the Senate to secure cyberspace. From the Senate Committee on Commerce, Science and Technology came the Rockefeller-Snowe Cybersecurity Act,98 which was introduced in 2009 and reintroduced in 2010. In June, Senators Joseph Lieberman (I-CT), Susan Collins (R-ME), and Thomas Carper (D-DE)—all members of the Senate Committee on Homeland Security and Government Affairs—introduced the Protecting Cyberspace as a National Asset Act of 2010.99

93 Press Release, U.S. Dep’t of Def., Army Forces Cyber Command Headquarters Standup Plan Announced (May 21, 2010), available at http://www.defense.gov/releases/release.aspx?releaseid=13549.

94 Construction Begins on First Cyber Warfare Intelligence Center, U.S. AIR FORCE, http://www.af.mil/news/story.asp?id=123204543 (last updated May 17, 2010).

95 See CLARKE & KNAKE, supra note 20, at 145 (“While the United States very likely possesses the most sophisticated offensive cyber war capabilities, that offensive prowess cannot make up for the weaknesses in our defensive position.”).

96 See CSIS COMM’N ON CYBERSECURITY FOR THE 44TH PRESIDENCY, supra note 63, at 2 (“U.S. laws for cyberspace are decades old, written for the technologies of a less-connected era.”); see also PAUL ROSENZWEIG & JAMES JAY CARAFANO, CONGRESS STARTS THINKING SERIOUSLY ABOUT CYBERSECURITY—BUT MORE THINKING NEEDED 2, HERITAGE FOUND. (July 16, 2010), http://thf_media.s3.amazonaws.com/2010/pdf/wm2962.pdf (“America needs a broader cybersecurity legislative conversation. . . . Congress is only just beginning to take cybersecurity seriously.”).

97 T.S., Cyber-Security in Congress, ECONOMIST BLOG (Aug. 3, 2010, 2:15 PM), http://www.economist.com/blogs/democracyinamerica/2010/08/cyber-security.

98 Cybersecurity Act of 2009, S. 773, 111th Cong. (2009), available at http://www.gpo.gov/fdsys/pkg/BILLS-111s773is/pdf/BILLS-111s773is.pdf (introduced in Senate).

99 S. 3480, 111th Cong. (2010), available at http://www.gpo.gov/fdsys/pkg/BILLS-111s3480is/pdf/BILLS-111s3480is.pdf (introduced in Senate).

Although “the two cyber bills reflect the Senate committees from which they came,”100 they nevertheless represent a positive change in the Senate regarding the importance of cybersecurity. Neither bill attempts to strictly regulate the Internet. Their focus is instead on “trying to come up with incentives for businesses to act. Some options have momentum, like using the government’s purchasing power to push software companies to produce more secure products. Others don’t, like tax credits for companies that improve their defences.”101

The Protecting Cyberspace as a National Asset Act, in particular, is an important breakthrough, because of its security performance requirements. Section 250 mandates that:

Not later than 6 months after the date on which the Director promulgates regulations under section 248(b), and every year thereafter, each owner or operator of covered critical infrastructure shall certify in writing to the Director whether the owner or operator has developed and implemented, or is implementing, security measures approved by the Director under section 248 and any applicable emergency measures or actions required under section 249 for any cyber vulnerabilities and national cyber emergencies.102

Neither bill has become law, but at least some in Congress appear to recognize the problem.

III. CYBERATTACKS AND THE LAWS OF WAR

A. Introduction

In light of the developments described above, it is not surprising that application of the laws of war to cyberattacks has recently been a popular topic in legal scholarship. At the same time, scholars have been analyzing the use of force in response to a cyberattack for over a decade.103

100 ROSENZWEIG & CARAFANO, supra note 96, at 2. The Rockefeller-Snowe Act “leans heavily on the private sector, with a healthy leavening of authority relating to the Department of Commerce.” Id. The Protecting Cyberspace as a National Asset Act of 2010 “considers cyberspace through the prism of critical infrastructure protection, relying on existing capabilities within DHS.” Id.

101 Cyber-Security in Congress, supra note 97.

102 S. 3480 § 250(a)(1).

103 See, e.g., Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT’L L. 885 (1999).

Broadly speaking, the laws of war seek to answer two distinct questions: (1) when can a nation use force; and (2) once hostile action has begun, how may belligerents act?104 The body of law that applies to the first question is known as jus ad bellum.105 Inherent to the idea of jus ad bellum, and thus a precursor to any lawful act of self-defense, is the distinct concept of attribution, which as stated in the introduction, is the requirement to positively identify the party responsible for an attack before responding with force.106 The body of law that seeks to answer the second question is known as jus in bello.107

B. Jus ad Bellum

The U.N. Charter has essentially codified jus ad bellum.108 Article 2(4) of the U.N. Charter states: “All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”109 Article 51, however, preserves a nation’s “inherent right of individual or collective self-defence if an armed attack occurs . . . .”110 Thus, the question of whether a cyberattack, including cyber espionage, can constitute an armed attack determines whether a nation can legally respond to a cyberattack with force. For this reason, the question of whether a cyberattack can constitute an armed attack was of particular concern to early scholarship on the application of the laws of war to cyberspace.111

There are three basic analytical models to consider in answering this question: (1) an “instrument-based” approach; (2) an “effects-based” approach; and (3) strict liability.112 According to the instrument-based approach, a cyberattack would constitute an armed attack if the damage caused by the cyberattack “could only have been previously achieved with a kinetic attack.”113

104 See JAMES A. LEWIS, CSIS, A NOTE ON THE LAWS OF WAR IN CYBERSPACE (2010), http://csis.org/files/publication/100425_Laws%20of%20War%20Applicable%20to%20Cyber%20Conflict.pdf.

105 Id. at 1.

106 See discussion infra Part I.

107 LEWIS, supra note 104, at 1.

108 See Lin, supra note 3, at 71.

109 U.N. Charter art. 2, para. 4.

110 Id. art. 51.

111 See generally Schmitt, supra note 103.

112 Sklerov, supra note 6, at 54-55.

113 Id. at 54.

An effects-based approach examines whether the attack caused an effect traditionally possible only by a kinetic attack.114 Strict liability treats any cyberattack against critical national infrastructure as an armed attack.115 The effects-based approach appears to have received the most support,116 but the take-away point is that there is agreement “on the singularly important conclusion that cyber attacks can constitute armed attacks” under all three approaches.117 The question today is not whether a cyberattack can constitute an armed attack—it can—but “whether a cyber attack with a specified effect constitutes a use of force.”118 The “specified effect” addressed in this Note is the massive theft of government information and corporate IP.

C. Attribution

Use of force in self-defense is not legal “unless the provocation can be attributed to an agent of the nation concerned.”119 The somewhat obvious purpose of the attribution requirement is to prevent, or at least reduce the possibility of, attacking innocent nations. Attribution is relatively easy in conventional war. When an army invades, it is usually obvious from which country it entered. Attributing cyberattacks is not as simple. It involves an array of considerations:

The nature and timing of the attack, the exploit, the malware, and the command and control infrastructure, are just some of the components that go into determining attribution. Knowing the methods and behaviour of the attackers as well as the character of the tools the attackers use once inside the target’s network, the data that the attackers exfiltrate and where that data goes, are also crucial parts of the overall assessment.120

114 Id. at 54-55.

115 Id. at 55.

116 Id. at 56 (“[T]he effects-based approach is the best analytical model for dealing with cyberattacks.”). See also Lin, supra note 3, at 73 (“The assumption of this article is that the effects rather than the modality of an action are the appropriate starting point for understanding how jus ad bellum and the U.N. Charter apply to offensive cyber operations.”).

117 Graham, supra note 11, at 91-92.

118 Lin, supra note 3, at 73.

119 Matthew Hoisington, Comment, Cyberwarfare and the Use of Force Giving Rise to the Right of Self-Defense, 32 B.C. INT’L & COMP. L. REV. 439, 451 (2009). See also Dieter Fleck, Individual and State Responsibility for Intelligence Gathering, 28 MICH. J. INT’L L. 687, 695 (2007) (“To establish state responsibility for certain acts of intelligence gathering as internationally wrongful acts of a state, implicating the international responsibility of that state, it is not enough to qualify such actions as constituting a breach of an international legal obligation. The action must also be attributable to the state under international law.”).

Attributing cyberattacks is a particularly difficult, if not impossible, task because of the anonymous nature of the Internet. In a recent military exercise that simulated a sophisticated cyberattack, it soon became apparent that “[n]o one could pinpoint the country from which the attack came . . . .”121 The difficulty of positively attributing a cyberattack is exemplified by the 2007 and 2008 cyberattacks against Estonia and Georgia, which were both traced back to Russia.122 In each instance, however, the Kremlin was able to deny responsibility because there was no direct evidence linking the attacks to the Russian government.123

At the same time, some cybersecurity experts believe that “the problem of attribution has been over-stated . . . .”124 Robert K. Knake, co-author of Cyber War, testified before the U.S. House of Representatives that “[i]n the event of a catastrophic cyber attack, attribution to at least some level will almost always be possible.”125 In the same testimony, Knake suggested that the United States must “move beyond the search for perfect attribution and instead hold states that do not cooperate accountable.”126 Lieutenant Commander Matthew J. Sklerov made this argument earlier, in a Fall 2009 Military Law Review article, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent.127 In the recent cybersecurity edition of the Journal of National Security Law & Policy, David E. Graham repeats it.128

120 INFO. WARFARE MONITOR & SHADOWSERVER FOUND., supra note 39, at 6 (citations omitted).

121 John Markoff, David E. Sanger & Thom Shanker, In Digital Combat, U.S. Finds No Easy Deterrent, N.Y. TIMES, Jan. 26, 2010, http://www.nytimes.com/2010/01/26/world/26cyber.html.

122 See supra notes 29-32.

123 See CLARKE & KNAKE, supra note 20, at 20.

124 Untangling Attribution, supra note 13, at 2.

125 Id. at 5.

126 Id. at 8.

127 See generally Sklerov, supra note 6.

128 See Graham, supra note 11, at 93.

All three argue that “[s]tates have an affirmative duty to prevent cyberattacks from their territory against other states.”129 Included in this duty is a responsibility to enact and enforce “stringent criminal laws” against committing cyberattacks, as well as to “cooperat[e] with . . . victim-states” in their own investigations.130 Nations that fail to meet their international obligations to prevent cyberattacks would be deemed “sanctuary state[s]” and held liable for the attack.131

At the heart of this argument is the recognition that “[o]ver the last decade[,] the concept of state sovereignty has evolved so that sovereignty not only comes with rights in the international system but also responsibilities.”132 Prior to 1999, the standard for determining state responsibility for the actions of non-state actors was the “effective control test,” established in Nicaragua v. United States.133 In 1999, the International Criminal Tribunal for the former Yugoslavia established a less demanding standard: the “overall control” test.134 To hold a state liable for paramilitary activity occurring within its own territory, it was no longer necessary to prove that the state effectively controlled their operations—only that it “coordinated or assisted in the general planning of the group’s military activity.”135 It was America’s response to the 9/11 terrorist attacks that “marked the culmination of the shift of state responsibility from the paradigm of direct control to indirect responsibility.”136 The United States justified its invasion of Afghanistan to remove the Taliban government because they were continuing to harbor al Qaeda.

This recent development in the concept of state sovereignty would be irrelevant to the issue of cyberattacks unless state sovereignty extends into cyberspace. Knake simply says: “Applying this new concept of sovereignty to cyberspace has its merits.”137 While Knake is correct, the question of whether the Internet is subject to state sovereignty has been subject to intense legal debate.

129 Sklerov, supra note 6, at 62.

130 Id.

131 Id. at 72.

132 Untangling Attribution, supra note 13, at 8.

133 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14 (June 27); Graham, supra note 11, at 95.

134 Graham, supra note 11, at 95.

135 Id.

136 Sklerov, supra note 6, at 46.

137 Untangling Attribution, supra note 13, at 8.


1. Extending State Sovereignty into Cyberspace

On the one hand, cyberspace is a “global conduit” for information, “and like information itself, transcends physical space.”138 On the other hand, “[e]ach copper wire, fiber-optic cable, microwave relay tower, satellite transponder, or Internet router has been produced or installed by some entity whose legal successors not only maintain ownership of that physical asset but also expect protection of the same by sovereign authorities.”139 Thus, while cyberspace transcends physical space, it is also literally grounded in it. The result is a contentious debate on the issue of whether states may regulate the Internet.

The idea that cyberspace exists outside of territorial jurisdiction derives from the ‘placelessness’ of the Internet.140 Without attempting to explain how the Internet works, it should be taken for granted that in cyberspace “[d]istance and borders have no relevance.”141 In fact, it “is not even possible to identify a single stream of information as coming from a given source or being sent to another.”142 These facts led some legal scholars, such as David R. Johnson and David Post, to argue that cyberspace should be considered “a distinct ‘place’ for purposes of legal analysis by recognizing a legally significant border between Cyberspace and the ‘real world.’”143 Four arguments support their thesis. First, governments are not capable of asserting control over online activity.144 Second, the effects of cyberspace on the “real” world are not fixed to any particular place.145 Third, a sovereign’s attempt to regulate the Internet lacks legitimacy because that sovereign only represents a fraction of Internet users.146

138 HERRERA, supra note 21, at 4.

139 Kanuck, supra note 35, at 1573-74.

140 See Lewis, supra note 76, at 4 (“The pioneers of cyberspace believed it would be a self-organizing community, open, non-hierarchical, where national borders would not apply and where governments were not needed.”).

141 HERRERA, supra note 21, at 6.

142 Id.

143 David R. Johnson & David Post, Law and Borders—The Rise of Law in Cyberspace, 48 STAN. L. REV. 1367, 1378 (1996).

144 Id. at 1372 (“[E]fforts to control the flow of electronic information across physical borders—to map local regulation and physical boundaries onto Cyberspace—are likely to prove futile, at least in countries that hope to participate in global commerce.”).

145 Id. at 1375 (“Information available on the World Wide Web is available simultaneously to anyone with a connection to the global network.”).

146 Id. (“There is no geographically localized set of constituents with a stronger and more legitimate claim to regulate it than any other local group.”).

Lastly, there is no notice of what territory’s laws apply because “[i]ndividuals are unaware of the existence of . . . borders as they move through virtual space.”147

The solution to the problem of imposing state sovereignty on the Internet is to view cyberspace as independent from state control. This idea reached its height in the grandiose language of John Perry Barlow’s A Declaration of the Independence of Cyberspace, which begins:

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.148

A decade and a half later, Johnson and Post’s arguments still have not been accepted, either in theory or by governments. Moreover, A Declaration of the Independence of Cyberspace has been dismissed as mere rhetoric.149 The idea that cyberspace is beyond state control may have “made sense in the past, but it does not make sense now . . . .”150 Yet, even at the time of its original publication, Johnson and Post’s thesis was problematic. In the same 1996 issue of the Stanford Law Review that published Johnson’s and Post’s Law and Borders—The Rise of Law in Cyberspace, Lawrence Lessig challenged the basic ideas of their argument that cyberspace should be independent of state sovereignty.151 As to their first argument—that state sovereignty should not extend into cyberspace because states are unable to assert control over online activity—Lessig argued that it fails to recognize that “[a] regulation need not be absolutely effective to be sufficiently effective.”152 More fundamentally, the Johnson and Post thesis ignores the simple political reality that cyberspace “will be regulated by real space regulation to the extent that it affects real space life . . . .”153

147 Id.

148 John Perry Barlow, A Declaration of the Independence of Cyberspace, HACHE (Feb. 9, 1996), http://editions-hache.com/essais/pdf/barlow1.pdf.

149 See HERRERA, supra note 21, at 1 (describing A Declaration of the Independence of Cyberspace as “a Garbo-esque request to be left alone”).

150 Lewis, supra note 76, at 4.

151 See Lawrence Lessig, The Zones of Cyberspace, 48 STAN. L. REV. 1403 (1996).

152 Id. at 1405.

153 Id. at 1406.

The idea that cyberspace exists independent of state sovereignty seems to represent the wishes of a select group of politically motivated individuals, rather than an objective description of the Internet. As explained by Geoffrey L. Herrera, an expert on technology: “There is nothing natural or inherent about technologies. They are human creations, and as such subject to conscious and unconscious shaping by social actors and institutions. In other words, technology is political.”154 Cyberspace is no different. Remember, the Internet was designed by “now aging hippies on the campuses of MIT, Stanford, and Berkeley.”155 The problem is that “[t]he belief that cyberspace should be free from government interference, or sovereignty, led to the idea that cyberspace is, in fact, immune from state sovereignty.”156

Johnson and Post’s remaining arguments can easily be dismissed, particularly in the context of cyberattacks. Cyberattacks most often target a particular person, company, or country, and not the world at large. When the attack is on a nation’s infrastructure, that nation represents more than a fraction of the affected individuals. And while an individual may have no idea where the server of a particular website is located, a hacker targeting the U.S. government or a U.S. company, for example, can hardly feign ignorance on the issue of notice.

While legal commentators and intellectuals may argue over the merits of an independent Internet, the simple fact is that “nation-states do strive to exercise their sovereignty over cyberspace—albeit ineffectively at times.”157 Some countries, most notably China, have been quite effective in regulating the Internet. Through a government-run system, nicknamed the “Great Firewall of China,” China “screens traffic on ISPs [Internet Service Providers] for subversive material . . . sending you to a Chinese government clone of a real site. . . .”158 If China wished, it could “disconnect all Chinese networks from the rest of the global Internet . . . .”159

154 HERRERA, supra note 21, at 11.

155 CLARKE & KNAKE, supra note 20, at 82.

156 Lieutenant Colonel Patrick W. Franzese, Sovereignty in Cyberspace: Can it Exist?, 64 A.F. L. REV. 1, 11 (2009).

157 Kanuck, supra note 35, at 1573.

158 CLARKE & KNAKE, supra note 20, at 57.

159 Id.

The argument that states are unable to monitor the online activities of their citizens cannot withstand the fact that the online surveillance efforts of authoritarian regimes “seem to be working.”160 Moreover, the effective regulation of the Internet is not limited to authoritarian regimes. The National Strategy for Trusted Identities in Cyberspace, mentioned earlier, represents an American attempt to regulate the Internet; Russia is attempting to create a Cyrillic based web domain;161 Australia has recently considered its own “Great Firewall”;162 and “[f]oreign courts have ordered American Internet service providers to filter certain materials from their European Web sites.”163 This mere handful of examples shows that “[t]he topology of the Internet reflects its Westphalian underbelly.”164

Returning to the concept of attribution and state responsibility for the actions of non-state actors, it is clear that if sovereignty extends into cyberspace, along with “the right to control the bits of information that flows into a country,” states must also be responsible for “the bits that flow out.”165 As will be addressed in more detail below, this duty is essential to a legal framework for using active defenses to prevent cyber espionage.

D. Jus in Bello

Determining that a cyberattack may, in certain circumstances, constitute an armed attack (which in turn justifies a nation’s use of force in self-defense), does not answer the equally, if not more, important question of how a nation may exercise this right. There are four jus in bello principles that govern whether the use of force in self-defense is legal: (1) “military necessity”; (2) “distinction” or “discrimination”; (3) “proportionality”; and (4) “unnecessary suffering.”166 Military necessity permits only the “use of force required to accomplish the mission.”167 Distinction or discrimination “requires that combatants be distinguished from noncombatants and that military objectives be distinguished from protected property or protected places.”168 Proportionality “mandates that the anticipated loss of life and damage to property incidental to attacks must not be excessive in relation to the concrete and direct military advantage expected to be gained.”169 Lastly, to be legal, “military force must minimize unnecessary suffering.”170

160 HERRERA, supra note 21, at 25. 161 See Clifford J. Levy, Russians Wary of Cyrillic Web Domains, N.Y. TIMES, Dec. 22, 2009, http://www.nytimes.com/2009/12/22/world/europe/22cyrillic.html?ref=computer_security. 162 Marina Kamenev, First, China. Next: The Great Firewall of . . . Australia?, TIME, June 16, 2010, http://www.time.com/time/world/article/0,8599,1995615,000.html. 163 Kanuck, supra note 35, at 1574. 164 HERRERA, supra note 21, at 26. 165 Lewis, supra note 76, at 5. 166 Graham, supra note 11, at 98. 167 Id.

Consider, for example, if the United States could prove with absolute certainty that a Chinese computer virus infected a U.S. power plant. Dropping an atomic bomb on Beijing would surely deter a future Chinese cyberattack, but would flagrantly violate the principles of distinction, proportionality, and unnecessary suffering. If, however, the virus targeted a nuclear power plant, which in turn caused a nuclear explosion, the analysis would be quite different.

The appropriate response to cyber espionage is the use of active defense. Active defenses, as opposed to traditional kinetic weapons, will almost always adhere to the principles of jus in bello. Active defense satisfies the distinction requirement because it only targets the intruding computer or computers. The response is proportional because it responds to a cyberattack with cyber countermeasures. Most importantly, active defenses cause little, if any, unnecessary suffering.171 In the worst case scenario, where a virus spreads beyond the intended target, the harmful consequences would not be substantial loss of life, as would be the case with kinetic weapons, but loss of property, if even that. This is not to say that the potential for collateral damage should be ignored. A responsible nation must always consider the possibilities of collateral damage in deciding whether an act of self-defense is justified, be it cyber or kinetic. At the same time, “the law of war also puts an affirmative obligation on the defender with regard to civilians and civilian objects.”172 Nations must “take certain precautions to protect civilians and civilian objects from the potential dangers of anticipated attacks.”173

According to Eric Talbot Jensen, former Chief of the International Law Branch of the Office of the Judge Advocate General for the U.S. Army, the same principle of taking precautions against the effects of an attack is true in cyberspace.174 Considering that China has nearly absolute control of its Internet,175 it cannot deny its obligation under the laws of war to limit the potential collateral damage of any cyberattack against it. Even without a legal obligation, self-interest would motivate nations to take precautions to mitigate the potential damage flowing from a cyberattack. The idea that a virus could easily spread beyond its target and inflict substantial damage ignores the reality that developed nations are vigorously trying to prevent this exact scenario from occurring. In sum, the potential for loss of life or unnecessary suffering in using active defenses against cyber espionage is minute.

168 Id. 169 Id. 170 Id. 171 See Sklerov, supra note 6, at 79 (“[I]n terms of proportionality, active defenses are less likely to cause disproportionate collateral damage than kinetic weapons.”). 172 Eric Talbot Jensen, Cyber Warfare and Precautions Against the Effects of Attacks, 88 TEX. L. REV. 1533, 1546 (2010). 173 Id.

IV. A LEGAL RATIONALE FOR USING ACTIVE DEFENSES IN RESPONSE TO CYBER ESPIONAGE

A. Introduction

The preceding Part established three fundamental arguments at the foundation of a legal rationale for using active defenses in response to cyber espionage: (1) cyberattacks can constitute armed attacks, which in turn justify a nation to act in self-defense; (2) cyberspace is subject to national sovereignty, which imposes state responsibility for armed attacks by non-state actors; and (3) active defenses satisfy the requirements of jus in bello. Combining these ideas, commentators, most notably Lieutenant Commander Sklerov, have argued that victim-states may use active defenses against states that neglect their duty to prevent cyberattacks (not cyber espionage) from being launched within their jurisdiction.176 Included in this duty is “passing stringent criminal laws, conducting vigorous investigations, prosecuting attackers, and, during the investigation and prosecution, cooperating with the victim-states of cyberattacks that originated from within their borders.”177

Examples of states neglecting to prevent cyberattacks are not hard to come by. In the denial of service attack178 that essentially shut down the Internet in Estonia, “[n]o one doubted for a minute that the KGB’s successors had the ability to find the culprits and to block the traffic.”179 When cyberattacks hit Georgia during the 2008 Russian invasion, the Kremlin once again claimed that the attacks were conducted by Russian “hacktivists.”180 Even assuming this to be true, which is doubtful,181 “it is very clear that the government did nothing to stop it.”182 Under the theory advocated by Sklerov (and others), it would seem that both Estonia and Georgia could lawfully respond to these attacks (by non-state actors) against Russia itself.

174 See id. at 1551. 175 See Jonathan Ansfield, China Passes Tighter Information Law, N.Y. TIMES, Apr. 29, 2010, http://www.nytimes.com/2010/04/30/world/asia/30leaks.html?ref=computer_security. 176 See generally Sklerov, supra note 6. 177 Sklerov, supra note 6, at 62.

B. A Duty to Prevent Cyber Espionage

Expanding on the argument that states should be held accountable for cyberattacks emanating from their jurisdiction, states should also be held accountable for cyber espionage. States benefit immensely from turning a blind eye to cyber espionage. Among cybersecurity experts, there are “long-standing concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the PRC [People’s Republic of China] who stand to benefit from their exploits through the black and grey markets for information and data.”183 And benefit they have. According to Clarke, “[t]he secrets behind everything from pharmaceutical formulas to bioengineering designs, to nanotechnology, to weapons systems, to everyday industrial products have been taken by the People’s Liberation Army and by private hacking groups and given to China, Inc.”184

Yet, even assuming that a state could be held accountable for cyber espionage committed by independent non-state actors, the question remains whether cyber espionage can ever rise to the level of an armed attack.

178 See CLARKE & KNAKE, supra note 20, at 284 (defining “Distributed Denial of Service”) (“A basic cyber war technique often used by criminals and other nonstate actors in which an Internet site, a server, or a router is flooded with more requests for data than the site can respond to or process. The result of such a flood is that legitimate traffic cannot access the site and the site is in effect shut down.”). 179 Id. at 16. 180 Id. at 215. 181 See id. at 20 (“A group of Western computer scientists, however, concluded that the websites used to launch the attacks were linked to the Russian intelligence apparatus.”). 182 Id. 183 INFO. WARFARE MONITOR & SHADOWSERVER FOUND., supra note 39, at I. 184 CLARKE & KNAKE, supra note 20, at 59.

C. The Espionage Exception

Espionage violates domestic law; it is not illegal under international law.185 In fact, “[n]o serious proposal has ever been made within the international community to prohibit intelligence collection as a violation of international law because of the tacit acknowledgement by nations that it is important to all, and practiced by each.”186 Intelligence collection seems to be part of a nation’s inherent right to self-defense. As explained by Commander Roger D. Scott, “[a]ppropriate defensive preparations cannot be made without information about potential threats.”187 Under traditional international law then, surreptitious nondestructive intelligence collection certainly does not rise to the level of force necessary to invoke a nation’s right of self-defense. At the same time, nations may punish discovered spies under their domestic laws and culpable nations through diplomatic actions. Thus, the law of espionage “consists of a norm (territorial integrity), the violation of which may be punished by offended states, but states have persistently violated the norm, accepting the risk of sanctions if discovered.”188 Cyber espionage is no different. According to Herbert S. Lin, “[i]f the traditional international legal regime regarding espionage is accepted, espionage conducted by or through the use of a computer—that is, cyberexploitation—is permissible . . . .”189

The general acceptance that espionage fails to constitute an armed attack is the primary barrier to this Note’s thesis. At the same time, the understanding that espionage is a criminal matter has never been absolute: “Particular forms of espionage, for example by ships, submarines, or aircraft, may raise issues of national self-defense instead of issues of domestic criminal law.”190 So too can espionage by computer. Moreover, the severity and scope of cyber espionage call into question whether the traditional understanding and analysis of espionage still makes sense.

185 See Commander Roger D. Scott, Territorially Intrusive Intelligence Collection and International Law, 46 A.F. L. REV. 217, 217 (1999) (“[I]nternational law does not specifically prohibit espionage.”). See also Fleck, supra note 119, at 688 (“No general norm exists in international law expressly prohibiting or limiting acts of intelligence gathering.”). 186 W. Hays Parks, The International Law of Intelligence Collection, in NATIONAL SECURITY LAW 433, 433-34 (John Norton Moore et al. eds., 1990). 187 Scott, supra note 185, at 224; see also id. at 225 (“Accordingly, the surreptitious collection of intelligence in the territory of other nations that present clear, articulable threats based on their past behavior, capabilities, and expressions of intent, may be justified as a practice essential to the right of self-defense.”). 188 Id. at 218. 189 Lin, supra note 3, at 78.

D. Cyber Espionage Under an Effects-Based Approach

The effects-based approach, considered by many authorities as the best method for determining whether a cyberattack constitutes an armed attack, looks “to the overall effect that the cyberattack has on a victim-state.”191 The effects-based approach accounts for cyberattacks which could only have previously been accomplished through kinetic means, such as shutting down the U.S. power grid by causing the plants to destruct, “but it also provides an analytical framework for situations that do not neatly equate to kinetic attacks.”192

Cyber espionage presents an interesting dilemma under the effects-based approach because inherent in the idea of espionage is a lack of physical damage or destruction. Yet other types of espionage, which also lack the capability of causing physical destruction (e.g., spy planes), justify acts of national self-defense.193 According to Lin, such actions are justified because “the collection platform is or could be a military asset such as a plane, a ship, or a submarine that could conduct kinetic actions against the targeted nation.”194 Thus, it is the potential for an armed attack that appears to be determinative: i.e., a possible effects-based approach. Like a plane, ship, or submarine, a computer virus can be used both for spying and as a means of causing harm.195 Moreover, and crucial to this analysis, the capabilities of a program’s “payload . . . may be upgradeable in real time.”196 In other words, software that appears to only collect data may easily be changed into a weapon after it has infiltrated a network. Because it only takes a few key strokes to initiate this ‘transformation,’ cyber espionage should be treated as a potential armed attack from the outset.

190 Scott, supra note 185, at 223. 191 Sklerov, supra note 6, at 55. See also id. at 54-55. 192 Id. at 56. 193 See generally Scott, supra note 185. 194 Lin, supra note 3, at 78. 195 See id. (“[A] payload of a software agent may have capabilities for both exploitation and destruction action . . . .”). 196 Id.

Relying on the potential transformation of cyber espionage into a more lethal attack to justify the use of active defenses skirts the more difficult issue of whether cyber espionage, by itself, is ever enough to justify such defensive actions. Under the effects-based approach, cyber espionage alone can be sufficient to warrant military action. The severity of the problem of data theft is simply too great and its effects are too harmful. Today, “the speed, volume, and global reach of cyber activities make cyber espionage fundamentally and qualitatively different from”197 more traditional forms of spying. The scale of theft is unprecedented: “Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies.”198 So too, is the lack of risk.199 In the case of the theft of the F-35 data, “[i]f a Cold War spy wanted to move that much information out of a secret, classified facility, he would have needed a small moving van and a forklift. He also would have risked getting caught or killed.”200 As already mentioned, the U.S. government cites the loss in economic value of intellectual property to U.S. businesses in 2008 alone as upwards of $1 trillion.201

America is being robbed of its most valuable asset: its technological superiority. Prior to the Internet, looting on such a scale could only have been accomplished by a military occupation. The effects-based approach requirement that a cyberattack must cause damage only previously possible by traditional military force is therefore satisfied.

In Offensive Cyber Operations and the Use of Force, Lin provides a series of hypothetical cyberattacks and analyzes whether such attacks would constitute an armed attack.202 One hypothetical involves a cyberattack that disrupts the stock exchange of the fictitious country of Zendia.203 Lin provides the following analysis:

Bombs dropped on Zendia’s stock exchanges at night, so that casualties were minimized, would be regarded as a use of force or an armed attack by most observers, even if physical backup facilities were promptly available so that actual trading was disrupted only for a few hours. The posited cyber attack could have the same economic effects, except that the buildings themselves would not be destroyed. In this case, the cyber attack may be less likely to be regarded as a use of force than a kinetic attack with the same (temporary) economic effect, simply because the lack of physical destruction would reduce the scale of the damage caused. However, a cyber attack against the stock exchanges that occurs repeatedly and continually, so that trading is disrupted for an extended period of time, for days or weeks, would surely constitute a use of force or even an armed attack, even if no buildings were destroyed.204

197 CLARKE & KNAKE, supra note 20, at 232-33. 198 Lynn, supra note 46, at 100. 199 See Cyberwar—War in the Fifth Domain, supra note 48 (“Traditional human spies risk arrest or execution by trying to smuggle out copies of documents. But those in the cyberworld face no such risks.”). 200 CLARKE & KNAKE, supra note 20, at 234. 201 WHITE HOUSE, supra note 36, at 2. 202 See Lin, supra note 3.

At the heart of Lin’s analysis seems to be the idea that a cyberattack causing sustained and substantial economic damage, without any physical damage, can rise to the level of an armed attack. The argument this Note makes regarding cyber espionage is no different, except with cyber espionage, the assault has not lasted mere days or weeks, but years. The important point is that once it is accepted that an armed attack can occur without physical damage, to limit the use of active defenses to cyber “attacks”—the corruption of data—as opposed to cyber “espionage”—the theft of data—is an overly mechanical distinction, which ignores the basic idea of the effects-based approach. It is the effect that matters most.

E. Customary International Law

A strict textualist may not be persuaded by the above argument. Article 51 of the U.N. Charter specifically says “armed attack,”205 and cyber espionage, no matter how severe, is still espionage and not an armed attack. The text of the U.N. Charter, however, is not the determinative factor for what is legal in the international community. Nor should it be: “[T]he current international legal paradigm predates cyberspace and cannot adequately address the various issues raised by cyberspace.”206 State custom is a recognized source of authority. Both the Statute of the International Court of Justice (a treaty to which all U.N. members are party) and the Statute of the International Law Commission “clearly indicate state practice to be a legitimate—and guiding—source of customary international law, [and] they confirm that what sovereign governments do and say directly affects the law itself.”207 With regards to cyber conflicts specifically, the lack of any controlling legal authority facilitates “broad room for maneuver—both diplomatically and militarily.”208 An announcement by the United States that it henceforth interprets “armed attack” to include cyber espionage would not only notify the international community, but should also bind them. As explained by Sean Kanuck, co-author of the 2009 White House Cyberspace Policy Review, how countries like the United States and Russia—both of which are on the U.N. Security Council—“decide to ‘deter, prevent, detect, and defend against’ cyber attacks and ‘recover quickly from any disruptions or damage’ will set a precedent for the rest of the world.”209 President Obama has already declared that “our digital infrastructure—the networks and computers we depend on every day—will be treated as they should be: as a strategic national asset.”210 In the speech given by Secretary of State Clinton warning of an “information curtain,” she also stated “that the United States will protect our networks.”211 In line with this assertive rhetoric would be a policy that uses active defenses to prevent and deter cyber espionage.

203 See id. at 74-75. 204 Id. at 74 (emphasis added). 205 U.N. Charter art. 51.

F. Cyber Espionage and Preventative War

Even if this Note has failed to establish that cyber espionage can constitute an armed attack, which in turn justifies military action, there is an additional doctrine worth considering that supports using active defenses against this threat. The aggressive stance the United States has begun to take regarding cyber threats, as exhibited by the statements of both President Obama and Secretary of State Clinton, is in line with the concept of “preventative” war, which has been embraced by the United States in its fight against terrorism. As explained by Michael W. Doyle:

The traditional conception of self-defense allowing only for imminent preemptive anticipation of planned attacks is clearly rejected in current U.S. strategic doctrine. Despite attempts to adopt preemptive terminology, President Bush reiterated his and the U.S. government’s commitment to a much more preventive anticipation of threats posed by shows who share a ‘murderous ideology.’212

The threat that must be prevented in this case is war with China. This Note does not suggest that China is seeking to engage militarily with the United States, but that “[t]he Chinese military’s main and unconcealed ambition is to someday be strong enough to take Taiwan by force if it had to.”213 Cyber espionage both strengthens the People’s Liberation Army and weakens the United States military, and by doing so, increases the likelihood of actual conflict. Importantly, the main criticism of preventative war—loss of life in preventing only potential threats—is absent when the force being used is a computer virus.214

206 Franzese, supra note 156, at 6. 207 Kanuck, supra note 35, at 1585. 208 Id. at 1588. 209 Id. at 1586. 210 Barack Obama, U.S. President, Remarks on Securing Our Nation’s Cyber Infrastructure (May 29, 2009), available at http://www.whitehouse.gov/the_press_office/Remarks-by-the-President-on-Securing-Our-Nations-Cyber-Infrastructure. 211 Clinton, supra note 34.

V. CONCLUSION

Cyber espionage has proliferated rapidly because it “is the great equalizer.”215 At a fraction of the cost of traditional espionage, countries can fund substantial cyber intelligence gathering operations. This Note has shown that cyber espionage both directly and indirectly threatens America’s national security. Predictions of the decline of the U.S. military and economy, and the rise of China as the next superpower, are now commonplace.216 A sure way for these predictions to become reality is to continue ignoring the plundering of U.S. companies’ intellectual property and the U.S. military’s secrets.

As in the fight against terrorism, the United States must be vigilant and aggressive in the face of both cyberattacks and cyber espionage. In considering how to address these threats, it must always be remembered that “[i]n cyberspace, the offense has the upper hand.”217 While the United States must undoubtedly increase its cyber defense capabilities, the nation “cannot retreat behind a Maginot Line of firewalls or it will risk being overrun.”218

This Note has examined the scholarship concluding that cyberattacks can constitute armed attacks. It has examined the scholarship showing that a state’s failure to prevent cyberattacks from emanating from within its jurisdiction satisfies the attribution requirement under modern conceptions of national sovereignty. These conceptions include both holding states accountable for non-state actors and extending national sovereignty into cyberspace. This Note has also examined the scholarship showing that active defenses satisfy the requirements of jus in bello. The addition this Note makes to the discussion surrounding American cybersecurity policy is that the justification for the use of active defenses against cyberattacks is equally applicable to the case of cyber espionage.

212 MICHAEL W. DOYLE, STRIKING FIRST: PREEMPTION AND PREVENTION IN INTERNATIONAL CONFLICT 3-4 (Stephen Macedo ed., 2010). 213 Fallows, supra note 41. 214 See supra Part III.D. 215 INFO. WARFARE MONITOR & SHADOWSERVER FOUND., supra note 39, at I (“Countries no longer have to spend billions of dollars to build globe-spanning satellites to pursue high-level intelligence gathering, when they can do so via the web.”). 216 See, e.g., G. John Ikenberry, The Rise of China and the Future of the West, FOREIGN AFF., Jan.–Feb. 2008, available at http://www.foreignaffairs.com/articles/63042/g-john-ikenberry/the-rise-of-china-and-the-future-of-the-west. 217 Lynn, supra note 46, at 99. 218 Id.


Copyright of Cardozo Journal of International & Comparative Law is the property of Benjamin N. Cardozo School of Law of Yeshiva University and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.