Navigating Conflicts in Cyberspace: Legal Lessons from the History of War at Sea

Article excerpt

Abstract

Despite mounting concern about cyber attacks, the United States has been hesitant to embrace retaliatory cyber strikes in its overall defense strategy. Part of the hesitation seems to reflect concerns about limits imposed by the law of armed conflict. But analysts who invoke today's law of armed conflict forget that war on the seas has always followed different rules. The historic practice of naval war is a much better guide to reasonable tactics and necessary limits for conflirt in cyberspace. Cyber conflict should be open-as naval war has been-to hostile measures short of war, to attacks on enemy commerce, to contributions from private auxiliaries. To keep such measures within safe bounds, we should consider special legal constraints, analogous to those traditionally enforced by prize courts.

Table of Contents

I. Introduction......................198

Π. Offensive Operations At Sea: An Overview................202

III. Arming Merchant Ships and Other Instructive Analogies...........................212

IV. Jus Ad Bellum. When Cyber Retaliation is Justified..............................220

V. Permissible Targets and the Problem of Attribution.....................................231

VI. Who Are Lawful Combatants in Cyberspace?.................................................239

f Post-Doctoral Researcher, Department of Computer Science, Princeton University; PhD, Computer Science, University of California, Berkeley. The authors thank Ken Anderson, Stewart Baker, Gabriella Blum, Philip Bobbitt, Jack Goldsmith, Abram Shulsky, Matthew Waxman and John Yoo for comments on an earlier version of this article and also thank Chris Grier and Vern Paxson for their advice on legal issues facing researchers in the field of computer security. The authors also thank Rachel Parker of the George Mason University School of Law for energetic and astute research assistance.

VU Legal Liability, Political Responsibility...............................247

ΥΠ!. Conclusion: Cyber Norms Won't Come from Τreaties.............................252

'"Chinese metaphysics.... An abstruse subject I should conceive, ' said Mr. Pickwick. 'Very, Sir, ' responded Pott. . . '[the writer] read up for the subject at my desire in the Encyclopedia Britannica. '

'Indeed!'said Mr. Pickwick; ? was not aware that that valuable work contained any information respecting Chinese metaphysics. '

'He read, Sir, ' rejoined Pott. . . with a smile of intellectual superiority, 'he read for metaphysics under the letter M and for China under the letter C; and combined his information, Sir. 1

"There are no new problems in the law, only forgotten solutions and the issues which arose yesterday will always arise again tomorrow. "2

I. Introduction

In the summer of 2011, General James E. Cartwright, the vice chairman of the Joint Chiefs of Staff, expressed frustration with the government's current approach to cyber attacks: "If it's OK to attack me, and I'm not going to do anything other than improve my defenses every time you attack me, it's very difficult to come up with a deterrent strategy."3 At the time, there was much dispute about whether the United States could use cyber technology as an offensive weapon and, if so, in what circumstances.

A few weeks later, the House of Representatives sought to clarify the issue with a provision in the 2012 Defense Authorization Act: "Congress affirms that the Department of Defense has the capability, and, upon direction by the President, may conduct offensive operations in cyberspace to defend our Nation, Allies and interests." The Senate insisted on a qualification, however, which was duly inserted in the final text of the legislation: "subject to-(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution."4

In June of 2012, The New York Times published a detailed account of an elaborate, long-term American effort to disrupt Iran's nuclear weapons program:5 A customized computer virus, Stuxnet, devised by American programmers, had been introduced into the equipment regulating Iranian centrifuges, causing the centrifuges to malfunction, thereby setting back Iranian efforts to purify uranium to the level required for nuclear weapons. …