28 June 2012
Cyber warfare: some questions of shared responsibility
During the past weeks several reports have emerged revealing details on one of the gravest cyber-attacks that have taken place, the Flame malware. It has been suggested that Flame has been co-sponsored by the same State or States that had launched Stuxnet, even though the head of the International Telecommunications Union (ITU) of the UN has stated that this is mere speculation, Stuxnet being the virus that had targeted the Iranian nuclear programme. Flame has been used to attack computers and network systems across the Middle East. The malware exploited a flaw in the Windows operating system in order to map and monitor the targeted computers. The situation provoked a reaction by the ITU, which stressed the need for co-operation among states in addressing the problems arising out of the growing use of networks to infiltrate and cause damage to systems across the world.
The suggestion that Flame was launched by more than one State raises a number of questions concerning the apportionment of responsibility among the actors that have participated in the cyber-attack. Matters become even more complicated if one takes into account that in some instances non-state actors are also involved in the cyber-attacks.
First of all, it must be noted that identifying the source of a cyber-attack is notoriously problematic. The structure of the Internet poses hurdles both as to the accuracy and as to the immediacy of the identification of the source. It is only evident that it would be even more difficult to point to the source in the case of multiple responsible actors.
A second problem is that the conceptualization, in terms of international law, of the nature of cyber warfare is also fraught with difficulties. The analogies employed usually, and naturally, point to the direction of the law of armed conflict. This approach is, for the time being, problematic. A direct analogy does not sit comfortably with the way the traditional means of using force or conducting an armed attack are conceived predominantly because they are of a remarkably different nature.
Nevertheless, for the purposes of this post we can assume that the analogy is accurate. The literature, by and large, accepts a model according to which cyber-attacks may be seen in the same way as classic cases of use of force or armed attack. The cyber-attack will therefore fall into one of the categories already developed under the international law of armed conflict such as use of force or armed attack, using as a criterion its consequences. The categorization is extremely important because it will carry with it consequences for both the wrongdoing State and the victim State. For example, if a cyber-attack is categorized as use of force then the victim State may take countermeasures. On the other hand if a cyber-attack falls indeed under the category of armed attack, the victim state will be in a position where it can respond invoking self-defence.
The question that has not received enough attention is what happens in the case where the consequences of an attack do not fall neatly within any of the pre-existing categories envisaged in the law of armed conflict. In other words, what happens when the consequences of the cyber-attack are not grave enough so as to warrant a categorization as use of force, armed attack or aggression?
A possible ground for establishing wrongfulness in this scenario is that in this case the State from whose territory the attack is launched is under an obligation not to allow its territory knowingly to be used in such a way so as to cause harm to another state. The application of this standard, established by the International Court of Justice in Corfu Channel, is not without problems. First, it is not clear which is the primary rule breached in this case. An extension of the ‘no harm’ rule established in international environmental law could be a solution, yet the main difference is that in international environmental law there are specific obligations that bind states (notification, exchange of information, procedures of licensing potentially harmful activities) and cumulate to the ‘no harm’ rule. Unless something similar can be established in the sphere of controlling the cyberspace there is little use even for this analogy. Another possible ground would be the principle of non-intervention. Second, there is no presumption of knowledge. When non-state actors are involved in launching the attack, establishing knowledge on the part of the source State might be equally hard, given the difficulty in obtaining accurate evidence, as it is to establish that a State exercised effective or overall control over the cyber-attack. In other words, the theoretical advantage of having to establish ‘knowledge’ instead of ‘control’ (variations of which may be employed if the cyber attack is classified as armed attack etc.) might not translate into a practical advantage.
If multiple actors are involved in launching the attack a number of further problems arise. The most important is that the victim State will not be able to direct its response — be it countermeasures or self defence — accurately: it has already been made clear that the identification of the source of the attack is a difficult endeavour. Also, when the multiplicity of actors is understood as including both state and non-state actors, the tests of attributing the conduct of the latter to the former (effective, overall control etc.) will be even more difficult to apply in the cyber warfare context.
In any case, it is true that the fact that a number of States (such as the Flame case seems to be) or States and non-state actors are involved in launching cyber-attacks does complicate the issues that have to be dealt with in the law of responsibility as well.
First, the victim State(s) will not be in a position to accurately point to the role of each responsible party. As it has already been stated above, this will be problematic since the victim State will have to be in a position to show – at least – knowledge of the operation and to be able to distinguish between the components of the operation that were stemming from each State. More difficult issues of attributing responsibility among multiple states might arise if the consequences are so grave that it will have to establish which source State had control over which entities that launched the attack. The connection between the entities actually designing and launching the cyber-attack with the State from which they operate will not be easy to establish because of the difficulties in presenting tangible evidence.
Second, according to the Article 47 of the ILC Articles on State Responsibility the criterion for attributing responsibility to multiple actors is that they breach the same obligation. In the case of cyber-attacks it may well be that each state has contributed through different means towards the realization of the attack and might easily have breached a different obligation. Therefore a more appropriate criterion could be to establish the responsibility of multiple actors on the occurrence of a single harmful outcome.
Third, the causal link connecting the same harmful outcome or damage caused with each actor will be difficult to establish. This is a problem that will be faced even in a single wrongdoing actor situation but the existence of multiple actors will effectively exacerbate the difficulties. A way out of this situation would be to apply a principle of joint and several liability, allowing thus the victim State the option against whom it might bring a claim. Accordingly, the victim State could bring a claim against the actor that is easier to tie to the specific attack, both in terms of attribution and in terms of causation and then claim full reparation. It would be then up to the respondent State to turn against other responsible States in order to recover. Nevertheless it is not clear whether the principle of joint and several liability, despite its obvious appeal in this type of situations, is part of general international law and the criteria under which it would be applied are not established (See: C. Ahlborn, ‘A Comment on Bruno Simma’s SHARES Lecture’, SHARES blog, 13 June 2012).
In conclusion it must be noted that the state of international law in relation to cyber-attacks has not reached a point where it can address all the issues that arise adequately. Especially when there are multiple actors involved, the problems do become more complex and difficult to address. Therefore it is clear that in order to have a more comprehensive picture of the legal aspects of cyber-attacks two things must happen: first, the practical difficulties that arise in relation to issues like the production of concrete evidence and the accurate determination of the facts must be overcome and second, the legal conceptualization of the issues must become more rigorous.