The central concepts that make up the law of armed conflict (LOAC) have not been easy to adapt to cyber operations.2 In addition to their kinetic history and orientation, the core LOAC principles do not in most instances anticipate the kind of cyber-specific analysis that should accompany the use of increasingly advanced cyber systems and tools in conflict. Cyber operations rarely cause physical damage, much less injury or death.3 More often they cause cyber harm—by corrupting, manipulating, or stealing data; denying access to a website; or interfering temporarily with the functionality of information systems. Or they indirectly disrupt or damage objects that are not part of the cyber domain. Measuring the harm from a cyber incident and calculating that harm in ways that the LOAC credits remains challenging, as does defining and distinguishing civilian and military objects, and accounting for the indirect effects of cyber operations.4 Nor has the LOAC settled on a legal status for critical national-security-related components of the cyber domain, including data and dual-use infrastructure.
Intuitively, we do not think of cyber weapons in the same way we do kinetic arms. Cyber seldom involves the use of force, is not thought of as constituting an armed attack, and is not by itself likely to trigger or become an armed conflict. Yet the LOAC commentary has gone to great lengths in recent years to show how these terms and principles derived from kinetic warfare can be applied to the cyber domain.5
Meanwhile, little attention has been paid to what might be thought of as a threshold question that could be usefully posed in applying traditional LOAC principles to cyber incidents in armed conflict: Who is responsible for the cyber operations absorbed by the States in an armed conflict? Is the enemy in the kinetic conflict responsible for the incoming cyber intrusions? Tracing the source and responsibility for a cyber operation can be challenging, and the possibilities for proxies, anonymity, and spoofing add uncertainties and complexity to an already daunting task.6
Why bother? There are at least two good reasons to determine responsibility for cyber operations during armed conflict. First, in today’s climate of increasing cyber conflicts between states and between states and nonstate criminals, hackers, and terrorists, adversaries expect that they may use cyber operations to attack anonymously with impunity. In short, attribution may easily be assumed but mistaken. Sometimes mistaken attribution does not make a cyber operation unlawful, but at other times it does. Second, international law, including the LOAC, applies to cyber activity in armed conflict only when there is “a nexus between the cyber activity in question and the conflict.”7 In other words, the cyber operations have to be connected in some way to the armed conflict for the LOAC to apply. That determination cannot be made confidently in the cyber domain without an attribution process that looks beyond the machines involved to the persons or entities responsible for what those computers or systems do. Although LOAC targeting and precautions analysis takes into account some of the same intelligence that would be part of an attribution process, establishing state responsibility and attribution before responsive targeting could strengthen the lawful application of the LOAC in armed conflict.
This chapter concludes that even a rudimentary process designed to attribute cyber intrusions may accomplish important objectives in armed conflict. First, States responsible for harmful cyber operations would be on notice that they may be held accountable for their cyber activity, including unlawful acts. Second, military commanders would have more reliable guidance in response targeting during the armed conflict, whether through cyber or non-cyber means. Better targeting guidance could, in turn, enhance compliance with LOAC. Relatedly and third, States may avoid making unlawful mistakes in the armed conflict—targeting civilian but arguably dual-use cyber infrastructure, or failing to take precautions that would have been available had more been known about potential targets—mistakes that follow from weak or nonexistent efforts to attribute incoming attacks. In the aggregate, attribution of cyber attacks in an armed conflict may act as a deterrent to unlawful uses of cyber tools and serve to better protect civilians, particularly if the attributed attacks expose an enemy State’s cyber attacks against civilians or civilian cyber infrastructure.8
International law has relatively little to say about the obligations of States to identify the perpetrator of cyber intrusions,9 and such law as exists resides in the jus ad bellum. There the law of attribution aims to identify and place responsibility for internationally wrongful acts.10 The analysis is conducted after the fact regarding incidents below the armed conflict or attack threshold. The essence of the legal rule is simple: there can be no State responsibility for internationally wrongful acts until those acts have been attributed to a State.11
The jus ad bellum law of attribution has no bearing on legal obligations during an armed conflict. Yet the modest ad bellum attribution requirements, further addressed in Section I of this chapter, may provide guidance in evaluating whether and to what extent some legal principles for attribution of cyber intrusions could be usefully extended to the jus in bello. The LOAC does not address cyber attribution, apparently presuming that cyber intrusions that occur during an armed conflict are simply a part of the conflict, subject to LOAC principles. However, it is not necessarily the case that cyber intrusions suffered by a State are attributable to the other State engaged in the armed conflict. Nor is all cyber activity during an armed conflict necessarily connected to the hostilities between the States in conflict.12 For the same reason, nor is all cyber activity during an armed conflict necessarily subject to the LOAC. Assuming a sort of corporate enemy posture for hostile acts during an armed conflict may facilitate operational decision-making. Yet errors in cyber attribution could lead to unlawful responses directed at the enemy State and failures to identify and respond in lawful ways to other cyber intruders.
This chapter explores in a preliminary way the potential benefits of adding an attribution component to the LOAC. The chapter asks whether the principles of the LOAC are well served by treating the enemy State as the functional equivalent of a corporate enemy in an armed conflict, including a presumption that any cyber attacks suffered are its responsibility. The difficulty of accommodating dual-use cyber infrastructure and the data resident on many cyber systems within traditional LOAC doctrine underscores the shortcomings in protecting civilians and civilian objects during armed conflict. The chapter also preliminarily considers elements of an attribution process that could be grafted onto the LOAC for the cyber components of armed conflict.
It is important to clarify that the category of cyber operations considered in this chapter includes those that do not rise to the level of attack under relevant law, defined in Additional Protocol I (AP I) as “acts of violence against the adversary, whether in offence or defence.”13 This chapter assesses cyber operations that produce a cyber effect during an armed conflict. A cyber effect may consist of adverse effects on an information system or on access to a public-facing website, and corruption, manipulation, or loss of data even where there is no corresponding impact on the functionality of a cyber system.14 The malicious cyber activities that are colloquially labeled “attacks” or “cyber attacks” are not necessarily “attacks” under the LOAC.15 The 2015 Department of Defense (DOD) Law of War Manual lists characteristics that render a cyber operation not an “attack” under the LOAC, including defacing a government web page; a minor, brief disruption of internet services; briefly disrupting, disabling, or interfering with communications; and disseminating propaganda.16 Although the DOD Law of War Manual concludes that cyber operations that are not attacks are not restricted by the rules that apply to attacks, including targeting restrictions,17 the law remains unsettled.18 Thus, it remains unclear whether all cyber activity that occurs during armed conflict is subject to the LOAC, or whether instead the cyber operations must be connected in some way to the conflict or cross some threshold of harm to civilians before the LOAC applies.19 In any event, some cyber operations that are not “attacks” according to the LOAC nonetheless produce a cyber effect and will be considered here on the assumption that they take place in connection with an armed conflict and that their attribution may serve the humanitarian objectives of the LOAC.
Arguably the corporate enemy presumption should not extend to cyber operations conducted during armed conflict. A growing array of cyber operations may occur during armed conflict. Some are reasonably presumed to be a means for conducting a military campaign, but others are less clearly connected to the conflict or are not related to the conflict at all. These cyber operations may originate from a third State or multiple States and could be the responsibility of these other States or a nonstate actor.
Consider three examples:
In light of the distinctive challenges presented by cyber operations in the battlespace—their non-kinetic but potentially serious harms to civilians, along with the potential anonymity of attackers and their use of deception techniques—it may be prudent and perhaps legally advisable for States to develop and agree upon principles for attribution of cyber operations during an armed conflict. It is prudent because misdirected cyber or kinetic responses can cause harmful effects on innocent parties or States and because errors could unnecessarily escalate existing conflicts. It is legally important if mistaken assumptions of State responsibility lead to LOAC violations.
In Section II, this chapter will summarize why attribution of cyber intrusions remains challenging. Section III will review briefly a few aspects of the LOAC that are hardest to apply to cyber operations. I will argue that paying attention to attribution of cyber incidents in armed conflict could lessen some of these doctrinal challenges in applying the LOAC to cyber. In Section IV I will suggest modest enhancements to the LOAC analysis that would incorporate attribution of cyber intrusions for at least some categories of cyber operations in an armed conflict.
II. Attribution and International Law
Because the internet facilitates anonymous communications and “was not designed with the goal of deterrence in mind,”31 attribution of cyber intrusions can be challenging, all the more so when the intruders purposefully hide their tracks. The practice of attributing cyber attacks is a relatively recent phenomenon. As cyber intrusions have proliferated in recent years, States have invested in doing attribution well and, as a result, deterring and coercing States and other cyber intruders into complying with societal norms.32 When attribution is done badly or not at all, States lose credibility and likely effectiveness in dealing with those who would harm the State and its citizens.33 These risks hold for state-on-state interactions across the spectrum of cyber operations—from espionage to destructive attacks on infrastructure.
The United States takes seriously meeting the challenges of cyber attribution. Former Director of National Intelligence (DNI) James Clapper opined a few years ago that “definitive, real-time attribution of cyber attacks—that is, knowing who carried out such attacks and where these perpetrators are located” is the most important challenge faced by the United States.34 In its 2015 Cyber Strategy, the U.S. Department of Defense emphasized the importance of attribution:
Attribution is a fundamental part of an effective cyber deterrence strategy as anonymity enables malicious cyber activity by state and non-state groups. On matters of intelligence, attribution, and warning, DoD and the intelligence community have invested significantly in all source collection, analysis, and dissemination capabilities, all of which reduce the anonymity of state and non-state actor activity in cyberspace. Intelligence and attribution capabilities help to unmask an actor’s cyber persona, identify the attack’s point of origin, and determine tactics, techniques, and procedures. Attribution enables the Defense Department or other agencies to conduct response and denial operations against an incoming cyberattack.35
Despite the U.S. rhetoric, there is little law to guide attribution. Attribution is hard because States do not usually carry out cyber attacks transparently.36 Instead, they use technical tools to hide their responsibility and rely on nonstate proxies to carry out cyber activities for them.37 Indeed, the United States has only rarely officially attributed a malicious cyber operation to another State—China following widespread corporate espionage in 2014,38 North Korea following the Sony hack in 2014,39 and Russia following the DNC hack in 2016.40 Notably, none of these incidents and attributions occurred during armed conflict.
When cyber operations are launched alongside or to facilitate kinetic strikes in an armed conflict, attribution will in all likelihood be assumed. Indeed, Jody Prescott, a senior fellow at the United States Military Academy (USMA) noted that “[w]ith cyber operations conceivably moving at near light speed, commanders in cyber warfare will likely need to rely extensively upon autonomous decision-making processes (ADPs) to be effective.”41 For example, during a hypothetical armed conflict between States A and B, it may be reasonable to assume that attacks on the command and control systems, classified communications networks, or weapons guidance systems are the result of actions taken by the enemy State.42 However, even during a conventional state-on-state armed conflict it is not necessarily the case that all cyber intrusions suffered by State A were caused by State B, even those apparently originating in State B. Nor will the origins of all cyber activity be known, certainly not in the real time dynamics of an armed conflict. Private actors could be responsible for any of the cyber operations, as could another State or proxies of another State or a terrorist organization. Machine attribution could trace malware to computers or systems in State C, which may or may not be controlled by neutral State C. Or malware could be coming from sources in several States, and State responsibility is not immediately clear.
Attribution has been characterized as more art than science.43 In fact, significant strides have been made in attribution of cyber events in the last decade, making the task “more nuanced, more common, and more political” than has typically been acknowledged.44 Attribution is measured in degrees of certainty, and requires input from a range of actors. In the United States, much of the evidence to support attribution is offline and involves traditional interviews and examination of equipment.45 The attribution efforts may themselves be thwarted or slowed down by adversaries, often using cyber tools to spoof their location or identity.46
Although considerable advances in detection technology enable States to more reliably identify the machines that have disseminated cyber attacks than in the past,47 identifying the persons, organizations, or States that are responsible for the cyber attack remains challenging.48 Even finding and seizing the offending computer is unlikely to reveal the sponsors of an attack.49 The problems are in part due to technical means of deception and anonymity, but are also due to the vagaries of the process of fixing responsibility for cyber attacks and the malleability and open-endedness of the little attribution law that currently exists in the jus ad bellum.50
The customary law of State responsibility and attribution is largely drawn from the long-term work of the International Law Commission (ILC) and its Rules on State Responsibility. The ILC rules were commended to the member states by the UN General Assembly in 2012 and have become the authoritative guidepost for public international cyber law.51 The starting point is that “a State bears international responsibility for a cyber-related act that is attributable to the State and that constitutes a breach of an international legal obligation.”52 Thus, attribution is required before a State may be found legally responsible for a cyber intrusion. Once attributed, States are legally responsible for an internationally wrongful act. Establishing factual attribution remains challenging in many instances, as does setting legal requirements for arriving at attribution.
The 2017 Tallinn Manual 2.0 on the International Law of Cyber Operations53 summarizes the extant customary international law on State responsibility and attribution. In essence, States are responsible for cyber-related acts of their own officials, agents, contractors, nonstate actors, and other States to the extent they actually control the operations.54 States do not escape legal responsibility for internationally wrongful acts by perpetrating them through proxies.55 Below the use of force threshold, States are responsible for a “cyber-related act . . . that constitutes a breach of an international legal obligation.”56 The act may violate a treaty, customary international law, or other “general principles of law.”57
Outside an armed conflict, international law forbids cyber intrusions that violate the prohibition on intervention.58 Based on the international law principle of sovereignty, the principle forbids coercive intervention by cyber means.59 Tallinn 2.0 reports that State-on-State cyber intrusions that are not coercive but are “detrimental, objectionable, or otherwise unfriendly”60 are not international law violations. As confirmed by the International Court of Justice (ICJ) in the Nicaragua judgment, “the element of coercion . . . forms the very essence of prohibited intervention.”61 What constitutes coercion? According to Tallinn 2.0, “coercion is not limited to physical force, but rather refers to an affirmative act designed to deprive another State of its freedom of choice . . . to force that State to act in an involuntary manner or involuntarily refrain from acting in a particular way.”62 The General Counsel of the DOD indicated in a January 2017 memorandum to the Combatant Commands and other senior military and civilian lawyers in the Pentagon that coercion is a prerequisite for unlawful intervention and that even attributed non-coercive cyber intrusions do not violate the non-intervention principle and are “largely unregulated by international law at this time.”63
To date, state practice on intervention is based on kinetic examples; the analogy to cyber may not be persuasive. The leading case is Nicaragua, where the ICJ found that United States support of the Nicaraguan Contras in 1983 and 1984 through financial support, training, supply of weapons, intelligence, and logistical support breached the principle of non-intervention and constituted a threat to use force, thus coercing the government of Nicaragua.64 In any case, physical damage or injury is not necessary for a cyber intrusion to be an internationally wrongful act.65 For example, a State that launches a targeted and highly disruptive distributed denial of service (DDoS) operation against another State may have acted coercively and engaged in a prohibited intervention if the operation is intended to cause the victim State to change its conduct, such as in relation to a third State.66
The International Group of Experts (IGE) that provided the analysis in Tallinn 2.0 acknowledged the “uncertainty as to the attribution of cyber operations” and agreed “that as a general matter, States must act as reasonable States would in the same or similar circumstances when considering responses to them.”67 The IGE elaborated:
Reasonableness is always context dependent. It depends on such factors as, inter alia, the reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved. These factors must be considered together. Importantly in the cyber context, deficiencies in technical intelligence may be compensated by, for example, the existence of highly reliable human intelligence.68
The IGE opined that “as a general matter the graver the underlying breach . . ., the greater the confidence ought to be in the evidence relied upon by a State considering a response69 . . . because the robustness of permissible self-help responses . . . grows commensurately with the seriousness of the breach.”70 Notwithstanding the best work of the IGE, because attribution judgments that determine state responsibility remain to some extent uncertain, and because there is no robust international or domestic law understanding on how much evidence suffices for attribution of state responsibility, the attribution bar is set very low by international law.
In addition, the legal standards for attribution are malleable to the extent that the evidence of attribution is not required to be shared publicly71 and normally is not. In addition, the evidence leading to attribution is often based on intelligence collection rather than testable machine-derived data. As a result, the legal criteria for attribution decisions from the jus ad bellum distill to a subjective reasonableness.72 For example, it may be difficult to tell whether cyber intrusions were ordered by a State, tolerated by a State that knew about them, or carried out by proxies for the State that followed their own loosely governed agenda.
Ultimately, the decision to assign responsibility for a cyber attack to a State is a political one, based on a combination of digital forensics and intelligence intercepts rather than a set of established legal criteria.73 Actual (beyond technical, machine) attribution in a State-sponsored attack rarely takes place quickly, except when strategic or political considerations incentivize rapid attribution.74 Indeed, the more time investigators have to collect evidence for attribution, the more reliable the attribution judgment is likely to be. Strategic reasons may also give States cause for delaying attribution or never making it public.75 States can normally make an initial guess about the perpetrators of a cyber intrusion in the national security realm, but obtaining conclusive evidence of sponsorship is difficult.
In addition, the time it takes to produce a high confidence attribution judgment can impact the lawful responses to cyber operations below the armed conflict threshold. For example, mistaken attribution can lead to an unlawful response even if the State made a reasonable attribution judgment and implemented countermeasures.76 The IGE concluded that “as a general matter the graver the underlying breach . . . the greater the confidence ought to be in the evidence relied upon by a State considering a response.”77 The more severe the injury, the less certain attribution needs to be, and the stronger the planned response, the greater the confidence in attribution. When intrusions are not severe, the State can accumulate more data for attribution.78 Judgments are heavily influenced by what is at stake politically. Although attribution is necessarily probabilistic, the process serves its purpose if it convinces the responsible State (and victim State citizens) that a response to the cyber intrusion was called for.79 As suggested in Section IV, such a sliding scale approach to attribution may be portable to the in bello world of armed conflicts.
The architecture of the internet has changed little over the last two decades. Burdened by a largely insecure structure, the art and science of attribution are evolving, but only gradually. The good news is that better intrusion detection systems now flag breaches in real or nearly real time.80 At the same time, improvements in adaptive, resilient networks help deter offensive intrusions.81 The bad news is that the intruders are learning, too, and encryption and other deception advances greatly complicate forensic identification.82 Meanwhile, States and nonstate actors often act in the cyber realm with relative impunity when no or only negligible sanctions follow from being outed.83 Indeed, a 2017 Council on Foreign Relations Memorandum opined that even a major cyber attack on the U.S. electric power grid could be carried out on the likely mistaken assumption that the attack could not be attributed. Even an unfounded expectation that another State could attack the United States anonymously and with impunity could lead to devastating consequences.84 Under such circumstances, a “lax de-facto norm of negligible consequences”85 may emerge, even during an armed conflict. The dangers of complacency—increasing harms from cyber intrusions following lax attribution and only modest enforcement of norms—enhance the value of undergirding the LOAC with in bello attribution components. Only if States invest in accountable attribution mechanisms will any new international law on attribution have practical value.86 A dilemma for the United States is that we benefit from the absence of express norms because we have the most offensive tools. But our society is also the most vulnerable to cyber intrusions.87 Ironically, we also have the best attribution capabilities and can therefore sleuth out and identify the States and nonstate actors engaged in unlawful cyber operations, even during armed conflict.
It remains to be seen how well the jus ad bellum law on State responsibility and attribution, limited as it is, may be applied in armed conflict. It is certainly true that the LOAC has an interconnected patchwork of principles and doctrinal rules that serve to protect civilians in armed conflict from the impacts of cyber intrusions. In theory, because attribution occurs before response targeting analysis and its application of the LOAC principles of distinction, proportionality, and precautions, something like the ad bellum law on state responsibility and attribution may improve the application of LOAC when cyber is part of armed conflict.
III. Challenges in Applying the LOAC to Cyber
Consider a hypothetical illustration:
State A is engaged in an armed conflict with State B. The conflict is primarily kinetic, although both States have utilized cyber means in attempts to degrade the command and control of each other’s military. Meanwhile, various additional cyber operations have impacted civilian infrastructure in State A, including civilian networks and operations that directly or indirectly support the ongoing military campaign. The victimized networks include civilian contractors that supply and provide logistical support to the State A military, and the infrastructure the military relies on for its operations, including ports, railroads, and electricity. No State or anyone else has claimed responsibility for the cyber intrusions in State A. Preliminary machine attribution indicates that the attacks have originated primarily inside State B, although the dissemination of malware has exploited computers at various locations around the world.
Are the cyber intrusions in State A “attacks”? If so, although the offending machines may be targeted by State A as military objectives, may or must State A attribute State responsibility for the attacks to State B before targeting the facilities or entities responsible for the incoming cyber attacks? If the intrusions do not qualify as attacks, does their occurrence during an armed conflict permit a cyber or kinetic military response? Is attribution required for those operations?
A. Which Cyber Intrusions Are Subject to the LOAC? Must They Be Attributed?
Most cyber intrusions that cross sovereign boundaries do not violate international law. Outside an armed conflict, for those operations where the impact does not constitute an “attack” according to the LOAC, only cyber intrusions that constitute an internationally wrongful act—coercive cyber intervention—are clearly proscribed by international law. Thus, an isolated cyber intrusion that is neither an attack nor an internationally wrongful act may have no international legal consequences.
According to Tallinn 2.0, “a situation involving hostilities, including those conducted using cyber means” is an armed conflict.88 In addition, intrusions that cause cyber harm but not physical damage during an armed conflict are subject to the LOAC. As Tallinn 2.0 explains, the 2007 cyber operations targeting Estonia did not trigger the LOAC because the “situation did not rise to the level of an armed conflict,”89 while the cyber operations that occurred between Georgia and Russia in 2008 and now in the ongoing conflict between Ukraine and Russia are subject to the LOAC because those conflicts involved hostilities rising to the level of armed conflict.90
Are all cyber intrusions during armed conflict subject to the LOAC? According to one view held among the IGE, the LOAC “governs any cyber activity conducted by a party to the armed conflict against its opponent.”91 (This view presumes attribution or dismisses its importance.) Another group maintained that the LOAC applies only when “the cyber activity [is] undertaken in furtherance of the hostilities.”92 (Still no mention of attribution.) All members of the IGE agreed “that there must be a nexus between the cyber activity in question and the conflict for the law of armed conflict to apply to that activity.”93
The IGE acknowledged “that the application of the law of armed conflict to cyber operations can prove problematic [because] it is often difficult to identify the existence of a cyber operation, its originator, its intended object of attack, or its precise effects.”94 However, the experts agreed that questions of fact regarding the existence, purpose, or origins of a cyber operation “do not prejudice the application of the law of armed conflict.”95 Because of the vagaries of applying the LOAC to cyber activities, the IGE agreed that the Martens Clause96 would provide general law-of-nations protections for cyber activities conducted in the course of an armed conflict.97
Although the definition of “attack” in the LOAC is clearly focused on kinetics, the colloquial understanding of what constitutes a “cyber attack” has a broad, almost all-encompassing meaning, ranging from destructive attacks to exfiltration to denial of service.98 Additional Protocol I, the Tallinn Manual, and the DOD Law of War Manual agree that “attack” is the pertinent triggering concept for invoking LOAC principles.99 The Tallinn Manual defines a cyber attack as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”100 The focus of analysis is on the effects or consequences of a cyber operation, and the harm or damage to objects must be more than de minimis.101 The Tallinn Manual definition clearly is not limited to kinetic force. For example, interference with the functionality of a computer or system may qualify as an attack.102
At the same time, some categories of cyber harm are not cyber attacks and may not trigger LOAC principles standing alone. As Michael Schmitt has recognized, the effects of cyber operations that cause “inconvenience, disruption, disorder or irritation . . . might . . . be severe, as in significant interference with the economy, transportation system or other critical infrastructure.”103 Yet such cyber operations do not by themselves initiate an armed conflict even if the effects on civilians are significant.104 To the extent the LOAC is not in force, the important principles such as distinction and proportionality do not apply to protect civilians.
Tallinn Manual 2.0 confirms that once an armed conflict exists, cyber operations that cause cyber harm are subject to the LOAC.105 Cyber harm might become the benchmark for invoking the rules designed to shield civilian populations from harm. Section III of this chapter will consider whether international law could insist that State responsibility for cyber operations that cause cyber harm during an armed conflict be attributed in order to add accountability for the harms to civilians during conflict and to improve responsive targeting by cyber means.
B. Cyber and the LOAC Principle of Distinction
Codified in AP I, the bedrock principle of distinction requires that “Parties to the conflict . . . at all times distinguish between the civilian population and combatants and between civilian objects and military objectives.”106 Accordingly, (p. 253) the LOAC prohibits cyber attacks in an armed conflict that are uncontrollable, that are unpredictable, or that otherwise do not discriminate between civilian and military objectives.107 Article 52(2) of AP I enforces the principle of distinction by stating that
What objects in the cyber domain are obviously lawful targets under the Protocol? Weapon guidance systems, classified military networks, the factory that makes the software for the network or guidance system for the weapon, for openers. Likewise, some cyber attacks would be clearly unlawful, including a cyber attack on a hospital, museum, or place of worship.109
Beyond the easy cases, in the cyber domain the principle of distinction may be seriously compromised. Machine attribution is often straightforward, so that a computer may be targeted, but establishing State responsibility is often challenging. An easy illustration involves spoofing. The computer that “shot” at the victim State was taken over, so the computer is a military objective, but its owner is not. Attribution would attempt to determine who is responsible for the spoofed cyber activity before a targeting analysis is undertaken.
The distinction principle is enforced by the military objective definition quoted previously. In many instances, the “nature” of the object cannot be determined without knowing who owns or controls it. Civilian telecommunications infrastructure is not a lawful target, while military communications infrastructure that relies on the same internet backbone may be targeted in an armed conflict. Following the same military objective criteria, “purpose” and “use” determinations in the cyber domain require knowing about ownership, or at least control, and, thus, attribution. The latter two components of the military object definition are confounded in the cyber realm by the fact that just about every cyber installation could be considered a dual-use object110 and thus a military objective.111 While (p. 254) objects in the physical world are theoretically capable of being dual-use, most are not in fact.112 Because the military uses the same cyber infrastructure that civilians use for their purposes, that infrastructure may in general be lawfully attacked during an armed conflict.113
As technologically advanced States attain greater sophistication in the use of the cyber domain for strategic purposes, the cyber infrastructure will present increasingly significant targets in future armed conflicts. Based on the conventional LOAC conception of what counts as a military object, all civilian cyber infrastructure that transmits military communications and data is dual-use and could be seen as a lawful military objective.114 As Robin Geiß and Henning Lahmann argued in 2013, “there simply is no difference between a military and a civilian computer; any computer and basically any part of the larger cyber infrastructure can be used to serve the military and the civilian constituency either interchangeably or simultaneously.”115 According to Article 52(2) of AP I, a wide range of civilian cyber assets would qualify as legitimate military objectives because their neutralization or destruction would offer a definite military advantage. Of course, these permissive targeting principles do not apply unless the civilian infrastructure is actually used by the military.
Despite widespread criticism of the sweeping potential for the military objective definition to reach virtually the entire civilian cyber infrastructure,116 the recent trends, particularly in the United States, are to expand the definition to include war-sustaining objects.117 The United States includes war-sustaining objects as lawful military objectives, defined in the Handbook on the Law of Naval Operations as “[e]conomic objects of the enemy that indirectly but effectively support and sustain the enemy’s war-fighting capability. . . .”118 War-supporting or war-sustaining objects would include a factory that makes a computer guidance system for a weapon or the software that runs on a classified network. Under the (p. 255) U.S. approach, it would also be lawful to “launch cyber attacks against the enemy State’s oil export industry if the war effort depends on revenue from oil sales.”119
The U.S. interpretation is contrary to the views of the IGE in Tallinn Manual 2.0. The Tallinn 2.0 Rule 100 concedes that “[c]yber infrastructure may qualify as a military objective.”120 However, on the issue of war-sustaining objects, a majority of the IGE rejected the extension of the “military objective” treaty language “on the ground that the connection between war-sustaining activities and military action is too remote.”121 The majority would limit permissible targets to those objects that are war-fighting or war-supporting. An example of the latter is a factory producing hardware or software for use by the military.122
Following the U.S. approach in the DOD Law of War Manual and AP I, the Tallinn 2.0 IGE confirmed that dual-use objects and facilities are military objectives “without qualification.”123 However, the IGE also carefully parsed several examples in the commentary on the dual-use and related Rules, acknowledging several categories of hard cases and affirming the duty to expeditiously resolve any doubts about the legal status of cyber infrastructure as a military or civilian object.124 In any event, the AP I standard and the U.S. stance generally call into question LOAC protections for civilian cyber infrastructure. Although cogent proposals have been made to limit cyber operations against dual-use infrastructure to the least disruptive action and to preclude war-sustaining objects from being subject to cyber attack,125 there is no indication that the LOAC or State practice has adopted these reforms.
Arguably, Article 56(1) of AP I and its exemption from attack due to severe humanitarian consequences where objects otherwise qualify as military objectives may protect civilian cyber infrastructure in some settings.126 If, for example, components of the dual-use cyber infrastructure are impacted by military cyber operations (as they almost surely would be), the Protocol could be read to limit such actions where the consequences for the functionality of civilian cyber traffic are significant.127 Unfortunately, Article 56(1) justifies an exemption only when there may be “severe losses among the civilian population”128 and is unlikely to (p. 256) protect against the loss of functionality of the internet short of the destruction of important infrastructure components.129 Alternatively, steps could be taken to segregate military and civilian networks, following the Article 58(a) obligation to take passive precautions in an armed conflict.130 However, the obligation applies only “to the maximum extent feasible,” and in any case, the passive precautions duty does not override lawful dual-use targeting.131 In addition, the precautions requirement in Article 58(c), requiring States to take other necessary precautions to protect the civilian population and civilian objects from the dangers resulting from military operations, has not been, but could be, construed to require ensuring continuing cyber functionality of, for example, the electric grid during an armed conflict.132 Consistent with the Protocol, the DOD Law of War Manual notes that the “obligation to take feasible precautions may be of greater relevance in cyber operations . . . because this obligation applies to a broader set of activities than those to which other law of war rules apply.”133
Overall, the dual-use phenomenon makes it unlikely that States will take steps based on the principle of distinction to limit military cyber operations that impact civilian systems. Even in the face of the U.S. position on war-sustaining objects, however, an attribution process embedded in analyzing the incoming cyber operations, if implemented before the response targeting process, could ameliorate the risk of targeting mistakes, highlight responsibility for the provoking attack, and possibly provide alternative targeting options.
In theory, the principle of proportionality affords greater flexibility than the principle of distinction toward the same objective. Article 51(5)(b) of AP I sets up a balancing, where incidental loss of civilian life, injury to civilians, damage to civilian objects or a combination thereof is prohibited if it is excessive in relation to the concrete and direct military advantage anticipated.134 The principle clearly applies in the cyber domain.135 Yet the relevant criteria for consideration in a proportionality assessment are “loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof.”136 A loss of functionality is apparently not part of a proportionality calculus.137 Thus, the principle would be an important factor for destructive cyber operations, but not for those that cause (p. 257) cyber harm but do not destroy any objects. Although creative arguments have been made to extend proportionality analysis to incorporate cyber harms,138 the law has not embraced such a change so far.
C. What to Do about Data
May data be lawfully treated as a civilian “object” protected from attack for LOAC purposes? The answer remains unclear. The Tallinn Manual 2.0 IGE agreed by a majority that data should not be considered an “object . . . at least in the current state of the law” because “data is intangible and therefore neither falls within the ‘ordinary meaning’ of the term object, nor comports with the explanation of it offered in the ICRC Additional Protocols 1987 Commentary.”139 The ICRC Commentary indicates that the term “object” refers to something “visible and tangible.”140 Of course, the commentators’ view was only an understanding, not part of the language, and it was observed in 1987 before the growing significance of the cyber domain.
The implication of the IGE understanding is that a cyber operation aimed at corrupting, manipulating, or destroying data resident on a computer or cyber system does not constitute an attack and is not subject to the distinction principle so long as the operation does not affect the functionality of the computer or system. An operation that does affect the functionality of computers or cyber systems was thought by the IGE to “sometimes” qualify as an attack.141 Exceptions are recognized where the attack on data leads to injuries or physical damage.142 A minority of the IGE argued that at least certain data (such as social security data, tax records, and bank accounts) should be within the scope of the targeting rule and protected by distinction so that such critical data are not lost and the civilian population thereby victimized. For the minority, the severity of the consequences of a cyber operation matters more than the nature of the harm.143 None of the analyses of how to treat data in the LOAC have to date considered attributing State responsibility for incoming cyber activity that harms data on cyber systems.
Certainly, the overall approach to the LOAC taken by the United States is to focus on practical impacts of military operations when striving to protect civilians. In the cyber world, the focus should properly be on harm to the cyber system, including resident data.144 At the same time, it would be similarly helpful to reframe (p. 258) the criteria for military objective in a cyber setting to focus on whether the data offers a definite military advantage or demonstrable military purpose.145 Data not meeting the test for military objective would be civilian objects and thus protected in applying LOAC principles.
During international armed conflicts, the law of neutrality applies to cyber operations and to cyber infrastructure located within or owned by a neutral State.146 The law of neutrality protects neutral States and their citizens from the armed conflict while it protects the States in conflict against actions taken by the neutral State for the benefit of one of the States in conflict.
In the cyber domain, the territorial boundaries that can signify neutrality are not easily applied, in part because internet pathways host traffic that may be routed through neutral States’ cyber infrastructure regardless of its origins or destinations. As such, the core principle of the law of neutrality—that States in conflict are prohibited from conducting hostilities within neutral territory—is not easily applied.147 Attacks on neutral cyber infrastructure are, of course, forbidden, but parsing when an attack on a belligerent State that impacts infrastructure in a neutral State is unlawful is difficult, and the law remains unsettled.148 Analysis is complicated because computers in the neutral State may be exploited by another State for its armed conflict ends without the knowledge of the neutral State. The main objective of neutrality analysis can be spoofed.149
Likewise, using cyber means to conduct armed conflict in neutral territory is unlawful.150 The same principle applies to remotely conducting cyber operations in neutral territory.151 According to the Tallinn 2.0 IGE, the principle applies to private individuals or groups only if their conduct is attributable to a State in an international armed conflict.152 Thus, an element of attribution is already part of the law of neutrality. Extending the analysis from private participants to States could become a straightforward part of neutrality law in the cyber domain. In the same way it is essential to know whether apparently private actions can be attributed to a State, it is important to know that an incoming cyber attack is attributable to a (p. 259) neutral State or to a third State that has exported malware through a neutral State’s cyber infrastructure.
Although the Tallinn 2.0 IGE agreed with the prevailing customary international law that State parties in conflict do not violate the law of neutrality by using the internet to the extent components of it are located in neutral territory, a majority of the experts concluded that transmitting cyber weapons across a neutral State’s cyber infrastructure violates international law. This conclusion was based on a provision of Hague Convention V that prohibits movement of munitions or supplies of war across the territory of a neutral State.153 Illustrating the unsettled nature of neutrality law in cyber, the United States DOD Law of War Manual interpreted the Hague Convention not to prohibit routing even destructive cyber weapons through a neutral State.154
The basic and fundamental attribution question reappears: In light of spoofing capabilities, and the dynamic features of malware, the legal questions about neutrality cannot be answered reliably without a process that fixes State responsibility. The same questions should be asked and answered before deciding whether a neutral State has knowingly allowed a State in conflict to use its cyber infrastructure for military purposes.155 “Knowingly” presumes a duty on the part of neutral States.
IV. Could Attribution Review Improve the Adaptations of LOAC to Cyber?
The development of cyber weaponry may in some ways make armed conflict less violent and thus less costly in human suffering. At the same time, the cyber domain also greatly expands the available targets in armed conflict. Yet, once an armed conflict has begun, there is no legal requirement that incoming cyber activity be attributed to the enemy or some other State or non-State entity. The apparent mainstream view in the LOAC is that once an armed conflict has begun it is lawful for each side to presume that incoming cyber operations are the responsibility of the enemy in the armed conflict.156 In other words, the enemy is corporate, and the hostile acts that surround the core conflict are part and parcel of (p. 260) that conflict. While the corporate enemy concept is appealing from an operational perspective and may be a practical imperative in some conflict situations, a more nuanced approach that pays careful attention to the nature and source of ongoing cyber operations may enhance enforcement of LOAC requirements.
This section of the chapter will argue that an attribution process for cyber intrusions in an armed conflict would augment existing LOAC protections, particularly those that drive response targeting. In one important sense, LOAC compliance is about timing. Targeting analysis mirrors the kind of analysis that determines attribution, or at least similar questions are asked and answered. But attribution should occur before response targeting and is a separate inquiry. In colloquial terms, you have to know who is shooting at you in an armed conflict before you can lawfully shoot back. Target identification becomes an adjunct to attribution, where much of what is learned through an attribution process serves the targeting analysis.
Incorporating a cyber attribution process during armed conflict could more precisely identify State (or other) responsibility for cyber harms. As a consequence, States would be better able to isolate the nature and degree of response targeting called for by the cyber intrusion, taking care to meet traditional LOAC principles of distinction, proportionality, and precaution. Attribution could also assist in setting the metrics in some particular cyber response settings, such as determining the circumstances and scope of lawfully targeting critical infrastructure in the responsible State. For example, to the extent that attribution of enemy State responsibility is established with high confidence, greater discretion to target dual-use critical infrastructure could lawfully follow. Lesser confidence in attribution could demand more discrimination analysis in response targeting. International law could incorporate a sort of sliding scale regarding attribution—the greater the confidence in State responsibility, the more discretion should be used in targeting dual-use infrastructure; with less confidence, more attention should be paid to carefully parsing civilian impacts.
A. Calibrating Cyber Intrusions
Of course, cyber operations are not monolithic. Distinguishing among the types of cyber intrusions may help to calibrate application of the key LOAC principles during an armed conflict. Where the type of cyber operation is likely to cause significant cyber harm to civilians, attributing the source even some time after the fact may better protect civilians by deterring aggressive cyber operations in the future. To be sure, some cyber intrusions may be more amenable to attribution than others, and the risk of harm to civilians may be greater in some kinds of operations, thus meriting enhanced attention toward attribution and State responsibility.
For example, the LOAC could distinguish operations that have as their objective shutting down or otherwise interfering with the functionality of a computer network—command and control systems or communications networks, for (p. 261) example, such as through a DDoS. A second category of cyber operations seeks to corrupt or destroy data on a computer system, not the system itself, while a third type attempts to take control of a system for the purpose of manipulating some physical object, such as a missile system, a dam, or an electric grid. In the latter case, the target is the physical thing, and the cyber operation is part of the means and methods of attack.157 For the category of cyber operations that attempts to take control of a physical object, such as the enemy’s missile defense system or the controls on its water supply, the LOAC analysis is more or less unaffected by the cyber means of impacting the object.158
Regarding cyber operations that target networks and data resident on them, the LOAC analysis is more complicated. To a degree, an attribution process is mirrored by traditional LOAC targeting analysis. For a target to constitute a military objective, the State is required to have knowledge of the target’s nature, including State ownership or responsibility.159 Although the prospective targeting judgments are not now based on attribution of a cyber operation that has already occurred, the judgments about what is a military or civilian object and their derivative inquiries approximate the analysis that the responding State should undertake in assessing responsibility for incoming cyber activity.
Cyber operations during armed conflict that attempt to impact the functionality of computer systems or impact the data resident on them may cause significant harm to civilians. An attribution process for those operations could serve to more clearly identify the State responsible for the intrusions and, once held publicly accountable, deter excessive or especially harmful cyber operations. Depending on how the LOAC principles of distinction, proportionality, and precaution are applied to cyber operations, an attribution process could be attempted for cyber operations significantly impacting civilians during armed conflict or only those constituting “attacks” as understood in the LOAC.160 If the practical assessment of the level of harm caused by a cyber operation is used as the measure of whether there has been an attack,161 operations that impact the functionality of the targeted (p. 262) system to the extent that components must be replaced are attacks162 and could be made subject to attribution.
A cyber operation that manipulates, destroys, or corrupts data on a computer or server in a way that does not affect or destroy the functionality of the computer or system is not an attack on an object and apparently is not regulated by the LOAC or its distinction and proportionality principles. Although a minority of the Tallinn 2.0 IGE pointed out that the traditional LOAC principle would not protect “essential civilian datasets such as social security data, tax records, and bank accounts,”163 contrary to the overarching goal of protecting civilians during armed conflict, the IGE confirmed that data is not an object for LOAC purposes.164 An attribution process for incoming cyber activity that targets essential civilian data resident on computer systems could expose enemy overreach in armed conflict. Establishing State responsibility for these attacks on data could also lead to a more nuanced LOAC approach to treating data as an object in targeting.
Similarly, the approach taken by the United States that treats war-supporting or war-sustaining objects as valid military targets broadens the scope of dual-use and civilian components of critical infrastructure that are vulnerable to attack consistent with the LOAC.165 Although a majority of the Tallinn 2.0 IGE rejected the United States’ view “on the ground that the connection between war-sustaining activities and military action is too remote,”166 theirs is expert opinion, not law. In any event, the debates and fine contextual lines between warfighting, war-supporting, and war-sustaining activities illustrate that a one-size-fits-all rule for dual-use targets does not serve well the overarching LOAC objective of protecting civilians in armed conflict. As with attacks on data, an attribution process for incoming cyber activity that targets various categories of dual-use but war-related cyber infrastructure could expose enemy excesses, serve to model response attacks, and possibly deter future such attacks.167
One widespread type of cyber intrusion is the DDoS attack. These operations involve coordinated botnets where virus-infected hijacked “zombie” computers overwhelm servers by systematically and continuously visiting designated websites.168 DDoS attacks are typically carried out by networks of hackers, but State involvement is often suspected, as was the case with suspected Russian State (p. 263) involvement in the 2007 Estonia and 2008 Georgia DDoS attacks.169 Conclusive attribution was not established for these and other DDoS operations because of the anonymity created by the botnets utilizing unsuspecting computers from around the world.170 Although temporarily shutting down websites causes inconvenience and delay in transacting business or government, not injury or destruction, DDoS operations can be costly.171 The consensus view among scholars is that the Estonia attacks were not subject to the LOAC because there was no armed conflict with (p. 264) Russia, while the 2008 cyber attacks on Georgia were part of an armed conflict with Russia and were thus subject to the LOAC.172 So, too, are ongoing DDoS attacks by Russia in its armed conflict with Ukraine.173 For those DDoS attacks during an armed conflict, whether they constitute LOAC “attacks” or cyber harm, attributing significant attacks could call attention to unlawful interventions by states and perhaps deter some future operations. Improvements in attribution technology, along with commitments from affected States to assign State responsibility for DDoS attacks, could combine to make this category of cyber activity less likely during armed conflict.
Another form of cyber operation, a semantic attack, involves surreptitiously inputting inaccurate information into a computer system while causing the computer to appear to operate normally even as it is failing.174 Examples in the security realm include an abandoned United States plan in 1999 to feed false target data into the Serbian defense network, thereby interfering with Serbia’s capacity to target NATO planes, and a 2007 Israeli semantic operation that compromised the Syrian air-defense system, causing Syrian radars to show clear skies at the same time the Israeli Air Force conducted a strike against a nuclear facility in Syria.175
The 2010 Stuxnet attack began as a semantic attack but evolved into an operation that disrupted the nuclear facility. Stuxnet has not been officially attributed,176 (p. 265) and there was no armed conflict between the apparently responsible parties, the United States and perhaps Israel and Iran. When semantic operations coincide with conventional attacks, attribution judgments are less difficult. Aside from conventional attack or armed conflict indicators, however, attribution cannot be accomplished expeditiously because the computer disruption is not knowable until the conventional or kinetic attack occurs. However, in the course of an armed conflict, attributing semantic attacks as part of LOAC compliance could be a potentially useful tool for deterring unlawful cyber activity.
The principle of precautions in attack requires a commander to take “feasible” precautions to minimize harm to civilians from an attack.177 The obligation to take feasible precautions is manifest in the customary international law obligation to take “constant care” in reducing harm to civilian persons or objects.178 The traditional role of a precautions analysis lies in target identification and verification, and in assessing collateral harm to civilians that may result from a military operation.179
Tallinn Manual 2.0 offers a Rule on precautions, based on AP I and part of customary law in international and non-international armed conflicts: “During hostilities involving cyber operations, constant care shall be taken to spare the civilian population, individual civilians, and civilian objects.”180 Intended to (p. 266) supplement the distinction and proportionality principles and corresponding Rules,181 the precautions Rule “requires commanders and all others involved in the operations to be continuously sensitive to the effects of their activities on the civilian population and civilian objects, and to seek to avoid any unnecessary effects thereon.”182 The “constant care” admonition “requires situational awareness at all times” in the cyber context.183 A related Rule on target verification applies to cyber operations that qualify as an “attack”184 and requires all “feasible precautions”185 that could include “gathering intelligence . . . to determine the attack’s likely effects . . . .”186 According to the IGE, when target verification is not practically possible, “the decision-maker may have to refrain from conducting an attack” or modify it.187
According to the IGE, precautions must extend to “the choice of means or methods of warfare employed in . . . an attack, with a view to avoiding, and in any event to minimising, incidental injury to civilians, loss of civilian life, and damage to or destruction of civilian objects.”188 Recognizing that cyber infrastructure is dual-use, the IGE stressed that commanders “must take all feasible precautions to avoid, or at least minimise, indirect as well as direct collateral damage.”189 Related Rules describe similar precautions concerning proportionality,190 choice of targets,191 and warnings,192 and against the effects of cyber attacks.193 An example chosen by the IGE focused on a choice of targets and involved disrupting enemy command and control. Given a choice between attacking the dual-use electric grid and the enemy’s command and control network directly, the latter must be chosen if it is expected to achieve the desired military advantage because of the significant collateral harm to civilian infrastructure.194
(p. 267) The IGE also included a Rule on “passive precautions,” those that must be taken by a defender based on the effects of cyber attacks.195 Examples offered include segregating military from civilian cyber infrastructure and civilian systems from the internet, backing up important civilian data, arranging in advance for repairs of systems likely to be harmed, and using antivirus programs to protect civilian systems.196
AP I obligates attackers selecting military objectives to choose the one that “may be expected to cause the least danger to civilian lives and to civilian objects.”197 The same article requires attackers to take all feasible precautions in the choice of means and methods to avoid or at least minimize incidental loss of civilian life, injury to civilians, and damage to civilian objects, and to refrain from attacks that “may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.”198 Of course, in general a cyber operation may cause fewer casualties and less damage than a kinetic strike and, for that reason, may be preferable and more likely to meet the objectives outlined in the Protocol. However, on a case-by-case basis, where State militaries choose to launch cyber operations against dual-use civilian systems that the military relies on (instead of an internal military cyber target), the impact on civilians may be significant and avoidable. Thus, the DOD Law of War Manual recognizes that the “obligation to take feasible precautions may be of greater relevance in cyber operations . . . because this obligation applies to a broader set of activities than those to which other law of war rules apply.”199
Relatedly, the presumption that war-sustaining objects are proper targets that “contribute to military action”200 could be rebutted if targeting analysis reveals significant civilian losses or insufficient connection to the military effort.201 At present there are no standards to assess whether an object will in fact have a military use. In at least some instances the cyber response to an intrusion during armed conflict is expected to target computers, systems, or networks similarly situated to those harmed in the incoming operation. Military objectives in cyber can include computers, networks, and other tangible components of cyber infrastructure. In addition, interconnected networks and systems do not lend themselves to clear segregation of civilian and military uses or purposes. As with dual-use targeting, (p. 268) an attribution process attached to the cyber operations that prompt the cyber responses may improve the decisions.
Article 58 of AP I obligates parties to an armed conflict “to the maximum extent feasible: a) . . . endeavor to remove . . . civilian objects under their control from the vicinity of military objectives.”202 The obligation to take feasible precautions may thus be more fully realized by including an attribution process during armed conflict in order to protect some cyber activities in the civilian sphere, independent of the targeting analysis. To the extent that the Tallinn 2.0 rules and commentary reflect customary international law, the precaution principle and its derivative doctrine, along with the requirement that the State have knowledge of the nature of a proposed military objective in targeting, provide harmonious protections alongside an attribution analysis for the cyber components of armed conflict. The attribution analysis precedes the more general LOAC requirements of precautions and discrimination.
C. A Proposed LOAC Rule
Considering attribution below the armed conflict threshold, the Tallinn 2.0 IGE agreed “that as a general matter, States must act as reasonable States would in the same or similar circumstances when considering responses to them.”203 As explained in Section I of this chapter, the IGE opined that
reasonableness . . . depends on such factors as . . . the reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved.204
The IGE found that “as a general matter the graver the underlying breach . . ., the greater the confidence ought to be in the evidence relied upon by a State considering a response.”205 Because there is no international or domestic law on how much evidence suffices for attribution of State responsibility, the attribution bar is set very low by international law. In addition, the legal standards for attribution are malleable to the extent that the evidence of attribution is not required to be and usually is not shared publicly.206 In short, the law on attribution is anything but robust.
(p. 269) Consider this proposal:
In conducting military operations during armed conflict, the commander (or other decision maker) must act as a reasonable commander in the same or similar circumstances would to attribute the source of a cyber operation before responding with kinetic or cyber weapons, or as soon thereafter as practical. The attribution requirement varies depending on the value of the target and the quality and quantity of available attribution analysis or data. For instance, a state may pursue a very high-value target with less certainty of attribution than in situations involving a target that is of low value. High value can be measured by value to the enemy or the seriousness of the target’s actions in relation to the state’s own operations.207
We know from experience outside the armed conflict setting that attribution is an imperfect process, one that in many cases improves over time through intelligence collection, information sharing, and political or diplomatic discussions. In many cases, even during armed conflict, it may behoove a State to avoid a rush to judgment or immediate counterattack in response to a significant cyber intrusion. Delayed attribution may be more reliable and more authoritative,208 and a solid evidence-based attribution may enable the States in conflict to avoid international law violations for targeting innocent parties. At the same time and based on limited experience in the jus ad bellum realm, legally prescribed standards or criteria for attribution are not likely to be effective.209 Because attribution is usually based on judgment, paying too much attention to standards can cloud the political or policy process required before an attribution judgment is reached.210
An analogy to State responsibility and the unlawful intervention rules is instructive in the armed conflict setting in two different respects. The first underscores the importance attached to attribution and State responsibility for cyber intrusions below the armed conflict threshold. As explained previously,211 attribution is required, a prerequisite to finding State responsibility for an unlawful intervention by cyber means. The second reminds us that international law has not yet fully adapted to the cyber domain, in the jus ad bellum or jus in bello. The jus ad bellum permits countermeasures in response to an unlawful (p. 270) intervention.212 Countermeasures may be cyber in nature or not; they must remain below the use of force threshold, and they consist of conduct that would be unlawful but for its purpose of stopping the unlawful intervention. However, countermeasures also require prior attribution and notice to the offending State so that it has the opportunity to discontinue its unlawful conduct. The purpose of the countermeasures is to induce compliance with international law.213 Because State attribution in cyber can be so difficult and time-consuming, countermeasures often are realistically unavailable. Countermeasures implemented after the time has passed for encouraging the offending State to stop its intrusions become unlawful punishment.214 So while the jus ad bellum doctrine has not adapted to the realm of cyber conflict, its bedrock principles underscore the importance of attribution before attaching State responsibility for an unlawful act. Although it is unrealistic to expect authoritative attribution in the real-time environment of armed conflict, identifying the source of cyber operations will serve important purposes even after the armed conflict is over.
The importance attached to attribution of cyber incidents below the armed conflict threshold supports the argument for extending an attribution element to the LOAC. Although response targeting analysis and precautions in the LOAC replicate and overlap with some of the value that could be derived from attribution, attribution would attempt to answer the threshold question of who is responsible for the cyber intrusion, setting the stage for more reliable targeting and precautions.
One possible additional component of building in an attribution step for cyber operations in armed conflicts beyond identifying the responsible party is providing some details about the intrusion.215 The need to protect intelligence sources and methods will continue to foreclose disseminating much of the attribution process and details about intrusions to all but senior officials and elected leaders. However, particularly when the cyber intrusion causes considerable cyber harm to civilians or civilian infrastructure, publicizing at least some of the details of the operation and responsible parties can enhance the credibility of the victim State and deter adversaries who fear the impact of widespread knowledge of their cyber activities.216 Communications about attribution are also likely to improve attribution and the collective defenses against cyber attacks.217
Public attribution may also change the behavior of the cyber adversaries. The most prominent, recent example is the May 2014 decision by the United States to indict members of the Chinese PLA for computer fraud and abuse, among other crimes. Although the indictment detailed the criminal economic espionage (p. 271) conducted by the PLA Unit, it did not reveal much of the evidence in support of attribution. The not-so-subtle message was that, if the Chinese did not desist, that information could be released.218 Not long after the indictments, China and the United States agreed on some parameters for protecting commercial secrets from cyber espionage.219
1. Director, Institute for National Security and Counterterrorism, Board of Advisers Distinguished Professor, Syracuse University College of Law and Maxwell School of Citizenship & Public Affairs, Syracuse University. The author appreciates the helpful feedback from the participants in the Lieber Institute for Law and Land Warfare workshop on the Impact of Emerging Technology on the Law of Armed Conflict at the USMA, West Point, October 2017, and thanks Taylor Henry, Syracuse University College of Law, JD, 2018, for excellent research assistance.
2. See U.S. Dep’t of Defense, Law of War Manual ¶ 16.2.1 (2015) (updated Dec. 2016) [hereinafter DOD Law of War Manual]; Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int’l L. 525, 579 (2012).
3. See Sue Halpern, US Cyber Weapons: Our ‘Demon Pinball,’ N.Y. Rev. Books (Sept. 29, 2016), http://www.nybooks.com/articles/2016/09/29/us-cyber-weapons-our-demon-pinball/ (describing the software worm Stuxnet that destroyed thousands of centrifuges at the Natanz nuclear enrichment facility between 2008 and 2010); David E. Sanger, Confront and Conceal 188–225 (2012) (same, including the Olympic Games mission of the Obama administration); Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (2014) (same).
4. See Michael N. Schmitt & Eric W. Widmar, “On Target”: Precision and Balance in the Contemporary Law of Targeting, 7 J. Nat’l Sec. L. & Pol’y 379, 395 (2014); Noam Lubell, Lawful Targets in Cyber Operations: Does the Principle of Distinction Apply?, 89 Int’l L. Stud. 252, 268–69 (2013); Peter P. Pascucci, Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution, 26 Minnesota J. Int’l L. 419, 431, 448−49 (2017).
6. See John P. Carlin, Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats, 7 Harv. Nat’l Sec. J. 391, 396−97, 409 (2016); David D. Clark & Susan Landau, Untangling Attribution, 2 Harv. Nat’l Sec. J. 323, 327, 329 (2011), http://harvardnsj.org/wp-content/uploads/2011/02/Vol-2-Clark-Landau.pdf; Clement Guitton, Inside the Enemy’s Computer: Identifying Cyber Attackers 5, 11 (2017); Koh, supra note 5, at 6, 8.
7. Tallinn Manual 2.0, supra note 5, at 376 (Rule 80(5)).
8. Clark & Landau, supra note 6, at 352. To date, there are no clear examples of a civilian population being severely affected by cyber operations during armed conflict. See Cordula Droege, Get Off My Cloud: Cyber Warfare, International Humanitarian Law, and the Protection of Civilians, 94 Int’l Rev. Red Cross 533, 539 (2012); see, e.g., Michael Connell & Sarah Vogler, Ctr. for Strategic Studies, Russia’s Approach to Cyber Warfare 18 (2016), https://www.cna.org/CNA_files/PDF/DOP-2016-U-014231-1Rev.pdf (“[T]he overall impact of the [Russian] cyberattacks [in Georgia] was minimal—Georgia’s IT infrastructure was limited in 2008, and the Georgian government was eventually able to reroute most of its [traffic] through servers in other countries.”). But see David Hollis, Cyber War Case Study: Georgia 2008, Small Wars Foundation (Jan. 6, 2011), http://smallwarsjournal.com/jrnl/art/cyberwar-case-study-georgia-2008 (describing Georgian citizens being unable to access government websites for information and instructions during armed conflict with Russia); Connell & Vogler, supra, at 19 (“Russia has been able to compromise the Ukrainian government and military’s ability to communicate and operate, thereby undermining the legitimacy and authority of Ukrainian political and military institutions.”). In December 2015, Ukraine was subjected to what is believed to be the first cyberattack on another country’s electric power grid. Connell & Vogler, supra, at 20. Cyber attacks took three Ukrainian power distribution centers offline, causing outages that affected more than 220,000 citizens for periods spanning from one to six hours. Id. The overall effect of the attack has been described as limited, although the power company’s distribution centers were not fully operational for several months. Id. The attackers also executed a telephone denial of service attack on the power company’s call center, preventing customers from being able to call customer support during the outages. Robert M. Lee et al., Elec. Info. Sharing & Analysis Ctr., Analysis of the Cyber Attack on the Ukrainian Power Grid 12 (2016), http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf. See also Eric Talbot Jensen, Cyber Warfare and Precautions Against the Effects of Attacks, 88 Tex. L. Rev. 1533, 1540 (2010) (noting the “natural integration” of cyber attacks with future kinetic attacks, a trend that will “almost certainly” continue).
9. Tallinn Manual 2.0, supra note 5, at 79–110.
10. See id. at 84–87 (Rule 14).
11. Id. at 84 (Rule 14(1)).
12. Id. at 376 (Rule 80(6)) (citing the example of a cyber operation in pursuit of commercial secrets undertaken by State A while in armed conflict with State B). The International Group of Experts (IGE) convened to develop Tallinn 2.0 was split on whether the commercial secrets operation would be subject to LOAC. Id.
13. Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Protocol I) art. 19, June 8, 1977, 1125 U.N.T.S. 3 [hereinafter Additional Protocol I]. Tallinn 2.0 defines cyber attack as “a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.” Tallinn Manual 2.0, supra note 5, at 415 (Rule 92).
14. Pascucci, supra note 4, at 453.
15. DOD Law of War Manual, supra note 2, ¶ 16.5.2, at 996.
18. One subset of the IGE believed that the LOAC applies to any cyber activity conducted by a party to an armed conflict against its opponent, while another group indicated that the cyber activity must have been undertaken in furtherance of the hostilities for LOAC to apply. Tallinn Manual 2.0, supra note 5, at 376 (Rule 80(6)).
20. Jason Healey, Cyber Attacks Against NATO, Then and Now, Atlantic Council (Sept. 6, 2011), http://www.atlanticcouncil.org/blogs/new-atlanticist/cyber-attacks-against-nato-then-and-now. These cyber incidents included an upsurge of defacements of DOD websites. Id. See also Ellen Messmer, Serb Supporters Sock It To NATO, U.S. Web Sites, CNN (Apr. 6, 1999), http://edition.cnn.com/TECH/computing/9904/06/serbnato.idg/index.html (“The same week a U.S. F-117A stealth fighter was lost over Yugoslavia, a NATO Web server here was shot down by denial-of-service attacks, which NATO sources strongly suspect came from the Serbian military, not independent hackers.”).
21. Healey, supra note 20.
22. Kenneth Geers, Cyberspace and the Changing Nature of Warfare, SC Media (Aug. 27, 2008), https://www.sto.nato.int/publications/RTO-MP-IST-076/$MP-IST-076-KN.pdf/. See also Myriam Dunn Cavelty, Cyber-Security and Threat Politics: U.S. Efforts to Secure the Golden Age 77 (2007) (“The question remains whether any of these attacks were state-sponsored . . . .”).
28. Markoff, supra note 26. The independent, nonprofit research institute, U.S. Cyber Consequences Unit (US-CCU), determined that the cyber attacks were carried out by “civilians with little to no direct involvement on the part of the Russian government or military.” John Bumgarner, Overview by the US-CCU of the Cyber Campaign Against Georgia in August of 2008, in Cyberwar Resources Guide, Item #138, http://www.projectcyw-d.org/resources/items/show/138. See also Tikk et al., supra note 27, at 12 (“[T]here is no conclusive proof of who is behind the DDoS attacks, even though finger pointing at Russia is prevalent by the media. There seems to be a widespread consensus that the attacks appeared coordinated and instructed.”); Oona Hathaway et al., The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 837–38 (2012) (noting that as Russian forces invaded South Ossetia, private hackers—not the Russian government—orchestrated a cyber attack, and that although the Russian government “stood by” while the attack was “openly” committed, it was not the party that planned and executed the attack).
31. Clark & Landau, supra note 6, at 323.
32. Thomas Rid & Ben Buchanan, Attributing Cyber Attacks, 38 J. Strategic Stud. 4, 4 (2015).
35. Dep’t of Defense, The Department of Defense Cyber Strategy 11–12 (2015).
36. See Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent, 201 Mil. L. Rev. 1, 8 (2009).
37. See Jeffrey Carr, Inside Cyber Warfare 29, 139–40 (2010).
41. Jody M. Prescott, Autonomous Decision-Making Processes and the Responsible Cyber Commander, in 2013 5th International Conference on Cyber Conflict: Proceedings (K. Podins, J. Stinissen & M. Maybaum eds., 2013), https://ieeexplore.ieee.org/document/6568389.
42. See Hathaway et al., supra note 28, at 838.
43. Rid & Buchanan, supra note 32, at 4; Clark & Landau, supra note 6, at 350 (“[Attribution] is not actually a technical issue at all, but a policy concern with multiple solutions depending on the type of technical issue . . . to be solved . . . . [S]olutions . . . lie outside the technical realm, and are instead in the space of law, regulation, multi-national negotiation, and economics.”).
44. Rid & Buchanan, supra note 32, at 6.
45. See Herbert Lin, Attribution of Malicious Cyber Incidents: From Soup to Nuts, 70 J. Int’l Affairs 75, 92 (2017); Carlin, supra note 6, at 414.
46. See Carlin, supra note 6, at 409; see also Lin, supra note 45, at 82.
47. See, e.g., Carlin, supra note 6, at 416; Lin, supra note 45, at 82–83.
48. Carlin, supra note 6, at 409; Lin, supra note 45, at 84.
49. See Guitton, supra note 6, at 47.
50. See William Banks, State Responsibility and Attribution of Cyber Intrusions After Tallinn 2.0, 95 Tex. L. Rev. 1487, 1494–97 (2017).
51. Tallinn Manual 2.0, supra note 5, at 79 n.112.
53. Tallinn Manual 2.0, supra note 5.
54. See generally, id. at 87–92 (Rule 15).
55. Id. at 94–95 (Rule 17).
56. Id. at 84 (Rule 14); see, e.g., Phosphates in Morocco (It. v. Fr.), Preliminary Objections, 1938 P.C.I.J. (ser. A/B), No. 74, at 28 (June 14) (“This act being attributable to the State and described as contrary to the treaty right of another State, international responsibility would be established immediately as between the two States.”); United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980 I.C.J. 73, ¶¶ 29–30 (May 24).
57. Tallinn Manual 2.0, supra note 5, at 84 (Rule 14(2)).
58. Id. at 312 (Rule 66(1)).
60. Id. at 85 (Rule 15(7)).
61. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J. 14, ¶ 205 (June 27).
62. Tallinn Manual 2.0, supra note 5, at 317 (Rule 66(18)).
63. Dep’t of Def., Memorandum for Commanders in the Combatant Commands, International Law Framework for Employing Cyber Capabilities in Military Operations (2017) (on file with author). The Memorandum acknowledges that the “exact contours that might violate the principle of non-intervention are not clear, and will continue to develop with state practice over time.” Id.
64. See Nicar. v. U.S., 1986 I.C.J. 14, ¶¶ 202, 205, 251.
65. See Tallinn Manual 2.0, supra note 5 (Rules 14(8), 66(16)–(17)).
66. Id. at 318 (Rule 66(19)).
69. In support of its position, the IGE cited: Oil Platforms (Iran v. U.S.), Judgment, 2003 I.C.J. 161, ¶ 33 (Nov. 6) (separate opinion of Judge Higgins); Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, ¶ 17 (Apr. 9); Application of Convention on Prevention and Punishment of Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), Judgment, 2007 I.C.J. 108, ¶¶ 209–10 (Feb. 26); and Application of Convention on Prevention and Punishment of Crime of Genocide (Croat. v. Serb.), 2015 I.C.J. General List No. 118, ¶ 178 (Feb. 3).
70. Tallinn Manual 2.0, supra note 5, at 82.
72. See Banks, supra note 50, at 1505–06.
74. Guitton, supra note 6, at 138.
75. Id. at 154, 160, 185.
76. Tallinn Manual 2.0, supra note 5, at 82–83.
77. Id. at 82; See also Application of Convention on Prevention and Punishment of Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), 2007 I.C.J. 108, ¶¶ 209–10 (Feb. 26) (discussing the implicitly proportionate connection between the degree of one country’s offense and another country’s response); Corfu Channel (U.K. v. Alb.), 1949 I.C.J. 4, 17 ¶ 39 (Apr. 9) (“A charge of such exceptional gravity against a State would require a degree of certainty.”).
78. See Tallinn Manual 2.0, supra note 5, at 82.
79. See Guitton, supra note 6, at 66.
80. E.g., Lin, supra note 45, at 108; Guitton, supra note 6, at 137–46.
81. E.g., Lin, supra note 45, at 106–07.
82. See Rid & Buchanan, supra note 32, at 31–32.
83. See Banks, supra note 50, at 1511–12.
85. Rid & Buchanan, supra note 32, at 33.
86. E.g., Egan, supra note 71, at 11–12; Rid & Buchanan, supra note 32, at 31–33.
87. See Banks, supra note 50, at 1511–12. The 2015 DoD Law of War Manual claims that “[a]s a matter of U.S. policy, the United States has sought to work internationally to clarify how existing international law and norms, including law of war principles, apply to cyber operations.” DOD Law of War Manual, supra note 2, ¶ 16.1, at 985. Others have suggested that “lingering ambiguity with respect to what the U.S. regards as lawful and unlawful actions in the cyber domain [may] actually serve U.S. interests.” SCOLANS Report, supra note 17, at 61.
88. Tallinn Manual 2.0, supra note 5, at 375 (Rule 80(2)).
89. Id. at 376 (Rule 80(3)).
94. Id. at 377 (Rule 80(10)).
96. Convention No. IV Respecting the Laws and Customs of War on Land, preamble, Oct. 18, 1907, 36 Stat. 2227; Convention for the Amelioration of the Condition of the Wounded and Sick in Armed Forces in the Field art. 63, Aug. 12, 1949, 6 U.S.T. 3114, 75 U.N.T.S. 31; Convention for the Amelioration of the Condition of Wounded, Sick and Shipwrecked Members of Armed Forces at Sea art. 62, Aug. 12, 1949, 6 U.S.T. 3217, 75 U.N.T.S. 85; Convention Relative to the Treatment of Prisoners of War art. 142, Aug. 12, 1949, 6 U.S.T. 3316, 75 U.N.T.S. 135; Convention Relative to the Protection of Civilian Persons in Time of War art. 158, Aug. 12, 1949, 6 U.S.T. 2516, 75 U.N.T.S. 287; Additional Protocol I, supra note 13, art. 1(2).
97. See Tallinn Manual 2.0, supra note 5, at 378 (Rule 80(12)).
98. See, e.g., Lubell, supra note 4, at 255–56.
99. Additional Protocol I, supra note 13, art. 1; Tallinn Manual 2.0, supra note 5, at 415 (Rule 92(2)); DOD Law of War Manual, supra note 2, ¶ 16.5.1, at 994.
100. Tallinn Manual 2.0, supra note 5, at 415 (Rule 92).
101. See Michael N. Schmitt, Cyber Operations and the Jus in Bello: Key Issues, 87 Int’l L. Stud. 89, 94 (2011).
102. See Tallinn Manual 2.0, supra note 5, at 417 (Rule 92(6)). A majority of the IGE concluded that interference with functionality amounts to damage if restoring the system requires replacing components. Id. at 417 (Rule 92(11)).
103. Schmitt, supra note 101, at 103.
105. See Tallinn Manual 2.0, supra note 5, at 375 (Rule 80).
106. Additional Protocol I, supra note 13, art. 48.
107. See id. art. 52(2) (requiring that targets serve a military purpose and their attainment produces a definite military advantage); id. art. 51(4) (forbidding weapons that cannot be limited to a military objective).
110. Dual-use objects can have military and civilian purposes. Jensen, supra note 8, at 1535, 1544 n.76; Hathaway et al., supra note 28, at 852–53; Droege, supra note 8, at 562–63.
111. See Robin Geiß & Henning Lahmann, Cyber Warfare: Applying the Principle of Distinction in an Interconnected Space, 45 Isr. L. Rev. 381, 383 (2012).
114. See Jensen, supra note 8, at 1542.
115. Geiß & Lahmann, supra note 111, at 389.
116. See Geiß & Lahmann, supra note 111, at 390; Lubell, supra note 4, at 272; see, e.g., Tallinn Manual 2.0, supra note 5, at 446 (Rule 101(6)) (“In theory, strict application of the definition of military objective could lead to the conclusion that the entire Internet can become a military objective if used for military purposes. . . . [i]n this regard, particular attention must be paid to the requirement to conduct operations in a manner designed to minimise harm to the civilian population.”).
117. E.g., Geiß & Lahmann, supra note 111, at 390; DOD Law of War Manual, supra note 2, ¶ 5.7.8, at 213.
119. Tallinn Manual 2.0, supra note 5, at 441 (Rule 101(1)).
120. Id. at 436 (Rule 100).
121. Id. at 441 (Rule 100(19)).
123. Id. at 445 (Rule 101(1)).
124. See id. at 445–51 (Rules 101–102).
125. See Pascucci, supra note 4, at 456; Int’l Law Ass’n Study Grp. on the Conduct of Hostilities in the 21st Century, The Conduct of Hostilities and International Humanitarian Law: Challenges of 21st Century Warfare, 93 Int’l L. Stud. 322, 335–40 (2017).
126. See Geiß & Lahmann, supra note 111, at 391.
130. See Additional Protocol I, supra note 13, art. 58(c).
131. Geiß & Lahmann, supra note 111, at 393.
133. DOD Law of War Manual, supra note 2, ¶ 16.5.3, at 997.
134. Additional Protocol I, supra note 13, art. 51(5)(b).
135. Eric Talbot Jensen, Unexpected Consequences from Knock-on Effects: A Different Standard for Computer Network Operations?, 18 Am. U. Int’l L. Rev. 1145, 1158–61 (2003).
136. Additional Protocol I, supra note 13, art. 51(5)(b).
137. See Geiß & Lahmann, supra note 111, at 397.
139. Tallinn Manual 2.0, supra note 5, at 437 (Rule 100(6)).
140. Int’l Comm. Red Cross, Commentary on the Additional Protocols of 8 June 1977 to the Geneva Conventions of 12 August 1949 ¶ 2008 (Yves Sandoz, Christophe Swinarski & Bruno Zimmermann eds., 1987).
141. Tallinn Manual 2.0, supra note 5, at 437 (Rule 100(6)).
143. See id. at 437 (Rule 100(7)).
144. See Lubell, supra note 4, at 268.
145. See Pascucci, supra note 4, at 455.
146. See DOD Law of War Manual, supra note 2, ¶ 16.4, at 993; Tallinn Manual 2.0, supra note 5, chap. 20(1), at 553.
147. Tallinn Manual 2.0, supra note 5, at 555 (Rule 150(4)).
149. Hathaway et al., supra note 28, at 859.
150. Tallinn Manual 2.0, supra note 5, at 556 (Rule 151).
151. Id. at 556 (Rule 151(1)).
152. Id. at 556 (Rule 151(2)).
153. Id. at 557 (Rule 151(5)–(6)); Convention No. V Respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land, art. 2, Oct. 18, 1907, 36 Stat. 2310.
154. DOD Law of War Manual, supra note 2, ¶ 16.4.1, at 993–94; SCOLANS Report, supra note 17, at 64–65.
155. Tallinn Manual 2.0, supra note 5, at 559 (Rule 152(5)).
156. The Tallinn 2.0 IGE opined that the LOAC “does not embrace activities of private individuals or entities that are unrelated to the armed conflict” (id. at 377 (Rule 80(8))), and that the “applicability of [LOAC] does not depend upon the qualification of the situation under the jus ad bellum.” Id. (Rule 80(9)). Otherwise, the significant ongoing debate concerning application of LOAC to cyber is what it means for cyber activity to be “in the context of an armed conflict.” Id. at 376 (Rule 80(5)).
157. Lubell, supra note 4, at 255.
159. See Tallinn Manual 2.0, supra note 5, at 438 (Rule 100(8)). Objects may qualify as military objectives due to their nature, location, purpose, or use. Id. The object must also make “an effective contribution to military action.” Id. at 440 (Rule 100(15)).
160. Lubell, supra note 4, at 260–61; Tallinn Manual 2.0, supra note 5, at 415 (Rule 92) (defining a “cyber attack” for the purposes of LOAC as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction”).
161. See Tallinn Manual 2.0, supra note 5, at 415 (Rule 92(3)) (“The crux of [‘acts of violence’] lies in the effects that are caused.”).
162. Lubell, supra note 4, at 265–66; see Tallinn Manual 2.0, supra note 5, at 415 (Rule 92) (including operations that are reasonably expected to cause damage or destruction to objects in the definition of cyber attack).
163. Tallinn Manual 2.0, supra note 5, at 437 (Rule 100(7)).
165. See DOD Law of War Manual, supra note 2, ¶¶ 18.104.22.168, at 210.
166. Tallinn Manual 2.0, supra note 5, at 441 (Rule 100(19)).
167. See id. at 442 (Rule 100(20)–(22)).
168. See Hathaway et al., supra note 28, at 837–38.
169. Id. at 838; see Connell & Vogler, supra note 8, at 13 (describing how the attack on Estonia lasted for about a month, “forcing most sites to either shut down or sever their international connections” and preventing the country from communicating with the outside world). See also Ian Traynor, Russia Accused of Unleashing Cyberwar to Disable Estonia, The Guardian (May 16, 2007), https://www.theguardian.com/world/2007/may/17/topstories3.russia (describing one Estonian citizen as stating, in the immediate aftermath of the flurry of DDoS attacks, “[t]he cyber-attacks are from Russia. There is no question. It’s political.”); Tikk et al., supra note 27, at 12 (2008) (describing the “wide public understanding that the attacks were at least tolerated by the Russian authorities, if not coordinated or supported by them,” based on Russia’s large-scale collusion of interest between South Ossetia and the Russian government and because “the coordination of and support to attacks took place mainly in the Russian language and was conducted on Russian or Russia-friendly forums”); Noah Shachtman, Top Georgian Official: Moscow Cyber Attacked Us—We Just Can’t Prove It, Wired (Mar. 11, 2009), https://www.wired.com/2009/03/georgia-blames/ (describing a Georgian National Security Council official as stating that there is “plenty of evidence” that the attacks were “directly organized” by the Russian government without providing any evidence to conclusively link Moscow to the attacks); Brian Krebs, Report: Russian Hacker Forums Fueled Georgia Cyber Attacks, Wash. Post (Oct. 16, 2008, 3:15 PM), http://voices.washingtonpost.com/securityfix/2008/10/report_russian_hacker_forums_f.html (noting that after an “exhaustive inquiry,” there is “no smoking gun in the hands of the Russian government,” although the attack was “coordinated through a Russian online forum that appeared to have been prepped with target lists and details about Georgian Web site vulnerabilities”); Healey, supra note 20 (discussing the NATO DDoS incidents in 1999, and noting that while it was initially thought that the Serbian military directly conducted the attacks, such a claim is “often made about incidents later proven to be conducted by non-states”).
170. Tikk et al., supra note 27, at 12 (“[M]ajor DDOS attacks observed were globally sourced, suggesting a botnet (or multiple botnets) behind them.”). See generally Jose Nazario, Coop. Cyber Def. Ctr. of Excellence, Politically Motivated Denial of Service Attacks (last visited Feb. 19, 2018), https://ccdcoe.org/uploads/2018/10/12_NAZARIO-Politically-Motivated-DDoS.pdf (describing the use of botnets to anonymously conduct DDoS attacks in Estonia in 2007, China in 2008, Georgia in 2008, and in Ukraine in 2008); see, e.g., HIDDEN COBRA—North Korea’s DDoS Botnet Infrastructure, Dep’t of Homeland Security (June 13, 2017), https://www.us-cert.gov/ncas/alerts/TA17-164A (providing technical details about how to avoid IP addresses associated with a malware variant that is used by North Korea to manage its DDoS botnet infrastructure).
171. See, e.g., Hathaway, supra note 28, at 819 (describing the 2010 DDoS attack as one that “took the entire population of Burma off the internet immediately preceding the country’s first national election in twenty years”); id. at 837 (describing the effects of the DDoS attacks on Estonia as “life-threatening,” as the emergency line to call for an ambulance was out of service for an hour); Damien McGuinness, How a Cyber Attack Transformed Estonia, BBC News (Apr. 27, 2017), http://www.bbc.com/news/39655415 (“Online services of Estonian banks, media outlets and government bodies were taken down by unprecedented levels of internet traffic.”); Schmitt, supra note 101, at 89; Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent, 201 Mil. L. Rev. 1, 5 (2009) (“[C]yberattacks from Russia crippled the Estonian government and commercial computer networks. These attacks lasted approximately three weeks, disrupted Estonia’s ability to govern, harmed Estonia’s economy, and damaged their networks so badly that Estonia had to reach out to its NATO allies for help recovering.”); see also Kim Zetter, Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired (Mar. 3, 2016, 7:00 AM), https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/ (describing how, even after power was restored to civilians after the cyber attack on a Ukrainian power grid, the damage from the attack required the breakers to be controlled manually, and control centers remained partially incapacitated for more than two months).
172. See Tikk et al., supra note 27, at 19–23; Tallinn Manual 2.0, supra note 5, at 376 (Rule 80(3)); see Lubell, supra note 4, at 254.
173. See Jan Stinissen, A Legal Framework for Cyber Operations in Ukraine, in Cyber War in Perspective: Russian Aggression Against Ukraine 131 (2015) (“During the occupation of Crimea and the armed conflict in Eastern Ukraine, the Law of Armed Conflict applies [and] regulated the conduct of all . . . cyber actors.”); Tallinn Manual 2.0, supra note 5, at 376 (Rule 80(3)); Schmitt & Widmar, supra note 4, at 380.
174. E.g., Martin C. Libicki, What Is Information Warfare? 77 (1995).
175. See, e.g., Richard A. Clarke & Robert K. Knake, Cyber War: The Next Threat to National Security And What to Do About It 1–9 (2010).
176. See David E. Sanger, Obama Order Sped Up Wave of Cyberattacks Against Iran, N.Y. Times (June 1, 2012), http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html (“[F]orensic investigations into the inner workings of the code. . . . came to no conclusions about who was responsible.”); Jon R. Lindsay, Stuxnet and the Limits of Cyber Warfare, 22 Sec. Stud. 365, 400 (2013) (discussing how the most persuasive evidence for attributing Stuxnet to the United States or Israel is only circumstantial). Beyond means and motive, there is no direct evidence linking the United States and/or Israel to the Stuxnet attacks; see, e.g., Rid & Buchanan, supra note 36, at 21–22 (“No non-state actor, and indeed few governments, would likely have the capability to test Stuxnet, let alone build and deploy it.”); Kim Zetter, How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History, Wired (July 11, 2011, 7:00 AM), https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet (noting that despite the talents of private security experts, the strongest language regarding attribution is only that “[t]he sophistication of the code, plus the fraudulent certifications, and [having] Iran at the center of the fallout [makes] it look like Stuxnet could be the work of a government cyber army—maybe even a United States cyberarmy.”).
177. Additional Protocol I, supra note 13, art. 57(2)(a)(i).
178. Id. art. 57(1); Int’l Comm. Red Cross, I Customary International Humanitarian Law 51 (Jean-Marie Henckaerts & Louise Doswald-Beck eds., 2009); Int’l Comm. Red Cross, II Customary International Humanitarian Law 337–39 (Jean-Marie Henckaerts & Louise Doswald-Beck eds., 2005).
179. See Geoffrey S. Corn, War, Law, and the Oft Overlooked Value of Process as a Precautionary Measure, 42 Pepperdine L. Rev. 419, 435–36 (2015); Tallinn Manual 2.0, supra note 5, at 116 (Rules 115(4), 116(2)).
180. Tallinn Manual 2.0, supra note 5, at 476 (Rule 114).
181. Id. at 477 (Rule 114(3)).
184. Id. at 478 (Rule 115(1)).
185. Id. at 479 (Rule 115(4)).
188. Id. at 479–80 (Rule 116).
189. Id. at 480 (Rule 116(5)).
190. See id. at 481 (Rule 117).
191. See id. at 481 (Rule 118).
192. See id. at 485 (Rule 120).
193. See id. at 487 (Rule 121).
194. See id. at 483 (Rule 118(8)).
195. Id. at 487–88 (Rule 121).
196. See id. at 488 (Rule 121(3)).
197. Additional Protocol I, supra note 13, art. 57(3).
198. Id. art. 57(2)(a)(i–iii).
199. DOD Law of War Manual, supra note 2, ¶ 16.5.3, at 997.
200. Commander’s Handbook, supra note 118, ¶ 8.2 (defining “military objects” only as those objects that, “by their location, purpose, or use, effectively contribute to the enemy’s war-fighting or war-sustaining capability”).
201. Schmitt & Widmar, supra note 4, at 392–93.
202. Additional Protocol I, supra note 13, art. 58(a).
203. Tallinn Manual 2.0, supra note 5, at 81.
205. In support of its position, the IGE cited Iran v. U.S., 2003 I.C.J. at 33 (separate opinion of Judge Higgins); U.K. v. Alb., 1949 I.C.J. at 17; Bosn. & Herz. v. Serb. & Montenegro, 2007 I.C.J. ¶¶ 209–10; and Croat. v. Serb., 2015 I.C.J. ¶ 178.
206. See Egan, supra note 71; Tallinn Manual 2.0, supra note 5, at 83.
207. See Tallinn Manual 2.0, supra note 5, at 81–82.
208. See Guitton, supra note 6, at 150–51, 160 (noting that it is unrealistic to expect high-confidence attribution in real-time, if ever, and that reducing the time for attribution does not make sense politically).
210. Id. at 81; see also id. at 86, 90–92, 98–99 (noting, respectively, that attribution is easily malleable; that establishing the facts can be difficult, but political will can overcome strict standards; and that using criteria to attribute attacks can be used to manipulate evidence).
211. See supra text accompanying note 12.
212. See Tallinn Manual 2.0, supra note 5, at 111 (Rule 20(1)).
213. Id. at 118 (Rule 21(5)).
214. Id. at 124 (Rule 22(5)).
215. See Rid & Buchanan, supra note 32, at 26; Guitton, supra note 6, at 47.
216. Rid & Buchanan, supra note 32, at 26–27.
217. See id. at 28; Guitton, supra note 6, at 153–54.
218. See Knake, supra note 84, at 5 (noting that the Obama administration named the foreign actors behind some cyber attacks and arguing that making public attribution could be a deterrent).
220. See Guitton, supra note 6, at 45, 70–71, 185–88; Lin, supra note 45, at 77; Rid & Buchanan, supra note 32, at 7. Thomas Rid asserts in 2017 that “[i]t is now generally accepted that attributing computer network operations reliably is possible in principle—an assumption that a few years ago was still contested.” Thomas Rid, Cyber War Will Not Take Place 188 (2013).
221. See Banks, supra note 50, at 1511–12; Guitton, supra note 6, at 11.
222. See Rid & Buchanan, supra note 32, at 26–28; Knake, supra note 84, at 5 (“Making public attribution of attacks a routine practice could be a deterrent.”).
223. Rid & Buchanan, supra note 32, at 33.