Michael R. Tregle, Jr. is a U.S. Army judge advocate officer currently assigned as a student in the 65th Graduate Course at The Judge Advocate General’s Legal Center & School.  A former enlisted infantryman, he has served at almost every level of command, from the infantry squad to an Army Service Component Command, and overseas in Afghanistan and the Pacific Theater.  He tweets @shockandlawblog and writes at www.medium.com/@shock_and_law.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

National Security Situation:  The international community lacks consensus on a binding definition of “act of war” in cyberspace.

Date Originally Written:  March 24, 2017.

Date Originally Published:  June 5, 2017.

Author and / or Article Point of View:  The author is an active duty officer in the U.S. Army.  This article is written from the point of view of the international community toward common understandings of “acts of war” in cyberspace.

Background:  The rising prominence of cyber operations in modern international relations highlights a lack of widely established and accepted rules and norms governing their use and status.  Where no common definitions of “force” or “attack” in the cyber domain can be brought to bear, the line between peace and war becomes muddled.  It is unclear which coercive cyber acts rise to a level of force sufficient to trigger international legal rules, or how coercive a cyber act must be before it can be considered an “act of war.”  The term “act of war” is antiquated and mostly irrelevant in the current international legal system.  Instead, international law speaks in terms of “armed conflicts” and “attacks,” the definitions of which govern the resort to force in international relations.  The United Nations (UN) Charter flatly prohibits the use or threat of force between states except when force is sanctioned by the UN Security Council or a state is required to act in self-defense against an “armed attack.”  While it is almost universally accepted that these rules apply in cyberspace, how this paradigm works in the cyber domain remains a subject of debate.

Significance:  Shared understanding among states on what constitutes legally prohibited force is vital to recognizing when states are at war, with whom they are at war, and whether or not their actions, in war or otherwise, are legally permissible.  As the world finds itself falling deeper into perpetual “gray” or “hybrid” conflicts, clear lines between acceptable international conduct and legally prohibited force reduce the chance of miscalculation and define the parameters of war and peace.

Option #1:  States can define cyberattacks causing physical damage, injury, or destruction to tangible objects as prohibited uses of force that constitute “acts of war.”  This definition captures effects caused by cyber operations that are analogous to the damage caused by traditional kinetic weapons like bombs and bullets.  There are only two known instances of cyberattacks that rise to this level – the Stuxnet attack on the Natanz nuclear enrichment facility in Iran that physically destroyed centrifuges, and an attack on a German steel mill that destroyed a blast furnace.

Risk:  Limiting cyber “acts of war” to physically destructive attacks fails to fully capture the breadth and variety of detrimental actions that can be achieved in the cyber domain.  Cyber operations that only delete or alter data, however vital that data may be to national interests, would fall short of the threshold.  Similarly, attacks that temporarily interfere with use of or access to vital systems without physically altering them would never rise to the level of illegal force.  Thus, states would not be permitted to respond with force, cyber or otherwise, to such potentially devastating attacks.  Election interference and crashing economic systems exemplify attacks that would not be considered force under the physical damage standard.

Gain:  Reliance on physical damage and analogies to kinetic weapons provides a clear, bright-line threshold that eliminates uncertainty.  It is easily understood by international players and maintains objective standards by which to judge whether an operation constitutes illegal force.

Option #2:  Expand the definition of cyber force to include effects that cause virtual damage to data, infrastructure, and systems.  The International Group of Experts responsible for the Tallinn Manual approached this option with the “functionality test,” whereby attacks that interfere with the functionality of systems can qualify as cyber force, even if they cause no physical damage or destruction.  Examples of such attacks would include the Shamoon attack on Saudi Arabia in 2012 and 2016, cyberattacks that shut down portions of the Ukrainian power grid during the ongoing conflict there, and Iranian attacks on U.S. banks in 2016.

Risk:  This option lacks the objectivity and clear standards by which to assess the cyber force threshold, which may undermine shared understanding.  Expanding the spectrum of cyber activities that may constitute force also potentially destabilizes international relations by increasing circumstances by which force may be authorized.  Such expansion may also undermine international law by vastly expanding its scope, and thus discouraging compliance.  If too many activities are considered force, states that wish to engage in them may be prompted to ignore overly burdensome legal restrictions on too broad a range of activities.

Gain:  Eliminating the physical damage threshold provides more flexibility for states to defend themselves against the potentially severe consequences of cyberattacks.  Broadening the circumstances under which force may be used in response also enhances the deterrent value of cyber capabilities that may be unleashed against an adversary.  Furthermore, lowering the threshold for legally permissible cyber activities discourages coercive international acts.

Other Comments:  None.

Recommendation:  None.