NOTE HACKING BACK: REEVALUATING THE LEGALITY OF RETALIATORY CYBERATTACKS

NOTE HACKING BACK: REEVALUATING THE LEGALITY OF RETALIATORY CYBERATTACKS Manny Halberstam* I. INTRODUCTION In late 2009 and early 2010, a complex software worm dubbed Stuxnet infected Iran s computer network system and destroyed up to 1,000 nuclear-fuel centrifuges, 1 substantially delaying Iran s program to develop nuclear weapons. 2 After learning about the damage that Stuxnet wrought, the cyber security community characterized the software worm as a game-changer in the evolution of cyber weaponry 3 and a harbinger of an emerging warfare capability. 4 Stuxnet, unlike previous computer network attacks, not only gathered information, but also destroyed military equipment. 5 * J.D. expected 2014, The George Washington University Law School; B.A. Philosophy & American Studies, 2010, Brandeis University. The author would like to thank the staff of The George Washington International Law Review for the time and energy they invested in preparing this Note for publication. The author also wishes to express thanks to Professor Erin Creegan for the invaluable supervision she provided him throughout the Notewriting process. In addition, the author would like to extend a special thank you to Professor Gary Solis who took the time to meet with him to discuss contemporary law of war topics. Last but not least, the author would like to express his immeasurable gratitude to his parents for their unconditional support. 1. Mark Clayton, Stuxnet Attack on Iran Nuclear Program Came About a Year Ago, Report Says, CHRISTIAN SCI. MONITOR (Jan. 3, 2011), http://www.csmonitor.com/usa/2011/ 0103/Stuxnet-attack-on-Iran-nuclear-program-came-about-a-year-ago-report-says. 2. See William J. Broad et al., Israeli Test on Worm Called Crucial in Iran Nuclear Delay, N.Y. TIMES (Jan. 15, 2011), http://www.nytimes.com/2011/01/16/world/middleeast/16 stuxnet.html. 3. See Charles Jeter, Stuxnet: Cyber Warfare s Game-Changer, Part One, SC MAGAZINE (Oct. 14, 2010), http://www.scmagazine.com/stuxnet-cyber-warfares-game-changer-partone/article/180962; Robert L. Mitchell, After Stuxnet: The New Rules of Cyberwar, COM- PUTERWORLD (Nov. 5, 2012, 6:00 AM), http://www.computerworld.com/s/article/ 9233158/After_Stuxnet_The_new_rules_of_cyberwar (quoting Mark Weatherford, deputy undersecretary for cybersecurity in the National Protection Programs Directorate at the U.S. Department of Homeland Security ). 4. PAUL K. KERR ET AL., CONGRESSIONAL RESEARCH SERV., THE STUXNET COMPUTER WORM: HARBINGER OF AN EMERGING WARFARE CAPABILITY (2010). 5. Mikko Hypponen, Viewpoint: Stuxnet Shifts the Cyber Arms Race Up a Gear, BBC NEWS (July 13, 2012, 7:01 PM), http;//www.bbc.co.uk/news/technology-18825742. 199

200 The Geo. Wash. Int l L. Rev. [Vol. 46 By confirming the prospect of a weaponized computer virus, 6 the Stuxnet worm opened the eyes of the international community to the destructive capacity of a computer network attack. 7 In the aftermath of Stuxnet, governments face a threat not only of cyber espionage but also of cyber sabotage, which has aroused great concern from national security analysts worldwide. 8 According to the U.S. Cyber Consequences Unit, a research institute that focuses on the consequences of cyberattacks, [a]t a national level, [computer network attacks] directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars worth of damage and to cause thousands of deaths. 9 As U.S. Secretary of Defense Leon Panetta warned, [t]he next Pearl Harbor that we face could well be a cyber attack. 10 The development of cyber sabotage weaponry not only poses vexing national security questions, but also opens up a Pandora s Box of legal issues. 11 Technology tends to race ahead of the law, and as cyber weaponry continues to grow increasingly sophisticated, scholars of the law of war are busy playing catch up, analyzing how old international rules of war apply to a new battlefield. 12 Among the many legal issues raised is the particularly challenging question of how a state may lawfully respond to a computer net- 6. Ed Barnes, Mystery Surrounds Cyber Missile That Crippled Iran s Nuclear Weapons Ambitions, FOX NEWS (Nov. 26, 2010), http://www.foxnews.com/tech/2010/11/26/secretagent-crippled-irans-nuclear-ambitions (internal quotation marks omitted). 7. See Oona A. Hathaway et al., The Law of Cyber-Attack, 100 CAL. L. REV. 817, 884 (2011). 8. See Maggie Shiels, Cyber-Sabotage and Espionage Top 2011 Security Fears, BBC NEWS (Dec. 30, 2010, 7:10 AM), http://www.bbc.co.uk/news/technology-12056594; see also Luis Martinez, Intel Heads Now Fear Cyber Attack More Than Terror, ABC NEWS (Mar. 13, 2013), http://abcnews.go.com/blotter/intel-heads-now-fear-cyber-attack-terror/story?id=187195 93 (describing how top U.S. intelligence officials reported to Congress that cyberattacks lead the numerous national security threats the United States faces). 9. Mark Clayton, Cyber Security in 2013: How Vulnerable to Attack Is US Now?, CHRISTIAN SCI. MONITOR (Jan. 9, 2013), http://www.csmonitor.com/usa/2013/0109/cyber-securityin-2013-how-vulnerable-to-attack-is-us-now-video; see also COMM N ON THE THEFT OF AM. INTELLECTUAL PROP., THE IP COMMISSION REPORT 2 (2013) (finding that the economic losses that the United States annually incurs due to intellectual property theft likely exceed $300 billion). 10. Andrew F. Krepinevich, Panetta s Challenge: China s and Iran s Weapons Programs, WASH. POST (July 15, 2011), http://www.washingtonpost.com/opinions/panettas-challenge-chinas-and-irans-weapons-programs/2011/07/12/giqainvxei_story.html. 11. See Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent, 201 MIL. L. REV. 1, 50 (2009). 12. See id. at 2 ( As warfare changes, so must the law, and warfare is changing fast. ).

2013] The Legality of Retaliatory Cyberattacks 201 work attack (CNA) 13 by another state. 14 Can the victim state respond with a counter CNA, or maybe even military force? In the event of a cyber-pearl Harbor, how could the United States lawfully respond? According to national security experts, prevailing legal ambiguity about how the existing law of war applies to cyber operations has put states in a response crisis, unsure as to when counter CNAs are legally valid. 15 To help prevent states from continuing to face such a response crisis, this Note puts forth a novel proposal for how existing international laws of war 16 can be interpreted in such a manner that would provide states with clearer legal guidance as to when counter CNAs can be used. Specifically, the Note proposes that the legal doctrines of retorsion and reprisal should be consolidated into one unqualified rule that permits victim states to use proportionate counter CNAs if the victim state (1) attributes the initial CNA to a perpetrator state, (2) calls upon the perpetrator state to discontinue its use of CNAs, and (3) reasonably finds that the counter CNA is necessary to induce the perpetrator state to cease its use of CNAs. As an overview of the present problem this proposal seeks to solve, Part II of this Note details the types of CNAs that currently pose a threat to states and describes the legal ambiguity states encounter when they consider using counter CNAs in response. Part III provides background on two existing doctrines in international law retorsion and reprisal that each offer guidance on when use of a counter CNA is valid. Finally, Part IV proposes an unqualified rule derived from the doctrines of reprisal and retorsion, and argues that such a rule not only would provide states with clear legal guidance for when they can use counter CNAs, but 13. The attack in computer network attack, for purposes of this Note, should not be interpreted as carrying legal significance in the sense that an armed attack triggers the victim state s right to self-defense. See U.N. Charter art. 51. Rather, the Note uses the phrase computer network attack (CNA) interchangeably with the non-legal phrase offensive cyber operation, an operation that does not necessarily rise to the level of an armed attack. 14. See Sklerov, supra note 11, at 6 7. 15. See id. (explaining that the current practice of many states to respond to only those cyberattacks that they can equate to a traditional armed attack has left these states in a response crisis ); JEREMY A. RABKIN & ARIEL RABKIN, TO CONFRONT CYBER THREATS, WE MUST RETHINK THE LAW OF ARMED CONFLICT 2 3 (2012), available at http://media.hoover.org/sites/default/files/documents/emergingthreats_rabkin.pdf. 16. The focus of the Note is narrowed to the principles of international law. For a discussion on how state domestic law may govern offensive cyber operations, see Scott J. Shackelford, From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, 27 BERKELEY J. INT L L. 192, 211 (2009).

202 The Geo. Wash. Int l L. Rev. [Vol. 46 would also advance some important policy goals related to international cyber conflict. II. THE GROWING THREAT OF CYBERATTACK AND THE RESPONSE CRISIS STATES FACE CNAs are operations designed to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers or networks themselves. 17 CNAs differ fundamentally from conventional kinetic attacks. 18 Whereas kinetic operations tend to involve tangible weapons that inflict tangible damage, cyber operations tend to involve intangible weapons that cause intangible damage. 19 A. Destructive and Disruptive Forms of Computer Network Attacks and the Threat They Currently Pose to States States can launch offensive cyber operations against other states. 20 Although the world has not yet experienced a sustained 17. STEVEN A. HILDRETH, CONGRESSIONAL RESEARCH SERV., CYBERWARFARE 17 (2001). 18. See HEATHER HARRISON DINNISS, CYBER WARFARE AND THE LAWS OF WAR 65 74 (2012). 19. Id. But see Aaron P. Brecher, Note, Cyberattacks and the Covert Action Statute: Toward a Domestic Legal Framework for Offensive Cyberoperations, 111 MICH. L. REV. 423, 424 (2012) (noting that sophisticated software like Stuxent can cause tangible damage beyond cyberspace). 20. See DINNISS, supra note 18, at 53. Often, non-state bodies, acting under the direction of states, launch CNAs against other states. Id. at 25 27. For this reason, the role of non-state actors is particularly relevant to both policy issues and legal issues in the area of international cyber conflict. See id. at 25 26 (noting that, as weapons and equipment become more technologically advanced, states recruit civilians to provide essential maintenance and support functions, sometimes from their own factories). For a description of how China arranges for seemingly independent non-state actors to launch CNAs against other states, see Lolita C. Baldor, Pentagon Warns Public About Cyber Attacks by China, BOSTON.COM (Aug. 20, 2010), http://www.boston.com/news/nation/washington/articles/2010/ 08/20/pentagon_warns_public_about_cyber_attacks_by_china. One particularly relevant legal issue involves the question of when state-sponsored acts by non-state actors can be characterized as acts by the sponsoring state for responding against the sponsoring state. See generally Sklerov, supra note 11, at 38 50 (discussing when a state can be held responsible for the actions of non-state actors). If a group of private individuals under the direction of a host state commits a cyberattack against another state, the international community holds the sponsoring state responsible for the attack. See INT L GROUP OF EXPERTS, TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE 32 (Michael N. Schmitt ed., 2013)[hereinafter TALLINN MANUAL]. On the other hand, if a host state does not direct a non-state actor s attack, it is less likely that the international community will hold the state responsible for the attack. See id. at 33. This Note, however, does not address the question of when a CNA initiated by a nonstate actor can be attributed to a state. This Note strictly deals with interstate cyberattacks and not cases where the connection between the allegedly sponsoring state and non-state actor is not sufficiently strong to render the attack by the non-state actor an attack by the

2013] The Legality of Retaliatory Cyberattacks 203 conflict between major powers in cyberspace, 21 there have been instances, like the Stuxnet worm described above, in which states initiate isolated CNAs against other states. 22 Stuxnet is an example of a particularly destructive form of CNA that target[s] the control systems which regulate the most critical infrastructure systems of technologically advanced societies; these systems control power plants, water systems, dams, gas pipelines, chemical plants and reactors, to name a few. 23 Another recent instance of a CNA inflicted on a state was the distributed denial of service attack (DDoS) Estonia suffered in 2007. The DDoS clogged the websites of many of Estonia s government agencies, banks, and newspapers and reportedly, came close to shutting down the country s digital infrastructure. 24 Such disruptive forms of CNAs, in addition to destructive forms of CNAs such as Stuxnet, illustrate the serious damage that CNAs can inflict on states cyber infrastructures. 25 Cyber infrastructure refers to communications, storage, and computing resources [such as the Internet] upon which information systems operate. 26 As civilization grows increasingly dependent on cyber infrastructure and the accessibility of information across cyberspace, states are bound to become increasingly vulnerable to the devastating impact of cyberattacks. 27 Thus, the prospect of suffering a DDoS or a CNA like Stuxnet poses a progressively menacing threat to states. state. For in-depth analyses of such a legal issue, see id. at 29 36 and Sklerov, supra note 11, at 38 50. 21. RABKIN & RABKIN, supra note 15, at 2; see TALLINN MANUAL, supra note 20, at 84 ( To date, no international armed conflict has been publicly characterized as having been solely precipitated in cyberspace. ). 22. David E. Sanger, Obama Order Sped Up Wave of Cyberattacks Against Iran, N.Y. TIMES (June 1, 2012), http://www.nytimes.com/2012/06/01/world/middleeast/obama-orderedwave-of-cyberattacks-against-iran.html. Although there is no proof as to who launched the attack, most commentators have concluded that both the United States and Israel perpetrated the cyberattack. See id. 23. DINNISS, supra note 18, at 5. 24. Mark Landler & John Markoff, Digital Fears Emerge After Data Siege in Estonia, N.Y. TIMES (May 29, 2007), http://www.nytimes.com/2007/05/29/technology/29estonia.html. Most analysts agree that Russian nationalists perpetrated the DDoS against Estonia. See GEORG KERSCHISCHNIG, CYBERTHREATS AND INTERNATIONAL LAW 62 63 (2012). 25. See KERSCHISCHNIG, supra note 24, at 61 63, 69 71; Sklerov, supra note 11, at 4 6. 26. TALLINN MANUAL, supra note 20, at 258. 27. KERSCHISCHNIG, supra note 24, at 7.

204 The Geo. Wash. Int l L. Rev. [Vol. 46 B. The Strategy of Responding to Cyberattacks with Counter Cyberattacks Given the dangerous impact a CNA can have on the well-being of a nation, 28 the measures a state chooses to take in response to offensive cyber operations can be crucial to protecting its cyber infrastructure. 29 In the event that a state suffers a CNA as destructive as Stuxnet was against Iran or as disruptive as the DDoS attack was against Estonia, the state must be prepared to respond in a way that deters the perpetrator state from further inflicting cyberattacks. 30 A victim state of a CNA can employ a variety of measures against the perpetrator state to protect itself from future cyberattacks, ranging from more passive measures, such as economic sanctions, 31 to more aggressive measures, such as conventional military strikes. 32 One intermediate form of response, more forceful than economic sanctions but less violent than a conventional strike, is a counter CNA against the perpetrator state. 33 A counter CNA exemplifies an in-kind response, in which the victim launches an offensive operation against the perpetrator using a method that is similar in nature to the one used against [it]. 34 In the wake of Stuxnet, multiple states are considering such a strategy of responding to a cyberattack with an in-kind response. 35 Moreover, there is 28. WALTER GARY SHARP, SR., CYBERSPACE AND THE USE OF FORCE 101 02 (1999). 29. See Sklerov, supra note 11, at 5 6. 30. See id. 31. KERRSCHISCHNIG, supra note 24, at 162. 32. Id. at 156. 33. See id. at 155 56. 34. Sean M. Condron, Getting It Right: Protecting American Critical Infrastructure in Cyberspace, 20 HARV. J. L. & TECH. 404, 410 (2007). Specifically, such a response may involve a hack-back measure designed to strike attacking computer systems and shut them down before the attacker can inflict further harm. See Eric Talbot Jensen, Computer Attacks on Critical National Infrastructure: A Use of Force Invoking the Right of Self-Defense, 38 STAN. J. INT L L. 207, 231 (2002); Sklerov, supra note 11, at 25. Internet security companies regularly employ hack-back measures to flood the computers of hackers with data and to effectively render their attackers Internet-blind. See Condron, supra at 410 11. 35. See KERSCHISCHNIG, supra note 24, at 90 99. Most notably, the United States has explicitly expressed its willingness to use offensive operations in cyberspace in the name of national defense. National Defense Authorization Act for Fiscal Year 2012, Pub. L. No. 112-81, 954, 125 Stat. 1298, 1551 (2011). Congress approved the possible use of counter CNAs when it passed legislation affirming the Department of Defense s right to conduct offensive operations in cyberspace to defend our Nation, Allies and interests. Id. Other states, such as India and Russia, have also supported the strategy of conducting offensive cyber operations. CHARLES G. BILLO & WELTON CHANG, CYBER WARFARE AN ANAL- YSIS OF THE MEANS AND MOTIVATIONS OF SELECTED NATION STATES 47, 107 (2004); Dmitry I. Grigoriev, Russian Priorities and Steps Towards Cybersecurity, in GLOBAL CYBER DETERRENCE 7 (Andrew Nagorski ed., 2010). Russia, while negotiating bilateral and multilateral treaties

2013] The Legality of Retaliatory Cyberattacks 205 strong speculation that certain states including the United States have conducted covert cyber-retaliations against their cyberattackers. 36 C. The Existing Laws of War and the Present State of Legal Ambiguity In considering the strategy of responding to CNAs with CNAs, states consult the bounds of their authority to conduct such operations as defined by the international law of war. 37 Legal experts agree that existing principles of international law can govern state cyber operations. 38 What experts continue to debate, however, is not whether, but how the law of war applies to CNAs. 39 In recent years, scholars have produced a wealth of literature detailing how the existing law of war applies to the context of cyberspace. 40 Most notably, an International Group of Experts (the Experts) came together in 2008 with the hope of bringing some degree of clarity to the complex legal issues surrounding cyber operations. 41 The Experts have since released an advisory manual entitled the Tallinn Manual that purports to guide states on how the existing law of war applies to state operations conducted in cyberspace. 42 that regulate cyber security, has insisted that the development of countermeasures against hostile use of information technology should remain a priority. Grigoriev, supra. 36. See Jacob Davidson, China Accuses U.S. of Hypocrisy on Cyberattacks, TIME (July 1, 2013), http://world.time.com/2013/07/01/china-accuses-u-s-of-hypocrisy-on-cyberattacks ( China likely does have mountains of data on U.S. hacking attacks because the U.S. has been doing mountains of hacking. ); Lee Ferran & Akiko Fujita, Edward Snowden Claims NSA Documents Show U.S. Hacks China: Report, ABC NEWS (June 12, 2013), http://abcnews.go.com/blotter/edward-snowden-claims-evidence-shows-us-hacks-china/story?id=19384 436; see also Tom Gjelten, First Strike: US Cyber Warriors Seize the Offensive, WORLD AFFAIRS (Jan./Feb. 2013), http://www.worldaffairsjournal.org/article/first-strike-us-cyber-warriorsseize-offensive ( US officials suspect the Iranian government was responsible for the recent wave of cyber attacks directed against Aramco, the Saudi oil company, and may also have been behind a series of denial-of-service attacks on US financial institutions. Such attacks could be in retaliation for the Stuxnet worm. ). 37. See Matthew C. Waxman, Cyber-Attacks and the Use of Force, 36 Y. J. INT L L. 421, 431 (2012). 38. See TALLINN MANUAL, supra note 20, at 75 (examining how the international law of war regulates state operations in cyberspace). 39. See Tom Gjelten, Extending the Law of War to Cyberspace, NPR (Sept. 22, 2010, 12:01 AM), http://www.npr.org/templates/story/story.php?storyid=130023318. 40. E.g., SHARP, supra note 28; DINNISS, supra note 18; KERSCHISCHNIG, supra note 24. 41. TALLINN MANUAL, supra note 20, at 3 4. 42. See id. at 4. Although the manual is not binding, its influence as a persuasive secondary source will be substantial. See Raphael Satter, Cyberwar Manual Lays Down Rules for Online Attacks, USA TODAY (Mar. 19, 2013, 12:42 PM), http://www.usatoday.com/ story/tech/2013/03/19/cyberwar-manual-online-attacks-tallinn-manual/1999685.

206 The Geo. Wash. Int l L. Rev. [Vol. 46 Despite these scholarly efforts at clarification, however, states that consider the use of counter CNAs encounter significant legal ambiguity, unsure as to when using a counter CNA would be lawful. 43 The absence of clear legal norms for how states may respond to disruptive and destructive CNAs leaves states in a response crisis. 44 As Professor Jeremy Rabkin and Ariel Rabkin explain, [c]oncerns about disrupting international law seem to be a major inhibiting factor in formulating a serious cyber strategy. 45 Specifically, uncertainty as to when counter cyber operations are legal inhibits states from considering the option of fighting CNAs with CNAs. 46 According to the former Assistant Secretary for Policy at the U.S. Department of Homeland Security, Stewart Baker, government lawyers have been tying themselves in knots of legalese... to prevent the Pentagon from launching cyberattacks, and, as a result, the Defense Department has adopted a cyberwar strategy that simply omitted any plan for conducting offensive operations. 47 D. Problematic Policy Implications of the Current Legal Ambiguity The lack of clear legal guidance for how states may respond to cyberattacks produces problematic policy implications. The prevailing legal ambiguity about how states can lawfully respond to CNAs gives rise to international normative uncertainty about how states ought to respond to CNAs. This, in turn, creates a practical unpredictability as to how states will actually respond to CNAs. 48 Because deterrence is predicated on predictability of an undesired response, prospective perpetrator states will be less deterred from striking other states with CNAs if there is no predictable response 43. See Sklerov, supra note 11, at 7; Andrew Paliotta, New Manual on International Law and Cyberwarfare Leaves More Questions, PACE INT L L. REV. BLOG (Sept. 6, 2012), http:// pilr.blogs.law.pace.edu/2012/09/06/new-manual-on-international-law-and-cyberwarfareleaves-more-questions. 44. See Sklerov, supra note 11, at 6 7. 45. RABKIN & RABKIN, supra note 15, at 2. 46. See Sklerov, supra note 11, at 6. 47. RABKIN & RABKIN, supra note 15, at 2 (alteration in original). Stewart Baker reported similarly in a 2011 lecture that top officials working at the Defense Department are waiting to receive legal permission to use counter CNAs. TheFederalistSociety, Address by Stewart A. Baker 6-28-11, YOUTUBE (July 1, 2011), http://www.youtube.com/watch?v=o6_ ZCiv8dZI. 48. See Sklerov, supra note 11, at 11; see also North Atlantic Treaty Organization [NATO], NATO and Cyber Defence, at para. 18, 173 DSCFC 09 E bis (2009). ( There is now widespread recognition that legal efforts to deter future attacks must form a key aspect of any cyber defence strategy. ).

2013] The Legality of Retaliatory Cyberattacks 207 that victim states will take. 49 Conversely, demystifying norms of when states may use counter cyber operations will clarify the expectations of perpetrator states as to when victim states will respond to CNAs with counter CNAs. 50 In practice, uncertainty over the legality of counter CNAs may induce states to exclude cyber weaponry from their arsenal and instead choose to respond to CNAs with conventional weapons that are more deadly and damaging than cyber weaponry. 51 State practice to respond to cyber strikes with conventional strikes runs the risk of allowing cyber exchanges to escalate into conventional military altercations, a prospect that the international community hopes to avert. 52 These problematic policy implications of the current state of legal uncertainty demonstrate the urgent need to achieve legal clarity. 53 Providing states with clear legal guidance as to when counter CNAs are valid would not only advance the goal of cyber deterrence, but also discourage victim states of CNAs from responding with more deadly conventional military attacks. 54 E. Different Approaches to Achieving Legal Clarity Over State Operations in Cyberspace International legal scholars generally split into two camps in determining how to achieve legal clarity over state operations in cyberspace. Some argue that legal ambiguity over the application of the existing law of war to the cyber realm stems from fundamental differences between conventional weaponry and cyber weaponry, and that resolving the ambiguity must therefore involve the enactment of a different set of legal norms to govern state cyber operations. 55 In this view, the old laws of war do not adequately 49. Cf. Sklerov, supra note 11, at 10 ( [A]ttackers will hesitate to attack a state when they know their attacks will be met with a forceful response. ). 50. See James A. Lewis, Center for Strategic & Int l Studies, Cyber War and Competition in the China-U.S. Relationship 3 (May 13, 2010), available at http://csis.org/files/ publication/100510_cicir%20speech.pdf 51. See KERSCHISCHNIG, supra note 24, at 294. 52. See id. 53. See Hathaway et al., supra note 7, at 841 (noting the importance of bringing clarity to how existing law of war principles apply in the cyber context). 54. See Lewis, supra note 50, at 3 ( Developing this framework of norms and expectations for cyber conflict would improve international security. ). 55. See e.g., Hathaway et al., supra note 7, at 880; see also Shane Harris, The Cyberwar Plan, NATIONALJOURNAL (Jan. 30, 2011, 11:35 AM) http://www.nationaljournal.com/nj magazine/cs_20091114_3145.php (describing proposals for the creation of an international cyberspace agreement similar to the U.N. Convention on the Law of the Sea); see generally Davis Brown, A Proposal for an International Convention to Regulate the Use of Informa-

208 The Geo. Wash. Int l L. Rev. [Vol. 46 account for this new form of warfare. 56 Others, however, contend that old principles of the law of war can adapt to these new types of attacks and that creating a cyber-specific legal regime is therefore unnecessary. 57 Yet it must be noted that until the scholarly push for a new law of cyberattacks results in an international treaty, states must consult the existing body of laws to determine when they can launch a counter CNA. 58 Thus, as much as creating a new regime might offer the long-term solution to the present legal ambiguity, any short-term solution to the uncertainty must involve an effort to derive from the existing law of war a clear framework for when states can use counter CNAs. 59 The recently released Tallinn Manual takes this approach and has already begun to clarify the picture of how the existing law of war applies to cyber operations. 60 The Manual analyzes multiple legal doctrines that offer states guidance as to when they can use counter CNAs, two of which are retorsion and proportionate countermeasures, 61 or reprisal. 62 Part III explores these two legal doction Systems in Armed Conflict, 47 HARV. INT L L. J. 179 (2006) (attempting to propose a legal standard palatable to the major participants in information warfare ). In support of this position, just as separate legal regimes exist for land war and sea war, a separate legal regime should apply to cyber war. See RABKIN & RABKIN, supra note 15, at 7 8. 56. See Hathaway et al., supra note 7, at 841. 57. See DINNISS, supra note 18, at 28. Moreover, it is fair to assume that political considerations surrounding the cyber activities between nations such as the United States, China, and Russia may inhibit the establishment of an internationally accepted law of cyber war. See RABKIN & RABKIN, supra note 15, at 4 ( [T]he [U.N.] Security Council can rarely agree on effective measures to enforce international standards. ). 58. See Stephenie Gosnell Handler, The New Cyber Face of Battle: Developing a Legal Approach to Accommodate Emerging Trends in Warfare, 48 STAN. J. INT L L. 209, 210 (2012) ( Rather than developing a new legal framework to fit the unique characteristics of cyberspace operations, the traditional legal framework governing the use of force remains in place. ). 59. See id. 60. Satter, supra note 42. But see Paliotta, supra note 43. 61. This Note uses the phrase proportionate countermeasure interchangeably with the term reprisal. Although other authors distinguish proportionate countermeasures from belligerent reprisals and armed reprisals, see TALLINN MANUAL, supra note 20, at 40, 150, the term reprisal in its general sense is synonymous with proportionate countermeasure. Sklerov, supra note 11, at 36; see Jensen, supra note 34, at 200 n.89 (quoting Oscar Schacter, United Nations Law, 88 AM. J. INT L L. 1, 15 (1994)) (noting that the term counter measures has come to be used for self-help action in place of older terms reprisal and retorsion ). 62. TALLINN MANUAL, supra note 20, at 36 41. There are additional legal justifications for a counter CNA that the Tallinn Manual discusses: self-defense and U.N. Security Council-authorized measures. Id. at 55 61, 69 71. The latter doctrine derives from Articles 39, 41, and 42 of the U.N. Charter and empowers the Security Council to call upon member

2013] The Legality of Retaliatory Cyberattacks 209 trines and assesses when states can conduct counter CNAs according to each respective doctrine. III. BACKGROUND ON HOW THE EXISTING LAW OF WAR APPLIES TO STATE CYBER OPERATIONS To understand how existing doctrines of international law apply to state cyber operations, it is necessary first to outline the normative framework of jus ad bellum, the branch of international law that governs when states may use force against other states. 63 As Part III will show, such a normative framework plays a foundational role in determining when the doctrines of retorsion and reprisal can justify the use of a particular counter CNA. A. The Jus Ad Bellum Framework: An Overview Jus ad bellum derives from both customary international law and multilateral treaties like the U.N. Charter. 64 The normative framework emerging from these two sources of law is straightforward; it consists of general prohibitions on a state s use of force against another state and on a state s intervention in the domestic affairs of another sovereign state, and provides a set of exceptions under which states can use certain forms of interstate force or unlawful intervention. 65 The most notable of these exceptions is force used in self-defense in response to an armed attack. 66 states to take measures against a state that the Council finds to be posing a threat to the peace. U.N. Charter arts. 39, 41, 42. However, because of serious doubt as to whether the Council would, in practice, authorize a victim state s use of counter cyber-force, this Note does not include a discussion on when this doctrine can justify a counter CNA. Specific political considerations affecting the behavior of Security Council members likely make a victim state s recourse under Article 39 unhelpful. See RABKIN & RABKIN, supra note 15, at 4 ( The Security Council is unlikely to impose sanctions in response to cyber attacks because Russia and China, both quite active in developing means of cyber attack, have veto power on the Council. ). Further, states may need to launch a counter CNA quickly enough to deter the perpetrator state from continuing its hostile cyber operations and may feel that the administrative process they must undergo to receive Security Council authorization may preclude them from acting swiftly. See KERSCHISCHNIG, supra note 24, at 160. For an assessment of when U.N. Security Council-authorized measures can justify a responsive cyber operation, see TALLINN MANUAL, supra note 20, at 69 71, or KER- SCHISCHNIG, supra note 24, at 161 62. 63. Sklerov, supra note 11, at 27. 64. YORAM DINSTEIN, WAR AND SELF-DEFENSE 95 (5th ed. 2012). 65. See id. at 91, 95. 66. See id. at 187 94 (describing self-defense).

210 The Geo. Wash. Int l L. Rev. [Vol. 46 1. General Prohibition on the Use of Force The prohibition on the use of force in international law is binding on all states that ratified the U.N. Charter. 67 Article 2(4) of the U.N. Charter provides, All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations. 68 Central to the applicability of Article 2(4) is the issue of what constitutes a threat or use of force. 69 Scholars of jus ad bellum have debated the precise scope of the term force since the Charter s enactment in 1945. 70 Nonetheless, the predominant position among scholars is that the term force should be narrowly construed to mean armed force, and that Article 2(4) s prohibition therefore does not preclude a state from imposing economic pressure on another state. 71 2. General Prohibition on Interfering in Another State s Sovereignty The non-intervention principle prohibits states from conducting coercive or dictatorial operations that deprive another state of its ability to control governmental matters such as military, political, and economic activities. 72 The prohibition is predicated on the principle of state sovereignty, which recognizes a state s right to exercise, to the exclusion of other states, the functions of a state, 73 a right recognized by Article 2(1) of the U.N. Charter. 74 Although intervention in another state s sovereignty must be coercive or forcible to be illegal, 75 the intervention need not amount to force to be illegal. 76 To the contrary, an unlawful intervention may involve 67. U.N. Charter art. 2, para. 4. 68. Id. 69. See id. 70. DINNISS, supra note 18, at 40. 71. See id. at 41 43; DINSTEIN, supra note 64, at 88 ( [W]hen studied in context, the term force in Article 2(4) must denote violence. ); Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 COLUM. J. TRANSNAT L L. 885, 904 05 (noting that Article 2(4) was intended to achieve its preambular goal of preventing use of armed force (emphasis added)). 72. See OPPENHEIM S INTERNATIONAL LAW 430 31 (Robert Jennings & Arthur Watts eds., 9th ed. 1992). 73. TALLINN MANUAL, supra note 20, at 44. 74. U.N. Charter art. 2, para. 1. 75. KERSCHISCHNIG, supra note 24, at 124. 76. Jutta Brunnée, The Meaning of Armed Conflict and the Jus ad Bellum, in WHAT IS WAR? AN INVESTIGATION IN THE WAKE OF 9/11 31, 32 (Mary Ellen O Connell ed., 2012).

2013] The Legality of Retaliatory Cyberattacks 211 a lower intensity of force than armed force and therefore is not necessarily a violation of Article 2(4). 77 Moreover, a state operation that does not cross the threshold of unlawful intervention is generally permissible under international law. 78 3. A State s Right of Self-Defense Under Article 51 of the U.N. Charter, neither Article 2(4) nor the non-intervention principle precludes a state from using force in self-defense. 79 Article 51 states, Nothing in the present Charter shall impair the inherent right of individual or collective selfdefence if an armed attack occurs against a Member of the United Nations. 80 Thus, a state that is the victim of an armed attack may use force or threaten to use force in self-defense. 81 A violation of international law falling short of an armed attack, however, does not trigger the victim state s right of self-defense. 82 Although some experts have contested this principle, asserting that customary international law provides a state with a right of self-defense broader than the inherent right of self-defense that Article 51 recognizes, 83 recent International Court of Justice (ICJ) case law supports the more restrictive view. 84 As one law of war scholar explains, [the ICJ] has confirmed in both the Nicaragua (Merits) and Oil Platforms decisions that nothing short of an armed attack (with the possible exception of an anticipated armed attack) will be sufficient to trigger the right of self-defence under international law. 85 77. The principle of non-intervention will be elaborated upon in discussing the legal doctrine of retorsion, which permits a state to respond to an unfriendly but legal act with a counter unfriendly but legal act. See infra Part III.B.2. Thus, under retorsion, the responsive act cannot involve an unlawful intervention. Id. 78. Gary Brown & Owen W. Tullos, On the Spectrum of Cyberspace Operations, SMALL WARS JOURNAL (Dec. 11, 2012, 5:30 AM), http://smallwarsjournal.com/jrnl/art/on-thespectrum-of-cyberspace-operations ( Actions that don t cross [the] threshold [of unlawful intervention] may be considered generally permissible under international law. ). 79. See Schmitt, supra note 71, at 924. 80. U.N. Charter art. 51. 81. See DINSTEIN, supra note 64, at 193 94. 82. Id. at 193; TALLINN MANUAL, supra note 20, at 52. 83. See DINSTEIN, supra note 64, at 196. 84. See Jensen, supra note 34, at 219 20; DINNISS, supra note 18, at 76 77. 85. DINNISS, supra note 18, at 76 77; see Oil Platforms (Iran v. U.S.), 2003 I.C.J. 161, para. 51 (Nov. 6); Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, para. 176 (June 27). The doctrine of anticipatory self-defense is a subset of self-defense, which allows states to defend themselves against imminent armed attacks, rather than forcing them to wait until their enemies cross their borders. JEFFREY CARR, INSIDE CYBER WARFARE 51 (2010). This Note does not discuss the doctrine of anticipatory self-defense because the victim state of a CNA will typically not learn of a hostile

212 The Geo. Wash. Int l L. Rev. [Vol. 46 The term armed attack as used in Article 51 is a subset of the term force as used in Article 2(4). 86 Put differently, while an armed attack is necessarily a use of force, a use of force is not necessarily an armed attack. 87 Scholars commonly trace this possibility of a use of force falling short of an armed attack to the gap between Article 2(4) and Article 51. 88 Given this gap, it is conceivable that a state could employ armed force against another state in violation of Article 2(4) without that force amounting to an armed attack under Article 51. 89 4. The Three Jus Ad Bellum Thresholds and the Four Jus Ad Bellum Classifications That Emerge from the Normative Framework The jus ad bellum framework distinguishes between unlawful interventions not amounting to a use of force and unlawful interventions amounting to a use of force, and between uses of force not amounting to an armed attack and uses of force amounting to an armed attack. 90 In doing so, the framework creates three jus ad bellum thresholds: the threshold of unlawful intervention, the threshold of use of force, and the threshold of armed attack. Each threshold represents a point on a continuum that spans from the least hostile interstate acts to the most hostile interstate acts. 91 Placing the three thresholds along the continuum divides all hostile interstate acts into four classifications: (1) acts that are not unlawful interventions, (2) acts that are unlawful interventions, but not uses of force under Article 2(4), (3) acts that are uses of force, but not armed attack[s] under Article 51, and (4) acts that are armed attack[s]. The various jus ad bellum thresholds and classifications play a significant role in determining when the international law doctrines of retorsion and reprisal can justify the use of counter CNAs. The CNA until after it has been inflicted and therefore will rarely have the opportunity to anticipate an imminent CNA. As Major Jeffrey K. Souder points out, in most cases, the [cyber] attack will already be over and the damage done by the time it is identified. Jensen, supra note 34, at 213. For a brief discussion on how the doctrine of anticipatory selfdefense may affect the legality of a counter CNA, see DINNISS, supra note 18, at 82 83. 86. DINNISS, supra note 18, at 77; Schmitt, supra note 71, at 928. 87. See DINNISS supra note 18, at 77 78. 88. DINSTEIN, supra note 64, at 207 08. 89. Id. 90. See supra Part III.A.2 (noting an armed attack as used in Article 51 is a subset of a use of force as used in Article 2(4)). 91. See generally Brown & Tullos, supra note 78 (describing the continuum of cyber operations).

2013] The Legality of Retaliatory Cyberattacks 213 following Sections, which provide an overview of these two doctrines, will show that a state s ability to justify their use of a counter CNA as a retorsion or reprisal depends on the jus ad bellum classification of either the initial CNA they suffered or the counter CNA they used. For this reason, the following Sections will explore, in greater detail, the exact meanings of unlawful intervention, use of force, and armed attack, and assess those cyber operations that cross each of these thresholds. B. Retorsion as a Basis for a State s Use of a Counter Computer Network Attack A retorsion is an unfriendly but not illegal act by a state in response to an unfriendly or unlawful act by another state. 92 Under the doctrine of retorsion, states can initiate counter acts against perpetrator states with a retaliatory or coercive motive, provided the counter acts do not violate international law. 93 As outlined above, a hostile act by one state against another can violate either of two primary jus ad bellum prohibitions: the prohibition on the use of force and the prohibition on unlawful intervention. 94 1. The Counter Cyber Operation Must Not Amount to a Use of Force. A counter CNA cannot be justified as a retorsion if it amounts to an unlawful use of force in violation of Article 2(4) of the UN Charter. 95 Determining when a counter CNA amounts to a use of force hinges on the definition of use of force. a. The Threshold of Use of Force Like other fundamental terms and phrases in the jus ad bellum lexicon, the phrase use of force has stirred debate since the ratification of the U.N. Charter. 96 The Tallinn Manual explains that, while a use of force clearly represents a lower threshold than an armed attack, the question as to what actions short of an armed attack constitute a use of force [is unresolved]. 97 Although [t]he international jurisprudence indicates that... the definition of 92. KERSCHISCHNIG, supra note 24, at 123. 93. TALLINN MANUAL, supra note 20, at 40. 94. See id. at 42 44. 95. See KERSCHISCHNIG, supra note 24, at 162. 96. DINNISS, supra note 18, at 40. 97. TALLINN MANUAL, supra note 20, at 48.

214 The Geo. Wash. Int l L. Rev. [Vol. 46 force is to be limited to armed force, 98 some scholars insist that the prohibition could apply to force other than armed force. 99 In support of the minority view is the observation that the drafters chose to use the term force and not armed force, a phrase used elsewhere in the Charter. 100 Because of these deviating constructions of the term force, there is ambiguity as to the extent to which Article 2(4) prohibits nonmilitary physical force, such as flooding, forest fires, or pollution. 101 Even according to those who narrowly construe force as armed force, the definition of armed force itself is to be interpreted widely. 102 Scholars take two different approaches in defining the precise scope of armed force. The Experts endorsed an effectsbased approach that focuses on whether the consequences of an operation reached the necessary level of severity to qualify as a use of force. 103 Under this approach, acts resulting in damage, destruction, injury, or death most likely rise to the level of a use of force. 104 An alternative approach, the instrument-based approach, focuses on whether the instrument a state used can be classified as force, rather than requiring a far more difficult assessment of the consequences that have resulted. 105 b. Applying the Definition of Use of Force to Cyberattacks The effects-based approach identifies cyber operations as uses of force if the effects of such cyber operations are analogous to other non-kinetic or kinetic actions that the international community would describe as a use of force. According to this approach, a highly invasive operation such as the DDoS on Estonia that causes only inconvenience most likely falls short of a use of force. 106 The question of whether a massive cyber operation that cripples an economy is a use of force, however, is less clear. 107 One author 98. DINNISS, supra note 18, at 49. 99. See KERSCHISCHNIG, supra note 24, at 106. 100. Id. Professor Michael Schmitt notes further that although the prohibition of the threat or use of force includes armed, but not economic or political coercion.... [T]he borders of force [fail to] precisely coincide with armed force, i.e., physical or kinetic force applied by conventional weaponry. Schmitt, supra note 71, at 908. 101. Daniel B. Silver, Computer Network Attack as a Use of Force Under Article 2(4) of the United Nations Charter, 76 INT L L. STUD. 73, 82 83 (2002). 102. DINNISS, supra note 18, at 49. 103. See TALLINN MANUAL, supra note 20, at 45 52. 104. Id. at 48. 105. See Schmitt, supra note 71, at 914 15. 106. TALLINN MANUAL, supra note 20, at 48. 107. See id. at 52.

2013] The Legality of Retaliatory Cyberattacks 215 contends that under the effects-based approach, CNAs against financial transaction systems, targeting intangible software and data, that, by hitting one of its cornerstones, collapses the economy, would not count as a use of force. 108 Yet, other experts, according to the Tallinn Manual, may categorize such an economically devastating cyber operation as a use of force, despite the presumption that economic coercion is lawful. 109 As a result, it remains unclear whether the doctrine of retorsion permits a state to launch an economically paralyzing counter CNA against a state that cyberattacked it. 2. The Counter Computer Network Attack Must Not Be Unlawful Intervention in the Sovereignty of Another State. Under the doctrine of retorsion, a counter CNA must not only fall short of the use of force threshold but must also fall short of the unlawful intervention threshold. 110 Consequently, a counter cyber operation that falls short of a use of force is not a valid retorsion if it unlawfully intervenes in the sovereignty of another state. 111 a. The Threshold of Unlawful Intervention In discussing what constitutes an unlawful intervention, the Tallinn Manual recognizes that [t]he precise scope and content of the non-intervention principle remains the subject of some debate. 112 As a rule, however, the ICJ noted in Nicaragua that the [non-intervention] principle forbids all states... to intervene directly or indirectly in the internal or external affairs of other states. 113 The court also specified that [i]ntervention is wrongful when it uses methods of coercion. 114 On this basis, unlawful intervention is defined more broadly than armed force and may include forms of political and economic coercion. 115 Nonetheless, the line 108. KERSCHISCHNIG, supra note 24, at 131. 109. TALLINN MANUAL, supra note 20, at 52. 110. See id. at 44. 111. See id. 112. TALLINN MANUAL, supra note 20, at 44. 113. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, para. 205 (June 27); see also TALLINN MANUAL, supra note 20, at 46. 114. Nicaragua, 1986 I.C.J. 14, para. 205. 115. See Schmitt, supra note 71, at 15.

216 The Geo. Wash. Int l L. Rev. [Vol. 46 between prohibited economic coercion and permitted economic pressure has proved difficult to draw. 116 b. Application of the Threshold to Cyber Operations Applying the threshold of unlawful intervention to the cyber realm, the Experts agreed that acts of cyber espionage or cyber exploitation, which lack a coercive element, do not necessarily violate the non-intervention principle. 117 By contrast, a cyber operation that is intended to coerce the government may be an unlawful intervention. 118 Although the Experts agreed that unlawful intervention includes CNAs that cause damage, they disagreed as to whether a state s placement of malware into another state s cyber infrastructure violates the non-intervention principle. 119 Such dissent among the Experts is significant because the issue of whether a counter CNA is an unlawful intervention determines whether that counter CNA is a valid retorsion. 120 If the placement of malware into another state s cyber infrastructure qualifies as unlawful intervention, then a victim state s use of such an operation against a perpetrator state that cyberattacked it is not justifiable on the basis of retorsion. 121 Retorsion presents one law of war doctrine that states can invoke to legally justify their use of counter CNAs. Another legal doctrine that states can invoke to justify counter cyber operations is reprisal, which is the subject of the next Section. C. Reprisal as a Basis for a State s Use of Counter Cyber Operations Traditionally, a reprisal is defined as [an act] of retaliation [by a victim state] in the form of conduct which would otherwise be unlawful, resorted to solely to compel the [perpetrator state] to cease his own [violation of the law of armed conflict]. 122 Put dif- 116. KERSCHISCHNIG, supra note 24, at 124. 117. TALLINN MANUAL, supra note 20, at 44. 118. Id. at 17. 119. Id. at 16. 120. KERSCHISCHNIG, supra note 24, at 162. 121. See id. 122. GARY D. SOLIS, THE LAW OF ARMED CONFLICT 318 (2010). The doctrine of reprisal discussed in this Section should be distinguished from the doctrine of belligerent reprisal. See FRITS KALSHOVEN, BELLIGERENT REPRISALS 33 34 (2005). Belligerent reprisals presuppose a preexisting state of war between the perpetrator state and the victim state and therefore are governed by jus in bello principles as opposed to jus ad bellum principles. Id.; William K. Lietzau, Old Laws, New Wars: Jus ad Bellum in an Age of Terrorism, 8 MAX PLANCK Y.B. UNITED NATIONS L. 395 n.47 (2004) (stating that while peacetime reprisals are resorted to for the purpose of settling a conflict without going to war... belligerent

2013] The Legality of Retaliatory Cyberattacks 217 ferently, reprisals are counter-measures that would be illegal if not for the prior illegal act of the State against which they are directed. 123 Reprisals differ from retorsions in that a retaliatory measure involved in a reprisal, unlike a retaliatory measure involved in a retorsion, is per se illegal. 124 As with the doctrine of retorsion, scholars point to the doctrine of reprisal as a potential legal justification for counter CNAs. 125 The Tallinn Manual articulates the following rule: A State injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber countermeasures, against the responsible State. 126 Thus, a victim state, under the doctrine of reprisal or proportionate countermeasures, may use counter CNAs against a perpetrator state that cyberattacked it. As the following Subsections will show, however, there are significant limitations on the circumstances under which a state can launch such a cyber reprisal. 1. The Four Elements of Reprisal The ICJ, in the Case Concerning the Gabcikovo-Nagymaros Project, set out a four-part test for determining the validity of countermeasures. 127 First, the victim state must establish that the perpetrator state is legally responsible for a breach of international law. 128 As explained in the Section on retorsion, internationally wrongful acts include not only uses of force, but also unlawful interventions. 129 Second, a state must call upon the perpetrator state to cease its reprisals are retaliations in order to compel an enemy guilty of a certain illegal act of warfare to comply with the laws of war. ) (citations and internal quotation marks omitted). Jus in bello is the law of armed conflict that governs the actual use of force during war. Sklerov, supra note 11, at 27. Because this Note is strictly concerned with the jus ad bellum analysis of how states can respond to hostile CNAs directed against them even at times of peace, the doctrine of belligerent reprisal is beyond the scope of this Note. For an analysis of how the doctrine of belligerent reprisal applies in the cyber realm, see TALLINN MANUAL, supra note 20, at 149 52. 123. DINSTEIN, supra note 64, at 244 (citations and internal quotation marks omitted). The term reprisal is often used interchangeably with the phrase proportionate countermeasure. See supra note 61. 124. See TALLINN MANUAL, supra note 20, at 40. 125. See id. at 36 41; KERSCHISCHNIG, supra note 24, at 163; DINNISS, supra note 18, at 105 08. 126. TALLINN MANUAL, supra note 20, at 36. 127. Gabcikovo-Nagymaros Project (Hung./Slovk.), 1997 I.C.J. 7, paras. 83 87 (Sept. 25); see DINNISS, supra note 18, at 107 (noting that the court set out a three-part test but added one additional requirement, making it a four-part test). 128. See DINNISS, supra note 18, at 107. 129. See KERSCHISCHNIG, supra note 24, at 163.

218 The Geo. Wash. Int l L. Rev. [Vol. 46 wrongful conduct, 130 notify it of the decision to employ countermeasures, and offer to negotiate a settlement. 131 If the perpetrator state were willing to discontinue its violation of international law and make adequate reparations to the victim state, a reprisal would be illegal. 132 Third, the reprisal must be proportionate. 133 Although a reprisal does not have to mirror the offensive acts, 134 the scale and effects of the responsive act must be commensurate to the harm the initial unlawful act caused. 135 Lastly, the countermeasure must purport to induce the perpetrator state to cease its violations of international law. 136 Once the perpetrator state begins to comply with its international obligations, the victim state must reverse its measures and loses its right to initiate countermeasures. 137 2. Reprisals in the Context of the Jus Ad Bellum Framework The jus ad bellum normative framework described above is central to determining when a state s use of a counter cyber force is legally justifiable as a reprisal. In particular, the prohibition on the use of force and the right to act in self-defense in response to an armed attack can influence whether a state may conduct a reprisal. 138 There are three different theories of reprisal, each premised on a different understanding of how the doctrine of reprisal interacts with the prohibition on the use of force and a state s right to self-defense. 139 As a result, under each theory, a state s right to use a counter CNA turns on the jus ad bellum classification of the initial CNA, the counter CNA, or both. 130. DINNISS, supra note 18, at 107. 131. DINSTEIN, supra note 64, at 249. 132. Id. 133. Id. at 247 48. 134. KERSCHISCHNIG, supra note 24, at 124. 135. See DINNISS, supra note 18, at 107. 136. Id. The Tallinn Manual provides a hypothetical illustrating how this element can be satisfied in the cyber context: [S]uppose State B launches a cyber operation against an electrical generating facility at a dam in State A in order to coerce A into increasing the flow of water into a river running through the two States. State A may lawfully respond with proportionate countermeasures, such as cyber operations against State B s irrigation control system. TALLINN MANUAL, supra note 20, at 37. 137. DINNISS, supra note 18, at 107; TALLINN MANUAL, supra note 20, at 37. 138. See TALLINN MANUAL, supra note 20, at 36 41, 54 61; DINSTEIN, supra note 64, at 244 55. 139. See TALLINN MANUAL, supra note 20, at 37 38; DINSTEIN, supra note 64, at 244 45.

2013] The Legality of Retaliatory Cyberattacks 219 a. Non-Forcible Countermeasure Theory of Reprisal The first theory, the non-forcible countermeasure theory of reprisal, asserts that a reprisal is only valid when the victim state s responsive act falls short of a use of force. 140 The theory stems from the position that Article 2(4) s prohibition on the use of force still binds states that take responsive measures under the doctrine of reprisal. 141 Consistent with such an approach, the Articles on State Responsibility the International Law Commission s codification of the customary international law concerning state responsibility confine the lawful use of countermeasures to instances where the countermeasures do not amount to a threat or use of force under Article 2(4). 142 Moreover, the majority of the Experts recognized the existence of such a restriction on the use of reprisals and on this basis concluded cyber countermeasures may not involve the threat or use of force. 143 b. The Gap Theory of Reprisal Another theory, the gap theory of reprisal, 144 permits states to respond to a use of force falling short of an armed attack with counter force on the condition that the counter force also falls short of an armed attack. 145 It therefore diverges from the nonforcible countermeasure theory that restricts a reprisal to measures short of a use of force. 146 Moreover, the theory is designed to resolve the problematic scenario states face when the attack they suffer falls in the gap between the use of force and armed attack thresholds. 147 A state that is in such a situation lacks a right to selfdefense under Article 51, and Article 2(4) nevertheless prohibits them from using force. 148 To rescue states from this legal predicament, the gap theory permits a victim state to use proportionate 140. See TALLINN MANUAL, supra note 20, at 37 38. 141. Id. 142. See id. at 38 (citing Responsibility of States for Internationally Wrongful Acts, G.A. Res. 56/83, art. 51, U.N. Doc. A/RES/56/83 (Dec. 12, 2001)). 143. Id. 144. The phrase gap theory has been used by scholars to refer to this understanding of reprisal. See e.g., DINNISS, supra note 18, at 105 07. 145. See TALLINN MANUAL, supra note 20, at 38. The gap theory appears to have originated in Judge Simma s Separate Opinion in the International Court of Justice s Oil Platforms Judgment. Id. 146. See id. 147. See supra Part III.A.3. 148. SHARP, supra note 28, at 44 45.

220 The Geo. Wash. Int l L. Rev. [Vol. 46 countermeasures involving the use of force against the perpetrator state. 149 In challenging the position that a reprisal must not violate Article 2(4) s prohibition on the use of force, the gap theory is controversial. 150 Nonetheless, some of the Experts endorse the theory. 151 In their view, reprisal entitles a victim state to respond to a CNA that involves a use of force with a counter CNA that also involves a use of force. 152 c. Defensive Armed Reprisal Theory A third theory, the defensive armed reprisals theory, predicates the validity of a reprisal on the jus ad bellum classification of the initial act that a perpetrator state takes. 153 Specifically, the theory confines the use of countermeasures involving the use of force to instances where the initial act reaches the threshold of an armed attack. 154 The theory reasons that any use of force by a state is prohibited unless the force is used in self-defense under Article 51 of the U.N. Charter. 155 As a result, reprisals must... come in response to an armed attack, as opposed to other violations of international law, in circumstances satisfying all the requirements of valid self-defence. 156 Put simply, the defensive armed reprisal theory treats reprisal as a form of self-defense. 157 Thus, in the cyber realm, a state may use a counter CNA that crosses the threshold of a use of force, and even the threshold of an armed attack if the initial CNA crosses the threshold of an armed attack. 158 Because the theory of defensive armed reprisal views reprisal as a form of self-defense, a victim state of a CNA can only invoke the theory of defensive armed reprisal to justify its use of a counter 149. See DINNISS, supra note 18, at 106. 150. See id. at 105. 151. TALLINN MANUAL, supra note 20, at 38. 152. Id. 153. DINSTEIN, supra note 64, at 244 45. 154. Id. at 245. 155. Id. 156. Id. 157. See id. at 245, 249. Professor Yoram Dinstein, the chief proponent of the defensive armed reprisal theory, distinguishes defensive armed reprisal from on-the-spot reaction, the more traditional category of self-defense in which a state party that is the object of an armed attack responds to its attackers with counter force. See id. at 242, 245. To the contrary, in a defensive armed reprisal, the responding state strikes at a time and place different from those of the original armed attack. Id. at 245. 158. See id. at 245, 248 ( [T]he responding State must adapt the magnitude of its counter-measures to the scale and effects of the armed attack. ).

2013] The Legality of Retaliatory Cyberattacks 221 CNA if the initial CNA it suffered amounted to an armed attack. 159 For this reason, the question of which counter CNAs this theory of reprisal justifies depends on which CNAs cross the threshold of an armed attack. i. The Threshold of Armed Attack Similar to how the meaning of the term force under Article 2(4) has stirred disagreement among scholars, experts have also continuously debated the definition of armed attack. 160 Whereas some experts focus on the effects an operation achieves to determine whether the operation is an armed attack, 161 others also focus on the means the operation uses to achieve the desired effects. What results is a lack of scholarly consensus as to when a state has a right to self-defense under the law of war. 162 One proponent of the more effects-based approach notes, an armed attack presupposes a use of force producing (or liable to produce) serious consequences, epitomized by territorial intrusions, human casualties or considerable destruction of property. When no such results are caused by (or reasonably expected from) a recourse to force, Article 51 does not come into play. 163 ICJ case law seems to support this approach. 164 In Nicaragua, the Court concluded that a state s sending of armed bands to the territory of another state meets the threshold of an armed attack if such an operation, because of its scale and effects, would have been classified as an armed attack rather than as a mere frontier incident had it been carried out by regular armed forces. 165 Although most of the Experts endorse the effects-based test articulated in Nicaragua, a minority of the Experts believes that an armed attack must involve the employment of weapons. 166 In their view, the issue of whether an operation is an armed attack depends not only on the effects the operation achieves, but also on the means used to achieve those effects. 167 Thus, for an act to amount to an armed attack, the act must employ a weapon that is by 159. See id. at 245. 160. Sklerov, supra note 11, at 31. 161. See DINNISS, supra note 18, at 78; DINSTEIN, supra note 64, at 208. 162. See Sklerov, supra note 11, at 31. 163. DINSTEIN, supra note 64, at 208. 164. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), 1986 I.C.J. 14, para. 195 (June 27); see also Legality of the Threat or Use of Nuclear Weapons, Advisory Opinion, 1996 I.C.J. 226, para. 39 (July 8) (noting that the choice of means of attack is immaterial to whether an operation constitutes an armed attack). 165. Nicaragua, 1986 I.C.J. 14, para. 195 (emphasis added). 166. TALLINN MANUAL, supra note 20, at 55. 167. See id.

222 The Geo. Wash. Int l L. Rev. [Vol. 46 design, use, or intended use capable of causing either injury to persons or damage to property. 168 ii. Applying the Definition of Armed Attack to Cyberspace Applying the effects-based test, an armed attack may occur when a use of force or an activity not traditionally considered an armed attack is used in such a way that it becomes tantamount in effect to an armed attack. 169 Thus, like any other type of attack, a CNA amounts to an armed attack if its consequences reach the required threshold of gravity. 170 As one proponent of the effectsbased test explains, [if] a computer network attack causes destruction and fatalities on a par with a conventional attack, a state will have a right to respond in self-defence. 171 A state that suffers such a CNA can respond with a counter CNA as a defensive armed reprisal. 172 Yet, as the Tallinn Manual admits, the parameters of the scale and effects criteria remain unsettled beyond the indication that they need to be grave. 173 The Experts explain that the point at which the injury and damage caused by a cyber operation becomes grave enough to render the operation an armed attack is unclear. Moreover, scholars also debate the classification of cyber operations such as a disruption of the New York Stock Exchange that causes the market to crash because such operations produce severe economic effects, but do not cause personal injury or property damage. 174 Whereas some experts insist that such an operation does not cause physical damage to property and therefore is not an armed attack, others focus on the catastrophic effects of a crash and, on this basis, argue that such an operation is an armed attack. 175 168. See id. at 55, 141 42. 169. SHARP, supra note 28, at 119 (emphasis added). 170. See DINNISS, supra note 18, at 80; see also TALLINN MANUAL, supra note 20, at 54 ( The International Group of Experts unanimously concluded that some cyber operations may be sufficiently grave to warrant classifying them as an armed attack within the meaning of the Charter. ). But see SHARP, supra note 28, at 129 (arguing that any intrusion into a system containing information critical to the victim state s national security should be considered an armed attack that triggers the victim s right of self-defense). 171. DINNISS, supra note 18, at 80. 172. See DINSTEIN, supra note 64, at 245. 173. TALLINN MANUAL, supra note 20, at 55. 174. Id. at 56. 175. Id. at 56.

2013] The Legality of Retaliatory Cyberattacks 223 Similarly, the question of whether the Stuxnet worm that infected Iran s nuclear plant 176 constituted an armed attack has stirred debate. Scholars disagree as to whether the consequences of the worm the defection of over one thousand centrifuges suffice to render the virus an armed attack under Article 51. 177 Some academics highlight the destruction of these centrifuges as evidence that the scale and effects of the worm reached the required degree of gravity to qualify as an armed attack. 178 Others focus instead on reports that the worm did not stop Iran s continued buildup of low-enriched uranium and conclude, on this basis, that the scale and effects of Stuxnet were not of sufficient gravity for it to be an armed attack. 179 Presumably, it would be unclear whether a state could respond to a CNA like Stuxnet with a counter CNA as a defensive armed reprisal. 180 3. Summary of Three Theories of Reprisal In sum, there are three different theories as to when a reprisal is valid. The non-forcible countermeasure theory limits a state s right to use counter CNAs to instances where the counter CNA falls short of a use of force. 181 Another theory, the gap theory, permits a victim state of a CNA involving a use of force to respond with a counter CNA that involves a use of force, but falls short of an armed attack. 182 Lastly, the defensive armed reprisal theory limits a state s right to use counter CNAs involving the use of force to instances where the victim state suffers a CNA that amounts to an armed attack. 183 Of course, each theory requires that the reprisal also meet the four elements of reprisal outlined above. 184 176. Glenn Kessler, Centrifuges in Iran Were Shut Down, IAEA Report Says, WASH. POST (Nov. 24, 2010), http://www.washingtonpost.com/wp-dyn/content/article/2010/11/23/ AR2010112306964.html. 177. TALLINN MANUAL, supra note 20, at 58. 178. James Temple, In Waging Cyber War, Battlefield Becomes Blurred, SF GATE (Jan. 29, 2013, 12:20 PM), http://www.sfgate.com/business/article/in-waging-cyber-war-battlefieldbecomes-blurred-3622760.php. 179. DINNISS, supra note 18, at 82. 180. Cf. DINSTEIN, supra note 64, at 245. 181. See supra Part III.C.2.a. 182. See supra Part III.C.2.b. 183. See supra Part III.C.2.c. 184. See supra Part III.C.1.

224 The Geo. Wash. Int l L. Rev. [Vol. 46 IV. PROPOSAL OF A PROPORTIONATE COUNTER COMPUTER NETWORK ATTACK RULE THAT STATES SHOULD CONSULT AS A LEGAL GUIDE FOR WHEN THEY CAN USE COUNTER CYBER OPERATIONS Can the existing law of war provide states with clear legal guidance on the use of counter CNAs? 185 If existing laws can provide states with such guidance, will this legal clarity advance the policy goals of achieving cyber deterrence and discouraging conventional responses to cyberattacks? Alternatively, if existing laws cannot provide states with clear legal guidance as to when counter CNAs can be used, is it necessary to enact new laws? Such urgent questions are stirring debate among scholars of international law. Some scholars argue that the doctrine of selfdefense provides states with adequate legal guidance over the use of counter CNAs. 186 Others seem to believe that established legal doctrines provide states with a buffet of justifications for counter CNAs and that, when consulting all the doctrines in their entirety, states will understand when counter CNAs are permitted. 187 A third group of scholars mentioned above insist that existing legal doctrines do not resolve the problematic legal ambiguity and call for the establishment of a new legal regime to govern state use of CNAs. 188 This Note puts forth an alternative solution to the problem by proposing a novel interpretation of the existing law of war, which would not only provide states with the clear legal guidance they need but would also spare international lawmakers from the need to enact a cyber-specific legal regime. Specifically, states should collapse the doctrine of retorsion and the three theories of reprisal outlined above into one unqualified rule called the proportionate counter CNA rule. The rule provides that a victim state can respond to a CNA with a proportionate counter CNA if the three following conditions are met: (1) the CNA is attributable to the perpetrator state, (2) the victim state has called upon the perpetrator state to discontinue its use of CNAs, and (3) the counter CNA is necessary to induce the perpetrator state to cease its use of CNAs against the victim state. States should interpret these conditions and the proportionality requirement consistently with judicial and scholarly interpretations of the elements of reprisal. 185. See supra Part III. 186. See, e.g., Sklerov, supra note 11, at 37. 187. See TALLINN MANUAL, supra note 20. 188. E.g., Sklerov, supra note 11, at 11 12.

2013] The Legality of Retaliatory Cyberattacks 225 The proposed rule is crafted to avoid predicating a state s right to use a counter CNA on the particular jus ad bellum classification of either the initial CNA or the counter CNA. That is, the rule recognizes a state s right to respond to CNAs with counter CNAs irrespective of whether the initial CNA is an unlawful interference, a use of force, or an armed attack, and irrespective of whether the counter CNA is an unlawful interference, a use of force, or an armed attack. Rather, states that wish to use proportionate counter CNAs must only meet the three conditions articulated above. In arguing for the acceptance of such a proposed rule, Section A explains how the proportionate counter CNA rule derives from the existing body of law covered in Part III. Next, Section B argues that such a rule would provide states with clear legal guidance for when they can use counter CNAs. Lastly, Section C further argues that international adherence to the proportionate counter CNA rule would cure the problematic policy effects of the present legal ambiguity by fostering an atmosphere of cyber deterrence and by preventing cyber exchanges from escalating into conventional military altercations. A. The Legal Analysis Underlying the Proportionate Counter CNA Rule The proportionate counter CNA rule is based on an interpretation of law of war that merges the doctrine of retorsion with the three theories of reprisal. As explained in the beginning of Part III, there are four jus ad bellum classifications and therefore four different legal categories under which a CNA can fall: (1) unfriendly but lawful acts, (2) unlawful interventions that are not uses of force, (3) uses of force that are not armed attacks, and (4) armed attacks. 189 An assessment of the doctrine of retorsion and the three theories of reprisal non-forcible countermeasures theory, gap theory of countermeasures, and defensive armed reprisal theory leads to the following observation: a state can lawfully respond to a hostile act of any specific jus ad bellum classification with a commensurate act that falls under the same jus ad bellum classification as the initial hostile act. It therefore logically follows that, under the doctrines of retorsion and reprisal, any counter CNA that is proportionate to the initial CNA the victim state suffered is arguably valid. 190 That 189. See supra Part III.A.4. 190. Cf. id. The sentence includes the term arguably because not all of these three theories of reprisal are widely accepted by legal scholars, and therefore a counter CNA is arguably valid as long as it is proportionate to the initial CNA.

226 The Geo. Wash. Int l L. Rev. [Vol. 46 is, if the counter cyber operation satisfies the four elements of reprisal, one of which is proportionality, 191 it is justified by either retorsion or a recognized theory of reprisal. 192 An analysis of how states can legally justify their use of proportionate counter CNAs in response to CNAs of each of the four different jus ad bellum classifications elucidates this observation. 1. Responding to a CNA That Is Unfriendly but Lawful If the initial CNA by the perpetrator state is neither an unlawful intervention nor a use of force, then, under the doctrine of retorsion, the victim state can respond with a counter CNA that is commensurate in scale and effect to the initial CNA. 193 Presumably, a counter CNA that is proportionate to the initial CNA fits the same jus ad bellum classification (1) as the initial CNA. Thus, because retorsion permits a state to respond proportionately to an unfriendly but lawful act with an unfriendly but lawful counter act, responding to a classification (1) CNA with a classification (1) CNA is justified. 2. Responding to a CNA That Is Unlawful but Is Not a Use of Force If the initial CNA is an unlawful intervention but is not a use of force, then, under the non-forcible countermeasure theory, the victim state can respond with a counter CNA that is commensurate in scale and effect to the initial CNA. 194 Presumably, a counter CNA that is proportionate to the initial CNA fits the same jus ad bellum classification (2) as the initial CNA. Thus, because non-forcible countermeasures theory permits a state to respond proportionately to an unlawful act short of a use of force with an unlawful act short of a use of force, responding to a classification (2) CNA with a classification (2) CNA is justified. 3. Responding to a CNA That Is a Use of Force but Is Not an Armed Attack If the initial CNA is a use of force but not an armed attack, then, under the gap theory of reprisal, the victim state can respond with a counter CNA that is commensurate in scale and effect to the ini- 191. DINNISS, supra note 18, at 107. 192. Cf. KERSCHISCHNIG, supra note 24, at 162. 193. See id. at 162. 194. See id.

2013] The Legality of Retaliatory Cyberattacks 227 tial CNA. 195 Presumably, a counter CNA that is proportionate to the initial CNA fits the same jus ad bellum classification (3) as the initial CNA. 196 Thus, because the gap theory permits a state to respond proportionately to a use of force short of an armed attack with a use of force short of an armed attack, responding to a classification (3) CNA with a classification (3) CNA can be justified. 4. Responding to a CNA That Is an Armed Attack If the initial CNA is an armed attack, then, under the theory of defensive armed reprisal, the victim state can use a counter CNA that is commensurate in scale and effect to the initial CNA. 197 Presumably, a counter CNA that is proportionate to the initial CNA fits the same jus ad bellum classification (4) as the initial CNA. Thus, because the defensive armed reprisal theory permits a state to respond to an armed attack with an armed attack, 198 responding to a classification (4) CNA with a classification (4) CNA can be justified. 5. Table Illustrating this Legal Analysis The following table further illustrates the logic articulated above: Presumed classification of Jus ad bellum Classification of proportionate Justifying legal classification initial CNA counter CNA doctrine/theory 1 Lawful act that is not Lawful act that is not Retorsion a use of force a use of force 2 Unlawful act that is Unlawful act that is Non-forcible not a use of force not a use of force countermeasures 3 Use of force short of Use of force short of Gap theory of an armed attack an armed attack reprisal 4 Use of force that is Use of force that is Defensive armed an armed attack an armed attack reprisals As the table demonstrates, a counter CNA that is proportionate to the initial CNA will presumably fit the same jus ad bellum classification as the counter CNA and therefore can be justified by either retorsion or one of the three theories of reprisal. A counter CNA that is not commensurate in scale and effect to the initial CNA, 195. See TALLINN MANUAL, supra note 20, at 38. 196. See KERSCHISCHNIG, supra note 24, at 294. 197. See DINSTEIN, supra note 64, at 248. 198. See id.

228 The Geo. Wash. Int l L. Rev. [Vol. 46 however, may fit a more severe jus ad bellum classification than the initial CNA and will have no theory or doctrine to justify it. Thus, a state cannot use an unlawful CNA in response to a lawful CNA, a forceful CNA in response to a non-forcible CNA, or an armed CNA 199 in response to a non-armed CNA. 6. Legal Basis for the Proposed Rule s Three Conditions In addition to requiring that such a counter CNA be proportionate to the initial CNA, the counter CNA must meet three conditions. The initial CNA must be attributed to the perpetrator state, the victim state must call upon the perpetrator state to discontinue its use of CNAs, and the counter CNA must be necessary to induce the perpetrator state to cease its use of CNAs. These three conditions derive from the three elements that a lawful act of reprisal must satisfy in addition to the element of proportionality. 200 For this reason, states should construe the three conditions of the proportionate counter CNA rule similarly to how the scholarly community construes these three elements of reprisal. 201 A counter act that satisfies these three elements of reprisal and the proportionality element of reprisal is a lawful reprisal under at least one of the three theories of reprisal. As a result, a counter CNA that satisfies the three conditions in the proposed rule and the proportionality requirement will be valid under at least one of the three theories of reprisal. Moreover, as explained in the analysis above, a proportionate counter CNA that satisfies the rule s three conditions is justified by retorsion or a theory of reprisal regardless of the counter CNA s jus ad bellum classification. 202 The rule that results from this legal analysis is the proportionate counter CNA rule outlined above. In sum, the proportionate counter CNA rule does not require that the initial CNA fit a particular jus ad bellum classification for a state to use a counter CNA. Nor does the rule require that the counter CNA fit a particular jus ad bellum classification. Rather, the rule only requires that the 199. Armed CNA in this context refers to a CNA that amounts to an armed attack under Article 51. 200. See supra Part III.C.1. 201. See id. 202. While each of the three theories of reprisal can only justify acts that meet the three elements of reprisal in addition to proportionality, the doctrine of retorsion does not require similar elements. Compare supra Part III.B, with supra Part III.C. Nonetheless, because counter CNAs that fall under the jus ad bellum classifications 2 4 in the table above are valid under one of the three theories of reprisal, requiring a proportionate counter CNA to meet these elements of reprisal ensures that the proportionate counter CNA will be valid regardless of its jus ad bellum classification.

2013] The Legality of Retaliatory Cyberattacks 229 counter CNA be proportionate to the initial CNA. If the counter CNA is proportionate to the initial CNA, as the legal analysis shows, it can be justified under either the doctrine of retorsion or one of the three theories of reprisal, if the counter CNA meets the rule s three conditions. B. The Proposed Rule Offers States Straightforward Guidance on When They Can Use Counter CNAs. The proportionate counter CNA rule articulated above provides states with a clear picture of the range of circumstances under which a counter CNA would be lawful. The current legal ambiguity surrounding the use of counter CNAs, to a substantial degree, results from the application of vague law of war thresholds to the unconventional context of cyberspace. For this reason, a rule that allows states to avoid the application of law of war thresholds to cyber operations will provide states with more straightforward legal guidance as to when counter CNAs are permitted. The proposed proportionate counter CNA rule does not require states to make jus ad bellum threshold determinations when assessing whether they can use counter CNAs. Thus, states that consult the proposed rule will run into far less legal ambiguity when assessing whether they can lawfully use a counter CNA. 1. Much of the Legal Ambiguity States Currently Face Results from the Application of Vague Law of War Thresholds to the Unconventional Context of Cyber Operations. Much of the present legal ambiguity over the use of counter CNAs results from the particular difficulty states encounter when applying unclear and unsettled law of war thresholds to the unconventional context of cyber operations. 203 That is, uncertainty as to when counter CNAs are justified largely stems from two distinct problems that blur the application of jus ad bellum thresholds to CNAs. First, jus ad bellum thresholds are generally unsettled among scholars and practitioners, and, as a result, applying these thresholds to even conventional military operations often produces gray 203. See e.g., Andrew C. Foltz, Stuxnet, Schmitt Analysis, and the Cyber Use of Force Debate, 67 JOINT FORCE Q. 40, 42 (2012) ( [D]iscerning a clear use-of-force threshold in this gray area a difficult task even in traditional kinetic context has proven particularly difficult in the cyber context. ).

230 The Geo. Wash. Int l L. Rev. [Vol. 46 areas. 204 Scholarly debates over the meaning of phrases like unlawful intervention, use of force, and armed attack hinder the determination of a given kinetic attack s jus ad bellum classification. 205 In addition, disagreements among scholars over which operations fall within these classifications further blur the assessment of a kinetic operation s law of war classification. 206 Second, applying conventional thresholds that international lawmakers designed to govern kinetic attacks to the unconventional context of cyber operations generates ambiguity. 207 After all, as discussed earlier, the realm of cyber strikes is fundamentally different from the realm of kinetic strikes. 208 Whereas kinetic operations typically aim to damage physical property, cyber operations usually aim to damage intangible property. 209 Because of such fundamental differences, the question of whether a CNA has crossed a particular jus ad bellum threshold will likely be unclear. 210 The general vagueness of each threshold and the unconventional context of cyber operations both pose substantial impediments to the determination of a CNA s jus ad bellum classification. This is because classifying a CNA as either an unlawful intervention, use of force, or armed attack often involves a two-step process. First, a CNA must be equated to an analogous kinetic attack, and second, the analogous kinetic attack must be placed in the appropriate jus ad bellum classification. 211 The first part of the process compares conventional kinetic operations with cyber operations, which are unconventional in nature. 212 The second part of the process determines whether a kinetic operation crosses specific thresholds, which are unsettled and vague. 213 Overall, the process of applying jus ad bellum thresholds to cyber operations is particularly problematic. 204. See id. 205. See Hathaway et al., supra note 7, at 841 42. 206. See TALLINN MANUAL, supra note 20, at 37 39, 44 48, 53 59. 207. Hathaway et al., supra note 7, at 840 41 ( Nothing was further from the minds of the drafters of the Geneva Convention than attacks carried out over a worldwide computer network. ). 208. See supra Part II.A. 209. Id. 210. William Banks, The Role of Counterterrorism Law in Shaping ad Bellum Norms for Cyber Warfare, 89 INT L L. STUD. 157, 162 (2013) ( [T]he language and structure of... the Charter (focusing on use of force and armed attack ) present considerable analytic challenges and even incongruities in attempting to fit cyber into the conventional framework for armed conflict. ). 211. See Sklerov, supra note 11, at 6. 212. See DINNISS, supra note 18, at 62 74. 213. See TALLINN MANUAL, supra note 20, at 37 39, 44 48, 53 59.

2013] The Legality of Retaliatory Cyberattacks 231 These two distinct problems arise in the application of each of the three jus ad bellum thresholds to cyber operations. A separate analysis for each threshold shows how these two distinct problems blur the determination of the jus ad bellum classification of a CNA. Further, this analysis illustrates the benefit of a rule that circumvents the application of these thresholds to state cyber operations. a. Determining Whether a CNA Crosses the Threshold of Unlawful Intervention The question of where the unlawful intervention threshold stands along the continuum of kinetic operations is unsettled. 214 As one scholar mentions, the line between illegal intervention and permitted economic pressure has proved difficult to draw. 215 Moreover, the scope of unlawful intervention becomes even hazier in the cyber context. 216 As the Tallinn Manual admits, it is unclear whether placement of malware into another state s cyber infrastructure amounts to unlawful intervention. 217 b. Determining Whether a CNA Crosses the Threshold of Use of Force In applying the use of force threshold to cyber operations, one U.S. Lieutenant Colonel comments, discerning a clear use-offorce threshold in this gray area a difficult task even in traditional kinetic context has proven particularly difficult in the cyber context. 218 Scholars not only debate whether force is limited to armed force, but also whether to apply an instrument-based test or an effects-based test when determining what falls within the scope of force. 219 As a result, there is no conclusive definitional threshold for which actions fall in the gap between a use of force and an armed attack. 220 Furthermore, even among those scholars who endorse an effects-based test, there is internal debate as to how to apply such a test to CNAs. 221 For example, scholars that 214. See KERSCHISCHNIG, supra note 24, at 124. 215. Id. 216. See TALLINN MANUAL, supra note 20, at 45. 217. Id. at 16. 218. Foltz, supra note 203, at 42. 219. Id. As one scholar noted about Article 2(4) in 1984, [t]he paragraph is complex in its structure and nearly all of its key terms raise questions of interpretation. Oscar Schachter, The Right of States To Use Armed Force, 82 MICH. L. REV. 1620, 1624 (1984). 220. TALLINN MANUAL, supra note 20, at 47 48. 221. See supra Part III.B.1.

232 The Geo. Wash. Int l L. Rev. [Vol. 46 endorse the effects-based test disagree on whether a massive cyber operation that cripples an economy is a use of force. 222 c. Determining Whether a Cyber Operation Crosses the Threshold of Armed Attack According to one law of war scholar, the [e]xact scope of the right to self-defence remains one of the divisive issues in international law, so it is not surprising that its application to the topic of computer network attacks is particularly complex. 223 Despite the ICJ s analysis of the meaning of armed attack in both Nicaragua (Merits) and Oil Platforms, the threshold of armed attack is fraught with uncertainty. 224 Even assuming that an effects-based approach must be used to determine which kinetic attacks fall within the scope of an armed attack an approach that is not universally accepted scholars disagree on how to apply such an effects-based test. 225 As the Tallinn Manual admits, the parameters of the scale and effects criteria remain unsettled beyond the indication that they need to be grave. 226 Moreover, assessing which types of CNAs constitute armed attacks further blurs the threshold determination. The legal background presented above on the scope of armed attack reveals the ambiguity concerning the phrase s application to cyberspace. 227 As the Experts observe, the point at which the injury and damage caused by a cyber operation becomes grave enough to render the operation an armed attack is unclear. 228 This is because cyberspace operations tend to result in intangible damage and therefore do not fit neatly within the conventional legal paradigm. 229 As this analysis of each jus ad bellum threshold shows, classifying a given CNA as either an unlawful intervention, a use of force, or an armed attack is particularly difficult. For this reason, a rule that does not refer to varying jus ad bellum classifications will spare states of much of the legal ambiguity they currently face. 222. See id. 223. DINNISS, supra note 18, at 75. 224. See id. at 80. 225. See TALLINN MANUAL, supra note 20, at 55. 226. Id. 227. See DINNISS, supra note 18, at 58, 80. 228. TALLINN MANUAL, supra note 20, at 55. 229. DINNISS, supra note 18, at 63.

2013] The Legality of Retaliatory Cyberattacks 233 2. The Proposed Rule Relieves States of Legal Uncertainty By Not Requiring States to Determine Whether a Cyber Operation Crosses a Particular Law of War Threshold. States that consult the proportionate counter CNA rule to assess when they can use a counter CNA do not need to evaluate whether a CNA crosses a particular jus ad bellum threshold. This is because, under the proposed rule, a counter CNA is not rendered invalid merely because the initial CNA fails to reach a certain level of severity or merely because the counter CNA reaches a certain level of severity. Rather, a counter CNA is only invalid if its level of severity is disproportionate to the level of severity of the initial CNA. As a result, states determining whether a given counter CNA would be lawful do not need to ask themselves whether the initial CNA or counter CNA crossed a particular jus ad bellum threshold. As demonstrated, such threshold determinations are fraught with ambiguity, and sparing states the need to make these threshold determinations would help states avoid much of the legal uncertainty they currently face. Moreover, under the proposed rule, states no longer need to analogize cyber operations with kinetic operations, a practice which is particularly difficult given the fundamental differences between these two realms of operations. To the contrary, states consulting the proposed rule only need to draw analogies between cyber operations and other cyber operations by determining what type of counter CNA would be proportionate to the initial CNA it suffers. This is undoubtedly a less challenging inquiry. 230 Adopting the proposed rule will provide states with clear legal guidance as to when they may lawfully use counter CNAs. C. International Adherence to the Proposed Rule Would Help Cure the Problematic Policy Effects of the Present Legal Ambiguity. Part II.D discussed the problematic policy implications of the legal uncertainty states currently face in determining when they can use counter cyber operations. The discussion pointed to the achievement of two distinct policy goals of international cyber conflict that the present legal ambiguity impedes. To recall, the legal 230. Some argue to the contrary that determining which type of counter CNA is proportionate to an initial CNA would similarly be fraught with ambiguity. See Katherine C. Hinkle, Note, Countermeasures in the Cyber Context: One More Thing to Worry About, 37 YALE J. INT L L. 11, 12 (2012). However, it would be difficult to argue that analogizing CNAs with other CNAs runs into more uncertainty than analogizing CNAs with kinetic operations.

234 The Geo. Wash. Int l L. Rev. [Vol. 46 ambiguity stands in the way of (1) fostering an international atmosphere of cyber deterrence and (2) preventing cyber exchanges from escalating into conventional military altercations. 231 A separate Subsection will be devoted to explaining how international acceptance of the proposed rule would advance each of these goals. 1. Fostering an International Atmosphere of Cyber Deterrence By resolving the legal ambiguity about when states can use counter CNAs, the proposed rule also helps cure the lack of cyber deterrence that results from such ambiguity. As explained above, the inability to predict how states will respond to CNAs directed against them weakens the degree to which states launching CNAs will be deterred from doing so. 232 However, if states regularly consult the straightforward rule proposed above to guide when they will initiate counter CNAs, perpetrator states are more likely to anticipate what type of response they should expect to suffer from the victim state, if any. 233 Moreover, a state s duty under the proposed rule to notify the perpetrator state of its decision to employ countermeasures should the perpetrator state continue its wrongful conduct 234 would serve in practice as a warning to perpetrator states that the victim state is ready to launch a counter CNA. Such a warning is likely to deter the perpetrator state from continuing to perpetrate CNAs. Further, because state practice strongly influences international legal rules 235 and international legal rules conversely affect state practice, 236 a movement among states to apply the proposed rule can find its way into international law textbooks over time. With the widespread acceptance of the proposed rule, prospective perpetrator states will be able to predict more accurately how other 231. Supra Part II.D. 232. See Sklerov, supra note 11, at 10. 233. Legitimizing a victim state s right to launch a counter CNA against a perpetrator state under specific circumstances may appear to run the risk of encouraging cyber exchanges to escalate. The strict conditions under which a victim state can use counter cyber operations under the proposed rule mitigate such a risk. Specifically, a victim state cannot use a counter CNA unless the counter CNA is necessary to induce the perpetrator state to discontinue its cyber operations. See Part IV.A supra. If states correctly follow the proposed rule by only using counter CNAs as a last resort, this would significantly lower the risk of escalation. 234. See DINNISS, supra note 18, at 107. 235. See CHRISTOPHER JOYNER, INTERNATIONAL LAW IN THE 21ST CENTURY 38 (2005). 236. See Paul Schiff Berman, Seeing Beyond the Limits of International Law, 84 TEX. L. REV. 1265, 1280 1302 (2006) (reviewing JACK L. GOLDSMITH & ERIC A. POSNER, THE LIMITS OF INTERNATIONAL LAW (2005)).

2013] The Legality of Retaliatory Cyberattacks 235 states will respond to their hostile CNAs. Perpetrator states will therefore be deterred from launching CNAs with impunity in anticipation of the victim state s legal right to respond with a counter CNA. 237 2. Preventing Cyber Exchanges from Escalating into Conventional Military Altercations The current state of legal ambiguity also poses the risk of allowing cyber exchanges to escalate into conventional military altercations. 238 This is because doubt as to the legality of responding to CNAs with counter CNAs may lead states to exclude counter cyber operations from their arsenals. 239 Such exclusion would leave states to choose to either respond to a CNA with a conventional military retaliation or not respond at all. 240 Scholars are concerned about states adopting such a strategy because conventional military attacks tend to be more deadly and destructive than cyberattacks. 241 By clarifying the instances in which a counter CNA is lawful, the proposed rule would prevent states from adopting such a strategy. State acceptance of the rule would help establish the legality of counter CNAs. 242 Victim states consulting the rule would be encouraged to use cyber operations less lethal and devastating than conventional military operations 243 against perpetrator states when such a response is warranted. Further, the proposed rule s proportionality requirement, assuming state compliance, would restrain cyber conflicts from developing into conventional military exchanges. 244 This is because any destructive conventional counter attack by the victim state would probably not be commensurate to the CNA it suffered and therefore would not be justified under the proposed rule. 245 237. See Sklerov, supra note 11, at 10 11. 238. See KERSCHISCHNIG, supra note 24, at 294. 239. See id. 240. See id. 241. E.g., id. 242. See JOYNER, supra note 235, at 38. 243. See KERSCHISCHNIG, supra note 24, at 294. 244. See Sklerov, supra note 11, at 80 ( [Counter cyber operations] provide states a way to surgically strike at their attacker with minimal risks of severe collateral damage to the host-state, thereby meeting the proportional requirement to select the method or means of warfare likely to cause the least collateral damage and incidental injury, all other things being equal.... [For this reason], choosing [cyber] defenses versus kinetic weapons should reduce the chance of escalating these situations into full scale armed conflicts between states. ) (citations and internal quotation marks omitted). 245. See id. at 79 80.

236 The Geo. Wash. Int l L. Rev. [Vol. 46 Thus, in addition to fostering an atmosphere of cyber deterrence, the proposed rule would discourage states from responding to CNAs with conventional military retaliations. On this basis, adoption of the proposed rule would advance some of the important policy goals in the field of cyber conflict. V. CONCLUSION The ambiguity that surrounds how the law of war applies to state cyber operations is just another illustration of a jurisprudential problem that any lawmaking society must face: the problem of how law that is unchanging by nature can continue to serve the needs of a world that is ever changing. Can states adapt old laws to account for new circumstances or must states design new laws to fit a new reality? The advent of cyber weaponry presents such a difficulty. Indeed, state use of cyberattacks such as Stuxnet is well beyond the type of warfare that the framers of the U.N. Charter in 1945 thought that they would be governing. 246 Yet if law is meant to stay relevant in a continually evolving world, then the legal community must find creative ways to interpret and apply old rules to account for new circumstances while ensuring that those rules remain loyal to the principles that the old rules were designed to preserve. 247 Without such creative interpretations, the law is doomed to a fate of obscurity. 248 For if yesterday s rules are abandoned and a new set of rules are enacted to cater to today s world, what will become of today s rules when they encounter the new world of tomorrow? Cyber weaponry continues to grow increasingly sophisticated, and any effort to create a cyberspecific legal regime cannot fully foresee the types of CNAs that will develop in the future. 249 246. Cf. Hathaway et al., supra note 7, at 840 ( Nothing was further from the minds of the drafters of the Geneva Convention than attacks carried out over a worldwide computer network. ). 247. See, e.g., Sklerov, supra note 11, at 2 ( Revolutions in technology, like the Internet, challenge the framework that regulates international armed conflict. Legal scholars must use imagination to find ways to tackle this problem. If not, the law will become obsolete and meaningless to the states that need its guidance. ). 248. See id. 249. Experts: Flame Represents a New Level of State-Sponsored Cyber Attacks, HOMELAND SECURITY NEWS WIRE (June 1, 2012), http://www.homelandsecuritynewswire.com/dr2012 0601-experts-flame-represents-a-new-level-of-statesponsored-cyber-attacks ( According to the U.K.-based Information Security Forum (ISF)... cyber attacks [like the Flame attack against Iran] are becoming increasingly sophisticated as state-sponsored espionage, activism (online activists), and cybercrime move up a gear. This level of sophistication will only grow and grow on a global scale. ).

2013] The Legality of Retaliatory Cyberattacks 237 The proportionate counter CNA rule relieves the international community of the need to create a cyber-specific legal regime by interpreting the law of war in such a way that allows states to circumvent the unclear question of how old jus ad bellum classifications apply to new forms of attacks. By enabling states to escape the clash of the old with the new, the proposed rule rescues the law of war from a fate of obscurity.