Amid the flurry of national security documents leaked in the last weeks was one that got less attention than the PRISM surveillance program, but also opened a window on a secretive new realm: Presidential Policy Directive 20, issued last October, which instructed national security and intelligence officials to develop America’s capacity to wage cyberwarfare.
Cyberwarfare is emerging as the latest uncertain frontier of international relations, a way for developed nations to attack one another without appearing to do anything at all. The issue lay at the center of President Obama’s recent meeting in California with China’s leader, Xi Jinping: Obama confronted Xi about cyberattacks on government and corporate websites apparently hacked by a secret directorate of the Chinese military, People’s Liberation Army Unit 61398. The United States, of course, has its own alleged history of cyberattacks: It is believed to have helped launch the Stuxnet computer worm against Iran’s nuclear program several years ago.
Are these attacks permissible? How should nations respond? The first efforts to answer those questions are now coming to fruition. A group of 20 independent experts on international law has just completed a manual that attempts to lay out how the established rules of war might apply to cyberspace. The Tallinn Manual on the International Law Applicable to Cyber Warfare, published in March, is the result of an unofficial three-year-long project hosted by NATO in Estonia, intended to start the debate about how nations should conduct themselves on a field of battle that would have been unimaginable just a few decades ago.
Michael Schmitt, chairman of the international law department at the United States Naval War College, led the project. He spoke to Ideas from Germany, where he is on a lecture tour introducing the manual to academic audiences.
IDEAS: It seems almost impossible to match traditional rules of war to this new virtual world. How do you begin?
SCHMITT: First you have to look closely at what is known as “use of force.” That’s a legal term that comes from the UN charter, which tells us in article 2 that uses of force by one state against another are forbidden unless they are pursuant to a Security Council resolution or an act of self-defense on the part of the state. The question then is, in cyberspace, when do you have a use of force, and when can you defend yourself? The group of experts that put together the manual said that it is almost certainly a use of force if there was physical damage to objects or if there was injury to individuals. And that can definitely be the result of cyberwarfare—as conducted by a state, or groups of hackers that are armed and trained by a state to engage in this type of activity.
IDEAS: We don’t normally think of cyberwarfare as causing physical damage.
SCHMITT: A cyberattack could be huge. You could literally shut a small country down. The classic example is you interfere with the traffic control system of a country, which could of course cause death. You could interfere with navigational systems such that everyone is 100 feet off, so that when airplanes try to land they actually land not on the runway but next to it. You could hack into a nuclear reactor and cause a meltdown. Open the gates of a dam to release flood waters downstream. Interfere with medical data such that individuals are given the wrong blood type. There are many examples of truly catastrophic harm that could be caused to people and places.
IDEAS: In putting together the manual, you must have come across some contentious issues. What triggered the most debate?
SCHMITT: We really struggled with identifying a bright line, a threshold, across which you can say, “That’s a use of force.” What actions below the level of damage or injury would also qualify? We thought that training hacktivists counted, but what about financing a cyberactivist group? We thought that that didn’t make the cut. It’s gray and it remains gray and we acknowledged that in the text.
Another big question is related but different. Someone is conducting operations against you. When can you use force, either cyberforce or regular force to respond, like hacking back in a way that will cause damage to them, or firing a cruise missile into the location where the cyberattack is coming from? In current international law, before you can do that you have to be the victim of an armed attack. All the experts agreed that if the cyberattack caused significant injury or damage, then a state could respond. The big question we had was, what if you had an operation that was really devastating—something directed at the New York Stock Exchange that bottoms our economy out and causes massive loss of assets—but it doesn’t cause any physical damage or injury whatsoever?
And this is where the group split. Some of the group said—and I’m one of these—that I anticipate that the law will move in the direction of not looking so much at the nature of the harm but rather the severity of the consequences. But the law hasn’t done that yet....Others said, no, no, if we interpret that law in the cyber context, then we are there now. We need to be looking at the severity of the consequences. Speaking personally, that argument appeals to me. I believe that’s where we will be in 10 years, but I don’t believe that’s where we are today.
IDEAS: How about the Chinese military hacking The New York Times?
SCHMITT: It doesn’t rise to the level of use of force, but it certainly isn’t lawful.
IDEAS: The recently leaked Presidential Policy Directive 20 indicates pretty clearly that the Obama administration is aggressively trying to build up its ability to do catastrophic damage to its enemies in cyberspace. At the same time, it also demands that national security experts ensure that any US cyberattacks are legal.
SCHMITT: There are some states that are saying this is the fifth domain after land, water, air, and space, and international law doesn’t reach it. But Obama is telling operators that if the United States engages in operations, understand that there is a body of law, understand that the body of law will limit when you can engage, the level at which you can engage, and who you target....If we are in an armed conflict with the Taliban or with Al Qaeda, and we are going to use cyber, we are going to have to abide by rules like minimizing harm to the civilian population in strikes.
IDEAS: What about the rest of the world, though?
SCHMITT: Most of the states that we operate with on the battlefield and most of the states that are close friends and allies, most of them accept the notion that international law applies. I would characterize the view that it does not apply as really a fringe view, albeit one that is held by states that are quite important.
IDEAS: Like China?
SCHMITT: With regard to China, I’m not a Sinologist, but I will tell you that I have heard from Chinese in and out of government and I am surprised sometimes at the positions that have been taken. They are very sophisticated international lawyers, but the assertion that international law doesn’t apply simply doesn’t fly.