Suppose that the United States, in opposing Iran's suspected development of nuclear weapons, decides that the best way to halt or slow Iran's program is to undermine the Iranian banking system, calculating that the ensuing financial pressure would dissuade or prevent Iran from continuing on its current course. And further suppose that the United States draws up the following four options, all of which are believed likely to produce roughly the same impact on Iran's financial system and have similar effects on Iran's economy and population:
(1) Military air strikes against key Iranian banking facilities to destroy some of the financial system's physical infrastructure;
(2) A regulatory cut-off of Iranian banks from the U.S. financial system, making it difficult for Iran to conduct dollarized transactions;
(3) Covert flooding of the Iranian economy with counterfeit currency and other financial instruments;
(4) Scrambling Iranian banking data by infiltrating and corrupting its financial sector's computer networks.
Which of these options constitute uses of force, subject to the U.N. Charter's prohibitions and self-defense provisions?
I pose this set of hypothetical options for several reasons. First, it is an exercise in legal line drawing. The development and deployment of new technologies—both their offensive potential and the vulnerabilities they create for states reliant on those technologies—raise questions about permissible versus impermissible modes of interstate conduct and conflict. Military attacks are generally illegal, with exceptions for self-defense or when authorized by the U.N. Security Council. Most economic and diplomatic measures, even if they exact tremendous costs on target states (including significant loss of life), are generally not barred by the U.N. Charter, though some of them may be barred by other legal principles. Where along the spectrum of permissible to impermissible conduct do various types of cyberattacks lie?
Definitions of cyberattacks vary, and the range of hostile activities that can be carried out over information networks is immense, ranging from malicious hacking and defacement of websites to large-scale destruction of the military or civilian infrastructures that rely on those networks. By "cyberattacks" I mean efforts to alter, disrupt, or destroy computer systems or networks or the information or programs on them, which is still a broad category. That breadth—encompassing activities that range in target (military versus civilian, public versus private), consequences (minor versus major, direct versus indirect), and duration (temporary versus long-term)—is part of what makes international legal interpretation or regulation in this area so difficult.
Global interconnectedness brought about through linked digital information networks brings immense benefits, but it also places a new set of offensive weapons in the hands of states and nonstate actors, including terrorist groups. Military defense networks can be remotely disabled or damaged. Private sector networks can be infiltrated, disrupted, or destroyed. "Denial of service" attacks—flooding an Internet site, server, or router with data requests to overwhelm its capacity to function—can be used to take down major information networks. This method of attack was demonstrated in Estonia (one of the most "wired" nations in the world) during a period of diplomatic tensions with Russia in 2007, when such attacks disrupted government and commercial functions for weeks, including banking, media, and communications. More recently, it has been widely reported that a computer code dubbed Stuxnet, perhaps created and deployed by the United States or Israel, infected and significantly impaired Iran's uranium enrichment program by disrupting parts of its control system.
The London-based International Institute for Strategic Studies recently highlighted "the growing consensus" that future conflicts may feature "the use of cyber warfare to disable a country's infrastructure, meddle with the integrity of another country's internal military data, try to confuse its financial transactions or to accomplish any number of other possibly crippling aims." A U.N.-convened panel of governmental experts recently echoed that conclusion, noting that "existing and potential threats in the sphere of information security are among the most serious challenges of the twenty-first century. . . . Their effects carry significant risk for public safety, the security of nations and the stability of the globally linked international community as a whole." In short, electronic and informational interconnectivity creates tremendous vulnerabilities, and some experts speculate that the United States may be especially at risk because of its high economic and military dependency on networked information technology.
Computer information system capabilities and vulnerabilities raise international legal questions of tremendous public policy import. What are the permissible uses of offensive cyber capabilities? To what extent is existing international law adequate to regulate these capabilities today and in the future? And what international legal authority do states have to respond, including with military force, to cyberattacks or cyberthreats by states or nonstate actors? Note that I am concerned here with jus ad bellum issues—including whether cyberattacks constitute an act of aggression or would justify resort to armed force in response—but not jus in bello issues, that is, how the laws of war would govern the use of cyber-attacks during an ongoing armed conflict.
Besides illustrating some new interpretive challenges with regard to the U.N. Charter, another reason I pose the opening hypothetical is to illustrate that legal line drawing with respect to cyberattacks will produce winners and losers, and to illuminate the implications of those disparate effects for international legal development. States have different capabilities and different vulnerabilities to those capabilities. Not all states, for example, have the financial and trade muscle to coerce other states economically, and states have varying strength to withstand economic pressure. The same is true of cyber-attack and defense capabilities, so legal rules that affect the costs of using cyberattacks have disparate strategic consequences. Legal line drawing with respect to the use of force and modes of conflict has distributive effects on power, and is therefore likely to be shaped by power relations. For major actors like the United States, aligning legal interpretation with strategic interests is exceptionally difficult because the future effects of information technology on power and conflict remain so uncertain.
To better understand contemporary relationships between international law regulating force and cutting-edge technologies, this Article looks backward in time to international legal disputes and scholarly debates of the Cold War. A central theme is that these fundamental issues are not entirely new or unique to cyber-technology, even if they have new dimensions that make them harder to solve or navigate. Modes and technologies of conflict change, and the law adjusts with varying degrees of success to deal with them. Throughout the U.N. Charter regime's sixty-plus years of development, the means by which states and international actors wage conflict has changed so dramatically that every so often major international legal figures debate whether the Charter's most basic tenets are "dead." Cyber warfare capabilities and vulnerabilities will strain the Charter and its basic prohibition on force once again, and the lessons of history can help us understand how.
This Article makes two overarching arguments. First, strategy is a major driver of legal evolution. Most scholarship and commentary on cyberattacks capture only one dimension of this point, focusing on how international law might be interpreted or amended to take account of new technologies and threats. The focus here, however, is on the dynamic interplay of law and strategy—strategy generates reappraisal and revision of law, while law itself shapes strategy—and the moves and countermoves among actors with varying interests, capabilities, and vulnerabilities. The purpose is not to come down in favor of one legal interpretation or another, and the conclusions are necessarily speculative because no governments speak in much detail about their cyber warfare capabilities and strategies at this point. There are downside risks and tensions inherent in any plausible approach, though, and this analysis helps in understanding their implications.
Second, it will be difficult to achieve international agreement on legal interpretation and to enforce it with respect to cyberattacks. The current trajectory of U.S. interpretation is a reasonable effort to overcome the translation problems inherent in a U.N. Charter built for a different era of conflict. However, not only do certain features of cyber-activities make international legal regulation very difficult, but major actors also have divergent strategic interests that will pull their preferred doctrinal interpretations and aspirations in different directions, impeding formation of a stable international consensus. U.S. policymakers should therefore prepare to operate in a highly contested and uncertain legal environment. The prescription is not to abandon interpretive or multilateral legal efforts to regulate cyberattacks; rather, it is to recognize the likely limits of these efforts and to consider the implications of legal proposals or negotiations in the context of broader security strategy.
The Article proceeds as follows. Part II dissects a long-running debate over the meaning of "force" and "armed attack" in Articles 2(4) and 51 of the U.N. Charter, and examines the challenges of fitting cyberattacks into existing legal categories. This Part does not offer a doctrinal conclusion about where the lines should ultimately be drawn, though it discusses the most salient merits and problems of alternative interpretations. Instead, this Part uses the hypothetical options laid out above as a way to illustrate the implications of competing interpretations, which echo past interpretive disputes. It also describes the general thrust of U.S. government doctrinal thinking about cyber warfare and the regulation of force, which emphasizes the effects of cyberattacks in analyzing whether they cross the U.N. Charter's legal thresholds.
Part III considers parallels between cyber warfare and the "low-intensity conflict" or proxy warfare waged by the superpowers and their clients during the Cold War. As in that latter context, the low visibility of states' moves and countermoves in cyberspace will slow the process of interpretive development. This Part draws on Cold War lessons to argue that Article 2(4) will probably be a weak constraint on offensive cyberattacks because of, among other reasons, the difficulty of observing them and attributing them to their sources or sponsors. Those weaknesses will also likely plague any attempt to negotiate and enforce new international agreements limiting cyber warfare.
Part IV draws again on early Charter history to argue that interpretations of Articles 2(4) and 51 have distributive effects on power and therefore have strategic consequences. Rather than urging one interpretation or another, this Part aims to shed light on the strategic logic likely driving U.S. legal thinking, and it urges a more cautious and multidimensional assessment than is usually found in this burgeoning scholarly field. Whether emergent U.S. interpretations of the Charter serve U.S. interests or broader international societal goals of global order depends on the validity of assumptions about an unpredictable future security environment.