Crossing the rubicon: identifying and responding to an armed cyber-attack

Abstract

Over the past decade, the securitization of cyber technologies has dramatically altered the landscape of war. Beyond the technical challenges of countering nefarious cyber activities in a globalized and interconnected world, this new domain generates equally complex questions with respect to the conduct of war, the implementation of international law, and how to adjudicate actions perpetrated by non-state actors. Though the US maintains that existing international law applies to warfare in cyberspace, implementing the traditional rules of armed conflict in this domain presents challenges due in part to the blurring of boundaries that complicate the question of sovereignty as well as attribution. Neither current international law nor United States defense policy has resolved the question of what classifies as an armed attack in cyber-space nor how to adjudicate attacks perpetrated by non-state actors. This paper will address the question of what constitutes an “armed attack” in cyberspace, and how - once it has attributed responsibility – the United States should respond to this type of warfare. Written with the presumption that the United States should lead efforts to shape international law in this field, this paper will briefly outline the set of international laws governing war, the challenges in applying them to cyber-warfare, and provide recommendations for how to apply the law of armed conflict in cyberspace. Specifically, it will advocate for an effectsbased definition of an armed attack that provides a legal avenue for the United States to respond to cyber-attacks perpetrated by non-state actors.