From Nuclear War to Net War: Analogizing Cyber Attacks in International Law

On April 27, 2007, Estonia suffered a crippling cyber attack launched from outside its borders. It is still unclear what legal rights a state has as a victim of a cyber attack. For example, even if Estonia could conclusively prove that Russia was behind the March 2007 attack there is no clear consensus on how Estonia could legally respond, whether with armed force, its own cyber attack, or some other measure. The scholarly literature dealing with these questions, as well as the ethical, humanitarian, and human rights implications of information warfare (IW) on national and international security is scarce. Treatments of IW outside the orthodox international humanitarian law (IHL) framework are nearly non-existent. This underscores the tension between classifying cyber attacks as merely criminal, or as a matter of state survival calling for the same responses as conventional threats to national security. International law has been slow to adapt. The facts on the ground, and the widespread, amorphous use and rapid evolution of the internet in many ways challenge state sovereignty. I will advocate that the best way to ensure a comprehensive regime for cyber attacks is through a new international accord dealing exclusively with cyber security and its status in international law. Yet, the international community lacks the political will to tackle this issue directly. Until such an accord becomes politically viable, it is critical to examine how existing treaty systems may extend to cover the novel facts presented by cybe attacks. Together, existing treaties form a dual track approach to cyber attacks - one that is available for cyber attacks that do not rise to the level of an armed attack, and another that is activated once an armed attack occurs. To that end this paper will examine the most apt analogues in international law to form an appropriate legal regime for the various types of cyber attacks - whether it is humanitarian law (laws of war), human rights law (regulation of nation states behavior), or some novel combination of these and other treaty systems. In framing this regime, it will be argued that cyber attacks represent a threat to international peace and security as daunting and horrific as nuclear war. Yet the nuclear non-proliferation model is not a useful analogy since the technology necessary to conduct IW is already widespread in the international community. Instead, other analogies will rely on communications and cyber law, space law, and the law of the sea. The main failings of existing international treaties that touch on cyber law though are that most do not carry enforcement provisions. Nor do they specify how the frameworks change or fall away entirely during an armed attack. Nevertheless, regardless of whether or not cyber attacks fall below the threshold of an armed attack these bodies of law have a role to play in forming an appropriate regime. The cyber attack on Estonia in April, 2007, presents an example of the dire need for clarity in the international law of non-conventional warfare using modern technology.