This page contains a Flash digital edition of a book.
Cyberattacks


international understanding of cyber-operations, reflects this consensus.1


The work is the product


of a three-year effort commissioned by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, to examine the applicability of international norms to cyber-warfare. According to Tallinn, the fact that a computer is used “has no bearing on whether that operation amounts to a ‘use of force.’”2


The Tallinn experts advise, “States


contemplating cyber operations, or that are the target thereof, must be highly sensitive to the in- ternational community’s probable assessment of whether the operations violate the prohibition on the use of force.”3


At this time, however, the Tal- linn Manual is not official NATO doctrine.


Under both the Tallinn standard and the effects- based approach, the United States either has to downplay its involvement in Stuxnet as a moder- ate, targeted action that falls short of prompting Iran to invoke its right of self-defense, or to justify it as a primarily defensive act in a larger conflict. If the roles had been reversed, would the U.S. con- sider a Stuxnet-like attack justification for a self- defensive action? On its face, the United States’ answer to this question seems to be a definitive “yes” according to a 2012 speech by the U.S. State Department’s Legal Advisor Harold Koh.4 Thus, under both Tallinn and the U.S. State De- partment’s position, the Stuxnet attack on Iranian nuclear centrifuges was a use of force. If called to account, the U.S. would likely maintain that its own action was in “anticipatory” self-defense against Iran’s nuclear weapons program.5


III. CYBERATTACKS & THE ICC CRIME OF AGGRESSION


The judges at the Nuremberg Tribunal called ag- gression “the supreme international crime,” per- ceiving that aggression by one nation against another - whether motivated by politics, power, or demand for resources - formed the wellspring for the hatred from which many other heinous crimes flowed.6


For decades international bod- ies struggled to understand what, precisely, it


was about “aggression” which warranted punish- ment of either individuals or states. In 1998, one hundred and twenty nations signed the Rome Charter, which established a permanent Interna- tional Criminal Court (ICC) and formally defined the terms of genocide, crimes against humanity, and war crimes so that they could be prosecut- ed against individual actors. In 2010, the parties amended the Charter with Articles 8 bis, 15 bis, 15 ter, along with additional elements and under- standings, which outlined criminal liability for the “crime of aggression.”7


However, complex opt-in


provisions, additional voting requirements, and ratification procedures mean that the very earliest ICC jurisdiction could begin is January 1, 2017.


The “act of aggression” required to commit a “crime of aggression,” according to Article 8 bis, para. 2 of the Rome Charter, is defined as “the use of armed force by a state against the sovereignty, territorial integrity or political independence of an- other state.” The Rome Charter lists, as examples, classic war maneuvers such as the invasion, mili- tary occupation, or annexation by conventionally armed forces; naval bombardment and blockade; the sending of armed mercenaries; and a nation’s allowing its territory to be used as a launch point for another State to invade a third State. These are traditional notions of aggressive conduct, but they fit poorly into the new modalities of aggression utilized by cyberattacks. For example, if a denial of service attack8


on a nation were so severe that


its communications with the outside world were severed, is the attack analogous to a “blockade”? Perhaps, but even with a fertile imagination, some methods of cyberattack simply have no analogue in the current list of aggressive acts.


There is some evidence from the preparatory negotiations that the parties intended a certain flexibility of interpretation, but until the ICC Prose- cutor brings the first cases before the ICC, it is dif- ficult to know how strictly the Court will construe those provisions. In the meantime, how states act in response to cyberattacks, and whether they


ILSA Quarterly » volume 22 » issue 1 » October 2013


23


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56