This page contains a Flash digital edition of a book.

formally acknowledged involvement or responsi- bility, Israel’s Mossad trumpeted the program’s success to journalists in 2011.

Once the domain of minor criminals and activ- ists with few resources, limited technical knowl- edge, and a predominantly economic motive, the malware scene has a different character when it becomes state-sponsored. Nation-states can af- ford to spend millions to develop a virus, as the U.S. and Israel did on Stuxnet. When states are involved, technical escalation occurs not only be- cause an arms race ensues, but also because the malware is not destroyed after deployment like a conventional weapon:

it can be dissected and its 22

techniques coopted into the malware programs of other nations, and even of non-state actors. This cycle of constant deployment, discovery, and diagnosis of viruses means that they evolve more rapidly than conventional military weapons. And, with each acceptable cyberattack, the next - perhaps slightly more damaging–attack becomes warranted.


One way that state-sponsored cyberattacks might be subject to international law is through the laws of war governed by the UN Charter, the founda- tional treaty which all members of the United Na- tions must sign. In Articles 2(4) and 51, the UN Charter prohibits a state from the “use of force” against another state, except in self-defense against an “armed attack.”

The innocent-looking words “use of force” and “armed attack,” written just after World War II, un- fortunately give little direction in a technologically advanced age. As a result, scholars have probed the meaning of these terms in an attempt to un- derstand their nuances. Three broad approaches have emerged.

The first approach is to view “attack” as based on instrumentality. To qualify as an attack, tradition- al military means or weapons would have to be employed. Under this instrumentality approach,

a missile strike against Iran’s centrifuges would be an attack, but deploying a cyber-weapon like Stuxnet to destroy them would not be. This view is the most limited and the least technologically insightful, but has the advantage of providing a clear, bright dividing line which excludes most cyber-war from triggering a retaliatory response under Article 51.

A second approach examines the target of the at- tack. If the attack is against a computer system which is important to the national security or na- tional infrastructure of a state, the harm could be great enough to invoke the right of self-defense. Under this approach, the Stuxnet incident would justify a response because it attacked an impor- tant part of Iran’s national infrastructure. This is the most expansive view.

A third approach attempts to classify the attack ac- cording to the severity of its effects, though how severity itself is measured differs among com- mentators. Some propose that severity be mea- sured rather strictly, by looking to the likelihood of injury or property damage similar to that in an armed attack using traditional weapons. Others have advocated for multi-factor tests which look at the severity of harm, immediacy, directness, and other factors.

Of these three approaches, the effects-based ap- proach is probably the most balanced and most widely-accepted. Furthermore, it seems most likely that technologically advanced nations with sophisticated computer infrastructure would want a more expansive reading than the instru- mentality approach allows. The reason for this is that smaller nations with less raw military force can mount cyberattacks without the resources and expense of conventional war. Thus it is likely that larger nations would want to preserve their right to retaliate, both in cyberspace and with con- ventional weapons.

The Tallinn Manual, a recent standard-setting ef- fort which is poised to have a major impact on the

ILSA Quarterly » volume 22 » issue 1 » October 2013

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56