Reply to the post below in around 200 words. Defending cyberspace.docx
Legal Responses to Cyber Attacks
The Legalities of Cyber-Warfare:
By: AdamKinder
Twenty-nine major companies have had major data breaches so far this
year in the United States. Of these major companies’ breaches, there were over
1 billion estimated American accounts (more than 3 times the population of
America) whose information was compromised. There are few Americans left
who have not, in some way, shape, or form, been the victim of a cyber-attack.
Yet how many arrests have been made related to these attacks? The FBI keeps
a list of their cyber-operations here. Within these operations, less than 10%
of cyber-crime perpetrators are actually caught, and that is only counting the
known cyber-attacks. This also does not count the large number of advanced
persistent attacks made on the private sector constantly. These advanced
persistent attacks are not considered a crime according to current laws and
regulations until they have successfully breached the private company’s
defensive restraints. Even after these attacks breach a private company’s
defensive restraints, it is more likely that the private company will be
penalized for the breach than the perpetrator of the cyber-attack.
Considering the wide-reaching effects of these cyber-attacks on the
general public, I suggest to my fellow information security professionals that
we raise the public awareness of the importance of governing the cyber-space
domain as well as the lack of laws being made in order to ensure that the
governance is evolving with its landscape. I further advise that we lead and
direct the conversation governing these laws in order to provide our expert
opinion and experience to the cause, where the general public has none. This
will help to speed along the lawmaking process as well as limit the excuses
that lawmakers have to delay the legislation any more than needed to ensure
just laws are enacted.
In our current state as a country, technology tends to race ahead of the
law. As cyber weaponry continues to grow increasingly sophisticated,
lawmakers are busy playing catch-up, analyzing how old international rules
of war apply to a new battlefield. Among the many legal issues raised is the
particularly challenging question of how a state may lawfully respond to a
cyber-attack by another state. Can the victim state respond with a counter
cyber-attack, or even military force? U.S. Secretary of Defense Leon Panetta
said “The next Pearl Harbor that we face could well be a cyber-attack.” In
the event of a cyber-Pearl Harbor, how could the United States lawfully
respond?
In Manny Halberstam’s note “Hacking Back: Reevaluating the Legality of
Retaliatory Cyber-attacks”, he offers a solution based on laws surrounding
a state’s legal right to use force against another state. By using these laws of
engagement we have an excellent place to begin the legislation process around
governing state-to-state cyber warfare. While this is a very broad area that
may not affect those who do not deal directly with cyber warfare, it is a key
step in the legislation process needed to further govern our cyber space.
To paraphrase Mr. Halberstam’s note in order to make it easier to digest:
1. When responding to a cyber-attack that is unfriendly but lawful, the victim state can
respond with a counter cyber-attack that is unfriendly but lawful. Examples of unfriendly
but lawful cyber-attacks are denial of service attacks that do not affect key areas of state
infrastructure needed to provide governance over that state. The justifying legal doctrine
or theory for this counter attack is called retorsion.
2. When responding to a cyber-attack that is unlawful but is not a use of force, the victim
state can respond with a counter cyber-attack that is unlawful but is not a use of force.
Examples of unlawful counter-attacks that are not a use of force are cyber-attacks
used as a means to intervene directly or indirectly in the internal or external
affairs of other states. For example, if a state used cyber-attacks to collect sensitive data
on a political party that was in power and used this data to help another political party
rise to power, that operation would be considered unlawful but is not a use of force. The
justifying legal doctrine or theory for this counter attack is called non-forcible
countermeasures.
3. When responding to a cyber-attack that is a use of force but is not an armed attack, the
victim state can respond with a counter cyber-attack that is a use of force but is not an
armed attack. An example of a cyber-attack that would be considered a use of force but
not an armed attack is any cyber-attack that disrupts or stops systems that are vital to
the victim state. An example of such a system would be the New York Stock Exchange
or Iran’s nuclear research facilities. The justifying legal doctrine or theory for this counter
attack is called gap theory of reprisal.
4. When responding to a cyber-attack that is an armed attack, the victim state can use a
counter cyber-attack that is an armed attack (or use a physical armed attack). A cyber-
attack becomes an armed attack once loss of life or physical damage has occurred. If a
cyber-attack damaged a state’s infrastructure to the point where people were dying due
to that vital infrastructure being down, the cyber-attack would be considered an armed
attack. Likewise, if someone were able to design a cyber-attack that caused missiles
to launch or trigger in place and caused physical damage, this would also be considered
an armed attack. The justifying legal doctrine or theory for this counter attack is called
defensive armed reprisals.
This proposed backbone to the legislation behind state-to-state governance
of cyber warfare provides a straightforward picture of how to deal with such
attacks and when it is appropriate to use counter cyber-attacks. It is based off
of the current laws that govern any escalation of force between states and as
such has a proven history of effect. With the evidence of ever-increasing
cyber-attacks in the U.S., it is important that we, as the experts in this
domain, encourage our communities and lawmakers to start pushing for laws
that properly govern our cyber-space. Halberstam graciously gave us a great
starting point, and with that it is time to educate the masses and guide the
way to taming cyber-space. Cyber-attacks exponentially grow more
devastating, deviant, and diverse. Without the proper guidance and education
our lawmakers have no hope of creating a cyber-specific governance that
covers the types of cyber-attacks that will develop in the future. It is up to us
to ensure that the law is sound, and enforced properly.