This is my second post that looks at the legal aspects of cyber conflicts. As Sean pointed out, Schmitt also wrote a piece in 1999 that gives a framework for evaluating whether or not jus ad bellum applies to cyber conflict. The text is available here [pdf]. Note that the last post was about jus in bello and this one is on jus ad bellum, which the author defines as:
He provides a list of criteria to be analyzed in order to check whether a cyber attack could be considered "use of force" in terms of international law. Here they are:
He spends a fair amount of time analysizing what actions could be taken in response to CNA. He comes up with a relatively simple decision procedure:
"... that body of international law governing the resort to force as an instrument of national policy ..."... or in other words, when is it ok to go to war. The article limits the scope to CNA between state actors, which is good, because applying the laws of war on non-state actors is always tricky. In the end, however, it needs to be done, because many of the actors in the cyber conflicts of today are definitely not state actors. Schmitt poses two generic scenarios of interest:
"In the first, State A conducts CNA operations against State B with no intention of ever escalating the conflict to the level of armed engagement. The advantages gained through the CNA are ends in themselves. In the second scenario, State A conducts CNA operations in order to prepare the battle space for a conventional attack. The goal is to disorient, disrupt, blind, or mislead State B so as to enhance the likelihood that conventional military operations will prove successful."He again stumbles on the issue of whether or not CNA constitutes "use of force" if the legal text is interpreted the traditional way. He then brings counterexamples of "lawful" use of force, which require a different analysis approach. Schmitt analyzes the text, looks at the history behind it, and shows how the application of law has evolved over time with court cases. He arrives to the conclusion that in the end, what matter are the consequenses.
He provides a list of criteria to be analyzed in order to check whether a cyber attack could be considered "use of force" in terms of international law. Here they are:
"1) Severity: Armed attacks threaten physical injury or destruction of property to a much greater degree than other forms of coercion. Physical well-being usually occupies the apex of the human hierarchy of need.An example of the use of the Schmitt analysis in a more quantitative form is available here [pdf].
2) Immediacy: The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly. Thus, the opportunity for the target state or the international community to seek peaceful accommodation is hampered in the former case.
3) Directness: The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate. Thus, the prohibition on force precludes negative consequences with greater certainty.
4) Invasiveness: In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.
5) Measurability: While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.
6) Presumptive Legitimacy: In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere--are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive. Thus, the consequences of armed coercion are presumptively impermissible, whereas those of other coercive acts are not (as a very generalized rule)."
He spends a fair amount of time analysizing what actions could be taken in response to CNA. He comes up with a relatively simple decision procedure:
"1) Is the technique employed in the CNA a use of armed force? It is if the attack is intended to directly cause physical damage to tangible objects or injury to human beings.A second decision procedure is available for determining whether or not a response with armed force is applicable:
2) If it is not armed force, is the CNA nevertheless a use of force as contemplated in the U.N. Charter? It is if the nature of its consequences track those consequence commonalities which characterize armed force.
3) If the CNA is a use of force (armed or otherwise), is that force applied consistent with Chapter VII, the principle of self-defense, or operational code norms permitting its use in the attendant circumstances?
a) If so, the operation is likely to be judged legitimate.
b) If not and the operation constitutes a use of armed force, the CNA will violate Article 2(4), as well as the customary international law prohibition on the use of force.
c) If not and the operation constitutes a use of force, but not armed force, the CNA will violate Article 2(4).
4) If the CNA does not rise to the level of the use of force, is there another prohibition in international law that would preclude its use? The most likely candidate, albeit not the only one, would be the prohibition on intervening in the affairs of other States."
"1) If the computer network attack amounts to a use of armed force, then the Security Council may characterize it as an act of aggression or breach of peace and authorize a forceful response under Article 42 of the Charter. To constitute an armed attack, the CNA must be intended to directly cause physical damage to tangible objects or injury to human beings.The paper contains a lot of insight (at least to an outsider like me) of how the international law works and what may be the questions asked after the first real cyber war. I highly recommend reading this paper in full to get the picture. I know the author is currently working on updating the analysis, but until then, we must wait.
2) If the CNA does not constitute an armed attack, the Security Council may nevertheless find it to threaten the peace (the absence of inter-state violence) and authorize a use of force to prevent a subsequent breach of peace. The CNA need not amount to a use of force before the Council may determine that it threatens peace.
3) States, acting individually or collectively, may respond to a CNA amounting to armed attack with the use of force pursuant to Article 51 and the inherent right of self-defense.
4) States, acting individually or collectively, may respond to a CNA not amounting to armed attack, but which is an integral part of an operation intended to culminate in armed attack when:
a) The acts in self-defense occur during the last possible window of opportunity available to effectively counter the attack; and
b) The CNA is an irrevocable step in an imminent (near-term) and probably unavoidable attack."
No comments:
Post a Comment