Rules of Cyber Engagement

The fuzzy international guidelines and norms for conflicts carried out online.

[Image: power grid. Caption: Utilities could be targets in cyberwar. Mark Strozier]

Sometime in late 2013 or early 2014, hackers infiltrated the business network of a German steel plant, disrupting critical systems and causing massive—albeit unspecified—damage by manipulating the control system of a blast furnace.

Then, in 2015, malicious code attacked the power grid in the Ivano-Frankivsk Oblast in Western Ukraine, shutting off power for several hours. At the time, Ukraine was embroiled in an armed conflict with Russian-backed rebels.

These were not isolated incidents. Conflicts in cyberspace and cybertactics used in conventional (that is, physical) conflicts are both happening, and with increasing frequency. According to data collected in an ongoing project at New America, where I work, there have been 61 cyberattacks conducted by states against other states during peacetime and an additional 24 during wartime since the late 1980s. (New America is a partner with Slate and Arizona State University in Future Tense.) But are there rules for cyber in war? And what about conflict in cyberspace? If so, what are they? Where have they come from?

Generally, a loose amalgamation of existing law and norms, combined with developed and developing cyber-specific norms, attempts to govern state action in cyberspace. If we are to accept, as many have argued, that cyberwar is only a very minute portion of state behavior in cyberspace, then of particular interest for cyberwar are two existing bodies of law and their cyber-specific adaptations: jus ad bellum and jus in bello. Because it’s far more straightforward, let’s start with jus in bello.

Jus in bello, Latin for right in war and also known as international humanitarian law, aims to constrict how states fight—thereby constricting the potential destructiveness of war. It does so by stipulating constraints like what assets cannot be targeted (like hospitals and refugee camps) and what weapons cannot be used (like chemical-tipped missiles). While the details are nearly endless and spread across a number of conventions—including the Hague Convention of 1907, the United Nations Charter, and the 1949 Geneva Conventions—three key, high-level principles underpin the laws of war: military necessity, distinction, and proportionality.

Military necessity is the concept that an attack must be on a legitimate military target and harm to civilians or civilian property must not exceed the military advantage. Distinction is the idea that combatants must distinguish between combatants and noncombatants. Proportionality (at least when it comes to jus in bello) is the principle, often misunderstood and misrepresented, that the destruction caused to civilians and civilian property must be proportional to the strategic gain achieved.

Jus ad bellum, Latin for right to war, aims to limit the rightful reasons states can fight by defining what kinds of action constitute an act of war and, in a derivative sense, prescribing what state actions are and are not acceptable during peacetime. Like jus in bello, jus ad bellum is a broad body of law governed by a series of principles: proper authority, just cause, probability of success, proportionality (ad bellum), and last resort. In addition, according to the principles of jus ad bellum, a war is only a war when a state declares it so.

In reality, the rules that govern state action in cyberspace are pretty similar to those governing state behavior in other areas. When waging cyberwar (whatever that means), one must ensure that the attacks and tactics are militarily necessary and distinguish between combatants and noncombatants, and that the force used is proportional to the gain achieved. And in order to wage cyberwar, one must have a just cause and declare it war.

In 2013, an international group of lawyers released an interpretation of how the laws of war apply to cyberspace in the Tallinn Manual 1.0, a 300-plus-page guidebook. The manual’s overarching message was that the existing laws that govern war—like the principles of military necessity, proportionality, and distinction—are as valid online as they are off. This declaration has gradually become consensus among states. The manual also held that the same laws that determine a state’s right to war hold online as offline. However, its suggestions for how jus ad bellum applies to cyberspace have been less than universally accepted—primarily because no one can agree on what cyberwar means.

According to the principles of jus ad bellum, we have never experienced a cyberwar because, among other reasons, no state has ever declared one. And yet, cyberconflict between states has become commonplace. In the Ukrainian power grid example, the attack was part of an ongoing conflict, so it is clearly an act of war. But what about the German steel mill? If a belligerent were to cause the same damage by sending a conventional force into Germany, whether via land, air, or sea, this would automatically be considered an act of war. Yet, despite widespread consensus about who was ultimately behind the attack (digital traces as well as the terms and tactics used to carry out the attack point to Russia—though not conclusively to the government itself), Germany did not react to this act of aggression with an act of aggression of its own. Alternatively, it could have sought some form of recompense via international legal avenues. Yet it did not.

Herein lies one of the major difficulties with prescribing the right to a just war with regard to cyber. Because attribution of attacks is either (a) still not very good, or (b) requires releasing classified, proprietary, or sensitive information, confirming the identity of an aggressor is difficult. Though governments and private companies alike profess improved attribution capabilities, proving an aggressor beyond reasonable doubt still faces hurdles, and the presence of many nonstate and proxy actors in this space further complicates matters, giving many of the countries engaging in offensive operations the crutch of plausible deniability.

A great deal of international policymaking time and effort has been poured into the development of norms for state behavior below the threshold of war and of confidence-building measures for cyberspace. Indeed, the legal scholars of the Tallinn Manual 1.0 have begun preparations for the 2.0 version of the manual focusing on just that: the international legal framework that applies to cyberoperations below the threshold of war. The Tallinn Manual 2.0 is set to publish sometime in 2016.

Having said all that, in international relations, there’s some dispute over how much these rules actually matter. To proponents of neorealism, a paradigm in international relations, the international system is inherently anarchic and therefore no authoritative institution, like the United Nations or NATO, can enforce rules that constrain state behavior, online or off. Thus, state power and the fear of reprisal are the primary governors of state action. A staunch realist would say that as laws and norms agreed upon by states will go unenforced, there is little incentive for states not to cheat in those agreements.

Those in the opposing camp—known as neoliberalism, institutionalism, rational functionalism, or some combination thereof—hold that, thanks to the complex interdependence of states, modern institutions do a pretty good job of constraining state behavior.

This same dispute is also playing out in cyberspace: Depending on whom you talk to, state action online is similarly governed by power (both cybercapabilities and traditional conceptions of power, like economic, cultural, and military might); by institutions, like jus in bello and jus ad bellum; or by some mix of the two. Nonetheless, a great deal of international policymaking effort has been poured into the creation or translation of institutions, norms, and regimes for cyberspace.

Despite efforts from diplomats, the past few years have brought the world more state-on-state cyberconflict than any year before—in terms of both severity and frequency. In addition to the Ukraine and German examples, we saw North Korea (allegedly) hit Sony Enterprise, exfiltrating countless data and damaging much of Sony’s business network; Iranian actors reportedly increase their efforts to compromise U.S. utility providers’ industrial control systems; a reported attempt by the Syrian Electronic Army to compromise the water supply of the Israeli city Haifa; the U.S. purportedly try to disrupt the North Korean nuclear program; and about a half-dozen others that have gone un- or underreported in mass media. As evidenced by the German steel mill and Stuxnet, states have begun to—and likely will continue to—explore the possibility of inflicting physical damage to critical systems via cyberattacks. Much work is being done in diplomatic circles to clarify what is and is not OK in this space, but until rules are universally accepted, some will claim, as the old adage says, all is fair in love and (cyber)war.

This article is part of the cyberwar installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month from January through June 2016, we’ll choose a new technology and break it down.

Future Tense is a collaboration among Arizona State University, New America, and Slate.