National Security Law Program
Center on Corporate Governance
When does a cyber attack (or threat of cyber attack) give rise to a right of self-defense – including armed self-defense – and when should it? By "cyber attack" I mean the use of malicious computer code or electronic signals to alter, disrupt, degrade or destroy computer systems or networks or the information or programs on them. It is widely believed that sophisticated cyber attacks could cause massive harm – whether to military capabilities, economic and financial systems, or social functioning – because of modern reliance on system interconnectivity, though it is highly contested how vulnerable the United States and its allies are to such attacks.
This article examines these questions through three lenses: (1) a legal perspective, to examine the range of reasonable interpretations of self-defense rights as applied to cyber attacks, and the relative merits of interpretations within that range; (2) a strategic perspective, to link a purported right of armed self-defense to long-term policy interests including security and stability; and (3) a political perspective, to consider the situational context in which government decisionmakers will face these issues and predictive judgments about the reactions to cyber crises of influential actors in the international system.
My main point is that these three perspectives are interrelated, so lawyers interested in answering these questions should incorporate the strategic and political dimensions in their analysis. This is not just to make the banal, generic point that politics, strategy and law are interrelated. Of course they are. Rather, this article aims to show specifically how development of politics, strategy and law will likely play out interdependently with respect to this particular threat – cyber attacks – and to draw some conclusions about legal development in this area from that analysis.
The focus of this essay on military self-defense to cyber attacks (that is, self-defense in a legal sense of resort to force) is not meant to suggest that this is the most important element of a comprehensive cybersecurity strategy – far from it. Most attention these days is properly on other components of that strategy, including better network security and "offensive" cyber measures, though military force is part of the strategic tool set. Also, an important caveat is that this analysis is self-consciously colored with an American perspective. If one assumes, as I do, though, that legal analysis and development cannot be divorced from strategy and politics, then America's power – in its various forms – and vulnerabilities to power will greatly influence its own interpretive approach to these issues, and because of its relative power globally it will greatly influence international legal movement in this area.
Matthew C. Waxman,
Self-Defensive Force Against Cyber Attacks: Legal, Strategic and Political Dimensions,
Int'l L. Stud.
Available at: https://scholarship.law.columbia.edu/faculty_scholarship/845