Roger Hertog Program on Law and National Security
In a 2010 article in Foreign Affairs, Deputy Secretary of Defense William Lynn revealed that in 2008 the Department of Defense suffered "the most significant breach of U.S. military computers ever" when a flash drive inserted into a US military laptop surreptitiously introduced malicious software into US Central Command's classified and unclassified computer systems. Lynn explains that the US government is developing defensive systems to protect military and civilian electronic infrastructure from intrusions and, potentially worse, disruptions and destruction, and it is developing its own cyber-strategy "to defend the United States in the digital age."
To what extent is existing international law, including the UN Charter, adequate to regulate cyber attacks and related offensive and defensive activities today and in the future? By "cyber attacks" I mean efforts to alter, disrupt, degrade or destroy computer systems or networks or the information or programs on them.
This article examines one slice of that legal puzzle: the UN Charter's prohibitions of the threat or use of "force" contained in Article 2(4). Other writings in this volume deal with questions such as Article 51's self-defense provisions and questions of State responsibility, and there are other international legal prohibitions and regulations that are relevant as well. But Article 2(4) is a good place to start because it establishes or reflects foundational principles upon which most international law regulating international security sits. As a general matter, military attacks are prohibited by Article 2(4) except in self-defense or when authorized by the UN Security Council. Also as a general matter, most economic and diplomatic assaults or pressure, even if they exact tremendous costs on a target State, are not barred in the same way. Where along the spectrum in between might cyber attacks – which have some attributes of military attacks and some attributes of non-military pressure – lie?
Almost a decade ago, in a previous volume of this series, Professor Yoram Dinstein observed of cyber attacks: "The novelty of a weapon – any weapon – always baffles statesmen and lawyers, many of whom are perplexed by technological innovation.... [A]fter a period of gestation, it usually dawns on belligerent parties that there is no insuperable difficulty in applying the general principles of international law to the novel weapon...." This article takes up that claim in examining how US officials, scholars and policy experts have sought to adapt the UN Charter's basic principles.
This analysis yields two descriptive insights. First, it shows that American thinking (both inside and outside the government) inclines toward reading prohibited "force" broadly enough to include some hostile actions that might be carried out with bits of data in cyberspace. Although not necessarily inconsistent with interpretations previously dominating American thinking, this recent inclination reflects a shift away from the stricter readings of Article 2(4) and related principles that the United States government defended in the past when it was often the United States and its allies resisting efforts by some other States to read "force" broadly or flexibly.
Second, any legal line drawing with respect to force and modes of conflict has distributive effects on power, and it is therefore likely to be shaped by power relations. Because States have different strategic cyber-capabilities and different vulnerabilities to those capabilities, it will be difficult to reach international consensus with regard to the UN Charter's application to this problem.
Matthew C. Waxman,
Cyber Attacks as "Force" Under UN Charter Article 2(4),
Int'l L. Stud.
Available at: https://scholarship.law.columbia.edu/faculty_scholarship/847