Many thanks to Eric Jensen for his excellent post on cyber issues, the use of force, and international law. The increasing number and sophistication of cyber attacks threatening a broad range of digital assets central to national security. Grave cyber threats can be generated by actors lacking organizational or technical sophistication. Identification of specific threats and the attribution of these threats to specific actors present extreme technical, logistical, and social challenges. Cyber attacks do not involve the use of armed force in the traditional sense—and the distinctions between cyber-theft, cyber-espionage, and cyber “acts of war” are often exceedingly fine. Cyber threats nevertheless increasingly implicate the law of war—because of the scope of the threats and vulnerabilities involved, the targets of these threats, and the importance of cybersecurity to national security. The question is how to apply concepts of self defense, attack, civilian, discrimination, and proportionality in the cyber context.

Jensen’s post suggests a path forward and highlights one way in which the path we choose carries significance beyond the cyber realm. His central claim–that the way we resolve cyber-related ambiguities in the law of war will set a precedent for addressing similar issues raised by other looming war-making technologies–is extremely important and almost certainly correct. I also generally agree with his claim that current legal principles should not be abandoned, or considered irrelevant, in the cyber context–even though several principles of the law of war might need to “evolve” or be “modified” to address the more trenchant cyber-ambiguities. His point is that prevailing law cannot be applied to the cyber context without any further elaboration or clarification and yet, the fundamental principles of current law are the appropriate normative framework for resolving these ambiguities.

This all strikes me as persuasive. Jensen’s post prompts us to reflect carefully on the first order question of whether current law is up to the challenges posed by cyber hostilities. What is needed going forward, though, is a concrete, comprehensive inventory of the options available to policymakers and lawyers. What form might the needed “modification” or “evolution” take? By what process and in what forum might these changes be articulated and authoritatively endorsed?  For example, changes in international law might be brought about by treaty, inter-governmental organization rulemaking, or informal standard setting. And whatever form legal change assumes, these changes might be pursued through the United Nations General Assembly, the Security Council, regional organizations, or even a highly decentralized reliance on evolving state practice. What are the costs and benefits of each form, forum, and process?