Cyber Conflict in DOD’s Law of War Manual

Editor’s Note: Just Security is holding a “mini forum” on the new Defense Department Law of War Manual. This series includes posts from Sean Watts, Eric Jensen, Adil Ahmad Haque, Geoffrey Corn, Charlie Dunlap, Jr., John Dehn, Rachel VanLandingham, and more to come.

Law of cyber warfare practitioners surely breathed a sigh of relief when they found that only 15 of the 1,176 pages in DOD’s new Law of War Manual addressed cyber warfare. DOD appears to have concluded that the law in this area is still developing (or, perhaps, not developing), and that trying to capture it precisely would lead to the creation of a chapter that would soon be irrelevant. As a result, the cyber warfare chapter sticks broadly to the application of the principles of the law of armed conflict to cyber warfare – although it “inconveniently” introduces a new legal concept that seems inconsistent with other sections of the manual.

It’s well-settled in the US that the law of armed conflict applies to cyber warfare – the trick is determining exactly how it applies. Are cyber intrusions analogous to physical intrusions? Is cyber sovereignty the same as Westphalian sovereignty, or has cyberspace morphed the concept into something else entirely? Is temporarily impairing the functionality of equipment the legal equivalent of damaging it? What if the “temporary” period is weeks or months?

For the most part, the conversation about the law of cyber warfare resolves into three main headings: 

– What is a cyber attack?

– What is a cyber weapon?

– What are the rules (if any) governing cyber espionage?

Of the three, the DOD manual provides some interesting detail on the first, defers on the second, and avoids the third. It’s understandable that DOD’s treatment of espionage is brief. After all, armed conflict is DOD’s area. Intelligence operations are overseen by others, and the Law of War Manual might not be the best place for a discussion of cyber espionage, however interesting and timely.

Cyber weapons, on the other hand, are within DOD’s area of responsibility, and they have been a topic of increasing interest. There are concerns about whether States have an obligation to disclose vulnerabilities in civilian software, for example, rather than using them as exploits in military or intelligence operations. Sellers of previously unknown software vulnerabilities known as “zero days” have been referred to as “arms dealers.” All the while, there is not even an agreed definition of what constitutes a cyber weapon, and on this difficult issue the manual defers to the individual military services. “Not all cyber capabilities, however, constitute a weapon or weapons system. Military Department regulations address what cyber capabilities require legal review.” Unfortunately, only the Air Force has issued specific guidance on cyber weapons and capabilities, and it’s not clear that the other services hold the same views on these matters as the Air Force. On this issue, the Law of War Manual missed an opportunity to provide some clarity, perhaps because the department felt the international law on the subject is insufficiently settled to provide definitive guidance.

The manual’s treatment of the notion of cyber attack is the most complete. Two uses of the word attack are addressed in the DOD manual. We’ll first look at the term in its ad bellum sense, because when headlines or political discussions question whether something is a cyber attack, they’re normally considering whether a particular cyber action could justify a State acting in self-defense, which for the US means the action rises to the level of a use of force (the US asserts that the right of self-defense may apply in the case of any use of force against it, as explained in chapter one, footnote 230 of the DOD manual).

In this regard, DOD notes that using cyber capabilities to trigger a nuclear plant meltdown, open a dam above a populated area, or disable air traffic control services resulting in airplane crashes, would “likely be considered” a cyber attack. No surprises there. However, the DOD manual goes on to include in this category crippling a military’s logistics system. Although how extensive an attack would have to be to be considered “crippling” isn’t specified, it’s potentially quite a leap from bursting the Hoover Dam to conducting a long-term denial of service disruption against Transportation Command’s computer network, delaying the movement of troops and materiel. This standard could be especially problematic if applied by a smaller State with a less robust military logistics capability. For example, in a situation like the 2007 events in Estonia, a relatively small State might incidentally have its military logistics system crippled when civilian communications in the country are disrupted. Until now, disrupting communications (like in Estonia) probably wouldn’t have been considered a sufficient basis for exercising the right of self-defense.

The DOD manual discusses the meaning of cyber attack during armed conflict (in bello), as well. The definition of attack is important within on-going armed conflicts because it determines when the principles of the law of armed conflict apply. The DOD manual notes the term doesn’t encompass defacing government webpages; briefly disrupting Internet service in a minor way; briefly disrupting, disabling, or interfering with communications; or disseminating propaganda. However, the DOD manual modifies its stance by introducing a unique principle of cyber warfare – Avoidance of Unnecessary Inconvenience. “[E]ven if a cyber operation is not an ‘attack’ or does not cause any injury or damage that would need to be considered under the proportionality rule, that cyber operation still should not be conducted in a way that unnecessarily causes inconvenience to civilians or neutral persons.” Perhaps the language is just a specific articulation of the principle of humanity, for example, and is also applicable to kinetic warfare, but it appears to be new. It’s not clear that inconvenience has ever been a consideration in warfare, as emphasized in chapter 5, footnote 306 of the DOD manual.

One striking thing about the chapter on cyber operations is that it relies almost entirely on two references: a 1999 DOD Office of General Counsel paper and Harold Koh’s 2012 speech at the US Cyber Command Legal Conference. Although Mr Koh’s speech in particular clearly sets out the US position on some of the key issues, it’s odd that the chapter contains not a single reference to the Tallinn Manual on the International Law Applicable to Cyber Warfare, which has been generally well-regarded since its publication in 2013. As the Tallinn manual is often consonant with US positions, it may have been helpful to cite it to give a non-US voice to some of the positions, as was the case throughout other chapters of the DOD manual.

DOD should be applauded for tackling the difficult issue of the law of cyber warfare. Cyber operations in 2015 little resemble what they were in the 1990s when the DOD manual was conceived, and the chapter undoubtedly underwent many revisions over the years. The final product strikes a balance between saying too little and saying too much in an area of law that is fast evolving. The risk is that DOD chose the wrong areas to say too little and too much about – too little about cyber weapons, and too much about law of war principles.

About the Author(s)

Gary Brown

Professor of Cyber Security at Marine Corps University, Quantico, Virginia and Former Head of Communications and Congressional Affairs for the Washington Delegation of the International Committee of the Red Cross (ICRC)