As the prospect of international cyber warfare has become increasingly likely
—and as cyber attacks of many forms have proliferated
—scholars have devoted much attention to whether and when a state may legally defend itself with force in anticipation of a cyber attack.
Extensive cyber operations against Estonia in 2007 and the 2010 Stuxnet cyber operation against Iran’s nuclear centrifuges are the most well known of what is likely to become a long line of cyber warfare operations.
In the United States, military leaders have, in recent years, warned of the need to defend against a “cyber Pearl Harbor” or “cyber 9/11”
and have referred to recent cyber intrusions on the Office of Personnel Management, the Joint Chiefs of Staff, and Sony as “not just espionage of convenience, but a threat to our national security.”
More recently, political and national security leadership have described cyber espionage operations against the Democratic National Committee in the midst of the 2016 presidential election cycle as “serious business . . . [that] may destroy democracy”
and perhaps the most “aggressive or direct campaign to [ever] interfere in our election process.”
Under Article 51 of the United Nations Charter, if a state classifies a particular prospective cyber attack as an “armed attack,” it may give rise to a legal right to use force in anticipatory self-defense.
This interpretation of Article 51 is rooted in the so-called Caroline doctrine, which allows for anticipatory self-defense when an opponent’s act of war is “imminent.”
The basic premise that preemptive use of force is justified when an opponent’s armed attack is “imminent” is well accepted by the international community,
including the Obama Administration and its recent predecessors.
Indeed, in the cyber context specifically, the Obama Administration purportedly determined, via a secret legal review, that the United States has the power to conduct anticipatory strikes when an armed attack is imminent.
More recently, the Department of Defense’s 2015 cyber strategy “seem[s] to leave open the door for pre-emptive cyberattacks.”
Scholars broadly agree that at least some types of cyber attacks—those that result in death or physical destruction of sufficient scale—constitute an Article 51 “armed attack” justifying anticipatory self-defense.
This requirement, however, is necessary but not sufficient for anticipatory force: Under the Caroline doctrine, that armed attack must also be “imminent.”
This Note addresses two important questions about the imminence requirement left mostly unexplored in the academic literature.
Assuming that a prospective cyber attack meets Article 51’s “armed attack” requirement:
(1) Given that imminence would be a moot question if a state could not anticipate a cyber attack, what is the likelihood that states can foresee such an attack, and does this differ depending on the type of cyber attack?
(2) If the state can foresee the attack, how can it evaluate whether a cyber attack is imminent and when it is not?
The Note concludes that prospective cyber attacks may indeed be detectable well in advance of an adversary executing the code: The more likely a cyber attack is to constitute an “armed attack,” the more likely it is to be detected.
The Note also provides considerations for determining when the “last possible window” to stop a prospective cyber attack is likely to close—or whether it has already passed.
One indication of the importance of this topic is that, similar to the U.S. President’s sole decisionmaking authority over whether to use nuclear weapons, the Obama Administration determined that only the President can order a cyber attack, including anticipatory attacks.
Administration officials determined that cyber weapons were so potentially destructive that, like nuclear weapons, they should be unleashed only on the direct orders of the Commander in Chief.
Obviously, determining whether to go to war is always a matter of grave concern, but it is especially serious in the cyber context. An additional reason why preemptive action is particularly salient in the cyber-war context is that, while outside the scope of this Note, some argue there are “plenty of signs” that cyber deterrence as a strategy has not worked, meaning that would-be opponents are not afraid to launch cyber attacks.
According to proponents of this position, the failure of deterrence means that a state will have to preempt opponents’ attacks more frequently than in the conventional- or nuclear-weapons context.
This Note proceeds in three Parts. Part I discusses the broad acceptance of the legitimacy of anticipatory self-defense under U.N. Charter Article 51 and exposits the extensive commentary on when and whether a cyber attack may constitute an “armed attack.” Part II describes leading theories of evaluating when a cyber attack is “imminent” for purposes of anticipatory self-defense. Part III then argues that the cyber attacks most likely to constitute “armed attacks” are the most likely to be detected in advance, and it introduces several technological considerations for evaluating when such an attack might be “imminent.”
I. Some Cyber Attacks Will Trigger a Right to Anticipatory Self-Defense
This Part outlines legal scholars’ understanding of how cyber attacks fit within United Nations Charter Article 51’s “armed attack” requirement for state use of force and exposits the doctrine of anticipatory self-defense. This discussion has two sections: First, in section I.A, this Note discusses the broad acceptance of the legitimacy of anticipatory self-defense under Article 51. Section I.B then summarizes commentary as to whether and when a cyber attack can constitute an “armed attack” under Article 51. Before a decisionmaker can get into the intricacies of analyzing whether a cyber attack is imminent, he or she must first accept that anticipatory self-defense is legitimate and that the doctrine applies to the cyber context.
A. Article 51’s “Armed Attack” Requirement and the Caroline Doctrine of Anticipatory Self-Defense
Under the United Nations Charter, “[a]ll Members shall refrain . . . from the threat or use of force against . . . any state,”
except where approved by the Security Council or, under Article 51, in “self-defence if an armed attack occurs against a Member . . . .”
According to the prevailing view, incorporated in the right of self-defense is the doctrine of anticipatory self-defense.
Born out of the famous Caroline incident in the midnineteenth century, the doctrine allows a state to use armed force in anticipation of an armed attack that is imminent.
Although Article 51 does not explicitly incorporate language about anticipatory self-defense, “there has been acquiescence” to the proposition that Article 51 does not disturb the longstanding international law doctrine regarding the inherent right of anticipatory self-defense.
The view that Article 51 incorporates the right to anticipatory self-defense has been used to justify a number of notable international uses of armed force. Examples include U.S. paramilitary activities in Honduras in the 1980s,
the U.S. bombing campaign of Libya in 1986,
and, perhaps most infamously, the U.S. invasion of Iraq in 2003.
The U.N. Security Council implicitly ratified the view that Article 51 allows for anticipatory self-defense in certain conditions when it unanimously condemned an Israeli attack on an Iraqi nuclear reactor in 1981 because the circumstances did not meet the “imminence” requirement of anticipatory self-defense
rather than because it denied the legitimacy of the doctrine itself.
Thus, with the doctrine of anticipatory self-defense and its requirement of an “armed attack” firmly entrenched in international law, the next key question, discussed in the following section, is whether a cyber attack can constitute an “armed attack” under Article 51. The other critical requirement—that an armed attack be “imminent”
—remains to be addressed in Part II.
B. A Cyber Attack Can Be an “Armed Attack”
Legal scholars and military decisionmakers broadly agree that, under Article 51, at least some types of cyber attacks may constitute an “armed attack” justifying the use of force in self-defense.
According to the Tallinn Manual, an impressive and influential attempt at restating international cyber law, “some cyber operations may be sufficiently grave to warrant classifying them as an ‘armed attack’” under Article 51.
The Tallinn Manual’s “International Group of Experts” presented two views about when a cyber attack constitutes an “armed attack,” one held unanimously and the other not.
Both approaches are consistent with the International Court of Justice’s insistence that it is the effect of an attack, rather than the means, that is material to the issue of whether an operation qualifies as an “armed attack.”
First, the Tallinn Manual group unanimously agreed that “any use of force that injures or kills persons or damages or destroys property” would satisfy the armed attack requirement.
This approach is consistent with the definition of an armed attack in the noncyber context.
A particular number of deaths or extent of destruction is not required.
“So long as a cyber operation is likely to result in death, injury, physical damage, or destruction, it is an armed attack.”
A second view, upon which the Tallinn Manual group did not unanimously agree, applies a lower threshold for a cyber operation to be considered an “armed attack”: Even if a cyber operation were to cause no first-order destruction or personal injury, the sheer scale and effects of its negative consequences could make it an “armed attack.”
A classic scenario highlighting the division between the two views involves a cyber operation causing the New York Stock Exchange to crash.
The experts opposed to labeling this as an “armed attack” noted that it involves no death or physical damage to property but rather is strictly financial in nature.
The experts who favored labeling this an “armed attack,” in contrast, emphasized the potentially catastrophic effects such an attack could cause, presumably referring to effects on the economy and public confidence.
Overall, the twenty experts who guided the development of the Tallinn Manual agreed that “the law is unclear as to the precise point” at which the scale and effects of harm caused by a cyber operation will qualify it as an armed attack.
All agreed, though, that at least some operations will qualify as “armed attacks.”
1. Examples of When a Cyber Attack Is—and Is Not—an Armed Attack. — To understand cyber attacks within Article 51’s “armed attack” framework, it is helpful to walk through some examples of cyber operations that would be more, or less, likely to constitute an “armed attack.” For example, under the threshold that the Tallinn Manual group agreed upon unanimously, the international community would be less likely to recognize an “armed attack” arising out of the mere destruction, damage, or alteration of data;
it would additionally have to result in physical consequences, such as causing a generator to overheat and catch fire or causing a transportation vehicle like a plane or subway to crash.
Such physical effects could be employed against any number of systems involving mechanical devices, including electric grids, municipal water systems, air traffic control, and military assets.
Two areas of particular concern for U.S. national security include the national fuel-supply infrastructure and power grid.
In contrast, under the more expansive view held nonunanimously by Tallinn Manual group members, destruction of data may have compounding scale and real-world effects severe enough to constitute an “armed attack.” For example, destruction of data designed to be immediately convertible into tangible objects, like banking data (which could presumably be converted into physical cash), could also be an armed attack.
Similarly, a cyber attack against the stock exchanges that occurs “repeatedly and continually,” disrupting trading for an “extended period of time,” may constitute an armed attack, even if the attack causes no physical damage.
Additionally, under either view of the “armed attack” threshold, a state could respond with force to cyber operations that accompany military action otherwise constituting an “armed attack,” regardless of the effects of the cyber operations themselves.
For example, “cyber attacks would likely be conducted against enemy command and control or air defense systems as an element of a broader [kinetic] military operation.”
Here, a state may act with force, “regardless of whether [the cyber attacks] independently qualify as an armed attack, because they are a component of the overall [‘conventional’ armed attack].”
Finally, most experts agree that “acts of [mere] cyber-intelligence gathering and cyber theft, as well as cyber operations that involve brief or periodic interruption of non-essential cyber services, do not qualify as armed attacks.”
Thus, despite the claims of some political leaders and despite possible harm to American representative democracy, the recent Russian cyber espionage operation to disrupt the 2016 electoral process probably should not be considered an “attack” that is an “act of war.”
Similarly, denial-of-service attacks—in which attackers overwhelm a target’s network links or servers with more traffic or requests than they can handle,
and thereby impede their functionality—have thus far failed, and will likely continue to fail, to directly cause human deaths or physical destruction or to have other negative consequences of sufficient duration and scale to satisfy the “armed attack” requirement.
For this reason, and because of the likely precedential effect of no state having declared any of the numerous denial-of-service attacks to be “armed attacks” thus far,
this type of attack is highly unlikely to be classified as “armed” going forward.
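The duration and scale criteria the text applies to denial-of-service attacks (a brief or periodic interruption versus sustained, repeated disruption) can be made concrete with a small rate-based detector run over traffic records. The following is an added example written for this page, not code from the Note or from any government program it mentions; the log format, the traffic volumes, the 200-requests-per-second saturation threshold, and the sustained_seconds policy knob are all constructed for illustration.

```python
"""Rate-based detector for volumetric denial-of-service traffic, run over a
constructed log. Added example; not code from the Note or any named program."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: int      # seconds since start of the constructed timeline
    src: str     # source address
    dport: int   # destination port
    nbytes: int  # bytes in the request


def parse_line(line: str) -> Record:
    """Parse one constructed log line of the form '<ts> <src> <dport> <bytes>'."""
    ts, src, dport, nbytes = line.split()
    return Record(int(ts), src, int(dport), int(nbytes))


def build_sample_log() -> list:
    """Constructed traffic: 20 req/s baseline for 20 s, plus a flood of 500 req/s
    from 200 addresses in TEST-NET-2 space (RFC 5737) during seconds 10-14."""
    lines = []
    for t in range(20):
        for i in range(20):                      # legitimate clients, every second
            lines.append(f"{t} 10.0.0.{i + 1} 443 800")
        if 10 <= t <= 14:
            for i in range(500):                 # flood sources cycle through 200 addresses
                lines.append(f"{t} 198.51.100.{i % 200} 443 60")
    return lines


def analyze(lines, rps_threshold: int = 200, ddos_min_sources: int = 50) -> dict:
    """Count requests per one-second window; seconds above rps_threshold are
    treated as saturated. Returns the peak rate, how many seconds were saturated,
    the longest unbroken run of saturated seconds, and how many distinct sources
    were present during them (many sources suggest a distributed attack)."""
    per_sec = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        per_sec[rec.ts] += 1
        sources[rec.ts].add(rec.src)
    if not per_sec:
        return {"peak_rps": 0, "flood_seconds": 0, "longest_run": 0,
                "distinct_flood_sources": 0, "distributed": False}
    flooded = sorted(t for t, n in per_sec.items() if n > rps_threshold)
    longest = run = 0
    prev = None
    for t in flooded:                            # longest contiguous run of saturated seconds
        run = run + 1 if prev is not None and t == prev + 1 else 1
        longest = max(longest, run)
        prev = t
    flood_sources = set()
    for t in flooded:
        flood_sources |= sources[t]
    return {
        "peak_rps": max(per_sec.values()),
        "flood_seconds": len(flooded),
        "longest_run": longest,
        "distinct_flood_sources": len(flood_sources),
        "distributed": len(flood_sources) >= ddos_min_sources,
    }


def classify(summary: dict, sustained_seconds: int) -> str:
    """Map a summary onto the duration distinction the text draws: no flood,
    a brief interruption, or a sustained one. sustained_seconds is a policy
    knob chosen by the analyst, not a legal threshold."""
    if summary["flood_seconds"] == 0:
        return "no flood"
    if summary["longest_run"] < sustained_seconds:
        return "brief interruption"
    return "sustained interruption"


if __name__ == "__main__":
    s = analyze(build_sample_log())
    print(s, classify(s, sustained_seconds=3))
```

Counting requests per second is the simplest volumetric signal; it separates a flood from normal load and, by measuring the longest run of saturated seconds and the number of participating sources, yields the two quantities the text treats as decisive, namely how long service was impeded and whether the attack was distributed. Production detectors use learned per-service baselines and per-link bandwidth rather than a fixed count, and a distributed flood by itself says nothing about which state, if any, is behind it.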
2. Why No State Has Yet Declared Itself the Victim of an “Armed” Cyber Attack. — Notably, no international cyber incidents have yet been “unambiguously and publicly characterized by the international community as . . . an armed attack.”
This includes the 2007 cyber operations against Estonia, which were popularly referred to as a “cyber war”;
the 2008 cyber operations against Georgia that preceded Russia’s invasion;
and the 2010 Stuxnet operations against Iran’s nuclear centrifuges.
As for the Estonia case, the international community had strong incentives to not recognize the actions against the country as an “armed attack” because doing so could have triggered Article 5 of the North Atlantic Treaty, requiring fellow NATO members, including the United States, to come to the collective self-defense of Estonia.
Such an escalation could have involved a confrontation between NATO and Russia that the international community and Estonia may have felt was disproportionate to the novel, nondeadly operations against the tiny country.
The Speaker of the Estonian Parliament, however, certainly believed a forceful response was justified, stating, “When I look at a nuclear explosion and the explosion that happened in our country in May, I see the same thing.”
The predominant view, though, is that despite the political incentives to not declare the Estonia attacks as “armed attacks,” this was also correct as a matter of law because of the lack of significant lasting harmful effects.
The Estonia and Georgia operations were primarily distributed denial-of-service (DDoS) attacks that interrupted critical electronic systems but did not result in extensive physical damage.
Numerous less notable DDoS attacks preceded the Estonia and Georgia attacks and similarly were never characterized as armed attacks.
Thus, the established precedent of not categorizing such attacks as “armed” and the inherent nature of the effects of denial-of-service attacks mean that they will be unlikely to rise to the level of an armed attack.
In contrast, the Tallinn Manual refers to the Stuxnet operations against Iran’s nuclear centrifuges as a “closer case” for classification as an “armed attack” because the malware likely did physical damage to the centrifuges.
Physical damage to critical assets falls within the most broadly accepted definition of “armed attack” in both the cyber and noncyber contexts.
Some observers thus believe the Stuxnet operation was a clear example of an “armed attack.”
Not unlike the Estonia case, however, Iran had incentives to downplay the physical damage done to its centrifuges,
with former President Mahmoud Ahmadinejad asserting that Stuxnet was only “able to cause minor problems with some of our centrifuges . . . . They misbehaved but fortunately, our experts discovered it.”
Iran’s leadership had internal political incentives not to appear weak and incompetent by having their prized nuclear program compromised by adversaries. Iranian leadership may also have wished to preserve its own ability to launch similar attacks, without fear of the operation being labeled an “armed attack” and thereby justifying legal force against itself.
The question of how to evaluate whether a prospective cyber attack is “imminent” is very much a live issue for two reasons. First, as discussed in section I.A, the doctrine of anticipatory self-defense is broadly accepted by the international community, including the United States. Second, as discussed in section I.B, the international community has already come close to—but so far has been able to skirt the reality of—cyber attacks rising to the level of “armed attacks” that, if detected in advance, would justify anticipatory self-defense under U.N. Charter Article 51. To be prepared to legally respond with force in anticipation of a prospective armed attack, decisionmakers must be able to determine whether that attack is “imminent.” This is the subject of Parts II and III.
II. Evaluating the “Imminence” of a Cyber Attack
While there is an abundance of literature on when a cyber attack may rise to the level of an “armed attack” justifying anticipatory self-defense under Article 51,
there is a paucity of discussion applying the theoretical frameworks of “imminence” to the operational reality of how cyber weapons are developed and launched.
To address this void, this Note introduces several technical considerations inherent to the development of cyber weapons and explains why they will tend to make a particular cyber attack more or less imminent.
These considerations should influence decisionmakers’ understanding of whether a particular cyber attack is imminent, or not.
This Part assumes, based on section I.B, that some cyber attacks can be an Article 51 “armed attack” and moves on to the question of how to theoretically evaluate when a cyber attack is “imminent” for purposes of anticipatory self-defense. Section II.A introduces the concept of “imminence” generally and its application to the cyber arena. Section II.B then argues that improving cyber-operation-detection efforts will often lead to advance notice of potential armed attacks, requiring political decisionmakers to determine whether a prospective attack is “imminent.”
A. The Meaning of “Imminence” for Anticipatory Self-Defense, Including in the Cyber Context
1. Two—or, Possibly, Three—Views of Imminence. — There is not one single, generally agreed-upon definition in the literature of what it means for an armed attack to be “imminent.”
At the most restrictive end, some commentators have asserted that in order for an attack to be “imminent” such that anticipatory self-defense is justified, the force used in self-defense must occur just as the attack is about to be launched.
In the cyber context, this presumably would mean the moment the adversary is about to click the button that executes the already-written code. If one takes this restrictive view of imminence in the cyber context, the question of anticipatory self-defense will almost always be moot because the time it takes for fully written code to reach its target after it is executed is negligible.
There would never be an opportunity to preempt the incoming attack; it would be akin to waiting for someone holding a bomb to press the trigger button. Accordingly, a majority of the Tallinn Manual group rejected this narrow reading of “imminence.”
Another view of imminence, which Professor Michael Schmitt and the Tallinn Manual’s International Group of Experts have endorsed in the cyber context, is that the proper test must be whether or not “the last possible window of opportunity” to stop an armed attack has presented itself.
This window “may present itself immediately before the attack in question or, in some cases, long before it occurs.”
Determining when the window is closing, with incomplete information, is necessarily a function of estimating several likelihoods: for example, (1) the likelihood that the opponent would actually launch an attack, (2) the likelihood that the attack would actually result in harm rising to the level of an “armed attack,” and, importantly, (3) the likelihood that the present moment is the last in which the target state could still effectively counter the prospective attack.
This “last possible window” view of imminence allows for anticipatory action in the cyber context, while the “about to be launched” view effectively does not.
A possible third view of imminence, known as “elongated imminence,” has also emerged.
Rather than truly being a distinct, new view, however, it seems to just be the “last possible window” standard with a different brand name.
According to reporting on the views of Legal Adviser to the State Department Harold Koh—the creator of the term “elongated imminence”—the theory allows a “consistent pattern of prior activity” by, for example, a potential terrorist actor to justify an act of self-defense.
In this example, would-be terrorists would not have to be boarding a plane before a kill operation could be executed; “it would be enough if they were designing the suicide vests.”
Rather than a new conception of imminence, the elongated-imminence view seems to be a straightforward application of the last-possible-window standard: Designing a suicide vest is a strong indicator of the likelihood that the would-be terrorist intends to carry out an attack, the effects of such an attack would very likely result in an “armed attack,” and waiting until the would-be terrorist attempts to board a plane is unacceptably late because the likelihood that the attack would not be effectively countered is too high.
Therefore, the time period must be shifted back to the last possible window for effectively stopping the attack—here, when authorities have detected that a person is designing a suicide vest.
Thus, while U.S. presidential advisers may yet still broaden elongated imminence to something distinct from the last-possible-window standard, the terms currently appear to mean the same thing.
2. Hypothetical Examples Demonstrating the Difference Between the Two Views. —To imagine what the last-possible-window view of imminence might mean in the cyber context, it is helpful to examine some hypothetical scenarios.
a. Hypothetical 1
U.S. leadership discovers that an adversary has penetrated a significant portion of the U.S. electric grid and has fully developed the code necessary to shut down the grid. The adversary could shut down the grid at any moment, but there is no concrete reason to believe it intends to do so in the near future.
Under the traditional “about to be launched” (ABL) view of imminence, the United States cannot take action in this scenario because it has no reason to believe the adversary plans to act on its capability in the immediate future.
In contrast, under the “last possible window” (LPW) approach, the United States is clearly entitled to take action: At any moment, the adversary has the capability to effect an armed attack that, once initiated, would not be preventable.
The last possible window is about to close.
b. Hypothetical 2
An adversary has declared its intention to shut down the U.S. power grid with a cyber attack, but the United States has strong reason to believe no software development activity has begun and that the adversary has not penetrated the relevant networks.
Here, the United States obviously cannot act under the ABL view because software development has not even begun,
but it also probably cannot act under the LPW approach. The consequences of a successful attack would be dire, but, as is discussed in Part III, such complicated, customized software takes significant time to develop, requires the adversary to find an exploitable vulnerability in the target network, and, since new software always has errors, it might not work.
The “last possible window” to stop the attack has not passed because the United States still has a strong likelihood of being able to effectively prevent it
through means such as diplomacy and defensive measures to protect the power grid.
c. Hypothetical 3
An adversary has fully developed the code to shut down a power grid, but an agent must plug a USB drive containing the code into a particular piece of equipment in a U.S. facility in order for it to execute. The United States is confident its facilities have not yet been penetrated by the agent.
Here, the United States probably cannot act under the ABL view because the adversary has not yet gained access to the facilities required to launch the attack.
Whether it can act under the LPW approach is a close call. The fact that the United States, if it intercepted the agent, could still stop the attack weighs against the attack being imminent.
On the other hand, the risk of that one person successfully completing his or her task may be so high that the last possible window to stop the attack may have arrived.
The purpose of this section has been to show that there are competing schools of thought with regard to when an armed attack is imminent and that, as others have argued, only the “last possible window” view allows for the action necessary to thwart potentially destructive attacks.
Remaining questions include: (1) whether decisionmakers will know enough about potential cyber attacks to be able to determine when the “last possible window” will close or even to detect that an attack is on the horizon
and (2) what decisionmakers need to know about the technical aspects of cyber weapons to help them determine when the “last possible window” to stop an armed attack will close.
B. Detection Efforts Continue to Improve, Thereby Increasing the Likelihood Decisionmakers Will Need to Decide If a Cyber Attack Is Imminent
Some scholarly writing assumes that states will tend not to know when a cyber attack is coming because the time between when it is launched and when it reaches its target will be minimal.
Under this view, the anticipatory self-defense question—and thus the “imminence” question as well—will never arise: If a state does not detect a cyber attack in its planning phase, it cannot conduct an imminence analysis. Proponents of this view posit, for example, that cyber attacks, like “kinetic terrorism, arrive with no warning.”
This view incorrectly focuses only on the moment that the adversary chooses to launch the attack, after which the attack will of course arrive quickly; it ignores the possibility of detecting the cyber attack during its planning and development phase.
Indeed, there is ample reason to believe that investments over the past several years have dramatically improved the United States’ monitoring abilities in this arena: For example, in 2010, the federal government reportedly launched a program called “Perfect Citizen” “to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants . . . .”
The system is said to “rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack . . . .”
Additionally, the Department of Defense’s (DoD’s) 2015 Cyber Strategy special report details plans to, by 2018, have sixty-eight military teams defending DoD network assets; thirteen “National Mission” teams defending critical national, nonmilitary assets; and more teams directly assisting traditional combat operations.
This will at least double the number of teams working on cyber defense and offense today.
The Pentagon expects to focus on “major cyberattack[s],” defined as “something that threatens significant loss of life, destruction of property or lasting economic damage.”
This closely mirrors the definition of “armed attack” discussed in section I.B.
The Pentagon’s “Law of War Manual” gives three examples of major cyber attacks warranting its involvement: sparking a nuclear plant meltdown, destructively opening a dam above a populated area, and causing airplane crashes by disrupting air traffic control.
According to former Secretary of Defense Leon Panetta, the United States already has the capability to detect assaults in advance and to launch preemptive operations.
Similarly, the Department of Homeland Security, which carries primary responsibility for coordinating defense efforts with private companies, is developing a system for “the automated sharing of cyber-threat indicators with the private sector and government.”
Interested companies can work with the National Cybersecurity and Communications Integration Center to prepare their networks for the automated sharing of cyber-threat indicators.
Additionally, in 2015, President Barack Obama directed the creation of the Cyber Threat Intelligence Integration Center to “connect the dots” within government regarding malicious foreign cyber threats.
Thus, while throwing more resources at a problem does not necessarily mean the problem will be solved, the U.S. government’s ability—and presumably that of other military powers—to detect cyber attacks well before they are launched should improve dramatically in the coming years. Helpfully, the cyber attacks that have the greatest potential for harm will also tend to be those that stand the best chance of being detected in advance, thanks to comparatively long development cycles
and the investment in personnel required.
This Part introduced two competing concepts of “imminence,” endorsed the view that only the “last possible window” view allows for the anticipatory action necessary to thwart potentially destructive cyber attacks, and argued that governments will increasingly be able to detect “armed” cyber attacks in advance. Next, Part III will introduce several considerations for evaluating, when a state has detected some planning activity for a cyber attack, whether a prospective cyber attack is “imminent” under the “last possible window” standard of imminence.
III. Considerations for Evaluating the Imminence of a Cyber Attack
At the moment a state discovers that an enemy intends to attack it with a cyber weapon that would legally justify anticipatory force, the attack may be less likely to be “imminent” than a decisionmaker might expect at first blush. In support of this proposition, this Part walks through several of the key technological aspects of the development of cyber weapons that may cause them to take more time to develop, to be more expensive, and to be less reliable than decisionmakers may expect.
These aspects decrease the likelihood that an attack will be “imminent” when a decisionmaker learns about an enemy’s intent to attack.
This discussion has four sections: First, section III.A discusses the highly customized and resource-intensive nature of the cyber weapons most likely to constitute an “armed attack,” arguing that a cyber attack will often be less imminent than a decisionmaker might at first believe. Section III.B argues that because the cyber weapons most likely to constitute an armed attack will tend to be usable only once, the likelihood that a state will launch a particular cyber weapon will tend to be lower than a decisionmaker may expect—and thus the cyber attack will tend to be less imminent. Section III.C argues that prospective attacks requiring local access to target computer networks will tend to be less imminent than an attack that can be mounted remotely, because the former are less likely to succeed. Section III.D then discusses the inherent errors in new software and the need for testing it, arguing that this increases the time required to launch an attack and decreases the likelihood that an attack would actually succeed.
A. Cyber Weapons that Could Rise to the Level of “Armed Attack” Will Be Custom-Made and Resource-Intensive to Build
1. Implications of the Custom, Resource-Intensive Nature of the Most Threatening Cyber Weapons. — The cyber weapons most likely to cause the effects required for a legal anticipatory act of self-defense will be highly customized to a specific target.
This one-off customization requires time and resources.
There are two key implications of this fact. The first implication is that a state’s improving detection efforts—particularly those in states with advanced military technology like the United States—will be more likely to detect such attacks in advance, so that the question of imminence becomes salient.
The second implication is that the time between when a decisionmaker learns of an enemy’s intent to attack and when the enemy could actually launch an attack could actually be rather long.
This section now provides the technical explanations for why the cyber weapons most likely to constitute an armed attack are highly one-off, customized, and resource intensive to build, and why denial-of-service attacks are not.
2. Why Cyber Weapons that Would Constitute an “Armed Attack” Are Customized, One Off, and Resource Intensive. — Unlike a bomb that can be used to damage any type of target (with varying degrees of damage), cyber weapons are more target-specific.
They require a vulnerability—a flaw in the software code that allows an outsider to tell the software to do something harmful—as well as access to that vulnerability, and also a payload (the adversary’s software code), in order to be executed.
Anyone who grew up using a computing device running Microsoft Windows understands this concept intuitively; eliminating and preventing viruses is part of the usual routine of a Windows user, while less so for an Apple Mac user.
This is because Windows software has always had different vulnerabilities that malicious actors can take advantage of to introduce viruses.
Users of Apple’s Mac devices, in contrast, have traditionally enjoyed far fewer issues with viruses, not because the Mac has fewer vulnerabilities per se, but because the greater market share of Windows devices traditionally made its particular vulnerabilities more attractive to would-be wrongdoers; a virus for Windows would have impacted far more people than if it had targeted Apple Mac devices.
This example shows how a cyber attacker needs to pick a specific vulnerability or set of vulnerabilities to exploit; the software will be effective only against those vulnerabilities to which it is tailored.
3. Denial-of-Service Attacks Are Simple (but Also Will Rarely Constitute an Armed Attack). — The vulnerability exploited in a denial-of-service operation—which is unlikely to constitute an “armed attack” justifying anticipatory self-defense—is among the most generic across targets. The vulnerability is this: Because of the way the Internet works, computer servers that are connected to the Internet can be overwhelmed with a massive amount of traffic.
Although an attacker must train the attack on specific IP addresses and systems of the target, much of the necessary information about the target can be obtained by someone with the skills of a common hacker.
Denial-of-service attacks are thus more analogous to conventional bombs, which are relatively target agnostic, than to a target-specific cyber weapon like the Stuxnet virus used against Iran’s nuclear facilities.
For example, in the 2007 denial-of-service operations against Estonia, “[i]nspired and directed by posts on the Internet, thousands of users in Russia simultaneously transmitted network packet [traffic] at Estonian computer systems.”
The fact that thousands of Russian internet users were able to participate in a denial-of-service attack with no notice beforehand is evidence of the reusability and relatively target-agnostic nature of this technique.
Thus, this type of cyber operation—the denial-of-service attack—is analogous to a conventional bomb or missile: Although some effort will go into exploiting unique vulnerabilities of the target, the general method and coding approach of using distributed, masked servers to overwhelm the targets is relatively reusable from operation to operation.
This cyber operation, however, will almost never rise to the level of an armed attack justifying anticipatory self-defense.
4. Cyber Weapons that Can Cause an “Armed Attack” Will Be Customized and Resource Intensive. — In great contrast, at the other end of the spectrum, attacking highly specialized infrastructure such as the Natanz uranium enrichment plant likely requires months—if not years—of highly customized software development, as well as extensive testing, and much of the code will not be reusable in other contexts.
For example, the Stuxnet virus used to attack the Natanz enrichment plant was incredibly specific. It targeted vulnerabilities in one piece of software, called Siemens Step7, that is used to program the industrial control systems that operate nuclear equipment.
The software would then launch only if the control system it attacked became attached to other devices configured in a very specific manner.
The code was so customized that it was “designed to specifically target a system with 984 machines connected to each other.”
As a result, developing the Stuxnet virus required “extraordinary expertise,” including not only keen software development skills but also, for example, the ability to determine “the exact amount of pressure or torque needed to damage aluminum rotors within” Iran’s nuclear centrifuges.
A “team of 10 people would have needed at least two or three years to create” the Stuxnet virus, and “there are perhaps only 10 programmers in the world capable of engineering” the method through which Stuxnet spread through Windows machines in order to reach its ultimate target.
The code base was fifty times larger than the typical computer virus.
The key takeaway here is that, unlike the development of a bomb—the design of which stays the same regardless of how many bombs are manufactured—and unlike the replicability of a denial-of-service attack, years of development and expertise will often be required to effect just one “armed” cyber attack on one very specific target.
The effort is also then only minimally transferable to other targets.
This means that not only will such attacks be relatively rare because of their cost, but also that the time between when a decisionmaker learns of an enemy’s intent to attack and when they could actually launch an attack might be longer than what that decisionmaker might expect at first blush.
Thus, an enemy’s mere plan, for example, to attack with a cyber weapon rising to the level of an armed attack will only rarely present an “imminent” threat, whereas learning of plans—at the same stage—to use conventional weapons would be more likely to constitute an imminent threat.
Some commentators have incorrectly characterized all cyber attacks as having the low barriers to access, low cost, and relative lack of skill required for denial-of-service attacks. For example, one author has characterized “the tools of [cyber warfare] [as] cheap, readily available and easily obtainable,” pointing to the “easy availability of hacker tools on underground Internet sites.”
This perspective is not surprising given that the great majority of known cyber attacks have been denial-of-service attacks and that the Stuxnet operation was perhaps the first of its kind and happened only recently, in 2010.
Similarly, the argument that “[l]ittle equipment is needed to launch [cyber] attacks . . . [including] computers, modems, telephones and software, essentially the same tools used by hackers and cyber-criminals,” incorrectly treats “software” as though it were a generic, fungible good. “Software” can be as simple as a few lines of code used by a common hacker to direct traffic toward a target website (such as a denial-of-service attack) or as complicated as a two-to-three-year, multi-million-dollar project developing a first-of-its-kind weapon that requires the scarce resources of the most talented software engineers in the world (such as Stuxnet). In the former case, the software could be characterized as “[l]ittle equipment,” but certainly not in the latter. Despite some conflation of the types of cyber attacks in the literature, decisionmakers should understand the important differences between simple denial-of-service attacks and the more complicated weapons that are most likely to constitute an “armed attack” justifying anticipatory self-defense.
B. Target-Specific Cyber Weapons May Be One Use Only
The cyber weapons most likely to constitute an armed attack are likely to have a “very short shelf life” in that, once adversaries use them, they may become ineffective for future uses.
This fact bears on the likelihood that a state will actually use the weapon and thus is an important consideration for decisionmakers when determining whether an attack is imminent.
This is because, again, the likelihood that the opponent will actually succeed with the attack is a key factor in evaluating imminence.
To illustrate with an example: Launching a cruise missile or other conventional weapon has little impact on whether the next weapon will be effective.
The same design is used to manufacture many copies of the same weapon.
In contrast, using a cyber weapon other than a denial-of-service attack may significantly or altogether impede the reusability of the code.
For example, while experts determined that Stuxnet contained extensive mechanisms to shield itself from discovery, it was eventually detected when one of the programmers introduced a flaw into the code.
Cyber-security experts and potential targets have since been able to quickly reverse engineer it, allowing them to patch up vulnerabilities and make the code useless.
Reverse engineering and the inevitable publicization of its results allow potential targets to not only fix the particular vulnerability exploited at the Natanz plant, but to adapt to the broader, novel coding approach used for that weapon.
Thus, when a state believes that an adversary would like to use a cyber weapon against it, the state should factor into its calculus of whether the attack is “imminent” the consideration that the adversary’s use of that weapon may be inordinately expensive; indeed, it may not be able to use it again.
Given this cost, the adversary may be less likely to use the weapon than a decisionmaker might otherwise expect. This calculation decreases the likelihood, relative to conventional weapons—which have far less of a “one-off” aspect—that an attack may be “imminent.”
C. A Prospective Attack Requiring “Local” Access Will Be Less Likely to Succeed than One Using “Remote” Access
Another important consideration as to whether an attack is “imminent” is whether the enemy state can reach the intended target remotely (such as through the Internet) or whether it needs to gain local access to the target in order to introduce the cyber weapon.
Remote access requires less effort and is easier to accomplish than gaining local access.
An attack utilizing remote access is more likely to succeed than a local-access attack and thus will tend to be more “imminent.”
The cyber operations against Estonia required only remote access, for example.
In contrast, prospective attacks that require local access will usually require more time to plan and develop software or to introduce local agents. The Stuxnet operation against Iran’s nuclear centrifuges, for example, required local access.
The attackers had “to rely on engineers, maintenance workers and others—both spies and unwitting accomplices—with physical access to the plant.”
In the Stuxnet attack, the attackers were able to implant the virus on a USB drive that a plant worker plugged into the local network, unintentionally providing Stuxnet access to the Natanz plant.
The difficulty in obtaining local access affects the relative likelihood that a planned cyber attack requiring local access will succeed.
For example, Reuters reported that the United States failed to introduce a cyber weapon, similar to Stuxnet, locally into North Korea’s core nuclear-weapons-program computer systems.
As the former deputy director general of the International Atomic Energy Agency noted, Stuxnet’s code itself could target both countries’ programs, “[b]ut you still need to get it in.”
Since the likelihood of an attack succeeding is a required input to the calculus of imminence, a prospective attack that plans to use local access will inherently tend to be less imminent. Thus, if North Korea and Iran, the latter a country with far less isolated systems, both became aware of the same U.S. effort to target their nuclear programs, all else being equal, Iran would be more justified than North Korea in arguing that the U.S. effort represented an “imminent” threat. This is because the likelihood that the United States could successfully penetrate North Korea’s networks, as has been empirically demonstrated, seems to be less than the probability that it can access those of Iran.
While targets like internet websites are inherently accessible remotely, whether infrastructure targets are accessible remotely will be very case specific. For example, while many transportation systems once remained unconnected to the external Internet, many of them—which run everything from subway systems to air-traffic-control networks—have since been linked to the Internet, making them more efficient but also exposing them to cyber attack.
Thus, when evaluating whether an attack is imminent, a state should consider whether the enemy state can reach the intended target remotely, or locally. All else being equal, a local attack is less likely to be “imminent” because it is less likely to succeed, and vice versa.
D. The Nature of Errors in Software Tends to Increase the Time Required to Launch a New Weapon, and Inherent Unreliability Decreases the Likelihood the Weapon Will Work
Because complex, new software almost always has errors, the cyber weapons most likely to constitute armed attacks will require extensive testing, and, even when tested, errors that may prevent the software’s proper functioning will often slip through.
This truism affects the “imminence” question in two ways: (1) As to the need for testing, this means that when a state learns about an opponent’s plans to launch a cyber attack, the time at which an attack is “imminent” may be further in the future than the state may first expect. This stands in contrast to a missile or other conventional weapon, whose manufacturing and design flaws will likely have been ironed out over years, if not decades. And (2) as to the fact that even tested software will often fail, this is important because the likelihood of an attack not only being launched but also succeeding is a factor in determining whether an attack is imminent.
An infamous example of a failure to test before launch will help to illustrate the need for software testing. Famously, the website for HealthCare.gov, the progeny of what is arguably President Obama and the Democratic Party’s largest achievement in recent memory, did not work at its launch and was deficient for several months afterward.
The parties developing the website were in such a rush to launch it that they failed to allocate proper testing time before launch.
The need to test software is one of several reasons cyber espionage operations against private companies often involve the attacker spending significant amounts of time inside the target’s systems, after infiltrating them, without taking action.
For example, in the recent act of cyber espionage conducted by North Korea against Sony, “the hackers spent more than two months . . . mapping Sony’s computer systems, identifying critical files and planning how to destroy computers and servers.”
These two examples help illustrate that, to the extent that the enemy state has not yet properly tested the cyber-weapon software, the likelihood decreases that the attack will succeed, and thus the state should consider the attack less “imminent.”
The next truism is that even tested software will have errors. Even if a state believes the opponent has extensively tested the weapon software, the state should also generally discount the “imminence” of a cyber attack because all new weapons—even when extensively tested—will have high error rates.
This is because (1) even extensive testing misses bugs and (2) commanders will tend to use cyber weapons, more than regular weapons, improperly and thus ineffectively.
Here, another infamous software-launch snafu is illustrative. Not to be outdone by the world’s largest government, the world’s most valuable company, Apple, also fell short when it launched, with great fanfare, its Maps “app” for the iPhone.
The app, for example, provided directions involving driving across an airport runway.
Here, the problem was not that Apple had not put the app through testing; rather, it was human error, oversight failure, and the natural tendency for software bugs to arise.
There is even evidence that Stuxnet itself, despite having been developed and tested over several years, contained bugs preventing certain functions: According to a security firm that analyzed the virus, the attack code was incomplete and hence did not function as intended.
Additionally, the error that one of Stuxnet’s developers introduced, causing it to be able to escape the Natanz plant and propagate across the Internet, slipped through (or perhaps was intentionally introduced) in spite of years of development and testing.
The fact that new software inherently contains errors, that developers need to test it, and that errors will persist even in the face of testing all function to increase the time required to launch an attack and decrease the likelihood that an attack will actually succeed. These considerations should tend to make a decisionmaker with limited information believe that an attack is less “imminent” than he or she might otherwise expect.
Advanced states will often be able to detect in advance prospective cyber attacks that would rise to the level of an “armed attack” justifying anticipatory self-defense under Article 51 and the Caroline doctrine. There will be a new kind of “troops massing menacingly at the border,” and they will be software developers amassing stockpiles of code.
This means that decisionmakers—in the United States, the President—will need to determine if the attack is “imminent” in order to act preemptively. In making this determination with incomplete information, the President and her or his advisers should consider several important technical aspects about the relatively few weapons most likely to constitute an “armed attack” justifying anticipatory force. These weapons potentially require years of customized development with expert software engineers and may not be reusable. Additionally, the software needs to be tested—and even then it still may not work.
Each of these aspects stands in contrast to a denial-of-service attack, which can be launched with relatively little effort but which will almost never rise to the level of an armed attack justifying anticipatory self-defense in the first place. Thus, rather than constituting a somewhat sui generis category of attack that will necessarily arrive without warning, cyber attacks that are “armed” will lend themselves toward detection and the ensuing opportunity for decisionmakers to determine if and when it is the right time to act preemptively.