Fitting cyber attacks to jus ad bellum — Consequence-based approach Part I

[Matt]

Introductory presentation

While still reviewing the instrument-based theory, there was a slight allusion at some point that oftentimes from practical reasons the gravity of acts occurring in the international medium is divided into various standards—a sign self-evidently speaking in favour of consequences criteria over the instrument one.

A bright example accounting for that inclination one could derive from the Nicaragua case where ICJ established that it is “necessary to distinguish the most grave forms of the use of force (armed attacks) from other less grave forms” (Nicaragua case, 1986, par. 191), like a “mere frontier incident“. Assessment for possible differences between acts in terms of gravity should be based on the “scale and effects” of the force used by the aggressor.

Confirming the initial point made, Michael Schmitt, the Chairman of International Law Department at the United States Naval War College and most prominent proponent of the consequence-based scheme, opines that :

it is therefore more useful and appropriate to focus on the qualitative nature of an action’s consequences than on any ill-defined quantitative standards (Schmitt, 2012, p. 288).

Presumably, this ‘golden’ standard seeks to encompass acts that inflict grave consequences likely to produce death/injury to human beings or destruction/damage to tangible objects.

Hence, from the perspective of consequence-based approach, every cyber attack that falls within this range of “most grave forms of the use of forms” measured through the magnifying glass of ‘scale and effects’ would be deemed tantamount to ‘armed attack’ in accordance with Article 51 of the UN Charter. Moreover :

“…this approach would certainly be convincing in that it would liberated states from the prohibition on the use of (counter-) force as soon as cyber operations directed against them are likely to result in destructive effects equivalent to those normally caused by the use of kinetic, chemical, biological or nuclear weapons.” (Melzer, 2011, p. 14)

The Intent

Except for the quantitative values conditioned by “scale and effects”, the specific ‘intent’ is as well a precondition which distinguishes between less grave forms of the use of force and armed attacks. On the one hand, it constitutes a valuable indicator of the extent to which the political or military leadership of a state initiating cyber offensive is willing to violate another state’s inherent right of sovereignty and, on the other hand, whether the act is not a deed of cyber terrorists, cyber criminals (i.e. inchoate malware activities), or it is inadvertently launched. Therefore, the availability of exactly determined ‘intent’ would preclude misjudgements where “the accidental spreading of malware” is to be qualified erroneously as “an armed attack based exclusively on the objective ‘scale and effects’ of the accident (Melzer, 2011).”

With regard to all said to this point, one scholar draws the following inference:

“…it is neither the designation of a device, nor its normal use, which make it a weapon but the intent with which it is used and its effect. The use of any device or number of devices, which results in a considerable loss of life and/or extensive destruction of property must therefore be deemed to fulfill the conditions of an ‘armed attack’.”(Zemanek 2010: para. 21)

Results-oriented approach

It is important to mention that although similar they might seem at first, consequence-based and results-oriented approaches are different.

Davis Brown’s “results-oriented methodology” term refers to the work of Ian Brownlie, “International Law and the Use of Force by States” (1963). There Brownlie tried to explore the scope of an act and whether is a use of force by emphasizing on its consequences. For a leading point, he studied the chemical and biological weapons, concluding that they have the same result as the conventional ones—death and injury to civilians and military units.

Alike to the chemical, biological, and nuclear technology, cyber technology has a multitude of purposes. On the dark side of the coin, a cyber attack may cause a similar result as:

“releasing flood waters by remotely opening a dam, causing a meltdown at a nuclear power plant, or rupturing an oil pipeline.”(Brown, 2006, p. 187) Brown then concludes that “if an information attack achieves the same result that could have been achieved with bombs or bullets, then it has been conducted in the course of armed conflict (Brown, 2006, p.187).”

As a final proof, he examines a general denial-of-service attack under the results-oriented approach. By directing enormous amounts of artificially generated requests in order to disturb another computer’s computational resources or network’s bandwidth, the attacker attempts to incapacitate the adversary’s assets and make them inoperative for the intended users. If the attempt is successful, then the technology is as useless as it is struck by kinetic force –

“while no physical damage is inflicted on the system by a denial-of-service attack, the results is the same (Brown, 2006, p.188).”

Criticism

There are doubts based on the belief that Article 49 of Additional Protocol I to Geneva Conventions is not being taken into account and the focus is placed wrongly on the consequences instead of posing the question of whether or not the act is violent by nature as in Article 49. An effective methodology would try to promote the humanitarian principle that aim at less violent acts in favour of more violent ones, while the Brown’s proposed one does not differentiate clearly (Walker, 2009).

As to the provided example, the juxtaposition of armed attack and DoS cyber attack would be considered improbable to sustain the result-oriented approach. Although users are deprived from access in this instance, there is no kinetic equivalent of act bearing violent consequences (Walker, 2009). Hence, here comes the logic question: Does a mere denying of computer services would legally warrant recourse to a full-fledged armed attack in self-defence (Article 51 UN Charter)? Using another example, would it be feasible for Estonia after being attacked by a massive DDoS to attack Russia (if the act is positively attributed to their government) with tanks, missiles, or nuclear weapon (if they had one)? Given the customary international law tenets of proportionality and necessity, a negative reply is almost always certain.

Violent consequences’ terminology in jus in bello

In order to dig deeper into the consequence-based approach, one must also look at the other foundational branch in the international law which regulates conflicts. Jus in bello or the Law of Armed Conflict may shed some light on the versatile character of the word ‘consequences’.

Provision of interest:

The article to be referred to is again 49 (1) of Additional Protocol I, which provides a short explanation on the term “attacks”, equalizing it with the expression “acts of violence”. To discriminate between cyber attacks that cause mere nuisance or harassment and those that bring forth “human suffering”, Schmitt uses the following articulation:

““Attacks” is a term of prescriptive shorthand intended to address specific consequences. It is clear that what the relevant provisions hope to accomplish is shielding protected individuals from injury or death and protected objects from damage or destruction. To the extent that the term “violence” is explicative, it must be considered in the sense of violent consequences rather than violent acts.” (Schmitt, 2002, p. 377)

Hence, these “acts of violence” apparently do not necessitate the usage of kinetic violence, as far as the resulting aftermath is equipollent to that associated with kinetic physical violence, namely, death or injury of individuals or physical destruction or damage of objects (Melzer, 2011). As a result of this analysis, there can be concluded that under the consequence-based approach cyber attacks may fulfil the prescriptive requirements of Article 49(1) in the presence of three cumulative preconditions:

1. The consequences are not entailed by isolated, sporadic incidents

2. The consequences are desired and predictable to some extent

3. The consequences are intended to cause death/ injury or destruction/damage (i.e. violent consequences) (Kodar, 2012)

Inherent violence or violent nature argument

According to one theorist :

“an act must be also one of inherent violence. Unlike pressing of a gun trigger, the outwardly innocent typing on an ordinary keyboard

(a usual first step of IOA [cyber attack])

is not associated with inherent violence (Adler, 2011, p.3).“

She admits that these non-violent acts (typing on an ordinary keyboard) can :

“lead to all sort of violent outcomes” (Adler, 2011, p.3), but at the same time they cannot raise to an ‘armed attack’.

This type of discourse, however, is rather contentious. Firstly, why we should limit our perspective of inherent violence to the design of the weapon of choice? Why the ‘trigger’ should have, so to say, more inherent violence than the ‘button’? (See the images below) In the end, as children, we all played with toy guns having triggers that do not cause ‘inherent violence.

N-am stiut in ce categorie sa il pun asa ca l-am bagat la "Stiri" deoarece mi s-a parut foarte interesant ce e scris in el.

Sursa Resources.InfosecInstitute.com