fbpx

Rostrum’s Law Review | ISSN: 2321-3787

International Law and Cyber Warfare

The first mentions of cyber warfare date back to the period of cold war. After the launch of Sputnik, the US feared that their Soviet enemies would overtake them in the realm of technology and hence, technological warfare. They founded the ARPA (Advanced Research Projects Agency) to build military resilience with the enemy in the field of technology and science. It was found that in the event of a nuclear attack against the US, the entire communication could be shut down, hence decapitating the entire country.[1] This realization gave birth to the distributed communication paradigm by the ARPA. In such a model, nodes of communication would be created instead of the earlier hierarchal pathways.

This was done to ensure that in the event of a threat or attack on one node, the entire communication system does not go down.[2] This is when one thing led to another, civilian systems, library systems etc. were being put to use and the TCP/IP communication protocol was set up and the Internet was born. The realisation of the cyber capabilities and its potential of causing disruption dates back to the times when “cyber” had not really evolved but it was still only countries like USA that understood this early on.

People were inquisitive, some opportunistic and some became hackers. What started as development of annoying codes to shut down computers connected on a network led to the creation of malicious programmes to launch sophisticated attacks. The real threat vector apart from data theft was observed with the introduction of denial of service attacks.

In lay terms, it leads to overload of a network, rendering it incapacitated. This was being done through distributed networks and slowly, it was realized how a simple DOS attack could destroy a nation’s networks. Then came malicious programming of which Stuxnet[3] is a perfect example.

These sets of code could give the programmer access to a device to the point of controlling its core functions. Technology evolved and things like worms, viruses and polymorphic (self changing code) malware came into being. One must also understand that all of this was happening with a digital revolution alongside when all citizen essential, military services were being brought on to the Internet.

International Warfare and Law Principles:

One might feel that there must be many laws governing this unconventional dimension of warfare but truth be told, there are not many. When one refers to international warfare peace and resilience, they are essentially referring to the UN Charter of 1945[4] which lays down the resolution of withholding from use of force and limits the use only in cases of self defense.

Since the World War II, it has been clear that the entire world stands in unison against any future war of the nature that happened back then. One of the products of this thought is the UN Charter of 1945 and particularly Articles 51 and 2(4). Although the provisions in question are in force and widely in use, it has not prevented nations from practically developing and using nuclear, biological or cyber weapons.

Article 2(4) of the UN Charter of 1945 states as under[5]:

“All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.”

However, the use of this provision remains debated to date. For beginners, the word “force” has not been defined in the entire text of the Charter. Secondly, this is a statute of the year 1945 when force could have only meant military/nuclear force against other states. But given the deficiency of any other instrument on the point, it is viewed globally that the use of force provision does apply in this situation as well.

Also, substantiating with the use of cyber weapon definition by the author, it is clear that the object of a cyber weapon can call for the application of this provision. The term force however, has not been clearly defined, which is why the author proposes to test the word on different grounds.

As per the Vienna Convention on the Law of Treaties[6], “a treaty needs to be interpreted in good faith and in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in light of its object and purpose.” By reading the purpose of the United Nations in its Charter and Article 1, it is clear that the core objectives are maintenance of peace and security, prevention of threats to peace and the suppression of acts of aggression.

Clearly, a cyber weapon/attack is capable of disrupting all of the mentioned objectives and hence call for application when the word force is used. Some researches had also led to the assertion in the early 1970s that even economic aggression against a state would be violative of Article 2(4). In 2005, in a case before the International Court of Justice, it was held that “magnitude and duration” of minor armed activities will also lead to a violation of Article 2(4) even in case such activities are not exclusively disruptive of international peace of armed conflict as it is.[7]

When one refers to the provisions of Article 2(4) of the Charter, Article 51 is naturally read in harmony. It states as under:

“Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.”

It is clear through this provision that the only single exception to the rule of Article 2(4) is Article 51 when a state is allowed the right of self-defense in case of an armed conflict. This reading does not clear the concept of “use of force”, however, the author substantiates the initial research on cyber weapons to conclusively state that in order to qualify a conflict as “armed” usage of weaponry is paramount. As a researcher has put it,

“cyber attacks have the potential to reach out from cyberspace into the physical dimension, causing giant electrical generators to shred themselves, trains to derail, high-tension power-transmission lines to burn, gas pipelines to explode, aircraft to crash, weapons to malfunction, funds to disappear and enemy units to walk into ambushes.”[8]

This is why, it was paramount to define the concept of cyber weapon initially, so that there is no ambiguity as far as this part is concerned. As will also be clear through case studies in this chapter and through earlier reading that cyber weapons have the capability of causing similar damage as armed damage could have done back in the times of the World War II when this charter was written, it would be logical to apply the same provisions to the dimension of cyber warfare as well.

For understanding or accessing the definition of force leading to the point of armed conflict and concurrent “right of self defense”, the author points to the Schmitt test or the test of the Tallin Manual,[9] which is the sole authority on International Law in Cyber Warfare. Schmitt has argued that for any given incident, an effect based analysis should be done in order to understand if it qualifies as an armed attack of not and he has also suggested seven factors or grounds upon which this analysis is to be based. They are:

  • Severity
  • Immediacy
  • Directness
  • Invasiveness
  • Measurability
  • Presumptive Legitimacy
  • Responsibility

As for severity, it is posited that mere physical harm to individuals or property is sufficient, whereby it is clear that any cyber weapon attack that causes physical harm to individuals or property will qualify as the use of force. Stuxnet by this analogy, qualifies. Although it is the simplest test of all, but he suggests that even a little consequence if it is on the national critical interests or critical internet infrastructure, will constitute severity and concurrently, the use of force.

Talking about immediacy, it is proposed in the manual that the sooner the results of an attack manifest and the lesser the time a state has to seek a peaceful recourse will determine whether or not there is immediacy. For a cyber attack and usage of cyber weapon, it is clear how the time windows would be shrunk by a huge amount when compared to other frontiers of warfare. Leave alone peaceful recourse, a state might not at times have any bandwidth to stop damage at all.

As for invasiveness, the ground is clear. The more secure the system, the more its attack vector is pervasive, if it happens. It means that if a system is highly protected and it is still breached, the invasiveness of the attack is enough to be termed as armed attack. By the analogy of Stuxnet, it is clear how nuclear facilities which are heavily guarded and protected are still the target of many attacks.

Any attack against such systems and others like governmental communication systems, security servers, citizen databases etc. will be those places which if attacked will attract the invasiveness criteria. Measurability has been meant to be any type of damage. While Schmitt in the manual has not expressly stated cost as a factor, he says that some deaths or buildings destroyed is a criterion, again all of which a cyber weapon is capable of and an attack like Stuxnet or the Hawaii attack have shown.

Presumptive legitimacy as the name suggests is the test to check if the ac tis normally approved in international law. Some acts are in fact considered as normal for example, acts like espionage. Responsibility, lastly is when a state can be mapped to the attack directly or the nexus between a state and the act.

Towards the end, Schmitt does not clarify how many out of the seven need to be satisfied in order for the test to succeed but an analysis of all of them will lead to a valid conclusion as to whether or not to qualify an attack as armed conflict and use of force within the meaning of International Law.

What distinguishes cyber warfare from kinetic warfare is the question of deniability which none of the researchers have factored in their earlier researches. It calls for state of the art tech and research in order to investigate and accredit incidents to states but as has been proven through evidence like in the case of Wannacry[10] and Stuxnet[11], nations can be traced back and accreditation can be done.

There will however, still be the space for deniability of involvement which can only be tackled through mandatory weapon disclosure and controlled usage even for domestic surveillance at which juncture, domestic laws of data privacy and protection will also come into play. That is why, the author purports that an intervention to formalize this process has to start at the behest of the U.N. which can be the only signatory body to control this space.

Incidentally, it is also clear that the potential destruction that a cyber weapon can cause may also lead to loss of life and limb and it can be orchestrated by states against others. When talking about the challenges of cyber capabilities, one cannot do away with talking about the Stuxnet[12]. It was a virus that was designed and programmed just to damage a particular nuclear facility and even particularly its centrifuges[13].

It dates back to 2009 when one could not possibly imagine the disruption possible. There was a lot of chatter post Stuxnet about its origins in enemy nations but it never saw the light of International Law. Some experts also suggested that Iran, in fact had a right to self defense which could be its potential use of a cyber capability[14].

State Responsibility and Accreditation to an Attack:

The next question that comes to mind naturally is that should a state be held responsible for activities of its actors, hackers? On the point of state agents, it is clear that an attack is attributable to the state. EternalBlue for example, the manner and mode of its delivery would have led to NSA alone had it not been leaked which would have clearly tainted USA for the attack. In 2001, the International Law Commission proactively released Draft Articles on State Responsibility that act as starting point for this discussion. Article 1 of the same suggests that “every wrongful act of a state entails the responsibility of that state internationally.”

Article 4 of the same Articles suggests that when state organ conducts an act, it is considered to be an act that state internationally. NSA is one example but many nations have started developing their own cyber cells, units, cyber military institutions etc. that perform activities ranging from defense to intelligence. In some cases, these activities are outsourced to private entities which brings this question to the front. Although this tracing might seem like a bit of a challenge but in many cases, it has been found that in fact it is possible to trace states.

What happens when non-state actors are involved? On this point, Article 51 is firstly silent whether a state can actually use self defense against a non-state actor. Now, these non-state actors could be hacker groups, hacktivists or private citizens motivated by certain ideologies and in possession of sufficient skillset to develop/use cyber weapons to cause an attack.

While, it is still internationally debated but during the 9/11 response, the Security Council’s passing of a resolution to reaffirm the inherent right of the United States to respond via self defense as per Article 51is a clear example of how states have also prosecuted non-state actors in other jurisdictions by impounding on their sovereignty. But that is again a case where there needs to be domestic law to bring a foreign national in personal jurisdiction calling on the private international law sphere and then leading to cases like Lauri Love.[15]

The Draft Articles on the point that also substantiate the Corfu Channel case are healthy in point and suggest that when the lone activists or groups are working on the instructions of or the control of a state, then state responsibility may be fixed, not otherwise. Similarly, in the Nicaragua case, the issue before the ICJ was to determine whether the acts of contra guerillas in rebellion against the government were to be accredited to the USA.

The judgment in this case opened new doors when it was held that the test would need to be of effective control over the non state bodies, meaning that if these non-state bodies were in other states, even then effective control would lead to fixing of responsibility.

In all the above invariably, some element of state participation, assent or approval is necessary. The real problem arises when none of it exists. The Convention on Cybercrime, to which India is not a party requires in furtherance of this need signatories to adopt laws to criminalize cyber attacks in their own jurisdictions.

This thought proposes multiple questions ahead like one researcher proposing that usage of online anonymity shall be stopped as part of national policy.[16] How will a state in such a circumstance protect the privacy interests and online rights of its citizens is the question. Although such a discussion is outside the scope of this research, it does raise some questions as to the fine difference between governmental sanctions and use of technology in practice.

Cyber Jus in Bello and Jus Ad Bellum:

The bodies of law applicable to cyber warfare are “jus ad bellum and jus in bello.” Jus in Bello is a Latin term that means “law in waging war.” It is also referred to as the “International Humanitarian Law” (IHL) [17] and “the law of armed conflict” (LOAC). By using the principles of minimal usage and restrictions, it is aimed at minimizing collateral damage during war.

In order for it to apply, there is a requirement of armed conflict taking place. As stated earlier, mere nation-state tensions cannot amount to armed conflict. And the fact is that there has no declaration of cyber wars till date which leaves very little of a sample space for the law to even begin to apply. No nation state: Iran, Ukraine, USA or any other has ever risen against any type on an attack, although they have faced many.

International Law stipulates that there are four basic considerations for Jus in bello to apply: Necessity, distinction, perfidy and neutrality. Article 52(2) of Addnl Protocol to Geneva Convention lays down that a military attack is lawful only “against those objects which by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction offers a definite military advantage.” In order to use force on their own accord, it is hence, crucial for a state to keep a record of what the state knew of a computer network or resource to defend its actions once questioned globally.

As for distinction, it is governed by Addnl Protocol II of the Geneva Convention. It ensues protection against dangers out of military operations to civilian population. But it also raises further questions as to the situations when non-state actors like hacktivists intrude into a nation’s sovereignty. Another concern in this vertical is that attacks like Denial of Service are often carried out through zombie systems which civilians are unaware about[18]. Thus, the intent of the attack is also a crucial factor in deciding whether it meets the criteria of distinction.

Another rule in context is the stopping of perfidious conduct. The Hague Convention IV, Article 23(b) stipulates that it is against the laws of war to “kill or wound treacherously individuals of the hostile nation.” In the context of a cyber attack, the Georgian attacks are relevant points of discussion. Kremlin Kids was a hacker group which used computers in Georgia to commit a DOS attack which crippled banking servers.

The nation was forced to believe that the attack was in fact originating from Georgia. Neutrality is with respect a nation state such as Switzerland to remain entirely neutral or to choose which armed conflicts it wishes to maintain its neutrality for. There is a huge debate about the liability of such neutral states when dealing with a cyber attack through zombie computers because it forces some level of culpability. One might also contend that due to the distributed system of interconnections, no one can actually predict the path of a cyber attack.

But are cyber attacks indiscriminate? Do attackers actually differentiate between different targets? In plain simple terms, most of the attacks being rogue, an attacker often never knows the kind of damage that some exploit would do. Having said that, the law in place clearly states that a state can only use force against a target that is military not civil. There are also situations where an attacker unlawfully attacks civilian resources to force their computers to act as his bots or to respond to his commands.

In such a situation, would the target state be empowered to attack its own civilian networks is the question. By simply creating a weapon that takes over civilian systems and forces them to participate in war, an attack unlawfully makes them complicit in war. This could be termed as a war replica of human shield in the online space.

In the last decade, there have been many attacks against nations, many that have even led to death of people but as stated earlier, none has ever been escalated to the point of cyber sanctions or international forums at the least even. These legal principles however, shed light on the legality of a cyber war and qualification to armed conflict for the provisions to apply[19].

These legislations, principles are age old; not that it undermines their authority but given the rate at which technology has changed, there have to be specific provisions about these newer developments. Jus in bellum rules guide a nation’s decision as to “whether an incident justifies engaging in armed conflict or triggers the provisions of the United Nations Charter of 1945.”

But would they apply to the cyber space?  The answer is in a faint positive through the a judgment of the ICJ, where the Martens Clause in the Hague Convention IV of 1907[20]  was used in case of Nuclear Weapons. This  invariable means that IHL will also be applicable unconventional weaponry sources as well.[21].

“Any use of a cyber weapon that can foreseeably cause injury, death, damage, or destruction to an adversary should presumably be subject to IHL as lex specialis of armed conflict over human rights law” [22]. There have been several suggested models of this concept, one of which is to impose strict liability on any state executing cyber attacks. Another model is the target based approach which focuses on the target of a cyber attack to decide if an armed attack occurred. Both these theories are flawed in the sense that they allow self defense for even less severe incidents and cases where facilities are just targeted. The more popular today is the effects based approach.

It factors the direct effect an attack had on the victim-nation. Some argue that in such an approach it is sometimes not possible to usually quantify any direct damage. People might die more remotely like an emergency service call line being shut down, crippling the response systems like fire vans and ambulance service.  A proposed definition by another researcher is that of consequences[23] which looks at various factors like severity, immediacy, directness, invasiveness, measurability and presumptive legitimacy.

It is also to be noted that when a nation is to use force in self defense, it must essentially attribute the attack to another state. In the infamous International Court of Justice case titled Nicaragua[24], it was held that the prohibition on use of force is part of the customary international law and also Article 2(4) of the UN Charter.

The ICJ also said in this case that an armed attack would be judged by a scale and effects test which could mean that an armed attack even if done by irregular forces would be termed as armed attack if carried out by regular military personnel.

It went on to highlight that even if a state had “effective control” over some non-state actors who committed the attack, then the state can be held accountable. But attribution is one of the major challenges in cyber attacks due to the nature of cyber weapons and tactics.

The Tallinn Manual stipulates that an armed cyber conflict would be “subject to law of armed conflict irrespective of whether they amount to armed force themselves”[25]. It is also against territorial integrity and political independence of another state that when an attack is targeted to disrupt, member states may not use force to that accord[26].

The Charter however, does not define concepts like force as well which gives rise to the same level of ambiguity but through this research it is proposed that force would be the use of similar cyber weapons by the target state as has been discussed earlier.

In order to further the understanding on the use of force and attack, Article 31 and 32 of the Vienna convention on the Law of Treaties need to be looked at. They lay down the manner of interpretation of treaties. Article 31(1) stipulates, “A treaty shall be interpreted in good faith in accordance with the ordinary meaning to be given to the terms of the treaty in their context and in the light of its object and purpose”.[27]

Low Intensity Cyber Conflicts:

What happens in cases of low intensity conflicts? The author supports the views of a researcher when he suggests that there are four strategic modes of low intensity conflicts[28]: military, economic, diplomatic and ideological. Military modes have been already discussed so as for the others,

Economic: An attacker attacks the Bombay Stock Exchange servers and takes them office to corrupt its data and change values of stocks.

Now, economic coercion is not covered under the Article 2(4) as prohibited use of force. Neither does the charter talk about it anywhere, so does the International law on warfare apply? In practice, economic coercion is an accepted retorsion, meaning a countermeasure. It has also been propounded that in situations when it would be an alternative to resort to military force, economic coercion is a good mode of settlement.

But when this unchartered economic effect hovers on national sovereignity and hampers domestic strategies and widely disrupts the international economic system, it ought to be considered as unlawful. Whether or not, use of self-defense against such attacks is considered good is yet to be seen but a good practice that many states observe in these times is designation of critical information resources which if attacked, it is considered that they will adversely effect a nation. In such a situation, if a critical infrastructure element is hacked/breached like a stock exchange, sanctions can be drawn.

Other minor incidents however, related to the economic offences will not form part of this particular head.

Ideological: An attacker manipulates sensitive emotions of voters like what happened between Russia and United States during the 2016 election.[29]

The promoter of cyber warfare law Michael Schmitt has clarified through interviews that he does not feel such ideological attacks should be termed as use of cyber weapons or an armed conflict calling for or allowing United States to use force against Russia. Military verticals of the United States however feel that such interference in essence is an act of war[30].

In the past, there have been instances of defacements of websites of famous personalities, leaders etc. Some argue and suggest that this needs to be termed as an act of cyber war. A closer look leads to the instances like in the context of inciting genocides like the Nuremberg Trials publishing. Outside of that purview, unless an attacker targets state resources or taints the nation challenging its national security or sovereignty, all that such an attacker can be brought under the purview of, is domestic law.

Another research paper[31] on this point analyses the application of law against spying and espionage in the incident involving Russia and USA. It goes on to assess the specifics on many parameters but fails to make any connection with the UN Charter or International Law related to cyber warfare.

Possession of Cyber Weapons:

One might argue as to the real existence of cyber weapons in itself and the fact that how can something be a cyber weapon at all in fact. Some suggest that there need not be a cyber weapon in order to cause digital damage today, even a simple workaround can cause damage.

The author seconds such thoughts but highlights the underlying difference between the capability of a cyber weapon and anything else in its comparison. In order to understand this in detail, most recent developments are very crucial.

Why would a nation need cyber weapons?

Israel’s Ministry of Defence most recently allegedly contacted American hackers to build zero-day exploits[32]. While this was just reported, the finding dates back to 2015 when letters from Israel were found that were written to US based firms that develop zero day tools. As per the agency in US, the letter read[33],

“The Government of Israel Ministry of Defense (GOI­-MOD) is interested in advanced Vulnerabilities R&D and zero-­day exploits for use by its law enforcement and security agencies for a wide variety of target platforms and technologies,”

A zero-day refers to a bug/exploit/payload etc. that has not been identified yet and which can be used to attack someone’s machine without any type of software detecting it. Clearly, assessing it under the definition of a cyber weapon as proposed under this research, it is a cyber weapon.

Now, nations do not just want to possess cyber weapons but they are also contracting creation of such weapons almost publically for their “law enforcement” and “security” activities. While primarily, it might genuinely be so, it still amounts to possession of cyber weapons.

EternalBlue:
As strange as it may sound, this fancy seeming name grew to be the real reason behind many catastrophes that have taken place in the realm of hacking over the last few years. So what happens on a timeline is that NSA builds a backdoor into the Windows Operating system using the Windows Messaging Service (Communication Protocol) and they write an exploit to gain access to systems based on it. This exploit makes use of the Microsoft Server Message Block SMB 1.0.[34] It is basically a file sharing protocol that lets other applications both read and write from and to files across systems on the same network.

From a reading of the last chapter, it is certainly clear that such an exploit will essentially be termed as a cyber weapon in the most crude sense. Interesting points to note were that NSA never revealed about it to Microsoft or to the Government which is also why some fear possible snooping invasion into privacy by NSA way too much than any other organisation in the world. Interestingly as well, NSA kept using this tool called EternalBlue for government surveillance for almost five years[35] before it was allegedly leaked.

Put into the public domain by a group of hackers called the Shadow Brokers[36], EternalBlue made a lot of news. Microsoft found the exploit to be true, patched it later on but fact has it that till date attacks are being designed solely based on the leaked code of EternalBlue. If the reader may recall one of the most disturbing ransomware of all time called Wannacry[37] or the infamous Petya[38] Ransomware, both of them and many more were based on the same EternalBlue exploit.

The case that the author tries to make with this assertion is that NSA and the United States were actually in possession of a potential cyber weapon. One that by the definition as propounded earlier was capable of mass level destruction. Had there been an International Law regime of mandatory disclosure of such possession and ban on the potential use, the damage could have been mitigated. There was not much of a legal case whatsoever but it did raise some serious questions about possession and development of these cyber weapons.[39]

The damage that the Wannacry or Petya ransomware did is non-comprehendible. Apart from compromising financial and other systems, it disrupted many hospitals and other civilian services that led to many deaths. Ambulances in the UK were diverted, patient monitoring systems shut, NHS services disabled and in one case an entire hospital was shut down.[40]

The damage due to state sponsored and held cyber weapons has not played its full outage yet. Just after the EternalBlue happened, there have been new reports of another cyber weapon called EsteemAudit being stolen and put out in the public domain.[41]It is only a matter of when one nation rises up against such an attack and then an International case on cyber warfare emerges.

What can a nation do in situation of an attack?

One clear and straightforward countermeasure to an attributed cyber attack is retorsion. A simple example could be denying access to the host country’s servers or digital resources. These are unfriendly yet perfectly legal ways in which an attack can be tackled. It is much like the model of governance that China and Russia are deploying today. One must bear in mind also that countermeasures are resorts to stop or prevent effects of a possible cyber attack and it is not aimed at punishing the perpetrator.

According to the International Law Commission’s Rules on Responsibility of States for Internationally Wrongful Acts, a victim state first must call upon the aggressor state to cease and desist a cyber attack before using force for self defense. In case the aggressor denies or does not comply, then the victim state can use active defense which is to include blocking access, counter attacks etc.

This warning requirement may however be overlooked through the language of Art. 52 of the rules which states that a victim state can take urgent countermeasures as may be necessary to preserve its rights.

It is pertinent to note here that in cases of cyber attacks, time is of the essence. An aggressor state may build resilience and immunization against attacks by the time warning requirements are met. The ICJ also allows emergency countermeasures to be taken and the victim state is given discretion to determine the extent and levels of countermeasures.[42]


This Article has been written by Shri Vineet Kumar and Shri Nitish Chandan, President World Peace Foundation.


References:

[1] Siobhan Gorman & Danny Yadro, Bank Seeks U.S. Help on Iran Cyberattacks, Wall St Journal, 12:01 AM) http://online.wsj.coin/article/SB100014241278873247349

[2] Phillip Pool, War of the Cyber World : The Law of Cyber Warfare, 47 Int. Lawyer 299–323 (2013).

[3] Charles J. Dunlap, Perspectives for Cyber Strategists on Law for Cyberwar,  Strateg. Stud. Q. 81–99 (2011), http://scholarship.law.duke.edu/faculty_scholarship/2368/.

[4] United Nations, Charter of the United Nations (1945).

[5] Id.

[6] United Nations, Vienna Convention on the Law of Treaties (1969).

[7] Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda), Judgment, I.C.J. Reports 2005, p. 168

[8] Jason D Jolley, Article 2 ( 4 ) and Cyber Warfare : How do Old Rules Control the Brave New World ?, 2 Int. Law Res. 1–16 (2013).

[9] Michael N. Schmitt, Tallinn Manual on the International Law applicable to Cyber Warfare (2013).

[10] Lily Hay Newman, A Scary New Ransomware Outbreak uses WannaCry’s Old Tricks, Wired, May 10, 2017.

[11] Christopher Williams, Stuxnet: Cyber attack on Iran “was carried out by Western powers and Israel,” The Telegraph, 2011, http://www.telegraph.co.uk/technology/8274009/Stuxnet-Cyber-attack-on-Iran-was-carried-out-by-Western-pow ers-and-Israel.html.%0A.

[12] Dunlap, supra note.

[13] Ido Kilovaty, Cyber Warfare and the Jus Ad Bellum Challenges : Evaluation in the Light of the Tallinn Manual on the International Law Applicable to Cyber Warfare, 5 91–124 (2014).

[14] Id.

[15] BBC, Lauri Love case: Hacking suspect wins extradition appeal, BBC, February 18, 2018, http://www.bbc.com/news/uk-england-42946540.

[16] Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int. Law 525–579 (2012), http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=80410602&site=ehost-live.

[17] Rex Hughes, A treaty for cyberspace, 86 Int. Aff. 523–541 (2010).

[18] Brian J Egan, Remarks on International Law and Stability in Cyberspace, 35 (2016), https://www.state.gov/s/l/releases/remarks/264303.htm.

[19] Stephen Moore, Cyber Attacks and the Beginnings of an International Cyber Treaty, 39 North Carolina J. Int. Law Commer. Regul. 223–257 (2013), https://extranet.cranfield.ac.uk/eds/detail/,DanaInfo=eds.b.ebscohost.com+detail?vid=1&sid=f2d5d5be-1348-4908-b651-e4d14a415678@sessionmgr111&hid=103&bdata=JnNpdGU9ZWRzLWxpdmU=#AN=92606783&db=bth.

[20] Brecht, supra note.

[21] Id.

[22] Dell Cameron, No Title, Gizmodo, October 27, 2017, https://gizmodo.com/britain-publicly-names-north-korea-as-source-of-wannacr-1819911031.

[23] Schmitt, supra note.

[24] 1986 I.C.J. 14

[25] John E Dunn, The world’s 10 most dangerous cyberwarfare attacks | Security | Techworld (2015), http://www.techworld.com/security/worlds-10-most-dangerous-cyberwarfare-attacks-3601660/ (last visited Jul 19, 2017).

[26] United Nations, supra note.

[27] Vienna Convention on the Law of Treaties §31-32, Jan. 27, 1980, 1155 U.N.T.S. 331 [hereinafter “VCLT”].

[28]Gervais, supra note 81.

[29] Ellen Nakashima, Russia’s apparent meddling in U.S. election is not an act of war, cyber expert says, The Washington Post, February 7, 2017, https://www.washingtonpost.com/news/checkpoint/wp/2017/02/07/russias-apparent-meddling-in-u-s-election-is-not-an-act-of-war-cyber-expert-says/?utm_term=.ead63360dee8.

[30] Id.

[31] Jens David Ohlin, Did Russian Cyber Interference in the 2016 Election Violate International Law?, 95 Tex. Law Rev. 1579–1598 (2017), http://ssrn.com/abstract=2934321%0Ahttps://ssrn.com/abstract=2934321.

[32] Karim Traboulsi, Israel’s ministry of defence contacted American hackers to make “zero-day” viruses for its cyber war, The New Arab, March 8, 2018.

[33] Id.

[34] Matt Burgess, Everything you need to know about EternalBlue – the NSA exploit linked to Petya, The Wired, 2017, http://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch.

[35] Ellen Nakashima & Craig Timberg, NSA officials worried about the day its potent hacking tool would get loose. Then it did., The Washington Post, May 15, 2017, https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html.

[36] Dan Goodin, NSA-leaking Shadow Brokers just dumped its most damaging release yet, Ars Technica, 2017.

[37] Ali Islam, SMB Exploited: WannaCry Use of “EternalBlue” Fireeye (2017).

[38] Newman, supra note.

[39] Thomas Fox-Brewester, An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak, Forbes, 2017.

[40] Russel Brandom, UK hospitals hit with massive ransomware attack, The Verge, 2017.

[41] Sam Jones, Hackers prime second classified US cyber weapon, Financial Times, 2017.

[42] Omer Yousif Elagab, The Legality of Non-forcible Counter-measures in International Law (1988).

Scroll to Top