The Rules of Self-Defense in Cyber War
Much effort has been focused on understanding how the rules of war change in a cyber environment. For example, one of the key elements of self defense is the notification that the other party has made the first strike. One immediate complication from cyber war is that most often it is not possible to determine who exactly made the attack. If it is not possible to determine the source of an attack, then it is problematical to consider self-defense.
Another challenge concerns the relationship between government and hackers. If, for example, the hacking against country A is done by a group of citizens in country B, then it is not clear how one can establish a relationship between the hackers and the government. If it is not possible to determine this relationship, then it is not possible to place the blame for the attack against the government. It follows that it would be impossible also to activate the rules of war for self-defense.
The right of self-defense under the United Nations charter is set up so that it is exclusively concerned with relations between nation states. There is, for example, no right of self-defense for a country against a terrorist group which is not a government. This does not mean, of course, that a country is unable legally to take any action against terrorists, but it does mean that when it does so out of self-defense, it is not doing this under Article 51 of the United Nations charter.
The nature of the Internet is such that it is possible to disguise the source of any attack. This is the fundamental problem with the laws of war. These laws are based upon an assumption that it is possible to identify the source of an attack. When this simple assumption is not available, then some other type of mechanism must be used in order to justify self-defense.
The Level of Force Problem. A second problem concerns the question of level of force. If, for example, it is in fact possible to determine that a cyber attack has taken place, and that the precise source of the cyber attack has been identified, and also that the source itself is linked to another government, then still the question remains “what is the proper response”. If the offended nation state launches a so-called kinetic attack, then is this a proper response to a virtual attack in the CyberWorld? Or is it permissible only to respond to a cyber attack with another cyber attack?
These are a few of the many concerns that must be accommodated in order to set up an international regime for the control of the cyber arms race.