Back in 2011, University of Virginia Law Professor Ashley Deeks wrote an article defining the circumnstances under which it is legal for a "victim state" to retaliate against a non-state actor -- such as a terrorist cell -- located in another country's territory. (My colleague David Bosco discussed it here.) In Deeks' view, such action is justified when the "territorial state" gives consent to the attack, or when the victim state believes the territorial state is "unwilling or unable" to deal with the target group itself. (Think Abbottabad.)
In a new paper for International Law Studies, Deeks argues that the "unwilling or unable" standard also applies to cyberattacks by nonstate actors, a very pertinent topic at a time when we're learning that the U.S. miltiary is deploying offensive cyber teams.
She describes one hypothetical situation where this could come into play:
Imagine now that the IDF learns that its air force's command and control center is being severely compromised electronically and has begun to send faulty coordinates to all of the IDF's military aircraft, including those currently airborne. As a result of the cyber attack, the IDF loses communications with two of its jets, which crash into the Mediterranean Sea. Israel has a high level of confidence that several servers in Turkey are the source of the ongoing attack; additionally, the offending code behind the attack has Hezbollah's digital fingerprints on it and Israel has intelligence that Hezbollah has been trying for several years to conduct just such an attack.
Assuming that Israel has the technological capacity to disable the Turkish servers currently routing the attack and believes that such an action is the only way to stop this attack, may Israel disable those Turkish servers (using cyber or kinetic tools)?
It's not exactly clear, as Deeks acknowledges, how the "unwilling or unable" standard can be applied in a real-world situation. She reccomends that victim states:
(1) prioritize cooperation or consent with the territorial State, rather than unilateral use of force; (2) ask the territorial State to address the threat and give it adequate time to respond; (3) reasonably assess the territorial State’s capacity and control within the relevant region; (4) reasonably asses the territorial State’s proposed means to suppress the threat; and (5) evaluate its prior interactions with the territorial State.
In the cyber context, she stresses that it's important for states to resist the attempt to take unilateral action that could not be easily traced back to them, particularly given the risk that cyberattacks can affect systems well beyond their intended target, as in the Stuxnet worm.
Of course, it's often difficult to distinguish between state and non-state actors when it comes to cyberattacks. For instance, according to Wikileaks cables, Estonia's government is fairly confident that the Russian state played a role in organizing the massive cyberattack that crippled its infrastructure in 2007, but the Kremlin-sponsored youth group Nashi as well as independent groups of Russian nationalist hackers may have played a role as well. Deeks writes that in such a scenario, Estonia would not be required to ask for consent before retaliating:
Where the victim State believes that the territorial State is colluding with the author of the cyber attack or will tip off the cyber attacker, the victim State should not be obligated to ask the territorial State before taking measures in the territorial State.
Katherine Maher recently wrote for this website that cyberspace is increasingly taking on the characteristics of the Westphalian state system. But of course, the rules of that system aren't always that well defined in the real world either.
Hat tip: Lawfare
U.S. Air Force photo by Staff Sgt. Christopher Boitz/Released