The new cyber face of battle: developing a legal approach to accommodate emerging trends in warfare.

Author: Handler, Stephenie Gosnell

  I. INTRODUCTION
     A. What's in a Name?
     B. Legal Paradigms for Operations in Cyberspace
     C. The Attribution Problem
  II. CYBERATTACKS AS COMBAT ENABLERS AND PART OF A COMBINED ARMS CAMPAIGN
     A. Cyberattacks and the Law of War: Jus ad Bellum
     B. Cyberattacks and the Law of War: Jus in Bello
     C. Cyberattacks as a Combat Enabler and Part of a Combined Arms Operation
     D. 2007 Israeli Raid on Syrian Nuclear Reactor
     E. Russian-Georgian War of 2008
  III. MODIFIED-EFFECTS: A THRESHOLD TEST FOR CYBERATTACKS WITH NONKINETIC EFFECTS
     A. When is an Offensive Cyberspace Operation a Cyberattack? A Discussion of Leading Tests
     B. Modified Effects-Based Approach
     C. Using the Modified Effects-Based Approach to Analyze the Russian-Georgian War of 2008
  IV. CONCLUSION

  I. INTRODUCTION

    The Russian-Georgian War of 2008 marked an important evolution in the conduct of warfare. For the first time in history, cyberattacks joined the kinetic triad of air, ground, and naval operations. While Russian aircraft conducted bombing runs, tanks and infantry rolled across the countryside, and naval ships were blockading the Georgian coast, cyberattacks demonstrated the violability of Georgian sovereignty in cyberspace as well. They did so in two capacities: by using non-kinetic operations to facilitate kinetic outcomes by conventional forces, and by using non-kinetic operations to directly achieve effects that supplanted the need to physically destroy targets. These developments add a new dimension to the on-going debate over what legal paradigm applies to cyberattacks--how to analyze non-kinetic cyberspace operations during armed conflict. This question is of critical importance because it determines how a state may respond under international law. State victims of cyberspace operations that are categorized as cybercrime will generally have a more limited response under international law than those classified as cyberattacks. This latter category constitutes an armed attack under the law of war, and therefore merits a response under that broader paradigm.

    As with many areas of cyberspace operations, technology and practice have evolved more rapidly than the legal framework. Cyberspace operations do not fit neatly within conventional legal paradigms, which have historically struggled with identification of what constitutes an armed attack under international law. Cyberspace operations have significantly heightened these challenges, and the development of a legal framework optimally suited to the unique characteristics of cyberspace operations has lagged dangerously behind. Rather than developing a new legal framework to fit the unique characteristics of cyberspace operations, the traditional legal framework governing the use of force remains in place. Instead, scholars and practitioners have sought to modify existing tools. For instance, the use of "threshold" tests to determine if an operation meets the level of severity required to be considered an attack under the law of war first evolved with conventional military operations, such as border skirmishes and insurgent activities. In recent years, efforts have been made to adapt threshold tests to account for the unique characteristics of cyberspace. To date, the focus of scholars and practitioners has largely been on cyberattacks that directly cause kinetic effects--physical damage or destruction. Existing scholarship also focuses predominantly on cyberattacks committed in the absence of conventional operations. The threshold approaches that have been developed specifically for cyberspace reflect this concentration on kinetic effects.

    This Note addresses an emerging form of cyberspace operations, and adapts existing threshold approaches to this new type of warfare first executed during the Russian-Georgian War of 2008: the use of non-kinetic cyberattacks to facilitate kinetic effects and the use of non-kinetic effects as a substitute for conventional operations. It proposes that the former operations be classified as combat enablers, and the latter be recognized as part of a modern four-dimensional combined arms campaign. This nomenclature parallels that given to conventional weapons that serve a similar role, although it expands the traditional understanding of these terms to apply them to cyberattacks. It does so to emphasize how military planners are increasingly viewing cyberattacks as another tool available to conduct warfare, and are synchronizing them with conventional arms. This discussion also highlights why current approaches to distinguish cybercrime from cyberattacks, which focus on direct kinetic effects, are ill-suited to these emerging uses of cyberattacks as part of a broader military campaign. Determining whether such cyberattacks should be considered under the law of war--even absent direct kinetic effects--is important as it is most probable that military campaigns of the future will follow the Russian precedent and utilize cyberattacks in concert with traditional weapons to achieve their strategic goals.

    This Note is divided into four parts. The first part provides a basic introduction to the terminology used in this note and a brief discussion of the legal paradigms that may apply to cyberspace operations. Part II continues with a proposal to consider cyberspace operations as an armed attack when non-kinetic cyberattacks are used in connection with other conventional weapons to achieve kinetic effects or to supplant the need for kinetic effects. As such, this Note proposes the use of the terms "combat enabler" and "part of a combined arms approach" to differentiate these types of attacks. This proposal is significant because it will impact the legal response a state can take in an armed conflict. Part II also introduces two case studies in which cyberspace operations were used in connection with conventional military attacks. The first is the 2007 Israeli raid on the suspected Syrian nuclear reactor; the second is the Russian-Georgian War of 2008. Part III discusses the different tests that have been proposed to determine when a cyberspace operation meets the threshold to be declared an armed attack. After reviewing existing literature, a proposal is made to adopt a modified effects-based approach to better address the unique nature of cyberattacks and their interaction with conventional arms to achieve kinetic outcomes. The Russian-Georgian War case study is used to demonstrate how the modified effects-based test can be applied to determine when a cyberspace operation should be considered cybercrime and when it is a cyberattack. Part IV provides concluding thoughts and discusses what future steps should be taken with regards to developing a legal framework that is better-suited to the distinct challenges of cyberattacks.

    A. What's in a Name?

      Even the most fundamental notions remain unsettled in cyber literature--scholars and practitioners continue to use a variety of terms to refer to activities conducted in cyberspace. The Department of Defense (DoD) and a growing number of scholars use the term "cyberspace operations" to refer to the "employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace." (1) This umbrella term seems to have mostly replaced the more narrow "computer network attack" terminology, which was prominent in earlier literature. (2) This Note will use "cyberspace operations" and follow the DoD's usage of the term.

      In order to more narrowly describe the different types of cyberspace operations, this note will use "cybercrime" to refer to those cyberspace operations that fall under the criminal or law enforcement paradigm. "Cybercrime" is "crime that is enabled by, or that targets computers," (3) a term that has been widely accepted by scholars and practitioners. However, there is no similar consensus on what term should be used to address those cyberspace operations that meet the criteria for an armed attack. The term "cyberattack" is commonly used by scholars and practitioners to refer to offensive cyberspace operations that may be considered an armed attack. In addition, cyberattack is frequently used as an umbrella term to describe offensive cyberspace operations that include both criminal activities and attacks that fall under the law of war. Using cyberattack as both an umbrella term and in specific reference to those offensive cyberspace operations that are considered an armed attack is confusing and makes it more difficult to appreciate the distinction between the two.

      Thus, this Note will generally use the term "cyberattack" in the narrow sense: to refer to those cyberspace operations that are offensive in nature and meet the criteria for an armed attack. The term "cyberwarfare" will generally not be used because the focus of this note is only on offensive cyberspace operations. Some use the term "cyberwarfare" in lieu of cyberattack to emphasize the distinction from cybercrime. However, in military doctrine, the term "warfare" encompasses both offensive and defensive operations. For example, the military uses the term "electronic warfare" to include electronic attack, electronic protection, and electronic warfare support. (4) It is logical to use a parallel construction for cyberwarfare, and use the term cyberattack to refer to those offensive cyberwarfare operations that meet the threshold to be considered under the law of war.

    B. Legal Paradigms for Operations in Cyberspace

      One of the core challenges with cyberspace operations is identifying which legal paradigm applies. Identifying the appropriate paradigm is critical for determining how to legally respond to such activities. There are three legal models relevant to cyberspace operations: criminal, espionage, and the law of war. The criminal, or law enforcement, model is based in domestic law. It is the broadest of the three legal approaches, and is used to prosecute crimes committed through cyberspace. Such activities commonly include credit...
