Cyber Threats and the Law of War

When I was invited to participate in a forum dealing with “National Security Threats in Cyberspace,” sponsored by the American Bar Association Standing Committee on Law and National Security and the National Strategy Forum, my assigned role was to provide a “succinct and brief” explanation of how the existing Law of War (LOW) might be applied to cyber threats. The Journal of National Security Law & Policy later requested that I reduce my comments to writing. No doubt this generous request was made due to the brevity of my analysis, rather than to my intellectual prowess. Others have dealt with this subject in a far more detailed and sophisticated fashion.1 Nevertheless, for non-lawyer decisionmakers who must constantly struggle with this matter, brevity and succinctness appear to have a tangible appeal. It is in this vein that I offer the following thoughts.

I. IT’S NOT JUST THE LAW OF WAR: ENTER JUS AD BELLUM

In attempting to abide by the constraint of simplicity in dealing with this subject, I find that it is unfortunate, but nevertheless true, that the question of how to apply the current LOW to cyber warfare can be addressed only after it is first determined that a state might legally use “force” in responding to what it perceives to be “cyber attacks.” And, in turn, this determination must be made in the context of jus ad bellum, those established “conflict management” norms and procedures that dictate when a state may – and may not – legitimately use force as an instrument of dispute resolution.2 …