DETERRING ATTACKS ON BIG DATA
feature attacks on this resource. China and Taiwan, for example, both have sophisticated technological infrastructures that encompass data and AI capabilities. The risk that they might find themselves at war in the near future is greater than anyone would like.
I am interested in two issues: Under the law governing the legality of war, what kinds of attacks on big data might justify an armed response, touching off an armed conflict (a war)? And within an existing armed conflict, which parts of the law governing the conduct of war (international humanitarian law, or IHL) govern such attacks?
If cyber operations rise to the level of an armed attack, then the targeted state has, according to the U.N. Charter, an “inherent right” to respond with armed force. Moreover, the target need not limit its response to a symmetrical cyber operation. If a state regards, say, a takedown of its financial system as an armed attack, it may respond with missiles.
In a world where big data takes on greater importance and becomes more consequential, it will be easier to regard attacks on it as an outrage. If the harmful potential of cyberattacks—triggering an economic collapse or taking a hospital out of commission—requires legal regulation within war, as many propose, why wouldn’t such an attack also justify armed retaliation outside an armed conflict as a deterrent against future attacks? Why should the wiping out of vast wealth stored in the cloud not count as a casus belli if a conventional armed incursion, however slight, would count?
When faced with a legal conundrum, international lawyers often recommend that we make new law to provide a solution—for example, a treaty providing that IHL applies to databases while clarifying when a cyber operation would trigger the right to self-defense. The states with the greatest cyber capacities are the least likely to agree to a common text.
The alternative approach is for states to walk and talk in a way that raises reasonable expectations on the part of the relevant audiences. These expectations in effect would become customary international law. The question becomes how to pitch this behavior and talk to best regulate threats to big data.
Without clearly and fully explaining their views, an increasing number of states have indicated that they accept a distinction between how IHL regulates actions against big data and how the rules of self-defense apply to cyberattacks. This implies that they might not see all cyber operations as automatically triggering their right to self-defense.
A legalistic approach could affirm current law that treats espionage operations as unregulated by international law but subject to stringent sanctions under national law. It might treat cyber operations with direct effects in the material world as equivalent to kinetic actions. It might treat cyber operations that render big data inaccessible or dysfunctional, whether through ransomware or simply by incapacitation, as triggering a power to respond in kind, rather than a right to resort to arms.
How might we get there? Perhaps the United States would articulate the rules it will observe, act accordingly and respond to attacks consistently. It would have to act reasonably, including laying out an acceptable case for attribution when it sanctions states for particular operations. If the U.S. rules seem generally useful rather than selfish, the other cyber powers might eventually join in without acknowledging they were doing so.
A piecemeal, tentative and implied response to a serious problem may not satisfy lawyers the way a grand new treaty would. But in today’s world, it often is the best alternative to anarchy.