The Exercise Of State’s Right Of Self-defense For Victim States Under Cyber Attacks

With the rapid development of information technology, threats from cyberspace, such as the Estonia cyber-attack in 2007, the Georgia cyber-attack in 2008, the Stuxnet in 2010, the Flame in 2012 and the Ukraine crisis in 2014, have become the ever-rigorous concern for the international community. In general, cyber-attack refers to any cyber operation employed against networks, computers and information stored therein for achieving certain military or political goal that would cause severe damage. Considering the fact that the rules of international law in effect haven’t yet explicitly regulated the right of self-defense for a victim state under cyber-attack, how would states cope with cyber threats, and protect their interests in the cyberspace? This thesis intends to discuss a state’s natural right of self-defense under cyber-attack, which will be elaborated in four chapters.Chapter 1 “Defining Cyber Attack”, introduces state sovereignty in cyberspace, the definition and characteristics of cyber-attack, difference with other similar concepts,various types of cyber-attack and recent occurrences of cyber-attack in the international society.Section 1 “Defining State Sovereignty in the Cyberspace” focuses on discussing the historical development of state sovereignty and the legal nature of cyberspace. It shall be concluded that states enjoy their sovereign rights in cyberspace as cyberspace being considered as states’ territory in the information era.Section 2 “Concept of Cyber-Attack and Its Characteristics” seeks to define cyberattack, distinguish cyber-attack from similar concepts such as cyber-espionage, cybercrime and cyber-terrorism, and discuss its characteristics.Section 3 “Forms of Cyber-Attack” provides for an introduction of the most widely used methods of cyber-attack, and a brief analysis of the most typical cyber-attacks presented in the international community in recent years. Generally, Malicious Programs and Denial of Service Attack or Distributed Denial of Service Attack are the most common adopted means in international cyber-attacks. These information technologies have disabled a large number of computer systems and networks of various government departments and key industries in Estonia cyber-attack in 2007, the Georgia cyber-attack in 2008, the Stuxnet in 2010, the Flame in 2012 and the Ukraine crisis in 2014.Chapter 2 “the Pre-requisites of Exercising the Right of Self-defense” distinguishes cyber-attack from use of force and threat to use of force, discusses the applicable standards of armed attack and the attribution issue of state actors and non-state actors.Section 1 “the Standard of Armed Attack” focuses the differences among “threat to use force”, “use of force” and “armed attack”, and the standard adopted to determine “armed attack”. In short summary, a threat to use force itself couldn’t constitute armed attack; actions taken that are not sufficient to be deemed as use of force shall not be considered as constituting armed attack; and all armed attacks involve the use of force, however, such use of force shall cause significant damages to be armed attack. In practice, the most widely accepted standard of assessing “significant damages” is the “scale and effects” approach.Section 2 “Attribution of Cyber-Attack” analyzes how to attribute cyber-attacks from state actors and non-state actors. For state actors, the anonymity and impracticability to trace the source of cyber-attack has made it almost impossible to find the actual attacker, let alone proving a state’s involvement. For non-state actors, to attribute cyber-attacks to the state, the “direction or control from a state” must be demonstrated. With respect to “control”, among the effective control standard, the overall control standard and the duty of care standard, the general conception is that the overall control standard shall be adopted as the most appropriate considering the distinctiveness of cyber-attacks.Chapter 3 “the Restrictions of Exercising the Right of Self-defense” discusses the victim state shall act in compliance with the principle of necessity, the principle of proportionality and the principle of distinction while exercising its right of self-defense. In addition, a state shall also be subject to the procedural requirements when it so elects.Section 1 “Principle of Necessity” includes the principle of military necessity, and the principle of immediacy. The principle of military necessity requires the means of operation adopted by victim states have to be appropriate. Victim states must exhaust all passive and active measures before seeking use of force. The principle of immediacy requires to take immediate actions while under attack or under imminent harm.Section 2 “Principle of Proportionality” requires the symmetry of measures adopted for defense, interests protected and damages caused. The measures adopted to defend shall be proportional. In theory, using cyber/computer counter-measures would be satisfying such requirement. The interests protected and damages caused shall be proportional. That is to say, a military officer shall weigh potential deaths or injuries of civilians, and damages to civilian objects. Against the benefit of achieving a military objective.Section 3 “Principle of Distinction” requires states to distinguish civilian and military personnel and restrict targets to military objects only. International law forbids targeting civilians in military operations, provided that such civilians not in direct participation of the cyber-attacks. This principle also prohibits any use of force that in nature is uncontrollable, unpredictable, or do not discriminate between civilian and military objectives.Chapter 4 “Concluding Thoughts for Cyber Attacks”, discusses the measures taken on the international level and the national level, including insisting on restrictions of exercising the right of self-defense, strengthening international cooperation, perfect domestic legislation on cyber defense and cyber security, and improve cyber technologies.Section 1 “Endeavors in the International Level” focuses on principles held, efforts made to promote the legislation of cyber-attack in the international level, seeking to protect our interests in cyber security. Recognizing the particularity of cyber-attacks, we should insist on the restrictions of exercising the right of self-defense under the current international law, including satisfying the “armed attack” prerequisite, complying with the principle of necessity, proportionality and distinction. We shall also participate actively ininternational cooperation, promote the legislation of cyber security, respect the sovereign rights of other states in cyberspace, assist other states in combating the threats of cyberattacks. In particular, we should aim to perfect international judicial assistance system, establish specialized international institution to ensure the enforcement of international law applicable in cyber-attacks. We are also of the opinion that information technology advanced countries have the obligation to assist information technology developing countries in bridging the digital divide.Section 2 “Endeavors taken in the Domestic level” provides a three-step approach in coping with cyber-attacks, beginning with develop information and cyber technology. Especially the technology to trace the source of cyber-attacks and other advanced information technologies would improve the reaction rate and enhance the strike capabilities significantly. We should also establish a comprehensive cyber defensive system. Furthermore, we shall perfect domestic legislation, and most importantly, develop cyber strategy concentrating on protecting key cyber infrastructure.