Reconciling Technology and International Law,
Resolving Ambiguities, and Balancing Capabilities
As discussed above, international law has not yet resolved ambiguities
over the characterization of information warfare activities, and must
face a conflict between the international system of sovereign states
and the realities of global networks. International law thus leaves
space for the United States and others to conduct information warfare
activities, perhaps even in peacetime, without significant legal repercussions.
Conversely, international law may permit attacks against the United
States, as well as exacerbate U.S. difficulties in responding to attacks
against it, particularly in peacetime.
The legal status quo may appear satisfactory to U.S. policymakers.
As the United States apparently leads the world in information warfare
development, an international legal regime that permits information
attacks can give it an advantage, allowing the United States to apply
its technological strength to international conflicts in ways beyond
the capacities of anyone else. In the absence of conclusive legal
authority indicating, say, that particular information warfare attacks
are "armed attacks," "aggression," or "force,"
the United States can act with some confidence that its acts will
not be held to be so. Given its position in the world, the United
States will have the opportunity to begin the state practice that
can establish international norms and, perhaps, customary international
law. To an extent, then, given the United States' voice in world politics
and predominant military might, the United States is in the positions
of legislator, sheriff, and (perhaps, to its adversaries) executioner,
and it has a lot of influence over the judge.
Despite its freedom to act, the United States should not be sanguine
about the state of international law. The "legislator, sheriff,
and executioner" may all live together in a large glass house.
Just as the United States can attack, it can be attacked, and its
actions in conducting attacks may provide precedent for attacks against
it and its allies. Furthermore, just as U.S. capabilities may outstrip
those of its potential adversaries, so too may its vulnerabilities,
as it is perhaps uniquely dependent upon its information infrastructure
for both civilian and military needs. If only to increase protection
for U.S. systems, then, certain nonexclusive legal, diplomatic, or
policy initiatives may be appropriate.
Resolution of Legal Ambiguities
A first approach would be to clarify the delineation of such terms
as "armed attack," "force," and others, so that
the status of information warfare attacks under international law
is understood. Without knowing the extent of U.S. offensive capabilities
or defensive vulnerabilities, it is impossible for us to judge the
desirability of limiting information warfare.206
The United States might support restrictive definitions of those terms,
so as to preserve its ability to use its technological advantages,
to protect potentially desirable technological developments, and to
encourage the use of nonlethal methods of conflict; or it might support
broad definitions, to help reduce the lawful methods by which adversaries
can exploit its vulnerabilities. Definitions that included nonlethal
information warfare attacks within "war" or "force"
could give civilians a measure of protection from such attacks during
times of peace, as they would increase the diplomatic and political
repercussions of such attacks. To protect civilian targets during
wartime, the United States could pursue treaties or other international
understandings that the financial or other intangible damages caused
by certain types of nonlethal information attacks are, indeed, the
types of injuries against which humanitarian law should protect noncombatants.
The United States may use several legal mechanisms to achieve the
goal it chooses, ranging from a treaty setting out the circumstances
in which certain types of information warfare are permissible, to
silence on the subject to avoid hindrances on U.S. capabilities. Additionally,
the United States could try to influence the development of customary
international law regarding the appropriateness of information warfare.
It may move for declarations of the UN General Assembly interpreting
the Charter as it would apply to information warfare.207
U.S. statements of its views on the subject would have a significant
effect both on the opinions of other states and, ultimately, the emergence
of international norms regarding information attacks, or particular
aspects thereof. Although customary international law traditionally
evolved naturally from state practice over an extended period of time,
states have recently pursued efforts to create customary law purposefully.
Such efforts have been most visible in international forums, such
as the General Assembly, which has passed declarations setting out
world opinion as to the state of the law on such topics as the use
of nuclear weapons, seabed mining, or the equation of Zionism with
There is no reason, though, that an individual state could not set
out to influence the development of customary legal norms, especially
in an area such as information warfare, where that state leads the
world in the development or application of the technologies and techniques
to which these norms would be applied. U.S. efforts to draw world
attention to dangers that information warfare poses could be counterproductive,
however, as they might spur other countries' efforts to obtain or
use information warfare weapons, and those countries may be suspicious
of what they perceive to be U.S. efforts to protect its technological
advantages or retard the development of others' capacities.
International Cooperation Against Computer Attacks
Second, to improve its defensive or responsive options, the United
States could make efforts to reconcile the system of sovereign states
with international networks, through promoting harmonization of laws
and cooperation in investigation and prosecution of computer attacks.
The first part of such a strategy would include diplomatic pressure
and criminal justice advice and assistance to promote the criminalization
of computer-based attacks in those nations that do not yet recognize
such attacks as crimes, both to encourage other countries to discourage
such behavior by individuals within their borders, and to enable extradition
of offenders. Secondly, the United States could support the development
of an extradition regime for criminal or terrorist computer attacks,
obliging all countries to extradite or try those who have committed
specified network-related crimes. Models for such measures could be
drawn from the treaties executed in the 1960s and early 1970s to combat
hijacking and other terrorism against civil aviation.209
The Montreal Convention on the Suppression of Unlawful Acts Against
Civil Aviation, for example makes it an offense for anyone to destroy
an aircraft, place a device likely to destroy an aircraft, destroy
or damage air navigation facilities, or communicate information which
he knows to be false, thus endangering the safety of aircraft in flight,210
and it obliges countries to extradite or try suspected offenders.
Such agreements, along with diplomatic and other public statements
relating to the criminalization of such attacks, could also contribute
to the development of a norm that countries cannot support computer-based
attacks in peacetime, or that they must cooperate in resisting such
attacks. Given the United States' and its allies' ambiguous success
in fighting international terrorism, it is obvious, though, that such
agreements or norms would not be panaceas.
Protection of Critical Systems
Third, just as the aviation efforts were incremental steps in the
fight against terrorism, similar efforts could be made for the protection
of particular information systems from dangers including crime, terrorism,
war, or even natural disasters. Some systems may be so critical that
countries can agree that they must be put off limits from attacks,
or that all countries must cooperate to defend them. Systems that
could be the subject of individual protection regimes include those
involved in the command and control of strategic weapons, international
financial transfers, individual financial markets or stock exchanges,
telephone switches, emergency communications, rail transport, and
Such arrangements could be pursued under direct UN auspices, or as
individual treaties in the context of existing institutions, such
as the ITU, OECD, or ICAO, or even, perhaps the World Intellectual
Property Organization (WIPO).
Along with providing legal bases for responses and countermeasures,
incremental prohibitions against certain information warfare attacks
could contribute to the development of broader international norms
against such attacks, particularly in peacetime. In the context of
nuclear weapons, in comparison, proclamations and regional agreements
against the use of nuclear weapons contributed to the legal argument
that the use of such weapons had become illegal, although the International
Court of Justice did not ultimately embrace that argument.212
Arms Control for Information Warfare?
A fourth approach that has been suggested could be to pursue some
sort of ban on information warfare attacks or control of the weapons
of information warfare.213
Such an approach would seem to provide clear legal norms to guide
future actions, and might seem particularly sensible if the United
States were to determine that its vulnerabilities outweighed its technological
But such clarity would be illusory; the distinction between information
warfare and traditional warfare is blurry, at best. An information
warfare weapons ban would pose problems because not only do many information
weapons have dual military and civilian uses, but their applications
are predominantly civilian. Because of technological diffusion, the
small size of much information technology, and its primary incorporation
into consumer goods, an arms control regime would seem difficult to
enforce. Furthermore, although arms controls and weapons bans have
been applied to new technologies before they were widely used or their
military ramifications understood, as in the bans on bacteriological
use of environmental modification techniques,215
and blinding laser weapons,216
it does seem premature to limit a weapon that promises to bring some
measure of nonlethality to conflict, and in which the United States
apparently holds an advantage in development. In any event, arms controls
or warfare bans would not apply to the non-state actors, such as terrorists
or criminal organizations, who would not be parties to the agreements
and who may make up the gravest short-term information warfare threat.
Such bans, then, would not eliminate the need for defensive measures,
so countries might still need to explore offensive capabilities, if
only to test their defensive measures adequately.
The Lure of Inactivity
A final prospective course of action is to do nothing, or very little.
Although international law does not now conclusively address the legality
of many information warfare attacks or the appropriate responses to
them, that has not been a grave problem yet, because the attacks,
aside from some computer intrusions and crimes, have not been particularly
serious. But as information technology continues to develop and diffuse,
the danger of such attacks seems likely only to increase, as might
the opportunities for U.S. offensive uses. If the United States needs
to conduct such attacks, it will undoubtedly do so. If the United
States is subject to attacks, it will respond. International law will
address information warfare attacks in some way or another. It may
be wise to address the legal issues that the United States will face
in advance, rather than having to address them in the heat of an emergency,
where inadequate legal institutions may reduce national options and
precedents may be set by exigencies, rather than forethought.
Conclusion: A Caveat
Despite the apparent attractiveness of addressing the potential international
legal issues arising from the development of information warfare technologies
and techniques before the issues actually arise, it is important to
remember (and easy for lawyers to forget) that law is no panacea.
Even the wisest agreements and soundest legal analysis will not guarantee
the safety of U.S. systems or the potency of U.S. offensive measures.
Law can go a long way toward regulating nations' and individuals'
behavior, and it can be an important part of diplomatic efforts both
to alleviate conflict and to address its effects. At the same time,
though, the development of advanced information warfare technologies
and techniques and the continuing global diffusion of information
technology illustrate the fluidity of the world that law attempts
to govern. No law can change as swiftly as can technology; unless
law is to somehow stop technology's seemingly inexorable worldwide
progress, it cannot fully control the use of its fruits for warfare.
Legal measures can thus supplement, but not supplant, vigilance, preparedness,
| Index | Acknowledgments
| Preface | Executive
Summary | Chapter 1 | Chapter
2 | Chapter 3 | Chapter
4 | About the Authors | Endnotes