executive summary

Executive Summary

The development of "information warfare" presents international legal issues that will complicate nations' efforts both to execute and to respond to certain information warfare attacks, specifically those using computers, telecommunications, or networks to attack adversary information systems. Some legal constraints will certainly apply to information warfare, either because the constraints explicitly regulate particular actions, or because more general principles of international law govern the effects of those actions. Nevertheless, the novelty of certain information warfare techniques may remove them from application of established legal categories. Furthermore, the ability of signals to travel across international networks and affect systems in distant countries conflicts with the longstanding principle of national, territorial sovereignty.

First, it has not been established that information attacks, particularly when they are not directly lethal or physically destructive, constitute the use of "force" or "armed attack" under such provisions as the United Nations Charter. Such attacks thus may be legal forms of coercion even in peacetime, and the use of conventional armed force may not be an appropriate response to such attacks; indeed, such a response might be considered an act of aggression. No provision of international law prevents countries from taking many actions against other states, such as embargoes, that inflict great hardship on those states and their populations. Second, it is equally unclear whether some of the damage that information warfare attacks could inflict, as by disrupting government or private databases and systems, is the sort of damage that international humanitarian law is intended to restrain. Finally, where attacks can be executed across international networks, the United States (among others) may need to rely upon foreign assistance in identifying and responding to those who have attacked it.

The ambiguous state of international law regarding information warfare may leave space for the United States to pursue information warfare activities. Conversely, it may permit adversaries to attack the United States and its systems. When considering policy options, U.S. decision makers must balance those offensive opportunities against defensive vulnerabilities, a balance that is beyond the scope of this report. Nevertheless, we can discuss several, nonexclusive international legal approaches that the United States may pursue to protect its systems or clarify its offensive, defensive, and retaliatory options.

First, the United States could pursue international definitions of such concepts as "force" or "armed attack" as they apply to information warfare; such definitions could help establish when such attacks can be conducted and how countries may respond to them. Second, the United States could pursue international cooperation against information warfare attacks, encouraging cooperation in the investigation and prosecution of those responsible for the attacks, particularly terrorists and other criminals. Third, the United States may pursue agreements to protect critical information systems, either by putting them off limits for legitimate attacks, or creating international protection regimes for particular systems. Fourth, some have suggested that information warfare may be an appropriate area for arms control agreements. However, several factors, including the novelty of many information warfare technologies and techniques, the wide dissemination, small size, and predominantly civilian nature of much information technology, and the danger that arms control would not apply to non-state actors, such as terrorists, all suggest that the pursuit of arms control would be premature at best, especially in connection to largely nonlethal technologies in which the United States apparently leads other nations. Despite the apparent attractiveness of taking legal measures to either protect U.S. systems or preserve the availability of information weapons for U.S. use, law may not be nimble enough to keep up with technological change, and thus will not be a substitute for vigilance, preparedness, and ingenuity.