Last month, I wrote a piece for the Connecticut Law Tribune about the lack of legal doctrine to govern cyber warfare--and what a UConn professor and law student are doing about it:
Forget Terminator-style cyborgs sent back in time on an assassination mission.
Cyber warfare is here, but the form it takes doesn't involve lethal robots. It's things like Stuxnet, a computer "worm" that is believed to have been created in 2010 to attack Iran's nuclear facilities. Or unmanned planes – navigated by software and "pilots" on the ground – dropping bombs.
But while cyber warfare is here, the law of war and the rules of engagement are largely undeveloped regarding cyberwar, according to David Thaw, a University of Connecticut visiting assistant professor of law whose scholarship focuses on cybersecurity regulation and cybercrime.
There is not even clarity in international law about when cyber warfare can be started. For example, Thaw asks, when would an attack on Google constitute an act of war instead of just criminal activity? What level of cyberwarfare is proportionate as a matter of law?
There is a "wide space that the law needs to catch up" on quickly, Thaw said.
The open legal questions have led Thaw and Joel Henry, a cyberspace operations officer of the 103rd Airlift Wing, Connecticut Air National Guard, and a UConn law student in his last semester, to research the law of armed conflict and cyberwarfare. They have presented their research at places like the Pentagon and NATO conferences.
Talking to experts in those forums made them realize that they needed to address not only what happens during a cyber warfare conflict, but about what leads up to the conflict.
Their collaboration started after Henry wrote a paper on cyber warfare for one of Henry's classes, and because Henry has served as a cyberoperations officer with the Connecticut National Guard and the U.S. Air Force for five years. Prior to that, Henry was an Air Force captain and a weapons loader for A-10 fighter jets from 2002 to 2008. Until this semester, Henry was an evening law student working full time as an engineer.
The aim of professor and student is to develop "a set of legal guidelines to help the international community and the individual nation-states" as they draft their own laws and policies about cyber warfare, Thaw said.
Due to the interconnectivity of many systems with the Internet — for example, power grids, water and fuel pipelines and emergency services — cyberwarfare could have unintended consequences. For example, Country A deploys a cyberweapon against Country B, but the weapon affects systems in Country C due to the interconnective nature of technology, Thaw said.
If the military is using a cyberweapon to target an electronic system or a computer system of an adversary, it must be sure that use of that weapon is not going to have unintended consequences for a civilian population, Henry said.
One issue with cyber warfare is the risk of collateral damage if excessive force is used in more densely populated areas, Thaw said. The same is true of conventional warfare, he said. "You don't drop an imprecise high-yield warhead in a major urban center … to take down one building," Thaw said. "You use a precision-guided ordinance" from an aircraft.
The law needs to require that in cyberspace as well, he said.
Henry said his contribution to the paper is in terms of drafting new cyberlaw of armed conflict and how that applies to military operations. The focus has been on judge advocates assigned to military units, Henry said.
Henry said his research has been informed by his personal experience of working with JAGs assigned to one of the Air Force's Air and Space Operations Centers. Their research has shown that, as the law stands currently, "JAGS probably wouldn't be equipped "to lawfully authorize cyber warfare attacks, Henry said. "What would that individual need to know from a legal standpoint to authorize the use of a particular weapon?" Henry asked.
Thaw added: "One of the reasons we have judge advocates in uniform advising commanders who have to make decisions about deploying military assets" is to ensure that military action is lawful and that unlawful harm is not done to civilians, Thaw said.
Another issue with cyber warfare is what happens if remote-controlled aircraft are taken over by unauthorized people. "New questions arise when controlling things remotely," Thaw said.
Another issue with cyber warfare is what happens if remote-controlled aircraft are taken over by unauthorized people. "New questions arise when controlling things remotely," Thaw said.
Thaw and Henry hope to publish their research sometime in the future. For now, they are revising on the basis of their meetings with experts.
Lawyer and Legal Journalist
