Legal Consequences Of a Cyber Attack

Player utilities

This story is based on a radio interview. Listen to the full interview.

Audio Transcript:

Aaron Schachter: Charlie Dunlap retired in 2010 as deputy judge advocate general for the U.S. Air Force. He now teaches law at Duke University. General Dunlap, assuming the New York Times story is accurate, what are the legal ramifications of greenlighting a project like this, designed to destroy the infrastructure of a sovereign nation? If I may put it in another way, is this legal?

Charlie Dunlap: Well Aaron, as you know, in the modern world now we're operating under the U.N. Charter. And the U.N. Charter basically only permits the use of force in two circumstances. One, where the U.N. Security Council authorizes it, or secondly under Article 51 in a case of self-defense. And what gets complicated here is that when you look at Article 51, it talks about the inherent right to self-defense as a result of an armed attack. But there is an interpretation in international law that talks about anticipatory self-defense. And that actually goes back to an 1842 case called the Caroline Affair, and involves the destruction of a boat by the British during an insurrection in Canada. To make a long story short, the principle that comes out of that is that it's justified only where the necessity of that self-defense is instant, overwhelming, and leaving no choice of means and no moment for deliberation. Unquote.

Schachter: This all sounds a little bit fishy though, doesn't it?

Dunlap: It requires you to make some interesting assessments, specifically, how imminent is this threat?

Schachter: So step one essentially could be imminence.

Dunlap: Right. Number one, the rationale, I believe is going to have to fall into the area of self-defense. And so if you are into that, then you have to make the further analysis that you are going to apply this concept of anticipatory self-defense, which by the way not everybody in the world believes in. And then the third thing you need to do is look at these elements of anticipatory self-defense, of which, as you point out, the imminence of the threat needs to be assessed. And I'm suggesting that perhaps when we're dealing with weapons of mass destruction, we need to have a different perspective on the idea of imminence, in that you may only have these windows of opportunity and you have to seize them in a way.

Schachter: Is there a difference legally speaking, General, between the espionage and the self-defense? Because it seems like the United States practices an awful double standard when they wag their finger at China for mucking about in American computers and suggesting that they will attack our infrastructure, and at the same time they are attacking a sovereign country's infrastructure.

Dunlap: Espionage is typically not a violation of international law. But it is a violation of the domestic law of the targeted nation. In other words, if we catch a spy, we can try them, execute them, or whatever the maximum penalty may be. It doesn't mean that we're necessarily committing a war crime or even an act which would necessarily engage Article 51 of the U.N. Charter. Because espionage typically is not equated to an armed attack.

Schachter: General Dunlap, is there any black and white at all? Mean, a cyber attack leads to people dying or poisoning of water systems or something like that. Is that a case of black-and-white, damage has been done, act of war?

Dunlap: In my judgment, that would be a use of force clearly in violation of the U.N. Charter. I think it's very clear that when you have physical destruction and the direct consequences result in the deaths of people, that you are into the traditional analysis that would authorize the use of force in response. The interesting thing is that the Administration last summer in one of their policy documents made the point that if the U.S. was the victim of a cyber attack, it would not necessarily limit its response to an in-kind cyber counter-attack.

Schachter: An actual physical attack.

Dunlap: Yeah, in other words, the whole tool chest of the U.S. armed forces would be available to defend the nation, notwithstanding the fact that the strike, whatever caused the destruction or death, might have been through a cyber means. That they were not going to limit their response. That is perfectly consistent with law, but I think it is an interesting statement made to deter those countries who may have a sophisticated cyber capability. They need to know that the entire U.S. military has a number of capabilities and it's not limited to cyber.

Schachter: Charlie Dunlap is a retired major general. He's executive director of the Center on Law, Ethics, and National Security at Duke University. General, thank you for your time.

Dunlap: Thank you.