The systematic crash of the computer systems of banks and TV broadcasters in South Korea — reportedly the result of an attack that was widely speculated to have been launched by North Korea — raises questions about what international laws, if any, govern the new and unexplored area of cyberwarfare.
"The answer is there's nothing and there's everything," said Michael Schmitt, professor and chairman of the international law department at the U.S. Naval War College.
Schmitt, who was asked by the NATO Co-operative Cyber Defence Centre of Excellence to look into these issues, chaired a three-year project that brought together 20 academics and practitioners from around the world. The culmination of their efforts was the recently published Tallinn Manual on the International Law Applicable to Cyber Warfare.
"If you're looking for cyber specific law, a law that says 'a cyberattack that causes these consequences in an armed attack to which you can respond,' you will find nothing," he said. "But it was our unanimous consensus among the group of experts that the existing international law applies to cyberspace and to cyberweapons."
This means that, as international law permits a country to defend itself and retaliate if attacked by conventional weapons, a country that is the victim of a cyberattack that causes damage or death, may also retaliate, either through cyberwarfare or conventional weapons.
"Hack into a control system of a dam and release waters downstream. Those waters are going to cause significant damage, physical damage, people will drown. In my mind that's clearly an armed attack," Schmitt said. "And if someone did that to Canada, you could resort to force, not only cyber but armed force to defend yourself."
Other examples of cyberwarfare that are grounds for retaliation by force could include hacking into a water treatment plant and causing chemicals to flow into the water, thereby poisoning the population, hacking into air traffic control systems and causing planes to crash, or hacking into a hospital and changing people's blood type, causing harm to patients
But the attack on South Korea, if in fact North Korea was responsible, is different, Schmitt said. The attack is certainly a violation of South Korea's sovereignty and a violation of international law, he said, but not grounds for the use of force in response.
"We would call that a below the threshold operation that certainly would permit a response from South Korea but the response could not include armed force," Schmitt said.
The retaliatory options for South Korea would include countermeasures. These are actions that can be taken by the aggrieved state that would normally be unlawful under international law but are considered acceptable because the aggressor state violated international law first.
"If state A attacks state B's banking system, state B may then respond proportionally against state A's banking system to compel state A to knock it off," Schmitt said.
His group also looked at issues surrounding cyberattacks on civilians. Under international law and the principle of distinction, when on the battlefield, operations may only be directed against military objects and combatants and not civilians.
"We asked the question 'when is a cyber operation a forbidden attack?' There are all sorts of things you can do in cyberspace against civilians during an armed conflict that doesn't physically harm them and doesn't injure them," he said. For example, erasing personal data or messing with their banking records.
"What we said is that this is a very hard question. Not unanimous, but the majority said that an attack, in the law of war, means you physically harm someone, you break something, you cause physical damage or you interfere in the functionality of an object such that it needs to be actually repaired."
Ashley Deeks, an associate professor at the University of Virginia School of Law and an expert in international law, said many of the scenarios are case by case.
"Even in the kinetic world, there is no real definition of what an armed attack is," she said, adding that states look to past practices.
For example, the Stuxnet computer virus, reportedly launched by the U.S. that attacked and destroyed hundreds of centrifuges at the Natanz uranium enrichment facility in Iran, raised these issues.
"I guess I would just characterize it as the closest thing we've seen to a cyber action that produces real world effects, not dissimilar from what a kinetic attack would do. But I'm not prepared to say it was an armed attack."
That's why a lot of people are starting to devote a lot of attention to cyberwarfare and trying to sort out where the lines are, Deeks said.
"There are a lot of question marks. If you took out a banking system, and it caused massive instability in the country ... that could be construed as an armed attack by some states. But it's really an open question," she said.
"There would be other states that say, 'No, unless people die, things blow up, not an armed attack. We want to set a high threshold.' Others say, 'That 's crazy. You want to start deterring these things. You want to call lower level things armed attacks."
However, Schmitt said he believes all these thresholds will evolve over the next decade.
"I anticipate that we'll see a lot of thresholds coming down that will allow states to respond more vibrantly to cyber attacks that might not be possible under the law as we found it."