Schmitt analysis is a legal framework developed in 1999 by Michael N. Schmitt, leading author of the Tallinn Manual, for deciding if a state's involvement in a cyber-attack constitutes a use of force.[1] Such a framework is important as part of international law's adaptation process to the growing threat of cyber-warfare. The characteristics of a cyber-attack can determine which legal regime will govern state behavior, and the Schmitt analysis is one of the most commonly used ways of analyzing those characteristics.[2] It can also be used as a basis for training professionals in the legal field to deal with cyberwarfare.

Motivations

edit

As society becomes more dependent on computers for critical infrastructure, countries have become increasingly concerned with threats in cyberspace. The prevalence of computers and the pace of technological innovation has advanced civilization significantly but has left many vulnerabilities that can be exploited. Countries must be prepared to defend themselves and know how to respond accordingly to computer network attacks (CNAs). These unique attacks are different in many ways to the physical uses of force that happen in traditional warfare. Attackers can now remotely disable their targets simply through the transmission of data. CNAs also have a broad definition, and not every CNA enacted by one State upon another is sufficient reason for States to escalate into armed engagement.

Depending on if the CNA is treated as a use of force or not, the offending party would be judged based on either IHL or IHRL. And the jus ad bellum is the body of law that defines when it is reasonable for sovereign states to resort to use of force to defend their resources, people and interests. Article 51 of the UN Charter defines a situation where a sovereign state might employ use of force, and it states that:

"Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security."

A State has the autonomy to act in self-defense, but it needs proof that there is an imminent threat. It also needs to act according to the criteria of proportionality and necessity. The Schmitt analysis is a framework for evaluating a CNA, according to seven parameters, to determine if it constitutes a wrongful use of force, and for governments to decide on a valid course of action after being attacked.[3]

Historical background

edit

The Estonian Cyber-attacks of 2007, targeting Estonia's Internet resources, appear to be the first cyber attacks to be used as a weapon in a political conflict. In Estonia there was tension between the citizens that wanted their country to be more independent and the Russian-Estonians. Because the attacks came from Russian addresses, the Russian government was accused of endorsing the attacks.[4] The UN Security Council did not react to the Estonian cyber-attacks. Afterwards, the threat of cyber-war between States seemed much more real and imminent. This event also highlighted the importance of international cooperation for the protection of cyberspace. It also brings to light the necessity for international legislation regarding what qualifies as appropriate government response to CNAs.[5][6]

During the 2008 conflict between Georgian nationalists and South Ossetian separatists, many Georgian websites were subject to defacement and DDoS attacks. During this conflict a website named StopGeorgia.ru was put up and in it were links to potential targets for attacks, along with malicious software. Russian civilians could participate in the cyber-attacks, and there is the question of if this direct participation implies that they should not be considered civilians anymore.

In 2010 the Stuxnet worm that infected Natanz uranium enrichment facilities in Iran and is suspected to have destroyed up to a 1000 centrifuges was discovered, setting back Iran's nuclear program by several years. The Russian company Kaspersky said the virus could only have been deployed with nation-state support, and that it would lead to the creation of a new kind of arms race in the world. Considering the damage caused, along with the invasiveness, lack of clear legitimacy and the speculation that the worm was developed and deployed with help of U.S. government with possible Israeli or German assistance means Stuxnet could be seen as a use of force. Though it might not be seen as an unlawful use of force since the Iran nuclear activities targeted were illegal. For this reason the virus has been called a cyber-weapon, although the Iranian government did not claim it had been victim of a cyber-attack. The Iranian government's inaction might have implications for the development of legal norms regarding cyberspace, and a state's inaction is not addressed by the Schmitt framework.[2][7]

CNA as a use of force

edit

Schmitt's analysis is strongly tied to Article 2(4) of the UN Charter, which states that:

"All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations."

Not every use of force falls within the scope of Article 2(4), only those that may threaten international peace. And the article does not specify armed force, and there is the question of if it can be read as any kind of force, even economic force such as through violative economic coercion. The idea is that any use of force not authorized within the Charter is wrongful. In practice though, it is necessary to have a degree of flexibility. There are situations, such as those of decolonization and humanitarian intervention, that a strict following of this rule might not aligned with community interests. And the law regarding use of force needs to adapt and evolve to new situations and circumstances, such as those of cyber-warfare. It would be difficult to classify every CNA as a use of force, considering for example that some might not even cause any direct physical damage. To make use of the established law that has dealt with armed forces, Schmitt proposed comparing the characteristics and consequences of CNAs. This goal of this case-by-case approach is to properly classify with CNAs fall into the category of use of force and which do not.[3]

The nuclear warfare analogy

edit

Computer network attacks are, like weapons of mass destructions, asymmetric in nature. Since infrastructure such as power grids, transportation, and telecommunications are interlinked, an attack on one site might have a catastrophic domino effect. The destructive capabilities of cyber-attacks have been compared to the effects of nuclear radiation and the EMP effect of nuclear blasts. Small countries wanting to have an impact can take advantage of how cheap it is to launch a CNA. Nuclear weapons have also not been outlawed, but along other weapons of warfare, there is a need to be very careful about using or threatening to use these weapons and follow rules of proportionality, necessity, and humanity. Both nuclear weapons and information weapons do not distinguish between civilians and non-civilians.[8]

Analysis criteria

edit

Seven criteria are used to evaluate the computer network attack. The analysis focuses predominantly on criteria that are dependent on the consequences of the CNA (and as such a cyber attack is considered a cyber attack only when there is injury, death and to objects and their functionality),[9] and so it is more useful for analyzing events after they have happened and not as they are being planned. This utilitarian focus is also predominant in the jus in bello, which strives for humanity while still allowing for in some cases a trade-off between military gains and civilian casualties, for example. The Schmitt analysis is also subjective, and depends heavily on context. It does not try to set measurements for where the boundaries where CNAs become uses of force, but instead tries to compare the characteristics of a particular CNA and characteristics of traditional uses of force.[1][2][10]

  1. Severity: This is the level of destruction caused by the attack. The scope, duration and intensity of the attack are taken into consideration. Defacing a public figure's website might be considered not a use of force, while disabling an online banking system or shutting off a nuclear plant's safety mechanisms might be.
  2. Immediacy: The speed of which the harm is done, where a more immediate attack leaves less room for dialogue and negotiation between the attacker and the target. For a State to act in self-defense, it should have irrefutable proof that the threat to the nation is immediate.
  3. Directness: A CNA might have unexpected consequences, and it can be difficult to predict the complete impact of a cyber-attack. This is how clear it is that the consequences are in fact consequences of the CNA and not of other events.
  4. Invasiveness: CNAs are normally less invasive than a movement of troops into a State's territory. If a cyber-attack affects the sovereignty of a state, then it is more likely to be considered a use of force.
  5. Measurability: This is how clear the exact consequences of the CNA are in terms of how much damage has been done. In armed coercion, the consequences tend to be very clear.
  6. Presumptive legitimacy: A State might employ a CNA as a method of defensive counter-attack. Self-defense is one of the exceptions to the prohibition of the application of violence. A state might also employ CNAs in a way that does not resemble armed coercion.
  7. Responsibility: The USDOD argues that if an attack from State A to State B is not sponsored by State A, then State B does not have the right to invade State A's nation, and should instead ask for it to intervene and stop the attack. But since attackers can route their data through remote locations, it may be difficult to attribute with certainty a CNA to the accused State, such as happened in Estonia in 2007.

A relevant factor when performing a Schmitt Analysis is to ask if the perpetrators of the attack attempted to act in accordance to the Law of Armed Conflict (LOAC). This might be the case of Stuxnet, which was designed to minimize collateral damage, and only spread beyond its intended target accidentally. This attempted can imply state involvement in the attack, since private individuals might not be so concerned with international law. And it also means that the attack is more likely to be characterized as a use of force, even if they do not cause actual damage.

Potential shortcomings

edit

The main issue with using the Schmitt framework is that it requires attribution, the attacking nation must be held responsible for the attack. This does not seem to happen in most cases, as states carry their actions within cyberspace in a secretive fashion and do not claim responsibility. There is also the possibility that the state that has been attacked will not take action against the offenders, and will not accuse another state of unlawful action. Some also criticize the framework's adherence to Article 2(4)'s instrument-based paradigm and restrictive definition of unlawful use of force, and favor a more consequence-based framework.

See also

edit

References

edit
  1. ^ a b Schmitt, Michael N., Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework (1999). Columbia Journal of Transnational Law, Vol. 37, 1998-99. Available at SSRN: https://ssrn.com/abstract=1603800
  2. ^ a b c Stuxnet, Schmitt Analysis, and the cyber 'use-of-force' debate.." The Free Library. 2012 National Defense University 08 Dec. 2016 https://www.thefreelibrary.com/Stuxnet%2c+Schmitt+Analysis%2c+and+the+cyber+%22use-of-force%22+debate.-a0328945066
  3. ^ a b Schmitt, Michael N., Cyber Operations and the Jus in Bello: Key Issues (March 2, 2011). Naval War College International Law Studies, 2011. Available at SSRN: https://ssrn.com/abstract=1801176
  4. ^ Schmidt, Andreas. "The estonian cyberattacks." The fierce domain–conflicts in cyberspace 2012 (1986): 1986-2012.
  5. ^ Waxman, Matthew C., Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4) (March 16, 2011). Yale Journal of International Law, Vol. 36, 2011. Available at SSRN: https://ssrn.com/abstract=1674565 or https://dx.doi.org/10.2139/ssrn.1674565
  6. ^ Papanastasiou, Afroditi, Application of International Law in Cyber Warfare Operations (September 8, 2010). Available at SSRN: https://ssrn.com/abstract=1673785 or https://dx.doi.org/10.2139/ssrn.1673785
  7. ^ "Cyber attack 'targeted Iran': Malicious software discovered on systems around world could have been designed to target Bushehr reactor, experts say". Al Jazeera English. 2010-09-24. Archived from the original on 2012-07-08. Retrieved 2021-03-08.{{cite web}}: CS1 maint: unfit URL (link)
  8. ^ Scott J. Shackelford, From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, 27 Berkeley J. Int'l Law. 192 (2009). Available at: http://scholarship.law.berkeley.edu/bjil/vol27/iss1/7
  9. ^ Vossen, Celine, Cyber Attacks Under the United Nations Charter. Critical Reflections on Consequentialist Reasoning. (August 11, 2014). Available at SSRN: https://ssrn.com/abstract=2594675 or https://dx.doi.org/10.2139/ssrn.2594675
  10. ^ Michael, J.B.; Wingfield, T.C.; Wijesekera, D. (2003). "Measured responses to cyber attacks using Schmitt analysis: A case study of attack scenarios for a software-intensive system". Proceedings 27th Annual International Computer Software and Applications Conference. COMPAC 2003. pp. 622–626. CiteSeerX 10.1.1.111.4082. doi:10.1109/CMPSAC.2003.1245406. ISBN 978-0-7695-2020-9. S2CID 23277767.