Moving Towards International Norms in Cyberwarfare

  • E-mail E-mail
  • Google+
  • Reddit Reddit

In an October 12, 2012, meeting with Time magazine, Secretary of Defense Leon Panetta warned of the immediate threat sophisticated malware posed to the United States.[1] Secretary Panetta lamented that such malware, now being developed by numerous countries[2], has “the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system.”[3] The most recent illustration of the power of state-sponsored cyberattacks came on August 15, 2012, when Saudi Armco, the world’s largest oil company, was the victim of an attack, which researchers believe was launched by Iranian hackers in retaliation for recent attacks by the United States and Israel.[4] The attack erased the contents of three-fourths of the company’s hard drives, leaving in their place an image of a burning American flag.[5] Advancements in cyberwarfare present the opportunity to accomplish foreign policy and military goals without the human, economic, or political cost inherent in traditional warfare.[6] However, it is evident that the rise of state-sponsored cyberattacks implicates strategic, ethical, and legal issues of the highest order.[7]

Since reports surfaced that the United States and Israel launched Stuxnet, a super-virus that successfully attacked Iranian nuclear centrifuges, U.S. officials have been willing to discuss the classified cyberwarefare program with increasing frequency and candor.[8] Such disclosures, along with media investigations[9] and reports from private cybersecurity firms[10], have revealed the increasing regularity of attacks targeting states and private entities alike.[11] Increased openness concerning the use of cyberweapons could lead to unsustainable consequences: The development of a cyber arms race[12], justification for those who seek to retaliate against the United States for the acknowledged attacks[13], or a movement towards international norms tolerating unfettered use of cyberweapons.[14] However, a dialogue concerning these issues also presents an opportunity for the United States to lead in shaping the legal framework that will govern the future of cyberwarfare.[15]

While the United States currently has offensive capacities that far outpace potential rivals, it is in its’ best interest to champion an effort to build an international consensus in favor of regulation and cyber arms control.[16] Albeit, there is reason for the United States to be skeptical of curbing its use of such weapons, especially at a time when it has leveraged the legal vacuum in this area to its strategic advantage, yielding notable successes.[17] Due in part to a nonexistent legal framework governing the use and development of cyberweapons, the United States was able to use Stuxnet to successfully infiltrate Iranian nuclear facilities, delaying Iran’s march towards developing a nuclear weapon by as much as two years.[18] Stuxnet represented a high-water mark for the U.S. cyberwarfare program, accomplishing a major foreign policy goal at a time when sanctions were ineffective, diplomacy was failing, and traditional armed conflict was untenable.[19]

However, despite the allure of the opportunities created by the legal vacuum, the United States should take action to establish international standards regulating the use of cyberweapons because the threats and uncertainties of unregulated use will quickly outweigh the benefits.[20] Given the ever-increasing threat of attack against the United States and its citizens, there are several factors suggesting that the United States should work towards an international agreement.[21] First, no country is more reliant on its computer networks than the United States.[22] While sophisticated networks ensure speed and efficiency in all areas of life, the reliance on such networks also makes the United States particularly vulnerable to a high-impact cyberattack.[23] Another factor to consider is the relative ease of creating and copying such weapons[24], making it increasingly likely that terrorist groups, or other malevolent actors, will acquire such a weapon in the near future.[25] Compared to traditional weapons, malware is a budget alternative that causes significant damage.[26]

Given the vulnerability of the United States to cyberattack and the increasing availability of sophisticated viruses to states and non-state actors, it is in the interest of the United States to forego, to a reasonable extent, its short-term offensive advantage in favor of embracing the stability and safety that would come through establishing international norms governing cyberwarfare. Whether it be through broad international agreement or through a piecemeal approach of bi-lateral agreements with key nations, such as China and Russia, the sooner mechanisms are in place for regulating the use of cyberweapons, the more secure U.S. interests will be.

[1] See Mark Thompson, Panetta Sounds Alarm on Cyber-War Threat, Time (Oct. 12, 2012),

[2] See Susan W. Brenner & Leo L. Clarke, Civilians in Cyberwarfare: Conscripts, 43 Vand. J. Transnat’l L. 1011, 1112 (2010) (“According to one estimate, 140 nations have developed or are in the process of developing the capacity to wage cyberwarfare.”).

[3] Thompson, supra note 1.

[4] See Nicole Perlroght, In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back, N.Y. Times (Oct. 23, 2012),

[5] See id.

[6] See Brenner & Clarke, supra note 2, at 1113-14 (noting cyberwarfare conserves human resources, is cheaper in terms of monetary cost, and is less likely to cause political backlash because at present it is difficult to determine with any certainty the source of an attack).

[7] See Mathew Borton, et al., Cyberwar Policy, 27 John Marshall J. Computer & Info L. 303, 303-06 (Spring 2010); see also Brenner & Clarke, supra note 2 at 1112-15; Toby L. Friesen, Resolving Tomorrow’s Conflicts Today: How New Developments Within the U.N. Security Council Can Be Used to Combat Cyberwarfare, 58 Naval L. Rev. 89, 90-92 (2009).

[8] See Scott Shane, Cyberwarfare Emerges from Shadows for Public Discussion by U.S. Officials, New York Times (Sept. 26, 2012),

[9] Thompson, supra note 1; Shane, supra note 8; Gerry Smith, Gauss: Virus Like Stuxnet Found, Russian Security Firm Claims, Huffington Post (Aug. 10, 2012),

[10] Kaspersky Lab, Kaspersky Lab Discovers ‘Gauss’—A New Complex Cyber-Threat Designed to Monitor Online Banking Accounts (Aug. 9, 2012),

[11] Perlroght, supra note 4.

[12] See Shane, supra note 8 (“[T]alking too boldly about American plans could fuel a global computer arms race.”).

[13] See Steve Coll, The Rewards (and Risks) of Cyber War, The New Yorker (Jun. 7, 2012), (“American and Israeli official action now stands available as a justification for others.”).

[14] See id. (“‘Olympic Games’ [which is the code name for the American cyberwarfare program] will invite imitation and retaliation in kind, and it has established new and disturbing norms for state aggression on the Internet and in its side-channels.”).

[15] See Shane, supra note 8 (quoting Professor Waxman of Columbia Law School, and formerly of the Department of Defense, as saying that the United States should use its offensive advantage to lay out rules of the road for cyberwarfare).

[16] See id.

[17] See David E. Sanger, Obama Order Sped Up Wave of Cyberattacks Against Iran, New York Times (Jun. 1, 2012),

[18] See id.

[19] See id. (“[Cyberweapons] were [President Obama’s] best hope of disrupting the Iranian nuclear program unless economic sanctions began to bite harder and reduced Iran’s oil revenues.”)

[20] See Friesen, supra note 7, at 92 (noting that cyber attacks will plague states until there is a consensus on the norms and law governing cyberwarfare, complete with a mechanism for investigating violations).

[21] See id. at 90-92; see also Brenner & Clarke, supra note 2, at 1115 (“Cyberwarfare erodes, and may erase, the distinction that currently exists between combatants (soldiers) and noncombatants (civilians).”); Thompson, supra note 1 (crediting Secretary Panetta with warning that three potential adversaries—Russia, China, and Iran—are developing cyberwarfare capabilities).

[22] See Sanger, supra note 17.

[23] See id. (citing President Obama as warning his aides of the dangers of overusing cyberweapons given the particular vulnerability of the United States to attack).

[24] See Kaspersky Lab, supra note 10 (noting that the Guass virus was similar to the Stuxnet and Flame viruses that showed certain functions were copied from the previous viruses).

[25] See Brenner & Clarke, supra note 2, at footnote 5 (citing a hearing before the Joint Economic Committee on Cyber Threats and the U.S. Economy where concern was expressed that terrorist and other non-state actors would turn to cyberweapons).

[26] See id. at 1113.

Posted by Brett M. Neve on Sun. March 24, 2013 11:06 PM
Categories: Cyberwarfare

Comments for this post are now closed.

UNC School of Law | Van Hecke-Wettach Hall | 160 Ridge Road, CB #3380 | Chapel Hill, NC 27599-3380 | 919.962.5106

If you are seeing this, you are either using a non-graphical browser or Netscape 4.x (4.7, 4.8, etc.) and this page appears very plain. If you are using a 4.x version of Netscape, this site is fully functional but lacks styles and optimizations available in other browsers. For full functionality, please upgrade your browser to the latest version of Internet Explorer or Firefox.