In an October 12, 2012, meeting with
Time magazine, Secretary of Defense Leon Panetta warned of the immediate threat sophisticated
malware posed to the United States. Secretary Panetta lamented that such malware,
now being developed by numerous countries, has
“the kind of capability that can basically take down a power grid, take down a
water system, take down a transportation system, take down a financial system.” The most recent illustration of the power of
state-sponsored cyberattacks came on August 15, 2012, when Saudi Armco, the
world’s largest oil company, was the victim of an attack, which researchers
believe was launched by Iranian hackers in retaliation for recent attacks by the United States and Israel. The attack erased the contents of
three-fourths of the company’s hard drives, leaving in their place an image of
a burning American flag. Advancements in cyberwarfare present the
opportunity to accomplish foreign policy and military goals without the human,
economic, or political cost inherent in traditional warfare. However, it is evident that the rise of
state-sponsored cyberattacks implicates strategic, ethical, and legal issues of
the highest order.
Since reports surfaced that the United States and Israel
launched Stuxnet, a super-virus that successfully attacked Iranian nuclear
centrifuges, U.S. officials have been willing to discuss the classified cyberwarefare program with increasing frequency and candor. Such disclosures, along with media investigations and reports from private cybersecurity firms, have revealed the increasing regularity of attacks
targeting states and private entities alike. Increased openness concerning the use of
cyberweapons could lead to unsustainable consequences: The development of a cyber arms race, justification for those who seek to retaliate against the
United States for the acknowledged attacks, or a movement towards international norms tolerating
unfettered use of cyberweapons. However, a dialogue concerning these issues
also presents an opportunity for the United States to lead in shaping the legal
framework that will govern the future of cyberwarfare.
While the United States currently has
offensive capacities that far outpace potential rivals, it is in its’ best
interest to champion an effort to build an international consensus in favor of
regulation and cyber arms control. Albeit, there is reason for the United States
to be skeptical of curbing its use of such weapons, especially at a time when
it has leveraged the legal vacuum in this area to its strategic
advantage, yielding notable successes. Due in part to a nonexistent legal framework
governing the use and development of cyberweapons, the United States was able
to use Stuxnet to successfully infiltrate Iranian nuclear facilities, delaying
Iran’s march towards developing a nuclear weapon by as much as two years. Stuxnet represented a high-water mark for the
U.S. cyberwarfare program, accomplishing a major foreign policy goal at a time
when sanctions were ineffective, diplomacy was failing, and traditional armed
conflict was untenable.
However, despite the allure of the
opportunities created by the legal vacuum, the United States should take action
to establish international standards regulating the use of cyberweapons because
the threats and uncertainties of unregulated use will quickly outweigh the
benefits. Given the ever-increasing threat of attack
against the United States and its citizens, there are several factors
suggesting that the United States should work towards an international
agreement. First, no country is more reliant on its
computer networks than the United States. While sophisticated networks ensure speed and
efficiency in all areas of life, the reliance on such networks also makes the
United States particularly vulnerable to a high-impact cyberattack. Another factor to consider is the relative
ease of creating and copying such weapons,
making it increasingly likely that terrorist groups, or other malevolent
actors, will acquire such a weapon in the near future. Compared to traditional weapons, malware is a
budget alternative that causes significant damage.
Given the vulnerability of the United
States to cyberattack and the increasing availability of sophisticated viruses
to states and non-state actors, it is in the interest of the United States to
forego, to a reasonable extent, its short-term offensive advantage in favor of
embracing the stability and safety that would come through establishing
international norms governing cyberwarfare. Whether it be through broad
international agreement or through a piecemeal approach of bi-lateral
agreements with key nations, such as China and Russia, the sooner mechanisms
are in place for regulating the use of cyberweapons, the more secure U.S.
interests will be.
 See Mark Thompson, Panetta Sounds Alarm on Cyber-War Threat, Time (Oct. 12, 2012), http://nation.time.com/2012/10/12/panetta-sounds-alarm-on-cyber-war-threat/#ixzz2A4hz6RxA.
 See Susan W. Brenner & Leo L.
Clarke, Civilians in Cyberwarfare:
Conscripts, 43 Vand. J. Transnat’l L.
1011, 1112 (2010) (“According to one estimate, 140 nations have
developed or are in the process of developing the capacity to wage
 Thompson, supra note 1.
 See Nicole Perlroght, In Cyberattack on Saudi Firm, U.S. Sees Iran
Firing Back, N.Y. Times (Oct.
23, 2012), http://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html?hp&_r=1&.
 See id.
 See Brenner & Clarke, supra note 2, at 1113-14 (noting
cyberwarfare conserves human resources, is cheaper in terms of monetary cost,
and is less likely to cause political backlash because at present it is
difficult to determine with any certainty the source of an attack).
 See Mathew Borton, et al., Cyberwar Policy, 27 John Marshall J. Computer & Info L. 303,
303-06 (Spring 2010); see also Brenner
& Clarke, supra note 2 at 1112-15; Toby L. Friesen, Resolving Tomorrow’s Conflicts Today: How
New Developments Within the U.N. Security Council Can Be Used to Combat
Cyberwarfare, 58 Naval L. Rev. 89,
 See Scott Shane, Cyberwarfare Emerges from Shadows for Public Discussion by U.S. Officials,
New York Times (Sept. 26, 2012), http://www.nytimes.com/2012/09/27/us/us-officials-opening-up-on-cyberwarfare.html?pagewanted=all&_r=0.
 Thompson, supra note 1; Shane, supra note 8; Gerry Smith, Gauss: Virus Like Stuxnet Found, Russian
Security Firm Claims, Huffington Post
(Aug. 10, 2012), http://www.huffingtonpost.com/2012/08/09/gauss-virus-stuxnet_n_1761107.html.
 Kaspersky Lab, Kaspersky Lab Discovers ‘Gauss’—A New Complex Cyber-Threat Designed to
Monitor Online Banking Accounts (Aug. 9, 2012), http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts.
 Perlroght, supra note 4.
 See Shane, supra note 8 (“[T]alking too boldly about American plans could fuel
a global computer arms race.”).
 See Steve Coll, The Rewards (and Risks) of Cyber War, The New Yorker (Jun. 7, 2012), http://www.newyorker.com/online/blogs/comment/2012/06/the-rewards-and-risks-of-cyberwar.html (“American and Israeli official action now stands available as a justification
 See id. (“‘Olympic Games’ [which is the
code name for the American cyberwarfare program] will invite imitation and
retaliation in kind, and it has established new and disturbing norms for state
aggression on the Internet and in its side-channels.”).
 See Shane, supra note 8 (quoting Professor Waxman of Columbia Law School, and
formerly of the Department of Defense, as saying that the United States should
use its offensive advantage to lay out rules of the road for cyberwarfare).
 See id.
 See David E. Sanger, Obama Order Sped Up Wave of Cyberattacks
Against Iran, New York Times
(Jun. 1, 2012), http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=1&_r=1&ref=nuclearprogram.
 See id.
 See id. (“[Cyberweapons] were [President
Obama’s] best hope of disrupting the Iranian nuclear program unless economic
sanctions began to bite harder and reduced Iran’s oil revenues.”)
 See Friesen, supra note 7, at 92 (noting that cyber attacks will plague states
until there is a consensus on the norms and law governing cyberwarfare,
complete with a mechanism for investigating violations).
 See id. at 90-92; see also Brenner & Clarke, supra note 2, at 1115 (“Cyberwarfare erodes, and may erase, the distinction that
currently exists between combatants (soldiers) and noncombatants
(civilians).”); Thompson, supra note
1 (crediting Secretary Panetta with warning that three potential
adversaries—Russia, China, and Iran—are developing cyberwarfare capabilities).
 See Sanger, supra note 17.
 See id. (citing President Obama as
warning his aides of the dangers of overusing cyberweapons given the particular
vulnerability of the United States to attack).
 See Kaspersky
Lab, supra note 10 (noting
that the Guass virus was similar to the Stuxnet and Flame viruses that showed
certain functions were copied from the previous viruses).
 See Brenner & Clarke, supra note 2, at footnote 5 (citing a
hearing before the Joint Economic Committee on Cyber Threats and the U.S.
Economy where concern was expressed that terrorist and other non-state actors
would turn to cyberweapons).
 See id. at 1113.
Posted by Brett M. Neve on Sun. March 24, 2013 11:06 PM