From time to time I am privileged enough to attend presentations on cyber warfare that are not so open to the public. In one such presentation the speaker spoke of Schmitt’s criteria, a set of rules that can help a state decide, when dealing with a cyber attack, whether it is an act of war or not.

I set off to learn more on Schmitt’s criteria and eventually found out that they are coded in “Computer network attacks and the use of force in International Law”. I contacted Professor Schmitt asking for a copy of the paper and he directed me to HeinOnline. It seemed that I should pay $30 for 24 hours of access on HeinOnline in order to download the paper. Serious books cost less than that!

So I decided to contact the person who gave the presentation from which I learned about the criteria. He recommended that I should read “Inside Cyber Warfare”. The ebook cost $30. It also happened that the very same day O’Reilly was running a special offer campaign to help the Japanese Red Cross and their Fukushima efforts, so I even bought it for less.

Whose is the loss now, HeinOnline?

I cannot stress enough how much I loved “Inside Cyber Warfare”. The author analyzes recent Cyber War incidents, talks a lot about Project Greygoose and the insight that it offered to analysts. It details the three major cyber doctrines and strategies (Russia, China and the US) with lots and lots of references. It contains an analysis on the Law of Armed Conflict and how it correlates to cyberspace and, in my humble opinion, it predicts both Stuxnet and the RSA hack.

Jeffrey Carr (@jeffreycarr) tweeted to me that a second edition is in the works. I am eagerly waiting for it since the first one covers cyber conflicts up to 2009. And for the third. And for the rest of the editions to come. For this is a continuous book; a lifetime’s work. The landscape is changing rapidly and Jeffrey Carr has positioned himself as one of those few who can accurately and objectively depict it anytime.

PS: For those who want to read about Schmitt’s criteria, Denning’s “The Ethics of Cyber Conflict” is a good place to start:

When Does a Cyber Attack Constitute the Use of Force?

Not all cyber attacks are equal. The impact of a cyber attack that denies access to a news website for one hour would be relatively minor compared to one that interferes with air traffic control and causes planes to crash. Indeed, the effects of the latter would be comparable to the application of force to shoot down planes. Thus, what is needed is not a single answer to the question of whether cyber attacks involve the use of force, but a framework for evaluating a particular attack or class of attacks.

For this, we turn to the work of Michael Schmitt, Professor of International Law and Director of the Program in Advanced Security Studies at the George C. Marshall European Center for Security Studies in Germany. In a 1999 paper, Schmitt, formerly a law professor at both the US Naval War College and the US Air Force Academy, offered seven criteria for distinguishing operations that use force from economic, diplomatic, and other soft measures. (Schmitt, 1999) For each criterion, there is a spectrum of consequences, the high end resembling the use of force and the low end resembling soft measures. The following description is based on both Schmitt’s paper and the work of Thomas Wingfield, author of The Law of Information Conflict. (Wingfield, 2000, 120-127)

1. Severity. This refers to people killed or wounded and property damage. The premise is that armed attacks that use force often produce extensive casualties or property damage, whereas soft measures do not.

2. Immediacy. This is the time it takes for the consequences of an operation to take effect. As a general rule, armed attacks that use force have immediate effects, on the order of seconds to minutes, while softer measures, such as trade restrictions, may not be felt for weeks or months.

3. Directness. This is the relationship between an operation and its effects. For an armed attack, effects are generally caused by and attributable to the application of force, whereas for softer measures there could be multiple explanations.

4. Invasiveness. This refers to whether an operation involved crossing borders into the target country. In general, an armed attack crosses borders physically, whereas softer measures are implemented from within the borders of a sponsoring country.

5. Measurability. This is the ability to measure the effects of an operation. The premise is that the effects of armed attacks are more readily quantified (number of casualties, dollar value of property damage) than softer measures, for example severing diplomatic relations.

6. Presumptive Legitimacy. This refers to whether an operation is considered legitimate within the international community. Whereas the use of armed force is generally unlawful absent some justifiable reason such as self-defense, the use of soft measures is generally lawful absent some prohibition.

7. Responsibility. This refers to the degree to which the consequence of an action can be attributed to a state as opposed to other actors. The premise is that armed coercion is within the exclusive province of states and is more susceptible to being charged to states, whereas non-state actors are capable of engaging in such soft activity as propaganda and boycotts.

Foreseeing Stuxnet?

I copy from “Inside Cyber Warfare”:

“For instance, a cyber attack might shut down a system, rendering it inoperable for some time, or a cyber attack might cause an explosion at a chemical plant by tampering with the computers that control the feed mixture rates. The results of those attacks mirror the results of conventional armed attacks, previously only achievable through kinetic force, thus satisfying the instrument based approach.”

The book was published in 2009. This quote is taken verbatim from “Solving the Dilemma of State Responses to Cyberattacks” which is again dated April 2009.

Stuxnet was detected around July 2010. Sort of Life imitating Art…

Update: Shortly after I pressed [Publish] my Twitter stream was filled with mentions of “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History”.

These days I am reading “Inside Cyber Warfare” (among other things). Chapter 4 (Responding to International Cyber Attacks as Acts of War) is written by Lieutenant Commander Matthew J. Sklerov. It is a rewrite of his 111-page thesis on the subject which is available online:

→ “Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses against States Who Neglect Their Duty to Prevent

Like I said, I have not read the thesis, but I am reading Chapter 4 from “Inside Cyber Warfare”. It is highly explanatory of the US strategic and military dogmas, including running cross-border operations against enemies who are non-state actors.