Cyber attacks subject to international law, says State Dept.


Attacks in cyberspace are subject to international law regarding conduct during war and incidents that could be taken as a justifiable cause for war, State Department Legal Adviser Harold Koh said Sept. 18.

In remarks before a Cyber Command-hosted conference on legal issues in cyberspace, Koh said the United States "has made clear our view that established principles of international law do apply in cyberspace"--and that new treaties that would impose unique rules on cyberspace aren't necessary.

"This is not the first time that technology has changed and that international law has been asked to deal with those changes," he added.

Applying existing international law to cyberspace isn't without challenges, Koh noted, since civilian computers can be networked to military machines that are valid military objectives. Accepted laws of war hold that civilian infrastructure can't immunize military objectives from attack, but also that the principle of proportionality prohibits attacks expected to harm civilians in excess of "the concrete and direct military advantage anticipated," Koh said during the course of his speech.

"Any number of factual scenarios could arise…which will require a careful, fact-intensive legal analysis in each situation," he said.

In addition, operations targeting the networks of one country could have negative effects in another, leading to the "difficult and important" question of how to respect sovereignty.

Existing international law, however, makes it already clear that states are responsible for the actions of proxy actors, even in cyberspace, Koh said.

"If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the State assumes responsibility for the act," he added. The role of hacktivists, however, is another "difficult and important" question.

As for what constitutes a cyber use of force--and so an event subject to a self-defense response that could happen within or without cyberspace--Koh said that a cyber activity resulting in proximate "death, injury, or significant destruction" would likely be viewed as such.

It is the United States' longstanding view, Koh also noted, that there exists no threshold of deadly force for an event to qualify as an armed attack possibly warranting a forcible response.

For more:
- read Koh's remarks at

Related Articles:
NATO think tank looks to international law to define cyber war
Fears of cyberwar greatly exaggerated, says paper
Congress authorizes offensive cyberspace military operations
Q&A: Marcus Ranum on Stuxnet, Flame and the threat of cyberwar