20120603

schmitting stux into the spectrum of conflict

Perhaps, like myself, Dear Reader, you wonder what ever became of the United Nations and the Geneva convention, and the many international agreements setting the bounds for unacceptable use of state force; you may have lost hope for veracity from your public leaders who address such issues or despair of finding basic comprehension and competence from your journalists. I know that I have made many a conclusory statement with respect to what may or may not be viewed as "legal" or "permissible" under any number of the legion instruments that make up the international framework for the international conduct of states, at certain times when high dudgeon and flowing rant have overlapped, but sometimes I want to go back to the texts themselves to make sure I understand what I am talking about and, generally, to hedge that conclusory statement in hopes of being able to converse and communicate rather than merely shout "Is too!" -- "Is not!" through lips dripping with partisan venom.

If, like me, you would like to assert that development and release of the Stuxnet code [by a state or states -- recently apparently credible sources have allegedly verified it to be a product of a U.S./Israeli joint venture] specifically targeting the Siemens industrial machines that control Iran's uranium centrifuges, is an act of war, or to make any evaluation of nonconventional means of applying state force, then a critical first step lies in becoming familiar with the standards and descriptions of such actions, and approaches to the evaluation of specific operations with respect to such standards.

Please find below an excerpt from a longer essay introducing the spectrum of conflict from jus ad bellum through jus in bello under the international charter framework of the United Nations, and presenting "the Schmitt analysis" for assessing an operation's warlike character.


Evaluating information operations along the spectrum of conflict:

This essay will encapsulate the relevant factors of the customary international law and treaty framework governing nations’ entry into and conduct during armed hostilities, and isolate tensions regarding ongoing evolution of customary international understanding of the terms force, armed force and armed attack as used within the Charter framework.

A. Jus ad bellum

Commentaries on and discussion of the relevant corpus of customary international law and the governing framework of international treaties abound.[1] Explication of the development of the customary international law, the crafting of the charter framework, and the construction of critical threshold terms[2] used with varying consistency and clarity among the many disparate documents would be superfluous to this review and beyond the scope of the author. The character of the commentators’ contributions will sketch the outline of the framework.

The Charter framework[3] draws three lines, dividing the “spectrum of conflict”[4] between de facto peace and outright world war into four zones: “The new legal regime set thresholds for threats to the peace (article 39), threats and uses of force (article 2(4)), and armed attacks (article 51).”[5]

Article 39 directs the Security Council to “determine the existence of any threat to the peace, breach of the peace, or act of aggression,” by majority vote, and “make recommendations, or decide what measures are to be taken . . . to restore international peace and security.”[6]

Above the article 39 level of “threat” to “international peace and security,” but below the article 2(4) “threat or use of force” threshold, lie entire strata of state behaviors constituting serious violations of international law that could plausibly provoke an armed response. Included behaviors might be “extreme intrastate violence or human rights violations,” failure of states to surrender terrorists, illegal racist regimes, the destabilizing initiation of large transnational refugee movements, and the diversion of a river by an upstream state.[7]

Article 2(4) “outlawed international aggressive war.”[8] The article requires all Member States to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state . . . .” The Charter clearly outlaws the aggressive use of force while recognizing a state’s inherent right of individual and collective self-defense in Article 51 and the Security Council’s obligation under Article 39 to maintain or restore international peace and security.[9]

Article 2(4) threats of force are highly context and fact sensitive. Something more than hyperbole[10] and “fighting words” is called for. Developments that may persuasively augur the threatened use of force include such things as troop mobilization and initial movements, the shaping of alliances, use of “fire control radar,” and interference with command and control systems.[11]

Article 51 preserves and codifies the “inherent” and customary international law “right of individual or collective self-defense if an armed-attack occurs against a Member . . . .” States exercising self defense are directed by this article to “immediately” report measures they have taken to the Security Council.

Article 2(4) use of force will be something greater than mere threatened action at arms, but not necessarily above the article 51 threshold of “armed attack.” A valid reading of the two articles allows the conclusion “that an unlawful use of force” may “not meet the threshold of an armed attack [nor] give the victim state the right to respond with a use of force.”[12] Although there appears to be a “gap”[13] or “grey area”[14] where a state can be subjected to impermissible use of force but not have the legal right to mount a forceful self-defense, this view has not been embraced in state practice.[15]

It is in this hazy zone, implied by the language of the two articles, that questions concerning the assessment of information operations and computer network attacks and automated systems’ exploits are situated.[16] It is here also that the question of anticipatory self defense arises.[17] Self-defense, in turn, calls for measures “necessary and proportionate” to the threat.[18]

B. Jus in bello

Within article 51, or, arguably, above the threshold of article 2(4), when the right of anticipatory self-defense arises, there is at least contentious interstate application of force, if not outright armed hostilities. It is likely that once both belligerents are asserting force under the claim of self-defense, matters will rapidly escalate into an article 51 conflict, or state of de facto war. Not all is fair, in war, however: “The right of belligerents to adopt means of injuring the enemy is not unlimited.”[19]

The law governing the conduct of nations during armed hostilities, substantially codified in a framework of international treaties,[20] is animated by four major principles.

The principle of discrimination “requires that belligerents distinguish between combatants and noncombatants, avoid targeting civilians and their property, and take all reasonable precautions against injuring civilians or damaging their property” in military operations.[21]

The principle of necessity, encompassing the “two interrelated concepts, ‘military necessity’ and ‘unnecessary suffering,’”[22] calls for “that degree and kind of force, not otherwise prohibited,” necessary “for the partial or complete submission of the enemy with a minimum expenditure of time, life, and physical resources . . . .”[23]

The principle of proportionality, founded in the prohibition of operations likely “to cause incidental loss of civilian life, injury to civilians, damage to civilian objects . . . excessive in relation to the concrete and direct military advantage anticipated,”[24] calls for “a balancing test between the anticipated ‘concrete and direct’ military advantage . . . and the expected civilian losses. . . .”[25]

The fourth principle, chivalry, bans perfidious operations – deceptions of the enemy with regard to his legal status, his right to attack or right to expect freedom from attack[26] – while permitting “ruses of war,” which includes every way of fooling the enemy about the military situation.[27]

These principles govern the lawful conduct of states at war. Analysis according to these standards is essential in both assessing hostile action and planning operations.

In the context of information operations, once the level of force is determined, these principles, in light of the foreseeable consequences of the attack, the capabilities of the targeted systems, and the danger posed or military advantage lost as a result of degradation or loss of that capability, will inform threat appraisal and the crafting of appropriate countermeasures and responses.

C. Computer Network Attacks[28]

1. Objectives and Tools

Computer Network Attack (“CNA”) signifies the genus of offensive information operation[29] which “operates on data existing in computers or computer networks,”[30] seeking to “disrupt, deny, degrade or destroy information resident on computers and computer networks or the computers and networks themselves.”[31] CNA may be an aspect in, among or supporting the full range of information operations, to compromise adversary information or information systems and defend friendly information and information systems.[32]

Tools and techniques vary,[33] are rapidly evolving,[34] and can be employed both offensively and defensively.[35] These include sniffers,[36] trapdoors,[37] Trojan horses,[38] logic bombs,[39] video morphing,[40] denial of service attacks,[41] worms,[42] virii,[43] info blockades,[44] spamming,[45] and IP spoofing.[46] These tools can be combined for any range of outcomes from the discovery of a security hole in a prototype system, to the physically and environmentally destructive result of “creating a hammering phenomenon in oil pipelines so as to cause them to burst,”[47] but are not in and of themselves weapons per se.

2. Comparing CNA and conventional weapons

Some cases of CNA, those “specifically intended to directly cause physical damage to tangible property or injury or death to human beings,” can be “reasonably characterized as a use of armed force. . . .”[48]

Armed coercion is not defined by whether or not kinetic energy is employed or released, but rather by the nature of the direct results caused, specifically physical damage and human injury. Instrumentalities that produce them are weapons. There is little debate about . . . the use of chemicals or biologicals . . . even though the means that cause the injury or death differ greatly from those produced by kinetic force. . . . That computer network attack employs electrons to cause a result from which destruction or injury directly ensues is simply not relevant to characterization as armed force. The dilemma lies beyond this limited category of computer network attacks. How should they be classed?[49]

The “dilemma lies” in classification “vis-à-vis the prohibition on the use of force” of “computer network attacks which do not cause physical damage or injury, or do so indirectly.”[50]

3. The Schmitt Analysis[51]

In his analysis of when CNA would be considered a use of force, Michael N. Schmitt strayed from the instrumental view of force adopted and codified in the international charter framework[52] in favor of a quantitative approach: “How big a smoking hole is caused?”[53] Isolating seven “commonalities . . . among the most determinative” in distinguishing “[e]conomic and political coercion . . . from the use of armed force,”[54] Schmitt laid the groundwork for a quantitative evaluation of the military-ness of a given operation.

Schmitt’s seven consequence commonalities are 1) Severity,[55] 2) Immediacy,[56] 3) Directness,[57] 4) Invasiveness,[58] 5) Measurability,[59] 6) Presumptive Legitimacy,[60] and 7) Responsibility.[61] As it has developed,[62] it is a two-step analysis, application of which “tells you everything there is to know legally about a given operation.”[63]

Each factor represents a spectrum on which a “higher” rating is indicative of likeness to uses of armed force, and a “lower” rating indicative of dissimilarity from uses of armed force[64]; taken cumulatively, an assessment of the “consequence commonalities” provides an index to “ascertain whether [consequences of computer network attack] more closely approximate consequences of the sort characterizing armed force or whether they are better placed outside the use of force boundary.”[65] A scale from one to ten may be used to simplify or illustrate computation, but three gradations – low, middling, and high – are significant.[66]

“The first part is Science. . . . ”[67] Primary Schmitt analysis is mathematical: assigning the operation under analysis a value for each of the seven criteria and calculating the average. Simply, an average in the low range (1-3) does not cross the line of belligerency, and so is not an Art. 2(4) use of force. An average in the high range (7-10) indicates an action above the line of belligerency, an Art. 2(4) use of force. Averages in the middle range are indeterminate.

The secondary Schmitt analysis “is Art.”[68] In recognition of the variable relative importance of the seven factors from one military operation to the next across the set of all military operations in all of history, each of the seven factors must be weighted in an analysis “accepting independent judgment and subjective criteria” with a goal of “making transparent the assumptions and values” informing the judgment.[69] Secondary Schmitt analysis is not a means to “hard and fast rules,” but “to make the rationales transparent and debatable” among decision-makers.[70] In this regard the secondary analysis is particularly useful in assessment of operations averaging in the indeterminate range in the primary analysis, or for the prospective assessment of potential operations.
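
The two-step scoring described above, as an added Python example (not code from the essay, from Schmitt, or from Wingfield). The factor scores and weights are constructed for a hypothetical operation; computing the secondary analysis as a weighted mean read against the same 1-3 and 7-10 bands, and treating fractional averages between those bands as indeterminate, are assumptions of this example.

```python
"""Primary (averaged) and secondary (weighted) Schmitt analysis."""

# The seven consequence commonalities named in the essay.
FACTORS = (
    "severity", "immediacy", "directness", "invasiveness",
    "measurability", "presumptive_legitimacy", "responsibility",
)
LOW_MAX = 3.0   # essay: an average in the low range (1-3)
HIGH_MIN = 7.0  # essay: an average in the high range (7-10)


def check_scores(scores):
    """Reject score sets that omit a factor, add one, or leave the 1-10 scale."""
    if set(scores) != set(FACTORS):
        raise ValueError("scores must cover exactly the seven factors")
    for name, value in scores.items():
        if not 1 <= value <= 10:
            raise ValueError(f"{name}: {value} is outside the 1-10 scale")


def band(value):
    """Map an average onto the three gradations (boundary handling assumed)."""
    if value <= LOW_MAX:
        return "below the use-of-force line"
    if value >= HIGH_MIN:
        return "use of force"
    return "indeterminate"


def primary(scores):
    """Primary analysis: the unweighted mean of the seven factor scores."""
    check_scores(scores)
    return sum(scores[f] for f in FACTORS) / len(FACTORS)


def secondary(scores, weights):
    """Secondary analysis, modelled here (assumption) as a weighted mean."""
    check_scores(scores)
    if set(weights) != set(FACTORS) or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and cover all factors")
    total = sum(weights.values())
    if total == 0:
        raise ValueError("at least one weight must be positive")
    return sum(scores[f] * weights[f] for f in FACTORS) / total


def contributions(scores, weights):
    """Share of the weighted result owed to each factor, largest first.

    This exposes which judgments drive the outcome, so the weighting
    stays open to debate.
    """
    secondary(scores, weights)  # reuse the validation
    weighted = {f: scores[f] * weights[f] for f in FACTORS}
    total = sum(weighted.values())
    ranked = ((f, v / total) for f, v in weighted.items())
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scores for a hypothetical operation (not an assessment of
# any real one) and constructed weights stressing physical consequences.
SAMPLE_SCORES = {
    "severity": 9, "immediacy": 5, "directness": 9, "invasiveness": 8,
    "measurability": 5, "presumptive_legitimacy": 6, "responsibility": 3,
}
SAMPLE_WEIGHTS = {
    "severity": 3, "immediacy": 1, "directness": 2, "invasiveness": 2,
    "measurability": 1, "presumptive_legitimacy": 1, "responsibility": 1,
}

if __name__ == "__main__":
    p = primary(SAMPLE_SCORES)
    s = secondary(SAMPLE_SCORES, SAMPLE_WEIGHTS)
    print(f"primary   {p:.2f}  {band(p)}")
    print(f"secondary {s:.2f}  {band(s)}")
    for factor, share in contributions(SAMPLE_SCORES, SAMPLE_WEIGHTS):
        print(f"  {factor:<24}{share:6.1%}")
```

With these constructed inputs the unweighted average falls in the indeterminate range while the weighted result crosses the upper band, and the contribution list shows that the Severity weight is what moves it.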

While Schmitt proposed the framework, and the overall analytical technique has been developed, within the discourse of the corpus of computer and telecommunications law for assessment of information operations using and targeting those media, the analysis is compelling because of its flexibility and clarity, and seems, with the commonalities, to encapsulate a quantitative framework for assessing actions by states other than conventional force of arms. While instances of actual use of armed force could be assessed under the Schmitt analysis congruently with their treatment under the Charter framework, the real utility of the perspective is that very congruence when the approach is applied to actions accomplished by means of things not commonly considered to be weapons.

_______________________________________

Notes:

[1] See e.g., The Charter of the United Nations: A Commentary (Bruno Simma ed., 1994). See also Thomas C. Wingfield, The Law of Information Conflict: National Security Law in Cyberspace (Aegis Research Corp., 2000).
[2] E.g., “use of force,” “aggression,” “armed force” etc.
[3] The Charter of the United Nations, 26 June 1945, 59 Stat. 1031, T.S. No. 993, 3 Bevans 1153; as amended [arts. 23, 27, and 61] on 17 December 1963, 16 U.S.T. 1134, T.I.A.S. 5857, 557 U.N.T.S. 143; as amended [art. 109] on 20 December 1965, 19 U.S.T. 5450, T.I.A.S. 652; as amended [art. 61] on 20 December 1971, 24 U.S.T. 2225, T.I.A.S. 7739, (hereinafter “U.N. Charter”) available at http://www.un.org/en/documents/charter/index.shtml.
[4] Wingfield, lectures on the Cyberlaw of National Security, 2003, at The Catholic University of America, Columbus School of Law, Washington, DC.
[5] Wingfield, Information Conflict at 31.
[6] U.N. Charter, article 39.  Available at http://www.un.org/en/documents/charter/chapter7.shtml.
[7] Wingfield, lecture.
[8] Wingfield, lecture.
[9] Wingfield, Information Conflict at 37 (quoting U.N. Charter, article 2(4), available at http://www.un.org/en/documents/charter/chapter1.shtml).
[10] See, e.g., the corpus of the Korean Central News Agency of the Democratic People’s Republic of Korea, available at http://www.kcna.co.jp/index-e.htm (last visited December 19, 2003).
[11] Wingfield, lecture.
[12] Wingfield, Information Conflict at 47.
[13] Id.
[14] See Michael N. Schmitt, “Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework,” 37 Colum. J. Transnat’l L. 885 (1999), available at http://www.usafa.edu/df/iita/Publications/Computer%20Network%20Attack%20and%20the%20Use%20of%20Force%20in%20International%20Law.pdf.
[15] Wingfield, Information Conflict at 48.
[16] See e.g., Wingfield, Information Conflict at 47; Robert A. Ramey, Maj., U.S.A.F., “Armed Conflict on the Final Frontier: The Law of War in Space,” 48 A.F. L.Rev. 1, 59-63 (2000); Christopher M. Petras, Maj., U.S.A.F., “The Use of Force in Response to Cyber-Attack on Commercial Space Systems – Reexamining ‘Self-Defense’ in Outer Space in Light of the Convergence of U.S. Military and Commercial Space Activities,” 67 J. Air L. & Com. 1213, 1243-1249 (2002); Christopher C. Joyner and Catherine Lotrionte, “Information Warfare as International Coercion: Elements of a Legal Framework,” 12 Eur. J. Internat’l L. 825 (2001), available at http://ejil.oxfordjournals.org/content/12/5/825.full.pdf.
[17] The doctrine of anticipatory self-defense “authorizes the use of force in self-defense . . . before an attack occurs.” Wingfield, Information Conflict at 47. This arises, as famously articulated by Daniel Webster, in the Caroline case, when “the necessity of that self-defense is instant, overwhelming and leaving no choice of means, and no moment for deliberation.” Id.
[18] Christopher M. Petras, Maj., U.S.A.F., “The Use of Force in Response to Cyber-Attack on Commercial Space Systems – Reexamining ‘Self-Defense’ in Outer Space in Light of the Convergence of U.S. Military and Commercial Space Activities,” 67 J. Air L. & Com. 1213, 1260 (2002)(quoting Military and Paramilitary Activities (Nicar. v. U.S.), 1986 I.C.J. 14, at 103, P 195 (June 27, 1986)).
[19] Convention (II) with Respect to the Laws and Customs of War on Land, July 29, 1899, (1907 Supp.) 1 AM. J. INT'L L. 129, available at http://www.icrc.org/ihl.nsf/FULL/150?OpenDocument.
[20] See Wingfield, Information Conflict, Chapter 8 “Treaties on the Law of Armed Conflict” at 173-304.
[21] Id. at 140. And see Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts, art. 48, Dec. 12, 1977, available at http://www.icrc.org/ihl.nsf/FULL/470?OpenDocument.
[22] Id. at 148.
[23] Id. (quoting U.S. Dep’t of the Navy, NWP 1-14M, The Commander’s Handbook on the Law of Naval Operations §5.2 (1995)), available at http://www.fichl.org/uploads/media/US_Navy_Commander_s_Handbook_1995.pdf.
[24] Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protections of Victims of International Armed Conflicts, arts. 51, para 5(b) and 57, para 2(a)(iii), December 12, 1977, 1125 U.N.T.S. 3. ("Geneva Protocol I"), available at http://treaties.un.org/untc/Pages/doc/Publication/UNTS/Volume%201125/volume-1125-I-17512-English.pdf.
[25] Wingfield, Information Conflict at 155.
[26] Wingfield, lecture; see also Wingfield, Information Conflict at 159-172, Geneva Protocol I, note 24, supra, articles 51 and 57, and see Convention IV respecting the Laws and Customs of War on Land and its annex: Regulations Concerning the Laws and Customs of War on Land, The Hague, 18 October 1907, at article 23(f), available at http://www.icrc.org/ihl.nsf/FULL/195.
[27] Id. And see Commander's Handbook, note 23, supra, at Section 12.
[28] This section derives orientation from Wingfield, Information Conflict, Chapter 2, “Military Applications of Cyberspace” at 17-30. See also Michael N. Schmitt, “Wired Warfare: Computer network attack and jus in bello,” 84 IRRC No. 846, 365 (June 2002), available at http://www.icrc.org/eng/assets/files/other/365_400_schmitt.pdf.
[29] See Joint Doctrine for Information Operations, Joint Pub. 3-13, 9 October 1998, available at http://www.c4i.org/jp3_13.pdf.
[30] Schmitt, n. 14 supra, at 891.
[31] Joint Doctrine for Information Operations, n. 29, supra, at I-9.
[32] Schmitt at 891.
[33] Id. at 892; Joyner & Lotrionte at 836.
[34] Wingfield, Information Conflict at 30.
[35] Joyner & Lotrionte at 836 - 839.
[36] Id. A sniffer is a program that would enable “an intruder” to a network “to retrieve user IDs and passwords as they traverse a network,” compromising any information thereby secured.
[37] Id. A trapdoor, or “backdoor”, allows unauthorized access to a program or system, may be “installed” by an adversary, or built into the software, such as an “AutoUpdate” program, and merely exploited maliciously.
[38] Id. Wingfield, Information Conflict at 334: A Trojan horse is malicious code left on the target machine, that “does not merely grant access,” but resides “dormant and hidden” to be activated “if certain programmed conditions are met or, if the adversary has a trapdoor, by an affirmative command,” and bring about “some actual harm to the system.”
[39] Joyner & Lotrionte at 836. A logic bomb, which may be the “payload” of a virus or Trojan horse, is malicious code designed to destroy or corrupt a computer’s files and data.
[40] Id. Video morphing may be used to alter the news broadcasts of a belligerent state as part of an information operation. Thomas C. Wingfield, “Legal Aspects of Offensive Information Operations in Space,” 9 USAFA J. Leg. Stud. 121 (1999) at 140, uses the “digital morph[ing]” of an address from Slobodan Milosevic as an explanation of perfidy.
[41] Joyner & Lotrionte at 837, n. 41. A denial of service attack degrades processing and network service by overloading victim computers with Internet control message protocol echo request packets. A variation, the “distributed denial of service attack,” enslaves numerous computers in disparate locations to “ping” the same target port or ports, raising the impact on processing power and bandwidth exponentially. Clement McGovern, U.S. Department of Justice Computer Crimes attorney in Oct. 14, 2003 lecture at Catholic University.
[42] Joyner & Lotrionte at 837, n. 43. A worm is “a self-replicating program that moves from one system to another along a network,” not destroying software or damaging data but using “all available computing resources” to “saturate[] communications links.”
[43] Id. at 837, n. 44. A virus, which is connected to or activated by use of an infected file or program, uses available network resources to execute any directives and to replicate.
[44] Id. at 838. Info blockade would “block[] all electronic information from entering or leaving a state’s borders.”
[45] Id. at 838. Spamming floods e-mail systems, preventing or delaying the delivery of valid communications.
[46] Id. at 838. IP spoofing forges an otherwise uniquely identifying indicator of the source of each packet communicated across the TCP/IP infrastructure. This allows malefactors to conceal their identity, to operate more-or-less anonymously, and potentially to impersonate elements of a military command structure or circumvent IP address based access control systems.
[47] Schmitt, n. 14, supra, at 912.
[48] Id. at 913.
[49] Id. (citations omitted).
[50] Id.
[51] Id. Presentation and orientation of the Schmitt analysis by Thomas C. Wingfield in lectures at Catholic University, Fall 2003, have been instrumental in grappling with Schmitt’s test and text. See also, Wingfield, Information Conflict at 117-120, and http://conflictsincyberspace.blogspot.com/2010/01/schmitt-analysis.html.
[52] See notes 3 – 27, supra, and accompanying text.
[53] Wingfield, lecture.
[54] Schmitt, n. 14, supra, at 914.
[55] Id. at 914 (“Armed attacks threaten physical injury or destruction of property to a much greater degree than other forms of coercion.”).
[56] Id. (“The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly. Thus, the opportunity for the target state or the international community to seek peaceful accommodation is hampered in the former case.”).
[57] Id. (“The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.”).
[58] Id. (“In armed coercion, the act causing the harm usually crosses into the target state . . . represent[ing] a great[] intrusion on the rights of the target state. . . .”).
[59] Id. (“While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure.”).
[60] Id. (“[T]he application of violence is deemed illegitimate absent some specific exception such as self-defense. . . . By contrast, most other forms of coercion . . . are presumptively lawful, absent a prohibition. . . . [T]he consequences of armed coercion are presumptively impermissible, whereas those of other coercive acts are not. . . .”).
[61] Id. at 14 n. 81 (“Armed coercion is the exclusive province of states. . . . [N]on-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.). . . . In sum, the consequences of armed coercion are more susceptible to being charged to the State actor than in the case of other forms of coercion.”).
[62] It is not clear to this author from the text of Schmitt’s article that the totality of the Schmitt analysis as presented in Wingfield’s lectures is introduced there in its entirety. Accordingly, while descriptions of the framework and its specific application will be Schmitt’s, discussion of the scoring and weighting of the factors will be drawn from Wingfield’s lecture.
[63] Wingfield, lecture.
[64] Wingfield, lecture.
[65] Schmitt at 915.
[66] Wingfield, lecture. The low end of the Severity scale would be an absence or minimum of property damage and human casualty; the high end, damage and casualty on the order of an assault by force of arms. The low end of the Immediacy scale would be a slowly developing consequence, such as the effect of economic sanctions; the high end would be explosive immediacy providing the target no time or opportunity for resolution. The low end of the Directness scale would be a negligible or highly contingent contribution of the operation to the consequence; at the high end the operation would be a sole or primary cause of the consequence. This is the question of proximate cause. The low end of the Invasiveness scale would be operations with “no identifiable locus” in the target country; the high end, intrusion upon the rights and sovereignty of the target state on the order of trans-border bombardment and occupation. The low end of the Measurability scale would be effects of the operation indistinguishable from the effects of other operations and “background noise”; the high end would be clear, quantifiable, and easily ascertained. The low end of Presumptive Legitimacy would be actions with no or minimal discernible effects in the physical world; the high end would be the sort of large-scale violence that only States have been known to do: firebombing cities, starting wars among nations. The low end of Responsibility is the anonymous act with the sort of effect unlikely to be attributable to a State actor; at the high end, a State actor has acknowledged and claimed responsibility, authority, for the act.
[67] Wingfield, lecture.
[68] Id.
[69] Id.
[70] Id.