Offensive cyber: What are the possibilities of the use of offensive cyber as an offensive capability within the existing international legal framework?

Abstract

Cyber is hot. Although the international community, scientists, military and NATO primarily focus on how to defend themselves against cyber attacks, this study mainly focuses on the offensive side of cyber. The thesis analyses the possibilities of the use of offensive cyber as a capability within the existing international legal framework. The thesis consists of two parts. The first part discusses what offensive cyber is and what its possibilities and capabilities are. Offensive use of cyber is new within modern warfare. Therefore it is important to describe and explain cyber attacks and offensive cyber operations thoroughly. In this part the definitions are set, and the base characteristics of cyber attack are discussed. Not only the possibilities of offensive cyber are described, but also dilemmas for the use of offensive cyber are explained. This first part concludes with possible scenarios for the use of offensive cyber operations. The second part of this thesis is a case study and analyses whether and how offensive cyber fits in, and complies with the existing international legal framework. Firstly, the aspects in the existing international legal framework are discussed, which are unambiguous for regular war scenarios, but seem difficult to interpret when it comes to cyber operations. Secondly, the case study is conducted by analysing the three main principles within the Laws of Armed Conflict (LoAC), proportionality, necessity and distinction, on the four recent cyber cases of Estonia 2007, Georgia 2008, Stuxnet 2010 and Libya 2011. The conclusion of the thesis is that the existing international legal framework is not fully suitable for the use of cyber as an offensive capability. Especially the attribution problem, collateral damage, and distinction between military and civil objects are problematic. As long as there is no consensus on international accepted cyber law that sets the boundaries for the use of offensive cyber, the existing international legal framework is applicable, and the use of offensive cyber will have its challenges and grey areas. A new international accepted legal cyber framework should limit, and set boundaries for the use of offensive cyber. On the other hand, developing a new international accepted legal framework, in which offensive cyber is appointed, is also an opportunity to exploit the optimum use of offensive cyber, within that framework.