This is another follow-up to the post I did last week on cyber war. This post is a response to someone who raised these questions after reading the earlier post:
I am a law student at Cornell University, and one other issue struck me while reading your article: What about potential liability for private carriers in allowing cyberwar signals to reach US government servers? In the event that these carriers have the capacity to identify enemy attacks, and the capacity to stop them, do they have a duty under the law as it currently stands to prevent such attacks from accessing sensitive computers in the first place?
They’re good questions, and I’m going to do my best to respond to them, given the limitations imposed by the relative brevity of a blog post and the fact that I am not an expert in the laws of war. I’m also going to limit my response to the issue of criminal liability, because I am an expert in that area; civil liability may, or may not, apply here.
The issue is whether U.S. civilian carriers can be held criminally liable for not preventing hostile cyberwar signals from reaching U.S. targets. (I’m including civilian and criminal targets because, as I’ve noted before, cyberwar will almost certainly blur or ignore the distinction between combatants and non-combatants.) There are two ways the carriers could, at least theoretically, be liable for letting the signals go through: direct criminal liability and derivative criminal liability.
Direct criminal liability means that the carriers themselves committed a crime by not preventing the signals from reaching their U.S. targets. The only way I can see they’d be liable under that principle is if the U.S. had laws requiring civilian carriers to block hostile cyberwar signals or be held criminally liable for failing to do so. As far as I know, we don’t have such laws. If I’m wrong on that, please let me know.
The other alternative is to use derivative criminal liability, which means we hold the carriers liable for aiding and abetting cyberwar or conspiring to commit cyberwar.
As I noted in an earlier post, conspiracy can be used to hold all the members of a conspiracy liable for the crimes their colleagues commit. As I also noted in that post, aiding and abetting – or accomplice – liability is based on the premise that if John helps Jane rob a bank by, say, giving her the combination to the bank safe, he should be held guilty of the robbery, even though he was not present when Jane actually robbed the bank. We impute liability for the completed crime – the target crime – to the accomplice who facilitates its commission, both because of the role he/she/it played in contributing to the crime and to deter others from aiding and abetting future crimes.
Accomplices usually do something overt to facilitate the commission of the target crime; they give the combination to the safe, they give the man who’s going to commit murder a gun, etc. In the scenario we’re analyzing, the civilian carriers haven’t done anything overt; they’ve simply not prevented the cyberwar signals from reaching their intended targets. The drafters of the Model Penal Code (which, as I’ve noted, is an influential template of criminal laws) specifically addressed this situation: Section 2.06(3)(a)(ii) of the Model Penal Code says one is an accomplice “in the commission of an offense if . . . with the purpose of . . . facilitating” the crime and “having a legal duty to prevent” the crime he “fails to make a proper effort so to do”.
We therefore would have to resolve three issues in order to hold the civilian carriers criminally liable for not preventing cyberwar signals from reaching their targets: One, as noted above, is the existence of a duty to prevent the crime; we can’t infer such a duty. It would have to exist in a statute or regulation or even under case law. For the purpose of this analysis, we’ll assume such a duty exists (even though I don’t think it does). The second issue we’d have to resolve is whether, having such a duty, the carriers purposely did not prevent the cyberwar signals from reaching their targets. While I think it would be impossible to prove that, I’m going to reserve that issue for the moment, and move on to what I think is the REALLY difficult issue.
As I noted above, an accomplice is held liable for facilitating the commission of a target crime, like robbery or murder. As I tell my students, accomplice liability doesn’t stand alone; that is, there’s no such crime as “being an accomplice.” The crime is “being an accomplice to ________” (insert target crime). So to hold the private carriers liable for not preventing the signals from reaching their targets, cyberwar has to be a crime. Then the carriers could, at least theoretically, be held liable as accomplices to cyberwar.
That brings us to the real issue: Is war (which we’ll assume includes cyberwar) a crime? As Wikipedia explains, there are three sources of authority for the proposition that “war of aggression” is a crime. The first derives from the Nuremberg trials: The 1945 London Charter of the International Military Tribunal defined three categories of crime, one of which was “crimes against peace.” In 1950, in a document submitted to the U.N., the Nuremberg Tribunal defined “crimes against peace” as “waging a war of aggression” or participating in a “common plan or conspiracy” to wage a war of aggression.
That principle was incorporated into the U.N. Charter and in 1974 became the basis of U.N. Resolution 3314. U.N. Resolution 3314 was a non-binding recommendation to the U.N. Security Council; so while it defines the “crime of aggression”, that definition is not binding under international law. Resolution 3314 says a “war of aggression is a crime against international peace” and defines aggression as “the use of armed force by a State against the sovereignty . . . of another State”. Under Article 51 of the U.N. Charter, states can lawfully use armed force to defend themselves against an attack by another state; essentially, any other use of armed force constitutes the crime of aggression.
That brings us to the final source: The Rome Statute of the International Criminal Court. Article 5 of the Statute gives the International Criminal Court jurisdiction over 4 types of crime: Genocide; crimes against humanity; war crimes; and the “crime of aggression”. The Rome Statute defines the first three, but does not define the crime of aggression; according to Wikipedia, a conference to be held some time next year is supposed to define it. I’m including the Rome Statute in this discussion, even though the U.S. does not intend to become a party to the statute; as a result, the Statute doesn’t bind the U.S.
I’m not sure, at this point, that war is a crime, so I’m even less certain that cyberwar is a crime. For the purpose of analysis, I’m going to assume cyberwar is a crime and can therefore support derivative liability under either of the theories noted above.
As far as I know, there has only been one attempt to hold civilian corporate executives criminally liable for an aggressive war. Count 1 of the Indictment in the Nuremberg Trials charged all of the defendants with participating in a “common plan or conspiracy” to wage a war of aggression. Twelve of the defendants charged were associated with the Krupp company, which had been Germany’s leading armament manufacturer. The prosecution’s theory was that the Krupp company and these individual defendants had conspired with the Nazi regime to wage aggressive war; the premise seems to have been that the conspiracy could be inferred from the fact that the Krupp company, and these defendants, worked to rearm Germany, often in violation of the Versailles Treaty, and profited from their efforts.
The Tribunal eventually dismissed the aggressive war charge against these defendants because it found that their involvement in making weapons used to wage war was not enough to establish their liability absent evidence they knew the weapons were to be used in aggressive war and acted with the intent of furthering that end. In concurring in the acquittal, one of the judges noted that weapons can be used offensively or defensively, and the defensive use of weapons is lawful.
Even if we assume, as I have, that war of aggression is a crime and civilian carriers have a legal duty to prevent cyberwar signals from reaching their targets, I don’t see how the carriers could be held criminally liable as accomplices or conspirators. I think the critical issue is the same as in the Krupp case: Both accomplice liability and the principle that holds conspirators liable for the crimes their fellow conspirators commit require that the person have acted either with the purpose of facilitating the target crime (accomplice) or with the knowledge that he had joined a conspiracy and that his co-conspirators would or were likely to commit the target crime.
I think it would be impossible to prove that in the scenario we’re analyzing, at least as long as the carriers aren’t on notice that the signals in question are cyberwar signals being directed at U.S. targets. If a country decides to launch a cyberwar attack, how and why is a private carrier to know that these signals are war-of-aggression signals instead of routine signals (or even signals being used for cybercrime)? If the Krupp defendants couldn’t be held guilty of conspiring to commit aggressive war when their conduct spanned many years (and what some would say were pretty clear markers), then I don’t see how a civilian carrier unexpectedly and almost instantaneously confronted with cyberwar signals heading for U.S. targets could be convicted of aiding and abetting the attack or being liable under the co-conspirator as agent theory.
I’m far from being an expert on international law or on the laws of war, so if I’ve missed something, let me know.