DOD Interpretation of The Laws of War Allow Botnet Creation?

Herb Lin
Saturday, June 27, 2015, 11:11 AM

Published by The Lawfare Institute

I was struck by Charlie Dunlap’s take on the DOD Law of War manual regarding cyber operations, especially on how cyberattacks are carried out. Charlie notes the manual’s instruction that “remote harms and lesser forms of harm, such as mere inconveniences or temporary losses, need not be considered in applying the proportionality rule.” The manual also states that the “military advantage anticipated from an attack” indicated in the proportionality rule “is intended to refer to an attack considered as a whole, rather than only from isolated or particular parts of an attack.”

That sounds right to me. Minimal forms of harm, e.g., harm that does not affect the experience of a computer user, should not count as damage as far as the laws of war are concerned. But I’m troubled by its implications.

Specifically—one of the conclusions that flows from these two statements is that damage from the usurpation of a civilian computer to act as an intermediary in a cyberattack on another computer need not count in the proportionality analysis if the functionality of the intermediary computer from the user’s perspective is only minimally compromised. If this is really true, then the damage from the usurpation of hundreds of thousands of computers for this purpose need not be counted either.

In other words, creating a botnet using civilian computers for attacking an adversary in cyberspace does not violate the laws of war, or at least the DOD’s interpretation thereof.

Can this be right?

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.